Bug 244606 - apple mac mini floods arpwatch
apple mac mini floods arpwatch
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: arpwatch (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Miroslav Lichvar
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-17 22:35 EDT by Dave Jones
Modified: 2015-01-04 17:29 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-09 09:04:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dave Jones 2007-06-17 22:35:30 EDT
I plugged a mac mini into my home network, and arpwatch went nuts, logging this
over and over..

Jun 16 18:16:11 firewall arpwatch: bogon 169.254.149.175 0:50:da:6a:34:3
Jun 16 18:16:11 firewall arpwatch: bogon 0.0.0.0 0:17:f2:53:d3:dc
Jun 16 18:16:11 firewall arpwatch: bogon 169.254.111.145 0:17:f2:53:d3:dc
Jun 16 18:16:11 firewall arpwatch: bogon 169.254.111.145 0:17:f2:53:d3:dc
Jun 16 18:16:11 firewall arpwatch: bogon 169.254.111.145 0:50:da:6a:34:3
Jun 16 18:16:11 firewall arpwatch: bogon 0.0.0.0 0:17:f2:53:d3:dc
Jun 16 18:16:12 firewall arpwatch: bogon 0.0.0.0 0:17:f2:53:d3:dc

It should probably ignore the 169.254.x.x zeroconf addresses, not sure about the
0.0.0.0 ones.
Comment 1 Ignacio Vazquez-Abrams 2007-06-17 22:41:54 EDT
That sounds like IPv4LL as part of Bonjour. How long did this persist?
Comment 2 Dave Jones 2007-06-18 18:41:17 EDT
until I gave it an entry in my dhcpd.conf and restarted dhcpd.
Comment 3 Dave Jones 2007-06-19 13:48:02 EDT
actually, I was mistaken.  I restarted arpwatch, and powered it back up.
The flood resumed.  It does it even if it has a valid IP address, which seems a
bit crazy.
Comment 4 Miroslav Lichvar 2007-06-20 07:45:41 EDT
Bogons from 169.254/16 can be avoided by adding -n 169.254/16 to
/etc/sysconfig/arpwatch. I'm not sure we want this enabled by default, an
administrator might want to know about it.

Bogons from 0.0.0.0 can be avoided only by using -N (completely disabling bogons
reporting). arpwatch could be fixed to allow -n 0/32, would that be enough?
Comment 5 Dave Jones 2007-06-20 19:28:03 EDT
I'm not sure we should do anything.  Technically, 0.0.0.0 _is_ a bogon, so we'd
want to know about it.

I blame apple.
Comment 6 Miroslav Lichvar 2007-08-09 09:04:46 EDT
arpwatch-2.1a15-6.fc8 allows to use -n 0/32 which will disable reporting bogons
from 0.0.0.0.

Note You need to log in before you can comment on or make changes to this bug.