Forgot to group-reply..
--- Begin Message ---
On Wed, Oct 09, 2002 at 05:32:03PM -0700, Matthew Dillon wrote:
>
> :> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> :> inet 216.240.41.17 netmask 0xffffffc0 broadcast 216.240.41.63
> :> inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
> :> inet 216.240.41.21 netmask 0xffffffff broadcast 216.240.41.21
> :
> :That's what I said.. However, I would never use the above setup if
> :it's supposed to be secure. Anyone with access to a machine in the
> :41.1-41.62 range would be able to sniff the 10-net, which would not
> :like. (maybe your setup allows for this, but I wouldn't mind the cost
> :of a $6 el-cheapo NIC and a crosscable to get more secure, it's even
> :cheaper than the time spent typing this mail ;-) ).
>
> Uhh. I don't see how this can possibly make things more secure. If
> the machine needs to be on both nets and someone breaks root on it,
> having a second NIC isn't going to save you.
Physical access to any hub or socket on the same segment, as is quite
possible in many office-setups or with many different local users
managing their own servers.
> :But in the case of two physical interfaces on the same (physical)
> :segment, you get ARP errors. With aliases, you don't.
> :
> :Regards,
> :
> :Paul
>
> ARP errors? Only if you try to configure the same IP address on
> the two interfaces.
> > xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > options=3<rxcsum,txcsum>
> > inet 200.x.x.72 netmask 0xffffffc0 broadcast 200.x.x.127
> > inet 200.x.x.90 netmask 0xffffffc0 broadcast 200.x.x.127
> > inet 200.x.x.91 netmask 0xffffffc0 broadcast 200.x.x.127
> > ether 00:10:4b:c5:2e:1c
> > media: Ethernet autoselect (100baseTX <full-duplex>)
> >
> > xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > inet 200.y.y.132 netmask 0xfffffc0 broadcast 200.y.y.191
> > ether 00:60:97:dd:f0:b8
> > media: Ethernet autoselect (10baseT/UTP <full-duplex>)
> >
> > arp: 200.y.y.130 is on xl1 but got reply from 00:b0:64:08:36:60 on xl0
> > arp: 200.x.x.72 is on lo0 but got reply from 00:10:4b:c5:2e:1c on xl1
> >
> > What's the problem ??
> >
> It means just that: an arp reply for some address in the 200.y.y.0
> subnet (xl1 subnet) arrived on xl1 and vice-versa.
>
> Are both NICs connected to the same physical LAN, by chance?
(copied from questions, not my answer, but still also my experience
when installing my home-firewall, having both NICs temporarily
connected to the same switch, bypassing the firewall)
> -Matt
> Matthew Dillon
> <[EMAIL PROTECTED]>
Regards,
Paul
--- End Message ---
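The "arp: X is on IFA but got reply from MAC on IFB" kernel messages quoted in the thread are worth watching for on any multi-homed host, because they distinguish "my two NICs are on the same wire" from "some other station is answering for an address I own". The following is an added example, not code from the thread or from FreeBSD: it parses those kernel lines and classifies each one against a table of the host's own interface MACs. The table is built from the ifconfig output quoted above; the third log line (a foreign MAC answering for a local address) and the unrelated fourth line are constructed.

```python
"""Classify FreeBSD 'arp: ... is on X but got reply from MAC on Y' messages.
Added example, not the mailing list's or FreeBSD's own code."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# Kernel message format as quoted in the thread:
#   arp: <ip> is on <ifname> but got reply from <mac> on <ifname>
ARP_RE = re.compile(
    r"arp: (?P<ip>\S+) is on (?P<expected>\S+) but got reply from "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) on (?P<actual>\S+)"
)

# Constructed from the quoted ifconfig output: which MAC belongs to which local NIC.
LOCAL_MACS: Dict[str, str] = {
    "xl0": "00:10:4b:c5:2e:1c",
    "xl1": "00:60:97:dd:f0:b8",
}

# Sample input: the two kernel lines quoted in the thread, one constructed line
# (a foreign MAC answering for a local address) and one unrelated line.
SAMPLE_LOG = [
    "arp: 200.y.y.130 is on xl1 but got reply from 00:b0:64:08:36:60 on xl0",
    "arp: 200.x.x.72 is on lo0 but got reply from 00:10:4b:c5:2e:1c on xl1",
    "arp: 200.x.x.72 is on lo0 but got reply from 00:de:ad:be:ef:01 on xl0",  # constructed
    "xl0: link state changed to UP",                                          # constructed
]


@dataclass(frozen=True)
class ArpEvent:
    ip: str
    expected_if: str             # interface the address is configured/routed on
    mac: str                     # station that answered
    actual_if: str               # interface the reply arrived on
    answering_if: Optional[str]  # local NIC owning `mac`, if it is one of ours
    verdict: str


def parse_arp_line(line: str, local_macs: Dict[str, str]) -> Optional[ArpEvent]:
    """Return an ArpEvent for a matching kernel line, or None for anything else."""
    m = ARP_RE.search(line)
    if m is None:
        return None
    mac = m["mac"].lower()
    answering_if = next((n for n, a in local_macs.items() if a.lower() == mac), None)
    if m["expected"] == "lo0" and answering_if is not None:
        # One of our own addresses was answered by our own other NIC, and the reply
        # was heard on a different interface: both NICs share one broadcast domain.
        verdict = "same-segment"
    elif m["expected"] == "lo0":
        # A station we do not own answers for an address we own: duplicate address
        # or ARP spoofing, either way worth an alert.
        verdict = "local-address-claimed-by-foreign-mac"
    else:
        # A neighbour of one subnet is reachable through the other interface.
        verdict = "reply-on-wrong-interface"
    return ArpEvent(m["ip"], m["expected"], mac, m["actual"], answering_if, verdict)


def analyze(lines: Iterable[str], local_macs: Dict[str, str]) -> List[ArpEvent]:
    """Parse every line, keeping only the arp messages."""
    events = (parse_arp_line(line, local_macs) for line in lines)
    return [ev for ev in events if ev is not None]


def crossing_pairs(events: Iterable[ArpEvent]) -> Set[FrozenSet[str]]:
    """Pairs of local interfaces that have heard each other's segment.
    Non-empty on a host that is supposed to keep its NICs on separate wires
    is exactly the condition the thread describes."""
    pairs: Set[FrozenSet[str]] = set()
    for ev in events:
        src = ev.answering_if if ev.expected_if == "lo0" else ev.expected_if
        if src is not None and src != ev.actual_if:
            pairs.add(frozenset({src, ev.actual_if}))
    return pairs


if __name__ == "__main__":
    evs = analyze(SAMPLE_LOG, LOCAL_MACS)
    for ev in evs:
        print(f"{ev.ip:<14} expected {ev.expected_if:<4} reply via {ev.actual_if:<4} -> {ev.verdict}")
    print("interfaces sharing a segment:", [sorted(p) for p in crossing_pairs(evs)])
```

Feeding `/var/log/messages` through `analyze` with the host's real interface-to-MAC table gives the same three verdicts; `same-segment` and `reply-on-wrong-interface` point at cabling or switch configuration (the situation in the thread), while `local-address-claimed-by-foreign-mac` is the one that should page someone.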