On Tue, Aug 26, 2003 at 12:21:05PM -0400, Chris Brenton spoke thusly:
>What I found weird was that there is no legitimate "communication" reason
>for the legal NAT address to be ARPing for the private NAT address, at
>least not that I can think of. Also, I don't *think* this is
>a "ARP being seen off of all interfaces" problem, as I would expect to see
>ARPs for the external gateway on the internal network if it was and I
>never see these. Its always the legal NAT to private NAT address.
Yes. That would be odd. That said, I've personally seen these ARPs on all
interfaces issue cause odd (*) packet drops when we were debugging our
firewall previously. At that time, I was rather daft and had both the
internal & external ethernet cables plugged into the same 10Mbit hub.
(*) Odd until we figured out the problem. Its been documented on this
netfilter list a couple of times also.
>>Are you running 'tcpdump' on the firewall/routing device itself ? I think a
>>number of us have noticed rather odd things in regards to snat/dnat
>>addresses when running tcpdump on the firewall itself.
>
>Hummm. I'm not running tcpdump, but I am running Snort which would have
>the same effect on the interface. Let me shut Snort down for a while and
>see if the problem goes away. If it does turn out to be Snort, that
>would be kind of weird as well as I've run this config since last fall.
>I did recently upgrade to Snort 2.0 however, so maybe something that's
>changed in Snort from 1.9 --> 2.0 is causing it.
(snip rest)
