[Snort-users] Dual ethernet cards under Linux - could be of use to others

Jason Haar Jason.Haar at ...294...
Sun Nov 5 18:55:27 EST 2000

On Mon, Nov 06, 2000 at 10:38:53AM +1300, Jason Haar wrote:
> On Fri, Nov 03, 2000 at 09:38:16AM -0600, A.L.Lambert wrote:
> > 	I've run across this before, and for the life of me I can't seem
> > to find the related e-mail's in my archive.  As I recall, the fix was
> > using a kernel greater than 2.2.13, and doing:
> > 
> > echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden 
> > echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden 
> > 
> Does that sound like a kernel bug? I don't understand why Linux thinks
> dual-homed cards should be ARPing for each other by default. 

Figured it out. By default Linux will respond to ARPs via any/all interfaces
it has. If you don't like this behaviour, and basically want the different
interfaces to not even realise the others exist, then you set
/proc/sys/net/ipv4/conf/all/hidden to 1. If you only wanted eth1 to not know
about eth0, so that it could respond to ARPs for eth0's IP address/etc, the
you'd only set /proc/sys/net/ipv4/conf/eth0/hidden to 1.

This indeed does work, but weirdly. Sure enough, I no longer see eth1
packets on the LAN, but if I do:

tcpdump -i eth1 -n host ether eth1_mac_address, then I do see ARP packets -
but they all appear to be destined for eth0 and nothing else - so I guess
that's OK...

Bit wierd tho'...


Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417

More information about the Snort-users mailing list