公交迷网 - 巴士之家

ARP attack FreeBSD

1580 views | 2009-5-14 19:39 | Category: Troubleshooting

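On FreeBSD, if you configure a second NIC as the internal-network interface and connect it to another machine without going through a router, dmesg frequently shows messages like the following:
System: arp: [ip] is on [if 0] but got reply from [mac] on [if 1]
This means the IP address is recorded as being on interface if0, but the reply came from a MAC address on interface if1. The same symptom also appears when the machine is hit by an ARP virus (ARP spoofing) attack. The explanation for this situation is as follows: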


A switch works on a low level: it only knows MAC addresses. When it receives a broadcast
message it will send that message to all of its ports (like it is supposed to do). Your
machine manages an arp table (try 'arp -a'). This table makes sure that your machine
knows on which MAC address which ipaddress is so it can do an Internet-to-Ethernet
translation. When the broadcast reaches your machine it will be received on both your
NICs. Arp notices that it gets a package from a MAC address of which it thought was on
interface 0 on interface 1 and reports this problem. I think you might agree with me that
this is a good thing. But everything works fine and there are situations where such a
setup is desired and this problem generates allot of messages. These messages are going
to hide some of the important other messages because of the amount of them so you really
want to get rid of them.

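In other words: a switch only recognizes MAC addresses. When it receives a broadcast, it sends that broadcast out of every port on the switch. Your machine maintains an ARP table (run arp -a on the command line to view it); this table lets your machine know which IP address corresponds to which MAC address, so that it can perform the Internet-to-Ethernet translation. A broadcast coming from the switch is delivered to both NICs; arp sees a packet from a MAC address it thought was on interface 0 arriving on interface 1, and reports the problem to the system. You may agree with me that this is a good thing. Everything works fine, yet a large number of these messages keep being generated (a slip by the author; it should be "a lots of messages"). They appear so often that they get in the way of reading other important messages, so you really want to get rid of them.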

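Solutions:
There are four options, though we normally do not use the others:
1. Ignore the messages.
2. Remove the message from the source code.
In /usr/src/sys/netinet/if_ether.c, find
log(LOG_ERR, "arp: %s is on %s%d but got reply from %6D on %s%d\n", ...);
Remove this statement and run make world again.
3. Improve the network layout by connecting through a router (a router can effectively filter out some broadcast traffic).
4. Adjust a kernel parameter. Option 4 is the effective and easy one. On FreeBSD it can be done as follows:
root@host:/# sysctl -w net.link.ether.inet.log_arp_wrong_iface=0
Then add one line to /etc/sysctl.conf (create the file yourself if it does not exist):
net.link.ether.inet.log_arp_wrong_iface=0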

The procedure is the same on other *nix systems, although most Linux default kernel configurations already have this set to 0.
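Because the same log line also appears during ARP spoofing, it helps to check which MAC addresses are actually answering before silencing it with option 4. The following Python triage is an added example, not part of the original post: the sample log lines, the addresses and the `KNOWN` inventory are constructed, and the line layout is assumed from the message format shown above.

```python
import re
from collections import defaultdict

# Message shape from the page: arp: <ip> is on <if> but got reply from <mac> on <if>
WRONG_IFACE = re.compile(
    r"arp: ?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is on (?P<owner>\w+) "
    r"but got reply from (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) on (?P<seen>\w+)",
    re.IGNORECASE,
)

# Constructed sample input (documentation IPs, made-up MACs and hostname).
SAMPLE_LOG = """\
May 14 19:30:01 gw kernel: arp: 192.0.2.10 is on em0 but got reply from 00:16:3e:00:00:0a on em1
May 14 19:30:09 gw kernel: arp: 192.0.2.10 is on em0 but got reply from 00:16:3e:00:00:0a on em1
May 14 19:31:12 gw kernel: arp: 192.0.2.1 is on em0 but got reply from 00:16:3e:00:00:01 on em1
May 14 19:31:13 gw kernel: arp: 192.0.2.1 is on em0 but got reply from 02:00:00:de:ad:01 on em1
May 14 19:32:40 gw kernel: arp: 192.0.2.20 is on em0 but got reply from 00:16:3e:00:00:14 on em1
May 14 19:33:00 gw kernel: em1: link state changed to UP
"""
# Constructed inventory of the MAC each IP is supposed to have.
KNOWN = {"192.0.2.10": "00:16:3E:00:00:0A", "192.0.2.1": "00:16:3e:00:00:01"}


def summarize(log_text):
    """Collect, per IP, the MACs that answered on the wrong interface and the hit count."""
    seen = defaultdict(lambda: {"macs": set(), "count": 0})
    for line in log_text.splitlines():
        m = WRONG_IFACE.search(line)
        if m:
            seen[m["ip"]]["macs"].add(m["mac"].lower())
            seen[m["ip"]]["count"] += 1
    return dict(seen)


def triage(log_text, known):
    """expected: only the inventoried MAC replied; conflict: several MACs claim
    the IP (typical of ARP spoofing); unknown: one MAC that is not inventoried."""
    verdicts = {}
    for ip, info in summarize(log_text).items():
        if len(info["macs"]) > 1:
            verdicts[ip] = "conflict"
        elif info["macs"] == {known.get(ip, "").lower()}:
            verdicts[ip] = "expected"
        else:
            verdicts[ip] = "unknown"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG, KNOWN).items():
        print(ip, verdict, sorted(summarize(SAMPLE_LOG)[ip]["macs"]))
```

Only entries that come back as "expected" match the benign dual-NIC case described above; "conflict" and "unknown" entries deserve a look before log_arp_wrong_iface is set to 0.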
