debian gateway relaying appletalk aagh!

[browolf]

we have a debian box acting as a gateway (2 nics) on a mac network primarily to separate all the macs and the macserver from our windows network. All it does is relay the internet on squid to our other debian proxy and cups for printing. Have just discovered there's a tonne of apple talk broadcasts leaking on to the windows thats been causing IP spoofing on our ISA sevrer and possibly some other network problems we've been having for ages.

The person that has setup both of these debians has left. I have enough understanding of linux that if someone points me in the right direction i can probably muddle through.

so what the best way to block this appletalk on this debian box?

cheers

Andyt

[Ric_]

If you are using OS X, you don't need Appletalk anyway so it may be better to investigate the source first.

[Geoff]

Code:

apt-get remove netatalk

[browolf]

what i know about OS X could be written on a postage stamp! it was all setup by some apple people so dont want to be messing with that

[browolf]

Code:

apt-get remove netatalk

i'll check that. its all ip stuff from 10.10.10.10 to 255.255.255.255
strangely the same ip has changing mac addresses.

[Geoff]

You could also install ArpWatch on your Debian machine to track it down.

[browolf]

i was thinking i could maybe use some firewall thing on the deb box just to block the outgoing traffic to the windows nic.

[Geoff]

install shorewall.

[browolf]

had a look. netatalk isnt installed.

[Geoff]

Then it's not appletalk, it's something else. I suggest you pull our your favorite network sniffer and examine the problem packets. Chances get some clues as to which system is generating it.

[Ric_]

Surely netatalk doesn't need to be installed if the box is set up to simply route all traffic.

[browolf]

i tried to upload a packet dump but it wont allow the extension

[browolf]

Surely netatalk doesn't need to be installed if the box is set up to simply route all traffic.

is there anyway to find out? i know....

Destination Gateway Genmask Flags Metric Ref Use Iface
10.1.17.0 * 255.255.255.0 U 0 0 0 eth1
192.168.0.0 * 255.255.0.0 U 0 0 0 eth0

hmm i thought those macs had 10.10.10.x addresses but it seems they have 10.1.17.0


0000 ff ff ff ff ff ff 00 0f cb f8 f0 0e 08 00 45 00 ........ ......E.
0010 00 22 00 00 00 00 00 63 a6 66 0a 0a 0a 0a ff ff .".....c .f......
0020 ff ff 6d 65 6b 6d 69 74 61 73 64 69 67 6f 61 74 ..mekmit asdigoat
0030 00 12 a9 54 9a c0 08 04 00 00 00 00 00 00 20 01 ...T.... ...... .
0040 20 01 00 21 01 b1 00 ff c0 a8 2d cb 00 16 39 fc ..!.... ..-...9.
0050 00 00 00 00 00 00 00 00 00 00 00 00 33 63 6f 6d ........ ....3com
0060 2d 41 50 32 37 35 30 3a 52 45 4c 5f 33 2e 32 2e -AP2750: REL_3.2.
0070 32 2e 30 5f 30 33 32 39 30 35 5f 41 50 00 03 00 2.0_0329 05_AP...
0080 02 00 77 00 00 00 00 41 74 68 65 72 6f 73 3a 4d ..w....A theros:M
0090 49 50 53 33 32 20 73 70 65 65 64 3d 31 36 30 30 IPS32 sp eed=1600
00a0 30 30 30 30 30 20 48 7a 20 76 65 72 00000 Hz ver


hmmm. ap2750 is some sort of wireless ap. we have wireless aps...

[Oops_my_bad]

Did you ever get to the bottom of this?

I am currently getting a lot of spoofed access point MAC warnings by our wireless controller (3com WX4400 with AP2750 AP's). Like you we also have Mac's on our network (albeit on the same subnet) When I run a sniffer I am getting a load of multicast broadcasting from a 10.10.10.x address. The MAC address seems to match that of our wireless controller. These broadcasts are affecting the usability of our wireless network! Googling this I ran "igmp-proxy-reporting disable" on the console of the WX as this seemed to be causing the issue however it hasnt improved anything.

[Oops_my_bad]

Scrap that - looks like it's the Altiris client agent on our HP thin clients causing this!

Does some funny things this Multicast...