Suppress arpwatch flip flop emails for Bonjour Sleep Proxy

dbwiddis

I just set up a new SG-3100 and want to get email notifications when a new device joins my network. Arpwatch seems the correct tool for this. However, I have a few Apple TV devices on my network, which use the Bonjour Sleep Proxy service.

The impact of this is that one or more of my apple devices (Time Capsule, Apple TV, MacBook running OSX) will respond to ARP requests for the sleeping device. From the link above: "When a sleep proxy sees an IPv4 ARP or IPv6 ND Request for one of the sleeping device's addresses, it answers on behalf of the sleeping device, without waking it up, giving its own MAC address as the current (temporary) owner of that address."

This results in frequent (every few minutes) changes in MAC Address in the arpwatch database, away from, and then back to, the sleeping device. The symptoms are similar to those reported by @chudak and @Nixxk in Arpwatch Question.

I see no way of suppressing alerts or configuring notifications for the arpwatch emails, either for the assigned static IP, or for Apple OUIs, or any other pattern. It looks like it's all or nothing on the email notifications. I thought I had a workaround just sending it to my gmail address and creating a rule sending some of the unwanted notifications to trash, but now google has temporarily suspended my account for the unusual traffic!

So at this point, I'm just disabling arpwatch. Is there any possible way of configuring it to suppress these emails? Is there any other alternative package to arpwatch that is more configurable?

dbwiddis

EDIT: This has been fixed in release 0.2.0_2. Do not do the hacks below, just update your arpwatch package!

Well, I've managed a temporary hack to stop the messages! I say "temporary" because any change to the arpwatch settings (basically pressing the "save button") undoes them.

There is a file /usr/local/arpwatch/sendmail_proxy.php which does the final step of actually sending the mail, after a little parsing. In that file, I've replaced the line that currently says:

if (false !== $message) {

with a more expanded conditional check which will only send the message if it is not a flip flop email, or does not contain the mac addresses (obfuscated below) of my problematic devices:

$flipflop='flip flop';
$tv1='c8:69:cd:00:00:00';
$tv2='e0:89:7e:00:00:00';
$tv3='1c:1a:c0:00:00:00';
  
if ((false !== $message) and (
  (false === strpos($message, $flipflop)) or
  ( (false === strpos($message, $tv1)) and
    (false === strpos($message, $tv2)) and
    (false === strpos($message, $tv3)) ))) {

Now if I can figure out where this code gets overwritten on the "save" I can try to make it more permanent.

dbwiddis

Aha! That code is written from inside /usr/local/pkg/arpwatch.inc. So if I edit that file it'll not get overwritten unless I remove and re-add the package.

chudak

@dbwiddis @dbwiddis

Did you guys figure out the more perm solution?

I see in file:

#!/usr/bin/env php
<?php

require_once("notices.inc");

$fd = fopen('php://stdin','r');
$message = stream_get_contents($fd);
fclose($fd);

if (false !== $message) {
        $subject = array();
        preg_match('/^Subject: (.*)$/m', $message, $subject);
        $message = preg_replace('/^From: .*$/m', '', $message);
        $message = preg_replace('/^To: .*$/m', '', $message);
        $message = preg_replace('/^Subject: .*$/m', '', $message);
        $message = preg_replace("/^(\n){4}/", '', $message);

        send_smtp_message($message, "{$config['system']['hostname']}.{$config['system']['domain']} - Arpwatch Notificatio
n : {$subject[1]}");
}

?>

dbwiddis

@chudak said in Suppress arpwatch flip flop emails for Bonjour Sleep Proxy:

Did you guys figure out the more perm solution?

As I noted in my second post, the file is generated by code in /usr/local/pkg/arpwatch.inc. Editing that file seems to work! I'm receiving other mails but not the flip flop mails.

chudak

@dbwiddis

Can you pls post the original and the change ?

dbwiddis

EDIT: This has been fixed in release 0.2.0_2. Do not do the hacks below, just update your arpwatch package!

It is posted in my original post. Look in /usr/local/pkg/arpwatch.inc for the line

if (false !== $message) {

And replace it with the below (substitute your own device MAC addresses):

$flipflop='flip flop';
$tv1='c8:69:cd:00:00:00';
$tv2='e0:89:7e:00:00:00';
$tv3='1c:1a:c0:00:00:00';
  
if ((false !== $message) and (
  (false === strpos($message, $flipflop)) or
  ( (false === strpos($message, $tv1)) and
    (false === strpos($message, $tv2)) and
    (false === strpos($message, $tv3)) ))) {

chudak

@dbwiddis Thx !

dbwiddis

Actually, I realized I had an error and reversed the order of the arguments in the strpos. I've corrected my posts. What I had suppressed all messages, oops :)

chudak

@dbwiddis
I was about to say - it does not work :)

Thx for correction.
We will see now!

chudak

@dbwiddis said in Suppress arpwatch flip flop emails for Bonjour Sleep Proxy:

Actually, I realized I had an error and reversed the order of the arguments in the strpos. I've corrected my posts. What I had suppressed all messages, oops :)

So far in last 3-4 hours it seem to be holding water :)
Did you tested if it will stay if arpwatch reinstalled it will stay in place or not ?

dbwiddis

@chudak said in Suppress arpwatch flip flop emails for Bonjour Sleep Proxy:

Did you tested if it will stay if arpwatch reinstalled it will stay in place or not ?

I did just test and uninstall / reinstall arpwatch, and it wiped the script hack and the database. But it was easy to put back in.

chudak

@dbwiddis

I installed arpwatch 0.2.0_1 and see 'sometimes' still flip flop emails.

Odd...
Do you see it after upgrade ?

dbwiddis

@chudak said in Suppress arpwatch flip flop emails for Bonjour Sleep Proxy:

@dbwiddis

I installed arpwatch 0.2.0_1 and see 'sometimes' still flip flop emails.

Odd...
Do you see it after upgrade ?

Since uninstall/reinstall replaced my custom fixes it wouldn't surprise me if an upgrade overwrote any modifications you've made. Just go re-edit the /usr/local/pkg/arpwatch.inc file, and in the arpwatch config hit "save" to copy from there to /usr/local/arpwatch/sendmail_proxy.php. You can use the file viewer to confirm whether the modifications are there.

I have only seen one other "flip flop" email for a different device (my Orbi mesh router, that has a hidden mac/wifi address for its backhaul network).

chudak

@dbwiddis said in Suppress arpwatch flip flop emails for Bonjour Sleep Proxy:

/usr/local/arpwatch/sendmail_proxy.php

I did not did Save configuration step, hope it's good now.
Confirmed now the changes were saved to /usr/local/arpwatch/sendmail_proxy.php

Thx

viktor_g

Please see https://redmine.pfsense.org/issues/10474

dbwiddis

@viktor_g Fantastic! I had thought about doing something like that but had no clue where to start.

dbwiddis

So now that @viktor_g showed us the right way to make a permanent fix, I've implemented that change as well as my own tweak to it, and another request to not wipe the database on uninstall/upgrade. I love this community. :)

chudak

@dbwiddis very cool !

What's ETA for this to be merged ?

dbwiddis

@chudak said in Suppress arpwatch flip flop emails for Bonjour Sleep Proxy:

What's ETA for this to be merged ?

Dunno, @viktor_g made a pull request that someone has to review, and I made a pull request to his branch that he has to review (and testing indicates might be broken...) and then even when they are all accepted they need to release 0.2.0_2.

So.... don't hold your breath, but if you're comfortable hacking a bit, you can get a jump on the official release :)