Re: [suse-security] firewall messages.... what is goin on?
thanks for the prompt response: the thing is there is ... or was nothing wrong for months: I don't have 192.168.0.5, my ports are scanned intensely and the firewall lists are endless... on top of that strange phantom nics appeared, I mailed that earlier in this group. By now I have screenshots of that (control centre-nic's in kde 3). I don't want to cry wolf but something strange is happening. What kind of info do you need?

piet

Armin Schöch wrote:
Hi Piet !
Probably you can find the answer when looking for the keywords "martian source" with Google or any other search engine.
Jun 17 05:47:36 photoserver kernel: martian source 213.17.34.12 from 192.168.0.5, on dev ppp0
Jun 17 05:47:36 photoserver kernel: ll header: 45:00:00:4e
Jun 17 05:47:36 photoserver kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=213.22.197.144 DST=213.17.34.12 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=16403 PROTO=UDP SPT=137 DPT=137 LEN=58
There is a packet coming from your dial-up interface ppp0 with the source address 213.22.197.144 to port 137 (netbios-ns) of your machine. "Martian source" means that the packet is coming from the wrong interface. This is a sign that there is something misconfigured in the network either at your routing or at any other PC in your network neighbourhood.
Jun 17 05:47:37 photoserver kernel: martian source 213.17.34.12 from 192.168.0.5, on dev ppp0
The packet with source IP 213.17.34.12 is coming from your interface ppp0 with IP 192.168.0.5. But this is a private subnet where only source IPs of 192.168. are allowed. Therefore it's a martian source.
Jun 17 05:47:37 photoserver kernel: ll header: 45:00:00:4e
--> This seems to be a ping packet (ICMP echo request).
Jun 17 05:47:37 photoserver kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=213.22.197.144 DST=213.17.34.12 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=19731 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 17 05:47:39 photoserver kernel: martian source 213.17.34.12 from 192.168.0.5, on dev ppp0
Jun 17 05:47:39 photoserver kernel: ll header: 45:00:00:4e
Jun 17 20:57:58 photoserver kernel: SuSE-FW-UNALLOWED-ROUTINGIN=ppp0 OUT=eth1 SRC=195.96.96.97 DST=192.168.0.4 LEN=126 TOS=0x00 PREC=0x00 TTL=248 ID=22226 DF PROTO=UDP SPT=53 DPT=137 LEN=106
Obviously there is more unallowed routing going on. You should provide more details about your network setup so we have a better chance of understanding the problem.
HTH,
Armin

--
Am Hasenberg 26              office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                  Schloss-Straße 6
Tel. ++49-(0)38203/42137             D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de          Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/          Fax. +49-(0)38293-68-50
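
An added example, not part of either poster's message: a small Python parser for the three kinds of kernel line quoted in this thread, so that a long firewall log can be reduced to structured events and per-port counts. It relies on the Linux kernel's field order for the martian message (destination first, then the claimed source) and assumes that on ppp0 the four "ll header" bytes are the start of the IPv4 header; the function names are made up for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: log lines quoted in the thread, one entry per line.
SAMPLE = """\
Jun 17 05:47:36 photoserver kernel: martian source 213.17.34.12 from 192.168.0.5, on dev ppp0
Jun 17 05:47:36 photoserver kernel: ll header: 45:00:00:4e
Jun 17 05:47:36 photoserver kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=213.22.197.144 DST=213.17.34.12 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=16403 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 17 20:57:58 photoserver kernel: SuSE-FW-UNALLOWED-ROUTINGIN=ppp0 OUT=eth1 SRC=195.96.96.97 DST=192.168.0.4 LEN=126 TOS=0x00 PREC=0x00 TTL=248 ID=22226 DF PROTO=UDP SPT=53 DPT=137 LEN=106
""".splitlines()

# Kernel field order: destination first, then the source the packet claimed.
MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
# The rule name can be fused with IN= when the log prefix has no trailing space.
FW = re.compile(r"kernel: (SuSE-FW-[A-Z-]+?)\s*(IN=.*)$")

def analyze(lines):
    """Turn martian, ll header and SuSE-FW lines into a list of event dicts."""
    events, last = [], None
    for line in lines:
        if m := MARTIAN.search(line):
            dst, src, dev = m.groups()
            last = {"kind": "martian", "dst": dst, "src": src, "dev": dev,
                    "src_private": ipaddress.ip_address(src).is_private}
            events.append(last)
        elif "ll header:" in line and last:
            raw = bytes.fromhex(line.split("ll header:")[1].strip().replace(":", ""))
            # Assumption: on a ppp device these bytes begin the IPv4 header.
            if last["dev"].startswith("ppp") and len(raw) >= 4:
                last["ip_version"] = raw[0] >> 4
                last["ip_total_len"] = int.from_bytes(raw[2:4], "big")
        elif m := FW.search(line):
            fields = {}
            for tok in m.group(2).split():
                k, sep, v = tok.partition("=")
                if sep:
                    fields.setdefault(k, v)  # keep the IP LEN, not the UDP LEN
            events.append({"kind": "fw", "rule": m.group(1), **fields})
    return events

def port_counts(events):
    """Count firewall hits per (rule, protocol, destination port)."""
    return Counter((e["rule"], e["PROTO"], e["DPT"])
                   for e in events if e["kind"] == "fw" and "DPT" in e)

if __name__ == "__main__":
    for event in analyze(SAMPLE):
        print(event)
    print(port_counts(analyze(SAMPLE)))
```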