I am getting in my logs the following messages every three minutes: Jan 9 21:35:30 server2 kernel: martian source 0101a8c0 for ff[changed], dev eth1 Jan 9 21:35:30 server2 kernel: ll header: ff ff ff ff ff ff 00 a0 24 c7 08 86 08 00 If I've understood correctly from previous SuSE archive messages, 0101a8c0 is hex for IP address 192.168.1.1 and ff7150c6 is hex for xx.yy.zz.255 (IP address changed to protect their anonymity) Again if I've understood correctly the header "11 header" is Destination: ff ff ff ff ff ff = broadcast Source: 00 a0 24 c7 08 86 = sender's MAC address Type: 08 00 (no idea what this means but I assume it does not matter. I have two linux PCs, server1 (SuSE 6.2) and server2 (SuSE 7.0). Both have an external interface on a network connected to a router to "the internet" and have IP addresses xx.yy.zz.a and xx.yy.zz.b. eth1 on server2 is on this network. The external NIC on server1 does have MAC address 00:a0:24:c7:08:86 Both server1 and server2 have internal networks with IP addresses 192.168.1.1 and 192.168.1.6 respectively. So what the message seem to be saying is that the external interface on server2 is receiving packets from the internal interface on server1. This presumably should not happen. It seems to me that there are two possibilities here. First that I have the interface cards on server2 the wrong way round, so that eth1 on server2 with IP address xx.yy.zz.b is connected to the internal network and eth0 with IP address 192.168.1.6 to the external network. How can I test this? I have tried on server2 running
/sbin/arp -a and get server1 (192.168.1.1) at 00:E0:29:2D:CF:51 [ether] on eth0 server1 (xx.yy.zz.a) at 00:A0:24:C7:08:86 [ether] on eth1 workstation (xx.yy.zz.c) at 00:A0:24:C7:09:4F [ether] on eth1 router (xx.yy.zz.254) at 00:30:94:E5:C5:77 [ether] on eth1
and doing the same on server1 I get: server2 (192.168.1.6) at 00:C0:DF:01:C7:C8 [ether] on eth0 server2 (xx.yy.zz.b) at 00:C0:DF:F3:15:D1 [ether] on eth1 workstation (xx.yy.zz.c) at 00:A0:24:C7:09:4F [ether] on eth1 router (xx.yy.zz.254) at 00:30:94:E5:C5:77 [ether] on eth1 That looks to me like they're the right way round. Both servers are running the SuSE firewal script with IP forwarding switched on. So is the second possibility somehow that one server is forwarding packets through to the second? Could this be causing the problem? If so, is there a solution somewhere in firewall.rc.config in one of the two machines (and if so which one, or both). Or can I switch off logging with: echo "0" > /proc/sys/net/ipv4/ip_log_martians and would this cause any security concerns? Many thanks Andrew -- Andrew Hougie, Grinton, Aldenham Grove, Radlett, Hertfordshire, England, WD7 7BW Email: andrew@hougie.co.uk WWW: http://www.hougie.co.uk
participants (1)
-
Andrew Hougie