Mailinglist Archive: opensuse-security (257 mails)
Re: [suse-security] Martian source
- From: m3047@xxxxxxxx (Fred Morris)
- Date: Mon, 2 Aug 2004 09:32:59 -0700
- Message-id: <v02130501bd341a9e9965@[10.0.0.251]>
We get these from the phones which are part of an ethernet/IP phone system
when they come in over an IPSec tunnel with a separate subnet at the other
end and are trying to contact the switch. The local tunnel endpoint is not
running on the default gateway (and no way to set routes on idiot phone
switch), so there is a route on the default gateway machine to send the
packets to the machine with the tunnel endpoint (certainly not an optimal
network configuration, but it works for everything else).
The box with the VPN endpoint then drops the martian packets (could turn
that off, I suppose). The expedient course of action was to change the
default route on the phone switch so that it points to the VPN gateway, and
then they're not considered "martian". So far that hasn't broken anything
else; I suppose if it does we'll have to add a route to the VPN box so that
it redirects "normal" traffic to the default gateway.. :-\
--
Fred Morris
fredm3047@xxxxxxxx (I-ACK)