On Thu, 24 Oct 2002, Grosswiler Roger wrote:
Joerg Henner wrote: [...]
Once again, complete:

Oct 24 00:00:23 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1
Oct 24 00:00:23 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
<hw-address of cablemodem, see below ARP

ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 ^^^^^^^^^^^^^^^^^
This does not really seem to be a MAC-Address..

http://www.susesecurity.com/faq/ -> see about in the middle for Martians...

I found another link...how about this one?
*giggl* - well, I meant that HE has to find the Network-Card with the specified MAC-Address ;))))
arp

arp -n was a good idea...

Address          HWtype  HWaddress           Flags Mask  Iface
217.162.200.1    ether   00:09:7B:8D:08:54   C           eth1
My Net is Class A 10.0.0.0
Subnet is 255.0.0.0
IP 217.162.200.80 -> one IP of my Cablemodem

My Server really has 2 Network-Cards:
eth0 -> LAN 10.0.0.0/8
eth1 -> WAN 217.162.200.80/Cablemodem

eth0      Link encap:Ethernet  HWaddr 00:04:5A:65:F8:B7
          inet addr:10.0.0.2  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::204:5aff:fe65:f8b7/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29371 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27561 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4649259 (4.4 Mb)  TX bytes:5552056 (5.2 Mb)
          Interrupt:5 Base address:0x7000

eth1      Link encap:Ethernet  HWaddr 00:00:E8:56:EB:D7
          inet addr:217.162.200.80  Bcast:255.255.255.255  Mask:255.255.248.0
          inet6 addr: fe80::200:e8ff:fe56:ebd7/10 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2514331 errors:0 dropped:0 overruns:0 frame:0
          TX packets:644829 errors:0 dropped:0 overruns:0 carrier:0
          collisions:428 txqueuelen:100
          RX bytes:181205855 (172.8 Mb)  TX bytes:112859445 (107.6 Mb)
          Interrupt:11 Base address:0x220

2 interfaces are needed for the routing between internet/lan. See ifconfig below. I am nearly sure that there is a misconfiguration error.
Or am I missing something here?
Christian
OK, Roger gave you the link where to read more about it. This is a message from kernel routing. Please check both lines in /var/log/messages: the first one tells you the (claimed) source IP and the destination IP and the interface where it was detected. The second one (see above) contains the MACs from where to where the packet should be routed. Both should be interfaces on the same net segment, one belongs probably to the listed interface (eth0).
What do these messages tell you? If the (claimed) source IP is a valid IP in your LAN, and these messages are random somehow (well, I need to explain this in more detail ..), then it's most likely a mis-configured client, for example routing (see in docs mentioned above). If the source IP is not valid in your LAN, and you have these messages in a sequence (for example every 2 seconds, or increasing IP), then it's most likely that someone scans with spoofed IPs.
What to do? If you don't care about the scans (probably 'cause you know that your firewall is prepared for it:), then you may just ignore these messages. If you feel that it's a mis-configured client, fix it. You simply may switch off the logging by

echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians

I've done this as normally I trust my firewall....
Does this answer your question?

Achim
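
The two kernel lines quoted in this thread, decoded as an added example (not part of any poster's message): the 14-byte "ll header" is split into destination MAC, source MAC and EtherType, and the claimed source IP is checked against the interface networks from the ifconfig output above. The function names and the INTERFACES table are illustrative assumptions.

```python
import ipaddress
import re

# Constructed sample: the two kernel lines quoted in the thread.
SAMPLE_LOG = """\
Oct 24 00:00:23 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1
Oct 24 00:00:23 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
"""

# Interface networks taken from the ifconfig output in the thread.
INTERFACES = {
    "eth0": ipaddress.ip_network("10.0.0.2/255.0.0.0", strict=False),
    "eth1": ipaddress.ip_network("217.162.200.80/255.255.248.0", strict=False),
}

MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LL_HEADER = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})", re.I)


def decode_ll_header(hex_bytes):
    """Split a 14-byte Ethernet header: destination MAC, source MAC, EtherType."""
    parts = hex_bytes.lower().split(":")
    return {
        "dst_mac": ":".join(parts[0:6]),
        "src_mac": ":".join(parts[6:12]),
        "ethertype": "0x" + "".join(parts[12:14]),
    }


def parse_martians(log_text):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events, current = [], None
    for line in log_text.splitlines():
        m = MARTIAN.search(line)
        if m:
            # The kernel prints the destination first, then the claimed source.
            current = {"dst_ip": m.group(1), "src_ip": m.group(2), "dev": m.group(3)}
            src = ipaddress.ip_address(current["src_ip"])
            # Interfaces whose attached network contains the claimed source.
            current["src_belongs_to"] = sorted(
                name for name, net in INTERFACES.items() if src in net)
            events.append(current)
            continue
        h = LL_HEADER.search(line)
        if h and current is not None:
            current.update(decode_ll_header(h.group(1)))
            current = None
    return events


if __name__ == "__main__":
    for event in parse_martians(SAMPLE_LOG):
        print(event)
```

For the quoted lines, the source MAC is the one the ARP table lists for 217.162.200.1, and the claimed source 10.225.80.1 falls inside the eth0 network while the packet arrived on eth1.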