On Thu, 24 Oct 2002 10:11:57 +0200 (CEST) "Grosswiler Roger" <roger@gwch.ath.cx> wrote:
On Thu, 24 Oct 2002, Grosswiler Roger wrote:
ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00 ^^^^^^^^^^^^^^^^^ This does not really seem to be a MAC-Adress.. http://www.susesecurity.com/faq/ -> see about in the middle for Martians... I found another link...how about this one?
*giggl* - well, i meant that HE has to find the Network-Card with
Joerg Henner wrote: [...] the specified MAC-Adress ;))))
arp
Or am I missing something here?
Christian
ok, Roger gave you the link where to read more about. This is a message from kernel routing. Please check both lines in /var/log/messages, the first on tells you the (claimed) source IP and the destination IP and the interface where it was detected. The second one (see above) contains the MACs from where to where the packet should be routed. Both should be interfaces on the same net segment, one belongs probably to the listed interface (eth0).
What does these messages tell you? if the (claimed) sorce IP is a valid IP in your LAN, and these messages are random somehow (well, I need to explain this more detailled ..), then it's most likely a mis-configured client, for example routing (see in docs mentioned above). If the source IP is not valid in your LAN, and you have these messages in a sequence (for example every 2 seconds, or increasing IP), then it's most likely that someone scans with spoofed IPs.
What to do? If you don't care about the scans (probably 'cause you know that your firewall is prepared for it:), then you may just ignore these messages. If you feel that its a mis-configured client, fix it. You simply may switch of the logging by
echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians
By the way: echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians did not work as i still get those messages...
Please try echo 0 >/proc/sys/net/ipv4/conf/eth1/log_martians echo 0 >/proc/sys/net/ipv4/conf/all/log_martians echo 0 >/proc/sys/net/ipv4/conf/default/log_martians
Does this answer you question? Achim
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
-- ------------------------ /"\ Andreas.Tirok@beusen.de \ / ASCII Ribbon Campaign fon: +49 30 549932-0 X Against HTML Mail fax: +49 30 549932-21 / \