martian source messages
Hi all

I am getting the following martian kernel messages since I changed my ISP:

    martian source 81.56.221.174 from 127.0.0.1, on dev ppp0
    ll header: 45:08:00:28:da:b8:00:00:7d:06:b5:27:7f:00:00:01:51:38:dd:ae:00:50

Now here is the configuration of my box:

I have an ADSL/Ethernet modem on ppp0:

    ppp0 Link encap:Point-to-Point Protocol
         inet addr:81.56.221.174 P-t-P:192.168.254.254 Mask:255.255.255.255

The modem is connected to eth0:

    eth0 Link encap:Ethernet HWaddr 00:60:97:4B:82:AA
         inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0

Additionally I have the loopback interface (127.0.0.1) and one more interface for local network:

    eth1 Link encap:Ethernet HWaddr 00:60:97:75:B4:28
         inet addr:192.168.0.254 Bcast:192.168.0.255 Mask:255.255.255.0

I am running SuSEfirewall2 as FW and NAT router. Here are the main config parameters:

    FW_DEV_EXT="ppp0 eth0"
    FW_DEV_INT="lo eth1"
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_DEV="ppp0"

I don't see where I am getting these "martian packets" from. I need some help.

Cheers
Pep Serrano.
On Sep 17, Pep Serrano
I am getting the following martian kernel messages since I changed my ISP:
    martian source 81.56.221.174 from 127.0.0.1, on dev ppp0
    ll header: 45:08:00:28:da:b8:00:00:7d:06:b5:27:7f:00:00:01:51:38:dd:ae:00:50

[...]

    FW_DEV_EXT="ppp0 eth0"
    FW_DEV_INT="lo eth1"

If you are using PPP over ethernet, eth0 will NOT be your external device. Also, I don't think that lo should be treated as an internal device. It should read

    FW_DEV_EXT="ppp0"
    FW_DEV_INT="eth1"

Markus
--
__________________        /"\
Markus Gaugusch           \ /    ASCII Ribbon Campaign
markus@gaugusch.at         X     Against HTML Mail
                          / \
Hi! I guess you are right. In fact, that was my previous configuration, since always. I tried adding eth0 and lo to SuSEfirewall2 but it didn't make any difference.
If you are using PPP over ethernet, eth0 will NOT be your external device. Also, I don't think that lo should be treated as an internal device. It should read

    FW_DEV_EXT="ppp0"
    FW_DEV_INT="eth1"
Heya, On Wed, 17 Sep 2003, Pep Serrano wrote:
Hi all
I am getting the following martian kernel messages since I changed my ISP:
martian source 81.56.221.174 from 127.0.0.1, on dev ppp0 ll header: 45:08:00:28:da:b8:00:00:7d:06:b5:27:7f:00:00:01:51:38:dd:ae:00:50
Now here is the configuration of my box:
I have an ADSL/Ethernet modem on ppp0:

    ppp0 Link encap:Point-to-Point Protocol
         inet addr:81.56.221.174 P-t-P:192.168.254.254 Mask:255.255.255.255
                                       ^^^^^^^^^^^^^^^

This looks strange. The P-t-P should be an IP of your ISP (your next hop to the internet). If you're using rp-pppoe there is a switch "DEFAULTROUTE=" in your /etc/ppp/pppoe.conf. It has to be like this

    <!-- snip # /etc/ppp/pppoe.conf -->
    # Make the PPPoE connection your default route. Set to
    # DEFAULTROUTE=no if you don't want this.
    DEFAULTROUTE=yes
    <!-- snap -->

If you're using smpppd change it against the rp-pppoe. (I hate smpppd) ;-)
    FW_DEV_EXT="ppp0 eth0"
                     ^^^^
This is not an external device.

    FW_DEV_INT="lo eth1"
                ^^
I think that's not allowed.

    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_DEV="ppp0"
I don't see where I am getting these "martian packets" from. I need some help.
Regards, Thomas
Hi Thomas, On Wednesday 17 September 2003 20:29, Thomas Schweiger wrote:
I have an ADSL/Ethernet modem on ppp0:

    ppp0 Link encap:Point-to-Point Protocol
         inet addr:81.56.221.174 P-t-P:192.168.254.254 Mask:255.255.255.255
                                       ^^^^^^^^^^^^^^^

This looks strange. The P-t-P should be an IP of your ISP (your next hop to the internet). If you're using rp-pppoe there is a switch "DEFAULTROUTE=" in your /etc/ppp/pppoe.conf. It has to be like this

Yes, that's what I thought. Isn't this IP reserved? Indeed the PtP is my default route, and the gateway IP is the one that my ISP sends at the beginning of the connection. Here is my routing table:

    montblanc:/home/pep # netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.254.254 0.0.0.0         255.255.255.255 UH       40 0          0 ppp0
    10.0.0.0        0.0.0.0         255.255.255.0   U        40 0          0 eth0
    192.168.0.0     0.0.0.0         255.255.255.0   U        40 0          0 eth1
    0.0.0.0         192.168.254.254 0.0.0.0         UG       40 0          0 ppp0
    montblanc:/home/pep #

    <!-- snip # /etc/ppp/pppoe.conf -->
    # Make the PPPoE connection your default route. Set to
    # DEFAULTROUTE=no if you don't want this.
    DEFAULTROUTE=yes
    <!-- snap -->

If you're using smpppd change it against the rp-pppoe. (I hate smpppd) ;-)

I've been using the smpppd since 8.0 and never had a problem before. What's so wrong with it?

Cheers
Pep Serrano
Hola, On Wed, 17 Sep 2003, Pep Serrano wrote:
Hi Thomas,
On Wednesday 17 September 2003 20:29, Thomas Schweiger wrote:
I have an ADSL/Ethernet modem on ppp0:

    ppp0 Link encap:Point-to-Point Protocol
         inet addr:81.56.221.174 P-t-P:192.168.254.254 Mask:255.255.255.255
                                       ^^^^^^^^^^^^^^^

This looks strange. The P-t-P should be an IP of your ISP (your next hop to the internet). If you're using rp-pppoe there is a switch "DEFAULTROUTE=" in your /etc/ppp/pppoe.conf. It has to be like this

Yes, that's what I thought. Isn't this IP reserved?
Yepp. It's a non routed private IP address.
Indeed the PtP is my default route, and the gateway IP is the one that my ISP sends at the beginning of the connection.
I can't reproduce why your ISP should give you a private IP address as your standard gateway. 192.168.x.x are not routed addresses.
Here is my routing table:

    montblanc:/home/pep # netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.254.254 0.0.0.0         255.255.255.255 UH       40 0          0 ppp0
    ^^^^^^^^^^^^^^^
Here should be the P-t-P address of your ppp0 device.

    10.0.0.0        0.0.0.0         255.255.255.0   U        40 0          0 eth0
    192.168.0.0     0.0.0.0         255.255.255.0   U        40 0          0 eth1
    0.0.0.0         192.168.254.254 0.0.0.0         UG       40 0          0 ppp0
                    ^^^^^^^^^^^^^^^
and here again.

Something's definitely wrong with your routing table. Have a look at your /etc/ppp/options. It should look like this

    <!-- snip # grep -v ^# /etc/ppp/options | grep -v ^$ -->
    noipdefault
    noauth
    crtscts
    lock
    modem
    asyncmap 0
    nodetach
    lcp-echo-interval 30
    lcp-echo-failure 4
    lcp-max-configure 60
    lcp-restart 2
    idle 600
    noipx
    file /etc/ppp/filters
    <!-- snap -->
<!-- snip # /etc/ppp/pppoe.conf --> # Make the PPPoE connection your default route. Set to # DEFAULTROUTE=no if you don't want this. DEFAULTROUTE=yes <!-- snap -->
If you're using smpppd change it against the rp-pppoe. (I hate smpppd) ;-)
I've been using the smpppd since 8.0 and never had a problem before. What's so wrong with it?
From time to time it happens that after a forced ISP-disconnect the routing table for the ppp0 device isn't flushed (at least on about 40 proxies I have installed). And after the next dial in the default route still has the previous value. So you haven't any route to the internet.
Slantje, Thomas Schweiger
Hola Thomas!
On Wednesday 17 September 2003 20:29, Thomas Schweiger wrote:
I have an ADSL/Ethernet modem on ppp0:

    ppp0 Link encap:Point-to-Point Protocol
         inet addr:81.56.221.174 P-t-P:192.168.254.254 Mask:255.255.255.255

Yes, that's what I thought. Isn't this IP reserved?
Yepp. It's a non routed private IP address. I can't reproduce why your ISP should give you a private IP address as your standard gateway. 192.168.x.x are not routed addresses.
When I do a traceroute from my home box to the inet I get through 192.168.254.254:

    montblanc:/etc/ppp # traceroute microsoft.com
    traceroute to microsoft.com (207.46.245.222), 30 hops max, 40 byte packets
     1 192.168.254.254 (192.168.254.254) 122 ms 136 ms 121 ms
     2 th2-6k-1.routers.proxad.net (212.27.37.30) 121 ms 120 ms 128 ms
     3 Ge1-2.PASBB2.Pastourelle.opentransit.net (193.251.252.221) 123 ms 119 ms 121 ms
     ...

But when I do a traceroute from inet to my home computer the 192.168.254.254 is missing (as should be!):

     ...
     6 free-telecom.sfinx.tm.fr (194.68.129.223) 1.305 ms 2.210 ms 1.644 ms
     7 th2-6k-1-a0.routers.proxad.net (212.27.32.212) 1.623 ms 9.910 ms 2.332 ms
     8 lns-th2-4-a10.routers.proxad.net (212.27.37.4) 2.214 ms 2.088 ms 11.017 ms
     9 lns-th2-4f-81-56-221-174.adsl.proxad.net (81.56.221.174) 79.620 ms 74.923 ms 75.842 ms

Here is my routing table:

    montblanc:/home/pep # netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.254.254 0.0.0.0         255.255.255.255 UH       40 0          0 ppp0
    ^^^^^^^^^^^^^^^
Here should be the P-t-P address of your ppp0 device.
It is the P-t-P address of my ppp0. Do I miss something?
Something's definitely wrong with your routing table. Have a look at your /etc/ppp/options. It should look like this
We have identical ppp options config.

Buenas noches,
Pep Serrano.
At 00:23, Thursday 18 September 2003, Pep Serrano wrote:
Hola Thomas! Buenas noches, Pep Serrano.
Pep, we have the same problem. My P-t-P router has a private ip address too. Everything works properly, except the martians log.

Roland Freeman
Pep, we have the same problem. My P-t-P router has a private ip address too. Everything works properly, except the martians log. A private IP address as gateway is not necessarily a problem. ISP's use
On Sep 18, Roland Freeman
But is this the real cause of our martian logs?
On Sep 18, Roland Freeman
wrote: Pep, we have the same problem. My P-t-P router has a private ip address too. Everything works properly, except the martians log.
A private IP address as gateway is not necessarily a problem. ISP's use this to save IP addresses and it is in no way bad for anyone. As long as they are not used in the route back to you, which isn't the case as you stated.
Last night I spent some time with ethereal tracking my traffic between the loopback and my ppp0. I could see there are some packets from localhost on port 80 to random ports of ppp0. This packet repeats about every minute. I closed almost all services, disabled routing, no applications... lsof didn't show any process using localhost:80, and yet the weird traffic was still there.

Cheers
Pep Serrano.
On Thu, 2003-09-18 at 10:23, Pep Serrano wrote:
But is this the real cause of our martian logs?
On Sep 18, Roland Freeman
wrote: Pep, we have the same problem. My P-t-P router has a private ip address too. Everything works properly, except the martians log.
A private IP address as gateway is not necessarily a problem. ISP's use this to save IP addresses and it is in no way bad for anyone. As long as they are not used in the route back to you, which isn't the case as you stated.
Last night I spent some time with ethereal tracking my traffic between the loopback and my ppp0. I could see there are some packets from localhost on port 80 to random ports of ppp0. This packet repeats about every minute. I closed almost all services, disabled routing, no applications... lsof didn't show any process using localhost:80, and yet the weird traffic was still there.
That would be incoming web requests from machines on the other side of your modem. Probably someone trying to see if you're running a web server. Log the packets and inspect the contents.
Cheers Pep Serrano.
--
Raymond Leach
Ray,
That would be incoming web requests from machines on the other side of your modem. Probably someone trying to see if you're running a web server.
In such case, the traffic should be ppp0 -> loopback or perhaps both directions... But I only can see packets in loopback->ppp0 direction. Where are the requests? Another friend suggested it can be blaster or something related to the winupdate? I really don't get the point... it looks like traffic going out of my loopback but no incoming traffic (e.g. http requests).
Log the packets and inspect the contents.
At 10:23, Thursday 18 September 2003, Pep Serrano wrote:
But is this the real cause of our martian logs?
On Sep 18, Roland Freeman
wrote: Pep, we have the same problem. My P-t-P router has a private ip address too. Everything works properly, except the martians log.
A private IP address as gateway is not necessarily a problem. ISP's use this to save IP addresses and it is in no way bad for anyone. As long as they are not used in the route back to you, which isn't the case as you stated.
Last night I spent some time with ethereal tracking my traffic between the loopback and my ppp0. I could see there are some packets from localhost on port 80 to random ports of ppp0. This packet repeats about every minute. I closed almost all services, disabled routing, no applications... lsof didn't show any process using localhost:80, and yet the weird traffic was still there.
Cheers Pep Serrano.
I did the same, and found the same results. All the packets are from port 80 to a high port on ppp0. Logs report "ll header: 45:00:00:28" While receiving these packets (from localhost:80) I am not even surfing the web, but they still arrive. All tcp packets I have seen have the RST ACK flags set.
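An added example, not part of any post in this thread: the `ll header` bytes quoted in the first message begin with 0x45, so on this ppp0 link they can be decoded directly as an IPv4 header followed by the first two bytes of the transport header. The function names are illustrative.

```python
import ipaddress
import struct

# "ll header" dump copied from the kernel message in the first post.
LL_HEADER = "45:08:00:28:da:b8:00:00:7d:06:b5:27:7f:00:00:01:51:38:dd:ae:00:50"


def ipv4_checksum_ok(header: bytes) -> bool:
    """The one's-complement sum of a valid header, checksum included, is 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_ll_header(dump: str) -> dict:
    """Decode a colon-separated hex dump that starts with an IPv4 header."""
    raw = bytes.fromhex(dump.replace(":", ""))
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("dump does not contain a full IPv4 header")
    ihl = (raw[0] & 0x0F) * 4  # header length in bytes
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("invalid or truncated IPv4 header")
    _, tos, length, _, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    src_ip = ipaddress.IPv4Address(src)
    info = {
        "src": str(src_ip),
        "dst": str(ipaddress.IPv4Address(dst)),
        "tos": tos,
        "total_length": length,
        "ttl": ttl,
        "protocol": proto,
        "checksum_ok": ipv4_checksum_ok(raw[:ihl]),
        # A loopback source seen on a non-loopback device is logged as martian.
        "src_is_loopback": src_ip.is_loopback,
    }
    # The dump carries only a few bytes past the IP header: the TCP/UDP source port.
    if proto in (6, 17) and len(raw) >= ihl + 2:
        info["src_port"] = struct.unpack("!H", raw[ihl:ihl + 2])[0]
    return info


if __name__ == "__main__":
    for key, value in decode_ll_header(LL_HEADER).items():
        print(f"{key}: {value}")
```

For the logged packet this gives source 127.0.0.1 port 80, destination 81.56.221.174, protocol 6 (TCP), total length 40 and TTL 125, with a valid header checksum.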
participants (5)
- Markus Gaugusch
- Pep Serrano
- Ray Leach
- Roland Freeman
- Thomas Schweiger