Hi Kevin, We've got the same problem from our NT box. The multihomed NT server box has 2 nics. One goes to our internal network. One is dedicated via a switch to our Linux internet server. Both have different ip addresses ( I mean network addresses ie 192.168.7.XX and 192.168.1.XX) The Linux box has 2 nics. One to the internet router, and one to the NT box via the switch(192.168.1.XX). the NT box transmits a broadcast every 5 minutes (exactly 5 mins) on the second nic 192.168.1.xx but the traffic is for the other network (192.168.7.xx). So far we have turned off routing, all the bindings for the second nic, disabled wins, disabled browsing, We still get the broadcast. Why it's on the wrong nic is a mystery. I suspect that this is one of the reasons that MS software is insecure. I am just going to disable the reporting of Martian source on that interface. As for where its coming from in /usr/var/messages ther should be something like this. Mar 8 14:07:34 floyd kernel: martian source 255.255.255.255 from 192.168.7.XX, on dev eth0 Mar 8 14:07:34 floyd kernel: ll header: ff:ff:ff:ff:ff:ff:00:02:b3:3b:6d:73:08:00 The first line will tell you what it is and where from (in this case broadcast from 192.168.7.xx) The second line in my case shows all the ff ie 255.255.255.255 followed by the MAC address of the nic/machine. So now you know a bit more but like me you are no closer to solving the problem :-) I'm just off to turn ours off. Bye for now Steve -----Original Message----- From: Kevin Passey [mailto:kpassey@kdpsoftware.co.uk] Sent: 08 March 2002 14:47 To: SuSE Security (E-mail) Subject: RE: [suse-security] Firewall2 log - What does this mean Hi again, This is what I have set up Internet-------------->>>>> ADSL Router>>>>>>>NT SBS with SMTP only - plus firewall and Proxy --------------------->>>>> Same >>>>>>>>>>>>>Linux 7.3 Suse - Web Server + forward rules to DB server The NT machine is connected to our internal network it has 2 nic's 10.0.0.xxx plus 62.49.zzz.xxx (as in the log) The Linux machine is also connected to our internal network it too has 2 nic's 10.0.0.5 plus 62.49.zzz.yyy. Are the packets somehow getting past the NT firewall - how can I tell where they are coming from. Regards Kevin -----Original Message----- From: Michael Appeldorn [mailto:appeldorn@codixx.de] Sent: 08 March 2002 14:40 To: SuSE Security (E-mail); Kevin Passey Subject: Re: [suse-security] Firewall2 log - What does this mean Quite easy [snip] What does "kernel: martian source aabbccdd for 11223344, dev eth0" mean? These are packets that Linux does not expect from the direction they came from (i.e. packets from internal hosts coming in on the external interface). The cause is probably a misconfigured machine on your LAN. You can turn off logging those packets via /proc/sys/net/ipv4/conf/*interface*/log_martians which is documented in /usr/src/linux/Documentation/proc.txt [snap] Michael Appeldorn This message is sent in confidence for the addressee only. It may contain confidential or sensitive information. The contents are not to be disclosed, copied, or forwarded to anyone other than the addressee without permission. Unauthorised recipients are requested to preserve this confidentiality and to advise us of the error in transmission, by emailing us at: info@yeovil-college.ac.uk Thank you for your cooperation.