On Thu, Oct 23, 2003 at 08:04:46AM +0800, Joe Morris (NTM) wrote:
On 10/23/2003 06:37 AM, Kastus wrote:
I have both FW_LOG_CRITICAL and FW_LOG_ALL set to "yes" but SuSEfirewall is not logging those spoofed packets from localhost.
Does it mean that kernel drops martian source packets before they reach iptables?
Check FW_KERNEL_SECURITY. This needs to be Yes to log the martian sources messages.
Just checked, it is set to yes. I still wonder whether martian source packets ever reach iptables, or whether they are dropped before that so iptables sees nothing. I looked at the source, /usr/src/linux/net/ipv4/route.c, and here is what is done to martian source packets:

martian_source:
        rt_cache_stat[smp_processor_id()].in_martian_src++;
#ifdef CONFIG_IP_ROUTE_VERBOSE
        if (IN_DEV_LOG_MARTIANS(in_dev) && net_ratelimit()) {
                /*
                 *      RFC1812 recommendation, if source is martian,
                 *      the only hint is MAC header.
                 */
                printk(KERN_WARNING "martian source %u.%u.%u.%u from "
                        "%u.%u.%u.%u, on dev %s\n",
                        NIPQUAD(daddr), NIPQUAD(saddr), dev->name);
                if (dev->hard_header_len) {
                        int i;
                        unsigned char *p = skb->mac.raw;
                        printk(KERN_WARNING "ll header: ");
                        for (i = 0; i < dev->hard_header_len; i++, p++) {
                                printk("%02x", *p);
                                if (i < (dev->hard_header_len - 1))
                                        printk(":");
                        }
                        printk("\n");
                }
        }
#endif
        goto e_inval;

e_inval:
        err = -EINVAL;
        goto done;

done:
        if (free_res)
                fib_res_put(&res);
        if (dev_out)
                dev_put(dev_out);
out:
        return err;

Does it mean at this point that the packet is dropped?

Thanks,
-Kastus
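Added example, not part of Kastus's message or of the kernel source he quotes. The martian check above runs inside the routing lookup, which the kernel performs after the netfilter PREROUTING hook and before the INPUT and FORWARD hooks where filter rules sit, so a packet that takes the "goto e_inval" path is discarded without ever being seen by a filter-table LOG rule; the printk quoted above is the only record of it. Two details of that printk matter when reading the log: the kernel prints the destination address first and the spoofed source second ("martian source DADDR from SADDR"), and the "ll header" line is the raw link-layer header, which on Ethernet is 6 bytes of destination MAC, 6 bytes of source MAC and a 2-byte type. The script below parses constructed log lines of exactly that shape and attributes each event to the link-layer sender, which is the hint RFC 1812 (and the comment in route.c) says is the one you have. The sample log lines are made up for the example; the kernel prefix and timestamp formats of a real syslog may differ.

```python
"""Parse kernel 'martian source' log lines and attribute each event to the
link-layer sender. The line formats are taken from the route.c printk calls
quoted in the message above; the sample log below is constructed."""
import re

# Note the kernel's argument order: destination first, spoofed source second.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d+\.\d+\.\d+\.\d+) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+), on dev (?P<dev>\S+)"
)
# hard_header_len bytes printed as colon-separated hex octets.
LL_HEADER_RE = re.compile(r"ll header: (?P<hdr>[0-9a-f]{2}(?::[0-9a-f]{2})*)")

def parse_martian_log(lines):
    """Return one dict per martian event.

    Each 'martian source' line is paired with the 'll header' line the kernel
    prints immediately after it. A device with hard_header_len == 0 (for
    example a point-to-point link) prints no ll header, so such an event is
    kept with the link-layer fields left as None."""
    events = []
    expect_header = False
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:
            events.append({"dst": m["dst"], "src": m["src"], "dev": m["dev"],
                           "l2_src": None, "l2_dst": None, "ethertype": None})
            expect_header = True
            continue
        h = LL_HEADER_RE.search(line)
        if h and expect_header:
            expect_header = False
            octets = h["hdr"].split(":")
            # Only decode the 14-byte Ethernet layout: dst MAC, src MAC, type.
            # Other link types have other layouts and are left undecoded.
            if len(octets) == 14:
                events[-1]["l2_dst"] = ":".join(octets[0:6])
                events[-1]["l2_src"] = ":".join(octets[6:12])
                events[-1]["ethertype"] = "0x" + "".join(octets[12:14])
    return events

def spoofers_by_mac(events):
    """Count events per (device, link-layer sender).

    The forged IP source tells you nothing about the origin; the source MAC
    on the ingress device is the address to look up in the switch tables."""
    counts = {}
    for ev in events:
        key = (ev["dev"], ev["l2_src"])
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample input resembling /var/log/messages with log_martians on.
SAMPLE_LOG = [
    "kernel: martian source 192.168.1.10 from 127.0.0.1, on dev eth0",
    "kernel: ll header: 00:0c:29:12:34:56:00:50:56:ab:cd:ef:08:00",
    "kernel: martian source 192.168.1.10 from 127.0.0.1, on dev eth0",
    "kernel: ll header: 00:0c:29:12:34:56:00:50:56:ab:cd:ef:08:00",
    "kernel: martian source 10.0.0.1 from 10.0.0.99, on dev ppp0",
]

if __name__ == "__main__":
    for (dev, mac), n in spoofers_by_mac(parse_martian_log(SAMPLE_LOG)).items():
        print(f"{n:4d} spoofed packet(s) on {dev} from link-layer sender {mac}")
```

Run it against real output by feeding the script the relevant lines from /var/log/messages (or dmesg) instead of SAMPLE_LOG; the net_ratelimit() call in the quoted code means a flood of spoofed packets will produce far fewer log lines than packets, so the counts are a lower bound, not a packet count.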