The Friday 2004-01-09 at 23:00 -0500, L. Mark Stone wrote:
On Fri, 2004-01-09 at 18:33, Carlos E. R. wrote:
The Thursday 2004-01-08 at 20:40 -0500, L. Mark Stone wrote:
Note that the machine generating these messages has a fixed private IP address of 192.168.15.225, runs Samba server and connects to the Internet (via wireless) through a SonicWall Tele3 appliance (if all of that info is helpful).
Thanks!
Jan 8 20:33:13 outside kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=wlan0 OUT= MAC= SRC=192.168.15.225 DST=192.168.15.255 LEN=259 TOS=0x00 PREC=0x00 TTL=64 ID=6763 DF PROTO=UDP SPT=138 DPT=138 LEN=239
Jan 8 20:33:13 outside kernel: martian source 192.168.15.255 from 192.168.15.225, on dev wlan0
Jan 8 20:33:13 outside kernel: ll header: ff:ff:ff:ff:ff:ff:00:80:c8:16:38:4a:08:00
What is connected to /dev/wlan0? Who has the above ethernet address? Try "arp -a".
That will give you the machine sending those packets.
Carlos,
outside:/home/lmstone # arp -a
? (192.168.15.1) at 00:80:C8:0A:16:48 [ether] on wlan0
? (192.168.15.150) at 00:40:10:17:4D:D1 [ether] on wlan0
? (192.168.15.200) at 00:50:8B:CF:F1:74 [ether] on wlan0
Ok. The machine sending the martian things is the one with the MAC address of "ff:ff:ff:ff:ff:ff:00:80:c8:16:38:4a:08:00". From the output of the arp command, 192.168.15.1 has a similar ethernet MAC address, but not quite the same. Could you double check your logs, at the same time as the command? If we accept that it is the same, then it seems that it is sending claiming to be 192.168.15.225 instead, if I read it correctly. I'm a bit thick today :-)
192.168.15.1 is a wireless access point (my machine, which has an IP of 192.168.15.225, has a wireless NIC).
Physically different interfaces?
The log file is from my machine; it looks to me like my machine is generating the broadcasts, not anything else on the LAN.
Not quite. The kernel says it is a martian source because it is getting an IP from outside that it knows is impossible, because it is its own IP. The firewall says it is an invented IP (spoofed). So, it gives you the hardware address (MAC) so that you can manually check who is claiming to be you.

On a side note... you could enable "snort" (rcsnort start):

Snort - open source network intrusion detection system

This is a log of one of those martian packets (a different type from yours):

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/18-21:16:13.730730 127.0.0.1:80 -> 212.166.94.225:1764
TCP TTL:127 TOS:0x0 ID:21132 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x64C60001 Win: 0x0 TcpLen: 20
[Xref => url rr.sans.org/firewall/egress.php]

You can look at that url for some more documentation on this. And, if they are frequent, you can use "ethereal" to log the packets and look at them.

--
Cheers,
Carlos Robinson
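An added example (not code from the thread) that does the manual check Carlos describes: it splits the kernel's 14-byte "ll header" into destination MAC, source MAC and ethertype, and looks the source MAC up in the "arp -a" table to name the neighbour that sent the packet. The regular expressions are assumptions written for the SuSE-FW and arp output formats shown above, and the sample strings are constructed from the messages quoted in the thread.

```python
import re

# Constructed sample input: the kernel messages and arp -a output quoted in the thread.
KERNEL_LOG = """\
Jan 8 20:33:13 outside kernel: SuSE-FW-DROP-ANTI-SPOOFING IN=wlan0 OUT= MAC= SRC=192.168.15.225 DST=192.168.15.255 LEN=259 TOS=0x00 PREC=0x00 TTL=64 ID=6763 DF PROTO=UDP SPT=138 DPT=138 LEN=239
Jan 8 20:33:13 outside kernel: martian source 192.168.15.255 from 192.168.15.225, on dev wlan0
Jan 8 20:33:13 outside kernel: ll header: ff:ff:ff:ff:ff:ff:00:80:c8:16:38:4a:08:00
"""
ARP_OUTPUT = """\
? (192.168.15.1) at 00:80:C8:0A:16:48 [ether] on wlan0
? (192.168.15.150) at 00:40:10:17:4D:D1 [ether] on wlan0
? (192.168.15.200) at 00:50:8B:CF:F1:74 [ether] on wlan0
"""

# Assumed patterns for the three formats above (not a published SuSE-FW grammar).
FW_LINE = re.compile(r"(?P<rule>SuSE-FW-\S+) IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")
LL_LINE = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})", re.I)
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def split_ll_header(hexbytes):
    """The 14-byte Ethernet header is dst MAC (6) + src MAC (6) + ethertype (2)."""
    o = hexbytes.lower().split(":")
    if len(o) != 14:
        raise ValueError("expected 14 octets in ll header, got %d" % len(o))
    return {"dst_mac": ":".join(o[:6]), "src_mac": ":".join(o[6:12]),
            "ethertype": "0x" + "".join(o[12:])}   # 0x0800 = IPv4

def parse_arp(text):
    """Map MAC -> IP from 'arp -a' output, MACs normalised to lower case."""
    return {m["mac"].lower(): m["ip"] for m in ARP_LINE.finditer(text)}

def attribute_drop(kernel_log, arp_output):
    """Join the firewall line with its ll header and name the sender from the ARP table."""
    fw = ll = None
    for line in kernel_log.splitlines():
        m = FW_LINE.search(line)
        if m:
            fw = m.groupdict()
        m = LL_LINE.search(line)
        if m:
            ll = split_ll_header(m.group(1))
    if fw is None or ll is None:
        return None
    report = dict(fw, **ll)
    # The sender is identified by the source MAC, not by the (spoofable) IP in SRC=.
    report["sender_ip"] = parse_arp(arp_output).get(ll["src_mac"])  # None: not a known neighbour
    report["is_broadcast"] = ll["dst_mac"] == "ff:ff:ff:ff:ff:ff"
    return report
```

For the quoted log the source MAC (00:80:c8:16:38:4a) is not in the arp table at all, so the next thing to compare it against is the host's own wlan0 hardware address; the broadcast destination with UDP port 138 is consistent with the NetBIOS datagram traffic a Samba server emits.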