Mailinglist Archive: opensuse-security (499 mails)

Re: [suse-security] firewall messages.... what is goin on?
  • From: PR <prooroa@xxxxxxxxxx>
  • Date: Mon, 17 Jun 2002 22:50:18 +0200
  • Message-id: <3D0E4B8A.5000509@xxxxxxxxxx>
thanks for the prompt response:
the thing is there is ... or was nothing wrong for months: I don't have 192.168.0.5
my ports are scanned intensely and the firewall lists are endless...
on top of that strange phantom NICs appeared, I mailed that earlier in this group.
By now I have screenshots of that (control centre-nic's in kde 3)
I don't want to cry wolf but something strange is happening.

What kind of info do you need?
piet

Armin Schöch wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Piet !

Probably you can find the answer when looking for the keywords
"martian source" with Google or any other search engine.

Jun 17 05:47:36 photoserver kernel: martian source 213.17.34.12 from
192.168.0.5, on dev ppp0
Jun 17 05:47:36 photoserver kernel: ll header: 45:00:00:4e
Jun 17 05:47:36 photoserver kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC=
SRC=213.22.197.144 DST=213.17.34.12 LEN=78 TOS=0x00 PREC=0x00 TTL=113
ID=16403 PROTO=UDP SPT=137 DPT=137 LEN=58


There is a packet coming from your dial-up interface ppp0 with the
source address 213.22.197.144 to port 137 (netbios-ns) of your
machine. "Martian source" means that the packet is coming from the
wrong interface. This is a sign that there is something misconfigured
in the network either at your routing or at any other PC in your
network neighbourhood.

Jun 17 05:47:37 photoserver kernel: martian source 213.17.34.12 from
192.168.0.5, on dev ppp0


The packet with source IP 213.17.34.12 is coming from your interface
ppp0 with IP 192.168.0.5. But this is a private subnet where only
source IPs of 192.168. are allowed. Therefore it's a martian source.

Jun 17 05:47:37 photoserver kernel: ll header: 45:00:00:4e

- --> This seems to be a ping packet (ICMP echo request).

Jun 17 05:47:37 photoserver kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC=
SRC=213.22.197.144 DST=213.17.34.12 LEN=78 TOS=0x00 PREC=0x00 TTL=113
ID=19731 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 17 05:47:39 photoserver kernel: martian source 213.17.34.12 from
192.168.0.5, on dev ppp0
Jun 17 05:47:39 photoserver kernel: ll header: 45:00:00:4e
Jun 17 20:57:58 photoserver kernel: SuSE-FW-UNALLOWED-ROUTINGIN=ppp0
OUT=eth1 SRC=195.96.96.97 DST=192.168.0.4 LEN=126 TOS=0x00 PREC=0x00
TTL=248 ID=22226 DF PROTO=UDP SPT=53 DPT=137 LEN=106


Obviously there is more unallowed routing going on. You should provide
more details about your network setup so we have a better chance of
understanding the problem.

HTH,
Armin

- -- Am Hasenberg 26 office: Institut für Atmosphärenphysik
D-18209 Bad Doberan Schloss-Straße 6
Tel. ++49-(0)38203/42137 D-18225 Kühlungsborn / GERMANY
Email: schoech@xxxxxxxxxxxx Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/ Fax. +49-(0)38293-68-50
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org

iD8DBQE9DkpIG8Xv4GxznLoRAjqrAKCgwctW19eT6ZRtc5IfqVsrj9NTiQCg1jPu
PoOnsaFgZ0VzxPnDbuVRZnI=
=EASV
-----END PGP SIGNATURE-----
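
Added example (not part of either message in this thread): a small Python parser for the two kinds of kernel lines quoted above, run over the thread's own log lines with the e-mail line wrapping undone. The function names and the summary layout are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Log lines from the message above, with the e-mail line wrapping undone.
SAMPLE = """\
Jun 17 05:47:36 photoserver kernel: martian source 213.17.34.12 from 192.168.0.5, on dev ppp0
Jun 17 05:47:36 photoserver kernel: ll header: 45:00:00:4e
Jun 17 05:47:36 photoserver kernel: SuSE-FW-DROP-DEFAULTIN=ppp0 OUT= MAC= SRC=213.22.197.144 DST=213.17.34.12 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=16403 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 17 20:57:58 photoserver kernel: SuSE-FW-UNALLOWED-ROUTINGIN=ppp0 OUT=eth1 SRC=195.96.96.97 DST=192.168.0.4 LEN=126 TOS=0x00 PREC=0x00 TTL=248 ID=22226 DF PROTO=UDP SPT=53 DPT=137 LEN=106
"""

# The kernel prints the packet's destination first, then its source address.
MARTIAN = re.compile(r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)")
# The rule tag is fused to IN= in these logs, so the separating space is optional.
FWLINE = re.compile(r"kernel: (?P<tag>SuSE-FW-[A-Z-]+?)\s*IN=(?P<rest>.*)")

def parse(line):
    """Return a dict describing one log line, or None for lines that are ignored."""
    m = MARTIAN.search(line)
    if m:
        src = ipaddress.ip_address(m["src"])
        return {"kind": "martian", "dev": m["dev"], "src": m["src"],
                "dst": m["dst"], "private_src": src.is_private}
    m = FWLINE.search(line)
    if m:
        # KEY=VALUE pairs; empty values (OUT=, MAC=) and bare flags (DF) are tolerated.
        f = dict(re.findall(r"(\w+)=(\S*)", "IN=" + m["rest"]))
        return {"kind": m["tag"], "dev": f["IN"], "out": f.get("OUT", ""),
                "src": f.get("SRC"), "dst": f.get("DST"), "proto": f.get("PROTO"),
                "dport": int(f["DPT"]) if "DPT" in f else None}
    return None  # e.g. the "ll header" lines

def summarize(text):
    """Count events per (kind, inbound device, source, destination)."""
    events = [e for e in map(parse, text.splitlines()) if e]
    return Counter((e["kind"], e["dev"], e["src"], e["dst"]) for e in events)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```

Grouping on these fields collapses an "endless" firewall log into a short list of distinct senders and rules, which is the kind of detail the reply asks for.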






