On Thu, 24 Oct 2002, Grosswiler Roger wrote:
Joerg Henner wrote: [...]
Once again, complete:
Oct 24 00:00:23 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1
Oct 24 00:00:23 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
^^^^^^^^^^^^^^^^^
This does not really seem to be a MAC address..
http://www.susesecurity.com/faq/ -> see about in the middle for
Martians...
I found another link...how about this one?

*giggl* - well, I meant that HE has to find the Network-Card with
the specified MAC address ;))))

arp

arp -n was a good idea...

Address                  HWtype  HWaddress           Flags Mask            Iface
217.162.200.1            ether   00:09:7B:8D:08:54   C                     eth1

My Net is Class A 10.0.0.0
Subnet is 255.0.0.0
IP 217.162.200.80 -> one IP of my Cablemodem

My Server really has 2 Network-Cards:
eth0 -> LAN 10.0.0.0/8
eth1 -> WAN 217.162.200.80/Cablemodem

eth0      Link encap:Ethernet  HWaddr 00:04:5A:65:F8:B7
          inet addr:10.0.0.2  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::204:5aff:fe65:f8b7/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:29371 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27561 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4649259 (4.4 Mb)  TX bytes:5552056 (5.2 Mb)
          Interrupt:5 Base address:0x7000

eth1      Link encap:Ethernet  HWaddr 00:00:E8:56:EB:D7
          inet addr:217.162.200.80  Bcast:255.255.255.255  Mask:255.255.248.0
          inet6 addr: fe80::200:e8ff:fe56:ebd7/10 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2514331 errors:0 dropped:0 overruns:0 frame:0
          TX packets:644829 errors:0 dropped:0 overruns:0 carrier:0
          collisions:428 txqueuelen:100
          RX bytes:181205855 (172.8 Mb)  TX bytes:112859445 (107.6 Mb)
          Interrupt:11 Base address:0x220

2 interfaces are needed for the routing between internet/lan. See ifconfig
below. I am nearly sure that there is a misconfiguration error.

Or am I missing something here?

Christian

OK, Roger gave you the link where to read more about.
This is a message from kernel routing.
Please check both lines in /var/log/messages, the first one tells you the
(claimed) source IP and the destination IP and the interface where it
was detected. The second one (see above) contains the MACs from where to
where the packet should be routed. Both should be interfaces on the same
net segment, one belongs probably to the listed interface (eth0).

What do these messages tell you?
If the (claimed) source IP is a valid IP in your LAN, and these messages
are random somehow (well, I need to explain this more detailed ..),
then it's most likely a mis-configured client, for example routing (see
in docs mentioned above).
If the source IP is not valid in your LAN, and you have these messages
in a sequence (for example every 2 seconds, or increasing IP), then it's
most likely that someone scans with spoofed IPs.

What to do?
If you don't care about the scans (probably 'cause you know that your
firewall is prepared for it:), then you may just ignore these messages.
If you feel that it's a mis-configured client, fix it.
You simply may switch off the logging by
echo 0 >/proc/sys/net/ipv4/conf/<interface>/log_martians

I've done this as normally I trust my firewall....

Does this answer your question?
Achim
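
Added example (not part of the original thread): a small Python parser that pairs each "martian source" line with its "ll header" line, splits the 14-byte Ethernet header into destination MAC, source MAC and EtherType, and applies the rule of thumb given above per sending MAC. Only the first log pair comes from the thread; the other lines, the MAC 02:00:00:00:00:01 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
LAN = ip_network("10.0.0.0/8")  # eth0 network as stated in the thread
# First two lines: the pair from the thread, re-joined. The rest is constructed.
SAMPLE = """\
Oct 24 00:00:23 trinity kernel: martian source 255.255.255.255 from 10.225.80.1, on dev eth1
Oct 24 00:00:23 trinity kernel: ll header: ff:ff:ff:ff:ff:ff:00:09:7b:8d:08:54:08:00
Oct 24 00:05:00 trinity kernel: martian source 217.162.200.80 from 172.16.0.10, on dev eth1
Oct 24 00:05:00 trinity kernel: ll header: 00:00:e8:56:eb:d7:02:00:00:00:00:01:08:00
Oct 24 00:05:02 trinity kernel: martian source 217.162.200.80 from 172.16.0.11, on dev eth1
Oct 24 00:05:02 trinity kernel: ll header: 00:00:e8:56:eb:d7:02:00:00:00:00:01:08:00
Oct 24 00:05:04 trinity kernel: martian source 217.162.200.80 from 172.16.0.12, on dev eth1
Oct 24 00:05:04 trinity kernel: ll header: 00:00:e8:56:eb:d7:02:00:00:00:00:01:08:00
"""
MARTIAN = re.compile(r"(\d\d):(\d\d):(\d\d) \S+ kernel: martian source (\S+) from (\S+), on dev (\S+)")
LL_HDR = re.compile(r"kernel: ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})\s*$")

def parse(text):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events, last = [], None
    for line in text.splitlines():
        if m := MARTIAN.search(line):
            h, mi, s, dst, src, dev = m.groups()  # kernel prints destination first, then source
            last = {"t": int(h) * 3600 + int(mi) * 60 + int(s), "dst": dst, "src": src, "dev": dev}
            events.append(last)
        elif (m := LL_HDR.search(line)) and last is not None:
            o = m.group(1).split(":")  # Ethernet header: dst MAC, src MAC, EtherType
            last.update(dst_mac=":".join(o[:6]), src_mac=":".join(o[6:12]), ethertype="".join(o[12:]))
            last = None
    return events

def classify(events, lan):
    """Rule of thumb from the thread, applied per sending MAC."""
    groups, out = defaultdict(list), {}
    for e in events:
        groups[e.get("src_mac")].append(e)
    for mac, evs in groups.items():
        ips = [ip_address(e["src"]) for e in evs]
        gaps = {b["t"] - a["t"] for a, b in zip(evs, evs[1:])}    # fixed interval?
        steps = {int(b) - int(a) for a, b in zip(ips, ips[1:])}   # increasing IP?
        patterned = len(evs) >= 3 and (len(gaps) == 1 or steps == {1})
        if all(ip in lan for ip in ips):
            out[mac] = "source inside LAN range: check client/routing config"
        elif patterned:
            out[mac] = "foreign sources in a sequence: likely spoofed scan"
        else:
            out[mac] = "foreign source, no pattern: look closer"
    return out
print(classify(parse(SAMPLE), LAN))
```

For the pair from the thread, the sending MAC extracted this way is 00:09:7b:8d:08:54, the same hardware address the arp -n output lists for 217.162.200.1 on eth1.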