>On Tue, 16 Jul 2013 17:16:15 +0100
>"lux-integ" <lux-in...@btconnect.com> wrote:

> I had the system running fine for a day then suddenly I keep
> getting this flood of lines like the below in /var/log/messages:-
>
> (remark the internal net does not use the 192.168.2.0/ subnet )
>
> ######################
> Jul 16 13:37:50 biker kernel: [ 57.617604] IPv4: martian source 192.168.2.254 from 192.168.2.1, on dev eth1
> Jul 16 13:37:50 biker kernel: [ 57.622549] ll header: 00000000: ff ff ff ff ff ff 11 22 33 44 55 66 77 88 ........Oj}...
> ##########################
>
> I have checked the 48-bit MAC code which I gave as 11 22 33 etc
> does not represent the MAC address of the NIC assigned as eth1 ( or
> any other NIC on the machine. )

Seems like someone is ratcheting the doors of your digital fortress.

Not sure about where that 192.168.2.1 packet was captured. I think you said something about the ethernet being on the inside in your first e-mail. But while that packet is excusable, the other one (the one with the bogus MAC address) is not. And BTW, it's pretty obvious that is a bogus packet. There is a nice series of numbers which extends into the ethertype field and probably into the rest of the packet.

Now, generally, this is normal if troubling. From my friends' stories, I concluded that those living outside any firewalls have this sort of thing happen to them constantly. We never were able to figure out if it was the ISP that sent out such packets or someone masquerading as the ISP, but we did conclude that you don't want to live without a firewall, and a good one at that.

You can have even more hair-raising fun if you set up tcpdump on your outside interface and then later go through all the crap it sniffed up. Just make sure to inform (and get consent from, if applicable) all other users of your sniffing router that packet capture is live. You'll probably have to make it not record TCP streams though, because that will eat up your hard drive in three to four hours. And make you wonder how the hell does NSA plan to capture AND STORE all Internet traffic starting this September.

> I also put a line such as
> iptables -A INPUT -s 192.168.2.1-192.168.2.254 -j DROP
>
> (or some such )
> but it made zilch difference.

If you could make it not log martians, you should be set. There's an option somewhere in iptables manpage but it's been ages since I last read it. No idea how to make it not log bogus MAC addresses, though.

>On Tue, 16 Jul 2013 10:24:49 -0400
>"Baho Utot" <baho-u...@columbus.rr.com> wrote:
>
> https://en.wikipedia.org/wiki/Martian_packet

Huh? I thought only 127.0.0.1 is martian.

--
You don't need an AI for a robot uprising. Humans will do just fine.
-- http://linuxfromscratch.org/mailman/listinfo/blfs-support FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
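
The two kernel messages quoted in this thread can be decoded mechanically. As an added example (not part of the original e-mail), this Python code pairs each `martian source` line with the `ll header` dump that follows it and splits the dump into destination MAC, source MAC and EtherType. It assumes a 14-byte Ethernet II header; the function names are hypothetical, and the sample input is the pair of log lines exactly as posted, including the MAC bytes the poster substituted.

```python
import re
from collections import Counter

# The two kernel messages quoted in the thread, rejoined onto single lines.
SAMPLE_LOG = """\
Jul 16 13:37:50 biker kernel: [ 57.617604] IPv4: martian source 192.168.2.254 from 192.168.2.1, on dev eth1
Jul 16 13:37:50 biker kernel: [ 57.622549] ll header: 00000000: ff ff ff ff ff ff 11 22 33 44 55 66 77 88 ........Oj}...
"""

MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
# First 14 bytes of the link-layer dump (assumption: Ethernet II framing).
LL_HDR = re.compile(r"ll header: [0-9a-f]{8}: ((?:[0-9a-f]{2}\s?){14})")

def parse_martians(text):
    """Pair each 'martian source' line with the 'll header' line after it."""
    events, pending = [], None
    for line in text.splitlines():
        m = MARTIAN.search(line)
        if m:
            # Kernel wording is "martian source <dst> from <src>, on dev <if>".
            pending = {"dst_ip": m.group(1), "src_ip": m.group(2), "dev": m.group(3)}
            events.append(pending)
            continue
        h = LL_HDR.search(line)
        if h and pending is not None:
            b = h.group(1).split()
            pending["dst_mac"] = ":".join(b[0:6])
            pending["src_mac"] = ":".join(b[6:12])
            pending["ethertype"] = "0x" + "".join(b[12:14])
            pending["broadcast"] = b[0:6] == ["ff"] * 6
            pending = None
    return events

def top_senders(events):
    """Count martians per (interface, source IP, source MAC)."""
    return Counter((e["dev"], e["src_ip"], e.get("src_mac")) for e in events)

if __name__ == "__main__":
    for key, count in top_senders(parse_martians(SAMPLE_LOG)).most_common():
        print(count, *key)
```

Run over a full `/var/log/messages`, the per-sender counts show which interface and which source MAC the flood arrives from, which is the first thing to establish before deciding whether to filter it or silence the logging.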