Michael D. Schleif wrote:
> Charles Steinkuehler wrote:
>> You don't give enough information to correctly diagnose martian errors, which are based pretty much entirely on the status of the route tables. Also, while I have not done a lot of host-host or host-subnet VPNs (you also don't include your IPSec configuration), you will run into problems with these VPN flavors if you don't have rpfiltering turned off (you'll get a warning when starting IPSec about this if it's enabled).
>
> Yes, I know that I did not include ipsec info; but, I fail to see any relevancy. Isn't martian-ness independent of anything ipsec?

I don't think it is entirely. Martian-ness is related to the routing tables and the interface a particular packet arrives on. IPSec plays with this at a very low level, which is why some types of tunnels will not work with the kernel's rp_filter (spoofing) protection enabled.

Fundamentally, IPSec can set up what looks to the kernel like asymmetric routing tables, which can cause martians and (in the case of rp_filter) dropped packets. A good example is a host-host VPN. Your routing rules specify ipsec0 for the remote IP, but you will be receiving encrypted traffic from that system on your external interface (in violation of your routing tables as far as the martian and rp_filter logic are concerned).

> What I see here is a valid public address trying to come in the publicly addressed external interface of a router.
>
> My question, I feel, remains valid: How can this be considered martian?

I can't tell without your routing table information.

A packet is considered a "martian" if it arrives on an interface *OTHER* than the interface the kernel would route a packet out of, when trying to reply to the source IP of the packet.

> Clearly, in order for me to understand this, I need a better grasp of martian-ness. Pointers? Docs?

For docs, your best bet is the kernel source-tree. In addition to the source itself, some info is in the Documentation directory:
linux/Documentation/networking/ip-sysctl.txt
linux/Documentation/proc.txt
--
Charles Steinkuehler
[EMAIL PROTECTED]
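The reverse-path test Charles describes, worked through as an added example (this is not code from the thread or from the LEAF project). It simulates the kernel's strict rp_filter check in user space: for a packet with source `src` arriving on interface `iif`, do a longest-prefix lookup for `src` and see whether the reply would leave through `iif`. The route table, interface names and addresses are constructed for illustration; the table models a router with a public eth0, a LAN on eth1 and a FreeS/WAN-style host-host tunnel whose peer is routed via ipsec0, so the peer's encrypted packets arriving on eth0 fail the check exactly as the thread explains. The model is simplified (it ignores the separate checks for loopback, multicast and zero-network sources) and assumes the old strict-only semantics of rp_filter.

```python
"""Strict reverse-path (rp_filter / martian) check, simulated in user space.

Added example, not code from the leaf-user thread or the LEAF project.
Route table and addresses below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One entry of a simplified kernel route table."""
    dst: str                    # prefix, e.g. "203.0.113.7/32" or "0.0.0.0/0"
    dev: str                    # output interface for this route
    via: Optional[str] = None   # next hop; None means directly connected


def lookup(table: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match over `table`, like a FIB lookup for `addr`."""
    ip = ip_address(addr)
    matches = [r for r in table if ip in ip_network(r.dst)]
    return max(matches, key=lambda r: ip_network(r.dst).prefixlen, default=None)


def reverse_path_ok(table: List[Route], src: str, iif: str) -> bool:
    """Strict reverse-path test: would a reply to `src` leave through `iif`?"""
    route = lookup(table, src)
    return route is not None and route.dev == iif


def decide(table: List[Route], src: str, iif: str, rp_filter: bool = True) -> str:
    """Fate of a packet from `src` arriving on `iif`.

    With rp_filter on, a reverse-path mismatch (or no route to the source at
    all) makes the packet a martian and it is dropped; with rp_filter off the
    kernel accepts it regardless of which interface it came in on.
    """
    if reverse_path_ok(table, src, iif) or not rp_filter:
        return "accept"
    return "martian"


# Constructed table: eth0 is the public side, eth1 the LAN, and the host-host
# VPN peer 203.0.113.7 is reached through the ipsec0 virtual interface.
ROUTER_TABLE = [
    Route("198.51.100.0/24", "eth0"),                 # external subnet
    Route("192.168.1.0/24", "eth1"),                  # internal LAN
    Route("203.0.113.7/32", "ipsec0"),                # host-host VPN peer
    Route("0.0.0.0/0", "eth0", via="198.51.100.1"),   # default route
]


def vpn_peer_esp_on_eth0(rp_filter: bool = True) -> str:
    """Encrypted traffic from the VPN peer arrives on the real wire, eth0,
    but the reply route for 203.0.113.7 points at ipsec0: a mismatch."""
    return decide(ROUTER_TABLE, "203.0.113.7", "eth0", rp_filter)


def lan_address_spoofed_on_eth0() -> str:
    """A packet claiming a LAN source arrives from the Internet side:
    the case rp_filter is meant to catch."""
    return decide(ROUTER_TABLE, "192.168.1.50", "eth0")


def ordinary_internet_host_on_eth0() -> str:
    """Any other public source: the reply uses the default route via eth0."""
    return decide(ROUTER_TABLE, "203.0.113.200", "eth0")


if __name__ == "__main__":
    print("VPN peer, rp_filter on :", vpn_peer_esp_on_eth0())            # martian
    print("VPN peer, rp_filter off:", vpn_peer_esp_on_eth0(False))       # accept
    print("spoofed LAN source     :", lan_address_spoofed_on_eth0())     # martian
    print("ordinary public source :", ordinary_internet_host_on_eth0())  # accept
```

On a real box the same question is answered by `ip route get <source-address>`, which prints the interface a reply to that source would leave through; compare it with the interface the packet actually arrived on. The per-interface switches live under `net.ipv4.conf.<iface>.rp_filter` and `net.ipv4.conf.<iface>.log_martians` (the latter is what produces the "martian source" log lines), and both are described in the ip-sysctl.txt file cited above. Later kernels added a loose mode (rp_filter=2) that only requires some route to the source to exist, which the strict model above does not cover.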
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html