On 05/08/2012 03:17 PM, Maarten Vanraes wrote:
On Tuesday 08 May 2012 02:05:44, imnotpc wrote:
[...]
promiscuous mode means you're passing through from layer 2 to layer 3
irrespective of mac address (ie: even if it's not for you)

iptables is not complaining

martians is kernel level, (resource path filtering (for asynchronous
routing)), before iptables even comes into play.
So the kernel would log the martian before iptables sees it? That
explains why it isn't dropped by the firewall. But that begs the
question, is there any point in using iptables rules to block packets
from other subnets if iptables will never see them? Just about every
sample firewall ruleset I've ever seen does this either explicitly or by
allowing them to fall through to the default DROP rule. Now that I'm
thinking back, in 10+ years of Linux LAN experience I've never seen a
martian packet logged by any of my firewalls. I just assumed it was good
network management ;-)
yes, because rp_filter level can be adjusted in the kernel :-)

Ah, so it was my good network management then, hehe. Good info, thanks.
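The point made in the thread is that reverse-path filtering (rp_filter) and martian logging are decided in the kernel's IPv4 input path, before netfilter ever sees the packet, and that the level is a per-interface sysctl. The following script is an added example, not part of the mailing-list exchange, that reads those sysctls and reports the effective setting per interface. It assumes the standard /proc/sys/net/ipv4/conf/ layout and the documented combination rules: the kernel applies the higher of conf/all/rp_filter and conf/<iface>/rp_filter, and logs martians if either conf/all/log_martians or conf/<iface>/log_martians is set.

```shell
#!/bin/sh
# Added example (not from the thread): show how the kernel's reverse-path
# filter and martian logging are configured, interface by interface.
# rp_filter: 0 = disabled, 1 = strict (RFC 3704), 2 = loose.
# Packets failing the check are dropped (and, with log_martians=1, logged
# as "martian source") before iptables/netfilter sees them.

describe_rp_filter() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown($1)" ;;
    esac
}

# Effective per-interface rp_filter: the kernel uses the maximum of
# conf/all/rp_filter and conf/<iface>/rp_filter.
effective_rp_filter() {
    all="$1"; iface="$2"
    if [ "$all" -gt "$iface" ]; then echo "$all"; else echo "$iface"; fi
}

# Martian logging is enabled if either conf/all or conf/<iface> sets it.
martians_logged() {
    if [ "$1" = 1 ] || [ "$2" = 1 ]; then echo "yes"; else echo "no"; fi
}

# Walk the sysctl tree and print one line per real interface.
report_rp_filter() {
    base=/proc/sys/net/ipv4/conf
    if [ ! -r "$base/all/rp_filter" ]; then
        echo "no IPv4 sysctl tree at $base (not Linux, or /proc not mounted)"
        return 1
    fi
    all_rp=$(cat "$base/all/rp_filter")
    all_log=$(cat "$base/all/log_martians")
    for d in "$base"/*/; do
        i=$(basename "$d")
        [ "$i" = all ] && continue
        [ "$i" = default ] && continue
        rp=$(effective_rp_filter "$all_rp" "$(cat "$d/rp_filter")")
        log=$(martians_logged "$all_log" "$(cat "$d/log_martians")")
        printf '%-12s rp_filter=%s (%s)  log_martians=%s\n' \
            "$i" "$rp" "$(describe_rp_filter "$rp")" "$log"
    done
}

# Run the report when executed directly; do not fail on non-Linux hosts.
report_rp_filter || true
```

With rp_filter at 1 (strict) a packet whose source address would not be routed back out the interface it arrived on is dropped in the kernel, which is why such packets never reach an iptables LOG or DROP rule; setting log_martians=1 is what makes them visible in the kernel log.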
