On Wednesday 03 March 2004 09:04 am, Raffaele Belardi wrote:
> Let's see...
>
> $ cat /etc/security/msec/level.local
> from mseclib import *
> enable_log_strange_packets(0)
>
> Is this how you disabled the martian log? It made me crazy for some time
> after installing shorewall in MDK9.1....

I set up a cron job to turn the martian source logging itself off in the proc system, and now I just run it every hour along with msec which turns the logging on. I did grep for martian source but didn't find anything in msec, if strange_packets is it, then I might be able to do it that way but changing the proc system works and I don't need to worry about anything changing it back.

> I'd be interested in what you found.

Well, ymmv, but I was more interested in tracking and finding the actual source of the martian packets. On my system, I was getting packets logged every 30 seconds, all from the local machine IP. Sniffing the stream helped me figure out that cupsd was set to broadcast the printer connected to it to @LOCAL which goes out to both local net ranges on eth0 as well as loopback on lo. Somehow, the eth0 device is seeing packets bound for the loopback device and thus being logged as martian source.

If you disable print server browse broadcasting, the martian packets go away. I want browsing to be available on my network, so I just removed the logging.

Also, if you run the rwhod process, you might see martian packets each time it sends ARP packets to find out who and what machines are on the LAN. I saw those too, just not as frequent as the CUPS packets which default to broadcast every 30 seconds.

--
Bryan Phinney
Software Test Engineer
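
The tracking step described in the message above, as an added example that is not part of the original post: a shell function that groups kernel "martian source" log lines by sender, destination and interface and shows the average gap between repeats, which makes a periodic broadcaster stand out. The sample lines, host name and addresses are constructed.

```shell
#!/bin/sh
# Added example: group kernel "martian source" log lines by sender,
# destination and interface, with the average gap between repeats.

# Constructed sample in the kernel's message format; host and addresses are made up.
sample_log() {
cat <<'EOF'
Mar  3 09:00:00 box kernel: martian source 192.168.1.255 from 192.168.1.10, on dev eth0
Mar  3 09:00:00 box kernel: ll header: ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00
Mar  3 09:00:10 box kernel: martian source 255.255.255.255 from 192.168.1.10, on dev eth0
Mar  3 09:00:30 box kernel: martian source 192.168.1.255 from 192.168.1.10, on dev eth0
Mar  3 09:01:00 box kernel: martian source 192.168.1.255 from 192.168.1.10, on dev eth0
Mar  3 09:01:30 box kernel: martian source 192.168.1.255 from 192.168.1.10, on dev eth0
Mar  3 09:03:10 box kernel: martian source 255.255.255.255 from 192.168.1.10, on dev eth0
EOF
}

# Reads syslog lines on stdin; prints "count src dst dev avg_gap_seconds",
# most frequent first. The message names the destination first, then the sender.
martian_summary() {
  awk '
    {
      for (i = 1; i < NF; i++) {
        if ($i != "martian" || $(i + 1) != "source") continue
        dst = $(i + 2); src = $(i + 4); dev = $(i + 7)
        sub(/,$/, "", src)
        key = src " " dst " " dev
        # Time of day is the third syslog field (HH:MM:SS).
        split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
        if (key in last) {
          gap = now - last[key]
          if (gap < 0) gap += 86400      # log crossed midnight
          total[key] += gap
        }
        last[key] = now; count[key]++
        break
      }
    }
    END {
      for (key in count) {
        avg = (count[key] > 1) ? int(total[key] / (count[key] - 1)) : 0
        print count[key], key, avg
      }
    }' | sort -k1,1nr -k2
}

sample_log | martian_summary
```

On a live system, feed it the kernel log instead of the sample; a steady 30-second gap from the machine's own address is the pattern the message attributes to CUPS browse broadcasts.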