--- Terence Golightly <[EMAIL PROTECTED]> wrote:

> Bryan,
>
> I just turned Shorewall on after modifying the /etc/X11/interfaces and a
> shorewall restart from a root console.
>
> On Wed, 2004-03-03 at 07:57, Bryan Phinney wrote:
> > Okay, just general information. Has anyone else on the list recently started
> > noticing a lot of martian source packets being logged from the kernel? If
> > so, I can probably help you to track down what is causing the entries and
> > also help you remove them.
>
> I get the kernel martian messages but they seem to be emanating from my
> ISP or another source. I'll post the messages below:
>
> kernel martian source 151.201.29.xxx from 151.201.29.1 on dev eth0
> kernel ll header:ff:ff:ff:ff:ff:ff:00:08:e3:b9:45:08:06   **Could this be my MAC address
> kernel Shorewall:net2all:DROP:IN=ppp0 OUT=MAC= SRC=68.161.232.35 DST=68.161.232.35 DST=68.162.128.17 LEN=92 TOS=0x00 PREC=0x00 TTL=118 ID=64127 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=40632
> kernel Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.10 DST=10.0.0.255 LEN=166 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 LEN=146
>
> 10.0.0.10 is designated in my hosts file as my machine name.
>
> I'm green when it comes to this security stuff. What is the 'quick' way
> to stop these messages and I'll look at the shorewall site unless you
> know of a better source on learning how to set this up better.
>
> Thanks,
>
> Terry
>
> --
> I used to have a signature, but I lost it. My new one is:
>
> IIRC CRS
Hi Terry,

It does look like your ISP, or someone, is trying to ping you. Note after ID it has "PROTO=ICMP TYPE=8" - this translates into someone is using protocol ICMP to send a type 8 ping, and is looking for a response, ICMP being the protocol for pinging. There are commonly three types of pings you may want to respond to, #s 0, 3, and 8, while the rest should be dropped, and ignored - reject may be the wrong response, as it lets someone know that a computer is there.

It looks like IP address 151.201.29.1 is trying to ping 68.161.232.35 (your cable or DSL modem?), and then 68.161.232.35 is trying to relay the ping request to both itself (note how 68.161.232.35 appears in both source and destination - most likely the problem here), and 68.162.128.17. Since your ethernet card is probably set up as 10.0.0.10, and connected to the modem, it is most likely seeing the ping request being retransmitted, and it should not - that should have been filtered by your ISP, or the modem. Also, it went through a protocol translation, from ICMP to UDP, and so it is no longer in the same forum as when it started.

I don't think the string that starts with ff:ff: is your MAC, as it just doesn't look right. If you type ifconfig from the command line as root you will see something similar, and it may start off with a bunch of ff:, yet the last six pairs of hex code should not repeat like that. In this case you go from ff: to 00: to the six hex code pairs, starting with 08:. That 00: is a spoiler, and would not be in there, or would be consistent with the ff:. That is why I don't think it is your MAC.

Also, the snippet of log shows ppp0 - so I am guessing that you are using a (A)DSL modem, as ppp0 tends to be dial-up, or a basic DSL modem, and it may just be using PPPoE, or even PPPoA (ppp and PPP = Point to Point Protocol, o = over, E = Ethernet, A = ATM switch). Since you are showing both eth0 and ppp0, a DSL modem is my choice.

It seems as if the length of the message (ping) got changed. It went from 92 bytes, up to 166 bytes, and then dropped down to 146 bytes. That may be cause for concern, and why it was written to the log file as well.

I'm afraid that I can't be of much help - I am using IPCop, and it uses snort with iptables, so the implementation is a bit different. You may want to check Shorewall's web site, and see if they have an active forum, or can point you to one. It may be worth investigating.

My ISP pings my DSL modem an average of every five seconds - to keep route tables updated, and I have silently dropped those, not even logging them now. I do see stuff show up that makes me think that they are not doing a good job of dropping stuff, as I see pings to different segments showing up. Worst comes to worst, ask your ISP to do a better job of filtering their router traffic, and maybe even send a copy of your log files to them as proof.

Hope this helps in some small way.

=====
Mike (a.k.a. AWEV)
RLU 347983

__________________________________
Do you Yahoo!?
Yahoo! Search - Find what you're looking for faster
http://search.yahoo.com
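As an added example (not from either poster), here is a small Python parser for the kernel "martian source" and Shorewall (iptables LOG) lines quoted in Terry's mail. It splits each line into its KEY=value fields and keeps track of the keys netfilter prints twice on one line (ID for the IP header and then the ICMP echo ID, LEN for the IP packet and then the UDP length), which is where the "92 / 166 / 146 byte" reading comes from. The sample lines are copied from the thread, quirks included; the remark about port 631 in a comment is my own.

```python
import re
# Lines copied from the thread above, quirks (xxx masking, run-together "OUT=MAC=", doubled DST) included.
SAMPLE_LINES = [
    "kernel martian source 151.201.29.xxx from 151.201.29.1 on dev eth0",
    "kernel Shorewall:net2all:DROP:IN=ppp0 OUT=MAC= SRC=68.161.232.35 "
    "DST=68.161.232.35 DST=68.162.128.17 LEN=92 TOS=0x00 PREC=0x00 TTL=118 "
    "ID=64127 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=40632",
    "kernel Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.10 DST=10.0.0.255 "
    "LEN=166 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 LEN=146",
]
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request (ping)"}
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+),? on dev (\S+)")
SHOREWALL_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")
KEY_RE = re.compile(r"[A-Z]+=")

def parse_fields(text):
    """'KEY=value ...' -> dict; a key netfilter repeats (IP ID then ICMP ID, IP LEN then UDP LEN) becomes KEY.2, bare DF -> True."""
    fields = {}
    for token in text.split():
        while token:
            m = KEY_RE.match(token)
            if not m:                       # bare flag such as DF
                fields[token] = True
                break
            key, rest = m.group()[:-1], token[m.end():]
            nxt = KEY_RE.search(rest)       # copes with the run-together "OUT=MAC="
            value, token = (rest[:nxt.start()], rest[nxt.start():]) if nxt else (rest, "")
            seen = sum(1 for k in fields if k == key or k.startswith(key + "."))
            fields[f"{key}.{seen + 1}" if seen else key] = value
    return fields

def describe(line):
    """Classify one kernel log line and pull out the fields worth a second look."""
    m = MARTIAN_RE.search(line)
    if m:   # a source address that is not routable back through that device
        return {"kind": "martian", "claimed_src": m.group(1), "sender": m.group(2), "dev": m.group(3)}
    m = SHOREWALL_RE.search(line)
    if not m:
        return {"kind": "other"}
    f = parse_fields(m.group("rest"))
    info = {"kind": "shorewall", "chain": m.group("chain"), "action": m.group("action"),
            "in": f.get("IN", ""), "out": f.get("OUT", ""), "src": f.get("SRC"), "dst": f.get("DST"),
            "proto": f.get("PROTO"), "repeated": sorted(k for k in f if "." in k)}
    if info["proto"] == "ICMP":             # TYPE=8 is an echo request, i.e. a ping
        info["icmp_type"] = int(f["TYPE"])
        info["icmp_name"] = ICMP_TYPES.get(info["icmp_type"], "other")
    elif info["proto"] in ("UDP", "TCP"):   # SPT=631 to a .255 address is IPP/CUPS printer browsing
        info["sport"], info["dport"] = f.get("SPT"), f.get("DPT")
    return info
```

Running `describe` over `SAMPLE_LINES` shows the second Shorewall line's "LEN=146" as `LEN.2`, the UDP length inside the 166-byte IP packet, rather than a third packet size.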
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com