Re: Unknown process modifying routing table

2021-02-07 Thread Jan Stary
On Feb 06 12:18:40, ja...@jmp-e.com wrote:
> I've disabled my VPN on the machine as well as dhclient, connecting via a
> fixed static IP address and DNS servers.

That would be a much easier environment to debug this.
So please show your hostname.if, mygate and your routing table
right after boot, and the log of

script -c 'route -n monitor' route.log

at least up to the first change.



Re: Unknown process modifying routing table

2021-02-06 Thread Claudio Jeker
On Sat, Feb 06, 2021 at 02:16:20PM +0100, Otto Moerbeek wrote:
> On Sat, Feb 06, 2021 at 12:18:40PM +, James wrote:
> 
> > I've disabled my VPN on the machine as well as dhclient, connecting via a
> > fixed static IP address and DNS servers. My routing table is still being
> > modified by PID 0 (which I assume to be the kernel) every 30 minutes or so.
> > Ntpd is also disabled.
> > 
> > I have also caught my machine communicating to one of the IPs via TCP
> > and have a pcap dump from wireshark. No actual data was sent other than a
> > TCP timestamp.
> > 
> > > If your default route is a VPN,
> > > please show how you establish the VPN to be your default route.
> > > 
> > The default route is established manually in a script that is run after the
> > VPN starts. Essentially it does the following:
> > 
> >     route add $VPN_HOST $DEFAULT_GW
> > 
> >     route change default $VPN_HOST
> > 
> > 
> > I do not believe the VPN to be the cause of this problem.
> > 
> > 
> > Any tips on debugging the kernel to track the cause of these route changes
> > would be greatly appreciated.
> > 
> > 
> > Thanks,
> > 
> 
> The kernel uses the routing table to store things like PMTU discovery
> data and ARP entries,
> 

Also showing the route -n monitor output will help to identify what is
going on.

-- 
:wq Claudio



Re: Unknown process modifying routing table

2021-02-06 Thread James
I've disabled my VPN on the machine as well as dhclient, connecting via 
a fixed static IP address and DNS servers. My routing table is still 
being modified by PID 0 (which I assume to be the kernel) every 30 
minutes or so. Ntpd is also disabled.


I have also caught my machine communicating to one of the IPs via 
TCP and have a pcap dump from wireshark. No actual data was sent other 
than a TCP timestamp.



If your default route is a VPN,
please show how you establish the VPN to be your default route.

The default route is established manually in a script that is run after 
the VPN starts. Essentially it does the following:


    route add $VPN_HOST $DEFAULT_GW

    route change default $VPN_HOST


I do not believe the VPN to be the cause of this problem.


Any tips on debugging the kernel to track the cause of these route 
changes would be greatly appreciated.



Thanks,




Re: Unknown process modifying routing table

2021-02-06 Thread Otto Moerbeek
On Sat, Feb 06, 2021 at 12:18:40PM +, James wrote:

> I've disabled my VPN on the machine as well as dhclient, connecting via a
> fixed static IP address and DNS servers. My routing table is still being
> modified by PID 0 (which I assume to be the kernel) every 30 minutes or so.
> Ntpd is also disabled.
> 
> I have also caught my machine communicating to one of the IPs via TCP
> and have a pcap dump from wireshark. No actual data was sent other than a
> TCP timestamp.
> 
> > If your default route is a VPN,
> > please show how you establish the VPN to be your default route.
> > 
> The default route is established manually in a script that is run after the
> VPN starts. Essentially it does the following:
> 
>     route add $VPN_HOST $DEFAULT_GW
> 
>     route change default $VPN_HOST
> 
> 
> I do not believe the VPN to be the cause of this problem.
> 
> 
> Any tips on debugging the kernel to track the cause of these route changes
> would be greatly appreciated.
> 
> 
> Thanks,
> 

The kernel uses the routing table to store things like PMTU discovery
data and ARP entries,

-Otto



Re: Unknown process modifying routing table

2021-02-06 Thread Jan Stary
On Jan 26 15:10:03, ja...@jmp-e.com wrote:
> 
> Hi all,
> 
> My routing table is being modified by an unknown process.
> 
> I have system accounting enabled and I'm monitoring route changes
> but the PID of the process reported by `route monitor` is always 0
> for these unknown changes.
> 
> I've seen my default route (VPN) being deleted and new routes being
> added for specific IPs. I'm out of ideas how to find out what process
> is modifying my routing table.

If your default route is a VPN,
please show how you establish the VPN to be your default route.

> Here are the logs:
> 
> bash-5.0# route -n show
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            10.0.0.1           UGS       15      635     -     8 pair1
> 224/4              127.0.0.1          URS        0        0 32768     8 lo0
> 10.0.0/24          10.0.0.2           UCn        1        0     -     4 pair1
> 10.0.0.1           xx:xx:xx:xx:xx:xx  UHLch     20       76     -     3 pair1
> 10.0.0.2           xx:xx:xx:xx:xx:xx  UHLl       0      251     -     1 pair1
> 10.0.0.255         10.0.0.2           UHb        0        0     -     1 pair1
> 10.2.0.1           10.0.0.1           UGHD       1      599     - L   8 pair1
> 13.35.193.117      10.0.0.1           UGHD       1      616     - L   8 pair1
> 13.224.227.64      10.0.0.1           UGHD       1      611     - L   8 pair1
> 52.48.109.111      10.0.0.1           UGHD       1      614     - L   8 pair1
> 52.84.91.7         10.0.0.1           UGHD       1      574     - L   8 pair1
> 99.84.5.230        10.0.0.1           UGHD       1      620     - L   8 pair1
> 104.16.9.251       10.0.0.1           UGHD       0      289  1350     8 pair1
> 104.16.241.18      10.0.0.1           UGHD       1      610     - L   8 pair1
> 104.18.26.20       10.0.0.1           UGHD       1      609     - L   8 pair1
> 104.21.22.28       10.0.0.1           UGHD       1      617     - L   8 pair1
> 108.177.120.136    10.0.0.1           UGHD       1      625     - L   8 pair1
> 127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
> 127.0.0.1          127.0.0.1          UHhl       8     7322 32768     1 lo0
> 140.82.121.3       10.0.0.1           UGHD       1      636     - L   8 pair1
> 142.250.186.129    10.0.0.1           UGHD       1      604     - L   8 pair1
> 157.230.120.63     10.0.0.1           UGHD       1      596     - L   8 pair1
> 172.67.203.118     10.0.0.1           UGHD       1      607     - L   8 pair1
> 172.217.169.86     10.0.0.1           UGHD       1      632     - L   8 pair1
> 185.199.111.154    10.0.0.1           UGHD       2      633     - L   8 pair1
> 216.58.206.132     10.0.0.1           UGHD       1      624     - L   8 pair1
> 216.58.212.227     10.0.0.1           UGHD       1      629     - L   8 pair1

> The routes for 216.58.212.227, 216.58.206.132, 185.199.111.154,
> 172.217.169.86, 172.67.203.118, 157.230.120.63, 142.250.186.129,
> 140.82.121.3, 108.177.120.136, 104.21.22.28, 104.18.26.20,
> 104.16.241.18, 104.16.9.251, 99.84.5.230, 52.48.109.111, 52.84.5.230,
> 13.224.227.64, 13.35.193.117 are completely unknown and not added by
> myself.

These are probably added by your VPN setup.

Jan
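The entries Otto describes as kernel-maintained (PMTU discovery data, ARP entries) can be told apart from administratively added routes by their flags in the `route -n show` output quoted above: `S` marks a static route, `D` a route the kernel created dynamically, and the remaining cloned, link-layer and local entries belong to the interface configuration. The script below is an added example, not code from this thread; it parses a constructed subset of the table quoted above and groups the entries by origin. The function names `parse_routes`, `classify` and `pmtu_entries` are my own, and the flag letters are read as documented in netstat(1).

```python
#!/usr/bin/env python3
"""Classify the entries of an OpenBSD `route -n show` table by origin.

Added example, not code from the mailing-list thread. It parses the table
text into records and separates the entries the kernel creates on its own
(D-flagged dynamic host routes from ICMP redirects / path-MTU discovery,
and the cloned, link-layer and local entries behind ARP and interface
addresses) from the S-flagged routes an administrator added. The Mtu
column may be followed by an "L" when the MTU is locked, as the rows
quoted in the thread show.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the rows quoted in the thread.
SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.0.1           UGS       15      635     -     8 pair1
224/4              127.0.0.1          URS        0        0 32768     8 lo0
10.0.0/24          10.0.0.2           UCn        1        0     -     4 pair1
10.0.0.1           xx:xx:xx:xx:xx:xx  UHLch     20       76     -     3 pair1
10.0.0.2           xx:xx:xx:xx:xx:xx  UHLl       0      251     -     1 pair1
10.0.0.255         10.0.0.2           UHb        0        0     -     1 pair1
10.2.0.1           10.0.0.1           UGHD       1      599     - L   8 pair1
104.16.9.251       10.0.0.1           UGHD       0      289  1350     8 pair1
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       8     7322 32768     1 lo0
140.82.121.3       10.0.0.1           UGHD       1      636     - L   8 pair1
"""


@dataclass
class Route:
    dst: str
    gw: str
    flags: str
    refs: int
    use: int
    mtu: Optional[int]   # None when the column shows "-"
    mtu_locked: bool     # the "L" that may follow the Mtu column
    prio: int
    iface: str


def parse_routes(text: str) -> List[Route]:
    """Turn `route -n show` text into Route records; other lines are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        tok = line.split()
        # Data rows have at least 8 columns and a numeric Refs field, which
        # excludes the "Routing tables", "Internet:" and header lines.
        if len(tok) < 8 or not tok[3].isdigit():
            continue
        dst, gw, flags, refs, use, mtu = tok[:6]
        rest = tok[6:]
        locked = rest[0] == "L"
        if locked:
            rest = rest[1:]
        prio, iface = rest[0], rest[1]
        routes.append(Route(dst, gw, flags, int(refs), int(use),
                            None if mtu == "-" else int(mtu), locked,
                            int(prio), iface))
    return routes


def origin(r: Route) -> str:
    """Who put this entry in the table, judged from its flags (netstat(1))."""
    if "D" in r.flags:
        return "dynamic"     # kernel: ICMP redirect or path-MTU discovery
    if "S" in r.flags:
        return "static"      # route(8), hostname.if(5) or mygate(5)
    return "interface"       # cloned / link-layer / local / broadcast entries


def classify(routes: List[Route]) -> Dict[str, List[str]]:
    """Group destinations by origin, preserving table order."""
    groups: Dict[str, List[str]] = {"static": [], "dynamic": [], "interface": []}
    for r in routes:
        groups[origin(r)].append(r.dst)
    return groups


def pmtu_entries(routes: List[Route]) -> List[Route]:
    """Dynamic host routes that carry a discovered MTU value."""
    return [r for r in routes if origin(r) == "dynamic" and r.mtu is not None]


if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for name, dsts in classify(table).items():
        print(f"{name:10s} {', '.join(dsts)}")
    for r in pmtu_entries(table):
        print(f"PMTU {r.dst} via {r.gw} mtu {r.mtu}")
```

Run against a live table with `route -n show | python3 classify_routes.py` after replacing `SAMPLE` with `sys.stdin.read()`; the "dynamic" group is the set to compare with what `route -n monitor` reports being added under PID 0.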