Re: [newbie] Martian source in Syslog
On Thursday 04 March 2004 09:37 pm, Terence Golightly wrote:
> How might I track this address?

Do an ifconfig -a from your machines and that will give you the MAC address of the machine. Just match them to the one from the martian source.

> It looks like for some reason my ISP is responsible. See below:
>> Figure out what the 151.201.x.x IP is and if it is in your control before you consider turning logging of martian packets off.
> Here's a couple of nmap scans I ran a while ago:
> Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2004-03-04 20:28 EST
> All 1644 scanned ports on A1-0-0-711067.DSL-RTR1.PITT2.verizon-gni.net (151.201.29.1) are: closed

I will note that it appears that this particular IP belongs to a DSL router, which makes sense if you have the same problem that I was reporting.

Another thing to take a look at is if the martian source comes in regular intervals, every 30 seconds, 3 minutes, etc. I have seen people reporting these associated with fetchmail among other causes. Regular interval packets are more likely to be something innocuous, random packets are more likely to be associated with intrusion attempts.

--
Bryan Phinney
Software Test Engineer

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] Martian source in Syslog
Bryan,

On Fri, 2004-03-05 at 20:37, Bryan Phinney wrote:
> On Friday 05 March 2004 07:44 pm, Terence Golightly wrote:
>> They appear to be a regular pattern
> You can check the timestamps, patterns are like clockwork although you may have multiple sources that may throw it off. Another terrific tool for troubleshooting is to install Ethereal and do a capture on a specific interface. You can have it enable Network name resolution and you may find that you can identify the exact daemon processes that are creating the packets.

I downloaded it, but it looks complicated to use. I got an error:

The capture session could not be initiated (socket:Operation not permitted). Please check to make sure you have sufficient permissions, and that you have proper interface or pipe specified.

I ran it as user. Does it need to be run as root?

snip

>> Q: What is the easiest way to print logs/cut/paste them. gnome-log-viewer won't permit it?
> I usually tail log files from the command line. If I was looking for specific stuff, I would grep it and pipe it to a text file.

Hey I can do that!! :)

Thanks,
Terry

--
I used to have a signature, but I lost it. My new one is: IIRC CRS
Re: [newbie] Martian source in Syslog
On Friday 05 March 2004 09:24 pm, Terence Golightly wrote:
> The capture session could not be initiated (socket:Operation not permitted). Please check to make sure you have sufficient permissions, and that you have proper interface or pipe specified.
> I ran it as user. Does it need to be run as root?

Yes, it needs to be run as root.

--
Bryan Phinney
Software Test Engineer
Re: [newbie] Martian source in Syslog
Bryan,

I just turned Shorewall on after modifying the /etc/X11/interfaces and a shorewall restart from a root console.

On Wed, 2004-03-03 at 07:57, Bryan Phinney wrote:
> Okay, just general information. Has anyone else on the list recently started noticing a lot of martian source packets being logged from the kernel? If so, I can probably help you to track down what is causing the entries and also help you remove them.

I get the kernel martian messages but they seem to be emanating from my ISP or another source. I'll post the messages below:

kernel martian source 151.201.29.xxx from 151.201.29.1 on dev eth0
kernel ll header:ff:ff:ff:ff:ff:ff:00:08:e3:b9:45:08:06 **Could this be my MAC address
kernel Shorewall:net2all:DROP:IN=ppp0 OUT=MAC= SRC=68.161.232.35 DST=68.161.232.35 DST=68.162.128.17 LEN=92 TOS=0x00 PREC=0x00 TTL=118 ID=64127 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=40632
kernel Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.10 DST=10.0.0.255 LEN=166 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 LEN=146

10.0.0.10 is designated in my hosts file as my machine name.

I'm green when it comes to this security stuff. What is the 'quick' way to stop these messages and I'll look at the shorewall site unless you know of a better source on learning how to set this up better.

Thanks,
Terry

--
I used to have a signature, but I lost it. My new one is: IIRC CRS
Re: [newbie] Martian source in Syslog
On Thursday 04 March 2004 08:28 pm, Terence Golightly wrote:
> I get the kernel martian messages but they seem to be emanating from my ISP or another source. I'll post the messages below:
> kernel martian source 151.201.29.xxx from 151.201.29.1 on dev eth0

The first IP is the supposed target of the packets, the second is the supposed source.

> kernel ll header:ff:ff:ff:ff:ff:ff:00:08:e3:b9:45:08:06 **Could this be my MAC address

That is supposed to be the MAC address of the source. You might be able to use this address to track down the origination of the martian packets.

> 10.0.0.10 is designated in my hosts file as my machine name.
> I'm green when it comes to this security stuff. What is the 'quick' way to stop these messages and I'll look at the shorewall site unless you know of a better source on learning how to set this up better.

Before you turn off logging of these kinds of messages, you need to be VERY sure that you trust your firewall to be actively blocking and adequately filtering packets. That is because these types of messages may indicate that someone is spoofing packets while trying to break into your system.

If you are pretty sure that the packets are being sourced from internal machines and just showing up on the wrong interface, only then consider turning off logging.

Figure out what the 151.201.x.x IP is and if it is in your control before you consider turning logging of martian packets off.

--
Bryan Phinney
Software Test Engineer
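Added example, not part of any poster's message: a small Python parser for the kernel "martian source" / "ll header" pairs discussed in this thread, which splits a 14-octet Ethernet header into destination MAC, source MAC and EtherType and checks whether each source repeats at a regular interval. It assumes standard syslog lines with a timestamp and hostname (as in Sharrea's post); the year, the 2-second tolerance and all sample lines after the first two are constructed for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

MARTIAN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: martian source "
    r"(?P<dst>\S+) from (?P<src>[^\s,]+),? on dev (?P<dev>\S+)"
)
LL_RE = re.compile(r"kernel: ll header: ?(?P<hex>[0-9A-Fa-f:]+)")

# The first two lines are quoted from the thread; the rest are constructed samples.
SAMPLE_LOG = """\
Jul 20 09:22:40 tbird kernel: martian source 203.109.204.173 from 210.55.24.8, on dev sm200d
Jul 20 09:22:40 tbird kernel: ll header: ff:55:01:bc:90:00:00:90:bc:01:55:ff:08:00
Mar  4 10:00:00 host1 kernel: martian source 10.0.0.255 from 10.0.0.10, on dev eth0
Mar  4 10:00:00 host1 kernel: ll header: ff:ff:ff:ff:ff:ff:02:00:00:00:00:0a:08:00
Mar  4 10:00:05 host1 kernel: martian source 10.0.0.10 from 192.0.2.77, on dev eth0
Mar  4 10:00:30 host1 kernel: martian source 10.0.0.255 from 10.0.0.10, on dev eth0
Mar  4 10:01:00 host1 kernel: martian source 10.0.0.255 from 10.0.0.10, on dev eth0
Mar  4 10:01:31 host1 kernel: martian source 10.0.0.255 from 10.0.0.10, on dev eth0
Mar  4 10:03:40 host1 kernel: martian source 10.0.0.10 from 192.0.2.77, on dev eth0
Mar  4 10:04:02 host1 kernel: martian source 10.0.0.10 from 192.0.2.77, on dev eth0
Mar  4 10:19:15 host1 kernel: martian source 10.0.0.10 from 192.0.2.77, on dev eth0
"""


def decode_ll_header(text):
    """Split an Ethernet link-layer header: 6 octets dst, 6 octets src, 2 EtherType."""
    octets = text.strip(":").split(":")
    if len(octets) != 14:
        # Truncated or non-Ethernet header: do not guess at the missing octets.
        return {"complete": False, "octets": len(octets)}
    dst = ":".join(octets[:6]).lower()
    src = ":".join(octets[6:12]).lower()
    etype = int(octets[12] + octets[13], 16)
    return {
        "complete": True,
        "dst_mac": dst,
        "src_mac": src,
        "broadcast": dst == "ff:ff:ff:ff:ff:ff",
        "ethertype": ETHERTYPES.get(etype, hex(etype)),
    }


def parse_martians(lines, year=2004):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events = []
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:
            # Syslog omits the year; the caller supplies one (assumption).
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"time": when, "dst": m["dst"], "src": m["src"],
                           "dev": m["dev"], "ll": None})
            continue
        m = LL_RE.search(line)
        if m and events and events[-1]["ll"] is None:
            events[-1]["ll"] = decode_ll_header(m["hex"])
    return events


def interval_profile(events, tolerance=2.0):
    """Per (source IP, device): event count, median gap, and whether gaps are regular."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[(ev["src"], ev["dev"])].append(ev["time"])
    profile = {}
    for key, times in by_source.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < 2:
            # Too few events to call the pattern either way.
            profile[key] = {"count": len(times), "median_gap": None, "periodic": None}
            continue
        median = statistics.median(gaps)
        periodic = all(abs(g - median) <= tolerance for g in gaps)
        profile[key] = {"count": len(times), "median_gap": median, "periodic": periodic}
    return profile


if __name__ == "__main__":
    evs = parse_martians(SAMPLE_LOG.splitlines())
    for key, info in interval_profile(evs).items():
        print(key, info)
```

The 13-octet header posted earlier in the thread is reported as incomplete rather than decoded, because one octet is missing from it as posted.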
Re: [newbie] Martian source in Syslog
Bryan,

Thanks for your quick reply:

On Thu, 2004-03-04 at 21:01, Bryan Phinney wrote:
> On Thursday 04 March 2004 08:28 pm, Terence Golightly wrote:
>> I get the kernel martian messages but they seem to be emanating from my ISP or another source. I'll post the messages below:
>> kernel martian source 151.201.29.xxx from 151.201.29.1 on dev eth0
> The first IP is the supposed target of the packets, the second is the supposed source.
>> kernel ll header:ff:ff:ff:ff:ff:ff:00:08:e3:b9:45:08:06 **Could this be my MAC address
> That is supposed to be the MAC address of the source. You might be able to use this address to track down the origination of the martian packets.

How might I track this address?

>> 10.0.0.10 is designated in my hosts file as my machine name.

snip

> Before you turn off logging of these kinds of messages, you need to be VERY sure that you trust your firewall to be actively blocking and adequately filtering packets. That is because these types of messages may indicate that someone is spoofing packets while trying to break into your system.

I did notice 1 or 2 like this:

Socks5[998] Auth Failed:(172.153.8.184:4146)

The port 4146 is closed on my machine.

> If you are pretty sure that the packets are being sourced from internal machines and just showing up on the wrong interface, only then consider turning off logging.

It looks like for some reason my ISP is responsible. See below:

> Figure out what the 151.201.x.x IP is and if it is in your control before you consider turning logging of martian packets off.

Here's a couple of nmap scans I ran a while ago:

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2004-03-04 20:28 EST
All 1644 scanned ports on A1-0-0-711067.DSL-RTR1.PITT2.verizon-gni.net (151.201.29.1) are: closed
Nmap run completed -- 1 IP address (1 host up) scanned in 13.910 seconds

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2004-03-04 20:29 EST
All 1644 scanned ports on pool-151-201-29-195.pitt.east.verizon.net (151.201.29.195) are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 105.224 seconds

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2004-03-04 20:55 EST
All 1644 scanned ports on AC9908B8.ipt.aol.com (172.153.8.184) are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 1335.952 seconds

Thanks again,
Terry

--
I used to have a signature, but I lost it. My new one is: IIRC CRS
Re: [newbie] Martian source in Syslog
--- Terence Golightly [EMAIL PROTECTED] wrote:
> Bryan,
> I just turned Shorewall on after modifying the /etc/X11/interfaces and a shorewall restart from a root console.
> On Wed, 2004-03-03 at 07:57, Bryan Phinney wrote:
>> Okay, just general information. Has anyone else on the list recently started noticing a lot of martian source packets being logged from the kernel? If so, I can probably help you to track down what is causing the entries and also help you remove them.
> I get the kernel martian messages but they seem to be emanating from my ISP or another source. I'll post the messages below:
> kernel martian source 151.201.29.xxx from 151.201.29.1 on dev eth0
> kernel ll header:ff:ff:ff:ff:ff:ff:00:08:e3:b9:45:08:06 **Could this be my MAC address
> kernel Shorewall:net2all:DROP:IN=ppp0 OUT=MAC= SRC=68.161.232.35 DST=68.161.232.35 DST=68.162.128.17 LEN=92 TOS=0x00 PREC=0x00 TTL=118 ID=64127 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=40632
> kernel Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=10.0.0.10 DST=10.0.0.255 LEN=166 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 LEN=146
> 10.0.0.10 is designated in my hosts file as my machine name.
> I'm green when it comes to this security stuff. What is the 'quick' way to stop these messages and I'll look at the shorewall site unless you know of a better source on learning how to set this up better.
> Thanks, Terry
> --
> I used to have a signature, but I lost it. My new one is: IIRC CRS

Hi Terry,

It does look like your ISP, or someone, is trying to ping you. Note after ID it has PROTO=ICMP TYPE=8 - this translates into someone is using protocol ICMP to send a type 8 ping, and is looking for a response, ICMP being the protocol for pinging. There are commonly three types of pings you may want to respond to, #s 0, 3, and 8, while the rest should be dropped, and ignored - reject may be the wrong response, as it lets someone know that a computer is there.

It looks like IP address 151.201.29.1 is trying to ping 68.161.232.35 (your cable or DSL modem?), and then 68.161.232.35 is trying to relay the ping request to both itself (note how 68.161.232.35 appears in both source and destination - most likely the problem here), and 68.162.128.17. Since your ethernet card is probably set up as 10.0.0.10, and connected to the modem, it is most likely seeing the ping request being retransmitted, and it should not - that should have been filtered by your ISP, or the modem. Also, it went through a protocol translation, from ICMP to UDP, and so it is no longer in the same form as when it started.

I don't think the string that starts with ff:ff: is your MAC, as it just doesn't look right. If you type ifconfig from the command line as root you will see something similar, and it may start off with a bunch of ff:, yet the last six pairs of hex code should not repeat like that. In this case you go from ff: to 00: to the six hex code pairs, starting with 08:. That 00: is a spoiler, and would not be in there, or would be consistent with the ff:. That is why I don't think it is your MAC.

Also, the snippet of log shows ppp0 - so I am guessing that you are using a (A)DSL modem, as ppp0 tends to be dial-up, or a basic DSL modem, and it may just be using PPPoE, or even PPPoA (ppp and PPP = Point to Point Protocol, o = over, E = Ethernet, A = ATM switch). Since you are showing both eth0 and ppp0, a DSL modem is my choice.

It seems as if the length of the message (ping) got changed. It went from 92 bytes, up to 166 bytes, and then dropped down to 146 bytes. That may be cause for concern, and why it was written to the log file as well.

I'm afraid that I can't be of much help - I am using IPCop, and it uses snort with iptables, so the implementation is a bit different. You may want to check Shorewall's web site, and see if they have an active forum, or can point you to one. It may be worth investigating.

My ISP pings my DSL modem an average of every five seconds - to keep route tables updated, and I have silently dropped those, not even logging them now. I do see stuff show up that makes me think that they are not doing a good job of dropping stuff, as I see pings to different segments showing up. Worst comes to worst, ask your ISP to do a better job of filtering their router traffic, and maybe even send a copy of your log files to them as proof.

Hope this helps in some small way.

=
Mike (a.k.a. AWEV)
RLU 347983

__
Do you Yahoo!? Yahoo! Search - Find what you're looking for faster http://search.yahoo.com
[newbie] Martian source in Syslog
Okay, just general information. Has anyone else on the list recently started noticing a lot of martian source packets being logged from the kernel? If so, I can probably help you to track down what is causing the entries and also help you remove them.

I just spent the better half of a day doing just that and since I haven't seen anyone else talk about it, didn't know if it was just me so I thought I would mention it.

--
Bryan Phinney
Software Test Engineer
Re: [newbie] Martian source in Syslog
Let's see...

$ cat /etc/security/msec/level.local
from mseclib import *
enable_log_strange_packets(0)

Is this how you disabled the martian log? It made me crazy for some time after installing shorewall in MDK9.1

I'd be interested in what you found.

raffaele

[EMAIL PROTECTED] wrote:
> Okay, just general information. Has anyone else on the list recently started noticing a lot of martian source packets being logged from the kernel? If so, I can probably help you to track down what is causing the entries and also help you remove them.
> I just spent the better half of a day doing just that and since I haven't seen anyone else talk about it, didn't know if it was just me so I thought I would mention it.
Re: [newbie] Martian source in Syslog
--- Bryan Phinney [EMAIL PROTECTED] wrote:
> Okay, just general information. Has anyone else on the list recently started noticing a lot of martian source packets being logged from the kernel? If so, I can probably help you to track down what is causing the entries and also help you remove them.
> I just spent the better half of a day doing just that and since I haven't seen anyone else talk about it, didn't know if it was just me so I thought I would mention it.
> --
> Bryan Phinney
> Software Test Engineer

Are you referring to log entries in your Intrusion Detection System (IDS) from your internet/intranet connection?

If so, then a better place to post this information may be the firewall mailing list. Nonetheless, I would be interested, as I am a member on the IPCops.net forums for the IPCop firewall, and any insights or help is much appreciated.

=
Mike (a.k.a. AWEV)
RLU 347983
Re: [newbie] Martian source in Syslog
On Wednesday 03 March 2004 09:04 am, Raffaele Belardi wrote:
> Let's see...
> $ cat /etc/security/msec/level.local
> from mseclib import *
> enable_log_strange_packets(0)
> Is this how you disabled the martian log? It made me crazy for some time after installing shorewall in MDK9.1

I set up a cron job to turn the martian source logging itself off in the proc system, and now I just run it every hour along with msec which turns the logging on. I did grep for martian source but didn't find anything in msec, if strange_packets is it, then I might be able to do it that way but changing the proc system works and I don't need to worry about anything changing it back.

> I'd be interested in what you found.

Well, ymmv, but I was more interested in tracking and finding the actual source of the martian packets. On my system, I was getting packets logged every 30 seconds, all from the local machine IP. Sniffing the stream helped me figure out that cupsd was set to broadcast the printer connected to it to @LOCAL which goes out to both local net ranges on eth0 as well as loopback on lo. Somehow, the eth0 device is seeing packets bound for the loopback device and thus being logged as martian source.

If you disable print server browse broadcasting, the martian packets go away. I want browsing to be available on my network, so I just removed the logging. Also, if you run the rwhod process, you might see martian packets each time it sends ARP packets to find out who and what machines are on the LAN. I saw those too, just not as frequent as the CUPS packets which default to broadcast every 30 seconds.

--
Bryan Phinney
Software Test Engineer
Re: [newbie] Martian source in Syslog
On Wednesday 03 March 2004 09:37 am, Mike Fehse wrote:
> Are you referring to log entries in your Intrusion Detection System (IDS) from your internet/intranet connection?

No, kernel logging of martian source packets which are packets that are expected to come from a particular route but are somehow seen or directed to an alternate one. In my case, packets bound for loopback device that somehow get directed to eth0 and are thus seen as foreign or martian.

> If so, then a better place to post this information may be the firewall mailing list. Nonetheless, I would be interested, as I am a member on the IPCops.net forums for the IPCop firewall, and any insights or help is much appreciated.

Are you seeing martian source headers being logged in syslog on your system?

--
Bryan Phinney
Software Test Engineer
Re: [newbie] Martian source in Syslog
--- Bryan Phinney [EMAIL PROTECTED] wrote:
> On Wednesday 03 March 2004 09:37 am, Mike Fehse wrote:
>> Are you referring to log entries in your Intrusion Detection System (IDS) from your internet/intranet connection?
> No, kernel logging of martian source packets which are packets that are expected to come from a particular route but are somehow seen or directed to an alternate one. In my case, packets bound for loopback device that somehow get directed to eth0 and are thus seen as foreign or martian.
>> If so, then a better place to post this information may be the firewall mailing list. Nonetheless, I would be interested, as I am a member on the IPCops.net forums for the IPCop firewall, and any insights or help is much appreciated.
> Are you seeing martian source headers being logged in syslog on your system?
> --
> Bryan Phinney
> Software Test Engineer

Hi Bryan,

I use a firewall called IPCop, that was originally based on Smoothwall. Both are Linux-based products, using iptables, squid, and snort, with some custom coding thrown in for good measure. IPCop's development team has their web site at www.ipcop.org, while the un-official user support forum, which I belong to, is located at www.ipcops.net

We have about six topics that deal with martians, and it pops up regularly, hence, my interest. Sometimes it is after a nasty day of mblaster, code_red, and so forth, that some of our users find the little green guys in the IDS logs. Other times, just adding a computer, or a new program, to their LAN does the same. Since we can't always determine the problem, just adding to the knowledge base is a help. Would you mind if I added your experience to our FAQ?

=
Mike (a.k.a. AWEV)
RLU 347983
Re: [newbie] Martian source in Syslog
On Wednesday 03 March 2004 12:33 pm, Mike Fehse wrote:
> Sometimes it is after a nasty day of mblaster, code_red, and so forth, that some of our users find the little green guys in the IDS logs.

Those would be the kind that you actually do want to be logged since it can be evidence of someone trying to gain access to the system by spoofing IP's.

> Other times, just adding a computer, or a new program, to their LAN does the same. Since we can't always determine the problem, just adding to the knowledge base is a help. Would you mind if I added your experience to our FAQ?

Not at all. In fact, my own ability to track down the cause was aided by discussions about rp_filters from firewall discussions and some of the things that caused spurious martians on those. I suspect that I could tailor a rule on the firewall of the router to drop these, or if I cared to delve a little more deeply into how CUPS does its broadcasting, I would be able to eliminate them that way.

Another thought that I had was to set up a static route for the loopback to try to totally eliminate that traffic from hitting the router altogether but since the CUPS broadcast does have to go out to the local netrange, I am not sure that would eliminate the problem. I might look into some of the discussions at IPCOP to see if there are any specific steps that I might take to research it further.

--
Bryan Phinney
Software Test Engineer
Re: [newbie] martian source in syslog
On Sun, 20 Jul 2003 09:29, Sharrea wrote:
> Recently I got a satellite internet connection which uses a PCI Telemann Skymedia 200DPA card. It was working fine until a few days ago when suddenly all packets received via this card are dropped by the kernel with the 'martian source' messages in syslog:
> Jul 20 09:22:40 tbird kernel: martian source 203.109.204.173 from 210.55.24.8, on dev sm200d
> Jul 20 09:22:40 tbird kernel: ll header: ff:55:01:bc:90:00:00:90:bc:01:55:ff:08:00
> So obviously the kernel does not know where to route the packets to. No settings were changed and my firewall rules are the same as when the connection was working. Besides, this also happens with no firewall running.
> I still use a dialup 56K modem to upload (dynamic IP), so only download via satellite. When the sat. card's driver is loaded this is what ifconfig shows for these two devices:
> snip
> Does anyone know how I tell the kernel that this device is supposed to receive packets from the internet? I've spent two days fiddling with problem and I'm at a loss as to what to try next... and I've not much hair left to pull out ;)
> ANY help would be very much appreciated.

Just thought I'd let everyone know in case it happens to someone else: the answer was to issue the command (as root user):

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

Thanks to Nic on the NZLUG mailing list.

Sharrea

--
Help Microsoft stamp out piracy - give Linux to a friend today
Re: [newbie] martian source in syslog
On Tue, 22 Jul 2003 08:19, Sharrea wrote:
> Just thought I'd let everyone know in case it happens to someone else: the answer was to issue the command (as root user):
> echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

Oops, forgot to mention: see kernel docs - Configure.help from line 5220

Sharrea

--
Help Microsoft stamp out piracy - give Linux to a friend today
[newbie] martian source in syslog
Hi

Recently I got a satellite internet connection which uses a PCI Telemann Skymedia 200DPA card. It was working fine until a few days ago when suddenly all packets received via this card are dropped by the kernel with the 'martian source' messages in syslog:

Jul 20 09:22:40 tbird kernel: martian source 203.109.204.173 from 210.55.24.8, on dev sm200d
Jul 20 09:22:40 tbird kernel: ll header: ff:55:01:bc:90:00:00:90:bc:01:55:ff:08:00

So obviously the kernel does not know where to route the packets to. No settings were changed and my firewall rules are the same as when the connection was working. Besides, this also happens with no firewall running.

I still use a dialup 56K modem to upload (dynamic IP), so only download via satellite. When the sat. card's driver is loaded this is what ifconfig shows for these two devices:

ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.109.204.173  P-t-P:192.168.251.44  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1514  Metric:1
          RX packets:3 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:66 (66.0 b)  TX bytes:87 (87.0 b)

sm200d    Link encap:Ethernet  HWaddr 00:90:BC:01:55:FF
          inet addr:192.168.19.53  Bcast:192.168.19.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Does anyone know how I tell the kernel that this device is supposed to receive packets from the internet? I've spent two days fiddling with problem and I'm at a loss as to what to try next... and I've not much hair left to pull out ;)

ANY help would be very much appreciated.

Sharrea

--
Help Microsoft stamp out piracy - give Linux to a friend today
RE: [newbie] martian source on syslog
my understanding of martians are lost packets usually due to bogus routing or badly spoofed addresses...

you might need to add just one iptables rule to your firewall to block martians.. (sorry can't tell you what it is offhand.. I never learned iptables as well as I did ipchains.) but since iptables is stateful inspection, it seems trivial to block bogus packets...

a quick search on google should show you an iptables rule to add to rc.local to block them..

rgds
frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Raffaele Belardi
Sent: Monday, 18 November 2002 10:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] martian source on syslog

Thanks, but I am already behind a company firewall. I only want to stop the kernel from logging the martian source message to prevent the syslog from filling up with useless messages. Can that be done?

thanks,
raffaele

[EMAIL PROTECTED] wrote:
> I suggest you install and use gShield .. It has settings for martians, portforwarding, blacklists tcp cookies and a ton of other stuff.. all from one smallish human edited config file that's easy to read and understand.
> give it a go.. If Mandrake just used gShield, and created a small mcc app to make the config file editing a GUI issue, all the complaints on their firewall would stop... I used to use pmfirewall for ipchains, but since I started using gShield on iptables I've never looked back..
> rgds
> Frank
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Raffaele Belardi
> Sent: Monday, 18 November 2002 9:57 PM
> To: [EMAIL PROTECTED]
> Subject: [newbie] martian source on syslog
>
> kernel: martian source 0.255.255.255 from 0.0.0.0, on dev eth0
> kernel: ll header: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
>
> How do I get rid of these messages? At a rate of about 1 every 5 seconds they're filling up my syslog!
> I'm running MDK8.2, msec level 3, had shorewall installed for a brief period, now I uninstalled it. The messages started to appear after shorewall installation, but did not vanish after shorewall disinstallation.
> Any hints?
> thanks,
> raffaele
RE: [newbie] martian source on syslog (YOUR ANSWER SIR!!! )
Try this line:

echo 0 > /proc/sys/net/ipv4/conf/all/log_martians

The firewall you were running obviously put a 1 in there... removing it should solve your probs...

hope that helps..

rgds
Frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Raffaele Belardi
Sent: Monday, 18 November 2002 10:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [newbie] martian source on syslog

Thanks, but I am already behind a company firewall. I only want to stop the kernel from logging the martian source message to prevent the syslog from filling up with useless messages. Can that be done?

thanks,
raffaele

[EMAIL PROTECTED] wrote:
> I suggest you install and use gShield .. It has settings for martians, portforwarding, blacklists tcp cookies and a ton of other stuff.. all from one smallish human edited config file that's easy to read and understand.
> give it a go.. If Mandrake just used gShield, and created a small mcc app to make the config file editing a GUI issue, all the complaints on their firewall would stop... I used to use pmfirewall for ipchains, but since I started using gShield on iptables I've never looked back..
> rgds
> Frank
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Raffaele Belardi
> Sent: Monday, 18 November 2002 9:57 PM
> To: [EMAIL PROTECTED]
> Subject: [newbie] martian source on syslog
>
> kernel: martian source 0.255.255.255 from 0.0.0.0, on dev eth0
> kernel: ll header: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
>
> How do I get rid of these messages? At a rate of about 1 every 5 seconds they're filling up my syslog!
> I'm running MDK8.2, msec level 3, had shorewall installed for a brief period, now I uninstalled it. The messages started to appear after shorewall installation, but did not vanish after shorewall disinstallation.
> Any hints?
> thanks,
> raffaele
Re: [newbie] martian source on syslog (YOUR ANSWER SIR!!! )
Wonderful, thanks a lot, it did the trick! I am always amazed at how easily the Linux kernel can be reconfigured, provided you know how... :-)

Could you post the link you found?

Thanks again, you were very helpful!

raffaele

[EMAIL PROTECTED] wrote:
> Try this line:
> echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
> The firewall you were running obviously put a 1 in there... removing it should solve your probs...
> hope that helps..
> rgds
> Frank
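Added example, not part of any poster's message: a Python audit of the two sysctls written to in this thread (rp_filter and log_martians), reporting the effective per-interface value rather than only conf/all. It assumes the semantics in the current kernel ip-sysctl documentation (rp_filter is the maximum of conf/all and the interface value, log_martians is on if either is set); kernels from the period of these posts may combine the values differently, and the root path is a parameter so the function can be pointed at a copy of the tree.

```python
from pathlib import Path


def _read_int(path):
    """Read a single integer sysctl value from a /proc/sys-style file."""
    return int(path.read_text().strip())


def effective_settings(root="/proc/sys/net/ipv4"):
    """Return {interface: {"rp_filter": int, "log_martians": bool}}.

    Assumed combination rules (current kernel documentation):
      rp_filter    -> max(conf/all, conf/<iface>)
      log_martians -> conf/all OR conf/<iface>
    """
    conf = Path(root) / "conf"
    all_rp = _read_int(conf / "all" / "rp_filter")
    all_log = _read_int(conf / "all" / "log_martians")
    result = {}
    for iface in sorted(p for p in conf.iterdir() if p.is_dir()):
        if iface.name in ("all", "default"):
            continue  # templates, not real interfaces
        rp = max(all_rp, _read_int(iface / "rp_filter"))
        log = bool(all_log or _read_int(iface / "log_martians"))
        result[iface.name] = {"rp_filter": rp, "log_martians": log}
    return result


def findings(settings):
    """Turn effective settings into short notes for the administrator."""
    notes = []
    for name, s in settings.items():
        if s["rp_filter"] == 0:
            notes.append(f"{name}: reverse-path validation is disabled")
        elif not s["log_martians"]:
            notes.append(
                f"{name}: rp_filter={s['rp_filter']} drops failing packets "
                "without logging (log_martians off)"
            )
    return notes


if __name__ == "__main__":
    current = effective_settings()
    for iface, values in current.items():
        print(iface, values)
    for note in findings(current):
        print("NOTE:", note)
```

Under these rules, writing 0 to conf/all alone does not change an interface whose own rp_filter or log_martians value is still 1.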