Diffstat (limited to 'zarb-ml/mageia-discuss/20120508/007253.html')
-rw-r--r-- | zarb-ml/mageia-discuss/20120508/007253.html | 125 |
1 files changed, 125 insertions, 0 deletions
diff --git a/zarb-ml/mageia-discuss/20120508/007253.html b/zarb-ml/mageia-discuss/20120508/007253.html new file mode 100644 index 000000000..e57a21598 --- /dev/null +++ b/zarb-ml/mageia-discuss/20120508/007253.html 
@@ -0,0 +1,125 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-discuss] Odd entry in log file + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20Odd%20entry%20in%20log%20file&In-Reply-To=%3C4FA86358.3000409%40Rock3d.net%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="007252.html"> + <LINK REL="Next" HREF="007257.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-discuss] Odd entry in log file</H1> + <B>imnotpc</B> + <A HREF="mailto:mageia-discuss%40mageia.org?Subject=Re%3A%20%5BMageia-discuss%5D%20Odd%20entry%20in%20log%20file&In-Reply-To=%3C4FA86358.3000409%40Rock3d.net%3E" + TITLE="[Mageia-discuss] Odd entry in log file">imnotpc at Rock3d.net + </A><BR> + <I>Tue May 8 02:05:44 CEST 2012</I> + <P><UL> + <LI>Previous message: <A HREF="007252.html">[Mageia-discuss] Odd entry in log file +</A></li> + <LI>Next message: <A HREF="007257.html">[Mageia-discuss] Odd entry in log file +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7253">[ date ]</a> + <a href="thread.html#7253">[ thread ]</a> + <a href="subject.html#7253">[ subject ]</a> + <a href="author.html#7253">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On 05/07/2012 05:27 PM, Maarten Vanraes wrote: +><i> Op maandag 07 mei 2012 23:04:14 schreef Frank Griffin: +</I>>><i> On 05/07/2012 04:50 PM, Maarten Vanraes wrote: +</I>>>><i> Op maandag 07 mei 2012 14:23:44 schreef Frank Griffin: +</I>>>><i> [...] +</I>>>><i> +</I>>>><i> it's like this: +</I>>>><i> +</I>>>><i> mostly people natting will do: +</I>>>><i> +</I>>>><i> iptables -s 192.168.0.0/24 -o eth0 -j MASQUERADE +</I>>>><i> +</I>>>><i> which means internal traffic on 192.168.3.2 would go outside without +</I>>>><i> being natted. 
if someone nearby uses 192.168.3.2 as a local network ip, +</I>>>><i> it would get martians, since that network is coming from an unexpected +</I>>>><i> source interface. +</I>>><i> Yes, but it would go to the ISP gateway and get discarded. Why would it +</I>>><i> be seen by anything else on the ISP subnet, unless the NIC were in +</I>>><i> promiscuous mode ? And if that (promiscuous mode) were the case, why +</I>>><i> would iptables complain ? +</I>><i> promiscuous mode means you're passing through from layer 2 to layer 3 +</I>><i> irrespective of mac address (ie: even if it's not for you) +</I>><i> +</I>><i> iptables is not complaining +</I>><i> +</I>><i> martians is kernel level, (resource path filtering (for asynchronous routing)), +</I>><i> before iptables even comes into play. +</I> +So the kernel would log the martian before iptables sees it? That +explains why it isn't dropped by the firewall. But that begs the +question, is there any point in using iptables rules to block packets +from other subnets if iptables will never see them? Just about every +sample firewall ruleset I've ever seen does this either explicitly or by +allowing them to fall through to the default DROP rule. Now that I'm +thinking back, in 10+ years of Linux LAN experience I've never seen a +martian packet logged by any of my firewalls. i just assumed it was good +network management ;-) + +><i> +</I>><i> martians is actually also on the same level as promiscuous checking iinm... +</I>><i> +</I>><i> ie: it's disregarding an ip packet on an interface, which should not have come +</I>><i> from that interface, but according to routing information, you expect it to +</I>><i> come from another interface. +</I>><i> +</I>><i> ie: if you have: +</I>><i> eth0: 192.168.0.2/24 +</I>><i> eth1: 192.168.1.5/24 +</I>><i> eth2: 75.124.56.84 +</I>><i> and default route via eth2 +</I>><i> +</I>><i> if coming from eth2 there is a packet with source IP 192.168.1.54, it would +</I>><i> fire. 
+</I>><i> +</I>><i> if going out to eth1 a packet with dest IP 192.168.0.6 it would also fire. +</I>><i> +</I>><i> if coming from eth0 is a packet with source ip 192.168.3.8, it also fires, +</I>><i> since default route is eth2. +</I>><i> +</I>><i> i donno if you see an interface which it's speaking of in the martians +</I>><i> warning, but i suggest you look at the routing table and see what is going on. +</I>><i> +</I>><i> you can furthermore try to use tcpdump and see what is going on. +</I> +I'll give this a try and see what I dig up. +</PRE> + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="007252.html">[Mageia-discuss] Odd entry in log file +</A></li> + <LI>Next message: <A HREF="007257.html">[Mageia-discuss] Odd entry in log file +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#7253">[ date ]</a> + <a href="thread.html#7253">[ thread ]</a> + <a href="subject.html#7253">[ subject ]</a> + <a href="author.html#7253">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-discuss">More information about the Mageia-discuss +mailing list</a><br> +</body></html> |
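Review bot: nothing in this hunk needs changing, but two things are worth recording for whoever maintains the archive. First, the added file is Mailman-generated output under an HTML 3.2 doctype, and the markup shows it: `<LI>` elements are closed with lowercase `</li>`, and the `<P>` before each `<UL>` is never closed. Both are tolerated by that doctype, so the file should be kept verbatim rather than hand-corrected, but they will surface as errors if the archive is ever migrated to a stricter doctype or run through a validator. Second, the archived message is quoted verbatim, including the `iptables -s 192.168.0.0/24 -o eth0 -j MASQUERADE` line and the phrase "resource path filtering" in the quoted reply; as an archive import these stay as the author wrote them, so a reader who wants the current kernel and iptables semantics behind the "martian" log messages discussed here should check the documentation rather than treat the quoted lines as a tested configuration.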