
martian source: 127.0.0.1 on eth0?

 
 
Frank Wolk

 
      01-21-2004, 02:18 PM
Dear Newsgroup,

I am running Linux and set up my machine (myserver.some.network) to function
as a router for my internal network connected to eth1. This router connects
to the external network on eth0 (which has the IP address 130.104.3.75) and
has a firewall installed. I realised that in /var/log/messages I get from
time to time a message (4 to 5 times per hour) from the kernel notifying me
about a "martian source", e.g.

Jan 21 14:22:19 linux kernel: martian source 130.104.3.75 from 127.0.0.1, on dev eth0

I know what "martian source" means and that packages from 127.0.0.1 should
not arrive at eth0, correct? Since I didn't know what was causing these
messages I used ethereal to capture traffic on eth0. In the log I found the
following packet that matches the timestamp of the above message:

Frame 6219 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Jan 21, 2004 14:22:19.738646000
    Time delta from previous packet: 0.431011000 seconds
    Time relative to first packet: 772.879013000 seconds
    Frame Number: 6219
    Packet Length: 60 bytes
    Capture Length: 60 bytes
Ethernet II, Src: xx:xx:xx:xx:xx:xx, Dst: xx:xx:xx:xx:xx:xx
    Destination: xx:xx:xx:xx:xx:xx (myserver.some.network)
    Source: xx:xx:xx:xx:xx:xx (gateway_for_myserver.some.network)
    Type: IP (0x0800)
    Trailer: 000000000000
Internet Protocol, Src Addr: localhost (127.0.0.1), Dst Addr: myserver.some.network (130.104.3.75)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xc9cb (51659)
    Flags: 0x00
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 123
    Protocol: TCP (0x06)
    Header checksum: 0x7150 (correct)
    Source: localhost (127.0.0.1)
    Destination: myserver.some.network (130.104.3.75)
Transmission Control Protocol, Src Port: http (80), Dst Port: evb-elm (1504), Seq: 0, Ack: 1070661633, Len: 0
    Source port: http (80)
    Destination port: evb-elm (1504)
    Sequence number: 0
    Acknowledgement number: 1070661633
    Header length: 20 bytes
    Flags: 0x0014 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 0
    Checksum: 0x651a (correct)
    SEQ/ACK analysis
        TCP Analysis Flags
            This is a ZeroWindow segment

I know the IP address of the gateway (gateway_for_myserver.some.network) I
connect to the internet from myserver.some.network on eth0 and it's not
127.0.0.1. So, I am wondering why it sends packages with the source address
127.0.0.1? Also the destination port varies but the source is always the
gateway. Now I am asking, why is the gateway sending those packets (not
only to me but also to other clients on this network as I can see with
ethereal)? Is this some routine testing for certain services on the
clients? Why is it sending 127.0.0.1 as the source of those packets
(misconfiguration?)? Should I drop those packets using iptables?

Any help and answers would be appreciated.

Frank
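
An added example, not part of the original thread: Python that parses kernel log lines like the one quoted in the post above and classifies the claimed source address, so loopback-sourced martians can be counted per interface. The bogon list, the function names and every sample line except the first are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Kernel wording: "martian source <destination> from <source>, on dev <iface>".
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+),\s+on dev (?P<dev>\S+)"
)
# Source ranges not valid on an Internet-facing interface (list chosen for this example).
BOGON_SOURCES = {
    "loopback": ["127.0.0.0/8"],
    "this-network": ["0.0.0.0/8"],
    "link-local": ["169.254.0.0/16"],
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "multicast": ["224.0.0.0/4"],
    "reserved": ["240.0.0.0/4"],
}

def classify(src):
    addr = ipaddress.ip_address(src)  # raises ValueError on a malformed address
    for label, cidrs in BOGON_SOURCES.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return label
    return "other"

def parse_martians(lines):
    """Return one dict (dst, src, dev, kind) per martian-source log line."""
    events = []
    for line in lines:
        m = MARTIAN_RE.search(line)
        if not m:
            continue  # unrelated kernel message
        try:
            events.append({**m.groupdict(), "kind": classify(m["src"])})
        except ValueError:
            continue  # digits and dots that do not form an IPv4 address
    return events

def summarize(events):
    return Counter((e["dev"], e["kind"]) for e in events)

# Line 1 is the entry quoted in the post; the others are constructed samples.
SAMPLE_LOG = [
    "Jan 21 14:22:19 linux kernel: martian source 130.104.3.75 from 127.0.0.1, on dev eth0",
    "Jan 21 14:40:11 linux kernel: martian source 130.104.3.75 from 10.0.0.5, on dev eth0",
    "Jan 21 14:41:00 linux kernel: eth0: link up",
    "Jan 21 14:50:45 linux kernel: martian source 192.168.1.1 from 192.0.2.7, on dev eth1",
]
```

Note that the first address in the kernel message is the packet's destination and the second is its source, which matches the capture in the post (Src Addr 127.0.0.1, Dst Addr 130.104.3.75).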
 
ynotssor

 
      01-21-2004, 10:23 PM
"Frank Wolk" <(E-Mail Removed)> wrote in message
news:bum57f$jb449$(E-Mail Removed)

> I am running Linux and setup my machine (myserver.some.network) to
> function as a router for my internal network connected to eth1. This
> router connects to the external network on eth0 (which has the IP
> address 130.104.3.75) and has a firewall installed. I realised that
> in /var/log/messages I get from time to time a message (4 to 5 times
> per hour) from the kernel notifying me about a "martian source", e.g.
>
> Jan 21 14:22:19 linux kernel: martian source 130.104.3.75 from
> 127.0.0.1, on dev eth0

[...]
> I know the IP address of the gateway
> (gateway_for_myserver.some.network) I connect to the internet from
> myserver.some.network on eth0 and it's not 127.0.0.1. So, I am
> wondering why it sends packages with the source address 127.0.0.1?
> Also the destination port varies but the source is always the
> gateway. Now I am asking, why is the gateway sending those packets
> (not only to me but also to other clients on this network as I can
> see with ethereal)? Is this some routine testing for certain services
> on the clients? Why is it sending 127.0.0.1 as the source of those
> packets (misconfiguration?)? Should I drop those packets using
> iptables?
>
> Any help and answers would be appreciated.


The /etc/hosts file should have the line:

127.0.0.1 localhost.localdomain localhost

with *no* other hostnames, aliases or FQDNs on that line. Does yours contain
extraneous information that might be confusing a particular application's
name resolution capabilities?


tony

--
use hotmail for any email replies



-----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
-----== Over 100,000 Newsgroups - 19 Different Servers! =-----
 
Floyd Davidson

 
      01-21-2004, 11:41 PM
"ynotssor" <"ynotssor"> wrote:
>
>The /etc/hosts file should have the line:
>
> 127.0.0.1 localhost.localdomain localhost
>
>with *no* other hostnames, aliases or FQDNs on that line. Does yours contain
>extraneous information that might be confusing a particular application's
>name resolution capabilities?
>
> tony


Actually that is *not* correct. The line should be

127.0.0.1 localhost

With *no* other hostnames, aliases, or FQDN's on that line.
See RFC1537, and read any good book on network administration.

If you want a loopback for "localhost.localdomain", either use a
dummy interface, or add this or something like it using any
127.x.x.x IP addresses other than 127.0.0.0, 127.0.0.1, and
127.0.0.255.

127.0.4.2 localhost.localdomain

--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) (E-Mail Removed)
 
ynotssor

 
      01-22-2004, 12:10 AM
"Floyd Davidson" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)

>> The /etc/hosts file should have the line:
>>
>> 127.0.0.1 localhost.localdomain localhost
>>
>> with *no* other hostnames, aliases or FQDNs on that line. Does yours
>> contain extraneous information that might be confusing a particular
>> application's name resolution capabilities?

>
> Actually that is *not* correct. The line should be
>
> 127.0.0.1 localhost
>
> With *no* other hostnames, aliases, or FQDN's on that line.
> See RFC1537,


RFC1537 deals with DNS zone files, in which case you are correct. I was
referring to /etc/hosts.





ynotssor

 
      01-22-2004, 12:24 AM
I quoted and wrote in message news:(E-Mail Removed)

>>> The /etc/hosts file should have the line:
>>>
>>> 127.0.0.1 localhost.localdomain localhost
>>>
>>> with *no* other hostnames, aliases or FQDNs on that line. Does yours
>>> contain extraneous information that might be confusing a particular
>>> application's name resolution capabilities?

>>
>> Actually that is *not* correct. The line should be
>>
>> 127.0.0.1 localhost
>>
>> With *no* other hostnames, aliases, or FQDN's on that line.
>> See RFC1537, ...

>
> RFC1537 deals with DNS zone files, in which case you are correct. I
> was referring to /etc/hosts.


I'll add that localhost.localdomain is an absolute literal. It does not
imply substitution of one's actual domain name for localdomain, as RFC1537
indicates for DNS zone files:

" - translating 127.0.0.1 into "localhost.my_domain" can cause some
software to connect to itself using the loopback interface when
it didn't want to.

--
use hotmail for any email replies



Floyd Davidson

 
      01-22-2004, 02:29 AM
"ynotssor" <"ynotssor"> wrote:
>I quoted and wrote in message news:(E-Mail Removed)
>
>>>> The /etc/hosts file should have the line:
>>>>
>>>> 127.0.0.1 localhost.localdomain localhost
>>>>
>>>> with *no* other hostnames, aliases or FQDNs on that line. Does yours
>>>> contain extraneous information that might be confusing a particular
>>>> application's name resolution capabilities?
>>>
>>> Actually that is *not* correct. The line should be
>>>
>>> 127.0.0.1 localhost
>>>
>>> With *no* other hostnames, aliases, or FQDN's on that line.
>>> See RFC1537, ...

>>
>> RFC1537 deals with DNS zone files, in which case you are correct. I
>> was referring to /etc/hosts.


It is just as true for /etc/hosts.

>I'll add that localhost.localdomain is an absolute literal. It does not
>imply substitution of ones actual domainname for localdomain, as RFC1537
>indicates for DNS zone files:
>
>" - translating 127.0.0.1 into "localhost.my_domain" can cause some
> software to connect to itself using the loopback interface when
> it didn't want to.


The address 127.0.0.1 should resolve to "localhost", not to something
else.

Research it in any good book on network configuration.

--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) (E-Mail Removed)
 
Richard Steven Hack

 
      01-22-2004, 05:01 AM
On Wed, 21 Jan 2004 18:29:47 -0900, Floyd Davidson <(E-Mail Removed)>
wrote:

>The address 127.0.0.1 should resolve to "localhost", not to something
>else.
>
>Research it in any good book on network configuration.


Really? From my /etc/hosts on Red Hat 7.3 (unedited by me ever):

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost

So I guess it's not relevant.


--
Richard Steven Hack
"Whatever does not kill me makes me stronger" -
and YOU have not killed me!
 
Richard Steven Hack

 
      01-22-2004, 05:21 AM
On Wed, 21 Jan 2004 18:29:47 -0900, Floyd Davidson <(E-Mail Removed)>
wrote:

>The address 127.0.0.1 should resolve to "localhost", not to something
>else.
>
>Research it in any good book on network configuration.

===========================================================
From UNIX System Administration Handbook, chapter 16, The Domain Name
System, page 455:

The localhost zone.

The address 127.0.0.1 refers to a host itself and should always be
mapped to the name "localhost.localdomain", for example,
localhost.cs.colorado.edu. Some sites map the address to just plain
"localhost" as though it were part of the root domain; this
configuration is incorrect.

If you forget to configure the localhost zone, your site may end up
querying the root servers for localhost information. The root servers
are currently receiving so many of these queries that the operators
are considering adding a generic mapping between localhost and
127.0.0.1 at the root level.
===========================================================


--
Richard Steven Hack
"Whatever does not kill me makes me stronger" -
and YOU have not killed me!
 
Floyd Davidson

 
      01-22-2004, 09:35 AM
Richard Steven Hack <(E-Mail Removed)> wrote:
>On Wed, 21 Jan 2004 18:29:47 -0900, Floyd Davidson <(E-Mail Removed)>
>wrote:
>
>>The address 127.0.0.1 should resolve to "localhost", not to something
>>else.
>>
>>Research it in any good book on network configuration.

>
>Really? From my /etc/hosts on Red Hat 7.3 (unedited by me ever):
>
># Do not remove the following line, or various programs
># that require network functionality will fail.
>127.0.0.1 localhost.localdomain localhost
>
>So I guess it's not relevant.


It *is* relevant. RedHat screwed up, and a couple other
distributions have copied them. If you are going to continue
using things "out of the box" only, there isn't much to worry
about. If you ever intend to head off on your own and install
things that haven't been massaged by RedHat, it would probably
be best to move the "localhost.localdomain" to a separate line
and assign it something like 127.0.0.2.

--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) (E-Mail Removed)
 
Floyd Davidson

 
      01-22-2004, 10:14 AM
Richard Steven Hack <(E-Mail Removed)> wrote:
>On Wed, 21 Jan 2004 18:29:47 -0900, Floyd Davidson <(E-Mail Removed)>
>wrote:
>
>>The address 127.0.0.1 should resolve to "localhost", not to something
>>else.
>>
>>Research it in any good book on network configuration.

>===========================================================
>From UNIX System Administration Handbook, chapter 16, The Domain Name
>System, page 455:


What book is that? Who's the publisher, and who is the author?

>The localhost zone.
>
>The address 127.0.0.1 refers to a host itself and should always be
>mapped to the name "localhost.localdomain", for example,
>localhost.cs.colorado.edu. Some sites map the address to just plain
>"localhost" as though it were part of the root domain; this
>configuration is incorrect.


I suppose that book uses RedHat as an example... ;-) Sigh...

>If you forget to configure the localhost zone, your site may end up
>querying the root servers for localhost information. The root servers
>are currently receiving so many of these queries that the operators
>are considering adding a generic mapping between localhost and
>127.0.0.1 at the root level.


From "Running Linux" 3rd Edition, 1999, by Welsh, Dalheimer, and
Kaufman, published by O'Reilly & Associates, Inc.

Page 530:

... your /etc/hosts would look like this:

127.0.0.1 localhost
128.17.75.20 eggplant.veggie.com eggplant

If you're only using loopback, the only line in /etc/hosts file
should be the address 127.0.0.1.


From "LINUX Network Administrator's Guide", 1995, by Olaf Kirch,
published by O'Reilly & Associates, Inc.

Page 92:

Example 6-5: The named.local file

;
; /var/named/named.local Reverse mapping of 127.0.0
; Origin is 0.0.127.in-addr.arpa.
;
...
1 IN PTR localhost


See also "TCP/IP Network Administration", 2nd Ed., Hunt,
O'Reilly 1998. See pages 50-51 for discussion of /etc/hosts and
an example, which are essentially the same as the first example
described above. See pages 215-216 for discussion of the
named.local file, which is also essentially the same as the
second example above.

--
Floyd L. Davidson <http://web.newsguy.com/floyd_davidson>
Ukpeagvik (Barrow, Alaska) (E-Mail Removed)
 