
martian source 255.255.255.255 from 10.64.39.106, on dev eth0

 
 
baholeoko
03-09-2006, 07:29 PM
Hello all

So, as in the topic, in my /var/log/messages I have a lot of things like
this one
----------------------------------
martian source 255.255.255.255 from 10.64.39.106, on dev eth0
----------------------------------

I'm using Mandrake 10, with 2 network cards: eth0 (provider) and eth1
(my local network). Eth0 is connected to my service provider, and I
have my own public IP.

I have read a lot of posts but none of them explain what the real
problem with this "martian source 255.255.255.255" is. From time to time
my eth0 goes down and I suspected that this information about martians
is a problem, and I don't know how to stop it. On Mandrake I'm running my
proftpd, dhcpd, ssh, apache and vnc.

Any advice?

 
Eric Teuber
03-09-2006, 07:46 PM
baholeoko wrote:
> Hello all
>
> So, as in the topic, in my /var/log/messages I have a lot of things like
> this one
> ----------------------------------
> martian source 255.255.255.255 from 10.64.39.106, on dev eth0
> ----------------------------------
>
> I'm using Mandrake 10, with 2 network cards: eth0 (provider) and eth1
> (my local network). Eth0 is connected to my service provider, and I
> have my own public IP.
>
> I have read a lot of posts but none of them explain what the real
> problem with this "martian source 255.255.255.255" is. From time to time
> my eth0 goes down and I suspected that this information about martians
> is a problem, and I don't know how to stop it. On Mandrake I'm running my
> proftpd, dhcpd, ssh, apache and vnc.


Martian sources are mostly fake IP addresses pretending to be an internal
source. However, it should not go unrecognized.

Since 10.0.0.0 is a private network, make sure all traffic from this
network coming from outside is blocked by your firewall.

Afterwards, you can ignore these messages.

Eric
 
Peter Lowrie
03-10-2006, 09:47 AM
> Martian sources are mostly fake IP addresses pretending to be an internal
> source. However, it should not go unrecognized.


What a load of drivel. Do this...

echo "0" >/proc/sys/net/ipv4/conf/DEV/log_martians

--
Regards,
Peter.
http://www.pelicom.net.nz
 
Eric Teuber
03-10-2006, 02:11 PM
Peter Lowrie wrote:
>> Martian sources are mostly fake IP addresses pretending to be an internal
>> source. However, it should not go unrecognized.
>
> What a load of drivel. Do this...
>
> echo "0" >/proc/sys/net/ipv4/conf/DEV/log_martians
>


This will just turn off the messages, but it will not solve the cause!

Eric
 
Eric Teuber
03-10-2006, 10:20 PM
Peter Lowrie wrote:
> What a load of drivel. Do this...


I hate replying to people who write bullshit and need more experience
but Peter you should put a rm /var/log/messages into your crontab!

Then you will be the most free and secure man in the world.

Eric

--
for mails replace NOSPAM.com by w e b . d e
 
Eric Teuber
03-10-2006, 10:59 PM
Eric Teuber wrote:
> Peter Lowrie wrote:
>>> Martian sources are mostly fake IP addresses pretending to be an internal
>>> source. However, it should not go unrecognized.

>> What a load of drivel. Do this...
>>
>> echo "0" >/proc/sys/net/ipv4/conf/DEV/log_martians
>>

>
> This will just turn off the messages, but it will not solve the cause!


What do I say, Peter knows how to handle such things. Let's see what he
is suggesting besides suppressing log messages.

Eric

--
replace NOSPAM.com by w e b . d e
 
baholeoko
03-11-2006, 10:24 AM
> Since 10.0.0.0 is a private network, make sure all traffic from this
> network coming from outside is blocked by your firewall.


In my network eth1 there is only 192.168.... and so on.
Between my provider and my server there is 10.0.0.... and my server
has a public IP (redirection is on the provider's server),
so how should I block it?

> Afterwards, you can ignore these messages.


Can I, in this situation?

What else can I give you readers to see what the problem is? I'm not
so good at Linux, so apart from messages from /var/log, where can I check
why my interface goes down from time to time? And again, what about
the martians, can I ignore them?

 
Bit Twister
03-11-2006, 12:52 PM
On 11 Mar 2006 03:24:54 -0800, baholeoko wrote:

> In my network eth1 there is only 192.168.... and so on.
> Between my provider and my server there is 10.0.0.... and my server
> has a public IP (redirection is on the provider's server),
> so how should I block it?


You can block using entries in /etc/shorewall/rules or in
/etc/shorewall/blacklist, and other places using files in
/etc/shorewall.

You can look at the shorewall documentation.

Click up a terminal
locate shorewall | grep /doc | grep index
and cut/paste something like
/usr/share/doc/shorewall-doc-2.4.1/index.html
into your browser.


>> Afterwards, you can ignore these messages.
>
> Can I, in this situation?


Yes.


> And again, what about the martians, can I ignore them?


Yes, you can block shorewall messages by creating an entry in your
/etc/shorewall/blacklist.

You can use just an IP address, port number, ranges......

I'll guess 10.64.39.106 is your provider's modem for your lan.
Try it, put
10.64.39.106
in /etc/shorewall/blacklist, and to load the blacklist, do a
shorewall refresh

Verify your network still works,
service network restart

 
Eric Teuber
03-13-2006, 09:18 PM
baholeoko wrote:
>> Since 10.0.0.0 is a private network, make sure all traffic from this
>> network coming from outside is blocked by your firewall.
>
> In my network eth1 there is only 192.168.... and so on.
> Between my provider and my server there is 10.0.0.... and my server
> has a public IP (redirection is on the provider's server),
> so how should I block it?


eth1 is not of interest here.

>> Afterwards, you can ignore these messages.
>
> Can I, in this situation?
>
> What else can I give you readers to see what the problem is? I'm not
> so good at Linux, so apart from messages from /var/log, where can I check
> why my interface goes down from time to time? And again, what about
> the martians, can I ignore them?


It is quite complex to figure out where the fakes come from. So,
actually what you can do is block the 10.0.0.0 network on your eth0
device. As I said, afterwards you can ignore martians.

As for the matter of your interface going down, you need to explain a little
more closely! When does it happen? It might be a problem with your router,
provider, your firewall box or whatever.

If you experience it again, provide as much information as you can, such
as the last entries of /var/log/messages or the device logfile.

Eric

--
replace NOSPAM.com by w e b . d e
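
Added example, not part of the original thread: one way to summarise the martian lines in /var/log/messages by sender, destination and interface before deciding what to filter on eth0. The kernel prints the destination address first and the sender after "from"; the sample log lines and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Kernel format: "martian source <destination> from <sender>, on dev <iface>"
MARTIAN_RE = re.compile(
    r"martian source (\d+\.\d+\.\d+\.\d+) from (\d+\.\d+\.\d+\.\d+), on dev (\S+)"
)

def classify(addr):
    """Label an IPv4 address by the range it falls in."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad octet
    if addr == "255.255.255.255":
        return "limited-broadcast"
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    return "public"

def summarise(lines):
    """Count martian events per (sender, kind, destination, kind, iface)."""
    counts = Counter()
    for line in lines:
        m = MARTIAN_RE.search(line)
        if not m:
            continue  # not a martian line (e.g. the "ll header" companion)
        dst, src, dev = m.groups()
        try:
            key = (src, classify(src), dst, classify(dst), dev)
        except ValueError:
            continue  # malformed address, skip the line
        counts[key] += 1
    return counts.most_common()

# Constructed sample lines in the style of /var/log/messages
SAMPLE = [
    "Mar  9 19:29:01 server kernel: martian source 255.255.255.255 from 10.64.39.106, on dev eth0",
    "Mar  9 19:29:01 server kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:5e:00:53:01:08:00",
    "Mar  9 19:31:40 server kernel: martian source 255.255.255.255 from 10.64.39.106, on dev eth0",
    "Mar  9 19:40:12 server kernel: martian source 192.168.1.255 from 127.0.0.1, on dev eth0",
    "Mar  9 19:41:00 server sshd[812]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for (src, src_kind, dst, dst_kind, dev), n in summarise(SAMPLE):
        print(f"{n:4d}  {dev}  {src} ({src_kind}) -> {dst} ({dst_kind})")
```

A single private sender repeatedly addressing the broadcast address on the provider-facing interface, as in the line quoted in this thread, shows up as one high-count row.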
 
Peter Lowrie
03-14-2006, 12:24 PM
Eric Teuber wrote:

> Peter Lowrie wrote:
>> What a load of drivel. Do this...

>
> I hate replying to people who write bullshit and need more experience
> but Peter you should put a rm /var/log/messages into your crontab!


Hate's a bit of a strong term isn't it?

> Then you will be the most free and secure man in the world.
>
> Eric
>


1st thing. You are not under attack. There's no need to DROP martian IPs
because you'll spend the rest of your life just blocking them...There's
nothing to block. Martians are simply DNS relics. As an example do a
tcpdump -i eth0 and have a look at all the "who has, tell..." strings with
IP numbers from here to kingdom-come.

As for your ideas relating to messages, I detect a hint of sarcasm.
Your /var/log dir is going to fill up over time with messages.etc.foo.gz
files as they rollover. It's the old gz files you'd crontab.

As to security. I think shorewall is a jerk-off and iptables is far better.
Before iptables was chains. Since 1992, when I started using linux, no-one
has hacked through ssh, I've had no viruses, trojans, rootkits but it
doesn't stop persistent hack attempts - especially from Korean
universities. I only block the worst of them...

-A INPUT -s 123.123.123.123/255.255.255.255 -j DROP

for example. Obviously for internet facing connections strong passwords are
a must.

Hope this helps.


--
Regards,
Peter.
http://www.pelicom.net.nz
 