[plug] Martian source

Jon Miller jlmiller at mmtnetworks.com.au
Sun Nov 9 21:05:07 WST 2003


I should have stated that I did run sysctl -p. The equipment and setup of the network is a Cisco 2621 router at the hub of a VPN network and the termination is a Cisco 1721 router and on the other side a Cisco 827 router. All traffic is rerouted through the Cisco 2621 router. The VPN however is established via a Linux (RHL 7.2 server at the Hub end of the VPN and a RHL 7.1 server at the termination end) using CIPE. There is another VPN link established between the Hub end and another RHL 7.2 server. However the problem lies between the 1721 router and the RHL7.1 server (judging by the IP Address 192.168.4.1 (ethernet card on the RHL7.1 server)).
All traffic is supposed to be coming in and out through the hub router (192.168.3.254).

Nov  9 20:52:31 gateway kernel: martian source 69.37.24.72 from 192.168.4.1, on dev cipcb0

Hope this helps.

Jon


Jon L. Miller, MCNE, CNS, ASE
Director/Sr Systems Consultant
MMT Networks Pty Ltd
http://www.mmtnetworks.com.au

"I don't know the key to success, but the key to failure
 is trying to please everybody." -Bill Cosby



>>> devenish at guild.uwa.edu.au 12:23:27 PM 9/11/2003 >>>
In message <sfadb121.060 at mmtnetworks.com.au>
on Sun, Nov 09, 2003 at 03:14:33AM +0800, Jon  Miller wrote:
> Lately I've seen martian source entries in the /var/log/messages.  I
> understand that they have to do with the kernel thinking they are
> spoofed or incorrect.

Yep.

> Is there a way to stop them

Fix the offending equipment :-) If you are getting these messages on a
local area network, then something is probably broken. (Note: others on
this list have mentioned that Telstra cable will cause a lot of these
errors. "Martian source" is basically a frequently asked question on
this list.)

> (I've changed the value in /etc/sysctl.conf to 0 for the rp_filter
> line) but the message is still there.

If rp_filter is the right thing to change, then you are on the right
track. However, editing /etc/sysctl.conf will only influence the system
settings upon reboot. To have changes take effect immediately, use the
`sysctl` command. For example:

    sysctl -p

This will read in your modifications from /etc/sysctl.conf.

> We are getting these from within the VPN and the source ip address is
> not what it should be. That is it's not from the VPN but from
> obviously spoofed ip addresses.  Does anyone know of a way to 1) kill
> these off or do I need to do something else.

People would need more info to diagnose this problem for you. Might even
require someone having technical familiarity with your network.


_______________________________________________
plug mailing list
plug at plug.linux.org.au 
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug 
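
Added example (not part of the original thread): a shell script that tallies "martian source" lines like the one Jon quoted and prints rp_filter and log_martians for both the "all" scope and the interface named in the log, since these are separate sysctl keys. All sample log lines except the first are constructed, and the second argument of rp_filter_state (an alternate sysctl root) is a hypothetical parameter added so the function can be exercised offline.

```shell
#!/bin/sh
# Constructed sample input; only the first line is the one quoted in the post.
SAMPLE_LOG='Nov  9 20:52:31 gateway kernel: martian source 69.37.24.72 from 192.168.4.1, on dev cipcb0
Nov  9 20:52:35 gateway kernel: martian source 69.37.24.72 from 192.168.4.1, on dev cipcb0
Nov  9 20:53:02 gateway kernel: martian source 192.168.3.10 from 10.9.9.9, on dev eth1
Nov  9 20:53:09 gateway kernel: eth0: link up'

# Read syslog lines on stdin and print "count dev src dst" for each distinct
# martian, most frequent first. In the kernel message the address after
# "from" is the packet's source address; the address directly after
# "martian source" is its destination.
martian_summary() {
    sed -n 's/.*martian source \([0-9.]*\) from \([0-9.]*\), on dev \([^ ]*\).*/\3 \2 \1/p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2, $3, $4}'
}

# Print rp_filter and log_martians for the "all" scope and for one interface.
# $1 = interface name
# $2 = sysctl tree root (hypothetical parameter, defaults to /proc/sys)
rp_filter_state() {
    dev=$1
    root=${2:-/proc/sys}
    for scope in all "$dev"; do
        for key in rp_filter log_martians; do
            f="$root/net/ipv4/conf/$scope/$key"
            if [ -r "$f" ]; then
                val=$(cat "$f")
            else
                val="n/a"   # interface or key not present on this host
            fi
            echo "net.ipv4.conf.$scope.$key=$val"
        done
    done
}

# Demo on the constructed sample: one block per logged interface.
printf '%s\n' "$SAMPLE_LOG" | martian_summary |
while read -r count dev src dst; do
    echo "$count martian(s) on $dev: src=$src dst=$dst"
    rp_filter_state "$dev" | sed 's/^/    /'
done
```

To run it on real data, pipe the log through the function, for example `grep 'martian source' /var/log/messages | martian_summary`.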


