search for: log_martian

...raded to 4.0.9). Everything works flawlessly. One small exception I have noticed (since I''m a new shorewall user I assume this is probably an error on my part). 1. Problem: With no "logmartians" entries in /etc/shorewall/interfaces, shorewall-perl sets /proc/sys/net/ipv4/conf/*/log_martians to "0". 2. Expected behavior: For any interface entry in /etc/shorewall/interfaces for which the "logmartians" option is not present, shorewall-perl should take no action, leaving the system settings alone. (Unless I have misunderstood the shorewall-interfaces man page and th...

https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=40 laforge@netfilter.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED ------- Additional Comments From laforge@netfilter.org 2003-02-03 16:49 ------- We haven't seen this

...4 61 0 0 0 0 /proc /proc/sys/net/ipv4/ip_forward = 1 /proc/sys/net/ipv4/icmp_echo_ignore_all = 0 /proc/sys/net/ipv4/conf/all/proxy_arp = 0 /proc/sys/net/ipv4/conf/all/arp_filter = 0 /proc/sys/net/ipv4/conf/all/rp_filter = 1 /proc/sys/net/ipv4/conf/all/log_martians = 0 /proc/sys/net/ipv4/conf/br0/proxy_arp = 0 /proc/sys/net/ipv4/conf/br0/arp_filter = 0 /proc/sys/net/ipv4/conf/br0/rp_filter = 0 /proc/sys/net/ipv4/conf/br0/log_martians = 0 /proc/sys/net/ipv4/conf/default/proxy_arp = 0 /proc/sys/net/ipv4/conf/default/arp_filter = 0 /proc/sys/net/i...

I''m very new to shorewall. My setup is IP Gateway (CentOS 4 + Shorewall) with 3 NIC cards. Shorewall works great on the firewall machine. Bind also works (local net machines get IPs fine). Under firestarter, all works great. With shorewall, the loc machines can not route past the firewall. They can connect to the firewall, but not past it. Exactly what information should I post to get

...all-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0 net.ipv4.ip_forward = 1 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.log_martians = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 vm.vfs_cache_pressure = 35 vm.nr_hugepages = 512 net.ipv4.tcp_max_syn_backlog = 2048 fs.aio-max-nr = 1048576 vm.dirty_backgroun...

I am running version 3.0.7 of Shorewall on a Debian Sarge system, but when I start Shorewall I get this: /usr/share/shorewall/firewall: line 204: 4: command not found I looked there and found this: # Run ip and if an error occurs, stop the firewall and quit # run_ip() { if ! ip $@ ; then if [ -z "$STOPPING" ]; then error_message "ERROR: Command \"ip

...#39; i discovered that simply some services (i tested squid and the openldap server) does not communicate anymore; digging with tcpdump arise the problem: olorin acces the squid proxy on radagast via the eth1 interfaces, but reply on eth0, so olorin kernel drop the packet (i''ve not enabled log_martian, but i think was interesting ;). As try_out solution, i''ve enabled arp_proxy on eth0 and ip_forwarding, resulting in a working envirionment, but resulting also in packets directing to olorin that pass thru radagast and vice versa; also, a solution similar to this tempted in another place...

...s packets errors dropped carrier collsns 42348 380 0 0 0 0 /proc /proc/sys/net/ipv4/ip_forward = 1 /proc/sys/net/ipv4/icmp_echo_ignore_all = 0 /proc/sys/net/ipv4/conf/all/proxy_arp = 0 /proc/sys/net/ipv4/conf/all/arp_filter = 0 /proc/sys/net/ipv4/conf/all/rp_filter = 1 /proc/sys/net/ipv4/conf/all/log_martians = 0 /proc/sys/net/ipv4/conf/default/proxy_arp = 0 /proc/sys/net/ipv4/conf/default/arp_filter = 0 /proc/sys/net/ipv4/conf/default/rp_filter = 1 /proc/sys/net/ipv4/conf/default/log_martians = 0 /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0 /proc/sys/net/ipv4/conf/eth0/arp_filter = 0 /proc/sys/net/ipv4/...

...urce_route /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses /bin/echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp --dport 53 -j ACCEPT ip...

Hi all: I see a lot of the errors below in /var/log/messages on my firewall: Aug 1 00:47:44 munin kernel: [109008.257109] martian source 192.168.1.5 from 127.0.0.1, on dev eth1 Aug 1 00:48:44 munin kernel: [109068.257384] martian source 192.168.1.5 from 127.0.0.1, on dev eth1 Aug 1 00:49:44 munin kernel: [109128.257509] martian source 192.168.1.5 from 127.0.0.1, on dev eth1 Aug 1 00:50:44

....proxy_arp=1 #net.ipv4.conf.eth1.proxy_arp=1 #net.ipv6.conf.all.forwarding=1 #net.ipv4.conf.all.accept_redirects = 0 #net.ipv6.conf.all.accept_redirects = 0 #net.ipv4.conf.all.send_redirects = 0 #net.ipv4.conf.all.accept_source_route = 0 #net.ipv6.conf.all.accept_source_route = 0 #net.ipv4.conf.all.log_martians = 1 net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0 *** Any idea what I''m doing wrong here?????? Thanks a lot, Walter

Hi folks, Has anyone tested the changes to multiple ISPs/load balancing or routestopped in 2.4.0-RC1 yet? We need to talk about what criteria we will use for determining whether 2.4.0 is ready for release. I''ve started configuring a firewall at work with the multiple ISPs support, but its kernel doesn''t have connection marking support, so it''s going to be a couple of

...0 0 0 0 0 /proc /proc/sys/net/ipv4/ip_forward = 1 /proc/sys/net/ipv4/icmp_echo_ignore_all = 0 /proc/sys/net/ipv4/conf/all/proxy_arp = 0 /proc/sys/net/ipv4/conf/all/arp_filter = 0 /proc/sys/net/ipv4/conf/all/rp_filter = 0 /proc/sys/net/ipv4/conf/all/log_martians = 0 /proc/sys/net/ipv4/conf/default/proxy_arp = 0 /proc/sys/net/ipv4/conf/default/arp_filter = 0 /proc/sys/net/ipv4/conf/default/rp_filter = 1 /proc/sys/net/ipv4/conf/default/log_martians = 0 /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0 /proc/sys/net/ipv4/conf/eth0/arp_filter = 0...

...= 1 net.ipv4.tcp_timestamps = 0 net.ipv4.tcp_window_scaling = 0 net.ipv4.tcp_sack = 0 net.ipv4.tcp_fin_timeout = 30 net.ipv4.tcp_keepalive_time = 1800 net.ipv4.tcp_low_latency = 1 net.ipv4.tcp_ecn = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.log_martians = 1 net.ipv4.ip_conntrack_max = 8192 net.ipv4.hashsize = 1023 net.ipv4.ip_local_port_range = "32768 61000" and after this, that linux put in their "/var/log/messages" next: Mar 1 14:08:16 morpheus kernel: host 192.168.212.17/if4 ignores redirects for 192.168.210.98 to 192.16...

...s always been a rather silly feature. For incoming packets, it duplicates the function of the ''routefilter'' option. It provides no value on output since it enforces the same thing that the routing table does. In other words, if you set ''routefilter'' and ''log_martians'' you get the same effect. I''ve decided to remove the ''detectnet'' option from future versions of Shorewall-perl. Shorewall-perl 4.0.4 will issue a warning message that the option is going away; Shorewall-perl will issue a warning message that support for the opt...

...:37:57 firewall kernel: [ 895.708399] ll header: ff:ff:ff:ff:ff:ff:90:f6:52:3f:65:c0:08:00 Nov 8 15:37:59 firewall kernel: [ 897.711647] martian source 192.168.0.3 from 192.168.0.1, on dev eth0 Nov 8 15:37:59 firewall kernel: [ 897.711654] ll header: ff:ff:ff:ff:ff:ff:90:f6:52:3f:65:c0:08:00 LOG_MARTIANS= (Yes|No) no matter if above variable is yes or no, logs are keep coming. echo "0" > /proc/sys/net/ipv4/conf/eth0/rp_filter when i change the value 1 to 0, and restart the shorewall by using the command "shorewall restart" it automatically change the value from 0 to 1. c...

...|INVALID --- Comment #1 from Phil Oester <netfilter at linuxace.com> 2013-06-14 17:01:31 CEST --- These packets will never make it to netfilter, because they will be dropped by the network core as a martian source. If you enable logging of martian packets (via /proc/sys/net/ipv4/conf/*/log_martians), you will see an entry in your syslog similar to this: localhost kernel: [19202.736982] IPv4: martian source 192.168.19.150 from 192.168.19.255, on dev p3p1 As such, this is not a netfilter bug - it is simply the way Linux works. Closing. -- Configure bugmail: https://bugzilla.netfilter.org/...

...ib/sysctl.d/00-system.conf. # To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file # # For more information, see sysctl.conf(5) and sysctl.d(5). net.ipv4.ip_forward = 0 kernel.panic = 20 kernel.sem = 250 65000 32 256 vm.swappiness = 10 net.ipv4.conf.all.log_martians = 1 kernel.dmesg_restrict = 1 vm.dirty_ratio = 15 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv4.tcp_syncookies = 1 net.ipv6.conf.all.disable_ipv6 = 1 kernel.kptr_restrict = 1 [root at web-devel-local-1 ~]# systemctl status systemd-sysctl ? systemd-sysctl.service - Apply Kernel Variables Loa...

...> /proc > > /proc/sys/net/ipv4/ip_forward = 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all = 0 > /proc/sys/net/ipv4/conf/all/proxy_arp = 0 > /proc/sys/net/ipv4/conf/all/arp_filter = 0 > /proc/sys/net/ipv4/conf/all/rp_filter = 1 > /proc/sys/net/ipv4/conf/all/log_martians = 0 > /proc/sys/net/ipv4/conf/default/proxy_arp = 0 > /proc/sys/net/ipv4/conf/default/arp_filter = 0 > /proc/sys/net/ipv4/conf/default/rp_filter = 1 > /proc/sys/net/ipv4/conf/default/log_martians = 0 > /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0 > /proc/sys/net/i...

also in /etc/sysctl.d/ On Thu, Dec 24, 2015 at 8:58 AM, Gordon Messmer <gordon.messmer at gmail.com> wrote: > On 12/23/2015 05:08 AM, Ofer Hasson wrote: > >> By running "systemctl status systemd-sysctl" I also receive the same >> output, but a simple "cat /proc/sys/vm/swappiness" returns the default >> value, and not the one set by my conf file.