We are seeing the following in our logs:

Nov 25 16:21:41 fw kernel: martian source 139.142.66.253 from 10.0.0.199, on dev eth0
Nov 25 16:21:41 fw kernel: ll header: 00:a0:c9:60:0e:b2:00:02:7e:21:0e:dc:08:00

00:a0:c9:60:0e:b2 is the mac of our firewall interface on IP 139.142.66.253.

00:02:7e:21:0e:dc is the mac of our Cisco router on IP 10.0.0.1

10.0.0.199 is a Cisco switch - we have about 40 of these sending NTP requests to the firewall, which is running ntpd.

It didn't complain about these before, so I'm not sure why it does now. Is there something about the use of the "zero" subnets it doesn't like?

I have this rule to allow UDP port 123:

ACCEPT sls fw udp 123 -

A portion of my shorewall show status is below (the full output is in a previous message re: AllowPing). There are no hits for UDP 123 coming from 10.0.0.x, probably because they are seen as martians.

Chain sls2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  108  5362 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    1    44 @all2all   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02
   80  6126 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       139.142.66.0/24      0.0.0.0/0           multiport dports 22,10000
    0     0 ACCEPT     udp  --  *      *       139.142.66.252       0.0.0.0/0           udp dpt:161
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca
On Thu, 2004-11-25 at 17:07 -0800, Shawn Wright wrote:

> We are seeing the following in our logs:
>
> Nov 25 16:21:41 fw kernel: martian source 139.142.66.253 from
> 10.0.0.199, on dev eth0
> Nov 25 16:21:41 fw kernel: ll header:
> 00:a0:c9:60:0e:b2:00:02:7e:21:0e:dc:08:00
>
> 00:a0:c9:60:0e:b2 is the mac of our firewall interface on IP
> 139.142.66.253.
>
> 00:02:7e:21:0e:dc is the mac of our Cisco router on IP 10.0.0.1
>
> 10.0.0.199 is a Cisco switch - we have about 40 of these sending NTP
> requests to the firewall, which is running ntpd.
>
> It didn't complain about these before, so I'm not sure why it does now. Is
> there something about the use of the "zero" subnets it doesn't like?

Shawn -- how do you have this firewall cabled?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On 25 Nov 2004 at 17:18, Tom Eastep wrote:

> On Thu, 2004-11-25 at 17:07 -0800, Shawn Wright wrote:
> > We are seeing the following in our logs:
> >
> > Nov 25 16:21:41 fw kernel: martian source 139.142.66.253 from
> > 10.0.0.199, on dev eth0
> > Nov 25 16:21:41 fw kernel: ll header:
> > 00:a0:c9:60:0e:b2:00:02:7e:21:0e:dc:08:00
> >
> > 00:a0:c9:60:0e:b2 is the mac of our firewall interface on IP
> > 139.142.66.253.
> >
> > 00:02:7e:21:0e:dc is the mac of our Cisco router on IP 10.0.0.1
> >
> > 10.0.0.199 is a Cisco switch - we have about 40 of these sending NTP
> > requests to the firewall, which is running ntpd.
> >
> > It didn't complain about these before, so I'm not sure why it does now. Is
> > there something about the use of the "zero" subnets it doesn't like?
>
> Shawn -- how do you have this firewall cabled?

eth0 - 100FD connection to a Cisco 3524XL switch, which is trunked to a Cat6000 switch with a MSFC router card (the source mac of the packets).

eth1 - 10FD connection to a Cisco 1912 switch provided by ISP for internet feed.

Most of our network, including nearly all of the switches generating the NTP martians, is hung off trunks leading to the Cat6000. 10.0.0.x is the admin VLAN, used for all switch management.

I checked into the logs from 3-4 weeks ago, and these martians did not appear then. I'm not quite certain what has changed to cause this. I first saw them with a new temporary firewall, and expected they would go away when the original box went back. They didn't.

About the only thing left for us to try is to reboot the core switches and router, but it is hard to find a good time for that.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca
On Thu, 2004-11-25 at 17:35 -0800, Shawn Wright wrote:

> On 25 Nov 2004 at 17:18, Tom Eastep wrote:
>
> > On Thu, 2004-11-25 at 17:07 -0800, Shawn Wright wrote:
>
> eth0 - 100FD connection to a Cisco 3524XL switch, which is trunked to a
> Cat6000 switch with a MSFC router card (the source mac of the packets).
>
> eth1 - 10FD connection to a Cisco 1912 switch provided by ISP for
> internet feed.
>
> Most of our network, including nearly all of the switches generating the
> NTP martians, is hung off trunks leading to the Cat6000. 10.0.0.x is the
> admin VLAN, used for all switch management.
>
> I checked into the logs from 3-4 weeks ago, and these martians did not
> appear then. I'm not quite certain what has changed to cause this. I first
> saw them with a new temporary firewall, and expected they would go
> away when the original box went back. They didn't.
>
> About the only thing left for us to try is to reboot the core switches and
> router, but it is hard to find a good time for that.

You have no route to 10.0.0.0/24 on eth0.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On 25 Nov 2004 at 17:46, Tom Eastep wrote:

> On Thu, 2004-11-25 at 17:35 -0800, Shawn Wright wrote:
> > On 25 Nov 2004 at 17:18, Tom Eastep wrote:
> >
> > > On Thu, 2004-11-25 at 17:07 -0800, Shawn Wright wrote:
> >
> > eth0 - 100FD connection to a Cisco 3524XL switch, which is trunked to a
> > Cat6000 switch with a MSFC router card (the source mac of the packets).
> >
> > eth1 - 10FD connection to a Cisco 1912 switch provided by ISP for
> > internet feed.
> >
> > Most of our network, including nearly all of the switches generating the
> > NTP martians, is hung off trunks leading to the Cat6000. 10.0.0.x is the
> > admin VLAN, used for all switch management.
> >
> > I checked into the logs from 3-4 weeks ago, and these martians did not
> > appear then. I'm not quite certain what has changed to cause this. I first
> > saw them with a new temporary firewall, and expected they would go
> > away when the original box went back. They didn't.
> >
> > About the only thing left for us to try is to reboot the core switches and
> > router, but it is hard to find a good time for that.
>
> You have no route to 10.0.0.0/24 on eth0.

!!! Ack!

That is strange. I have this in rc.local, and it's been there since the machine was put in service.

route add -net 10.0.0.0/8 gw 139.142.66.245

Somehow it got nuked, so I need to find out why. Ok, I feel stupid for not catching that, sorry to bother you.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca
On Thu, 2004-11-25 at 17:53 -0800, Shawn Wright wrote:

> On 25 Nov 2004 at 17:46, Tom Eastep wrote:
>
> > On Thu, 2004-11-25 at 17:35 -0800, Shawn Wright wrote:
> > > On 25 Nov 2004 at 17:18, Tom Eastep wrote:
> > >
> > > > On Thu, 2004-11-25 at 17:07 -0800, Shawn Wright wrote:
> > >
> > > eth0 - 100FD connection to a Cisco 3524XL switch, which is trunked to a
> > > Cat6000 switch with a MSFC router card (the source mac of the packets).
> > >
> > > eth1 - 10FD connection to a Cisco 1912 switch provided by ISP for
> > > internet feed.
> > >
> > > Most of our network, including nearly all of the switches generating the
> > > NTP martians, is hung off trunks leading to the Cat6000. 10.0.0.x is the
> > > admin VLAN, used for all switch management.
> > >
> > > I checked into the logs from 3-4 weeks ago, and these martians did not
> > > appear then. I'm not quite certain what has changed to cause this. I first
> > > saw them with a new temporary firewall, and expected they would go
> > > away when the original box went back. They didn't.
> > >
> > > About the only thing left for us to try is to reboot the core switches and
> > > router, but it is hard to find a good time for that.
> >
> > You have no route to 10.0.0.0/24 on eth0.
>
> !!! Ack!
>
> That is strange. I have this in rc.local, and it's been there since the
> machine was put in service.
>
> route add -net 10.0.0.0/8 gw 139.142.66.245
>
> Somehow it got nuked, so I need to find out why. Ok, I feel stupid for not
> catching that, sorry to bother you.

rc.local is a really bad place to put 'route' commands. You should configure routes using the Mandrake network config tool so that if you down and up interfaces, the routes get restored properly.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
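The diagnosis in this thread (NTP packets from 10.0.0.199 arriving on eth0 while the route back to 10.0.0.0/8 had been lost) replayed as an added example that is not code from the thread or from Shorewall: it parses the two kernel lines quoted at the top, splits the ll header into destination MAC, source MAC and ethertype, and applies the strict reverse-path check that makes the kernel log a martian, against a constructed route table with and without the rc.local route. The interface assignments and the default route via eth1 are assumptions drawn from the cabling Shawn described.

```python
# Added example (not from the thread or Shorewall): parse Linux 'martian
# source' log lines and replay the strict reverse-path (rp_filter) check
# that makes the kernel log them, against a constructed route table.
import ipaddress
import re

# Constructed sample: the two kernel lines quoted in the thread.
SAMPLE_LOG = """\
Nov 25 16:21:41 fw kernel: martian source 139.142.66.253 from 10.0.0.199, on dev eth0
Nov 25 16:21:41 fw kernel: ll header: 00:a0:c9:60:0e:b2:00:02:7e:21:0e:dc:08:00
"""

# Assumed route tables (prefix, egress device) after the cabling in the
# thread: 139.142.66.0/24 on eth0, default route to the ISP on eth1.
ROUTES_BROKEN = [("139.142.66.0/24", "eth0"), ("0.0.0.0/0", "eth1")]
# Same table once the rc.local route (10.0.0.0/8 via 139.142.66.245, eth0) is back.
ROUTES_FIXED = ROUTES_BROKEN + [("10.0.0.0/8", "eth0")]

MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LLHDR_RE = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})")


def parse_martians(text):
    """One dict per martian line; the 'll header' line that follows is split
    into destination MAC, source MAC and ethertype (14 bytes: 6 + 6 + 2)."""
    events = []
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            events.append({"dst": m.group(1), "src": m.group(2), "dev": m.group(3)})
            continue
        h = LLHDR_RE.search(line)
        if h and events and "src_mac" not in events[-1]:
            o = h.group(1).split(":")
            events[-1].update(dst_mac=":".join(o[:6]), src_mac=":".join(o[6:12]),
                              ethertype="0x" + "".join(o[12:14]))
    return events


def egress_dev(routes, addr):
    """Longest-prefix match: the interface a reply to addr would leave on."""
    ip, best = ipaddress.ip_address(addr), None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def is_martian(routes, event):
    """Strict rp_filter: martian unless the best route back to the source uses the ingress device."""
    return egress_dev(routes, event["src"]) != event["dev"]
```

With ROUTES_BROKEN the reply to 10.0.0.199 would leave via the default route on eth1, so the packet that came in on eth0 fails the check; adding the 10.0.0.0/8 route on eth0 clears it, which is why restoring the route persistently (not in rc.local) stops the log noise.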