Shorewall users - Nov 2004 - Martian sources...

We are seeing the following in our logs:

Nov 25 16:21:41 fw kernel: martian source 139.142.66.253 from 
10.0.0.199, on dev eth0
Nov 25 16:21:41 fw kernel: ll header: 
00:a0:c9:60:0e:b2:00:02:7e:21:0e:dc:08:00

00:a0:c9:60:0e:b2 is the mac of our firewall interface on IP 
139.142.66.253. 

00:02:7e:21:0e:dc is the mac of our Cisco router on IP 10.0.0.1

10.0.0.199 is a Cisco switch - we have about 40 of these sending NTP 
requests to the firewall, which is running ntpd. 

It didn''t complain about these before, so I''m not sure why it
does now. Is
there something about the use of the "zero" subnets it
doesn''t like?

I have this rule to allow UDP port 123:

ACCEPT  sls     fw      udp     123     -

A portion of my shorewall show status is below (the full output is in a 
previous message re: AllowPing). There are no hits for UDP 123 coming 
from 10.0.0.x, probably because they are seen as martians.

Chain sls2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  108  5362 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
state RELATED,ESTABLISHED 
    1    44 @all2all   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0   
tcp
flags:0x16/0x02 
   80  6126 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       139.142.66.0/24      0.0.0.0/0
multiport dports 22,10000 
    0     0 ACCEPT     udp  --  *      *       139.142.66.252       0.0.0.0/0
udp dpt:161 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
udp dpt:123 
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca

On Thu, 2004-11-25 at 17:07 -0800, Shawn Wright wrote:
> We are seeing the following in our logs:
> 
> Nov 25 16:21:41 fw kernel: martian source 139.142.66.253 from 
> 10.0.0.199, on dev eth0
> Nov 25 16:21:41 fw kernel: ll header: 
> 00:a0:c9:60:0e:b2:00:02:7e:21:0e:dc:08:00
> 
> 00:a0:c9:60:0e:b2 is the mac of our firewall interface on IP 
> 139.142.66.253. 
> 
> 00:02:7e:21:0e:dc is the mac of our Cisco router on IP 10.0.0.1
> 
> 10.0.0.199 is a Cisco switch - we have about 40 of these sending NTP 
> requests to the firewall, which is running ntpd. 
> 
> It didn''t complain about these before, so I''m not sure
why it does now. Is
> there something about the use of the "zero" subnets it
doesn''t like?
Shawn -- how do you have this firewall cabled?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On 25 Nov 2004 at 17:18, Tom Eastep wrote:
> On Thu, 2004-11-25 at 17:07 -0800, Shawn Wright wrote:
> > We are seeing the following in our logs:
> > 
> > Nov 25 16:21:41 fw kernel: martian source 139.142.66.253 from 
> > 10.0.0.199, on dev eth0
> > Nov 25 16:21:41 fw kernel: ll header: 
> > 00:a0:c9:60:0e:b2:00:02:7e:21:0e:dc:08:00
> > 
> > 00:a0:c9:60:0e:b2 is the mac of our firewall interface on IP 
> > 139.142.66.253. 
> > 
> > 00:02:7e:21:0e:dc is the mac of our Cisco router on IP 10.0.0.1
> > 
> > 10.0.0.199 is a Cisco switch - we have about 40 of these sending NTP 
> > requests to the firewall, which is running ntpd. 
> > 
> > It didn''t complain about these before, so I''m not
sure why it does now. Is
> > there something about the use of the "zero" subnets it
doesn''t like?
> 
> Shawn -- how do you have this firewall cabled?
eth0 - 100FD connection to a Cisco 3524XL switch, which is trunked to a 
Cat6000 switch with a MSFC router card. (the source mac of the packets). 

eth1 - 10FD connection to a Cisco 1912 switch provided by ISP for 
internet feed. 

Most of our network, including nearly all of the switches generating the 
NTP martians, are hung off trunks leading to the Cat6000. 10.0.0.x is the 
admin VLAN, used for all switch management.

I checked into the logs from 3-4 weeks ago, and these martians did not 
appear then. I''m not quite certain what has changed to cause this. I
first
saw them with a new temporary firewall, and expected they would go 
away when the original box went back. They didn''t. 

About the only thing left for us to try is to reboot the core switches and 
router, but it is hard to find a good time for that.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca

On Thu, 2004-11-25 at 17:35 -0800, Shawn Wright wrote:
> On 25 Nov 2004 at 17:18, Tom Eastep wrote:
> 
> > On Thu, 2004-11-25 at 17:07 -0800, Shawn Wright wrote:
> > >
> eth0 - 100FD connection to a Cisco 3524XL switch, which is trunked to a 
> Cat6000 switch with a MSFC router card. (the source mac of the packets). 
> 
> eth1 - 10FD connection to a Cisco 1912 switch provided by ISP for 
> internet feed. 
> 
> Most of our network, including nearly all of the switches generating the 
> NTP martians, are hung off trunks leading to the Cat6000. 10.0.0.x is the 
> admin VLAN, used for all switch management.
> 
> I checked into the logs from 3-4 weeks ago, and these martians did not 
> appear then. I''m not quite certain what has changed to cause this.
I first
> saw them with a new temporary firewall, and expected they would go 
> away when the original box went back. They didn''t. 
> 
> About the only thing left for us to try is to reboot the core switches and 
> router, but it is hard to find a good time for that.
You have no route to 10.0.0.0/24 on eth0.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On 25 Nov 2004 at 17:46, Tom Eastep wrote:
> On Thu, 2004-11-25 at 17:35 -0800, Shawn Wright wrote:
> > On 25 Nov 2004 at 17:18, Tom Eastep wrote:
> > 
> > > On Thu, 2004-11-25 at 17:07 -0800, Shawn Wright wrote:
> > > >
> > eth0 - 100FD connection to a Cisco 3524XL switch, which is trunked to
a
> > Cat6000 switch with a MSFC router card. (the source mac of the
packets).
> > 
> > eth1 - 10FD connection to a Cisco 1912 switch provided by ISP for 
> > internet feed. 
> > 
> > Most of our network, including nearly all of the switches generating
the
> > NTP martians, are hung off trunks leading to the Cat6000. 10.0.0.x is
the
> > admin VLAN, used for all switch management.
> > 
> > I checked into the logs from 3-4 weeks ago, and these martians did not
> > appear then. I''m not quite certain what has changed to cause
this. I first
> > saw them with a new temporary firewall, and expected they would go 
> > away when the original box went back. They didn''t. 
> > 
> > About the only thing left for us to try is to reboot the core switches
and
> > router, but it is hard to find a good time for that.
> 
> You have no route to 10.0.0.0/24 on eth0.
!!! Ack!
That is strange. I have this in rc.local, and it''s been there since the
machine was put in service.
route add -net 10.0.0.0/8 gw  139.142.66.245

Somehow it got nuked, so I need to find out why. Ok, I feel stupid for not 
catching that, sorry to bother you.


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca

On Thu, 2004-11-25 at 17:53 -0800, Shawn Wright wrote:
> On 25 Nov 2004 at 17:46, Tom Eastep wrote:
> 
> > On Thu, 2004-11-25 at 17:35 -0800, Shawn Wright wrote:
> > > On 25 Nov 2004 at 17:18, Tom Eastep wrote:
> > > 
> > > > On Thu, 2004-11-25 at 17:07 -0800, Shawn Wright wrote:
> > > > >
> > > eth0 - 100FD connection to a Cisco 3524XL switch, which is
trunked to a
> > > Cat6000 switch with a MSFC router card. (the source mac of the
packets).
> > > 
> > > eth1 - 10FD connection to a Cisco 1912 switch provided by ISP for
> > > internet feed. 
> > > 
> > > Most of our network, including nearly all of the switches
generating the
> > > NTP martians, are hung off trunks leading to the Cat6000.
10.0.0.x is the
> > > admin VLAN, used for all switch management.
> > > 
> > > I checked into the logs from 3-4 weeks ago, and these martians
did not
> > > appear then. I''m not quite certain what has changed to
cause this. I first
> > > saw them with a new temporary firewall, and expected they would
go
> > > away when the original box went back. They didn''t. 
> > > 
> > > About the only thing left for us to try is to reboot the core
switches and
> > > router, but it is hard to find a good time for that.
> > 
> > You have no route to 10.0.0.0/24 on eth0.
> 
> !!! Ack!
> That is strange. I have this in rc.local, and it''s been there
since the
> machine was put in service.
> route add -net 10.0.0.0/8 gw  139.142.66.245
> 
> Somehow it got nuked, so I need to find out why. Ok, I feel stupid for not 
> catching that, sorry to bother you.
rc.local is a really bad place to put ''route'' commands. You
should
configure routes using the Mandrake network config tool so that if you
down and up interfaces, the routes get restored properly.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key