Hi all,

I am having an issue with my router, I have attached my shorewall status, what happens is everything is working great and then I get a couple of lines in the syslog pasted below and then I have now access through the firewall, I can access anything on the local network but anything that has to go through the firewall does not work until I either restart the machine or just restart the network with /etc/init.d/networking restart followed by shorewall restart, then access resumes until I get another martian source, then it stops again.

Do I have something configured wrong or what am I missing? I have two other systems that are identical in every way and they are working just fine and have been for a while. These systems were all set up and installed at the same time as well.

Thanks for any input.

Here is what shows up in syslog:

Oct 25 06:43:08 localhost kernel: martian source 67.139.236.33 from 67.139.236.130, on dev eth0
Oct 25 06:43:08 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:08:ea:c6:93:08:06

--
Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004
On Tuesday 25 October 2005 14:58, Jon Scottorn wrote:

> Hi all,
>
> I am having an issue with my router, I have attached my shorewall
> status, what happens is everything is working great and then I get a
> couple of lines in the syslog pasted below and then I have now access

I assume that you mean "...no access...".

> through the firewall,

Is the "shorewall status" output obtained when the router is working or when it is not working? We need the latter.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
You can disregard my previous question -- I think I've determined the problem with what you sent.

On Tuesday 25 October 2005 14:58, Jon Scottorn wrote:

> Oct 25 06:43:08 localhost kernel: martian source 67.139.236.33 from
> 67.139.236.130, on dev eth0
> Oct 25 06:43:08 localhost kernel: ll header:
> ff:ff:ff:ff:ff:ff:00:0e:08:ea:c6:93:08:06

Here's what this message tells you.

A packet from 67.139.236.130 to 67.139.236.33 was received on eth0. The link-level destination was the broadcast address ff:ff:ff:ff:ff:ff and the source link level address is 00:0e:08:ea:c6:93. A lookup of the latter at http://www.coffer.com/mac_find yields the following.

    000E08 Sipura Technology, In

The ethernet frame type is 08:06 which is ARP. So this is an ARP "who-has 67.139.236.33 tell 67.139.236.130" request (and of course 67.139.236.130 is the public IP address of *your* router) but isn't coming from your router.

So:

a) It looks like another box is spoofing the IP address of your router.
b) The spoofer has a network card made by Sipura Technology.
c) /etc/init.d/networking restart is probably sending a gratuitous ARP (the name of the file suggests you are running Debian which does gratuitous ARP from 'ifup').
d) Assuming that you are running Debian, then if you install the iputils-arping package, you can correct this problem when it occurs using the command:

    arping -U -I eth0 -c 2 67.139.236.130

If you don't have a box that fits the description of the spoofer, it's time to call your ISP to help you run the culprit to ground.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
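Added example, not part of the thread: a small Python parser that does the same decoding Tom walks through above on the kernel's two-line martian report (destination MAC, source MAC, ethertype, vendor prefix) and flags a frame that claims the router's own IP from a MAC that is not the router's. The router MAC, the embedded sample log and the one-entry OUI table are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two kernel lines quoted in the thread.
SAMPLE_LOG = """\
Oct 25 06:43:08 localhost kernel: martian source 67.139.236.33 from 67.139.236.130, on dev eth0
Oct 25 06:43:08 localhost kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:08:ea:c6:93:08:06
"""

# Assumed: the router's public IP (from the thread) and the MAC of its eth0 (made up).
OUR_IPS = {"67.139.236.130"}
OUR_MACS = {"00:11:22:33:44:55"}
# Constructed minimal OUI table holding only the prefix looked up in the thread.
OUI = {"00:0e:08": "Sipura Technology"}
ETHERTYPES = {0x0806: "ARP", 0x0800: "IPv4"}

MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
# 14 header bytes: 6 dst MAC, 6 src MAC, 2 ethertype.
LLHDR_RE = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})")

@dataclass
class Martian:
    dst_ip: str
    src_ip: str
    dev: str
    dst_mac: str
    src_mac: str
    ethertype: int

    @property
    def proto(self) -> str:
        return ETHERTYPES.get(self.ethertype, hex(self.ethertype))

    @property
    def vendor(self) -> str:
        return OUI.get(self.src_mac[:8], "unknown")

def parse_martians(text: str) -> List[Martian]:
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    out, pending = [], None
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            pending = m.groups()
            continue
        h = LLHDR_RE.search(line)
        if h and pending:
            b = h.group(1).split(":")
            out.append(Martian(*pending, ":".join(b[:6]), ":".join(b[6:12]), int("".join(b[12:]), 16)))
            pending = None
    return out

def assess(m: Martian) -> Optional[str]:
    """Flag a frame that claims one of our IPs from a MAC that is not ours."""
    if m.src_ip in OUR_IPS and m.src_mac not in OUR_MACS:
        return f"{m.proto} on {m.dev} claims our IP {m.src_ip} from {m.src_mac} ({m.vendor})"
    return None
```

Running `assess` over `parse_martians(SAMPLE_LOG)` reports the ARP frame from 00:0e:08:ea:c6:93 (Sipura Technology) claiming 67.139.236.130, which is the spoofing Tom describes.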
Hi Tom,

Thanks so much for the insight. That is exactly what we have going on here. We are running Debian and there is probably a VoIP device that is on the network.

Again, great thanks for the help. You know your stuff!

JS

Jon Scottorn
Systems Administrator
Possibility Forge
435.635.0591 x.1004

Tom Eastep wrote:

> You can disregard my previous question -- I think I've determined the problem
> with what you sent.
>
> On Tuesday 25 October 2005 14:58, Jon Scottorn wrote:
>
>> Oct 25 06:43:08 localhost kernel: martian source 67.139.236.33 from
>> 67.139.236.130, on dev eth0
>> Oct 25 06:43:08 localhost kernel: ll header:
>> ff:ff:ff:ff:ff:ff:00:0e:08:ea:c6:93:08:06
>
> Here's what this message tells you.
>
> A packet from 67.139.236.130 to 67.139.236.33 was received on eth0. The
> link-level destination was the broadcast address ff:ff:ff:ff:ff:ff and the
> source link level address is 00:0e:08:ea:c6:93. A lookup of the latter at
> http://www.coffer.com/mac_find yields the following.
>
>     000E08 Sipura Technology, In
>
> The ethernet frame type is 08:06 which is ARP. So this is an ARP "who-has
> 67.139.236.33 tell 67.139.236.130" request (and of course 67.139.236.130 is
> the public IP address of *your* router) but isn't coming from your router.
>
> So:
>
> a) It looks like another box is spoofing the IP address of your router.
> b) The spoofer has a network card made by Sipura Technology.
> c) /etc/init.d/networking restart is probably sending a gratuitous ARP (the
> name of the file suggests you are running Debian which does gratuitous ARP
> from 'ifup').
> d) Assuming that you are running Debian, then if you install the
> iputils-arping package, you can correct this problem when it occurs using the
> command:
>
>     arping -U -I eth0 -c 2 67.139.236.130
>
> If you don't have a box that fits the description of the spoofer, it's time to
> call your ISP to help you run the culprit to ground.
>
> -Tom
On Tuesday 25 October 2005 15:26, Tom Eastep wrote:

> Here's what this message tells you.
>
> A packet from 67.139.236.130 to 67.139.236.33 was received on eth0. The
> link-level destination was the broadcast address ff:ff:ff:ff:ff:ff and the
> source link level address is 00:0e:08:ea:c6:93. A lookup of the latter at
> http://www.coffer.com/mac_find yields the following.
>
>     000E08 Sipura Technology, In
>
> The ethernet frame type is 08:06 which is ARP. So this is an ARP "who-has
> 67.139.236.33 tell 67.139.236.130" request (and of course 67.139.236.130 is
> the public IP address of *your* router) but isn't coming from your router.
>
> So:
>
> a) It looks like another box is spoofing the IP address of your router.
> b) The spoofer has a network card made by Sipura Technology.
> c) /etc/init.d/networking restart is probably sending a gratuitous ARP (the
> name of the file suggests you are running Debian which does gratuitous ARP
> from 'ifup').
> d) Assuming that you are running Debian, then if you install the
> iputils-arping package, you can correct this problem when it occurs using
> the command:
>
>     arping -U -I eth0 -c 2 67.139.236.130

For those who didn't follow: the spoofer is poisoning the ARP cache of the upstream router (67.139.236.33). Both "/etc/init.d/networking restart" and the arping command that I recommend restore that cache to correctly point to Jon's router rather than the spoofer.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key