Hi,

When I turn log_martians on in my shorewall configuration I get occasionally messages in my log file stating that some martian source packages occurred.

>> martian source A.B.C.D from 0.0.0.0, on dev eth0
>> ll header: ff:ff:ff:ff:ff:ff:00:10:83:35:8a:XX:08:00

where A.B.C.D is the IP address of the responsible DHCP server, which is however not located within the same subnet (centrally managed DHCP server, where every group has their own subnet).

!!! I know how to turn off these messages, but I would rather like to understand what's the cause of these messages. !!!

From the header this package is clearly an IPv4 (08:00) ethernet package being sent to the broadcast address 255.255.255.255 from the client with mac address 00:10:83:35:8a:XX. Using tcpdump I managed to obtain the corresponding package which upsets my kernel / shorewall configuration.

IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 576)
    0.0.0.0.bootpc > A.B.C.D.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:10:83:35:8a:XX (oui Unknown), length 548, xid 0x36e553d3, Flags [none] (0x0000)
          Client-IP logikanalysator.eit.lth.se
          Client-Ethernet-Address 00:10:83:35:8a:XX (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Vendor-Class Option 60, length 20: "HewlettPackard.HP-UX"
            Parameter-Request Option 55, length 12:
              Subnet-Mask, SS, YS, BR
              Domain-Name-Server, Domain-Name, YD, RL
              Hostname, Default-Gateway, Static-Route, NTP

This package obviously uses the 0.0.0.0 source address to send a DHCP Request package to the DHCP server. In my understanding of the RFCs it's totally fine to use the 0.0.0.0 address as a source address. In particular as this machine just started up, and has no knowledge about any assigned ip address and thus HAS TO use the 0.0.0.0 source address.

Where is the misconception in my understanding? Why does the kernel / shorewall configuration complain about this package?
Thanks a lot
/Florian

------------------------------------------------------------------------------
Special Offer -- Download ArcSight Logger for FREE!
Finally, a world-class log management solution at an even better price-free! And you'll get a free "Love Thy Logs" t-shirt when you download Logger. Secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsisghtdev2dev
On Tue, 2011-09-06 at 17:41 +0200, Florian wrote:

> Hi,
>
> When I turn log_martians on in my shorewall configuration I get
> occasionally messages in my log file stating that some martian source
> packages occurred.
>
> >> martian source A.B.C.D from 0.0.0.0, on dev eth0
> >> ll header: ff:ff:ff:ff:ff:ff:00:10:83:35:8a:XX:08:00
>
> where A.B.C.D is the IP address of the responsible DHCP server, which
> is however not located within the same subnet (centrally managed DHCP
> server, where every group has their own subnet).

So packets with 0 as the SOURCE IP address will be considered to be martians when the default route is not out of that interface.

> ...
>
> This package obviously uses the 0.0.0.0 source address to send a DHCP
> Request package to the DHCP server. In my understanding of the RFCs
> it's totally fine to use the 0.0.0.0 address as a source address. In
> particular as this machine just started up, and has no knowledge
> about any assigned ip address and thus HAS TO use the 0.0.0.0 source
> address.

That's the way it works.

> Where is the misconception in my understanding?

Your understanding is correct.

> Why does the kernel / shorewall configuration complain about this package?

Shorewall can turn RP filtering and logging on or off; beyond that, Shorewall has no control over how it works. When rp_filter is enabled on an interface, an incoming packet is considered to be a martian if the SOURCE IP address in the packet is not routed out of that interface. The IP stack reverses the SOURCE and DESTINATION IP addresses and looks up the appropriate route; if the route is out of a different interface, the packet is a martian.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
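The reverse-path check Tom describes, modelled in Python as an added example (this is not code from the thread, from Shorewall or from the kernel, and it also covers loose mode, rp_filter=2, which the thread does not mention). The routing table, the interface names and the addresses 192.0.2.0/24 and 198.51.100.10 are constructed stand-ins for the asker's own subnet and the off-subnet DHCP server A.B.C.D.

```python
import ipaddress

def routes(default_dev):
    """Constructed routing table: the host's own /24 on eth0 plus a default
    route leaving via default_dev (documentation address ranges)."""
    return [(ipaddress.ip_network("192.0.2.0/24"), "eth0"),
            (ipaddress.ip_network("0.0.0.0/0"), default_dev)]

def lookup(table, addr):
    """Longest-prefix match: the interface a packet *to* addr leaves by, or None."""
    addr = ipaddress.ip_address(addr)
    best = max((r for r in table if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def is_martian(table, src, dst, iif, rp_filter=1):
    """Reverse-path check as described in the thread: route the packet's SOURCE
    address as if it were a destination and compare the result with the
    arrival interface. rp_filter: 0 = off, 1 = strict (reverse route must use
    iif), 2 = loose (any reverse route will do); dst plays no part in the check."""
    if rp_filter == 0:
        return False
    reverse_dev = lookup(table, src)
    if rp_filter == 2:
        return reverse_dev is None
    return reverse_dev != iif

def log_line(table, src, dst, iif, rp_filter=1):
    """The message quoted in the thread (destination first, then 'from' source),
    or None when the packet passes."""
    if is_martian(table, src, dst, iif, rp_filter):
        return f"martian source {dst} from {src}, on dev {iif}"
    return None

if __name__ == "__main__":
    # The DHCP Request from the thread: source 0.0.0.0, unicast destination
    # (the off-subnet DHCP server, placeholder 198.51.100.10), arriving on eth0.
    # 0.0.0.0 matches only the default route, so the verdict follows its interface.
    for dev in ("eth1", "eth0"):
        print(f"default via {dev}:", log_line(routes(dev), "0.0.0.0", "198.51.100.10", "eth0"))
    print("loose (rp_filter=2):", log_line(routes("eth1"), "0.0.0.0", "198.51.100.10", "eth0", 2))
```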
On Sep 6, 2011, at 19:29 , Tom Eastep wrote:

> Shorewall can turn RP filtering and logging on or off; beyond that,
> Shorewall has no control over how it works. When rp_filter is enabled on
> an interface, an incoming packet is considered to be a martian if the
> SOURCE IP address in the packet is not routed out of that interface. The
> IP stack reverses the SOURCE and DESTINATION IP addresses and looks up
> the appropriate route; if the route is out of a different interface, the
> packet is a martian.

Thanks for your clarification.
However, shouldn't the kernel check if the corresponding package is a DHCP Request and in this case skip the rp_filter as the source ip address will most likely be invalid? Or is there some special motivation for having rp_filter enabled for those packages as well?

/Florian
On Tue, 2011-09-06 at 19:45 +0200, Florian wrote:

> Thanks for your clarification.
> However, shouldn't the kernel check if the corresponding package is a
> DHCP Request and in this case skip the rp_filter as the source ip
> address will most likely be invalid? Or is there some special
> motivation for having rp_filter enabled for those packages as well?

You'll have to ask the kernel networking developers.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________