Øyvind Lode - Forums
2012-Jul-31 23:28 UTC
A lot of kernel martian source messages in /var/log/messages
Hi all:

I see a lot of the errors below in /var/log/messages on my firewall:

Aug 1 00:47:44 munin kernel: [109008.257109] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
Aug 1 00:48:44 munin kernel: [109068.257384] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
Aug 1 00:49:44 munin kernel: [109128.257509] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
Aug 1 00:50:44 munin kernel: [109188.257788] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
Aug 1 00:51:44 munin kernel: [109248.258060] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
Aug 1 00:52:44 munin kernel: [109308.258438] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
Aug 1 00:53:44 munin kernel: [109368.258711] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
Aug 1 00:54:44 munin kernel: [109428.259190] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
Aug 1 00:55:44 munin kernel: [109488.259259] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
Aug 1 00:56:44 munin kernel: [109548.259484] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
Aug 1 00:57:44 munin kernel: [109608.259758] martian source 192.168.1.5 from 127.0.0.1, on dev eth1

The pattern is that the kernel logs this every 60 seconds.

192.168.1.5 = Wireless Access Point.

The AP receives its IP via a static lease from isc-dhcp-server running on the firewall box.

Firewall:

Debian wheezy
Shorewall 4.5.5.3
Eth0 = net
Eth1 = loc

If I turn off the AP the martian errors go away.

Any ideas of why I see these messages?

I'm assuming it's the AP and not a misconfigured firewall/router since the messages go away when I power the AP down.

Thanks.

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Tom Eastep
2012-Aug-01 00:57 UTC
Re: A lot of kernel martian source messages in /var/log/messages
On 7/31/12 4:28 PM, "Øyvind Lode - Forums" <forums@lode.is> wrote:
> Hi all:
>
> I see a lot of the errors below in /var/log/messages on my firewall:
>
> Aug 1 00:47:44 munin kernel: [109008.257109] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
> Aug 1 00:48:44 munin kernel: [109068.257384] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
> Aug 1 00:49:44 munin kernel: [109128.257509] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
> Aug 1 00:50:44 munin kernel: [109188.257788] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
> Aug 1 00:51:44 munin kernel: [109248.258060] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
> Aug 1 00:52:44 munin kernel: [109308.258438] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
> Aug 1 00:53:44 munin kernel: [109368.258711] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
> Aug 1 00:54:44 munin kernel: [109428.259190] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
> Aug 1 00:55:44 munin kernel: [109488.259259] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
> Aug 1 00:56:44 munin kernel: [109548.259484] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
> Aug 1 00:57:44 munin kernel: [109608.259758] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
>
> The pattern is that the kernel logs this every 60 seconds.
>
> 192.168.1.5 = Wireless Access Point.
>
> The AP receives its IP via a static lease from isc-dhcp-server running
> on the firewall box.
>
> Firewall:
>
> Debian wheezy
> Shorewall 4.5.5.3
> Eth0 = net
> Eth1 = loc
>
> If I turn off the AP the martian errors go away.
> Any ideas of why I see these messages?

It's because the firewall is receiving packets from 127.0.0.1 on eth1.

-Tom

You do not need a parachute to skydive.
You only need a parachute to skydive twice.
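As an added example, not part of the thread and not Shorewall code: a small Python parser for the kernel "martian source" lines quoted above. It groups the hits by destination, source and interface and measures the spacing between them using the kernel uptime stamp, so a fixed-interval emitter like the 60-second pattern in the first message stands out from irregular noise. One detail worth knowing when reading these lines: in the kernel's message the address directly after "martian source" is the packet's destination, and the address after "from" is the offending source that failed the validity check, which is why 127.0.0.1 is the problem here, not 192.168.1.5. The first three sample lines are quoted from the original post; the eth0 line and the sshd line are constructed to show grouping and skipping.

```python
import re
from collections import defaultdict

# Kernel "martian source" line as quoted in the thread. Field order in the kernel's
# message: the address after "martian source" is the packet's DESTINATION, the one
# after "from" is the SOURCE that failed the validity check. Regex written for this
# syslog layout (example code, not from the thread).
MARTIAN_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: \[\s*(?P<uptime>\d+\.\d+)\] "
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)$"
)

# Sample input: first three lines are quoted from the original post; the eth0 line
# and the sshd line are constructed to show grouping and skipping of unrelated lines.
SAMPLE_LOG = """\
Aug 1 00:47:44 munin kernel: [109008.257109] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
Aug 1 00:48:44 munin kernel: [109068.257384] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
Aug 1 00:49:44 munin kernel: [109128.257509] martian source 192.168.1.5 from 127.0.0.1, on dev eth1
Aug 1 00:49:50 munin kernel: [109134.100000] martian source 10.0.0.9 from 10.0.0.1, on dev eth0
Aug 1 00:49:51 munin sshd[123]: Accepted publickey for admin from 192.168.1.20
"""


def parse_martians(text):
    """Return one dict per martian line; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = MARTIAN_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["uptime"] = float(rec["uptime"])  # seconds since boot, sub-second resolution
            records.append(rec)
    return records


def summarize(text):
    """Group by (dst, src, dev) and compute the gap in whole seconds between consecutive hits.

    The kernel uptime stamp is used instead of the syslog wall-clock time because it is
    monotonic and keeps sub-second precision."""
    groups = defaultdict(list)
    for rec in parse_martians(text):
        groups[(rec["dst"], rec["src"], rec["dev"])].append(rec["uptime"])
    summary = {}
    for key, times in groups.items():
        times.sort()
        gaps = [round(b - a) for a, b in zip(times, times[1:])]
        summary[key] = {"count": len(times), "gaps": gaps}
    return summary


def periodic_sources(text, tolerance=1):
    """Return the groups whose hits recur at a (near) constant interval, with that interval.

    A steady beat, like the 60 s pattern in the thread, points at one host with a fixed
    timer rather than at random traffic, which narrows down where to capture next."""
    result = {}
    for key, info in summarize(text).items():
        gaps = info["gaps"]
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance:
            result[key] = gaps[0]
    return result


if __name__ == "__main__":
    for key, info in summarize(SAMPLE_LOG).items():
        print(key, info)
    print("periodic:", periodic_sources(SAMPLE_LOG))
```

Run it against `grep 'martian source' /var/log/messages` output; the group key tells you which interface and which source address to capture on next, and the gap list tells you whether a single timer is behind it.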
Benny Pedersen
2012-Aug-01 03:35 UTC
Re: A lot of kernel martian source messages in /var/log/messages
On 2012-08-01 01:28, Øyvind Lode - Forums wrote:
> 192.168.1.5 = Wireless Access Point.
>
> The AP receives its IP via a static lease from isc-dhcp-server
> running on the firewall box.

are there any routes with default via? if so remove this and make explicit network routes

default via is only good if there is one network card with one outgoing wan ip

maybe i am wrong, maybe i am not :)

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Øyvind Lode - Forums
2012-Aug-01 08:54 UTC
Re: A lot of kernel martian source messages in /var/log/messages
I'll be the first one to admit that I don't know why this is happening.

On the firewall there are 2 NICs.

Eth0 = wan
Eth1 = lan

There is only 1 default via and that is to the ISP's router.

To me that makes sense.

All clients and servers receive the same gateway settings from the dhcp server on the firewall.

Gateway = 192.168.1.1 which is the firewall's lan interface eth1.

Servers receive a static dhcp lease from the dhcp server but gateway, dns etc. are the same for all hosts.

The only difference is that the static addresses are not a part of the dynamic pool.

I had a look at my Shorewall config and it looks fine to me.

But I changed LOG_MARTIANS=Yes to LOG_MARTIANS=No in /etc/shorewall/shorewall.conf to stop these messages from cluttering my log.

I still have logmartians activated on eth0 though.

Is this an acceptable workaround or should I worry about those kernel martians on eth1?

-----Original Message-----
From: Benny Pedersen [mailto:me@junc.org]
Sent: 1 August 2012 05:36
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] A lot of kernel martian source messages in /var/log/messages

On 2012-08-01 01:28, Øyvind Lode - Forums wrote:
> 192.168.1.5 = Wireless Access Point.
>
> The AP receives its IP via a static lease from isc-dhcp-server
> running on the firewall box.

are there any routes with default via? if so remove this and make explicit network routes

default via is only good if there is one network card with one outgoing wan ip

maybe i am wrong, maybe i am not :)
Bill Shirley
2012-Aug-01 22:24 UTC
Re: A lot of kernel martian source messages in /var/log/messages
If I understand this correctly, some device on your LAN is sending packets with a source address of 127.0.0.1. I would want to see those packets with tcpdump:

tcpdump -n -i eth1 host 127.0.0.1

Bill

On 8/1/2012 4:54 AM, Øyvind Lode - Forums wrote:
> I'll be the first one to admit that I don't know why this is happening.
>
> On the firewall there are 2 NICs.
>
> Eth0 = wan
> Eth1 = lan
>
> There is only 1 default via and that is to the ISP's router.
>
> To me that makes sense.
>
> All clients and servers receive the same gateway settings from the dhcp server on the firewall.
>
> Gateway = 192.168.1.1 which is the firewall's lan interface eth1.
>
> Servers receive a static dhcp lease from the dhcp server but gateway, dns etc. are the same for all hosts.
>
> The only difference is that the static addresses are not a part of the dynamic pool.
>
> I had a look at my Shorewall config and it looks fine to me.
>
> But I changed LOG_MARTIANS=Yes to LOG_MARTIANS=No in /etc/shorewall/shorewall.conf to stop these messages from cluttering my log.
>
> I still have logmartians activated on eth0 though.
>
> Is this an acceptable workaround or should I worry about those kernel martians on eth1?
>
> -----Original Message-----
> From: Benny Pedersen [mailto:me@junc.org]
> Sent: 1 August 2012 05:36
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] A lot of kernel martian source messages in /var/log/messages
>
> On 2012-08-01 01:28, Øyvind Lode - Forums wrote:
>
>> 192.168.1.5 = Wireless Access Point.
>>
>> The AP receives its IP via a static lease from isc-dhcp-server
>> running on the firewall box.
>
> are there any routes with default via? if so remove this and make explicit network routes
>
> default via is only good if there is one network card with one outgoing wan ip
>
> maybe i am wrong, maybe i am not :)
Tom Eastep
2012-Aug-02 02:32 UTC
Re: A lot of kernel martian source messages in /var/log/messages
On 8/1/12 3:24 PM, Bill Shirley wrote:
> If I understand this correctly, some device on your LAN is sending
> packets with a source address of 127.0.0.1. I would want to see those
> packets with tcpdump:
>
> tcpdump -n -i eth1 host 127.0.0.1
>

I would also want to see the ethernet header on the offending packets, so I would add the -e option:

tcpdump -nei eth1 host 127.0.0.1

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Øyvind Lode - Forums
2012-Aug-02 08:19 UTC
Re: A lot of kernel martian source messages in /var/log/messages
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: 2 August 2012 04:32

On 8/1/12 3:24 PM, Bill Shirley wrote:
> If I understand this correctly, some device on your LAN is sending
> packets with a source address of 127.0.0.1. I would want to see those
> packets with tcpdump:
>
> tcpdump -n -i eth1 host 127.0.0.1
>

> I would also want to see the ethernet header on the offending packets, so I would add the -e option:

> tcpdump -nei eth1 host 127.0.0.1

munin:~# tcpdump -nei eth1 host 127.0.0.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
10:04:28.383784 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
10:05:28.384162 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
10:06:28.384288 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
10:07:28.384566 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
10:08:28.565055 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46

__________

I hope you guys understand the above output.
Because I don't fully understand :)

Thanks.
Tom Eastep
2012-Aug-02 13:27 UTC
Re: A lot of kernel martian source messages in /var/log/messages
On 8/2/12 1:19 AM, Øyvind Lode - Forums wrote:
>
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: 2 August 2012 04:32
> On 8/1/12 3:24 PM, Bill Shirley wrote:
>> If I understand this correctly, some device on your LAN is sending
>> packets with a source address of 127.0.0.1. I would want to see those
>> packets with tcpdump:
>>
>> tcpdump -n -i eth1 host 127.0.0.1
>>
>
>> I would also want to see the ethernet header on the offending packets, so I would add the -e option:
>
>> tcpdump -nei eth1 host 127.0.0.1
>
> munin:~# tcpdump -nei eth1 host 127.0.0.1
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 10:04:28.383784 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
> 10:05:28.384162 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
> 10:06:28.384288 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
> 10:07:28.384566 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
> 10:08:28.565055 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
>
> __________
>
> I hope you guys understand the above output.
> Because I don't fully understand :)

The above shows that the system with MAC address 00:19:cb:c2:20:e7 wants to communicate with 192.168.1.5 but it is bizarrely using 127.0.0.1 as the source IP address in its ARP requests. So whichever box has that MAC address is the problem.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
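As an added example, not code from the thread or from Shorewall: a Python parser for the `tcpdump -nei` ARP records quoted above that does what Tom describes by hand. It pulls out the sender hardware address and the two protocol addresses of each request, flags requests whose "tell" address can never legitimately appear on a LAN (loopback, or outside the local prefix), and reports them keyed by sender MAC, since the MAC is the only field the misbehaving host got right and is what you match against DHCP leases or the switch's address table. It also leaves alone requests with sender 0.0.0.0, which are normal RFC 5227 address probes and not a fault. The first two records are quoted from the thread; the other two are constructed, and the LAN prefix 192.168.1.0/24 is an assumption inferred from the gateway 192.168.1.1 mentioned earlier.

```python
import ipaddress
import re

# One tcpdump -e record per line, in the shape quoted in the thread. The original
# terminal output wrapped "length" across two lines; the records are joined here.
# Regex written for this example, not part of the thread.
ARP_REQ_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), "
    r"ethertype ARP \(0x0806\), length (?P<flen>\d+): "
    r"Request who-has (?P<tip>[\d.]+) tell (?P<sip>[\d.]+), length (?P<alen>\d+)$"
)

# Sample capture: the first two records are quoted from the thread; the remaining
# two are constructed (a normal RFC 5227 probe and a normal request from another host).
SAMPLE_CAPTURE = """\
10:04:28.383784 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
10:05:28.384162 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
10:05:30.000000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.77 tell 0.0.0.0, length 46
10:05:31.000000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.77, length 46
"""

# Assumed LAN prefix, inferred from the gateway 192.168.1.1 given in the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_arp_requests(text):
    """Return a list of dicts (ts, smac, dmac, tip, sip, ...) for ARP request records."""
    return [m.groupdict() for m in map(ARP_REQ_RE.match, text.splitlines()) if m]


def classify(rec, lan=LAN):
    """Label one ARP request by its sender protocol address (the "tell" field)."""
    sip = ipaddress.ip_address(rec["sip"])
    if sip.is_unspecified:
        return "probe"              # RFC 5227 address probe: sender 0.0.0.0 is expected
    if sip.is_loopback:
        return "loopback-sender"    # the case in the thread: 127.0.0.0/8 never belongs on the wire
    if sip not in lan:
        return "off-subnet-sender"  # wrong or stale address configuration on that host
    return "ok"


def suspects(text, lan=LAN):
    """Map sender MAC -> set of (label, sender IP, target IP) for abnormal requests.

    The MAC is the stable handle here: the sender IP is precisely the field that is wrong,
    so the hardware address is what identifies the box (via DHCP leases or the switch FDB)."""
    out = {}
    for rec in parse_arp_requests(text):
        label = classify(rec, lan)
        if label not in ("ok", "probe"):
            out.setdefault(rec["smac"], set()).add((label, rec["sip"], rec["tip"]))
    return out


if __name__ == "__main__":
    for mac, findings in suspects(SAMPLE_CAPTURE).items():
        print(mac, sorted(findings))
```

Feed it the output of the `tcpdump -nei eth1 host 127.0.0.1` command from the thread (or a broader `arp` filter if you want the off-subnet class too); for the capture above it reports only 00:19:cb:c2:20:e7, which is the same conclusion Tom draws by eye.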
Øyvind Lode - Forums
2012-Aug-02 15:10 UTC
Re: A lot of kernel martian source messages in /var/log/messages
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: 2 August 2012 15:28

On 8/2/12 1:19 AM, Øyvind Lode - Forums wrote:
>
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: 2 August 2012 04:32
> On 8/1/12 3:24 PM, Bill Shirley wrote:
>> If I understand this correctly, some device on your LAN is sending
>> packets with a source address of 127.0.0.1. I would want to see
>> those packets with tcpdump:
>>
>> tcpdump -n -i eth1 host 127.0.0.1
>>
>
>> I would also want to see the ethernet header on the offending packets, so I would add the -e option:
>
>> tcpdump -nei eth1 host 127.0.0.1
>
> munin:~# tcpdump -nei eth1 host 127.0.0.1
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 10:04:28.383784 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
> 10:05:28.384162 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
> 10:06:28.384288 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
> 10:07:28.384566 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
> 10:08:28.565055 00:19:cb:c2:20:e7 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.5 tell 127.0.0.1, length 46
>
> __________
>
> I hope you guys understand the above output.
> Because I don't fully understand :)

> The above shows that the system with MAC address 00:19:cb:c2:20:e7 wants to communicate with 192.168.1.5 but it is bizarrely using 127.0.0.1 as the source IP address in its ARP requests. So
> whichever box has that MAC address is the problem.

Interesting. MAC 00:19:cb:c2:20:e7 is in fact the host with IP 192.168.1.5.

So it's trying to communicate with itself using 127.0.0.1 as its source.

MAC 00:19:cb:c2:20:e7 with IP 192.168.1.5 = my wireless AP (ZyXEL NWA1100)

I'm in the market for a new AP hehe
Benny Pedersen
2012-Aug-03 03:59 UTC
Re: A lot of kernel martian source messages in /var/log/messages
On 2012-08-02 10:19, Øyvind Lode - Forums wrote:
> I hope you guys understand the above output.
> Because I don't fully understand :)

it means that the 192.168.1.5 host is missing a route for 127.0.0.0/8

if that is missing it will get routed to 192.168.1.1, where there is no way back since 127.0.0.1 is there too

kernel logs this as martian sources

show your:

ip route show
netstat -nr

from the host in 192.168.1.5
Benny Pedersen
2012-Aug-03 04:04 UTC
Re: A lot of kernel martian source messages in /var/log/messages
On 2012-08-02 17:10, Øyvind Lode - Forums wrote:
> MAC 00:19:cb:c2:20:e7 with IP 192.168.1.5 = my wireless AP (ZyXEL
> NWA1100)

will a firmware update not do?

> I'm in the market for a new AP hehe

will not help if their firmware is still not working

just keep it linux where shorewall hopefully works :)
Øyvind Lode - Forums
2012-Aug-03 11:49 UTC
Re: A lot of kernel martian source messages in /var/log/messages
From: Benny Pedersen [mailto:me@junc.org]
Sent: 3 August 2012 06:05

> will a firmware update not do?

I'm actually running the latest firmware.
I talked to a friend who's got the same AP and he confirmed that he's having the same issue with this particular AP.

[Me]
> I'm in the market for a new AP hehe

> will not help if their firmware is still not working

I'll probably look elsewhere of course. 3Com/HP or Linksys is usually a safe bet.
But I'm quite happy with this Zyxel AP so for now I'm just ignoring these messages.
I have disabled logmartians on eth1 to avoid it from cluttering my log.