[prev in list] [next in list] [prev in thread] [next in thread] 

List:       suse-security
Subject:    Re: [opensuse-security] Martian sources on the private interface of a openSUSE router
From:       Joachim Banzhaf <joachimbanzhaf () compuserve ! de>
Date:       2007-11-06 8:59:56
Message-ID: 200711060959.56640.joachimbanzhaf () compuserve ! de
[Download RAW message or body]

Hi Mark,

I am not an expert on this, but I have some experience, so maybe I can help a 
bit. But dont take everything I write as hard facts. I might well be 
wrong :-)

Am Montag, 5. November 2007 20:26:35 schrieb Mark Van De Vyver:
> Hi Gary,

> FE-eth0 - external-IP
> FE-eth1 - 192.168.0.10
> P0-eth0 - 192.168.0.20
> P0-eth1 - 192.168.0.21
> P1-eth0 - 192.168.0.30
> P1-eth1 - 192.168.0.31

Avoid multiple interfaces on the same subnet without using bonding.

And since they are connected via a virtual switch (->software) I doubt you 
gain performance by using them in parallel, with or without bonding.
At least it would depend very much on the workload.
I think two interfaces at virtual switches are mainly useful for firewalling. 
E.g. if you have more than 2 machines on that switch and you want  A <-> B 
<-> C but not A <-> C

> >         Third, I have a similar setup with a gateway (your FE) machine. I
> > get martian sources on my OUTSIDE interface all the time, some say
> > 255.255.255.255 others 169.254.x.x and they all say from 192.168.0.3
> > which is a mahcine in my providers network with the same subnet as my
> > inside network. The martian message means that it's seeing trafic from
> > one subnet on the other card, and that makes no sense.

I think it is a feature of linux that packets show up on all interfaces.
I dont know why this could be usefull, but it is the default behaviour.
It can be switched off, but I dont know how. Probably by writing some value to 
some file in /proc/sys/net?

> OK, on my private network I see 255.* martian sources from one of the
> other machines.  I don't see anything on the other (but I suspect I
> don't have logging turned on there).

You can get rid of the symptom (log entries for martians) by issuing this:

for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo "0" >$i; done

For a permanent solution you have to put this in some boot script.

> I'm not sure if that provides any useful information - I'd appreciate
> any thoughts/suggestions you might have.

Ok thats it. HTH

Joachim Banzhaf
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org

[prev in list] [next in list] [prev in thread] [next in thread]