Hi,

When I turn log_martians on in my shorewall configuration, I occasionally get messages in my log file stating that some martian source packages occurred.

>> martian source A.B.C.D from 0.0.0.0, on dev eth0
>> ll header: ff:ff:ff:ff:ff:ff:00:10:83:35:8a:XX:08:00

where A.B.C.D is the IP address of the responsible DHCP server, which is, however, not located within the same subnet (centrally managed DHCP server, where every group has their own subnet).

!!! I know how to turn off these messages, but I would rather like to understand what's the cause of these messages. !!!

From the header this package is clearly an IPv4 (08:00) Ethernet package being sent to the broadcast address 255.255.255.255 from the client with MAC address 00:10:83:35:8a:XX.

Using tcpdump I managed to obtain the corresponding package which upsets my kernel / shorewall configuration.

    IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 576)
        0.0.0.0.bootpc > A.B.C.D.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:10:83:35:8a:XX (oui Unknown), length 548, xid 0x36e553d3, Flags [none] (0x0000)
          Client-IP logikanalysator.eit.lth.se
          Client-Ethernet-Address 00:10:83:35:8a:XX (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Request
            Vendor-Class Option 60, length 20: "HewlettPackard.HP-UX"
            Parameter-Request Option 55, length 12:
              Subnet-Mask, SS, YS, BR
              Domain-Name-Server, Domain-Name, YD, RL
              Hostname, Default-Gateway, Static-Route, NTP

This package obviously uses the 0.0.0.0 source address to send a DHCP Request package to the DHCP server. In my understanding of the RFCs, it's totally fine to use the 0.0.0.0 address as a source address, in particular as this machine just started up and has no knowledge about any assigned IP address and thus HAS TO use the 0.0.0.0 source address.

Where is the misconception in my understanding? Why does the kernel / shorewall configuration complain about this package?

Thanks a lot
/Florian
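The log decoding walked through in the message above, as an added example that is not part of the original post: a small parser that pairs each "martian source" line with its "ll header" line and splits the 14-byte Ethernet header into destination MAC, source MAC and EtherType. It handles the colon-separated header format quoted in the post; the sample lines are constructed, with 192.0.2.10 and the MAC byte 01 standing in for the redacted A.B.C.D and XX.

```python
import re

# Constructed sample: the two kernel log lines quoted in the post, with the
# redacted address and MAC byte replaced by placeholder values.
SAMPLE_LOG = """\
kernel: martian source 192.0.2.10 from 0.0.0.0, on dev eth0
kernel: ll header: ff:ff:ff:ff:ff:ff:00:10:83:35:8a:01:08:00
"""

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
HEADER_RE = re.compile(r"ll header: ((?:[0-9a-fA-F]{2}:){13}[0-9a-fA-F]{2})")


def decode_ll_header(hex_bytes):
    """Split a 14-byte Ethernet header into dst MAC, src MAC and EtherType."""
    octets = hex_bytes.lower().split(":")
    ethertype = int(octets[12] + octets[13], 16)
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": ETHERTYPES.get(ethertype, hex(ethertype)),
        "l2_broadcast": octets[0:6] == ["ff"] * 6,
    }


def parse_martians(log_text):
    """Pair each 'martian source' line with the 'll header' line after it."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            # In the kernel message the first address is the packet's
            # destination and the address after "from" is its source.
            pending = {"dst_ip": m.group(1), "src_ip": m.group(2), "dev": m.group(3)}
            events.append(pending)
            continue
        h = HEADER_RE.search(line)
        if h and pending is not None:
            pending.update(decode_ll_header(h.group(1)))
            pending = None
    return events


if __name__ == "__main__":
    for event in parse_martians(SAMPLE_LOG):
        print(event)
```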