On Fri, Feb 09, 2007 at 07:25:19PM -0500, Brian J. Murrell wrote:
> On Fri, 2007-02-09 at 23:56 +0000, Andrew Suffield wrote:
> >
> > The message is somewhat obtusely phrased.
>
> Indeed.
>
> > The kernel has received a
> > packet from 64.86.88.116 to 66.11.173.224 on eth1, and it doesn't like
> > the source address for whatever reason,
>
> Or the destination address, considering that it's the destination
> address for a different interface?

Not directly AFAIK - the destination address is used only to consider
whether the source address is routable (i.e. if you're using source
routing). 'Martian' is conceptually a collection of vaguely related
objections to the source address. However...

> > so it dropped the packet. Most
> > likely, 64.86.88.116 is not routable via eth1, which implies either
> > your routing tables are wrong
>
> # ip route ls
> ...
> default
>     nexthop via 72.38.184.1 dev eth1 weight 1
>     nexthop via 192.168.200.1 dev ppp0 weight 1
>
> That should make it routable, yes?

Only if it didn't match any other routes (and if you're doing weird
things, I'm really not sure exactly what the kernel thinks is acceptable
- the code is funky and not very well commented).

From one of your earlier mails, don't you have a source route for
66.11.173.224 that sends it out ppp0? I'm not completely certain, but I
believe that will cause the kernel to reject anything destined for that
address coming from other interfaces.

While it's not always true if your routing is complicated, rpfilter
generally means "If I wouldn't route my reply to this packet back out of
this interface, then it shouldn't be arriving at this interface" (which
is almost exactly equivalent to "all routes must be symmetric").

> > or you need to disable return-path
> > filtering on this interface (I still haven't been paying enough
> > attention to know which, but you must disable rpfilter if your routing
> > is asymmetric).
>
> Well, it should not be. I do have two interfaces but they are in
> completely different subnets with different providers. IOW, completely
> independent of each other.
>
> That's what makes it odd that a packet could arrive on my eth1 with a
> destination address of 66.11.173.224. The Internet would not route that
> destination address to my eth1 via my eth1 provider but rather to my
> ppp0 via my ppp0 provider.

Then probably either this packet is malformed or you've got some weird
NAT issue. Exactly why that may be happening is not immediately apparent
to me.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
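The reverse-path rule stated in the reply above ("if I wouldn't route my reply to this packet back out of this interface, it shouldn't be arriving here"), as an added example that is not part of the original thread: a small Python model of the rp_filter check, run against tables shaped like the 'ip route ls' output quoted in the message. The /24 link prefixes, the 'via_ppp0' table and the 'from 66.11.173.224' policy rule are constructed for illustration (the thread only mentions that such a source route may exist), the kernel's own lookup is done by fib_validate_source() rather than anything here, and the multipath treatment (any nexthop on the arriving device counts as a match) is a simplification of what the kernel does. The swapped-address lookup is the point of the example: the kernel asks how it would reach the packet's source when sending from the packet's destination, so a policy rule keyed on the destination address steers the verdict for packets arriving on other interfaces.

```python
"""
Illustrative model of the Linux reverse-path filter (rp_filter), added to
the thread above; it is not kernel code. The routing tables, the /24
prefixes and the 'from 66.11.173.224' policy rule are constructed for the
example, and the multipath treatment is a simplification.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: IPv4Network
    devs: List[str]  # more than one entry models a multipath (nexthop ...) route


@dataclass
class Rule:
    src: Optional[IPv4Network]  # 'ip rule add from <src> lookup <table>'; None = match all
    table: str


def lookup(tables: Dict[str, List[Route]], rules: List[Rule],
           daddr: IPv4Address, saddr: IPv4Address) -> Optional[Route]:
    """Walk the policy rules in order; the first table holding a matching
    route wins, longest prefix first within that table."""
    for rule in rules:
        if rule.src is not None and saddr not in rule.src:
            continue
        best = None
        for route in tables.get(rule.table, []):
            if daddr in route.prefix and (
                    best is None or route.prefix.prefixlen > best.prefix.prefixlen):
                best = route
        if best is not None:
            return best
    return None


def rp_filter_check(tables, rules, in_dev: str, src: IPv4Address,
                    dst: IPv4Address, mode: int = 1):
    """mode follows net.ipv4.conf.<dev>.rp_filter: 0 off, 1 strict, 2 loose.

    The reverse lookup swaps the addresses: it asks how the host would reply
    to src when sending from dst. That is why a 'from <dst>' policy rule
    (the source route asked about in the reply) changes the verdict for
    packets arriving on other interfaces.
    """
    if mode == 0:
        return True, "rp_filter disabled"
    route = lookup(tables, rules, daddr=src, saddr=dst)
    if route is None:
        return False, f"martian source {src} from {dst}, on dev {in_dev}: no route back"
    if mode == 2:
        return True, f"loose: {src} reachable via {route.devs}"
    # Strict: the reply must leave through the arriving device. Assumption:
    # any nexthop of a multipath route on that device counts as a match.
    if in_dev in route.devs:
        return True, f"strict: reply to {src} leaves via {in_dev}"
    return False, (f"martian source {src} from {dst}, on dev {in_dev}: "
                   f"reply would leave via {route.devs}")


# Constructed tables resembling the 'ip route ls' output in the thread.
TABLES = {
    "main": [
        Route(IPv4Network("72.38.184.0/24"), ["eth1"]),     # assumed eth1 link net
        Route(IPv4Network("192.168.200.0/24"), ["ppp0"]),   # assumed ppp0 link net
        Route(IPv4Network("0.0.0.0/0"), ["eth1", "ppp0"]),  # default, two nexthops
    ],
    "via_ppp0": [Route(IPv4Network("0.0.0.0/0"), ["ppp0"])],
}
RULES_PLAIN = [Rule(None, "main")]
# Hypothetical source route for the ppp0 address, as the reply speculates.
RULES_SOURCE_ROUTE = [Rule(IPv4Network("66.11.173.224/32"), "via_ppp0"),
                      Rule(None, "main")]

SRC = IPv4Address("64.86.88.116")
DST = IPv4Address("66.11.173.224")


def packet_on_eth1(rules, mode=1):
    """The packet from the log message: src 64.86.88.116 -> dst 66.11.173.224 on eth1."""
    return rp_filter_check(TABLES, rules, "eth1", SRC, DST, mode)


if __name__ == "__main__":
    for name, rules in (("plain multipath", RULES_PLAIN),
                        ("with source route", RULES_SOURCE_ROUTE)):
        for mode in (1, 2, 0):
            ok, why = packet_on_eth1(rules, mode)
            print(f"{name:18} rp_filter={mode}: {'accept' if ok else 'DROP'} ({why})")
```

With only the multipath default route the packet passes the strict check in this model, because one nexthop is on eth1; once the 'from 66.11.173.224' rule diverts the reverse lookup into a ppp0-only table, strict mode drops it as a martian while loose mode (rp_filter=2) still accepts it, which is the asymmetric-routing case the reply is describing. On a real box the corresponding things to inspect are 'ip rule show', 'ip route show table <name>' for each table a rule references, and the sysctls net.ipv4.conf.<dev>.rp_filter and net.ipv4.conf.all.log_martians.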
