Hi,

I closed this issue too quickly it seems...


I have noticed problems with my nameserver not sustaining the propagation of my 
DNS records.

On investigation, I have found a number of intermittent incorrect cksum 
messages when using tcpdump.

These incorrect cksums occur with both udp and tcp packets.

As an example:

on my firewall I monitored packets with:    tcpdump -vv -i eth0 'udp port domain'
on my laptop on an external network:        dig @203.214.66.102 www.foss4climate.org

I noted the following in the tcpdump output:

=====
10:23:51.969937 IP (tos 0x10, ttl 240, id 17818, offset 0, flags [DF], proto UDP (17), length 77)
    pa49-199-219-38.pa.vic.optusnet.com.au.21131 > 203-214-66-102.perm.iinet.net.au.domain: [udp sum ok] 60940+ [1au] A? www.foss4climate.org. ar: . OPT UDPsize=4096 (49)
10:23:51.970434 IP (tos 0x0, ttl 63, id 6571, offset 0, flags [none], proto UDP (17), length 127)
    203-214-66-102.perm.iinet.net.au.domain > pa49-199-219-38.pa.vic.optusnet.com.au.21131: [bad udp cksum 0x1ba7 -> 0xde0b!] 60940*- q: A? www.foss4climate.org. 1/1/2 www.foss4climate.org. A 203.214.66.103 ns: foss4climate.org. NS ns1.foss4climate.org. ar: ns1.foss4climate.org. A 203.214.66.102, . OPT UDPsize=4096 (99)
=====

Does anyone have a pointer on how to address this issue?

Kind regards,

Bruce Bannerman
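
A triage sketch for the two symptoms reported in this thread, added here as an example and not code from the posters or the Shorewall project: it tallies, per sending host, which packets `tcpdump -vv` flagged with a bad UDP checksum, and counts kernel 'martian destination' drops by source and device. The sample input is constructed from the lines quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed samples: the capture and kernel line quoted in the thread (capture
# lines re-joined, DNS answer shortened); the second kernel line is made up.
TCPDUMP = """\
10:23:51.969937 IP (tos 0x10, ttl 240, id 17818, offset 0, flags [DF], proto UDP (17), length 77)
    pa49-199-219-38.pa.vic.optusnet.com.au.21131 > 203-214-66-102.perm.iinet.net.au.domain: [udp sum ok] 60940+ [1au] A? www.foss4climate.org.
10:23:51.970434 IP (tos 0x0, ttl 63, id 6571, offset 0, flags [none], proto UDP (17), length 127)
    203-214-66-102.perm.iinet.net.au.domain > pa49-199-219-38.pa.vic.optusnet.com.au.21131: [bad udp cksum 0x1ba7 -> 0xde0b!] 60940*- q: A? www.foss4climate.org.
"""
KERNEL = """\
Feb 21 10:16:06 fw kernel: [173036.380121] IPv4: martian destination 0.0.0.0 from 49.199.143.136, dev eth0
Feb 21 10:16:09 fw kernel: [173039.380121] IPv4: martian destination 0.0.0.0 from 49.199.143.136, dev eth0
"""

UDP_SUM = re.compile(
    r"^\s+(\S+) > (\S+): \[(?:udp sum ok|bad udp cksum (0x[0-9a-f]+) -> (0x[0-9a-f]+)!)\]"
)
MARTIAN = re.compile(r"martian destination (\S+) from (\S+), dev (\S+)")

def host(endpoint):
    """Drop the trailing .port or .service name that tcpdump appends."""
    return endpoint.rsplit(".", 1)[0]

def udp_checksums(capture):
    """Return ({sending host: Counter(ok, bad)}, [bad packets]) for UDP lines."""
    per_sender, bad = {}, []
    for line in capture.splitlines():
        m = UDP_SUM.match(line)
        if not m:
            continue
        src, dst, in_packet, computed = m.groups()
        per_sender.setdefault(host(src), Counter())["bad" if in_packet else "ok"] += 1
        if in_packet:
            # tcpdump prints: value carried in the packet -> value it computed
            bad.append((host(src), host(dst), in_packet, computed))
    return per_sender, bad

def martian_destinations(log):
    """Count kernel 'martian destination' drops by (source, destination, device)."""
    return Counter((src, dst, dev) for dst, src, dev in MARTIAN.findall(log))

if __name__ == "__main__":
    per_sender, bad = udp_checksums(TCPDUMP)
    for sender, tally in per_sender.items():
        print(sender, dict(tally))
    print(bad)
    print(martian_destinations(KERNEL).most_common())
```

Seeing which sender accounts for the bad checksums, and which interface logs the martian drops, narrows down where along the path the packets are being altered.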




> On 27 Feb 2020, at 15:13, Bruce Bannerman <bruban...@gmail.com> wrote:
> 
> Hello Tom,
> 
> Many thanks for your help sorting out my issue.
> 
> The problem that I was experiencing appears to have been caused by a dodgy 
> modem/router.
> 
> Once I replaced the modem/router, my incoming and outgoing connections are 
> working fine.
> 
> 
> 
> For others:
> 
> In my case, the connectivity issues were interspersed in the log file with 
> martian destination messages such as:
> 
> =====
> Feb 21 10:16:06 fw kernel: [173036.380121] IPv4: martian destination 0.0.0.0 
> from 49.199.143.136, dev eth0
> =====
> 
> I did extensive searching for ‘martian destination’ posts on the web, but 
> found very little information on their cause.
> 
> The best explanation for ‘martian destination’ messages that I have seen to 
> date came from Tom Eastep. In my case:
> 
> =====
> The (‘martian destination’) packets are coming from your laptop, but it 
> appears that the
> modem/router is mangling them (setting destination IP to 0.0.0.0).
> Note that if your laptop would have actually sent such packets, they
> would have never reached your on-prem modem/router. Messages like the
> above indicate that the packets are being dropped by the Linux IP stack.
> =====
> 
> After replacing my external modem/router all is OK and I have not received 
> any more such messages to date.
> 
> 
> Kind regards,
> 
> Bruce Bannerman
> 
> 
> 
>> On 24 Feb 2020, at 18:30, Bruce Bannerman <bruban...@gmail.com> wrote:
>> 
>> Tom,
>> 
>> Thanks for the tip regarding the dodgy router/modem.
>> 
>> I have now replaced it and run another set of tests:
>> 
>> I’m still set up using the router/modem port forward configuration.
>> All tests appeared to work OK: domain, smtp, smtps, msa, imaps, http, https
>> I did not see any martian destination packets.
>> 
>> I’ve included shorewall_dump-4 below.
>> 
>> <snip/>
>> 
>> Kind regards,
>> 
>> Bruce
>> 
>> 
>>  
>> <shorewall_dump-4.tar.gz>
>> 
>>> On 23 Feb 2020, at 08:18, Bruce Bannerman <bruban...@gmail.com> wrote:
>>> 
>>> Regarding Martian packets:
>>> 
>>> Yes, I’m still seeing many of them under the router/modem port forward 
>>> configuration.
>>> 
>>> I’ll replace my modem tomorrow and try again.
>>> 
>>> Thanks for the pointer.
>>> 
>>> Kind regards,
>>> 
>>> Bruce
>>> 
>>> 
>>> 
>>>> On 23 Feb 2020, at 5:21 am, Tom Eastep <teas...@shorewall.net> wrote:
>>>> 
>>>>> On 2/21/20 12:20 PM, Bruce Bannerman wrote:
>>>>> Hi Tom,
>>>>> 
>>>>> I have some partial improvement that may help.
>>>>> 
>>>>> 
>>>>> I have:
>>>>> 
>>>>> * reset my nameserver to point each of my ‘servers’ to the IP
>>>>>   address of the external interface of my external router/modem.
>>>>> * on the external router/modem, I configured WAN Port Forwarding to
>>>>>   point to several of the same /28 subnet external addresses as per
>>>>>   my previous emails:
>>>>>     o http, https          203.214.66.103
>>>>>     o smtp                 203.214.66.100
>>>>>     o smtps, msa, imaps    203.214.66.104
>>>>> * made no changes to my shorewall configuration.
>>>>> * made no changes to the network addresses or routing configuration
>>>>>   of my servers.
>>>>> * made no changes to my web server, or reverse proxy server
>>>>>   configuration.
>>>>> 
>>>>> 
>>>>> When testing externally I can now access the website at
>>>>> www.foss4climate.org. However, access
>>>>> is considerably slower than normal.
>>>>> 
>>>>> NB: These tests were conducted soon after I made my nameserver
>>>>> changes. While my laptop’s nameserver could get the correct URL for
>>>>> the website, it had not picked up the correct URL for my mail
>>>>> servers. So ignore the mail related connections.
>>>>> 
>>>>> Also note that my shorewall configuration does not take account of
>>>>> the router/modem's external interface, or IP address. It just
>>>>> accounts for the modem’s internal IP Address.
>>>>> 
>>>>> Shorewall Dump for test 3 is attached.
>>>>> 
>>>>> IP Addresses in test 3:
>>>>> 
>>>>> 203.214.66.97    external router/modem gateway (internal interface)
>>>>> 203.214.66.103   Reverse Proxy Server
>>>>> 172.16.4.203     Web Server
>>>>> 49.199.104.114   Laptop’s updated IP address
>>>> 
>>>> It seems to me that from the Shorewall box's point of view, this
>>>> configuration should be no different than the one where DNS resolves
>>>> to the actual server addresses - by the time that packets reach the
>>>> Shorewall system, they should look the same. Are you still seeing
>>>> martian packets with this configuration?
>>>> 
>>>> - -Tom
>>>> - -- 
>>>> Tom Eastep        \ Q: What do you get when you cross a mobster
>>>> Shoreline,         \    with an international standard?
>>>> Washington, USA     \ A: Someone who makes you an offer you
>>>> http://shorewall.org \    can't understand
>>>>                     \________________________________________
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Shorewall-users mailing list
>>>> Shorewall-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/shorewall-users