LinuxQuestions.org
Old 03-31-2003, 11:57 AM   #1
Pcghost
Senior Member
 
Registered: Feb 2003
Location: Spokane, Wa USA
Distribution: Ubuntu, Debian, SuSE, UnSlung
Posts: 1,816
Thanked: 0
Question martian source baffling me?


Here is the setup

Internet <--12.xx.xxx.xx --> Firewall box (192.168.10.1)<----------> Squid server (192.168.10.2)<------>LAN (192.168.0.0/24)

My squid server doubles as a Domino server with the correct ports forwarded to and from it. Here's the catch.

In /var/log/messages on the firewall machine I have entries saying

Martian source - source 192.168.1.101 from 192.168.0.56 incoming int eth0

The way I read this is that a packet came from the squid server claiming to be from the 1.101 address (I don't use that subnet) and came in on the firewall's internal interface (x-over cable to squid server). Should I be worried? It sounds like packet spoofing, but I have protection against that in the firewall.
The firewall stands up to a port scan from the outside showing only the mail ports I forward as "open".

Last edited by Pcghost; 03-31-2003 at 11:58 AM..
Old 03-31-2003, 12:08 PM   #2
bahamat
Member
 
Registered: Mar 2003
Distribution: Debian
Posts: 158
Thanked: 0
Well, since the packet is apparently from 192.168.0.56, why not start there and see what may be causing it?

You might just find that you've got a gateway address typed in wrong.

As they say, don't attribute to malice that which can be adequately explained by stupidity. In other words, the cause is 9 times out of 10 harmless.
Old 03-31-2003, 01:01 PM   #3
Pcghost
Senior Member
 
Registered: Feb 2003
Location: Spokane, Wa USA
Distribution: Ubuntu, Debian, SuSE, UnSlung
Posts: 1,816
Thanked: 0

Original Poster
I thought that as well. So I checked the mail/squid server for log entries. I tracerouted 192.168.1.101 to see where it went. It ended up resolving to 12.124.170.61. Strange, I checked the hosts files on both machines and there is no entry for this address. I port scanned it and it shows no ports open, or like me it's dropping icmp requests. How is it that tracerouting to an internal address like 192.168.1.101 could lead me to an external address with no entry in the local hosts files and no mention of it in the firewall?

Oh, I should also mention that 192.168.0.56 is the internal/LAN side address of the Squid server.

Last edited by Pcghost; 03-31-2003 at 01:03 PM..
Old 04-01-2003, 09:43 PM   #4
bastard23
Member
 
Registered: Mar 2003
Distribution: Debian
Posts: 275
Thanked: 0
Pcghost,
How often do they happen? Run 'tcpdump -w 101.tcp -s0 host 192.168.1.101' on the firewall to capture the packets. Use 'tcpdump -r 101.tcp' to look at it (ethereal is better if you can transfer the file to a machine with X). At least you'll know what is being sent. I suspect that the ISP is using some similar addresses. Technically, they "can" work on the same "network" (aka your ISP's), but not at their border routers (the internet).

I would recommend dropping this at your border router (your firewall box or your router).

Hope that helps,
chris
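
A way to answer "how often do they happen?" from the log itself, added here as an example and not part of any post in this thread: it parses the kernel's own wording, `martian source <destination> from <source>, on dev <interface>`, where the first address is the packet's destination and the address after `from` is its source, then counts entries per interface and address pair. The sample log lines, the hostname `fw` and the `EXPECTED` interface-to-network map (a /24 on eth0 assumed from the 192.168.10.x addresses in the first post) are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Kernel wording: "martian source <destination> from <source>, on dev <iface>"
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}), on dev (?P<dev>\S+)")

# Assumption: source networks the firewall expects to see on each interface.
EXPECTED = {"eth0": [ipaddress.ip_network("192.168.10.0/24")]}

# Constructed sample lines (hostname, times and MAC bytes are made up).
SAMPLE_LOG = """\
Mar 31 11:40:02 fw kernel: martian source 192.168.1.101 from 192.168.0.56, on dev eth0
Mar 31 11:40:02 fw kernel: ll header: 00:00:5e:00:53:01:00:00:5e:00:53:02:08:00
Mar 31 11:40:07 fw kernel: martian source 192.168.1.101 from 192.168.0.56, on dev eth0
Mar 31 11:42:30 fw kernel: martian source 10.0.0.255 from 10.0.0.5, on dev eth1
Mar 31 11:43:00 fw kernel: martian source 999.1.1.1 from 192.168.0.56, on dev eth0
"""

def parse_martians(text):
    """Yield (dev, source, destination) for each well-formed martian entry."""
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if not m:
            continue  # e.g. the "ll header:" line logged after each entry
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # octet out of range: damaged or truncated line
        yield m["dev"], src, dst

def triage(text, expected=EXPECTED):
    # Most frequent (dev, source, destination) first, with a verdict on the source.
    report = []
    for (dev, src, dst), n in Counter(parse_martians(text)).most_common():
        nets = expected.get(dev)
        if nets is None:
            verdict = "unknown interface"
        elif any(src in net for net in nets):
            verdict = "source on expected network"
        else:
            verdict = "source not expected on this interface"
        report.append((dev, str(src), str(dst), n, verdict))
    return report

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

The address pairs it reports are the ones worth passing to the `tcpdump ... host` capture suggested above.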