Internet <--12.xx.xxx.xx --> Firewall box (192.168.10.1)<----------> Squid server (192.168.10.2)<------>LAN (192.168.0.0/24)
My squid server doubles as a Domino server with the correct ports forwarded to and from it. Here's the catch.
In /var/log/messages on the firewall machine I have entries saying
Martian source - source 192.168.1.101 from 192.168.0.56 incoming int eth0
The way I read this is that a packet came from the squid server claiming to be from the 1.101 address (I don't use that subnet) and came in on the firewall's internal interface (x-over cable to squid server). Should I be worried? It sounds like packet spoofing, but I have protection against that in the firewall.
The firewall stands up to a port scan from the outside showing only the mail ports I forward as "open".
I thought that as well. So I checked the mail/squid server for log entries. I tracerouted 192.168.1.101 to see where it went. It ended up resolving to 12.124.170.61. Strange, I checked the hosts files on both machines and there is no entry for this address. I port scanned it and it shows no ports open, or like me it's dropping icmp requests. How is it that tracerouting to an internal address like 192.168.1.101 could lead me to an external address with no entry in the local hosts files and no mention of it in the firewall?
Oh, I should also mention that 192.168.0.56 is the internal/LAN side address of the Squid server.
Pcghost,
How often do they happen? Run 'tcpdump -w 101.tcp -s0 host 192.168.1.101' on the firewall to capture the packets. Use 'tcpdump -r 101.tcp' to look at it (ethereal is better if you can transfer the file to a machine with X). At least you'll know what is being sent. I suspect that the ISP is using some similar addresses. Technically, they "can" work on the same "network" (aka your ISP's), but not at their border routers (the internet).
I would recommend dropping this at your border router (your firewall box or your router).
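An added example, not part of the thread: a small reader for the kind of capture file the reply suggests writing with 'tcpdump -w', tallying which hosts, protocols and destination ports are involved in traffic to or from 192.168.1.101. The function names and the sample capture are assumptions made for illustration; the sample packets are constructed and their ports are invented.

```python
import socket
import struct
from collections import Counter

PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def summarize(pcap, host):
    """Count (src, dst, proto, dst_port) for IPv4 frames to or from host."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # written on a little-endian machine
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    flows, off = Counter(), 24         # 24-byte global header
    while off + 16 <= len(pcap):       # 16-byte per-packet record header
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                   # truncated, or EtherType is not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4       # IPv4 header length in bytes
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        if host not in (src, dst):
            continue
        dport = None                   # only TCP and UDP carry ports
        if ip[9] in (6, 17) and len(ip) >= ihl + 4:
            dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        flows[(src, dst, PROTO.get(ip[9], str(ip[9])), dport)] += 1
    return flows

def build_sample(packets):
    """Constructed capture: Ethernet + IPv4 + 8-byte L4 stub per packet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, proto, dport in packets:
        l4 = struct.pack("!HHI", 40000, dport, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + l4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed traffic; the ports are invented, not taken from the thread.
SAMPLE = build_sample([("192.168.0.56", "192.168.1.101", 6, 80)] * 2 +
                      [("192.168.0.56", "192.168.1.101", 1, 0),
                       ("192.168.0.56", "192.168.10.1", 17, 53)])
```

For a real capture, pass the file contents instead of the sample: `summarize(open("101.tcp", "rb").read(), "192.168.1.101")`.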