My opensuse box has two NICs, eth1 and eth2. The network physically is delivered by a single cable, but we have to networks on it, so we have two networks on the same physical layer.

Both eth1 and eth2 connects to this physical layer using a simple switch, but they are set up to connect to different networks.

eth1 is set up with IP address like 193.5.x.x
eth2 is set up with IP address 172.19.175.25

My log file is full of messages like:

martian source 255.255.255.255 from 172.19.175.25, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:34:52:98:ae:1e:08:00

Sometimes I have similar message but on eth2, and the IP is the IP of eth1 or another computer on this network.

The NICs are set up in a way that the internet is accessed through eth2, and local servers are accessed with eth1. Eth1 also serves as an address to access the computer from the internet.

Basically everything works as intended, except the fact, the the log file is practically unusable because of the millions of martians attacking

I see, that the problem is the two networks somehow mix on the same layer. What can be done? Is there a solution, to stop receiving martians?

you can disable logging martians with sysctl -w net.ipv4.conf.all.log_martians=0. but, instead of using two interfaces, why not give eth1 a secondary IP address?

People usually say it is not a good practice to disable martian logging. This is somehow hiding the problem, and not solving it.

The two IPS are not on the same subnet, they belong to different networks. I am not sure if it is possible to have a secondary IP address on a different network for the same NIC. Any suggestions how to try this?

to "solve" the problem for your setup, the two switch ports connected to your system would have to be on different vlans. failing that, you cannot prevent martian broadcasts on the same switch.

your distro's documentation is the best place to learn about configuring a secondary IP address, since configuration files vary. it's also possible to have the secondary IP address on a different network from the primary.

[edit] Also, I believe that with a secondary IP address configured, broadcasts from either network would not be considered martian [/edit]

I see, thanks. Two additional questions:

If using only one NIC but with two IPs, will this prevent martians to come up for sure?

What is the reason for not having martians when only one NIC is in use? The physical layer itself still has two networks, and computers on this layer either connect to one or the other (or sometimes both).

Mod: I have tried the sysctl... command, and nothing changed. syslogd was restarted. What am I missing?

yes, i'm almost sure that's the case.

a martian is supposed to be something that comes from an unexpected source. by defining a secondary IP address, you are declaring that another network is present on that interface.

right, but something is declared a martian based on its source address and on the interface it came in on. e.g. a packet from the 172.19.175.x
network is not a martian when it comes in on eth2, but it is when it comes through eth1.

what does "sysctl -a | grep martian" show?

net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth2.log_martians = 1
net.ipv4.conf.eth1.log_martians = 1
net.ipv4.conf.vboxnet0.log_martians = 1

I thought all.log should be enough, but eth1 and eth2 was also needed. Now they are stopped.

Is there a way to not receive martians from the other NICs network, but receive otherwise? Is defining secondary IPs for both NICs with the other NIC's network can help? For some reasons it would be better to keep both NICs.

dropping martians is not a problem. the problem is that martian logging may occur (i'm not sure) early in the inspection process, earlier, for example, than the iptables rule which drops such a packet.