Old 12-17-2004, 09:23 AM   #1
TrulyTessa
Member
 
Registered: Nov 2004
Location: Canada, eh
Distribution: SuSE 9.2 Pro
Posts: 63

Rep: Reputation: 15
What does "SFW2-INext-DROP-DEFLT" in my messages log file mean?


I'm trying to troubleshoot a flaky network connection on my SuSE 9.2 Pro installation. I've noticed that the most frequent message in my /var/log/messages file, sometimes every few seconds, is the following (the SRC is different every time, the DST is always my static IP address -- which I've deleted below):

Dec 17 10:16:55 DBHC1V51 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0f:1f:e2:b9:6d:00:0f:1f:66:a5:ba:08:00 SRC=128.100.42.200 DST=[deleted my.ip.address] LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=37779 PROTO=UDP SPT=123 DPT=123 LEN=76

I also notice this line in the log file once in a while:

Dec 17 09:05:41 DBHC1V51 kernel: martian source 128.100.43.255 from [deleted my.ip.address], on dev eth0

Could these messages have anything to do with my flaky connection?
 
Old 12-17-2004, 10:16 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
You have an iptables rule which is creating this log message..

do iptables-save to display your rules..

log-martians are a sysctl setting..
cat /proc/sys/net/ipv4/conf/all/log_martians to read it

Probably added by your iptables script...

Last edited by peter_robb; 12-17-2004 at 10:19 AM.
 
Old 12-17-2004, 10:49 AM   #3
TrulyTessa
Member
 
Registered: Nov 2004
Location: Canada, eh
Distribution: SuSE 9.2 Pro
Posts: 63

Original Poster
Rep: Reputation: 15
iptables-save doesn't do anything on my system, but when I do iptables -nL I get a bunch of output which I previously posted in the 3rd entry here:

http://www.linuxquestions.org/questi...hreadid=259196

Since disabling the firewall a few minutes ago, I no longer get the "SFW2-INext-DROP-DEFLT" messages in my log file, but my network connection is still flaky, so I'm still a long way from figuring out the solution to my connectivity problem.

Incidentally, cat /proc/sys/net/ipv4/conf/all/log_martians returns 0.
 
Old 12-17-2004, 12:13 PM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Ok.. the port used by the strange log entries is the ntp time protocol..
Still can't tell if it's an originating packet or a reply packet..
Coz src & dest ports are the same, I say it's an originating packet..

I am very surprised iptables-save doesn't exist..
Check the rpm to see if it exists in there or not..
It's a great tool for displaying current rules, much better than just iptables..

for the log_martians..
do cat /proc/sys/net/ipv4/conf/eth0/log_martians
It may be only entered against the interface or default..
/proc/sys/net/ipv4/conf/default/log_martians
 
Old 12-17-2004, 12:39 PM   #5
TrulyTessa
Member
 
Registered: Nov 2004
Location: Canada, eh
Distribution: SuSE 9.2 Pro
Posts: 63

Original Poster
Rep: Reputation: 15
SRC and DST are not the same. DST is always my static IP address, SRC is something different each time (though probably from within my organization).

iptables-save doesn't show up as an installable option in YaST. Don't know how else to look for it.

Both cat /proc/sys/net/ipv4/conf/eth0/log_martians and
cat /proc/sys/net/ipv4/conf/default/log_martians return 0 as well.
 
Old 12-17-2004, 12:58 PM   #6
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
iptables-save is one of the programmes in the iptables package..

Ahhh... src & dest ports..
both are port 123..
Usually a client will use a high port >1023 to connect from..
So seeing the same port number and udp protocol suggests that it's not a reply.. maybe a scanning attempt or an improperly set router..
(I'll check my ntp server to see if it synchronises with low ports..)
---added comment Yes, my ntp server uses 123 for a src port..
So it may be a poorly setup ntp server looking for sources to synchronise on..
Can block that on your router if you don't have an ntp server for the public...
----

After reading your previous post about "flaky connections"..
which setup do you have now?
I gather you have an internet ip number, via a hub, which also means via a router somewhere..
You mentioned treating your network as "safe" so I'm not too sure that's true if you have a public ip number..
It makes it difficult to do firewall mods without proper tools if you're public..
Need to be sure you've closed down all unnecessary listening daemons before clearing rules out.

Last edited by peter_robb; 12-17-2004 at 01:13 PM.
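The log format and the port-123 reasoning above lend themselves to a small parser; the following is an added example, not code from either poster or from SuSEfirewall2. The sample log lines, hostnames, addresses and MACs in it are constructed (RFC 5737 documentation ranges), and the only real layout assumed is the SFW2 KEY=VALUE format shown in the first post.

```python
import re

# Constructed sample lines in the SuSEfirewall2 (SFW2) kernel-log format
# discussed above; hosts, addresses and MACs are invented for illustration.
SAMPLE_LOG = """\
Dec 17 10:16:55 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0f:1f:e2:b9:6d:00:0f:1f:66:a5:ba:08:00 SRC=192.0.2.200 DST=192.0.2.10 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=37779 PROTO=UDP SPT=123 DPT=123 LEN=76
Dec 17 10:17:01 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0f:1f:e2:b9:6d:00:0f:1f:66:a5:bb:08:00 SRC=192.0.2.77 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=40123 DPT=123 LEN=56
Dec 17 10:17:05 host kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0f:1f:e2:b9:6d:00:0f:1f:66:a5:ba:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 17 09:05:41 host kernel: martian source 192.0.2.255 from 192.0.2.10, on dev eth0
"""

SFW2_TAG = "SFW2-INext-DROP-DEFLT"
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_sfw2_line(line):
    """Return the KEY=VALUE fields of one SFW2 log line, or None for other lines."""
    if SFW2_TAG not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line.split(SFW2_TAG, 1)[1]):
        fields.setdefault(key, value)  # LEN appears twice (IP, then UDP); keep the first
    # MAC= packs destination MAC, source MAC and EtherType; the source MAC
    # (octets 7-12) is the one to compare with the router's entry in `arp -n`.
    octets = fields.get("MAC", "").split(":")
    fields["SRC_MAC"] = ":".join(octets[6:12]) if len(octets) == 14 else ""
    return fields

def classify_ntp(fields):
    """Label UDP traffic to port 123 by its source port, as reasoned in the thread."""
    if fields.get("PROTO") != "UDP" or fields.get("DPT") != "123":
        return "not-ntp"
    spt = int(fields["SPT"])
    if spt == 123:
        return "ntp-server-or-peer"  # 123->123: server/peer style, not a client's reply
    if spt > 1023:
        return "ntp-client"          # ephemeral source port: an ordinary client query
    return "ntp-odd-low-port"

def summarise(log_text):
    """Count dropped packets per (SRC, source MAC, class) so repeat sources stand out."""
    counts = {}
    for line in log_text.splitlines():
        fields = parse_sfw2_line(line)
        if fields is None:
            continue
        key = (fields["SRC"], fields["SRC_MAC"], classify_ntp(fields))
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Feeding a real /var/log/messages to summarise() shows at a glance whether the 123->123 packets all arrive from one source MAC (the router) or from several hosts on the local segment.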
 
Old 12-20-2004, 10:58 AM   #7
TrulyTessa
Member
 
Registered: Nov 2004
Location: Canada, eh
Distribution: SuSE 9.2 Pro
Posts: 63

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by peter_robb
iptables-save is one of the programmes in the iptables package..

Ahhh... src & dest ports..
both are port 123..
Usually a client will use a high port >1023 to connect from..
So seeing the same port number and udp protocol suggests that it's not a reply.. maybe a scanning attempt or an improperly set router..
(I'll check my ntp server to see if it synchronises with low ports..)
---added comment Yes, my ntp server uses 123 for a src port..
So it may be a poorly setup ntp server looking for sources to synchronise on..
Can block that on your router if you don't have an ntp server for the public...
----
Sorry, not sure what it means to have an "ntp server for the public." Is that something I should know?

Quote:
After reading your previous post about "flaky connections"..
which setup do you have now?
I gather you have an internet ip number, via a hub, which also means via a router somewhere..
You mentioned treating your network as "safe" so I'm not too sure that's true if you have a public ip number..
It makes it difficult to do firewall mods without proper tools if you're public..
Need to be sure you've closed down all unnecessary listening daemons before clearing rules out.
Yes, I've been assigned a static IP number. There is a router in my building, plus a little hub in my office that allows multiple computers to connect (using different IPs).

I have no idea how to modify the firewall, aside from turning it on & off. It's off at the moment. The network administrators in my building, however, run their own firewall, and I'm currently looking into whether anything they are doing is interfering with my network connectivity. However, a colleague on the same floor also runs SuSE, and he has no connection issues, so it makes me think the issues I'm having aren't related to my network administrators' firewall settings.
 
Old 12-20-2004, 11:36 AM   #8
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Do you have an ntp time server running in your pc or network?
Usually your net admin would block these at the router if you didn't have one..
(In fact any unused services should be blocked at the router..)
do netstat -lnp and look for something listening on port 123 in your pc..

Also please check the MAC address in the logs and see if it matches the MAC address of the router..
do arp -n to list the current MAC addresses your pc recognises.
(The table expires after 15 mins so not everyone will be in there..)
I am a bit curious about the source of the packets.. there are so many.. and whether they are from outside your net (most likely) or inside spoofed packets..

Also please check cat /proc/sys/net/ipv4/tcp_ecn. It should be 0
This can make the net connection flaky if it is on..

I don't feel too confident seeing a public static ip number without a firewall somewhere.. even if the hacks on linux are very few..
There are many firewall scripts and gui tools to make it easy for you..
The LQ Wiki lists a few.. http://wiki.linuxquestions.org/wiki/Firewall
 
Old 12-20-2004, 12:43 PM   #9
TrulyTessa
Member
 
Registered: Nov 2004
Location: Canada, eh
Distribution: SuSE 9.2 Pro
Posts: 63

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by peter_robb
Do you have an ntp time server running in your pc or network?
Usually your net admin would block these at the router if you didn't have one..
(In fact any unused services should be blocked at the router..)
do netstat -lnp and look for something listening on port 123 in your pc..
I grepped the output from that command and 123 doesn't show up anywhere.

Quote:
Also please check the MAC address in the logs and see if it matches the MAC address of the router..
do arp -n to list the current MAC addresses your pc recognises.
(The table expires after 15 mins so not everyone will be in there..)
There are two entries in that table. They both share enough information with my assigned static IP address that either certainly could be the router. I'll check with my network admin guys to verify that one of them actually is.

Quote:
Also please check cat /proc/sys/net/ipv4/tcp_ecn. It should be 0
This can make the net connection flaky if it is on..
It's 0.

Quote:
I don't feel too confident seeing a public static ip number without a firewall somewhere.. even if the hacks on linux are very few..
There are many firewall scripts and gui tools to make it easy for you..
The LQ Wiki lists a few.. http://wiki.linuxquestions.org/wiki/Firewall
It's true I've temporarily disabled my linux firewall, but my machine resides within a network protected by an outer firewall. The network admin guys opened up port 22 for me so I could get SSH connections going. I'm currently doing some digging to see if the firewall the network admin guys run for the entire group is somehow interfering with my linux box's ability to maintain a stable connection.

Edited to add:
By the way, thanks for all your help. I'm pretty frustrated, and it helps a lot to have someone waaaaaay more knowledgeable than me guiding my search for resolution!

Last edited by TrulyTessa; 12-20-2004 at 12:45 PM.
 
Old 12-20-2004, 12:59 PM   #10
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Ok, I'll kick myself now...
For some reason I've been thinking you have an internet static number on your eth0 rather than a local net number..
Which makes for a good question..
What kind of firewall/router configuration redirects port 123 to your pc?
You don't have an ntp time server on your pc..
Find that MAC address..

Your router/gateway will be listed with route -n
 
Old 12-21-2004, 04:46 PM   #11
TrulyTessa
Member
 
Registered: Nov 2004
Location: Canada, eh
Distribution: SuSE 9.2 Pro
Posts: 63

Original Poster
Rep: Reputation: 15
Not sure I'm following. What's the difference between an internet static number and a local net number? I have a static IP address assigned to my linux box that no one else uses, i.e., if I type that IP address in a web browser on a network-connected machine anywhere, it brings up my linux box's default apache page. I would have thought that was an 'internet static number' but I must be confused...

When I do route -n it brings up four entries. I guess that in order to know which is the router/gateway (and to find out more info about the firewall/router), I'll have to wait for a response from my network admin guys to be sure... Will report back when I know more about that stuff.
 
Old 12-22-2004, 09:28 AM   #12
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
There's two distinct numbering groups for local networks and for internet networks

See http://www.tldp.org/HOWTO/PPP-HOWTO/c112.html

With route -n, usually the last number is the gateway..
but it can be recognised by the UG entry in the line..
It's possible to have several gateways too..
eg..
Code:
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

Last edited by peter_robb; 12-22-2004 at 09:30 AM.
 