martians and arp

To: debian-firewall@lists.debian.org
Subject: martians and arp
From: "A.M.P. Boelens" <arnout@vvier.xs4all.nl>
Date: Fri, 24 Jun 2005 23:31:37 +0200
Message-id: <[🔎] 20050624213137.GA10755@vvier.xs4all.nl>

Hello list

I've got a problem with my firewall. I've got a server (running sarge with a 2.6
kernel) with two NIC's. eth0, which is by a modem connected to the internet
(using a ppp connection), and eth1, which is connected to a LAN. In my log files
appear the following entries now and then:

martian source ip1 from ip2, on dev eth1
ll header: ff:ff:ff:ff:ff:ff:00:80:5f:d6:05:60:08:06

where ip1 is an address on my network and ip2 the address of eth1. The mac
address belongs to eth1.

using tcpdump I found out that these messages are caused by the following
ARP broadcast packages:

14:18:10.519587 00:80:5f:d6:05:60 > Broadcast, ethertype ARP (0x0806), length
42: arp who-has ip1 tell ip2

Broadcast packages with a length of 60 are fine and are not logged as martians.

Does anyone knows what could be wrong? I spend quite some time googling now, but
I couldn't find an answer.

Regards,

Arnout

Reply to:

Prev by Date: Re: RE: Error-Guard Support Request
Next by Date: Any Software.. get rush undr $15-$99..
Previous by thread: Re: RE: Error-Guard Support Request
Next by thread: Any Software.. get rush undr $15-$99..
Index(es):
- Date
- Thread