[Openswan Users] locally generated traffic originating from eth0
bob at computerisms.ca
Fri Jan 14 22:27:42 EST 2011
Thank you for the reply.
> > (terminal 1)fw-ps:~# ping -I lo 127.0.0.1
> > (terminal 2)fw-ps:/var/log# tcpdump -n -i lo
> > listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 09:40:44.988414 IP 126.96.36.199 > 127.0.0.1: ICMP echo request, id
> > 8706, seq 15, length 64
> > 09:40:44.988449 IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 8706, seq
> > 15, length 64
> I'm not sure why this is happening, but some advise on debugging....
> - Always disable rp_filter. It just can't deal with packets appearing "out
> of nowhere" due to the IPsec hooks (be it klips, but especially with netkey)
> - enable logigng of martians. Martians are packets that "could not have arrived"
> by any known route, and therefor must be using superiar martian technology.
> so change /etc/sysctl.conf to say:
> net.ipv4.conf.all.log_martians = 1
> net.ipv4.conf.default.log_martians = 1
> net.ipv4.conf.default.rp_filter = 0
> run sysctl -p
> Then since this is not always enough to disable rp_filter for real, run:
> for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/rp_filter; done
> Martians will appear in dmesg.
> hope things helps you somewhat in your quest for packets from the linux packet pie.
Unfortunately I can report no martian packets, that would be a place to
start. But that doesn't mean they didn't use other superior technology
to confound my machine. Stupid martians!!
rp_filter is definitely off. No change in behaviour, nothing extra in
any log file.
I looked over my notes on this box, I did have this working at one point
as a pure l2tp environment. then I found out that potentially up to
three road warriors were behind the same nat device, so I made them a
site-to-site tunnel. l2tp has not been tested since that happened,
couple months back. This means that even though it is a likely cause, I
cannot say for sure my mistyped command is the cause. I may have
inadvertently caused this building the site-to-site tunnel and it just
hasn't shown up till now.
Tomorrow I will try to see if I can attach this to iptables. I am
pretty sure that is a martian program that would pull this kind of
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
More information about the Users