[Openswan Users] locally generated traffic originating from eth0

Bob Miller bob at computerisms.ca
Fri Jan 14 22:27:42 EST 2011


Hi Paul,
Thank you for the reply.

> > (terminal 1)fw-ps:~# ping -I lo 127.0.0.1
> >
> > (terminal 2)fw-ps:/var/log# tcpdump -n -i lo
> > listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 09:40:44.988414 IP 194.242.22.23 > 127.0.0.1: ICMP echo request, id
> > 8706, seq 15, length 64
> > 09:40:44.988449 IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 8706, seq
> > 15, length 64
> 
> I'm not sure why this is happening, but some advice on debugging...
> 
> - Always disable rp_filter. It just can't deal with packets appearing "out
>    of nowhere" due to the IPsec hooks (be it klips, but especially with netkey)
> 
> - enable logging of martians. Martians are packets that "could not have arrived"
>    by any known route, and therefore must be using superior martian technology.
> 
> so change /etc/sysctl.conf to say:
> 
> net.ipv4.conf.all.log_martians = 1
> net.ipv4.conf.default.log_martians = 1
> net.ipv4.conf.default.rp_filter = 0
> 
> run sysctl -p
> 
> Then since this is not always enough to disable rp_filter for real, run:
> 
> for i in /proc/sys/net/ipv4/conf/*; do echo 0 >  $i/rp_filter; done
> 
> 
> Martians will appear in dmesg.
> 
> hope this helps you somewhat in your quest for packets from the linux packet pie.

Unfortunately I can report no martian packets; that would be a place to
start.  But that doesn't mean they didn't use other superior technology
to confound my machine.  Stupid martians!!
rp_filter is definitely off.  No change in behaviour, nothing extra in
any log file.
I looked over my notes on this box, I did have this working at one point
as a pure l2tp environment.  Then I found out that potentially up to
three road warriors were behind the same nat device, so I made them a
site-to-site tunnel.  l2tp has not been tested since that happened, a
couple of months back.  This means that even though it is a likely cause, I
cannot say for sure my mistyped command is the cause.  I may have
inadvertently caused this building the site-to-site tunnel and it just
hasn't shown up till now.
Tomorrow I will try to see if I can attach this to iptables.  I am
pretty sure that is a martian program that would pull this kind of
trick...

> 
> Paul

Bob Miller
334-7117/660-5315
http://computerisms.ca
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
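An added check, not part of Paul's or Bob's messages: the kernel applies the larger of conf/all/rp_filter and conf/<interface>/rp_filter to each interface, so a sysctl.conf that only zeroes the default entry leaves interfaces that already exist filtered, which is why the for-loop above is needed. This script audits every entry the way that loop writes them; the tree path is a parameter so it can be run against a constructed copy, and the sample tree below is an assumption, not output from Bob's box.

```shell
#!/bin/sh
# Added example: verify rp_filter is really 0 on every entry under the
# ipv4 conf tree (all, default and each interface), since the effective
# value per interface is max(all, <interface>).

# Print every entry under $1 whose rp_filter is not 0; return 1 if any.
# Default tree is the live kernel path; pass another path to test offline.
audit_rp_filter() {
    base="${1:-/proc/sys/net/ipv4/conf}"
    bad=0
    for dir in "$base"/*; do
        [ -f "$dir/rp_filter" ] || continue
        val=$(cat "$dir/rp_filter")
        if [ "$val" != "0" ]; then
            echo "rp_filter still $val on $(basename "$dir")"
            bad=1
        fi
    done
    return $bad
}

# Same loop as in the thread, applied to the tree given as $1.
disable_rp_filter() {
    for i in "$1"/*; do echo 0 > "$i/rp_filter"; done
}

# Constructed sample tree (assumption): default zeroed by sysctl.conf,
# but "all" and eth0 still 1, the "not always enough" case from the thread.
make_sample_tree() {
    root=$(mktemp -d)
    for i in all default lo eth0; do
        mkdir -p "$root/$i"
    done
    echo 1 > "$root/all/rp_filter"
    echo 0 > "$root/default/rp_filter"
    echo 0 > "$root/lo/rp_filter"
    echo 1 > "$root/eth0/rp_filter"
    echo "$root"
}

# Stand-alone run against the constructed tree.
if [ "${1:-}" = "demo" ]; then
    t=$(make_sample_tree)
    audit_rp_filter "$t" || echo "filtering still active; applying loop"
    disable_rp_filter "$t"
    audit_rp_filter "$t" && echo "rp_filter is off everywhere"
fi
```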
