[Mageia-discuss] Odd entry in log file

imnotpc imnotpc at Rock3d.net
Tue May 8 01:42:34 CEST 2012

>> Well isn't that interesting. That Comcast IP is the address of the 
>> ISP gateway I use. Both of my firewall/gateway boxes that are logging 
>> martian packets are connected to similar Comcast routers. The routers 
>> are configured in bridge mode so the router DHCP service has no 
>> effect on my connection, but it might still be active on the router. 
>> Also each ISP router also has a wireless interface and that could 
>> still be active. My firewall doesn't block any private IPs coming 
>> from the Internet interface since the ISP routers would never forward 
>> them, so that explains how they get past the firewall.
> No, I think traceroute doesn't special-case internal IP addresses.  
> Your routing table is (correctly) set up to route traffic for anything 
> other than your known subnets to the external internet, and that's 
> exactly what traceroute is doing.  It's your ISP's job to discard 
> internal address packets, not yours.
> But I think you're on to something with the ISP routers.  Is there 
> some reason you don't just run the cable from the cable modem to the 
> external NIC on the gateway PC ?  If you're willing to try that, and 
> the martians disappear, it's these routers.
> Try going into configuration on these routers, and see what their DHCP 
> servers are set up for, and whether the 192.168.3 subnet appears 
> anywhere in there.  It's possible that one of your DHCP-using wireless 
> clients is getting an answer to its broadcast from these guys before 
> your internal router, and picking up a IP address from them.

Well the Comcast cable modem was a dead end. I checked it and DHCP is 
disabled, and even if it were enabled it uses a completely different 
subnet. Besides, It would be coming in on eth2 and not eth0. I checked 
the wireless router in the LAN and it uses the subnet for 
it's DHCP connections. It has a fixed IP of on the LAN 
interface so I don't know why these IPs would ever be seen by the 
firewall/gateway box, but this looks like the most likely source.


