[Mageia-discuss] Odd entry in log file
imnotpc
imnotpc at Rock3d.net
Mon May 7 00:57:45 CEST 2012
On 05/06/2012 06:38 PM, Frank Griffin wrote:
> On 05/06/2012 02:23 PM, imnotpc wrote:
>> Some of my mga2 boxes are recording lines like this:
>>
>> May 5 08:42:38 Cedar1 kernel: [2420746.469695] ll header:
>> 00:11:09:01:8f:2b:00:18:4d:9d:dc:39:08:00
>> May 5 08:42:38 Cedar1 kernel: [2420746.470060] martian source
>> 173.194.74.154 from 192.168.3.2, on dev eth0
>>
>>
>> I don't know about 'martian', but those IPs are indeed unfamiliar and
>> not anything I'm aware of. Any idea what is causing this and if it is
>> something to be concerned about?
> Martians are IP packets which have a source or destination IP address
> that is in one of the "internal" ranges that are defined only for
> private network use, such as 10.x.x.x or 192.168.x.x.
>
> The message is less than clear, since both IPs are identified as
> "source" or "from", which leaves you guessing as to which was the
> source and which was the target, but the 192.168.3.2 address is the
> culprit.
>
> Either you're sending the packet, in which case you have a problem
> that needs to be addressed, or someone else is, in which case you can
> ignore the message.
My thanks to you, Maarten, and Doug for replying. I knew that packets in
private subnets are never forwarded by routers, one of the basic
security features of the IPv4 system. I had never heard them referred to
as martian before, but the name makes sense. Based on the destination of
the packets (Google, Facebook), my assumption is that these are not
malicious, and based on my knowledge of my network, I believe these are
originating from the wireless hosts as Doug indicated. I guess the only
part I still don't understand is how these packets are reaching the
kernel of the gateway through NAT and firewalls? Perhaps there is
something I don't understand about how IP traffic moves between hosts.
Jeff
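
An added example, not part of the original thread: a small Python parser for the two kernel line types quoted above. It relies on the kernel's log format, which prints the packet's destination after "martian source" and its source after "from", and on the standard 14-byte Ethernet header layout (destination MAC, source MAC, EtherType); the function names and the unwrapped sample lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the two kernel lines quoted in the post, unwrapped.
SAMPLE = """\
May 5 08:42:38 Cedar1 kernel: [2420746.469695] ll header: 00:11:09:01:8f:2b:00:18:4d:9d:dc:39:08:00
May 5 08:42:38 Cedar1 kernel: [2420746.470060] martian source 173.194.74.154 from 192.168.3.2, on dev eth0
"""

MARTIAN_RE = re.compile(
    r"martian source (\d+\.\d+\.\d+\.\d+) from (\d+\.\d+\.\d+\.\d+), on dev (\S+)")
LL_RE = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})\s*$", re.I)
ETHERTYPES = {"0800": "IPv4", "0806": "ARP", "86dd": "IPv6"}

def parse_martian(line):
    """Return dst/src/dev for a 'martian source' line, else None."""
    m = MARTIAN_RE.search(line)
    if not m:
        return None
    dst, src, dev = m.groups()  # destination is printed first, source after 'from'
    return {"dst": dst, "src": src, "dev": dev,
            "src_is_private": ipaddress.ip_address(src).is_private}

def parse_ll_header(line):
    """Decode a 14-byte Ethernet header dump: dst MAC, src MAC, EtherType."""
    m = LL_RE.search(line)
    if not m:
        return None
    b = m.group(1).lower().split(":")
    etype = "".join(b[12:14])
    return {"dst_mac": ":".join(b[0:6]), "src_mac": ":".join(b[6:12]),
            "ethertype": ETHERTYPES.get(etype, "0x" + etype)}

def summarize(log_text):
    """Collect (device, source IP) pairs and sender MACs seen in the log."""
    sources, macs = set(), set()
    for line in log_text.splitlines():
        mart, ll = parse_martian(line), parse_ll_header(line)
        if mart:
            sources.add((mart["dev"], mart["src"]))
        if ll:
            macs.add(ll["src_mac"])
    return {"sources": sorted(sources), "sender_macs": sorted(macs)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The source MAC from the `ll header` line is the last hop on the local segment, so it is the address to look up in DHCP leases or switch tables when tracing which device sent the packet.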