Since upgrade to 166 I'm getting "martian source" entries in the log

Good evening everyone,
since upgrade to 166 last Monday I'm getting loads of entries in the kernel section of the log:

| | | |
|---|---|---|
|20:34:45|kernel: |ll header: 00000000: ff ff ff ff ff ff 2c 91 ab 4b b2 95 08 00|
|20:34:45|kernel: |IPv4: martian source 255.255.255.255 from 192.168.178.1, on dev red0|
|20:27:10|kernel: |ll header: 00000000: ff ff ff ff ff ff 2c 91 ab 4b b2 95 08 00|
|20:27:10|kernel: |IPv4: martian source 255.255.255.255 from 192.168.178.1, on dev red0|
|20:27:10|kernel: |ll header: 00000000: ff ff ff ff ff ff 2c 91 ab 4b b2 95 08 00|
|20:27:10|kernel: |IPv4: martian source 255.255.255.255 from 192.168.178.1, on dev red0|
|20:24:45|kernel: |ll header: 00000000: ff ff ff ff ff ff 2c 91 ab 4b b2 95 08 00|
|20:24:45|kernel: |IPv4: martian source 255.255.255.255 from 192.168.178.1, on dev red0|
|20:14:45|kernel: |ll header: 00000000: ff ff ff ff ff ff 2c 91 ab 4b b2 95 08 00|
|20:14:45|kernel: |IPv4: martian source 255.255.255.255 from 192.168.178.1, on dev red0|
|20:04:45|kernel: |ll header: 00000000: ff ff ff ff ff ff 2c 91 ab 4b b2 95 08 00|
|20:04:45|kernel: |IPv4: martian source 255.255.255.255 from 192.168.178.1, on dev red0|
|19:54:45|kernel: |ll header: 00000000: ff ff ff ff ff ff 2c 91 ab 4b b2 95 08 00|
|19:54:45|kernel: |IPv4: martian source 255.255.255.255 from 192.168.178.1, on dev red0|
|19:44:45|kernel: |ll header: 00000000: ff ff ff ff ff ff 2c 91 ab 4b b2 95 08 00|
|19:44:45|kernel: |IPv4: martian source 255.255.255.255 from 192.168.178.1, on dev red0|
|19:34:45|kernel: |ll header: 00000000: ff ff ff ff ff ff 2c 91 ab 4b b2 95 08 00|
|19:34:45|kernel: |IPv4: martian source 255.255.255.255 from 192.168.178.1, on dev red0|
|19:27:10|kernel: |ll header: 00000000: ff ff ff ff ff ff 2c 91 ab 4b b2 95 08 00|
|19:27:10|kernel: |IPv4: martian source 255.255.255.255 from 192.168.178.1, on dev red0|

Since I’m not an expert and answers by aunty Google suggest that it might be an attempted break-in, could anybody confirm that or is it only a consequence of some changes in 166? The source IP is my Fritzbox.
Thx for your help,
Christian

@methusalix

From: https://wiki.ipfire.org/configuration/firewall/options

Log dropped spoofed packets and martians
This option allows you to enable or disable logging of packets being detected as a network spoofing attempt, or arriving on interfaces IPFire knows they cannot legitimately arrive on.

It isn’t really helpful to switch off logging in such a case.
In most cases this error shows some misconfiguration in the network, especially when there is a high frequency.
How are your networks ( red, green, blue, …) defined?
Are there any physical connections between them? Each should end in its own NIC of the IPFire device, with no switches handling more than one network.

Now that is some misguiding error message, though it’s no fault of IPFire. Source actually is the DESTINATION and from is the real source if my google-fu is accurate. That means your system with the IP 192.168.178.1 is broadcasting (255.255.255.255 is the broadcast address). For example a DHCPDISCOVER uses that mechanism but with a source address of 0.0.0.0. I don’t know why that broadcast is flagged as martian though, but I doubt it is an attack or compromised system.
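Added example, not part of the original posts: a small Python triage script that parses entry pairs in the format quoted in this thread, decodes the 14-byte link-layer header (destination MAC, source MAC, EtherType) and groups the events by sender. The sample lines are constructed from that format, and the function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the entries quoted in the thread
# (pipe-separated export, newest first).
SAMPLE = """\
|20:34:45|kernel: |ll header: 00000000: ff ff ff ff ff ff 2c 91 ab 4b b2 95 08 00|
|20:34:45|kernel: |IPv4: martian source 255.255.255.255 from 192.168.178.1, on dev red0|
|20:27:10|kernel: |ll header: 00000000: ff ff ff ff ff ff 2c 91 ab 4b b2 95 08 00|
|20:27:10|kernel: |IPv4: martian source 255.255.255.255 from 192.168.178.1, on dev red0|
"""

MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\w+)")
LL_HEADER = re.compile(r"ll header: [0-9a-f]{8}: ((?:[0-9a-f]{2} ){13}[0-9a-f]{2})")

def decode_ll(hex_dump):
    """Split the 14-byte Ethernet header into dst MAC, src MAC and EtherType."""
    b = hex_dump.split()
    return {"dst_mac": ":".join(b[:6]), "src_mac": ":".join(b[6:12]),
            "ethertype": "0x" + "".join(b[12:14])}

def parse(text):
    """Pair each martian line with its ll header, whichever of the two comes first."""
    events, pending = [], None
    for line in text.splitlines():
        if m := LL_HEADER.search(line):
            if events and "dst_mac" not in events[-1]:
                events[-1].update(decode_ll(m.group(1)))  # chronological log
            else:
                pending = decode_ll(m.group(1))           # newest-first log
        elif m := MARTIAN.search(line):
            # The kernel prints the destination address first, then the sender.
            ev = {"dst_ip": m.group(1), "src_ip": m.group(2), "dev": m.group(3)}
            ev.update(pending or {})
            events.append(ev)
            pending = None
    return events

def summarize(events):
    """Count events per sender and flag the properties that matter for triage."""
    counts = Counter((e["src_ip"], e.get("src_mac"), e["dst_ip"],
                      e.get("dst_mac"), e["dev"]) for e in events)
    return [{"src_ip": s, "src_mac": sm, "dev": dev, "count": n,
             "limited_broadcast": d == "255.255.255.255",
             "l2_broadcast": dm == "ff:ff:ff:ff:ff:ff",
             "private_source": ipaddress.ip_address(s).is_private}
            for (s, sm, d, dm, dev), n in counts.items()]
```

A limited broadcast is never forwarded by a router, so a row with `limited_broadcast` and `l2_broadcast` both true comes from a device on the same layer-2 segment as the interface named in `dev`.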

Thank you for your reply!
My device is an APU4D4 with red, green, blue, orange:
red - behind a Fritzbox (the Fritzbox’ IP is 192.168.178.1, works in bridge mode), connection is via PPPoE
green - 192.168.5.1
blue - 192.168.0.1
orange - 192.168.150.1 (currently no devices connected)

There are no physical connections between the networks, every network has its own NIC.

Thx for your comment and explanations! To be honest, I was hoping for such an answer :innocent: , but that would be too easy, ain’t it? What makes me wonder is that I’m getting these log entries only since I rebooted after the upgrade to 166. And I’m absolutely sure that nothing else was changed in my infrastructure. I’ve only become suspicious because I’ve been noticing more and more hits on the firewall from Russian and Chinese IP addresses for weeks - like probably almost all of us.