Received packet with own address as source address


#1

NethServer Version: 7.4
Module: your_module

I glanced at the logs of a production server and messages is full of;
Jun 5 10:15:16 server7c kernel: br0: received packet on enp0s17 with own address as source address (addr:08:00:27:10:08:fb, vlan:0)
Jun 5 10:15:16 server7c kernel: br0: received packet on enp0s17 with own address as source address (addr:08:00:27:10:08:fb, vlan:0)
Jun 5 10:15:21 server7c kernel: br0: received packet on enp0s17 with own address as source address (addr:08:00:27:10:08:fb, vlan:0)

firewall;
Jun 5 10:15:16 server7c kernel: Shorewall:net2fw:DROP:IN=br0 OUT= MAC=08:00:27:10:08:fb:c0:3f:0e:3c:2c:56:08:00 SRC=192.168.0.239 DST=192.168.124.227 LEN=104 TOS=0x00 PREC=0x00 TTL=255 ID=56539 DF PROTO=ICMP TYPE=0 CODE=0 ID=34613 SEQ=30181
Jun 5 10:15:21 server7c kernel: Shorewall:net2fw:DROP:IN=br0 OUT= MAC=08:00:27:10:08:fb:c0:3f:0e:3c:2c:56:08:00 SRC=192.168.0.239 DST=192.168.124.227 LEN=104 TOS=0x00 PREC=0x00 TTL=255 ID=56543 DF PROTO=ICMP TYPE=0 CODE=0 ID=34613 SEQ=30182

This is a standalone vm, single interface, samba dc and nextcloud server, all the logs are full of this back to mid may so I don’t know when it started but wasn’t doing this last time I skimmed the logs… a while back. Not sure what’s generating the ping.


(bob) #2

Is it me, or does there seem to be a few firewall related problems around at the moment? There are posts about martian packets, arps floods and sporadic WAN connections. They all seem to be related to RHEL based distributions. NS, ClearOS, RHEL.

e.g.

They’re probably not related, but it does seem strange how many firewall problems there seems to be at the moment.

Bob


(Filippo Carletti) #3

Hints to diagnose the logs:
08:00:27:10:08:fb is PCS Systemtechnik GmbH
c0:3f:0e:3c:2c:56 is netgear


#4

… uh oh, can you say mirrored port and promisc interface… hmmm… I’ll have to look into this, Thank you.