[Nottingham] Network Martians
Martin
martin at ml1.co.uk
Sat Aug 20 21:59:14 BST 2005
Cam wrote:
> Martin
>
>> I have an internet facing NIC that connects via a transparent bridge,
>> so it directly sees incoming internet addressed packets (no NAT).
>>
>> In ifcfg-eth0, setting MASK=0.0.0.0 doesn't work as expected.
>> Regardless, Martians are logged for anything coming in.
>>
>> I'd prefer not to turn off Martian logging.
>>
>> How should that interface be set? Or should MASK=0.0.0.0 be accepted ok?
>
>
> I'm not sure 0.0.0.0 as a mask makes sense but it might have some
> esoteric meaning. I think if you assign the correct IP and netmask to
> the interface the problems should be solved.
OK, so a little experimenting later and thoughts of "It Must be A Bug!" and:
The answer is simple enough if a little thought is applied :)
Firstly, using "#" for commenting in the "ifcfg-*" files is not
honoured. The scripts seem to just blindly extract any keyword=value
pairs. (Also, the newish "ifcfg-eth*-range*" system works fine except
for when an interface is electrically brought up or down. ifplugd not
coping correctly for the range stuff? "eth*:*" aliases work fine always.)
To set the scene:
Usually, for an internal network you would set a NETMASK of:
255.0.0.0 for a class A block;
255.255.0.0 for a class B block;
255.255.255.0 for a class C block;
or whatever bit pattern for whatever range you want, so for example:
255.255.255.248 for an 8 IP block.
Any IP headers seen outside the netmask are treated as Martians because
those data packets simply shouldn't be seen on that interface.
So, for an internet facing interface, you could set a netmask of 0.0.0.0
so that nothing is seen to be a Martian. "ifconfig" will accept and set
0.0.0.0 without problem. What the "ifup" scripts do instead when given
NETMASK=0.0.0.0 is actually set a netmask of 255.255.255.255 which then
seems to have special meaning to ignore Martians.
Interestingly, you can set any broadcast address you like.
Aside: If you have multiple internet facing interfaces on your box,
don't forget to implement source routing tables so that incoming
connections go back out on the same interface!
All good fun!
Cheers,
Martin
--
----------------
Martin Lomas
martin at ml1.co.uk
----------------
More information about the Nottingham
mailing list