APF+BFD Strange thing

gcypher

Verified User
Joined
Jun 28, 2005
Messages
159
Location
The Netherlands
Kernel: martian source ¿?

Hi to all,


A client of mine got dropped into the route table by BFD (brute force detection). Actually this client happens to be my dad in Spain, so there is no chance he is brute forcing as he doesn't even know what that is. Normally I would log on to the shell and execute the following to unban the IP/hostname:
/usr/local/sbin/apf -u ip
This returned the message
Deleted from firewall: Deny all to/from 80.24.64.XXX
so this should be OK. So I tried a ping:
[root@fast-xs ad]# ping 80.24.64.XXX
connect: Network is unreachable

Weird... it didn't work as I expected.
So I tried a restart of APF; it goes well, but afterwards I still get the same error:
[root@fast-xs ad]# ping 80.24.64.XXX
connect: Network is unreachable


Why can't I seem to remove that ban?????
I can't find it in any config file of APF nor BFD...
I can assure you that there is absolutely no problem with the network or system on either side (server and client PC).

This never happened to me before... I did some googling but did not find anything related to my problem. :confused:

Thanks in advance
 
Well, I did some more investigation and came up with this in /var/log/messages:


May 1 20:07:00 fast-xs kernel: martian source 82.192.81.XXX from 80.24.64.XX on dev eth0

Anyone seen this before?? :confused:
 
Well, obviously it shows up in the kernel route table as follows:

[root@fast-xs log]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
fast-xs.net * 255.255.255.255 UH 0 0 0 eth0
18.red-80-24-64 - 255.255.255.255 !H - - - -
210.187.84.14 - 255.255.255.255 !H - - - -
82.192.81.37 * 255.255.255.255 UH 0 0 0 eth0
As we see it doesn't define an eth0, but anyhow those 2 IPs should not be there at all:

18.red-80-24-64 - 255.255.255.255 !H - - - -
210.187.84.14 - 255.255.255.255 !H - - - -


So why are they there? And how do I edit or modify the kernel route table?

Does anyone have any advice for me?

Thanks in advance
 
As a solution I have added a new record into the route table which points at the right device, and this solved my problem.
But it's not what I really intend to do.

It's not normal for a static home IP to be in my route table with the !H (meaning the IP is rejected):
XX.red-80-24-64 - 255.255.255.255 !H 0 - 0 -

The strange thing is I cannot seem to remove it properly, as this line does not route on any interface, so from the command line I can't get it to recognize it so it will be removed using the /sbin/route del command.

So all I did to resolve this for now: I added a new route with that actual IP, so now I have the following 2 lines in my route table:
XX.red-80-24-64 * 255.255.255.255 UH 0 0 0 eth0
XX.red-80-24-64 - 255.255.255.255 !H 0 - 0 -


as the above one is the correct one.

Can anyone give me a hand on how to properly remove the line below the correct one? I tried many possibilities which do remove the correct line but skip the wrong one rejecting that actual IP.

I hope this is somewhat clear to you all, as I don't speak English perfectly.

Anyway, great forum!! Keep it up.
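The posts above describe one mechanism seen from three angles: the `!H` entries in `netstat -r` are reject host routes (the kind `route add -host ADDR reject` creates), a reject route for a destination makes `connect` fail with "Network is unreachable" even after APF has dropped its iptables rule, and an inbound packet whose source address resolves to such a route fails the kernel's reverse-path check and is logged as "martian source <dst> from <src> on dev ...". That is also why `route del -host ADDR` without the `reject` keyword does not match the entry. The script below is an added example written for this thread, not code from the original posts or from APF/BFD: it parses a constructed `netstat -rn` listing and a few constructed syslog lines, lists the reject host routes, shows which martian-source addresses are explained by them, and prints (without executing) the `route del -host ADDR reject` commands that remove them. Use `-n` with netstat so reverse-DNS names like 18.red-80-24-64 don't hide the address; the hostnames, addresses and log lines are sample data, not the poster's real values.

```shell
#!/bin/sh
# Added example: correlate reject host routes (!H) with kernel "martian source" log lines
# and emit the commands that would remove the routes. Nothing touches the live routing table.

# Constructed sample of `netstat -rn` output (numeric addresses). The first two data lines
# reproduce the "correct route plus stale reject route" state described in the last post.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
80.24.64.18     0.0.0.0         255.255.255.255 UH        0 0          0 eth0
80.24.64.18     -               255.255.255.255 !H        - -          - -
210.187.84.14   -               255.255.255.255 !H        - -          - -
82.192.81.37    0.0.0.0         255.255.255.255 UH        0 0          0 eth0
0.0.0.0         82.192.81.1     0.0.0.0         UG        0 0          0 eth0'

# Constructed sample of /var/log/messages lines; the addresses are placeholders.
SAMPLE_LOG='May 1 20:07:00 fast-xs kernel: martian source 82.192.81.37 from 80.24.64.18 on dev eth0
May 1 20:07:05 fast-xs sshd[1234]: Accepted publickey for ad from 10.0.0.5 port 51000
May 1 20:08:00 fast-xs kernel: martian source 82.192.81.37 from 10.9.8.7 on dev eth0'

# reject_routes ROUTES: print the destination of every /32 route whose Flags contain "!"
# ("!" = reject route, "H" = host route in netstat's flag column).
reject_routes() {
    printf '%s\n' "$1" | awk '$3 == "255.255.255.255" && $4 ~ /!/ { print $1 }'
}

# martian_sources LOG: print the "from" address of each kernel martian-source line.
# In that message the first address is the destination and the second is the source.
martian_sources() {
    printf '%s\n' "$1" | sed -n 's/.*martian source [0-9.]* from \([0-9.]*\) on dev [^ ]*.*/\1/p'
}

# blocked_martians ROUTES LOG: martian sources that are explained by a reject route,
# i.e. hosts the box is refusing to talk to rather than genuinely spoofed packets.
blocked_martians() {
    routes=$(reject_routes "$1")
    martian_sources "$2" | sort -u | while read -r src; do
        for r in $routes; do
            if [ "$src" = "$r" ]; then
                echo "$src"
            fi
        done
    done
}

# removal_commands ROUTES: the net-tools commands an admin would run as root to drop
# the reject entries. The "reject" keyword is what makes `route del` match a !H route.
removal_commands() {
    for r in $(reject_routes "$1"); do
        echo "route del -host $r reject"
    done
}

# Stand-alone run: show what an operator would see for the sample data.
echo "Reject host routes:"
reject_routes "$SAMPLE_ROUTES"
echo "Martian sources explained by a reject route:"
blocked_martians "$SAMPLE_ROUTES" "$SAMPLE_LOG"
echo "Commands to remove the reject routes (review each address first):"
removal_commands "$SAMPLE_ROUTES"
```

On a live box, feed it `netstat -rn` and `grep 'martian source' /var/log/messages` instead of the sample strings, and check each address against the tool that inserted it before removing anything. With iproute2 the equivalent removal is `ip route del 80.24.64.18` (the `unreachable` keyword is optional on delete), and a martian source that is not covered by any reject route is worth a closer look, since then the kernel is reporting a source address it has no route back to.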
 