Mailing List for Experienced Users of Shoreline Firewall (Shorewall)

Surge | 1 Sep 2009 01:09

Re: LOC traffic shows up as NET traffic

I checked as mentioned it's not on the same hub/switch. Any other ideas or suggestions ?

From: Tom Eastep <teastep <at> shorewall.net>
To: Shorewall Users <shorewall-users <at> lists.sourceforge.net>
Sent: Monday, August 31, 2009 5:42:16 PM
Subject: Re: [Shorewall-users] LOC traffic shows up as NET traffic

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/31/2009 02:34 PM, Surge wrote:
> Sorry I sent the old interface config here's the correct one! Shorewall
> 4.2.10 and Shorewall -perl 4.2.10.3
>
>
> -----------------Interfaces ----------------
>
> #ZONE INTERFACE BROADCAST OPTIONS
>
> net eth5 detect routeback,tcpflags
>
> loc eth3 detect
>
> loc1 eth4 detect

This indicates that eth5 is bridged to eth3 or eth4. Are two or more
firewall interfaces connected to the same switch/hub?

- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkqcQ7gACgkQO/MAbZfjDLIp5gCeIlF9KTBnBUboX5QR1XmL3Svf
vIcAn1kY1v5QnlZghlxcwCo/N2kA9vL3
=d/4E
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

headers

Jos Bockting | 1 Sep 2009 14:36

Re: Default Action DROP_DEFAULT=Drop not found

Tom,

Your remark did the trick!
For whatever reason the action.std was completely empty.
Adding the 2 lines solved my problem.
Thank you very much!

Regards, Jos.

P.S. I am at Shorewall V4.2.10 now and wanted to upgrade to V4.4.

> Date: Mon, 31 Aug 2009 14:35:14 -0700
> From: teastep <at> shorewall.net
> To: shorewall-users <at> lists.sourceforge.net
> Subject: Re: [Shorewall-users] Default Action DROP_DEFAULT=Drop not found
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 08/31/2009 01:57 PM, Jos Bockting wrote:
> > Hello,
> >
> >
> >
> > Up till now I ran shorewall in the Shell environment. But to upgrade to
> > Shorewall V 4.4 I have to switch to perl.
> >
> > Doing so, I get an error “ERROR: Default Action DROP_DEFAULT=Drop not found”
> >
> > I run linux OpenSuse 11.0.
> >
> > Can anybody give me hint where to look? Or do you need more info?
>
> What are the contents of /usr/share/shorewall/actions.std?
>
> There should be two lines in the file that are not all comments:
>
> Drop # Default Action for DROP policy
> Reject # Default Action for REJECT policy
>
> If the first line is missing, these same symptoms will occur.
>
> - -Tom
> - --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkqcQhIACgkQO/MAbZfjDLIsgACgnZ8euSQbLDAmid0zyLZbALcL
> DUgAn2nzC6kWMwNPXtKL0Ounga3TjXHh
> =Vbob
> -----END PGP SIGNATURE-----
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

With Windows Live, you can organize, edit, and share your photos. Click here.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

headers

Cristian Rodriguez | 1 Sep 2009 14:07

Re: Combatting DDoS attack

On 29/08/09 04:18, Michael Mansour wrote:

> How can I tackle this? 

Your ISP is the right place where the attack should be blocked, also
contact your local authorities.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

headers

Tom Eastep | 1 Sep 2009 19:35

Re: LOC traffic shows up as NET traffic

Surge wrote:
> I checked as mentioned it's not on the same hub/switch. Any other ideas
> or suggestions ?

Then you had better check that the hubs/switches that they are connected
to are not themselves connected.

The only possible explanation for packets from 10.1.50.0/24 arriving on
eth5 is that the subnet is connected to eth5 either directly or indirectly.

I suggest that you:

	tcpdump -nei eth5 net 10.1.50.0/24

Look at the packets and check the source MAC address. If different hosts
are sending packets with the same MAC source then the host with the
sending MAC is routing the packets to you. If the MAC addresses match
the sending hosts' real MACs, then 10.1.50.0/24 is bridged to eth5 in
some way.

Note that the traffic from 10.1.50.0/24 may be intermittent through
eth5; that is because of what I call 'ARP Roulette' (see
http://www.shorewall.net/FoolsFirewall.html for additional information).

-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

headers

Tom Eastep | 1 Sep 2009 20:00

Re: Default Action DROP_DEFAULT=Drop not found

Jos Bockting wrote:
> Tom,
> 
> Your remark did the trick!
> For whatever reason the action.std was completely empty.

I assume that you meant 'actions.std'.

> Adding the 2 lines solved my problem.
> Thank you very much!
> 
> Regards, Jos.
> 
> P.S. I am at Shorewall V4.2.10 now and wanted to upgrade to V4.4.

Out of curiosity, how did you install 4.2.10? I want to be sure that we
don't have a bad package that includes an empty actions.std.

-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

headers

Jos Bockting | 1 Sep 2009 21:37

Re: Default Action DROP_DEFAULT=Drop not found

I am using shorewall for many years (I do not remember which version I started).
After each update of shorewall I upgraded by installing the SuSE / RedHat package (rpm -U ...).
I do not remember that I cleaned the actions.std file. But it is still possible that I cleared it in the past, because of an advice of a clever shorewall user.
As I did not find any similar problem description, I am afraid that I caused the problem myself. Otherwise more complaints could be found about this error.

> Date: Tue, 1 Sep 2009 11:00:53 -0700
> From: teastep <at> shorewall.net
> To: shorewall-users <at> lists.sourceforge.net
> Subject: Re: [Shorewall-users] Default Action DROP_DEFAULT=Drop not found
>
> Jos Bockting wrote:
> > Tom,
> >
> > Your remark did the trick!
> > For whatever reason the action.std was completely empty.
>
> I assume that you meant 'actions.std'.
>
> > Adding the 2 lines solved my problem.
> > Thank you very much!
> >
> > Regards, Jos.
> >
> > P.S. I am at Shorewall V4.2.10 now and wanted to upgrade to V4.4.
>
> Out of curiosity, how did you install 4.2.10? I want to be sure that we
> don't have a bad package that includes an empty actions.std.
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>

Windows Live: Make it easier for your friends to see what you’re up to on Facebook. Find out more.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

headers

Tom Eastep | 1 Sep 2009 21:49

Re: Default Action DROP_DEFAULT=Drop not found

Jos Bockting wrote:
> I am using shorewall for many years (I do not remember which version I
> started).
> After each update of shorewall I upgraded by installing the SuSE /
> RedHat package (rpm -U ...).
> I do not remember that I cleaned the actions.std file. But it is still
> possible that I cleared it in the past, because of an advice of a clever
> shorewall user.
> As I did not find any similar problem description, I am afraid that I
> caused the problem myself. Otherwise more complaints could be found
> about this error.

Were you setting USE_ACTIONS=No in shorewall.conf with Shorewall-shell?

-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

headers

Jos Bockting | 1 Sep 2009 22:46

Re: Default Action DROP_DEFAULT=Drop not found

USE_ACTIONS was (and is) set to "Yes".

> Date: Tue, 1 Sep 2009 12:49:18 -0700
> From: teastep <at> shorewall.net
> To: shorewall-users <at> lists.sourceforge.net
> Subject: Re: [Shorewall-users] Default Action DROP_DEFAULT=Drop not found
>
> Jos Bockting wrote:
> > I am using shorewall for many years (I do not remember which version I
> > started).
> > After each update of shorewall I upgraded by installing the SuSE /
> > RedHat package (rpm -U ...).
> > I do not remember that I cleaned the actions.std file. But it is still
> > possible that I cleared it in the past, because of an advice of a clever
> > shorewall user.
> > As I did not find any similar problem description, I am afraid that I
> > caused the problem myself. Otherwise more complaints could be found
> > about this error.
>
> Were you setting USE_ACTIONS=No in shorewall.conf with Shorewall-shell?
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>

Windows Live: Make it easier for your friends to see what you’re up to on Facebook. Find out more.

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

headers

Surge | 1 Sep 2009 22:52

Re: LOC traffic shows up as NET traffic

Hi,

This is what I found when I ran the tcpdump on the firewall. It looks like the Suse Linux box is getting request to the external interface by the Sun box. I'm a bit more confused now than before.....

16:38:59.262393 00:03:ba:1b:95:10 > 00:0c:29:74:9c:0c, ethertype IPv4 (0x0800),
length 69: 10.1.50.10.39371 > 10.1.50.7.53: 20785+ A? yahoo.com. (27)
16:38:59.619216 00:80:64:20:eb:85 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800),
length 296: 10.1.50.198.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:80:
64:20:eb:85, length 254

Here is the ipconfig -all of the firewall, the netstat -rn shows default route 10.1.50.7 and the resolv.conf has 10.1.50.7

----------Firewall ---------------------

eth3      Link encap:Ethernet HWaddr 00:0C:29:74:9C:F8
          inet addr:10.1.50.7 Bcast:10.1.50.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:164507 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42921 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:19329107 (18.4 Mb) TX bytes:14528295 (13.8 Mb)
          Interrupt:18 Base address:0x1400

eth4      Link encap:Ethernet HWaddr 00:0C:29:74:9C:02
          inet addr:192.168.2.7 Bcast:192.168.2.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:13600 errors:0 dropped:0 overruns:0 frame:0
          TX packets:318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1055431 (1.0 Mb) TX bytes:17689 (17.2 Kb)
          Interrupt:19 Base address:0x1480

eth5      Link encap:Ethernet HWaddr 00:0C:29:74:9C:0C
          inet addr:74.2.235.59 Bcast:74.2.235.63 Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:172988 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24787 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:31690672 (30.2 Mb) TX bytes:4432651 (4.2 Mb)
          Interrupt:16 Base address:0x1800

Here is the ipconfig -a for the box that I've been testing that has issue doing a DNS query

----------Client-------------------

ce4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.2.10 netmask ffffff00 broadcast 192.168.2.255
        ether 0:3:ba:1b:95:1e
ce5: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 192.168.3.11 netmask ffffff00 broadcast 192.168.3.255
        ether 0:3:ba:1b:95:1f
ce6: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 10.1.50.10 netmask ffffff00 broadcast 10.1.50.255
        ether 0:3:ba:1b:95:10

From: Tom Eastep <teastep <at> shorewall.net>
To: Shorewall Users <shorewall-users <at> lists.sourceforge.net>
Sent: Tuesday, September 1, 2009 1:35:00 PM
Subject: Re: [Shorewall-users] LOC traffic shows up as NET traffic

Surge wrote:
> I checked as mentioned it's not on the same hub/switch. Any other ideas
> or suggestions ?

Then you had better check that the hubs/switches that they are connected
to are not themselves connected.

The only possible explanation for packets from 10.1.50.0/24 arriving on
eth5 is that the subnet is connected to eth5 either directly or indirectly.

I suggest that you:

tcpdump -nei eth5 net 10.1.50.0/24

Look at the packets and check the source MAC address. If different hosts
are sending packets with the same MAC source then the host with the
sending MAC is routing the packets to you. If the MAC addresses match
the sending hosts' real MACs, then 10.1.50.0/24 is bridged to eth5 in
some way.

Note that the traffic from 10.1.50.0/24 may be intermittent through
eth5; that is because of what I call 'ARP Roulette' (see
http://www.shorewall.net/FoolsFirewall.html for additional information).

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july

headers

Tom Eastep | 1 Sep 2009 23:22

Re: LOC traffic shows up as NET traffic


On 09/01/2009 01:52 PM, Surge wrote:
> Hi,
>  
> This is what I found when I ran the tcpdump on the firewall. It looks
> like the Suse Linux box is getting request to the external interface by
> the Sun box.

"The Sun box" doesn't mean anything to us -- but I'm guessing that it is
the box with MAC address 00:03:ba:1b:95:10 since that is a Sun MAC.

I'm a bit more confused now than before.....
>  
> 16:38:59.262393 00:03:ba:1b:95:10 > 00:0c:29:74:9c:0c, ethertype IPv4
> (0x0800),
> length 69: 10.1.50.10.39371 > 10.1.50.7.53: 20785+ A? yahoo.com. (27)

> 16:38:59.619216 00:80:64:20:eb:85 > ff:ff:ff:ff:ff:ff, ethertype IPv4
> (0x0800),
> length 296: 10.1.50.198.68 > 255.255.255.255.67: BOOTP/DHCP, Request
> from 00:80:
> 64:20:eb:85, length 254

The sending MAC addresses are different.

>  
> Here is the ipconfig -all of the firewall, the netstat -rn shows default
> route 10.1.50.7 and the resolv.conf has 10.1.50.7
> ----------Firewall ---------------------
> eth3      Link encap:Ethernet  HWaddr 00:0C:29:74:9C:F8
>           inet addr:10.1.50.7  Bcast:10.1.50.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:164507 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:42921 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:19329107 (18.4 Mb)  TX bytes:14528295 (13.8 Mb)
>           Interrupt:18 Base address:0x1400
> eth4      Link encap:Ethernet  HWaddr 00:0C:29:74:9C:02
>           inet addr:192.168.2.7  Bcast:192.168.2.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:13600 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:318 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:1055431 (1.0 Mb)  TX bytes:17689 (17.2 Kb)
>           Interrupt:19 Base address:0x1480
> eth5      Link encap:Ethernet  HWaddr 00:0C:29:74:9C:0C
>           inet addr:74.2.235.59  Bcast:74.2.235.63  Mask:255.255.255.240
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:172988 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:24787 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:31690672 (30.2 Mb)  TX bytes:4432651 (4.2 Mb)
>           Interrupt:16 Base address:0x1800
>  
> Here is the ipconfig -a for the box that I've been testing that has
> issue doing a DNS query
> ----------Client-------------------
> ce4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
>         inet 192.168.2.10 netmask ffffff00 broadcast 192.168.2.255
>         ether 0:3:ba:1b:95:1e
> ce5: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
>         inet 192.168.3.11 netmask ffffff00 broadcast 192.168.3.255
>         ether 0:3:ba:1b:95:1f
> ce6: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
>         inet 10.1.50.10 netmask ffffff00 broadcast 10.1.50.255
>         ether 0:3:ba:1b:95:10
                ---------------

I assume that this Sun system is connected through eth3 on the SuSE system?

So how can you explain these packets arriving on eth5 other than that
eth3 and eth5 are bridged?

-Tom
--

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

45	June 2013
114	May 2013
126	April 2013
184	March 2013
90	February 2013
149	January 2013
83	December 2012
67	November 2012
186	October 2012
208	September 2012
154	August 2012
133	July 2012
152	June 2012
185	May 2012
158	April 2012
206	March 2012
121	February 2012
173	January 2012
79	December 2011
94	November 2011
142	October 2011
147	September 2011
175	August 2011
169	July 2011
204	June 2011
344	May 2011
172	April 2011
148	March 2011
96	February 2011
85	January 2011
99	December 2010
115	November 2010
138	October 2010
238	September 2010
197	August 2010
152	July 2010
145	June 2010
111	May 2010
101	April 2010
88	March 2010
228	February 2010
60	January 2010
204	December 2009
159	November 2009
167	October 2009
148	September 2009
153	August 2009
90	July 2009
239	June 2009
189	May 2009
194	April 2009
177	March 2009
158	February 2009
249	January 2009
227	December 2008
275	November 2008
203	October 2008
260	September 2008
118	August 2008
182	July 2008
179	June 2008
194	May 2008
221	April 2008
329	March 2008
248	February 2008
256	January 2008
257	December 2007
308	November 2007
306	October 2007
216	September 2007
383	August 2007
261	July 2007
246	June 2007
397	May 2007
444	April 2007
281	March 2007
189	February 2007
302	January 2007
224	December 2006
247	November 2006
279	October 2006
202	September 2006
376	August 2006
231	July 2006
271	June 2006
280	May 2006
398	April 2006
498	March 2006
466	February 2006
332	January 2006
263	December 2005
354	November 2005
393	October 2005
386	September 2005
473	August 2005
580	July 2005
340	June 2005
437	May 2005
465	April 2005
444	March 2005
469	February 2005
450	January 2005
665	December 2004
547	November 2004
454	October 2004
432	September 2004
403	August 2004
513	July 2004
418	June 2004
613	May 2004
582	April 2004
403	March 2004
400	February 2004
394	January 2004
243	December 2003
1	May 2003
2	June 2002
1	January 2002

Mon	Tue	Wed	Thu	Fri	Sat	Sun

	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30