List: lids-user
Subject: Re: [lids] Strange ICMP networking problem 0.9.11 / 2.2.17
From: Huagang Xie <xie () gnuchina ! org>
Date: 2000-11-30 1:58:37
Hi,
maybe you should open all lids.cap "+" and try again...;-).. You can find
the problem step by step.
1) enable all capabilities: in /etc/lids/lids.cap mark all caps as "+",
if (your problem is solved) {
    disable "CAP_NET_ADMIN" or "CAP_NET_RAW"
    if (problem_raised_again)
        bingo("CAP_NET_ADMIN or CAP_NET_RAW is the problem");
    else (disable other caps and see if it causes the problem).
}
else {
    remove all of lids.conf: echo "" > /etc/lids.conf
    reboot and see
    if (problem) {
        tell me, it must be a bug and I will do a search on the code.
    }
    else {
        add ACLs one by one and "reload it into the system" to see if
        the problem has vanished..
    }
}
hope you succeed!
XIE
On Wed, 29 Nov 2000, Paul Tiemann wrote:
> Before I explain my unique problem, let me first say that I got LIDS up
> and running last night like a charm! I love it! Xie, you and the team
> are awesome, thank you very VERY much!
>
> (History: What brought me to LIDS)
> I was compromised a few days ago, so I decided I never want that to
> happen again. The cracker put a root kit on and everything. It was a
> very interesting thing to discover, and investigate, but now that it's
> done with, I don't think I ever want to deal with a root kit again.
>
> (My Strange Problem)
> I use my box for IP Masquerading and Port forwarding for the computers
> on my internal (192.168.) network. The masquerading out works fine.
> The port forwarding appears to work ok, with the exception of ICMP type
> traffic. I know that my portfw rules and ipchains firewall rules all
> work correctly, because they all work perfectly under my non-LIDS
> kernel. When I boot into my LIDS kernel (2.2.17 with 0.9.11) I can't
> use the port forwarding, and that keeps my little brother and me from
> playing our favorite MUD type game (Asheron's Call). I have snort
> running on the box too, and in the snort logs I found some information
> that might help -->
>
> [**] ICMP Destination Unreachable [**]
> 11/29-02:14:07.501879 AAA.BBB.CCC.DDD -> 207.46.204.73
> ICMP TTL:255 TOS:0xC0 ID:16236
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> [**] ICMP Destination Unreachable [**]
> 11/29-02:14:09.433307 AAA.BBB.CCC.DDD -> 207.46.204.73
> ICMP TTL:255 TOS:0xC0 ID:16237
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> [**] ICMP Destination Unreachable [**]
> 11/29-02:14:11.490207 AAA.BBB.CCC.DDD -> 207.46.204.73
> ICMP TTL:255 TOS:0xC0 ID:16238
> DESTINATION UNREACHABLE: PORT UNREACHABLE
> [**] ICMP Destination Unreachable [**]
> 11/29-02:14:13.445862 AAA.BBB.CCC.DDD -> 207.46.204.73
> ICMP TTL:255 TOS:0xC0 ID:16239
> DESTINATION UNREACHABLE: PORT UNREACHABLE
>
> (AAA.BBB.CCC.DDD) is the internet address of eth0.
>
> There were no logs written to /var/log/messages and I couldn't find
> anything else strange with the setup.
>
> My big question: Does LIDS control or limit outgoing ICMP traffic? If
> so, is there any way for me to disable this? I had tried to enable it
> by enabling every capability in my lids.cap file, but this didn't make
> any difference. I disabled snort and it still wouldn't do it. I
> removed all firewall rules, and only had the portfw rules and it still
> wouldn't work.
>
> I'm a programmer, but I feel completely incompetent when it comes to
> looking at kernel level networking code, so if anyone of you guys out
> there have any ideas, I'd greatly appreciate them!
>
> Thanks!
> Paul Tiemann
>
--
Happy Hacking
Linux Intrusion Detection System
http://www.lids.org/
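Xie's capability step above, written out as a bisection over lids.cap entries. This is an added example, not code from the LIDS project or from anyone in the thread. It assumes the lids.cap layout `+<n>:CAP_NAME` / `-<n>:CAP_NAME` (the sample file below is constructed), that a single capability is responsible, and a `problem_with` callback standing in for "edit lids.cap, reload, retest".

```python
import re
from typing import Callable, Dict, Optional, Set

# Constructed sample in the assumed lids.cap layout: "+" enabled, "-" disabled.
SAMPLE_LIDS_CAP = """\
+0:CAP_CHOWN
-1:CAP_DAC_OVERRIDE
+12:CAP_NET_ADMIN
-13:CAP_NET_RAW
+21:CAP_SYS_ADMIN
"""

CAP_LINE = re.compile(r"^([+-])(\d+):(CAP_[A-Z_]+)$")

def parse_lids_cap(text: str) -> Dict[str, bool]:
    """Map capability name -> enabled flag; blank and '#' lines are skipped."""
    caps: Dict[str, bool] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CAP_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised lids.cap line: {line!r}")
        caps[m.group(3)] = m.group(1) == "+"
    return caps

def rewrite_caps(text: str, enabled: bool, only: Optional[str] = None) -> str:
    """Return lids.cap text with every cap (or just `only`) set to +/-.
    rewrite_caps(text, True) is step 1: mark all caps as "+"."""
    out = []
    for line in text.splitlines():
        m = CAP_LINE.match(line.strip())
        if m and (only is None or m.group(3) == only):
            line = ("+" if enabled else "-") + m.group(2) + ":" + m.group(3)
        out.append(line)
    return "\n".join(out) + "\n"

def find_blocking_capability(names, problem_with: Callable[[Set[str]], bool]) -> Optional[str]:
    """Binary search for the one capability whose removal causes the problem.
    problem_with(enabled) reports whether the problem is present with exactly
    `enabled` turned on. Returns None when the problem persists with all caps
    enabled, i.e. caps are not the cause and the ACL step applies instead."""
    names = list(names)
    if problem_with(set(names)):
        return None
    suspects = names
    while len(suspects) > 1:
        half = suspects[: len(suspects) // 2]
        # disable `half`, keep everything else enabled; if the problem comes
        # back the culprit is in `half`, otherwise it is in the remainder
        suspects = half if problem_with(set(names) - set(half)) else suspects[len(half):]
    return suspects[0]
```

Each oracle call corresponds to one edit-reload-retest cycle, so the search takes about log2(n) cycles instead of one per capability.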