Honeypots mailing list archives
Re: Sebek problems with Honeywall in NAT-Mode
From: Edward Balas <ebalas () iu edu>
Date: Thu, 2 Oct 2003 12:44:17 -0500 (EST)
On Thu, 2 Oct 2003 heiko.helmle () basf-ag de wrote:
> Hello everybody, I had a little problem getting sebek2 to work in nat-mode. It seems that sebek sends its udp-packets out with a TTL of 1. On a bridging honeywall this is not a problem, but on a NAT-ting firewall, those packets are rejected and never reach the FORWARD-chain (which prevents logging to syslog - snort gets them anyway).

Yeah, sorry about that, I'll send out an update when I get back in town. Basic deal is that the Linux client sets the TTL to 1, and I need to set it to something else.

> I experimented with the sebek sources and changed the TTL to 2 and the honeywall now logs (and drops) the packets correctly. Is there any security problem with setting the TTL to something higher than 1 (for NAT and bridge-mode)?

No, not really.

> Regards Heiko Helmle
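
The behaviour discussed in this thread, as an added example that is not part of the original messages or of the Sebek or Honeywall code: a simplified model of which netfilter hooks a transit packet reaches on a bridging versus a routing (NAT) Linux gateway, depending on its TTL. The addresses, ports and payload are constructed placeholders, and the function names are hypothetical.

```python
import struct

def ipv4_udp_packet(ttl, src="10.0.0.5", dst="10.0.0.254", payload=b"constructed"):
    """Build a minimal IPv4+UDP packet (constructed sample, placeholder
    addresses and ports; checksums are left at zero for brevity)."""
    udp = struct.pack("!HHHH", 40000, 40001, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(udp),   # version/IHL, TOS, total length
                      0, 0,                     # identification, flags/fragment
                      ttl, 17, 0,               # TTL, protocol 17 = UDP, checksum
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + udp

def hooks_traversed(packet, mode):
    """Return (hooks reached, outcome) for a transit packet on the gateway.

    mode "bridge": layer-2 forwarding; TTL is neither checked nor decremented.
    mode "nat":    layer-3 forwarding; Linux rejects TTL <= 1 in ip_forward(),
                   after PREROUTING but before the FORWARD hook, so FORWARD
                   rules (and their LOG targets) never see the packet.
    """
    ttl = packet[8]                      # TTL is byte 8 of the IPv4 header
    hooks = ["PREROUTING"]
    if mode == "nat" and ttl <= 1:
        return hooks, "discarded by the routing code: TTL exceeded"
    hooks.append("FORWARD")
    ttl_at_forward = ttl if mode == "bridge" else ttl - 1
    return hooks, f"FORWARD rules applied, TTL seen there: {ttl_at_forward}"

if __name__ == "__main__":
    for ttl in (1, 2):
        for mode in ("bridge", "nat"):
            hooks, outcome = hooks_traversed(ipv4_udp_packet(ttl), mode)
            print(f"TTL={ttl} mode={mode:6} hooks={hooks} -> {outcome}")
```

A sniffer on the internal interface captures the frame before any of this happens, which is why snort still records the TTL 1 packets while the FORWARD-chain log stays empty.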