Neocekavana zmena default gateway
Vilem Kebrt
vilem.kebrt at gmail.com
Mon Dec 17 17:53:32 CET 2012
Ahoj,
asi budu paranoidni cynik, ale hledej rootkit, tohle uz mi smrdi cizim
zasahem...
Tenhle redirect se stava napriklad pri konvergenci dynamiky, ale
jestlize nemas dynamicky rout sw pusteny nemelo by se to dit.
Dalsi moznost je lokalni skryta proxy .... mas tam nejakej fw nahozenej
? (pf, ipfw, jestli ano prosim vypis pravidel pred a po zmene)...
Doporucoval bych kldstat a mrknout na moduly pokud tam nejaky jsou
(pokud nemas static jadro)...
Vilem
Dne 17.12.2012 15:27, Radek Krejča napsal(a):
> Zapnul jsem logovani icmp redirectu:
>
> Uplne mi neni jasne toto:
>
> icmp redirect from 10.4.4.122: 10.4.29.242 => 10.4.4.121
> icmp redirect from 10.4.4.122: 10.4.29.242 => 10.4.4.121
> icmp redirect from 10.4.4.122: 10.4.29.242 => 10.4.4.121
> icmp redirect from 127.0.0.1: 10.4.29.242 => 10.4.29.242
> icmp redirect from 127.0.0.1: 10.4.29.242 => 10.4.29.242
> icmp redirect from 127.0.0.1: 10.4.29.242 => 10.4.29.242
> icmp redirect from 127.0.0.1: 10.4.29.242 => 10.4.29.242
>
>
> Chapu, ze napred chodilo z 10.4.4.122, ale proc pak ze 127.0.0.1? Nebo chapu spatne ten zaznam?
>
> Jinak jeste jsem koukal s kolegou do /usr/src/sys/netinet/ip_icmp.c a tam je pasaz:
>
> printf("icmp redirect from %d.%d.%d.%d: "
> "%d.%d.%d.%d => %d.%d.%d.%d\n",
> (int)(src >> 24), (int)((src >> 16) & 0xff),
> (int)((src >> 8) & 0xff), (int)(src & 0xff),
> (int)(dst >> 24), (int)((dst >> 16) & 0xff),
> (int)((dst >> 8) & 0xff), (int)(dst & 0xff),
> (int)(gw >> 24), (int)((gw >> 16) & 0xff),
> (int)((gw >> 8) & 0xff), (int)(gw & 0xff));
> }
> /*
> * RFC1812 says we must ignore ICMP redirects if we
> * are acting as router.
> */
> if (V_drop_redirect || V_ipforwarding)
> break;
>
> Prijde mi, ze ten komentar neodpovida skutecnosti ve chvili, kdy tech icmp redirectu prijde fakt hodne moc. Pri tom logovani totiz chodi proad neco, ale ve chvili, kdy se mi zacne plnit log opravdu masivne, tak k te zmene ip dojde.
>
> Radek
>
More information about the Users-l
mailing list