grsecurity forums

(grsecurity-1.9.6-2.4.19.patch.gz)

I'm not seeing any difference with altered_pings set to 1. When I ping my machine from another machine, tcpdump still shows a different ID in the echo reply than was used in the echo request:

[root@host /proc/sys/kernel/grsecurity]# echo 1 > altered_pings
[root@host /proc/sys/kernel/grsecurity]# cat altered_pings
1
[root@host /proc/sys/kernel/grsecurity]# tcpdump -vni eth0 icmp
tcpdump: listening on eth0
16:36:14.272827 192.168.0.9 > 192.168.0.1: icmp: echo request (DF) (ttl 64, id 0, len 84)
16:36:14.272887 192.168.0.1 > 192.168.0.9: icmp: echo reply (ttl 64, id 34446, len 84)
16:36:15.272954 192.168.0.9 > 192.168.0.1: icmp: echo request (DF) (ttl 64, id 0, len 84)
16:36:15.273004 192.168.0.1 > 192.168.0.9: icmp: echo reply (ttl 64, id 34447, len 84)
16:36:16.273080 192.168.0.9 > 192.168.0.1: icmp: echo request (DF) (ttl 64, id 0, len 84)
16:36:16.273126 192.168.0.1 > 192.168.0.9: icmp: echo reply (ttl 64, id 34448, len 84)
16:36:17.273209 192.168.0.9 > 192.168.0.1: icmp: echo request (DF) (ttl 64, id 0, len 84)
16:36:17.273249 192.168.0.1 > 192.168.0.9: icmp: echo reply (ttl 64, id 34449, len 84)

What you're looking at are IP IDs. These are different than icmp echo ids. icmp echo ids are set within a union of the icmp payload. If you use iptables you can log the packets and look at the icmp id fields.

-Brad