Honeypots mailing list archives

honeyd - linux icmp echo replies and xprobe2.conf
From: James Oliver <686f6e6579 () gmail com>
Date: Thu, 7 Apr 2005 11:22:22 +0200

Hi,

I'm running honeyd (1.0) with a host based on the "Linux 2.4.20"
personality. A firewall (iptables 1.2.9) drops all new outgoing
connections. When I try to ping this Linux host from outside, the
firewall always drops the packet, stating this is a new connection.

I have analysed the ICMP Echo Replies honeyd sends for the "Linux
2.4.20" personality and the Code field is set to 1, even if the ICMP
Echo Request's Code field is 0.

In http://www.networkmagazine.com/shared/printableArticle.jhtml?articleID=8702910
it is stated that Linux doesn't change the code field, so I'm
wondering why this happens. I have analysed my own ICMP Echo
Requests/Replies and looked at /usr/src/linux/net/ipv4/icmp.c to have
a look at the Linux ICMP code. This code is the same as the one in the
Linux 2.4.20 sources, so the behaviour should be the same AFAIK.

Therefore I have now modified my /usr/share/honeyd/xprobe2.conf in line 237 to

icmp_echo_code = 0

instead of

icmp_echo_code = !0

After this change the firewall accepts the ICMP Echo Replies of
honeyd's Linux 2.4.20 personality. Nevertheless, it now always changes
the ICMP Echo Reply Code to 0, which is not Linux behaviour.

Is the behavior in the original xprobe2.conf intended? Is there a
mistake on my side?

Thanks for your suggestions,
James
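
Added example (not part of the original message and not honeyd or xprobe2 code): a Python check for the behaviour the post describes, comparing the Code field of an ICMP Echo Reply with that of the matching Echo Request. The packets are constructed sample data and all function names are hypothetical.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over a whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type, code, ident, seq, payload=b"constructed"):
    """Build an ICMP echo message with a valid checksum (sample data)."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload

def parse_echo(msg: bytes):
    """Return (type, code, id, seq); reject short or corrupted messages."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    if checksum(msg) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, code, ident, seq

def classify_reply(request: bytes, reply: bytes) -> str:
    """Describe how a reply's Code field relates to its request's."""
    rtype, rcode, rid, rseq = parse_echo(request)
    ptype, pcode, pid, pseq = parse_echo(reply)
    if rtype != ECHO_REQUEST or ptype != ECHO_REPLY or (rid, rseq) != (pid, pseq):
        return "unrelated"
    if pcode == rcode:
        return "code echoed"  # reply leaves the Code field unchanged
    return "code zeroed" if pcode == 0 else "code forced non-zero"

if __name__ == "__main__":
    # Constructed pairs: (request code, reply code) for id 0x1234, seq 1.
    for req_code, rep_code in [(0, 1), (0, 0), (5, 0), (5, 5)]:
        req = build_echo(ECHO_REQUEST, req_code, 0x1234, 1)
        rep = build_echo(ECHO_REPLY, rep_code, 0x1234, 1)
        print(req_code, rep_code, classify_reply(req, rep))
```

The pair (0, 1) is what the post reports for the unmodified personality, and (5, 0) is the case the `icmp_echo_code = 0` workaround would produce for a request with a non-zero Code.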

