Date:      Sun, 5 Oct 2014 11:33:38 -0400
From:      el kalin <kalin@el.net>
To:        freebsd-net <freebsd-net@freebsd.org>, freebsd-users@freebsd.org,  freebsd-security@freebsd.org
Subject:   Re: remote host accepts loose source routed IP packets
Message-ID:  <CAMJXockiQ%2B0gFbxSY43OyMbNqTjdzR1i16w%2Byiqmm=cQ8HR=pQ@mail.gmail.com>
In-Reply-To: <CAMJXoc=5gs17ZgQ7LYALwKFRPN5hQ38OOuBtDk=EjZzi82EFMA@mail.gmail.com>
References:  <CAMJXoc=s=Ud52NJ0dbK-6qKEcszbni4bi1MA8mgRtQSo=2Uuyw@mail.gmail.com> <CAMJXoc=5gs17ZgQ7LYALwKFRPN5hQ38OOuBtDk=EjZzi82EFMA@mail.gmail.com>

should I submit this as a bug?



On Sun, Oct 5, 2014 at 2:04 AM, el kalin <kalin@el.net> wrote:

> hi again…  i have disabled the icmp pings…  same result...
>
> currently:
>
> /etc/pf.conf:
>
> tcp_in = "{ www, https }"
> udp = "{ domain, ntp, snmp }"
> ping = "echoreq"
>
> set skip on lo
> scrub in
> antispoof for xn0 inet
> block in all
> pass out all keep state
> pass out inet proto udp from any to any port 33433 >< 33626 keep state
> pass proto udp to any port $udp
> ### pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh
>
>
> # sysctl -a | grep sourceroute
> net.inet.ip.sourceroute: 0
> net.inet.ip.accept_sourceroute: 0
>
> in /etc/defaults/rc.conf:
>
> forward_sourceroute="NO"
> accept_sourceroute="NO"
>
>
> what am i missing? this is pretty important….
>
> thanks…..
>
>
>
> On Sat, Oct 4, 2014 at 11:46 PM, el kalin <kalin@el.net> wrote:
>
>>
>> hi all…
>>
>> i'm setting up a freebsd 10 on aws (amazon) to be as secure as possible…
>> i used openvas to scan it and pretty much everything is fine except this:
>>
>>  "The remote host accepts loose source routed IP packets.
>> The feature was designed for testing purpose.
>> An attacker may use it to circumvent poorly designed IP filtering
>> and exploit another flaw. However, it is not dangerous by itself.
>>  Solution:
>>  drop source routed packets on this host or on other ingress
>> routers or firewalls."
>>
>> there is no "other ingress routers or firewalls." except the AWS
>> "security group" which only has open ports 80, 443 and 22 and allICMP fo=
r
>> pinging...
>>
>> on the instance itself i have this already set up...
>>
>> in /etc/sysctl.conf i have:
>>
>> net.inet.ip.accept_sourceroute=0
>>
>> in /etc/defaults/rc.conf i got:
>>
>> accept_sourceroute="NO"
>>
>>
>>  # sysctl -a | grep accept_sourceroute
>> net.inet.ip.accept_sourceroute: 0
>>
>> i also have a pf enabled locally pretty much with the same ports as the
>> security group. can i use pf to drop those packets?
>>
>> how do i drop the source routed packets?
>> without this i can't pass a pci scan…
>>
>> thanks...
>>
>>
>>
>
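
The OpenVAS finding quoted above concerns IPv4 packets carrying a loose source route option (LSRR, option type 131; its strict sibling SSRR is type 137). As an added illustration that is not from this thread, FreeBSD or pf, here is a Python parser that walks the IPv4 option list of a raw packet and reports any source-route option, so captured traffic can be checked for such probes; the sample packets are constructed inline and the builder is a hypothetical helper for that purpose.

```python
import struct
# IPv4 option type values from RFC 791
IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # single-byte no-op padding
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route


def parse_ipv4_options(pkt):
    """Walk the options area of an IPv4 header (bytes 20 .. IHL*4) into a list of dicts."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a complete IPv4 header")
    opts, out, i = pkt[20:ihl], [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            out.append({"type": t})
            i += 1
            continue
        # every other option is TLV: type, total length (>= 2), data
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option of type %d" % t)
        out.append({"type": t, "data": opts[i + 2:i + opts[i + 1]]})
        i += opts[i + 1]
    return out


def source_route(pkt):
    """Return {'kind', 'pointer', 'route'} if pkt carries an LSRR/SSRR option, else None."""
    for o in parse_ipv4_options(pkt):
        if o["type"] in (IPOPT_LSRR, IPOPT_SSRR):
            d = o["data"]   # pointer byte followed by 4-byte hop addresses
            hops = [".".join(str(b) for b in d[k:k + 4]) for k in range(1, len(d) - 3, 4)]
            return {"kind": "loose" if o["type"] == IPOPT_LSRR else "strict",
                    "pointer": d[0], "route": hops}
    return None


def build_ipv4(src, dst, options=b""):
    """Hypothetical helper: constructed sample header (no payload, checksum left zero)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad option list to a 32-bit boundary
    ihl = (20 + len(options)) // 4
    addr = lambda ip: bytes(int(x) for x in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options),
                       0, 0, 64, 6, 0, addr(src), addr(dst)) + options


# Constructed samples: a plain packet and one loosely source-routed via 192.0.2.10
SAMPLE_PLAIN = build_ipv4("198.51.100.5", "203.0.113.7")
SAMPLE_LSRR = build_ipv4("198.51.100.5", "203.0.113.7", bytes([IPOPT_LSRR, 7, 4, 192, 0, 2, 10]))
```

Running source_route() over the raw IPv4 bytes of a capture taken while the scanner runs shows whether source-routed probes actually reach the interface and whether anything answers them, which separates a host-side setting from filtering done upstream.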


