Date: Mon, 6 Oct 2014 02:17:25 -0400
From: el kalin <kalin@el.net>
To: Brandon Vincent <Brandon.Vincent@asu.edu>
Cc: freebsd-net <freebsd-net@freebsd.org>, Adrian Chadd <adrian@freebsd.org>, freebsd-users@freebsd.org, Colin Percival <cperciva@freebsd.org>, freebsd-security@freebsd.org
Subject: Re: remote host accepts loose source routed IP packets
Message-ID: <CAMJXocmJ%2BnKu9VjSiXYw%2BaqLxRnZK_XSdPhLYt3wiZRQ0wfY8w@mail.gmail.com>
In-Reply-To: <CAJm4238LSs5L%2BmtrbvepC3Hi7EvpWvJwmUTFt7j0X3rmavsdtg@mail.gmail.com>
References: <CAMJXoc=s=Ud52NJ0dbK-6qKEcszbni4bi1MA8mgRtQSo=2Uuyw@mail.gmail.com> <CAMJXoc=5gs17ZgQ7LYALwKFRPN5hQ38OOuBtDk=EjZzi82EFMA@mail.gmail.com> <CAMJXockiQ%2B0gFbxSY43OyMbNqTjdzR1i16w%2Byiqmm=cQ8HR=pQ@mail.gmail.com> <CAJm423-mFg%2BzU_RB%2Bkp8wmp-V31onJJV0K4FUOLcv%2BczAOCKXA@mail.gmail.com> <CAMJXock7iYsh%2BMXMcxZjaTNg6cgm7g%2BHa4=ZQJqLq0DtzK5BWQ@mail.gmail.com> <CAMJXocm=2D_F8uN1JCKjMTdQvkRhWv9Owd8=UMhYOpKK=drSHw@mail.gmail.com> <CAMJXocnJRGSr%2BLy2dEnwZweg1hCN6LxtHBtjE=OEed_qoeShrA@mail.gmail.com> <CAJ-VmonFr4eAWqS0tngV-M7m_aUHv%2B9qOVny3o5Xt0CyuxwJ8w@mail.gmail.com> <CAJm4238LSs5L%2BmtrbvepC3Hi7EvpWvJwmUTFt7j0X3rmavsdtg@mail.gmail.com>

On Sun, Oct 5, 2014 at 6:24 PM, Brandon Vincent <Brandon.Vincent@asu.edu> wrote:

> On Sun, Oct 5, 2014 at 2:39 PM, Adrian Chadd <adrian@freebsd.org> wrote:
> > All accept_sourceroute does is prevent the stack from forwarding
> > source routed packets. If it's destined locally then it's still
> > accepted.
>
> Out of curiosity, isn't "net.inet.ip.accept_sourceroute" supposed to
> reject incoming source routed packets?

that was my understanding too. as far as forwarding - have it off too:

# sysctl -a | grep forwa
kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 0
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0

> > On 5 October 2014 13:22, el kalin <kalin@el.net> wrote:
> > hmmm… could it be openvas?!
>
> OpenVAS is a fork of Nessus from when it was open source.
> HackerGuardian seems to use Nessus as the chief scanning engine.

i'm aware of those. i used to use Nessus when it was open and did pre scanning for pci with it on freebsd 7 and 8 and everything was fine.

now this is really mind boggling…. i can't imagine that both freebsd 9 and 10 and also netbsd 6 will have this "vulnerability" which according to the information that the hackerguardian (nessus?!) suggests to read points to links from 2002. unless it has to do with virtualization somehow. am i the first person ever to try to get pci compliant on bsd on aws?!

i did report this as a false positive to hackerguardian on friday. haven't heard from them since. but i'm not holding my breath…

>
> Brandon Vincent