From: el kalin
To: Brandon Vincent, Colin Percival
Cc: freebsd-net, freebsd-users@freebsd.org, freebsd-security@freebsd.org
Date: Sun, 5 Oct 2014 15:21:27 -0400
Subject: Re: remote host accepts loose source routed IP packets

ok.. this is getting a bit ridiculous… just did a brand new install of the freebsd 9.3 AMI on amazon… with nothing installed on it and only ssh open i get the same result when scanning with openvas:

"Summary: The remote host accepts loose source routed IP packets. The feature was designed for testing purpose. An attacker may use it to circumvent poorly designed IP filtering and exploit another flaw. However, it is not dangerous by itself.
Solution: drop source routed packets on this host or on other ingress routers or firewalls."

and by default:

# sysctl -a | grep accept_sourceroute
net.inet.ip.accept_sourceroute: 0

thing is the other machine - the bsd 10 - was scanned with the same openvas setup and with a service called hackerguardian offered by a company called comodo. they sell that service as a pci compliance scan. both machines are non compliant according to both the openvas scan and the hackerguardian one… i can't be done with this job if i can't pass the pci scan… i'd appreciate any help… thanks...

now what?

On Sun, Oct 5, 2014 at 1:09 PM, el kalin wrote:
> thanks brandon… but that didn't help….
>
> i still get the same result…
>
> i guess i'd report this as a bug…
>
>
> On Sun, Oct 5, 2014 at 11:58 AM, Brandon Vincent wrote:
>
>> On Sun, Oct 5, 2014 at 8:33 AM, el kalin wrote:
>> > should i submit this as a bug?
>>
>> Can you first try adding "set block-policy return" to pf.conf? OpenVAS
>> might be assuming that a lack of response from your system to source
>> routed packets is an acknowledgement that it is accepting them.
>>
>> Brandon Vincent
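An added example, not from this thread or from OpenVAS, for checking what the scanner actually sent instead of trusting its verdict: the parser below walks the IPv4 options field of a captured header and reports a loose (LSRR, type 131) or strict (SSRR, type 137) source route with its pointer and hop list, so the probe packets from a tcpdump capture of the scan can be inspected. The sample header is constructed here; the option type codes are the standard values.

```python
import struct

# IPv4 option type codes (standard values, copy/class bits included)
IPOPT_EOL = 0     # end of option list
IPOPT_NOP = 1     # no-operation padding
IPOPT_LSRR = 131  # loose source and record route
IPOPT_SSRR = 137  # strict source and record route


def parse_ipv4_options(pkt: bytes) -> list:
    """Return [(type, payload)] for the options between byte 20 and IHL*4.

    EOL and NOP are single-byte options; every other option carries a
    length byte that counts the type and length bytes themselves."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    opts, i = [], 20
    while i < ihl:
        typ = pkt[i]
        if typ == IPOPT_EOL:
            break
        if typ == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("truncated or malformed option")
        opts.append((typ, pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return opts


def source_route(pkt: bytes):
    """Return ("LSRR"|"SSRR", pointer, [hop, ...]) or None if not source routed."""
    for typ, body in parse_ipv4_options(pkt):
        if typ in (IPOPT_LSRR, IPOPT_SSRR):
            hops = [".".join(map(str, body[k:k + 4])) for k in range(1, len(body) - 3, 4)]
            return ("LSRR" if typ == IPOPT_LSRR else "SSRR", body[0], hops)
    return None


def build_sample(options: bytes) -> bytes:
    """Constructed IPv4 header (ICMP, 192.0.2.1 -> 192.0.2.2, checksum left 0)."""
    options += b"\x00" * (-len(options) % 4)  # pad option field to a 32-bit boundary
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return fixed + options


# constructed: LSRR with pointer 4 and two hops (EOL-padded), and a plain header
SAMPLE_LSRR = build_sample(bytes([IPOPT_LSRR, 11, 4, 10, 0, 0, 1, 10, 0, 0, 2]))
SAMPLE_PLAIN = build_sample(b"")

if __name__ == "__main__":
    print(source_route(SAMPLE_LSRR))   # ('LSRR', 4, ['10.0.0.1', '10.0.0.2'])
    print(source_route(SAMPLE_PLAIN))  # None
```

To use it on a real capture, feed each packet's raw IPv4 header bytes to source_route; a probe that returns None never carried the option in the first place.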