remote host accepts loose source routed IP packets
el kalin
kalin at el.net
Sun Oct 5 15:33:46 UTC 2014
should is submit this as a bug?
On Sun, Oct 5, 2014 at 2:04 AM, el kalin <kalin at el.net> wrote:
> hi again… i have disabled the icmp pings… same result...
>
> currently:
>
> /etc/pf.conf:
>
> tcp_in = "{ www, https }"
> udp = "{ domain, ntp, snmp }"
> ping = "echoreq"
>
> set skip on lo
> scrub in
> antispoof for xn0 inet
> block in all
> pass out all keep state
> pass out inet proto udp from any to any port 33433 >< 33626 keep state
> pass proto udp to any port $dup
> ### pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh
>
>
> # sysctl -a | grep sourceroute
> net.inet.ip.sourceroute: 0
> net.inet.ip.accept_sourceroute: 0
>
> in /etc/defaults/rc.conf:
>
> forward_sourceroute="NO"
> accept_sourceroute="NO"
>
>
> what am i missing? this is pretty important….
>
> thanks…..
>
>
>
> On Sat, Oct 4, 2014 at 11:46 PM, el kalin <kalin at el.net> wrote:
>
>>
>> hi all…
>>
>> i'm setting up a freebsd 10 on aws (amazon) to be as secure as possible…
>> i used openvas to scan it and pretty much everything is fine except this:
>>
>> "The remote host accepts loose source routed IP packets.
>> The feature was designed for testing purpose.
>> An attacker may use it to circumvent poorly designed IP filtering
>> and exploit another flaw. However, it is not dangerous by itself.
>> Solution:
>> drop source routed packets on this host or on other ingress
>> routers or firewalls."
>>
>> there is no "other ingress routers or firewalls." except the AWS
>> "security group" which only has open ports 80, 443 and 22 and allICMP for
>> pinging...
>>
>> on the instance itself i have this already set up...
>>
>> in /etc/sysctl.conf i have:
>>
>> net.inet.ip.accept_sourceroute=0
>>
>> in /etc/derfaults/rc.conf i got:
>>
>> accept_sourceroute="NO"
>>
>>
>> # sysctl -a | grep accept_sourceroute
>> net.inet.ip.accept_sourceroute: 0
>>
>> i also have a pf enabled locally pretty much with the same ports as the
>> security group. can i use pf to drop those packets?
>>
>> how do i drop the source routed packets?
>> without this i can't pass a pci scan…
>>
>> thanks...
>>
>>
>>
>
More information about the freebsd-net
mailing list