From owner-freebsd-security@FreeBSD.ORG Sun Oct 5 15:33:46 2014
Date: Sun, 5 Oct 2014 11:33:38 -0400
Subject: Re: remote host accepts loose source routed IP packets
From: el kalin
To: freebsd-net, freebsd-users@freebsd.org, freebsd-security@freebsd.org
List-Id: "Security issues [members-only posting]"

should i submit this as a bug?

On Sun, Oct 5, 2014 at 2:04 AM, el kalin wrote:
> hi again… i have disabled the icmp pings… same result...
>
> currently:
>
> /etc/pf.conf:
>
> tcp_in = "{ www, https }"
> udp = "{ domain, ntp, snmp }"
> ping = "echoreq"
>
> set skip on lo
> scrub in
> antispoof for xn0 inet
> block in all
> pass out all keep state
> pass out inet proto udp from any to any port 33433 >< 33626 keep state
> pass proto udp to any port $udp
> ### pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh
>
>
> # sysctl -a | grep sourceroute
> net.inet.ip.sourceroute: 0
> net.inet.ip.accept_sourceroute: 0
>
> in /etc/defaults/rc.conf:
>
> forward_sourceroute="NO"
> accept_sourceroute="NO"
>
>
> what am i missing? this is pretty important….
>
> thanks…..
>
>
>
> On Sat, Oct 4, 2014 at 11:46 PM, el kalin wrote:
>
>>
>> hi all…
>>
>> i'm setting up a freebsd 10 on aws (amazon) to be as secure as possible…
>> i used openvas to scan it and pretty much everything is fine except this:
>>
>> "The remote host accepts loose source routed IP packets.
>> The feature was designed for testing purpose.
>> An attacker may use it to circumvent poorly designed IP filtering
>> and exploit another flaw. However, it is not dangerous by itself.
>> Solution:
>> drop source routed packets on this host or on other ingress
>> routers or firewalls."
>>
>> there is no "other ingress routers or firewalls." except the AWS
>> "security group" which only has open ports 80, 443 and 22 and all ICMP for
>> pinging...
>>
>> on the instance itself i have this already set up...
>>
>> in /etc/sysctl.conf i have:
>>
>> net.inet.ip.accept_sourceroute=0
>>
>> in /etc/defaults/rc.conf i got:
>>
>> accept_sourceroute="NO"
>>
>>
>> # sysctl -a | grep accept_sourceroute
>> net.inet.ip.accept_sourceroute: 0
>>
>> i also have a pf enabled locally pretty much with the same ports as the
>> security group. can i use pf to drop those packets?
>>
>> how do i drop the source routed packets?
>> without this i can't pass a pci scan…
>>
>> thanks...
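As an added example, not from anyone in the thread, here is a configuration-review script for the "what am i missing?" question: it reads sysctl output and a pf.conf like the one posted and lists anything that would still let source-routed packets in. It relies on two facts: both net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute must be 0, and pf blocks IPv4 packets carrying IP options (LSRR/SSRR included) unless the matching pass rule says allow-opts. The sample inputs are constructed from the posted configuration.

```python
import re

# Sample inputs, constructed from the configuration posted in the thread
SYSCTL_OUT = """net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0
"""
PF_CONF = """tcp_in = "{ www, https }"
udp = "{ domain, ntp, snmp }"
block in all
pass proto udp to any port $udp
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh
"""

def parse_sysctl(text):
    """Turn 'key: value' lines (sysctl -a output) into a dict."""
    return dict(re.findall(r"^\s*([\w.]+):\s*(.*?)\s*$", text, re.M))

def parse_pf_conf(text):
    """Return the rules with $macros expanded and comments stripped.
    Raises KeyError on an undefined macro, which makes pfctl reject the file."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*"(.*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line:
            rules.append(re.sub(r"\$(\w+)", lambda x: macros[x.group(1)], line))
    return rules

def source_route_findings(sysctl_text, pf_text):
    """List what still lets source-routed packets in; empty means nothing found."""
    findings = []
    values = parse_sysctl(sysctl_text)
    for key in ("net.inet.ip.sourceroute", "net.inet.ip.accept_sourceroute"):
        if values.get(key) != "0":
            findings.append(f"{key}={values.get(key, 'unset')}, expected 0")
    try:
        rules = parse_pf_conf(pf_text)
    except KeyError as err:
        return findings + [f"pf.conf does not load (macro {err} undefined); pf is not filtering"]
    # pf drops IPv4 packets carrying IP options (LSRR/SSRR included) unless the
    # matching pass rule says allow-opts, so that keyword is the only pf-side leak
    for rule in rules:
        if rule.startswith("pass") and "allow-opts" in rule.split():
            findings.append(f"pass rule permits IP options: {rule}")
    return findings
```

This is a static read of the files, not a check of what pf actually loaded; compare against `pfctl -sr` on the host to confirm the ruleset in effect.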