From owner-freebsd-net@FreeBSD.ORG Mon Oct 6 06:23:00 2014
From: el kalin
To: Brandon Vincent
Cc: freebsd-net, Adrian Chadd, freebsd-users@freebsd.org, Colin Percival, freebsd-security@freebsd.org
Date: Mon, 6 Oct 2014 02:17:25 -0400
Subject: Re: remote host accepts loose source routed IP packets
List-Id: Networking and TCP/IP with FreeBSD
Content-Type: text/plain; charset=UTF-8

On Sun, Oct 5, 2014 at 6:24 PM, Brandon Vincent wrote:
> On Sun, Oct 5, 2014 at 2:39 PM, Adrian Chadd wrote:
> > All accept_sourceroute does is prevent the stack from forwarding
> > source routed packets. If it's destined locally then it's still
> > accepted.
>
> Out of curiosity, isn't "net.inet.ip.accept_sourceroute" supposed to
> reject incoming source routed packets?

that was my understanding too. as far as forwarding - i have it off too:

# sysctl -a | grep forwa
kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 0
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0

> > On 5 October 2014 13:22, el kalin wrote:
> > hmmm… could it be openvas?!
>
> OpenVAS is a fork of Nessus from when it was open source.
> HackerGuardian seems to use Nessus as the chief scanning engine.

i'm aware of those. i used to use Nessus when it was open and did pre-scanning for pci with it on freebsd 7 and 8 and everything was fine.

now this is really mind boggling…. i can't imagine that both freebsd 9 and 10 and also netbsd 6 will have this "vulnerability" which, according to the information that hackerguardian (nessus?!) suggests to read, points to links from 2002. unless it has to do with virtualization somehow. am i the first person ever to try to get pci compliant on bsd on aws?!

i did report this as a false positive to hackerguardian on friday. haven't heard from them since. but i'm not holding my breath…

> Brandon Vincent
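The thread turns on two separate FreeBSD knobs: net.inet.ip.accept_sourceroute (whether the stack accepts source-routed packets addressed to the host itself) and net.inet.ip.sourceroute (whether it forwards source-routed packets onward), alongside the forwarding sysctls el kalin pasted. The audit helper below is an added example, not code from the thread or from FreeBSD: it reads sysctl "key: value" lines on stdin, flags any of those five knobs that is not 0, and returns non-zero if the host is not hardened. The two sample blocks are constructed inputs (the first mirrors the values quoted in the mail plus the two source-route knobs); on a real host you would pipe the real `sysctl` output into the function instead. A clean result only tells you how the host is configured; it does not by itself explain a scanner finding, which, as the thread suggests, may well be a false positive.

```shell
#!/bin/sh
# Added audit helper (not from the mailing-list thread). Reads FreeBSD
# sysctl output in "key: value" form on stdin and reports the knobs
# that govern source-routed and forwarded IP packets.
# Exit status: 0 if every relevant knob is 0, 1 if any is set.

audit_sourceroute() {
    rc=0
    while IFS= read -r line; do
        key=${line%%:*}          # text before the first ':'
        val=${line#*: }          # text after ': '
        case "$key" in
            net.inet.ip.accept_sourceroute|net.inet.ip.sourceroute|\
            net.inet.ip.forwarding|net.inet.ip.fastforwarding|\
            net.inet6.ip6.forwarding)
                if [ "$val" = "0" ]; then
                    printf 'OK   %s = %s\n' "$key" "$val"
                else
                    printf 'WARN %s = %s (expected 0)\n' "$key" "$val"
                    rc=1
                fi
                ;;
        esac
    done
    return $rc
}

# Constructed sample 1: the values quoted in the thread, plus both
# source-route knobs off. Expected: all OK, exit 0.
SAMPLE_HARDENED='net.inet.ip.accept_sourceroute: 0
net.inet.ip.sourceroute: 0
net.inet.ip.forwarding: 0
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0'

# Constructed sample 2: locally destined source-routed packets are
# accepted even though forwarding is off. Expected: one WARN, exit 1.
SAMPLE_LOOSE='net.inet.ip.accept_sourceroute: 1
net.inet.ip.sourceroute: 0
net.inet.ip.forwarding: 0'

# Stand-alone run over the constructed samples. On a live FreeBSD host:
#   sysctl net.inet.ip.accept_sourceroute net.inet.ip.sourceroute \
#          net.inet.ip.forwarding net.inet.ip.fastforwarding \
#          net.inet6.ip6.forwarding | audit_sourceroute
if [ "${AUDIT_SOURCEROUTE_DEMO:-1}" = "1" ]; then
    echo "--- hardened sample ---"
    printf '%s\n' "$SAMPLE_HARDENED" | audit_sourceroute || true
    echo "--- loose sample ---"
    printf '%s\n' "$SAMPLE_LOOSE" | audit_sourceroute || true
fi
```

Setting the knobs persistently is done through /etc/sysctl.conf (net.inet.ip.accept_sourceroute=0 and net.inet.ip.sourceroute=0); the helper above only reports, it does not change anything.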