From owner-freebsd-security@FreeBSD.ORG Sun Oct 5 20:52:27 2014
Date: Sun, 5 Oct 2014 16:22:22 -0400
Subject: Re: remote host accepts loose source routed IP packets
From: el kalin
To: Brandon Vincent, Colin Percival
Cc: freebsd-net, freebsd-users@freebsd.org, freebsd-security@freebsd.org
List-Id: "Security issues [members-only posting]"

hmmm… could it be OpenVAS?!

just installed the NetBSD 6.1.4 AMI I found on the AWS community AMIs list… same thing..

just the possibility of both OpenVAS and the HackerGuardian service being wrong is a bit too much of a coincidence for me…

any thoughts?

On Sun, Oct 5, 2014 at 3:21 PM, el kalin wrote:
> ok.. this is getting a bit ridiculous…
>
> just did a brand new install of the FreeBSD 9.3 AMI on Amazon…
>
> with nothing installed on it and only ssh open i get the same result when
> scanning with OpenVAS:
>
> "Summary:
> The remote host accepts loose source routed IP packets.
> The feature was designed for testing purpose.
> An attacker may use it to circumvent poorly designed IP filtering
> and exploit another flaw. However, it is not dangerous by itself.
> Solution:
> drop source routed packets on this host or on other ingress
> routers or firewalls."
>
> and by default:
> # sysctl -a | grep accept_sourceroute
> net.inet.ip.accept_sourceroute: 0
>
> thing is the other machine - the BSD 10 - was scanned with the same
> OpenVAS setup and with a service called HackerGuardian offered by a company
> called Comodo. they sell that service as a PCI compliance scan. both
> machines are non compliant according to both the OpenVAS scan and the
> HackerGuardian one…
>
> i can't be done with this job if i can't pass the PCI scan…
>
> i'd appreciate any help…
>
> thanks...
>
> now what?
>
> On Sun, Oct 5, 2014 at 1:09 PM, el kalin wrote:
>
>> thanks brandon… but that didn't help….
>>
>> i still get the same result…
>>
>> i guess i'd report this as a bug…
>>
>> On Sun, Oct 5, 2014 at 11:58 AM, Brandon Vincent wrote:
>>
>>> On Sun, Oct 5, 2014 at 8:33 AM, el kalin wrote:
>>> > should I submit this as a bug?
>>>
>>> Can you first try adding "set block-policy return" to pf.conf? OpenVAS
>>> might be assuming that a lack of response from your system to source
>>> routed packets is an acknowledgement that it is accepting them.
>>>
>>> Brandon Vincent
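Brandon's suggestion in the quoted reply above rests on two separate knobs: the sysctls that decide whether FreeBSD accepts or forwards source-routed packets, and pf's block policy, whose default "drop" answers nothing and so can look like acceptance to a scanner that keys on silence. The POSIX sh audit below is an added example, not code from the thread or from FreeBSD; it reads captured text on stdin so it can be checked offline, and it assumes the sysctl net.inet.ip.sourceroute (the forwarding counterpart of the accept_sourceroute knob shown in the thread) and the interface name vtnet0 in its constructed samples.

```shell
#!/bin/sh
# Audit helpers for the two FreeBSD source-routing sysctls and pf's
# block policy. Both checks read text on stdin so they can be exercised
# against captured output; on a live FreeBSD host feed them the real
# commands (see audit_live_host).

# Succeed only if both knobs are present and 0: accept_sourceroute covers
# source-routed packets addressed to this host, sourceroute covers
# forwarding them on behalf of others.
srcroute_sysctl_ok() {
    awk -F': ' '
        $1 == "net.inet.ip.accept_sourceroute" { seen++; if ($2 != 0) bad = 1 }
        $1 == "net.inet.ip.sourceroute"        { seen++; if ($2 != 0) bad = 1 }
        END { if (bad || seen < 2) exit 1; exit 0 }'
}

# Succeed only if pf.conf explicitly sets "set block-policy return".
# pf's default is "drop": blocked probes get no answer at all, which a
# scanner keying on silence may read as the packet having been accepted.
pf_block_policy_returns() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "set" && $2 == "block-policy" { policy = $3 }
        END { if (policy == "return") exit 0; exit 1 }'
}

# Constructed sample inputs, not captured from any real host; vtnet0 is an
# assumed interface name.
SAMPLE_SYSCTL_OK='net.inet.ip.accept_sourceroute: 0
net.inet.ip.sourceroute: 0'
SAMPLE_SYSCTL_BAD='net.inet.ip.accept_sourceroute: 1
net.inet.ip.sourceroute: 0'
SAMPLE_PF_DROP='# the default policy, answers nothing
set block-policy drop
block all
pass in on vtnet0 proto tcp to port 22'
SAMPLE_PF_RETURN='set block-policy return
block all
pass in on vtnet0 proto tcp to port 22'

# Run both checks against the running host (FreeBSD only).
audit_live_host() {
    sysctl net.inet.ip.accept_sourceroute net.inet.ip.sourceroute 2>/dev/null \
        | srcroute_sysctl_ok && echo "sysctl: source routing off" \
        || echo "sysctl: source routing NOT confirmed off"
    pf_block_policy_returns < /etc/pf.conf && echo "pf: block-policy return" \
        || echo "pf: block-policy drop (silent)"
}
```

Passing both checks says the host itself is configured as the thread's sysctl output shows; whether a given scanner stops flagging it after the pf change is the question Brandon's reply raises, and only a rescan answers that.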