From owner-freebsd-security@FreeBSD.ORG Sun Oct 5 21:40:00 2014
From: Adrian Chadd
Sender: adrian.chadd@gmail.com
Date: Sun, 5 Oct 2014 14:39:57 -0700
Subject: Re: remote host accepts loose source routed IP packets
To: el kalin
X-Mailman-Approved-At: Sun, 05 Oct 2014
Cc: freebsd-security@freebsd.org, freebsd-net, freebsd-users@freebsd.org, Colin Percival, Brandon Vincent
List-Id: "Security issues [members-only posting]"

Hi,

Can you please get a packet capture of what it's sending and what it's receiving?

All accept_sourceroute does is prevent the stack from forwarding source routed packets. If it's destined locally then it's still accepted.

You could try crafting an ipfw rule to filter out packets with these options set. From man ipfw:

     ipoptions spec
             Matches packets whose IPv4 header contains the comma separated
             list of options specified in spec.  The supported IP options
             are: ssrr (strict source route), lsrr (loose source route),
             rr (record packet route) and ts (timestamp).  The absence of
             a particular option may be denoted with a `!'.

something like:

1 deny ip from any to any ipoptions ssrr,lsrr,rr
65000 allow ip from any to any

-a

On 5 October 2014 13:22, el kalin wrote:
> hmmm… could it be openvas?!
>
> just installed the netbsd 6.1.4 AMI i found on the aws community AMIs list…
> same thing..
>
> just the possibility of both openvas and the hackerguardian service being
> both wrong is a bit too much of a coincidence for me…
>
> any thoughts?
>
> On Sun, Oct 5, 2014 at 3:21 PM, el kalin wrote:
>
>> ok.. this is getting a bit ridiculous…
>>
>> just did a brand new install of the freebsd 9.3 AMI on amazon…
>>
>> with nothing installed on it and only ssh open i get the same result when
>> scanning with openvas:
>>
>> "Summary:
>> The remote host accepts loose source routed IP packets.
>> The feature was designed for testing purpose.
>> An attacker may use it to circumvent poorly designed IP filtering
>> and exploit another flaw.
>> However, it is not dangerous by itself.
>> Solution:
>> drop source routed packets on this host or on other ingress
>> routers or firewalls."
>>
>> and by default:
>> # sysctl -a | grep accept_sourceroute
>> net.inet.ip.accept_sourceroute: 0
>>
>> thing is the other machine - the bsd 10 - was scanned with the same openvas
>> setup and with a service called hackerguardian offered by a company
>> called comodo. they sell that service as a pci compliance scan. both
>> machines are non compliant according to both the openvas scan and the
>> hackerguardian one…
>>
>> i can't be done with this job if i can't pass the pci scan…
>>
>> i'd appreciate any help…
>>
>> thanks...
>>
>> now what?
>>
>> On Sun, Oct 5, 2014 at 1:09 PM, el kalin wrote:
>>
>>> thanks brandon… but that didn't help….
>>>
>>> i still get the same result…
>>>
>>> i guess i'd report this as a bug…
>>>
>>> On Sun, Oct 5, 2014 at 11:58 AM, Brandon Vincent wrote:
>>>
>>>> On Sun, Oct 5, 2014 at 8:33 AM, el kalin wrote:
>>>> > should i submit this as a bug?
>>>>
>>>> Can you first try adding "set block-policy return" to pf.conf? OpenVAS
>>>> might be assuming that a lack of response from your system to source
>>>> routed packets is an acknowledgement that it is accepting them.
>>>>
>>>> Brandon Vincent
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
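The thread turns on two things: what a source-routed probe actually looks like on the wire (the capture Adrian asks for), and whether a filter such as the ipfw "ipoptions" rule above would match it. The following is an added example written for this page; it is not code from FreeBSD, ipfw, OpenVAS or any of the posters. It builds an IPv4 packet carrying a loose source route (LSRR) option, parses the option area the way a filter has to (rejecting malformed lengths instead of guessing), and models ipfw's "ipoptions spec" matching under the assumption that every listed option must be present and every "!"-prefixed one absent. Addresses are RFC 5737 documentation ranges, and the packet is constructed in memory, so nothing is sent.

```python
"""Build and inspect IPv4 packets carrying source-route options.

Added example for the thread above, not code from the FreeBSD project,
ipfw or any poster.  The ipfw matching model in ipfw_ipoptions_match()
(every listed option present, every "!"-prefixed option absent) is an
assumption made for this illustration, not a copy of ipfw's source.
"""
import socket
import struct

# IPv4 option type octets from RFC 791 (copied flag | class | number)
IPOPT_EOL, IPOPT_NOP = 0x00, 0x01
IPOPT_RR, IPOPT_TS, IPOPT_LSRR, IPOPT_SSRR = 0x07, 0x44, 0x83, 0x89
# Names as the ipfw(8) "ipoptions" keyword spells them
OPTION_NAMES = {IPOPT_SSRR: "ssrr", IPOPT_LSRR: "lsrr", IPOPT_RR: "rr", IPOPT_TS: "ts"}


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement sum of 16-bit words (zero over a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def source_route_option(hops, strict=False) -> bytes:
    """LSRR/SSRR option: type, length, pointer (4 = first address), hop list."""
    body = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([IPOPT_SSRR if strict else IPOPT_LSRR, 3 + len(body), 4]) + body


def build_ipv4(src, dst, payload=b"", options=b"", proto=socket.IPPROTO_ICMP) -> bytes:
    """IPv4 header with options padded (EOL) to a 32-bit boundary, checksum filled in."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0x1234, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + options
    csum = ip_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ip_options(packet: bytes):
    """Walk the option area and return the set of ipfw-style names present.

    Raises ValueError on anything malformed: a filter must reject, not guess,
    when the option lengths do not add up to the IHL.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, found, i = packet[20:ihl], set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")
        if kind in OPTION_NAMES:
            found.add(OPTION_NAMES[kind])
        i += opts[i + 1]
    return found


def ipfw_ipoptions_match(spec: str, packet: bytes) -> bool:
    """Model of 'ipoptions spec' (assumption, see module docstring):
    every listed option must be present, every '!name' must be absent."""
    present = parse_ip_options(packet)
    for item in spec.split(","):
        name = item.lstrip("!")
        if name not in OPTION_NAMES.values():
            raise ValueError("unknown option " + name)
        if item.startswith("!") == (name in present):
            return False
    return True


if __name__ == "__main__":
    # Constructed probe: ICMP echo, loose-source-routed via one hop.
    probe = build_ipv4("192.0.2.10", "203.0.113.5",
                       b"\x08\x00\xf7\xff\x00\x00\x00\x00",
                       source_route_option(["198.51.100.1"]))
    print(parse_ip_options(probe))                      # {'lsrr'}
    print(ipfw_ipoptions_match("ssrr,lsrr,rr", probe))  # False: needs all three
    print(ipfw_ipoptions_match("lsrr", probe))          # True
```

Two practical points follow from running it. First, a header with any option has an IHL greater than 5, so the capture Adrian asks for can be narrowed with `tcpdump -n -w srcroute.pcap 'ip[0] & 0xf > 5'` while the scan runs; the parser above can then be pointed at the captured IPv4 headers. Second, under the all-listed-options semantics modelled here, a single rule listing `ssrr,lsrr,rr` would only match a packet carrying all three options at once and would let the plain LSRR probe through, so one `deny` rule per option is the form to check against a capture before relying on it for a compliance scan.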