From: el kalin
To: Brandon Vincent
Cc: freebsd-net, Adrian Chadd, freebsd-users@freebsd.org, Colin Percival, freebsd-security@freebsd.org
Date: Mon, 6 Oct 2014 02:17:25 -0400
Subject: Re: remote host accepts loose source routed IP packets
List-Id: "Security issues [members-only posting]"

On Sun, Oct 5, 2014 at 6:24 PM, Brandon Vincent wrote:

> On Sun, Oct 5, 2014 at 2:39 PM, Adrian Chadd wrote:
> > All accept_sourceroute does is prevent the stack from forwarding
> > source routed packets. If it's destined locally then it's still
> > accepted.
>
> Out of curiosity, isn't "net.inet.ip.accept_sourceroute" supposed to
> reject incoming source routed packets?

that was my understanding too. as far as forwarding - have it off too:

# sysctl -a | grep forwa
kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 0
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0

> > On 5 October 2014 13:22, el kalin wrote:
> > hmmm… could it be openvas?!
>
> OpenVAS is a fork of Nessus from when it was open source.
> HackerGuardian seems to use Nessus as the chief scanning engine.

i'm aware of those. i used to use Nessus when it was open and did pre scanning for pci with it on freebsd 7 and 8 and everything was fine.

now this is really mind boggling…. i can't imagine that both freebsd 9 and 10 and also netbsd 6 will have this "vulnerability" which according to the information that the hackerguardian (nessus?!) suggests to read points to links from 2002. unless it has to do with virtualization somehow. am i the first person ever to try to get pci compliant on bsd on aws?!

i did report this as a false positive to hackerguardian on friday. haven't heard from them since. but i'm not holding my breath…

> Brandon Vincent
>