Date: Sat, 4 Oct 2014 23:46:04 -0400
From: el kalin <kalin@el.net>
To: freebsd-net@freebsd.org, freebsd-users@freebsd.org
Subject: remote host accepts loose source routed IP packets
Message-ID: <CAMJXoc=s=Ud52NJ0dbK-6qKEcszbni4bi1MA8mgRtQSo=2Uuyw@mail.gmail.com>
Hi all… I'm setting up a FreeBSD 10 on AWS (Amazon) to be as secure as possible… I used OpenVAS to scan it and pretty much everything is fine except this:

"The remote host accepts loose source routed IP packets. The feature was designed for testing purpose. An attacker may use it to circumvent poorly designed IP filtering and exploit another flaw. However, it is not dangerous by itself. Solution: drop source routed packets on this host or on other ingress routers or firewalls."

There is no "other ingress routers or firewalls" except the AWS "security group", which only has open ports 80, 443 and 22 and all ICMP for pinging...

On the instance itself I have this already set up. In /etc/sysctl.conf I have:

net.inet.ip.accept_sourceroute=0

In /etc/defaults/rc.conf I got:

accept_sourceroute="NO"

# sysctl -a | grep accept_sourceroute
net.inet.ip.accept_sourceroute: 0

I also have pf enabled locally, pretty much with the same ports as the security group. Can I use pf to drop those packets? How do I drop the source routed packets? Without this I can't pass a PCI scan…

Thanks...
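An added example, not part of the original thread or of any reply to it. Two facts frame the question above: pf.conf(5) documents that IPv4 packets carrying IP options are blocked by default and only pass through a pass rule that says allow-opts (the implicit default pass rule does not allow them), so a ruleset that never uses allow-opts is already dropping source-routed packets; and FreeBSD has two separate sysctls, net.inet.ip.accept_sourceroute for source-routed packets whose route ends at this host and net.inet.ip.sourceroute for forwarding them on to the next hop. The Python below, written for this page, builds the kind of loose-source-routed IPv4 packet a scanner sends (RFC 791 option type 131, "LSRR"; 137 is the strict variant) and walks the options field the way a filter has to before it can make that decision. All addresses are constructed documentation ranges, the payload is opaque filler, and `pf_verdict` models only the behaviour pf.conf(5) documents; its treatment of malformed options as a drop is the example's own choice, not a claim about pf internals.

```python
import socket
import struct

# IPv4 option types (RFC 791).  131 (0x83) is loose source and record route,
# 137 (0x89) is strict source and record route.
IPOPT_EOL = 0
IPOPT_NOP = 1
IPOPT_LSRR = 131
IPOPT_SSRR = 137
SOURCE_ROUTE_NAMES = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the header bytes (options included)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src, dst, payload=b"", source_route=None, strict=False, ttl=64):
    """Return an IPv4 header plus payload.  With source_route=[hop, ...] the
    header carries an LSRR (or SSRR) option laid out as type, length, pointer,
    route.  The pointer starts at 4, i.e. the first listed hop is the next hop."""
    options = b""
    if source_route:
        route = b"".join(socket.inet_aton(h) for h in source_route)
        opt_type = IPOPT_SSRR if strict else IPOPT_LSRR
        options = bytes([opt_type, 3 + len(route), 4]) + route
        while len(options) % 4:           # options field is padded to 32 bits
            options += bytes([IPOPT_EOL])
    ihl = 5 + len(options) // 4
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0x1234, 0, ttl,
        1,                                # protocol 1 = ICMP; payload is opaque here
        0,                                # checksum, filled in below
        socket.inet_aton(src), socket.inet_aton(dst),
    ) + options
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def find_source_route(packet: bytes):
    """Walk the IPv4 options field.  Return (kind, hops, pointer) for a
    source-route option, or None when there is none.  Raises ValueError on a
    malformed options field."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:             # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in SOURCE_ROUTE_NAMES:
            body = opts[i + 3:i + length]
            if length < 3 or len(body) % 4:
                raise ValueError("bad source route option")
            hops = [socket.inet_ntoa(body[j:j + 4]) for j in range(0, len(body), 4)]
            return SOURCE_ROUTE_NAMES[kind], hops, opts[i + 2]
        i += length
    return None


def route_exhausted(packet: bytes) -> bool:
    """True when the pointer is past the last hop: the packet has reached its
    final destination.  That is the case net.inet.ip.accept_sourceroute
    governs; forwarding to a remaining hop is governed by net.inet.ip.sourceroute."""
    found = find_source_route(packet)
    if found is None:
        return False
    _, hops, pointer = found
    return pointer > 3 + 4 * len(hops)    # option length is 3 + 4 * hops


def pf_verdict(packet: bytes, rule_allow_opts: bool) -> str:
    """pf.conf(5): IPv4 packets with IP options are blocked unless the matching
    pass rule carries allow-opts.  Treating a malformed options field as a
    block is this example's choice."""
    try:
        find_source_route(packet)         # validates the whole options field
    except ValueError:
        return "block"
    has_options = (packet[0] & 0x0F) * 4 > 20
    return "block" if has_options and not rule_allow_opts else "pass"
```

On the host in question the check is therefore `pfctl -sr | grep allow-opts`: if nothing matches, pf is already dropping every packet with an IP options field, source-routed or not, and the remaining question is whether the scanner reaches the host through a path pf does not filter.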