From owner-freebsd-net@FreeBSD.ORG Sun Oct 5 03:46:12 2014
Date: Sat, 4 Oct 2014 23:46:04 -0400
Subject: remote host accepts loose source routed IP packets
From: el kalin
To: freebsd-net@freebsd.org, freebsd-users@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

hi all…

i'm setting up a freebsd 10 on aws (amazon) to be as secure as possible… i used openvas to scan it and pretty much everything is fine except this:

"The remote host accepts loose source routed IP packets. The feature was designed for testing purpose. An attacker may use it to circumvent poorly designed IP filtering and exploit another flaw. However, it is not dangerous by itself. Solution: drop source routed packets on this host or on other ingress routers or firewalls."

there is no "other ingress routers or firewalls." except the AWS "security group" which only has open ports 80, 443 and 22 and all ICMP for pinging...

on the instance itself i have this already set up...

in /etc/sysctl.conf i have:

net.inet.ip.accept_sourceroute=0

in /etc/defaults/rc.conf i got:

accept_sourceroute="NO"

# sysctl -a | grep accept_sourceroute
net.inet.ip.accept_sourceroute: 0

i also have pf enabled locally pretty much with the same ports as the security group.

can i use pf to drop those packets? how do i drop the source routed packets?

without this i can't pass a pci scan…

thanks...
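As an added example (not part of el kalin's post or of any reply on the list), the following sh script audits the two layers the post touches on a FreeBSD host: the kernel sysctls that govern source-routed IPv4 packets (net.inet.ip.accept_sourceroute for packets source-routed to the host itself, net.inet.ip.sourceroute for forwarding them), and pf, which drops IPv4 packets carrying IP options such as LSRR/SSRR unless the matching pass rule carries the allow-opts keyword (see pf.conf(5)). The functions read text on stdin so they can be pointed at a live host or at saved output; the sysctl lines and pf.conf fragment at the bottom are constructed sample data, and the interface name vtnet0 in that fragment is an assumption.

```sh
#!/bin/sh
# Added example: audit a FreeBSD host's handling of source-routed IPv4
# packets. Two layers are checked:
#   1. sysctls net.inet.ip.accept_sourceroute (accept packets source-routed
#      to us) and net.inet.ip.sourceroute (forward them); both should be 0.
#   2. pf: packets with IP options (LSRR/SSRR are IP options) are dropped
#      by default; a "pass ... allow-opts" rule re-enables them, so every
#      pass rule using that keyword is reported.

# check_sysctls: reads "name: value" lines (the format of `sysctl`) on
# stdin, prints each relevant sysctl with a verdict, and returns non-zero
# if any of them is not 0.
check_sysctls() {
    awk '
        /^net\.inet\.ip\.(accept_)?sourceroute:/ {
            split($0, kv, ": ")
            status = (kv[2] == "0") ? "ok" : "WEAK"
            print kv[1] " = " kv[2] " (" status ")"
            if (kv[2] != "0") bad = 1
        }
        END { exit bad }
    '
}

# check_pfconf: reads pf.conf text on stdin, prints every uncommented
# "pass" rule that carries "allow-opts", and returns non-zero if one was
# found. A ruleset without allow-opts already drops source-routed packets.
check_pfconf() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*pass([ \t]|$)/ && /allow-opts/ {
            print "line " NR ": pass rule allows IP options: " $0
            bad = 1
        }
        END { exit bad }
    '
}

# --- constructed sample input (not taken from a real host) ---
SAMPLE_SYSCTL='net.inet.ip.accept_sourceroute: 0
net.inet.ip.sourceroute: 0
net.inet.ip.forwarding: 0'

SAMPLE_PFCONF='# constructed pf.conf fragment; vtnet0 is an assumed interface
set skip on lo0
block in all
pass in on vtnet0 proto tcp to port { 22, 80, 443 }
pass in on vtnet0 inet proto icmp all allow-opts
pass out all'

echo "== sysctl =="
if printf '%s\n' "$SAMPLE_SYSCTL" | check_sysctls; then
    echo "-> kernel drops source-routed packets"
else
    echo "-> fix: sysctl net.inet.ip.accept_sourceroute=0 net.inet.ip.sourceroute=0"
fi

echo "== pf.conf =="
if printf '%s\n' "$SAMPLE_PFCONF" | check_pfconf; then
    echo "-> no pass rule re-enables IP options"
else
    echo "-> fix: remove allow-opts; pf then drops packets with IP options (LSRR/SSRR)"
fi
```

On a live host the same functions run as `sysctl net.inet.ip | check_sysctls` and `check_pfconf < /etc/pf.conf`. The sample ruleset is deliberately built to trip the second check: the ICMP rule that was opened "for pinging" carries allow-opts, which is exactly the kind of rule that would let a loose-source-routed probe through a pf that otherwise drops it. If ipfw is used instead of pf, it can match such packets explicitly with `ipoptions lsrr,ssrr` in a deny rule.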