Date: Sun, 5 Oct 2014 16:22:22 -0400
From: el kalin <kalin@el.net>
To: Brandon Vincent <Brandon.Vincent@asu.edu>, Colin Percival <cperciva@freebsd.org>
Cc: freebsd-net <freebsd-net@freebsd.org>, freebsd-users@freebsd.org, freebsd-security@freebsd.org
Subject: Re: remote host accepts loose source routed IP packets
Message-ID: <CAMJXocnJRGSr+Ly2dEnwZweg1hCN6LxtHBtjE=OEed_qoeShrA@mail.gmail.com>
In-Reply-To: <CAMJXocm=2D_F8uN1JCKjMTdQvkRhWv9Owd8=UMhYOpKK=drSHw@mail.gmail.com>
References: <CAMJXoc=s=Ud52NJ0dbK-6qKEcszbni4bi1MA8mgRtQSo=2Uuyw@mail.gmail.com>
 <CAMJXoc=5gs17ZgQ7LYALwKFRPN5hQ38OOuBtDk=EjZzi82EFMA@mail.gmail.com>
 <CAMJXockiQ+0gFbxSY43OyMbNqTjdzR1i16w+yiqmm=cQ8HR=pQ@mail.gmail.com>
 <CAJm423-mFg+zU_RB+kp8wmp-V31onJJV0K4FUOLcv+czAOCKXA@mail.gmail.com>
 <CAMJXock7iYsh+MXMcxZjaTNg6cgm7g+Ha4=ZQJqLq0DtzK5BWQ@mail.gmail.com>
 <CAMJXocm=2D_F8uN1JCKjMTdQvkRhWv9Owd8=UMhYOpKK=drSHw@mail.gmail.com>
hmmm… could it be openvas?! just installed a netbsd 6.1.4 AMI i found on the
aws community AMIs list… same thing..

just the possibility of both openvas and the hackerguardian service being
both wrong is a bit too much of a coincidence for me…

any thoughts?

On Sun, Oct 5, 2014 at 3:21 PM, el kalin <kalin@el.net> wrote:

> ok.. this is getting a bit ridiculous…
>
> just did a brand new install of the freebsd 9.3 AMI on amazon…
>
> with nothing installed on it and only ssh open i get the same result when
> scanning with openvas:
>
> "Summary:
> The remote host accepts loose source routed IP packets.
> The feature was designed for testing purpose.
> An attacker may use it to circumvent poorly designed IP filtering
> and exploit another flaw. However, it is not dangerous by itself.
> Solution:
> drop source routed packets on this host or on other ingress
> routers or firewalls.'
>
> and by default:
> # sysctl -a | grep accept_sourceroute
> net.inet.ip.accept_sourceroute: 0
>
> thing is the other machine - the bsd 10 - was scanned with the same openvas
> setup and with a service called hackerguardian offered by a company
> called comodo. they sell that service as a pci compliance scan. both
> machines are non compliant according to both the openvas scan and the
> hackerguardian one…
>
> i can't be done with this job if i can't pass the pci scan…
>
> i'd appreciate any help…
>
> thanks...
>
> now what?
>
> On Sun, Oct 5, 2014 at 1:09 PM, el kalin <kalin@el.net> wrote:
>
>> thanks brandon… but that didn't help….
>>
>> i still get the same result…
>>
>> i guess i'd report this as a bug…
>>
>> On Sun, Oct 5, 2014 at 11:58 AM, Brandon Vincent <Brandon.Vincent@asu.edu> wrote:
>>
>>> On Sun, Oct 5, 2014 at 8:33 AM, el kalin <kalin@el.net> wrote:
>>> > should i submit this as a bug?
>>>
>>> Can you first try adding "set block-policy return" to pf.conf? OpenVAS
>>> might be assuming that a lack of response from your system to source
>>> routed packets is an acknowledgement that it is accepting them.
>>>
>>> Brandon Vincent
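As an added example, not part of this thread or of OpenVAS, here is a small Python parser that walks the IPv4 header option area and reports the loose (LSRR) and strict (SSRR) source-route options, which is what the scanner's probe carries. Run over a packet capture taken on the host (e.g. the raw bytes from a pcap reader), it shows whether the probe arrived and whether the host answered it, independent of what the scanner infers from silence. The sample header is constructed inline, not captured.

```python
import struct

# IPv4 option type codes from RFC 791 (copy/class bits included)
IPOPT_EOL = 0x00   # end of option list
IPOPT_NOP = 0x01   # no operation (padding)
IPOPT_LSRR = 0x83  # loose source and record route
IPOPT_SSRR = 0x89  # strict source and record route
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(packet: bytes) -> list:
    """Return [(option_type, option_data)] from the header's option area."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:             # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        length = opts[i + 1]
        found.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return found


def source_route_hops(packet: bytes):
    """Return (kind, [hop addresses]) for a source-routed packet, else None."""
    for kind, data in parse_ipv4_options(packet):
        if kind in SOURCE_ROUTE_OPTIONS:
            addrs = data[1:]                  # data[0] is the route pointer
            hops = [".".join(str(b) for b in addrs[j:j + 4])
                    for j in range(0, len(addrs) - len(addrs) % 4, 4)]
            return SOURCE_ROUTE_OPTIONS[kind], hops
    return None


def build_sample_packet() -> bytes:
    """Constructed IPv4 header (IHL=7) with one LSRR hop; not a real capture."""
    lsrr = bytes([IPOPT_LSRR, 7, 4, 192, 0, 2, 1, IPOPT_EOL])   # padded to 8
    header = struct.pack("!BBHHHBBH4s4s", 0x47, 0, 28, 0, 0, 64, 6, 0,
                         bytes([198, 51, 100, 9]), bytes([203, 0, 113, 5]))
    return header + lsrr
```

A host with net.inet.ip.accept_sourceroute set to 0 should never forward or answer along the listed hops; seeing the probe in the capture with no reply is the behaviour the sysctl promises, whatever the scanner reports.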