From: el kalin
To: freebsd-net, freebsd-users@freebsd.org
Date: Sun, 5 Oct 2014 02:04:52 -0400
Subject: Re: remote host accepts loose source routed IP packets
List-Id: Networking and TCP/IP with FreeBSD

hi again… I have disabled the ICMP pings… same result... Currently:

/etc/pf.conf:

tcp_in = "{ www, https }"
udp = "{ domain, ntp, snmp }"
ping = "echoreq"

set skip on lo
scrub in
antispoof for xn0 inet
block in all
pass out all keep state
pass out inet proto udp from any to any port 33433 >< 33626 keep state
pass proto udp to any port $dup
### pass inet proto icmp all icmp-type $ping keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh

# sysctl -a | grep sourceroute
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0

in /etc/defaults/rc.conf:

forward_sourceroute="NO"
accept_sourceroute="NO"

What am I missing? This is pretty important…. thanks…..

On Sat, Oct 4, 2014 at 11:46 PM, el kalin wrote:
>
> hi all…
>
> I'm setting up a FreeBSD 10 on AWS (Amazon) to be as secure as possible…
> I used OpenVAS to scan it and pretty much everything is fine except this:
>
> "The remote host accepts loose source routed IP packets.
> The feature was designed for testing purpose.
> An attacker may use it to circumvent poorly designed IP filtering
> and exploit another flaw. However, it is not dangerous by itself.
> Solution:
> drop source routed packets on this host or on other ingress
> routers or firewalls."
>
> There is no "other ingress routers or firewalls." except the AWS "security
> group" which only has open ports 80, 443 and 22 and all ICMP for pinging...
>
> On the instance itself I have this already set up...
>
> in /etc/sysctl.conf I have:
>
> net.inet.ip.accept_sourceroute=0
>
> in /etc/defaults/rc.conf I got:
>
> accept_sourceroute="NO"
>
> # sysctl -a | grep accept_sourceroute
> net.inet.ip.accept_sourceroute: 0
>
> I also have a pf enabled locally pretty much with the same ports as the
> security group. Can I use pf to drop those packets?
>
> How do I drop the source routed packets?
> Without this I can't pass a PCI scan…
>
> thanks...
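Added example, not part of this thread and not the poster's code: a small standard-library Python parser that walks the IPv4 options field of a raw packet and reports whether it carries a loose (LSRR, type 131) or strict (SSRR, type 137) source route option, together with the recorded hop list. It is the kind of check a defender runs over frames captured on the instance's interface to learn whether source-routed probes are reaching the host at all, independently of whether the kernel or pf then answers them. The two packets at the bottom are constructed inline for the test; the addresses 10.0.0.9, 192.0.2.10, 198.51.100.7 and 203.0.113.5 are made-up sample values, and the IP header checksum is left at zero and not validated.

```python
import struct
import ipaddress

# IPv4 option type values from RFC 791 (copy bit | class | number).
IPOPT_EOL = 0      # end of option list, single byte
IPOPT_NOP = 1      # no-op padding, single byte
IPOPT_RR = 7       # record route (not a source route)
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route


def parse_ip_options(packet: bytes):
    """Return a list of (type, data) for every multi-byte option in an IPv4 header.

    Raises ValueError on a malformed header so callers never silently
    treat a truncated option block as "no options".
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    hlen = (ver_ihl & 0x0F) * 4
    if hlen < 20 or hlen > len(packet):
        raise ValueError("IHL does not fit the packet")
    opts = packet[20:hlen]
    found = []
    i = 0
    while i < len(opts):
        typ = opts[i]
        if typ == IPOPT_EOL:
            break
        if typ == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option type without a length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of range")
        found.append((typ, bytes(opts[i + 2:i + length])))
        i += length
    return found


def source_route(packet: bytes):
    """Return ("LSRR"|"SSRR", pointer, [hop, ...]) for the first source route
    option in the packet, or None when the packet is not source routed."""
    for typ, data in parse_ip_options(packet):
        if typ in (IPOPT_LSRR, IPOPT_SSRR):
            # data = pointer byte followed by zero or more 4-byte addresses
            if len(data) < 1 or (len(data) - 1) % 4 != 0:
                raise ValueError("malformed source route option")
            pointer = data[0]
            hops = [str(ipaddress.IPv4Address(data[k:k + 4]))
                    for k in range(1, len(data), 4)]
            return ("LSRR" if typ == IPOPT_LSRR else "SSRR", pointer, hops)
    return None


def is_source_routed(packet: bytes) -> bool:
    return source_route(packet) is not None


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"",
               proto: int = 1, ttl: int = 64) -> bytes:
    """Construct a sample IPv4 packet (checksum left as 0) for offline testing."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad with EOL to a word boundary
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0x1234, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


# Constructed samples: an LSRR option naming two hops (pointer starts at 4),
# and a plain packet with no options at all.
LSRR_OPTION = (bytes([IPOPT_LSRR, 11, 4])
               + ipaddress.IPv4Address("10.0.0.9").packed
               + ipaddress.IPv4Address("192.0.2.10").packed)
LSRR_PKT = build_ipv4("198.51.100.7", "203.0.113.5", LSRR_OPTION, b"\x08\x00" + b"\x00" * 6)
PLAIN_PKT = build_ipv4("198.51.100.7", "203.0.113.5", b"", b"\x08\x00" + b"\x00" * 6)

if __name__ == "__main__":
    for name, pkt in (("lsrr", LSRR_PKT), ("plain", PLAIN_PKT)):
        print(name, source_route(pkt))
```

Feed `source_route()` the IPv4 layer of frames read from a pcap (offset past the 14-byte Ethernet header) to see whether such probes arrive at xn0. A separate point worth knowing when reading the pf.conf above: pf.conf(5) documents that IPv4 packets carrying IP options are blocked by default and only pass when a rule explicitly says `allow-opts`, so a loaded ruleset should already refuse them.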