Date: Sun, 5 Oct 2014 02:04:52 -0400
From: el kalin <kalin@el.net>
To: freebsd-net <freebsd-net@freebsd.org>, freebsd-users@freebsd.org
Subject: Re: remote host accepts loose source routed IP packets
Message-ID: <CAMJXoc=5gs17ZgQ7LYALwKFRPN5hQ38OOuBtDk=EjZzi82EFMA@mail.gmail.com>
In-Reply-To: <CAMJXoc=s=Ud52NJ0dbK-6qKEcszbni4bi1MA8mgRtQSo=2Uuyw@mail.gmail.com>
References: <CAMJXoc=s=Ud52NJ0dbK-6qKEcszbni4bi1MA8mgRtQSo=2Uuyw@mail.gmail.com>
hi again… i have disabled the icmp pings… same result...

currently:

/etc/pf.conf:

    tcp_in = "{ www, https }"
    udp = "{ domain, ntp, snmp }"
    ping = "echoreq"

    set skip on lo
    scrub in
    antispoof for xn0 inet

    block in all
    pass out all keep state
    pass out inet proto udp from any to any port 33433 >< 33626 keep state
    pass proto udp to any port $udp
    ### pass inet proto icmp all icmp-type $ping keep state
    pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
    pass proto tcp to any port ssh

    # sysctl -a | grep sourceroute
    net.inet.ip.sourceroute: 0
    net.inet.ip.accept_sourceroute: 0

in /etc/defaults/rc.conf:

    forward_sourceroute="NO"
    accept_sourceroute="NO"

what am i missing? this is pretty important…. thanks…..

On Sat, Oct 4, 2014 at 11:46 PM, el kalin <kalin@el.net> wrote:
>
> hi all…
>
> i'm setting up a freebsd 10 on aws (amazon) to be as secure as possible…
> i used openvas to scan it and pretty much everything is fine except this:
>
> "The remote host accepts loose source routed IP packets.
> The feature was designed for testing purpose.
> An attacker may use it to circumvent poorly designed IP filtering
> and exploit another flaw. However, it is not dangerous by itself.
> Solution:
> drop source routed packets on this host or on other ingress
> routers or firewalls."
>
> there is no "other ingress routers or firewalls." except the AWS "security
> group" which only has open ports 80, 443 and 22 and all ICMP for pinging...
>
> on the instance itself i have this already set up...
>
> in /etc/sysctl.conf i have:
>
> net.inet.ip.accept_sourceroute=0
>
> in /etc/defaults/rc.conf i got:
>
> accept_sourceroute="NO"
>
>
> # sysctl -a | grep accept_sourceroute
> net.inet.ip.accept_sourceroute: 0
>
> i also have a pf enabled locally pretty much with the same ports as the
> security group. can i use pf to drop those packets?
>
> how do i drop the source routed packets?
> without this i can't pass a pci scan…
>
> thanks...
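An added example, not from this thread or from FreeBSD: a small IPv4 header parser that flags the loose (LSRR, option type 131) and strict (SSRR, type 137) source-route options the scanner is reporting, with a constructed sample packet so it runs offline; the build_ipv4_header helper and the RFC 5737 addresses are my own assumptions, not anything from the poster's setup.

```python
import socket
import struct
IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137   # RFC 791 option types

def source_route_options(packet):
    """Return [(kind, pointer, [hops]), ...] for LSRR/SSRR options; ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:              # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            if length < 3 or (length - 3) % 4:    # 3-byte option header + 4-byte hop addresses
                raise ValueError("bad source-route option")
            hops = [socket.inet_ntoa(opts[i + 3 + 4 * n:i + 7 + 4 * n])
                    for n in range((length - 3) // 4)]
            found.append(("LSRR" if kind == IPOPT_LSRR else "SSRR", opts[i + 2], hops))
        i += length
    return found

def carries_source_route(packet):
    """Filter predicate: True if the packet should be dropped as source-routed."""
    try:
        return bool(source_route_options(packet))
    except ValueError:
        return True                        # unparseable option area: drop, don't guess

def build_ipv4_header(src, dst, options=b""):
    """Constructed test input (hypothetical helper): minimal IPv4 header plus options."""
    options += b"\x00" * (-len(options) % 4)   # pad option area to a 32-bit boundary
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                        20 + len(options), 0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options

# Constructed sample: LSRR (0x83), length 11, pointer 4, two RFC 5737 hop addresses
LSRR_OPT = bytes([IPOPT_LSRR, 11, 4]) + socket.inet_aton("192.0.2.1") + socket.inet_aton("198.51.100.7")
PLAIN = build_ipv4_header("203.0.113.5", "192.0.2.10")
ROUTED = build_ipv4_header("203.0.113.5", "192.0.2.10", LSRR_OPT)   # source_route_options -> [('LSRR', 4, [...])]
```

pf itself blocks IPv4 packets that carry IP options unless the matching pass rule specifies allow-opts, so a packet this parser flags only gets past pf through a rule that explicitly allows options.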