remote host accepts loose source routed IP packets

el kalin kalin at el.net
Sun Oct 5 03:46:12 UTC 2014


hi all…

i'm setting up a freebsd 10 on aws (amazon) to be as secure as possible…
i used openvas to scan it and pretty much everything is fine except this:

 "The remote host accepts loose source routed IP packets.
The feature was designed for testing purpose.
An attacker may use it to circumvent poorly designed IP filtering
and exploit another flaw. However, it is not dangerous by itself.
 Solution:
 drop source routed packets on this host or on other ingress
routers or firewalls."

there is no "other ingress routers or firewalls." except the AWS "security
group" which only has open ports 80, 443 and 22 and all ICMP for pinging...

on the instance itself i have this already set up...

in /etc/sysctl.conf i have:

net.inet.ip.accept_sourceroute=0

in /etc/defaults/rc.conf i got:

accept_sourceroute="NO"


 # sysctl -a | grep accept_sourceroute
net.inet.ip.accept_sourceroute: 0

i also have a pf enabled locally pretty much with the same ports as the
security group. can i use pf to drop those packets?

how do i drop the source routed packets?
without this i can't pass a pci scan…

thanks...
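One way to answer the pf question above, as an added example that is not part of the original post: pf on FreeBSD blocks IPv4 packets carrying IP options (and IPv6 packets carrying routing extension headers) by default, and only lets them through when the matching pass rule is written with `allow-opts` (see pf.conf(5)). So a ruleset that limits itself to the ports the post mentions and never uses `allow-opts` already drops loose (LSRR) and strict (SSRR) source-routed packets at the filter, in addition to the `net.inet.ip.accept_sourceroute=0` setting in the kernel. The interface name `xn0` and the rule layout are assumptions for this example, not the poster's configuration.

```pf
# Added example /etc/pf.conf for a FreeBSD 10 host exposing sshd (22) and a
# web server (80/443) plus ICMP echo, as described in the post. Assumption:
# the external interface is xn0 (typical for a Xen-based EC2 instance).
ext_if = "xn0"
tcp_services = "{ 22, 80, 443 }"

set skip on lo0
# Silently drop blocked packets rather than answering with RST/unreachable.
set block-policy drop

# Normalise inbound traffic: reassemble fragments, discard malformed packets.
scrub in on $ext_if all

# Default deny in both directions; log dropped inbound packets to pflog0 so
# blocked source-routed packets can be seen during the next scan.
block in log all
block out all

# Permit only the listed services. None of these rules carry "allow-opts",
# so pf keeps its default behaviour and drops any IPv4 packet that carries IP
# options, including loose (LSRR) and strict (SSRR) source routing.
pass in quick on $ext_if proto tcp to ($ext_if) port $tcp_services
pass in quick on $ext_if inet proto icmp to ($ext_if) icmp-type echoreq
pass out quick on $ext_if keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm no existing rule re-enables options with `grep -n allow-opts /etc/pf.conf`. While the scan runs, `tcpdump -n -e -ttt -i pflog0` shows each packet the `block in log` rule dropped, which is the evidence that source-routed probes are being discarded by the host itself rather than by anything upstream.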

