remote host accepts loose source routed IP packets

el kalin kalin at el.net
Sun Oct 5 06:04:55 UTC 2014


hi again…  i have disabled the icmp pings…  same result...

currently:

/etc/pf.conf:

tcp_in = "{ www, https }"
udp = "{ domain, ntp, snmp }"
ping = "echoreq"

set skip on lo
scrub in
antispoof for xn0 inet
block in all
pass out all keep state
# outbound UDP traceroute probes
pass out inet proto udp from any to any port 33433 >< 33626 keep state
# $udp, not $dup: the macro defined above is "udp"; an undefined macro makes pfctl reject the ruleset
pass proto udp to any port $udp
### pass inet proto icmp all icmp-type $ping keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh


# sysctl -a | grep sourceroute
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0

in /etc/defaults/rc.conf:

forward_sourceroute="NO"
accept_sourceroute="NO"


what am i missing? this is pretty important….

thanks…..



On Sat, Oct 4, 2014 at 11:46 PM, el kalin <kalin at el.net> wrote:

>
> hi all…
>
> i'm setting up a freebsd 10 on aws (amazon) to be as secure as possible…
> i used openvas to scan it and pretty much everything is fine except this:
>
>  "The remote host accepts loose source routed IP packets.
> The feature was designed for testing purpose.
> An attacker may use it to circumvent poorly designed IP filtering
> and exploit another flaw. However, it is not dangerous by itself.
>  Solution:
>  drop source routed packets on this host or on other ingress
> routers or firewalls."
>
> there is no "other ingress routers or firewalls." except the AWS "security
> group" which only has open ports 80, 443 and 22 and all ICMP for pinging...
>
> on the instance itself i have this already set up...
>
> in /etc/sysctl.conf i have:
>
> net.inet.ip.accept_sourceroute=0
>
> in /etc/defaults/rc.conf i got:
>
> accept_sourceroute="NO"
>
>
>  # sysctl -a | grep accept_sourceroute
> net.inet.ip.accept_sourceroute: 0
>
> i also have a pf enabled locally pretty much with the same ports as the
> security group. can i use pf to drop those packets?
>
> how do i drop the source routed packets?
> without this i can't pass a pci scan…
>
> thanks...
>
>
>
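As an added example (not part of this thread, and not code from the poster or from the FreeBSD project): the finding above is about IPv4 packets that carry a Loose Source and Record Route option (LSRR, option type 131 per RFC 791; the strict variant SSRR is type 137). The script below builds such a header, the kind of probe a scanner check for this finding relies on, and then shows the parsing a host filter has to do to recognise and drop source-routed packets. For reference, pf blocks IPv4 packets carrying any IP options unless a matching pass rule says `allow-opts`, which is the policy the `filter_decision` function emulates. All addresses are constructed test data; `filter_decision` and the other function names are this example's own.

```python
import socket
import struct

# IPv4 option types (RFC 791)
IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # no operation (padding)
IPOPT_RR = 7       # record route
IPOPT_LSRR = 131   # 0x83, loose source and record route
IPOPT_SSRR = 137   # 0x89, strict source and record route


def build_source_route_option(hops, strict=False):
    """Build an LSRR/SSRR option: type, length, pointer, then 4-byte hop addresses.
    The pointer starts at 4, i.e. the first address slot."""
    addrs = b"".join(socket.inet_aton(h) for h in hops)
    opt_type = IPOPT_SSRR if strict else IPOPT_LSRR
    return bytes([opt_type, 3 + len(addrs), 4]) + addrs


def build_ipv4_header(src, dst, proto=1, options=b"", payload_len=0):
    """Build a minimal IPv4 header (checksum left zero) with optional IP options,
    padded to a 32-bit boundary as the IHL field requires."""
    options = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + payload_len
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, total_len, 0x1234, 0, 64, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


def parse_ip_options(packet):
    """Return [(type, raw_option_bytes), ...] from the IPv4 header's option area.
    Rejects malformed lengths rather than reading past the header."""
    ihl = packet[0] & 0x0F
    if packet[0] >> 4 != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    opts = packet[20:ihl * 4]
    result, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            result.append((t, opts[i:i + 1]))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((t, opts[i:i + length]))
        i += length
    return result


def is_source_routed(packet):
    """True if the header carries an LSRR or SSRR option."""
    return any(t in (IPOPT_LSRR, IPOPT_SSRR) for t, _ in parse_ip_options(packet))


def source_route_hops(packet):
    """Hop list from the first source-route option, or [] if there is none."""
    for t, raw in parse_ip_options(packet):
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            addrs = raw[3:]
            return [socket.inet_ntoa(addrs[i:i + 4]) for i in range(0, len(addrs) - len(addrs) % 4, 4)]
    return []


def filter_decision(packet, allow_opts=False):
    """Host-filter policy: drop source-routed packets always, and drop any other
    option-bearing packet unless options are explicitly allowed (pf's default)."""
    opts = parse_ip_options(packet)
    if is_source_routed(packet):
        return "block: source-routed"
    if opts and not allow_opts:
        return "block: ip-options"
    return "pass"


if __name__ == "__main__":
    # constructed probe: attacker 10.0.0.1 -> target 10.0.0.2 via two listed hops
    probe = build_ipv4_header("10.0.0.1", "10.0.0.2",
                              options=build_source_route_option(["192.0.2.1", "198.51.100.7"]))
    print(probe.hex())
    print("source routed:", is_source_routed(probe), source_route_hops(probe))
    print("decision:", filter_decision(probe))
    print("plain packet:", filter_decision(build_ipv4_header("10.0.0.1", "10.0.0.2")))
```

The useful property for a PCI-style retest is the last function: a packet that merely records its route (type 7) passes once options are allowed, but an LSRR or SSRR option is blocked regardless, which is what the scanner is looking for.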

