Hi all... I'm setting up a FreeBSD 10 on AWS (Amazon) to be as secure as possible... I used OpenVAS to scan it and pretty much everything is fine except this:
"The remote host accepts loose source routed IP packets. The feature was designed for testing purpose. An attacker may use it to circumvent poorly designed IP filtering and exploit another flaw. However, it is not dangerous by itself. Solution: drop source routed packets on this host or on other ingress routers or firewalls."

There are no "other ingress routers or firewalls" except the AWS "security group", which only has ports 80, 443 and 22 open, plus all ICMP for pinging... On the instance itself I already have this set up:

In /etc/sysctl.conf I have:

    net.inet.ip.accept_sourceroute=0

In /etc/defaults/rc.conf I have:

    accept_sourceroute="NO"

    # sysctl -a | grep accept_sourceroute
    net.inet.ip.accept_sourceroute: 0

I also have pf enabled locally with pretty much the same ports as the security group. Can I use pf to drop those packets? How do I drop the source routed packets? Without this I can't pass a PCI scan... Thanks...

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"