Solved doesn't block ip option

[emahdij]

I'm using nping in kali to send packets with "loose source routing" option set to pf. but after looking at the logs it says they're passed. I thought by default pf blocked this kind of packets. and i didn't allow it via "allow-opts"
this is my nping command:

nping 192.168.2.10 --ip-option R -c 10

and below you can see pf log.

 

[SirDice]

"open source routing"

The option is called 'source-routing'. Open source routing would imply things like Quagga.

The --ip-option R only records the route, there's no source routing involved here.


Do you have any rules? Or did you only enable PF? By default PF allows everything.

 

[emahdij]

I want to test loose source routing attack in pf.
whats your suggestion?

 

[SirDice]

There's no source routing involved here, you're on the same network and packets are destined for the FreeBSD machine. So they'll arrive and are accepted regardless of a loose source route. You can block those if they are passed through the router, but not if they're destined for the router itself.

There are two 'knobs' for this:

dice@maelcum:~ % sysctl -d net.inet.ip.sourceroute
net.inet.ip.sourceroute: Enable forwarding source routed IP packets
dice@maelcum:~ % sysctl -d net.inet.ip.accept_sourceroute
net.inet.ip.accept_sourceroute: Enable accepting source routed IP packets
dice@maelcum:~ %

Both are disabled by default. Which pretty much means any lssr is simply ignored.