PF doesn't block ip option

PF doesn't block ip option

mehdi jafartpur
I'm using nping in Kali to send packets with the "open source routing" option
set to pf. But after looking at the logs, it says they're passed. I thought
that by default pf blocked this kind of packet, and I didn't allow it via
"allow-opts".
This is my nping command:

nping 192.168.2.10 --ip-option R -c 10

And below you can see the pf log.

[Attachment: log pf.png (3K)]

Re: PF doesn't block ip option

Alexander Bluhm
On Tue, Aug 06, 2019 at 01:37:05PM +0430, mehdi jafartpur wrote:
> I'm using nping in Kali to send packets with the "open source routing" option
> set to pf. But after looking at the logs, it says they're passed. I thought
> that by default pf blocked this kind of packet, and I didn't allow it via
> "allow-opts".
> This is my nping command:
>
> nping 192.168.2.10 --ip-option R -c 10

For me it works.

# tcpdump -X -vvv -s2048 -ni pflog0
tcpdump: listening on pflog0, link-type PFLOG
22:44:32.721907 10.188.74.17 > 10.188.74.74: icmp: echo request (id:2c12 seq:1) [icmp cksum ok] (ttl 64, id 1201, len 68, optlen=40 NOP RR{39}= RR{#0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0})
  0000: 4f00 0044 04b1 0000 4001 9a2a 0abc 4a11  O..D....@..*..J.
  0010: 0abc 4a4a 0107 2704 0000 0000 0000 0000  ..JJ..'.........
  0020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0030: 0000 0000 0000 0000 0000 0000 0800 cbec  ................
  0040: 2c12 0001                                ,...

# pfctl -si
...
  ip-option                             53            0.1/s

Could you show your kernel version, pf.conf, tcpdump -i pflog0, pfctl -si?

bluhm
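
Added example, not part of either message: a Python decoder for the IPv4 header in the tcpdump hex dump from the reply. It shows that the logged packet has a 60-byte header carrying a NOP and a 39-byte Record Route (type 7) option. The function names and the option-name table are this example's own; the hex bytes are copied from the dump above.

```python
import struct

# Hex copied from the tcpdump -X output in the reply (IP header + ICMP).
DUMP_HEX = """
4f00 0044 04b1 0000 4001 9a2a 0abc 4a11
0abc 4a4a 0107 2704 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0800 cbec
2c12 0001
"""
PACKET = bytes.fromhex("".join(DUMP_HEX.split()))

# IPv4 option type -> name (IANA "IP Option Numbers").
OPTION_NAMES = {0: "EOL", 1: "NOP", 7: "RR", 68: "TS",
                131: "LSRR", 137: "SSRR", 148: "RTRALT"}

def header_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over a valid IPv4 header folds to 0xffff."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_ipv4_options(packet: bytes):
    """Return (header_len, [(name, type, length, data), ...])."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    hlen = (packet[0] & 0x0F) * 4
    if hlen < 20 or hlen > len(packet):
        raise ValueError("bad IHL")
    opts, i = [], 20
    while i < hlen:
        otype = packet[i]
        name = OPTION_NAMES.get(otype, f"unknown-{otype}")
        if otype in (0, 1):               # single-byte options: EOL, NOP
            opts.append((name, otype, 1, b""))
            if otype == 0:
                break                     # EOL: the rest is padding
            i += 1
            continue
        if i + 1 >= hlen:
            raise ValueError("truncated option")
        olen = packet[i + 1]
        if olen < 2 or i + olen > hlen:   # malformed length field
            raise ValueError("bad option length")
        opts.append((name, otype, olen, packet[i + 2:i + olen]))
        i += olen
    return hlen, opts
```

Any header length above 20 bytes means options are present; the parser rejects option lengths that run past the header instead of reading into the payload.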