TKITFrank
Member Candidate
Topic Author
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

[SOLVED] Strip IPv4 Options not working?

Mon Jun 20, 2011 4:27 pm

Hi,

I was trying to block IPv4 options on my firewall at home for a test, and I seem to get the rule to work, but it does not remove anything. I have had a Nessus scan from the outside, and it still reports that my system sends timestamps.

I can confirm this at this site as well: http://lcamtuf.coredump.cx/p0f-help/ It can see my uptime, so it seems that it is not working, or am I wrong? If I do it at the corporate firewall, which is of a different brand, it doesn't show any uptime information.

This is my config; as you can see I have tried different ways, but none seems to work...
0 chain=prerouting action=strip-ipv4-options protocol=tcp ipv4-options=any
1 chain=postrouting action=strip-ipv4-options protocol=tcp ipv4-options=any
2 chain=input action=strip-ipv4-options protocol=tcp ipv4-options=any
3 chain=output action=strip-ipv4-options protocol=tcp ipv4-options=any

Any ideas?

System is an RB800 with ROS 5.4.
Last edited by TKITFrank on Fri Jul 08, 2011 8:11 am, edited 1 time in total.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Strip IPv4 Options not working?

Mon Jun 20, 2011 4:42 pm

Can't say I've tried this, but maybe leave off protocol=tcp. IPv4 options are in the layer-three header, so maybe UDP packets with options are still going through? I assume the rule is counting packets?
 
TKITFrank
Member Candidate
Topic Author
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: Strip IPv4 Options not working?

Mon Jun 20, 2011 6:49 pm

Hi Fewi,

I will try without TCP, but from what I get from the Nessus scan it is all about TCP timestamps.

Nope, none of the rules are counting anything. :(
That is one of the things that made me wonder if it is working as it should. But maybe it is, as you pointed out, the TCP that messes around with it. I will try it later and post a response.
 
TKITFrank
Member Candidate
Topic Author
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: Strip IPv4 Options not working?

Mon Jun 20, 2011 7:03 pm

Hi again,

Removing protocol=tcp did not help. :( Do you have any more ideas?

Update: it works, or at least the rule counts packets, when I remove "ipv4-options=any", but Nessus still reports timestamps, and so does the link posted above. So from what I can see, the action is not applied. Or am I wrong?
 
TKITFrank
Member Candidate
Topic Author
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

Re: Strip IPv4 Options not working?

Mon Jun 27, 2011 12:43 pm

Hi,

Upgraded to 5.5, but that did not help. Can anyone confirm this function working?

I can see the rule triggering on packets now when the rules look like this. It did the same when I set TCP as the protocol.
Now the rules look like this:
0   chain=prerouting action=strip-ipv4-options
1   chain=postrouting action=strip-ipv4-options
2   chain=output action=strip-ipv4-options
3   chain=input action=strip-ipv4-options
@MikroTik staff, am I doing this wrong, or is this a bug? Please feel free to test against this link: http://lcamtuf.coredump.cx/p0f-help/

P.S. I'm using the built-in proxy, but I think the Nessus scan that I use triggers on the remote PPTP server, if that is of any help.
 
TKITFrank
Member Candidate
Topic Author
Posts: 236
Joined: Tue Jul 07, 2009 2:55 pm
Location: Sweden

[SOLVED] Strip IPv4 Options not working?

Fri Jul 08, 2011 8:10 am

Hi,

After a mail conversation with Janis I got the response that the timestamps I was trying to remove did not have anything to do with this.
I was trying to remove TCP timestamps, and they do not have anything to do with the IPv4 option "Timestamp".

After some digging on Google I found this.

The only way to remove or add TCP timestamps is to do the following in Linux.
Add the following line to the /etc/sysctl.conf file:
# Disable TCP timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP timestamps
net.ipv4.tcp_timestamps = 1

Or while the system is running:
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/tcp_timestamps

So it was not a bug, more a lack of knowledge. ;)
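The distinction that resolved the thread, shown in code. This is an added example and not code from the forum thread or from MikroTik: it hand-builds an IPv4/TCP packet carrying both the IPv4 header "Timestamp" option (option type 68, RFC 791) and the TCP "Timestamps" option (kind 8, RFC 7323), then performs what a strip-IPv4-options action does (drop the IP header options, reset IHL to 5, fix Total Length and the IP header checksum). The TCP option sits in the TCP header and survives, and a packet that carries only the TCP option has no IPv4 options for such a rule to act on at all, which is why the rules above counted nothing. Addresses, ports and option contents are constructed for the example.

```python
"""Added example: IPv4 header options vs. TCP options (not from the thread)."""
import struct

IP_OPT_TIMESTAMP = 68    # IPv4 header option type (RFC 791)
TCP_OPT_TIMESTAMPS = 8   # TCP option kind (RFC 7323)
OPT_EOL, OPT_NOP = 0, 1  # single-byte options, same in both layouts


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 when data verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pad4(blob: bytes) -> bytes:
    """Pad an option list with EOL (0x00) bytes to a 32-bit boundary."""
    return blob + b"\x00" * (-len(blob) % 4)


def parse_options(blob: bytes) -> list:
    """Walk a TLV option list and return the option types/kinds seen."""
    kinds, i = [], 0
    while i < len(blob) and blob[i] != OPT_EOL:
        kind = blob[i]
        if kind == OPT_NOP:             # single-byte padding option
            kinds.append(kind)
            i += 1
            continue
        length = blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed option at offset %d" % i)
        kinds.append(kind)
        i += length
    return kinds


def build_packet(ip_options: bytes, tcp_options: bytes, payload: bytes = b"") -> bytes:
    """Constructed IPv4/TCP SYN 192.0.2.10:40000 -> 198.51.100.20:80, valid checksums."""
    ip_options, tcp_options = pad4(ip_options), pad4(tcp_options)
    ihl, doff = 5 + len(ip_options) // 4, 5 + len(tcp_options) // 4
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])
    total_len = ihl * 4 + doff * 4 + len(payload)
    ip_hdr = bytearray(struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len,
                                   0x1234, 0x4000, 64, 6, 0, src, dst) + ip_options)
    struct.pack_into("!H", ip_hdr, 10, checksum(bytes(ip_hdr)))
    seg = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02,
                                65535, 0, 0) + tcp_options + payload)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    struct.pack_into("!H", seg, 16, checksum(pseudo + bytes(seg)))
    return bytes(ip_hdr) + bytes(seg)


def ipv4_option_kinds(pkt: bytes) -> list:
    ihl = (pkt[0] & 0x0F) * 4
    return parse_options(pkt[20:ihl])


def tcp_option_kinds(pkt: bytes) -> list:
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    return parse_options(pkt[ihl + 20:ihl + doff])


def checksums_ok(pkt: bytes) -> bool:
    """True if both the IP header checksum and the TCP checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + seg) == 0


def strip_ipv4_options(pkt: bytes) -> bytes:
    """Drop IPv4 header options only; the TCP header is copied verbatim.
    The TCP checksum needs no update: its pseudo-header covers addresses,
    protocol and TCP length, none of which change here."""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl == 20:
        return pkt                                   # nothing to strip
    hdr, rest = bytearray(pkt[:20]), pkt[ihl:]
    hdr[0] = (4 << 4) | 5                            # IHL back to 5 words
    struct.pack_into("!H", hdr, 2, 20 + len(rest))   # new Total Length
    struct.pack_into("!H", hdr, 10, 0)               # zero before recompute
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr) + rest


# Constructed sample options (not captured traffic).
IPV4_TIMESTAMP_OPT = bytes([IP_OPT_TIMESTAMP, 8, 5, 0]) + b"\x00" * 4  # type,len,ptr,flags,1 slot
TCP_TIMESTAMPS_OPT = bytes([OPT_NOP, OPT_NOP, TCP_OPT_TIMESTAMPS, 10]) + struct.pack("!II", 123456, 0)


def demo() -> dict:
    """What stripping changes on a packet with both options, and on one with
    only the TCP Timestamps option (the case the Nessus scan reports)."""
    both = build_packet(IPV4_TIMESTAMP_OPT, TCP_TIMESTAMPS_OPT)
    tcp_only = build_packet(b"", TCP_TIMESTAMPS_OPT)
    stripped = strip_ipv4_options(both)
    return {
        "before_ip": ipv4_option_kinds(both), "before_tcp": tcp_option_kinds(both),
        "after_ip": ipv4_option_kinds(stripped), "after_tcp": tcp_option_kinds(stripped),
        "checksums_ok": checksums_ok(stripped),
        "tcp_only_has_ip_options": bool(ipv4_option_kinds(tcp_only)),
        "tcp_only_unchanged": strip_ipv4_options(tcp_only) == tcp_only,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it prints before_ip [68] / after_ip [] while before_tcp and after_tcp both stay [1, 1, 8]: the IPv4 option is gone, the TCP Timestamps option is not, and the packet that only had the TCP option comes back byte-for-byte identical. That is exactly why a layer-3 option stripper cannot hide the TCP timestamps a scanner uses for uptime estimation; those are a property of the TCP stack that originates the connection.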
