sysctl: Use strict Reverse Path Filtering

Message ID 2a19b137-55c7-ecb4-6161-8e87dc1a9a6b@ipfire.org
State Accepted
Commit 1af975dcebb2892a13775d344109508e46bb0be4
Series sysctl: Use strict Reverse Path Filtering

Commit Message

Peter Müller April 30, 2022, 9:45 a.m. UTC
The strict mode, as specified in RFC 3704, section 2.2, causes packets
to be dropped by the kernel if they arrive with a source IP address that
is not expected on the interface they arrived on. This prevents internal
spoofing attacks, and is considered best practice in the industry.

After a discussion with Michael, we reached the conclusion that
permitting users to configure the operating mode of RPF in IPFire causes
more harm than good. The scenarios where strict RPF is not usable are
negligible, and the vast majority of IPFire's userbase won't even
notice a difference.

This supersedes <495b4ca2-5a4b-2ffa-8306-38f152889582@ipfire.org>.

Suggested-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/etc/sysctl.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
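The decision the commit message describes, strict versus loose reverse path filtering, is easy to get wrong by intuition, so here is a small model of it in Python. This is an added example, not code from the IPFire patch or project: the routing table, the interface names (red0, green0, blue0, orange0) and the packets are constructed for illustration, and the model ignores multipath routes and locally owned addresses. It also shows the kernel rule that the effective rp_filter value for an interface is max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<iface>.rp_filter), and the asymmetric-routing case that strict mode drops and loose mode lets through.

```python
"""Strict vs. loose reverse path filtering, as the Linux kernel decides it.

Added example, not part of the IPFire patch or project: the route table,
interface names and packets below are constructed for illustration, and
the model ignores multipath routes and local addresses.
"""
import ipaddress

# Constructed routing table: (destination prefix, interface the kernel
# would use to send to that prefix).  A default route via the WAN plus
# three internal segments, one of them a more specific prefix.
ROUTES = [
    ("0.0.0.0/0", "red0"),
    ("192.168.1.0/24", "green0"),
    ("10.0.0.0/8", "blue0"),
    ("10.1.2.0/24", "orange0"),
]

# Same table without the default route, to show loose mode dropping a
# source for which there is no route at all.
ROUTES_NO_DEFAULT = ROUTES[1:]


def reverse_lookup(route_table, src):
    """Longest-prefix match on the *source* address: which interface would
    a reply to src leave through?  Returns None when no route matches."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in route_table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(route_table, mode, src, ingress):
    """Return True if a packet from src arriving on ingress passes
    rp_filter set to mode (0 = off, 1 = strict, 2 = loose)."""
    if mode == 0:                       # disabled: no source validation
        return True
    egress = reverse_lookup(route_table, src)
    if egress is None:                  # no route back at all
        return False                    # dropped in strict AND loose mode
    if mode == 2:                       # loose, RFC 3704 section 2.4
        return True                     # any route to src is enough
    if mode == 1:                       # strict, RFC 3704 section 2.2
        return egress == ingress        # reply must leave where it came in
    raise ValueError("rp_filter must be 0, 1 or 2")


def effective_mode(all_value, iface_value):
    """The kernel validates with max(conf.all.rp_filter, conf.<iface>.rp_filter),
    so 2 (loose) wins over 1 (strict) whichever knob carries it."""
    return max(all_value, iface_value)


def demo():
    """Constructed packets; returns {label: (strict_result, loose_result)}."""
    cases = {
        # Legitimate LAN host talking to the firewall.
        "lan host on green0": ("192.168.1.10", "green0"),
        # Internal spoofing: a LAN host forging a public source address.
        "spoofed 8.8.8.8 on green0": ("8.8.8.8", "green0"),
        # Asymmetric routing: 10.1.2.0/24 is reached via orange0, but this
        # packet from it came in on blue0.  Strict drops it; loose does not.
        "asymmetric 10.1.2.5 on blue0": ("10.1.2.5", "blue0"),
    }
    return {
        label: (rp_filter_accepts(ROUTES, 1, src, ifc),
                rp_filter_accepts(ROUTES, 2, src, ifc))
        for label, (src, ifc) in cases.items()
    }


if __name__ == "__main__":
    for label, (strict, loose) in demo().items():
        print(f"{label:30} strict={'accept' if strict else 'DROP':6} "
              f"loose={'accept' if loose else 'DROP'}")
    # Unroutable source: dropped by both modes.
    print("no default route, 8.8.8.8 on red0, loose:",
          rp_filter_accepts(ROUTES_NO_DEFAULT, 2, "8.8.8.8", "red0"))
    # The old all=2 made per-interface strict impossible; the new all=1 is
    # a floor that a per-interface 2 can still raise back to loose.
    print("all=2, iface=1 ->", effective_mode(2, 1))
    print("all=1, iface=2 ->", effective_mode(1, 2))
```

The spoofing case is the one the patch is about: with a default route via the WAN, a forged public source arriving on the LAN has a valid route back (so loose mode accepts it) but not via the LAN interface (so strict mode drops it). The asymmetric case is the "negligible" scenario the commit message mentions; on a real box those drops show up in the kernel log as martian-source entries once log_martians is enabled, which is how an operator would notice them.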
  

Comments

Adolf Belka May 1, 2022, 5:01 p.m. UTC | #1
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>

On 30/04/2022 11:45, Peter Müller wrote:
> The strict mode, as specified in RFC 3704, section 2.2, causes packets
> to be dropped by the kernel if they arrive with a source IP address that
> is not expected on the interface they arrived on. This prevents internal
> spoofing attacks, and is considered best practice in the industry.
>
> After a discussion with Michael, we reached the conclusion that
> permitting users to configure the operating mode of RPF in IPFire causes
> more harm than good. The scenarios where strict RPF is not usable are
> negligible, and the vast majority of IPFire's userbase won't even
> notice a difference.
>
> This supersedes <495b4ca2-5a4b-2ffa-8306-38f152889582@ipfire.org>.
>
> Suggested-by: Michael Tremer <michael.tremer@ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
>   config/etc/sysctl.conf | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
> index 5fc3e3d89..7fe397bb7 100644
> --- a/config/etc/sysctl.conf
> +++ b/config/etc/sysctl.conf
> @@ -12,13 +12,13 @@ net.ipv4.tcp_syn_retries = 3
>   net.ipv4.tcp_synack_retries = 3
>   
>   net.ipv4.conf.default.arp_filter = 1
> -net.ipv4.conf.default.rp_filter = 2
> +net.ipv4.conf.default.rp_filter = 1
>   net.ipv4.conf.default.accept_redirects = 0
>   net.ipv4.conf.default.accept_source_route = 0
>   net.ipv4.conf.default.log_martians = 1
>   
>   net.ipv4.conf.all.arp_filter = 1
> -net.ipv4.conf.all.rp_filter = 2
> +net.ipv4.conf.all.rp_filter = 1
>   net.ipv4.conf.all.accept_redirects = 0
>   net.ipv4.conf.all.accept_source_route = 0
>   net.ipv4.conf.all.log_martians = 1
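Review bot: the kernel validates a source against max(net.ipv4.conf.all.rp_filter, net.ipv4.conf.<iface>.rp_filter), and since the loose value 2 compares greater than the strict value 1, the two changed lines alter what any per-interface setting can still do: under the old all = 2 a per-interface value of 1 could never make an interface strict, while under the new all = 1 strict becomes the floor but a per-interface 2 still switches that interface back to loose. If strict is meant to be non-negotiable, as the message says, please confirm nothing else on the system writes a per-interface rp_filter, and consider a one-line comment above `net.ipv4.conf.all.rp_filter = 1` stating the 0/1/2 meanings and the max() rule so the next reader does not have to look it up in ip-sysctl.txt.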
  

Patch

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 5fc3e3d89..7fe397bb7 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -12,13 +12,13 @@  net.ipv4.tcp_syn_retries = 3
 net.ipv4.tcp_synack_retries = 3
 
 net.ipv4.conf.default.arp_filter = 1
-net.ipv4.conf.default.rp_filter = 2
+net.ipv4.conf.default.rp_filter = 1
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.default.accept_source_route = 0
 net.ipv4.conf.default.log_martians = 1
 
 net.ipv4.conf.all.arp_filter = 1
-net.ipv4.conf.all.rp_filter = 2
+net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.all.log_martians = 1
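Review bot: the message dismisses the setups where strict mode is unusable as negligible, but the hunk gives an operator who does hit one nothing to go on, and the visible symptom will now be dropped traffic rather than an error. Since `net.ipv4.conf.all.log_martians = 1` stays in place right below the changed line, drops caused by the new strict mode will be logged by the kernel as martian-source entries naming the source address and the arrival interface; the commit message or the release notes should say so, because that log line is the only way to tell a strict-RPF drop from a routing problem on a multi-homed or asymmetrically routed host.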