diff mbox series

firewall/sysctl: Make Reverse Path Forwarding mode configurable

Message ID 495b4ca2-5a4b-2ffa-8306-38f152889582@ipfire.org
State Superseded
Headers
Series firewall/sysctl: Make Reverse Path Forwarding mode configurable |

Commit Message

Peter Müller April 18, 2022, 6:27 p.m. UTC 
  For the vast majority of IPFire installations (i. e. those who do not
make use of asymmetric routing), it is safe to run the Linux kernel's
Reverse Path Forwarding in 'strict' mode, as specified in RFC 3704,
section 2.2, significantly hampering spoofing attacks.

However, we cannot switch to this operating mode globally, since (a)
some IPFire installations cannot use it and (b) we need to avoid a
breaking change on this end.

Therefore, this patch adds a switch to the firewall options CGI,
permitting users to choose between 'loose' and 'strict' RPF mode,
whereas 'loose' is the current default. On existing installations, this
should be left untouched - although users are urged to check whether
they can switch to the 'strict' mode -; similar to the 'drop hostile'
feature, this should be set to 'strict' by default on new installations.

Since only a sysctl is changed under the hood, changes do not require a
reboot, but an execution of the /etc/rc.d/init.d/sysctl initscript. The
corresponding misc-prog has been adjusted to reflect this.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 html/cgi-bin/optionsfw.cgi    | 18 ++++++++++++++++++
 langs/de/cgi-bin/de.pl        |  3 +++
 langs/en/cgi-bin/en.pl        |  5 ++++-
 src/initscripts/system/sysctl | 11 ++++++++++-
 src/misc-progs/firewallctrl.c |  1 +
 5 files changed, 36 insertions(+), 2 deletions(-)

Comments

Michael Tremer April 19, 2022, 9:51 a.m. UTC | #1 
Hello,

I do not quite understand the rationale for this switch. Why would the user need to change this?

You are talking about asymmetric routing which requires this to be configured in loose mode. Did you have a setup like this?

And if so, I would just recommend to revert the original change that clearly seems to be incompatible with some installations then.

I do no see that this is desirable for the user to control. It is complicated to understand what is happening here and the benefits are so marginal (if there are any at all) that I don’t think this is worth it.

-Michael

> On 18 Apr 2022, at 19:27, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> For the vast majority of IPFire installations (i. e. those who do not
> make use of asymmetric routing), it is safe to run the Linux kernel's
> Reverse Path Forwarding in 'strict' mode, as specified in RFC 3704,
> section 2.2, significantly hampering spoofing attacks.
> 
> However, we cannot switch to this operating mode globally, since (a)
> some IPFire installations cannot use it and (b) we need to avoid a
> breaking change on this end.
> 
> Therefore, this patch adds a switch to the firewall options CGI,
> permitting users to choose between 'loose' and 'strict' RPF mode,
> whereas 'loose' is the current default. On existing installations, this
> should be left untouched - although users are urged to check whether
> they can switch to the 'strict' mode -; similar to the 'drop hostile'
> feature, this should be set to 'strict' by default on new installations.
> 
> Since only a sysctl is changed under the hood, changes do not require a
> reboot, but an execution of the /etc/rc.d/init.d/sysctl initscript. The
> corresponding misc-prog has been adjusted to reflect this.
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> html/cgi-bin/optionsfw.cgi    | 18 ++++++++++++++++++
> langs/de/cgi-bin/de.pl        |  3 +++
> langs/en/cgi-bin/en.pl        |  5 ++++-
> src/initscripts/system/sysctl | 11 ++++++++++-
> src/misc-progs/firewallctrl.c |  1 +
> 5 files changed, 36 insertions(+), 2 deletions(-)
> 
> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
> index fbff67b2f..72a4cddc8 100644
> --- a/html/cgi-bin/optionsfw.cgi
> +++ b/html/cgi-bin/optionsfw.cgi
> @@ -158,6 +158,9 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
> $selected{'MASQUERADE_BLUE'}{'off'} = '';
> $selected{'MASQUERADE_BLUE'}{'on'} = '';
> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
> +$checked{'RPFORWARDINGMODE'}{'loose'} = '';
> +$checked{'RPFORWARDINGMODE'}{'strict'} = '';
> +$checked{'RPFORWARDINGMODE'}{$settings{'RPFORWARDINGMODE'}} = "checked='checked'";
> 
> &Header::openbox('100%', 'center',);
> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
> @@ -334,6 +337,21 @@ END
> </table>
> 
> <br />
> +
> +<table width='95%' cellspacing='0'>
> +	<tr bgcolor='$color{'color20'}'>
> +		<td colspan='2' align='left'><b>$Lang::tr{'reverse path forwarding'}</b></td>
> +	</tr>
> +	<tr>
> +		<td align='left' width='60%'>$Lang::tr{'reverse path forwarding mode'}</td>
> +		<td align='left'>
> +			$Lang::tr{'strict'} <input type='radio' name='RPFORWARDINGMODE' value='strict' $checked{'RPFORWARDINGMODE'}{'strict'} />/
> +			<input type='radio' name='RPFORWARDINGMODE' value='loose' $checked{'RPFORWARDINGMODE'}{'loose'} /> $Lang::tr{'loose'}
> +		</td>
> +	</tr>
> +</table>
> +<br>
> +
> <table width='100%' cellspacing='0'>
> <tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 6094c191a..047d47fe0 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -1623,6 +1623,7 @@
> 'logging server' => 'Protokollierungsserver',
> 'loginlogout' => 'Login/Logout',
> 'logs' => 'Protokolldateien',
> +'loose' => 'locker',
> 'loosedirectorychecking' => 'Loose directorychecking',
> 'low' => 'Niedrig',
> 'ls_dhcpd' => 'DHCP-Server:',
> @@ -2159,6 +2160,8 @@
> 'restore defaults' => 'Voreinstellungen wiederherstellen',
> 'restore hardware settings' => 'Hardwareeinstellungen wiederherstellen',
> 'restore settings' => 'Einstellungen wiederherstellen',
> +'reverse path forwarding' => 'Reverse Path Forwarding',
> +'reverse path forwarding mode' => 'Betriebsmodus des Reverse Path Forwarding (siehe <a href="https://datatracker.ietf.org/doc/html/rfc3704#section-2" target="_blank">RFC 3704, Abschnitt 2</a>)',
> 'reverse sort' => 'In umgekehrter chronologischer Reihenfolge sortieren',
> 'root' => 'Root',
> 'root certificate' => 'Root-Zertifikat',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index 510ed095b..80d8f7f1a 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -1671,6 +1671,7 @@
> 'logging server' => 'Logging Server',
> 'loginlogout' => 'Login/Logout',
> 'logs' => 'logs',
> +'loose' => 'loose',
> 'loosedirectorychecking' => 'Loosedirectorychecking',
> 'low' => 'Low',
> 'ls_dhcpd' => 'DHCP Server:',
> @@ -2211,6 +2212,8 @@
> 'restore defaults' => 'Restore defaults',
> 'restore hardware settings' => 'Restore hardware settings',
> 'restore settings' => 'Reset Settings',
> +'reverse path forwarding' => 'Reverse Path Forwarding',
> +'reverse path forwarding mode' => 'Operating mode of Reverse Path Forwarding (see <a href="https://datatracker.ietf.org/doc/html/rfc3704#section-2" target="_blank">RFC 3704, section 2</a>)',
> 'reverse sort' => 'Sort in reverse chronological order',
> 'root' => 'Root',
> 'root certificate' => 'Root Certificate',
> @@ -2394,7 +2397,7 @@
> 'stop' => 'Stop',
> 'stop ovpn server' => 'Stop OpenVPN Server',
> 'stopped' => 'STOPPED',
> -'strict' => 'Strict',
> +'strict' => 'strict',
> 'subject' => 'Subject',
> 'subject test' => 'Teste-mail',
> 'subject warn' => 'Warning - warnlevel reached',
> diff --git a/src/initscripts/system/sysctl b/src/initscripts/system/sysctl
> index 8897c1faa..c7aebbc8d 100644
> --- a/src/initscripts/system/sysctl
> +++ b/src/initscripts/system/sysctl
> @@ -22,6 +22,8 @@
> . /etc/sysconfig/rc
> . ${rc_functions}
> 
> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
> +
> case "${1}" in
> 	start)
> 		if [ -f "/etc/sysctl.conf" ]; then
> @@ -29,7 +31,7 @@ case "${1}" in
> 			sysctl -q -p
> 			evaluate_retval
> 		fi
> -		arch=`uname -m`
> +		arch=$(uname -m)
> 		case "${arch}" in
> 			armv*)
> 				arch="armv6l":
> @@ -40,6 +42,13 @@ case "${1}" in
> 			sysctl -q -p /etc/sysctl-${arch}.conf
> 			evaluate_retval
> 		fi
> +
> +		if [ "$RPFORWARDINGMODE" == "strict" ]; then
> +			boot_mesg "Setting Reverse Path Forwarding mode to 'strict'..."
> +			sysctl -q -w net.ipv4.conf.all.rp_filter=1
> +			evaluate_retval
> +		fi
> +
> 		;;
> 
> 	status)
> diff --git a/src/misc-progs/firewallctrl.c b/src/misc-progs/firewallctrl.c
> index 0f176597d..b6756b0b1 100644
> --- a/src/misc-progs/firewallctrl.c
> +++ b/src/misc-progs/firewallctrl.c
> @@ -13,6 +13,7 @@ int main(int argc, char *argv[]) {
> 	if (!(initsetuid()))
> 		exit(1);
> 
> +	safe_system("/etc/rc.d/init.d/sysctl start");
> 	int retval = safe_system("/usr/lib/firewall/rules.pl");
> 
> 	/* If rules.pl has been successfully executed, the indicator
> -- 
> 2.34.1
Peter Müller April 19, 2022, 12:01 p.m. UTC | #2 
Hello Michael,

thanks for your reply.

> Hello,
> 
> I do not quite understand the rationale for this switch. Why would the user need to change this?

See below.

> 
> You are talking about asymmetric routing which requires this to be configured in loose mode. Did you have a setup like this?

No, but you mentioned IPFire installations running such setups a few times to me, and that we cannot
use strict Reverse Path Forwarding there because that would break asymmetric routing.

> And if so, I would just recommend to revert the original change that clearly seems to be incompatible with some installations then.

I think that is a misunderstanding: There is no original change; actually, I am trying to introduce a
change that would improve IPFire's security for most users, while providing the remaining userbase
fraction a possibility to disable that improvement, so they can continue to use IPFire.

> I do no see that this is desirable for the user to control. It is complicated to understand what is happening here and the benefits are so marginal (if there are any at all) that I don’t think this is worth it.

Strict Reverse Path Forwarding renders classes of spoofing attacks void. Especially for internal attacks,
I do think being resistant to spoofing is a security benefit.

This is a complex topic indeed, and most users probably won't understand this in general. I am afraid I do
not have a solution to that, which is why I propose to turn this on on new installations, and recommend users
to change it only if they know precisely what they are doing.

Hope to have your questions answered. :-)

Thanks, and best regards,
Peter Müller

> 
> -Michael
> 
>> On 18 Apr 2022, at 19:27, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> For the vast majority of IPFire installations (i. e. those who do not
>> make use of asymmetric routing), it is safe to run the Linux kernel's
>> Reverse Path Forwarding in 'strict' mode, as specified in RFC 3704,
>> section 2.2, significantly hampering spoofing attacks.
>>
>> However, we cannot switch to this operating mode globally, since (a)
>> some IPFire installations cannot use it and (b) we need to avoid a
>> breaking change on this end.
>>
>> Therefore, this patch adds a switch to the firewall options CGI,
>> permitting users to choose between 'loose' and 'strict' RPF mode,
>> whereas 'loose' is the current default. On existing installations, this
>> should be left untouched - although users are urged to check whether
>> they can switch to the 'strict' mode -; similar to the 'drop hostile'
>> feature, this should be set to 'strict' by default on new installations.
>>
>> Since only a sysctl is changed under the hood, changes do not require a
>> reboot, but an execution of the /etc/rc.d/init.d/sysctl initscript. The
>> corresponding misc-prog has been adjusted to reflect this.
>>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> html/cgi-bin/optionsfw.cgi    | 18 ++++++++++++++++++
>> langs/de/cgi-bin/de.pl        |  3 +++
>> langs/en/cgi-bin/en.pl        |  5 ++++-
>> src/initscripts/system/sysctl | 11 ++++++++++-
>> src/misc-progs/firewallctrl.c |  1 +
>> 5 files changed, 36 insertions(+), 2 deletions(-)
>>
>> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
>> index fbff67b2f..72a4cddc8 100644
>> --- a/html/cgi-bin/optionsfw.cgi
>> +++ b/html/cgi-bin/optionsfw.cgi
>> @@ -158,6 +158,9 @@ $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
>> $selected{'MASQUERADE_BLUE'}{'off'} = '';
>> $selected{'MASQUERADE_BLUE'}{'on'} = '';
>> $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
>> +$checked{'RPFORWARDINGMODE'}{'loose'} = '';
>> +$checked{'RPFORWARDINGMODE'}{'strict'} = '';
>> +$checked{'RPFORWARDINGMODE'}{$settings{'RPFORWARDINGMODE'}} = "checked='checked'";
>>
>> &Header::openbox('100%', 'center',);
>> print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
>> @@ -334,6 +337,21 @@ END
>> </table>
>>
>> <br />
>> +
>> +<table width='95%' cellspacing='0'>
>> +	<tr bgcolor='$color{'color20'}'>
>> +		<td colspan='2' align='left'><b>$Lang::tr{'reverse path forwarding'}</b></td>
>> +	</tr>
>> +	<tr>
>> +		<td align='left' width='60%'>$Lang::tr{'reverse path forwarding mode'}</td>
>> +		<td align='left'>
>> +			$Lang::tr{'strict'} <input type='radio' name='RPFORWARDINGMODE' value='strict' $checked{'RPFORWARDINGMODE'}{'strict'} />/
>> +			<input type='radio' name='RPFORWARDINGMODE' value='loose' $checked{'RPFORWARDINGMODE'}{'loose'} /> $Lang::tr{'loose'}
>> +		</td>
>> +	</tr>
>> +</table>
>> +<br>
>> +
>> <table width='100%' cellspacing='0'>
>> <tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
>> <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
>> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
>> index 6094c191a..047d47fe0 100644
>> --- a/langs/de/cgi-bin/de.pl
>> +++ b/langs/de/cgi-bin/de.pl
>> @@ -1623,6 +1623,7 @@
>> 'logging server' => 'Protokollierungsserver',
>> 'loginlogout' => 'Login/Logout',
>> 'logs' => 'Protokolldateien',
>> +'loose' => 'locker',
>> 'loosedirectorychecking' => 'Loose directorychecking',
>> 'low' => 'Niedrig',
>> 'ls_dhcpd' => 'DHCP-Server:',
>> @@ -2159,6 +2160,8 @@
>> 'restore defaults' => 'Voreinstellungen wiederherstellen',
>> 'restore hardware settings' => 'Hardwareeinstellungen wiederherstellen',
>> 'restore settings' => 'Einstellungen wiederherstellen',
>> +'reverse path forwarding' => 'Reverse Path Forwarding',
>> +'reverse path forwarding mode' => 'Betriebsmodus des Reverse Path Forwarding (siehe <a href="https://datatracker.ietf.org/doc/html/rfc3704#section-2" target="_blank">RFC 3704, Abschnitt 2</a>)',
>> 'reverse sort' => 'In umgekehrter chronologischer Reihenfolge sortieren',
>> 'root' => 'Root',
>> 'root certificate' => 'Root-Zertifikat',
>> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
>> index 510ed095b..80d8f7f1a 100644
>> --- a/langs/en/cgi-bin/en.pl
>> +++ b/langs/en/cgi-bin/en.pl
>> @@ -1671,6 +1671,7 @@
>> 'logging server' => 'Logging Server',
>> 'loginlogout' => 'Login/Logout',
>> 'logs' => 'logs',
>> +'loose' => 'loose',
>> 'loosedirectorychecking' => 'Loosedirectorychecking',
>> 'low' => 'Low',
>> 'ls_dhcpd' => 'DHCP Server:',
>> @@ -2211,6 +2212,8 @@
>> 'restore defaults' => 'Restore defaults',
>> 'restore hardware settings' => 'Restore hardware settings',
>> 'restore settings' => 'Reset Settings',
>> +'reverse path forwarding' => 'Reverse Path Forwarding',
>> +'reverse path forwarding mode' => 'Operating mode of Reverse Path Forwarding (see <a href="https://datatracker.ietf.org/doc/html/rfc3704#section-2" target="_blank">RFC 3704, section 2</a>)',
>> 'reverse sort' => 'Sort in reverse chronological order',
>> 'root' => 'Root',
>> 'root certificate' => 'Root Certificate',
>> @@ -2394,7 +2397,7 @@
>> 'stop' => 'Stop',
>> 'stop ovpn server' => 'Stop OpenVPN Server',
>> 'stopped' => 'STOPPED',
>> -'strict' => 'Strict',
>> +'strict' => 'strict',
>> 'subject' => 'Subject',
>> 'subject test' => 'Teste-mail',
>> 'subject warn' => 'Warning - warnlevel reached',
>> diff --git a/src/initscripts/system/sysctl b/src/initscripts/system/sysctl
>> index 8897c1faa..c7aebbc8d 100644
>> --- a/src/initscripts/system/sysctl
>> +++ b/src/initscripts/system/sysctl
>> @@ -22,6 +22,8 @@
>> . /etc/sysconfig/rc
>> . ${rc_functions}
>>
>> +eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
>> +
>> case "${1}" in
>> 	start)
>> 		if [ -f "/etc/sysctl.conf" ]; then
>> @@ -29,7 +31,7 @@ case "${1}" in
>> 			sysctl -q -p
>> 			evaluate_retval
>> 		fi
>> -		arch=`uname -m`
>> +		arch=$(uname -m)
>> 		case "${arch}" in
>> 			armv*)
>> 				arch="armv6l":
>> @@ -40,6 +42,13 @@ case "${1}" in
>> 			sysctl -q -p /etc/sysctl-${arch}.conf
>> 			evaluate_retval
>> 		fi
>> +
>> +		if [ "$RPFORWARDINGMODE" == "strict" ]; then
>> +			boot_mesg "Setting Reverse Path Forwarding mode to 'strict'..."
>> +			sysctl -q -w net.ipv4.conf.all.rp_filter=1
>> +			evaluate_retval
>> +		fi
>> +
>> 		;;
>>
>> 	status)
>> diff --git a/src/misc-progs/firewallctrl.c b/src/misc-progs/firewallctrl.c
>> index 0f176597d..b6756b0b1 100644
>> --- a/src/misc-progs/firewallctrl.c
>> +++ b/src/misc-progs/firewallctrl.c
>> @@ -13,6 +13,7 @@ int main(int argc, char *argv[]) {
>> 	if (!(initsetuid()))
>> 		exit(1);
>>
>> +	safe_system("/etc/rc.d/init.d/sysctl start");
>> 	int retval = safe_system("/usr/lib/firewall/rules.pl");
>>
>> 	/* If rules.pl has been successfully executed, the indicator
>> -- 
>> 2.34.1
>
diff mbox series

Patch

diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index fbff67b2f..72a4cddc8 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -158,6 +158,9 @@  $selected{'MASQUERADE_ORANGE'}{$settings{'MASQUERADE_ORANGE'}} = 'selected="sele
 $selected{'MASQUERADE_BLUE'}{'off'} = '';
 $selected{'MASQUERADE_BLUE'}{'on'} = '';
 $selected{'MASQUERADE_BLUE'}{$settings{'MASQUERADE_BLUE'}} = 'selected="selected"';
+$checked{'RPFORWARDINGMODE'}{'loose'} = '';
+$checked{'RPFORWARDINGMODE'}{'strict'} = '';
+$checked{'RPFORWARDINGMODE'}{$settings{'RPFORWARDINGMODE'}} = "checked='checked'";
 
 &Header::openbox('100%', 'center',);
 print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>";
@@ -334,6 +337,21 @@  END
 </table>
 
 <br />
+
+<table width='95%' cellspacing='0'>
+	<tr bgcolor='$color{'color20'}'>
+		<td colspan='2' align='left'><b>$Lang::tr{'reverse path forwarding'}</b></td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'reverse path forwarding mode'}</td>
+		<td align='left'>
+			$Lang::tr{'strict'} <input type='radio' name='RPFORWARDINGMODE' value='strict' $checked{'RPFORWARDINGMODE'}{'strict'} />/
+			<input type='radio' name='RPFORWARDINGMODE' value='loose' $checked{'RPFORWARDINGMODE'}{'loose'} /> $Lang::tr{'loose'}
+		</td>
+	</tr>
+</table>
+<br>
+
 <table width='100%' cellspacing='0'>
 <tr><td align='right'><form method='post' action='$ENV{'SCRIPT_NAME'}'>
 <input type='submit' name='ACTION' value='$Lang::tr{'save'}' />
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 6094c191a..047d47fe0 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1623,6 +1623,7 @@ 
 'logging server' => 'Protokollierungsserver',
 'loginlogout' => 'Login/Logout',
 'logs' => 'Protokolldateien',
+'loose' => 'locker',
 'loosedirectorychecking' => 'Loose directorychecking',
 'low' => 'Niedrig',
 'ls_dhcpd' => 'DHCP-Server:',
@@ -2159,6 +2160,8 @@ 
 'restore defaults' => 'Voreinstellungen wiederherstellen',
 'restore hardware settings' => 'Hardwareeinstellungen wiederherstellen',
 'restore settings' => 'Einstellungen wiederherstellen',
+'reverse path forwarding' => 'Reverse Path Forwarding',
+'reverse path forwarding mode' => 'Betriebsmodus des Reverse Path Forwarding (siehe <a href="https://datatracker.ietf.org/doc/html/rfc3704#section-2" target="_blank">RFC 3704, Abschnitt 2</a>)',
 'reverse sort' => 'In umgekehrter chronologischer Reihenfolge sortieren',
 'root' => 'Root',
 'root certificate' => 'Root-Zertifikat',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 510ed095b..80d8f7f1a 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1671,6 +1671,7 @@ 
 'logging server' => 'Logging Server',
 'loginlogout' => 'Login/Logout',
 'logs' => 'logs',
+'loose' => 'loose',
 'loosedirectorychecking' => 'Loosedirectorychecking',
 'low' => 'Low',
 'ls_dhcpd' => 'DHCP Server:',
@@ -2211,6 +2212,8 @@ 
 'restore defaults' => 'Restore defaults',
 'restore hardware settings' => 'Restore hardware settings',
 'restore settings' => 'Reset Settings',
+'reverse path forwarding' => 'Reverse Path Forwarding',
+'reverse path forwarding mode' => 'Operating mode of Reverse Path Forwarding (see <a href="https://datatracker.ietf.org/doc/html/rfc3704#section-2" target="_blank">RFC 3704, section 2</a>)',
 'reverse sort' => 'Sort in reverse chronological order',
 'root' => 'Root',
 'root certificate' => 'Root Certificate',
@@ -2394,7 +2397,7 @@ 
 'stop' => 'Stop',
 'stop ovpn server' => 'Stop OpenVPN Server',
 'stopped' => 'STOPPED',
-'strict' => 'Strict',
+'strict' => 'strict',
 'subject' => 'Subject',
 'subject test' => 'Teste-mail',
 'subject warn' => 'Warning - warnlevel reached',
diff --git a/src/initscripts/system/sysctl b/src/initscripts/system/sysctl
index 8897c1faa..c7aebbc8d 100644
--- a/src/initscripts/system/sysctl
+++ b/src/initscripts/system/sysctl
@@ -22,6 +22,8 @@ 
 . /etc/sysconfig/rc
 . ${rc_functions}
 
+eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
+
 case "${1}" in
 	start)
 		if [ -f "/etc/sysctl.conf" ]; then
@@ -29,7 +31,7 @@  case "${1}" in
 			sysctl -q -p
 			evaluate_retval
 		fi
-		arch=`uname -m`
+		arch=$(uname -m)
 		case "${arch}" in
 			armv*)
 				arch="armv6l":
@@ -40,6 +42,13 @@  case "${1}" in
 			sysctl -q -p /etc/sysctl-${arch}.conf
 			evaluate_retval
 		fi
+
+		if [ "$RPFORWARDINGMODE" == "strict" ]; then
+			boot_mesg "Setting Reverse Path Forwarding mode to 'strict'..."
+			sysctl -q -w net.ipv4.conf.all.rp_filter=1
+			evaluate_retval
+		fi
+
 		;;
 
 	status)
diff --git a/src/misc-progs/firewallctrl.c b/src/misc-progs/firewallctrl.c
index 0f176597d..b6756b0b1 100644
--- a/src/misc-progs/firewallctrl.c
+++ b/src/misc-progs/firewallctrl.c
@@ -13,6 +13,7 @@  int main(int argc, char *argv[]) {
 	if (!(initsetuid()))
 		exit(1);
 
+	safe_system("/etc/rc.d/init.d/sysctl start");
 	int retval = safe_system("/usr/lib/firewall/rules.pl");
 
 	/* If rules.pl has been successfully executed, the indicator