From patchwork Wed Sep 30 14:46:07 2020
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 3502
To: development@lists.ipfire.org
From: Peter Müller
Subject: [PATCH] sysctl.conf: drop RST packets for sockets in TIME-WAIT state
Date: Wed, 30 Sep 2020 14:46:07 +0000
List-Id: IPFire development talk

RFC 1337 describes various TCP (side channel) attacks against prematurely closed connections stalling in TIME-WAIT state, such as DoS or injecting arbitrary TCP segments, and recommends silently discarding RST packets for sockets in this state.

While applications still tied to such sockets should tolerate invalid input (thanks to Jon Postel), there is little legitimate reason to send such RST packets at all.

At the time of writing, no collateral damage related to active RFC 1337 implementations is known. Measurements in production environments did not reveal any side effects either, which is why I consider enabling the RFC 1337 implementation to be a safe change.

See also: https://tools.ietf.org/html/rfc1337

Signed-off-by: Peter Müller
--- config/etc/sysctl.conf | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 7e7ebee44..d48c7734e 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -32,7 +32,7 @@ net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 # Enable netfilter accounting -net.netfilter.nf_conntrack_acct=1 +net.netfilter.nf_conntrack_acct = 1 # Disable netfilter on bridges. net.bridge.bridge-nf-call-ip6tables = 0
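Review bot: the only change in this hunk, `-net.netfilter.nf_conntrack_acct=1` / `+net.netfilter.nf_conntrack_acct = 1`, is whitespace normalisation of a setting unrelated to the subject line, and the commit message does not mention it. Split it into a separate cleanup commit (or at least say so in the message) so that the history for the TIME-WAIT change stays a one-setting diff and a later bisect of TCP behaviour does not drag conntrack accounting into view.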
@@ -86,10 +86,15 @@ net.ipv4.tcp_wmem = 4096 16384 16777216 net.ipv4.udp_mem = 3145728 4194304 16777216 # Prefer low latency over higher throughput -net.ipv4.tcp_low_latency=1 +net.ipv4.tcp_low_latency = 1 # Reserve more socket space for the TCP window -net.ipv4.tcp_adv_win_scale=2 +net.ipv4.tcp_adv_win_scale = 2 # Enable TCP fast-open net.ipv4.tcp_fastopen = 3 + +# Drop RST packets for sockets in TIME-WAIT state, as described in RFC 1337. +# This protects against various TCP attacks, such as DoS against or injection +# of arbitrary segments into prematurely closed connections. +net.ipv4.tcp_rfc1337 = 1
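Review bot: the two whitespace-only edits to `net.ipv4.tcp_low_latency` and `net.ipv4.tcp_adv_win_scale` at the top of this hunk have nothing to do with the RST/TIME-WAIT change and are why the diffstat reports 8 insertions and 3 deletions for what the message describes as one new setting; move them into the same cleanup commit as the nf_conntrack_acct change, or name them in the commit message. The new block itself reads fine: the comment states what the setting does and which RFC it implements, and `net.ipv4.tcp_rfc1337 = 1` follows the `key = value` form the rest of the file is being normalised to.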
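A sysctl.conf line only says what will be applied at boot or by `sysctl -p`; whether the RFC 1337 handling is actually in force is a question for the running kernel. The following shell script is an added example for this page, not code from the IPFire patch or repository: it parses a constructed sysctl.conf sample written in the same style as the patched file, accepting both `key=value` and `key = value` as the whitespace normalisation in this patch implies, checks that `net.ipv4.tcp_rfc1337` is set to 1, and compares every configured key with the live value under /proc/sys where that tree is readable. The sample contents, the function names and the script name are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not part of the IPFire patch: audit a sysctl.conf fragment for
# net.ipv4.tcp_rfc1337 and compare configured values with the running kernel.

# Constructed sample in the style of the patched config. The first setting uses
# "key=value" without spaces, which sysctl(8) accepts and which the patch only
# normalises cosmetically, so the parser must accept both forms.
SAMPLE_CONF='
# Enable netfilter accounting
net.netfilter.nf_conntrack_acct=1

# Enable TCP fast-open
net.ipv4.tcp_fastopen = 3

# Drop RST packets for sockets in TIME-WAIT state, as described in RFC 1337.
net.ipv4.tcp_rfc1337 = 1
'

# sysctl_conf_get <key>: print the value configured for <key> in the
# sysctl.conf text on stdin (first match wins; comments and blanks skipped).
sysctl_conf_get() {
    awk -v key="$1" -F'=' '
        /^[ \t]*#/ || /^[ \t]*;/ || /^[ \t]*$/ { next }
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]+/, " ", v); sub(/^ /, "", v); sub(/ $/, "", v)
            print v
            exit
        }'
}

# sysctl_live_get <key>: print the running kernel value with whitespace
# normalised (multi-value keys such as tcp_wmem are tab-separated in /proc),
# or "n/a" when /proc/sys is not readable (non-Linux host, locked-down container).
sysctl_live_get() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then
        awk '{ $1 = $1; print }' "$f"
    else
        echo n/a
    fi
}

# sysctl_conf_keys <file>: list the keys configured in <file>, one per line.
sysctl_conf_keys() {
    awk -F'=' '/^[ \t]*#/ || /^[ \t]*;/ || /^[ \t]*$/ { next }
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k); print k }' "$1"
}

# sysctl_conf_drift <file>: report every key whose running value differs from
# the file. Silent when /proc/sys is unavailable, so it is safe to run anywhere.
sysctl_conf_drift() {
    sysctl_conf_keys "$1" | while read -r key; do
        want=$(sysctl_conf_get "$key" < "$1")
        have=$(sysctl_live_get "$key")
        [ "$have" = n/a ] && continue
        [ "$have" = "$want" ] || printf 'DRIFT %s: file=%s kernel=%s\n' "$key" "$want" "$have"
    done
}

# check_rfc1337 <file>: return 0 only if the file sets net.ipv4.tcp_rfc1337 = 1.
# Also prints the running value so drift between file and kernel is visible.
check_rfc1337() {
    want=$(sysctl_conf_get net.ipv4.tcp_rfc1337 < "$1")
    have=$(sysctl_live_get net.ipv4.tcp_rfc1337)
    printf 'net.ipv4.tcp_rfc1337: configured=%s running=%s\n' "${want:-unset}" "$have"
    [ "$want" = 1 ]
}

# Usage (hypothetical script name): sh audit_sysctl.sh [/etc/sysctl.conf]
# With no argument the embedded sample is checked.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
conf=${1:-$tmp}
check_rfc1337 "$conf" && echo "OK: RFC 1337 handling is enabled in $conf"
sysctl_conf_drift "$conf"
rm -f "$tmp"
```

`check_rfc1337` returns non-zero when the file does not set the key to 1, which makes it usable from a post-install or CI check; `sysctl_conf_drift` is the part that tells you whether a setting that is in the file has actually reached the kernel, for example after a typo in a key name that `sysctl -p` only warns about.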