git.ipfire.org Git - ipfire-2.x.git/commit

author	Peter Müller <peter.mueller@ipfire.org>
	Sat, 30 Apr 2022 09:45:27 +0000 (09:45 +0000)
committer	Peter Müller <peter.mueller@ipfire.org>
	Mon, 2 May 2022 05:28:52 +0000 (05:28 +0000)
commit	1af975dcebb2892a13775d344109508e46bb0be4
tree	6333d4d2544f39ab702925d64063ac845d6c2d49	tree \| snapshot
parent	01cb6d794baf9f19c47e4037e7e0bf3e7b7710f3	commit \| diff

sysctl: Use strict Reverse Path Filtering

The strict mode, as specified in RFC 3704, section 2.2, causes packets
to be dropped by the kernel if they arrive with a source IP address that
is not expected on the interface they arrived in. This prevents internal
spoofing attacks, and is considered best practice among the industry.

After a discussion with Michael, we reached the conclusion that
permitting users to configure the operating mode of RPF in IPFire causes
more harm than good. The scenarios where strict RPF is not usable are
negligible, and the vast majority of IPFire's userbase won't even
notice a difference.

This supersedes <495b4ca2-5a4b-2ffa-8306-38f152889582@ipfire.org>.

Suggested-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>