sysctl: Use strict Reverse Path Filtering

The strict mode, as specified in RFC 3704, section 2.2, causes packets
to be dropped by the kernel if they arrive with a source IP address that
is not expected on the interface they arrived in. This prevents internal
spoofing attacks, and is considered best practice among the industry.

After a discussion with Michael, we reached the conclusion that
permitting users to configure the operating mode of RPF in IPFire causes
more harm than good. The scenarios where strict RPF is not usable are
negligible, and the vast majority of IPFire's userbase won't even
notice a difference.

This supersedes <495b4ca2-5a4b-2ffa-8306-38f152889582@ipfire.org>.

Suggested-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index 5fc3e3d892cf8fec333c44979336cb78e01b7da6..7fe397bb71a1fa7b6ce21aae58e7cf5ade8da932 100644 (file)
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -12,13 +12,13 @@ net.ipv4.tcp_syn_retries = 3
 net.ipv4.tcp_synack_retries = 3
 
 net.ipv4.conf.default.arp_filter = 1
-net.ipv4.conf.default.rp_filter = 2
+net.ipv4.conf.default.rp_filter = 1
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.default.accept_source_route = 0
 net.ipv4.conf.default.log_martians = 1
 
 net.ipv4.conf.all.arp_filter = 1
-net.ipv4.conf.all.rp_filter = 2
+net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.all.log_martians = 1