From 1af975dcebb2892a13775d344109508e46bb0be4 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Peter=20M=C3=BCller?= Date: Sat, 30 Apr 2022 09:45:27 +0000 Subject: [PATCH] sysctl: Use strict Reverse Path Filtering MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The strict mode, as specified in RFC 3704, section 2.2, causes packets to be dropped by the kernel if they arrive with a source IP address that is not expected on the interface they arrived in. This prevents internal spoofing attacks, and is considered best practice among the industry. After a discussion with Michael, we reached the conclusion that permitting users to configure the operating mode of RPF in IPFire causes more harm than good. The scenarios where strict RPF is not usable are negligible, and the vast majority of IPFire's userbase won't even notice a difference. This supersedes <495b4ca2-5a4b-2ffa-8306-38f152889582@ipfire.org>. Suggested-by: Michael Tremer Signed-off-by: Peter Müller Reviewed-by: Adolf Belka --- config/etc/sysctl.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 5fc3e3d892..7fe397bb71 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -12,13 +12,13 @@ net.ipv4.tcp_syn_retries = 3 net.ipv4.tcp_synack_retries = 3 net.ipv4.conf.default.arp_filter = 1 -net.ipv4.conf.default.rp_filter = 2 +net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.log_martians = 1 net.ipv4.conf.all.arp_filter = 1 -net.ipv4.conf.all.rp_filter = 2 +net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.log_martians = 1 -- 2.39.2