From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] sysctl.conf: Enable Loose Reverse Path Filter according to RFC 3704 Date: Wed, 19 Jan 2022 08:18:48 +0000 Message-ID: <30F945D5-0AB2-4B99-B05D-82702D294736@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4038706308706437950==" List-Id: --===============4038706308706437950== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello, Okay. Let=E2=80=99s give it a try. I will refer anyone running into problems = to you :) -Michael > On 18 Jan 2022, at 21:18, Peter M=C3=BCller wr= ote: >=20 > Hello Michael, >=20 > thanks for your reply. >=20 > Well, besides amending the patch for Core Update 164 (or beyond), mention i= t in the changelog, > and encourage people running special setups to test this update, I have no = idea. >=20 > Since the vast majority of IPFire installations will have a default route s= et, Loose Reverse > Path Filtering cannot break anything for them. Therefore, I am willing to r= isk the procedure > mentioned above. >=20 > Thanks, and best regards, > Peter M=C3=BCller >=20 >=20 >> Hello, >>=20 >> How are we going to test this with a wider audience? >>=20 >> I do not expect this to break anything, but I would like to make sure that= this assumption holds true. >>=20 >> -Michael >>=20 >>> On 16 Jan 2022, at 14:47, Peter M=C3=BCller = wrote: >>>=20 >>> For historical reasons, we were always reluctant to reverse path >>> filtering, since configuration changes were tricky to evaluate for a >>> larger userbase, IPFire permits a number of complex scenarios, and due >>> to limited resources. >>>=20 >>> As a compromise, this patch suggests to enable Loose Reverse Path >>> Filtering, as specified in RFC 3704 (section 2.4), to gain at least some >>> security achievement on this end. >>>=20 >>> To quote from that: >>>=20 >>> Loose Reverse Path Forwarding (Loose RPF) is algorithmically similar >>> to strict RPF, but differs in that it checks only for the existence >>> of a route (even a default route, if applicable), not where the route >>> points to. Practically, this could be considered as a "route >>> presence check" ("loose RPF is a misnomer in a sense because there is >>> no "reverse path" check in the first place). >>>=20 >>> The questionable benefit of Loose RPF is found in asymmetric routing >>> situations: a packet is dropped if there is no route at all, such as >>> to "Martian addresses" or addresses that are not currently routed, >>> but is not dropped if a route exists. >>>=20 >>> There is no legitimate reason why we cannot enable this: If IPFire >>> receives a packet on some interface it cannot route on _any_ interface >>> at all, there is no sense in processing it. >>>=20 >>> While testing this change, I was unable to produce a situation where it >>> actually causes any harm. In theory, it shouldn't do so anyways. >>>=20 >>> In the future, we will hopefully be able to set these sysctl's to "1", >>> using Strict Reverse Path Filtering, as specified in RFC 3704 (section >>> 2.2). Doing so was found to work fine in my testing environment as well, >>> but there is no asymmetric routing in place there. >>>=20 >>> Signed-off-by: Peter M=C3=BCller >>> --- >>> config/etc/sysctl.conf | 4 ++-- >>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>=20 >>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf >>> index bc2d21c93..c8c775d13 100644 >>> --- a/config/etc/sysctl.conf >>> +++ b/config/etc/sysctl.conf >>> @@ -12,13 +12,13 @@ net.ipv4.tcp_syn_retries =3D 3 >>> net.ipv4.tcp_synack_retries =3D 3 >>>=20 >>> net.ipv4.conf.default.arp_filter =3D 1 >>> -net.ipv4.conf.default.rp_filter =3D 0 >>> +net.ipv4.conf.default.rp_filter =3D 2 >>> net.ipv4.conf.default.accept_redirects =3D 0 >>> net.ipv4.conf.default.accept_source_route =3D 0 >>> net.ipv4.conf.default.log_martians =3D 1 >>>=20 >>> net.ipv4.conf.all.arp_filter =3D 1 >>> -net.ipv4.conf.all.rp_filter =3D 0 >>> +net.ipv4.conf.all.rp_filter =3D 2 >>> net.ipv4.conf.all.accept_redirects =3D 0 >>> net.ipv4.conf.all.accept_source_route =3D 0 >>> net.ipv4.conf.all.log_martians =3D 1 >>> --=20 >>> 2.31.1 >>=20 --===============4038706308706437950==--