From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH] sysctl.conf: Enable Loose Reverse Path Filter according to RFC 3704 Date: Tue, 25 Jan 2022 16:56:03 +0000 Message-ID: <3ac3dd40-fe3c-6b6a-e35c-1eb58a073751@ipfire.org> In-Reply-To: <30F945D5-0AB2-4B99-B05D-82702D294736@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5307504358197867579==" List-Id: --===============5307504358197867579== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Michael, please do. It would be interesting to see setups where this breaks anything... Thanks, and best regards, Peter M=C3=BCller > Hello, >=20 > Okay. Let=E2=80=99s give it a try. I will refer anyone running into problem= s to you :) >=20 > -Michael >=20 >> On 18 Jan 2022, at 21:18, Peter M=C3=BCller w= rote: >> >> Hello Michael, >> >> thanks for your reply. >> >> Well, besides amending the patch for Core Update 164 (or beyond), mention = it in the changelog, >> and encourage people running special setups to test this update, I have no= idea. >> >> Since the vast majority of IPFire installations will have a default route = set, Loose Reverse >> Path Filtering cannot break anything for them. Therefore, I am willing to = risk the procedure >> mentioned above. >> >> Thanks, and best regards, >> Peter M=C3=BCller >> >> >>> Hello, >>> >>> How are we going to test this with a wider audience? >>> >>> I do not expect this to break anything, but I would like to make sure tha= t this assumption holds true. >>> >>> -Michael >>> >>>> On 16 Jan 2022, at 14:47, Peter M=C3=BCller = wrote: >>>> >>>> For historical reasons, we were always reluctant to reverse path >>>> filtering, since configuration changes were tricky to evaluate for a >>>> larger userbase, IPFire permits a number of complex scenarios, and due >>>> to limited resources. >>>> >>>> As a compromise, this patch suggests to enable Loose Reverse Path >>>> Filtering, as specified in RFC 3704 (section 2.4), to gain at least some >>>> security achievement on this end. >>>> >>>> To quote from that: >>>> >>>> Loose Reverse Path Forwarding (Loose RPF) is algorithmically similar >>>> to strict RPF, but differs in that it checks only for the existence >>>> of a route (even a default route, if applicable), not where the route >>>> points to. Practically, this could be considered as a "route >>>> presence check" ("loose RPF is a misnomer in a sense because there is >>>> no "reverse path" check in the first place). >>>> >>>> The questionable benefit of Loose RPF is found in asymmetric routing >>>> situations: a packet is dropped if there is no route at all, such as >>>> to "Martian addresses" or addresses that are not currently routed, >>>> but is not dropped if a route exists. >>>> >>>> There is no legitimate reason why we cannot enable this: If IPFire >>>> receives a packet on some interface it cannot route on _any_ interface >>>> at all, there is no sense in processing it. >>>> >>>> While testing this change, I was unable to produce a situation where it >>>> actually causes any harm. In theory, it shouldn't do so anyways. >>>> >>>> In the future, we will hopefully be able to set these sysctl's to "1", >>>> using Strict Reverse Path Filtering, as specified in RFC 3704 (section >>>> 2.2). Doing so was found to work fine in my testing environment as well, >>>> but there is no asymmetric routing in place there. >>>> >>>> Signed-off-by: Peter M=C3=BCller >>>> --- >>>> config/etc/sysctl.conf | 4 ++-- >>>> 1 file changed, 2 insertions(+), 2 deletions(-) >>>> >>>> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf >>>> index bc2d21c93..c8c775d13 100644 >>>> --- a/config/etc/sysctl.conf >>>> +++ b/config/etc/sysctl.conf >>>> @@ -12,13 +12,13 @@ net.ipv4.tcp_syn_retries =3D 3 >>>> net.ipv4.tcp_synack_retries =3D 3 >>>> >>>> net.ipv4.conf.default.arp_filter =3D 1 >>>> -net.ipv4.conf.default.rp_filter =3D 0 >>>> +net.ipv4.conf.default.rp_filter =3D 2 >>>> net.ipv4.conf.default.accept_redirects =3D 0 >>>> net.ipv4.conf.default.accept_source_route =3D 0 >>>> net.ipv4.conf.default.log_martians =3D 1 >>>> >>>> net.ipv4.conf.all.arp_filter =3D 1 >>>> -net.ipv4.conf.all.rp_filter =3D 0 >>>> +net.ipv4.conf.all.rp_filter =3D 2 >>>> net.ipv4.conf.all.accept_redirects =3D 0 >>>> net.ipv4.conf.all.accept_source_route =3D 0 >>>> net.ipv4.conf.all.log_martians =3D 1 >>>> --=20 >>>> 2.31.1 >>> >=20 --===============5307504358197867579==--