Reviewed-by: Adolf Belka On 30/04/2022 11:45, Peter Müller wrote: > The strict mode, as specified in RFC 3704, section 2.2, causes packets > to be dropped by the kernel if they arrive with a source IP address that > is not expected on the interface they arrived in. This prevents internal > spoofing attacks, and is considered best practice among the industry. > > After a discussion with Michael, we reached the conclusion that > permitting users to configure the operating mode of RPF in IPFire causes > more harm than good. The scenarios where strict RPF is not usable are > negligible, and the vast majority of IPFire's userbase won't even > notice a difference. > > This supersedes <495b4ca2-5a4b-2ffa-8306-38f152889582(a)ipfire.org>. > > Suggested-by: Michael Tremer > Signed-off-by: Peter Müller > --- > config/etc/sysctl.conf | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf > index 5fc3e3d89..7fe397bb7 100644 > --- a/config/etc/sysctl.conf > +++ b/config/etc/sysctl.conf > @@ -12,13 +12,13 @@ net.ipv4.tcp_syn_retries = 3 > net.ipv4.tcp_synack_retries = 3 > > net.ipv4.conf.default.arp_filter = 1 > -net.ipv4.conf.default.rp_filter = 2 > +net.ipv4.conf.default.rp_filter = 1 > net.ipv4.conf.default.accept_redirects = 0 > net.ipv4.conf.default.accept_source_route = 0 > net.ipv4.conf.default.log_martians = 1 > > net.ipv4.conf.all.arp_filter = 1 > -net.ipv4.conf.all.rp_filter = 2 > +net.ipv4.conf.all.rp_filter = 1 > net.ipv4.conf.all.accept_redirects = 0 > net.ipv4.conf.all.accept_source_route = 0 > net.ipv4.conf.all.log_martians = 1
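Review bot: The commit message says the change stops users from configuring the RPF operating mode, but the hunk only changes the shipped defaults (`net.ipv4.conf.default.rp_filter` and `net.ipv4.conf.all.rp_filter` from 2 to 1); nothing in this diff removes a user-facing setting, so either the wording should be narrowed to "switch the default from loose to strict mode" or the change that drops the configuration option should be referenced here. Worth stating in the message as well that `net.ipv4.conf.all.log_martians = 1`, already present in the same hunk, means packets rejected by strict mode will show up in the kernel log, which is the check an administrator with asymmetric routing would use to notice that the stricter default is now dropping their traffic.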