From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH] sysctl: Use strict Reverse Path Filtering
Date: Sun, 01 May 2022 19:01:46 +0200
Message-ID: <5320e465-3bb1-fe5f-8cba-f35add5f71e2@ipfire.org>
In-Reply-To: <2a19b137-55c7-ecb4-6161-8e87dc1a9a6b@ipfire.org>

Reviewed-by: Adolf Belka

On 30/04/2022 11:45, Peter Müller wrote:
> The strict mode, as specified in RFC 3704, section 2.2, causes packets
> to be dropped by the kernel if they arrive with a source IP address that
> is not expected on the interface they arrived in. This prevents internal
> spoofing attacks, and is considered best practice among the industry.
>
> After a discussion with Michael, we reached the conclusion that
> permitting users to configure the operating mode of RPF in IPFire causes
> more harm than good. The scenarios where strict RPF is not usable are
> negligible, and the vast majority of IPFire's userbase won't even
> notice a difference.
>
> This supersedes <495b4ca2-5a4b-2ffa-8306-38f152889582(a)ipfire.org>.
>
> Suggested-by: Michael Tremer
> Signed-off-by: Peter Müller
> ---
> config/etc/sysctl.conf | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
> index 5fc3e3d89..7fe397bb7 100644
> --- a/config/etc/sysctl.conf
> +++ b/config/etc/sysctl.conf
> @@ -12,13 +12,13 @@ net.ipv4.tcp_syn_retries = 3 > net.ipv4.tcp_synack_retries = 3 > > net.ipv4.conf.default.arp_filter = 1 > -net.ipv4.conf.default.rp_filter = 2 > +net.ipv4.conf.default.rp_filter = 1 > net.ipv4.conf.default.accept_redirects = 0 > net.ipv4.conf.default.accept_source_route = 0 > net.ipv4.conf.default.log_martians = 1 > > net.ipv4.conf.all.arp_filter = 1 > -net.ipv4.conf.all.rp_filter = 2 > +net.ipv4.conf.all.rp_filter = 1 > net.ipv4.conf.all.accept_redirects = 0 > net.ipv4.conf.all.accept_source_route = 0 > net.ipv4.conf.all.log_martians = 1 --===============2544520178143460217==--
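Review bot: the commit message says the RPF mode is no longer meant to be user-configurable, but the hunk only changes net.ipv4.conf.default.rp_filter and net.ipv4.conf.all.rp_filter from 2 to 1 in config/etc/sysctl.conf; the kernel uses the maximum of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter when validating a source address, so any other code path that still writes a per-interface value of 2 would silently put that interface back into loose mode despite the new "all" default. If the superseded patch or the web UI touched per-interface rp_filter, that code should go in the same series, and a quick `sysctl -a | grep rp_filter` after a reboot should show 1 for every interface. Since net.ipv4.conf.all.log_martians = 1 is kept two lines below, packets that strict mode now drops will appear as "martian source" entries in the kernel log, which is worth mentioning in the commit message as the place to look when a user with asymmetric routing reports breakage.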
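Because the kernel takes the maximum of the `all` and per-interface `rp_filter` values, the effective mode per interface is what an administrator has to verify, not the two lines in sysctl.conf. The following check is an added example, not IPFire code or part of the patch; it parses `sysctl -a`-style output and reports which interfaces are not in strict mode. The two sample outputs are constructed: the interface names green0/red0/blue0/lo and their values are assumed for illustration, with one sample showing the pre-patch default of 2 and one the post-patch default of 1 plus a stray per-interface 2.

```python
import re
from typing import Dict, List

# Constructed sample: state before the patch, conf.all/default = 2 (loose).
# Interface names and values are assumed for illustration, not captured output.
SAMPLE_BEFORE_PATCH = """\
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.green0.rp_filter = 1
net.ipv4.conf.red0.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
"""

# Constructed sample: state after the patch, but one interface still carries
# a per-interface value of 2, which wins over conf.all = 1.
SAMPLE_AFTER_PATCH = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.green0.rp_filter = 1
net.ipv4.conf.red0.rp_filter = 1
net.ipv4.conf.blue0.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.all.log_martians = 1
"""

MODE_NAMES = {0: "off", 1: "strict", 2: "loose"}

# Matches lines such as "net.ipv4.conf.red0.rp_filter = 1"; other sysctls are ignored.
_RP_FILTER_RE = re.compile(r"^net\.ipv4\.conf\.([^.\s]+)\.rp_filter\s*=\s*([012])\s*$")


def parse_rp_filter(sysctl_output: str) -> Dict[str, int]:
    """Return {name: value} for every rp_filter line, including 'all' and 'default'."""
    values: Dict[str, int] = {}
    for line in sysctl_output.splitlines():
        match = _RP_FILTER_RE.match(line.strip())
        if match:
            values[match.group(1)] = int(match.group(2))
    return values


def effective_modes(values: Dict[str, int]) -> Dict[str, int]:
    """Effective rp_filter per interface.

    The kernel applies max(conf.all.rp_filter, conf.<iface>.rp_filter) when
    validating a source address. 'default' only seeds newly created interfaces
    and 'all' is not itself an interface, so both are excluded from the result.
    """
    all_value = values.get("all", 0)
    return {
        iface: max(all_value, value)
        for iface, value in values.items()
        if iface not in ("all", "default")
    }


def non_strict_interfaces(sysctl_output: str) -> List[str]:
    """Interfaces whose effective mode is anything other than strict (1)."""
    modes = effective_modes(parse_rp_filter(sysctl_output))
    return sorted(iface for iface, mode in modes.items() if mode != 1)


def report(sysctl_output: str) -> str:
    """Human-readable one-line-per-interface summary."""
    modes = effective_modes(parse_rp_filter(sysctl_output))
    return "\n".join(
        f"{iface}: {MODE_NAMES[mode]}" for iface, mode in sorted(modes.items())
    )


if __name__ == "__main__":
    print("before patch:")
    print(report(SAMPLE_BEFORE_PATCH))
    print("after patch:")
    print(report(SAMPLE_AFTER_PATCH))
    print("not strict after patch:", non_strict_interfaces(SAMPLE_AFTER_PATCH))
```

On a live system the input would come from `sysctl -a 2>/dev/null`; in the constructed "after" sample, `lo` with a value of 0 is reported as strict because `conf.all = 1` raises it, while `blue0` with a value of 2 is reported as loose despite the patched defaults, which is exactly the case a reviewer should check for.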