From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] sysctl.conf: Enable Loose Reverse Path Filter according to RFC 3704
Date: Sun, 16 Jan 2022 14:47:25 +0000 [thread overview]
Message-ID: <5afbf7f4-cb4c-afc9-ee8c-4858fd6fbea5@ipfire.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 2527 bytes --]
For historical reasons, we were always reluctant to reverse path
filtering, since configuration changes were tricky to evaluate for a
larger userbase, IPFire permits a number of complex scenarios, and due
to limited resources.
As a compromise, this patch suggests to enable Loose Reverse Path
Filtering, as specified in RFC 3704 (section 2.4), to gain at least some
security achievement on this end.
To quote from that:
Loose Reverse Path Forwarding (Loose RPF) is algorithmically similar
to strict RPF, but differs in that it checks only for the existence
of a route (even a default route, if applicable), not where the route
points to. Practically, this could be considered as a "route
presence check" ("loose RPF is a misnomer in a sense because there is
no "reverse path" check in the first place).
The questionable benefit of Loose RPF is found in asymmetric routing
situations: a packet is dropped if there is no route at all, such as
to "Martian addresses" or addresses that are not currently routed,
but is not dropped if a route exists.
There is no legitimate reason why we cannot enable this: If IPFire
receives a packet on some interface it cannot route on _any_ interface
at all, there is no sense in processing it.
While testing this change, I was unable to produce a situation where it
actually causes any harm. In theory, it shouldn't do so anyways.
In the future, we will hopefully be able to set these sysctl's to "1",
using Strict Reverse Path Filtering, as specified in RFC 3704 (section
2.2). Doing so was found to work fine in my testing environment as well,
but there is no asymmetric routing in place there.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
config/etc/sysctl.conf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index bc2d21c93..c8c775d13 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -12,13 +12,13 @@ net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 3
net.ipv4.conf.default.arp_filter = 1
-net.ipv4.conf.default.rp_filter = 0
+net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.arp_filter = 1
-net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
--
2.31.1
next reply other threads:[~2022-01-16 14:47 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-16 14:47 Peter Müller [this message]
2022-01-16 14:56 ` Michael Tremer
2022-01-18 21:18 ` Peter Müller
2022-01-19 8:18 ` Michael Tremer
2022-01-25 16:56 ` Peter Müller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5afbf7f4-cb4c-afc9-ee8c-4858fd6fbea5@ipfire.org \
--to=peter.mueller@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox