From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH] sysctl.conf: Enable Loose Reverse Path Filter according to RFC 3704 Date: Tue, 18 Jan 2022 21:18:27 +0000 Message-ID: In-Reply-To: <37403036-7BA4-4ACA-8AA1-366915D0AA93@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4478368443379944367==" List-Id: --===============4478368443379944367== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Michael, thanks for your reply. Well, besides amending the patch for Core Update 164 (or beyond), mention it = in the changelog, and encourage people running special setups to test this update, I have no id= ea. Since the vast majority of IPFire installations will have a default route set= , Loose Reverse Path Filtering cannot break anything for them. Therefore, I am willing to ris= k the procedure mentioned above. Thanks, and best regards, Peter M=C3=BCller > Hello, >=20 > How are we going to test this with a wider audience? >=20 > I do not expect this to break anything, but I would like to make sure that = this assumption holds true. >=20 > -Michael >=20 >> On 16 Jan 2022, at 14:47, Peter M=C3=BCller w= rote: >> >> For historical reasons, we were always reluctant to reverse path >> filtering, since configuration changes were tricky to evaluate for a >> larger userbase, IPFire permits a number of complex scenarios, and due >> to limited resources. >> >> As a compromise, this patch suggests to enable Loose Reverse Path >> Filtering, as specified in RFC 3704 (section 2.4), to gain at least some >> security achievement on this end. >> >> To quote from that: >> >> Loose Reverse Path Forwarding (Loose RPF) is algorithmically similar >> to strict RPF, but differs in that it checks only for the existence >> of a route (even a default route, if applicable), not where the route >> points to. Practically, this could be considered as a "route >> presence check" ("loose RPF is a misnomer in a sense because there is >> no "reverse path" check in the first place). >> >> The questionable benefit of Loose RPF is found in asymmetric routing >> situations: a packet is dropped if there is no route at all, such as >> to "Martian addresses" or addresses that are not currently routed, >> but is not dropped if a route exists. >> >> There is no legitimate reason why we cannot enable this: If IPFire >> receives a packet on some interface it cannot route on _any_ interface >> at all, there is no sense in processing it. >> >> While testing this change, I was unable to produce a situation where it >> actually causes any harm. In theory, it shouldn't do so anyways. >> >> In the future, we will hopefully be able to set these sysctl's to "1", >> using Strict Reverse Path Filtering, as specified in RFC 3704 (section >> 2.2). Doing so was found to work fine in my testing environment as well, >> but there is no asymmetric routing in place there. >> >> Signed-off-by: Peter M=C3=BCller >> --- >> config/etc/sysctl.conf | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf >> index bc2d21c93..c8c775d13 100644 >> --- a/config/etc/sysctl.conf >> +++ b/config/etc/sysctl.conf >> @@ -12,13 +12,13 @@ net.ipv4.tcp_syn_retries =3D 3 >> net.ipv4.tcp_synack_retries =3D 3 >> >> net.ipv4.conf.default.arp_filter =3D 1 >> -net.ipv4.conf.default.rp_filter =3D 0 >> +net.ipv4.conf.default.rp_filter =3D 2 >> net.ipv4.conf.default.accept_redirects =3D 0 >> net.ipv4.conf.default.accept_source_route =3D 0 >> net.ipv4.conf.default.log_martians =3D 1 >> >> net.ipv4.conf.all.arp_filter =3D 1 >> -net.ipv4.conf.all.rp_filter =3D 0 >> +net.ipv4.conf.all.rp_filter =3D 2 >> net.ipv4.conf.all.accept_redirects =3D 0 >> net.ipv4.conf.all.accept_source_route =3D 0 >> net.ipv4.conf.all.log_martians =3D 1 >> --=20 >> 2.31.1 >=20 --===============4478368443379944367==--