Bug 132006 - Suggestion: Disallow source routed packets by default
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: initscripts
rawhide
All Linux
medium Severity medium
Assigned To: Bill Nottingham
Brock Organ
: FutureFeature
Reported: 2004-09-07 15:36 EDT by Troels Arvin
Modified: 2014-03-16 22:48 EDT
Doc Type: Enhancement
Last Closed: 2004-11-17 03:32:52 EST
Description Troels Arvin 2004-09-07 15:36:54 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Gecko/20040808 Firefox/0.9.3

Description of problem:
Fedora's default /etc/sysctl.conf disallows IP forwarding by default,
and it turns on the rp_filter sanity checks. That's nice.

However, I believe that sysctl.conf should also contain a line like this:
net.ipv4.conf.default.accept_source_route = 0

I've looked over various articles about source routed packets, and
they all suggest that an operating system should normally be
configured to drop them (OpenBSD and recent Solaris versions drop
them by default, I've heard - while Linux and Windows don't drop such
packets). Except for certain debugging purposes, handling of source
routed packets seems to be relevant only in some large
router installations, it seems.

Source routed packets are bad because they can be used for IP spoofing.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Check out /etc/sysctl.conf in any recent version of the initscripts
package, and check out the value of
/proc/sys/net/ipv4/conf/default/accept_source_route on a fresh Fedora
installation (don't know about pre-RH62 installations).

Additional info:
Comment 1 Troels Arvin 2004-11-17 03:33:53 EST
Bug report was for FC2. Seems fixed in FC3, thanks.
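
Added example (not part of the bug report or of the initscripts package): a shell check for the two things the reproduction steps look at, the setting in a sysctl.conf-style file and the runtime values under /proc/sys/net/ipv4/conf. The function names are this example's own, and the paths are parameters so the check can also be run against constructed files.

```shell
#!/bin/sh
# Added example: audit accept_source_route in a sysctl.conf-style file and in
# a /proc/sys/net/ipv4/conf-style directory. Function names are hypothetical.

# Print the value a sysctl.conf-style file assigns to a key. The last
# assignment wins; comment lines are skipped. Prints "unset" if absent.
conf_value() {
    awk -F= -v key="$1" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k == key) val = v
        }
        END { print (val == "" ? "unset" : val) }
    ' "$2"
}

# Print "name=value" for every entry (all, default, each interface) whose
# runtime accept_source_route is not 0.
runtime_offenders() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for f in "$root"/*/accept_source_route; do
        [ -r "$f" ] || continue
        v=$(cat "$f")
        [ "$v" = "0" ] || echo "$(basename "$(dirname "$f")")=$v"
    done
}

# Return 0 only if the file sets the default to 0 and no runtime entry
# still accepts source routed packets.
audit_source_route() {
    conf=${1:-/etc/sysctl.conf}
    root=${2:-/proc/sys/net/ipv4/conf}
    rc=0
    v=$(conf_value net.ipv4.conf.default.accept_source_route "$conf")
    if [ "$v" != "0" ]; then
        echo "CONFIG: net.ipv4.conf.default.accept_source_route is $v in $conf"
        rc=1
    fi
    bad=$(runtime_offenders "$root")
    if [ -n "$bad" ]; then
        echo "RUNTIME: accept_source_route not 0 for:" $bad
        rc=1
    fi
    return $rc
}
```

Calling audit_source_route with no arguments checks /etc/sysctl.conf and the live /proc tree.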
