Red Hat Bugzilla – Bug 132006
Suggestion: Disallow source routed packets by default
Last modified: 2014-03-16 22:48:00 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Description of problem:
Fedora's default /etc/sysctl.conf disallows ip forwarding by default,
and it turns on the rp_filter sanity checks. That's nice.
However, I believe that sysctl.conf should also contain a line like this:
net.ipv4.conf.default.accept_source_route = 0
I've looked over various articles about source routed packets, and
they all suggest that an operating system should normally be
configured to drop them (openbsd and recent Solaris versions drops
them by default, I've heard - while Linux and Windows don't drop such
packets). Except for certain debugging purposes, handling of source
routed packets seem to be relevant only in some large
router-installations, it seems.
Source routed packets are bad because they can be used for IP spoofing.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Check out /etc/sysctl.conf in any recent version of the initscript
package, and check out the value of
/proc/sys/net/ipv4/conf/default/accept_source_route on a fresh Fedora
installation (don't know about pre-RH62 installations).
Bug report was for FC2. Seems fixed in FC3, thanks.