Bug 132006 - Suggestion: Disallow source routed packets by default
Summary: Suggestion: Disallow source routed packets by default
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: initscripts
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-09-07 19:36 UTC by Troels Arvin
Modified: 2014-03-17 02:48 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2004-11-17 08:32:52 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Troels Arvin 2004-09-07 19:36:54 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Gecko/20040808 Firefox/0.9.3

Description of problem:
Fedora's default /etc/sysctl.conf disallows ip forwarding by default,
and it turns on the rp_filter sanity checks. That's nice.

However, I believe that sysctl.conf should also contain a line like this:
net.ipv4.conf.default.accept_source_route = 0

I've looked over various articles about source routed packets, and
they all suggest that an operating system should normally be
configured to drop them (openbsd and recent Solaris versions drops
them by default, I've heard - while Linux and Windows don't drop such
packets). Except for certain debugging purposes, handling of source
routed packets seem to be relevant only in some large
router-installations, it seems.

Source routed packets are bad because they can be used for IP spoofing.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Check out /etc/sysctl.conf in any recent version of the initscript
package, and check out the value of
/proc/sys/net/ipv4/conf/default/accept_source_route on a fresh Fedora
installation (don't know about pre-RH62 installations).

Additional info:

Comment 1 Troels Arvin 2004-11-17 08:33:53 UTC
Bug report was for FC2. Seems fixed in FC3, thanks.


Note You need to log in before you can comment on or make changes to this bug.