Description of Problem:
The default /etc/sysctl.conf as distributed with RedHat 7.1 leaves the machine open to IP spoofing attacks but lulls the user into a false sense that it does not. In particular the file contains these lines:

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

However, this doesn't really have any effect at the time the sysctl.conf is processed since the interfaces have not been brought up yet. To be effective, in addition to the above rule, you also need

net.ipv4.conf.default.rp_filter = 1

Basically, the system behaves exactly as configured, but the comment makes you think you have more protection than you actually do based on the order in which things are evaluated, etc.

How Reproducible:
always reproducible

Steps to Reproduce:
Configure three machines as follows:

box1 eth0: a.a.a.2
router eth0: a.a.a.1
router eth1: b.b.b.1
box2 eth1: b.b.b.2

On router, no ipchains/iptables settings are needed. IP forwarding should be enabled (by setting sys.net.ipv4.ip_forward = 1 or by directly manipulating the file in /proc).

Run tcpdump -n icmp on all three machines.

On box1:
ifconfig eth0:0 b.b.b.2 up
ping b.b.b.1 -I b.b.b.2

Actual Results:
box1 shows echo requests from b.b.b.1 to b.b.b.2
router shows echo requests from b.b.b.1 to b.b.b.2 coming in through eth0 and echo replies from b.b.b.2 to b.b.b.1 going out through eth1.
box2 shows echo replies from b.b.b.2 to b.b.b.1

Of course, the ping doesn't work, but the point is that the router accepts packets with b source addresses on eth0. /proc/sys/net/ipv4/conf/eth[01]/rp_filter are both 0 on the router.

Expected Results:
Well, the above is actually what is expected given the configuration, but the comment leads you to believe that you are protected. Once you enable rp_filter, you get the message

From b.b.b.2: Destination Host Unreachable

which is what you would expect.

Additional Information:
Add sys.net.ipv4.conf.default.rp_filter = 1 in /etc/sysctl.conf and reboot.
Then the above ping setup fails and the only icmp packets you see are those generated on box1. box2 sees nothing, and router drops the packets. You can verify by setting /proc/sys/net/ipv4/conf/eth0/log_martians to 1 and checking /var/log/messages. Note that when changing these dynamically, it may be necessary to run ip route flush cache to have the changes take effect. It took me a while to realize this. I finally found mention of it in the linux-net.org mailing list archives. Rebooting is not necessary to effect the change, but the reason for doing this and rebooting is to make sure that the proper protections are enabled immediately after the machine boots and that filtering is not disabled at any time during the boot process. Doing a continuous ping from box1 through a reboot cycle of the router does in fact show that with default.rp_filter = 1 and all.rp_filter = 1, there is no opening for an IP spoofing attack.
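As an added example, not part of this bug report or of Red Hat's sysctl.conf, the POSIX shell function below audits the state the report describes: it reads conf/all, conf/default and every per-interface rp_filter value under a /proc/sys/net/ipv4/conf-style tree and reports which interfaces are actually filtered. On the 2.4 kernels of the RedHat 7.1 era an interface is filtered only when both conf/all/rp_filter and conf/<iface>/rp_filter are non-zero (later kernels take the larger of the two), which is exactly why all=1 with default=0 leaves eth0 and eth1 open on the router. The make_fake_tree helper builds a constructed temporary tree mirroring the reported state so the audit can be run offline; the function names, the CONF_ROOT argument and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): audit reverse-path filtering
# state under a /proc/sys/net/ipv4/conf-style tree.
#
# rp_filter_audit [CONF_ROOT]
#   Prints all/default values and one line per interface, then returns the
#   number of interfaces on which filtering is NOT in effect (0 = all good).
#   2.4-era rule assumed here: effective only if all != 0 AND <iface> != 0.
rp_filter_audit() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$root/all/rp_filter")
    dflt=$(cat "$root/default/rp_filter")
    printf 'all=%s default=%s\n' "$all" "$dflt"
    # default=0 means any interface brought up later starts unfiltered,
    # which is the ordering problem the bug report describes.
    [ "$dflt" -ne 0 ] || printf 'warning: default=0, interfaces brought up later start unfiltered\n'
    weak=0
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default|lo) continue ;; esac
        v=$(cat "$dir/rp_filter")
        if [ "$all" -ne 0 ] && [ "$v" -ne 0 ]; then
            eff=on
        else
            eff=off
            weak=$((weak + 1))
        fi
        printf '%s rp_filter=%s effective=%s\n' "$iface" "$v" "$eff"
    done
    return "$weak"
}

# make_fake_tree
#   Builds a constructed sample tree in a temp directory that mirrors the
#   reported router: all=1 from sysctl.conf, default=0, so eth0 and eth1
#   came up with rp_filter=0.  Prints the tree's path.
make_fake_tree() {
    root=$(mktemp -d)
    for d in all default eth0 eth1 lo; do
        mkdir -p "$root/$d"
    done
    echo 1 > "$root/all/rp_filter"
    echo 0 > "$root/default/rp_filter"
    echo 0 > "$root/eth0/rp_filter"
    echo 0 > "$root/eth1/rp_filter"
    echo 1 > "$root/lo/rp_filter"
    echo "$root"
}

# Usage on a live box:     rp_filter_audit; echo "unprotected: $?"
# Usage with the sample:   demo=$(make_fake_tree); rp_filter_audit "$demo"
```

Run against the constructed tree the audit reports eth0 and eth1 as effective=off and returns 2; after setting both interface values to 1 (or after a reboot with default.rp_filter = 1 in /etc/sysctl.conf, as the report recommends) it returns 0. Remember the report's note that on a running system the kernel may need ip route flush cache before a change is visible in behaviour.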
Note: I accidentally typed sys.net.ipv4.... instead of net.ipv4..... in some places in the above. Sorry about that. It should always be net.ipv4.... -- I assume the person to whom this bug will be assigned will be familiar enough with /proc/sys, sysctl, etc. to understand my bug report even if there are a couple of typos, though I apologize for that. If this seems not to hold up, let me know -- I have definitely performed the exact experiment I described with my real ip addresses instead of a.a.a and b.b.b....
Will be fixed in 6.13-1 - thanks!