[systemd-devel] ip forwarding
Johannes Ernst
johannes.ernst at gmail.com
Fri Nov 6 07:43:27 PST 2015
> On Nov 6, 2015, at 1:09, Reindl Harald <h.reindl at thelounge.net> wrote:
>
> defaults should have security in mind, …
IMHO the current behavior is actually less secure:
If I set net.ipv4.ip_forward=1, I intentionally set forwarding on all interfaces, as documented in countless tutorials, so it’s very unlikely I didn’t mean to do that.
But if I set net.ipv4.ip_forward=1 in /etc/sysctl.d, and it only works sometimes and on some interfaces, I do have a security problem because it may come on when I least expect it. For example, when I execute systemctl restart systemd-sysctl.
(Because networkd doesn’t actually “manage” the interface, it only sets certain attributes at certain times, which can still be changed outside of networkd any time. If net.ipv4.ip_forward were turned into a read-only setting, for example, that would be different.)
Cheers,
Johannes.
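As an added example (not from this thread or from systemd itself): a POSIX shell audit helper that compares the global net.ipv4.ip_forward value with each interface's net.ipv4.conf.<iface>.forwarding, so forwarding that was switched on outside of networkd (for example after a systemd-sysctl restart) shows up as a mismatch. The optional root-directory argument, the MISMATCH output format and the function name are my own choices; by default it reads the live /proc/sys tree.

```shell
#!/bin/sh
# Added audit helper, not part of the original thread or of systemd.
# On Linux, net.ipv4.ip_forward is the same switch as
# net.ipv4.conf.all.forwarding; writing it pushes the value to every
# interface, but each net.ipv4.conf.<iface>.forwarding can be changed
# independently afterwards (networkd's per-link IPForward= does that).
# This function reports the global value and each interface's value and
# returns 1 when any interface disagrees with the global setting.
#
# $1: sysctl root directory (defaults to /proc/sys; tests pass a fake tree).
audit_ip_forward() {
    root="${1:-/proc/sys}"
    global=$(cat "$root/net/ipv4/ip_forward" 2>/dev/null) || return 2
    echo "global=$global"
    rc=0
    for dir in "$root"/net/ipv4/conf/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        # "all" mirrors the global switch and "default" only seeds new links.
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/forwarding" ] || continue
        val=$(cat "$dir/forwarding")
        if [ "$val" != "$global" ]; then
            echo "MISMATCH $iface=$val"
            rc=1
        else
            echo "$iface=$val"
        fi
    done
    return $rc
}

# Report on the live system when run directly; skipped where /proc/sys is absent.
[ -d /proc/sys/net/ipv4 ] && audit_ip_forward || true
```

A non-zero exit status from the function is the signal to alert on; pairing it with a timer or a hook after `systemctl restart systemd-sysctl` catches the case described above.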