[systemd-devel] ip forwarding
johannes.ernst at gmail.com
Fri Nov 6 07:43:27 PST 2015
> On Nov 6, 2015, at 1:09, Reindl Harald <h.reindl at thelounge.net> wrote:
> defaults should have security in mind, …
IMHO the current behavior is actually less secure:
If I set net.ipv4.ip_forward=1, I intentionally set forwarding on all interfaces, as documented in countless tutorials, so it’s very unlikely I didn’t mean to do that.
But if I set net.ipv4.ip_forward=1 in /etc/sysctl.d, and it only works sometimes and on some interfaces, I do have a security problem because it may come on when I least expect it. For example, when I execute systemctl restart systemd-sysctl.
(Because networkd doesn’t actually “manage” the interface, it only sets certain attributes at certain times, which can still be changed outside of networkd any time. If net.ipv4.ip_forward were turned into a read-only setting, for example, that would be different.)
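As an added illustration of the drift described in this message (example code, not part of the thread or of systemd itself): the script below audits per-interface IPv4 forwarding against the global net.ipv4.ip_forward value, then simulates what a re-applied global sysctl does to an interface that was individually switched off. The function names, the constructed /proc-like directory tree and the interface names eth0/lan0 are assumptions made for the example; on a real host the audit function can be pointed at /proc/sys/net/ipv4 directly.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit IPv4 forwarding per
# interface against the global net.ipv4.ip_forward flag, and show what a
# re-applied global sysctl does to an interface that was individually turned off.
# Paths mirror /proc/sys/net/ipv4; ROOT may point at a constructed tree instead.

# forwarding_audit ROOT
#   Prints one line per real interface. Returns 1 if any interface's
#   conf/<iface>/forwarding differs from ip_forward, 0 if they all agree,
#   2 if ROOT is not readable.
forwarding_audit() {
    root=${1:-/proc/sys/net/ipv4}
    global=$(cat "$root/ip_forward" 2>/dev/null) || return 2
    mismatch=0
    for dir in "$root"/conf/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        case $iface in all|default) continue ;; esac   # templates, not interfaces
        value=$(cat "$dir/forwarding")
        if [ "$value" = "$global" ]; then
            echo "ok        $iface forwarding=$value"
        else
            echo "MISMATCH  $iface forwarding=$value (ip_forward=$global)"
            mismatch=1
        fi
    done
    return $mismatch
}

# reapply_ip_forward ROOT VALUE
#   Mimics what one write to net.ipv4.ip_forward (for example from sysctl.d on
#   "systemctl restart systemd-sysctl") does in the kernel: ip_forward is the
#   "all" entry, and changing it propagates the value to "default" and to every
#   interface. A real /proc tree needs root to write; on the constructed tree
#   the propagation is simulated by writing every forwarding file.
reapply_ip_forward() {
    root=$1; value=$2
    echo "$value" > "$root/ip_forward"
    for f in "$root"/conf/*/forwarding; do
        [ -f "$f" ] || continue
        echo "$value" > "$f"
    done
}

# make_fake_tree ROOT GLOBAL IFACE=VALUE...
#   Builds a constructed directory shaped like /proc/sys/net/ipv4 for offline
#   use; GLOBAL seeds ip_forward, conf/all and conf/default.
make_fake_tree() {
    root=$1; global=$2; shift 2
    mkdir -p "$root/conf/all" "$root/conf/default"
    echo "$global" > "$root/ip_forward"
    echo "$global" > "$root/conf/all/forwarding"
    echo "$global" > "$root/conf/default/forwarding"
    for spec in "$@"; do
        iface=${spec%%=*}; value=${spec#*=}
        mkdir -p "$root/conf/$iface"
        echo "$value" > "$root/conf/$iface/forwarding"
    done
}

# Demo on a constructed tree (interface names are made up): sysctl.d set
# ip_forward=1, then networkd turned forwarding off on lan0 (IPForward=no).
# The audit flags lan0; re-applying the global sysctl turns lan0 back on.
demo=$(mktemp -d)
make_fake_tree "$demo" 1 eth0=1 lan0=0
forwarding_audit "$demo" || echo "-> audit exit $?: per-interface state drifted"
reapply_ip_forward "$demo" 1
forwarding_audit "$demo" && echo "-> audit exit 0: lan0 is forwarding again"
rm -rf "$demo"
```

Run the audit periodically (or from a systemd path unit watching /etc/sysctl.d) if you rely on per-interface forwarding being off while the global flag is on; a non-zero exit is exactly the "it came on when I least expected it" condition.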