[systemd-devel] ip forwarding

Johannes Ernst johannes.ernst at gmail.com
Fri Nov 6 07:43:27 PST 2015

> On Nov 6, 2015, at 1:09, Reindl Harald <h.reindl at thelounge.net> wrote:
> defaults should have security in mind, …

IMHO the current behavior is actually less secure:

If I set net.ipv4.ip_forward=1, I intentionally set forwarding on all interfaces, as documented in countless tutorials, so it’s very unlikely I didn’t mean to do that.

But if I set net.ipv4.ip_forward=1 in /etc/sysctl.d, and it only works sometimes and on some interfaces, I do have a security problem because it may come on when I least expect it. For example, when I execute systemctl restart systemd-sysctl.

(Because networkd doesn’t actually “manage” the interface, it only sets certain attributes at certain times, which can still be changed outside of networkd any time. If net.ipv4.ip_forward were turned into a read-only setting, for example, that would be different.)



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20151106/0babf7ec/attachment.html>

More information about the systemd-devel mailing list