[systemd-devel] ip forwarding

Reindl Harald h.reindl at thelounge.net
Fri Nov 6 07:55:01 PST 2015



Am 06.11.2015 um 16:43 schrieb Johannes Ernst:
>> On Nov 6, 2015, at 1:09, Reindl Harald <h.reindl at thelounge.net
>> <mailto:h.reindl at thelounge.net>> wrote:
>>
>> defaults should have security in mind, …
>
> IMHO the current behavior is actually less secure:

no, it may be unpredictable by the descriptions below but for sure not 
less secure

> If I set net.ipv4.ip_forward=1, I intentionally set forwarding on all
> interfaces, as documented in countless tutorials, so it’s very unlikely
> I didn’t mean to do that.

depends on the number of networks

NIC1: wan
NIC2: lan with forwarding / nat
NIC3: SIP phones

NIC3 shouldn't forward because SIP phones connected to an asterisk 
typically don't need to touch the internet directly in any direction

> But if I set net.ipv4.ip_forward=1 in /etc/sysctl.d, and it only works
> sometimes and on some interfaces, I do have a security problem because
> it may come on when I least expect it. For example, when I execute
> systemctl restart systemd-sysctl.
>
> (Because networkd doesn’t actually “manage” the interface, it only sets
> certain attributes at certain times, which can still be changed outside
> of networkd any time. If net.ipv4.ip_forward were turned into a
> read-only setting, for example, that would be different.)

well, because the sysctl stuff was unpredictable years ago I solved that 
by simply calling "sysctl -p" after the network is up and never touching 
"systemd-sysctl"

[root at srv-rhsoft:~]$ cat /etc/systemd/system/sysctl-post-network.service
[Unit]
Description=apply settings after network
After=network.service systemd-networkd.service network-online.target openvpn.service hostapd.service network-wlan-bridge.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/sysctl -p
ExecStartPost=/usr/sbin/ifconfig wan -multicast -allmulti txqueuelen 100
StandardOutput=null

[Install]
WantedBy=multi-user.target
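
The disagreement above is about per-interface state: the global net.ipv4.ip_forward sysctl flips /proc/sys/net/ipv4/conf/*/forwarding for every interface, while networkd's IPForward= writes only the per-interface entry, so the effective state of a box like the three-NIC example can drift after a sysctl reload. The following POSIX shell script is an added example, not code from the thread or from systemd: it audits the per-interface forwarding files against an allow-list of interfaces that are meant to forward and reports any mismatch. The directory layout under a root argument mirrors /proc/sys; the interface names wan, lan and sip and the sample tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit per-interface IPv4 forwarding
# against an allow-list, so a global net.ipv4.ip_forward=1 or a later
# "systemctl restart systemd-sysctl" does not silently turn forwarding on
# for an interface that should never route (the SIP-phone NIC in the thread).
#
# forwarding_violations ROOT "iface1 iface2 ..."
#   ROOT   - directory containing net/ipv4/conf/<iface>/forwarding
#            (/proc/sys on a live system; a constructed tree in the demo)
#   2nd arg - space-separated interfaces that MAY forward (assumed names)
# Prints one line per interface whose state differs from the allow-list and
# returns 1 if any such interface was found, 0 otherwise.
forwarding_violations() {
    root=$1
    allowed=" $2 "
    found=0
    for f in "$root"/net/ipv4/conf/*/forwarding; do
        [ -f "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are kernel pseudo-entries, not real interfaces
        case "$iface" in all|default) continue ;; esac
        read -r state < "$f"
        case "$allowed" in
            *" $iface "*) want=1 ;;
            *)            want=0 ;;
        esac
        if [ "$state" != "$want" ]; then
            echo "$iface forwarding=$state expected=$want"
            found=1
        fi
    done
    return $found
}

# Constructed sample tree (not a real /proc/sys): the thread's three-NIC box
# after a global net.ipv4.ip_forward=1, i.e. every interface forwards,
# including the SIP one that should not.
make_sample_tree() {
    dir=$(mktemp -d)
    for iface in all default wan lan sip; do
        mkdir -p "$dir/net/ipv4/conf/$iface"
        echo 1 > "$dir/net/ipv4/conf/$iface/forwarding"
    done
    echo "$dir"
}

# Demo run against the constructed tree; only wan and lan may forward.
sample=$(make_sample_tree)
forwarding_violations "$sample" "wan lan" || echo "forwarding drift detected"
```

On a live system the call is `forwarding_violations /proc/sys "wan lan"`; running it from a timer or from an ExecStartPost= of a unit like the one above gives a cheap check that the intended per-interface policy actually survived the last sysctl reload.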
