On 06.11.2015 at 16:43, Johannes Ernst wrote:
> On Nov 6, 2015, at 1:09, Reindl Harald <[email protected]> wrote:
>> defaults should have security in mind, …
>
> IMHO the current behavior is actually less secure:
no, it may be unpredictable, going by the descriptions below, but for sure not less secure
> If I set net.ipv4.ip_forward=1, I intentionally set forwarding on all interfaces, as documented in countless tutorials, so it's very unlikely I didn't mean to do that.
depends on the number of networks:

NIC1: wan
NIC2: lan with forwarding / nat
NIC3: SIP phones

NIC3 shouldn't forward because SIP phones connected to an Asterisk typically don't need to touch the internet directly in either direction
> But if I set net.ipv4.ip_forward=1 in /etc/sysctl.d, and it only works sometimes and on some interfaces, I do have a security problem because it may come on when I least expect it. For example, when I execute systemctl restart systemd-sysctl. (Because networkd doesn't actually "manage" the interface, it only sets certain attributes at certain times, which can still be changed outside of networkd any time. If net.ipv4.ip_forward were turned into a read-only setting, for example, that would be different.)
well, because the sysctl stuff was unpredictable years ago, I solved that by simply calling "sysctl -p" after the network is up and never touching "systemd-sysctl"
[root@srv-rhsoft:~]$ cat /etc/systemd/system/sysctl-post-network.service
[Unit]
Description=apply settings after network
After=network.service systemd-networkd.service network-online.target openvpn.service hostapd.service network-wlan-bridge.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/sysctl -p
ExecStartPost=/usr/sbin/ifconfig wan -multicast -allmulti txqueuelen 100
StandardOutput=null

[Install]
WantedBy=multi-user.target
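The disagreement above is really about which switch is authoritative: the kernel keeps a global net.ipv4.ip_forward and a per-interface net.ipv4.conf.<iface>.forwarding, and writing the global one rewrites every per-interface value, while anything that later touches a single interface leaves the global value unchanged. The following check, an added example that is not part of the thread or of systemd, reads both and reports whether the per-interface state still matches the global switch. The sysctl root is a parameter (/proc/sys on a live host) so the functions can also be run against a constructed directory tree; the function names and the "sip"/"wan"/"lan" interface names in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report where IPv4 forwarding is actually enabled.
# ROOT is the sysctl tree (/proc/sys on a live system); it is a parameter
# so the functions can be exercised against a constructed tree.

# Print "<iface> <0|1>" for every interface under ROOT/net/ipv4/conf,
# skipping the "all" and "default" pseudo-entries, which are not interfaces.
list_forwarding() {
    root=${1:-/proc/sys}
    for f in "$root"/net/ipv4/conf/*/forwarding; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        case "$iface" in all|default) continue ;; esac
        printf '%s %s\n' "$iface" "$(cat "$f")"
    done
}

# Return 0 when every real interface agrees with the global switch,
# 1 otherwise. A mismatch is exactly the "comes on when I least expect it"
# case: net.ipv4.ip_forward no longer tells you which interfaces forward,
# and the next "sysctl -p" (or systemd-sysctl restart) will silently
# overwrite the per-interface values with the global one.
forwarding_consistent() {
    root=${1:-/proc/sys}
    global=$(cat "$root/net/ipv4/ip_forward")
    list_forwarding "$root" | while read -r iface value; do
        [ "$value" = "$global" ] || {
            echo "mismatch: $iface forwarding=$value, global ip_forward=$global" >&2
            exit 1
        }
    done
}

# Usage on a live host: sh forwarding-check.sh [sysctl-root]
# Example output for the three-NIC setup discussed above (wan/lan forwarding,
# sip not): "wan 1", "lan 1", "sip 0", followed by a mismatch line because
# the global switch is 1 while sip is 0.
root=${1:-/proc/sys}
if [ -r "$root/net/ipv4/ip_forward" ]; then
    list_forwarding "$root"
    forwarding_consistent "$root" && echo "per-interface forwarding matches net.ipv4.ip_forward"
fi
```

Running this right after boot and again after a systemd-sysctl restart shows whether the global setting or an interface-level change won; the mismatch case is the one to watch for on a box where one NIC (the SIP segment in the example) is meant to stay non-forwarding.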
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
