Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide network-related hardening options via sysctl's #279

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Provide network-related hardening options via sysctl's #279

wants to merge 6 commits into from

Conversation

raja-grewal
Copy link
Contributor

@raja-grewal raja-grewal commented Nov 8, 2024
edited
Loading

Provide option to drop gratuitous ARP packets.

Observed no issues using the systcl in my own testing.

Changes

Currently commented-out.

Can enable the systcl after comprehensive testing.

Mandatory Checklist

  • Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

@adrelanos
Copy link
Member

https://github.com/k4yt3x/sysctl/blob/master/sysctl.conf is using

net.ipv4.conf.default.drop_gratuitous_arp = 1
net.ipv4.conf.all.drop_gratuitous_arp = 1

is that better or worse than

net.ipv4.conf.*.drop_gratuitous_arp=1

?

@raja-grewal
Copy link
Contributor Author

It should be technically the same as per #261.

The simplified syntax is cleaner and covers all network interfaces in a single line.

See also other sources:
https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf (cntrl+f search drop_gratuitous)
https://ato-pathways.com/catalogs/xccdf/items/15921

@adrelanos
Copy link
Member

But does it also cover newly brought up interfaces or only interfaces that existed at the time of systemd-sysctl?

@raja-grewal
Copy link
Contributor Author

Yes,

net.ipv4.conf.*.drop_gratuitous_arp=1

is equivalent to

net.ipv4.conf.default.drop_gratuitous_arp=1
net.ipv4.conf.all.drop_gratuitous_arp=1

and also explicitly encompasses all other interfaces such as

net.ipv4.conf.lo.drop_gratuitous_arp=1
net.ipv4.conf.wlan0.drop_gratuitous_arp=1

Basically, using *, covers all interfaces a user might have in /proc/sys/net/ipv4/conf/.

Therefore, I think it is fair to say the setting applies to all interfaces at all times.

Additionally, based on my testing the setting works fine and does not have a bug like rp_filter, see #261 (comment).

@raja-grewal raja-grewal changed the title Provide option to drop gratuitous ARP packets Provide network-related hardening options via sysctl's Nov 13, 2024
@raja-grewal
Copy link
Contributor Author

Based largely on https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf, I think providing these options may be useful in certain scenarios.

Whether any of them should be enabled by default is not something I am currently ready to propose.

Any and all feedback is appreciated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@raja-grewal @adrelanos