sysctl.conf
Maximilian Wilhelm
max at rfc2324.org
Tue Jan 16 20:08:25 CET 2018
In the year 2018, Mike Neo wrote:
Hi,
> could you tell me what is the best practice for sysctl.conf configuration
> (2 or 3 bgp peers, possible asym routing)?
What exactly are you looking for?
The first things that come to mind would be
* forwarding enabled
Old style: global option:
net.ipv4.ip_forward = 1
or in the new style (per interface option):
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.forwarding = 1
If you do not want to enable forwarding on all interfaces, you could
just add the interfaces you care about to that list (instead of "all"
and "default"), but beware that this will only have an effect on
interfaces already created before sysctls are applied. Therefore this
would be risky when we are talking about some kind of tunnels like
OpenVPN / Wireguard / IPsec / etc. which might be recreated while the
system is running.
Also beware that for IPv6 there only is the new style config:
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
When using the new style, you probably want to have both settings
to be safe in all scenarios (interfaces which already are present
when sysctl is applied + interfaces which (re)emerge later).
* rp_filter disabled
Similar to the forwarding setting there is reverse path filtering
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
which has to be disabled at least on the interfaces which could be
involved in asymmetric routing. Please make sure to provide some
other means of BCP38 (like netfilter) to make sure your routers
prevent people from spoofing source IPs as early as possible.
* Ignore ICMP redirects
When your routers are the only ones in a potentially untrusted
network, you probably want to ignore ICMP redirects sent to your
boxes, to prevent MITM attacks:
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
Hope that helps
Best
Max
--
Progress means taking a step in such a way
that you can still take the next one.
More information about the Bird-users mailing list
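An added example, not part of Max's mail or of BIRD: a small POSIX sh audit that checks a router's running sysctl state against the keys listed above (new-style forwarding for IPv4 and IPv6, rp_filter off, ICMP redirects ignored). It assumes input in the "key = value" form printed by `sysctl -a` (a sysctl.conf with "key=value" is accepted too) and only looks at the `all` and `default` keys from the mail, not at per-interface entries. The `audit_sysctl` function and the sample file are mine; the sample is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the mail: audit sysctl output against the
# settings Max lists. Input is a file of "key = value" lines as printed
# by `sysctl -a`; every key in EXPECTED must be present with that value.

# Expected key=value pairs from the mail. The old-style net.ipv4.ip_forward
# is left out on purpose, since the new-style keys below cover IPv4 as well.
EXPECTED='net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0'

# audit_sysctl FILE
# Prints one line per missing or mismatched key and returns the number of
# deviations as its exit status (0 means FILE matches EXPECTED).
audit_sysctl() {
    file=$1
    bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Escape the dots so the key matches literally. Accept "key = 1"
        # (sysctl -a) and "key=1" (sysctl.conf); the last occurrence wins,
        # as it does when sysctl applies a file.
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        got=$(sed -n "s/^${key_re}[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$file" | tail -n 1)
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $want)"
            bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key = $got (want $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample (not a real capture): forwarding is on, but rp_filter
# was left at a strict distribution default and the IPv6 redirect keys are
# missing, so four deviations are expected.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
EOF

audit_sysctl "$SAMPLE"
echo "deviations: $?"
# On a live router: sysctl -a > /tmp/sysctl.now && audit_sysctl /tmp/sysctl.now
```

A clean result only says the `all` and `default` keys are right; interfaces that existed before the sysctls were applied keep whatever value they had, which is the reason Max recommends setting both. A passing rp_filter check also does not replace the BCP38 filtering he asks for, since the audit merely confirms the kernel's own check is off.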