sysctl.conf

Mike Neo neomikemac at gmail.com
Tue Jan 16 20:23:27 CET 2018


Yes, that helps - thx a lot.


2018-01-16 20:08 GMT+01:00 Maximilian Wilhelm <max at rfc2324.org>:

> Anno domini 2018 Mike Neo scripsit:
>
> Hi,
>
> > could you tell me what is the best practice for sysctl.conf configuration
> > (2 or 3 bgp peers, possible asym routing)?
>
> What exactly are you looking for?
>
> The first things that come to mind would be
>
>   * forwarding enabled
>
>     Old style: global option:
>
>       net.ipv4.ip_forward = 1
>
>     or in the new style (per interface option):
>
>       net.ipv4.conf.default.forwarding = 1
>       net.ipv4.conf.all.forwarding = 1
>
>     If you do not want to enable forwarding on all interfaces, you could
>     just add the interfaces you care about to that list (instead of "all"
>     and "default"), but beware that this will only have an effect on
>     interfaces already created before sysctls are applied. Therefore this
>     would be risky when we are talking about some kind of tunnels like
>     OpenVPN / Wireguard / IPsec, etc. which might be recreated while the
>     system is running.
>
>     Also beware that for IPv6 there is only the new style config:
>
>       net.ipv6.conf.default.forwarding = 1
>       net.ipv6.conf.all.forwarding = 1
>
>
>     When using the new style, you probably want to have both settings
>     to be safe in all scenarios (interfaces which already are present
>     when sysctl is applied + interfaces which (re)emerge later).
>
>
>   * rp_filter disabled
>
>     Similar to the forwarding setting there is reverse path filtering
>
>       net.ipv4.conf.default.rp_filter = 0
>       net.ipv4.conf.all.rp_filter = 0
>
>     which has to be disabled at least on the interfaces which could be
>     involved in asymmetric routing. Please make sure to provide some
>     other means of BCP38 (like netfilter) to make sure your routers
>     prevent people from spoofing source IPs as early as possible.
>
>
>   * Ignore ICMP redirects
>
>     When your routers are the only ones in a potentially untrusted
>     network, you probably want to ignore ICMP redirects sent to your
>     boxes, to prevent MITM attacks:
>
>       net.ipv4.conf.default.accept_redirects = 0
>       net.ipv4.conf.all.accept_redirects = 0
>       net.ipv6.conf.default.accept_redirects = 0
>       net.ipv6.conf.all.accept_redirects = 0
>
>
> Hope that helps
>
> Best
> Max
> --
> Progress means taking a step in such a way
> that you can still take the next one.
>
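The settings Max lists above, as an added shell example that is not from the original thread or from BIRD itself: one function renders the sysctl fragment (always "default" and "all", plus any named interfaces), one audits the running kernel's /proc/sys values against it and reports interfaces that do not exist yet (the case where a per-interface sysctl silently never applied), and one renders an nftables ruleset for the BCP38 source filtering recommended in place of rp_filter. The interface names, prefixes, the SYSCTL_ROOT variable and the script file name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the bird-users thread or from BIRD.
# Renders the router sysctls discussed in the reply, audits a running
# kernel against them, and renders a netfilter BCP38 ruleset.
# Needs only POSIX sh plus a Linux /proc/sys tree for the audit.

# Render a sysctl.conf fragment. "default" and "all" are always emitted so
# that interfaces which (re)appear after the fragment is applied (tunnels,
# VPN devices) are covered; extra interface names are appended as the
# per-interface (new style) keys.
render_router_sysctl() {
    # Old-style global IPv4 switch from the post; harmless next to the new style.
    echo 'net.ipv4.ip_forward = 1'
    for scope in default all "$@"; do
        cat <<EOF
net.ipv4.conf.$scope.forwarding = 1
net.ipv6.conf.$scope.forwarding = 1
net.ipv4.conf.$scope.rp_filter = 0
net.ipv4.conf.$scope.accept_redirects = 0
net.ipv6.conf.$scope.accept_redirects = 0
EOF
    done
}

# Compare every key the fragment sets with the value the kernel reports.
# SYSCTL_ROOT (assumed variable name) defaults to /proc/sys; point it at a
# copied tree for offline testing. Prints one line per problem and returns
# 1 if there were any:
#   MISSING  <key>                 interface does not exist (yet); a sysctl
#                                  for it cannot have applied
#   MISMATCH <key> want=X have=Y   running value differs from the fragment
# Keys are mapped to paths by turning '.' into '/', so an interface name
# containing a dot (vlan.10) would need the sysctl '/' escape instead.
audit_router_sysctl() {
    root=${SYSCTL_ROOT:-/proc/sys}
    rc=0
    while IFS= read -r line; do
        key=${line%% = *}
        want=${line##* = }
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING $key"
            rc=1
        else
            have=$(cat "$path")
            [ "$have" = "$want" ] || { echo "MISMATCH $key want=$want have=$have"; rc=1; }
        fi
    done <<EOF
$(render_router_sysctl "$@")
EOF
    return $rc
}

# BCP38 without rp_filter: an nftables ruleset that drops packets entering
# IFACE whose source address is outside the prefixes routed behind it.
# Arguments: interface name, then any mix of IPv4 and IPv6 prefixes.
render_bcp38_nft() {
    iface=$1; shift
    v4=''; v6=''
    for p in "$@"; do
        case $p in
            *:*) v6="$v6${v6:+, }$p" ;;
            *)   v4="$v4${v4:+, }$p" ;;
        esac
    done
    echo 'table inet bcp38 {'
    echo '    chain ingress {'
    echo '        type filter hook prerouting priority -300; policy accept;'
    [ -n "$v4" ] && echo "        iifname \"$iface\" ip saddr != { $v4 } counter drop"
    [ -n "$v6" ] && echo "        iifname \"$iface\" ip6 saddr != { $v6 } counter drop"
    echo '    }'
    echo '}'
}

# Usage as a script (file name and interfaces are placeholders):
#   sh router-sysctl.sh render eth0 eth1 > /etc/sysctl.d/90-router.conf
#   sh router-sysctl.sh audit  eth0 eth1
#   sh router-sysctl.sh bcp38  eth1 192.0.2.0/24 2001:db8:1::/48 | nft -f -
case ${1:-} in
    render) shift; render_router_sysctl "$@" ;;
    audit)  shift; audit_router_sysctl "$@" ;;
    bcp38)  shift; render_bcp38_nft "$@" ;;
esac
```

Running the audit after a tunnel interface comes up is the practical check for the caveat in the reply: a WireGuard or OpenVPN device created after `sysctl --system` ran shows up as MISSING until the fragment is re-applied (or the "all"/"default" keys cover it), and a distro default such as rp_filter=1 on a peering interface shows up as a MISMATCH before asymmetric return traffic is dropped.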