Closed ghost closed 6 years ago
Interesting! Did you see this recommended anywhere or used ever anywhere else?
Could / should we log this so we notice in case we break anything?
How to test this? Any examples causing such traffic?
//cc @marmarek What do you think? If this is useful, we should also use it for Whonix and maybe even Qubes?
If we are going to use this, we also need this for IPv6, right?
This is done by default by "rp_filter" (reverse-path filter), unless disabled by writing 0 to /proc/sys/net/ipv4/conf/all/rp_filter. It is a simple mechanism that filters packets based on their source addresses and the route table. So, a route table entry of 127.0.0.0/8 dev lo is enough.
For IPv6 apparently this needs to be done at ip6tables level, using rpfilter match.
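The reverse-path check described in the comment above, as an added example that is not part of this thread or the project's code: a small Python model of the three rp_filter values (0 = off, 1 = strict, 2 = loose) run over a constructed routing table. The interface names, prefixes and packet sources are hypothetical, and the model simplifies the kernel's real lookup (no local/main table split, no martian checks), but it shows why a 127.0.0.0/8 route on lo is enough to reject a loopback source arriving on eth0 in strict mode, and why loose mode does not reject it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


# Constructed routing table for a host with two interfaces (hypothetical values).
ROUTES = [
    Route(ipaddress.ip_network("127.0.0.0/8"), "lo"),
    Route(ipaddress.ip_network("10.137.0.0/16"), "eth0"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "wlan0"),
]


def lookup(routes, addr):
    """Longest-prefix match over the table; None when no route covers addr."""
    best = None
    for route in routes:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def rp_filter_verdict(routes, src, ingress, mode):
    """Simplified model of the rp_filter sysctl values.

    0 (off):    no check at all
    1 (strict): the route back to the source must leave via the ingress interface
    2 (loose):  any route back to the source is enough
    """
    if mode == 0:
        return "accept"
    route = lookup(routes, ipaddress.ip_address(src))
    if route is None:
        return "drop"  # unroutable source: dropped by both strict and loose
    if mode == 2:
        return "accept"
    return "accept" if route.dev == ingress else "drop"


if __name__ == "__main__":
    # Constructed packets: (source address, interface it arrived on)
    packets = [
        ("127.0.0.1", "eth0"),
        ("10.137.0.5", "eth0"),
        ("192.168.1.7", "eth0"),
        ("203.0.113.9", "eth0"),
    ]
    for mode in (0, 1, 2):
        for src, dev in packets:
            verdict = rp_filter_verdict(ROUTES, src, dev, mode)
            print(f"rp_filter={mode} src={src} in={dev} -> {verdict}")
```

Running it shows the difference that matters for this discussion: a 127.0.0.1 source arriving on eth0 is dropped only in strict mode (the route back points at lo), while loose mode accepts any source that has some route, and mode 0 accepts everything. Whether a host's interfaces actually run in mode 1 is what the sysctl in /proc/sys/net/ipv4/conf/all/rp_filter (and the per-interface entries beside it) controls.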
I agree, it should be left to the /proc/sys/net/ipv4/conf/all/rp_filter setting. However, I don't know if touching sysctls should be in scope of this project.
In the IPv6 case, as I can't test it, I'm not touching it.
Prevents spoofing