fff-network: Disable source address filtering #127

Closed
fbl wants to merge 1 commits from fbl/firmware:rpfilter into master
Owner

Source address filtering (RFC3704) can be used to mitigate source
address spoofing. However, strict mode only works when routes are
strictly symmetric. If routes are asymmetric, it can happen that
the best route to the source address of a packet is via a different
interface.

Because there is no guarantee that routes have to be symmetric in the
Freifunk Franken backbone network, we cannot use strict mode. Because
default routes are used in the Freifunk Franken backbone, loose mode
could be used, but does not make any sense. Instead, revert back to the
kernel default setting, which currently is 0 (disabled).

While this change affects both layer3 and node variant, nothing changes
for the node firmware, because it does not forward packets.

Fixes: #123

Signed-off-by: Fabian Bläse <fabian@blaese.de>
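
The reasoning in the description above can be reproduced with a simplified model of the RFC 3704 reverse-path check. This is an added example, not code from the pull request or the firmware; the routing table, interface names (`wg-gw`, `wg-peer-a`, `wg-peer-b`) and addresses are constructed for illustration.

```python
import ipaddress

# Constructed FIB of a hypothetical backbone router: (prefix, interface).
# Interface names and addresses are made up for this example.
ROUTES = [
    ("0.0.0.0/0", "wg-gw"),          # default route
    ("10.50.0.0/16", "wg-peer-a"),   # our best path to 10.50/16 is via peer A
    ("10.50.40.0/24", "wg-peer-b"),
]

def best_route(src, routes):
    """Longest-prefix match: interface of the best route to src, or None."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def rp_filter_accepts(mode, src, in_iface, routes):
    """Simplified reverse-path check. mode: 0 disabled, 1 strict, 2 loose."""
    if mode == 0:
        return True
    out_iface = best_route(src, routes)
    if mode == 1:                      # strict: reverse path must use in_iface
        return out_iface == in_iface
    if mode == 2:                      # loose: any route to src is enough
        return out_iface is not None
    raise ValueError(f"unknown rp_filter mode {mode}")

# Constructed packets: (description, source address, incoming interface).
PACKETS = [
    ("legitimate, asymmetric path", "10.50.1.7", "wg-peer-b"),
    ("legitimate, symmetric path", "10.50.1.7", "wg-peer-a"),
    ("spoofed source", "203.0.113.9", "wg-peer-a"),
]

def verdicts(routes):
    """Map each packet description to its (strict, loose) accept decision."""
    return {d: (rp_filter_accepts(1, s, i, routes), rp_filter_accepts(2, s, i, routes))
            for d, s, i in PACKETS}

if __name__ == "__main__":
    for label, table in (("with default route", ROUTES), ("without", ROUTES[1:])):
        print(label)
        for desc, (strict, loose) in verdicts(table).items():
            print(f"  {desc:30} strict={strict!s:5} loose={loose}")
```

Strict mode rejects the legitimate packet that arrives over the asymmetric path, while loose mode only rejects the spoofed source once the default route is removed from the table.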

fbl added this to the 20210218 milestone 2021-02-18 01:14:45 +01:00
fbl added the bug, layer3 labels 2021-02-18 01:14:45 +01:00
fbl self-assigned this 2021-02-18 01:14:45 +01:00
fbl added 1 commit 2021-02-18 01:14:46 +01:00
818d0d1210 fff-network: Disable source address filtering
Member
Reviewed-by: Christian Dresel <freifunk@dresel.systems>
ChristianD approved these changes 2021-02-18 08:07:50 +01:00
Author
Owner

applied.
fbl closed this pull request 2021-02-18 23:21:55 +01:00

Pull request closed