Yes, that helps - thx a lot.
2018-01-16 20:08 GMT+01:00 Maximilian Wilhelm <m...@rfc2324.org>:
> Anno domini 2018 Mike Neo scripsit:
>
> > Hi,
> >
> > could you tell me what is the best practice for sysctl.conf configuration
> > (2 or 3 bgp peers, possible asym routing)?
>
> What exactly are you looking for?
>
> The first things that come to mind would be
>
> * forwarding enabled
>
> Old style: global option:
>
> net.ipv4.ip_forward = 1
>
> or in the new style (per interface option):
>
> net.ipv4.conf.default.forwarding = 1
> net.ipv4.conf.all.forwarding = 1
>
> If you do not want to enable forwarding on all interfaces, you could
> just add the interfaces you care about to that list (instead of "all"
> and "default"), but beware that this will only have an effect on
> interfaces already created before sysctls are applied. Therefore this
> would be risky when we are talking about some kind of tunnels like
> OpenVPN / Wireguard / IPsec, etc. which might be recreated while the
> system is running.
>
> Also beware that for IPv6 there only is the new style config:
>
> net.ipv6.conf.default.forwarding = 1
> net.ipv6.conf.all.forwarding = 1
>
> When using the new style, you probably want to have both settings
> to be safe in all scenarios (interfaces which already are present
> when sysctl is applied + interfaces which (re)emerge later).
>
> * rp_filter disabled
>
> Similar to the forwarding setting there is reverse path filtering
>
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.all.rp_filter = 0
>
> which has to be disabled at least on the interfaces which could be
> involved in asymmetric routing. Please make sure to provide some
> other means of BCP38 (like netfilter) to make sure your routers
> prevent people from spoofing source IPs as early as possible.
>
> * Ignore ICMP redirects
>
> When your routers are the only ones in a potentially untrusted
> network, you probably want to ignore ICMP redirects sent to your
> boxes, to prevent MITM attacks:
>
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv6.conf.default.accept_redirects = 0
> net.ipv6.conf.all.accept_redirects = 0
>
> Hope that helps
>
> Best
> Max
> --
> Progress means taking a step in such a way
> that you can still take the next one.
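As an added example (not part of the thread), the baseline Max lists can be checked mechanically before a sysctl.conf is rolled out to a router: the script below parses a sysctl.conf-style file, accepts either the old-style `net.ipv4.ip_forward` switch or both new-style forwarding keys, requires both the "all" and "default" variants for IPv6 forwarding, rp_filter and accept_redirects, and reminds the operator that rp_filter = 0 needs a netfilter BCP38 rule instead. The two sample files, the function names and the `mktemp` paths are constructed for the demonstration.

```shell
# Added example, not from the thread: audit a sysctl.conf-style file against the router
# baseline in Max's reply. Keys may be written with "." or "/", as sysctl accepts both.
sysctl_get() {  # effective value of key $2 in file $1 (last assignment wins, like sysctl)
    key=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # escape dots for the regex
    grep -v '^[[:space:]]*[#;]' "$1" | tr '/' '.' |
        sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" | tail -n 1
}
check_key() {  # key $2 in file $1 must equal $3; returns 1 when it differs or is unset
    got=$(sysctl_get "$1" "$2")
    [ "$got" = "$3" ] && { echo "ok   $2 = $got"; return 0; }
    echo "FAIL $2 = ${got:-<unset>} (want $3)"; return 1
}
audit_sysctl_conf() {  # audit file $1; the return value is the number of violations
    f=$1; bad=0
    if [ "$(sysctl_get "$f" net.ipv4.ip_forward)" = 1 ]; then
        echo "ok   net.ipv4.ip_forward = 1 (old-style global switch)"
    else  # new style needs both: "all" for existing interfaces, "default" for later ones
        for k in net.ipv4.conf.default.forwarding net.ipv4.conf.all.forwarding; do
            check_key "$f" "$k" 1 || bad=$((bad + 1)); done
    fi
    for k in net.ipv6.conf.default.forwarding net.ipv6.conf.all.forwarding; do
        check_key "$f" "$k" 1 || bad=$((bad + 1)); done   # IPv6 has only the new style
    for k in net.ipv4.conf.default.rp_filter net.ipv4.conf.all.rp_filter; do
        check_key "$f" "$k" 0 || bad=$((bad + 1)); done   # needed for asymmetric routing
    for k in net.ipv4.conf.default.accept_redirects net.ipv4.conf.all.accept_redirects \
             net.ipv6.conf.default.accept_redirects net.ipv6.conf.all.accept_redirects; do
        check_key "$f" "$k" 0 || bad=$((bad + 1)); done   # ignore ICMP redirects (MITM)
    [ "$(sysctl_get "$f" net.ipv4.conf.all.rp_filter)" = 0 ] &&
        echo "note rp_filter is off: enforce BCP38 with netfilter source-address filtering"
    return "$bad"
}
# Constructed sample files: one meeting the baseline, one with typical gaps.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat >"$GOOD_CONF" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.rp_filter = 0
net/ipv4/conf/all/rp_filter = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
EOF
printf '%s\n' 'net.ipv4.conf.all.forwarding = 1' 'net.ipv4.conf.all.rp_filter = 1' \
               'net.ipv6.conf.all.forwarding = 0' >"$BAD_CONF"
audit_sysctl_conf "$GOOD_CONF"
audit_sysctl_conf "$BAD_CONF" || echo "$? violation(s) in the second file"
```

The second file shows the trap Max warns about: only the "all" forwarding key is set, so interfaces created after sysctl runs (tunnels, for instance) would not forward, and the audit flags the missing "default" key along with the other gaps.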