Control: reassign -1 linux-sysctl-defaults 4.10
Control: tag -1 moreinfo

Better late than never: we now have a package providing a default sysctl configuration file, which will (soon) be added to Depends or Recommends of systemd and procps.
You wrote:
> I think it would be a good idea to use at least the settings below per
> default:
> net.ipv4.conf.all.rp_filter=1

This is (effectively) set to 2 by the new configuration.

> net.ipv4.conf.all.accept_redirects = 0

This is not set by the new configuration. The kernel default for this is the inverse of net.ipv4.conf.all.forwarding, so it will be set on routers but not hosts.

> net.ipv6.conf.all.accept_redirects = 0

This is not set and the kernel default is still 1.

> net.ipv4.conf.all.send_redirects = 0

This is not set and the kernel default is still 1. It's documented to only affect routers but I'm not sure if that's true.

> net.ipv4.conf.all.accept_source_route = 0

This is (effectively) set to 0 by the new configuration.

> net.ipv6.conf.all.accept_source_route = 0

That has always been the kernel default value.

[...]

> 1) The vast majority of Debian installations are NOT used as router

I think this is no longer true: anything hosting VMs or containers that have networking acts as a router.

> 2) It's better to ship hardened settings per default, even if this
> "breaks" some things.
> 3) As the "broken" things are usually special setups (e.g. router)
> people that need them should be aware of what they're doing, and thus be
> able to set the sysctl settings they need.
> The "normal" end-user does usually however not know of these settings,
> their security impact and whether or not he should set them.

I think it can be acceptable to break really unusual configurations if we provide appropriate notification in NEWS and release notes. But like I said, I don't think routers are that rare now. Which of the above would be a problem for routers?

> btw: I'd also suggest to activate syncookies per default, but this is
> already requested in #520668.

This has been the kernel default since 2.6.33.

Ben.

-- 
Ben Hutchings
Power corrupts. Absolute power is kind of neat. - John Lehman
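The settings discussed in this thread are easy to audit on a running system. The script below is an added example, not part of the bug report or of the linux-sysctl-defaults package: it reads `sysctl -a`-style "key = value" lines and reports every setting from the thread whose current value deviates from the hardened value the submitter proposed (rp_filter is accepted at 1 or 2, since the reply notes the new defaults set it to 2). The sample input is constructed to look like a stock host with forwarding off, where, as the reply explains, the kernel default leaves accept_redirects at 1.

```shell
#!/bin/sh
# Added example (not from the bug report): audit sysctl output against the
# hardened values proposed in the thread. Input is in `sysctl -a` format
# ("key = value"), so on a live box you can run:
#   sysctl -a 2>/dev/null | audit_sysctl

# Expected values, one "key pattern" pair per line. The pattern is an ERE
# alternation, so "1|2" accepts strict or loose reverse-path filtering.
EXPECTED='net.ipv4.conf.all.rp_filter 1|2
net.ipv4.conf.all.accept_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv6.conf.all.accept_source_route 0
net.ipv4.tcp_syncookies 1'

# Read "key = value" lines on stdin and print one line per deviating key:
# "key current expected". Keys absent from the input are reported as
# "missing". Prints nothing when every setting is compliant.
audit_sysctl() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], kv, " ")
            want[kv[1]] = kv[2]
        }
    }
    # sysctl -a prints "key = value"; with the default FS, $1 is the key,
    # $2 is "=" and $3 is the value.
    /^[a-z0-9_.]+ *= */ {
        key = $1
        val = $3
        if (key in want) {
            seen[key] = 1
            if (val !~ "^(" want[key] ")$")
                print key, val, want[key]
        }
    }
    END {
        for (k in want)
            if (!(k in seen)) print k, "missing", want[k]
    }' | sort
}

# Constructed sample standing in for a stock host (not real captured output):
# forwarding is off, so the kernel default keeps accept_redirects at 1.
SAMPLE_HOST='net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1'

# Audit the constructed sample: reports the three redirect settings.
printf '%s\n' "$SAMPLE_HOST" | audit_sysctl
```

On the sample, only the three redirect-related keys are reported; rp_filter passes because 2 is accepted, and syncookies passes because the kernel default is already 1. Piping real `sysctl -a` output in gives the same report for the machine at hand, which is a cheap way to confirm what a new default configuration actually changed.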