On Thu, Oct 17, 2019 at 10:33:41PM -0600, Theo de Raadt wrote:
> > Setting net.inet.ip.check_interface=1 on FreeBSD stopped any ICMP Echo
> > replies immediately.
> >
> > On NetBSD I set net.inet.ip.checkinterface=1 and it showed the same
> > behaviour as FreeBSD. No replies anymore, whenever the "wrong"
> > interface was contacted.
>
> How many users set those variables?
>
> A global seems a misguided place to establish such a policy.
>
> If it was good and necessary for everyone on all interfaces and had no
> downsides, they would have turned it on. But they didn't.
>
> A similar feature "urpf-failed" which is more nuanced is available in
> pf.conf, and you can properly use it on a per-interface basis, also
> selecting to do so based on other per-rule options, rather than having
> a 'global rule'.
>
> Something blocked FreeBSD or NetBSD from turning this into the default.
> What was that reason -- was it too damaging?
>
> (I'm going to assume the people with so-called 'strong' views didn't win
> the battle, and the so-called 'weak' view prevailed, probably because
> the 'strong' option created breakage and prevents the dominant
> operational model of Getting-Shit-Done. That's why I ask how many
> people in real life subscribe to the 'strong' view by turning on this
> option in FreeBSD/NetBSD. 3 people or is it 2? In my experience,
> everyone is so busy getting on about their lives they don't flip any
> knobs which don't provide an immediately confirmable and necessary
> value).
>
>      from source port source os source to dest port dest
>          This rule applies only to packets with the specified source and
>          destination addresses and ports.
>
>          Addresses can be specified in CIDR notation (matching netblocks),
>          as symbolic host names, interface names or interface group names,
>          or as any of the following keywords:
>
>          any             Any address.
>          no-route        Any address which is not currently routable.
>          route label     Any address matching the given route(8) label.
>          self            Expands to all addresses assigned to all interfaces.
>          <table>         Any address matching the given table.
>          urpf-failed     Any source address that fails a unicast reverse path
>                          forwarding (URPF) check, i.e. packets coming in on
>                          an interface other than that which holds the route
>                          back to the packet's source address.
>
> Convince us we should change to the strong model, and I'll embrace it.
>
> You won't convince us to make a global which people don't understand...
>

This "strong" model is a bad fit for routers. When this model is needed we
have pf (antispoof or urpf-failed). Alternatively rdomains can be used (put
a network interface with management services on it in a separate rdomain).

Remi
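An added example, not part of the thread or of any poster's configuration, of the per-interface alternative Theo and Remi describe: a constructed pf.conf fragment that applies the reverse-path check only on the interface where it is wanted, and uses antispoof for the management network, instead of flipping a global sysctl. The interface names em0 (upstream) and em1 (management LAN) are assumptions.

```pf
# Constructed pf.conf fragment (example, not from the thread).
# Interface names em0 (upstream) and em1 (management LAN) are assumed.
ext_if  = "em0"
mgmt_if = "em1"

# Per-interface reverse-path check: drop packets arriving on the upstream
# interface whose source address routes back out some other interface.
# Logged, so a rule that bites a legitimate asymmetric path shows up on
# pflog0 rather than as a host that silently stops answering (the symptom
# the FreeBSD/NetBSD global knob produced in the quoted test).
block in quick log on $ext_if from urpf-failed to any

# Narrower variant, if only one protocol should be subject to the check:
# urpf-failed combines with ordinary per-rule options (proto, port, os)
# rather than being all-or-nothing.
# block in quick log on $ext_if inet proto icmp from urpf-failed to any

# antispoof: pf expands this into block rules for packets that arrive on any
# other interface but claim a source address from the management network.
antispoof log quick for $mgmt_if

# The remaining policy is ordinary: management SSH is reachable only from
# the management network, via the management interface itself.
pass in on $mgmt_if inet proto tcp from $mgmt_if:network to ($mgmt_if) port 22
pass out quick on $ext_if
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and after loading inspect `pfctl -sr` to see the rules the antispoof line expanded to; dropped packets can be watched with `tcpdump -n -e -ttt -i pflog0`. For the rdomain approach Remi mentions, the management interface is moved into its own routing domain with `ifconfig em1 rdomain 1` (see ifconfig(8)), so services bound there never see, or answer, traffic that arrived on the upstream interface.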