On Fri, Oct 18, 2019 at 07:21:42AM +0200, Remi Locherer wrote:
> On Thu, Oct 17, 2019 at 10:33:41PM -0600, Theo de Raadt wrote:
> > > Setting net.inet.ip.check_interface=1 on FreeBSD stopped any ICMP Echo
> > > replies immediately.
> > > 
> > > On NetBSD I set net.inet.ip.checkinterface=1 and it showed the same
> > > behaviour as FreeBSD. No replies anymore, whenever the "wrong"
> > > interface was contacted.
> > 
> > How many users set those variables?
> > 
> > A global seems this is a misguided place to establish such a policy.
> > 
> > If it was good and necessary for everyone on all interfaces and had no
> > downsides, they would have turned it on.  But they didn't.
> > 
> > A similar feature "urpf-failed" which is more nuanced is available in
> > pf.conf, and you can properly use it on a per-interface basis, also
> > selecting to do so based on other per-rule options, rather than having
> > a 'global rule'.
> > 
> > Something blocked FreeBSD or NetBSD from turning this into the default.
> > What was that reason -- was it too damaging?
> > 
> > (I'm going to assume the people with so-called 'strong' views didn't win
> > the battle, and the so-called 'weak' view prevailed, probably because
> > the 'strong' option created breakage and prevents the dominant
> > operational model of Getting-Shit-Done.  That's why I ask how many
> > people in real life subscribe to the 'strong' view by turning on this
> > option in FreeBSD/NetBSD.  3 people or is it 2?  In my experience,
> > everyone is so busy getting on about their lives they don't flip any
> > knobs which don't provide an immediately confirmable and necessary
> > value).
> > 
> >      from source port source os source to dest port dest
> >              This rule applies only to packets with the specified source and
> >              destination addresses and ports.
> > 
> >              Addresses can be specified in CIDR notation (matching netblocks),
> >              as symbolic host names, interface names or interface group names,
> >              or as any of the following keywords:
> > 
> >              any          Any address.
> >              no-route     Any address which is not currently routable.
> >              route label  Any address matching the given route(8) label.
> >              self         Expands to all addresses assigned to all interfaces.
> >              <table>      Any address matching the given table.
> >              urpf-failed  Any source address that fails a unicast reverse path
> >                           forwarding (URPF) check, i.e. packets coming in on
> >                           an interface other than that which holds the route
> >                           back to the packet's source address.
> > 
> > Convince us we should change to the strong model, and I'll embrace it.
> > 
> > You won't convince us to make a global which people don't understand...
> > 
> 
> This "strong" model is a bad fit for routers.
> 
> When this model is needed we have pf (antispoof or urpf-failed).
> Alternatively rdomains can be used (put a network interface with management
> services on it in a separate rdomain).
> 

The BSD systems and IIRC most unix systems have been following the
weak host model. As mentioned the weak model has a lot of benefits.
I see no point in changing this.

-- 
:wq Claudio
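The per-interface alternative that the thread points to (pf's urpf-failed and antispoof, plus rdomains) can be written down as a pf.conf fragment. This is an added illustration, not part of any message in the thread and not taken from the pf.conf manual; the interface names em0 (uplink) and em1 (management) and the choice to expose only ssh on the management side are assumptions.

```pf
# Added example pf.conf fragment (not from the thread).
# Assumed interfaces: em0 is the uplink, em1 carries management services.
ext_if  = "em0"
mgmt_if = "em1"

# Scoped equivalent of the FreeBSD/NetBSD "check interface" sysctls:
# drop packets arriving on the uplink whose source address would be
# routed back out through a different interface (unicast RPF check).
# Because it is a normal rule, it can be limited to one interface,
# combined with other match criteria, and logged for later inspection.
block in quick log on $ext_if from urpf-failed label "urpf-fail"

# antispoof expands into block rules for each directly connected network
# and address of the named interface, i.e. packets claiming a local
# source address but arriving on the wrong interface are dropped.
antispoof log quick for $mgmt_if

# Management services are reachable only via the management interface;
# "self" expands to every address assigned to every interface, so a
# connection to the management address that arrives on the uplink is
# refused rather than answered (the "strong host" behaviour, per service).
block in quick on $ext_if proto tcp to self port 22
pass  in on $mgmt_if proto tcp to self port 22
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -vvsr` afterwards to see the individual block rules that the antispoof line was expanded into. Dropped packets carrying the `log` keyword can be watched with `tcpdump -n -e -ttt -i pflog0`. The rdomain route mentioned above is a different mechanism: `ifconfig em1 rdomain 1` moves the management interface into its own routing domain, so its addresses are simply not present in the routing table the uplink uses, and no packet filter rule is needed to keep the two apart.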
