Re: [systemd-devel] ip forwarding
On 06.11.2015 at 16:43, Johannes Ernst wrote:
> On Nov 6, 2015, at 1:09, Reindl Harald <h.rei...@thelounge.net> wrote:
>> defaults should have security in mind, …
>
> IMHO the current behavior is actually less secure:

no, it may be unpredictable by the descriptions below, but for sure not
less secure

> If I set net.ipv4.ip_forward=1, I intentionally set forwarding on all
> interfaces, as documented in countless tutorials, so it’s very unlikely
> I didn’t mean to do that.

depends on the number of networks

  NIC1: wan
  NIC2: lan with forwarding / nat
  NIC3: SIP phones

NIC3 shouldn't forward, because SIP phones connected to an asterisk
typically don't need to touch the internet directly in any direction

> But if I set net.ipv4.ip_forward=1 in /etc/sysctl.d, and it only works
> sometimes and on some interfaces, I do have a security problem because
> it may come on when I least expect it. For example, when I execute
> systemctl restart systemd-sysctl. (Because networkd doesn’t actually
> “manage” the interface, it only sets certain attributes at certain
> times, which can still be changed outside of networkd any time. If
> net.ipv4.ip_forward were turned into a read-only setting, for example,
> that would be different.)

well, because the sysctl stuff was unpredictable years ago i solved that
by simply calling "sysctl -p" after the network is up and never touching
"systemd-sysctl"

  [root@srv-rhsoft:~]$ cat /etc/systemd/system/sysctl-post-network.service
  [Unit]
  Description=apply settings after network
  After=network.service systemd-networkd.service network-online.target openvpn.service hostapd.service network-wlan-bridge.service

  [Service]
  Type=oneshot
  RemainAfterExit=yes
  ExecStart=/usr/sbin/sysctl -p
  ExecStartPost=/usr/sbin/ifconfig wan -multicast -allmulti txqueuelen 100
  StandardOutput=null

  [Install]
  WantedBy=multi-user.target

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] ip forwarding
> On Nov 6, 2015, at 1:09, Reindl Harald wrote:
>
> defaults should have security in mind, …

IMHO the current behavior is actually less secure:

If I set net.ipv4.ip_forward=1, I intentionally set forwarding on all
interfaces, as documented in countless tutorials, so it’s very unlikely
I didn’t mean to do that.

But if I set net.ipv4.ip_forward=1 in /etc/sysctl.d, and it only works
sometimes and on some interfaces, I do have a security problem because
it may come on when I least expect it. For example, when I execute
systemctl restart systemd-sysctl. (Because networkd doesn’t actually
“manage” the interface, it only sets certain attributes at certain
times, which can still be changed outside of networkd any time. If
net.ipv4.ip_forward were turned into a read-only setting, for example,
that would be different.)

Cheers,

Johannes.
Re: [systemd-devel] ip forwarding
Johannes Ernst [2015-11-05 23:11 -0800]:
> This makes my point. The default = 0 is counter intuitive and costs much time
> for the lucky ones among us who can figure it out. The rest will just give
> up...

It's less counter-intuitive, but the problem is that it breaks a lot of
existing tools that expect that the global kernel settings actually work.
Note that this was discussed recently already here, but rejected:

  https://github.com/systemd/systemd/issues/1411

Thus at least CoreOS and Ubuntu now change the default to "kernel", which
pretty much DTRT. (I'm still pondering doing that in Debian too). If you
don't explicitly configure it in your .network then the global setting is
applied, and as that defaults to 0 the "secure by default" aspect is also
satisfied.

Martin

--
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer (www.debian.org)
Re: [systemd-devel] ip forwarding
On 06.11.2015 at 10:20, Mantas Mikulėnas wrote:
> On Fri, Nov 6, 2015 at 11:09 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
>> On 06.11.2015 at 08:11, Johannes Ernst wrote:
>>> This makes my point. The default = 0 is counter intuitive and costs
>>> much time for the lucky ones among us who can figure it out. The rest
>>> will just give up...
>>
>> defaults should have security in mind, most setups don't need it
>> enabled and the ones which will just give up don't understand what
>> they are doing anyways and so better don't mess with it
>
> The _kernel_ default is also 0 anyway, for both global and per-interface
> settings. The problem is that now you cannot _enable_ it via the usual
> routes (sysctl) anymore, because networkd mindlessly overrides that.
>
> As a long-time sysadmin, surely you wouldn't like your explicit
> configuration having been broken that way?

ok, *that* must not happen, the place for such settings is sysctl.conf or
/etc/sysctl.d/
Re: [systemd-devel] ip forwarding
On Fri, Nov 6, 2015 at 11:09 AM, Reindl Harald wrote:
>
> On 06.11.2015 at 08:11, Johannes Ernst wrote:
>
>> This makes my point. The default = 0 is counter intuitive and costs much
>> time for the lucky ones among us who can figure it out. The rest will just
>> give up...
>
> defaults should have security in mind, most setups don't need it enabled
> and the ones which will just give up don't understand what they are doing
> anyways and so better don't mess with it

The _kernel_ default is also 0 anyway, for both global and per-interface
settings. The problem is that now you cannot _enable_ it via the usual
routes (sysctl) anymore, because networkd mindlessly overrides that.

As a long-time sysadmin, surely you wouldn't like your explicit
configuration having been broken that way?

--
Mantas Mikulėnas
Re: [systemd-devel] ip forwarding
On 06.11.2015 at 08:11, Johannes Ernst wrote:
> This makes my point. The default = 0 is counter intuitive and costs much
> time for the lucky ones among us who can figure it out. The rest will
> just give up...

defaults should have security in mind, most setups don't need it enabled
and the ones which will just give up don't understand what they are doing
anyways and so better don't mess with it (no i am not a systemd developer
but developer and sysadmin for many years)

> On Nov 5, 2015, at 22:32, Peter Paule wrote:
>
>> Hi Johannes,
>>
>> I had the same problem, I even wrote an article about that
>> (https://www.fedux.org/articles/2015/09/09/having-no-fun-with-rubygems-systemd-docker-and-networking.html).
>>
>> I think, you use `systemd-networkd`. Correct? The behaviour is
>> documented in "systemd.network-manual".
>>
>> Note: unless this option is turned on, or set to “kernel”, no IP
>> forwarding is done on this interface, even if this is globally turned
>> on in the kernel, with the net.ipv4.ip_forward,
>> net.ipv4.conf.all.forwarding, and net.ipv6.conf.all.forwarding sysctl
>> options.
>>
>> It took me by surprise, too. But a new tool needs some learning.
>> Unfortunately. Though I would suggest to add some example to the manual
>> `systemd.network` or at least add a comment like that
Re: [systemd-devel] ip forwarding
This makes my point. The default = 0 is counter intuitive and costs much
time for the lucky ones among us who can figure it out. The rest will
just give up...

Sent from my iPad.

> On Nov 5, 2015, at 22:32, Peter Paule wrote:
>
> Hi Johannes,
>
> I had the same problem, I even wrote an article about that
> (https://www.fedux.org/articles/2015/09/09/having-no-fun-with-rubygems-systemd-docker-and-networking.html).
>
> I think, you use `systemd-networkd`. Correct? The behaviour is documented
> in "systemd.network-manual".
>
> Note: unless this option is turned on, or set to “kernel”, no IP
> forwarding is done on this interface, even if this is globally turned on
> in the kernel, with the net.ipv4.ip_forward,
> net.ipv4.conf.all.forwarding, and net.ipv6.conf.all.forwarding sysctl
> options.
>
> It took me by surprise, too. But a new tool needs some learning.
> Unfortunately. Though I would suggest to add some example to the manual
> `systemd.network` or at least add a comment like that.
>
> ~~~
> Example 2. /etc/systemd/network/80-dhcp.network
>
> [Match]
> Name=en*
>
> [Network]
> DHCP=yes
> # enable ip forwarding for that interface, defaults to "no"
> # IPForward=yes
> ~~~
>
> Cheers,
> Dennis
>
> Excerpts from Johannes Ernst's message of 2015-11-05 16:08:26 -0800:
>> TL;DR: I propose to have IPForward default to “no change”, rather than 0, as
>> 0 has unexpected consequences for non-expert users.
>>
>> Details: A few months ago there were some threads about ip_forwarding
>> needing a toggle from 1 to 0 and back to 1 before it would work. [1][2][3]
>>
>> It appears I found the reason for this. With "net.ipv4.ip_forward = 1” in
>> sysctl.d, after a fresh boot:
>>
>>> for i in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/*/forwarding; do echo -n $i: ; cat $i; done
>> /proc/sys/net/ipv4/ip_forward:1
>> /proc/sys/net/ipv4/conf/all/forwarding:1
>> /proc/sys/net/ipv4/conf/default/forwarding:1
>> /proc/sys/net/ipv4/conf/enp0s3/forwarding:0    <= Why?
>> /proc/sys/net/ipv4/conf/lo/forwarding:1
>>
>> If I then do the toggle dance:
>>
>>> sysctl net.ipv4.ip_forward=0
>>> sysctl net.ipv4.ip_forward=1
>>
>> I get what I expected in the first place:
>>
>> /proc/sys/net/ipv4/ip_forward:1
>> /proc/sys/net/ipv4/conf/all/forwarding:1
>> /proc/sys/net/ipv4/conf/default/forwarding:1
>> /proc/sys/net/ipv4/conf/enp0s3/forwarding:1
>> /proc/sys/net/ipv4/conf/lo/forwarding:1
>>
>> Adding net.ipv4.conf.enp0s3.forwarding = 1 to sysctl.d does not have the
>> desired effect.
>>
>> Turns out my innocent-looking .network file is the culprit:
>>
>> [Match]
>> Name=en*
>>
>> [Network]
>> DHCP=ipv4
>>
>> Without that file, after boot the enp0s3 flag remains 1 as expected.
>>
>> The problem: I thought I created that file to say “get an IP address via
>> DHCP” because that’s all it talks about. But due to the IPForward default, I
>> also specified “and turn off ip forwarding”, which is non-obvious (e.g. I
>> just found out, and I originally ran into this in June). So I suggest the
>> default should be “don’t touch this setting” instead of 0.
>>
>> Cheers,
>>
>> Johannes.
>>
>> [1] http://lists.freedesktop.org/archives/systemd-devel/2015-June/033239.html
>> [2] http://lists.freedesktop.org/archives/systemd-devel/2015-July/033738.html
>> [3] https://github.com/systemd/systemd/issues/468
Re: [systemd-devel] ip forwarding
Hi Johannes,

I had the same problem, I even wrote an article about that
(https://www.fedux.org/articles/2015/09/09/having-no-fun-with-rubygems-systemd-docker-and-networking.html).

I think, you use `systemd-networkd`. Correct? The behaviour is documented
in "systemd.network-manual".

Note: unless this option is turned on, or set to “kernel”, no IP
forwarding is done on this interface, even if this is globally turned on
in the kernel, with the net.ipv4.ip_forward,
net.ipv4.conf.all.forwarding, and net.ipv6.conf.all.forwarding sysctl
options.

It took me by surprise, too. But a new tool needs some learning.
Unfortunately. Though I would suggest to add some example to the manual
`systemd.network` or at least add a comment like that.

~~~
Example 2. /etc/systemd/network/80-dhcp.network

[Match]
Name=en*

[Network]
DHCP=yes
# enable ip forwarding for that interface, defaults to "no"
# IPForward=yes
~~~

Cheers,
Dennis

Excerpts from Johannes Ernst's message of 2015-11-05 16:08:26 -0800:
> TL;DR: I propose to have IPForward default to “no change”, rather than 0, as
> 0 has unexpected consequences for non-expert users.
>
> Details: A few months ago there were some threads about ip_forwarding
> needing a toggle from 1 to 0 and back to 1 before it would work. [1][2][3]
>
> It appears I found the reason for this. With "net.ipv4.ip_forward = 1” in
> sysctl.d, after a fresh boot:
>
>> for i in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/*/forwarding; do echo -n $i: ; cat $i; done
> /proc/sys/net/ipv4/ip_forward:1
> /proc/sys/net/ipv4/conf/all/forwarding:1
> /proc/sys/net/ipv4/conf/default/forwarding:1
> /proc/sys/net/ipv4/conf/enp0s3/forwarding:0    <= Why?
> /proc/sys/net/ipv4/conf/lo/forwarding:1
>
> If I then do the toggle dance:
>
>> sysctl net.ipv4.ip_forward=0
>> sysctl net.ipv4.ip_forward=1
>
> I get what I expected in the first place:
>
> /proc/sys/net/ipv4/ip_forward:1
> /proc/sys/net/ipv4/conf/all/forwarding:1
> /proc/sys/net/ipv4/conf/default/forwarding:1
> /proc/sys/net/ipv4/conf/enp0s3/forwarding:1
> /proc/sys/net/ipv4/conf/lo/forwarding:1
>
> Adding net.ipv4.conf.enp0s3.forwarding = 1 to sysctl.d does not have the
> desired effect.
>
> Turns out my innocent-looking .network file is the culprit:
>
> [Match]
> Name=en*
>
> [Network]
> DHCP=ipv4
>
> Without that file, after boot the enp0s3 flag remains 1 as expected.
>
> The problem: I thought I created that file to say “get an IP address via
> DHCP” because that’s all it talks about. But due to the IPForward default, I
> also specified “and turn off ip forwarding”, which is non-obvious (e.g. I
> just found out, and I originally ran into this in June). So I suggest the
> default should be “don’t touch this setting” instead of 0.
>
> Cheers,
>
> Johannes.
>
> [1] http://lists.freedesktop.org/archives/systemd-devel/2015-June/033239.html
> [2] http://lists.freedesktop.org/archives/systemd-devel/2015-July/033738.html
> [3] https://github.com/systemd/systemd/issues/468
[systemd-devel] ip forwarding
TL;DR: I propose to have IPForward default to “no change”, rather than 0, as
0 has unexpected consequences for non-expert users.

Details: A few months ago there were some threads about ip_forwarding
needing a toggle from 1 to 0 and back to 1 before it would work. [1][2][3]

It appears I found the reason for this. With "net.ipv4.ip_forward = 1” in
sysctl.d, after a fresh boot:

  > for i in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/conf/*/forwarding; do echo -n $i: ; cat $i; done
  /proc/sys/net/ipv4/ip_forward:1
  /proc/sys/net/ipv4/conf/all/forwarding:1
  /proc/sys/net/ipv4/conf/default/forwarding:1
  /proc/sys/net/ipv4/conf/enp0s3/forwarding:0    <= Why?
  /proc/sys/net/ipv4/conf/lo/forwarding:1

If I then do the toggle dance:

  > sysctl net.ipv4.ip_forward=0
  > sysctl net.ipv4.ip_forward=1

I get what I expected in the first place:

  /proc/sys/net/ipv4/ip_forward:1
  /proc/sys/net/ipv4/conf/all/forwarding:1
  /proc/sys/net/ipv4/conf/default/forwarding:1
  /proc/sys/net/ipv4/conf/enp0s3/forwarding:1
  /proc/sys/net/ipv4/conf/lo/forwarding:1

Adding net.ipv4.conf.enp0s3.forwarding = 1 to sysctl.d does not have the
desired effect.

Turns out my innocent-looking .network file is the culprit:

  [Match]
  Name=en*

  [Network]
  DHCP=ipv4

Without that file, after boot the enp0s3 flag remains 1 as expected.

The problem: I thought I created that file to say “get an IP address via
DHCP” because that’s all it talks about. But due to the IPForward default, I
also specified “and turn off ip forwarding”, which is non-obvious (e.g. I
just found out, and I originally ran into this in June). So I suggest the
default should be “don’t touch this setting” instead of 0.

Cheers,

Johannes.

[1] http://lists.freedesktop.org/archives/systemd-devel/2015-June/033239.html
[2] http://lists.freedesktop.org/archives/systemd-devel/2015-July/033738.html
[3] https://github.com/systemd/systemd/issues/468
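Added example, not part of the thread and not systemd's own code: a POSIX shell audit that reads the same files as the loop in the original post, but instead of dumping every value it reports only the interfaces whose conf/<iface>/forwarding flag disagrees with the global net.ipv4.ip_forward. It covers both directions of the thread's concern: the case shown above (global 1, one interface silently left at 0 by a .network file) and the reverse case Johannes raises later (global 0, but forwarding enabled on an interface). The optional ROOT argument and the mk_fake_proc helper are assumptions made here so the audit can also run against a constructed directory tree rather than only the live /proc.

```shell
#!/bin/sh
# Added example, not from the thread or from systemd: audit per-interface
# IPv4 forwarding against the global net.ipv4.ip_forward value.
#
# forwarding_mismatches [ROOT]
#   ROOT defaults to /proc/sys/net/ipv4; accepting another directory is an
#   assumption made here so the audit can run against a constructed tree.
#   Prints one line per interface whose conf/<iface>/forwarding differs from
#   ROOT/ip_forward. "all" and "default" are pseudo-entries and are skipped.
forwarding_mismatches() {
    root=${1:-/proc/sys/net/ipv4}
    [ -r "$root/ip_forward" ] || return 0
    global=$(cat "$root/ip_forward")
    for f in "$root"/conf/*/forwarding; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        case "$iface" in all|default) continue ;; esac
        val=$(cat "$f")
        if [ "$val" = "$global" ]; then
            continue
        fi
        if [ "$global" = 1 ]; then
            # the symptom from this thread: the global setting says forward,
            # but a per-interface override (e.g. a .network file without
            # IPForward=) left this interface off
            echo "$iface: forwarding=$val while ip_forward=1 (per-interface override, e.g. a .network file without IPForward=)"
        else
            # the reverse: forwarding is on here although the global setting says off
            echo "$iface: forwarding=$val while ip_forward=0 (forwarding enabled although the global setting is off)"
        fi
    done
    return 0
}

# count_forwarding_mismatches [ROOT]: number of mismatching interfaces
# (0 means every interface agrees with ip_forward)
count_forwarding_mismatches() {
    forwarding_mismatches "$1" | wc -l | tr -d ' \n'
}

# mk_fake_proc ROOT GLOBAL IFACE=VAL...: build a constructed stand-in for
# /proc/sys/net/ipv4 containing only ip_forward and conf/*/forwarding
# (an assumption of this example, so it can run offline and in tests)
mk_fake_proc() {
    fake=$1; shift
    mkdir -p "$fake/conf"
    printf '%s\n' "$1" > "$fake/ip_forward"; shift
    for pair in "$@"; do
        mkdir -p "$fake/conf/${pair%%=*}"
        printf '%s\n' "${pair#*=}" > "$fake/conf/${pair%%=*}/forwarding"
    done
}

# Stand-alone run: reproduce the constructed state from the original post
# (ip_forward=1, enp0s3 at 0), then audit the live system if /proc is readable.
demo=$(mktemp -d)
mk_fake_proc "$demo" 1 all=1 default=1 enp0s3=0 lo=1
echo "constructed sample from the original post:"
forwarding_mismatches "$demo"
echo "mismatches: $(count_forwarding_mismatches "$demo")"
rm -rf "$demo"
echo "live system:"
forwarding_mismatches /proc/sys/net/ipv4
echo "mismatches: $(count_forwarding_mismatches /proc/sys/net/ipv4)"
```

Run it with no arguments after boot, and again after a `systemctl restart systemd-sysctl` or a networkd reconfiguration; a non-empty report means some layer (a .network file, a sysctl drop-in, a manual `sysctl` call) has set a per-interface flag that no longer matches the global intent, which is exactly the silent state the thread is about.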