Provide network-related hardening options via sysctl's #279
adrelanos merged 7 commits into Kicksecure:master from raja-grewal:arp
https://github.com/k4yt3x/sysctl/blob/master/sysctl.conf is using is that better or worse than ?
It should be technically the same as per #261. The simplified syntax is cleaner and covers all network interfaces in a single line. See also other sources:
But does it also cover newly brought-up interfaces, or only interfaces that existed at the time systemd-sysctl ran?
Yes, is equivalent to and also explicitly encompasses all other interfaces such as Basically, using Therefore, I think it is fair to say the setting applies to all interfaces at all times. Additionally, based on my testing the setting works fine and does not have a bug like
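The question raised above, whether a setting written under net.ipv4.conf.all also covers interfaces brought up after systemd-sysctl ran, can be checked directly against the kernel's per-interface knobs rather than argued from syntax. The script below is an added example and is not code from this PR or from security-misc. It assumes the documented semantics of drop_gratuitous_arp: the kernel drops gratuitous ARP on an interface when either conf.all or conf.<iface> is 1 (IN_DEV_ORCONF in net/ipv4/arp.c), while conf.default is only the template copied into interfaces created later. The ROOT argument and the make_constructed_tree helper are conveniences of this example so it runs without root privileges or real interfaces; pass /proc/sys/net/ipv4/conf to check a live system.

```shell
#!/bin/sh
# Added example for this PR discussion (not code from the PR or from
# security-misc). Verifies that gratuitous ARP is dropped on every existing
# interface and that interfaces created later will inherit the setting.
#
# Assumed kernel semantics (ip-sysctl docs; IN_DEV_ORCONF in net/ipv4/arp.c):
#   effective(iface) = conf.all.drop_gratuitous_arp OR conf.<iface>.drop_gratuitous_arp
#   conf.default.*   = template copied into interfaces created after the write
# ROOT is a convenience of this example: /proc/sys/net/ipv4/conf on a live
# system, or a constructed tree for offline testing.

# read_knob ROOT IFACE -> value of drop_gratuitous_arp for IFACE (0 if absent)
read_knob() {
    cat "$1/$2/drop_gratuitous_arp" 2>/dev/null || echo 0
}

# effective_drop_garp ROOT IFACE -> prints 1 if gratuitous ARP is dropped on IFACE
effective_drop_garp() {
    if [ "$(read_knob "$1" all)" = 1 ] || [ "$(read_knob "$1" "$2")" = 1 ]; then
        echo 1
    else
        echo 0
    fi
}

# check_all_interfaces ROOT -> returns 0 if every existing interface drops
# gratuitous ARP and future interfaces will too; returns 1 otherwise
check_all_interfaces() {
    root=$1
    rc=0
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        if [ "$(effective_drop_garp "$root" "$iface")" = 1 ]; then
            echo "ok   $iface: gratuitous ARP dropped"
        else
            echo "FAIL $iface: gratuitous ARP accepted"
            rc=1
        fi
    done
    # An interface created later starts from conf.default and is still OR'ed with conf.all.
    if [ "$(read_knob "$root" all)" = 1 ] || [ "$(read_knob "$root" default)" = 1 ]; then
        echo "ok   future interfaces: covered"
    else
        echo "FAIL future interfaces: neither conf.all nor conf.default is 1"
        rc=1
    fi
    return $rc
}

# make_constructed_tree ROOT ALL DEFAULT [IFACE=VALUE ...]
# Builds a constructed fake tree with the layout of /proc/sys/net/ipv4/conf.
make_constructed_tree() {
    root=$1; all=$2; dflt=$3; shift 3
    mkdir -p "$root/all" "$root/default"
    echo "$all" > "$root/all/drop_gratuitous_arp"
    echo "$dflt" > "$root/default/drop_gratuitous_arp"
    for spec in "$@"; do
        mkdir -p "$root/${spec%%=*}"
        echo "${spec#*=}" > "$root/${spec%%=*}/drop_gratuitous_arp"
    done
}

# Stand-alone demo on a constructed tree (no root privileges needed).
# wlan0 models an interface that already existed when only conf.default was set.
demo=$(mktemp -d)
make_constructed_tree "$demo" 0 1 eth0=1 wlan0=0
check_all_interfaces "$demo" || echo "-> conf.default alone misses the pre-existing wlan0"
echo 1 > "$demo/all/drop_gratuitous_arp"   # the net.ipv4.conf.all form
check_all_interfaces "$demo" && echo "-> conf.all covers existing and future interfaces"
rm -rf "$demo"
```

On a live system run `check_all_interfaces /proc/sys/net/ipv4/conf` after `systemd-sysctl` has applied the drop-in, then create a new interface (a dummy or veth device) and run it again; with the conf.all form both runs should report every interface as covered.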
Based largely on https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf, I think providing these options may be useful in certain scenarios. Whether any of them should be enabled by default is not something I am currently ready to propose. Any and all feedback is appreciated.
After testing these settings myself, I think they could be applied by default moving forward. This, however, will be done in separate PRs for each
I think the urgency of utilising https://github.com/mullvad/mullvadvpn-app/blob/main/audits/2024-12-10-X41-D-Sec.md#mllvd-cr-24-03-virtual-ip-address-of-tunnel-device-leaks-to-network-adjacent-participant-severity-medium
Provide option to drop gratuitous ARP packets.
Observed no issues using the sysctl in my own testing.

Changes
Currently commented-out.
Can enable the sysctl after comprehensive testing.