
Provide network-related hardening options via sysctl's #279

Merged
adrelanos merged 7 commits into Kicksecure:master from raja-grewal:arp
Dec 19, 2024

Conversation

@raja-grewal
Contributor

@raja-grewal raja-grewal commented Nov 8, 2024

Provide option to drop gratuitous ARP packets.

Observed no issues using the sysctl in my own testing.

Changes

Currently commented-out.

Can enable the sysctl after comprehensive testing.

Mandatory Checklist

  • Legal agreements accepted. By contributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these agreements:

Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

Optional Checklist

The following items are optional but might be requested in certain cases.

  • I have tested it locally
  • I have reviewed and updated any documentation if relevant
  • I am providing new code and test(s) for it

@adrelanos
Member

https://github.com/k4yt3x/sysctl/blob/master/sysctl.conf is using

net.ipv4.conf.default.drop_gratuitous_arp = 1
net.ipv4.conf.all.drop_gratuitous_arp = 1

is that better or worse than

net.ipv4.conf.*.drop_gratuitous_arp=1

?

@raja-grewal
Contributor Author

It should be technically the same as per #261.

The simplified syntax is cleaner and covers all network interfaces in a single line.

See also other sources:
https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf (Ctrl+F search drop_gratuitous)
https://ato-pathways.com/catalogs/xccdf/items/15921

@adrelanos
Member

But does it also cover newly brought up interfaces or only interfaces that existed at the time of systemd-sysctl?

@raja-grewal
Contributor Author

Yes,

net.ipv4.conf.*.drop_gratuitous_arp=1

is equivalent to

net.ipv4.conf.default.drop_gratuitous_arp=1
net.ipv4.conf.all.drop_gratuitous_arp=1

and also explicitly encompasses all other interfaces such as

net.ipv4.conf.lo.drop_gratuitous_arp=1
net.ipv4.conf.wlan0.drop_gratuitous_arp=1

Basically, using * covers all interfaces a user might have in /proc/sys/net/ipv4/conf/.

Therefore, I think it is fair to say the setting applies to all interfaces at all times.

Additionally, based on my testing the setting works fine and does not have a bug like rp_filter, see #261 (comment).

@raja-grewal raja-grewal changed the title from "Provide option to drop gratuitous ARP packets" to "Provide network-related hardening options via sysctl's" on Nov 13, 2024
@raja-grewal
Contributor Author

Based largely on https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf, I think providing these options may be useful in certain scenarios.

Whether any of them should be enabled by default is not something I am currently ready to propose.

Any and all feedback is appreciated.

@raja-grewal
Contributor Author

raja-grewal commented Nov 25, 2024

After testing these settings myself, I think they could be applied by default moving forward. This, however, will be done in separate PRs for each sysctl (for easier tracking and referencing).

@raja-grewal
Contributor Author

I think the urgency of utilising net.ipv4.conf.*.arp_ignore=2 has dramatically increased given the recent Mullvad VPN audit also resulting in enabling the same parameter setting. Note, this setting also has implications for non-VPN traffic as well.

https://github.com/mullvad/mullvadvpn-app/blob/main/audits/2024-12-10-X41-D-Sec.md#mllvd-cr-24-03-virtual-ip-address-of-tunnel-device-leaks-to-network-adjacent-participant-severity-medium
mullvad/mullvadvpn-app#7141
https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf
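The discussion above turns on what a wildcard key such as net.ipv4.conf.*.drop_gratuitous_arp actually covers compared with the two-line default/all form, and the last comment proposes the same treatment for net.ipv4.conf.*.arp_ignore=2. The script below is an added example, not code from this PR or from the Kicksecure project: it resolves a dotted key with a `*` segment to the per-interface files under a sysctl tree and reports every file whose value differs from the hardened value, so an administrator can verify coverage on a running host. It assumes `*` behaves as a plain pathname glob over /proc/sys/net/ipv4/conf/ (the thread's description, not a statement about systemd-sysctl's internals), reads raw file contents only (it does not model how the kernel combines the `all` value with a per-interface value), and uses function names and a constructed fake tree of my own so it also runs offline.

```shell
#!/bin/sh
# Added audit helper (not part of the PR). Resolves keys such as
# net.ipv4.conf.*.drop_gratuitous_arp to the files they cover under a sysctl
# tree and reports values that differ from the hardened value.
# SYSCTL_ROOT defaults to the live /proc/sys; point it at a constructed tree
# (see make_fake_tree) to run without touching the kernel.
# Assumptions: `*` is a plain pathname glob over the conf/ directory, and only
# raw per-file values are compared (no modelling of all-vs-interface merging).

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# expand_glob_key KEY: print the files a dotted sysctl key (optionally with a
# * segment) resolves to under SYSCTL_ROOT, one per line.
expand_glob_key() {
    _path=$(printf '%s' "$1" | tr '.' '/')
    # $_path is deliberately unquoted so the shell expands the * segment.
    for _f in "$SYSCTL_ROOT"/$_path; do
        [ -e "$_f" ] && printf '%s\n' "$_f"
    done
    return 0
}

# audit_key KEY EXPECTED: print one MISMATCH line per covered file whose value
# differs from EXPECTED; return 1 if any mismatch was found, 0 otherwise.
audit_key() {
    _rc=0
    for _f in $(expand_glob_key "$1"); do
        _cur=$(cat "$_f")
        if [ "$_cur" != "$2" ]; then
            printf 'MISMATCH %s = %s (expected %s)\n' "$_f" "$_cur" "$2"
            _rc=1
        fi
    done
    return $_rc
}

# count_mismatches KEY EXPECTED: print how many covered files differ from
# EXPECTED (handy for scripting; 0 means the key is fully enforced).
count_mismatches() {
    _n=0
    for _f in $(expand_glob_key "$1"); do
        [ "$(cat "$_f")" = "$2" ] || _n=$((_n + 1))
    done
    printf '%s\n' "$_n"
}

# make_fake_tree DIR: constructed /proc/sys-like tree for offline use. Only the
# default and all entries carry drop_gratuitous_arp=1; lo and wlan0 still read
# 0 and arp_ignore is 0 everywhere, so both audits below find mismatches.
make_fake_tree() {
    for _if in default all lo wlan0; do
        mkdir -p "$1/net/ipv4/conf/$_if"
        printf '0\n' > "$1/net/ipv4/conf/$_if/drop_gratuitous_arp"
        printf '0\n' > "$1/net/ipv4/conf/$_if/arp_ignore"
    done
    printf '1\n' > "$1/net/ipv4/conf/default/drop_gratuitous_arp"
    printf '1\n' > "$1/net/ipv4/conf/all/drop_gratuitous_arp"
}

# demo: run both audits against the constructed tree, in a subshell so the
# caller's SYSCTL_ROOT is left untouched.
demo() (
    _tmp=$(mktemp -d)
    make_fake_tree "$_tmp"
    SYSCTL_ROOT="$_tmp"
    echo "coverage of net.ipv4.conf.*.drop_gratuitous_arp=1:"
    audit_key 'net.ipv4.conf.*.drop_gratuitous_arp' 1 || true
    echo "coverage of net.ipv4.conf.*.arp_ignore=2:"
    audit_key 'net.ipv4.conf.*.arp_ignore' 2 || true
    rm -rf "$_tmp"
)

demo
```

On a real host, run it with SYSCTL_ROOT unset after `systemd-sysctl` has applied the configuration; because it reads the live per-interface files, it also answers the question raised above about interfaces brought up later, simply by being run again once they exist.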
