6 Dec
2019
6 Dec
'19
3:59 p.m.
Once upon a time, Stephen John Smoogen smooge@gmail.com said:
So for ipv4 CentOS 7 and 8 may not be vulnerable out of the door (they set to 1 versus 0 which the announcement says is kernel default and sfe). However, they found ipv6 works without rp_filter so this is a problem.
Yeah, I didn't realize until recently that the Linux kernel only supports uRPF-style filtering on IPv4, not IPv6. That's not good IMHO.
There is an iptables rpfilter extension, and I believe firewalld includes it on IPv6 by default, but firewalld isn't appropriate for all setups.
--
Chris Adams linux@cmadams.net