[CentOS] VPN connections subject to hijack attack

Fri Dec 6 15:59:29 UTC 2019
Chris Adams <linux at cmadams.net>

Once upon a time, Stephen John Smoogen <smooge at gmail.com> said:
> So for ipv4 CentOS 7 and 8 may not be vulnerable out of the door (they
> set to 1 versus 0 which the announcement says is kernel default and
> sfe). However, they found ipv6 works without rp_filter so this is a
> problem.

Yeah, I didn't realize until recently that the Linux kernel only
supports uRPF-style filtering on IPv4, not IPv6.  That's not good IMHO.

There is an iptables rpfilter extension, and I believe firewalld
includes it on IPv6 by default, but firewalld isn't appropriate for all

Chris Adams <linux at cmadams.net>