[CentOS] VPN connections subject to hijack attack
Chris Adams
linux at cmadams.net
Fri Dec 6 15:59:29 UTC 2019
Once upon a time, Stephen John Smoogen <smooge at gmail.com> said:
> So for ipv4 CentOS 7 and 8 may not be vulnerable out of the door (they
> set to 1 versus 0 which the announcement says is kernel default and
> sfe). However, they found ipv6 works without rp_filter so this is a
> problem.
Yeah, I didn't realize until recently that the Linux kernel only
supports uRPF-style filtering on IPv4, not IPv6. That's not good IMHO.
There is an iptables rpfilter extension, and I believe firewalld
includes it on IPv6 by default, but firewalld isn't appropriate for all
setups.
--
Chris Adams <linux at cmadams.net>
More information about the CentOS
mailing list