Important /proc Security Files

• /proc/sys/net/ipv4/conf/default/rp_filter

  • Equivalent to net.ipv4.conf.default.rp_filter sysctl parameter
  • Default controls all interfaces
  • Individual interfaces each have a separate directory under conf, e.g., conf/eth0, conf/ipsec1
  • Poorly documented anti-spoof control
  • Takes 0 (disabled), 1 (check direct networks only) or 2 (check all networks?) as arguments
  • Interferes with VPN connections to the gateway
  • Should be disabled unless we use iproute2
  • Move anti-spoofing to firewall if we disable rp_filter

Notes: