Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#17262 - [iptables] enables ip forwarding by default
Attached to Project:
Arch Linux
Opened by Pete (tam1138) - Tuesday, 24 November 2009, 00:58 GMT
Last edited by Ronald van Haren (pressh) - Wednesday, 16 December 2009, 17:21 GMT
Details

Description:
When IPTABLES_FORWARD is set to 1 in /etc/conf.d/iptables, the iptables rc script executes "echo 1 > /proc/sys/net/ipv4/ip_forward". This is all well and good, except that the shipped default is to turn forwarding on, which is unexpected and potentially dangerous from a security perspective. It assumes that people who install iptables are doing so to run NAT, which isn't always true. Furthermore, from a security and "knowing your system" point of view, I believe turning something like forwarding on should be an active measure, even if most people end up doing so.

Additional info:
* package version(s)
  $ pacman -Q iptables
  iptables 1.4.5-1
* config and/or log files etc.
  $ grep IPTABLES_FORWARD /etc/conf.d/iptables
  IPTABLES_FORWARD=0 # enable IP forwarding?

Steps to reproduce:
$ sudo pacman -S iptables
$ sudo /etc/rc.d/iptables start
$ cat /proc/sys/net/ipv4/ip_forward
1
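Added example, not the Arch rc.d/iptables script and not part of the report: a sh fragment that applies IP forwarding from a conf.d-style file the way the reporter argues it should work. Forwarding is enabled only when IPTABLES_FORWARD is exactly 1; an unset, 0, missing or malformed setting writes 0 explicitly rather than leaving whatever value the kernel already had. The value is extracted with sed instead of sourcing the file, so a writable config cannot inject shell into an rc script running as root. The function names, the sysctl target parameter and the sample config written to a temp directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the Arch rc.d/iptables script): secure-by-default
# handling of IPTABLES_FORWARD. Names and the temp-file target are
# assumptions for illustration.

# Extract IPTABLES_FORWARD from a conf.d-style file without sourcing it.
# Only a literal 1 (optionally quoted) enables forwarding; anything else,
# including a missing file or a missing line, yields 0 (fail closed).
read_forward_setting() {
    conf="$1"
    [ -r "$conf" ] || { echo 0; return; }
    val=$(sed -n "s/^[[:space:]]*IPTABLES_FORWARD=[\"']\{0,1\}\([01]\).*/\1/p" "$conf" | tail -n 1)
    [ "$val" = "1" ] && echo 1 || echo 0
}

# Write the decided value to the sysctl file and echo it. The target path
# is a parameter so the logic can be exercised against a temp file; on a
# real system it is /proc/sys/net/ipv4/ip_forward and requires root.
apply_forwarding() {
    conf="$1"
    target="${2:-/proc/sys/net/ipv4/ip_forward}"
    want=$(read_forward_setting "$conf")
    echo "$want" > "$target"
    echo "$want"
}

# Read back the live kernel state. Check this, not the config file: the
# report is a case where the two disagree.
check_forwarding() {
    target="${1:-/proc/sys/net/ipv4/ip_forward}"
    tr -d '[:space:]' < "$target"
}

# Demo on constructed input: the config line from the report, and a
# simulated kernel state where forwarding is already on.
tmp=$(mktemp -d)
printf 'IPTABLES_FORWARD=0 # enable IP forwarding?\n' > "$tmp/iptables"
echo 1 > "$tmp/ip_forward"
apply_forwarding "$tmp/iptables" "$tmp/ip_forward" > /dev/null
echo "ip_forward after apply: $(check_forwarding "$tmp/ip_forward")"   # prints 0
rm -rf "$tmp"
```

On a live system the check is simply cat /proc/sys/net/ipv4/ip_forward (or sysctl net.ipv4.ip_forward) after the rc script has run, which is exactly the reproduction step in the report; a 1 there with IPTABLES_FORWARD=0 in the config means the script, not the config, is deciding.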
Closed by Ronald van Haren (pressh)
Wednesday, 16 December 2009, 17:21 GMT
Reason for closing: Implemented
Additional comments about closing: iptables 1.4.6