As of iptables 1.2.9-r1, Gentoo does not enable IPv4 Forwarding in /etc/conf.d/iptables. Instead of doing it with /etc/conf.d/local.start, it should be done in /etc/sysctl.conf by adding this line:

net.ipv4.ip_forward = 1

Reproducible: Always

Steps to Reproduce:
1. Add net.ipv4.ip_forward = 1 to /etc/sysctl.conf
2. Reboot

Actual Results: IPv4 Forwarding gets enabled :)

Expected Results: IPv4 Forwarding gets enabled :)
Really this should be done per-interface, in the /etc/init.d/net.* scripts, so the user can configure it when he configures the rest of the ethX settings. IMHO we should also add flags for net.* interfaces for every sysctl/proc option, such as proxy_arp, rp_filter, bootp_relay, etc., as well as the option to turn it on 'globally' for every interface. (Did I just volunteer to do this? I am super busy with work, but if I have the chance I will add this to the scripts if it is not already there).
quote: IMHO we should also add flags for net.* interfaces for every sysctl/proc option

So you want to make iptables template rules which are going to be applied on interfaces when you switch the global option on? (like: -P FORWARD DROP, -A FORWARD -i $IN -o $OUT -j ACCEPT, for every dependency?) Personally I think this should not be done this way, and if there is a way to do it for real per interface (like: net.eth0.ipv4.ip_forward), that would be really cool. Because, if you don't allow forwarding it seems to me that forwarding in itself is disabled (on all interfaces), without having a -P FORWARD DROP for example. I find it a bit strange it was taken out before anything else was put back in. Though I know the official way is sysctl.conf, newbies don't search here before they read the book/viewed the PDF about Linux security.
No, I am not talking about iptables at all. I'm talking about the options which reside under their respective interfaces. For example:

net.ipv4.conf.eth0.forwarding
net.ipv4.conf.eth0.proxy_arp
net.ipv4.conf.eth0.bootp_relay
net.ipv4.conf.eth0.arp_announce
... etc etc

These should all be configured when the /etc/init.d/net.* scripts get run. I believe some of them already are, in a more limited capacity (rp_filter is enabled if you don't specify it already in your sysctl.conf, etc).
Should be all set now ... no init scripts screw with /proc/sys anymore; set up your sysctl.conf instead.
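An added example, not from this bug report or from Gentoo's init scripts: a POSIX shell audit that reads sysctl -a style output and reports, per interface, the forwarding, proxy_arp and rp_filter keys discussed in the thread, so you can check what your sysctl.conf actually produced after a reboot. The interface names and values in SAMPLE are constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit per-interface IPv4 sysctl keys from `sysctl -a`-style lines on stdin.
# Input lines look like: net.ipv4.conf.eth0.forwarding = 1
# Reports the global ip_forward value, then for each real interface:
#   forwarding on   - the interface will route packets
#   proxy_arp on    - usually unwanted on a plain forwarding host
#   rp_filter off   - no reverse-path check on that interface
# Note: writing net.ipv4.ip_forward copies the value into every interface's
# forwarding key, which is why forwarding cannot be enabled for one interface
# via ip_forward alone.
audit_ipv4_conf() {
    awk -F' = ' '
        /^net\.ipv4\.ip_forward / { global = $2 + 0 }
        /^net\.ipv4\.conf\.[^.]+\.(forwarding|proxy_arp|rp_filter) / {
            split($1, p, ".")          # p[4] = interface, p[5] = key
            v[p[4], p[5]] = $2 + 0
            seen[p[4]] = 1
        }
        END {
            printf "global ip_forward=%d\n", global
            for (i in seen) {
                # "all" and "default" are templates, not interfaces; skip lo too
                if (i == "all" || i == "default" || i == "lo") continue
                if (v[i, "forwarding"] == 1) printf "%s: forwarding on\n", i
                if (v[i, "proxy_arp"] == 1)  printf "%s: proxy_arp on\n", i
                if (((i, "rp_filter") in v) && v[i, "rp_filter"] == 0)
                    printf "%s: rp_filter off\n", i
            }
        }' | LC_ALL=C sort
}

# Constructed sample: eth1 is the interface a defender would want to look at.
SAMPLE='net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.proxy_arp = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.forwarding = 1'

printf '%s\n' "$SAMPLE" | audit_ipv4_conf
```

On a live host, pipe `sysctl -a 2>/dev/null | audit_ipv4_conf` instead of the sample.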