Quick Reference

Home
Alpine Linux Boot Process
libinput on Alpine Linux
who on Alpine
ALSA Config
Android Hacking
Android Load apkx File
Audio Stream Fu
Audio Recording (simple)
AWK
BASH quick ref
Benchmark with fio
BlackBerry as a Modem
BlackBerry Video Encoding
Building libcurl on Windows with VS
Building QEMU Images for Alpine Linux
for use with libvirt and terraform
Building TI MSP430 GCC
Certificate and Key Handling
Chart Drawing
Currency Converter
Custom Bootable Alpine Linux
Custom Alpine Kernel
Colourspace Conversion
Compile FMS from Source
Courier IMAP Server
Datasheets and Manuals
Deduplication of Files
Deleting Old Devices
Delphi 7 Dynamic Linking
Delphi Compiler Warnings
Desktop Capture with FFMPEG
X11
Desktop Capture in Sway
Dovecot IMAP
Dovecot Replication
Docker HowTo (Simple Setup)
Remove Untagged Docker Images
Docker Xvfb Alpine Howto
Docker Storage
DomainKey Identified Mail with Exim
DRBD Over OpenVPN
Eclipse and Jetty
Eclipse Themes
Edge Detection
Electronics
Emailing
ESP8266 Get Started
ESP8266 OpenSDK
Exchange 2010 and Lighttpd
Exim Process and Forward Incoming Mail
Exim with Dovecot
FFmpeg Webcam and v4l2 stuff
flickr image from file name
Force Video Output
KMS/FB and Weston
Fonts
Freenet Routing Fu
Flushing Filesystem Buffers
GDB in Windows
Gentoo eudev and udev
Gentoo omxplayer
Gentoo on Raspberry Pi
Gentoo initramfs
Gentoo Java Problems
Gentoo Stage4
Gentoo Update (portage)
Gentoo VirtualBox Install
git Quick Reference
git Workflow
GNUplot Curve Fitting
GNUplot Heart
GNUplotting
Quick Reference
GnuPG Simple
Hen*Plus
ImageMagick
Quick Reference
InspIRCd on Gentoo
Install Gentoo with Hyper-V
iproute2
iptables
iptables bwmon
IPv6 in IPv6 Tunnels STUB
IPv6 Setups STUB
ircclient
irssi
Java Anti-aliasing
Jetty JSP 9.2/9.3 Error
Jetty JSP 9.4 Error
LDAP Searching
and binding on Linux
Logging in Java
LVM Mount on Gentoo
LVM Howto Rev 2
Video File Montage Creation
MPlayer play section of file
Install macOS X on Mac Pro
Maven for Java Development
MPlayer v4l Snapshots
mpv Quick Reference
MSP430 I2C
msys2 Home Modification
mtu Sizes
Multi Homed Hosts and ARP
Multiple RDP Sessions
nginx and cgit
Oneliners
Oukitel C8 Hacking
GNU Parted Simple tutorial
PinePhone Modem
PinePhone Sleeping
Piping for msmtp

PixivUtil2 Install
powersave.sh
qemu PCI Passthrough
qemu USB Passthrough
Quick VMs with QEMU
Reset Password in Windows
Routing Traffic in Windows
rpcontinued.xpi for Pale Moon
Screen Sharing with Sway
sed and grep
sfdisk howto
Shell and File Descriptors
Spring Security Upgrade from 3 to 4
Strong Host Model for Linux
SQLite3 Compile DLL with VS2010
SSL and Lighttpd
std::string to std::wstring and back
Sway IPC with swaymsg
Terminal Codes and socat
Traffic Control (tc)
In-depth with background and quirky routing and networking configuration
Traffic Control Again
Simpler method using ifb
UEFI Booting from Shell
Update Own Number with AT Commands
Videos, Interesting
VirtualBox to QEMU
Quick start guide
Visual Studio Reminders
whatsmeow on Alpine in Docker
Word and VBA Header Protection
wpa_cli
X11 TrackMan Marble
X11 Programming

How to change the host model of TCP/IP stack from weak model to strong model?

Also related is the end of another page on this site: Multi-homed hosts and ARP.

Objective

The reason to set the strong host model is to avoid some security problems. My understanding is that it is easy to set firewall rules to achieve the same level of security and is a little easier to do so maybe that would be a better option for your setup.

Background

To demonstrate the setup the system has two network interfaces, they are named eth0 and eth1 (of course they will probably be different on a system using predictable interface naming, enp5s0 or something).

Each interface will be given its own routing table
eth0 the interface will be configured with DHCP
eth1 will be configured with a static IP address

This configuration can be error-prone and so careful verification and monitoring is necessary.

Configuration with systemd-networkd

For eth0, dhcp enabled:

# /usr/lib/systemd/network/20-wired-network-eth0.network
[Match]
Name=eth0
[Network]
DHCP=yes
[DHCPv4]
RouteTable=100
[DHCP]
UseMTU=yes
RouteMetric=10
ClientIdentifier=mac

For eth1:

# /usr/lib/systemd/network/20-wired-network-eth1.network
[Match]
Name=eth1
[Network]
DHCP=no
[Address]
Address=10.8.0.1/16
AddPrefixRoute=false
[Route]
Destination=10.8.0.0/16
Scope=link
Table=8
[RoutingPolicyRule]
From=10.8.0.0/16
To=10.8.0.0/16
IncomingInterface=eth1
Table=8
[RoutingPolicyRule]
From=10.8.0.0/16
To=10.8.0.0/16
Table=8

The [Route] line adds the same entry that AddPrefixRoute would have added to the main routing table. The default when using iproute2 is to add the scoped route to the main routing table, to prevent this behaviour the command may be postfixed with noprefixroute.

The [RoutingPolicyRule] will add the required entries to the ip rules:

# ip rule show
0: from all lookup local
32764: from 10.8.0.0/16 to 10.8.0.0/16 lookup 99
32765: from 10.8.0.0/16 to 10.8.0.0/16 iif eth1 lookup 8
32766: from all lookup main
32767: from all lookup default

Notice that there are no rules to allow the DHCP configured interface to use table 100, even though table 100 has been updated with the required entries.

# ip route show table 100
default via 192.168.1.1 dev eth0 src 192.168.1.123 metric 10
192.168.1.0/24 dev eth0 scope link src 192.168.1.123 metric 10
192.168.1.1 dev eth0 scope link src 192.168.1.123 metric 10

At this time I am not sure how to fix that except by adding [RoutingPolicyRule] entries for eth0 with the subnet of the DHCP server... obviously not a great idea.

Performing this Manually with `iproute2`

TODO: write some iproute2 commands to do the same as systemd-networkd

ARP Replies

This will prevent the system from answering ARP requests received on an interface where the requested address does not match the address assigned to that interface.

net.ipv4.conf.all.arp_filter=1 
net.ipv4.conf.all.arp_ignore=1 # or even 2
net.ipv4.conf.all.arp_announce=2

References

Quick Links: Techie Stuff | General | Personal | Quick Reference