Tomato Kernel Security

Discussion in 'Tomato Firmware' started by GreenThumb, Oct 28, 2008.

  1. GreenThumb

    GreenThumb Addicted to LI Member

    I posted this question on another Linksys forum and received nothing but crickets chirping. Maybe I will have better luck here.

    When I typically harden my Linux box (I use Gentoo as my main rig), I will perform a few tweaks to:


    This is where you can set some kernel parameters relating to TCP/IP and what types of packets the kernel itself will respond to. For instance, you can make the kernel drop all ICMP packets as well as ignore spoofed packets and source routed packets (among other things).

    When I ssh into my Tomato router and go through the /proc/sys/net/ipv4/* files, I see that the Tomato Linux kernel, by default, doesn't block some of these types of packets. I am interested in forcing the tomato kernel to drop the following types of packets (just as I set my local Gentoo machine to do):

    By default, the tomato *kernel* has the following already set like I want them:

    accept_source_route = 0  
    accept_redirects = 0  
    rp_filter = 1  
    So the above is fine.

    The following are *not* set like I want them:

    ip_forward = 1  
    icmp_echo_ignore_all = 0  
    icmp_echo_ignore_broadcasts = 0  
    icmp_ignore_bogus_error_responses = 0  

    My questions:

    1) Does the tomato firewall (iptables) do the job independent of whether the kernel itself is configured to block these packets? In other words, is there a way for an attacker to "break through" the firewall by sending some types of "bogus" packets? It seems to me that setting the router's kernel to ignore these packets is "more secure" than relying on iptables. Or am I wrong?

    2) If I turn off ip_forward, will it negatively effect my router's ability to properly route packets within my LAN? The Gentoo handbook says that ip_forward is only needed for "multi-homed hosts." I am not quite sure what a multi-homed host is, even after a lot of research on Google. I think it has to do with a host that has more than one interface (like a host serving more than one LAN), which I don't think my router does.

    3) Will I see any ill effects of making Tomato's kernel ignore all ICMP packets as outlined above?

    Can any security gurus (specifically those familiar with Linux) help me out? ;)
  2. mstombs

    mstombs Network Guru Member

    iptables is just the userspace app that is used to configure the kernel netfilter packet filter firewall.

    I'm pretty sure ip_forward is required - all routers with multiple interfaces I have seen have it set.

    I don't know how disabling icmp increases security, just makes it harder to fault find on your own network if ping and tracert etc don't work.

    Tomato is a standard Linux OS, try changing the values from a command prompt and see what happens, worst case is you have to power cycle the router. If no ill effect you can add them to the init script.

    See this thread for all the proc/net entries you can play with - only a few are configurable by the web gui.
  3. humba

    humba Network Guru Member

    At least the ping reply you can also configure from the gui.. it's in advanced - firewall. I'm not sure what it sets though (have you checked? does it use iptables?)

    Multihomed means a machine that has multiple network cards that are used for outside connectivity. Do you know what ip_forward would do on a non multihomed machine though? I understand the principle of deny all - however, I wonder what could possibly happen if you allow this and only have one wan interface..

    For the rest I'm afraid I'm not qualified to comment.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice