X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=carnet-upgrade.git;a=blobdiff_plain;f=files%2Fetc%2Fsysctl.conf.restore;h=6cd0aebad18b3414ab21b3b93e77bc4d734885a5;hp=971d61288f824e8d2ad979342cf76480510e38b4;hb=94afc1525e7d959747bae5623f438843ab1edae8;hpb=c7223f08dfea9a852f23237a6d64dab94283d5e3
diff --git a/files/etc/sysctl.conf.restore b/files/etc/sysctl.conf.restore
index 971d612..6cd0aeb 100644
--- a/files/etc/sysctl.conf.restore
+++ b/files/etc/sysctl.conf.restore
@@ -1,10 +1,10 @@
 #
 # /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additonal system variables
 # See sysctl.conf (5) for information.
 #
 #kernel.domainname = example.com
-#net/ipv4/icmp_echo_ignore_broadcasts=1
 # Uncomment the following to stop low-level messages on console
 #kernel.printk = 4 4 1 7
@@ -13,14 +13,55 @@
 # Functions previously found in netbase
 #
-# Uncomment the next line to enable Spoof protection (reverse-path filter)
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
 #net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
 # Uncomment the next line to enable TCP/IP SYN cookies
+# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
+# and is not recommended.
 #net.ipv4.tcp_syncookies=1
 # Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.conf.default.forwarding=1
+#net.ipv4.ip_forward=1
 # Uncomment the next line to enable packet forwarding for IPv6
-#net.ipv6.conf.default.forwarding=1
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Ignore ICMP broadcasts
+#net.ipv4.icmp_echo_ignore_broadcasts = 1
+#
+# Ignore bogus ICMP errors
+#net.ipv4.icmp_ignore_bogus_error_responses = 1
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+# The contents of /proc//maps and smaps files are only visible to
+# readers that are allowed to ptrace() the process
+# kernel.maps_protect = 1
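Review bot: Uncommenting `net.ipv4.conf.all.accept_redirects = 0` and `net.ipv4.conf.all.send_redirects = 0` as written is unlikely to switch redirects off on a host that is not forwarding, which is exactly the "we are not a router" case the new comments describe. The kernel's ip-sysctl documentation says IPv4 redirects are accepted on a non-forwarding interface when either the `all` or the per-interface value is set, and are sent when either is set, so an interface still carrying the default of 1 keeps honouring and emitting them. I would list the `default` keys next to the `all` ones, `#net.ipv4.conf.default.accept_redirects = 0` and `#net.ipv4.conf.default.send_redirects = 0`, and add a comment that interfaces already configured need their own key set as well. Separately, the added "and is not recommended" on `net.ipv4.tcp_syncookies` reads stronger than the behaviour seems to warrant, since as far as I know cookies are only issued once the SYN backlog overflows; a comment such as `# TCP options such as window scaling may be lost for connections accepted while cookies are in use` would describe the trade-off without steering admins away from a SYN-flood mitigation.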