# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
# Accept ICMP redirect messages (suggested 1 for hosts and 0 for routers)
# net.ipv4.conf.all.accept_redirects = 1
# CONFIG_MROUTE and a multicast routing daemon is required.
# net.ipv4.conf.all.mc_forwarding = 1
+# If you get message "Neighbour table overflow" try to play with this values.
+# Needed in huge networks. These example values are sufficent in networks with
+# mask 21.
+# net.ipv4.neigh.default.gc_thresh3 = 4096
+# net.ipv4.neigh.default.gc_thresh2 = 2048
+# net.ipv4.neigh.default.gc_thresh1 = 512
+# net.ipv6.neigh.default.gc_thresh3 = 1024
+# net.ipv6.neigh.default.gc_thresh2 = 512
+# net.ipv6.neigh.default.gc_thresh1 = 128
+
# Do proxy ARP ?
# net.ipv4.conf.all.proxy_arp = 1
# Send ICMP redirects to other hosts ?
# net.ipv4.conf.all.send_redirects = 1
-# Ignore all ICMP echo requests ?
+# Ignore all ICMP echo requests ?
# net.ipv4.icmp_echo_ignore_all = 1
# Ignore ICMP echo requests to broadcast and multicast addresses ?
# Bug-to-bug compatibility with some broken printers. On retransmit
# try to send bigger packets to work around bugs in certain TCP
-# stacks. Can be turned off by setting IPV4_RETRANS_COLLAPSE to ,,yes''.
+# stacks. Can be turned off by setting IPV4_RETRANS_COLLAPSE to ,,yes''.
# net.ipv4.tcp_retrans_collapse = 1
-
+
# Disable select acknowledgments after RFC2018 ?
# TCP may experience poor performance when multiple packets are lost
# from one window of data. With the limited information available
# net.ipv4.tcp_stdurg = 1
# Enable tcp_syncookies
-net.ipv4.tcp_syncookies = 1
+# net.ipv4.tcp_syncookies = 1
# Disable window scaling as defined in RFC1323 ?
# The window scale extension expands the definition of the TCP
# port. Contains two numbers, the first number is the lowest port,
# the second number the highest local port. Default is "1024 4999".
# Should be changed to "32768 61000" for high-usage systems.
-net.ipv4.ip_local_port_range = 1024 4999
+# net.ipv4.ip_local_port_range = 4096 61000
# Disables automatic defragmentation (needed for masquerading, LVS)
# Non existant on Linux 2.4
### IPV6 NETWORKING
# Disables IPv6 packet forwarding
-net.ipv6.conf.all.forwarding = 0
+# net.ipv6.conf.all.forwarding = 0
# Do you want IPv6 address autoconfiguration? Kernel default is yes.
# net.ipv6.conf.all.autoconf = 0
+# net.ipv6.conf.default.autoconf = 0
# Do you want kernel to add default route for IPv6 interfaces if
# there is no router on the link? Kernel default is yes.
# fs.file-max = 8192
# fs.inode-max = 16384
+# Controls whether core dumps will append the PID to the core filename.
+# Useful for debugging multi-threaded applications.
+#kernel.core_uses_pid = 1
+
# Enable the magic-sysrq key
kernel.sysrq = 1
+
+# After how many seconds reboot system after kernel panic?
+# 0 - never reboot system (suggested 60)
+#kernel.panic = 60
+
+#
+# GRSECURITY http://www.grsecurity.org
+#
+# WARNING!
+# These values are SET ONCE!
+#
+#kernel.grsecurity.linking_restrictions = 1
+#kernel.grsecurity.fifo_restrictions = 1
+#kernel.grsecurity.destroy_unused_shm = 0
+#kernel.grsecurity.chroot_caps = 0
+#kernel.grsecurity.chroot_deny_chmod = 0
+#kernel.grsecurity.chroot_deny_chroot = 1
+#kernel.grsecurity.chroot_deny_fchdir = 0
+#kernel.grsecurity.chroot_deny_mknod = 1
+#kernel.grsecurity.chroot_deny_mount = 1
+#kernel.grsecurity.chroot_deny_pivot = 1
+#kernel.grsecurity.chroot_deny_shmat = 0
+#kernel.grsecurity.chroot_deny_sysctl = 1
+#kernel.grsecurity.chroot_deny_unix = 0
+#kernel.grsecurity.chroot_enforce_chdir = 0
+#kernel.grsecurity.chroot_execlog = 0
+#kernel.grsecurity.chroot_findtask = 1
+#kernel.grsecurity.chroot_restrict_nice = 0
+
+#kernel.grsecurity.exec_logging = 0
+#kernel.grsecurity.signal_logging = 1
+#kernel.grsecurity.forkfail_logging = 0
+#kernel.grsecurity.timechange_logging = 1
+#kernel.grsecurity.audit_chdir = 0
+#kernel.grsecurity.audit_gid = 65505
+#kernel.grsecurity.audit_group = 0
+#kernel.grsecurity.audit_ipc = 0
+#kernel.grsecurity.audit_mount = 0
+
+#kernel.grsecurity.execve_limiting = 1
+#kernel.grsecurity.dmesg = 1
+#kernel.grsecurity.tpe = 1
+#kernel.grsecurity.tpe_gid = 65500
+#kernel.grsecurity.tpe_glibc = 0
+#kernel.grsecurity.tpe_restrict_all = 0
+
+#kernel.grsecurity.rand_pids = 1
+#kernel.grsecurity.socket_all = 1
+#kernel.grsecurity.socket_all_gid = 65501
+#kernel.grsecurity.socket_client = 1
+#kernel.grsecurity.socket_client_gid = 65502
+#kernel.grsecurity.socket_server = 1
+#kernel.grsecurity.socket_server_gid = 65503
+
+#kernel.grsecurity.disable_modules = 0
+#kernel.grsecurity.grsec_lock = 0
+
+# kernel.randomize_va_space = 2
+# 0 - Turn the process address space randomization off by default.
+# 1 - Conservative address space randomization makes the addresses of
+# mmap base and VDSO page randomized. This, among other things,
+# implies that shared libraries will be loaded to random addresses.
+# Also for PIE binaries, the location of code start is randomized.
+# 2 - This includes all the features that Conservative randomization
+# provides. In addition to that, also start of the brk area is randomized.
+# There a few legacy applications out there (such as some ancient
+# versions of libc.so.5 from 1996) that assume that brk area starts
+# just after the end of the code+bss. These applications break when
+# start of the brk area is randomized. There are however no known
+# non-legacy applications that would be broken this way, so for most
+# systems it is safe to choose Full randomization.
+
+# for mplayer
+#dev.rtc.max-user-freq = 1024
+#
projects / projects / rc-scripts.git / blobdiff