projects / projects / rc-scripts.git / blame
| Commit | Line | Data |
|---|---|---|
| de1fc6ce JR |
1 | ### IPV4 NETWORKING |
| 2 | ||
| 3 | # Disables IPv4 packet forwarding | |
| 4 | net.ipv4.ip_forward = 0 | |
| 5 | ||
| 6 | # Enables source route verification | |
| 7 | net.ipv4.conf.all.rp_filter = 1 | |
| 8 | ||
| 9 | # Accept ICMP redirect messages (suggested 1 for hosts and 0 for routers) | |
| 10 | # net.ipv4.conf.all.accept_redirects = 1 | |
| 11 | ||
| 12 | # Accept source routed packages (suggested 0 for hosts and 1 for routers) | |
| 13 | # net.ipv4.conf.all.accept_source_route = 1 | |
| 14 | ||
| 15 | # Log packets with source addresses with no known route to kernel log | |
| 16 | # net.ipv4.conf.all.log_martians = 1 | |
| 17 | ||
| 18 | # Do multicast routing ? The kernel needs to be compiled with | |
| 19 | # CONFIG_MROUTE and a multicast routing daemon is required. | |
| 20 | # net.ipv4.conf.all.mc_forwarding = 1 | |
| 21 | ||
| d062c2a4 PG |
22 | # If you get message "Neighbour table overflow" try to play with this values. |
| 23 | # Needed in huge networks. These example values are sufficent in networks with | |
| 24 | # mask 21. | |
| 25 | # net.ipv4.neigh.default.gc_thresh3 = 4096 | |
| 26 | # net.ipv4.neigh.default.gc_thresh2 = 2048 | |
| 27 | # net.ipv4.neigh.default.gc_thresh1 = 512 | |
| 28 | # net.ipv6.neigh.default.gc_thresh3 = 1024 | |
| 29 | # net.ipv6.neigh.default.gc_thresh2 = 512 | |
| 30 | # net.ipv6.neigh.default.gc_thresh1 = 128 | |
| 31 | ||
| de1fc6ce JR |
32 | # Do proxy ARP ? |
| 33 | # net.ipv4.conf.all.proxy_arp = 1 | |
| 34 | ||
| 35 | # Accept ICMP redirect messages only for gateways, listed in | |
| 36 | # default gateway list ? | |
| 37 | # net.ipv4.conf.all.secure_redirects = 1 | |
| 38 | ||
| 39 | # Send ICMP redirects to other hosts ? | |
| 40 | # net.ipv4.conf.all.send_redirects = 1 | |
| 41 | ||
| 42 | # Ignore all ICMP echo requests ? | |
| 43 | # net.ipv4.icmp_echo_ignore_all = 1 | |
| 44 | ||
| 45 | # Ignore ICMP echo requests to broadcast and multicast addresses ? | |
| 46 | # net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| 47 | ||
| 48 | # Enable MTU discovery patch ? (KERNEL MUST SUPPORT THIS) | |
| 49 | # MTU (maximal transfer unit) is the size of the chunks we send out | |
| 50 | # over the net. "Path MTU Discovery" means that, instead of always | |
| 51 | # sending very small chunks, we start out sending big ones and if we | |
| 52 | # then discover that some host along the way likes its chunks smaller, | |
| 53 | # we adjust to a smaller size. | |
| 54 | # net.ipv4.ip_no_pmtu_disc = 1 | |
| 55 | ||
| 56 | # Enable debugging of IP masquerading ? | |
| 57 | # net.ipv4.ip_masq_debug = 1 | |
| 58 | ||
| 59 | # Bug-to-bug compatibility with some broken printers. On retransmit | |
| 60 | # try to send bigger packets to work around bugs in certain TCP | |
| 61 | # stacks. Can be turned off by setting IPV4_RETRANS_COLLAPSE to ,,yes''. | |
| 62 | # net.ipv4.tcp_retrans_collapse = 1 | |
| 63 | ||
| 64 | # Disable select acknowledgments after RFC2018 ? | |
| 65 | # TCP may experience poor performance when multiple packets are lost | |
| 66 | # from one window of data. With the limited information available | |
| 67 | # from cumulative acknowledgments, a TCP sender can only learn about a | |
| 68 | # single lost packet per round trip time. An aggressive sender could | |
| 69 | # choose to retransmit packets early, but such retransmitted segments | |
| 70 | # may have already been successfully received. | |
| 71 | # net.ipv4.tcp_sack = 0 | |
| 72 | ||
| 73 | # Disable timestamps as defined in RFC1323 ? | |
| 74 | # Timestamps are designed to provide compatible interworking with | |
| 75 | # TCP's that do not implement the TCP Extensions for High Performance | |
| 76 | # net.ipv4.tcp_timestamps = 0 | |
| 77 | ||
| 78 | # Enable the strict RFC793 interpretation of the TCP urgent pointer field. | |
| 79 | # net.ipv4.tcp_stdurg = 1 | |
| 80 | ||
| 81 | # Enable tcp_syncookies | |
| 82 | net.ipv4.tcp_syncookies = 1 | |
| 83 | ||
| 84 | # Disable window scaling as defined in RFC1323 ? | |
| 85 | # The window scale extension expands the definition of the TCP | |
| 86 | # window to 32 bits and then uses a scale factor to carry this | |
| 87 | # 32-bit value in the 16-bit Window field of the TCP header. | |
| 88 | # net.ipv4.tcp_window_scaling = 0 | |
| 89 | ||
| 90 | # Enable dynamic socket address rewriting on interface address change. | |
| 91 | # This is useful for dialup interface with changing IP addresses. | |
| 92 | # sys.net.ipv4.ip_dynaddr = 7 | |
| 93 | ||
| 94 | # Range of ports used by TCP and UDP to choose the local | |
| 95 | # port. Contains two numbers, the first number is the lowest port, | |
| 96 | # the second number the highest local port. Default is "1024 4999". | |
| 97 | # Should be changed to "32768 61000" for high-usage systems. | |
| 98 | net.ipv4.ip_local_port_range = 1024 4999 | |
| 99 | ||
| 100 | # Disables automatic defragmentation (needed for masquerading, LVS) | |
| 101 | # Non existant on Linux 2.4 | |
| 102 | # net.ipv4.ip_always_defrag = 0 | |
| 103 | ||
| 104 | ### IPV6 NETWORKING | |
| 105 | ||
| 106 | # Disables IPv6 packet forwarding | |
| 02c86657 | 107 | # net.ipv6.conf.all.forwarding = 0 |
| de1fc6ce JR |
108 | |
| 109 | # Do you want IPv6 address autoconfiguration? Kernel default is yes. | |
| 110 | # net.ipv6.conf.all.autoconf = 0 | |
| ddd9b958 | 111 | # net.ipv6.conf.default.autoconf = 0 |
| de1fc6ce JR |
112 | |
| 113 | # Do you want kernel to add default route for IPv6 interfaces if | |
| 114 | # there is no router on the link? Kernel default is yes. | |
| 115 | # Kernel 2.4.0-test? or later (after ANK accepts my patch - baggins). | |
| 116 | # net.ipv6.conf.all.autoconf_route = 0 | |
| 117 | ||
| 118 | ### OTHER SETTINGS | |
| 119 | ||
| 120 | # Adjust number of inodes and file handles available in the system. | |
| 121 | # If you have a havily loaded system and kernel complains about | |
| 122 | # file/inode limit reached in VFS, increase this 2x. The default | |
| 123 | # value is 4096 (file) and 8192 (inode). The inode number should be | |
| 124 | # always 2-3 times the file number. For most systems this should not | |
| 125 | # be changed | |
| 126 | # fs.file-max = 8192 | |
| 127 | # fs.inode-max = 16384 | |
| 128 | ||
| 129 | # Enable the magic-sysrq key | |
| 130 | kernel.sysrq = 1 | |
| ddd9b958 JR |
131 | |
| 132 | # | |
| 938c78a9 | 133 | # GRSECURITY http://www.grsecurity.org |
| ddd9b958 JR |
134 | # kernel 2.4 only |
| 135 | # | |
| 136 | # WARNING! | |
| 137 | # These values are SET ONCE! | |
| 138 | # | |
| b7b53a3f | 139 | #kernel.grsecurity.linking_restrictions = 1 |
| 140 | #kernel.grsecurity.fifo_restrictions = 1 | |
| 141 | #kernel.grsecurity.secure_fds = 1 | |
| 142 | #kernel.grsecurity.chroot_restrictions = 1 | |
| 143 | #kernel.grsecurity.chroot_execlog = 0 | |
| 144 | #kernel.grsecurity.chroot_caps = 0 | |
| 145 | #kernel.grsecurity.secure_kbmap = 0 | |
| 146 | ||
| 147 | #kernel.grsecurity.exec_logging = 0 | |
| 148 | #kernel.grsecurity.suid_logging = 0 | |
| 149 | #kernel.grsecurity.signal_logging = 1 | |
| 150 | #kernel.grsecurity.forkfail_logging = 0 | |
| 151 | #kernel.grsecurity.timechange_logging = 1 | |
| 152 | ||
| 153 | #kernel.grsecurity.execve_limiting = 1 | |
| 154 | #kernel.grsecurity.fork_bomb_prot = 0 | |
| 155 | #kernel.grsecurity.fork_bomb_gid = 65504 | |
| 156 | #kernel.grsecurity.fork_bomb_sec = 40 | |
| 157 | #kernel.grsecurity.fork_bomb_max = 20 | |
| 158 | #kernel.grsecurity.tpe = 0 | |
| 159 | #kernel.grsecurity.tpe_gid = 65500 | |
| 160 | #kernel.grsecurity.tpe_glibc = 0 | |
| 161 | #kernel.grsecurity.tpe_restrict_all = 0 | |
| 162 | ||
| 163 | #kernel.grsecurity.rand_pids = 0 | |
| 164 | #kernel.grsecurity.rand_ip_ids = 0 | |
| 165 | #kernel.grsecurity.rand_tcp_src_ports = 0 | |
| 166 | #kernel.grsecurity.altered_pings = 0 | |
| 167 | #kernel.grsecurity.rand_ttl = 0 | |
| 168 | #kernel.grsecurity.rand_ttl_thresh = 64 | |
| 169 | #kernel.grsecurity.rand_net = 1 | |
| 170 | #kernel.grsecurity.socket_all = 1 | |
| 171 | #kernel.grsecurity.socket_all_gid = 65501 | |
| 172 | #kernel.grsecurity.socket_client = 1 | |
| 173 | #kernel.grsecurity.socket_client_gid = 65502 | |
| 174 | #kernel.grsecurity.socket_server = 1 | |
| 175 | #kernel.grsecurity.socket_server_gid = 65503 | |
| 176 | ||
| 177 | #kernel.grsecurity.stealth_flags = 0 | |
| 178 | #kernel.grsecurity.stealth_icmp = 0 | |
| 179 | #kernel.grsecurity.stealth_igmp = 0 | |
| 180 | #kernel.grsecurity.stealth_rst = 0 | |
| 181 | #kernel.grsecurity.stealth_udp = 0 | |
| 182 | ||
| 183 | #kernel.grsecurity.coredump = 0 |