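# sysctl.conf-style kernel settings, loaded with sysctl -p / sysctl --system.
# One "key = value" per line; '#' starts a full-line comment. A commented-out
# key is NOT applied: the kernel's built-in default stays in force for it.

### IPV4 NETWORKING

# Disables IPv4 packet forwarding
net.ipv4.ip_forward = 0

# Enables source route verification
# 1 = strict reverse-path filtering (RFC 3704): a packet is dropped when its
# source address would not be routed back out the interface it arrived on.
# The kernel uses the higher of conf.all and the per-interface value, so the
# "default" entry is set as well to cover interfaces created later.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Accept ICMP redirect messages (suggested 1 for hosts and 0 for routers)
# Left commented, so the kernel default (accept) applies. Hosts that do not
# rely on redirects are usually hardened with 0, because spoofed redirects
# can alter the routing cache.
# net.ipv4.conf.all.accept_redirects = 1

# Accept source routed packets (suggested 0 for hosts and 1 for routers)
# net.ipv4.conf.all.accept_source_route = 1

# Log packets with source addresses with no known route to kernel log
# A cheap detection signal for spoofed or misrouted traffic; can be noisy on
# misconfigured networks.
# net.ipv4.conf.all.log_martians = 1

# Do multicast routing ? The kernel needs to be compiled with
# CONFIG_MROUTE and a multicast routing daemon is required.
# net.ipv4.conf.all.mc_forwarding = 1

# If you get the message "Neighbour table overflow" try to play with these values.
# Needed in huge networks. These example values are sufficient in networks with
# mask 21.
# net.ipv4.neigh.default.gc_thresh3 = 4096
# net.ipv4.neigh.default.gc_thresh2 = 2048
# net.ipv4.neigh.default.gc_thresh1 = 512
# net.ipv6.neigh.default.gc_thresh3 = 1024
# net.ipv6.neigh.default.gc_thresh2 = 512
# net.ipv6.neigh.default.gc_thresh1 = 128

# Do proxy ARP ?
# net.ipv4.conf.all.proxy_arp = 1

# Accept ICMP redirect messages only for gateways, listed in
# default gateway list ?
# net.ipv4.conf.all.secure_redirects = 1

# Send ICMP redirects to other hosts ?
# Only routers need this; on a host the hardened value is 0.
# net.ipv4.conf.all.send_redirects = 1

# Ignore all ICMP echo requests ?
# net.ipv4.icmp_echo_ignore_all = 1

# Ignore ICMP echo requests to broadcast and multicast addresses ?
# net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable MTU discovery patch ? (KERNEL MUST SUPPORT THIS)
# MTU (maximal transfer unit) is the size of the chunks we send out
# over the net. "Path MTU Discovery" means that, instead of always
# sending very small chunks, we start out sending big ones and if we
# then discover that some host along the way likes its chunks smaller,
# we adjust to a smaller size.
# net.ipv4.ip_no_pmtu_disc = 1

# Enable debugging of IP masquerading ?
# net.ipv4.ip_masq_debug = 1

# Bug-to-bug compatibility with some broken printers. On retransmit
# try to send bigger packets to work around bugs in certain TCP
# stacks. Can be turned off by setting IPV4_RETRANS_COLLAPSE to ,,yes''.
# net.ipv4.tcp_retrans_collapse = 1

# Disable selective acknowledgments after RFC2018 ?
# TCP may experience poor performance when multiple packets are lost
# from one window of data. With the limited information available
# from cumulative acknowledgments, a TCP sender can only learn about a
# single lost packet per round trip time. An aggressive sender could
# choose to retransmit packets early, but such retransmitted segments
# may have already been successfully received.
# net.ipv4.tcp_sack = 0

# Disable timestamps as defined in RFC1323 ?
# Timestamps are designed to provide compatible interworking with
# TCP's that do not implement the TCP Extensions for High Performance
# net.ipv4.tcp_timestamps = 0

# Enable the strict RFC793 interpretation of the TCP urgent pointer field.
# net.ipv4.tcp_stdurg = 1

# Enable tcp_syncookies
# Commented out here; SYN cookies limit the impact of SYN floods on the
# listen backlog and are enabled by default on current kernels.
# net.ipv4.tcp_syncookies = 1

# Disable window scaling as defined in RFC1323 ?
# The window scale extension expands the definition of the TCP
# window to 32 bits and then uses a scale factor to carry this
# 32-bit value in the 16-bit Window field of the TCP header.
# net.ipv4.tcp_window_scaling = 0

# Enable dynamic socket address rewriting on interface address change.
# This is useful for dialup interface with changing IP addresses.
# NOTE: the key had a stray "sys." prefix before; sysctl keys are relative
# to /proc/sys, so the correct name is net.ipv4.ip_dynaddr.
# net.ipv4.ip_dynaddr = 7

# Range of ports used by TCP and UDP to choose the local
# port. Contains two numbers, the first number is the lowest port,
# the second number the highest local port. Default is "1024 4999".
# Should be changed to "32768 61000" for high-usage systems.
# net.ipv4.ip_local_port_range = 4096 61000

# Disables automatic defragmentation (needed for masquerading, LVS)
# Non-existent on Linux 2.4
# net.ipv4.ip_always_defrag = 0

### IPV6 NETWORKING

# Disables IPv6 packet forwarding
# net.ipv6.conf.all.forwarding = 0

# Do you want IPv6 address autoconfiguration? Kernel default is yes.
# net.ipv6.conf.all.autoconf = 0
# net.ipv6.conf.default.autoconf = 0

# Do you want kernel to add default route for IPv6 interfaces if
# there is no router on the link? Kernel default is yes.
# Kernel 2.4.0-test? or later (after ANK accepts my patch - baggins).
# net.ipv6.conf.all.autoconf_route = 0

### OTHER SETTINGS

# Adjust number of inodes and file handles available in the system.
# If you have a heavily loaded system and kernel complains about
# file/inode limit reached in VFS, increase this 2x. The default
# value is 4096 (file) and 8192 (inode). The inode number should be
# always 2-3 times the file number. For most systems this should not
# be changed
# fs.file-max = 8192
# fs.inode-max = 16384

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
# kernel.core_uses_pid = 1

# Enable the magic-sysrq key
# 1 enables every SysRq function (sync, remount, process kill, reboot, ...)
# from the console or /proc/sysrq-trigger. A bitmask value restricts it to
# the functions actually needed; see Documentation/admin-guide/sysrq.rst.
kernel.sysrq = 1

#
# GRSECURITY http://www.grsecurity.org
#
# WARNING!
# These values are SET ONCE!
# (after kernel.grsecurity.grsec_lock is set to 1 they cannot be changed
# again until reboot). The kernel.grsecurity.* keys exist only on a
# grsecurity-patched kernel; elsewhere sysctl reports them as unknown keys.
#
# kernel.grsecurity.linking_restrictions = 1
# kernel.grsecurity.fifo_restrictions = 1
# kernel.grsecurity.destroy_unused_shm = 0
# kernel.grsecurity.chroot_caps = 0
# kernel.grsecurity.chroot_deny_chmod = 0
# kernel.grsecurity.chroot_deny_chroot = 1
# kernel.grsecurity.chroot_deny_fchdir = 0
# kernel.grsecurity.chroot_deny_mknod = 1
# kernel.grsecurity.chroot_deny_mount = 1
# kernel.grsecurity.chroot_deny_pivot = 1
# kernel.grsecurity.chroot_deny_shmat = 0
# kernel.grsecurity.chroot_deny_sysctl = 1
# kernel.grsecurity.chroot_deny_unix = 0
# kernel.grsecurity.chroot_enforce_chdir = 0
# kernel.grsecurity.chroot_execlog = 0
# kernel.grsecurity.chroot_findtask = 1
# kernel.grsecurity.chroot_restrict_nice = 0

# kernel.grsecurity.exec_logging = 0
# kernel.grsecurity.signal_logging = 1
# kernel.grsecurity.forkfail_logging = 0
# kernel.grsecurity.timechange_logging = 1
# kernel.grsecurity.audit_chdir = 0
# kernel.grsecurity.audit_gid = 65505
# kernel.grsecurity.audit_group = 0
# kernel.grsecurity.audit_ipc = 0
# kernel.grsecurity.audit_mount = 0

# kernel.grsecurity.execve_limiting = 1
# kernel.grsecurity.dmesg = 1
# kernel.grsecurity.tpe = 1
# kernel.grsecurity.tpe_gid = 65500
# kernel.grsecurity.tpe_glibc = 0
# kernel.grsecurity.tpe_restrict_all = 0

# kernel.grsecurity.rand_pids = 1
# kernel.grsecurity.socket_all = 1
# kernel.grsecurity.socket_all_gid = 65501
# kernel.grsecurity.socket_client = 1
# kernel.grsecurity.socket_client_gid = 65502
# kernel.grsecurity.socket_server = 1
# kernel.grsecurity.socket_server_gid = 65503

# kernel.grsecurity.disable_modules = 0
# kernel.grsecurity.grsec_lock = 0

# Commented out, so the kernel default applies (2 on current kernels).
# kernel.randomize_va_space = 2
# 0 - Turn the process address space randomization off by default.
# 1 - Conservative address space randomization makes the addresses of
# mmap base and VDSO page randomized. This, among other things,
# implies that shared libraries will be loaded to random addresses.
# Also for PIE binaries, the location of code start is randomized.
# 2 - This includes all the features that Conservative randomization
# provides. In addition to that, also start of the brk area is randomized.
# There a few legacy applications out there (such as some ancient
# versions of libc.so.5 from 1996) that assume that brk area starts
# just after the end of the code+bss. These applications break when
# start of the brk area is randomized. There are however no known
# non-legacy applications that would be broken this way, so for most
# systems it is safe to choose Full randomization.

# for mplayer
# dev.rtc.max-user-freq = 1024
#

# protect hard/symlinks
# Restricts following symlinks in world-writable sticky directories (e.g.
# /tmp) and creating hardlinks to files the caller does not own, which
# closes the classic link-race path to privilege escalation.
fs.protected_hardlinks = 1
fs.protected_symlinks = 1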