### IPV4 NETWORKING # Disables IPv4 packet forwarding net.ipv4.ip_forward = 0 # Enables source route verification net.ipv4.conf.all.rp_filter = 1 # Accept ICMP redirect messages (suggested 1 for hosts and 0 for routers) # net.ipv4.conf.all.accept_redirects = 1 # Accept source routed packages (suggested 0 for hosts and 1 for routers) # net.ipv4.conf.all.accept_source_route = 1 # Log packets with source addresses with no known route to kernel log # net.ipv4.conf.all.log_martians = 1 # Do multicast routing ? The kernel needs to be compiled with # CONFIG_MROUTE and a multicast routing daemon is required. # net.ipv4.conf.all.mc_forwarding = 1 # Do proxy ARP ? # net.ipv4.conf.all.proxy_arp = 1 # Accept ICMP redirect messages only for gateways, listed in # default gateway list ? # net.ipv4.conf.all.secure_redirects = 1 # Send ICMP redirects to other hosts ? # net.ipv4.conf.all.send_redirects = 1 # Ignore all ICMP echo requests ? # net.ipv4.icmp_echo_ignore_all = 1 # Ignore ICMP echo requests to broadcast and multicast addresses ? # net.ipv4.icmp_echo_ignore_broadcasts = 1 # Enable MTU discovery patch ? (KERNEL MUST SUPPORT THIS) # MTU (maximal transfer unit) is the size of the chunks we send out # over the net. "Path MTU Discovery" means that, instead of always # sending very small chunks, we start out sending big ones and if we # then discover that some host along the way likes its chunks smaller, # we adjust to a smaller size. # net.ipv4.ip_no_pmtu_disc = 1 # Enable debugging of IP masquerading ? # net.ipv4.ip_masq_debug = 1 # Bug-to-bug compatibility with some broken printers. On retransmit # try to send bigger packets to work around bugs in certain TCP # stacks. Can be turned off by setting IPV4_RETRANS_COLLAPSE to ,,yes''. # net.ipv4.tcp_retrans_collapse = 1 # Disable select acknowledgments after RFC2018 ? # TCP may experience poor performance when multiple packets are lost # from one window of data. With the limited information available # from cumulative acknowledgments, a TCP sender can only learn about a # single lost packet per round trip time. An aggressive sender could # choose to retransmit packets early, but such retransmitted segments # may have already been successfully received. # net.ipv4.tcp_sack = 0 # Disable timestamps as defined in RFC1323 ? # Timestamps are designed to provide compatible interworking with # TCP's that do not implement the TCP Extensions for High Performance # net.ipv4.tcp_timestamps = 0 # Enable the strict RFC793 interpretation of the TCP urgent pointer field. # net.ipv4.tcp_stdurg = 1 # Enable tcp_syncookies net.ipv4.tcp_syncookies = 1 # Disable window scaling as defined in RFC1323 ? # The window scale extension expands the definition of the TCP # window to 32 bits and then uses a scale factor to carry this # 32-bit value in the 16-bit Window field of the TCP header. # net.ipv4.tcp_window_scaling = 0 # Enable dynamic socket address rewriting on interface address change. # This is useful for dialup interface with changing IP addresses. # sys.net.ipv4.ip_dynaddr = 7 # Range of ports used by TCP and UDP to choose the local # port. Contains two numbers, the first number is the lowest port, # the second number the highest local port. Default is "1024 4999". # Should be changed to "32768 61000" for high-usage systems. net.ipv4.ip_local_port_range = 1024 4999 # Disables automatic defragmentation (needed for masquerading, LVS) # Non existant on Linux 2.4 # net.ipv4.ip_always_defrag = 0 ### IPV6 NETWORKING # Disables IPv6 packet forwarding # net.ipv6.conf.all.forwarding = 0 # Do you want IPv6 address autoconfiguration? Kernel default is yes. # net.ipv6.conf.all.autoconf = 0 # net.ipv6.conf.default.autoconf = 0 # Do you want kernel to add default route for IPv6 interfaces if # there is no router on the link? Kernel default is yes. # Kernel 2.4.0-test? or later (after ANK accepts my patch - baggins). # net.ipv6.conf.all.autoconf_route = 0 ### OTHER SETTINGS # Adjust number of inodes and file handles available in the system. # If you have a havily loaded system and kernel complains about # file/inode limit reached in VFS, increase this 2x. The default # value is 4096 (file) and 8192 (inode). The inode number should be # always 2-3 times the file number. For most systems this should not # be changed # fs.file-max = 8192 # fs.inode-max = 16384 # Enable the magic-sysrq key kernel.sysrq = 1 # # GETREWTED http://www.getrewted.org # kernel 2.4 only # # WARNING! # These values are SET ONCE! # #kernel.getrewted.linking_restrictions = 1 #kernel.getrewted.fifo_restrictions = 1 #kernel.getrewted.secure_fds = 1 #kernel.getrewted.chroot_restrictions = 1 #kernel.getrewted.chroot_execlog = 0 #kernel.getrewted.chroot_caps = 0 #kernel.getrewted.secure_kbmap = 0 #kernel.getrewted.exec_logging = 0 #kernel.getrewted.suid_logging = 0 #kernel.getrewted.signal_logging = 1 #kernel.getrewted.forkfail_logging = 0 #kernel.getrewted.timechange_logging = 1 #kernel.getrewted.execve_limiting = 1 #kernel.getrewted.fork_bomb_prot = 0 #kernel.getrewted.fork_bomb_gid = 65504 #kernel.getrewted.fork_bomb_sec = 40 #kernel.getrewted.fork_bomb_max = 20 #kernel.getrewted.tpe = 0 #kernel.getrewted.tpe_gid = 65500 #kernel.getrewted.tpe_glibc = 0 #kernel.getrewted.tpe_restrict_all = 0 #kernel.getrewted.rand_pids = 0 #kernel.getrewted.rand_ip_ids = 0 #kernel.getrewted.rand_tcp_src_ports = 0 #kernel.getrewted.altered_pings = 0 #kernel.getrewted.rand_ttl = 0 #kernel.getrewted.rand_ttl_thresh = 64 #kernel.getrewted.rand_net = 1 #kernel.getrewted.socket_all = 1 #kernel.getrewted.socket_all_gid = 65501 #kernel.getrewted.socket_client = 1 #kernel.getrewted.socket_client_gid = 65502 #kernel.getrewted.socket_server = 1 #kernel.getrewted.socket_server_gid = 65503 #kernel.getrewted.stealth_flags = 0 #kernel.getrewted.stealth_icmp = 0 #kernel.getrewted.stealth_igmp = 0 #kernel.getrewted.stealth_rst = 0 #kernel.getrewted.stealth_udp = 0 #kernel.getrewted.coredump = 0