-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I added a little less restrictive version as default to DL.
Thanks for the submission.

Heiko

On Wed, August 16, 2006 16:49, Kari Mattsson wrote:
>
> Hello!
>
>
> Please find a documented sample /etc/sysctl.conf file below.
> It actually changes some values in a safer direction.
>
>
> As DL init already processes sysctl.conf if it exists, one can enable it
> by just renaming it.
>
> If you find it useful, please include it in DL.
>
>
>
> #------
>
>
>
> # /etc/sysctl.conf
>
>
> # A note on interfaces:
> # ..conf.all.. denotes all current and future interfaces
> # ..conf.default.. denotes all future interfaces
> # ..conf.xxx.. denotes that specified interface
>
>
> # If this is a proxyarp firewall, you have to enable (1) proxyarp
> # on selected interfaces. Otherwise, leave it all disabled (0).
> net.ipv4.conf.all.proxy_arp = 0
> #net.ipv4.conf.eth0.proxy_arp = 1
> #net.ipv4.conf.eth2.proxy_arp = 1
>
>
> # Enable (0) or disable (1) replying to normal pings.
> net.ipv4.icmp_echo_ignore_all = 0
>
> # Enable (0) or disable (1) replying to broadcast and multicast pings.
> net.ipv4.icmp_echo_ignore_broadcasts = 1
>
> # Enable (1) normally; disable (0) on some special, complex firewalls.
> net.ipv4.conf.all.rp_filter = 1
>
> # There is really no need for source routes due to security.
> net.ipv4.conf.all.accept_source_route = 0
>
> # There is really no need to accept redirects due to security.
> net.ipv4.conf.all.accept_redirects = 0
>
> # There is really no need to accept redirects due to security.
> net.ipv4.conf.all.secure_redirects = 0
>
> # Enable (1) only on some rare router/firewall setups.
> net.ipv4.conf.all.send_redirects = 0
>
> # Enable (1) only on a firewall/router; disable (0) otherwise.
> net.ipv4.ip_forward = 1
>
> # Enable (1) or disable (0) logging packets which are received with
> # illegal source address; internal IP coming in from outside etc.
> net.ipv4.conf.all.log_martians = 1
> #net.ipv4.conf.default.log_martians = 1
> #net.ipv4.conf.eth0.log_martians = 1
> #net.ipv4.conf.eth1.log_martians = 1
>
>
> # Enable (1) or disable (0) TCP SYN cookie protection.
> net.ipv4.tcp_syncookies = 1
>
> # TCP FIN handshaking phase timeout in seconds.
> net.ipv4.tcp_fin_timeout = 20
>
> # Keep TCP connections open, they might auto close otherwise.
> net.ipv4.tcp_keepalive_intvl = 60
>
>
>
> #------
>
>
>
> //Kari Mattsson
>
>
- --
Regards
Heiko Zuerker
http://www.devil-linux.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iEYEARECAAYFAkUBeygACgkQUcytMSbs+YVZ3wCfc5LGj3tkld48v334zxAI+zcJ
4RYAmgNNMsIqaFwP3OPhoD9i15LcBcDF
=JX96
-----END PGP SIGNATURE-----
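
A way to check that a file like the one quoted above actually took effect, as an added example that is not part of the original thread or of Devil-Linux: the hypothetical `audit_sysctl` function compares each `key = value` line with the live value under `/proc/sys`. It assumes whole-line comments only (the form sysctl.conf(5) documents) and reports a `#` inside a value as malformed rather than guessing what was meant.

```shell
#!/bin/sh
# audit_sysctl CONF [ROOT]  (hypothetical helper, not part of Devil-Linux)
# Compare every setting in CONF with the live value under ROOT.
# ROOT defaults to /proc/sys; a scratch directory can stand in for offline tests.
# Prints one status line per setting and returns 1 if any setting is not OK.
audit_sysctl() {
    conf=$1
    root=${2:-/proc/sys}
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and whole-line comments (# or ;).
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case $line in
            ''|'#'*|';'*) continue ;;
        esac
        # A line without "=" is not a setting.
        case $line in
            *=*) ;;
            *) echo "MALFORMED $line"; rc=1; continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        # Assumption: a "#" after the value is not a comment, so the line
        # would not set what its author intended. Flag it.
        case $want in
            *'#'*) echo "MALFORMED $key value contains '#': $want"; rc=1; continue ;;
        esac
        # Dotted key -> path under ROOT; keys already written with "/" are kept
        # (needed for interface names that themselves contain a dot).
        case $key in
            */*) path=$key ;;
            *)   path=$(printf '%s' "$key" | tr . /) ;;
        esac
        if [ ! -r "$root/$path" ]; then
            echo "MISSING $key want=$want"; rc=1; continue
        fi
        # Collapse whitespace so multi-field values compare cleanly.
        have=$(tr -s '[:space:]' ' ' < "$root/$path" | sed 's/^ //; s/ $//')
        if [ "$have" = "$want" ]; then
            echo "OK $key = $have"
        else
            echo "DIFF $key want=$want have=$have"; rc=1
        fi
    done < "$conf"
    return $rc
}
```

Run it as `audit_sysctl /etc/sysctl.conf` after boot; a `MISSING` line usually means the key names an interface or feature that does not exist on that machine.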