--- /etc/sysctl.conf 2006-06-28 19:57:05.000000000 -0400
+++ /root/sysctl.conf 2006-08-10 03:00:26.000000000 -0400
@@ -3,9 +3,6 @@
 # See sysctl.conf (5) for information.
 #
-#kernel.domainname = example.com
-#net/ipv4/icmp_echo_ignore_broadcasts=1
-
 # Uncomment the following to stop low-level messages on console
 #kernel.printk = 4 4 1 7
@@ -13,14 +10,62 @@
 # Functions previously found in netbase
 #
-# Uncomment the next line to enable Spoof protection (reverse-path filter)
-#net.ipv4.conf.default.rp_filter=1
-
-# Uncomment the next line to enable TCP/IP SYN cookies
-#net.ipv4.tcp_syncookies=1
-
-# Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.conf.default.forwarding=1
-
 # Uncomment the next line to enable packet forwarding for IPv6
 #net.ipv6.conf.default.forwarding=1
+
+
+# Spoof protection (reverse-path filter)
+# Check to make sure the source address for packets is routed out
+# the same interface the packet came in from. If not, drop the
+# packet.
+net.ipv4.conf.all.rp_filter=1
+
+# Turn off redirects
+# Redirects let other devices change your routing tables. This
+# can be used to reroute packets for eaves dropping. Screw that;
+# you rarely need this, turn it on when you do.
+net.ipv4.conf.all.accept_redirects=0
+
+# Turn off source routing
+# Source routed packets have some or all of the route specified by
+# the sender. This is generally considered bad for security, and
+# quite possibly could route a packet INTO your private IP address
+# and through a firewall.
+net.ipv4.conf.all.accept_source_route=0
+
+# Enabled RFC 1337 fix F1
+# Fix for abuse of TCP TIME-WAIT extension. Fix F1 from the RFC.
+net.ipv4.tcp_rfc1337=1
+
+# TCP/IP SYN cookies
+# When the SYN queue fills, use SYN cookies. These are
+# mathematically calculated, so they take no memory; but they also
+# can't use TCP extensions. They are only used in situations where
+# we wouldn't make a connection at all, so this is a net gain.
+net.ipv4.tcp_syncookies=1
+
+# Ignore broadcast pings
+# Broadcast pings are annoying and can be used for SMURF attacks.
+net.ipv4.icmp_echo_ignore_broadcasts=1
+
+# Ignore junk error messages from routers
+# Some routers break RFC 1122 and send us junk errors, which get
+# logged. This logging can fill up the disk; and it's likely
+# somebody, somewhere can figure out how to spoof this and fill
+# your disk.
+net.ipv4.icmp_ignore_bogus_error_responses=1
+
+# Ratelimit ICMP
+# Rate limit to 5 per second of the below.
+net.ipv4.icmp_ratelimit=20
+
+# ICMP ratelimit mask
+# We are ratelimiting:
+# 0: ICMP Echo Reply
+# 3: ICMP Destination Unreachable (default)
+# 4: ICMP Source Quench (default)
+# 11: ICMP Time Exceeded (default)
+# 12: ICMP Parameter Problem (default)
+# 14: ICMP Timestamp Reply
+# 16: ICMP Information Reply
+net.ipv4.icmp_ratemask=88089
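Review bot: `net.ipv4.conf.all.accept_redirects=0` does not on its own stop a non-forwarding host from honouring ICMP redirects: per the kernel's ip-sysctl documentation, when forwarding is off an interface accepts redirects if either `conf/all` or `conf/<iface>` is set, and the per-interface value inherited from `conf/default` is 1, so `net.ipv4.conf.default.accept_redirects=0` should be added beside it (the `all` form is sufficient for `rp_filter`, which takes the max of the two, and for `accept_source_route`, which requires both). The comment "Rate limit to 5 per second" over `net.ipv4.icmp_ratelimit=20` is a derived figure that only holds if the value is counted in 100 Hz jiffies; kernels of this era documented the value in jiffies (so the rate depends on HZ) and later ones in milliseconds, so the comment should state the unit and the kernel it was measured on, e.g. `# minimum spacing between rate-limited ICMP replies; unit is jiffies or ms depending on kernel — 20 = 5/s only at HZ=100`. `net.ipv4.icmp_ratemask=88089` does decode to bits 0, 3, 4, 11, 12, 14 and 16, matching the listed types.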