Scott Baker | 761e106 | 2016-06-20 17:18:17 -0700 | [diff] [blame] | 1 | # |
| 2 | # Configuration file for setting network variables. Please note these settings |
| 3 | # override /etc/sysctl.conf. If you prefer to use /etc/sysctl.conf, please |
| 4 | # adjust IPT_SYSCTL in /etc/default/ufw. |
| 5 | # |
| 6 | |
| 7 | # Uncomment this to allow this host to route packets between interfaces |
| 8 | #net/ipv4/ip_forward=1 |
| 9 | #net/ipv6/conf/default/forwarding=1 |
| 10 | #net/ipv6/conf/all/forwarding=1 |
| 11 | |
| 12 | # Turn on Source Address Verification in all interfaces to prevent some |
| 13 | # spoofing attacks |
| 14 | net/ipv4/conf/default/rp_filter=1 |
| 15 | net/ipv4/conf/all/rp_filter=1 |
| 16 | |
| 17 | # Do not accept IP source route packets (we are not a router) |
| 18 | net/ipv4/conf/default/accept_source_route=0 |
| 19 | net/ipv4/conf/all/accept_source_route=0 |
| 20 | net/ipv6/conf/default/accept_source_route=0 |
| 21 | net/ipv6/conf/all/accept_source_route=0 |
| 22 | |
| 23 | # Disable ICMP redirects. ICMP redirects are rarely used but can be used in |
| 24 | # MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate |
| 25 | # traffic to those sites. |
| 26 | net/ipv4/conf/default/accept_redirects=0 |
| 27 | net/ipv4/conf/all/accept_redirects=0 |
| 28 | net/ipv6/conf/default/accept_redirects=0 |
| 29 | net/ipv6/conf/all/accept_redirects=0 |
| 30 | |
| 31 | # Ignore bogus ICMP errors |
| 32 | net/ipv4/icmp_echo_ignore_broadcasts=1 |
| 33 | net/ipv4/icmp_ignore_bogus_error_responses=1 |
| 34 | net/ipv4/icmp_echo_ignore_all=0 |
| 35 | |
| 36 | # Don't log Martian Packets (impossible packets) |
| 37 | net/ipv4/conf/default/log_martians=0 |
| 38 | net/ipv4/conf/all/log_martians=0 |
| 39 | |
| 40 | # Change to '1' to enable TCP/IP SYN cookies This disables TCP Window Scaling |
| 41 | # (http://lkml.org/lkml/2008/2/5/167) |
| 42 | net/ipv4/tcp_syncookies=0 |
| 43 | |
| 44 | #net/ipv4/tcp_fin_timeout=30 |
| 45 | #net/ipv4/tcp_keepalive_intvl=1800 |
| 46 | |
| 47 | # normally allowing tcp_sack is ok, but if going through OpenBSD 3.8 RELEASE or |
| 48 | # earlier pf firewall, should set this to 0 |
| 49 | net/ipv4/tcp_sack=1 |
| 50 | |
| 51 | # Uncomment this to turn off ipv6 autoconfiguration |
| 52 | #net/ipv6/conf/default/autoconf=0 |
| 53 | #net/ipv6/conf/all/autoconf=0 |
| 54 | |
| 55 | # Uncomment this to enable ipv6 privacy addressing |
| 56 | #net/ipv6/conf/default/use_tempaddr=2 |
| 57 | #net/ipv6/conf/all/use_tempaddr=2 |