# Kernel parameters in sysctl.conf syntax (key = value, one per line,
# full-line "#" comments). The settings below enable IPv4 forwarding, so
# the host is configured to route packets between interfaces.

# Forward IPv4 packets between interfaces.
net.ipv4.ip_forward = 1
# Cope with a local address that changes while connections are being
# set up (dynamically assigned addresses, e.g. dial-up links).
net.ipv4.ip_dynaddr = 1

# Disable Path MTU Discovery
# NOTE(review): the exact effect of mode 1 depends on the kernel version;
# confirm against the ip-sysctl documentation of the target kernel.
net.ipv4.ip_no_pmtu_disc = 1

# Do not answer ICMP echo requests sent to broadcast/multicast addresses,
# so the host cannot be used as a reflector for broadcast ping floods.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not log bogus ICMP error responses to broadcast frames.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Minimum spacing, in milliseconds, between rate-limited ICMP replies to
# one target.
net.ipv4.icmp_ratelimit = 1000
# Bitmask of the ICMP types the rate limit applies to. 6168 = 0x1818 =
# types 3 (destination unreachable), 4 (source quench), 11 (time
# exceeded) and 12 (parameter problem).
net.ipv4.icmp_ratemask = 6168

# Fall back to SYN cookies when the SYN backlog overflows (SYN-flood
# mitigation).
net.ipv4.tcp_syncookies = 1
# Seconds an orphaned connection may stay in FIN-WAIT-2.
net.ipv4.tcp_fin_timeout = 30
# Retransmissions of the initial SYN for outgoing connections.
net.ipv4.tcp_syn_retries = 3
# Retransmissions of the SYN-ACK for incoming connections.
net.ipv4.tcp_synack_retries = 3

# Defaults inherited by interfaces created after this file is applied.
# arp_filter: answer ARP only on the interface the kernel would use to
# route the reply.
net.ipv4.conf.default.arp_filter = 1
# rp_filter = 0 turns reverse-path source validation off.
# NOTE(review): with ip_forward = 1 the kernel then forwards packets
# whose source address is not reachable via the receiving interface;
# confirm that anti-spoofing is enforced elsewhere (firewall rules), or
# evaluate 1 (strict) / 2 (loose).
net.ipv4.conf.default.rp_filter = 0
# Ignore ICMP redirects and drop source-routed packets, so on-link hosts
# cannot rewrite this host's routes or dictate the path of a packet.
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
# Log packets with impossible ("martian") addresses to the kernel log.
net.ipv4.conf.default.log_martians = 1

# The same policy for the "all" pseudo-interface. For rp_filter the
# kernel uses the higher of the "all" and the per-interface value, so 0
# here leaves the decision to each interface's own setting.
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1

# Console log levels, in order: current console, default message,
# minimum console, default console. A console level of 1 keeps all but
# the most severe kernel messages off the console; they remain in the
# kernel log buffer.
kernel.printk = 1 4 1 7
# Swap as little as possible.
vm.swappiness=1
# Lowest address a process may mmap; keeps page zero unmappable, which
# limits what a kernel NULL-pointer dereference can be turned into.
# NOTE(review): 4096 protects only the first page; many distributions
# ship 65536. Confirm whether the lower value is required here.
vm.mmap_min_addr = 4096
# Kilobytes of memory the VM keeps free as a reserve.
vm.min_free_kbytes = 8192

# Disable IPv6 by default.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Enable netfilter accounting
# (per-connection packet and byte counters in conntrack).
net.netfilter.nf_conntrack_acct=1

# Disable netfilter on bridges.
# Bridged frames are then not passed to ip6tables, iptables or arptables.
# NOTE(review): traffic crossing a bridge is therefore not filtered by
# those rule sets; confirm this matches the intended firewall design.
# These keys presumably exist only once the bridge netfilter module is
# loaded; verify that they are applied after it.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
# Value 2 hides the pointers from every user, including privileged ones.
kernel.kptr_restrict = 2

# Avoid kernel memory address exposures via dmesg.
# Value 1 restricts reading the kernel log to processes with CAP_SYSLOG.
kernel.dmesg_restrict = 1