projects / ipfire-2.x.git / blame
| Commit | Line | Data |
|---|---|---|
| cd1a2927 MT |
1 | net.ipv4.ip_forward = 1 |
| 2 | net.ipv4.ip_dynaddr = 1 | |
| fa822954 | 3 | |
| cd1a2927 MT |
4 | net.ipv4.icmp_echo_ignore_broadcasts = 1 |
| 5 | net.ipv4.icmp_ignore_bogus_error_responses = 1 | |
| 32c6ebdc MT |
6 | net.ipv4.icmp_ratelimit = 1000 |
| 7 | net.ipv4.icmp_ratemask = 6168 | |
| cd1a2927 | 8 | |
| cd1a2927 MT |
9 | net.ipv4.tcp_syncookies = 1 |
| 10 | net.ipv4.tcp_fin_timeout = 30 | |
| cd1a2927 MT |
11 | net.ipv4.tcp_syn_retries = 3 |
| 12 | net.ipv4.tcp_synack_retries = 3 | |
| 13 | ||
| ed37f707 | 14 | net.ipv4.conf.default.arp_filter = 1 |
| 1af975dc | 15 | net.ipv4.conf.default.rp_filter = 1 |
| cd1a2927 MT |
16 | net.ipv4.conf.default.accept_redirects = 0 |
| 17 | net.ipv4.conf.default.accept_source_route = 0 | |
| 18 | net.ipv4.conf.default.log_martians = 1 | |
| 19 | ||
| ed37f707 | 20 | net.ipv4.conf.all.arp_filter = 1 |
| 1af975dc | 21 | net.ipv4.conf.all.rp_filter = 1 |
| cd1a2927 MT |
22 | net.ipv4.conf.all.accept_redirects = 0 |
| 23 | net.ipv4.conf.all.accept_source_route = 0 | |
| 24 | net.ipv4.conf.all.log_martians = 1 | |
| 25 | ||
| 26 | kernel.printk = 1 4 1 7 | |
| dc931fba | 27 | vm.mmap_min_addr = 4096 |
| d1605d08 | 28 | vm.min_free_kbytes = 8192 |
| a30c7aa3 MT |
29 | |
| 30 | # Disable IPv6 by default. | |
| 31 | net.ipv6.conf.all.disable_ipv6 = 1 | |
| 32 | net.ipv6.conf.default.disable_ipv6 = 1 | |
| 1108a15c | 33 | |
| 84d6e931 PM |
34 | # However, enable some IPv6 hardening sysctl's in case this system is run customly _with_ IPv6. |
| 35 | net.ipv6.conf.all.accept_redirects = 0 | |
| 36 | net.ipv6.conf.default.accept_redirects = 0 | |
| 37 | ||
| 1108a15c | 38 | # Enable netfilter accounting |
| dc5a89c9 | 39 | net.netfilter.nf_conntrack_acct = 1 |
| 0f1cda21 JS |
40 | |
| 41 | # Disable netfilter on bridges. | |
| 42 | net.bridge.bridge-nf-call-ip6tables = 0 | |
| 43 | net.bridge.bridge-nf-call-iptables = 0 | |
| 44 | net.bridge.bridge-nf-call-arptables = 0 | |
| 373590b7 | 45 | |
| 4d622b7e MT |
46 | # Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers |
| 47 | # from loading vulnerable line disciplines with the TIOCSETD ioctl. | |
| 48 | dev.tty.ldisc_autoload = 0 | |
| 49 | ||
| 373590b7 | 50 | # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). |
| d5fe3322 | 51 | kernel.kptr_restrict = 2 |
| 373590b7 PM |
52 | |
| 53 | # Avoid kernel memory address exposures via dmesg. | |
| 54 | kernel.dmesg_restrict = 1 | |
| d03916e5 | 55 | |
| 29a8992b PM |
56 | # Turn on hard- and symlink protection |
| 57 | fs.protected_symlinks = 1 | |
| 58 | fs.protected_hardlinks = 1 | |
| 59 | ||
| b7b65e73 PM |
60 | # Don't allow writes to files and FIFOs that we don't own in world writable sticky |
| 61 | # directories, unless they are owned by the owner of the directory. | |
| 62 | fs.protected_fifos = 2 | |
| 63 | fs.protected_regular = 2 | |
| 64 | ||
| d03916e5 MT |
65 | # If a workload mostly uses anonymous memory and it hits this limit, the entire |
| 66 | # working set is buffered for I/O, and any more write buffering would require | |
| 67 | # swapping, so it's time to throttle writes until I/O can catch up. Workloads | |
| 68 | # that mostly use file mappings may be able to use even higher values. | |
| 69 | # | |
| 70 | # The generator of dirty data starts writeback at this percentage (system default | |
| 71 | # is 20%) | |
| 72 | vm.dirty_ratio = 10 | |
| 73 | ||
| 74 | # Start background writeback (via writeback threads) at this percentage (system | |
| 75 | # default is 10%) | |
| 76 | vm.dirty_background_ratio = 3 | |
| 77 | ||
| 78 | # The swappiness parameter controls the tendency of the kernel to move | |
| 79 | # processes out of physical memory and onto the swap disk. | |
| 80 | # 0 tells the kernel to avoid swapping processes out of physical memory | |
| 81 | # for as long as possible | |
| 82 | # 100 tells the kernel to aggressively swap processes out of physical memory | |
| 83 | # and move them to swap cache | |
| 84 | vm.swappiness = 1 | |
| 85 | ||
| d03916e5 | 86 | # Increase kernel buffer size maximums |
| 58b3c9b5 | 87 | net.ipv4.tcp_mem = 16777216 16777216 16777216 |
| d03916e5 MT |
88 | net.ipv4.tcp_rmem = 4096 87380 16777216 |
| 89 | net.ipv4.tcp_wmem = 4096 16384 16777216 | |
| 90 | net.ipv4.udp_mem = 3145728 4194304 16777216 | |
| 91 | ||
| 58b3c9b5 | 92 | # Prefer low latency over higher throughput |
| dc5a89c9 | 93 | net.ipv4.tcp_low_latency = 1 |
| 58b3c9b5 MT |
94 | |
| 95 | # Reserve more socket space for the TCP window | |
| dc5a89c9 | 96 | net.ipv4.tcp_adv_win_scale = 2 |
| 58b3c9b5 | 97 | |
| d03916e5 MT |
98 | # Enable TCP fast-open |
| 99 | net.ipv4.tcp_fastopen = 3 | |
| dc5a89c9 PM |
100 | |
| 101 | # Drop RST packets for sockets in TIME-WAIT state, as described in RFC 1337. | |
| 102 | # This protects against various TCP attacks, such as DoS against or injection | |
| 103 | # of arbitrary segments into prematurely closed connections. | |
| 104 | net.ipv4.tcp_rfc1337 = 1 | |
| b474e87b PM |
105 | |
| 106 | # Include PID in file names of generated core dumps | |
| 107 | kernel.core_uses_pid = 1 | |
| 400c4e8e PM |
108 | |
| 109 | # Block non-uid-0 profiling | |
| 110 | kernel.perf_event_paranoid = 3 | |
| f62b488f | 111 | |
| 5086ed68 PM |
112 | # Only processes with CAP_SYS_PTRACE may use ptrace |
| 113 | kernel.yama.ptrace_scope = 2 |