diff options
author | Silvino Silva <silvino@bk.ru> | 2021-02-12 03:59:34 +0000 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2021-02-12 03:59:34 +0000 |
commit | a3628fc49db4d88ff3e4067268650710d1da3f6f (patch) | |
tree | 8fdac6dfc8cabb9f85a2db3a3bd628cfe44438cd /core/conf/sysctl.conf | |
parent | 0a6b0fc9769daf0932cb207c3285baa31547b489 (diff) | |
download | doc-a3628fc49db4d88ff3e4067268650710d1da3f6f.tar.gz |
initial openbsd support
Diffstat (limited to 'core/conf/sysctl.conf')
-rw-r--r-- | core/conf/sysctl.conf | 160 |
1 files changed, 0 insertions, 160 deletions
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf deleted file mode 100644 index 7b14b46..0000000 --- a/core/conf/sysctl.conf +++ /dev/null @@ -1,160 +0,0 @@ -# -# /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) -# - -#KERN_EMERG "0" Emergency messages, system is about to crash or is unstable pr_emerg -#KERN_ALERT "1" Something bad happened and action must be taken immediately pr_alert -#KERN_CRIT "2" A critical condition occurred like a serious hardware/software failure pr_crit -#KERN_ERR "3" An error condition, often used by drivers to indicate difficulties with the hardware pr_err -#KERN_WARNING "4" A warning, meaning nothing serious by itself but might indicate problems pr_warning -#KERN_NOTICE "5" Nothing serious, but notably nevertheless. Often used to report security events. pr_notice -#KERN_INFO "6" Informational message e.g. startup information at driver initialization pr_info -#KERN_DEBUG "7" Debug messages -# current | default | minimum | boot-time-default -kernel.printk = 7 1 1 4 - -# set to 0 when profiling with apparmor -kernel.printk_ratelimit=0 - -kernel.randomize_va_space = 2 - -# Shared Memory -#kernel.shmmax = 500000000 -# Total allocated file handlers that can be allocated -# fs.file-nr= -vm.mmap_min_addr=65536 - -# Allow for more PIDs (to reduce rollover problems); may break some programs 32768 -kernel.pid_max = 65536 - -#Yama LSM by default -kernel.yama.ptrace_scope = 1 - -# -# Filesystem Protections -# - -# Optimization for port usefor LBs -# Increase system file descriptor limit -fs.file-max = 65535 - -# Hide symbol addresses in /proc/kallsyms -kernel.kptr_restrict = 2 - -# -# Network Protections -# - -net.core.bpf_jit_enable = 0 -# harden all code -net.core.bpf_jit_harden = 2 - -# disable tunnels by default user space create -# them as needed -net.core.fb_tunnels_only_for_init_net = 1 - -# Increase Linux auto tuning TCP buffer limits -# min, default, and max number of bytes to use -# set max to at least 4MB, or higher if you use very high BDP paths -# Tcp Windows etc -net.core.rmem_max = 8388608 -net.core.wmem_max = 8388608 -net.core.netdev_max_backlog = 5000 -net.ipv4.tcp_window_scaling = 1 - -#A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic. -net.ipv4.tcp_sack = 0 - -# Both ports linux-blob and linux-libre don't build with ipv6 -# Disable ipv6 -net.ipv6.conf.all.disable_ipv6 = 1 -net.ipv6.conf.default.disable_ipv6 = 1 -net.ipv6.conf.lo.disable_ipv6 = 1 - -# Tuen IPv6 -net.ipv6.conf.default.router_solicitations = 0 -net.ipv6.conf.default.accept_ra_rtr_pref = 0 -net.ipv6.conf.default.accept_ra_pinfo = 0 -net.ipv6.conf.default.accept_ra_defrtr = 0 -net.ipv6.conf.default.autoconf = 0 -net.ipv6.conf.default.dad_transmits = 0 -net.ipv6.conf.default.max_addresses = 0 - -# Avoid a smurf attack, ping scanning -net.ipv4.icmp_echo_ignore_broadcasts = 1 - -# Turn on protection for bad icmp error messages -net.ipv4.icmp_ignore_bogus_error_responses = 1 - -# Turn on syncookies for SYN flood attack protection -net.ipv4.tcp_syncookies = 1 - -## protect against tcp time-wait assassination hazards -## drop RST packets for sockets in the time-wait state -## (not widely supported outside of linux, but conforms to RFC) -net.ipv4.tcp_rfc1337 = 1 - -## tcp timestamps -## + protect against wrapping sequence numbers (at gigabit speeds) -## + round trip time calculation implemented in TCP -## - causes extra overhead and allows uptime detection by scanners like nmap -## enable @ gigabit speeds -net.ipv4.tcp_timestamps = 0 -#net.ipv4.tcp_timestamps = 1 - -# Turn on and log spoofed, source routed, and redirect packets -net.ipv4.conf.all.log_martians = 1 -net.ipv4.conf.default.log_martians = 1 - -## ignore echo broadcast requests to prevent being part of smurf attacks (default) -net.ipv4.icmp_echo_ignore_broadcasts = 1 - -## sets the kernels reverse path filtering mechanism to value 1(on) -## will do source validation of the packet's recieved from all the interfaces on the machine -## protects from attackers that are using ip spoofing methods to do harm -net.ipv4.conf.all.rp_filter = 1 -net.ipv4.conf.default.rp_filter = 1 -#net.ipv6.conf.default.rp_filter = 1 -#net.ipv6.conf.all.rp_filter = 1 - - -# Make sure no one can alter the routing tables -# Act as a router, necessary for Access Point -net.ipv4.conf.all.accept_redirects = 0 -net.ipv4.conf.default.accept_redirects = 0 -net.ipv4.conf.all.secure_redirects = 0 -net.ipv4.conf.default.secure_redirects = 0 -# No source routed packets here -# Discard packets with source routes, ip spoofing -net.ipv4.conf.all.accept_source_route = 0 -net.ipv4.conf.default.accept_source_route = 0 - - -net.ipv4.conf.all.send_redirects = 0 -net.ipv4.conf.default.send_redirects = 0 - -net.ipv4.ip_forward = 0 - -# Increase system IP port limits -net.ipv4.ip_local_port_range = 2000 65000 - -# Increase TCP max buffer size setable using setsockopt() -net.ipv4.tcp_rmem = 4096 87380 8388608 -net.ipv4.tcp_wmem = 4096 87380 8388608 - -# Disable proxy_arp -net.ipv4.conf.default.proxy_arp = 0 -net.ipv4.conf.all.proxy_arp = 0 - -# Disable bootp_relay -net.ipv4.conf.default.bootp_relay = 0 -net.ipv4.conf.all.bootp_relay = 0 - -# Decrease TCP fin timeout -net.ipv4.tcp_fin_timeout = 30 -# Decrease TCP keep alive time -net.ipv4.tcp_keepalive_time = 1800 -# Sen SynAck retries to 3 -net.ipv4.tcp_synack_retries = 3 - -# End of file |