about summary refs log tree commit diff stats
path: root/core/network.html
diff options
context:
space:
mode:
authorSilvino Silva <silvino@bk.ru>2017-02-20 09:06:21 +0000
committerSilvino Silva <silvino@bk.ru>2017-02-20 09:06:21 +0000
commit0e7880313b3a3e016c0d2e287802cc6ddff9edd1 (patch)
tree4ab03821ada4e4817dd58d161ae46041e24575b0 /core/network.html
parentfd15c7a1ea378eaea467a741253483b2f5b31ea9 (diff)
downloaddoc-0e7880313b3a3e016c0d2e287802cc6ddff9edd1.tar.gz
core revision
Diffstat (limited to 'core/network.html')
-rw-r--r--core/network.html141


1 files changed, 7 insertions, 134 deletions
diff --git a/core/network.html b/core/network.html
index c14f3db..ebea495 100644
--- a/core/network.html
+++ b/core/network.html
@@ -49,7 +49,7 @@
         described scripts then proceed to
         <a href="package.html#sysup">update system.</a></p>
 
-        <h2 id="resolv">2.1.1. Resolver</h2>
+        <h2 id="resolv">2.2.1. Resolver</h2>
 
         <p>This example will use
         <a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a>
@@ -65,7 +65,7 @@
         # chattr +i /etc/resolv.conf
         </pre>
 
-        <h2 id="static">2.1.2. Static IP</h2>
+        <h2 id="static">2.2.2. Static IP</h2>
 
         <p>Current example of <a href="conf/rc.d/net">/etc/rc.d/net</a>;</p>
 
@@ -112,7 +112,7 @@
         # ip route add default via ${GW}
         </pre>
 
-        <h2 id="iptables">2.1.3. Iptables</h2>
+        <h2 id="iptables">2.2.3. Iptables</h2>
 
         <p>For more information about iptables read
         <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>.
@@ -147,7 +147,7 @@
 
         <p>
 
-        <h2 id="wpa">2.1.4. Wpa and dhcpd</h2>
+        <h2 id="wpa">2.2.4. Wpa and dhcpd</h2>
 
         <p>There is more information on
         <a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and
@@ -165,7 +165,7 @@
         # iwconfig wlp2s0 essid NAME key s:ABCDE12345
         </pre>
 
-        <h3>2.1.4.1. Wpa Supplicant</h3>
+        <h3>2.2.4.1. Wpa Supplicant</h3>
 
         <p>Configure wpa supplicant edit;</p>
 
@@ -195,7 +195,7 @@
         init script to auto load wpa configuration and dhcp
         client.</p>
 
-        <h3>2.1.4.2. Wpa Cli</h3>
+        <h3>2.2.4.2. Wpa Cli</h3>
 
         <pre>
         # wpa_cli
@@ -235,137 +235,10 @@
         </pre>
 
 
-        <h2 id="sysctl">2.1.5. Sysctl</h2>
-
-        <p>Sysctl references
-        <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
-        <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
-        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>,
-        edit /etc/sysctl.conf;</p>
-
-        <pre>
-        #
-        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
-        #
-
-        kernel.printk = 1 4 1 7
-
-        # Disable ipv6
-        net.ipv6.conf.all.disable_ipv6 = 1
-        net.ipv6.conf.default.disable_ipv6 = 1
-        net.ipv6.conf.lo.disable_ipv6 = 1
-
-        # Tuen IPv6
-        # net.ipv6.conf.default.router_solicitations = 0
-        # net.ipv6.conf.default.accept_ra_rtr_pref = 0
-        # net.ipv6.conf.default.accept_ra_pinfo = 0
-        # net.ipv6.conf.default.accept_ra_defrtr = 0
-        # net.ipv6.conf.default.autoconf = 0
-        # net.ipv6.conf.default.dad_transmits = 0
-        # net.ipv6.conf.default.max_addresses = 0
-
-        # Avoid a smurf attack
-        net.ipv4.icmp_echo_ignore_broadcasts = 1
-
-        # Turn on protection for bad icmp error messages
-        net.ipv4.icmp_ignore_bogus_error_responses = 1
-
-        # Turn on syncookies for SYN flood attack protection
-        net.ipv4.tcp_syncookies = 1
-
-        ## protect against tcp time-wait assassination hazards
-        ## drop RST packets for sockets in the time-wait state
-        ## (not widely supported outside of linux, but conforms to RFC)
-        net.ipv4.tcp_rfc1337 = 1
-
-        ## tcp timestamps
-        ## + protect against wrapping sequence numbers (at gigabit speeds)
-        ## + round trip time calculation implemented in TCP
-        ## - causes extra overhead and allows uptime detection by scanners like nmap
-        ## enable @ gigabit speeds
-        net.ipv4.tcp_timestamps = 0
-        #net.ipv4.tcp_timestamps = 1
-
-        # Turn on and log spoofed, source routed, and redirect packets
-        net.ipv4.conf.all.log_martians = 1
-        net.ipv4.conf.default.log_martians = 1
-
-        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
-        net.ipv4.icmp_echo_ignore_broadcasts = 1
-
-        # No source routed packets here
-        net.ipv4.conf.all.accept_source_route = 0
-        net.ipv4.conf.default.accept_source_route = 0
-
-        ## sets the kernels reverse path filtering mechanism to value 1(on)
-        ## will do source validation of the packet's recieved from all the interfaces on the machine
-        ## protects from attackers that are using ip spoofing methods to do harm
-        net.ipv4.conf.all.rp_filter = 1
-        net.ipv4.conf.default.rp_filter = 1
-        net.ipv6.conf.default.rp_filter = 1
-        net.ipv6.conf.all.rp_filter = 1
-
-        # Make sure no one can alter the routing tables
-        net.ipv4.conf.all.accept_redirects = 0
-        net.ipv4.conf.default.accept_redirects = 0
-        net.ipv4.conf.all.secure_redirects = 0
-        net.ipv4.conf.default.secure_redirects = 0
-
-        # Don't act as a router
-        net.ipv4.ip_forward = 0
-        net.ipv4.conf.all.send_redirects = 0
-        net.ipv4.conf.default.send_redirects = 0
-
-        kernel.shmmax = 500000000
-        # Turn on execshild
-        kernel.exec-shield = 1
-        kernel.randomize_va_space = 1
-
-        # Optimization for port usefor LBs
-        # Increase system file descriptor limit
-        fs.file-max = 65535
-
-        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
-        kernel.pid_max = 65536
-
-        # Increase system IP port limits
-        net.ipv4.ip_local_port_range = 2000 65000
-
-        # Increase TCP max buffer size setable using setsockopt()
-        net.ipv4.tcp_rmem = 4096 87380 8388608
-        net.ipv4.tcp_wmem = 4096 87380 8388608
-
-        # Increase Linux auto tuning TCP buffer limits
-        # min, default, and max number of bytes to use
-        # set max to at least 4MB, or higher if you use very high BDP paths
-        # Tcp Windows etc
-        net.core.rmem_max = 8388608
-        net.core.wmem_max = 8388608
-        net.core.netdev_max_backlog = 5000
-        net.ipv4.tcp_window_scaling = 1
-
-        # End of file
-        </pre>
-
-        <p>Change to act as a router (default of conf/sysctl.conf);</p>
-
-        <pre>
-        # Act as a router, necessary for Access Point
-        net.ipv4.ip_forward = 1
-        net.ipv4.conf.all.send_redirects = 1
-        net.ipv4.conf.default.send_redirects = 1
-        </pre>
-
-        <p>Load new settings;</p>
-
-        <pre>
-        # sysctl -p
-        </pre>
-
         <a href="index.html">Core OS Index</a>
         <p>
         This is part of the c9-doc Manual.
-        Copyright (C) 2016
+        Copyright (C) 2017
         c9 team.
         See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
         for copying conditions.</p>

 

generated by cgit-pink 1.4.1-2-gfad0 (git 2.36.2.497.gbbea4dcf42) at 2025-04-06 23:44:06 +0000