diff options
| -rw-r--r-- | core/network.html | 40 |
1 files changed, 19 insertions, 21 deletions
diff --git a/core/network.html b/core/network.html index d9844ec..b6f1234 100644 --- a/core/network.html +++ b/core/network.html @@ -225,37 +225,37 @@ # Turn on syncookies for SYN flood attack protection net.ipv4.tcp_syncookies = 1 - ## protect against tcp time-wait assassination hazards - ## drop RST packets for sockets in the time-wait state - ## (not widely supported outside of linux, but conforms to RFC) - net.ipv4.tcp_rfc1337 = 1 - - ## tcp timestamps - ## + protect against wrapping sequence numbers (at gigabit speeds) - ## + round trip time calculation implemented in TCP - ## - causes extra overhead and allows uptime detection by scanners like nmap - ## enable @ gigabit speeds - net.ipv4.tcp_timestamps = 0 - #net.ipv4.tcp_timestamps = 1 + ## protect against tcp time-wait assassination hazards + ## drop RST packets for sockets in the time-wait state + ## (not widely supported outside of linux, but conforms to RFC) + net.ipv4.tcp_rfc1337 = 1 + + ## tcp timestamps + ## + protect against wrapping sequence numbers (at gigabit speeds) + ## + round trip time calculation implemented in TCP + ## - causes extra overhead and allows uptime detection by scanners like nmap + ## enable @ gigabit speeds + net.ipv4.tcp_timestamps = 0 + #net.ipv4.tcp_timestamps = 1 # Turn on and log spoofed, source routed, and redirect packets net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 - ## ignore echo broadcast requests to prevent being part of smurf attacks (default) - net.ipv4.icmp_echo_ignore_broadcasts = 1 + ## ignore echo broadcast requests to prevent being part of smurf attacks (default) + net.ipv4.icmp_echo_ignore_broadcasts = 1 # No source routed packets here net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 - ## sets the kernels reverse path filtering mechanism to value 1(on) - ## will do source validation of the packet's recieved from all the interfaces on the machine - ## protects from attackers that are using ip spoofing methods to do harm + ## sets the kernels reverse path filtering mechanism to value 1(on) + ## will do source validation of the packet's recieved from all the interfaces on the machine + ## protects from attackers that are using ip spoofing methods to do harm net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv6.conf.default.rp_filter = 1 - net.ipv6.conf.all.rp_filter = 1 + net.ipv6.conf.all.rp_filter = 1 # Make sure no one can alter the routing tables net.ipv4.conf.all.accept_redirects = 0 @@ -299,7 +299,7 @@ # End of file </pre> - <p>Change to act as a router;</p> + <p>Change to act as a router (default of conf/sysctl.conf);</p> <pre> # Act as a router, necessary for Access Point @@ -308,7 +308,6 @@ net.ipv4.conf.default.send_redirects = 1 </pre> - <p>Load new settings;</p> <pre> @@ -323,6 +322,5 @@ See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> - </body> </html> |