Slackware-14.1-Sysctl.conf
Posted 06-22-2014 at 06:54 PM by arniekat
This file is set up for a Slackware 14.1 desktop machine. The only sysctl variables enabled are the ones that need to be changed from the standard Slackware settings; they are in the bottom section.
You can copy the bottom portion as /etc/sysctl.conf and change the permissions:
chown root:root /etc/sysctl.conf
chmod 0440 /etc/sysctl.conf
NOTE - If you use the firewall script from Slax-7.0.8 as /etc/rc.d/rc.firewall be sure that it does not have sysctl variables set if you are going to use a separate file for /etc/sysctl.conf! Also, Arno-Iptables-Firewall does not require an /etc/sysctl.conf file since the application sets the kernel parameters.
You can check your own settings by the following commands:
cat /proc/sys/net/ipv4/tcp_max_syn_backlog
128
sysctl net/ipv4/tcp_max_syn_backlog
net.ipv4.tcp_max_syn_backlog = 128
sysctl net.ipv4.tcp_max_syn_backlog
net.ipv4.tcp_max_syn_backlog = 128
The following is included for reference and information. Since they are already set to recommended best practices, I am just showing them for completeness. You can read more regarding these kernel settings at:
/usr/src/linux-3.10.17/Documentation/networking/ip-sysctl.txt
Enable logging of packets with impossible (martian) source addresses. Note that this setting uses a lot of log space in /var/log
Slackware 14.1 Default net.ipv4.conf.all.log_martians = 0
Disable source routed packets
Slackware 14.1 Default net.ipv4.conf.all.accept_source_route = 0
Turn on SYN cookies, protection from SYN-flood Denial of Service (DoS) attacks
Slackware 14.1 Default net.ipv4.tcp_syncookies = 1
Disable responding to ping broadcasts
Slackware 14.1 Default net.ipv4.icmp_echo_ignore_broadcasts = 1
Enable IP routing. Required if your firewall is protecting a network, NAT included
Slackware 14.1 Default net.ipv4.ip_forward = 0
# vi /etc/sysctl.conf
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state.
# Also protects against IP spoofing.
net.ipv4.conf.all.rp_filter = 1
# Disable redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Disable acceptance of ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Disable source routing
net.ipv4.conf.default.accept_source_route = 0
# Disable TCP Timestamps
net.ipv4.tcp_timestamps = 0
# Blocks the reporting of known kernel address leaks
kernel.kptr_restrict = 1
# Turns off Kernel Module loading! Be sure whether you really need this!
# You will NOT be able to load Kernel Modules after it is set!
kernel.modules_disabled = 1
Save the file, exit, and make sure the permissions are correct.
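An added example, not part of arniekat's post: a POSIX sh script that parses a sysctl.conf-style file and reports which keys on the running kernel drift from the configured values, using the same dotted-key to /proc/sys path mapping the cat example above relies on. The function names, the SAMPLE_CONF text and the script name are my own assumptions.

```shell
#!/bin/sh
# Added example (not from arniekat's post): report sysctl keys whose live value
# differs from what a sysctl.conf-style file asks for. Names are my own.

# Constructed sample in sysctl.conf syntax (a subset of the post's settings).
SAMPLE_CONF='# Disable acceptance of ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
kernel.kptr_restrict=1   # hide kernel pointers from unprivileged users
'

# Live reader: dotted key -> /proc/sys path, as the post's cat example shows.
# Prints nothing (and still returns 0) when the key is absent or unreadable.
read_live() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; fi
}

# Normalize "key = value" lines into "key value"; drop comments and non-assignments.
parse_conf() {
    sed -e 's/#.*//' -e '/=/!d' \
        -e 's/^[[:space:]]*\([^[:space:]=]*\)[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1 \2/'
}

# Collapse runs of blanks so multi-value keys (e.g. port ranges) compare sanely.
squeeze() { printf '%s' "$1" | tr -s '[:blank:]' ' '; }

# check_drift CONF_TEXT READER: prints one DRIFT line per mismatch and returns
# 1 if anything drifted, 0 if every key matches. READER is a command that takes
# a key and prints its current value (read_live for the real kernel).
check_drift() {
    conf="$1"; reader="$2"; drift=0
    while read -r key want; do
        have=$("$reader" "$key" 2>/dev/null || true)
        have=$(squeeze "$have"); want=$(squeeze "$want")
        if [ "$have" != "$want" ]; then
            echo "DRIFT $key expected=$want actual=${have:-<unreadable>}"
            drift=$((drift + 1))
        fi
    done <<EOF
$(printf '%s\n' "$conf" | parse_conf)
EOF
    [ "$drift" -eq 0 ]
}

# Usage: sh check_sysctl.sh /etc/sysctl.conf  (compares against the running kernel)
if [ $# -gt 0 ]; then
    check_drift "$(cat "$1")" read_live
fi
```

Run it after `sysctl --system` or a reboot; a non-zero exit means at least one key did not take effect.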
Comments
Don't forget to mention that you either have to reboot, or run
/sbin/sysctl -e --system
to take effect.
Posted 06-01-2018 at 08:56 AM by andrixnet