[Firehol-devs] more interface protections

Andrew Schulman andrex at alumni.utexas.net
Sun Jul 29 07:27:38 BST 2007

Here are some kernel variables that can, and IMO should, be set to enable
additional interface protections.
http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html, sections
3.3-3.5, has some good information about them.  


* Protections that affect all interfaces:

# Ignore broadcast echo requests
# (don't participate in smurf attacks):
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

# Enable TCP SYN cookie protection
# (block SYN flood attacks):
/sbin/sysctl -w net.ipv4.tcp_syncookies=1

* Interface-specific protections:  Here $IFNAME can be either an interface
name, or 'all' to activate the protections for all interfaces.

# Drop spoofed packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface:
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.rp_filter=1

# Only accept redirects from a known gateway:
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.shared_media=1
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.secure_redirects=1

# Don't accept source-routed packets:
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.accept_source_route=0

# Don't accept or send ICMP redirects:
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.accept_redirects=0
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.send_redirects=0

# Log packets with impossible addresses:
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.log_martians=1

More information about the Firehol-devs mailing list