[Firehol-devs] more interface protections
Andrew Schulman
andrex at alumni.utexas.net
Sun Jul 29 07:27:38 BST 2007
Here are some kernel variables that can, and IMO should, be set to enable
additional interface protections.
http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html, sections
3.3-3.5, has some good information about them.
Andrew.
* Protections that affect all interfaces:
# Ignore broadcast echo requests
# (don't participate in smurf attacks):
/sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# Enable TCP SYN cookie protection
# (block SYN flood attacks):
/sbin/sysctl -w net.ipv4.tcp_syncookies=1
* Interface-specific protections: Here $IFNAME can be either an interface
name, or 'all' to activate the protections for all interfaces.
# Drop spoofed packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface:
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.rp_filter=1
# Only accept redirects from a known gateway:
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.shared_media=1
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.secure_redirects=1
# Don't accept source-routed packets:
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.accept_source_route=0
# Don't accept or send ICMP redirects:
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.accept_redirects=0
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.send_redirects=0
# Log packets with impossible addresses:
/sbin/sysctl -w net.ipv4.conf.${IFNAME}.log_martians=1
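An audit script added here (not part of Andrew's post or of FireHOL) that reads the settings above back from /proc/sys and reports which ones are not in effect. It assumes the kernel's merge rules from include/linux/inetdevice.h (max for rp_filter, AND for accept_source_route, OR for the others, and accept_redirects OR on a host but AND once forwarding is on), which is why setting conf/all alone can leave a per-interface default in force; the `reader` argument is a hypothetical hook so the logic can be exercised with constructed values.

```python
import os

# (key, desired, merge rule): how the kernel combines conf/all/<key> with conf/<iface>/<key>; rules assumed from include/linux/inetdevice.h
IFACE_SETTINGS = [
    ("rp_filter",           1, "max"),
    ("shared_media",        1, "or"),
    ("secure_redirects",    1, "or"),
    ("accept_source_route", 0, "and"),
    ("accept_redirects",    0, "or_unless_forwarding"),
    ("send_redirects",      0, "or"),
    ("log_martians",        1, "or"),
]
GLOBAL_SETTINGS = [("net.ipv4.icmp_echo_ignore_broadcasts", 1),
                   ("net.ipv4.tcp_syncookies", 1)]

def proc_reader(key):
    """Read a sysctl key from its /proc/sys file; None if absent or unreadable."""
    try:
        with open(os.path.join("/proc/sys", *key.split("."))) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def effective(rule, all_val, if_val, forwarding):
    """Effective value after the kernel merges the 'all' and interface knobs."""
    if rule == "or_unless_forwarding":  # accept_redirects: OR on a host, AND on a router
        rule = "and" if forwarding else "or"
    if rule == "max":
        return max(all_val, if_val)
    if rule == "and":
        return all_val & if_val
    return all_val | if_val

def audit(ifnames, reader=proc_reader):
    """Return (sysctl key, desired, effective) for every setting that deviates."""
    findings = []
    for key, want in GLOBAL_SETTINGS:
        got = reader(key)
        if got != want:
            findings.append((key, want, got))
    for ifname in ifnames:
        fwd = reader(f"net.ipv4.conf.{ifname}.forwarding") or 0
        for key, want, rule in IFACE_SETTINGS:
            all_val = reader(f"net.ipv4.conf.all.{key}")
            if_val = reader(f"net.ipv4.conf.{ifname}.{key}")
            got = None if None in (all_val, if_val) else effective(rule, all_val, if_val, fwd)
            if got != want:
                findings.append((f"net.ipv4.conf.{ifname}.{key}", want, got))
    return findings
```

Call `audit(["eth0", "eth1"])` on the host; an empty list means every setting is effectively as the post recommends, and an entry with effective `None` means the kernel does not expose that key for that interface.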