mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-10 19:15:54 +02:00
d5fe332283
Change this setting from 1 to 2 so kernel addresses are not displayed even if a user has CAPS_SYSLOG privileges. See also: - https://lwn.net/Articles/420403/ - https://tails.boum.org/contribute/design/kernel_hardening/ Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
51 lines
1.3 KiB
Plaintext
51 lines
1.3 KiB
Plaintext
net.ipv4.ip_forward = 1
|
|
net.ipv4.ip_dynaddr = 1
|
|
|
|
# Disable Path MTU Discovery
|
|
net.ipv4.ip_no_pmtu_disc = 1
|
|
|
|
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
|
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
|
net.ipv4.icmp_ratelimit = 1000
|
|
net.ipv4.icmp_ratemask = 6168
|
|
|
|
net.ipv4.tcp_syncookies = 1
|
|
net.ipv4.tcp_fin_timeout = 30
|
|
net.ipv4.tcp_syn_retries = 3
|
|
net.ipv4.tcp_synack_retries = 3
|
|
|
|
net.ipv4.conf.default.arp_filter = 1
|
|
net.ipv4.conf.default.rp_filter = 0
|
|
net.ipv4.conf.default.accept_redirects = 0
|
|
net.ipv4.conf.default.accept_source_route = 0
|
|
net.ipv4.conf.default.log_martians = 1
|
|
|
|
net.ipv4.conf.all.arp_filter = 1
|
|
net.ipv4.conf.all.rp_filter = 0
|
|
net.ipv4.conf.all.accept_redirects = 0
|
|
net.ipv4.conf.all.accept_source_route = 0
|
|
net.ipv4.conf.all.log_martians = 1
|
|
|
|
kernel.printk = 1 4 1 7
|
|
vm.swappiness=0
|
|
vm.mmap_min_addr = 4096
|
|
vm.min_free_kbytes = 8192
|
|
|
|
# Disable IPv6 by default.
|
|
net.ipv6.conf.all.disable_ipv6 = 1
|
|
net.ipv6.conf.default.disable_ipv6 = 1
|
|
|
|
# Enable netfilter accounting
|
|
net.netfilter.nf_conntrack_acct=1
|
|
|
|
# Disable netfilter on bridges.
|
|
net.bridge.bridge-nf-call-ip6tables = 0
|
|
net.bridge.bridge-nf-call-iptables = 0
|
|
net.bridge.bridge-nf-call-arptables = 0
|
|
|
|
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
|
|
kernel.kptr_restrict = 2
|
|
|
|
# Avoid kernel memory address exposures via dmesg.
|
|
kernel.dmesg_restrict = 1
|