mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-11 11:35:54 +02:00
d21e6d94cb
For historical reasons, we were always reluctant to reverse path
filtering, since configuration changes were tricky to evaluate for a
larger userbase, IPFire permits a number of complex scenarios, and due
to limited resources.
As a compromise, this patch suggests to enable Loose Reverse Path
Filtering, as specified in RFC 3704 (section 2.4), to gain at least some
security achievement on this end.
To quote from that:
Loose Reverse Path Forwarding (Loose RPF) is algorithmically similar
to strict RPF, but differs in that it checks only for the existence
of a route (even a default route, if applicable), not where the route
points to. Practically, this could be considered as a "route
presence check" ("loose RPF is a misnomer in a sense because there is
no "reverse path" check in the first place).
The questionable benefit of Loose RPF is found in asymmetric routing
situations: a packet is dropped if there is no route at all, such as
to "Martian addresses" or addresses that are not currently routed,
but is not dropped if a route exists.
There is no legitimate reason why we cannot enable this: If IPFire
receives a packet on some interface it cannot route on _any_ interface
at all, there is no sense in processing it.
While testing this change, I was unable to produce a situation where it
actually causes any harm. In theory, it shouldn't do so anyways.
In the future, we will hopefully be able to set these sysctl's to "1",
using Strict Reverse Path Filtering, as specified in RFC 3704 (section
2.2). Doing so was found to work fine in my testing environment as well,
but there is no asymmetric routing in place there.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
104 lines
3.3 KiB
Plaintext
104 lines
3.3 KiB
Plaintext
net.ipv4.ip_forward = 1
|
|
net.ipv4.ip_dynaddr = 1
|
|
|
|
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
|
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
|
net.ipv4.icmp_ratelimit = 1000
|
|
net.ipv4.icmp_ratemask = 6168
|
|
|
|
net.ipv4.tcp_syncookies = 1
|
|
net.ipv4.tcp_fin_timeout = 30
|
|
net.ipv4.tcp_syn_retries = 3
|
|
net.ipv4.tcp_synack_retries = 3
|
|
|
|
net.ipv4.conf.default.arp_filter = 1
|
|
net.ipv4.conf.default.rp_filter = 2
|
|
net.ipv4.conf.default.accept_redirects = 0
|
|
net.ipv4.conf.default.accept_source_route = 0
|
|
net.ipv4.conf.default.log_martians = 1
|
|
|
|
net.ipv4.conf.all.arp_filter = 1
|
|
net.ipv4.conf.all.rp_filter = 2
|
|
net.ipv4.conf.all.accept_redirects = 0
|
|
net.ipv4.conf.all.accept_source_route = 0
|
|
net.ipv4.conf.all.log_martians = 1
|
|
|
|
kernel.printk = 1 4 1 7
|
|
vm.mmap_min_addr = 4096
|
|
vm.min_free_kbytes = 8192
|
|
|
|
# Disable IPv6 by default.
|
|
net.ipv6.conf.all.disable_ipv6 = 1
|
|
net.ipv6.conf.default.disable_ipv6 = 1
|
|
|
|
# Enable netfilter accounting
|
|
net.netfilter.nf_conntrack_acct = 1
|
|
|
|
# Disable netfilter on bridges.
|
|
net.bridge.bridge-nf-call-ip6tables = 0
|
|
net.bridge.bridge-nf-call-iptables = 0
|
|
net.bridge.bridge-nf-call-arptables = 0
|
|
|
|
# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
|
|
# from loading vulnerable line disciplines with the TIOCSETD ioctl.
|
|
dev.tty.ldisc_autoload = 0
|
|
|
|
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
|
|
kernel.kptr_restrict = 2
|
|
|
|
# Avoid kernel memory address exposures via dmesg.
|
|
kernel.dmesg_restrict = 1
|
|
|
|
# Turn on hard- and symlink protection
|
|
fs.protected_symlinks = 1
|
|
fs.protected_hardlinks = 1
|
|
|
|
# Don't allow writes to files and FIFOs that we don't own in world writable sticky
|
|
# directories, unless they are owned by the owner of the directory.
|
|
fs.protected_fifos = 2
|
|
fs.protected_regular = 2
|
|
|
|
# If a workload mostly uses anonymous memory and it hits this limit, the entire
|
|
# working set is buffered for I/O, and any more write buffering would require
|
|
# swapping, so it's time to throttle writes until I/O can catch up. Workloads
|
|
# that mostly use file mappings may be able to use even higher values.
|
|
#
|
|
# The generator of dirty data starts writeback at this percentage (system default
|
|
# is 20%)
|
|
vm.dirty_ratio = 10
|
|
|
|
# Start background writeback (via writeback threads) at this percentage (system
|
|
# default is 10%)
|
|
vm.dirty_background_ratio = 3
|
|
|
|
# The swappiness parameter controls the tendency of the kernel to move
|
|
# processes out of physical memory and onto the swap disk.
|
|
# 0 tells the kernel to avoid swapping processes out of physical memory
|
|
# for as long as possible
|
|
# 100 tells the kernel to aggressively swap processes out of physical memory
|
|
# and move them to swap cache
|
|
vm.swappiness = 1
|
|
|
|
# Increase kernel buffer size maximums
|
|
net.ipv4.tcp_mem = 16777216 16777216 16777216
|
|
net.ipv4.tcp_rmem = 4096 87380 16777216
|
|
net.ipv4.tcp_wmem = 4096 16384 16777216
|
|
net.ipv4.udp_mem = 3145728 4194304 16777216
|
|
|
|
# Prefer low latency over higher throughput
|
|
net.ipv4.tcp_low_latency = 1
|
|
|
|
# Reserve more socket space for the TCP window
|
|
net.ipv4.tcp_adv_win_scale = 2
|
|
|
|
# Enable TCP fast-open
|
|
net.ipv4.tcp_fastopen = 3
|
|
|
|
# Drop RST packets for sockets in TIME-WAIT state, as described in RFC 1337.
|
|
# This protects against various TCP attacks, such as DoS against or injection
|
|
# of arbitrary segments into prematurely closed connections.
|
|
net.ipv4.tcp_rfc1337 = 1
|
|
|
|
# Include PID in file names of generated core dumps
|
|
kernel.core_uses_pid = 1
|