
Changes to /etc/init.d/networking



I've made some changes to the networking init file. My primary goal was to increase network throughput and to increase system security as well. So far I've made some progress but have also run into several questions that need some answers.

I found the original /etc/init.d/networking script easy to follow and to modify, so I kept it and simply edited it to provide me with what I needed. I added the following operations to the networking script.


# Refuse ICMP redirects on every interface: a forged redirect can steer this
# host's traffic through an attacker's machine.
icmpredirects () {
    if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
        echo -n "Disabling ICMP Redirect Acceptance: "
        for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
            echo 0 > "$f"
        done
        echo "Done."
    fi
}

# Drop source-routed packets: the sender chooses the path and can bypass
# routing policy and spoof-protection that depends on it.
sourceroute () {
    if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
        echo -n "Disabling Source Routed Packets: "
        for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
            echo 0 > "$f"
        done
        echo "Done."
    fi
}

# Log "martians": packets with impossible source addresses, plus source-routed
# and redirected packets, so the above rejects leave a trace in syslog.
logpackets () {
    if [ -e /proc/sys/net/ipv4/conf/all/log_martians ] ; then
        echo -n "Logging Spoofed Packets, Source Routed Packets, and Redirected Packets: "
        for f in /proc/sys/net/ipv4/conf/*/log_martians ; do
            echo 1 > "$f"
        done
        echo "Done."
    fi
}

# Throughput tuning. Guarded like the others so an older kernel without these
# knobs does not spew errors during network bring-up.
tcptweaks () {
    if [ -e /proc/sys/net/ipv4/tcp_rmem ]; then
        echo -n "Performing TCP/IP enhancements: "
        echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout        # reap FIN-WAIT-2 sockets sooner
        echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time   # first keepalive probe after 30 min
        echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
        echo 1 > /proc/sys/net/ipv4/tcp_sack
        echo 1 > /proc/sys/net/ipv4/tcp_dsack
        echo 1 > /proc/sys/net/ipv4/tcp_fack
        echo 1 > /proc/sys/net/ipv4/tcp_timestamps
        # ECN: some firewalls drop ECN-marked SYNs; set to 0 if some sites stop answering
        echo 1 > /proc/sys/net/ipv4/tcp_ecn
        echo 5 > /proc/sys/net/ipv4/tcp_reordering
        # min / default / max socket buffer sizes in bytes
        echo '8196 174760 349520' > /proc/sys/net/ipv4/tcp_rmem
        echo '8196 32768 262140' > /proc/sys/net/ipv4/tcp_wmem
        echo 262140 > /proc/sys/net/core/rmem_default
        echo 262140 > /proc/sys/net/core/rmem_max
        echo 131070 > /proc/sys/net/core/wmem_default
        echo 131070 > /proc/sys/net/core/wmem_max
        echo "Done."
    fi
}

# Ignore echo requests sent to broadcast addresses, so this host cannot be
# used as an amplifier in a smurf attack.
icmpbroadcast () {
    if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] ; then
        echo -n "Enabling ICMP Broadcast Echo Protection: "
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo "Done."
    fi
}

With this script being as robust as it is, all you need to do is add the following operations to the /etc/network/options file as stated under the doopt function and you're singing.

What boggles me are a few TCP/IP parameters under the /proc filesystem. Are there any major settings that I missed? Is it recommended to play with the ipfrag settings of the kernel?

Also, I am currently experimenting with an IPTables script; would it be recommended to write it to the /etc/network directory and have it executed via the networking init file?

Thanks

Stef
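The functions above set each knob once at boot and never look at it again. As an added example (not code from the post or from Debian's networking script), here is the same hardening expressed as a declarative policy with an apply step and an audit step, so a cron job can report any value that has drifted. SYSCTL_ROOT is an assumed variable that defaults to /proc/sys; pointing it at a scratch directory lets the script be exercised without root or a live kernel. Beyond the post's own settings it adds rp_filter (reverse-path filtering) and tcp_syncookies, two standard knobs the post does not set.

```shell
#!/bin/sh
# Added example, not code from the original post: the /proc/sys hardening as
# a policy table plus apply/audit functions. SYSCTL_ROOT is an assumed
# variable; it defaults to /proc/sys and can be redirected for offline tests.

: "${SYSCTL_ROOT:=/proc/sys}"

# Policy as "relative/path value" lines; "conf/*" expands to every interface
# directory (all, default, lo, eth0, ...), exactly as the original loops do.
HARDEN_POLICY='
net/ipv4/conf/*/accept_redirects 0
net/ipv4/conf/*/accept_source_route 0
net/ipv4/conf/*/log_martians 1
net/ipv4/conf/*/rp_filter 1
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/tcp_syncookies 1
'

# Print the concrete files a policy path matches under SYSCTL_ROOT.
# $1 is intentionally unquoted so the conf/* glob expands; paths that do
# not exist (older kernel, module not loaded) are silently skipped.
policy_files() {
    for f in $SYSCTL_ROOT/$1; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Write every policy value; missing knobs are skipped rather than aborting
# the rest of network bring-up.
apply_policy() {
    printf '%s\n' "$HARDEN_POLICY" | while read -r path value; do
        [ -n "$path" ] || continue
        for f in $(policy_files "$path"); do
            echo "$value" > "$f"
        done
    done
}

# Report every knob that deviates from policy on stderr. Returns 0 when the
# host is fully compliant and 1 otherwise, so it can drive a cron alert.
audit_policy() {
    bad=$(printf '%s\n' "$HARDEN_POLICY" | while read -r path value; do
        [ -n "$path" ] || continue
        for f in $(policy_files "$path"); do
            cur=$(cat "$f")
            [ "$cur" = "$value" ] || printf '%s: expected %s, got %s\n' "$f" "$value" "$cur"
        done
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" >&2
    return 1
}

# Usage: sh harden.sh apply   |   sh harden.sh audit
case "${1:-}" in
    apply) apply_policy ;;
    audit) audit_policy ;;
esac
```

Calling `apply_policy` from the networking init script and `audit_policy` from cron gives the same boot-time effect as the functions in the post, plus a non-zero exit whenever something (another script, a loaded module's defaults) has reset a knob.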
