
Re: Questions to /proc/sys/net/ipv4/ "settings"



On Mon, Sep 22, 2003 at 09:21:32AM +0200, FrankP@Teilnehmer.BFZ-Peters.de wrote:
> Could somebody explain a bit more detailed what the following
> settings do, what effect they have:

Look into /usr/src/linux/Documentation/networking/ip-sysctl.txt


Most of them are self-explanatory:

> for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo "1" > ${interface}
> done

This will switch on rp_filter on all interfaces; this will make the kernel
drop packets on interfaces which originate from a network which is not
routed to that interface. The kernel will print "martian source".

> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

This will not respond to broadcast pings, which is good to avoid being a
DoS amplifier (smurf attacks used to use that).

> echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

Source routed IP packets are evil, don't honor them.

> echo "0" > /proc/sys/net/ipv4/tcp_timestamps

This is a TCP extension; it might cause some interoperability problems.

> echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

Routers on the same wire can send ICMP redirects to dynamically add routes;
this is not a good idea on a firewall.

> echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

Well, I guess this will be a bit more strict in accepting ICMP errors.

> echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

This will log some of the packets which otherwise get silently dropped.

> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

Well, this defines the local port range for applications running on the
firewall connecting to the outside; not sure what this is used for. Most likely
some unneeded extra filtering.

> echo "2048" > /proc/sys/net/ipv4/ip_conntrack_max

This is setting the ipfilter connection tracking number of allowed
connections.

> echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
> echo "1200" > /proc/sys/net/ipv4/tcp_keepalive_time

This is setting the TCP timer settings, most likely to make connections
vanish faster in case of a problem.

> echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
> echo "0" > /proc/sys/net/ipv4/tcp_sack

This is switching off two more TCP extensions; I am not sure if this is good
or bad. It only affects connections from/to the firewall anyway.


Greetings
Bernd
-- 
  (OO)      -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
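As an added example (not code from the original mail or its author), a small POSIX sh audit that compares the ipv4 settings discussed above with the values the quoted script sets; the sysctl tree root is taken as an argument so it can be tried against a constructed copy, and the default root /proc/sys/net/ipv4 and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original mail: audit the ipv4 sysctls
# discussed above against the values the quoted script sets. The tree root
# is a parameter so the check can run on a constructed copy; when omitted
# it defaults to the live /proc/sys/net/ipv4 (assumption).
# "relative path  expected value", one per line (values from the mail).
EXPECTED='conf/all/rp_filter 1
icmp_echo_ignore_broadcasts 1
conf/all/accept_source_route 0
conf/all/accept_redirects 0
icmp_ignore_bogus_error_responses 1
conf/all/log_martians 1
ip_local_port_range 32768 61000'
# check_ipv4_sysctls [ROOT]: prints one line per deviation and returns
# the number of deviations (0 = all settings match; missing files count).
check_ipv4_sysctls() {
    root="${1:-/proc/sys/net/ipv4}"
    bad=0
    # A here-document keeps the loop in the current shell so $bad survives.
    while read -r path want; do      # "want" absorbs multi-word values
        [ -n "$path" ] || continue
        file="$root/$path"
        if [ ! -r "$file" ]; then
            echo "$path: missing"
            bad=$((bad + 1))
            continue
        fi
        # set -- word-splits the value so /proc's tabs compare as single spaces
        set -- $(cat "$file")
        have="$*"
        if [ "$have" != "$want" ]; then
            echo "$path: want '$want', have '$have'"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}
# make_sample_tree DIR: constructed stand-in for /proc/sys/net/ipv4 with
# one deliberately non-compliant setting (accept_redirects left at 1).
make_sample_tree() {
    mkdir -p "$1/conf/all"
    for f in conf/all/rp_filter icmp_echo_ignore_broadcasts conf/all/log_martians \
             icmp_ignore_bogus_error_responses conf/all/accept_redirects; do
        echo 1 > "$1/$f"
    done
    echo 0 > "$1/conf/all/accept_source_route"
    printf '32768\t61000\n' > "$1/ip_local_port_range"
}
```

Run `check_ipv4_sysctls` with no argument on a live box to audit the real tree; the non-zero return value is the number of settings that differ.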
