Re: Questions to /proc/sys/net/ipv4/ "settings"
On Mon, Sep 22, 2003 at 09:21:32AM +0200, FrankP@Teilnehmer.BFZ-Peters.de wrote:
> Could somebody explain a bit more detailed what the following
> settings do, what effect they have:
Look into /usr/src/linux/Documentation/networking/ip-sysctl.txt
most of them are self-explanatory:
> for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo "1" > ${interface}
> done
this will switch on rp_filter on all interfaces, this will make the kernel
drop packets on interfaces which originate from a network which is not
routed to that interface. Kernel will print "martian source"
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
this will not respond to broadcast pings, which is good to avoid being a
DoS amplifier (smurf attacks used to use that)
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
source routed ip packets are evil, don't honor them
> echo "0" > /proc/sys/net/ipv4/tcp_timestamps
this is a tcp extension, might cause some interoperability problems.
> echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
routers on the same wire can send icmp redirects to dynamically add routes,
this is not a good idea on a firewall.
> echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
well, I guess this will be a bit more strict in accepting icmp errors
> echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
this will log some of the packets which otherwise get silently dropped.
> echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
well, this defines the local port range for applications running on the
firewall connecting to outside, not sure what this is used for. most likely
some unneeded extra filtering.
> echo "2048" > /proc/sys/net/ipv4/ip_conntrack_max
this is setting the ipfilter connection tracking number of allowed
connections.
> echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
> echo "1200" > /proc/sys/net/ipv4/tcp_keepalive_time
this is setting the tcp timer settings, most likely to make connections
vanish faster in case of a problem.
> echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
> echo "0" > /proc/sys/net/ipv4/tcp_sack
this is switching off two more tcp extensions, I am not sure if this is good
or bad. it only affects connections from/to the firewall anyway.
Greetings
Bernd
--
(OO) -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
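An added example, not part of Bernd's reply or Frank's script: a small POSIX sh audit that reads the /proc/sys/net/ipv4 values discussed above and reports which ones have drifted from the hardened settings. It only reads /proc, so it runs unprivileged. The PROC_ROOT variable is an assumption introduced here (not a kernel interface) so the same functions can be pointed at a constructed fake tree when testing; it defaults to the real /proc. ip_conntrack_max is left out on purpose because its path depends on the kernel version (it is /proc/sys/net/netfilter/nf_conntrack_max on current kernels).

```shell
#!/bin/sh
# sysctl_audit.sh: check the /proc/sys/net/ipv4 hardening values from the
# thread above against expected values. Reads /proc only, no root needed.
# PROC_ROOT is a hypothetical knob added for testing against a fake tree;
# it is not something the kernel knows about. Default: the real /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Expected values as path=value entries. Multi-field values
# (ip_local_port_range) use a comma where the kernel prints whitespace.
EXPECTED="sys/net/ipv4/conf/all/rp_filter=1
sys/net/ipv4/icmp_echo_ignore_broadcasts=1
sys/net/ipv4/conf/all/accept_source_route=0
sys/net/ipv4/conf/all/accept_redirects=0
sys/net/ipv4/icmp_ignore_bogus_error_responses=1
sys/net/ipv4/conf/all/log_martians=1
sys/net/ipv4/ip_local_port_range=32768,61000"

# read_value <relative path>: print the file's contents with whitespace
# collapsed to single spaces, e.g. "32768 61000". Fails if unreadable.
read_value() {
    [ -r "$PROC_ROOT/$1" ] || return 1
    tr -s '[:space:]' ' ' < "$PROC_ROOT/$1" | sed 's/^ //; s/ $//'
}

# check_one <relative path> <expected>: print OK/DRIFT/MISSING for the
# entry; return 0 only when the live value matches.
check_one() {
    want=$(printf '%s' "$2" | tr ',' ' ')
    if ! actual=$(read_value "$1"); then
        printf 'MISSING %s\n' "$1"
        return 2
    fi
    if [ "$actual" = "$want" ]; then
        printf 'OK      %s = %s\n' "$1" "$actual"
        return 0
    fi
    printf 'DRIFT   %s = %s (expected %s)\n' "$1" "$actual" "$want"
    return 1
}

# audit: check every EXPECTED entry, then rp_filter on each interface
# (the thread's loop sets it on every conf/*/ entry, so any interface
# that is not 1 is reported; conf/all is already covered by EXPECTED).
# Returns the number of mismatches, 0 when everything matches.
audit() {
    failures=0
    for entry in $EXPECTED; do
        if ! check_one "${entry%%=*}" "${entry#*=}"; then
            failures=$((failures + 1))
        fi
    done
    for f in "$PROC_ROOT"/sys/net/ipv4/conf/*/rp_filter; do
        [ -e "$f" ] || continue
        rel=${f#"$PROC_ROOT"/}
        case "$rel" in */all/*) continue ;; esac
        if ! check_one "$rel" 1; then
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Run against the live system; the exit status is the mismatch count.
audit
```

Run it as-is on the firewall and grep for DRIFT or MISSING. Two caveats when reading the output on a current kernel: the kernel uses the higher of conf/all/rp_filter and conf/<if>/rp_filter for source validation, so an interface reporting 0 is only effective if conf/all is also 0; and rp_filter also accepts 2 (loose mode, route to the source must exist via any interface), which this audit deliberately reports as drift from the strict value 1 the thread sets.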