
Re: Default kernel network variables, sysctl, not secure enough.



 Hi.

On Sun, 02 Feb 2014 13:47:36 +1300
"C.T.F. Jansen" <frank.jansen@actrix.gen.nz> wrote:

> Installed them and looked for man pages, nothing found, then through 
> /usr/share/doc again. This had a number of extra files in it that seemed 
> relevant but the variables set were not found as such. A look in
> 
>    /usr/share/doc/linux-doc-32/Documentation/networking/ip-sysctl.txt

Actually, this file should be called:

/usr/share/doc/linux-doc-3.2/Documentation/networking/ip-sysctl.txt.gz

And rp_filter is there.

 
> defines the values for the previously mentioned variable, with rp_filter 
> at the end of it. The variable itself was not listed in this file so a 
> grep did not find it.

Consider using zgrep, since all kernel documentation is compressed with
gzip.

> Editing /etc/sysctl.conf and uncommenting most of the settings will 
> improve the situation.

Or break networking completely, if the host in question has multiple
network interfaces with different IPs looking into the same network.
This sysctl variable is disabled by default for a reason.

 
> Someone put a README* in /etc/sysctl.d that suggested one put a 
> local.conf file in /etc/sysctl.d . This may be a better way to do it 
> but isn't documented anywhere, I think. It is less than obvious and may 
> be hard to find later.

Editing /etc/sysctl.conf will ask you to merge the maintainer's changes
to /etc/sysctl.conf once you upgrade the procps package.
Adding an arbitrarily named file (the .conf extension is necessary)
to /etc/sysctl.d won't have such an effect.
Whether the file is called local.conf or my_secure_sysctl_variables.conf
is irrelevant.


> Putting sysctl commands in start-up scripts may be challenging to find 
> later but site procedures vary. The variables can be set using sysctl as 
> well.

Take a look at /etc/init.d/procps.

Reco
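The two points Reco makes above (strict rp_filter breaks multi-homed hosts whose interfaces share a network, and the setting belongs in a .conf drop-in under /etc/sysctl.d rather than in /etc/sysctl.conf) as an added example script, not from the thread or from Debian. The interface list and the drop-in path are constructed; the rp_filter values 1 (strict) and 2 (loose) are the kernel's own, as documented in ip-sysctl.txt.

```bash
#!/bin/sh
# Added example (not part of the thread): choose an rp_filter mode that
# will not break a multi-homed host, and write it as a sysctl.d drop-in.

# Network number of an IPv4 CIDR string such as 192.0.2.10/24, as an integer.
ip_net() {
    cidr=$1
    ip=${cidr%/*}
    prefix=${cidr#*/}
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    echo $(( addr & mask ))
}

# Reads lines "<iface> <ipv4>/<prefix>" on stdin (a constructed inventory).
# If two interfaces sit in the same network, strict mode (1) would drop
# packets answered on the "other" interface, so loose mode (2) is chosen;
# otherwise strict mode (1) is safe.
choose_rp_filter() {
    seen=" "
    mode=1
    while read -r iface cidr; do
        [ -n "$iface" ] || continue
        key="$(ip_net "$cidr")/${cidr#*/}"
        case "$seen" in
            *" $key "*) mode=2 ;;
        esac
        seen="$seen$key "
    done
    echo "$mode"
}

# Text of the drop-in for the chosen mode.
dropin_text() {
    printf 'net.ipv4.conf.all.rp_filter = %s\nnet.ipv4.conf.default.rp_filter = %s\n' "$1" "$1"
}

# Writes the drop-in; refuses names without the .conf extension, which
# procps' sysctl would otherwise silently ignore.
write_dropin() {
    case "$1" in
        *.conf) dropin_text "$2" > "$1" ;;
        *) echo "refusing $1: sysctl.d only reads *.conf files" >&2; return 1 ;;
    esac
}
```

Typical use: `printf 'eth0 192.0.2.10/24\neth1 192.0.2.11/24\n' | choose_rp_filter` prints 2, and `write_dropin /etc/sysctl.d/local.conf 2` (assumed path) installs it.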

