From 16f1b7c8d418db7a3f3497784fd319ea345be9b9 Mon Sep 17 00:00:00 2001
From: Tim Niemeyer
Date: Tue, 23 Oct 2012 21:24:22 +0200
Subject: [PATCH] Do not accept RAs and other stuff

Fixes #396

Signed-off-by: Tim Niemeyer
---
 bsp/default/root_file_system/etc/sysctl.conf | 46 +++++++++++++++++---
 1 file changed, 40 insertions(+), 6 deletions(-)

diff --git a/bsp/default/root_file_system/etc/sysctl.conf b/bsp/default/root_file_system/etc/sysctl.conf
index 3d82b9f..37466de 100644
--- a/bsp/default/root_file_system/etc/sysctl.conf
+++ b/bsp/default/root_file_system/etc/sysctl.conf
@@ -1,24 +1,58 @@
 kernel.panic=3
 net.ipv4.conf.default.arp_ignore=1
 net.ipv4.conf.all.arp_ignore=1
-net.ipv4.ip_forward=1
-net.ipv4.icmp_echo_ignore_broadcasts=1
-net.ipv4.icmp_ignore_bogus_error_responses=1
+net.ipv4.conf.all.forwarding=0
+net.ipv4.conf.all.send_redirects=0
 net.ipv4.tcp_ecn=0
 net.ipv4.tcp_fin_timeout=30
 net.ipv4.tcp_keepalive_time=120
 net.ipv4.tcp_syncookies=1
 net.ipv4.tcp_timestamps=0
-net.core.netdev_max_backlog=30
-net.netfilter.nf_conntrack_checksum=0
 net.ipv4.netfilter.ip_conntrack_checksum=0
 net.ipv4.netfilter.ip_conntrack_max=16384
 net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3600
 net.ipv4.netfilter.ip_conntrack_udp_timeout=60
 net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
+net.core.netdev_max_backlog=30
+net.netfilter.nf_conntrack_checksum=0
+
+#Controls source route verification
+net.ipv4.conf.default.rp_filter=1
+
+#Do not accept source routing
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.icmp_echo_ignore_broadcasts=1
+net.ipv4.icmp_ignore_bogus_error_responses=1
+net.ipv4.ip_forward=0
 # net.ipv6.conf.all.forwarding=1
 # disable bridge firewalling by default
 net.bridge.bridge-nf-call-arptables=0
 net.bridge.bridge-nf-call-ip6tables=0
-net.bridge.bridge-nf-call-iptables=0
\ No newline at end of file
+net.bridge.bridge-nf-call-iptables=0
+
+net.ipv6.conf.all.accept_dad=0
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.all.accept_redirects=0
+# Number of Router Solicitations to send until assuming no routers are present.
+# This is host and not router
+net.ipv6.conf.default.router_solicitations = 0
+
+# Accept Router Preference in RA?
+net.ipv6.conf.default.accept_ra_rtr_pref = 0
+
+# Learn Prefix Information in Router Advertisement
+net.ipv6.conf.default.accept_ra_pinfo = 0
+
+# Setting controls whether the system will accept Hop Limit settings from a router advertisement
+net.ipv6.conf.default.accept_ra_defrtr = 0
+
+#router advertisements can cause the system to assign a global unicast address to an interface
+net.ipv6.conf.default.autoconf = 0
+
+#how many neighbor solicitations to send out per address?
+net.ipv6.conf.default.dad_transmits = 0
+
+# How many global unicast IPv6 addresses can be assigned to each interface?
+net.ipv6.conf.default.max_addresses = 1
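Review bot: The IPv6 hardening is split between the `all` and `default` namespaces, so whether an interface is covered depends on when it appears: `accept_ra`, `accept_dad` and `accept_redirects` are set only under `conf.all`, while the RA sub-options and `autoconf` are set only under `conf.default`. For IPv6 sysctls the `all` value does not, on many kernels, override per-interface values the way it does for IPv4, so an interface that already exists when this file is applied may keep accepting RAs; adding `net.ipv6.conf.default.accept_ra=0`, `net.ipv6.conf.default.accept_redirects=0` and `net.ipv4.conf.all.rp_filter=1` (the IPv4 reverse-path check is likewise set only under `default` here) would make the two namespaces agree. The comment above `net.ipv6.conf.default.accept_ra_defrtr` describes Hop Limit handling, but that knob controls whether a default router is learned from Router Advertisements; suggested wording `# Do not learn a default router from Router Advertisements`. Setting `accept_dad=0` and `dad_transmits=0` also switches off duplicate-address detection, which is a deliberate trade-off that deserves a one-line comment rather than an unexplained `0`.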