Source address filtering (RFC3704) can be used to mitigate source address spoofing. However, strict mode only works when routes are strictly symmetric. If routes are asymmetric, it can happen that the best route to the source address of a packet is via a different interface. Because there is no guarantee that routes have to be symmetric in the Freifunk Franken backbone network, we cannot use strict mode. Because default routes are used in the Freifunk Franken backbone, loose mode could be used, but does not make any sense. Instead, revert back to the kernel default setting, which currently is 0 (disabled). While this change affects both the layer3 and the node variant, nothing changes for the node firmware, because it does not forward packets. Fixes: #123 Signed-off-by: Fabian Bläse <fabian@blaese.de> Reviewed-by: Christian Dresel <freifunk@dresel.systems>
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.tcp_ecn=0
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.core.netdev_max_backlog=30
net.netfilter.nf_conntrack_checksum=0
#Do not accept source routing
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.ip_forward=0
net.ipv6.conf.default.accept_dad=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_dad=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.autoconf = 0
#how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 3
net.ipv6.conf.all.dad_transmits = 3
# Enable forwarding, otherwise not all local routes are examined
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=0
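Review bot: The comment above the two `accept_ra_defrtr` lines talks about accepting Hop Limit settings from a router advertisement, but `accept_ra_defrtr` controls whether a default router learned from a Router Advertisement is installed, so the comment misdescribes the setting it documents; it should read `# Do not install a default router learned from Router Advertisements`. Separately, with the rp_filter entries removed the file itself no longer records why the kernel default is kept, and that rationale lives only in the commit message; a line near the other net.ipv4 settings such as `# rp_filter intentionally left at kernel default (0): backbone routes are not guaranteed symmetric, strict mode would drop legitimate traffic (see #123)` would keep it visible to whoever later revisits anti-spoofing for the layer3 variant. This page shows the whole file rather than a hunk, so which lines the commit removed is inferred from the description rather than visible here.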