Hi.
I have been using the following changes to some network parameters on all of my machines for a long time, and I was wondering whether they ought to be set by default.
net.ipv4.conf.all.rp_filter (current: 0, proposed: 1)
net.ipv4.conf.all.accept_redirects (current: 1, proposed: 0)
net.ipv4.icmp_echo_ignore_broadcasts (current: 0, proposed: 1)
net.ipv4.icmp_ignore_bogus_error_responses (current: 0, proposed: 1)
While I admit that the current values can serve a certain use in some situations, I think that in the majority of configurations the proposed values are more sensible.
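A small POSIX shell audit for the four parameters proposed above, added here as an example and not part of the thread: it compares each key's live value under /proc/sys with the proposed value and reports drift. SYSCTL_ROOT, audit_sysctls and proposed_sysctl_conf are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example: audit the four sysctls from the thread against the proposed values.
# Key=proposed pairs taken from the message above.
PROPOSED="net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.all.accept_redirects=0 net.ipv4.icmp_echo_ignore_broadcasts=1 net.ipv4.icmp_ignore_bogus_error_responses=1"

# Map a dotted sysctl key to its file under /proc/sys (SYSCTL_ROOT overrides the
# root so the audit can be run against a copied tree; hypothetical variable).
sysctl_path() {
    printf '%s/%s\n' "${SYSCTL_ROOT:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

# Print the current value of a key, or "unreadable" if the file is not there.
current_value() {
    path=$(sysctl_path "$1")
    if [ -r "$path" ]; then cat "$path"; else printf 'unreadable\n'; fi
}

# Print one line per parameter whose current value differs from the proposal.
# Returns 0 when every value already matches, 1 when at least one differs.
audit_sysctls() {
    mismatches=0
    for entry in $PROPOSED; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(current_value "$key")
        if [ "$have" != "$want" ]; then
            printf '%s current=%s proposed=%s\n' "$key" "$have" "$want"
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$mismatches" -eq 0 ]
}

# Emit the proposed values in /etc/sysctl.conf syntax, one "key = value" per line.
proposed_sysctl_conf() {
    for entry in $PROPOSED; do
        printf '%s = %s\n' "${entry%%=*}" "${entry#*=}"
    done
}
```

Run `audit_sysctls` on a live host, or point SYSCTL_ROOT at a copied /proc/sys tree to check a saved snapshot.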
Hi.
Ralf Ertzinger fedora-devel@camperquake.de wrote:
> net.ipv4.conf.all.rp_filter (current: 0, proposed: 1)
This already has the proposed value, sorry for that.
On Mon, 29 Nov 2004 12:40:14 +0100, Ralf Ertzinger wrote:
> net.ipv4.conf.all.rp_filter (current: 0, proposed: 1)
1 is already the default in /etc/sysctl.conf although it's set as net.ipv4.conf.default.rp_filter which should be the right way, as far as I know. sysctl.conf is part of the "initscripts" package.
> net.ipv4.conf.all.accept_redirects (current: 1, proposed: 0)
I don't have an opinion on this one, so for me, it's OK to use the kernel's default value.
> net.ipv4.icmp_echo_ignore_broadcasts (current: 0, proposed: 1)
I actually find it useful that ping broadcasts are allowed, to be able to quickly see which hosts are up.
> net.ipv4.icmp_ignore_bogus_error_responses (current: 0, proposed: 1)
No opinion.
On Mon, Nov 29, 2004 at 12:51:22PM +0100, Troels Arvin wrote:
> net.ipv4.icmp_echo_ignore_broadcasts (current: 0, proposed: 1)
> I actually find it useful that ping broadcasts are allowed, to be able to quickly see which hosts are up.
It can get used as a DDoS amplifier, however, so in general it's only safe if it is behind a firewall.
On Mon, 29 Nov 2004, Ralf Ertzinger wrote:
> Hi.
> net.ipv4.conf.all.accept_redirects (current: 1, proposed: 0)
This will break on networks with logical subnets.
regards,