ufw

Merge lp:~lool/ufw/sysctl-default-before-all into lp:~jdstrand/ufw/trunk

Proposed by Loïc Minier
Status: Merged
Merge reported by: Jamie Strandboge
Merged at revision: not available
Proposed branch: lp:~lool/ufw/sysctl-default-before-all
Merge into: lp:~jdstrand/ufw/trunk
Diff against target: 41 lines (+6/-6)
1 file modified
conf/sysctl.conf (+6/-6)
To merge this branch: bzr merge lp:~lool/ufw/sysctl-default-before-all
Reviewer: Jamie Strandboge
Review status: Approve
Review via email: mp+17812@code.launchpad.net
Loïc Minier (lool) wrote :

This is a nitpick, but I'm used to setting "default" values in /proc before setting "all" because in theory an interface could be created between the two sets. I did not actually check whether sysctl can commit all values atomically, or whether it processes values in the order or reverse order of the config file.
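
A check for the ordering described in the comment above, as an added example that is not part of the merge proposal or of ufw: it flags any `conf/all/<setting>` line that is not preceded by the matching `conf/default/<setting>` line. The function name `find_ordering_issues` and the sample input are constructed for illustration, and the check only has meaning if the settings are applied in file order, which the comment says was not verified.

```python
import re

# Constructed sample in the slash-separated key style of conf/sysctl.conf.
SAMPLE = """\
# Source address verification
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/default/rp_filter=1

net/ipv6/conf/default/accept_redirects=0
net/ipv6/conf/all/accept_redirects=0
net/ipv4/conf/all/log_martians=0
net/ipv4/icmp_echo_ignore_broadcasts=1
"""

# net/<family>/conf/<all|default>/<setting>, with "/" or "." as separator.
KEY_RE = re.compile(r"^net[/.](ipv[46])[/.]conf[/.](all|default)[/.]([\w-]+)$")


def find_ordering_issues(text):
    """Return [(line_no, message)] for 'all' keys not preceded by 'default'."""
    first_seen = {}  # (family, setting, scope) -> first line number
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, comments ("#" or ";") and anything that is not key=value.
        if not line or line[0] in "#;" or "=" not in line:
            continue
        match = KEY_RE.match(line.split("=", 1)[0].strip())
        if match:
            family, scope, setting = match.groups()
            first_seen.setdefault((family, setting, scope), line_no)

    issues = []
    for (family, setting, scope), all_line in first_seen.items():
        if scope != "all":
            continue
        default_line = first_seen.get((family, setting, "default"))
        name = f"{family}/{setting}"
        if default_line is None:
            issues.append((all_line, f"{name}: 'all' is set but 'default' is not"))
        elif default_line > all_line:
            issues.append((all_line, f"{name}: 'all' precedes 'default' "
                                     f"(line {default_line})"))
    return sorted(issues)


if __name__ == "__main__":
    for line_no, message in find_ordering_issues(SAMPLE):
        print(f"line {line_no}: {message}")
```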

Jamie Strandboge (jdstrand) wrote :

Thanks!

review: Approve

Preview Diff

1=== modified file 'conf/sysctl.conf'
2--- conf/sysctl.conf 2009-02-02 23:17:03 +0000
3+++ conf/sysctl.conf 2010-01-21 13:08:12 +0000
4@@ -10,22 +10,22 @@
5
6 # Turn on Source Address Verification in all interfaces to prevent some
7 # spoofing attacks
8+net/ipv4/conf/default/rp_filter=1
9 net/ipv4/conf/all/rp_filter=1
10-net/ipv4/conf/default/rp_filter=1
11
12 # Do not accept IP source route packets (we are not a router)
13+net/ipv4/conf/default/accept_source_route=0
14 net/ipv4/conf/all/accept_source_route=0
15-net/ipv4/conf/default/accept_source_route=0
16+net/ipv6/conf/default/accept_source_route=0
17 net/ipv6/conf/all/accept_source_route=0
18-net/ipv6/conf/default/accept_source_route=0
19
20 # Disable ICMP redirects. ICMP redirects are rarely used but can be used in
21 # MITM (man-in-the-middle) attacks. Disabling ICMP may disrupt legitimate
22 # traffic to those sites.
23+net/ipv4/conf/default/accept_redirects=0
24 net/ipv4/conf/all/accept_redirects=0
25-net/ipv4/conf/default/accept_redirects=0
26+net/ipv6/conf/default/accept_redirects=0
27 net/ipv6/conf/all/accept_redirects=0
28-net/ipv6/conf/default/accept_redirects=0
29
30 # Ignore bogus ICMP errors
31 net/ipv4/icmp_echo_ignore_broadcasts=1
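Review bot: The reordered default/all pairs (rp_filter, accept_source_route, accept_redirects) carry no comment saying that the order is deliberate, so a later edit could put the "all" line first again without anyone noticing. Suggest one line near the top of this block such as "# Set conf/default before conf/all so an interface created in between still gets the value". The unchanged comment "Turn on Source Address Verification in all interfaces" also now sits directly above a "default" line, so it may be worth rewording it to mention both.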
32@@ -33,8 +33,8 @@
33 net/ipv4/icmp_echo_ignore_all=0
34
35 # Don't log Martian Packets (impossible packets)
36+net/ipv4/conf/default/log_martians=0
37 net/ipv4/conf/all/log_martians=0
38-net/ipv4/conf/default/log_martians=0
39
40 # Change to '1' to enable TCP/IP SYN cookies This disables TCP Window Scaling
41 # (http://lkml.org/lkml/2008/2/5/167)
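Review bot: The log_martians swap at new lines 36-37 rests on the same assumption as the earlier hunk, that the file is applied top to bottom, and the proposal says this was not checked. Please confirm how the settings are loaded (file order, reverse order, or all at once) and record the result in the commit message; if file order is not preserved, this swap has no effect.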
