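# /etc/sysctl.d/20-net-related.conf - System control for the network.
#
# Values: [0] disable, [1] enable (unless a key documents more values below).
# sysctl.d files take full-line comments only; a trailing comment after a
# value is not supported, so every note sits on its own line.
# Apply with `sysctl --system`; verify a key with `sysctl <key>`.

# Forward packets between interfaces.
#
# This variable is special: changing it resets all configuration
# parameters to their default state (RFC1122 for hosts, RFC1812
# for routers).
# Leave at 0 unless this host is meant to route traffic.
net.ipv4.ip_forward = 0

# Reverse path filter.
#
# 0 - No source validation.
# 1 - Strict mode as defined in RFC3704 Strict Reverse Path.
#     Each incoming packet is tested against the FIB and if the interface
#     is not the best reverse path the packet check will fail.
#     By default failed packets are discarded.
# 2 - Loose mode as defined in RFC3704 Loose Reverse Path.
#     Each incoming packet's source address is also tested against the FIB
#     and if the source address is not reachable via any interface
#     the packet check will fail.
#
# Current recommended practice in RFC3704 is to enable strict mode
# to prevent IP spoofing from DDoS attacks. If using asymmetric routing
# or other complicated routing, then loose mode is recommended.
#
# For source validation on an interface the kernel uses the maximum of
# conf/all/rp_filter and conf/<interface>/rp_filter. "all = 1" is therefore
# a floor, not a cap: an interface explicitly set to 2 is still validated
# in loose mode. Check per-interface values when auditing.
net.ipv4.conf.all.rp_filter = 1

# If set to 1, the kernel ignores ICMP ECHO and TIMESTAMP requests sent to
# it via broadcast/multicast. This keeps the host from answering the
# broadcast pings that a "smurf" attack relies on.
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Only valid when the kernel was compiled with CONFIG_SYNCOOKIES.
# Send out syncookies when the SYN backlog queue of a socket
# overflows. This is to prevent against the common
# "SYN flood attack".
# Syncookies are a fallback for an overflowing backlog, not a substitute
# for sizing the backlog to the legitimate connection rate.
net.ipv4.tcp_syncookies = 1

# Enable timestamps as defined in RFC1323.
# On current kernels, 1 also applies a random per-connection offset and
# 2 enables timestamps without that offset; keep 1 so the timestamp does
# not reveal the system clock/uptime.
net.ipv4.tcp_timestamps = 1

# Log packets with impossible addresses to the kernel log.
# Logging for an interface is enabled if either conf/all/log_martians or
# conf/<interface>/log_martians is set, so this turns it on everywhere.
net.ipv4.conf.all.log_martians = 1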