http://support.mozilla.com/hu/kb/Firefox+Help?style_mode=inproduct kicsi világ: Kernel finomhangolás - hálózat, biztonság

péntek, augusztus 08, 2008

Kernel finomhangolás - hálózat, biztonság

(forrás:http://www.dd-wrt.com/wiki/index.php/Useful_Scripts#Small_Security_Script_.28Firewall.29)
Szerző oldala nem elérhető.


#!/bin/sh
#
# Warning! As I don't use Emule or similiar programs I can't guaranty their function.
# If you find a workable solution just add it to this wiki.
# I found testing some of the setting manually that the ipfrag settings will break emule,
# maybe some others too...
#
# Enjoy your enhanced security,
#
# St. Karitzl
# info@user1.walztech.de
# http://daywalker81.de.vu
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward
# the following two parametes will break at least emule and are way too low to make sense.
#echo 1024 > /proc/sys/net/ipv4/ipfrag_high_thresh
#echo 512 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 64000 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 48000 > /proc/sys/net/ipv4/ipfrag_low_thresh
#
echo 10 > /proc/sys/net/ipv4/ipfrag_time
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_redirects
echo 1 > /proc/sys/net/ipv4/conf/eth1/log_martians
echo 10 > /proc/sys/net/ipv4/neigh/eth1/locktime
echo 0 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 50 > /proc/sys/net/ipv4/neigh/eth1/gc_stale_time
#
# The following entries secure the last bit and provide a
# moderate protection against man-in-the-middle attacks.
#
echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth1/secure_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 5 > /proc/sys/net/ipv4/igmp_max_memberships
echo 2 > /proc/sys/net/ipv4/igmp_max_msf
echo 1024 > /proc/sys/net/ipv4/tcp_max_orphans
echo 2 > /proc/sys/net/ipv4/tcp_syn_retries
echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/route/redirect_number
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 61 > /proc/sys/net/ipv4/ip_default_ttl
# DoS protection by tweaking the timeouts
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
# Check network overload (explicit congestion notification)
echo 1 > /proc/sys/net/ipv4/tcp_ecn
# Change port range for outgoing traffic
# ez nem tudom mi
echo "30000 60000" > /proc/sys/net/ipv4/ip_local_port_range
# Change default queue size
# Modified for DD-WRT because of missing proc entries
echo 4096 > /proc/sys/net/ipv4/ip_conntrack_max

Nincsenek megjegyzések: