4285ch04.fm Draft Document for Review May 4, 2007 11:35 am
130 Linux Performance and Tuning Guidelines
sysctl -w net.ipv4.conf.lo.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.conf.all.accept_source_route=0
These commands configure the server to ignore ICMP redirects from machines that are not
listed as gateways. Redirects can be used to perform attacks, so we only want to allow them
from trusted sources:
sysctl -w net.ipv4.conf.eth0.secure_redirects=1
sysctl -w net.ipv4.conf.lo.secure_redirects=1
sysctl -w net.ipv4.conf.default.secure_redirects=1
sysctl -w net.ipv4.conf.all.secure_redirects=1
You can also decide whether an interface accepts ICMP redirects at all. An ICMP redirect
is a mechanism for routers to convey routing information to hosts. For example, a gateway
can send a redirect message to a host when the gateway receives an Internet datagram from
a host on a network to which the gateway is attached. The gateway checks its routing table
to get the address of the next gateway, and that second gateway routes the Internet
datagram to the network destination. Disable acceptance of these redirects using the
following commands:
sysctl -w net.ipv4.conf.eth0.accept_redirects=0
sysctl -w net.ipv4.conf.lo.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
If this server does not act as a router, it does not have to send redirects, so they can be
disabled:
sysctl -w net.ipv4.conf.eth0.send_redirects=0
sysctl -w net.ipv4.conf.lo.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
Configure the server to ignore broadcast pings and smurf attacks:
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
Ignore all ICMP echo requests (pings):
sysctl -w net.ipv4.icmp_echo_ignore_all=1
Some routers send invalid responses to broadcast frames, and each one generates a
warning that is logged by the kernel. These responses can be ignored:
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
We should set the ipfrag parameters, particularly for NFS and Samba servers. They set the
maximum and minimum amount of memory used to reassemble IP fragments. Once
ipfrag_high_thresh bytes of memory have been allocated for this purpose, the fragment
handler drops packets until memory use falls back to ipfrag_low_thresh.
Fragmentation occurs when there is an error during the transmission of TCP packets.
Valid packets are stored in memory (as defined with these parameters) while corrupted
packets are retransmitted.
For example, to set the range of available memory to between 256 MB and 384 MB, use:
sysctl -w net.ipv4.ipfrag_low_thresh=262144
sysctl -w net.ipv4.ipfrag_high_thresh=393216
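The sysctl -w commands in this section take effect immediately but do not survive a reboot, and on a real server the interface list rarely stops at eth0. The following audit script is an added example, not code from the Redbook: it parses a `sysctl -a` style dump (the dump embedded here is constructed, with a few distro-default values left in place), compares it with the baseline the commands above establish, emits the /etc/sysctl.conf lines needed to make the fixes persistent, and reports the ipfrag thresholds in human-readable units. The interface list and the baseline values are taken from the text; everything else is assumption for the sake of the example.

```python
"""Audit kernel ICMP/redirect and ipfrag settings against the hardening
baseline discussed above.  Added example: the sample dump is constructed,
the baseline mirrors the sysctl commands in the text."""

# Interfaces and per-interface settings exactly as the commands above set them.
INTERFACES = ("eth0", "lo", "default", "all")
PER_INTERFACE = {
    "accept_source_route": 0,   # no source-routed packets
    "secure_redirects": 1,      # redirects only from listed gateways
    "accept_redirects": 0,      # no ICMP redirects at all
    "send_redirects": 0,        # this host is not a router
}
GLOBAL = {
    "net.ipv4.icmp_echo_ignore_broadcasts": 1,
    "net.ipv4.icmp_echo_ignore_all": 1,
    "net.ipv4.icmp_ignore_bogus_error_responses": 1,
}

# Constructed `sysctl -a` excerpt: send_redirects still at the usual default
# of 1, eth0 still accepting redirects, pings still answered.
SAMPLE_DUMP = """
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.secure_redirects = 1
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ipfrag_low_thresh = 262144
net.ipv4.ipfrag_high_thresh = 393216
"""


def baseline():
    """Expand the per-interface settings into fully qualified sysctl keys."""
    want = dict(GLOBAL)
    for iface in INTERFACES:
        for name, value in PER_INTERFACE.items():
            want[f"net.ipv4.conf.{iface}.{name}"] = value
    return want


def parse_sysctl_dump(text):
    """Parse 'key = value' lines as printed by `sysctl -a`; skip blanks/comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return (key, expected, actual) for every missing or non-compliant key."""
    findings = []
    for key, want in sorted(baseline().items()):
        actual = settings.get(key)
        if actual is None or int(actual) != want:
            findings.append((key, want, actual))
    return findings


def remediation(findings):
    """sysctl.conf lines that persist the fixes across reboots."""
    return [f"{key} = {want}" for key, want, _ in findings]


def human_bytes(n):
    """Render a byte count with binary units, e.g. 262144 -> '256 KiB'."""
    value, unit = float(n), "B"
    for unit in ("B", "KiB", "MiB", "GiB"):
        if value < 1024 or unit == "GiB":
            break
        value /= 1024
    return f"{value:g} {unit}"


def check_ipfrag(settings):
    """Summarise the reassembly thresholds and confirm low < high."""
    low = int(settings["net.ipv4.ipfrag_low_thresh"])
    high = int(settings["net.ipv4.ipfrag_high_thresh"])
    return {"low": human_bytes(low), "high": human_bytes(high), "ok": 0 < low < high}


if __name__ == "__main__":
    current = parse_sysctl_dump(SAMPLE_DUMP)
    for key, want, actual in audit(current):
        print(f"NON-COMPLIANT {key}: expected {want}, found {actual}")
    print("# add to /etc/sysctl.conf:")
    print("\n".join(remediation(audit(current))))
    print("ipfrag:", check_ipfrag(current))
```

Running it against the constructed dump flags six keys (send_redirects on all four interfaces, accept_redirects on eth0, and icmp_echo_ignore_all) and prints the matching sysctl.conf lines. Two caveats the numbers make visible: the example values 262144 and 393216 are 256 KiB and 384 KiB, not megabytes, so size the thresholds deliberately rather than copying them; and icmp_echo_ignore_all=1 also silences the host for legitimate reachability monitoring, so confirm that is acceptable before applying it.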