authorficus <ficus@robocracy.org>2012-11-23 19:18:56 +0100
committerficus <ficus@robocracy.org>2012-11-23 19:18:56 +0100
commit6d09271d70fa528b1e546dad0d6f5d1697e5c027 (patch)
tree3c13bef864c736a4db6f3bf4ae26fc0560aabc85
parent2c2bfbecdb58042acb89fa4b2831d56a534c908a (diff)
downloadtorouter-live-6d09271d70fa528b1e546dad0d6f5d1697e5c027.tar.gz
torouter-live-6d09271d70fa528b1e546dad0d6f5d1697e5c027.zip
add IPv6 randomization and misc spoofing protections
-rw-r--r--config/includes.chroot/etc/sysctl.conf15
1 files changed, 15 insertions, 0 deletions
diff --git a/config/includes.chroot/etc/sysctl.conf b/config/includes.chroot/etc/sysctl.conf
index 916e972..b8460d0 100644
--- a/config/includes.chroot/etc/sysctl.conf
+++ b/config/includes.chroot/etc/sysctl.conf
@@ -3,3 +3,18 @@ vm.laptop_mode=5
vm.swappiness=0
vm.dirty_writeback_centisecs=1500
vm.dirty_expire_centisecs=1500
+
+# Use randomized addresses for IPv6
+net.ipv6.conf.all.use_tempaddr=2
+net.ipv6.conf.default.use_tempaddr=2
+
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+net.ipv4.conf.all.secure_redirects = 1
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.rp_filter=1
+
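Review bot: `net.ipv4.conf.all.secure_redirects = 1` is, as the comment itself notes, the kernel default, and it only has any effect while ICMP redirects are accepted at all; for the spoofing protection this commit is after, the stronger and usual setting is to refuse redirects outright with `net.ipv4.conf.all.accept_redirects=0` and `net.ipv4.conf.default.accept_redirects=0` (and, on a box that forwards traffic, `net.ipv4.conf.all.send_redirects=0`), with the IPv6 counterparts if that stack is meant to be covered. The comment "Uncomment the next two lines to enable Spoof protection" is stale because the two rp_filter lines below it are already uncommented; it should be dropped or reworded to say the filter is enabled. Note that rp_filter=1 is strict mode, which may drop legitimate traffic on a forwarding host with asymmetric routes, so it is worth confirming that is intended for this router image. Minor style point: the secure_redirects line uses ` = ` while every other key in the file uses `=` with no spaces.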