From 6d09271d70fa528b1e546dad0d6f5d1697e5c027 Mon Sep 17 00:00:00 2001
From: ficus
Date: Fri, 23 Nov 2012 19:18:56 +0100
Subject: add IPv6 randomization and misc spoofing protections

---
 config/includes.chroot/etc/sysctl.conf | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/config/includes.chroot/etc/sysctl.conf b/config/includes.chroot/etc/sysctl.conf
index 916e972..b8460d0 100644
--- a/config/includes.chroot/etc/sysctl.conf
+++ b/config/includes.chroot/etc/sysctl.conf
@@ -3,3 +3,18 @@ vm.laptop_mode=5
 vm.swappiness=0
 vm.dirty_writeback_centisecs=1500
 vm.dirty_expire_centisecs=1500
+
+# Use randomized addresses for IPv6
+net.ipv6.conf.all.use_tempaddr=2
+net.ipv6.conf.default.use_tempaddr=2
+
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+net.ipv4.conf.all.secure_redirects = 1
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.rp_filter=1
+
-- cgit v1.2.3
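Review bot: The `net.ipv4.conf.all.secure_redirects = 1` line does not change redirect handling, because its own comment says the setting is already enabled by default, so ICMP redirects that name a known gateway are still accepted after this commit. If this image does no routing and the intent is to harden it, consider `net.ipv4.conf.all.accept_redirects=0` and `net.ipv4.conf.default.accept_redirects=0`, plus the IPv6 equivalents; with forwarding off, IPv4 honours a redirect when either value is set, so both are needed. Separately, the comment `# Uncomment the next two lines to enable Spoof protection (reverse-path filter)` is stale, since the two `rp_filter` lines below it are already active; it could read `# Enable spoof protection (strict reverse-path filter)`. Strict mode can drop replies on multi-homed or VPN setups with asymmetric routes, which is worth confirming for this image.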