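# Kernel sysctl configuration file
#
# Read by sysctl(8) (sysctl -p / sysctl --system). For binary values, 0 is
# disabled, 1 is enabled. See sysctl(8), sysctl.conf(5) and the kernel's
# Documentation/networking/ip-sysctl.rst for the meaning of each key.
#
# Conventions: "key = value", one setting per line, "#" full-line comments only
# (sysctl.conf has no trailing-comment syntax; text after the value is part of
# the value).
#
# Note on net.ipv4.conf.*: the "all" value and the per-interface value are
# combined per setting (some keys take the larger of the two, some require
# both, some are on if either is set), and "default" is the template copied
# into interfaces created after this file is applied. The hardening keys below
# therefore set both "all" and "default"; interfaces that were already up when
# the file was loaded keep their own per-interface value.

# Controls the System Request debugging functionality of the kernel.
# kernel.sysrq is a bitmask: 1 enables every SysRq function. If only the keys
# described below are needed, a narrower mask limits what anyone with console
# access can trigger (bit values are listed in Documentation/admin-guide/sysrq.rst).
kernel.sysrq = 1
# If X locks, Alt-SysRq-r regains control of your keyboard by taking the console
# out of Raw mode.
# Alt-SysRq-k kills everything on the current virtual terminal.
# If the entire machine hangs, use the following:
#   Alt-SysRq-s (sync)
#   Alt-SysRq-u (unmount)
#   Alt-SysRq-b (boot)

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications. Left disabled here.
# kernel.core_uses_pid = 1

# Enables dynamic address hacking. Might help with dynamic IP addresses
# (e.g. slip, ppp, dhcp).
net.ipv4.ip_dynaddr = 1

# Disable ECN.
net.ipv4.tcp_ecn = 0

# Accept or refuse source routed packets. Accepting them is usually on by
# default but is generally considered a security risk, so they are refused
# here. A packet with a source-route option is only accepted when both "all"
# and the interface allow it, so "all" alone is enough; "default" is cleared
# as well so the intent is explicit for new interfaces.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# SYN flood protection. With SYN cookies the kernel keeps accepting new
# connections once the SYN backlog is full instead of dropping them, at the
# cost of some TCP options on those connections, so it can still give
# reasonable service during a denial of service attack. The kernel logs a
# "Possible SYN flooding" message when cookies are actually in use, which is
# worth alerting on.
net.ipv4.tcp_syncookies = 1

# Ensure the secure_redirects option is on: accept ICMP redirects only from
# gateways in the default gateway list. It is on if either "all" or the
# interface value is set. (Moot while accept_redirects is 0 below, but kept so
# the behaviour is defined if redirects are ever re-enabled.)
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1

# Ignore ICMP redirects. They are generally considered a security risk (a peer
# on the LAN can alter this host's routes) and shouldn't be needed by most
# systems using this generator. When forwarding is off, redirects are accepted
# if EITHER "all" or the interface value is set, so clearing "all" alone does
# not disable them: "default" (and any already-up interface) must be 0 too.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Don't send any redirects either. (Only use if you're not acting as a router
# that needs to send redirects.) Sending is enabled if EITHER "all" or the
# interface value is set, so "default" has to be cleared along with "all".
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Source validation by reversed path according to RFC 1812. In other words,
# did the response packet originate from the same interface through which the
# source packet was sent? It's recommended for single-homed systems and routers
# on stub networks. Since those are the configurations this firewall is
# designed to support, it is on by default. Turn it off if you use multiple
# NICs connected to the same network. The larger of the "all" and interface
# values is used.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Reassemble fragmented packets. Usually a good idea.
# NOTE(review): net.ipv4.ip_always_defrag is not present in modern kernels;
# uncommenting it would make sysctl report an unknown key. Left commented out.
# net.ipv4.ip_always_defrag = 1

# Controls IP packet forwarding. Required to enable IPv4 forwarding.
# If providing NAT/gateway/routing service then enable.
net.ipv4.ip_forward = 0

# This option allows a subnet to be firewalled with a single IP address.
# It's used to build a DMZ. Since that's not a focus of this firewall script,
# it's not enabled by default, but is included for reference.
# See: http://www.sjdjweis.com/linux/proxyarp/
# If enabled, write the value without quotes: sysctl passes the literal text
# to the kernel, so "1" (with quotes) is not a valid value.
# net.ipv4.conf.all.proxy_arp = 1

# Ignore all ICMP echo requests sent to the broadcast address. This prevents
# a number of smurf and similar DoS attacks.
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Setting this to 1 would override the previous setting and ignore ALL echo
# requests, including from the LAN. Kept at 0 so the host still answers ping.
net.ipv4.icmp_echo_ignore_all = 0

# Related to the above: suppress log noise from bogus ICMP error responses.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log packets from impossible addresses (martians). Logging is on if either
# "all" or the interface value is set. These log lines are a useful spoofing
# indicator; make sure they reach whatever collects kernel messages.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Increase TCP maximum buffer size (bytes).
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# Increase Linux autotuning TCP buffer limits.
# tcp_rmem / tcp_wmem: min, default and maximum number of BYTES per socket.
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# tcp_mem: low, pressure and high thresholds in PAGES (not bytes) for the
# whole TCP stack.
# NOTE(review): these numbers look like they were copied from a bytes-based
# guide; with 4 KiB pages 8388608 pages is 32 GiB — confirm against RAM size.
net.ipv4.tcp_mem = 8388608 8388608 16777216

# Reduce use of swap (2.6 and later kernels). Left disabled here.
# vm.swappiness = 10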