[nylug-talk] sysctl command

Jon Stanley jonstanley at gmail.com
Thu Jul 5 20:38:55 EDT 2007


On 7/5/07, Y. Ph. <philolospher at yahoo.com> wrote:

> I type the sysctl in command line, it mentioned /etc/sysctl.conf, so I opened the sysctl.conf file. Should I uncomment all the listed items in order to have more protection? Here is the list of functions in the file:
>
sysctl is a facility for manipulating various kernel tunables.  I
don't have any experience on Ubuntu; I'm a RHEL guy.  But
/etc/sysctl.conf contains lines like the below that control various
aspects of the kernel's behavior (for better or worse).  I'll go to
each of these below.

> # Uncomment the next line  to enable spoof protection (reverse-path filter)
> #net.ipv4.conf.default.rp_filter=1
This controls whether the kernel does reverse path verification.  For a
machine that only has one network interface (most workstations), it's
not very useful.  For a router, however, it's extremely useful, as it
determines that a packet coming in over an interface could in fact
really come via that interface via its routing table.

> #Uncomment the next line to enable TCP/IP SYN cookies
> #net.ipv4.tcp_syncookies=1

Syncookies are really useless these days; they are simply for
mitigating a basic SYN flood DoS attack.

> #Uncomment the next line to enable packet forwarding for IPv4
> #net.ipv4.conf.default.forwarding =1

Unless your box is a router/firewall, you explicitly DO NOT want this.
It turns your machine into a router out of its various network
interfaces.

> #Uncomment the next line to enable packet forwarding for IPv6
> #net.ipv6.conf.default.forwarding=1

Same as above, for IPv6.

>
> And, how to echo a value to a kernel process file under the /proc directory? Which is the kernel process file under the /proc directory that I need to echo?

How a sysctl from sysctl.conf is read is a directory pathname, with /
replaced by .  For example, the net.ipv4.conf.default.rp_filter=1
above could be accomplished non-persistently by doing:

# echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

However for persistent configuration, I'd put it in /etc/sysctl.conf
and run sysctl -p to re-read the file and populate the appropriate
places in the /proc filesystem.
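The key-to-path mapping and the sysctl.conf format described in this reply, as an added example that is not part of the original thread (a POSIX shell script written for this page, not anything from Jon, Ubuntu or procps). The sample configuration it audits is constructed here and mirrors the lines quoted above. The script is read-only: it converts keys to their /proc/sys pathnames (including the slash form that sysctl(8) accepts for interface names that themselves contain a dot), strips comments and whitespace the way the `sysctl -p` parser has to, and reports which running values differ from the file, which is the check you want after editing /etc/sysctl.conf and before trusting that `sysctl -p` actually took effect.

```shell
#!/bin/sh
# Added example, not code from the original thread. Maps sysctl.conf-style
# keys to /proc/sys paths, parses a sysctl.conf snippet, and audits the
# running kernel against it without writing anything.

# Convert a sysctl key to its /proc/sys pathname.
# Dotted form: every "." becomes "/".  Slash form (used when an interface
# name contains a dot, e.g. net/ipv4/conf/eth0.100/rp_filter): "/" is
# already the separator and the dots are kept literally, as sysctl(8)
# documents.
sysctl_key_to_path() {
    key=$1
    case $key in
        */*) printf '/proc/sys/%s\n' "$key" ;;
        *)   printf '/proc/sys/%s\n' "$(printf '%s' "$key" | tr . /)" ;;
    esac
}

# Normalise one sysctl.conf line: drop "#" or ";" comments and blank lines,
# trim whitespace around "=", and print "key value".  Prints nothing for a
# line that carries no active setting, so a commented-out line such as
# "#net.ipv4.tcp_syncookies=1" is correctly treated as not set.
sysctl_parse_line() {
    line=${1%%[#;]*}                           # strip trailing comment
    case $line in *=*) ;; *) return 0 ;; esac  # no key=value on this line
    key=$(printf '%s' "${line%%=*}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    val=$(printf '%s' "${line#*=}"  | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ -n "$key" ]; then
        printf '%s %s\n' "$key" "$val"
    fi
    return 0
}

# Compare each active setting in a sysctl.conf-style file with the value the
# running kernel reports under /proc/sys.  Prints OK / DRIFT / MISSING per
# key and returns 1 if any value drifted.  Nothing is written.
sysctl_audit_file() {
    conf=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        kv=$(sysctl_parse_line "$line")
        [ -n "$kv" ] || continue
        key=${kv%% *}
        want=${kv#* }
        path=$(sysctl_key_to_path "$key")
        if [ ! -r "$path" ]; then
            printf 'MISSING %s (%s not present or not readable)\n' "$key" "$path"
            continue
        fi
        # Multi-value tunables are tab separated in /proc; normalise to spaces.
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
        if [ "$have" = "$want" ]; then
            printf 'OK      %s = %s\n' "$key" "$have"
        else
            printf 'DRIFT   %s: running=%s file=%s\n' "$key" "$have" "$want"
            rc=1
        fi
    done < "$conf"
    return $rc
}

# Stand-alone demo on a constructed file mirroring the lines quoted in the
# thread (forwarding deliberately left at 0 for a non-router box).
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
cat > "$tmp" <<'EOF'
# constructed sample sysctl.conf for the audit above
net.ipv4.conf.default.rp_filter=1
#net.ipv4.tcp_syncookies=1
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.default.forwarding=0 ; not a router
EOF
sysctl_audit_file "$tmp" || echo "one or more settings differ from the file"
```

Run it as root or not; it only reads. On a machine where the file has been edited but `sysctl -p` has not been run, the DRIFT lines are exactly the settings that will change at the next boot, which is worth knowing before that boot happens.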
