On Mon, Apr 30, 2012 at 3:03 PM, Dan McGee <[email protected]> wrote:
> On Mon, Apr 30, 2012 at 2:00 PM, Eric Bélanger <[email protected]> wrote:
>> On Mon, Apr 30, 2012 at 8:34 AM, Dan McGee <[email protected]> wrote:
>>> On Sat, Apr 28, 2012 at 8:01 PM, Eric Bélanger <[email protected]> wrote:
>>>>
>>>> Here's a tentative sysctl.conf:
>>>> https://dev.archlinux.org/~eric/sysctl.conf
>>>> that I obtained with the help of Jan and Dave on IRC. The unuseful
>>>> stuff from the upstream config has been dropped and the rest has been
>>>> commented out. I've also cleaned the syntax.
>>>
>>> I'd change this comment to at least drop the silly ascii smiley face:
>>> # makes you vulnerable or not :-)
>>> and try to elaborate more, e.g.
>>> # if not functioning as a router, there is no need to accept
>>> redirects or source routes
>>>
>>> And maybe add the corresponding ipv6 settings too, since this is 2012.
>>
>> Sure. I also got an email from a user who suggested to remove them
>> (the accept_redirects and source_route) as well as the forwarding as
>> they are turned off by default. What do you think about that? I
>> think we can keep them. The old procps sysctl.conf has the forward
>> option and the redirect is probably a common option too.
>
> My kernel says otherwise about accept_redirects, at least:
>
> dmcgee@galway ~
> $ sudo sysctl -a | grep all.accept_redirects
> net.ipv4.conf.all.accept_redirects = 1
> net.ipv6.conf.all.accept_redirects = 1
>
> dmcgee@galway ~
> $ sudo sysctl -a | grep all.accept_source_route
> net.ipv4.conf.all.accept_source_route = 0
> net.ipv6.conf.all.accept_source_route = 0
I just checked and it's the same here. Let's keep them then and I'll make the changes you suggested.
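The check Dan ran by hand above (comparing what the running kernel actually has against what the sysctl.conf is meant to set), as an added example that is not part of the thread and not Eric's sysctl.conf: the hardened fragment, the sample dump and the audit function are all constructed here, with both the IPv4 and IPv6 keys and the reworded comment Dan suggested.

```shell
#!/bin/sh
# Added example: audit a `sysctl -a`-style dump against a hardened sysctl.conf
# fragment for a host that is not a router. Constructed, not the thread's file.
HARDENED_CONF='# If not functioning as a router, there is no need to accept
# redirects or source routes, nor to forward packets.
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0'

# Constructed sample dump mirroring Dan's output: redirects still accepted,
# source routing and forwarding already off.
SAMPLE_DUMP='net.ipv4.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0'

# audit_sysctl DUMP: for every "key = value" line in HARDENED_CONF (comments
# skipped), look the key up in DUMP and print one line per missing or
# mismatching setting. Prints nothing when the dump already matches.
audit_sysctl() {
    dump=$1
    printf '%s\n' "$HARDENED_CONF" | awk '$1 !~ /^#/ && NF >= 3 { print $1, $3 }' |
    while read -r key want; do
        have=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $3 }')
        if [ -z "$have" ]; then
            printf '%s missing expected=%s\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s current=%s expected=%s\n' "$key" "$have" "$want"
        fi
    done
}

# sysctl_hardened DUMP: exit status 0 if nothing is reported, 1 otherwise.
sysctl_hardened() {
    [ -z "$(audit_sysctl "$1")" ]
}

# Run against the constructed sample; on a live box use "$(sysctl -a 2>/dev/null)".
audit_sysctl "$SAMPLE_DUMP"
```

The sample reports exactly the two accept_redirects keys, which is what Dan's kernel showed.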

