On Mon, Apr 30, 2012 at 3:48 PM, Eric Bélanger <[email protected]> wrote:
> On Mon, Apr 30, 2012 at 3:18 PM, Eric Bélanger <[email protected]> wrote:
>> On Mon, Apr 30, 2012 at 3:03 PM, Dan McGee <[email protected]> wrote:
>>> On Mon, Apr 30, 2012 at 2:00 PM, Eric Bélanger <[email protected]> wrote:
>>>> On Mon, Apr 30, 2012 at 8:34 AM, Dan McGee <[email protected]> wrote:
>>>>> On Sat, Apr 28, 2012 at 8:01 PM, Eric Bélanger <[email protected]> wrote:
>>>>>>
>>>>>> Here's a tentative sysctl.conf :
>>>>>> https://dev.archlinux.org/~eric/sysctl.conf
>>>>>> that I obtained with the help of Jan and Dave on IRC. The unuseful
>>>>>> stuff from the upstream config has been dropped and the rest has been
>>>>>> commented out. I've also cleaned the syntax.
>>>>>
>>>>>
>>>>> I'd change this comment to at least drop the silly ascii smiley face:
>>>>> # makes you vulnerable or not :-)
>>>>> and try to elaborate more, e.g.
>>>>> # if not functioning as a router, there is no need to accept
>>>>> redirects or source routes
>>>>>
>>>>> And maybe add the corresponding ipv6 settings too, since this is 2012.
>>>>
>>>> Sure. I also got an email from a user who suggested to remove them
>>>> (the accept_redirects and source_route) as well as the forwarding as
>>>> they are turned off by default. What do you think about that? I
>>>> think we can keep them. The old procps sysctl.conf has the forward
>>>> option and the redirect is probably a common option too.
>>>
>>> My kernel says otherwise about accept_redirects, at least:
>>>
>>> dmcgee@galway ~
>>> $ sudo sysctl -a | grep all.accept_redirects
>>> net.ipv4.conf.all.accept_redirects = 1
>>> net.ipv6.conf.all.accept_redirects = 1
>>>
>>> dmcgee@galway ~
>>> $ sudo sysctl -a | grep all.accept_source_route
>>> net.ipv4.conf.all.accept_source_route = 0
>>> net.ipv6.conf.all.accept_source_route = 0
>>
>> I just checked and it's the same here. Let's keep them then and I'll
>> make the changes you suggested.
>
> I've uploaded a fixed config file: https://dev.archlinux.org/~eric/sysctl.conf
>

Is that sysctl.conf fine with everyone? Does it need other changes (like the ones I suggested below)? If I don't get feedback in the next 2 days, then I'll assume it's OK and will push a procps-ng in testing with that sysctl.conf

> BTW, Should I add a net.ipv4.conf.all.forwarding option? Can it
> replace the current net.ipv4.ip_forward ?
>
> Eric
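
An added example, not part of the original thread or of the proposed sysctl.conf: a small check that reads `sysctl -a`-style output and reports which of the four keys quoted above differ from 0, so a kernel default like the `accept_redirects = 1` shown in the thread is caught rather than assumed. The function names and the expected value 0 (a host that is not functioning as a router) are assumptions of this example.

```shell
#!/bin/sh
# Added example. Keys are the four quoted in the thread; the expected value 0
# is an assumption for a host that is not functioning as a router.
WANTED="net.ipv4.conf.all.accept_redirects net.ipv6.conf.all.accept_redirects net.ipv4.conf.all.accept_source_route net.ipv6.conf.all.accept_source_route"

# The sysctl output pasted in the thread, embedded so the check runs offline.
sample_output() {
    cat <<'EOF'
net.ipv4.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
EOF
}

# Reads "key = value" lines on stdin (spaces around "=" optional) and prints
# one line for every wanted key that is absent or set to something other than 0.
audit_sysctl() {
    awk -v wanted="$WANTED" '
        BEGIN { n = split(wanted, keys, " "); FS = "[ \t]*=[ \t]*" }
        {
            # Trim surrounding whitespace; this also re-splits the fields.
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            if (NF >= 2) seen[$1] = $2
        }
        END {
            for (i = 1; i <= n; i++) {
                k = keys[i]
                if (!(k in seen)) print k " is missing"
                else if (seen[k] != "0") print k " = " seen[k] " (expected 0)"
            }
        }'
}

# Demo on the embedded sample; on a live system use:
#   sysctl -a 2>/dev/null | audit_sysctl
sample_output | audit_sysctl
```
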

