# example entries for /etc/sysctl.conf # forwarding is needed for subnet or l2tp connections net.ipv4.ip_forward = 1 # rp_filter protects against packets "appearing out of nowhere". It is not # always clear to the kernel that a packet appeared as a result of decryption. # One such case is using KLIPS or MAST IPsec stacks, as they receive on one # interface but inject the packet on another interface. Another known case is # "appendix mode" using the XFRM/NETKEY stack. Here, packets are receiving, # decrypted and sent onwards on the same single interface. (these can also cause # bad redirects, see below net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.all.rp_filter = 0 # when using 1 interface for two networks when using NETKEY, the kernel # kernel thinks it can be clever by sending a redirect (cause it cannot # tell an encrypted packet came in, but a decrypted packet came out), # so it sends a bogus ICMP redirect net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.conf.default.log_martians = 0 net.ipv4.conf.all.log_martians = 0 # seems the martian settings are not always enough. If not receiving packets # try running this: # for n in eth0 mast0 ipsec0 ipsec1 all default ; do # sysctl net.ipv4.conf.$n.rp_filter=0; # done # # these are non-ipsec specific security policies you should use net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 # When using KLIPS in some situations, you will see errors like: # [ 8648.409997] __ratelimit: 168 messages suppressed # [ 8648.410009] Neighbour table overflow. # Especially when on large cable networks, though we've also # seen it when using combinations of xen/bridging/VM's. # If you do, and you are SURE there are no routing loops, # you can try these below: # net.ipv4.neigh.default.gc_thresh1 = 1024 net.ipv4.neigh.default.gc_thresh2 = 2048 net.ipv4.neigh.default.gc_thresh3 = 4096 # for enableing core dumps, see # http://fcp.surfsite.org/modules/smartfaq/faq.php?faqid=2746