Hi all.

I know this topic has already been discussed. The following kernel tunings are often reported in security books as DoS mitigators; still, I would like to know your thoughts about these kernel parameter settings:

    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
    echo 0 > /proc/sys/net/ipv4/tcp_sack
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps

Syncookies will help for sure. Does decreasing fin_timeout (from 60 to 30) and keepalive_time (from 7200 to 1800) have any real benefit? And what about turning off tcp_window_scaling and tcp_sack? Finally, I think disabling tcp_timestamps is relevant only to disable uptime detection...

As far as I can tell, all these options will only help the Linux firewall box itself and will not do anything to assist the hosts that the Linux box is being used to protect. So basically these parameters must be set on every host behind the firewall. Is this correct?

Thanks for your help, and sorry for my poor English.
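An added example, not part of the original post: since the post's last point is that these settings apply per host, this shell function compares the six values proposed above with the live values on whichever host it runs on. The function name `check_tcp_tunables` and its optional root-directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Compare the TCP settings proposed in the post with a host's live values.
# check_tcp_tunables and its optional root argument are hypothetical names
# for this example; the root defaults to the real /proc/sys tree.

# Values exactly as proposed in the post (keys are relative to net/ipv4).
PROPOSED="tcp_syncookies=1
tcp_fin_timeout=30
tcp_keepalive_time=1800
tcp_window_scaling=0
tcp_sack=0
tcp_timestamps=0"

check_tcp_tunables() {
    root="${1:-/proc/sys}"
    drift=0
    for pair in $PROPOSED; do
        key="${pair%%=*}"
        want="${pair#*=}"
        file="$root/net/ipv4/$key"
        if [ ! -r "$file" ]; then
            # Parameter absent or unreadable on this kernel: count it as drift.
            echo "MISSING  $key (wanted $want)"
            drift=$((drift + 1))
            continue
        fi
        have="$(cat "$file")"
        if [ "$have" = "$want" ]; then
            echo "OK       $key = $have"
        else
            echo "DIFFERS  $key = $have (wanted $want)"
            drift=$((drift + 1))
        fi
    done
    # Exit status is the number of parameters that differ or are missing.
    return "$drift"
}
```

Source the file and call `check_tcp_tunables` with no argument on the firewall and on each host behind it; a non-zero status means at least one value is not the one listed in the post.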