> The following kernel tunes are often reported in security books like
> DoS mitigators, still I would like to know your mind about these
> kernel parameter settings:
>
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
> echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
> echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
> echo 0 > /proc/sys/net/ipv4/tcp_sack
> echo 0 > /proc/sys/net/ipv4/tcp_timestamps
>
> Syncookies will help for sure. Does decreasing fin_timeout (from 60 to 30)
> and keepalive_time (from 7200 to 1800) have any real benefits?
> And what about turning off tcp_window_scaling and tcp_sack?
> Finally I think disabling tcp_timestamps is relevant only to disable
> uptime detection...
>
> As far as I can tell, all these options will only help the Linux
> firewall box itself and will not do anything to assist the hosts that the
> Linux box is being used to protect.
>
> So basically these parameters must be set on every host behind the
> firewall. Is this correct?

Anyone? Thanks

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
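An added example, not part of the thread: a POSIX shell audit that compares a host's live /proc/sys/net/ipv4 values against the six settings quoted above, reports any that differ or are missing, and prints the same settings in sysctl.conf form so they survive a reboot. The directory argument is an assumption of this script (it lets the check run against a copied /proc tree); keep in mind that turning off tcp_window_scaling, tcp_sack and tcp_timestamps costs throughput on fast or lossy links and disables PAWS, so it is a trade-off rather than free hardening.

```shell
#!/bin/sh
# Added example (not from the thread): audit the TCP sysctls discussed
# above against the suggested values and report any that differ.

# name=value pairs exactly as quoted in the question
TUNING="tcp_syncookies=1
tcp_fin_timeout=30
tcp_keepalive_time=1800
tcp_window_scaling=0
tcp_sack=0
tcp_timestamps=0"

# Print one line per parameter ("ok", "differs" or "missing").
# $1 is the directory to read (assumed parameter; defaults to the live
# /proc tree). Returns 0 when every parameter matches, 1 otherwise.
audit_tcp_sysctls() {
    dir="${1:-/proc/sys/net/ipv4}"
    rc=0
    for pair in $TUNING; do
        key="${pair%%=*}"
        want="${pair#*=}"
        if [ ! -r "$dir/$key" ]; then
            echo "missing $key"
            rc=1
            continue
        fi
        have=$(cat "$dir/$key")
        if [ "$have" = "$want" ]; then
            echo "ok      $key=$have"
        else
            echo "differs $key=$have (suggested $want)"
            rc=1
        fi
    done
    return $rc
}

# Emit the same settings as sysctl.conf lines (dotted keys, not paths).
print_sysctl_conf() {
    for pair in $TUNING; do
        echo "net.ipv4.${pair%%=*} = ${pair#*=}"
    done
}

# Usage: sh tcp_audit.sh --run [/path/to/proc/sys/net/ipv4]
case "${1:-}" in
    --run) audit_tcp_sysctls "${2:-}" ;;
esac
```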