## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
## See the file COPYING for copying conditions.

#### meta start
#### project Kicksecure
#### category networking and security
#### description
## TCP/IP stack hardening

## Protects against time-wait assassination.
## It drops RST packets for sockets in the time-wait state.
net.ipv4.tcp_rfc1337=1

## Disables ICMP redirect acceptance.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

## Disables ICMP redirect sending.
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

## Ignores ICMP echo requests.
net.ipv4.icmp_echo_ignore_all=1

## Enables TCP syncookies.
net.ipv4.tcp_syncookies=1

## Disables acceptance of source-routed packets.
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0

## Enables reverse path filtering to prevent IP spoofing and
## mitigate vulnerabilities such as CVE-2019-14899.
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

#### meta end