
Untitled

a guest
Apr 25th, 2015
  # /etc/sysctl.d/90-firewall.conf
  #
  # Kernel network hardening for a host that does not route traffic.
  # Files in /etc/sysctl.d are applied in lexical order, so a later file can
  # override these values. After loading (for example `sysctl --system`),
  # confirm the effective values with `sysctl <key>`.
  # NOTE(review): how conf.all and conf.default combine with per-interface
  # values differs from key to key and between IPv4 and IPv6; conf.default
  # seeds interfaces created later. Check interfaces that already exist.

  # Reverse-path filtering (source address verification), strict mode.
  # Packets whose source address is not reachable through the interface they
  # arrived on are dropped, which stops some spoofing. Hosts with asymmetric
  # routing or several uplinks can lose legitimate traffic in strict mode.
  net.ipv4.conf.all.rp_filter = 1

  # SYN-flood handling: SYN cookies are enabled, and the half-open connection
  # queue size and the SYN-ACK / SYN retransmission counts are set explicitly.
  net.ipv4.tcp_syncookies = 1
  net.ipv4.tcp_max_syn_backlog = 2048
  net.ipv4.tcp_synack_retries = 2
  net.ipv4.tcp_syn_retries = 5

  # Do not accept ICMP redirects. A forged redirect can steer this host's
  # traffic through another machine (MITM).
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv6.conf.all.accept_redirects = 0
  net.ipv6.conf.default.accept_redirects = 0

  # Do not send ICMP redirects (this host is not a router).
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0

  # Do not accept source-routed packets (this host is not a router).
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv4.conf.default.accept_source_route = 0
  net.ipv6.conf.all.accept_source_route = 0
  net.ipv6.conf.default.accept_source_route = 0

  # Write martian packets (impossible addresses) to the kernel log.
  # Watch log volume on hosts that face untrusted networks.
  net.ipv4.conf.all.log_martians = 1

  # Suppress kernel warnings about bogus ICMP error responses to broadcast
  # frames, which would otherwise clutter the log.
  net.ipv4.icmp_ignore_bogus_error_responses = 1

  # Ignore ICMP echo requests sent to broadcast or multicast addresses, so
  # the host cannot be used to amplify a smurf-style flood.
  net.ipv4.icmp_echo_ignore_broadcasts = 1

  # Ignoring every ICMP echo request is left disabled: it also breaks
  # ping-based monitoring and troubleshooting. Uncomment to enable.
  #net.ipv4.icmp_echo_ignore_all = 1