Parameters of the kernel can be changed (by root) by editing
the writable files under
(Not all files are writable, some just report information from
A typical action looks like this:
    # cd /proc/sys/net/ipv4
    # cat ip_forward
    0
    # echo 1 > ip_forward
    #
The above commands show that the kernel was not acting as a router, but now it is.
On some Unixes you put these sorts of echo commands in
some bootup script such as
However Linux has a neat way to manage these, from the
You can edit this file to change settings at boot time.
You can also run the "sysctl" command to make
changes or to examine the settings.
In this file you can have blank lines, comments
(lines starting with "#" are comments), and
lines of the form:
parameter = value
parameter is the absolute pathname
of the file to change, minus a leading
and with slashes ("/") changed to periods
For example, the change shown above to enable routing (packet forwarding)
would look like this in the
    # Turn on IP packet forwarding:
    net.ipv4.ip_forward = 1
Some of the security parameters of the Linux 2.6 kernel are shown below,
in a sample sysctl.conf snippet I copied
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 0

    # Controls the use of TCP syncookies
    net.ipv4.tcp_syncookies = 1

    # Disables replies to broadcast ICMP echo (ping), to
    # prevent a common DoS attack:
    net.ipv4.icmp_echo_ignore_broadcasts = 1

    # Disable all source routing and ICMP redirects:
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv4.conf.eth0.accept_source_route = 0
    net.ipv4.conf.lo.accept_source_route = 0
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.eth0.accept_redirects = 0
    net.ipv4.conf.lo.accept_redirects = 0

    # Enable (basic) source IP address verification:
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.eth0.rp_filter = 1
    net.ipv4.conf.lo.rp_filter = 1
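
A small audit script for the file format described above, added here as an example and not taken from the original notes: it parses "parameter = value" lines, maps each parameter to its file under /proc/sys, and reports every setting whose running value differs from the configured one. The function names and the SAMPLE text are assumptions made for the illustration.

```python
import os

PROC_SYS = "/proc/sys"  # tree used in the "cd /proc/sys/net/ipv4" step above

def key_to_path(key, root=PROC_SYS):
    """net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward"""
    # Assumes no dots inside a component (true for eth0, lo, all, default).
    return os.path.join(root, *key.split("."))

def parse_conf(text):
    """Yield (parameter, value) pairs from sysctl.conf-style text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'parameter = value'")
        yield key.strip(), value.strip()

def read_live(key):
    """Value the running kernel reports, or None if it cannot be read."""
    try:
        with open(key_to_path(key)) as f:
            return " ".join(f.read().split())
    except OSError:
        return None

def audit(text, read=read_live):
    """Return (parameter, configured, running) for each setting that differs."""
    drift = []
    for key, wanted in parse_conf(text):
        live = read(key)
        if live != " ".join(wanted.split()):
            drift.append((key, wanted, live))
    return drift

# Constructed sample built from settings shown on this page.
SAMPLE = """\
# Controls IP packet forwarding
net.ipv4.ip_forward = 0

net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
"""

if __name__ == "__main__":
    for key, wanted, live in audit(SAMPLE):
        print(f"{key}: configured {wanted}, running {live}")
```

A parameter reported with a running value of None has no readable file under /proc/sys on this kernel, which is worth checking for a misspelled name in the configuration.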