Network hardening

etc/sysctl.d/30-vpn-firewall.conf

@@ -0,0 +1,49 @@
+### Based on https://wiki.archlinux.org/index.php/Sysctl#TCP.2FIP_stack_hardening
+
+#### ipv4 networking and equivalent ipv6 parameters ####
+
+## TCP SYN cookie protection (default)
+## helps protect against SYN flood attacks
+## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
+net.ipv4.tcp_syncookies = 1
+
+## protect against tcp time-wait assassination hazards
+## drop RST packets for sockets in the time-wait state
+## (not widely supported outside of linux, but conforms to RFC)
+net.ipv4.tcp_rfc1337 = 1
+
+## sets the kernels reverse path filtering mechanism to value 1 (on)
+## will do source validation of the packet's recieved from all the interfaces on the machine
+## protects from attackers that are using ip spoofing methods to do harm
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+## tcp timestamps
+## + protect against wrapping sequence numbers (at gigabit speeds)
+## + round trip time calculation implemented in TCP
+## - causes extra overhead and allows uptime detection by scanners like nmap
+## enable @ gigabit speeds
+net.ipv4.tcp_timestamps = 0
+#net.ipv4.tcp_timestamps = 1
+
+## log martian packets
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.all.log_martians = 1
+
+## ignore echo broadcast requests to prevent being part of smurf attacks (default)
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+## ignore bogus icmp errors (default)
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+## send redirects (not a router, disable it)
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.send_redirects = 0
+
+## ICMP routing redirects (only secure)
+#net.ipv4.conf.default.secure_redirects = 1 (default)
+#net.ipv4.conf.all.secure_redirects = 1 (default)
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+net.ipv6.conf.all.accept_redirects=0