Loading...
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 | /proc/sys/net/ipv4/* Variables: ip_forward - BOOLEAN 0 - disabled (default) not 0 - enabled Forward Packets between interfaces. This variable is special, its change resets all configuration parameters to their default state (RFC1122 for hosts, RFC1812 for routers) ip_default_ttl - INTEGER default 64 ip_addrmask_agent - BOOLEAN Reply to ICMP ADDRESS MASK requests. default TRUE (router) FALSE (host) ip_bootp_agent - BOOLEAN Accept packets with source address of sort 0.b.c.d and destined to this host, broadcast or multicast. Such packets are silently ignored otherwise. default FALSE ip_no_pmtu_disc - BOOLEAN Disable Path MTU Discovery. default FALSE ip_fib_model - INTEGER 0 - (DEFAULT) Standard model. All routes are in class MAIN. 1 - default routes go to class DEFAULT. This mode should be very convenient for small ISPs making policy routing. 2 - RFC1812 compliant model. Interface routes are in class MAIN. Gateway routes are in class DEFAULT. IP Fragmentation: ipfrag_high_thresh - INTEGER Maximum memory used to reassemble IP fragments. When ipfrag_high_thresh bytes of memory is allocated for this purpose, the fragment handler will toss packets until ipfrag_low_thresh is reached. ipfrag_low_thresh - INTEGER See ipfrag_high_thresh ipfrag_time - INTEGER Time in seconds to keep an IP fragment in memory. TCP variables: tcp_syn_retries - INTEGER Number of times initial SYNs for an TCP connection attempt will be retransmitted. Should not be higher than 255. tcp_keepalive_time - INTEGER How often TCP sends out keepalive messages when keepalive is enabled. Default: 2hours. tcp_keepalive_probes - INTEGER How many keepalive probes TCP sends out, until it decides that the connection is broken. tcp_retries1 - INTEGER tcp_retries2 - INTEGER tcp_max_delay_acks - INTEGER tcp_fin_timeout - INTEGER tcp_max_ka_probes - INTEGER tcp_hoe_retransmits - INTEGER Undocumented for now. tcp_syncookies - BOOLEAN Only valid when the kernel was compiled with CONFIG_SYNCOOKIES Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common 'syn flood attack' Default: FALSE tcp_stdurg - BOOLEAN Use the Host requirements interpretation of the TCP urg pointer field. Most hosts use the older BSD interpretation, so if you turn this on Linux might not communicate correctly with them. Default: FALSE tcp_syn_taildrop - BOOLEAN tcp_max_syn_backlog - INTEGER Undocumented (work in progress) tcp_window_scaling - BOOLEAN Enable window scaling as defined in RFC1323. tcp_timestamps - BOOLEAN Enable timestamps as defined in RFC1323. tcp_sack - BOOLEAN Enable select acknowledgements. tcp_retrans_collapse - BOOLEAN Bug-to-bug compatibility with some broken printers. On retransmit try to send bigger packets to work around bugs in certain TCP stacks. ip_local_port_range - 2 INTEGERS Defines the local port range that is used by TCP and UDP to choose the local port. The first number is the first, the second the last local port number. For high-usage systems change this to 32768-61000. icmp_echo_ignore_all - BOOLEAN icmp_echo_ignore_broadcasts - BOOLEAN If either is set to true, then the kernel will ignore either all ICMP ECHO requests sent to it or just those to broadcast/multicast addresses, respectively. icmp_destunreach_rate - INTEGER icmp_paramprob_rate - INTEGER icmp_timeexceed_rate - INTEGER icmp_echoreply_rate - INTEGER (not enabled per default) Limit the maximal rates for sending ICMP packets to specifc targets. 0 to disable any limiting, otherwise the maximal rate in jiffies(1) See the source for more information. (1) Jiffie: internal timeunit for the kernel. On the i386 1/100s, on the Alpha 1/1024s. See the HZ define in /usr/include/asm/param.h for the exact value on your system. conf/interface/*: conf/all/* is special and changes the settings for all interfaces. Change special settings per interface. log_martians - BOOLEAN Log packets with impossible addresses to kernel log. accept_redirects - BOOLEAN Accept ICMP redirect messages. default TRUE (host) FALSE (router) forwarding - BOOLEAN Enable IP forwarding on this interface. mc_forwarding - BOOLEAN Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE and a multicast routing daemon is required. proxy_arp - BOOLEAN Do proxy arp. shared_media - BOOLEAN undocumented. secure_redirects - BOOLEAN Accept ICMP redirect messages only for gateways, listed in default gateway list. default TRUE redirects - BOOLEAN Send(router) or accept(host) RFC1620 shared media redirects. Overrides ip_secure_redirects. default TRUE (should be FALSE for distributed version, but I use it...) bootp_relay - BOOLEAN Accept packets with source address 0.b.c.d destined not to this host as local ones. It is supposed, that BOOTP relay deamon will catch and forward such packets. default FALSE Not Implemented Yet. accept_source_route - BOOLEAN Accept packets with SRR option. default TRUE (router) FALSE (host) rp_filter - INTEGER 2 - do source validation by reversed path, as specified in RFC1812 Recommended option for single homed hosts and stub network routers. Could cause troubles for complicated (not loop free) networks running a slow unreliable protocol (sort of RIP), or using static routes. 1 - (DEFAULT) Weaker form of RP filtering: drop all the packets that look as sourced at a directly connected interface, but were input from another interface. 0 - No source validation. NOTE: do not disable this option! All BSD derived routing software (sort of gated, routed etc. etc.) is confused by such packets, even if they are valid. When enabled it also prevents ip spoofing in some limited fashion. NOTE: this option is turned on per default only when ip_forwarding is on. For non-forwarding hosts it doesn't make much sense and makes some legal multihoming configurations impossible. Alexey Kuznetsov. kuznet@ms2.inr.ac.ru Updated by: Andi Kleen ak@muc.de $Id: ip-sysctl.txt,v 1.7 1998/05/02 12:05:00 davem Exp $ |