
Merge pull request #55 from freedomofpress/sysctl-ipv4
Set net.ipv4 sysctl flags via server metapackage
zenmonkeykstop authored Nov 5, 2024
2 parents 4f9a3dc + ee519c8 commit 06b8b38
Showing 2 changed files with 24 additions and 0 deletions.
9 changes: 9 additions & 0 deletions debian/securedrop-grsec/DEBIAN/postinst
Expand Up @@ -42,12 +42,21 @@ start_paxctld() {
sleep 1
}

cleanup_sysctld() {
# Remove settings previously set by ansible that are now set via
# our sysctl.d/30-securedrop.conf file
sed -i '/^vm\.heap_stack_gap/d' /etc/sysctld.conf
sed -i '/^net\.ipv4\./d' /etc/sysctld.conf
}

case "$1" in
configure)
# Configure paxctld, required before update-grub runs
start_paxctld
# Ensure latest grsec kernel is used on every boot.
set_grub_default
# Remove sysctld configuration
cleanup_sysctld
;;

abort-upgrade|abort-remove|abort-deconfigure)
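Review bot: `sed -i` in cleanup_sysctld exits non-zero when `/etc/sysctld.conf` is absent, so on a host that never had the ansible-managed file the configure step would fail if the script runs under `set -e` (not visible here); guard it with `[ -f /etc/sysctld.conf ] || return 0` before the two sed calls. Deleting the old lines does not apply the values in `sysctl.d/30-securedrop.conf` to the running kernel, so the hardening only takes effect at the next boot unless the postinst also runs `sysctl --system` after cleanup. The path `/etc/sysctld.conf` (rather than `/etc/sysctl.conf`) and the broad `/^net\.ipv4\./d` pattern, which drops every net.ipv4 line whether or not the new file sets it, are presumably intentional but deserve a one-line comment saying so. The `case "$1"` block continues outside the hunk.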
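--- a/debian/securedrop-grsec/etc/sysctl.d/30-securedrop.conf
+++ b/debian/securedrop-grsec/etc/sysctl.d/30-securedrop.conf
@@ -1 +1,16 @@
 vm.heap_stack_gap=1048576
+
+net.ipv4.tcp_max_syn_backlog = 4096
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.ip_forward = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0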
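Review bot: The new file carries no header comment saying what these keys are for or that the securedrop-grsec postinst strips the same keys from the ansible-managed file, and the added lines use `key = value` while the existing `vm.heap_stack_gap=1048576` uses no spaces; pick one form. A header such as `# Network hardening for SecureDrop servers; these keys were previously set by ansible and are removed from /etc/sysctld.conf by the securedrop-grsec postinst` would give the next maintainer the context. Only IPv4 keys are set here, so the IPv6 counterparts (`net.ipv6.conf.all.accept_redirects`, `net.ipv6.conf.all.accept_source_route`) presumably stay at kernel defaults unless another drop-in covers them; worth confirming. Adding `net.ipv4.conf.all.log_martians = 1` would make rp_filter drops visible in the kernel log, which helps when verifying the rule set after deployment.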
