Set net.ipv4 sysctl flags via server metapackage
Instead of setting these via ansible, let's ship them in this package so
it's easier to tweak them in the future without needing future ansible
runs.

This should be safe to ship even with these values in /etc/sysctld.conf
since they're the same values for now; but we'll have the next server
version remove them from that file now that they're owned by the kernel
packaging.

Fixes <freedomofpress/securedrop#7323>.
legoktm committed Nov 1, 2024
1 parent 4f9a3dc commit feb6335
Showing 1 changed file with 15 additions and 0 deletions.
15 changes: 15 additions & 0 deletions debian/securedrop-grsec/etc/sysctl.d/30-securedrop.conf
@@ -1 +1,16 @@
vm.heap_stack_gap=1048576

net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
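
Review bot: The added net.ipv4.* block (new lines 3 to 16) has no comment recording that the same keys are still set elsewhere on the server, and that matters for ordering: a file named 30-securedrop.conf is read early in /etc/sysctl.d, while `sysctl --system` applies /etc/sysctl.conf last, so until the server package drops its copies any value tweaked here would be silently overridden by the old one. A short header comment above `net.ipv4.tcp_max_syn_backlog` stating where these settings came from and that this file becomes authoritative only after the server-side entries are removed would save the next editor from chasing a change that does not take effect. Minor style point: the existing `vm.heap_stack_gap=1048576` line has no spaces around `=` while the new lines use ` = `; both parse, but one convention per file is easier to grep and diff.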
