kernel hardening + sync skel on start

2025-10-30 14:23:03 +01:00 · 2025-10-30 14:23:03 +01:00 · 25f5f0bec7
commit 25f5f0bec7
parent b5de726919
4 changed files with 235 additions and 0 deletions
--- a/system_files/usr/etc/sysctl.d/98-network.conf
+++ b/system_files/usr/etc/sysctl.d/98-network.conf
@ -0,0 +1,45 @@
+net.ipv4.neigh.default.gc_thresh3 = 2048
+net.ipv4.neigh.default.gc_thresh2 = 1024
+net.ipv4.neigh.default.gc_thresh1 = 32
+net.ipv4.neigh.default.gc_interval = 30
+net.ipv4.neigh.default.proxy_qlen = 96
+net.ipv4.neigh.default.unres_qlen = 6
+
+net.ipv4.tcp_rmem = "8192 87380 16777216"
+net.ipv4.tcp_wmem = "8192 65536 16777216"
+
+net.ipv4.tcp_max_orphans = 16384
+net.ipv4.tcp_orphan_retries = 0
+
+net.ipv4.tcp_no_metrics_save = 1
+net.ipv4.tcp_moderate_rcvbuf = 1
+net.ipv4.tcp_window_scaling = 1
+
+net.ipv4.tcp_fastopen = 3
+net.ipv4.tcp_slow_start_after_idle = 0
+
+net.ipv4.tcp_syncookies = 1
+
+net.ipv4.tcp_tw_reuse=1
+net.ipv4.tcp_rfc1337=1
+net.ipv4.tcp_max_tw_buckets=1440000
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.tcp_ecn=1
+
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.icmp_echo_ignore_all=1
+net.ipv4.route.flush=1
+
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.all.disable_ipv6=1
+net.ipv6.conf.default.accept_redirects=0
+net.ipv6.conf.default.disable_ipv6=1
+net.ipv6.route.flush=1
+
+net.unix.max_dgram_qlen=50