Turning Kernel Network Parameters
Configure kernel variables to improve network security. Some changes might cause a system to not strictly comply with relevant RFCs and might require testing before being placed on production systems.
Configure kernel variables by performing the following tasks:
- "Configure IP Forwarding"
- "Disable Source Routing"
- "Ignore Broadcast ICMP ECHO Packets"
- "Log Invalid Addresses"
- "Configure ICMP Redirect Messages"
- "Use Source Route Verification"
- "Disable Protocol Stacks"
For more information about IP forwarding, source routing, broadcast ICMP ECHO packets, and source route verification, refer to the detailed descriptions in the Sun BluePrint OnLine article titled "Solaris Operating Environment Network Settings for Security: Updated for Solaris 9 Operating Environment."
Configure IP Forwarding
During startup, the /etc/sysctl.conf file is read by the sysctl command. This file contains settings for kernel parameters.
You can disable or enable IP Forwarding by assigning net.ipv4.ip_forward to the kernel parameter. Assigning a 0 disables and assigning a 1 enables forwarding. Be aware of the following:
Assigning a 0 resets all IPv4-related variables to conform with RFC 1122 (requirements for Internet hostscommunication layers).
Assigning a 1 resets all variables to conform with RFC 1812 (requirements for IP version 4 routers).
It is important to set this kernel parameter first, before changing any other related parameters.
To Disable or Enable IP Forwarding
To disable IP forwarding, set the parameter in the /etc/sysctl.conf file as follows:
net.ipv4.ip_forward = 0
To enable IP Forwarding, set the parameter in the /etc/sysctl.conf file as follows.
net.ipv4.ip_forward = 1
Disable Source Routing
Source routing has been used in attacks, and legitimate uses of source routing are few. It is a good idea to discard all packets that use source routing, unless you have a specific need for them.
To Disable Source Routing
Add the following lines to the /etc/sysctl.conf file:
net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.accept_source_route = 0
The first line disables source routing on all current interfaces. The second line provides a default for any new interfaces that might be configured later.
Ignore Broadcast ICMP ECHO Packets
Many operating systems respond to ICMP ECHO (ping) packets that are sent to the network broadcast address. This behavior has been used to mount denial-of-service attacks by causing all hosts on a network segment to send ICMP REPLY packets to a host under attack. Our advice is to disable this behavior.
To Disable Echo Broadcasts
Add the following line to the /etc/sysctl.conf file:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Log Invalid Addresses
When a kernel receives packets with obviously invalid addresses, they are discarded.
To Log Invalid Addresses
Add the following two lines to the /etc/sysctl.conf file.
net.ipv4.conf.default.log_martians = 1 net.ipv4.conf.all.log_martians = 1
Configure ICMP Redirect Messages
ICMP redirect messages are used by network gateways to inform a host sending data to forward packets to a different gateway. If a Sun Linux system is not configured to act as a gateway, that is the net.ipv4.ip_forward parameter is set to 0, then the system should never need to send ICMP redirect messages.
To configure the system to never send ICMP redirect messages, add the following line to the /etc/sysctl.conf file.
net.ipv4.send_redirects = 0
Similarly, if you only have one gateway on the network to which the host is attached, then it is safe to ignore any incoming ICMP redirect messages. These messages could not be generated in such a case, because there is only one path out of the network.
An attacker can forge redirect messages to install bogus routes. This action might initiate a denial of service attack if a newly specified router is not a router at all. Similarly, this technique could be used to force network packets to be routed through an attacker's machine, where the packets could be inspected, captured, or modified. Although there are rules governing valid ICMP redirect messages, all of them can be easily spoofed.
If possible, configure the system to ignore ICMP redirect messages by adding the following line to the /etc/sysctl.conf file.
net.ipv4.accept_redirects = 0"
Use Source Route Verification
The Sun Linux source route verification mechanism verifies that a packet comes in on an expected network interface. The routing table is consulted for each incoming packet. The interface the packet comes in on must match the interface that would be used to reach the source of the packet. If these interfaces do not match, the packet is discarded. This feature is enabled by default.
Source route verification adds overhead to packet processing and might not work in environments where asymmetric routing occurs. Source route verification is controlled by the following parameters.
Our recommendation is to leave it enabled unless it causes performance or routing problems.
To Disable Source Route Verification
Add the following lines to the /etc/sysctl.conf file:
net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.all.rp_filter = 0
Disable Protocol Stacks
The kernel supports on-demand loading of kernel modules. Many components of the kernel such as file systems, protocol stacks, and device drivers are loaded the first time they are needed. The process of loading a required kernel module is quite simple: the kernel creates a new user process and runs the program /sbin/modprobe, which loads the required module.
This simple and effective mechanism has one drawback: protocol stacks other than TCP/IP might be loaded inadvertently. When a network socket is created for protocol family N, the kernel executes the following command.
# /sbin/modprobe -s net-pf-N
The protocol stack is loaded. We recommend that you disable all unnecessary protocol stacks.
To Disable All Unnecessary Protocol Stacks
Modify the following lines to the /etc/modules.conf file:
alias net-pf-4 off # IPX alias net-pf-5 off # Appletalk alias net-pf-10 off # IPv6 alias net-pf-12 off # Decnet