ipv6/. By altering the files within these directories, system administrators are able to adjust the network configuration on a running system.
/proc/sys/net/ directories are discussed.
The /proc/sys/net/core/ directory contains a variety of settings that control the interaction between the kernel and the networking layers. The most important of these files are:
message_burst — Together with message_cost, rate-limits the warning messages the networking code writes to the kernel log, so that a remote host cannot flood the log (and the disk holding it) by provoking errors. On current kernels message_burst is the number of messages allowed in a burst before the limit kicks in (default 10); the older description of it as a time in tenths of a second no longer applies.
message_cost — Sets the minimum interval, in seconds, between further warning messages once the burst is used up. The higher the value of this file (default 5), the more likely a warning message is dropped. This setting is used to mitigate DoS attacks. The idea of such a DoS attack is to bombard the targeted system with requests that generate errors and either fill up disk partitions with log files or consume the system's resources handling the error logging. These two settings are meant to be tuned to the system's acceptable risk versus its need for comprehensive logging; when messages are dropped, the kernel logs a "net_ratelimit: N callbacks suppressed" line, so the suppression itself stays visible.
netdev_max_backlog — Sets the maximum number of packets allowed to queue in the per-CPU input backlog when an interface receives packets faster than the kernel can process them; packets that arrive while the backlog is full are dropped. Default on current kernels: 1000.
optmem_max — Configures the maximum ancillary buffer size allowed per socket.
rmem_default — Sets the default receive socket buffer size in bytes.
rmem_max — Sets the maximum receive socket buffer size in bytes; this caps what an application can request with SO_RCVBUF.
wmem_default — Sets the default send socket buffer size in bytes.
wmem_max — Sets the maximum send socket buffer size in bytes; this caps what an application can request with SO_SNDBUF.
The /proc/sys/net/ipv4/ directory contains additional networking settings. Many of these settings, used in conjunction with one another, are useful in preventing attacks on the system or when the system acts as a router.
icmp_timeexceed_rate — Sets the maximum rate, in 1/100 of a second, at which the kernel sends ICMP Time Exceeded messages to a host. A setting of 0 removes any delay and is not a good idea, since it lets a remote host make the system generate ICMP replies as fast as it can provoke them. This per-type file belongs to 2.2 kernels; 2.4 and later kernels replace the icmp_*_rate files with icmp_ratelimit (minimum interval between replies, in milliseconds, default 1000, 0 to disable limiting) and icmp_ratemask (bitmask of the ICMP types the limit applies to).
icmp_echo_ignore_broadcasts — Makes the kernel ignore ICMP ECHO requests sent to broadcast and multicast addresses, which is what smurf-style amplification attacks rely on; the companion file icmp_echo_ignore_all ignores ICMP ECHO requests from every host. For both files, a value of 0 allows the kernel to respond, while a value of 1 ignores the packets.
ip_default_ttl — Sets the default Time To Live (TTL) of outgoing packets, which limits the number of hops a packet may make before it is discarded. Raising it lets packets caught in a routing loop circulate longer; the value is also visible on the wire and is one of the fields remote hosts use to fingerprint the operating system.
ip_forward — Permits the system to forward packets between its interfaces, that is, to act as a router. By default, this file is set to 0. Setting it to 1 enables network packet forwarding. Leave it at 0 on hosts that are not meant to route: a multi-homed host with forwarding enabled silently joins networks that firewall rules may assume are separate.
ip_local_port_range — Specifies the range of ports used by TCP or UDP when a local (ephemeral) port is needed. The first number is the lowest port to be used and the second the highest. Older kernels defaulted to 1024 to 4999; any system that needs more ports than that should use a range such as 32768 to 61000, and current kernels default to 32768 to 60999. The file holds both numbers, so it is written as a pair, for example by echoing "32768 60999" into it.
tcp_syn_retries — Limits how many times the system retransmits a SYN when initiating a connection (default on current kernels: 6). The companion file tcp_synack_retries limits SYN-ACK retransmissions when answering an incoming connection.
tcp_retries1 — Sets how many times a segment of an established connection is retransmitted before the kernel asks the network layer to recheck the route (default on current kernels: 3).
tcp_retries2 — Sets how many times a segment is retransmitted before the connection is abandoned (default on current kernels: 15, which works out to roughly 15 minutes with the default retransmission timer).
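As an added example (not part of the original guide), the following POSIX shell script audits the log rate-limiting tunables from the /proc/sys/net/core/ section and the forwarding and ICMP settings from this section against a small baseline, and can apply that baseline the way an administrator would by echoing into the files. SYSCTL_ROOT is the script's own convention, not a kernel interface: it defaults to /proc/sys and can be pointed at a copy of the tree for testing. The baseline values are the page's recommendations where it gives one (ip_forward 0, icmp_echo_ignore_broadcasts 1) and the current kernel defaults for message_cost and message_burst.

```shell
#!/bin/sh
# Added example: audit /proc/sys/net/core and /proc/sys/net/ipv4 tunables
# against a baseline and optionally apply it. Writing to /proc/sys requires
# root. SYSCTL_ROOT is this script's own convention (an assumption, not a
# kernel interface) so the same functions can run against a fixture tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Baseline, one "path value" pair per line, relative to SYSCTL_ROOT.
BASELINE='
net/core/message_cost 5
net/core/message_burst 10
net/ipv4/ip_forward 0
net/ipv4/icmp_echo_ignore_broadcasts 1
'

# sysctl_get PATH: print the value with whitespace collapsed to single
# spaces (multi-field files such as ip_local_port_range use a tab);
# return 1 if the file does not exist, e.g. on a kernel that dropped it.
sysctl_get() {
    f="$SYSCTL_ROOT/$1"
    [ -r "$f" ] || return 1
    tr -s '[:space:]' ' ' < "$f" | sed 's/ $//'
}

# sysctl_set PATH VALUE: the same write an administrator does by hand with
# "echo 1 > /proc/sys/net/ipv4/ip_forward"; return 1 if not writable.
sysctl_set() {
    f="$SYSCTL_ROOT/$1"
    [ -w "$f" ] || return 1
    printf '%s\n' "$2" > "$f"
}

# audit_baseline: print "path current=X expected=Y" for every deviation and
# return the number of deviations, so 0 means the system matches the baseline.
# A here-document feeds the loop instead of a pipe so the loop runs in the
# current shell and the counter survives (a pipe forks a subshell in POSIX sh).
audit_baseline() {
    bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(sysctl_get "$key") || have="(missing)"
        if [ "$have" != "$want" ]; then
            printf '%s current=%s expected=%s\n' "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$bad"
}

# apply_baseline: write every baseline value; stop at the first failure.
apply_baseline() {
    while read -r key want; do
        [ -n "$key" ] || continue
        sysctl_set "$key" "$want" || {
            printf 'cannot write %s/%s\n' "$SYSCTL_ROOT" "$key" >&2
            return 1
        }
    done <<EOF
$BASELINE
EOF
}

# Usage: "sh net_audit.sh audit" reports deviations on the live system;
# "sh net_audit.sh apply" (as root) applies the baseline and re-audits.
case "${1:-}" in
    audit) audit_baseline ;;
    apply) apply_baseline && audit_baseline ;;
esac
```

A file the running kernel no longer exposes is reported as "(missing)" rather than skipped, which is what you want when a baseline written for one kernel generation is run on another; changes made this way do not survive a reboot, so the same values belong in /etc/sysctl.conf or /etc/sysctl.d/ as well.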
/proc/sys/net/ipv4/ directory and each covers a different aspect of the network stack. The
/proc/sys/net/ipv4/conf/ directory allows each system interface to be configured in different ways, including the use of default settings for unconfigured devices (in the
/proc/sys/net/ipv4/conf/default/ subdirectory) and settings that override all special configurations (in the
/proc/sys/net/ipv4/neigh/ directory contains the settings for the neighbor cache, that is, for reaching hosts directly connected to the system (network neighbors, resolved with ARP); like conf/, it holds a default/ subdirectory for newly created interfaces and one subdirectory per interface.
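For the /proc/sys/net/ipv4/conf/ hierarchy described above, here is an added shell example (not from the guide) that shows where one per-interface setting lives: it lists the all/ and default/ values first and then every interface, and can flag interfaces whose own file differs from all/. The kernel combines conf/all and the interface's file setting by setting, so a differing interface value is not automatically wrong, but it is the first place to look when an interface does not behave as the global setting suggests. The key name (rp_filter in the usage line) is passed in; SYSCTL_ROOT is the script's own convention, an assumption that defaults to /proc/sys so the functions can also run against a copied tree.

```shell
#!/bin/sh
# Added example: inspect one setting across /proc/sys/net/ipv4/conf/.
# SYSCTL_ROOT is this script's own convention (an assumption) so the
# functions can be run against a fixture directory instead of /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# conf_values KEY: print "subdir value" for KEY, all/ and default/ first and
# then each interface subdirectory in glob (alphabetical) order. Subdirectories
# that lack the file (an interface type without that setting) are skipped.
conf_values() {
    key=$1
    base="$SYSCTL_ROOT/net/ipv4/conf"
    for d in all default; do
        [ -r "$base/$d/$key" ] && printf '%s %s\n' "$d" "$(cat "$base/$d/$key")"
    done
    for d in "$base"/*/; do
        name=${d%/}; name=${name##*/}
        case "$name" in all|default) continue ;; esac
        [ -r "$d$key" ] && printf '%s %s\n' "$name" "$(cat "$d$key")"
    done
    return 0
}

# conf_drift KEY: print "iface value (all=X)" for each interface whose KEY
# differs from conf/all/KEY and return how many there are (0 means none).
# Returns 1 with a message on stderr if conf/all/KEY does not exist.
conf_drift() {
    key=$1
    all=$(cat "$SYSCTL_ROOT/net/ipv4/conf/all/$key" 2>/dev/null) || {
        printf 'no %s under %s/net/ipv4/conf/all\n' "$key" "$SYSCTL_ROOT" >&2
        return 1
    }
    drift=0
    while read -r name val; do
        case "$name" in all|default|"") continue ;; esac
        if [ "$val" != "$all" ]; then
            printf '%s %s (all=%s)\n' "$name" "$val" "$all"
            drift=$((drift + 1))
        fi
    done <<EOF
$(conf_values "$key")
EOF
    return "$drift"
}

# Usage: sh conf_show.sh rp_filter        (all/, default/, then every interface)
#        sh conf_show.sh rp_filter drift  (only interfaces differing from all/)
if [ $# -ge 1 ]; then
    if [ "${2:-}" = drift ]; then conf_drift "$1"; else conf_values "$1"; fi
fi
```

Because default/ is only copied into interfaces created after it was set, an interface that existed before a hardening script ran keeps its old value; running the drift check after applying settings to conf/all and conf/default makes those leftovers visible.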
/proc/sys/net/ipv4/route/ directory contains settings that apply to routing with any interface on the system. Many of these settings, such as
min_delay, relate to controlling the size of the routing cache; the cache itself was removed in Linux 3.6, so on current kernels several of these entries are gone or have no effect. To clear the routing cache, write any value to the