author | Florian Klink <flokli@flokli.de> | 2019-08-11 13:32:24 +0200 |
---|---|---|
committer | Florian Klink <flokli@flokli.de> | 2019-08-18 17:54:26 +0200 |
commit | 9be0327a4975e219957d5108b3753a7640c4a9e0 (patch) | |
tree | f264e6c231f25fcf660af8997e665e78704fc3cb /nixos/modules/profiles/hardened.nix | |
parent | e5965bd4897310d1f99ad75f51ef99f1f0e2c274 (diff) | |
nixos/systemd: install sysctl snippets
systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable:

- Loose reverse path filtering
- Source route filtering
- `fq_codel` as a packet scheduler (this helps to fight bufferbloat)

This also configures the kernel to pass coredumps to `systemd-coredump`.

These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`).

Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set.

In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit.
Diffstat (limited to 'nixos/modules/profiles/hardened.nix')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 16 |
1 files changed, 5 insertions, 11 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 3ff9a2b4fde..46417579352 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -95,23 +95,17 @@ with lib; # Disable ftrace debugging boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false; - # Enable reverse path filtering (that is, do not attempt to route packets - # that "obviously" do not belong to the iface's network; dropped packets are - # logged as martians). + # Enable strict reverse path filtering (that is, do not attempt to route + # packets that "obviously" do not belong to the iface's network; dropped + # packets are logged as martians). boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true; - boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1"; boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true; - boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true; + boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1"; # Ignore broadcast ICMP (mitigate SMURF) boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true; - # Ignore route information from sender - boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false; - boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false; - boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false; - boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false; - # Ignore incoming ICMP redirects (note: default is needed to ensure that the # setting is applied to interfaces added after the sysctls are set) boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false; |
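Review bot: the hunk drops the IPv6 `accept_source_route` sysctls (`net.ipv6.conf.all.accept_source_route` and `net.ipv6.conf.default.accept_source_route`) together with the IPv4 ones, but the commit message only states that the systemd snippet provides "source route filtering" without saying it covers IPv6; please confirm 50-default.conf sets the `net.ipv6.conf.*` keys as well, and otherwise keep those two lines in the hardened profile so the removal does not silently re-enable IPv6 source routing on hardened hosts. The switch from `mkDefault true` to `mkDefault "1"` for `rp_filter` is justified by the "strict" rationale in the updated comment, but the adjacent `log_martians` and `icmp_echo_ignore_broadcasts` entries still use booleans, so a short comment noting that `"1"` is deliberately spelled out to override systemd's loose mode (2) would keep the block from looking inconsistent to the next reader.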