# ======================================================================= # $Id: advanced.conf 127 2005-12-08 02:41:56Z trappist $ # ======================================================================= #### Advanced Configuration Options ############################# ############################################################# ## Feel free to modify these settings if you know what you ## ## are doing, but most people won't need to mess with this ## ## section. Please read the README and FAQ for more info. ## ############################################################# # If you are trying to get an internet game to work # through your IP MASQ box, and you have set it up to # the best of your ability without it working, try # enabling this option. This option is disabled by # default due to possible internal machine UDP port # scanning vulnerabilities. # Set to 1 for yes 0 for no LOOSE_UDP_PATCH=0 # Log spoofed packets coming in on your external interface # This is not done via iptables, so the logs will be in # the syslog file for your kernel even if you use ulogd. LOG_MARTIANS=1 # There is a bug in current (at the time of this release) # Linux kernels that may allow some packets to leave the # local network with their original source IP address # intact. This does not pose a significant risk, but by # default we try to prevent it with this rule by # disallowing packets whose conntrack state is 'INVALID' # in the FORWARD chain. Comment this directive or set it # to 0 to disable. MASQUERADE_FIX=1 # From the tcp man page: # How many seconds to wait for a final FIN packet # before the socket is forcibly closed. This is # strictly a violation of the TCP specification, but # required to prevent denial-of-service attacks. FIN_TIMEOUT=30 # The number of seconds after no data has been trans- # mitted before a keep-alive will be sent on a con- # nection. TCP_KEEPALIVE=1800 # See rfc 1323 # http://rfc.net/rfc1323.html TCP_WINDOW_SCALING=1 # See rfc 2018 # http://rfc.net/rfc2018.html TCP_SACK=0 # man tcp for more info MAX_SYN_BACKLOG=1280 # man icmp ICMP_ECHO_IGNORE_BROADCASTS=1 # See http://www.linuxia.de/netfilter.en.html#221 # This setting won't have any effect right now # since ipkungfu doesn't use the QUEUE target IP_QUEUE_MAXLEN=2048 # man tcp TCP_TIMESTAMPS=0 # This option will cause the kernel to drop packets with malformed # headers, bad checksums, etc. The default is 0 because it is # considered experimental and can possible drop legal packets. DROP_UNCLEAN=0 # You may want to increase this number for servers SYN_FLOOD=10 SYN_FLOOD_BURST=24 # Support for tcp syn cookies (must be enabled in your # kernel, check kernel docs for details) SYN_COOKIES=1 # Uncomment this field to set the TTL for outgoing packets. This # helps to foil ISPs (or anyone else) who's trying to determine # whether this machine is a gateway for other machines on your # network. # A too low value will effectively break your internet connection. # See also: # http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TTLTARGET #TTL=126 # By default ipkungfu uses the multiport match from iptables to # match multiple ports for a number of situations. This is more # efficient, since a single rule is parsed rather than one for # each port. If your kernel lacks this functionality, or if you # need to use more ports than are supported (15), ipkungfu can # create a rule for each port instead, with some cost to # efficiency. ALLOWED_TCP_IN_USE_MULTIPORT=1 ALLOWED_UDP_IN_USE_MULTIPORT=1 DONT_LOG_TCP_USE_MULTIPORT=1 DONT_LOG_UDP_USE_MULTIPORT=1