Red Hat ENTERPRISE LINUX 3 Reference Manual

Also see for ENTERPRISE LINUX 3 - SECURITY GUIDE: Tuning guide Installation guide Installation guide Installation guide Manual

Contents

Chapter 5. The proc File System 73• version — Displays the date and time the kernel was last compiled. The first field in this file, suchas #3, relates to the number of times a kernel was built from the source base.5.3.9.4. /proc/sys/net/This directory contains subdirectories concerning various networking topics. Various configurationsat the time of kernel compilation make different directories available here, such as appletalk/,ethernet/, ipv4/, ipx/, and ipv6/. By altering the files within these directories, system adminis-trators are able to adjust the network configuration on a running system.Given the wide variety of possible networking options available with Linux, only the most common/proc/sys/net/ directories are discussed.The /proc/sys/net/core/ directory contains a variety of settings that control the interaction be-tween the kernel and networking layers. The most important of these files are:• message_burst — Sets the amount of time in tenths of a second required to write a new warningmessage. This setting is used to mitigate Denial of Service (DoS) attacks. The default setting is 50.• message_cost — Sets a cost on every warning message. The higher the value of this file (defaultof 5), the more likely the warning message is ignored. This setting is used to mitigate DoS attacks.The idea of a DoS attack is to bombard the targeted system with requests that generate errors and fillup disk partitions with log files or require all of the system’s resources to handle the error logging.The settings in message_burst and message_cost are designed to be modified based on thesystem’s acceptable risk versus the need for comprehensive logging.• netdev_max_backlog — Sets the maximum number of packets allowed to queue when a partic-ular interface receives packets faster than the kernel can process them. The default value for thisfile is 300.• optmem_max — Configures the maximum ancillary buffer size allowed per socket.• rmem_default — Sets the receive socket buffer default size in bytes.• rmem_max — Sets the receive socket buffer maximum size in bytes.• wmem_default — Sets the send socket buffer default size in bytes.• wmem_max — Sets the send socket buffer maximum size in bytes.The /proc/sys/net/ipv4/ directory contains additional networking settings. Many of these set-tings, used in conjunction with one another, are useful in preventing attacks on the system or whenusing the system to act as a router.CautionAn erroneous change to these files may affect remote connectivity to the system.The following is a list of some of the more important files within the /proc/sys/net/ipv4/ direc-tory:• icmp_destunreach_rate, icmp_echoreply_rate, icmp_paramprob_rate, andicmp_timeexeed_rate — Set the maximum ICMP send packet rate, in 1/100 of a second, tohosts under certain conditions. A setting of 0 removes any delay and is not a good idea.• icmp_echo_ignore_all and icmp_echo_ignore_broadcasts — Allows the kernel to ignoreICMP ECHO packets from every host or only those originating from broadcast and multicast ad-