Package: procps
Version: 1:3.2.8-7
Severity: wishlist

Hi.

I think it would be a good idea to use at least the settings below per default:

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

At least rp_filter should not have effect for most systems, even for routers, right?

I'm not an expert on how much the others would affect Debian boxes used as a router but:
1) The vast majority of Debian installations are NOT used as router
2) It's better to ship hardened settings per default, even if this "breaks" some things.
3) As the "broken" things are usually special setups (e.g. router) people that need them should be aware of what they're doing, and thus be able to set the sysctl settings they need. The "normal" end-user does usually however not know of these settings, their security impact and whether or not he should set them.

Cheers,
Chris.

btw: I'd also suggest to activate syncookies per default, but this is already requested in #520668.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-fermat (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages procps depends on:
ii  initscripts    2.87dsf-8.1       scripts for initializing and shutt
ii  libc6          2.10.2-6          Embedded GNU C Library: Shared lib
ii  libncurses5    5.7+20090803-2    shared libraries for terminal hand
ii  libncursesw5   5.7+20090803-2    shared libraries for terminal hand
ii  lsb-base       3.2-23            Linux Standard Base 3.2 init scrip

Versions of packages procps recommends:
ii  psmisc         22.10-1           utilities that use the proc file s

procps suggests no packages.

-- no debconf information
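An added example, not part of the report and not procps code: a POSIX shell audit that checks sysctl.conf-style text against the six settings proposed above. The function names (`conf_value`, `audit_sysctl_conf`) and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# The six settings proposed in the report, one key=value per line.
WANTED='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0'

# Print the effective value of key $1 in sysctl.conf-style text $2.
# Lines starting with # or ; and blank lines are skipped; the last
# assignment wins. All blanks are stripped, which is fine for the
# single-number values audited here.
conf_value() {
    printf '%s\n' "$2" | {
        found=
        while IFS='=' read -r k v; do
            k=$(printf '%s' "$k" | tr -d ' \t')
            v=$(printf '%s' "$v" | tr -d ' \t')
            case $k in ''|'#'*|';'*) continue ;; esac
            if [ "$k" = "$1" ]; then found=$v; fi
        done
        printf '%s' "$found"
    }
}

# Compare conf text $1 with WANTED, print one verdict per key and
# return the number of keys that are missing or set differently.
audit_sysctl_conf() {
    bad=0
    for want in $WANTED; do
        key=${want%%=*}; val=${want#*=}
        got=$(conf_value "$key" "$1")
        if [ -z "$got" ]; then
            echo "MISSING $key (want $val)"; bad=$((bad + 1))
        elif [ "$got" != "$val" ]; then
            echo "DIFFERS $key=$got (want $val)"; bad=$((bad + 1))
        else
            echo "OK      $key=$val"
        fi
    done
    return "$bad"
}

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF='# constructed sample
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects=1
net.ipv4.conf.all.accept_redirects = 0
;net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.accept_source_route = 1'
audit_sysctl_conf "$SAMPLE_CONF" || echo "$? setting(s) differ from the proposal"
```

To audit a real file, pass its contents instead of the sample, for example `audit_sysctl_conf "$(cat /etc/sysctl.conf)"`; this checks configuration text only, not the values currently loaded in the kernel.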