{ config, lib, pkgs, ... }:

let
  # Pull in only the one helper this module uses instead of `with lib;`,
  # which shadows every name in lib and hides where identifiers come from.
  inherit (lib) mkDefault;
in
{
  # ###########################################################################
  # Options taken from hardened kernel profile, see
  # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
  # ###########################################################################
  #
  # Every value is wrapped in mkDefault, so a host-specific module can override
  # any single knob (e.g. `lib.mkForce`) without disabling this whole file.
  boot.kernel.sysctl = {
    # Strict reverse path filtering ("1"): packets whose source address would
    # not be routed back out the interface they arrived on are dropped and,
    # together with log_martians, logged as martians.  Strict mode can drop
    # legitimate traffic on multi-homed or asymmetrically routed hosts; loose
    # mode ("2") is the usual relaxation where that applies.
    "net.ipv4.conf.all.log_martians" = mkDefault true;
    "net.ipv4.conf.all.rp_filter" = mkDefault "1";
    "net.ipv4.conf.default.log_martians" = mkDefault true;
    "net.ipv4.conf.default.rp_filter" = mkDefault "1";

    # Ignore ICMP echo requests sent to broadcast addresses (mitigates SMURF
    # amplification).
    "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;

    # Ignore incoming ICMP redirects (IPv4 and IPv6).  The "default" entries
    # are needed so the setting also applies to interfaces that are added
    # after the sysctls have been set.
    "net.ipv4.conf.all.accept_redirects" = mkDefault false;
    "net.ipv4.conf.all.secure_redirects" = mkDefault false;
    "net.ipv4.conf.default.accept_redirects" = mkDefault false;
    "net.ipv4.conf.default.secure_redirects" = mkDefault false;
    "net.ipv6.conf.all.accept_redirects" = mkDefault false;
    "net.ipv6.conf.default.accept_redirects" = mkDefault false;

    # Do not send ICMP redirects ourselves (this knob is IPv4 only).
    "net.ipv4.conf.all.send_redirects" = mkDefault false;
    "net.ipv4.conf.default.send_redirects" = mkDefault false;
  };
}