Summary of network service options
To achieve a higher level of system security, there are several
network options that you can change using 0 to disable and 1 to
enable. The following list identifies these parameters you can use with the no command.
| Parameter | Command | Purpose |
|---|---|---|
| bcastping | /usr/sbin/no -o bcastping=0 | Allows response to ICMP echo packets to the broadcast address. Disabling this prevents Smurf attacks. |
| clean_partial_conns | /usr/sbin/no -o clean_partial_conns=1 | Specifies whether or not SYN (synchronizes the sequence number) attacks are being avoided. |
| directed_broadcast | /usr/sbin/no -o directed_broadcast=0 | Specifies whether to allow a directed broadcast to a gateway. Setting to 0 helps prevent directed packets from reaching a remote network. |
| icmpaddressmask | /usr/sbin/no -o icmpaddressmask=0 | Specifies whether the system responds to an ICMP address mask request. Disabling this prevents access through source routing attacks. |
| ipforwarding | /usr/sbin/no -o ipforwarding=0 | Specifies whether the kernel should forward packets. Disabling this prevents redirected packets from reaching remote network. |
| ipignoreredirects | /usr/sbin/no -o ipignoreredirects=1 | Specifies whether to process redirects that are received. |
| ipsendredirects | /usr/sbin/no -o ipsendredirects=0 | Specifies whether the kernel should send redirect signals. Disabling this prevents redirected packets from reaching remote network. |
| ip6srcrouteforward | /usr/sbin/no -o ip6srcrouteforward=0 | Specifies whether the system forwards source-routed IPv6 packets. Disabling this prevents access through source routing attacks. |
| ipsrcrouteforward | /usr/sbin/no -o ipsrcrouteforward=0 | Specifies whether the system forwards source-routed packets. Disabling this prevents access through source routing attacks. |
| ipsrcrouterecv | /usr/sbin/no -o ipsrcrouterecv=0 | Specifies whether the system accepts source-routed packets. Disabling this prevents access through source routing attacks |
| ipsrcroutesend | /usr/sbin/no -o ipsrcroutesend=0 | Specifies whether applications can send source-routed packets. Disabling this prevents access through source routing attacks. |
| nonlocsroute | /usr/sbin/no -o nonlocsrcroute=0 | Tells the Internet Protocol that strictly source-routed packets may be addressed to hosts outside the local network. Disabling this prevents access through source routing attacks. |
| tcp_icmpsecure | /usr/sbin/no -o tcp_icmpsecurer=1 | Protects TCP connections against ICMP (Internet Control Message Protocol) source quench and PMTUD (Path MTU Discovery) attacks. Checks the payload of the ICMP message to test the sequence number of the TCP header is within the range of acceptable sequence numbers. Values: 0=off (default); 1=on. |
| ip_nfrag | /usr/sbin/no -o ip_nfrag=200 | Specifies the maximum number of fragments of an IP packet that can be kept on the IP reassembly queue at a time (default value of 200 keeps up to 200 fragments of an IP packet in the IP reassembly queue). |
| tcp_pmtu_discover | /usr/sbin/no -o tcp_pmtu_discover=0 | Disabling this prevents access through source routing attacks. |
| tcp_tcpsecure | /usr/sbin/no -o tcp_tcpsecure=7 | Protects TCP connections against vulnerabilities. Values: 0=no protection; 1=sending a fake SYN to an established connection; 2=sending a fake RST to an established connection; 3=injecting data in an established TCP connection; 5–7=combination of the above vulnerabilities. |
| udp_pmtu_discover | /usr/sbin/no -o udp_pmtu_discover=0 | Enables or disables path MTU discovery for TCP applications. Disabling this prevents access through source routing attacks. |
For more information about network-tunable options, see Performance management.