
/usr/lib/sysctl.d/50-default.conf

From Foxwiki
Revision as of 25 January 2025, 13:43 by Dirkwagner (talk | contribs) (Page created: „# This file originated from systemd. # # This is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. # See sysctl.d(5) and core(5) for documentation. # To override settings in this file, create a local file in /etc # (e.g. /etc/sysctl.d/90-override.conf), and put a…“)
# This file originated from systemd.
#
# This is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

# See sysctl.d(5) and core(5) for documentation.

# To override settings in this file, create a local file in /etc
# (e.g. /etc/sysctl.d/90-override.conf), and put any assignments
# there.

# System Request functionality of the kernel (SYNC)
#
# Use kernel.sysrq = 1 to allow all keys.
# See https://docs.kernel.org/admin-guide/sysrq.html for a list
# of values and keys.
kernel.sysrq = 0x01b6

# Append the PID to the core filename
kernel.core_uses_pid = 1

# Source route verification
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.*.rp_filter = 2
-net.ipv4.conf.all.rp_filter

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.*.accept_source_route = 0
-net.ipv4.conf.all.accept_source_route

# Promote secondary addresses when the primary address is removed
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.*.promote_secondaries = 1
-net.ipv4.conf.all.promote_secondaries

# ping(8) without CAP_NET_ADMIN and CAP_NET_RAW
# The upper limit is set to 2^31-1. Values greater than that get rejected by
# the kernel because of this definition in linux/include/net/ping.h:
#   #define GID_T_MAX (((gid_t)~0U) >> 1)
# That's not so bad because values between 2^31 and 2^32-1 are reserved on
# systemd-based systems anyway: https://systemd.io/UIDS-GIDS#summary
-net.ipv4.ping_group_range = 0 2147483647

# Fair Queue CoDel packet scheduler to fight bufferbloat
-net.core.default_qdisc = fq_codel

# Enable hard and soft link protection
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

# Enable regular file and FIFO protection
fs.protected_regular = 2
fs.protected_fifos = 1
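The `-` prefix, the `net.ipv4.conf.*` glob followed by a bare `-net.ipv4.conf.all.rp_filter`, and the hint to override via /etc/sysctl.d/90-override.conf all depend on how systemd-sysctl merges sysctl.d files. As an added example (not part of the wiki page or of systemd), the following Python resolves the effective settings offline from constructed file contents; EXISTING_KEYS stands in for /proc/sys, and the two 90-override.conf files are hypothetical.

```python
import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the sysctl keys present under /proc/sys on a host.
EXISTING_KEYS = ["kernel.sysrq", "kernel.core_uses_pid", "fs.protected_symlinks",
                 "net.ipv4.conf.all.rp_filter", "net.ipv4.conf.default.rp_filter",
                 "net.ipv4.conf.lo.rp_filter", "net.ipv4.conf.eth0.rp_filter"]
DIR_RANK = {"/etc/": 0, "/run/": 1, "/usr/": 2}  # same basename: lowest rank masks the others

def parse_sysctl_d(text: str) -> List[Tuple[str, Optional[str], bool]]:
    """Parse one sysctl.d file into (key, value, ignore_failure); value is None for a bare '-key'."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.lstrip("-").partition("=")
        entries.append((key.strip(), value.strip() if sep else None, line.startswith("-")))
    return entries

def effective_settings(files: Dict[str, str], existing: List[str] = EXISTING_KEYS) -> Dict[str, str]:
    """Resolve what systemd-sysctl would write: files ordered by basename across all directories,
    a later assignment replacing an earlier one, explicit keys shielded from globs, bare '-key' never set."""
    chosen: Dict[str, str] = {}  # basename -> winning path (/etc beats /run beats /usr/lib)
    for path in sorted(files, key=lambda p: (p.rsplit("/", 1)[1], DIR_RANK[p[:5]])):
        chosen.setdefault(path.rsplit("/", 1)[1], path)
    options: Dict[str, Tuple[Optional[str], bool]] = {}  # dict keeps insertion order
    for name in sorted(chosen):
        for key, value, ignore in parse_sysctl_d(files[chosen[name]]):
            options.pop(key, None)  # "Overwriting earlier assignment": re-queued at the end
            options[key] = (value, ignore)
    result: Dict[str, str] = {}
    for key, (value, ignore) in options.items():
        if any(c in key for c in "*?["):  # glob: fills only keys that have no explicit entry
            result.update({k: value for k in existing
                           if fnmatch.fnmatchcase(k, key) and k not in options})
        elif value is None:  # bare '-key' exists only to keep globs off this key
            continue
        elif key in existing:
            result[key] = value
        elif not ignore:
            raise KeyError(f"{key}: no such sysctl; prefix the line with '-' to tolerate that")
    return result

FILES = {  # constructed input: an excerpt of the page's file plus two hypothetical overrides
    "/usr/lib/sysctl.d/50-default.conf": "kernel.sysrq = 0x01b6\nkernel.core_uses_pid = 1\n"
        "net.ipv4.conf.default.rp_filter = 2\nnet.ipv4.conf.*.rp_filter = 2\n"
        "-net.ipv4.conf.all.rp_filter\n-net.core.default_qdisc = fq_codel\nfs.protected_symlinks = 1\n",
    "/usr/lib/sysctl.d/90-override.conf": "kernel.sysrq = 1\n",  # masked by its /etc twin
    "/etc/sysctl.d/90-override.conf": "kernel.sysrq = 0\n",
}
```

Calling `effective_settings(FILES)` shows `kernel.sysrq` ending up at 0 from the /etc file, `rp_filter` set on lo, eth0 and default but not on `all`, and the missing `net.core.default_qdisc` silently skipped because of its `-` prefix. fnmatch's `*` also matches across dots, so unlike glob(3) over /proc/sys paths it could match a key with extra components; for this file's single-component wildcards the result is the same.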