Many network parameters that are secure by default are tunable, and might have been changed from the default. If site conditions permit, return the following tunable parameters to their default values.
Before You Begin
You must become an administrator who is assigned the Network Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
The default value prevents DoS attacks from spoofed packets.
# ipadm set-prop -p _forward_src_routed=0 ipv4
# ipadm set-prop -p _forward_src_routed=0 ipv6
# ipadm show-prop -p _forward_src_routed ipv4
PROTO PROPERTY            PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv4  _forward_src_routed rw   0       --         0       0,1
# ipadm show-prop -p _forward_src_routed ipv6
PROTO PROPERTY            PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv6  _forward_src_routed rw   0       --         0       0,1
For more information, see _forwarding_src_routed Parameter (IPv4 or IPv6) in Oracle Solaris 11.4 Tunable Parameters Reference Manual.
The default value prevents the dissemination of information about the network topology.
# ipadm set-prop -p _respond_to_address_mask_broadcast=0 ip
# ipadm show-prop -p _respond_to_address_mask_broadcast ip
PROTO PROPERTY                           PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ip    _respond_to_address_mask_broadcast rw   0       --         0       0,1
The default value removes additional CPU demands on systems and prevents the dissemination of information about the network.
# ipadm set-prop -p _respond_to_timestamp=0 ip
# ipadm show-prop -p _respond_to_timestamp ip
PROTO PROPERTY              PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ip    _respond_to_timestamp rw   0       --         0       0,1
The default value removes additional CPU demands on systems and prevents dissemination of information about the network.
# ipadm set-prop -p _respond_to_timestamp_broadcast=0 ip
# ipadm show-prop -p _respond_to_timestamp_broadcast ip
PROTO PROPERTY                        PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ip    _respond_to_timestamp_broadcast rw   0       --         0       0,1
The default value prevents packets from bypassing network security measures. Source-routed packets allow the source of the packet to suggest a path different from the path configured on the router.
# ipadm set-prop -p _rev_src_routes=0 tcp
# ipadm show-prop -p _rev_src_routes tcp
PROTO PROPERTY        PERM CURRENT PERSISTENT DEFAULT POSSIBLE
tcp   _rev_src_routes rw   0       --         0       0,1
For more information, see _rev_src_routes Parameter in Oracle Solaris 11.4 Tunable Parameters Reference Manual.
The default value, which is set in the /etc/default/inetinit file, ensures that the TCP initial sequence number generation parameter complies with Defending against Sequence Number Attacks (https://www.rfc-editor.org/info/rfc6528).
# pfedit /etc/default/inetinit
TCP_STRONG_ISS=2
# /usr/sbin/reboot
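To check a system against this procedure without reading each table by eye, the following added example (not Oracle's code) parses the ipadm show-prop output format shown above and reports any property whose CURRENT value differs from DEFAULT, and checks the effective TCP_STRONG_ISS setting. The function names drifted_props and strong_iss_ok and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code: audit helpers for the settings on this page.

# drifted_props: read `ipadm show-prop` output on stdin and print one line
# for each property whose CURRENT value differs from its DEFAULT value.
# Assumes whitespace-separated columns with no embedded blanks, as shown above.
drifted_props() {
    awk '
        $1 == "PROTO" {                 # header row: find columns by name
            c = d = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "CURRENT") c = i
                if ($i == "DEFAULT") d = i
            }
            next
        }
        c && d && NF >= d && $c != $d {
            printf "%s %s current=%s default=%s\n", $1, $2, $c, $d
        }
    '
}

# strong_iss_ok FILE: succeed only if the last uncommented TCP_STRONG_ISS
# assignment in FILE (normally /etc/default/inetinit) is 2.
strong_iss_ok() {
    val=$(sed -n 's/^[[:space:]]*TCP_STRONG_ISS=\([0-9]*\).*/\1/p' "$1" | tail -n 1)
    [ "$val" = "2" ]
}

# Constructed sample: two show-prop runs concatenated; the tcp row has drifted.
SAMPLE='PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ip _respond_to_timestamp rw 0 -- 0 0,1
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
tcp _rev_src_routes rw 1 1 0 0,1'

printf '%s\n' "$SAMPLE" | drifted_props
```

On a Solaris system, pipe the show-prop commands from the steps above into drifted_props, for example ipadm show-prop -p _rev_src_routes tcp | drifted_props; no output means nothing has drifted from the default.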
See Also
ipadm(8) man page