Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: September 2018
 
 

How to Reset Network Parameters to Secure Values

Many network parameters that are secure by default are tunable, and might have been changed from the default. If site conditions permit, return the following tunable parameters to their default values.

Before You Begin

You must become an administrator who is assigned the Network Management rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Set the source packet forwarding property to 0 for IP packets, then verify the current value.

    The default value prevents DOS attacks from spoofed packets.

    # ipadm set-prop -p _forward_src_routed=0 ipv4
    # ipadm set-prop -p _forward_src_routed=0 ipv6
    # ipadm show-prop -p _forward_src_routed ipv4
    PROTO  PROPERTY             PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv4  _forward_src_routed   rw   0         --           0         0,1
    # ipadm show-prop -p _forward_src_routed ipv6
    PROTO  PROPERTY             PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ipv6  _forward_src_routed   rw   0         --           0         0,1

    For more information, see _forwarding_src_routed (IPv4 or IPv6) in Oracle Solaris 11.3 Tunable Parameters Reference Manual.

  2. Set the netmask response property to 0 for IP packets, then verify the current value.

    The default value prevents the dissemination of information about the network topology.

    # ipadm set-prop -p _respond_to_address_mask_broadcast=0 ip
    # ipadm show-prop -p _respond_to_address_mask_broadcast ip
    PROTO PROPERTY                           PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ip    _respond_to_address_mask_broadcast rw   0         --           0         0,1
  3. Set the timestamp response property to 0 for IP packets, then verify the current value.

    The default value removes additional CPU demands on systems and prevents the dissemination of information about the network.

    # ipadm set-prop -p _respond_to_timestamp=0 ip
    # ipadm show-prop -p _respond_to_timestamp ip
    PROTO  PROPERTY                        PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ip    _respond_to_timestamp            rw   0         --           0         0,1
  4. Set the broadcast timestamp response property to 0 for IP packets, then verify the current value.

    The default value removes additional CPU demands on systems and prevents dissemination of information about the network.

    # ipadm set-prop -p _respond_to_timestamp_broadcast=0 ip
    # ipadm show-prop -p _respond_to_timestamp_broadcast ip
    PROTO  PROPERTY                        PERM CURRENT   PERSISTENT   DEFAULT   POSSIBLE
    ip    _respond_to_timestamp_broadcast  rw   0         --           0         0,1
  5. Prevent IP source routing.

    The default value prevents packets from bypassing network security measures. Source-routed packets allow the source of the packet to suggest a path different from the path configured on the router.


    Note - This parameter might be set to 1 for diagnostic purposes. After diagnosis is complete, return the value to 0.
    # ipadm set-prop -p _rev_src_routes=0 tcp
    # ipadm show-prop -p _rev_src_routes tcp
    PROTO PROPERTY          PERM CURRENT  PERSISTENT  DEFAULT  POSSIBLE
    tcp   _rev_src_routes   rw   0        --          0        0,1

    For more information, see _rev_src_routes in Oracle Solaris 11.3 Tunable Parameters Reference Manual.

See Also

ipadm(1M) man page