48 lines
1.8 KiB
Nix
48 lines
1.8 KiB
Nix
{
|
|
config,
|
|
inputs,
|
|
...
|
|
}: let
|
|
cfg = config.sneeuwvlok.system.security.boot;
|
|
in {
|
|
options.sneeuwvlok.system.security.boot = {};
|
|
|
|
config = {
|
|
boot = {
|
|
kernelModules = ["tcp_bbr"];
|
|
kernel.sysctl = {
|
|
## TCP hardening
|
|
# Prevent bogus ICMP errors from filling up logs.
|
|
"net.ipv4.icmp_ignore_bogus_error_responses" = 1;
|
|
# Reverse path filtering causes the kernel to do source validation of
|
|
# packets received from all interfaces. This can mitigate IP spoofing.
|
|
"net.ipv4.conf.default.rp_filter" = 1;
|
|
"net.ipv4.conf.all.rp_filter" = 1;
|
|
# Do not accept IP source route packets (we're not a router)
|
|
"net.ipv4.conf.all.accept_source_route" = 0;
|
|
"net.ipv6.conf.all.accept_source_route" = 0;
|
|
# Don't send ICMP redirects (again, we're on a router)
|
|
"net.ipv4.conf.all.send_redirects" = 0;
|
|
"net.ipv4.conf.default.send_redirects" = 0;
|
|
# Refuse ICMP redirects (MITM mitigations)
|
|
"net.ipv4.conf.all.accept_redirects" = 0;
|
|
"net.ipv4.conf.default.accept_redirects" = 0;
|
|
"net.ipv4.conf.all.secure_redirects" = 0;
|
|
"net.ipv4.conf.default.secure_redirects" = 0;
|
|
"net.ipv6.conf.all.accept_redirects" = 0;
|
|
"net.ipv6.conf.default.accept_redirects" = 0;
|
|
# Protects against SYN flood attacks
|
|
"net.ipv4.tcp_syncookies" = 1;
|
|
# Incomplete protection again TIME-WAIT assassination
|
|
"net.ipv4.tcp_rfc1337" = 1;
|
|
|
|
## TCP optimization
|
|
# Enable TCP Fast Open for incoming and outgoing connections
|
|
"net.ipv4.tcp_fastopen" = 3;
|
|
# Bufferbloat mitigations + slight improvement in throughput & latency
|
|
"net.ipv4.tcp_congestion_control" = "bbr";
|
|
"net.core.default_qdisc" = "cake";
|
|
};
|
|
};
|
|
};
|
|
}
|