Network stack hardening #286
thestinger added the Type: enhancement label May 30, 2016
thestinger
May 30, 2016
Contributor
CopperheadOS already makes TCP/IP configuration changes. It would make sense to do more, but the changes need to be justified. There's far too much going on in that configuration file, and most of it is performance tuning. It's also doing stuff like disabling IPv6 support which isn't sensible by default.
If there are specific configuration options that should be changed, that would make sense as individual issues.
thestinger closed this May 30, 2016
HulaHoopWhonix
Jun 1, 2016
For privacy you'll want to disable TCP timestamps that leak system uptime and make its traffic fingerprintable across different hotspots:
net.ipv4.tcp_timestamps = 0
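Why the timestamp option matters for privacy, as an added example that is not part of the thread: it parses the TCP Timestamps option (kind 8) from a header and shows that two sightings of one device on different networks resolve to the same estimated boot time. The sample headers, capture times and the 100 Hz tick rate are constructed, and the estimate assumes a counter that starts near zero at boot and ticks at a fixed rate.

```python
import struct

def build_header(tsval=None):
    """Constructed sample: 20-byte TCP header, optionally followed by NOP, NOP, Timestamps."""
    opts = b"" if tsval is None else bytes([1, 1, 8, 10]) + struct.pack("!II", tsval, 0)
    offset_words = (20 + len(opts)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, offset_words << 4, 0x10, 65535, 0, 0)
    return fixed + opts

def tcp_tsval(header: bytes):
    """Return TSval from the Timestamps option (kind 8, length 10), or None if absent."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    end = (header[12] >> 4) * 4          # data offset is counted in 32-bit words
    if end < 20 or end > len(header):
        raise ValueError("bad data offset")
    i = 20
    while i < end:
        kind = header[i]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # No-Operation padding, a single byte
            i += 1
            continue
        if i + 1 >= end:
            break                        # option kind without a length byte
        length = header[i + 1]
        if length < 2 or i + length > end:
            break                        # malformed option, stop parsing
        if kind == 8 and length == 10:
            return struct.unpack_from("!I", header, i + 2)[0]
        i += length
    return None

def tick_rate(t0, v0, t1, v1):
    """Ticks per second between two sightings; TSval is 32-bit and wraps."""
    return ((v1 - v0) % 2**32) / (t1 - t0)

# Constructed sightings of one device, one hour apart, on two different hotspots.
T0 = 1464739200.0
OBS = [(T0, build_header(25_000_000)), (T0 + 3600, build_header(25_360_000))]

def linked_boot_times():
    """Return (hz, boot estimate from sighting 1, boot estimate from sighting 2)."""
    (t0, h0), (t1, h1) = OBS
    v0, v1 = tcp_tsval(h0), tcp_tsval(h1)
    hz = tick_rate(t0, v0, t1, v1)
    return hz, t0 - v0 / hz, t1 - v1 / hz
```

With timestamps disabled the option is absent, `tcp_tsval` returns `None`, and there is no counter to correlate.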
HulaHoopWhonix commented May 30, 2016 (edited)
The AFWall dev has also created a sysctl configuration file that disables features of the kernel that are security and privacy risks. CopperheadOS can benefit by including them in releases:
https://github.com/ukanth/afwall/wiki/TCP-security#known-attacks
https://gist.github.com/CHEF-KOCH/0001e66a8c10b1177abe#file-tweaked-sysctl-conf