diff --git a/CHANGELOG b/CHANGELOG
index a59c655..29c5425 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,7 @@
+2.00 Release
+ - Add common options for sysctl/proc tweaking of network settings
+ - Yay stable release!
+ 2.00 Alpha 3 - - Give people knobs to tinker with regarding state matching. Kills multiple birds with one stone.
diff --git a/bin/srfirewall b/bin/srfirewall
index 77731d8..bfa54d3 100755
--- a/bin/srfirewall
+++ b/bin/srfirewall
@@ -236,5 +236,6 @@ if [ "${EnableIPv6}" == "yes" ]; then
 [[ ${Enablev6Forwarding} == "yes" ]] && enable_forwarding ipv6
 [[ ${Enablev6NAT} == "yes" ]] && enable_nat ipv6
 [[ ${Enablev6PortForwarding} == "yes" ]] && enable_portfw ipv6
+ [[ ${EnableSysctlTweaks} == "yes" ]] && sysctl_tweaks
 fi
diff --git a/etc/tweaks.conf b/etc/tweaks.conf
new file mode 100644
index 0000000..11b4ef1
--- /dev/null
+++ b/etc/tweaks.conf
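Review bot: The new `[[ ${EnableSysctlTweaks} == "yes" ]] && sysctl_tweaks` line sits inside the `if [ "${EnableIPv6}" == "yes" ]` block named in the hunk header, so the tweaks — which per etc/tweaks.conf in this same commit are mostly IPv4 and conntrack keys — are never applied when IPv6 is disabled. Unless that gating is intended, move the call below the block: `fi` followed by `[[ ${EnableSysctlTweaks} == "yes" ]] && sysctl_tweaks`. The enclosing `if` starts outside the hunk. The diff also shows no configuration file gaining `EnableSysctlTweaks`, so unless it is defined elsewhere the option is unset by default and the new code path never runs.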
@@ -0,0 +1,47 @@
+# Tweak Common Network Settings
+# These are common settings that you can change to adjust how
+# the kernel networking works. This file is passed to sysctl via
+# the -p flag and will override existing settings.
+#
+# Playing with these settings could break things, so change them
+# at your own risk.
+
+#net.ipv4.conf.all.forwarding=0
+#net.ipv4.conf.default.forwarding=0
+#net.ipv4.tcp_tw_recycle=0
+#net.ipv4.tcp_tw_reuse=0
+#net.ipv4.tcp_mtu_probing=1
+#net.ipv4.ip_local_port_range=20000 65535
+#net.ipv4.tcp_window_scaling=1
+#net.ipv4.tcp_sack=1
+#net.ipv4.conf.all.accept_source_route=0
+#net.ipv4.conf.all.secure_redirects=1
+
+#net.ipv6.conf.all.forwarding=0
+#net.ipv6.conf.default.forwarding=0
+
+
+#net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
+#net.netfilter.nf_conntrack_timestamp=1
+
+#net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
+#net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
+#net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent2 = 120
+#net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
+#net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
+#net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
+#net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
+#net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
+#net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 30
+#net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
+#net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
+#net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
+#net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
+#net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
+#net.ipv4.netfilter.ip_conntrack_sctp_timeout_closed = 10
+#net.ipv4.netfilter.ip_conntrack_sctp_timeout_cookie_wait = 3
+#net.ipv4.netfilter.ip_conntrack_sctp_timeout_cookie_echoed = 3
+#net.ipv4.netfilter.ip_conntrack_sctp_timeout_established = 432000
+#net.ipv4.netfilter.ip_conntrack_sctp_timeout_shutdown_sent = 0
+#net.ipv4.netfilter.ip_conntrack_sctp_timeout_shutdown_recd = 0
+#net.ipv4.netfilter.ip_conntrack_sctp_timeout_shutdown_ack_sent = 3
\ No newline at end of file
diff --git a/lib/binaries.inc b/lib/binaries.inc
index ceac2b7..1ef6292 100644
--- a/lib/binaries.inc
+++ b/lib/binaries.inc
@@ -23,6 +23,8 @@ MODPROBE=`which modprobe`
 IPTABLES=`which iptables`
 IP6TABLES=`which ip6tables`
 GREP=`which grep`
+SYSCTL=`which sysctl`
 IP4TablesMod="ip_tables"
-IP6TablesMod="ip6_tables"
\ No newline at end of file
+IP6TablesMod="ip6_tables"
+SysCTL=`which sysctl`
\ No newline at end of file
diff --git a/lib/kernel.inc b/lib/kernel.inc
index 78a89da..7b61ee7 100644
--- a/lib/kernel.inc
+++ b/lib/kernel.inc
@@ -27,4 +27,12 @@ function load_kernel_modules {
 ${MODPROBE} ${i}
 done
 ${debug} ${DebugColor} "\n${FUNCNAME}:${DEFAULT_COLOR} done."
+}
+
+function sysctl_tweaks {
+ ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
+ if [ -e "${FWCONFIGDIR}/tweaks.conf" ]; then
+ ${SYSCTL} -p "${FWCONFIGDIR}/tweaks.conf"
+ fi
+ ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
 }
\ No newline at end of file
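Review bot: The commented `net.ipv4.conf.all.forwarding=0` and `net.ipv6.conf.all.forwarding=0` entries will, once uncommented, silently undo what `enable_forwarding` has just set, because bin/srfirewall in this commit calls `sysctl_tweaks` after the forwarding/NAT steps; the header says the file overrides existing settings but not that this includes the firewall's own setup. A comment next to those keys, e.g. `# NOTE: forwarding is normally driven by the Enable*Forwarding options; a value here overrides it`, would make that visible. The file also mixes the legacy `net.ipv4.netfilter.ip_conntrack_*` names with the `net.netfilter.nf_conntrack_*` ones, and on kernels that only expose the latter every uncommented legacy key makes `sysctl -p` report an error. `net.ipv4.tcp_tw_recycle` is known to break clients behind NAT and is no longer present in recent kernels, so an inline warning on that line is warranted before anyone enables it.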
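Review bot: The last added line `SysCTL=\`which sysctl\`` duplicates `SYSCTL=\`which sysctl\`` added three lines above, and lib/kernel.inc in this same commit only uses `${SYSCTL}`; drop the `SysCTL=` line so there is one name for the binary. As with the neighbouring entries, the `which` result is never checked, so when sysctl is not installed `SYSCTL` is empty and the later `${SYSCTL} -p` call degrades into running `-p` as a command; the use site in kernel.inc is the natural place to guard against that.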
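Review bot: `sysctl_tweaks` runs `${SYSCTL} -p` on the tweaks file without checking that the command succeeded, without `-e`, and with only an `-e` existence test on the file rather than `-r`, so an unreadable file or a key the running kernel does not expose (etc/tweaks.conf ships commented legacy `net.ipv4.netfilter.ip_conntrack_*` names) produces errors that the script neither reports nor acts on. Since this executes as root on a file from the config directory, the call should also fail loudly if `SYSCTL` resolved to nothing. The `load_kernel_modules` function whose closing brace the hunk touches starts outside the hunk.
```shell
function sysctl_tweaks {
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
    local tweaks="${FWCONFIGDIR}/tweaks.conf"
    if [ -r "${tweaks}" ]; then
        # -e: skip keys the running kernel does not expose instead of erroring per line;
        # ${SYSCTL:?} aborts with a message if `which sysctl` found nothing
        "${SYSCTL:?sysctl binary not found}" -e -p "${tweaks}" \
            || echo "${FUNCNAME}: sysctl -p ${tweaks} failed" >&2
    fi
    ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
}
```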