To achieve a higher level of system security, you can change several network options, using 0 to disable and 1 to enable. The following table lists the parameters you can set with the no command.
Parameter | Command | Purpose |
---|---|---|
bcastping | /usr/sbin/no -o bcastping=0 | Allows response to ICMP echo packets to the broadcast address. Disabling this prevents Smurf attacks. |
clean_partial_conns | /usr/sbin/no -o clean_partial_conns=1 | Specifies whether SYN (synchronize sequence number) attacks are being avoided. |
directed_broadcast | /usr/sbin/no -o directed_broadcast=0 | Specifies whether to allow a directed broadcast to a gateway. Setting to 0 helps prevent directed packets from reaching a remote network. |
icmpaddressmask | /usr/sbin/no -o icmpaddressmask=0 | Specifies whether the system responds to an ICMP address mask request. Disabling this prevents access through source routing attacks. |
ipforwarding | /usr/sbin/no -o ipforwarding=0 | Specifies whether the kernel should forward packets. Disabling this prevents redirected packets from reaching a remote network. |
ipignoreredirects | /usr/sbin/no -o ipignoreredirects=1 | Specifies whether to process redirects that are received. |
ipsendredirects | /usr/sbin/no -o ipsendredirects=0 | Specifies whether the kernel should send redirect signals. Disabling this prevents redirected packets from reaching a remote network. |
ip6srcrouteforward | /usr/sbin/no -o ip6srcrouteforward=0 | Specifies whether the system forwards source-routed IPv6 packets. Disabling this prevents access through source routing attacks. |
ipsrcrouteforward | /usr/sbin/no -o ipsrcrouteforward=0 | Specifies whether the system forwards source-routed packets. Disabling this prevents access through source routing attacks. |
ipsrcrouterecv | /usr/sbin/no -o ipsrcrouterecv=0 | Specifies whether the system accepts source-routed packets. Disabling this prevents access through source routing attacks. |
ipsrcroutesend | /usr/sbin/no -o ipsrcroutesend=0 | Specifies whether applications can send source-routed packets. Disabling this prevents access through source routing attacks. |
nonlocsrcroute | /usr/sbin/no -o nonlocsrcroute=0 | Tells the Internet Protocol whether strictly source-routed packets may be addressed to hosts outside the local network. Disabling this prevents access through source routing attacks. |
tcp_pmtu_discover | /usr/sbin/no -o tcp_pmtu_discover=0 | Enables or disables path MTU discovery for TCP applications. Disabling this prevents access through source routing attacks. |
udp_pmtu_discover | /usr/sbin/no -o udp_pmtu_discover=0 | Enables or disables path MTU discovery for UDP applications. Disabling this prevents access through source routing attacks. |
For more information about network-tunable options, see AIX 5L Version 5.2 Performance Management Guide.
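
To check a host against the values in the table, the following added example (not part of the original documentation) compares tunable settings with that baseline and reports each deviation. It assumes the input consists of `name = value` lines, as printed by `/usr/sbin/no -a`; the function name `audit_no` and the sample data are constructed for illustration.

```shell
# Audit `no` tunables against the hardened values recommended in the table.
# Assumption: input lines have the form "name = value" (output of `no -a`).
BASELINE="bcastping=0 clean_partial_conns=1 directed_broadcast=0 icmpaddressmask=0 \
ipforwarding=0 ipignoreredirects=1 ipsendredirects=0 ip6srcrouteforward=0 \
ipsrcrouteforward=0 ipsrcrouterecv=0 ipsrcroutesend=0 nonlocsrcroute=0 \
tcp_pmtu_discover=0 udp_pmtu_discover=0"

# audit_no (hypothetical helper): reads "name = value" lines on stdin and
# prints one line per deviation, in table order:
#   MISMATCH <name> <current> <expected>   or   MISSING <name> <expected>
audit_no() {
    awk -v baseline="$BASELINE" '
        BEGIN {
            n = split(baseline, rows, " ")
            for (i = 1; i <= n; i++) {
                split(rows[i], f, "=")
                order[i] = f[1]; want[f[1]] = f[2]
            }
        }
        # Record the current value of every tunable that is in the baseline.
        $2 == "=" && ($1 in want) { have[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (!(p in have))
                    printf "MISSING %s %s\n", p, want[p]
                else if (have[p] != want[p])
                    printf "MISMATCH %s %s %s\n", p, have[p], want[p]
            }
        }'
}

# Constructed sample input (not captured from a real system): bcastping and
# ipforwarding are enabled, and udp_pmtu_discover is absent from the listing.
SAMPLE='             bcastping = 1
   clean_partial_conns = 1
    directed_broadcast = 0
       icmpaddressmask = 0
          ipforwarding = 1
     ipignoreredirects = 1
       ipsendredirects = 0
    ip6srcrouteforward = 0
     ipsrcrouteforward = 0
        ipsrcrouterecv = 0
        ipsrcroutesend = 0
        nonlocsrcroute = 0
     tcp_pmtu_discover = 0'

printf '%s\n' "$SAMPLE" | audit_no
```

On a live system, pipe `/usr/sbin/no -a` into `audit_no` instead of the sample; an empty result means every listed tunable matches the table.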