UNIX System Administration Handbook - Evi Nemeth [196]

script fragments. For example, to configure interface eth0 automatically with DHCP, you should edit the file /etc/sysconfig/network-scripts/ifcfg-eth0. Instead of setting the interface’s IP address, netmask, and other parameters, you would include the line

BOOTPROTO=dhcp

If you need to manually start pump to manage eth0, run the command

# pump -i eth0

To stop pump’s management of eth0, use

# pump -r -i eth0

dhcpcd, the supplied alternative to pump, is essentially vestigial. Its use is deprecated, but Red Hat was perhaps afraid to break existing installations by removing it. dhcpcd is configured through files in the directory /etc/dhcpc.

Dynamic reconfiguration and tuning for Red Hat

Linux has its own special way of tuning kernel and networking parameters. Instead of providing a command that reads and sets the parameters, Linux puts a representation of each variable that can be tuned into the /proc filesystem. The important networking variables are in /proc/sys/net/ipv4; here is an abridged listing:

% cd /proc/sys/net/ipv4; ls -F
conf/                              icmp_destunreach_rate              icmp_echo_ignore_all
icmp_echo_ignore_broadcasts        icmp_echoreply_rate                icmp_ignore_bogus_error_responses
icmp_paramprob_rate                icmp_timeexceed_rate               igmp_max_memberships
ip_always_defrag                   ip_autoconfig                      ip_default_ttl
ip_dynaddr                         ip_forward                         ip_local_port_range
ip_masq_debug                      ip_no_pmtu_disc                    ipfrag_high_thresh
ipfrag_low_thresh                  ipfrag_time                        neigh/
route/                             tcp_fin_timeout                    tcp_keepalive_probes
tcp_keepalive_time                 tcp_max_ka_probes                  tcp_max_syn_backlog
tcp_retrans_collapse               tcp_retries1                       tcp_retries2
tcp_rfc1337                        tcp_sack                           tcp_stdurg
tcp_syn_retries                    tcp_syncookies                     tcp_timestamps
tcp_window_scaling

Many of the variables with rate and max in their names are used to thwart denial of service attacks. The conf subdirectory contains variables that are set on a per-interface basis. It contains subdirectories all and default and a subdirectory for each interface (including the loopback). Each subdirectory contains the same set of files.

% ls -F
accept_redirects     accept_source_route  bootp_relay
forwarding           log_martians         mc_forwarding
proxy_arp            rp_filter            secure_redirects
send_redirects       shared_media

If you change something in the all subdirectory, your change applies to all interfaces. If you change the same variable in, say, the eth0 subdirectory, only that interface will be affected. The default subdirectory contains the default values as shipped.

To see the value of a variable, use cat; to set it, use echo redirected to the proper filename. For example, the command

% cat icmp_echo_ignore_broadcasts
0

shows that this variable is currently set to 0, meaning that broadcast pings are not ignored. To set it to 1 (and thereby avoid falling prey to smurf-type denial of service attacks), run

% sudo csh -c "echo 1 > icmp_echo_ignore_broadcasts"

You’ll typically be logged in over the same network you are tweaking as you adjust these variables, so be careful! You can mess things up badly enough to require a reboot from the console to recover, which might be inconvenient if the system happens to be in Point Barrow, Alaska, and it’s January. Test-tune these variables on your desktop system before you even think of attacking a production machine.

The document /usr/src/linux/Documentation/proc.txt, written by the SuSE Linux folks, is a nice primer on kernel tuning with /proc. It tells you what the variables really mean and sometimes provides suggested values.

Security, firewalls, filters, and NAT for Red Hat

Table 13.21 shows Red Hat’s default behavior with regard to various touchy network issues. For a brief description of the implications of these behaviors, see page 295.

Table 13.21 Security-related network behaviors in Linux

a. The interface can be either a specific interface name or all.

To change any of these parameters permanently (or more accurately, to reset them every time the system boots), add the appropriate echo commands to a script that is run during the boot sequence.
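As an added example (not the book's own code, and not anything shipped by Red Hat), the POSIX shell script below ties the two procedures above together: it reads each security-related variable from /proc/sys/net/ipv4 the way the text describes (cat), compares it with a hardened baseline, applies the baseline with echo redirected to the file, and prints the echo lines you would drop into a boot script so the settings are reset at every boot. The baseline values (broadcast pings ignored, SYN cookies on, forwarding off, redirects and source routing rejected, rp_filter and log_martians on) are this example's assumptions, not the contents of Table 13.21; the optional base-directory argument is also an addition so the script can be tried against a copied tree without root before touching a live machine.

```shell
#!/bin/sh
# Added example: audit /proc/sys/net/ipv4 against a hardened baseline, apply it,
# and emit the echo commands for a boot script. BASE defaults to the live /proc
# tree; pass another directory (a constructed copy) to exercise it without root.

# Baseline. The names are from the book's listings; the "hardened" values are
# this example's assumptions, not the book's Table 13.21.
BASELINE="icmp_echo_ignore_broadcasts 1
tcp_syncookies 1
ip_forward 0
conf/all/accept_source_route 0
conf/all/accept_redirects 0
conf/all/send_redirects 0
conf/all/rp_filter 1
conf/all/log_martians 1"

# current_value BASE NAME: print the variable's value, or "missing" if absent
current_value() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo missing
    fi
}

# audit_ipv4 [BASE]: one line per variable (OK|DRIFT|MISSING name value), then a
# "drift=N" summary; the exit status is the number of variables not at baseline.
audit_ipv4() {
    base=${1:-/proc/sys/net/ipv4}
    drift=0
    while read -r name want; do
        have=$(current_value "$base" "$name")
        if [ "$have" = "$want" ]; then
            printf 'OK      %-30s %s\n' "$name" "$have"
        elif [ "$have" = missing ]; then
            printf 'MISSING %-30s - (want %s)\n' "$name" "$want"
            drift=$((drift + 1))
        else
            printf 'DRIFT   %-30s %s (want %s)\n' "$name" "$have" "$want"
            drift=$((drift + 1))
        fi
    done <<EOF
$BASELINE
EOF
    echo "drift=$drift"
    return "$drift"
}

# apply_ipv4 [BASE]: write the baseline the way the book does (echo > file).
# Needs root against the real /proc tree; variables this kernel lacks are skipped.
apply_ipv4() {
    base=${1:-/proc/sys/net/ipv4}
    while read -r name want; do
        if [ -e "$base/$name" ]; then
            echo "$want" > "$base/$name"
        fi
    done <<EOF
$BASELINE
EOF
}

# boot_script: print the echo commands to paste into a script run during the
# boot sequence, so the settings are re-applied after every reboot.
boot_script() {
    echo '#!/bin/sh'
    echo "$BASELINE" | while read -r name want; do
        echo "echo $want > /proc/sys/net/ipv4/$name"
    done
}

# Usage: "sh harden-ipv4.sh --audit" checks the running kernel and exits with
# the number of variables that drift from the baseline.
if [ "${1:-}" = "--audit" ]; then
    audit_ipv4
fi
```

Run the audit from your desktop first, as the text advises; the non-zero exit status makes it easy to wire into a cron job or a configuration check so that a variable quietly reverting (after a reboot on a machine whose boot script was never updated, for instance) is noticed rather than discovered during the next smurf attack.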

Red Hat comes with some pretty reasonable
