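# This file is derived from recommendations made by the Center for Internet
# Security (CIS) Debian Linux 12 benchmark, v1.1.0.
#
# Format: sysctl.conf(5), one "key = value" per line, full-line "#" comments.
# Load with `sysctl --system` and check the effective values afterwards: a
# file read later, or software that writes sysctls at runtime, can override
# what is set here.
#
# conf.default.* is the template for interfaces created after it is applied.
# How conf.all.* combines with per-interface values differs per setting, so
# check the per-interface values on a running system as well.

# 3.3 Configure Network Kernel Parameters

# 3.3.1 Ensure ip forwarding is disabled
# Hosts that must route traffic (routers, VPN gateways, container hosts) need
# forwarding enabled and should document that exception.
net.ipv4.ip_forward = 0
# The IPv6 key is "forwarding"; "net.ipv6.conf.all.forward" does not exist,
# so that spelling would leave IPv6 forwarding unmanaged.
net.ipv6.conf.all.forwarding = 0

# 3.3.2 Ensure packet redirect sending is disabled
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# 3.3.3 Ensure bogus icmp responses are ignored
net.ipv4.icmp_ignore_bogus_error_responses = 1

# 3.3.4 Ensure broadcast icmp requests are ignored
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 3.3.5 Ensure icmp redirects are not accepted
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# 3.3.6 Ensure secure icmp redirects are not accepted
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# 3.3.7 Ensure reverse path filtering is enabled
# 1 = strict mode. Multihomed hosts with asymmetric routing can lose
# legitimate traffic under strict filtering; test before rollout.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# 3.3.8 Ensure source routed packets are not accepted
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# 3.3.9 Ensure suspicious packets are logged
# Martian packets are written to the kernel log; make sure that log is
# collected and rate-limited, as this can be noisy on busy segments.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# 3.3.10 Ensure tcp syn cookies is enabled
net.ipv4.tcp_syncookies = 1

# 3.3.11 Ensure ipv6 router advertisements are not accepted
# Hosts that rely on router advertisements for IPv6 addressing or their
# default route need static configuration once this is applied.
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0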