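#!/bin/sh
#
# Random IP tuning for Solaris - tested up to Solaris 10 01/06
# To be placed in /etc/init.d/networking, nddconfig or similar
#
# Last updated 28/03/06
#
# Paul Day, paul ( at ) bur.st
#
# Every setting below is applied with ndd(1M) at boot. ndd parameters are
# not persistent, so this script must run on every start-up. Time values
# are in milliseconds.
#

# ndd_set DRIVER PARAM VALUE
# Apply one ndd parameter. A failure (e.g. a parameter that does not exist
# on this release) is reported on stderr but does not abort the script, so
# the remaining hardening settings are still applied.
ndd_set() {
    /usr/sbin/ndd -set "$1" "$2" "$3" || \
        echo "$0: failed to set $2=$3 on $1" 1>&2
}

## Ether

# ARP cleanup - expire unused ARP entries after 60 s
ndd_set /dev/arp arp_cleanup_interval 60000

## IP

# Disable redirects - neither act on nor emit ICMP redirects
ndd_set /dev/ip ip_ignore_redirect 1
ndd_set /dev/ip ip_send_redirects 0

# Disable source routing - drop packets carrying source-route options
ndd_set /dev/ip ip_forward_src_routed 0

# Modify the IP TTL to help confuse OS finger-printing tools
# (cosmetic only; this is not a security control)
ndd_set /dev/ip ip_def_ttl 250

# Ensure machine is not routing between its multi-homed interfaces.
# Strict destination multihoming must be 1 for this intent: a packet is
# then only accepted on the interface that owns its destination address.
# (0 is the permissive default and left the comment above unmet.)
ndd_set /dev/ip ip_strict_dst_multihoming 1

## ICMP

# Don't respond to ICMP timestamp requests (unicast or broadcast)
ndd_set /dev/ip ip_respond_to_timestamp 0
ndd_set /dev/ip ip_respond_to_timestamp_broadcast 0

# ECHO - do not respond to or forward directed broadcasts
ndd_set /dev/ip ip_respond_to_echo_broadcast 0
ndd_set /dev/ip ip_respond_to_echo_multicast 0
ndd_set /dev/ip ip_forward_directed_broadcasts 0

# Prevent address mask queries
ndd_set /dev/ip ip_respond_to_address_mask_broadcast 0

## TCP

# Increase TCP send and receive spaces (bytes)
ndd_set /dev/tcp tcp_xmit_hiwat 32768
ndd_set /dev/tcp tcp_recv_hiwat 32768

# Socket queue defense against SYN attacks:
# max_q  = completed connections waiting for accept()
# max_q0 = half-open connections (SYN received, handshake incomplete)
ndd_set /dev/tcp tcp_conn_req_max_q 1024
ndd_set /dev/tcp tcp_conn_req_max_q0 4096

# Don't linger in TIME_WAIT - 60 s
# (the original script set this twice; one assignment is sufficient)
ndd_set /dev/tcp tcp_time_wait_interval 60000

# Turn on strong TCP sequencing (2 = RFC 1948 style unpredictable ISS)
ndd_set /dev/tcp tcp_strong_iss 2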