# example entries for /etc/sysctl.conf
# forwarding is needed for subnet or l2tp connections
net.ipv4.ip_forward = 1

# rp_filter protects against packets "appearing out of nowhere". It is not
# always clear to the kernel that a packet appeared as a result of decryption.
# One such case is packets being received, decrypted and sent onwards on the
# same single interface. (these can also cause # bad redirects, see below
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0

# when using 1 interface for two networks when using XFRM, the kernel
# kernel thinks it can be clever by sending a redirect (because it cannot
# tell an encrypted packet came in, but a decrypted packet came out),
# so it sends a bogus ICMP redirect
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.all.log_martians = 0

# these are non-ipsec specific security policies you should use
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# In some situations, you will see errors like:
# [ 8648.409997] __ratelimit: 168 messages suppressed
# [ 8648.410009] Neighbour table overflow.
# Especially when on large cable networks, though we've also
# seen it when using combinations of xen/bridging/VM's.
# If you do, and you are SURE there are no routing loops,
# you can try these below:
#
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096

# for enabling core dumps, see
# http://fcp.surfsite.org/modules/smartfaq/faq.php?faqid=2746