| diff --git a/src/etc/sysctl.d/60-gce-network-security.conf b/src/etc/sysctl.d/60-gce-network-security.conf |
| index b40085b..d89d87d 100644 |
| --- a/src/etc/sysctl.d/60-gce-network-security.conf |
| +++ b/src/etc/sysctl.d/60-gce-network-security.conf |
| @@ -14,45 +14,6 @@ |
| # |
| # Google-recommended kernel parameters |
| |
| -# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss |
| -# of TCP functionality/features under normal conditions. When flood |
| -# protections kick in under high unanswered-SYN load, the system |
| -# should remain more stable, with a trade off of some loss of TCP |
| -# functionality/features (e.g. TCP Window scaling). |
| -net.ipv4.tcp_syncookies=1 |
| - |
| -# Ignore source-routed packets |
| -net.ipv4.conf.all.accept_source_route=0 |
| -net.ipv4.conf.default.accept_source_route=0 |
| - |
| -# Ignore ICMP redirects from non-GW hosts |
| -net.ipv4.conf.all.accept_redirects=0 |
| -net.ipv4.conf.default.accept_redirects=0 |
| -net.ipv4.conf.all.secure_redirects=1 |
| -net.ipv4.conf.default.secure_redirects=1 |
| - |
| -# Don't pass traffic between networks or act as a router |
| -net.ipv4.ip_forward=0 |
| -net.ipv4.conf.all.send_redirects=0 |
| -net.ipv4.conf.default.send_redirects=0 |
| - |
| -# Turn on Source Address Verification in all interfaces to |
| -# prevent some spoofing attacks. |
| -net.ipv4.conf.all.rp_filter=1 |
| -net.ipv4.conf.default.rp_filter=1 |
| - |
| -# Ignore ICMP broadcasts to avoid participating in Smurf attacks |
| -net.ipv4.icmp_echo_ignore_broadcasts=1 |
| - |
| -# Ignore bad ICMP errors |
| -net.ipv4.icmp_ignore_bogus_error_responses=1 |
| - |
| # Log spoofed, source-routed, and redirect packets |
| net.ipv4.conf.all.log_martians=1 |
| net.ipv4.conf.default.log_martians=1 |
| - |
| -# Addresses of mmap base, heap, stack and VDSO page are randomized |
| -kernel.randomize_va_space=2 |
| - |
| -# Reboot the machine soon after a kernel panic. |
| -kernel.panic=10 |