ItsTheNetwork

TCP Nonlocal Bind Linux Kernel Setting

tcp nonlocal bind This setting allows binding (by applications etc.) to IP addresses that are not assigned to a network interface on the host (thus nonlocal). This may be required when using VRRP with Keepalived in conjunction with HA Proxy for instance. If it is not enabled, HA Proxy cannot bind to a VRRP addresses unless the local host is the VRRP master for it. You can check the current setting like so:

SYN ACK Retry Linux Kernel Setting

SYN/ACK Retries The number of times a SYN/ACK response to a SYN is retried. Passive, inbound. A lower value means less memory usage and lower impact of SYN flood attacks but on lossy networks a 5+ value is probably worthwhile. Also see the SYN Cookies section. You can check the current setting like so: $ sysctl net.ipv4.tcp_synack_retries net.ipv4.tcp_synack_retries = 5 The interval between each resend is doubled every time, starting from 3s.

IGMP Linux Kernel Settings

You can check the current settings like so: $ sysctl net.ipv4.igmp_max_memberships net.ipv4.igmp_max_memberships = 20 $ sysctl net.ipv4.igmp_max_msf net.ipv4.igmp_max_msf = 10 net.ipv4.igmp_max_memberships specifies the maximum number of multicast groups the host can subscribe to. net.ipv4.igmp_max_msf specifies the maximum number of multicast source filters the host will support. Dynamic Configuration To change the running configuration, use this command with your desired value: $ sysctl -w net.ipv4.igmp_max_memberships=NN $ sysctl -w net.ipv4.igmp_max_msf=NN You can confirm like so:

Linux Capabilities Required By Containerised Contemporary Network Applications

To minimise the privileges you assign to a Linux container, to increase security and minimise risk, Linux capabilities should be used instead of granting full root privileges. These provide the least privilege necessary. Here’s the capabilities required by contemporary network applications. HAProxy : None Pacemaker & Corosync : NET_ADMIN and NET_BROADCAST Keepalived : NET_ADMIN and NET_BROADCAST Mounting NFS : SYS_ADMIN Mounting SMB : CAP_SYS_ADMIN and CAP_DAC_READ_SEARCH Note: You should omit any leading CAP_ when specifiying capabilities in a Docker Compose file or with the docker run command.

What a Good Curl TLS Connection Looks Like

$ curl -vv https://itsthe.network/ * Trying 51.255.44.46... * Trying fe80::f816:3eff:febc:5e15... * Immediate connect fail for fe80::f816:3eff:febc:5e15: Invalid argument * Connected to itsthe.network (51.255.44.46) port 443 (#0) * found 173 certificates in /etc/ssl/certs/ca-certificates.crt * found 697 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384 * server certificate verification OK * server certificate status verification SKIPPED * common name: itsthe.network (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: RSA * certificate version: #3 * subject: CN=itsthe.