TCP Nonlocal Bind Linux Kernel Setting

November 26, 2015

tcp nonlocal bind This setting allows binding (by applications etc.) to IP addresses that are not assigned to a network interface on the host (thus nonlocal). This may be required when using VRRP with Keepalived in conjunction with HA Proxy for instance. If it is not enabled, HA Proxy cannot bind to a VRRP addresses unless the local host is the VRRP master for it. You can check the current setting like so: ... Read more

SYN ACK Retry Linux Kernel Setting

November 26, 2015

SYN/ACK Retries The number of times a SYN/ACK response to a SYN is retried. Passive, inbound. A lower value means less memory usage and lower impact of SYN flood attacks but on lossy networks a 5+ value is probably worthwhile. Also see the SYN Cookies section. You can check the current setting like so: $ sysctl net.ipv4.tcp_synack_retries net.ipv4.tcp_synack_retries = 5 The interval between each resend is doubled every time, starting from 3s. ... Read more

IGMP Linux Kernel Settings

November 26, 2015

You can check the current settings like so: $ sysctl net.ipv4.igmp_max_memberships net.ipv4.igmp_max_memberships = 20 $ sysctl net.ipv4.igmp_max_msf net.ipv4.igmp_max_msf = 10 net.ipv4.igmp_max_memberships specifies the maximum number of multicast groups the host can subscribe to. net.ipv4.igmp_max_msf specifies the maximum number of multicast source filters the host will support. Dynamic Configuration To change the running configuration, use this command with your desired value: $ sysctl -w net.ipv4.igmp_max_memberships=NN $ sysctl -w net.ipv4.igmp_max_msf=NN You can confirm like so: ... Read more


November 26, 2015

Powered by Hugo and Hyde-X


November 25, 2015

Who Writes This Stuff? Just some friendly guy. Why No Comments? I’m proud to say this site is advertising-ID and web-tracker free; helping you maintain your privacy and anonymity whether you like it or not. Using a popular comments system like Disqus would make that impossible. What Are You Running? This site is powered by Hugo and is using the Blackburn theme.

Linux Capabilities Required By Containerised Contemporary Network Applications

November 21, 2015

To minimise the privileges you assign to a Linux container, to increase security and minimise risk, Linux capabilities should be used instead of granting full root privileges. These provide the least privilege necessary. Here’s the capabilities required by contemporary network applications. HAProxy : None Pacemaker & Corosync : NET_ADMIN and NET_BROADCAST Keepalived : NET_ADMIN and NET_BROADCAST Mounting NFS : SYS_ADMIN Mounting SMB : CAP_SYS_ADMIN and CAP_DAC_READ_SEARCH Note: You should omit any leading CAP_ when specifiying capabilities in a Docker Compose file or with the docker run command. ... Read more

What a Good Curl TLS Connection Looks Like

January 1, 0001

$ curl -vv * Trying * Trying fe80::f816:3eff:febc:5e15... * Immediate connect fail for fe80::f816:3eff:febc:5e15: Invalid argument * Connected to ( port 443 (#0) * found 173 certificates in /etc/ssl/certs/ca-certificates.crt * found 697 certificates in /etc/ssl/certs * ALPN, offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384 * server certificate verification OK * server certificate status verification SKIPPED * common name: (matched) * server certificate expiration date OK * server certificate activation date OK * certificate public key: RSA * certificate version: #3 * subject: CN=itsthe. ... Read more

© 2015 - 2016 Some Guy. All rights reserved.