in this case i altered through the /proc file system or by using sysctl coz many kernel parameters can be altered through the /proc file system or by using sysctl.

Deactivate IP forwarding

#echo "0" > /proc/sys/net/ipv4/ip_forward

if you are not router Make sure that IP forwarding is turned off

Drop ping packets

#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

sometimes many attacker identify host up with ping the ip,you can drop ping packets in order that your machine can’t respon the ping.

root@bsd:~# ping 192.168.182.250
PING 192.168.182.250 (192.168.182.250) 56(84) bytes of data.

_

Ignore broadcast pings

#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts


This disables response to ICMP broadcasts and will prevent Smurf attacks. The Smurf attack works by sending an ICMP type 0 (ping) message to the broadcast address of a network. Typically the attacker will use a spoofed source address. All the computers on the network will respond to the ping message and thereby flood the host at the spoofed source address.

Disable source routed packets

#echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

Do not accept source routed packets. Attackers can use source routing to generate traffic pretending to originate from inside your network, but that is actually routed back along the path from which it came, so attackers can compromise your network. Source routing is rarely used for legitimate purposes, so it is safe to disable it.

Disable redirect acceptance

#echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

Do not accept ICMP redirect packets. ICMP redirects can be used to alter your routing tables, possibly to a malicious end.

Protect against bad error messages

#echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses


Enable protection against bogus error message responses.

Enable reverse path filtering

for i in /proc/sys/net/ipv4/conf/*; do
/bin/echo "1" > $i/rp_filter
done


Turn on reverse path filtering. This helps make sure that packets use legitimate source addresses by automatically rejecting incoming packets if the routing table entry for their source address does not match the network interface they are arriving on. This has security advantages because it prevents IP spoofing. We need to enable it for each net/ipv4/conf/* otherwise source validation isn’t fully functional.

Log all spoofed, source routed and redirect packets

#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians


Log spoofed packets, source routed packets and redirect packets.

/*done*/

but after reboot his configuration are reset,so you must edit /etc/sysctl.conf

ex:

(Manual using echo):
#echo "0" > /proc/sys/net/ipv4/ip_forward

(Automatic in sysctl.conf:)
net.ipv4.ip_forward = 0

Also, the update brings you a new GLIBC and also GCC (which actually moved from /testing directory after sitting there for some time). This means that future Slackware release base packages will be based on this toolchains.

Anyways, here’s the latest -Current Changelog:

Mon Jan 4 21:43:02 UTC 2010
New kernels… and this deserves a mention/warning: the last bits of the “old” IDE/ATA system have been removed now. Everything should be using the libata based drivers now, so if you have any drives that are currently running as /dev/hda, /dev/hdb, etc., when you reboot with these kernels all drives will be renamed as /dev/sda, /dev/sdb, etc. If you had any /dev/sd* already, they might get renamed. Adjustments may be required in /etc/lilo.conf, /etc/fstab, the initrd, and elsewhere. Good luck!

a/glibc-solibs-2.11.1-i486-1.txz: Upgraded.

a/glibc-zoneinfo-2.11.1-noarch-1.txz: Upgraded.

a/kernel-firmware-2.6.32.2-noarch-1.txz: Upgraded.

a/kernel-generic-2.6.32.2-i486-1.txz: Upgraded.

a/kernel-generic-smp-2.6.32.2_smp-i686-1.txz: Upgraded.

a/kernel-huge-2.6.32.2-i486-1.txz: Upgraded.

a/kernel-huge-smp-2.6.32.2_smp-i686-1.txz: Upgraded.

a/kernel-modules-2.6.32.2-i486-1.txz: Upgraded.

a/kernel-modules-smp-2.6.32.2_smp-i686-1.txz: Upgraded.

d/gcc-4.4.2-i486-1.txz: Moved from /testing.

d/gcc-g++-4.4.2-i486-1.txz: Moved from /testing.

d/gcc-gfortran-4.4.2-i486-1.txz: Moved from /testing.

d/gcc-gnat-4.4.2-i486-1.txz: Moved from /testing.

d/gcc-java-4.4.2-i486-1.txz: Moved from /testing.

d/gcc-objc-4.4.2-i486-1.txz: Moved from /testing.

d/kernel-headers-2.6.32.2_smp-x86-1.txz: Upgraded.

k/kernel-source-2.6.32.2_smp-noarch-1.txz: Upgraded.

l/glibc-2.11.1-i486-1.txz: Upgraded.

l/glibc-i18n-2.11.1-i486-1.txz: Upgraded.

l/glibc-profile-2.11.1-i486-1.txz: Upgraded.

n/wireless-tools-29-i486-6.txz: Rebuilt.
In rc.wireless, look for /sys/class/net/$dev/wireless rather than at the contents of /proc/net/wireless to determine if an interface is wireless.
In recent kernels, interfaces that are not active will not appear in /proc/net/wireless. Thanks to Marin Glibic and Piter Punk.

extra/linux-2.6.32.2-nosmp-sdk/: Upgraded.

isolinux/initrd.img: Rebuilt.

kernels/*: Upgraded.

usb-and-pxe-installers/usbboot.img: Rebuilt.