The /proc/sys Sub-Directory

The role of this subdirectory is to report different kernel parameters, and to allow you to interactively change some of them. As opposed to all other files in /proc, some files in this directory can be written to, but only by root.

A full list of the directories and files would take too long to describe, mostly because the contents of the directories are system-dependent and most files are only useful for very specialized applications. However, here are two common uses of this subdirectory:

  1. Allow routing: Even if the default kernel from Mandrakelinux is able to route, you must explicitly allow it to do so. For this, you just have to type the following command as root:

    $ echo 1 >/proc/sys/net/ipv4/ip_forward

    Replace the 1 by a 0 if you want to forbid routing.

  2. Prevent IP spoofing: IP spoofing consists of making the system believe that a packet coming from the outside world comes from the interface by which it arrives. This technique is very commonly used by crackers [27]. You can make the kernel prevent this kind of intrusion. Type:

    $ echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter

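    and the kernel will block this kind of attack by dropping any packet whose source address is not reachable through the interface it arrived on.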

These changes only remain in effect while the system is running. If the system is rebooted, the values go back to their defaults. To set the values to something other than the default at boot time, you can take the commands that you typed at the shell prompt and add them to /etc/rc.d/rc.local so that you avoid typing them each time. Another solution is to modify /etc/sysctl.conf; see sysctl.conf(5).
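
A setting written with echo is live but not persisted, so it helps to check both places. The script below is an added example, not part of the original documentation: it compares the live value under /proc/sys with the last assignment in /etc/sysctl.conf. The function names, the PROC_SYS and SYSCTL_CONF variables and the "audit" argument are inventions of this example, and it assumes /etc/sysctl.conf is the only persistent source.

```shell
#!/bin/sh
# Added example: compare live /proc/sys values with what sysctl.conf applies at boot.
# PROC_SYS and SYSCTL_CONF are overridable names invented for this example.
PROC_SYS="${PROC_SYS:-/proc/sys}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# Print the value the config file assigns to dotted key $1 (last assignment wins).
conf_value() {
    [ -r "$SYSCTL_CONF" ] || return 0
    awk -v want="$1" '
        /^[ \t]*[#;]/ || !index($0, "=") { next }   # skip comments and non-assignments
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/\//, ".", key)    # accept net/ipv4/... too
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { if (found != "") print found }' "$SYSCTL_CONF"
}

# Print the live value of dotted key $1, or nothing if the file is missing.
runtime_value() {
    path="$PROC_SYS/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; fi
}

# check_key KEY WANT: 0 = live and persisted, 1 = live only (lost at reboot), 2 = not live.
check_key() {
    run=$(runtime_value "$1"); boot=$(conf_value "$1")
    if [ "$run" != "$2" ]; then
        echo "FAIL  $1 is '${run:-unreadable}', want $2"; return 2
    elif [ "$boot" != "$2" ]; then
        echo "DRIFT $1 = $2 now, sysctl.conf has '${boot:-no entry}'"; return 1
    fi
    echo "OK    $1 = $2 (live and persisted)"
}

# With the argument "audit", check the anti-spoofing setting from this page.
if [ "${1:-}" = "audit" ]; then
    check_key net.ipv4.conf.all.rp_filter 1
    exit $?
fi
```

A DRIFT result means the value was set by hand and will revert to the default at the next reboot.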



[27] But not hackers!