The /proc/sys Sub-Directory

The role of this subdirectory is to report different kernel parameters, and to allow you to interactively change some of them. As opposed to all other files in /proc, some files in this directory can be written to, but only by root.

A complete list of the directories and files would take too long to describe, mostly because the contents of the directories are system-dependent and most of the files are only useful for very specialized applications. However, here are three common uses of this subdirectory:

  1. Allow routing: Even though the default kernel from Mandrake Linux is able to route, you must explicitly enable it to do so. To do this, type the following command as root:

    $ echo 1 >/proc/sys/net/ipv4/ip_forward

    Replace the 1 by a 0 if you want to forbid routing.

  2. Prevent IP spoofing: IP spoofing consists in forging the source address of a packet so that a packet arriving from the outside world appears to come from a network that is not reachable through the interface by which it arrives. This technique is very commonly used by crackers [26], but you can make the kernel drop such packets (reverse path filtering). Type:

    $ echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter

    and this kind of attack becomes impossible.

  3. Increase the size of the table of open files and the inode table: The size of the table of open files and the inode table is dynamic under GNU/Linux. The default values are usually sufficient for normal use, but they may be too conservative if your machine is a large server (a database server, for example). You will know that you need to increase the size of the table if you get messages saying that processes cannot open any more files because the table is full. If you increase the size of the open file table, don't forget that the size of the inode table has to be increased as well. These two lines will solve the problem:

    $ echo 8192 >/proc/sys/fs/file-max
    $ echo 16384 >/proc/sys/fs/inode-max

These changes only remain in effect while the system is running. If the system is rebooted, the values go back to their defaults. To set the values to something other than the default at boot time, you can take the commands that you typed at the shell prompt and add them to /etc/rc.d/rc.local so that you avoid retyping them after each reboot. Another solution is to put the settings in /etc/sysctl.conf; see sysctl.conf(5).
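The commands above write to /proc/sys blindly and give no feedback when the write does not take (for instance when the shell doing the redirection is not root). As an added example, not part of the Mandrake documentation, the following POSIX sh functions wrap the same writes with a writability check and a read-back, and accept the dotted names that /etc/sysctl.conf uses. The function names proc_sys_get, proc_sys_set, apply_settings and the PROC_SYS_ROOT override are this example's own assumptions; the parameters net.ipv4.ip_forward, net.ipv4.conf.all.rp_filter and fs.file-max are the ones from the text.

```shell
#!/bin/sh
# Added example, not from the Mandrake documentation: read and set /proc/sys
# parameters with a read-back check instead of a blind "echo 1 >file".
# PROC_SYS_ROOT is a hypothetical override (default /proc/sys) so the same
# functions can be exercised against a scratch directory without root.
PROC_SYS_ROOT="${PROC_SYS_ROOT:-/proc/sys}"

# Translate a dotted sysctl.conf-style name (net.ipv4.ip_forward) into the
# matching /proc/sys path (/proc/sys/net/ipv4/ip_forward).
proc_sys_path() {
    printf '%s/%s\n' "$PROC_SYS_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Print the current value of a parameter; fail if the kernel does not expose it.
proc_sys_get() {
    path=$(proc_sys_path "$1")
    if [ ! -r "$path" ]; then
        echo "proc_sys_get: no such parameter: $1" >&2
        return 1
    fi
    cat "$path"
}

# Write a value, then read it back. Fails when the file is not writable
# (you are not root) or when the kernel did not accept the new value.
proc_sys_set() {
    path=$(proc_sys_path "$1")
    if [ ! -w "$path" ]; then
        echo "proc_sys_set: $path is not writable (are you root?)" >&2
        return 1
    fi
    printf '%s\n' "$2" > "$path" || return 1
    now=$(cat "$path")
    if [ "$now" != "$2" ]; then
        echo "proc_sys_set: $1 reads $now after writing $2" >&2
        return 1
    fi
    echo "$1 = $now"
}

# Apply several "name value" pairs in order and stop at the first failure,
# e.g. apply_settings net.ipv4.ip_forward 1 net.ipv4.conf.all.rp_filter 1
apply_settings() {
    while [ $# -ge 2 ]; do
        proc_sys_set "$1" "$2" || return 1
        shift 2
    done
}

# Show the parameters discussed in the text, for checking before and after.
show_routing_settings() {
    for name in net.ipv4.ip_forward net.ipv4.conf.all.rp_filter fs.file-max; do
        printf '%s = %s\n' "$name" "$(proc_sys_get "$name" 2>/dev/null || echo '<absent>')"
    done
}
```

Source the file and run, as root, `apply_settings net.ipv4.ip_forward 1 net.ipv4.conf.all.rp_filter 1`; the writability check catches the common mistake of running `sudo echo 1 >/proc/sys/...`, where the redirection is performed by the unprivileged shell, and the read-back catches values the kernel rejects. The same dotted names, written as `net.ipv4.ip_forward = 1`, are what /etc/sysctl.conf expects for making the settings persistent.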



[26] And not hackers!