After outlining my idea in the first part, I will now move on to my favourite topic: adjusting the system a tad more to match our interests.
My sysctl Config step by step
I believe IPv6 is not that important for our connection to the Tor network, since everything we need still works over IPv4. So I disable it with the following parameters: `default` covers interfaces that are created later, `all` covers the ones that already exist, and the last line keeps it active on the loopback interface for the few local services that want it. Keep the order as shown, because `all` is also applied to lo when it is set, and the lo line has to come after it to re-enable it there. Bear in mind that this only makes sense as long as the relay does not advertise an IPv6 ORPort; if you ever want that, this block has to go.
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0
Since we are after a little more protection, it does not hurt to harden the filesystem a little too. Both settings (available since Linux 4.19) forbid opening FIFOs and regular files with O_CREAT in world-writable sticky directories such as /tmp when the file is owned by neither the caller nor the directory owner; the value 2 extends this to group-writable sticky directories. This defuses a common class of races in which an attacker pre-creates a file or FIFO where a privileged process expects to create its own.
fs.protected_fifos = 2
fs.protected_regular = 2
… and to shut the door on attacks via kexec, which would let an attacker who already has root replace the running kernel with one of their own …
kernel.kexec_load_disabled = 1
One caveat: this is a one-way switch. Once set, it blocks both kexec_load and kexec_file_load and cannot be cleared again until the next reboot, so a crash kernel for kdump has to be loaded before this line takes effect. Since we are already at kernel level, we hide its pointers and make the memory layout harder to guess. kptr_restrict=2 prints kernel pointers formatted with %pK as zeros for every user, root included, so /proc/kallsyms and similar files no longer hand out addresses. The two vm settings raise the number of random bits in the mmap base address for 64-bit and for 32-bit (compat) processes to the maximum x86_64 allows (28 to 32 and 8 to 16 bits respectively); other architectures have different limits, and the kernel rejects a value outside its range with EINVAL, so check `sysctl vm.mmap_rnd_bits` afterwards.
kernel.kptr_restrict = 2
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
If I recall correctly, this is all about privacy, so we might as well switch off TCP timestamps to thin out what we broadcast: the timestamp option carries a counter from which a remote peer can estimate how long the machine has been up. Two caveats, though. Since Linux 4.10 the kernel already randomises the timestamp offset per connection, which blunts that fingerprint, and the option is what TCP uses for PAWS and better RTT measurement, both of which matter on the high-bandwidth links a busy relay sits on.
net.ipv4.tcp_timestamps = 0
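Setting the values is only half the job; the other half is noticing when they are not in effect (a typo in the file, a key the running kernel does not know, a value outside the architecture's range, or a reboot that lost a one-off `sysctl -w`). The script below is an added example of mine, not code from the original post: it writes the fragment above to a file, compares every key with the live value under /proc/sys and reports drift. The names SYSCTL_ROOT, HARDENING_CONF, key_to_path, check_key, check_conf and apply_conf are my own; SYSCTL_ROOT can be pointed at a scratch directory to exercise the logic without touching a real kernel.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the live kernel against
# the sysctl hardening fragment and optionally apply it with sysctl(8).
# All names below (SYSCTL_ROOT, HARDENING_CONF, key_to_path, check_key,
# check_conf, apply_conf) are assumptions of this example.

# Root of the sysctl tree; override with a scratch directory for dry runs.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# The fragment from the post, unless the caller supplies their own file.
if [ -z "${HARDENING_CONF:-}" ]; then
    HARDENING_CONF=$(mktemp)
    cat > "$HARDENING_CONF" <<'EOF'
# IPv6 off on real interfaces, kept on lo (order matters: all before lo)
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0
fs.protected_fifos = 2
fs.protected_regular = 2
kernel.kexec_load_disabled = 1
kernel.kptr_restrict = 2
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
net.ipv4.tcp_timestamps = 0
EOF
fi

# key_to_path KEY: "net.ipv6.conf.all.disable_ipv6" -> "$SYSCTL_ROOT/net/ipv6/conf/all/disable_ipv6"
key_to_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# check_key KEY EXPECTED: 0 if the live value matches, 1 if it drifts,
# 2 if the kernel does not expose the key at all.
check_key() {
    key=$1
    expected=$2
    path=$(key_to_path "$key")
    if [ ! -r "$path" ]; then
        printf 'MISSING %s (%s)\n' "$key" "$path" >&2
        return 2
    fi
    # collapse multi-value entries ("4096 87380 ...") onto one line
    actual=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
    if [ "$actual" = "$expected" ]; then
        printf 'OK      %s = %s\n' "$key" "$actual"
        return 0
    fi
    printf 'DRIFT   %s: want %s, have %s\n' "$key" "$expected" "$actual" >&2
    return 1
}

# check_conf FILE: 0 if every key in FILE matches, otherwise the number of
# keys that drifted or are missing. Accepts "key=value" and "key = value",
# ignores blank lines and "#" comments.
check_conf() {
    failures=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        check_key "$key" "$value" || failures=$((failures + 1))
    done < "$1"
    return "$failures"
}

# apply_conf FILE: load the fragment into the running kernel; needs root.
apply_conf() {
    sysctl -p "$1"
}

# Stand-alone use: sh harden-check.sh [--apply]
if [ "${1:-}" = "--apply" ]; then
    apply_conf "$HARDENING_CONF"
fi
rc=0
check_conf "$HARDENING_CONF" || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "all hardening keys match the running kernel"
else
    echo "$rc key(s) differ from $HARDENING_CONF" >&2
fi
```

Run it once after `sysctl -p` and again after a reboot; a key that reports MISSING means the running kernel lacks that tunable, and a DRIFT on vm.mmap_rnd_bits right after applying usually means the requested value is outside the range the architecture supports.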