# the following stops low-level messages on console
kernel.printk = 4 4 1 7
# enable /proc/$pid/maps privacy so that memory layout (and therefore ASLR
# relocations) is not visible to other users. (Added in kernel 2.6.22,
# removed again in 2.6.27, so newer kernels reject this key.)
kernel.maps_protect = 1
# Increase inotify availability
fs.inotify.max_user_watches = 524288
# protect bottom 64k of memory from mmap to prevent NULL-dereference
# attacks against potential future kernel security vulnerabilities.
# (Added in kernel 2.6.23.)
vm.mmap_min_addr = 65536
###################################################################
# Functions previously found in netbase
#
# Comment the next two lines to disable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# Uncomment the next line to enable TCP/IP SYN cookies
# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167)
net.ipv4.tcp_syncookies = 1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1
# Uncomment the next line to enable packet forwarding for IPv6
# (the sysctl is net.ipv6.conf.all.forwarding; there is no net.ipv6.ip_forward key)
net.ipv6.conf.all.forwarding = 0
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts
net/ipv4/icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
net/ipv4/icmp_ignore_bogus_error_responses = 1
#
# Do not accept ICMP redirects (prevent MITM attacks)
net/ipv4/conf/all/accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default; only matters when accept_redirects = 1)
net/ipv4/conf/all/secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net/ipv4/conf/all/send_redirects = 0
# Do not accept IP source route packets (we are not a router)
net/ipv4/conf/all/accept_source_route = 0
# tcp/ip tweak - window size
net.core.wmem_max = 262144
net.core.rmem_max = 262144
net.core.wmem_default = 262144
net.core.rmem_default = 262144
#
# Log Martian Packets
net/ipv4/conf/all/log_martians = 1
# Always defragment packets (Linux 2.2 only; removed in 2.4 because
# connection tracking defragments automatically, so sysctl reports it as unknown)
net/ipv4/ip_always_defrag = 1
### tnt.aufbix.org tips
#default#vm/page-cluster = 3
vm.page-cluster = 6
#default#net.ipv4.ipfrag_time = 30
net.ipv4.ipfrag_time = 30
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
# Linux 2.6 defaults to only 32 MB of shared memory; raise shmmax to 64 MB
kernel.shmmax = 67108864
kernel.random.poolsize = 8192
# reboot 5 seconds after a kernel panic instead of hanging
kernel.panic = 5
TNT's default sysctl.conf
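A file like the one above is easy to get subtly wrong: the same key can be set twice (the last assignment wins when `sysctl -p` loads it), a value can contradict the comment next to it, and the `net/ipv4/...` and `net.ipv4....` spellings hide that two lines refer to the same knob. The following audit script is an added example, not part of the original page or of TNT's file. It parses sysctl.conf syntax, normalises both key spellings, reports duplicate and malformed lines, and compares the effective values against a baseline; the baseline values are an assumption taken from what the page's own comments describe as intended, and the sample input is constructed to resemble the page's file.

```python
"""Audit a sysctl.conf-style file against a hardening baseline.

Added example, not code from the page or from TNT. Parses "key = value"
lines (slash or dot key spelling, '#' or ';' comments), finds keys set
more than once, flags values that differ from the baseline and lists
baseline keys the file never sets.
"""
from typing import Dict, List, Tuple

# Baseline values (assumption: these are what the page's comments describe
# as the intended setting for each key; adjust for your own environment).
BASELINE: Dict[str, str] = {
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "vm.mmap_min_addr": "65536",
}


def normalise_key(key: str) -> str:
    """sysctl accepts both net/ipv4/ip_forward and net.ipv4.ip_forward."""
    return key.strip().replace("/", ".")


def parse_sysctl_conf(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (key, value) pairs in file order plus any malformed lines."""
    pairs: List[Tuple[str, str]] = []
    malformed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if "=" not in line:
            malformed.append(raw)  # sysctl -p reports these as invalid syntax
            continue
        key, _, value = line.partition("=")
        pairs.append((normalise_key(key), value.strip()))
    return pairs, malformed


def audit(text: str, baseline: Dict[str, str] = BASELINE) -> Dict[str, list]:
    """Compare the effective values in `text` against `baseline`."""
    pairs, malformed = parse_sysctl_conf(text)
    seen: Dict[str, List[str]] = {}
    for key, value in pairs:
        seen.setdefault(key, []).append(value)
    effective = {k: v[-1] for k, v in seen.items()}  # last assignment wins
    return {
        "duplicates": sorted(k for k, v in seen.items() if len(v) > 1),
        "mismatches": sorted(
            (k, effective[k], want) for k, want in baseline.items()
            if k in effective and effective[k] != want),
        "missing": sorted(k for k in baseline if k not in effective),
        "malformed": malformed,
    }


# Constructed sample resembling the page's file: tcp_syncookies is set twice,
# two values contradict their comments, and one baseline key is absent.
SAMPLE = """\
# Turn on Source Address Verification in all interfaces
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net/ipv4/conf/all/accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net/ipv4/conf/all/send_redirects = 1
# Do not accept IP source route packets (we are not a router)
net/ipv4/conf/all/accept_source_route = 1
net/ipv4/conf/all/log_martians = 1
net/ipv4/icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
vm.mmap_min_addr = 65536
"""

if __name__ == "__main__":
    for section, items in audit(SAMPLE).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run it against a real file with `audit(open("/etc/sysctl.conf").read())`; the `mismatches` list is the one to act on, since a value that contradicts its own comment is usually an editing accident rather than a decision.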
The ARP behaviour can be fixed by using arp_ignore and arp_announce on the WAN interface:
If you have multiple interfaces on the same subnet, you may also want to enable arp_filter
The ARP cache timeout on Linux-based routers should be changed from the default, especially if you have a large number of peers. This parameter can be tuned by setting the appropriate procfs variable through the sysctl interface
You may need to turn off the Reverse Path Filter (rp_filter) functionality on a Linux-based router to allow asymmetric routing, particularly on your WAN interface.
/etc/sysctl.conf
# These settings should be duplicated for all interfaces that are
# on a peering LAN.
### Typical stuff you really want on a router
# Fix the "promiscuous ARP" thing...
net/ipv4/conf/ifname/arp_ignore=1
net/ipv4/conf/ifname/arp_announce=1
# Turn off RP filtering to allow asymmetric routing:
net/ipv4/conf/ifname/rp_filter=0
# Multiple (non-aggregated) interfaces on the same peering LAN.
# READ THE MANUAL FIRST!
#net/ipv4/conf/ifname/arp_filter=1
### Keep the AMS-IX ARP Police happy. :-)
net/ipv4/neigh/ifname/base_reachable_time=14400
net/ipv6/neigh/ifname/base_reachable_time=14400
If you notice the following message in syslog, it looks like the conntrack database doesn't have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on your system's maximum memory size (at 64MB: 4096, 128MB: 8192, …).
You can easily increase the number of maximal tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory! Your kernel will crash for sure, although routing/forwarding should still be "working".
To increase this limit to e.g. 8192, type:
echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max
To optimize performance, please also raise the number of hash buckets by using the hashsize module load-time parameter of the ip_conntrack.o module. Please note that, due to the nature of the current hashing algorithm, an even hash bucket count (and especially a power of two) is a bad choice.
Example (with 1023 buckets):
modprobe ip_conntrack hashsize=1023
http://www.netfilter.org/documentation/FAQ/netfilter-faq.html#toc3.7
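The two figures above, roughly 350 bytes of non-swappable kernel memory per tracked connection and the rule that even (especially power-of-two) bucket counts are a bad choice for the ip_conntrack hash, are enough to size the table from a memory budget rather than by guesswork. The script below is an added example, not code from the netfilter FAQ. It computes how many entries fit in a given budget, checks a proposed hashsize against the FAQ's rule, and picks an odd, non-power-of-two bucket count; the one-bucket-per-eight-entries ratio it starts from is an assumption of this example, not a figure from the FAQ.

```python
"""Size the ip_conntrack table and hash within a kernel-memory budget.

Added example, not code from the netfilter FAQ. Uses the FAQ's figure of
about 350 bytes per tracked connection and its advice that an even (and
especially a power-of-two) hash bucket count is a bad choice.
"""
from typing import Dict

BYTES_PER_ENTRY = 350  # approximate per-connection cost quoted in the FAQ


def is_power_of_two(n: int) -> bool:
    return n > 0 and (n & (n - 1)) == 0


def hashsize_is_sane(n: int) -> bool:
    """Odd and not a power of two, per the FAQ's advice on ip_conntrack."""
    return n > 0 and n % 2 == 1 and not is_power_of_two(n)


def conntrack_memory_bytes(conntrack_max: int) -> int:
    """Non-swappable kernel memory a full table would consume."""
    return conntrack_max * BYTES_PER_ENTRY


def max_entries_for_budget(budget_bytes: int) -> int:
    """Largest ip_conntrack_max that stays within the memory budget."""
    return budget_bytes // BYTES_PER_ENTRY


def choose_hashsize(conntrack_max: int, entries_per_bucket: int = 8) -> int:
    """Largest sane bucket count at or below conntrack_max / entries_per_bucket.

    The 1:8 ratio is an assumption for this example, not a value from the FAQ.
    """
    target = max(3, conntrack_max // entries_per_bucket)
    n = target if target % 2 == 1 else target - 1  # round down to odd
    while not hashsize_is_sane(n):
        n -= 2
        if n < 3:
            return 3
    return n


def plan(budget_bytes: int) -> Dict[str, object]:
    """Return the table size, bucket count and the commands the FAQ uses."""
    conntrack_max = max_entries_for_budget(budget_bytes)
    hashsize = choose_hashsize(conntrack_max)
    return {
        "ip_conntrack_max": conntrack_max,
        "hashsize": hashsize,
        "memory_bytes": conntrack_memory_bytes(conntrack_max),
        "commands": [
            f"modprobe ip_conntrack hashsize={hashsize}",
            f'echo "{conntrack_max}" > /proc/sys/net/ipv4/ip_conntrack_max',
        ],
    }


if __name__ == "__main__":
    # Constructed budget: the memory 8192 entries would need, i.e. the FAQ's example.
    for key, value in plan(8192 * BYTES_PER_ENTRY).items():
        print(f"{key}: {value}")
```

With a budget equal to 8192 entries the script reproduces the FAQ's own pairing of ip_conntrack_max=8192 with hashsize=1023. On kernels that use nf_conntrack instead of ip_conntrack, the same two knobs are exposed as the sysctls net.netfilter.nf_conntrack_max and net.netfilter.nf_conntrack_buckets; the memory arithmetic carries over, the odd-bucket-count rule is specific to the old ip_conntrack hash.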