Table of Contents

Linux sysctl options

Optimized sysctl

f sysctl.conf

# the following stops low-level messages on console
kernel.printk = 4 4 1 7

# enable /proc/$pid/maps privacy so that memory relocations are not
# visible to other users.  (Added in kernel 2.6.22.)
kernel.maps_protect = 1

# Increase inotify availability
fs.inotify.max_user_watches = 524288

# protect bottom 64k of memory from mmap to prevent NULL-dereference
# attacks against potential future kernel security vulnerabilities.
# (Added in kernel 2.6.23.)
vm.mmap_min_addr = 65536

##############################################################3
# Functions previously found in netbase
#

# Comment the next two lines to disable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Uncomment the next line to enable TCP/IP SYN cookies
# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167)
net.ipv4.tcp_syncookies = 1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Uncomment the next line to enable packet forwarding for IPv6
net.ipv6.ip_forward=0


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts
net/ipv4/icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
net/ipv4/icmp_ignore_bogus_error_responses = 1
# 
# Do not accept ICMP redirects (prevent MITM attacks)
net/ipv4/conf/all/accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
net/ipv4/conf/all/secure_redirects = 0
#
# Do not send ICMP redirects (we are not a router)
net/ipv4/conf/all/send_redirects = 0
# Do not accept IP source route packets (we are not a router)
net/ipv4/conf/all/accept_source_route = 0

# tcp/ip tweak - window size
net.core.wmem_max = 262144
net.core.rmem_max = 262144
net.core.wmem_default = 262144
net.core.rmem_default = 262144

#
# Log Martian Packets
net/ipv4/conf/all/log_martians = 1

# Always defragment packets
net/ipv4/ip_always_defrag = 1

### tnt.aufbix.org tips

#default#vm/page-cluster = 3
vm.page-cluster = 6

#default#net.ipv4.ipfrag_time = 30
net.ipv4.ipfrag_time = 30

net.ipv4.tcp_ecn = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1

# Linux 2.6 has only 32Mb shared memory
kernel.shmmax = 67108864
kernel.random.poolsize = 8192
# reboot on panic
kernel.panic = 5

#net.core.somaxconn=512

# recommended for hosts with jumbo frames enabled
net.ipv4.tcp_mtu_probing=1

net.ipv4.tcp_allowed_congestion_control = highspeed  lp cubic reno
net.ipv4.tcp_congestion_control = highspeed

net.ipv4.tcp_slow_start_after_idle=0

TNT's default sysctl.conf

Download sysctl.conf

Linux as dedicated server

FIXME

Linux as router

  1. The ARP behaviour can be fixed by using arp_ignore and arp_announce on the WAN interface:
  2. If you have multiple interfaces on the same subnet, you may also want to enable arp_filter
    • This prevents the ARP entry for an interface to fluctuate between two or more MAC addresses. However, you need to use source routing to make this work correctly. From the Documentation/networking/ip-sysctl-2.6.txt file in the kernel source
  3. The ARP cache timeout on Linux-based routers should be changed from the default, especially if you have a large number of peers. This parameter can be tuned by setting the appropriate procfs variable through the sysctl interface
    • change it so it's between 2 and 6 hours, and not 30 min as default.
  4. You may need to turn off the Reverse Path Filter (rp_filter) functionality on a Linux-based router to allow asymmetric routing, particularly on your WAN interface.

/etc/sysctl.conf

 # These settings should be duplicated for all interfaces that are
 # on a peering LAN.
   
 ### Typical stuff you really want on a router
 
 # Fix the "promiscuous ARP" thing...
 net/ipv4/conf/ifname/arp_ignore=1
 net/ipv4/conf/ifname/arp_announce=1
 
 # Turn off RP filtering to allow asymmetric routing:
 net/ipv4/conf/ifname/rp_filter=0
 
 # Multiple (non-aggregated) interfaces on the same peering LAN.
 # READ THE MANUAL FIRST!
 #net/ipv4/conf/ifname/arp_filter=1
 
 ### Keep the AMS-IX ARP Police happy. :-)
 
 net/ipv4/neigh/ifname/base_reachable_time=14400
 net/ipv6/neigh/ifname/base_reachable_time=14400

Misc add-on options on good to know bases

TCP "thin streams" optimisation in Linux

If you're using ssh logins over lossy networks (such as many mesh networks), you may be annoyed at the random delays you get after a loss event. This is due to the fact that modern TCP is optimised for bulk transfer, and that it behaves badly in the presence of packet loss when there are less than 4 packets in flight.

Linux 2.6.34 and later is able to use a more aggressive variant of TCP when a given TCP flow is detected as being “thin”, i.e. as having less than 4 packets in flight. While this violates a number of TCP RFCs, the aggressive TCP variant is only used with “thin” streams, and hence should not cause any congestion issues. However, please do not enable this feature on web servers and more generally systems that handle lots of connections.

This optimisation is enabled by putting the following in /etc/sysctl.conf:

 net.ipv4.tcp_thin_dupack = 1
 net.ipv4.tcp_thin_linear_timeouts = 1

Since it's a sender-only modification to TCP, the effect will be most dramatic if you do that on the client.

For more information, please see /usr/src/linux/Documentation/networking/tcp-thin.txt

Reboot on kernel panic

kernel.panic = 0
argv comment
0 won't reboot on kernel panic
n number of seconds to wait before reboot

Linux 2.6 has only 32Mb shared memory

kernel.shmmax = 67108864

ip_conntrack: maximum limit of XXX entries exceeded

If you notice the following message in syslog, it looks like the conntrack database doesn't have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on you system's maximum memory size (at 64MB: 4096, 128MB: 8192, …).

You can easily increase the number of maximal tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory! Your kernel will crash for sure, althouh routing/forwarding should still be “working”.

To increase this limit to e.g. 8192, type:

 echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

To optimize performance, please also raise the number of hash buckets by using the hashsize module loadtime parameter of the ip_conntrack.o module. Please note that due to the nature of the current hashing algorithm, an even hash bucket count (and esp. values of the power of two) are a bad choice.

Example (with 1023 buckets):

 modprobe ip_conntrack hashsize=1023

http://www.netfilter.org/documentation/FAQ/netfilter-faq.html#toc3.7

GrSecurity options

About GrSecurity see this page