Differences

This shows you the differences between two versions of the page.

linux:sysctl [2006/02/10 12:38]
193.77.56.193 created
linux:sysctl [2006/10/25 23:01]
a
Line 1: Line 1:
 ====== Linux sysctl options ====== ====== Linux sysctl options ======
 +
 +===== linux as router =====
 +  -  The ARP behaviour can be fixed by using **''arp_ignore''**  and **''arp_announce''** on the WAN interface:
 +  -   If you have multiple interfaces on the same subnet, you may also want to enable **''arp_filter''**
 +      *  This prevents the ARP entry for an interface to fluctuate between two or more MAC addresses. However, you need to use source routing to make this work correctly. From the //Documentation/networking/ip-sysctl-2.6.txt//  file in the kernel source
 +  -  The ARP cache timeout on Linux-based routers should be changed from the default, especially if you have a large number of peers. This parameter can be tuned by setting the appropriate procfs variable through the sysctl interface
 +       * **change it so it's between 2 and 6 hours, and not 30 min as default.**
 +  -  You may need to turn off the //Reverse Path Filter// (''**rp_filter**'') functionality on a Linux-based router to allow asymmetric routing, particularly on your WAN interface.
 +
 +''**/etc/sysctl.conf**''
 +   # These settings should be duplicated for all interfaces that are
 +   # on a peering LAN.
 +     
 +   ### Typical stuff you really want on a router
 +   
 +   # Fix the "promiscuous ARP" thing...
 +   net/ipv4/conf/ifname/arp_ignore=1
 +   net/ipv4/conf/ifname/arp_announce=1
 +   
 +   # Turn off RP filtering to allow asymmetric routing:
 +   net/ipv4/conf/ifname/rp_filter=0
 +   
 +   # Multiple (non-aggregated) interfaces on the same peering LAN.
 +   # READ THE MANUAL FIRST!
 +   #net/ipv4/conf/ifname/arp_filter=1
 +   
 +   ### Keep the AMS-IX ARP Police happy. :-)
 +   
 +   net/ipv4/neigh/ifname/base_reachable_time=14400
 +   net/ipv6/neigh/ifname/base_reachable_time=14400
 +
 +==== 2.6 net/ipv4 options ====
 +
 +more detailed: [[:linux:sysctl:26netipv4|/proc/net/ipv4]] and [[http://dsd.lbl.gov/TCP-tuning/linux.html|Linux TCP tunning]]
  
 ==== Reboot on kernel panic ==== ==== Reboot on kernel panic ====
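Review bot: `net/ipv4/conf/ifname/rp_filter=0` in the new sysctl.conf block switches off the source-address sanity check on that interface altogether; since the stated goal is only asymmetric routing, the comment should say whether strict checking is really unwanted or whether loose mode (`rp_filter=2`, available from kernel 2.6.31) would do, because loose mode keeps asymmetric paths working while still dropping packets whose source address is reachable through no interface at all. Two smaller points in the same hunk: list item 3 says the ARP cache timeout defaults to "30 min", but `base_reachable_time` is expressed in seconds and its kernel default is 30 seconds, so the prose should say "30 seconds" (the 14400 in the config is the intended 4 hours); and the link caption "Linux TCP tunning" should read "tuning". The `ifname` placeholder and the slash-separated key names are fine as written, since procps sysctl accepts `/` and `.` interchangeably, but the comment at the top should say explicitly that `ifname` must be replaced per interface.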
Line 8: Line 42:
 |  n  | number of seconds to wait before reboot | |  n  | number of seconds to wait before reboot |
  
 +==== Linux 2.6 has only 32Mb shared memory ====
  
-==== TNT's default sysctl.conf ====+  kernel.shmmax 67108864
  
-Download here+==== ip_conntrack: maximum limit of XXX entries exceeded ==== 
 +If you notice the following message in syslog, it looks like the conntrack database doesn't have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on you system's maximum memory size (at 64MB: 4096, 128MB: 8192, ...). 
 + 
 +You can easily increase the number of maximal tracked connections, but be **aware that each tracked connection eats about 350 bytes of non-swappable kernel memory!** ''Your kernel will crash for sure, althouh routing/forwarding should still be "working".'' 
 + 
 +To increase this limit to e.g. 8192, type: 
 + 
 +   echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max 
 + 
 +To optimize performance, please also raise the number of hash buckets by using the hashsize module loadtime parameter of the ip_conntrack.o module. Please note that due to the nature of the current hashing algorithm, an even hash bucket count (and esp. values of the power of two) are a bad choice. 
 + 
 +Example (with 1023 buckets): 
 + 
 +   modprobe ip_conntrack hashsize=1023 
 + 
 +[[http://www.netfilter.org/documentation/FAQ/netfilter-faq.html#toc3.7]] 
 + 
 +===== GrSecurity options ===== 
 +{{page>linux:grsec#sysctl}} 
 + 
 +About GrSecurity see [[linux:grsec#sysctl|this page]] 
 + 
 + 
 + 
 + 
 +==== TNT's default sysctl.conf ====
  
 +Download {{linux:sysctl.conf}}
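Review bot: `kernel.shmmax 67108864` under the "only 32Mb shared memory" heading is missing the `=` that sysctl.conf syntax needs (`kernel.shmmax = 67108864`); as written, `sysctl -p` reports invalid syntax for that line and skips it, so the fix the section describes is never applied. In the ip_conntrack section, `echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max` is lost at the next reboot; the page is about sysctl.conf, so the persistent form `net.ipv4.ip_conntrack_max = 8192` belongs next to it, and since the same paragraph gives the cost as about 350 bytes per entry, spelling out that 8192 entries is under 3 MB of kernel memory would make clear that the "will crash for sure" warning is about far larger values, not the example. Minor: "althouh" and "you system's" are typos, the bare `[[http://www.netfilter.org/...]]` link has no caption, and there are four empty `+` lines before the "TNT's default sysctl.conf" heading.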
linux/sysctl.txt · Last modified: 2016/02/23 10:52 by zagi
CC Attribution-Share Alike 4.0 International