Differences
linux:sysctl [2006/03/30 02:05] a links |
linux:sysctl [2009/05/25 00:35] 127.0.0.1 external edit |
Line 1: | Line 1: | ||
====== Linux sysctl options ====== | ====== Linux sysctl options ====== | ||
- | ==== 2.6 net/ipv4 options ==== | ||
- | more detailed: [[: | + | |
+ | |||
+ | ===== Optimized sysctl | ||
+ | <code conf |f sysctl.conf> | ||
+ | # the following stops low-level messages on console | ||
+ | kernel.printk = 4 4 1 7 | ||
+ | |||
+ | # enable / | ||
+ | # visible to other users. | ||
+ | kernel.maps_protect = 1 | ||
+ | |||
+ | # Increase inotify availability | ||
+ | fs.inotify.max_user_watches = 524288 | ||
+ | |||
+ | # protect bottom 64k of memory from mmap to prevent NULL-dereference | ||
+ | # attacks against potential future kernel security vulnerabilities. | ||
+ | # (Added in kernel 2.6.23.) | ||
+ | vm.mmap_min_addr = 65536 | ||
+ | |||
+ | ############################################################## | ||
+ | # Functions previously found in netbase | ||
+ | # | ||
+ | |||
+ | # Comment the next two lines to disable Spoof protection (reverse-path filter) | ||
+ | # Turn on Source Address Verification in all interfaces to | ||
+ | # prevent some spoofing attacks | ||
+ | net.ipv4.conf.default.rp_filter = 1 | ||
+ | net.ipv4.conf.all.rp_filter = 1 | ||
+ | |||
+ | # Uncomment the next line to enable TCP/IP SYN cookies | ||
+ | # This disables TCP Window Scaling (http:// | ||
+ | net.ipv4.tcp_syncookies = 1 | ||
+ | |||
+ | # Uncomment the next line to enable packet forwarding for IPv4 | ||
+ | net.ipv4.ip_forward = 1 | ||
+ | |||
+ | # Uncomment the next line to enable packet forwarding for IPv6 | ||
+ | net.ipv6.ip_forward=0 | ||
+ | |||
+ | |||
+ | ################################################################### | ||
+ | # Additional settings - these settings can improve the network | ||
+ | # security of the host and prevent against some network attacks | ||
+ | # including spoofing attacks and man in the middle attacks through | ||
+ | # redirection. Some network environments, | ||
+ | # settings are disabled so review and enable them as needed. | ||
+ | # | ||
+ | # Ignore ICMP broadcasts | ||
+ | net/ | ||
+ | # | ||
+ | # Ignore bogus ICMP errors | ||
+ | net/ | ||
+ | # | ||
+ | # Do not accept ICMP redirects (prevent MITM attacks) | ||
+ | net/ | ||
+ | # _or_ | ||
+ | # Accept ICMP redirects only for gateways listed in our default | ||
+ | # gateway list (enabled by default) | ||
+ | net/ | ||
+ | # | ||
+ | # Do not send ICMP redirects (we are not a router) | ||
+ | net/ | ||
+ | # Do not accept IP source route packets (we are not a router) | ||
+ | net/ | ||
+ | |||
+ | # tcp/ip tweak - window size | ||
+ | net.core.wmem_max = 262144 | ||
+ | net.core.rmem_max = 262144 | ||
+ | net.core.wmem_default = 262144 | ||
+ | net.core.rmem_default = 262144 | ||
+ | |||
+ | # | ||
+ | # Log Martian Packets | ||
+ | net/ | ||
+ | |||
+ | # Always defragment packets | ||
+ | net/ | ||
+ | |||
+ | ### tnt.aufbix.org tips | ||
+ | |||
+ | # | ||
+ | vm.page-cluster = 6 | ||
+ | |||
+ | # | ||
+ | net.ipv4.ipfrag_time = 30 | ||
+ | |||
+ | net.ipv4.tcp_ecn = 1 | ||
+ | net.ipv4.tcp_syncookies = 1 | ||
+ | net.ipv4.tcp_timestamps = 1 | ||
+ | |||
+ | # Linux 2.6 has only 32Mb shared memory | ||
+ | kernel.shmmax = 67108864 | ||
+ | kernel.random.poolsize = 8192 | ||
+ | # reboot on panic | ||
+ | kernel.panic = 5 | ||
+ | |||
+ | # | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | **TNT' | ||
+ | |||
+ | Download {{linux: | ||
+ | |||
+ | |||
+ | ==== Linux as dedicated server ==== | ||
+ | FIXME | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | < | ||
+ | <box 40% round green right|2.6 net/ipv4 options> | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | < | ||
+ | |||
+ | ==== Linux as router ==== | ||
+ | - The ARP behaviour can be fixed by using **'' | ||
+ | - If you have multiple interfaces on the same subnet, you may also want to enable **'' | ||
+ | * This prevents the ARP entry for an interface to fluctuate between two or more MAC addresses. However, you need to use source routing to make this work correctly. From the // | ||
+ | - The ARP cache timeout on Linux-based routers should be changed from the default, especially if you have a large number of peers. This parameter can be tuned by setting the appropriate procfs variable through the sysctl interface | ||
+ | * **change it so it's between 2 and 6 hours, and not 30 min as default.** | ||
+ | - You may need to turn off the //Reverse Path Filter// ('' | ||
+ | |||
+ | '' | ||
+ | # These settings should be duplicated for all interfaces that are | ||
+ | # on a peering LAN. | ||
+ | |||
+ | ### Typical stuff you really want on a router | ||
+ | |||
+ | # Fix the " | ||
+ | | ||
+ | | ||
+ | |||
+ | # Turn off RP filtering to allow asymmetric routing: | ||
+ | | ||
+ | |||
+ | # Multiple (non-aggregated) interfaces on the same peering LAN. | ||
+ | # READ THE MANUAL FIRST! | ||
+ | # | ||
+ | |||
+ | ### Keep the AMS-IX ARP Police happy. :-) | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | ===== Misc add-on options on good to know bases ===== | ||
==== Reboot on kernel panic ==== | ==== Reboot on kernel panic ==== | ||
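Review bot: the forwarding lines in the added sysctl.conf block contradict the rest of the file: `net.ipv4.ip_forward = 1` turns the host into an IPv4 router, yet the ICMP-redirect and source-route comments further down say "we are not a router"; for the host profile this should be `net.ipv4.ip_forward = 0`, with forwarding enabled only in the "Linux as router" section (where RP filtering is also turned off). The IPv6 line is wrong twice over: its comment says it enables forwarding but the value is 0, and `net.ipv6.ip_forward` is not a sysctl key, so `sysctl -p` reports an unknown key at boot; IPv6 forwarding is controlled by `net.ipv6.conf.all.forwarding`. Minor: `net.ipv4.tcp_syncookies = 1` appears twice (netbase section and tnt.aufbix.org tips), keep one copy.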
Line 15: | Line 164: | ||
kernel.shmmax = 67108864 | kernel.shmmax = 67108864 | ||
+ | |||
+ | ==== ip_conntrack: | ||
+ | If you notice the following message in syslog, it looks like the conntrack database doesn' | ||
+ | |||
+ | You can easily increase the number of maximal tracked connections, | ||
+ | |||
+ | To increase this limit to e.g. 8192, type: | ||
+ | |||
+ | echo " | ||
+ | |||
+ | To optimize performance, | ||
+ | |||
+ | Example (with 1023 buckets): | ||
+ | |||
+ | | ||
+ | |||
+ | [[http:// | ||
+ | |||
+ | |||
+ | |||
+ | |||
===== GrSecurity options ===== | ===== GrSecurity options ===== | ||
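Review bot: the `echo` into /proc in the ip_conntrack section only changes the running kernel, so the 8192 limit is lost at the next reboot and the table-full message returns; the same value should also be added to the sysctl.conf maintained above, and the bucket count likewise needs a persistent home (it is a module parameter of the conntrack module, not a sysctl). The worked numbers are consistent (1023 buckets for 8192 entries is roughly eight entries per bucket), but the text should say that every tracked connection costs kernel memory, so the limit has to be sized for the host rather than copied as-is.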
Line 24: | Line 194: | ||
- | ==== TNT's default sysctl.conf ==== | ||
- | |||
- | Download {{linux: |
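Review bot: this hunk removes the `==== TNT's default sysctl.conf ====` heading together with its download line, but the replacement earlier in the diff re-adds the download under a bold `**TNT'...**` line instead of a heading, so the section drops out of the page's table of contents and loses its section anchor; keep the `====` heading at the new location. Since the same sysctl.conf is now also shown inline in a `<code>` block, the downloadable file and the inline text need to be kept in sync, and a sentence saying which one is authoritative would help.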