Differences

linux:sysctl [2006/10/25 23:01]
a
linux:sysctl [2009/03/04 13:31]
greebo
Line 1: Line 1:
 ====== Linux sysctl options ====== ====== Linux sysctl options ======
  
-===== linux as router =====+ 
 + 
 + 
 +===== Optimized sysctl  ===== 
 +<code conf |f sysctl.conf> 
 +# the following stops low-level messages on console 
 +kernel.printk = 4 4 1 7 
 + 
 +# enable /proc/$pid/maps privacy so that memory relocations are not 
 +# visible to other users.  (Added in kernel 2.6.22.) 
 +kernel.maps_protect = 1 
 + 
 +# Increase inotify availability 
 +fs.inotify.max_user_watches = 524288 
 + 
 +# protect bottom 64k of memory from mmap to prevent NULL-dereference 
 +# attacks against potential future kernel security vulnerabilities. 
 +# (Added in kernel 2.6.23.) 
 +vm.mmap_min_addr = 65536 
 + 
 +##############################################################
 +# Functions previously found in netbase 
 +
 + 
 +# Comment the next two lines to disable Spoof protection (reverse-path filter) 
 +# Turn on Source Address Verification in all interfaces to 
 +# prevent some spoofing attacks 
 +net.ipv4.conf.default.rp_filter = 1 
 +net.ipv4.conf.all.rp_filter = 1 
 + 
 +# Uncomment the next line to enable TCP/IP SYN cookies 
 +# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167) 
 +net.ipv4.tcp_syncookies = 1 
 + 
 +# Uncomment the next line to enable packet forwarding for IPv4 
 +net.ipv4.ip_forward = 1 
 + 
 +# Uncomment the next line to enable packet forwarding for IPv6 
 +net.ipv6.ip_forward=0 
 + 
 + 
 +################################################################### 
 +# Additional settings - these settings can improve the network 
 +# security of the host and prevent against some network attacks 
 +# including spoofing attacks and man in the middle attacks through 
 +# redirection. Some network environments, however, require that these 
 +# settings are disabled so review and enable them as needed. 
 +
 +# Ignore ICMP broadcasts 
 +net/ipv4/icmp_echo_ignore_broadcasts = 1 
 +
 +# Ignore bogus ICMP errors 
 +net/ipv4/icmp_ignore_bogus_error_responses = 1 
 +#  
 +# Do not accept ICMP redirects (prevent MITM attacks) 
 +net/ipv4/conf/all/accept_redirects = 0 
 +# _or_ 
 +# Accept ICMP redirects only for gateways listed in our default 
 +# gateway list (enabled by default) 
 +net/ipv4/conf/all/secure_redirects = 0 
 +
 +# Do not send ICMP redirects (we are not a router
 +net/ipv4/conf/all/send_redirects 
 +# Do not accept IP source route packets (we are not a router) 
 +net/ipv4/conf/all/accept_source_route = 1 
 + 
 +# tcp/ip tweak - window size 
 +net.core.wmem_max = 262144 
 +net.core.rmem_max = 262144 
 +net.core.wmem_default = 262144 
 +net.core.rmem_default = 262144 
 + 
 +
 +# Log Martian Packets 
 +net/ipv4/conf/all/log_martians = 1 
 + 
 +# Always defragment packets 
 +net/ipv4/ip_always_defrag = 1 
 + 
 +### tnt.aufbix.org tips 
 + 
 +#default#vm/page-cluster = 3 
 +vm.page-cluster = 6 
 + 
 +#default#net.ipv4.ipfrag_time = 30 
 +net.ipv4.ipfrag_time = 30 
 + 
 +net.ipv4.tcp_ecn = 1 
 +net.ipv4.tcp_syncookies = 1 
 +net.ipv4.tcp_timestamps = 1 
 + 
 +# Linux 2.6 has only 32Mb shared memory 
 +kernel.shmmax = 67108864 
 +kernel.random.poolsize = 8192 
 +# reboot on panic 
 +kernel.panic = 5 
 + 
 +#net.core.somaxconn=512 
 +</code> 
 + 
 + 
 + 
 + 
 +**TNT's default sysctl.conf** 
 + 
 +Download {{linux:sysctl.conf}} 
 + 
 + 
 +==== Linux as dedicated server ==== 
 +FIXME 
 + 
 + 
 + 
 + 
 +<html><div float=left></html> 
 +<box 40% round green right|2.6 net/ipv4 options> 
 +   * [[:linux:sysctl:26netipv4|/proc/net/ipv4]] 
 +   * [[http://dsd.lbl.gov/TCP-tuning/linux.html|Linux TCP tunning]] 
 +</box> 
 +<html></div></html> 
 + 
 +==== Linux as router ====
   -  The ARP behaviour can be fixed by using **''arp_ignore''**  and **''arp_announce''** on the WAN interface:   -  The ARP behaviour can be fixed by using **''arp_ignore''**  and **''arp_announce''** on the WAN interface:
   -   If you have multiple interfaces on the same subnet, you may also want to enable **''arp_filter''**   -   If you have multiple interfaces on the same subnet, you may also want to enable **''arp_filter''**
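Review bot: the line `net/ipv4/conf/all/send_redirects` in the added sysctl.conf block has no value, so `sysctl -p` will reject the file at that point; it should read `net/ipv4/conf/all/send_redirects = 0`, and the comment above it (`# Do not send ICMP redirects (we are not a router`) is missing its closing parenthesis. Several other values contradict their own comments: `net/ipv4/conf/all/accept_source_route = 1` accepts source-routed packets although the comment says not to (use `= 0`); `net/ipv4/conf/all/secure_redirects = 0` switches the "only from listed gateways" restriction off rather than on, so the `_or_` alternative to `accept_redirects = 0` would be `secure_redirects = 1`; `net.ipv4.ip_forward = 1` turns the host into a router, which is at odds with the "we are not a router" comments further down; and `net.ipv6.ip_forward=0` is not a real key, IPv6 forwarding is `net.ipv6.conf.all.forwarding`. `net.ipv4.tcp_syncookies = 1` appears twice, `net/ipv4/ip_always_defrag` does not exist on 2.6 kernels, `kernel.random.poolsize` is read-only on 2.6 and will fail to apply, and `kernel.maps_protect` was only present in a few 2.6.2x releases, so the block should state which kernel it targets. Minor: the file mixes `a.b.c` and `a/b/c` key notation; sysctl accepts both, but one consistent form is easier to read and grep.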
Line 31: Line 152:
    net/ipv6/neigh/ifname/base_reachable_time=14400    net/ipv6/neigh/ifname/base_reachable_time=14400
  
-==== 2.6 net/ipv4 options ==== +===== Misc add-on options on good to know bases  =====
- +
-more detailed: [[:linux:sysctl:26netipv4|/proc/net/ipv4]] and [[http://dsd.lbl.gov/TCP-tuning/linux.html|Linux TCP tunning]]+
  
 ==== Reboot on kernel panic ==== ==== Reboot on kernel panic ====
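Review bot: the new heading `Misc add-on options on good to know bases` is ungrammatical; "Miscellaneous options worth knowing" (or similar) would read better. The removed `more detailed:` pointer to the 2.6 net/ipv4 page is reproduced in the green box added in the first hunk, so the links are not lost, but the box now sits under "Linux as dedicated server" (still marked FIXME) rather than beside the options it documents; consider moving it next to the router section it was taken from.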
Line 62: Line 181:
  
 [[http://www.netfilter.org/documentation/FAQ/netfilter-faq.html#toc3.7]] [[http://www.netfilter.org/documentation/FAQ/netfilter-faq.html#toc3.7]]
 +
 +
 +
 +
  
 ===== GrSecurity options ===== ===== GrSecurity options =====
Line 71: Line 194:
  
  
-==== TNT's default sysctl.conf ==== 
- 
-Download {{linux:sysctl.conf}} 
linux/sysctl.txt · Last modified: 2016/02/23 10:52 by zagi
CC Attribution-Share Alike 4.0 International