linux:sysctl (current revision 2016/02/23 10:52 by zagi; page created 2006/02/10 12:38)

====== Linux sysctl options ======


===== Optimized sysctl =====
<code conf sysctl.conf>
# the following stops low-level messages on console
# (console_loglevel default_message_loglevel minimum_console_loglevel default_console_loglevel)
kernel.printk = 4 4 1 7

# enable /proc/$pid/maps privacy so that memory relocations are not
# visible to other users.  (Added in kernel 2.6.22, removed again in
# 2.6.27 where the check became unconditional, so later kernels report
# "unknown key"; the leading "-" makes sysctl -p ignore that error.)
-kernel.maps_protect = 1

# Increase inotify availability
fs.inotify.max_user_watches = 524288

# protect bottom 64k of memory from mmap to prevent NULL-dereference
# attacks against potential future kernel security vulnerabilities.
# (Added in kernel 2.6.23.)
vm.mmap_min_addr = 65536

###################################################################
# Functions previously found in netbase
#

# Comment the next two lines to disable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks.  The kernel uses the larger of
# conf.all and conf.<iface>, so "all" alone switches it on everywhere
# (and must be 0 before a per-interface 0 can take effect, see the
# router section below).
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Uncomment the next line to enable TCP/IP SYN cookies.
# Cookies lose TCP options (window scaling, SACK) only for connections
# accepted while the SYN backlog is full; since 2.6.26 the kernel
# encodes them in the timestamp option when tcp_timestamps = 1
# (http://lkml.org/lkml/2008/2/5/167)
net.ipv4.tcp_syncookies = 1

# IPv4 packet forwarding: keep it off on a host and set it to 1 only on
# a router (see "Linux as router" below); the redirect and source-route
# settings further down assume "we are not a router".
net.ipv4.ip_forward = 0

# IPv6 packet forwarding (there is no net.ipv6.ip_forward key; the
# per-interface forwarding flags are the IPv6 equivalent)
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# For the boolean conf.* flags the kernel combines conf.all with the
# per-interface value (for accept_redirects on a non-forwarding host
# either one being 1 is enough), so conf.default is set as well: it is
# copied to every interface that appears later.
#
# Ignore ICMP broadcasts (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# _or_
# Accept ICMP redirects, but only from gateways listed in the
# interface's gateway list (secure_redirects = 1 is the kernel default
# and only matters while accept_redirects = 1):
#net.ipv4.conf.all.accept_redirects = 1
#net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# tcp/ip tweak - socket buffer sizes (bytes)
net.core.wmem_max = 262144
net.core.rmem_max = 262144
net.core.wmem_default = 262144
net.core.rmem_default = 262144

#
# Log Martian Packets (source addresses that cannot be valid on the
# receiving interface); rate-limited by the kernel but noisy on busy hosts
net.ipv4.conf.all.log_martians = 1

# Always defragment packets: ip_always_defrag only existed in 2.2.
# From 2.4 on, connection tracking reassembles fragments itself and
# the key is gone, so sysctl rejects it; kept here for reference.
#net.ipv4.ip_always_defrag = 1

### tnt.aufbix.org tips

#default#vm.page-cluster = 3
vm.page-cluster = 6

#default#net.ipv4.ipfrag_time = 30
net.ipv4.ipfrag_time = 30

net.ipv4.tcp_ecn = 0
# (tcp_syncookies = 1 is already set above; a second copy is harmless,
# but a duplicate key is the easiest way to undo an earlier line unnoticed)
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1

# Linux 2.6 defaults to a 32 MB maximum shared memory segment (shmmax);
# raise it to 64 MB
kernel.shmmax = 67108864
# kernel.random.poolsize is read-only on 2.6 kernels (writing it fails)
#kernel.random.poolsize = 8192
# reboot 5 seconds after a kernel panic (0 = hang forever)
kernel.panic = 5

#net.core.somaxconn=512

# Recommended where Path-MTU discovery can be blackholed (ICMP filtered),
# which is the usual trouble with jumbo frames: 1 = probe only after a
# blackhole is detected, 2 = always probe.
net.ipv4.tcp_mtu_probing = 1

# Congestion control: every algorithm named here must be built in or
# loaded as a module (tcp_highspeed, tcp_lp) or the write fails.
# "highspeed" is tuned for high bandwidth-delay links; cubic is the
# general-purpose default.
net.ipv4.tcp_allowed_congestion_control = highspeed lp cubic reno
net.ipv4.tcp_congestion_control = highspeed

net.ipv4.tcp_slow_start_after_idle = 0

</code>
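Several keys in the file above no longer exist on newer kernels (''kernel.maps_protect'', ''net.ipv4.ip_always_defrag'') and one (''tcp_syncookies'') is set twice; ''sysctl -p'' prints an error per unknown key but applies the rest, and with a duplicate the later line silently wins. The following script is added here as an example (it is not from the wiki, from procps or from any distribution): it parses a sysctl.conf the way ''sysctl -p'' reads it, reports keys the running kernel lacks and keys set more than once, and shows why the slash notation matters for interface names that contain a dot. It assumes a Linux ''/proc/sys'' and the POSIX tools sed, tr, sort and uniq; the sample configuration inside it is constructed.

```shell
#!/bin/sh
# sysctl-check.sh: sanity-check a sysctl.conf before "sysctl -p" applies it.
# Added example for this page; not part of the wiki page, of procps or of
# any distribution.  Needs a Linux /proc/sys plus sed, tr, sort and uniq.

# key_to_path KEY: the /proc/sys entry behind a sysctl key.
# sysctl accepts "net.ipv4.ip_forward" and "net/ipv4/ip_forward" alike, but
# in the slashed form dots are literal, which is the only way to address an
# interface whose name contains a dot (VLAN interface eth0.100):
#   net/ipv4/conf/eth0.100/rp_filter -> /proc/sys/net/ipv4/conf/eth0.100/rp_filter
key_to_path() {
    case $1 in
        */*) printf '/proc/sys/%s\n' "$1" ;;
        *)   printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')" ;;
    esac
}

# canonical_key KEY: one spelling for both notations, for duplicate detection
canonical_key() {
    key_to_path "$1" | sed 's|^/proc/sys/||'
}

# parse_conf FILE: print one "key=value" per setting.  Like sysctl -p, a
# line is a comment only when its first character is # or ;.  Blank lines,
# the whitespace around "=" and sysctl's leading "-" (ignore errors on this
# line) are stripped; values keep their inner spaces ("4 4 1 7").
parse_conf() {
    sed -e '/^[[:space:]]*[#;]/d' \
        -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*-\{0,1\}[[:space:]]*//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/[[:space:]]*$//' "$1"
}

# duplicate_keys FILE: keys that appear more than once.  sysctl applies the
# file top to bottom, so the last occurrence wins and an earlier hardening
# line can be undone without any warning.
duplicate_keys() {
    parse_conf "$1" | while IFS='=' read -r key _; do
        canonical_key "$key"
    done | sort | uniq -d
}

# missing_keys FILE: keys the running kernel does not provide (removed, or
# the module is not loaded).  sysctl -p reports each as an error and carries
# on; listing them first keeps that noise from hiding a real failure.
missing_keys() {
    parse_conf "$1" | while IFS='=' read -r key _; do
        [ -e "$(key_to_path "$key")" ] || printf '%s\n' "$key"
    done
}

# sample_conf: a constructed excerpt (not the page's full file) that mixes
# the two notations and repeats tcp_syncookies as the page does.
sample_conf() {
    cat <<'EOF'
# hardening
kernel.printk = 4 4 1 7
net.ipv4.tcp_syncookies = 1
net/ipv4/conf/all/accept_redirects = 0
; kernel.maps_protect is gone since 2.6.27; "-" makes sysctl -p ignore the error
-kernel.maps_protect = 1
net/ipv4/conf/eth0.100/rp_filter = 0
net.ipv4.tcp_syncookies=1
EOF
}

# report FILE: both lists in one place
report() {
    echo "== keys set more than once in $1"; duplicate_keys "$1"
    echo "== keys unknown to this kernel";    missing_keys "$1"
}

# Run as:  sh sysctl-check.sh /etc/sysctl.conf
# With no argument only the functions are defined, so the file can also be
# sourced from another script.
if [ $# -gt 0 ]; then
    report "$1"
fi
```

Run it against the real file with ''sh sysctl-check.sh /etc/sysctl.conf''; on a current kernel the sample above lists ''kernel/maps_protect'' as unknown and ''net/ipv4/tcp_syncookies'' as a duplicate.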

**TNT's default sysctl.conf**

Download {{linux:sysctl.conf}}


==== Linux as dedicated server ====
FIXME


<html><div float=left></html>
<box 40% round green right|2.6 net/ipv4 options>
   * [[:linux:sysctl:26netipv4|/proc/net/ipv4]]
   * [[http://dsd.lbl.gov/TCP-tuning/linux.html|Linux TCP tuning]]
</box>
<html></div></html>

 +
==== Linux as router ====
  -  The "promiscuous ARP" behaviour (Linux answers ARP requests for any of its addresses on any interface) can be fixed by using **''arp_ignore''** and **''arp_announce''** on the WAN interface.
  -  If you have multiple interfaces on the same subnet, you may also want to enable **''arp_filter''**.
      *  This prevents the ARP entry for an address from fluctuating between two or more MAC addresses. However, you need to use source routing (policy routing keyed on the source address) to make this work correctly. See the //Documentation/networking/ip-sysctl-2.6.txt// file in the kernel source.
  -  The ARP cache timeout on Linux-based routers should be changed from the default, especially if you have a large number of peers. This parameter can be tuned by setting the appropriate procfs variable through the sysctl interface.
       * **change it so it's between 2 and 6 hours, not the 30 seconds the kernel defaults to.** ''base_reachable_time'' is in seconds (newer kernels prefer ''base_reachable_time_ms'', in milliseconds) and the kernel randomises the actual timeout between half and one and a half times that value.
  -  You may need to turn off the //Reverse Path Filter// (''**rp_filter**'') functionality on a Linux-based router to allow asymmetric routing, particularly on your WAN interface. The kernel applies the larger of ''conf/all/rp_filter'' and ''conf/<ifname>/rp_filter'', so the per-interface 0 below only takes effect if ''conf/all/rp_filter'' is 0 as well (the "Optimized sysctl" above sets it to 1). On 2.6.31 and later, ''rp_filter = 2'' (loose mode: the source must be reachable via //some// interface) is usually the better choice for an asymmetric WAN interface than switching the check off.

''**/etc/sysctl.conf**'' (replace ''ifname'' with the real interface name, e.g. ''eth1''; the slash notation is required when the name itself contains a dot, as VLAN interfaces such as ''eth0.100'' do)
   # These settings should be duplicated for all interfaces that are
   # on a peering LAN.
     
   ### Typical stuff you really want on a router
   
   # Fix the "promiscuous ARP" thing...
   net/ipv4/conf/ifname/arp_ignore=1
   net/ipv4/conf/ifname/arp_announce=1
   
   # Turn off RP filtering to allow asymmetric routing
   # (only effective together with net/ipv4/conf/all/rp_filter=0):
   net/ipv4/conf/ifname/rp_filter=0
   
   # Multiple (non-aggregated) interfaces on the same peering LAN.
   # READ THE MANUAL FIRST!
   #net/ipv4/conf/ifname/arp_filter=1
   
   ### Keep the AMS-IX ARP Police happy. :-)
   
   # 14400 seconds = 4 hours
   net/ipv4/neigh/ifname/base_reachable_time=14400
   net/ipv6/neigh/ifname/base_reachable_time=14400
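Because the router file sets ''rp_filter=0'' per interface while the "Optimized sysctl" above sets ''conf.all.rp_filter=1'', it is worth checking what the kernel actually ends up with. The helper below is added here as an example (it is not from the wiki or from the kernel tree): it encodes the combination rules that Documentation/networking/ip-sysctl.txt documents for the ''net.ipv4.conf.*'' flags used on this page and prints the effective per-interface value. It is a POSIX sh function; the calls at the bottom are illustrative.

```shell
#!/bin/sh
# effective_ipv4_conf KEY ALL_VALUE IFACE_VALUE [IFACE_FORWARDING]
# Value the kernel uses on an interface once net.ipv4.conf.all.KEY and
# net.ipv4.conf.<ifname>.KEY are combined.  Added example for this page,
# not from the wiki or the kernel; the rules are the ones documented in
# Documentation/networking/ip-sysctl.txt for the flags used on this page.
effective_ipv4_conf() {
    case $1 in
        rp_filter|arp_ignore|arp_announce)
            # integer flags: the larger of the two values wins
            if [ "$2" -gt "$3" ]; then echo "$2"; else echo "$3"; fi ;;
        log_martians|send_redirects|secure_redirects|arp_filter)
            # boolean: enabled if either side is set
            if [ "$2" -ne 0 ] || [ "$3" -ne 0 ]; then echo 1; else echo 0; fi ;;
        accept_source_route)
            # boolean: both sides must be set
            if [ "$2" -ne 0 ] && [ "$3" -ne 0 ]; then echo 1; else echo 0; fi ;;
        accept_redirects)
            # both must be set while the interface forwards; on a host that
            # does not forward, either one being set is enough
            if [ "${4:-0}" -ne 0 ]; then
                if [ "$2" -ne 0 ] && [ "$3" -ne 0 ]; then echo 1; else echo 0; fi
            else
                if [ "$2" -ne 0 ] || [ "$3" -ne 0 ]; then echo 1; else echo 0; fi
            fi ;;
        *)
            echo "effective_ipv4_conf: no rule for $1" >&2; return 1 ;;
    esac
}

# rp_filter_advice ALL_VALUE IFACE_VALUE: what the router section's
# per-interface rp_filter=0 achieves under a given conf.all value
rp_filter_advice() {
    eff=$(effective_ipv4_conf rp_filter "$1" "$2")
    case $eff in
        0) echo "rp_filter off on this interface (asymmetric routing works)" ;;
        1) echo "strict rp_filter still active: conf.all.rp_filter=$1 overrides the per-interface $2" ;;
        2) echo "loose rp_filter (2.6.31+): source must be reachable via some interface" ;;
    esac
}

# Illustration with the page's two settings: conf.all.rp_filter=1 from the
# "Optimized sysctl" file and conf.ifname.rp_filter=0 from the router file.
rp_filter_advice 1 0
rp_filter_advice 0 0
# accept_redirects=0 on conf.all alone, on a non-forwarding host whose
# interface still carries the kernel default of 1: redirects are accepted.
effective_ipv4_conf accept_redirects 0 1 0
```

The last call is the reason the hardening file above sets ''conf.default.accept_redirects'' as well as ''conf.all'': on a non-router the kernel accepts a redirect if //either// value is 1.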
 +
===== Misc add-on options, good to know =====

==== TCP "thin streams" optimisation in Linux ====

If you're using ssh logins over lossy networks (such as many mesh networks), you may be annoyed at the random delays you get after a loss event.  This is due to the fact that modern TCP is optimised for bulk transfer, and that it behaves badly in the presence of packet loss when there are fewer than 4 packets in flight: fast retransmit needs three duplicate ACKs, which such a flow cannot produce, so every loss waits for a retransmission timeout that doubles with each further loss.

Linux 2.6.34 and later is able to use a more aggressive variant of TCP when a given TCP flow is detected as being "thin", i.e. as having fewer than 4 packets in flight.  While this violates a number of TCP RFCs, the aggressive TCP variant is only used with "thin" streams, and hence should not cause any congestion issues.  However, please do not enable this feature on web servers and more generally systems that handle lots of connections.

This optimisation is enabled by putting the following in ''/etc/sysctl.conf'':

   net.ipv4.tcp_thin_dupack = 1
   net.ipv4.tcp_thin_linear_timeouts = 1

''tcp_thin_dupack'' (retransmit on the first duplicate ACK) was removed in Linux 4.11, where RACK loss detection made it redundant; on those kernels only ''tcp_thin_linear_timeouts'' (up to six linear retransmission timeouts before exponential backoff resumes) remains, and the first line must be dropped or prefixed with ''-'' so that ''sysctl -p'' ignores the error.

Since it's a sender-only modification to TCP, the effect will be most dramatic if you do that on the client, which is the side sending the keystrokes.

For more information, please see ''/usr/src/linux/Documentation/networking/tcp-thin.txt''
  
==== Reboot on kernel panic ====

Values of ''kernel.panic'':

|  0  | won't reboot on kernel panic |
|  n  | number of seconds to wait before reboot |

==== Linux 2.6 defaults to 32 MB of shared memory ====

The default ''kernel.shmmax'' on 2.6 is 33554432 bytes (32 MB), the largest single shared memory segment a process may create; this raises it to 64 MB:

  kernel.shmmax = 67108864

==== ip_conntrack: maximum limit of XXX entries exceeded ====
If you notice the following message in syslog, it looks like the conntrack database doesn't have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number is dependent on your system's maximum memory size (at 64MB: 4096, 128MB: 8192, ...).

You can easily increase the number of maximal tracked connections, but be **aware that each tracked connection eats about 350 bytes of non-swappable kernel memory!** Set the limit far beyond what your RAM can back and the kernel runs out of memory; when the table is merely full, the kernel drops the packets that would create //new// entries (later kernels log ''nf_conntrack: table full, dropping packet''), while flows that are already tracked keep working.

To increase this limit to e.g. 8192, type:

   echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max

To optimize performance, please also raise the number of hash buckets by using the hashsize module loadtime parameter of the ip_conntrack.o module. Please note that due to the nature of the current hashing algorithm, an even hash bucket count (and esp. values of the power of two) are a bad choice.

Example (with 1023 buckets):

   modprobe ip_conntrack hashsize=1023

On kernels where ''ip_conntrack'' has been replaced by ''nf_conntrack'', the limit is ''net.netfilter.nf_conntrack_max'', the bucket count is set through ''/sys/module/nf_conntrack/parameters/hashsize'' (or the ''hashsize'' module parameter) and the kernel's own default is about one bucket per four entries; the odd-bucket-count advice only applies to the old ''ip_conntrack'' hash.

[[http://www.netfilter.org/documentation/FAQ/netfilter-faq.html#toc3.7]]
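To catch the condition before users do, the script below scans a syslog excerpt for both the ''ip_conntrack'' message in the heading and the later ''nf_conntrack: table full, dropping packet'' wording, extracts the limit the kernel reported, and works out what raising it costs in non-swappable memory using the page's 350-bytes-per-entry estimate. It is added here as an example (not from the wiki or from netfilter); the log lines inside it are constructed (hostname ''gw'', timestamps and the sshd line are made up), and the sizing rule (double the limit, but never let the table claim more than an eighth of RAM) is an assumption of this example, not a kernel or netfilter recommendation.

```shell
#!/bin/sh
# conntrack-check.sh: find conntrack "table full" events in a syslog
# excerpt and size a new limit.  Added example for this page, not from the
# wiki or from netfilter; 350 bytes per entry is the page's rough estimate
# and the "double it, cap at RAM/8" rule is this example's own assumption.

# sample_log: constructed syslog lines (hostname and times are made up) in
# the old ip_conntrack wording quoted on this page and the later
# nf_conntrack wording, plus an unrelated line that must be ignored.
sample_log() {
    cat <<'EOF'
Feb 23 10:51:02 gw kernel: ip_conntrack: maximum limit of 4096 entries exceeded
Feb 23 10:51:02 gw kernel: ip_conntrack: maximum limit of 4096 entries exceeded
Feb 23 10:51:07 gw kernel: nf_conntrack: table full, dropping packet.
Feb 23 10:51:09 gw sshd[2112]: Accepted publickey for zagi from 10.0.0.5 port 50222 ssh2
EOF
}

# table_full_events LOGFILE: number of logged limit hits (the kernel
# rate-limits these messages, so the real number of drops is higher)
table_full_events() {
    grep -c -E 'ip_conntrack: maximum limit of [0-9]+ entries exceeded|nf_conntrack: table full, dropping packet' "$1" || true
}

# reported_limit LOGFILE: the limit named in the last ip_conntrack message
# (empty if the log only has nf_conntrack lines, which do not repeat it;
# read net.netfilter.nf_conntrack_max on the box in that case)
reported_limit() {
    sed -n 's/.*ip_conntrack: maximum limit of \([0-9]*\) entries exceeded.*/\1/p' "$1" | tail -n 1
}

# conntrack_memory_kb ENTRIES: kernel memory the table pins at ~350 B each
conntrack_memory_kb() {
    echo $(( $1 * 350 / 1024 ))
}

# propose_limit CURRENT RAM_MB: double the limit, but never let the table
# take more than 1/8 of RAM; prints "NEWLIMIT KB"
propose_limit() {
    new=$(( $1 * 2 ))
    cap=$(( $2 * 1024 * 1024 / 8 / 350 ))
    if [ "$new" -gt "$cap" ]; then new=$cap; fi
    echo "$new $(conntrack_memory_kb "$new")"
}

# report LOGFILE RAM_MB
report() {
    n=$(table_full_events "$1")
    lim=$(reported_limit "$1")
    echo "table-full events in $1: $n"
    if [ -n "$lim" ]; then
        out=$(propose_limit "$lim" "$2")
        echo "kernel reported limit $lim; proposal: ${out% *} entries (~${out#* } kB pinned)"
    else
        echo "no ip_conntrack limit in log; check net.netfilter.nf_conntrack_max"
    fi
}

# Run as:  sh conntrack-check.sh /var/log/syslog 512     (RAM in MB)
# With no arguments the constructed sample is used.
if [ $# -ge 2 ]; then
    report "$1" "$2"
else
    tmp=$(mktemp); sample_log > "$tmp"; report "$tmp" 512; rm -f "$tmp"
fi
```

On the sample the script finds three events and proposes 8192 entries (about 2800 kB pinned) for a 512 MB box; on a 16 MB box the cap, not the doubling, decides.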

===== GrSecurity options =====
{{page>linux:grsec#sysctl}}

About GrSecurity see [[linux:grsec#sysctl|this page]]

  
linux/sysctl.1139571530.txt.gz · Last modified: 2009/05/25 00:34 (external edit)
CC Attribution-Share Alike 4.0 International