-
-
Notifications
You must be signed in to change notification settings - Fork 14
/
sysctl.conf
189 lines (189 loc) · 11.1 KB
/
sysctl.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
# /etc/sysctl.conf
# Console logging level
kernel.printk = 4 4 1 7
# The value in this file represents the number of seconds the kernel waits before rebooting on a panic
kernel.panic = 10
# Disable magic keys
kernel.sysrq = 0
# This value can be used to query and set the run time limit on the maximum shared memory segment size that can be created.
kernel.shmmax = 4294967296
# This parameter sets the total amount of shared memory pages that can be used system wide.
kernel.shmall = 4194304
# The default coredump filename is "core". By setting core_uses_pid to 1, the coredump filename becomes core.PID.
kernel.core_uses_pid = 1
# Defines the maximum size in bytes of a single message queue.
kernel.msgmnb = 65536
# Defines the maximum allowable size in bytes of any single message in a message queue. This value must not exceed the size of the queue (msgmnb).
kernel.msgmax = 65536
# This control is used to define how aggressive the kernel will swap memory pages.
vm.swappiness = 20
# Contains, as a percentage of total available memory that contains free pages
# and reclaimable pages, the number of pages at which a process which is
# generating disk writes will itself start writing out dirty data.
vm.dirty_ratio = 80
# Contains, as a percentage of total available memory that contains free pages
# and reclaimable pages, the number of pages at which the background kernel
# flusher threads will start writing out dirty data.
vm.dirty_background_ratio = 5
# This value denotes the maximum number of file-
# handles that the Linux kernel will allocate.
fs.file-max = 2097152
# Maximum number of packets, queued on the INPUT side, when the interface
# receives packets faster than kernel can process them.
net.core.netdev_max_backlog = 262144
# The default setting of the socket receive buffer in bytes
net.core.rmem_default = 31457280
# The maximum receive socket buffer size in bytes.
net.core.rmem_max = 67108864
# The default setting (in bytes) of the socket send buffer.
net.core.wmem_default = 31457280
# The maximum send socket buffer size in bytes.
net.core.wmem_max = 67108864
# Limit of socket listen() backlog
net.core.somaxconn = 65535
# Maximum ancillary buffer size allowed per socket. Ancillary data is a sequence
# of struct cmsghdr structures with appended data.
net.core.optmem_max = 25165824
# Minimum number of stored ARP records is indicated which is not cleared.
net.ipv4.neigh.default.gc_thresh1 = 4096
# The amount after which the records begin to be cleaned after 5 seconds
net.ipv4.neigh.default.gc_thresh2 = 8192
# The amount upon reaching which the records begin to be cleared immediately
net.ipv4.neigh.default.gc_thresh3 = 16384
# How frequently the garbage collector for neighbour entries should attempt to run.
net.ipv4.neigh.default.gc_interval = 5
# Determines how often to check for stale neighbour entries. When a neighbour entry is considered stale it is resolved again before sending data to it.
net.ipv4.neigh.default.gc_stale_time = 120
# Size of connection tracking table.
net.netfilter.nf_conntrack_max = 10000000
# If it is set to zero, we disable picking up already established connections.
net.netfilter.nf_conntrack_tcp_loose = 0
# Timeout for established (in seconds)
net.netfilter.nf_conntrack_tcp_timeout_established = 1800
# Timeout for close (in seconds)
net.netfilter.nf_conntrack_tcp_timeout_close = 10
# Timeout for close wait (in seconds)
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
# Timeout for fin wait (in seconds)
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 20
# Timeout for last ack (in seconds)
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 20
# Timeout for syn recv (in seconds)
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 20
# Timeout for syn sent (in seconds)
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 20
# Timeout for time wait (in seconds)
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
# The congestion window size in MSS of a TCP connection after it has been idled (no segment received) for a period of one retransmission timeout (RTO).
net.ipv4.tcp_slow_start_after_idle = 0
# That defines the minimum and maximum port a networking connection can use as its source (local) port.
net.ipv4.ip_local_port_range = 1024 65000
# The maximum number of IPv4 routes allowed
net.ipv4.route.max_size = 8048576
# Ignore all incoming ICMP echo requests
net.ipv4.icmp_echo_ignore_all = 0
# Ignore ICMP echo requests to broadcast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Don't log invalid responses to broadcast
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Set the congestion control algorithm to be used for new connections.
# Possible values: reno (default), cubic, bic, htcp, vegas, westwood.
net.ipv4.tcp_congestion_control = htcp
# First param: below this number of pages TCP is not bothered about its memory appetite.
# Second param: when amount of memory allocated by TCP exceeds this number of pages, TCP moderates its memory consumption and enters memory
# pressure mode, which is exited when memory consumption falls under "min".
# Third param: Number of pages allowed for queueing by all TCP sockets.
net.ipv4.tcp_mem = 65536 131072 262144
# The same as above but for the UDP protocol.
net.ipv4.udp_mem = 65536 131072 262144
# First param: Minimal size of receive buffer used by TCP sockets. It is guaranteed to each TCP socket, even under moderate memory pressure.
# Second param: Initial size of receive buffer used by TCP sockets. This value overrides net.core.rmem_default used by other protocols.
# Third param: maximal size of receive buffer allowed for automatically selected receiver buffers for TCP socket.
# This value does not override net.core.rmem_max. Calling setsockopt() with SO_RCVBUF disables
# automatic tuning of that socket's receive buffer size, in which case this value is ignored.
net.ipv4.tcp_rmem = 4096 87380 33554432
# First param: Amount of memory reserved for send buffers for TCP sockets. Each TCP socket has rights to use it due to fact of its birth.
# Second param: initial size of send buffer used by TCP sockets.
# Third param: Maximal amount of memory allowed for automatically tuned send buffers for TCP sockets.
net.ipv4.tcp_wmem = 4096 87380 33554432
# Minimal size of receive buffer used by UDP sockets in moderation.
net.ipv4.udp_rmem_min = 16384
# Minimal size of send buffer used by UDP sockets in moderation.
net.ipv4.udp_wmem_min = 16384
# Maximal number of timewait sockets held by system simultaneously. If this number is exceeded time-wait socket is immediately destroyed
net.ipv4.tcp_max_tw_buckets = 1440000
# Enable or disable fast recycling of TIME_WAIT sockets. Known to cause some issues with hoststated (Load balancing and fail over)
net.ipv4.tcp_tw_recycle = 0
# This allows reusing sockets in TIME_WAIT state for new connections when it is safe from protocol viewpoint
net.ipv4.tcp_tw_reuse = 1
# Maximal number of TCP sockets not attached to any user file handle, held by system.
# If this number is exceeded orphaned connections are reset immediately and warning is printed.
net.ipv4.tcp_max_orphans = 400000
# Enable or disable window scaling as defined in RFC1323.
net.ipv4.tcp_window_scaling = 1
# If set, the TCP stack behaves conforming to RFC1337.
# If unset, we are not conforming to RFC, but prevent TCP TIME_WAIT assassination.
net.ipv4.tcp_rfc1337 = 1
# Send out syncookies when the syn backlog queue of a socket overflows. This is to prevent against the common 'SYN flood attack'
net.ipv4.tcp_syncookies = 1
# Number of times SYNACKs for a passive TCP connection attempt will be retransmitted.
net.ipv4.tcp_synack_retries = 1
# Number of times initial SYNs for an active TCP connection attempt will be retransmitted.
net.ipv4.tcp_syn_retries = 2
# Maximal number of remembered connection requests (SYN_RECV), which have not received an acknowledgment from connecting client.
net.ipv4.tcp_max_syn_backlog = 16384
# Enable or disable timestamps as defined in RFC1323 and use random offset for each connection rather than only using the current time.
net.ipv4.tcp_timestamps = 1
# Enable or disable select acknowledgments (SACKS)
net.ipv4.tcp_sack = 1
# Control use of Explicit Congestion Notification (ECN) by TCP. ECN is used only when both ends of the TCP connection indicate support for it.
# 0 Disable ECN
# 1 Enable ECN when requested by incoming connections and also request ECN on outgoing connection attempts.
# 2 Enable ECN when requested by incoming connections but do not request ECN on outgoing connections.
net.ipv4.tcp_ecn = 2
# The length of time an orphaned (no longer referenced by any application) connection will remain in the FIN_WAIT_2 state before it is aborted at the local end.
net.ipv4.tcp_fin_timeout = 10
# How often TCP sends out keepalive messages when keepalive is enabled.
net.ipv4.tcp_keepalive_time = 600
# How frequently the probes are send out. Multiplied by tcp_keepalive_probes it is time to kill not responding connection, after probes started.
net.ipv4.tcp_keepalive_intvl = 60
# How many keepalive probes TCP sends out, until it decides that the connection is broken.
net.ipv4.tcp_keepalive_probes = 10
# By default, TCP saves various connection metrics in the route cache when the connection closes, so that connections established in the
# near future can use these to set initial conditions. Usually, this increases overall performance, but may sometimes cause performance degradation.
# If set, TCP will not cache metrics on closing connections.
net.ipv4.tcp_no_metrics_save = 1
# Forward Packets between interfaces.
net.ipv4.ip_forward = 0
# Accept ICMP redirect messages. (0 = Disabled)
net.ipv4.conf.all.accept_redirects = 0
# Send redirects, if router. (0 = Disabled)
net.ipv4.conf.all.send_redirects = 0
# Accept packets with SRR option. (0 = Disabled)
net.ipv4.conf.all.accept_source_route = 0
# 0 - No source validation.
# 1 - Strict mode as defined in RFC3704 Strict Reverse Path
# Each incoming packet is tested against the FIB and if the interface
# is not the best reverse path the packet check will fail.
# By default failed packets are discarded.
# 2 - Loose mode as defined in RFC3704 Loose Reverse Path
# Each incoming packet's source address is also tested against the FIB
# and if the source address is not reachable via any interface
# the packet check will fail.
net.ipv4.conf.all.rp_filter = 1
# Do multicast routing (0 = Disabled)
net.ipv4.conf.all.mc_forwarding = 0
# Log packets with impossible addresses to kernel log.
net.ipv4.conf.all.log_martians = 1
# This option can be used to select the type of process address space randomization that is used in the system, for architectures that support this feature.
kernel.randomize_va_space = 1
# Exec Shield is a project that got started at Red Hat, Inc in late 2002 with the aim of reducing the risk of worm or other automated remote attacks on Linux systems.
kernel.exec-shield = 1
# Disable proxy arp
net.ipv4.conf.all.proxy_arp = 0
# Enable secure redirects, i.e. only accept ICMP redirects for gateways
net.ipv4.conf.all.secure_redirects = 1
# Disable bootp_relay
net.ipv4.conf.all.bootp_relay = 0
# Ensure that subsequent connections use the new values
net.ipv4.route.flush = 1