-
Notifications
You must be signed in to change notification settings - Fork 88
/
sysctl.conf
184 lines (131 loc) · 6.08 KB
/
sysctl.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
### KERNEL TUNING ###
# Increase size of file handles and inode cache
fs.file-max = 1000000
# Do less swapping
vm.swappiness = 10
vm.dirty_ratio = 60
vm.dirty_background_ratio = 2
# Sets the time before the kernel considers migrating a process to another core
kernel.sched_migration_cost_ns = 5000000
### GENERAL NETWORK SECURITY OPTIONS ###
# Number of times SYNACKs for passive TCP connection.
net.ipv4.tcp_synack_retries = 2
# Control Syncookies, asociated with security
net.ipv4.tcp_syncookies = 0
# How many times to try to retransmit the initial SYN packet for an active TCP connection attempt.
net.ipv4.tcp_syn_retries = 2
# Maximum number of remembered connection requests, which are still did not receive an acknowledgment
# from connecting client.
net.ipv4.tcp_max_syn_backlog = 4096
# Allowed local port range
net.ipv4.ip_local_port_range = 1024 65535
# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
# Protect Against TCP Time-Wait
net.ipv4.tcp_rfc1337 = 1
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# The maximum number of packets which may be queued for each unresolved address by other network layers.
net.ipv4.neigh.default.unres_qlen = 101
# Size of connection tracking table. Default value is nf_conntrack_buckets value * 4.
net.netfilter.nf_conntrack_max = 1048576
### TUNING NETWORK PERFORMANCE ###
# Increase number of incoming connections
net.core.somaxconn = 65535
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 25165824
# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 65536
# Maximum number of packets taken from all interfaces in one polling cycle (NAPI poll).
net.core.netdev_budget = 500
# Maximum Socket Send Buffer
net.core.wmem_max = 33554432
# Default Socket Send Buffer
net.core.wmem_default = 31457280
# Maximum Socket Receive Buffer
net.core.rmem_max = 33554432
# Default Socket Receive Buffer
net.core.rmem_default = 31457280
# The default queuing discipline to use for network devices. This allows
# overriding the default of pfifo_fast with an alternative. Since the default
# queuing discipline is created without additional parameters so is best suited
# to queuing disciplines that work well without configuration like stochastic
# fair queue (sfq), CoDel (codel) or fair queue CoDel (fq_codel).
net.core.default_qdisc = fq_codel
# The maximum number of packets that kernel can handle on a NAPI interrupt, it's a Per-CPU variable.
net.core.dev_weight = 64
# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 4096 5242880 33554432
net.ipv4.udp_wmem_min = 16384
# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 4096 5242880 33554432
# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
# Number of orphans
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
# Increase the maximum total buffer-space allocatable
# This is measured in units of pages (4096 bytes)
net.ipv4.tcp_mem = 786432 1048576 26777216
net.ipv4.udp_mem = 65536 131072 262144
# Minimal size, in bytes, of receive buffers used by UDP sockets in moderation.
net.ipv4.udp_rmem_min = 16384
# If set, provide RFC2861 behavior and time out the congestion window after an
# idle period. An idle period is defined at the current RTO. If unset, the
# congestion window will not be timed out after an idle period. Default: 1
net.ipv4.tcp_slow_start_after_idle = 0
# By default, TCP saves various connection metrics in the route cache when
# the connection closes, so that connections established in the near future
# can use these to set initial conditions.
net.ipv4.tcp_no_metrics_save = 0
# Enable IP forwarding
net.ipv4.ip_forward = 1
# Enable timestamps as defined in RFC1323
net.ipv4.tcp_timestamps = 1
# Enable window scaling as defined in RFC1323
net.ipv4.tcp_window_scaling = 1
# Enable reuse of TIME-WAIT sockets for new connections when it is safe from protocol viewpoint.
# 0 - disable
# 1 - global enable
# 2 - enable for loopback traffic only
net.ipv4.tcp_tw_reuse = 1
# Maximum memory used to reassemble IP fragments before the kernel begins to remove incomplete fragment
# queues to free up resources.
net.ipv4.ipfrag_low_thresh = 196608
# Time in seconds to keep an IP fragment in memory.
net.ipv4.ipfrag_time = 30
# Count buffering overhead as bytes/2^tcp_adv_win_scale
# (if tcp_adv_win_scale > 0) or bytes-bytes/2^(-tcp_adv_win_scale),
# if it is <= 0.
# Possible values are [-31, 31], inclusive.
# Default: 1
net.ipv4.tcp_adv_win_scale = 3
# Enable select acknowledgments (SACKS)
net.ipv4.tcp_sack = 1
# Maximum time-to-live of entries in seconds
net.ipv4.inet_peer_maxttl = 600
# Minimum time-to-live of entries in seconds
net.ipv4.inet_peer_minttl = 120
# The approximate size of the storage
net.ipv4.inet_peer_threshold = 65664
# Accept packets with SRR option conf/all/accept_source_route must also be set to TRUE to accept packets
# with SRR option on the interface. Default TRUE (router), FALSE (host)
net.ipv4.conf.all.accept_source_route = 0
# Network types
# low latency, high bandwidth - htcp, default = cubic
# Set the congestion control algorithm to be used for new connections. The algorithm "reno" is always available, but
# additional choices may be available based on kernel configuration. Default is set as part of kernel configuration.
# For passive connections, the listener congestion control choice is inherited.
# [see setsockopt(listenfd, SOL_TCP, TCP_CONGESTION, "name" ...) ]
net.ipv4.tcp_congestion_control = htcp
# TCP queue length
net.ipv4.neigh.default.proxy_qlen = 64
# Disable IPv6, Note that you must list all of the targeted interfaces explicitly, as disabling all.disable_ipv6
# does not apply to interfaces that are already "up" when sysctl settings are applied. Note 2, if disabling IPv6
# by sysctl, you should comment out the IPv6 hosts in your /etc/hosts
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1