config/etc/sysctl.conf

   1 net.ipv4.ip_forward = 1
   2 net.ipv4.ip_dynaddr = 1
   3
   4 net.ipv4.icmp_echo_ignore_broadcasts = 1
   5 net.ipv4.icmp_ignore_bogus_error_responses = 1
   6 net.ipv4.icmp_ratelimit = 1000
   7 net.ipv4.icmp_ratemask = 6168
   8
   9 net.ipv4.tcp_syncookies = 1
  10 net.ipv4.tcp_fin_timeout = 30
  11 net.ipv4.tcp_syn_retries = 3
  12 net.ipv4.tcp_synack_retries = 3
  13
  14 net.ipv4.conf.default.arp_filter = 1
  15 net.ipv4.conf.default.rp_filter = 1
  16 net.ipv4.conf.default.accept_redirects = 0
  17 net.ipv4.conf.default.accept_source_route = 0
  18 net.ipv4.conf.default.log_martians = 1
  19
  20 net.ipv4.conf.all.arp_filter = 1
  21 net.ipv4.conf.all.rp_filter = 1
  22 net.ipv4.conf.all.accept_redirects = 0
  23 net.ipv4.conf.all.accept_source_route = 0
  24 net.ipv4.conf.all.log_martians = 1
  25
  26 kernel.printk = 1 4 1 7
  27 vm.mmap_min_addr = 4096
  28 vm.min_free_kbytes = 8192
  29
  30 # Disable IPv6 by default.
  31 net.ipv6.conf.all.disable_ipv6 = 1
  32 net.ipv6.conf.default.disable_ipv6 = 1
  33
  34 # Enable netfilter accounting
  35 net.netfilter.nf_conntrack_acct = 1
  36
  37 # Disable netfilter on bridges.
  38 net.bridge.bridge-nf-call-ip6tables = 0
  39 net.bridge.bridge-nf-call-iptables = 0
  40 net.bridge.bridge-nf-call-arptables = 0
  41
  42 # Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
  43 # from loading vulnerable line disciplines with the TIOCSETD ioctl.
  44 dev.tty.ldisc_autoload = 0
  45
  46 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
  47 kernel.kptr_restrict = 2
  48
  49 # Avoid kernel memory address exposures via dmesg.
  50 kernel.dmesg_restrict = 1
  51
  52 # Turn on hard- and symlink protection
  53 fs.protected_symlinks = 1
  54 fs.protected_hardlinks = 1
  55
  56 # Don't allow writes to files and FIFOs that we don't own in world writable sticky
  57 # directories, unless they are owned by the owner of the directory.
  58 fs.protected_fifos = 2
  59 fs.protected_regular = 2
  60
  61 # If a workload mostly uses anonymous memory and it hits this limit, the entire
  62 # working set is buffered for I/O, and any more write buffering would require
  63 # swapping, so it's time to throttle writes until I/O can catch up.  Workloads
  64 # that mostly use file mappings may be able to use even higher values.
  65 #
  66 # The generator of dirty data starts writeback at this percentage (system default
  67 # is 20%)
  68 vm.dirty_ratio = 10
  69
  70 # Start background writeback (via writeback threads) at this percentage (system
  71 # default is 10%)
  72 vm.dirty_background_ratio = 3
  73
  74 # The swappiness parameter controls the tendency of the kernel to move
  75 # processes out of physical memory and onto the swap disk.
  76 # 0 tells the kernel to avoid swapping processes out of physical memory
  77 # for as long as possible
  78 # 100 tells the kernel to aggressively swap processes out of physical memory
  79 # and move them to swap cache
  80 vm.swappiness = 1
  81
  82 # Increase kernel buffer size maximums
  83 net.ipv4.tcp_mem = 16777216 16777216 16777216
  84 net.ipv4.tcp_rmem = 4096 87380 16777216
  85 net.ipv4.tcp_wmem = 4096 16384 16777216
  86 net.ipv4.udp_mem = 3145728 4194304 16777216
  87
  88 # Prefer low latency over higher throughput
  89 net.ipv4.tcp_low_latency = 1
  90
  91 # Reserve more socket space for the TCP window
  92 net.ipv4.tcp_adv_win_scale = 2
  93
  94 # Enable TCP fast-open
  95 net.ipv4.tcp_fastopen = 3
  96
  97 # Drop RST packets for sockets in TIME-WAIT state, as described in RFC 1337.
  98 # This protects against various TCP attacks, such as DoS against or injection
  99 # of arbitrary segments into prematurely closed connections.
 100 net.ipv4.tcp_rfc1337 = 1
 101
 102 # Include PID in file names of generated core dumps
 103 kernel.core_uses_pid = 1
 104
 105 # Block non-uid-0 profiling
 106 kernel.perf_event_paranoid = 3