[people/pmueller/ipfire-2.x.git] / config / etc / sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.ip_dynaddr = 1

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 3

net.ipv4.conf.default.arp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.log_martians = 1

net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1

kernel.printk = 1 4 1 7
vm.mmap_min_addr = 4096
vm.min_free_kbytes = 8192

# Disable IPv6 by default.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Enable netfilter accounting
net.netfilter.nf_conntrack_acct = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 2

# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1

# Turn on hard- and symlink protection
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

# Don't allow writes to files and FIFOs that we don't own in world writable sticky
# directories, unless they are owned by the owner of the directory.
fs.protected_fifos = 2
fs.protected_regular = 2

# Minimal preemption granularity for CPU-bound tasks:
# (default: 1 msec#  (1 + ilog(ncpus)), units: nanoseconds)
kernel.sched_min_granularity_ns = 10000000

# If a workload mostly uses anonymous memory and it hits this limit, the entire
# working set is buffered for I/O, and any more write buffering would require
# swapping, so it's time to throttle writes until I/O can catch up.  Workloads
# that mostly use file mappings may be able to use even higher values.
#
# The generator of dirty data starts writeback at this percentage (system default
# is 20%)
vm.dirty_ratio = 10

# Start background writeback (via writeback threads) at this percentage (system
# default is 10%)
vm.dirty_background_ratio = 3

# The swappiness parameter controls the tendency of the kernel to move
# processes out of physical memory and onto the swap disk.
# 0 tells the kernel to avoid swapping processes out of physical memory
# for as long as possible
# 100 tells the kernel to aggressively swap processes out of physical memory
# and move them to swap cache
vm.swappiness = 1

# The total time the scheduler will consider a migrated process
# "cache hot" and thus less likely to be re-migrated
# (system default is 500000, i.e. 0.5 ms)
kernel.sched_migration_cost_ns = 5000000

# Increase kernel buffer size maximums
net.ipv4.tcp_mem = 16777216 16777216 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 16384 16777216
net.ipv4.udp_mem = 3145728 4194304 16777216

# Prefer low latency over higher throughput
net.ipv4.tcp_low_latency = 1

# Reserve more socket space for the TCP window
net.ipv4.tcp_adv_win_scale = 2

# Enable TCP fast-open
net.ipv4.tcp_fastopen = 3

# Drop RST packets for sockets in TIME-WAIT state, as described in RFC 1337.
# This protects against various TCP attacks, such as DoS against or injection
# of arbitrary segments into prematurely closed connections.
net.ipv4.tcp_rfc1337 = 1
Commit	Line	Data
cd1a2927 MT	1	net.ipv4.ip_forward = 1
cd1a2927 MT	2	net.ipv4.ip_dynaddr = 1
fa822954	3
cd1a2927 MT	4	net.ipv4.icmp_echo_ignore_broadcasts = 1
cd1a2927 MT	5	net.ipv4.icmp_ignore_bogus_error_responses = 1
32c6ebdc MT	6	net.ipv4.icmp_ratelimit = 1000
32c6ebdc MT	7	net.ipv4.icmp_ratemask = 6168
cd1a2927	8
cd1a2927 MT	9	net.ipv4.tcp_syncookies = 1
cd1a2927 MT	10	net.ipv4.tcp_fin_timeout = 30
cd1a2927 MT	11	net.ipv4.tcp_syn_retries = 3
	12	net.ipv4.tcp_synack_retries = 3
	13
ed37f707	14	net.ipv4.conf.default.arp_filter = 1
cd1a2927 MT	15	net.ipv4.conf.default.rp_filter = 0
	16	net.ipv4.conf.default.accept_redirects = 0
	17	net.ipv4.conf.default.accept_source_route = 0
	18	net.ipv4.conf.default.log_martians = 1
	19
ed37f707	20	net.ipv4.conf.all.arp_filter = 1
cd1a2927 MT	21	net.ipv4.conf.all.rp_filter = 0
	22	net.ipv4.conf.all.accept_redirects = 0
	23	net.ipv4.conf.all.accept_source_route = 0
	24	net.ipv4.conf.all.log_martians = 1
	25
	26	kernel.printk = 1 4 1 7
dc931fba	27	vm.mmap_min_addr = 4096
d1605d08	28	vm.min_free_kbytes = 8192
a30c7aa3 MT	29
	30	# Disable IPv6 by default.
	31	net.ipv6.conf.all.disable_ipv6 = 1
	32	net.ipv6.conf.default.disable_ipv6 = 1
1108a15c MT	33
1108a15c MT	34	# Enable netfilter accounting
dc5a89c9	35	net.netfilter.nf_conntrack_acct = 1
0f1cda21 JS	36
	37	# Disable netfilter on bridges.
	38	net.bridge.bridge-nf-call-ip6tables = 0
	39	net.bridge.bridge-nf-call-iptables = 0
	40	net.bridge.bridge-nf-call-arptables = 0
373590b7 PM	41
373590b7 PM	42	# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
d5fe3322	43	kernel.kptr_restrict = 2
373590b7 PM	44
	45	# Avoid kernel memory address exposures via dmesg.
	46	kernel.dmesg_restrict = 1
d03916e5	47
29a8992b PM	48	# Turn on hard- and symlink protection
	49	fs.protected_symlinks = 1
	50	fs.protected_hardlinks = 1
	51
b7b65e73 PM	52	# Don't allow writes to files and FIFOs that we don't own in world writable sticky
	53	# directories, unless they are owned by the owner of the directory.
	54	fs.protected_fifos = 2
	55	fs.protected_regular = 2
	56
d03916e5 MT	57	# Minimal preemption granularity for CPU-bound tasks:
	58	# (default: 1 msec# (1 + ilog(ncpus)), units: nanoseconds)
	59	kernel.sched_min_granularity_ns = 10000000
	60
	61	# If a workload mostly uses anonymous memory and it hits this limit, the entire
	62	# working set is buffered for I/O, and any more write buffering would require
	63	# swapping, so it's time to throttle writes until I/O can catch up. Workloads
	64	# that mostly use file mappings may be able to use even higher values.
	65	#
	66	# The generator of dirty data starts writeback at this percentage (system default
	67	# is 20%)
	68	vm.dirty_ratio = 10
	69
	70	# Start background writeback (via writeback threads) at this percentage (system
	71	# default is 10%)
	72	vm.dirty_background_ratio = 3
	73
	74	# The swappiness parameter controls the tendency of the kernel to move
	75	# processes out of physical memory and onto the swap disk.
	76	# 0 tells the kernel to avoid swapping processes out of physical memory
	77	# for as long as possible
	78	# 100 tells the kernel to aggressively swap processes out of physical memory
	79	# and move them to swap cache
	80	vm.swappiness = 1
	81
	82	# The total time the scheduler will consider a migrated process
	83	# "cache hot" and thus less likely to be re-migrated
	84	# (system default is 500000, i.e. 0.5 ms)
	85	kernel.sched_migration_cost_ns = 5000000
	86
	87	# Increase kernel buffer size maximums
58b3c9b5	88	net.ipv4.tcp_mem = 16777216 16777216 16777216
d03916e5 MT	89	net.ipv4.tcp_rmem = 4096 87380 16777216
	90	net.ipv4.tcp_wmem = 4096 16384 16777216
	91	net.ipv4.udp_mem = 3145728 4194304 16777216
	92
58b3c9b5	93	# Prefer low latency over higher throughput
dc5a89c9	94	net.ipv4.tcp_low_latency = 1
58b3c9b5 MT	95
58b3c9b5 MT	96	# Reserve more socket space for the TCP window
dc5a89c9	97	net.ipv4.tcp_adv_win_scale = 2
58b3c9b5	98
d03916e5 MT	99	# Enable TCP fast-open
d03916e5 MT	100	net.ipv4.tcp_fastopen = 3
dc5a89c9 PM	101
	102	# Drop RST packets for sockets in TIME-WAIT state, as described in RFC 1337.
	103	# This protects against various TCP attacks, such as DoS against or injection
	104	# of arbitrary segments into prematurely closed connections.
	105	net.ipv4.tcp_rfc1337 = 1