Created
April 10, 2015 15:26
-
-
Save jackyyf/ff6044648f461a505ae4 to your computer and use it in GitHub Desktop.
Gist by paste.py @ 2015-04-10 23:26:17.734757
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# /etc/sysctl.conf - Configuration file for setting system variables | |
# See /etc/sysctl.d/ for additonal system variables | |
# See sysctl.conf (5) for information. | |
# | |
#kernel.domainname = example.com | |
# Uncomment the following to stop low-level messages on console | |
#kernel.printk = 3 4 1 3 | |
##############################################################3 | |
# Functions previously found in netbase | |
# | |
# Uncomment the next two lines to enable Spoof protection (reverse-path filter) | |
# Turn on Source Address Verification in all interfaces to | |
# prevent some spoofing attacks | |
#net.ipv4.conf.default.rp_filter=1 | |
#net.ipv4.conf.all.rp_filter=1 | |
# Uncomment the next line to enable TCP/IP SYN cookies | |
# See http://lwn.net/Articles/277146/ | |
# Note: This may impact IPv6 TCP sessions too | |
#net.ipv4.tcp_syncookies=1 | |
# Uncomment the next line to enable packet forwarding for IPv4 | |
net.ipv4.ip_forward=1 | |
# Uncomment the next line to enable packet forwarding for IPv6 | |
# Enabling this option disables Stateless Address Autoconfiguration | |
# based on Router Advertisements for this host | |
net.ipv6.conf.all.forwarding=1 | |
################################################################### | |
# Additional settings - these settings can improve the network | |
# security of the host and prevent against some network attacks | |
# including spoofing attacks and man in the middle attacks through | |
# redirection. Some network environments, however, require that these | |
# settings are disabled so review and enable them as needed. | |
# | |
# Do not accept ICMP redirects (prevent MITM attacks) | |
#net.ipv4.conf.all.accept_redirects = 0 | |
#net.ipv6.conf.all.accept_redirects = 0 | |
# _or_ | |
# Accept ICMP redirects only for gateways listed in our default | |
# gateway list (enabled by default) | |
# net.ipv4.conf.all.secure_redirects = 1 | |
# | |
# Do not send ICMP redirects (we are not a router) | |
#net.ipv4.conf.all.send_redirects = 0 | |
# | |
# Do not accept IP source route packets (we are not a router) | |
#net.ipv4.conf.all.accept_source_route = 0 | |
#net.ipv6.conf.all.accept_source_route = 0 | |
# | |
# Log Martian Packets | |
#net.ipv4.conf.all.log_martians = 1 | |
# | |
# Prefer empty disk cache instead of using swap. | |
vm.swappiness = 2 | |
# Reserve 64M RAM for kernel | |
vm.min_free_kbytes = 65536 | |
# Per socket read/write buffer size. | |
net.core.rmem_max = 8388608 | |
net.core.wmem_max = 4194304 | |
net.ipv4.tcp_rmem = 16384 262144 8388608 | |
net.ipv4.tcp_wmem = 8192 131072 4194304 | |
# Max global SYN_RECV connections | |
net.ipv4.tcp_max_syn_backlog = 16384 | |
# Max queued packets for kernel handing | |
net.core.netdev_max_backlog = 4096 | |
# Max per-socket SYN_RECV connections | |
net.core.somaxconn = 2048 | |
# Max global TIME_WAIT connections. | |
net.ipv4.tcp_max_tw_buckets = 131072 | |
# Refer to this article: https://en.wikipedia.org/wiki/TCP_congestion-avoidance_algorithm | |
net.ipv4.tcp_congestion_control = westwood | |
# Enlarge max pids | |
kernel.pid_max = 4194303 | |
# Enlarge max connections, since there may be many connections from many clients. | |
net.ipv4.netfilter.ip_conntrack_max = 1048576 | |
# TCP connection timed out after 2 hour of inactivity, which should be long enough for normal use. | |
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 7200 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment