Created
July 23, 2015 10:38
-
-
Save mhahl/1999767c09d337d3e056 to your computer and use it in GitHub Desktop.
Router sysctl.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # sysctl settings are defined through files in | |
| # /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/. | |
| # | |
| # Vendors settings live in /usr/lib/sysctl.d/. | |
| # To override a whole file, create a new file with the same in | |
| # /etc/sysctl.d/ and put new settings there. To override | |
| # only specific settings, add a file with a lexically later | |
| # name in /etc/sysctl.d/ and put new settings there. | |
| # | |
| # For more information, see sysctl.conf(5) and sysctl.d(5). | |
| # Controls IP packet forwarding | |
| net.ipv4.ip_forward = 1 | |
| # Do accept source routing | |
| net.ipv4.conf.default.accept_source_route = 1 | |
| # Controls the System Request debugging functionality of the kernel | |
| kernel.sysrq = 0 | |
| # Controls whether core dumps will append the PID to the core filename | |
| # Useful for debugging multi-threaded applications | |
| kernel.core_uses_pid = 1 | |
| # Number of times SYNACKs for a passive TCP connection attempt will | |
| # be retransmitted. | |
| net.ipv4.tcp_synack_retries = 2 | |
| # Send redirects, if router, but this is just server | |
| net.ipv4.conf.all.send_redirects = 1 | |
| net.ipv4.conf.default.send_redirects = 1 | |
| # Accept packets with SRR option? No | |
| net.ipv4.conf.all.accept_source_route = 1 | |
| net.ipv4.tcp_window_scaling = 1 | |
| # Accept Redirects? No, this is not router | |
| net.ipv4.conf.all.accept_redirects = 1 | |
| net.ipv4.conf.all.secure_redirects = 1 | |
| # Log packets with impossible addresses to kernel log? yes | |
| net.ipv4.conf.all.log_martians = 1 | |
| net.ipv4.conf.default.accept_source_route = 1 | |
| net.ipv4.conf.default.accept_redirects = 1 | |
| net.ipv4.conf.default.secure_redirects = 1 | |
| # Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| # Prevent against the common 'syn flood attack' | |
| net.ipv4.tcp_syncookies = 1 | |
| # Enable source validation by reversed path, as specified in RFC1812 | |
| net.ipv4.conf.all.rp_filter = 2 | |
| net.ipv4.conf.default.rp_filter = 2 | |
| # reuse/recycle time-wait sockets (this is often needed on busy servers) | |
| net.ipv4.tcp_tw_reuse = 1 | |
| net.ipv4.tcp_tw_recycle = 1 | |
| net.ipv4.tcp_fin_timeout = 15 | |
| net.ipv4.tcp_keepalive_time = 360 | |
| net.ipv4.tcp_window_scaling = 1 | |
| net.ipv4.tcp_sack = 1 | |
| net.ipv4.tcp_fack = 1 | |
| net.ipv4.tcp_timestamps = 1 | |
| # Disable ipv6 | |
| net.ipv6.conf.all.disable_ipv6 = 1 | |
| net.ipv6.conf.default.disable_ipv6 = 1 | |
| net.ipv6.conf.lo.disable_ipv6 = 1 | |
| kernel.randomize_va_space = 2 | |
| # TCP and memory optimization (doesnt this increase buffer bloat!?) | |
| # increase TCP max buffer size setable using setsockopt() | |
| net.ipv4.tcp_rmem = 4096 87380 16777216 | |
| net.ipv4.tcp_wmem = 4096 87380 16777216 | |
| # increase Linux auto tuning TCP buffer limits | |
| net.core.rmem_max = 16777216 | |
| net.core.wmem_max = 16777216 | |
| net.core.netdev_max_backlog = 5000 | |
| net.ipv4.tcp_window_scaling = 1 | |
| # Buffer bloat ftl | |
| net.ipv4.tcp_ecn=1 | |
| net.ipv4.tcp_sack=1 | |
| net.ipv4.tcp_dsack=1 | |
| # increase system file descriptor limit | |
| # increase system file descriptor limit | |
| fs.file-max = 65535 | |
| # Allow for more PIDs | |
| kernel.pid_max = 65536 | |
| # Increase system IP port limits | |
| net.ipv4.ip_local_port_range = 2000 65000 | |
| # Help prevent TOCTOU vulnerabilities | |
| fs.protected_hardlinks = 1 | |
| fs.protected_symlinks = 1 | |
| # drop RST packets for sockets in the time-wait state | |
| net.ipv4.tcp_rfc1337 = 1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment