authorBertrand Jacquin <bertrand@jacquin.bzh>2018-08-04 11:18:08 +0100
committerBertrand Jacquin <bertrand@jacquin.bzh>2018-08-06 00:58:09 +0100
commitf42059a82316c0cd46b1b35eb872dd211a561e32 (patch)
treedac5368fb644d9fdcbf271f251eea7b1b53d0a14 /factory-default
parentprofiles/desktop: Bump app-admin/pass keyword (diff)
factory-default: Add default sysctl.conf for sys-apps/baselayout
Diffstat (limited to 'factory-default')
-rw-r--r--factory-default/sys-apps/baselayout/etc/sysctl.conf158
1 files changed, 158 insertions, 0 deletions
diff --git a/factory-default/sys-apps/baselayout/etc/sysctl.conf b/factory-default/sys-apps/baselayout/etc/sysctl.conf
new file mode 100644
index 00000000..336a9b26
--- /dev/null
+++ b/factory-default/sys-apps/baselayout/etc/sysctl.conf
@@ -0,0 +1,158 @@
+# /etc/sysctl.conf
+#
+# For more information on how this file works, please see
+# the manpages sysctl(8) and sysctl.conf(5).
+#
+# In order for this file to work properly, you must first
+# enable 'Sysctl support' in the kernel.
+#
+# Look in /proc/sys/ for all the things you can setup.
+
+# Enable Magic SysRQ Trigger
+kernel.sysrq = 1
+
+# When the kernel panics, automatically reboot in 5 seconds
+kernel.panic = 5
+
+# Make the processes addresses of mmap base, stack and VDSO page
+# randomized. This, among other things, implies that shared libraries
+# will be loaded to random addresses. Also for PIE-linked binaries, the
+# location of code start is randomized. Additionally enable heap
+# randomization.
+kernel.randomize_va_space = 2
+
+# Uses a "never overcommit" policy that attempts to prevent any overcommit
+# of memory
+vm.overcommit_memory = 2
+
+# The committed address space is not permitted to exceed swap plus this
+# percentage of physical RAM
+vm.overcommit_ratio = 75
+
+# Serves as a higher bound for all of the system's SYN backlogs. Put it at
+# least as high as tcp_max_syn_backlog, otherwise clients may experience
+# difficulties to connect at high rates or under SYN attacks. Default: 128
+net.core.somaxconn = 32767
+
+# Maximum number of packets, queued on the INPUT side, when the
+# interface receives packets faster than kernel can process them.
+net.core.netdev_max_backlog = 5000
+
+# Disable packet forwarding
+net.ipv4.ip_forward = 0
+
+# Disable IP dynaddr
+net.ipv4.ip_dynaddr = 0
+
+# Respond to ARP request from incoming interface
+net.ipv4.conf.all.arp_filter = 1
+net.ipv4.conf.default.arp_filter = 1
+
+# Use the best local address for annoucing local IP
+net.ipv4.conf.all.arp_announce = 2
+net.ipv4.conf.default.arp_announce = 2
+
+# Reply to ARP request that come from the right interface
+net.ipv4.conf.all.arp_ignore = 2
+net.ipv4.conf.default.arp_ignore = 2
+
+# Send ARP gratuitous on IP changes
+net.ipv4.conf.all.arp_notify = 1
+net.ipv4.conf.default.arp_notify = 1
+
+# Disable redirects
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+
+# Disable sending redirects
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+# Disable secure redirects
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+
+# Disable source route
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+
+# Enable source route verification
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Log bad packet
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Ignore ICMP broadcasts
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Ignore bogus responses to broadcast
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Enable SYN cookies
+net.ipv4.tcp_syncookies = 1
+
+# Enable ECN server side
+net.ipv4.tcp_ecn = 2
+
+# Enable reuse TIME-WAIT sockets for new connections
+net.ipv4.tcp_tw_reuse = 1
+
+# Enable TCP Fast Open
+net.ipv4.tcp_fastopen = 3
+
+# Limit the per-socket default receive/send buffers to limit memory usage
+# when running with a lot of concurrent connections. Values are in bytes
+# and represent minimum, default and maximum. Defaults: 4096 87380 4194304
+net.ipv4.tcp_rmem = 4096 87380 1048576
+net.ipv4.tcp_wmem = 4096 87380 1048576
+
+# Extend the source port range for outgoing TCP connections. This limits early
+# port reuse and makes use of 64000 source ports. Defaults: 32768 61000
+net.ipv4.ip_local_port_range = 1024 65534
+
+# Increase the TCP SYN backlog size. This is generally required to support very
+# high connection rates as well as to resist SYN flood attacks. Setting it too
+# high will delay SYN cookie usage though. Defaults: 1024
+net.ipv4.tcp_max_syn_backlog = 32767
+
+# Timeout in seconds for the TCP FIN_WAIT state. Lowering it speeds up release
+# of dead connections, though it will cause issues below 25-30 seconds. It is
+# preferable not to change it if possible. Default: 60
+net.ipv4.tcp_fin_timeout = 30
+
+# Limit the number of outgoing SYN-ACK retries. This value is a direct
+# amplification factor of SYN floods, so it is important to keep it reasonably
+# low. However, too low will prevent clients on lossy networks from connecting.
+# Using 3 as a default value gives good results (4 SYN-ACK total) and lowering
+# it to 1 under SYN flood attack can save a lot of bandwidth. Default: 5
+net.ipv4.tcp_synack_retries = 3
+
+# Set this to one to allow local processes to bind to an IP which is not yet
+# present on the system. This is typically what happens with a shared VRRP
+# address, where you want both master and backup to be started eventhough the
+# IP is not yet present. Always leave it to 1. Default: 0
+net.ipv4.ip_nonlocal_bind = 1
+
+# How often TCP sends out keepalive messages
+net.ipv4.tcp_keepalive_time = 60
+
+# Disable IPv6, except for loopback
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 0
+
+# Restrict use of the IPv6 socket to IPv6 communication
+net.ipv6.bindv6only = 1
+
+# Size of connection tracking table
+net.netfilter.nf_conntrack_max = 1048576
+
+# Maximum size of expectation table
+net.netfilter.nf_conntrack_expect_max = 65536
+
+# Log packets of any protocol
+net.netfilter.nf_conntrack_log_invalid = 255
+
+# Enable automatic conntrack helper assignment
+net.netfilter.nf_conntrack_helper = 1
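Review bot: `net.netfilter.nf_conntrack_helper = 1` on the last line re-enables automatic conntrack helper assignment, which the kernel has turned off by default for security reasons because a helper is then attached purely on destination port and can be tricked into opening expectation holes in the firewall; prefer `net.netfilter.nf_conntrack_helper = 0` and attach helpers explicitly with the iptables CT target. `kernel.sysrq = 1` near the top enables every SysRq function, including the memory and task dumps and the process-kill keys; a bitmask such as `kernel.sysrq = 176` keeps sync, remount read-only and reboot/poweroff while dropping the rest. `net.ipv6.conf.all.disable_ipv6 = 1` is not paired with a `default` entry the way every other all/default pair in this file is, so an interface brought up after sysctl runs gets the kernel default; add `net.ipv6.conf.default.disable_ipv6 = 1` next to it. The `net.netfilter.*` keys only exist once nf_conntrack is loaded, so they silently fail to apply if this file is processed before the module; a comment above that group stating the dependency would save the next reader a surprise.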