From f42059a82316c0cd46b1b35eb872dd211a561e32 Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin
Date: Sat, 4 Aug 2018 11:18:08 +0100
Subject: factory-default: Add default sysctl.conf for sys-apps/baselayout
---
 .../sys-apps/baselayout/etc/sysctl.conf | 158 +++++++++++++++++++++
 1 file changed, 158 insertions(+)
 create mode 100644 factory-default/sys-apps/baselayout/etc/sysctl.conf
(limited to 'factory-default')
diff --git a/factory-default/sys-apps/baselayout/etc/sysctl.conf b/factory-default/sys-apps/baselayout/etc/sysctl.conf
new file mode 100644
index 00000000..336a9b26
--- /dev/null
+++ b/factory-default/sys-apps/baselayout/etc/sysctl.conf
@@ -0,0 +1,158 @@
+# /etc/sysctl.conf
+#
+# For more information on how this file works, please see
+# the manpages sysctl(8) and sysctl.conf(5).
+#
+# In order for this file to work properly, you must first
+# enable 'Sysctl support' in the kernel.
+#
+# Look in /proc/sys/ for all the things you can setup.
+
+# Enable Magic SysRQ Trigger
+kernel.sysrq = 1
+
+# When the kernel panics, automatically reboot in 5 seconds
+kernel.panic = 5
+
+# Make the processes addresses of mmap base, stack and VDSO page
+# randomized. This, among other things, implies that shared libraries
+# will be loaded to random addresses. Also for PIE-linked binaries, the
+# location of code start is randomized. Additionally enable heap
+# randomization.
+kernel.randomize_va_space = 2
+
+# Uses a "never overcommit" policy that attempts to prevent any overcommit
+# of memory
+vm.overcommit_memory = 2
+
+# The committed address space is not permitted to exceed swap plus this
+# percentage of physical RAM
+vm.overcommit_ratio = 75
+
+# Serves as a higher bound for all of the system's SYN backlogs. Put it at
+# least as high as tcp_max_syn_backlog, otherwise clients may experience
+# difficulties to connect at high rates or under SYN attacks. Default: 128
+net.core.somaxconn = 32767
+
+# Maximum number of packets, queued on the INPUT side, when the
+# interface receives packets faster than kernel can process them.
+net.core.netdev_max_backlog = 5000
+
+# Disable packet forwarding
+net.ipv4.ip_forward = 0
+
+# Disable IP dynaddr
+net.ipv4.ip_dynaddr = 0
+
+# Respond to ARP request from incoming interface
+net.ipv4.conf.all.arp_filter = 1
+net.ipv4.conf.default.arp_filter = 1
+
+# Use the best local address for annoucing local IP
+net.ipv4.conf.all.arp_announce = 2
+net.ipv4.conf.default.arp_announce = 2
+
+# Reply to ARP request that come from the right interface
+net.ipv4.conf.all.arp_ignore = 2
+net.ipv4.conf.default.arp_ignore = 2
+
+# Send ARP gratuitous on IP changes
+net.ipv4.conf.all.arp_notify = 1
+net.ipv4.conf.default.arp_notify = 1
+
+# Disable redirects
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+
+# Disable sending redirects
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+# Disable secure redirects
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+
+# Disable source route
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+
+# Enable source route verification
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Log bad packet
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Ignore ICMP broadcasts
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Ignore bogus responses to broadcast
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Enable SYN cookies
+net.ipv4.tcp_syncookies = 1
+
+# Enable ECN server side
+net.ipv4.tcp_ecn = 2
+
+# Enable reuse TIME-WAIT sockets for new connections
+net.ipv4.tcp_tw_reuse = 1
+
+# Enable TCP Fast Open
+net.ipv4.tcp_fastopen = 3
+
+# Limit the per-socket default receive/send buffers to limit memory usage
+# when running with a lot of concurrent connections. Values are in bytes
+# and represent minimum, default and maximum. Defaults: 4096 87380 4194304
+net.ipv4.tcp_rmem = 4096 87380 1048576
+net.ipv4.tcp_wmem = 4096 87380 1048576
+
+# Extend the source port range for outgoing TCP connections. This limits early
+# port reuse and makes use of 64000 source ports. Defaults: 32768 61000
+net.ipv4.ip_local_port_range = 1024 65534
+
+# Increase the TCP SYN backlog size. This is generally required to support very
+# high connection rates as well as to resist SYN flood attacks. Setting it too
+# high will delay SYN cookie usage though. Defaults: 1024
+net.ipv4.tcp_max_syn_backlog = 32767
+
+# Timeout in seconds for the TCP FIN_WAIT state. Lowering it speeds up release
+# of dead connections, though it will cause issues below 25-30 seconds. It is
+# preferable not to change it if possible. Default: 60
+net.ipv4.tcp_fin_timeout = 30
+
+# Limit the number of outgoing SYN-ACK retries. This value is a direct
+# amplification factor of SYN floods, so it is important to keep it reasonably
+# low. However, too low will prevent clients on lossy networks from connecting.
+# Using 3 as a default value gives good results (4 SYN-ACK total) and lowering
+# it to 1 under SYN flood attack can save a lot of bandwidth. Default: 5
+net.ipv4.tcp_synack_retries = 3
+
+# Set this to one to allow local processes to bind to an IP which is not yet
+# present on the system. This is typically what happens with a shared VRRP
+# address, where you want both master and backup to be started eventhough the
+# IP is not yet present. Always leave it to 1. Default: 0
+net.ipv4.ip_nonlocal_bind = 1
+
+# How often TCP sends out keepalive messages
+net.ipv4.tcp_keepalive_time = 60
+
+# Disable IPv6, except for loopback
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 0
+
+# Restrict use of the IPv6 socket to IPv6 communication
+net.ipv6.bindv6only = 1
+
+# Size of connection tracking table
+net.netfilter.nf_conntrack_max = 1048576
+
+# Maximum size of expectation table
+net.netfilter.nf_conntrack_expect_max = 65536
+
+# Log packets of any protocol
+net.netfilter.nf_conntrack_log_invalid = 255
+
+# Enable automatic conntrack helper assignment
+net.netfilter.nf_conntrack_helper = 1
-- cgit v1.2.3
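Review bot: The last key of the hunk, `net.netfilter.nf_conntrack_helper = 1`, re-enables automatic conntrack helper assignment, which newer kernels turn off by default because a helper (FTP, SIP, …) then gets attached to every flow on its port and may open RELATED pinholes based on untrusted payload; for a hardened factory default prefer `net.netfilter.nf_conntrack_helper = 0` and attach helpers explicitly with `CT --helper` rules where a service actually needs one. The four `net.netfilter.*` keys also exist only once nf_conntrack is loaded, so a boot-time `sysctl -p` on a host that has not loaded the module will report them as missing; the comment block should state that dependency, or these keys should live in a file applied after the module is loaded. IPv6 is disabled via `all` but not `default`, so interfaces created after boot (tunnels, container veths) keep IPv6 with none of the redirect/source-route hardening the file applies on the IPv4 side — adding `net.ipv6.conf.default.disable_ipv6 = 1` makes the stated intent hold for them as well. Finally, `kernel.sysrq = 1` enables every SysRq function for anyone at the console; a restricted bitmask such as `kernel.sysrq = 176` (sync, remount read-only, reboot) keeps the recovery uses without process-kill and memory-dump.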