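#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
# Format: one "key = value" pair per line; a line starting with # is a
# comment. Each setting below must stay on its own line: when several are
# run together, everything after the first "=" is taken as that key's value.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

###################################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

###################################################################
# Magic system request Key
# 0=disable, 1=enable all
# Debian kernels have this set to 0 (disable the key)
# See https://www.kernel.org/doc/Documentation/sysrq.txt
# for what other values do
# NOTE(review): the line below, if uncommented, enables every SysRq function
# for anyone with console/keyboard access; leave it commented unless that is
# intended.
#kernel.sysrq=1

###################################################################
# Protected links
#
# Protects against creating or following links under certain conditions
# Debian kernels have both set to 1 (restricted)
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
# NOTE(review): the two lines below are written with the value 0, so
# uncommenting them turns the protection OFF. Leave them commented to keep
# the restricted behaviour described above.
#fs.protected_hardlinks=0
#fs.protected_symlinks=0

###################################################################
# Improving performance

# Virtual memory
# Consensus is that setting vm.dirty_ratio to 10% of RAM is a sane value if
# RAM is say 1 GB (so 10% is 100 MB). But if the machine has much more RAM,
# say 16 GB (10% is 1.6 GB), the percentage may be out of proportion as it
# becomes several seconds of writeback on spinning disks. A more sane value
# in this case may be 3 (3% of 16 GB is approximately 491 MB).
vm.swappiness=10
# NOTE(review): vm.dirty_ratio / vm.dirty_bytes (and the two
# dirty_background_* keys) are counterparts: the kernel honours only one of
# each pair, and writing one makes the other read back as 0. With both pairs
# set here, the pair written last is the one in effect (the *_bytes values,
# if the loader applies this file top to bottom). Keep one pair and delete
# the other so the intended limit is unambiguous.
vm.dirty_ratio=10
vm.dirty_background_ratio=5
vm.vfs_cache_pressure=50
# NOTE(review): both byte limits are 4 MiB. The background threshold is meant
# to be lower than the hard limit so that background writeback starts before
# writers are throttled; confirm that equal values are intended.
vm.dirty_background_bytes=4194304
vm.dirty_bytes=4194304

# Networking
# Increasing the size of the receive queue.
net.core.netdev_max_backlog=100000
net.core.netdev_budget=50000
net.core.netdev_budget_usecs=5000
#
# Increase the maximum connections default 128
# NOTE(review): newer kernels ship a larger default than 128; check
# "sysctl net.core.somaxconn" on the target first so this does not lower it.
net.core.somaxconn=1024
#
# Increase the memory dedicated to the network interfaces
net.core.rmem_default=1048576
net.core.rmem_max=16777216
net.core.wmem_default=1048576
net.core.wmem_max=16777216
net.core.optmem_max=65536
net.ipv4.tcp_rmem=4096 1048576 2097152
net.ipv4.tcp_wmem=4096 65536 16777216
#
# increase the default 4096 UDP limits
net.ipv4.udp_rmem_min=8192
net.ipv4.udp_wmem_min=8192
#
# Enable TCP Fast Open
# 3 = enabled for both outgoing (bit 0) and incoming (bit 1) connections
net.ipv4.tcp_fastopen=3
#
# Tweak the pending connection handling
net.ipv4.tcp_max_syn_backlog=30000
net.ipv4.tcp_max_tw_buckets=2000000
# NOTE(review): TIME-WAIT reuse relies on TCP timestamps to decide when reuse
# is safe; with net.ipv4.tcp_timestamps=0 further down, this setting is
# expected to have no effect. Decide which of the two is wanted.
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_fin_timeout=10
net.ipv4.tcp_slow_start_after_idle=0
#
# Change TCP keepalive parameters
net.ipv4.tcp_keepalive_time=60
net.ipv4.tcp_keepalive_intvl=10
net.ipv4.tcp_keepalive_probes=6
#
# Enable MTU probing
net.ipv4.tcp_mtu_probing=1
#
# TCP Timestamps
# NOTE(review): disabling timestamps also gives up PAWS and timestamp-based
# RTT measurement, and connections accepted via SYN cookies can then no
# longer carry window scaling/SACK. Treat this as a trade-off, not a pure
# hardening gain.
net.ipv4.tcp_timestamps=0
#
# TCP/IP stack hardening
# TCP SYN cookie protection
net.ipv4.tcp_syncookies=1
#
# TCP rfc1337
net.ipv4.tcp_rfc1337=1
#
# Reverse path filtering
# 1 = strict mode: a packet is dropped unless the route back to its source
# leaves through the interface it arrived on. Hosts with asymmetric routing
# or several uplinks may need loose mode (2) on the affected interfaces.
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
#
# Log martian packets
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.log_martians=1
#
# Disable ICMP redirecting
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
#
# disable ICMP redirect sending when on a non router
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
#
# NOTE(review): this active block does not set accept_source_route; the
# commented template lines for it are in "Additional settings" above. Verify
# the running values with "sysctl -a" if source routing must stay refused.
#
# Ignore ICMP echo requests (ping)
# This key covers IPv4 only. It also makes the host invisible to ping-based
# monitoring and reachability checks; it hides the host from casual probes
# but does not close any service.
net.ipv4.icmp_echo_ignore_all=1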
Source : https://wiki.archlinux.org/index.php/Sysctl