Tweaks Sysctl

[[Admin] tierrilopes]

Alguns tweaks que podem ser utilizados no freebsd para vários fins, desde aumento de performance até ajuda perante ataques dos.

 

Adicionar o seguinte ao vosso ficheiro /etc/sysctl.conf

 

 

 

 

# /etc/sysctl.conf

# Uncomment this to prevent users from seeing information about processes that

# are being run under another UID.

security.bsd.see_other_uids=0

## I/O

# Increase VFS read-ahead

# (Samsung 830 SSD drives went from 310 MB/sec to 372 MB/sec)

# Default: 64

vfs.read_max=128

# Unbound needs big socket buffers

#kern.ipc.maxsockbuf=10000000

## Settings for FreeBSD as a router

# A speedup of 40 to 60% in packet forwarding performance!

net.inet.ip.forwarding=1

net.inet.ip.fastforwarding=1

# 3900 seconds allows clients who connect regularly to stay in our hostcache

#net.inet.tcp.hostcache.expire=3900

# The OS buffer / backlog queue depth for accepting new TCP connections

#kern.ipc.somaxconn=1024

# maximum segment size (MSS) specifies the largest amount of data in a single TCP segment

# For most networks 1460 is optimal, but you may want to be cautious and use

# 1440. This smaller MSS allows an extra 20 bytes of space for those client which are on a

# DSL line which may use PPPoE. These networks have extra header data stored in

# the packet and if there is not enough space, must be fragmented over additional

# partially filled packets.

# Default: 536

net.inet.tcp.mssdflt=1440

# Loopback interface tuning

net.inet.tcp.nolocaltimewait=1

# Allow the web server to quickly dump the entire requested page set into

# the network buffer (SOCK_STREAM) and free web server resources

# Set it to 256KB, should be enough for most pages

# Default 32KB

net.inet.tcp.sendspace=262144

# Syncookies are only useful when under DOS attack

net.inet.tcp.syncookies=0

# If under DOS, set it to 1

# Also, uncomment the following:

#net.inet.tcp.syncache.rexmtlimit=0

# disable flow control for intel nics. many isp's abuse flow control to slow down

# customers even though you are not using your full bandwidth. (default 3)

#dev.em.0.fc=0

# General Security and DoS mitigation.

net.inet.ip.check_interface=1 # verify packet arrives on correct interface (default 0)

net.inet.ip.portrange.randomized=1 # randomize outgoing upper ports (default 1)

net.inet.ip.process_options=0 # IP options in the incoming packets will be ignored (default 1)

net.inet.ip.random_id=1 # assign a random IP_ID to each packet leaving the system (default 0)

net.inet.ip.redirect=0 # do not send IP redirects (default 1)

net.inet.ip.accept_sourceroute=0 # drop source routed packets since they can not be trusted (default 0)

net.inet.ip.sourceroute=0 # if source routed packets are accepted the route data is ignored (default 0)

net.inet.icmp.bmcastecho=0 # do not respond to ICMP packets sent to IP broadcast addresses (default 0)

net.inet.icmp.maskfake=0 # do not fake reply to ICMP Address Mask Request packets (default 0)

net.inet.icmp.maskrepl=0 # replies are not sent for ICMP address mask requests (default 0)

net.inet.icmp.log_redirect=0 # do not log redirected ICMP packet attempts (default 0)

net.inet.icmp.drop_redirect=1 # no redirected ICMP packets (default 0)

net.inet.icmp.icmplim_output=1 # show "Limiting open port RST response" messages (default 1)

net.inet.tcp.always_keepalive=0 # tcp keep alive detection for dead peers, can be spoofed (default 1)

net.inet.tcp.drop_synfin=1 # SYN/FIN packets get dropped on initial connection (default 0)

#net.inet.tcp.fast_finwait2_recycle=1 # recycle FIN/WAIT states quickly (helps against DoS, but may cause false RST) (default 0)

net.inet.tcp.icmp_may_rst=0 # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)

net.inet.tcp.msl=15000 # 15s maximum segment life waiting for an ACK in reply to a SYN-ACK or FIN-ACK (default 30000)

net.inet.tcp.path_mtu_discovery=0 # disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1)

net.inet.tcp.rfc3042=0 # disable limited transmit mechanism which can slow burst transmissions (default 1)

net.inet.tcp.sack.enable=1 # TCP Selective Acknowledgments are needed for high throughput (default 1)

net.inet.udp.blackhole=1 # drop udp packets destined for closed sockets (default 0)

net.inet.tcp.blackhole=2 # drop tcp packets destined for closed ports (default 0)

## IPv6 Security

# Disable Node info replies

net.inet6.icmp6.nodeinfo=0

# Turn on IPv6 privacy extensions

net.inet6.ip6.use_tempaddr=1

net.inet6.ip6.prefer_tempaddr=1

# Disable ICMP redirect

net.inet6.icmp6.rediraccept=0

net.link.ether.inet.log_arp_movements=0

net.inet6.ip6.accept_rtadv=0

net.inet6.ip6.auto_linklocal=0

net.inet.tcp.log_in_vain=1

net.inet.udp.log_in_vain=1

net.inet.tcp.blackhole=2

net.inet.udp.blackhole=1

net.inet.ip.rtexpire=2

net.inet.ip.rtminexpire=2

kern.maxfiles=32768

kern.maxfilesperproc=32768

kern.ipc.somaxconn=32768

net.inet.tcp.sendspace=8192

net.inet.tcp.recvspace=16384

net.inet.tcp.always_keepalive=1

kern.ipc.maxsockbuf=2097152

net.inet.tcp.msl=7500

net.inet.icmp.icmplim=1

net.inet.icmp.bmcastecho=1

 

 

 

 

Reiniciar o servidor ou fazer service sysctl reload

[Dynamic Things]

Obrigado pelo tutorial.

 

(Mensagem anterior removida, erro detectado, falta de atenção minha)