Friday, September 26, 2008

SYSCTL.conf

Has anyone tweaked their sysctl.conf lately to get the best desktop performance?

I've been playing with it for the last couple of months. Thought I would pass on my sysctl.conf and see if anyone has any suggestions to improve it. It's rather long, but if it helps anyone get better performance, or if anyone has input on how I can make it better, then what the hell.

Here it is :

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# the following stops low-level messages on console
kernel.printk = 4 4 1 7

# enable /proc/$pid/maps privacy so that memory layout (and therefore
# relocation addresses) is not visible to other users. Added in kernel
# 2.6.22 and removed again in 2.6.27, where the check became unconditional,
# so sysctl -p reports an unknown key on later kernels.
kernel.maps_protect = 1

# Increase inotify availability
fs.inotify.max_user_watches = 524288

# protect bottom 64k of memory from mmap to prevent NULL-dereference
# attacks against potential future kernel security vulnerabilities.
# (Added in kernel 2.6.23.)
vm.mmap_min_addr = 65536

###################################################################
# Functions previously found in netbase
#

# Comment the next two lines to disable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# Cookies are only sent once the SYN backlog overflows; connections that
# are accepted through a cookie lose TCP options such as window scaling
# (http://lkml.org/lkml/2008/2/5/167). Enabled in the MY section below.
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
# (the key is net.ipv6.conf.all.forwarding; there is no net.ipv6.ip_forward)
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts
#net/ipv4/icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
net/ipv4/icmp_ignore_bogus_error_responses = 1
#
# Do not accept ICMP redirects (prevent MITM attacks)
net/ipv4/conf/all/accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net/ipv4/conf/all/secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net/ipv4/conf/all/send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
net/ipv4/conf/all/accept_source_route = 0
#
# Log Martian Packets
#net/ipv4/conf/all/log_martians = 1
#
# Always defragment packets (2.2-era key that no longer exists on 2.4/2.6
# kernels; left commented out for reference only)
#net/ipv4/ip_always_defrag = 1

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 0

########## MY #######################
# Keep answering ping (set to 1 to ignore all ICMP echo requests)
net.ipv4.icmp_echo_ignore_all = 0

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Disable ICMP Redirect Acceptance. The "all" setting is already 0 above;
# uncomment these to cover the default template for new interfaces too
# (a value of 1 here would re-enable acceptance, so keep them at 0).
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv4.conf.default.accept_redirects = 0

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable IP spoofing protection, turn on Source Address Verification
# (reverse-path filter, not source-route handling; "all" is already set above)
net.ipv4.conf.default.rp_filter = 1

# Logging of spoofed, source-routed and redirect packets ("martians") is
# off here; set to 1 to log them to the kernel ring buffer. The eth0 line
# only applies if that interface exists, otherwise sysctl -p reports an error.
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0

# Allowed local port range
#net.ipv4.ip_local_port_range = 32768 61000

# Lower tcp_fin_timeout (seconds a closed socket waits in FIN-WAIT-2; kernel default 60)
net.ipv4.tcp_fin_timeout = 30

# Lower tcp_keepalive_time (idle seconds before the first keepalive probe; kernel default 7200)
net.ipv4.tcp_keepalive_time = 1800

# Packet forwarding is off: this is a desktop, not a router
# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Improve file system performance
# (vm.bdflush, vm.buffermem, vm.freepages, vm.kswapd, vm.pagecache and
# vm.pagetable_cache below are 2.4-kernel tunables that do not exist on
# 2.6; uncommenting them makes sysctl -p report unknown keys)
#vm.bdflush = 100 1200 128 512 15 5000 500 1884 2

# Improve virtual memory performance
#vm.buffermem = 80 10 60

# Improve and better control swapping into the system
#vm.freepages = 383 766 1149

# Increase swap bandwith system performance
#vm.kswapd = 1024 32 16

# Number of pages read from swap per fault, as a power of two: 10 means
# 1024 pages (4 MB with 4 KB pages); the kernel default is 3 (8 pages)
vm.page-cluster = 10

# Improve files memory mapping and generic caching
#vm.pagecache = 50 80 100

# Improve number of page tables keeps in a per-proccessor cache
#vm.pagetable_cache = 45 75

# System-wide cap on open file handles. The 2.6 default is derived from RAM
# and is usually well above 16384 on a 1 GB machine, so compare with
# `sysctl fs.file-max` first: this line can lower the limit rather than raise it.
fs.file-max = 16384
#fs.file-max = 8192

# Improve the number of inodes opened
# (fs.inode-nr is a read-only counter on 2.6, so this cannot be set)
#fs.inode-nr = 32768

# 2.4-era keys, not present on 2.6 kernels; kept commented out
#vm.max-readahead=128
#vm.min-readahead=64
#net.core.hot_list_length=256

# Packets that may arrive out of order before fast retransmit is triggered
net.ipv4.tcp_reordering = 5
# Overrides the tcp_fin_timeout = 30 set earlier: sysctl -p applies the file
# in order, so this later value is the one that takes effect
net.ipv4.tcp_fin_timeout = 25
# Flush the routing cache after the settings above are applied
net.ipv4.route.flush = 1
# Prefer reclaiming page cache over swapping out process pages (default 60)
vm.swappiness = 15

vm.vfs_cache_pressure=50
# Default and maximum socket buffer sizes (bytes) for all protocols
net.core.rmem_default = 524288
net.core.rmem_max = 524288
net.core.wmem_default = 524288
net.core.wmem_max = 524288
# Per-socket TCP buffers (bytes): min, default, max
net.ipv4.tcp_wmem = 4096 87380 524288
net.ipv4.tcp_rmem = 4096 87380 524288
# Global TCP memory limits in pages, not bytes: low, pressure, high. With all
# three equal there is no memory-pressure band before the hard limit; the
# kernel default is an ascending triple sized from RAM.
net.ipv4.tcp_mem = 524288 524288 524288
# Cap on sockets held in TIME_WAIT before the kernel starts dropping them
net.ipv4.tcp_max_tw_buckets = 1440000
# RFC 1337: ignore RSTs to sockets in TIME_WAIT (TIME_WAIT assassination)
net.ipv4.tcp_rfc1337 = 1
# 0 keeps Path MTU discovery enabled
net.ipv4.ip_no_pmtu_disc = 0
# Forward acknowledgement: loss recovery built on top of SACK
net.ipv4.tcp_fack = 1
# Explicit Congestion Notification off; some middleboxes drop ECN-marked flows
net.ipv4.tcp_ecn = 0
# Largest single System V shared memory segment (bytes; 256 MB)
kernel.shmmax = 268435456
# IP fragment reassembly memory (bytes): drop above high, resume below low
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# Maximum ancillary (option) buffer per socket, bytes
net.core.optmem_max = 57344

# tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# tcp_sack
net.ipv4.tcp_sack = 1

# tcp_timestamps
net.ipv4.tcp_timestamps = 1
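A check worth running on a file like this before `sysctl -p`, added here as an example and not part of the original post: the script below parses sysctl.conf syntax (both the `net.ipv4.x` and `net/ipv4/x` forms that sysctl(8) accepts, including the slash form needed for dotted interface names such as `eth0.100`), reports keys that are set more than once together with the value that actually takes effect, and lists keys that have no `/proc/sys` entry on the running kernel. The embedded sample is a constructed excerpt in the style of the file above, not the file itself, and `missing_on_kernel` takes an injectable `exists` callable so the check can be exercised without a live `/proc/sys`.

```python
"""Lint a sysctl.conf before loading it.

Three things bite when a file is assembled from several sources: keys written
in both 'a.b.c' and 'a/b/c' syntax, the same key set twice (sysctl -p applies
the file in order, so the last value wins), and keys that only existed on
older kernels, which make sysctl -p print errors. This reports all three.
"""
import os
from collections import OrderedDict

# Constructed excerpt in the style of the post's file (not the file itself).
SAMPLE_CONF = """\
# Do not accept ICMP redirects (prevent MITM attacks)
net/ipv4/conf/all/accept_redirects = 0
#net/ipv4/icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_fin_timeout=25
net.ipv4.conf.all.accept_source_route = 0
net/ipv4/conf/all/accept_source_route = 0
net.ipv4.tcp_rmem = 4096   87380 524288
net/ipv4/conf/eth0.100/rp_filter = 1
vm.freepages = 383 766 1149
"""


def key_path(key):
    """Split a key into its /proc/sys path components.

    sysctl(8) accepts 'a.b.c' or 'a/b/c'. In the slash form dots are literal,
    which is how a VLAN interface like eth0.100 is addressed, so only split
    on '.' when the key contains no '/'.
    """
    key = key.strip()
    return tuple(key.split("/") if "/" in key else key.split("."))


def key_name(path):
    """Canonical display name: dotted unless a component itself has a dot."""
    return "/".join(path) if any("." in p for p in path) else ".".join(path)


def parse_sysctl_conf(text):
    """Return (entries, duplicates, bad_lines).

    entries    - OrderedDict name -> effective value (last assignment wins)
    duplicates - OrderedDict name -> every value assigned, in file order
    bad_lines  - (lineno, text) for lines that are not 'key = value'
    Only whole-line comments ('#' or ';' first) are recognised, as in procps.
    """
    entries, history, bad_lines = OrderedDict(), OrderedDict(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            bad_lines.append((lineno, raw))
            continue
        key, value = line.split("=", 1)
        name = key_name(key_path(key))
        value = " ".join(value.split())  # collapse tuple values like tcp_rmem
        history.setdefault(name, []).append(value)
        entries[name] = value
    duplicates = OrderedDict((k, v) for k, v in history.items() if len(v) > 1)
    return entries, duplicates, bad_lines


def missing_on_kernel(entries, proc_root="/proc/sys", exists=os.path.exists):
    """Names whose /proc/sys path does not exist; `exists` is injectable."""
    return [name for name in entries
            if not exists(os.path.join(proc_root, *key_path(name)))]


def lint(text, proc_root="/proc/sys", exists=os.path.exists):
    """Human-readable findings for a sysctl.conf body."""
    entries, duplicates, bad_lines = parse_sysctl_conf(text)
    report = []
    for name, values in duplicates.items():
        if len(set(values)) > 1:
            report.append("CONFLICT %s set to %s; effective value is %r"
                          % (name, " then ".join(repr(v) for v in values),
                             entries[name]))
        else:
            report.append("DUPLICATE %s (same value %r each time)"
                          % (name, values[0]))
    for lineno, raw in bad_lines:
        report.append("UNPARSED line %d: %r" % (lineno, raw))
    for name in missing_on_kernel(entries, proc_root, exists):
        report.append("UNKNOWN %s: no entry under %s" % (name, proc_root))
    return report


if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for finding in lint(conf):
        print(finding)
```

Run it as `python sysctl_lint.py /etc/sysctl.conf` on the target host (the script name is an assumption); on the sample it reports the `tcp_fin_timeout` conflict (30 then 25, so 25 is what the kernel ends up with), the harmless double `accept_source_route`, and `vm.freepages` as unknown on any 2.6 kernel.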

2 comments:

TRON-DELTA.ORG said...

Hello!

I'm a Xubuntu developer and TCO. What you set up in the first part looks really good and the only thing I actually do at home and in my office/our company is to block all IGMP since I hate this annoying stuff. One may tell me when it comes to such parallel streaming/broadcasting to legitimate such a protocol.

The MY-section is a good idea too and I really agree with your settings. Nevertheless we use good netfilters which catch some of the first few settings. To speak for the other ones, I haven't tested them excessively yet. I think the defaults and the amount of pre-set sysctl.conf also vary with GNU/Linux distributions.

Antonio Sosa said...

Hi Aquina,

Thanks

I've been trying to compile a good set of sysctl presets which work on Ubuntu/Xubuntu and are compatible with Fedora as well, as that is a distro I use sometimes. So far all the settings work and do not complain on those. It takes quite a while to find the right tweaks as it varies from machine to machine, but based on my specs these work fine with PCs with more than 1024 MB of RAM and run fairly well on PCs with 512 MB of RAM.

My goal was to make the PCs more secure via TCP/IP and also utilize higher throughput, as I found some of the limits are kinda based on older hardware, which is understandable considering it should run on older hardware and older environments. I just think in today's world and in my environment I want it to run at a higher level, and most people can open the TCP window size and amount of packets that they send etc. Most people have more than 1 GB of RAM and can handle higher congestion, etc.

If you have any suggestions or have some of your own sysctl.conf files, please send them my way and I'll check them out. I am going to build a new build of my lava based on 9.10 soon.

Thanks for reading my posts.