Created
January 13, 2016 15:32
calomel.org freebsd network tuning
# FreeBSD 10.2 -- /etc/sysctl.conf version 0.47
# https://calomel.org/freebsd_network_tuning.html
#
# low latency is important so we highly recommend that you disable hyper
# threading on Intel CPUs as it has an unpredictable effect on latency, cpu
# cache misses and load.
#
# These settings are specifically tuned for a "low" latency FIOS (300/300) and
# gigabit LAN connections. If you have 10gig or 40gig you will need to increase
# the network buffers as proposed. "man tuning" for more information.
#
# Before tuning the following two(2) sections on maxsockbuf and buf_max take
# some time to read PSC's tips on Enabling High Performance Data Transfers.
# http://www.psc.edu/index.php/networking/641-tcp-tune
# A standard guide to the socket buffer size is: latency to the host times
# bandwidth in megabits per second divided by 8 bits = socket buffer size. For
# a 150 megabit network which pings 0.1 seconds from our server we calculate
# 0.1 seconds * 150 Mbps / 8 bits = 1.875 megabyte buffer which is below the
# default of 2MB (2097152). If the host is farther away then the latency will
# be higher and the buffer will need to be larger. You may want to increase to
# 4MB if the upload bandwidth is greater than 150 Mbit and latency is over
# 200ms. For 10GE hosts set to at least 16MB as well as increase the TCP
# window size to 65535 and window scale to 9. For 10GE hosts with RTT over
# 100ms you will need to set a buffer of 150MB and a wscale of 12. "2097152 =
# 2*1024*1024".
# network:   1 Gbit   maxsockbuf:   2MB   wsize:  6   2^6*65KB  =    4MB (default)
# network:   2 Gbit   maxsockbuf:   4MB   wsize:  7   2^7*65KB  =    8MB
# network:  10 Gbit   maxsockbuf:  16MB   wsize:  9   2^9*65KB  =   32MB
# network:  40 Gbit   maxsockbuf: 150MB   wsize: 12   2^12*65KB =  260MB
# network: 100 Gbit   maxsockbuf: 600MB   wsize: 14   2^14*65KB = 1064MB
kern.ipc.maxsockbuf=4194304 # (default 2097152)
#kern.ipc.maxsockbuf=16777216 # (default 2097152)
# set auto tuning maximums to the same value as the kern.ipc.maxsockbuf above.
# Use at least 16MB for 10GE hosts with RTT of less than 100ms. For 10GE hosts
# with RTT of greater than 100ms set buf_max to 150MB.
net.inet.tcp.sendbuf_max=4194304 # (default 2097152)
net.inet.tcp.recvbuf_max=4194304 # (default 2097152)
#net.inet.tcp.sendbuf_max=16777216 # (default 2097152)
#net.inet.tcp.recvbuf_max=16777216 # (default 2097152)
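The buffer arithmetic in the comment above, carried through as a small POSIX sh calculator. This is an added example, not part of the calomel.org file, and the function names are my own: bdp_bytes applies the latency times bandwidth over 8 rule, sockbuf_for rounds the result up to the next power of two with the 2MB default as a floor (it reproduces 2MB for 150 Mbit at 100 ms and 4MB at 200 ms, but gives 128MB rather than the hand-picked 150MB for 10GE at 100 ms), and wscale_for derives the smallest window scale whose 65535 << n covers that buffer, which is the wsize column of the table above.

```shell
#!/bin/sh
# Added example (not from the calomel.org file): turn link bandwidth and RTT
# into the maxsockbuf / sendbuf_max / recvbuf_max values and the window scale
# the comment above describes. All function names are my own.

# bdp_bytes MBPS RTT_MS: bandwidth-delay product in bytes.
# Mbps * 1,000,000 / 8 bits * (ms / 1000) simplifies to Mbps * ms * 125.
bdp_bytes() {
    echo $(( $1 * $2 * 125 ))
}

# sockbuf_for BYTES: socket buffer to configure for a given BDP. Rounds up to
# the next power of two and never goes below the FreeBSD default of 2MB
# (2097152), matching the "stay with the default" advice above.
sockbuf_for() {
    buf=2097152
    while [ "$buf" -lt "$1" ]; do
        buf=$(( buf * 2 ))
    done
    echo "$buf"
}

# wscale_for BYTES: smallest TCP window scale n (capped at 14, the RFC 7323
# maximum) such that 65535 << n covers the buffer. Gives 6 for 2MB, 7 for 4MB,
# 9 for 16MB and 12 for 150MB, i.e. the wsize column in the table above.
wscale_for() {
    n=0
    while [ $(( 65535 << n )) -lt "$1" ] && [ "$n" -lt 14 ]; do
        n=$(( n + 1 ))
    done
    echo "$n"
}

# tuning_lines MBPS RTT_MS: print the sysctl.conf lines for that link.
tuning_lines() {
    bdp=$(bdp_bytes "$1" "$2")
    buf=$(sockbuf_for "$bdp")
    ws=$(wscale_for "$buf")
    echo "# ${1} Mbit/s at ${2} ms RTT: BDP ${bdp} bytes, window scale ${ws}"
    echo "kern.ipc.maxsockbuf=${buf}"
    echo "net.inet.tcp.sendbuf_max=${buf}"
    echo "net.inet.tcp.recvbuf_max=${buf}"
}

# Worked case from the comment above: 150 Mbit with a 100 ms ping stays at the
# 2MB default; doubling the latency calls for 4MB.
tuning_lines 150 100
tuning_lines 150 200
```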
# maximum segment size (MSS) specifies the largest payload of data in a single
# TCP segment not including TCP headers or options. mssdflt is also called MSS
# clamping. With an interface MTU of 1500 bytes we suggest a
# net.inet.tcp.mssdflt of 1460 bytes. 1500 MTU minus 20 byte IP header minus 20
# byte TCP header is 1460. With net.inet.tcp.rfc1323 enabled, tcp timestamps
# are added to the packets and the mss is automatically reduced from 1460 bytes
# to 1448 bytes total payload. Note: if you are using PF with an outgoing scrub
# rule then PF will re-package the data using an MTU of 1460 by default, thus
# overriding this mssdflt setting, and PF scrub might slow down the network.
# http://www.wand.net.nz/sites/default/files/mss_ict11.pdf
net.inet.tcp.mssdflt=1460 # (default 536)
# minimum maximum segment size (minmss) specifies the smallest payload of data
# in a single TCP segment our system will agree to send when negotiating with
# the client. By default, FreeBSD limits the maximum segment size to no lower
# than 216 bytes. RFC 791 defines the minimum IP packet size as 68 bytes, but
# in RFC 793 the minimum MSS is specified to be 536 bytes which is the same
# value Windows Vista uses. The attack vector: a malicious client sets the
# negotiated MSS to a small value, which may cause a packet flood DoS attack
# from our server. The attack scales with the available bandwidth and quickly
# saturates the CPU and network interface with packet generation and
# transmission. By default, if the client asks for a one(1) megabyte file with
# an MSS of 216 we have to send back 4,630 packets. If the minimum MSS is set
# to 1300 we send back only 769 packets which is six times more efficient. For
# standard Internet connections we suggest a minimum mss of 1300 bytes. 1300
# will even work on networks making a VOIP (RTP) call using a TCP connection with
# TCP options over IPSEC through a GRE tunnel on a mobile cellular network with
# the DF (don't fragment) bit set.
net.inet.tcp.minmss=1300 # (default 216)
# H-TCP congestion control: The Hamilton TCP (HighSpeed-TCP) algorithm is a
# packet loss based congestion control and is more aggressive pushing up to max
# bandwidth (total BDP) and favors hosts with lower TTL / VARTTL than the
# default "newreno". Understand "newreno" works well in most conditions and
# enabling HTCP may only gain you a few percentage points of throughput.
# http://www.sigcomm.org/sites/default/files/ccr/papers/2008/July/1384609-1384613.pdf
# make sure to also add 'cc_htcp_load="YES"' to /boot/loader.conf then check
# available congestion control options with "sysctl net.inet.tcp.cc.available"
net.inet.tcp.cc.algorithm=htcp # (default newreno)
# H-TCP congestion control: adaptive backoff will increase bandwidth
# utilization by adjusting the additive-increase/multiplicative-decrease (AIMD)
# backoff parameter according to the amount of buffers available on the path.
# adaptive backoff ensures no queue along the path will remain completely empty
# after a packet loss event which increases buffer efficiency.
net.inet.tcp.cc.htcp.adaptive_backoff=1 # (default 0 ; disabled)
# H-TCP congestion control: RTT scaling will increase the fairness between
# competing TCP flows traversing different RTT paths through a common
# bottleneck. rtt_scaling increases the Congestion Window Size (CWND)
# independent of path round-trip time (RTT) leading to lower latency for
# interactive sessions when the connection is saturated by bulk data
# transfers. Default is 0 (disabled)
net.inet.tcp.cc.htcp.rtt_scaling=1 # (default 0 ; disabled)
# IP forwarding allows packets to traverse between interfaces and is used for
# firewalls, bridges and routers. When fast IP forwarding is also enabled, IP packets
# are forwarded directly to the appropriate network interface with direct
# processing to completion, which greatly improves the throughput. All packets
# for local IP addresses, non-unicast, or with IP options are handled by the
# normal IP input processing path. All features of the normal (slow) IP
# forwarding path are supported by fast forwarding including firewall (through
# pfil(9) hooks) checking, except ipsec tunnel brokering. The IP fast
# forwarding path does not generate ICMP redirect or source quench messages
# though. Compared to normal IP forwarding, fast forwarding can give a speedup
# of 40 to 60% in packet forwarding performance which is great for interactive
# connections like online games or VOIP where low latency is critical.
#net.inet.ip.forwarding=1 # (default 0)
#net.inet.ip.fastforwarding=1 # (default 0)
#net.inet6.ip6.forwarding=1 # (default 0)
# Reduce the amount of SYN/ACKs the server will re-transmit to an ip address
# that did not respond to the first SYN/ACK. On a client's initial connection
# our server will always send a SYN/ACK in response to the client's initial
# SYN. Limiting retransmitted SYN/ACKs reduces local syn cache size and a "SYN
# flood" DoS attack's collateral damage by not sending SYN/ACKs back to spoofed
# ips, multiple times. If we do continue to send SYN/ACKs to spoofed IPs they
# may send RSTs back to us and an "amplification" attack would begin against
# our host. If you do not wish to send retransmits at all then set to zero(0)
# especially if you are under a SYN attack. If our first SYN/ACK gets dropped
# the client will re-send another SYN if they still want to connect. Also set
# "net.inet.tcp.msl" to two(2) times the average round trip time of a client,
# but no lower than 2000ms (2s). Test with "netstat -s -p tcp" and look under
# syncache entries.
# http://people.freebsd.org/~jlemon/papers/syncache.pdf
# http://www.ouah.org/spank.txt
net.inet.tcp.syncache.rexmtlimit=0 # (default 3)
# Spoofed packet attacks may be used to overload the kernel route cache. A
# spoofed packet attack uses random source IPs to cause the kernel to generate
# a temporary cached route in the route table. The route cache is an extraneous
# caching layer mapping interfaces to routes to IPs and saves a lookup to the
# Forward Information Base (FIB); a routing table within the network stack. The
# IPv4 routing cache was intended to eliminate a FIB lookup and increase
# performance. While a good idea in principle, unfortunately it provided a very
# small performance boost in less than 10% of connections and opens up the
# possibility of a DoS vector. Setting rtexpire and rtminexpire to ten(10)
# seconds should be sufficient to protect the route table from attack.
# http://www.es.freebsd.org/doc/handbook/securing-freebsd.html
net.inet.ip.rtexpire=10 # (default 3600)
#net.inet.ip.rtminexpire=10 # (default 10 )
#net.inet.ip.rtmaxcache=128 # (default 128 )
# Syncookies have a certain number of advantages and disadvantages. Syncookies
# are useful if you are being DoS attacked as this method helps filter the
# proper clients from the attack machines. But, since the TCP options from the
# initial SYN are not saved in syncookies, the tcp options are not applied to
# the connection, precluding use of features like window scale, timestamps, or
# exact MSS sizing. As the returning ACK establishes the connection, it may be
# possible for an attacker to ACK flood a machine in an attempt to create a
# connection. Another benefit, to an attacker who overflows the syncache to the
# point of getting a valid SYN cookie, is that they can include a data payload.
# Now that the attacker can send data to a FreeBSD network daemon, even using a
# spoofed source IP address, they can have FreeBSD do processing on the data
# which is not something the attacker could do without SYN cookies. Even though
# syncookies are helpful during a DoS, we are going to disable them at this
# time.
net.inet.tcp.syncookies=0 # (default 1)
# TCP segmentation offload (TSO), also called large segment offload (LSO),
# should be disabled on NAT firewalls and routers. TSO/LSO works by queuing up
# large buffers and letting the network interface card (NIC) split them into
# separate packets. The problem is the NIC can build a packet that is the wrong
# size and would be dropped by a switch or the receiving machine, like for NFS
# fragmented traffic. If the packet is dropped the overall sending bandwidth is
# reduced significantly. You can also disable TSO in /etc/rc.conf using the
# "-tso" directive after the network card configuration; for example,
# ifconfig_igb0="inet 10.10.10.1 netmask 255.255.255.0 -tso". Verify TSO is off
# on the hardware by making sure TSO4 and TSO6 are not seen in the "options="
# section using ifconfig.
# http://www.peerwisdom.org/2013/04/03/large-send-offload-and-network-performance/
net.inet.tcp.tso=0 # (default 1)
# Flow control stops and resumes the transmission of network traffic between
# two connected peer nodes on a full-duplex Ethernet physical link. Ethernet
# "PAUSE" frames pause transmission of all traffic on a physical Ethernet link.
# Some ISPs abuse flow control to slow down customers' traffic even though
# full bandwidth is not being used. By disabling physical link flow control the
# link instead relies on TCP's internal flow control which is peer based on IP
# address. The values are: (0=No Flow Control) (1=Receive Pause) (2=Transmit
# Pause) (3=Full Flow Control, Default). We will be disabling flow control on
# the igb interfaces.
# http://virtualthreads.blogspot.com/2006/02/beware-ethernet-flow-control.html
#dev.igb.0.fc=0 # (default 3)
# General Security and DoS mitigation
#net.bpf.optimize_writers=0 # bpf are write-only unless program explicitly specifies the read filter (default 0)
#net.bpf.zerocopy_enable=0 # zero-copy BPF buffers, breaks dhcpd ! (default 0)
net.inet.ip.check_interface=1 # verify packet arrives on correct interface (default 0)
#net.inet.ip.portrange.randomized=1 # randomize outgoing upper ports (default 1)
net.inet.ip.process_options=0 # ignore IP options in the incoming packets (default 1)
net.inet.ip.random_id=1 # assign a random IP_ID to each packet leaving the system (default 0)
net.inet.ip.redirect=0 # do not send IP redirects (default 1)
#net.inet.ip.accept_sourceroute=0 # drop source routed packets since they can not be trusted (default 0)
#net.inet.ip.sourceroute=0 # if source routed packets are accepted the route data is ignored (default 0)
#net.inet.ip.stealth=1 # do not reduce the TTL by one(1) when a packet goes through the firewall (default 0)
#net.inet.icmp.bmcastecho=0 # do not respond to ICMP packets sent to IP broadcast addresses (default 0)
#net.inet.icmp.maskfake=0 # do not fake reply to ICMP Address Mask Request packets (default 0)
#net.inet.icmp.maskrepl=0 # replies are not sent for ICMP address mask requests (default 0)
#net.inet.icmp.log_redirect=0 # do not log redirected ICMP packet attempts (default 0)
net.inet.icmp.drop_redirect=1 # no redirected ICMP packets (default 0)
#net.inet.icmp.icmplim=200 # number of ICMP/TCP RST packets/sec, increase for bittorrent or many clients. (default 200)
#net.inet.icmp.icmplim_output=1 # show "Limiting open port RST response" messages (default 1)
#net.inet.tcp.abc_l_var=2 # increment the slow-start Congestion Window (cwnd) after two(2) segments (default 2)
net.inet.tcp.always_keepalive=0 # disable tcp keep alive detection for dead peers, keepalive can be spoofed (default 1)
net.inet.tcp.drop_synfin=1 # SYN/FIN packets get dropped on initial connection (default 0)
net.inet.tcp.ecn.enable=1 # explicit congestion notification (ecn) warning: some ISP routers may abuse ECN (default 0)
net.inet.tcp.fast_finwait2_recycle=1 # recycle FIN/WAIT states quickly (helps against DoS, but may cause false RST) (default 0)
net.inet.tcp.icmp_may_rst=0 # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
#net.inet.tcp.maxtcptw=50000 # max number of tcp time_wait states for closing connections (default ~27767)
net.inet.tcp.msl=5000 # Maximum Segment Lifetime is the time a TCP segment can exist on the network and is
# used to determine the TIME_WAIT interval, 2*MSL (default 30000 which is 60 seconds)
net.inet.tcp.path_mtu_discovery=0 # disable MTU discovery since many hosts drop ICMP type 3 packets (default 1)
#net.inet.tcp.rfc3042=1 # on packet loss trigger the fast retransmit algorithm instead of tcp timeout (default 1)
net.inet.udp.blackhole=1 # drop udp packets destined for closed sockets (default 0)
net.inet.tcp.blackhole=2 # drop tcp packets destined for closed ports (default 0)
security.bsd.see_other_gids=0 # groups only see their own processes. root can see all (default 1)
security.bsd.see_other_uids=0 # users only see their own processes. root can see all (default 1)
vfs.zfs.min_auto_ashift=12 # ZFS 4k alignment
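As an added example that is not part of the original file: a POSIX sh audit that compares a saved "sysctl -a" dump against the hardening values set in the "General Security and DoS mitigation" block above and reports drifted or missing keys, so a change after an upgrade or a stray "sysctl -w" shows up in a cron mail. The function names and the embedded sample dump are my own construction.

```shell
#!/bin/sh
# Added example (not from the calomel.org file): check a host's live sysctl
# values against the "General Security and DoS mitigation" settings above.
# Usage on a FreeBSD host:  sysctl -a > /tmp/dump; audit_sysctl /tmp/dump
# Function names and the sample dump at the bottom are my own construction.

# Baseline "name expected" pairs, copied from the active lines above.
BASELINE='
net.inet.ip.check_interface 1
net.inet.ip.process_options 0
net.inet.ip.random_id 1
net.inet.ip.redirect 0
net.inet.icmp.drop_redirect 1
net.inet.tcp.always_keepalive 0
net.inet.tcp.drop_synfin 1
net.inet.tcp.icmp_may_rst 0
net.inet.tcp.blackhole 2
net.inet.udp.blackhole 1
security.bsd.see_other_uids 0
security.bsd.see_other_gids 0
'

# audit_sysctl DUMPFILE: DUMPFILE holds "name: value" lines (sysctl -a output)
# or "name=value" lines (sysctl.conf style). Prints one DRIFT/MISSING line per
# finding and returns 1 if anything was found, 0 when the host matches.
audit_sysctl() {
    printf '%s\n' "$BASELINE" | awk -v dumpfile="$1" '
        BEGIN {
            # Index the dump by key; split on the first ":" or "=" only.
            while ((getline line < dumpfile) > 0) {
                if (!match(line, /[:=]/)) continue
                key = substr(line, 1, RSTART - 1)
                val = substr(line, RSTART + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                have[key] = val
            }
            close(dumpfile)
        }
        NF == 2 {
            if (!($1 in have)) {
                printf "MISSING %s (expected %s)\n", $1, $2; bad++
            } else if (have[$1] != $2) {
                printf "DRIFT   %s=%s (expected %s)\n", $1, have[$1], $2; bad++
            }
        }
        END { exit (bad > 0) }'
}

# write_sample_dump FILE: a constructed "sysctl -a" excerpt with two values
# drifted (ip.redirect, tcp.blackhole) and one key missing (see_other_gids).
write_sample_dump() {
    cat > "$1" <<'EOF'
net.inet.ip.check_interface: 1
net.inet.ip.process_options: 0
net.inet.ip.random_id: 1
net.inet.ip.redirect: 1
net.inet.icmp.drop_redirect: 1
net.inet.tcp.always_keepalive: 0
net.inet.tcp.drop_synfin: 1
net.inet.tcp.icmp_may_rst: 0
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 1
security.bsd.see_other_uids: 0
EOF
}

# write_compliant_dump FILE: every baseline key at its expected value.
write_compliant_dump() {
    printf '%s\n' "$BASELINE" | awk 'NF == 2 { print $1 ": " $2 }' > "$1"
}

# Demo run on the constructed sample: expect two DRIFT lines and one MISSING.
sample="${TMPDIR:-/tmp}/sysctl_audit_sample.$$"
write_sample_dump "$sample"
if audit_sysctl "$sample"; then
    echo "host matches the baseline"
else
    echo "drift found, review the lines above"
fi
rm -f "$sample"
```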
###
######
######### OFF BELOW HERE #########
#
# Other options not enabled, but included for future reference. The following
# may be needed in high load environments or against DDOS attacks. Take a look
# at the detailed comments for more information and make an informed decision.
# NOTE: The packet limit of net.inet.icmp.icmplim controls the following
# methods: ICMP echo-reply, ICMP timestamp reply, ICMP port unreachable
# (generated as a response to a packet received on a UDP port with no listening
# application) and for limiting the transmission of TCP reset packets on open
# and closed TCP ports. net.inet.icmp.icmplim limits the number of ICMP/TCP RST
# packets per second, but may have to be increased for bit torrent or many
# connecting clients if you see the log message, "response from xxx to 200
# packets per second". (default 200)
# CUBIC congestion control: is a time based congestion control algorithm
# optimized for high speed, high latency networks and a decent choice for
# networks with minimal packet loss; most internet connections are in this
# category. CUBIC can improve startup throughput of bulk data transfers and
# burst transfers of a web server by up to 2x compared to packet loss based
# algorithms like newreno and H-TCP. Make sure to also add
# 'cc_cubic_load="YES"' to /boot/loader.conf then check available congestion
# control options with "sysctl net.inet.tcp.cc.available". If you have a
# network with greater than one percent packet loss then the next congestion
# control called H-TCP should be tested.
#net.inet.tcp.cc.algorithm=cubic # (default newreno)
# The TCP window scale (rfc3390) option is used to increase the TCP receive
# window size above its maximum value of 65,535 bytes (64k). TCP Time Stamps
# (rfc1323) allow nearly every segment, including retransmissions, to be
# accurately timed at negligible computational cost. Both options should be
# enabled by default.
#net.inet.tcp.rfc1323=1 # (default 1)
#net.inet.tcp.rfc3390=1 # (default 1)
# somaxconn is the OS buffer, backlog queue depth for accepting new TCP
# connections. Your application will have its own separate max queue length
# (maxqlen) which can be checked with "netstat -Lan". The default is 128
# connections per application thread. Let's say your Nginx web server normally
# receives 100 connections/sec and is a single threaded application. If clients
# are bursting in at a total of 250 connections/sec you may want to set the
# somaxconn at 512 to be a 512 deep connection buffer so the extra 122 clients
# (250-128=122) do not get denied service since you would have 412
# (512-100=412) extra queue slots. Also, a large listen queue will do a better
# job of avoiding Denial of Service (DoS) attacks if, and only if, your
# application can handle the TCP load at the cost of more RAM and CPU time.
# Nginx sets its backlog queue to the same as the OS somaxconn by default.
# Note: "kern.ipc.somaxconn" is not shown in "sysctl -a" output, but searching
# for "kern.ipc.soacceptqueue" gives the same value and both directives stand
# for the same buffer value.
#kern.ipc.soacceptqueue=1024 # (default 128 ; same as kern.ipc.somaxconn)
# Selective Acknowledgment (SACK) allows the receiver to inform the sender of
# packets which have been received and if any packets were dropped. The sender
# can then selectively retransmit the missing data without needing to
# retransmit entire blocks of data that have already been received
# successfully. SACK option is not mandatory and support must be negotiated
# when the connection is established using TCP header options. An attacker
# downloading large files can abuse SACK by asking for many random segments to
# be retransmitted. The server in response wastes system resources trying to
# fulfill superfluous requests. If you are serving small files to low latency
# clients then SACK can be disabled. If you see issues of flows randomly
# pausing, try disabling SACK to see if there is equipment in the path which
# does not handle SACK correctly.
#net.inet.tcp.sack.enable=1 # (default 1)
# Intel PRO 1000 network cards' maximum receive packet processing limit. Make
# sure to enable hw.igb.rxd and hw.igb.txd in /boot/loader.conf as well.
# https://fasterdata.es.net/host-tuning/nic-tuning/
#hw.igb.rx_process_limit="4096" # (default 100)
#dev.igb.0.rx_processing_limit="4096" # (default 100)
#dev.igb.1.rx_processing_limit="4096" # (default 100)
#dev.em.0.rx_processing_limit="4096" # (default 100)
#dev.em.1.rx_processing_limit="4096" # (default 100)
# SlowStart Flightsize is TCP's initial congestion window as the number of
# packets on the wire at the start of the connection or after congestion.
# Google recommends ten(10), so an MTU of 1460 bytes times ten(10) initial
# congestion window is 14.6 kilobytes. If you are running FreeBSD 9.1 or
# earlier we recommend testing with a value of 44. A window of 44 packets of
# 1460 bytes easily fits into a client's 64 kilobyte receive buffer space.
# Note, slowstart_flightsize was removed from FreeBSD 9.2 and now we can only
# set the initial congestion window to 10.
# http://www.igvita.com/2011/10/20/faster-web-vs-tcp-slow-start/
#net.inet.tcp.experimental.initcwnd10=1 # (default 1 for FreeBSD 10.1)
#net.inet.tcp.experimental.initcwnd10=1 # (default 0 for FreeBSD 9.2)
#net.inet.tcp.local_slowstart_flightsize=44 # (default 4 for FreeBSD 9.1)
#net.inet.tcp.slowstart_flightsize=44 # (default 4 for FreeBSD 9.1)
# control the amount of send and receive buffer space allowed for any given TCP
# connection. The default sending buffer is 32K; the default receiving buffer
# is 64K. You can often improve bandwidth utilization by increasing the default
# at the cost of eating up more kernel memory for each connection. We do not
# recommend increasing the defaults if you are serving hundreds or thousands of
# simultaneous connections because it is possible to quickly run the system out
# of memory. To calculate: bandwidth divided by 8 bits divided by the MSS times
# 1 million will be the size of the buffer in kilobytes. For a 60 Mbit FIOS
# connection the buffer should be at least, (60/8/1460*1000000=5136 bytes).
# Since the default buffers are larger than 5136 we stay with the default.
#net.inet.tcp.sendspace=32768 # (default 32768 )
#net.inet.tcp.recvspace=65536 # (default 65536 )
# Increase auto-tuning TCP step size of the TCP transmit and receive buffers.
# The TCP buffer starts at "net.inet.tcp.sendspace" and
# "net.inet.tcp.recvspace" and increases by these increments up to
# "net.inet.tcp.recvbuf_max" and "net.inet.tcp.sendbuf_max" as auto tuned by
# FreeBSD. http://fasterdata.es.net/host-tuning/freebsd/
#net.inet.tcp.sendbuf_inc=32768 # (default 8192 )
#net.inet.tcp.recvbuf_inc=65536 # (default 16384 )
# host cache is the client's cached tcp connection details and metrics (TTL,
# SSTRESH and VARTTL) the server can use to improve future performance of
# connections between the same two hosts. When a tcp connection is completed,
# our server will cache information about the connection until an expire
# timeout. If a new connection from the same client is initiated before the
# cache has expired, the connection will use the cached connection details to
# setup the connection's internal variables. This pre-cached setup allows the
# client and server to reach optimal performance significantly faster because
# the server will not need to go through the usual steps of re-learning the
# optimal parameters for the connection. Unfortunately, this can also make
# performance worse because the hostcache will apply the exception case to
# every new connection from a client within the expire time. In other words, in
# some cases, one person surfing your site from a mobile phone who has some
# random packet loss can reduce your server's performance to this visitor even
# when their temporary loss has cleared. 3900 seconds allows clients who
# connect regularly to stay in our hostcache. To view the current host cache
# stats use "sysctl net.inet.tcp.hostcache.list" . If you have
# "net.inet.tcp.hostcache.cachelimit=0" like in our /boot/loader.conf example
# then this expire time is negated and not used.
#net.inet.tcp.hostcache.expire=3900 # (default 3600)
# By default, acks are delayed by 100 ms or sent every other packet in order to
# improve the chance of being added to another returned data packet which is
# full. This method can cut the number of tiny packets flowing across the
# network and is efficient. But, delayed ACKs cause issues on modern, short
# hop, low latency networks. TCP works by increasing the congestion window,
# which is the amount of data currently traveling on the wire, based on the
# number of ACKs received per time frame. Delaying the timing of the ACKs
# received results in less data on the wire, time in TCP slowstart is doubled
# and in congestion avoidance after packet loss the congestion window growth is
# slowed. Setting delacktime higher than 100 will slow downloads as ACKs
# are queued too long. On low latency 10gig links we find a value of 20ms is
# optimal. http://www.tel.uva.es/personales/ignmig/pdfs/ogonzalez_NOC05.pdf
#net.inet.tcp.delayed_ack=1 # (default 1)
#net.inet.tcp.delacktime=20 # (default 100)
# Do not create a socket or compressed tcptw for TCP connections restricted to
# the local machine connecting to itself on localhost. An example connection
# would be a web server and a database server running on the same machine or
# freebsd jails connecting to each other.
#net.inet.tcp.nolocaltimewait=1 # (default 0)
# The number of frames the NIC's receive (rx) queue will accept before sending
# a kernel interrupt. If the queue is full and the kernel can not process the
# packets then the packets are dropped. Use "sysctl
# net.inet.ip.intr_queue_drops" and "netstat -Q" and increase if queue_drops is
# greater than zero(0). The real problem is the machine is simply not fast
# enough to handle the traffic. Upgrading the hardware is a better solution.
#net.inet.ip.intr_queue_maxlen=256 # (default 256)
#net.route.netisr_maxqlen=256 # (default 256)
# security settings for jailed environments. It is generally a good idea to
# separately jail any service which is accessible by an external client like
# the web or mail server. This is especially true for public facing services.
# Take a look at ezjail, http://forums.freebsd.org/showthread.php?t=16860
#security.jail.allow_raw_sockets=1 # (default 0)
#security.jail.enforce_statfs=2 # (default 2)
#security.jail.set_hostname_allowed=0 # (default 1)
#security.jail.socket_unixiproute_only=1 # (default 1)
#security.jail.sysvipc_allowed=0 # (default 0)
#security.jail.chflags_allowed=0 # (default 0)
# decrease the scheduler maximum time slice for lower latency program calls.
# By default we use stathz/10 which equals thirteen(13). Also, decrease the
# scheduler maximum time for interactive programs as this is a dedicated
# server (default 30). Also make sure you look into "kern.hz=100" in /boot/loader.conf
#kern.sched.interact=5 # (default 30)
#kern.sched.slice=3 # (default 12)
# increase localhost network buffers. For example, if you run many high
# bandwidth services on lo0 like an http or local DB server and forward public
# external traffic using PF. Also, if running many jails on lo0 then these may
# help. set to 10x(lo0 mtu 16384 + 40 bytes for header) = 164240
#net.local.stream.sendspace=164240 # (default 8192)
#net.local.stream.recvspace=164240 # (default 8192)
# threads per process
#kern.threads.max_threads_per_proc=9000
# create core dump file on "exited on signal 6"
#kern.coredump=1 # (default 1)
#kern.sugid_coredump=1 # (default 0)
#kern.corefile="/tmp/%N.core" # (default %N.core)
# ZFS L2ARC tuning - If you have read intensive workloads and limited RAM make
# sure to use an SSD for your L2ARC. Verify noprefetch is enabled(1) and
# increase the speed at which the system can fill the L2ARC device. By default,
# when the L2ARC is being populated FreeBSD will only write at 16MB/sec to the
# SSD. 16MB is calculated by adding the speed of write_boost and write_max.
# 16MB/sec is too slow as many SSDs made today can easily sustain
# 500MB/sec. It is recommended to set both write_boost and write_max to at least
# 256MB each so the L2ARC can be quickly seeded. Contrary to myth, enterprise
# class SSDs can last for many years under constant read/write abuse of a web
# server.
#vfs.zfs.l2arc_noprefetch=1 # (default 1)
#vfs.zfs.l2arc_write_boost=268435456 # (default 8388608)
#vfs.zfs.l2arc_write_max=268435456 # (default 8388608)
# ZFS - Set TXG write limit to a lower threshold. This helps "level out" the
# throughput rate (see "zpool iostat"). A value of 256MB works well for
# systems with 4 GB of RAM, while 1 GB works well for us w/ 8 GB on disks which
# have 64 MB cache.
#vfs.zfs.write_limit_override=1073741824
# For slow drives, set outstanding vdev I/O to "1" to prevent parallel
# reads/writes per zfs vdev. By limiting read write streams we effectively force
# drive access into long sequential disk access for drives like a single
# 5400rpm disk. A value of one is not good for multiple disk spindles.
#vfs.zfs.vdev.min_pending="1"
#vfs.zfs.vdev.max_pending="1"
# TCP keep alive can help detecting network errors and signaling connection
# problems. Keep alives will increase signaling bandwidth used, but as
# bandwidth utilized by signaling channels is low from its nature, the increase
# is insignificant. The system will disconnect a dead TCP connection when the
# remote peer is dead or unresponsive for: 10000 + (5000 x 8) = 50000 msec (50
# sec)
#net.inet.tcp.keepidle=10000 # (default 7200000 )
#net.inet.tcp.keepintvl=5000 # (default 75000 )
#net.inet.tcp.always_keepalive=1 # (default 1)
# UFS hard drive read ahead equivalent to 4 MiB at 32KiB block size. Easily
# increases read speeds from 60 MB/sec to 80 MB/sec on a single spinning hard
# drive. Samsung 830 SSD drives went from 310 MB/sec to 372 MB/sec (SATA 6).
# Use Bonnie++ to performance test file system I/O
#vfs.read_max=128
# global limit for number of sockets in the system. If kern.ipc.numopensockets
# plus net.inet.tcp.maxtcptw is close to kern.ipc.maxsockets then increase this
# value
#kern.ipc.maxsockets=25600
# spread tcp timer callout load evenly across cpus. We did not see any speed
# benefit from enabling per cpu timers. The default is off(0)
#net.inet.tcp.per_cpu_timers=0
# Increase maxdgram length for jumbo frames (9000 mtu) OSPF routing. Safe for
# 1500 mtu too.
#net.inet.raw.maxdgram=9216
#net.inet.raw.recvspace=9216
# seeding cryptographic random number generators is provided by the /dev/random
# device, which provides pseudo "real" randomness. The arc4random(3) library call
# provides a pseudo-random sequence which is generally reckoned to be suitable
# for simple cryptographic use. The OpenSSL library also provides functions for
# managing randomness via functions such as RAND_bytes(3) and RAND_add(3). Note
# that OpenSSL uses the random device /dev/random for seeding automatically.
# http://manpages.ubuntu.com/manpages/lucid/man4/random.4freebsd.html
#kern.random.yarrow.gengateinterval=10 # default 10 [4..64]
#kern.random.yarrow.bins=10 # default 10 [2..16]
#kern.random.yarrow.fastthresh=192 # default 192 [64..256]
#kern.random.yarrow.slowthresh=256 # default 256 [64..256]
#kern.random.yarrow.slowoverthresh=2 # default 2 [1..5]
#kern.random.sys.seeded=1 # default 1
#kern.random.sys.harvest.ethernet=1 # default 1
#kern.random.sys.harvest.point_to_point=1 # default 1
#kern.random.sys.harvest.interrupt=1 # default 1
#kern.random.sys.harvest.swi=0 # default 0 and actually does nothing when enabled
# IPv6 Security
# For more info see http://www.fosslc.org/drupal/content/security-implications-ipv6
# Disable Node info replies
# To see this vulnerability in action run `ping6 -a sglAac ::1` or `ping6 -w ::1` on an unprotected node
#net.inet6.icmp6.nodeinfo=0
# Turn on IPv6 privacy extensions
# For more info see proposal http://unix.derkeiler.com/Mailing-Lists/FreeBSD/net/2008-06/msg00103.html
#net.inet6.ip6.use_tempaddr=1
#net.inet6.ip6.prefer_tempaddr=1
# Disable ICMP redirect
#net.inet6.icmp6.rediraccept=0
# Disable acceptance of RA and auto linklocal generation if you don't use them
##net.inet6.ip6.accept_rtadv=0
##net.inet6.ip6.auto_linklocal=0
#
##
### EOF ###