Created
May 8, 2023 04:58
config /etc/sysctl.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ----------------------------------------------------------------------------- | |
| # file: /etc/sysctl.conf > /etc/sysctl.d/99-sysctl.conf | |
| # ----------------------------------------------------------------------------- | |
| # | |
| # updated: 2020/11/24 | |
| # revision: 2 | |
| # | |
| # ----------------------------------------------------------------------------- | |
| # ----------------------------------------------------------------------------- | |
| # Disk Cache and Memory Management | |
| # | |
| # disk cache tuning | |
| vm.swappiness=10 | |
| vm.vfs_cache_pressure=50 | |
| # configure memory allocation management | |
| vm.overcommit_ratio=100 | |
| vm.overcommit_memory=1 | |
| vm.dirty_background_bytes=4194304 | |
| vm.dirty_bytes=4194304 | |
| vm.dirty_writeback_centisecs=60000 | |
| vm.dirty_expire_centisecs=60000 | |
| vm.dirty_ratio=10 | |
| vm.dirty_background_ratio=5 | |
| vm.min_free_kbytes=65536 | |
| # enable kernel control with SysRQ | |
| kernel.sysrq=1 | |
| # The maximum number of inotify objects that a single user can create. | |
| fs.inotify.max_user_watches=16777216 | |
| # The maximum number of events that can be queued. | |
| fs.inotify.max_queued_events=65536 | |
| # ----------------------------------------------------------------------------- | |
| # Network Stack Settings | |
| # | |
| # ipv6 config | |
| net.ipv6.conf.all.disable_ipv6=1 | |
| net.ipv6.conf.default.disable_ipv6=1 | |
| net.ipv6.conf.lo.disable_ipv6=1 | |
| net.ipv6.conf.eth1.disable_ipv6=1 | |
| # increase TCP max buffer size | |
| net.core.rmem_max=16777216 | |
| net.core.wmem_max=16777216 | |
| net.core.rmem_default=16777216 | |
| net.core.wmem_default=16777216 | |
| net.core.optmem_max=40960 | |
| # increase Linux autotuning TCP buffer limits | |
| # min, default, and max number of bytes to use | |
| net.ipv4.tcp_rmem=4096 87380 16777216 | |
| net.ipv4.tcp_wmem=4096 65536 16777216 | |
| # recommended default congestion control is htcp | |
| net.ipv4.tcp_congestion_control=bbr | |
| # recommended for hosts with jumbo frames enabled | |
| net.ipv4.tcp_mtu_probing=1 | |
| # recommended for CentOS7+/Debian8+ hosts | |
| net.core.default_qdisc=cake | |
| # don't cache ssthresh from previous connection | |
| net.ipv4.tcp_no_metrics_save=1 | |
| # recommended to increase this for 1000 BT or higher | |
| net.core.netdev_max_backlog=50000 | |
| # turn on window scaling which can be an option to enlarge the transfer window | |
| net.ipv4.tcp_window_scaling=1 | |
| # enable timestamps as defined in RFC1323 | |
| net.ipv4.tcp_timestamps=1 | |
| # enable select acknowledgments | |
| net.ipv4.tcp_sack=1 | |
| # also up these limits | |
| net.ipv4.udp_rmem_min=8192 | |
| net.ipv4.udp_wmem_min=8192 | |
| # the number of multicast connections per socket | |
| net.ipv4.igmp_max_memberships=50 | |
| # set the maximum number of TCP sockets allowed in the system | |
| net.ipv4.tcp_max_orphans=65536 | |
| # set the time to keep the socket in state FIN-WAIT-2 after it is closed by the local party | |
| net.ipv4.tcp_fin_timeout=10 | |
| # set how often the connection should be checked if it has not been used for a long time, the sample transfer interval and the time after which the connection will be disconnected if there are no responses | |
| net.ipv4.tcp_keepalive_time=60 | |
| net.ipv4.tcp_keepalive_intvl=10 | |
| net.ipv4.tcp_keepalive_probes=6 | |
| # the number of simultaneous semi-open connections | |
| net.ipv4.tcp_max_syn_backlog=30000 | |
| # maximal number of timewait sockets held by system simultaneously | |
| net.ipv4.tcp_max_tw_buckets=2000000 | |
| # set the number of attempts to retransmit SYNACK packets for passive TCP connections | |
| net.ipv4.tcp_synack_retries=1 | |
| # the number of failed attempts after which a TCP connection closed on the local side is destroyed | |
| net.ipv4.tcp_orphan_retries=0 | |
| # allow TIME-WAIT sockets to be reused if the protocol considers it secure | |
| net.ipv4.tcp_tw_reuse=1 | |
| # flushing routes | |
| net.ipv4.route.flush=1 | |
| # TCP Fast Open for both incoming and outgoing connections | |
| net.ipv4.tcp_fastopen=3 | |
| # provide RFC2861 behavior and time out the congestion window after an idle period | |
| net.ipv4.tcp_slow_start_after_idle=0 | |
| # defend against TIME_WAIT attacks | |
| net.ipv4.tcp_rfc1337=1 | |
| # increase the range of local ports available for outbound connections | |
| net.ipv4.ip_local_port_range=1024 65535 | |
| # the maximum number of open sockets waiting to be connected | |
| net.core.somaxconn=15000 | |
| # log packets with impossible addresses for security | |
| net.ipv4.conf.default.log_martians=1 | |
| net.ipv4.conf.all.log_martians=1 | |
| # activate IP spoofing protection | |
| net.ipv4.conf.all.rp_filter=1 | |
| net.ipv4.conf.default.rp_filter=1 | |
| net.ipv4.conf.lo.rp_filter=1 | |
| net.ipv4.conf.eth1.rp_filter=1 | |
| # eliminate ARP Flux Problem | |
| net.ipv4.conf.all.arp_filter=1 | |
| net.ipv4.conf.default.arp_filter=1 | |
| # disable routing from the source | |
| net.ipv4.conf.all.accept_source_route=0 | |
| net.ipv4.conf.default.accept_source_route=0 | |
| net.ipv4.conf.lo.accept_source_route=0 | |
| net.ipv4.conf.eth1.accept_source_route=0 | |
| # disable redirection reception | |
| net.ipv4.conf.all.accept_redirects=0 | |
| net.ipv4.conf.all.secure_redirects=0 | |
| net.ipv4.conf.all.send_redirects=0 | |
| net.ipv4.conf.default.accept_redirects=0 | |
| net.ipv4.conf.default.secure_redirects=0 | |
| # increase the number of entries in the ARP cache | |
| net.ipv4.neigh.default.gc_thresh1=1024 | |
| net.ipv4.neigh.default.gc_thresh2=2048 | |
| net.ipv4.neigh.default.gc_thresh3=4096 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment