[freebsd][sysctl]freebsd sysctl 项目描述 Options

[猫猫草]

https://klaver.it/bsd/sysctl.conf

代码

# Kernel sysctl configuration file for BSD
#
# Version 1.5 - 2010-08-09
# Michiel Klaver - IT Professional
# http://klaver.it/bsd/ for the latest version - http://klaver.it/linux/ for a linux variant
#
# This file should be saved as /etc/sysctl.conf and can be activated using the command:
# /etc/rc.d/sysctl start
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and sysctl.conf(5) for more details.
#
# Tested with: FreeBSD 7.2-RELEASE-p4
#              FreeBSD 6.2-RELEASE-p3
#              MacOS-X 10.6 Snow Leopard

# Intended use for dedicated server systems at high-speed networks with loads of RAM and bandwidth available
# Optimised and tuned for high-performance web/ftp/mail/dns servers with high connection-rates
# DO NOT USE at busy networks or xDSL/Cable connections where packetloss can be expected
# ----------

# Increase some buffers
kern.ipc.somaxconn=32768
kern.ipc.maxsockets=32768
kern.ipc.nmbclusters=32768
kern.ipc.maxsockbuf=16777216
net.inet.tcp.sendspace=1048576
net.inet.tcp.recvspace=1048576
net.inet.tcp.recvbuf_auto=1
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.sendbuf_max=16777216
net.inet.tcp.recvbuf_max=16777216
net.inet.udp.maxdgram=57344
net.inet.udp.recvspace=256960
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
net.inet.tcp.win_scale_factor=8
net.inet.tcp.maxtcptw=65535
net.inet.ip.intr_queue_maxlen=4096
net.inet.ip.portrange.first=16384
net.inet.ip.portrange.last=65535
net.inet.ip.portrange.randomized=0

# Set extra network options
net.inet.tcp.msl=5000
net.inet.ip.process_options=0
net.inet.tcp.inflight.enable=0
net.inet.tcp.hostcache.expire=1
net.inet.tcp.sack.enable=1
net.inet.tcp.log_in_vain=0
net.inet.udp.log_in_vain=0
net.inet.udp.checksum=1
net.inet.tcp.icmp_may_rst=0
net.inet.icmp.icmplim=200
net.inet.icmp.icmplim_output=0
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.delayed_ack=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.keepidle=60000
net.inet.tcp.ecn.enable=1

# Enable window scaling
net.inet.tcp.rfc1323=1

# Enable SYN cookies
net.inet.tcp.syncookies=1

# Disable forwarding
net.inet.ip.forwarding=0
net.inet6.ip6.forwarding=0

# Do not accept any redirects
net.inet.ip.redirect=0
net.inet.ip6.redirect=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.icmp.maskfake=0

# Some custom security settings for jailed environments
security.bsd.see_other_uids=0
security.jail.allow_raw_sockets=1
security.jail.enforce_statfs=2
security.jail.set_hostname_allowed=0
security.jail.socket_unixiproute_only=1
security.jail.sysvipc_allowed=0
security.jail.chflags_allowed=0

# filesystem options
vfs.ufs.dirhash_maxmem=67108864
vfs.read_max=32

# Increase some extra kernel features
kern.maxproc=16384
kern.maxprocperuid=16000
kern.maxfiles=262144
kern.maxfilesperproc=200000

# make things difficult for portscanners (this breaks RFCs)
# net.inet.tcp.blackhole=2
# net.inet.udp.blackhole=1
# net.inet.ip.random_id=1
# net.inet.ip.stealth=1
# net.inet.ip.portrange.randomized=1



# kernel loader options, put these in /boot/loader.conf
#
# kern.ipc.nsfbufs=10240
# net.inet.tcp.tcbhashsize=4096
# net.inet.tcp.syncache.hashsize=1024
# net.inet.tcp.syncache.bucketlimit=512
# net.inet.tcp.syncache.cachelimit=65536
# net.inet.tcp.hostcache.hashsize=1024
# net.inet.tcp.hostcache.bucketlimit=512
# net.inet.tcp.hostcache.cachelimit=65536