Sysctl.conf

From Alpine Linux
Jump to: navigation, search

Sysctl.conf is the configuration file at /etc/sysctl.conf for sysctl and is used to configure kernel parameters at boot time. You can load the configuration file with

sysctl -p

or simply with a reboot.

This article is not an exhaustive list but covers some of the main points. You may, of course, wish to change some settings to suite your environment. The config examples are well commented so should provide all the information you need. If further information is required on anything, please make a note in this page or in the 'discussion' area.

Some of the options shown in the below examples may already be as default in your release. Check with

sysctl -a|grep <somestring>

Lines beginning with a hash '#' are comments and are thus not read until the # is removed.


IPv6

Although IPv6 is configured in /etc/network/interfaces more advanced options are configured in /etc/sysctl.conf:

## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
## You should also add it explicitly per interface:
net.ipv6.conf.eth0.use_tempaddr = 2

####Turn off IPv6 Routing####
## if not functioning as a router, there is no need
## to accept redirects or source routes
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
## if not functioning as a router, disable packet forwarding
net.ipv6.conf.all.forwarding = 0
## Number of Router Solicitations to send until assuming no routers are present.
## This is a host and not router
net.ipv6.conf.default.router_solicitations = 2

## Router advertisements can cause the system to assign a global 
## unicast address to an interface
## Turn on/off below (default is 0, off)
#net.ipv6.conf.default.autoconf = 0
## How many global unicast IPv6 addresses can be assigned to each interface?
#net.ipv6.conf.all.max-addresses = 1
#net.ipv6.conf.default.max_addresses = 1

##Force IPv6 off
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.eth0.disable_ipv6 = 1

General networking and performance

Do not enable (uncomment) any of this unless you know what you are doing!! Be prepared to perform thorough testing and potentially break stuff!

### Disable routing
## disable ALL packet forwarding (not a router, disable it)
net.ipv4.ip_forward = 0
## if not functioning as a router, there is no need to accept redirects or source routes
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
## IP source routing (insecure, disable it)
net.ipv4.conf.all.accept_source_route = 0
## send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0

## log martian packets
#net.ipv4.conf.all.log_martians = 1

### Memory and buffer changes. See http://wwwx.cs.unc.edu/~sparkst/howto/network_tuning.php for more information.
## Increase maximum amount of memory allocated to shm
#kernel.shmmax = 1073741824 
## Improve file system performance 
#vm.bdflush = 100 1200 128 512 15 5000 500 1884 2 
## This will increase the amount of memory available for socket input/output queues 
#net.ipv4.tcp_rmem = 4096 87380 524288  
#net.core.rmem_max = 1048576 
#net.core.rmem_default = 524288 
#net.ipv4.tcp_wmem = 4096 65536 524288
#net.core.wmem_max = 1048576
#net.core.wmem_default = 524288 
#net.core.optmem_max = 25165824

## Increase system file descriptor limit    
fs.file-max = 65535

## Allow for more PID's
kernel.pid_max = 65536

## Swapping too much or not enough? Disks spinning up when you'd
## rather they didn't? Tweak these.
#vm.vfs_cache_pressure = 100
#vm.laptop_mode = 0
#vm.swappiness = 60

## Set small dirty bytes values (overcomes random short system freezes)
## If you uncomment the below, it is set to 4MB
#vm.dirty_background_bytes = 4194304
#vm.dirty_bytes = 4194304

## reuse/recycle time-wait sockets (this is often needed on busy servers)
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1

## Controls the number of syn retries (default is 6)
#net.ipv4.tcp_syn_retries = 3
## Controls the number of tcp syn-ack retries (default is 5)
#net.ipv4.tcp_synack_retries = 3

## Change the time default value for tcp_fin_timeout connection 
## (i.e. time to hold socket in FIN-WAIT-2 if it was closed by us)
## Default is 60 seconds
#net.ipv4.tcp_fin_timeout = 15 
## Decrease the time default value for tcp_keepalive_time connection
## (i.e. how often to send TCP keepalive message)
## Default is 2 hours! 
#net.ipv4.tcp_keepalive_time = 360 
## Turn on tcp_window_scaling 
#net.ipv4.tcp_window_scaling = 1 
## Turn on the tcp_sack 
#net.ipv4.tcp_sack = 1 
## tcp_fack should be on because of sack 
#net.ipv4.tcp_fack = 1

## tcp timestamps
## + protect against wrapping sequence numbers (at gigabit speeds)
## + round trip time calculation implemented in TCP
## - causes extra overhead and allows uptime detection by scanners like nmap
## enable @ gigabit speeds
#net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_timestamps = 1 

## Set the port range used for outgoing connections
#net.ipv4.ip_local_port_range = 1200    65000

## the number of packets to queue on input when they arrive faster
## than they can be processed by the kernel (the socket queue)
#net.core.netdev_max_backlog = 3000

## Maximum number of remembered connection requests which have not
## received an ack from connecting client.  Increases in proportion
## to available memory.  Set it manually below
#net.ipv4.tcp_max_syn_backlog = 1000

Security

Lots of really cool things can be configured in /etc/sysctl.conf, some of these are already enabled by default like tcp syncookies (checked against Alpine 2.7.0):

## Prevent CVE-2013-2094 (only affects Linux kernel before 3.8.9)
kernel.perf_event_paranoid = 2

## Help prevent TOCTOU vulnerabilities - these attacks can likely never be fully prevented
## (see https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=800179c9b8a1e796e441674776d11cd4c05d61d7)
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

## Disable magic-sysrq key
kernel.sysrq = 0

## TCP SYN cookie protection
## helps protect against SYN flood attacks but apparently breaks RFC's
## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
net.ipv4.tcp_syncookies = 1

## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1

## source address verification (sanity checking) as specified in RFC1812
## helps protect against spoofing attacks
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

## ignore echo broadcast requests to prevent being part of smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
## optionally, ignore all echo requests
## this is NOT recommended, as it ignores echo requests on localhost as well
#net.ipv4.icmp_echo_ignore_all = 1

## ignore bogus icmp errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

## ICMP routing redirects (only secure)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1

Ginjachris (talk) 21:41, 22 November 2013 (UTC)