
sexta-feira, 27 de agosto de 2010

FreeBSD: Tuning

Tem, experimente trabalhar com as técnicas de tuning de Matt Dillon.
Exemplo de meu sysctl particular.

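# /etc/sysctl.conf -- FreeBSD kernel and TCP/IP tuning.
# sysctl(8) applies this file top to bottom, so a key that appears twice
# ends up with the LAST value. The original listing repeated several keys
# (and set kern.ipc.somaxconn to 8192 and later 32768); each key is set
# exactly once below, with the value that was actually in effect.
# Some OIDs date from older FreeBSD releases; sysctl warns and continues
# on any OID your release no longer exposes, so check the boot output of
# `sysctl -f /etc/sysctl.conf` once instead of assuming every line took.

# Tuning 1 - kernel limits and socket buffers

kern.maxfiles=131392
kern.maxfilesperproc=16424
# Cap on the listen(2) backlog. 32768 is the value the old file ended up
# with (its earlier 8192 was overridden further down).
kern.ipc.somaxconn=32768
kern.ipc.maxsockbuf=8388608

# TCP keepalive, after tuning(7) / Matt Dillon. Values are milliseconds:
# probe a connection after 24 s idle, repeat every 3 s, and give up on an
# unanswered connection attempt after 70 s. always_keepalive probes even
# sockets that never set SO_KEEPALIVE, so connections whose peer has
# silently gone away are reaped by the kernel instead of lingering.
net.inet.tcp.always_keepalive=1
net.inet.tcp.keepidle=24000
net.inet.tcp.keepintvl=3000
net.inet.tcp.keepinit=70000
# Window scaling and timestamps (needed for the 64 KiB buffers below).
net.inet.tcp.rfc1323=1
# NOTE(review): the original enabled T/TCP (rfc1644=1). T/TCP lets a peer
# with a cached connection count skip the three-way handshake, which
# removes the return-routability check that protects against spoofed
# connections; RFC 6247 moved it to Historic and current FreeBSD has no
# such OID. Left disabled here; delete the line if sysctl warns on it.
net.inet.tcp.rfc1644=0
# Inbound IP interrupt queue length. Compare with your release's default
# (it was small on old releases and is much larger on current ones): a
# short queue sheds load early under a packet flood but also drops
# legitimate bursts. Watch net.inet.ip.intr_queue_drops before keeping
# a low value.
net.inet.ip.intr_queue_maxlen=50

# Tuning 2 - ipfw

net.inet.ip.fw.enable=1
# Rule-match logging. verbose_limit stops logging a given rule after 500
# hits (until `ipfw resetlog`), so a flood of matches cannot fill the
# log. debug=1 additionally enables ipfw's own diagnostic output; turn
# it off once the ruleset is stable.
net.inet.ip.fw.debug=1
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=500
# Dynamic (keep-state) table: 256 hash buckets (must be a power of two)
# and at most 3000 entries. Once the table is full, NEW keep-state
# connections are refused, so a SYN flood against a keep-state rule
# exhausts it quickly; the short syn/fin/rst lifetimes (seconds) below
# limit how long a half-open or closing flow holds a slot. Raise dyn_max
# if this host serves many concurrent flows.
net.inet.ip.fw.dyn_buckets=256
net.inet.ip.fw.dyn_max=3000
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_syn_lifetime=20
net.inet.ip.fw.dyn_fin_lifetime=2
net.inet.ip.fw.dyn_rst_lifetime=2
net.inet.ip.fw.dyn_udp_lifetime=10
net.inet.ip.fw.dyn_short_lifetime=5
# Packets returning from a dummynet pipe or divert socket are accepted
# immediately instead of re-entering the ruleset, so rules placed AFTER
# a pipe/divert rule never see that traffic. Set to 0 if the ruleset
# relies on filtering after shaping or NAT.
net.inet.ip.fw.one_pass=1

# Blackhole: drop TCP segments (2 = SYNs included) and UDP datagrams to
# closed ports without sending RST / ICMP port-unreachable. This slows
# port scanners and removes the reply traffic a spoofed-source flood
# would otherwise provoke. It does not hide the host (open ports still
# answer) and it makes misconfigured clients hang instead of failing
# fast; prefer an explicit deny+log ipfw rule when an audit trail of the
# probes is wanted.
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

# ARP cache entry lifetime in seconds (1200 = 20 minutes).
net.link.ether.inet.max_age=1200
# Do not answer ICMP echo sent to broadcast/multicast addresses (smurf
# amplification).
net.inet.icmp.bmcastecho=0
# Maximum ICMP error responses per second. The original spelled this OID
# "icmplin", which sysctl rejects as unknown, so the limit was never
# applied.
net.inet.icmp.icmplim=50
# Do not answer ICMP address-mask requests (network reconnaissance).
net.inet.icmp.maskrepl=0

# Network hardening
# Drop and log incoming ICMP redirects, never send redirects, and never
# forward or accept source-routed packets -- each of these lets an
# on-link or on-path attacker steer traffic.
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
# IP forwarding. Only a host that routes between its interfaces should
# have this on: with forwarding=1 an end host relays packets addressed
# to other destinations, widening its exposure. Set both to 0 on a
# workstation or single-homed server.
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1

# Socket buffers. delayed_ack=0 trades extra ACK packets for lower
# latency on interactive traffic.
net.inet.tcp.delayed_ack=0
net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535

# Sound: four virtual channels on pcm0.
hw.snd.pcm0.vchans=4
hw.snd.maxautovchans=4

# SysV shared memory for the X server: largest segment 64 MiB; shmall is
# in pages (32768 pages = 128 MiB with 4 KiB pages).
kern.ipc.shmmax=67108864
kern.ipc.shmall=32768

# Bandwidth-delay product limiting: estimate each connection's
# bandwidth*delay and queue only that much data.
net.inet.tcp.inflight_enable=1

# DoS mitigation
# MSL in milliseconds. TIME_WAIT lasts 2*MSL, so 7500 shortens it from
# the default 60 s to 15 s and frees flooded sockets sooner, at the cost
# of a slightly higher chance that a late segment from an old connection
# is accepted by a new one on the same 4-tuple.
net.inet.tcp.msl=7500

# Users see only their own processes in ps/top. On FreeBSD 5 and later
# this OID was replaced by security.bsd.see_other_uids (and
# security.bsd.see_other_gids); set whichever one your release exposes.
kern.ps_showallprocs=0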
