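### Rozhuk Ivan 2009.06 - 2014
### sysctl.conf
### base tunings, resource independent
#
# One name=value per line; text after the first '#' on a line is a comment.
# Most trailing comments quote the knob's kernel description, i.e. what the
# knob controls -- not what the chosen value does.  Read "name=0 # Enable X"
# as "X is disabled here".  Lines starting with '#' are documented options
# that are deliberately not applied.
kern.sync_on_panic=1 # Do a sync before rebooting from a panic
#kern.securelevel=2 # Current secure level

# SECURITY
security.bsd.map_at_zero=0 # Permit processes to map an object at virtual address 0.
security.bsd.suser_enabled=1 # processes with uid 0 have privilege
security.bsd.unprivileged_mlock=0 # Allow non-root users to call mlock(2)
security.bsd.see_other_uids=1 # 1 = users can see processes of other UIDs; 0 hides them (the author notes this breaks some rc.d scripts, as for see_other_gids)
security.bsd.see_other_gids=1 # disabling this breaks some scripts, like rc.d scripts.
# NOTE(review): 0 relaxes the restriction on signals that unprivileged processes
# may send to setuid/setgid processes; the kernel default 1 is the hardened
# choice -- confirm 0 is intended.
security.bsd.conservative_signals=0 # disable some signals for setuid/setgid processes
security.bsd.unprivileged_proc_debug=0 # disable debug for unprivileged users
security.bsd.unprivileged_idprio=0 # Allow non-root users to set an idle priority
# 1 exposes the kernel log (dmesg) to every local user; 0 restricts it to root
security.bsd.unprivileged_read_msgbuf=1 # Unprivileged processes may read the kernel message buffer
security.bsd.hardlink_check_uid=1 # Unprivileged processes cannot create hard links to files owned by other users
security.bsd.hardlink_check_gid=1 # Unprivileged processes cannot create hard links to files owned by other groups
security.bsd.unprivileged_get_quota=0 # Unprivileged processes may retrieve quotas for other uids and gids
security.bsd.stack_guard_page=1 # Insert stack guard page ahead of the growable segments.
kern.logsigexit=1 # Log processes quitting on abnormal signals to syslog(3)
vfs.usermount=0 # disable mount for unprivileged users
kern.elf32.nxstack=1 # enable non-executable stack
kern.elf64.nxstack=1 # enable non-executable stack
net.link.ether.inet.log_arp_permanent_modify=1 # log arp replies from MACs different than the one in the permanent arp entry
net.link.ether.inet.log_arp_movements=1 # log arp replies from MACs different than the one in the cache
net.link.ether.inet.log_arp_wrong_iface=1 # log arp packets arriving on the wrong interface
net.link.log_link_state_change=1 # log interface link state change events
net.inet.ip.sourceroute=0 # Enable forwarding source routed IP packets (0 = off)
net.inet.ip.accept_sourceroute=0 # Enable accepting source routed IP packets (0 = off)
net.inet.ip.random_id=1 # random IP packet identifier
net.inet.ip.redirect=0 # generate ICMP REDIRECT (0 = off)
net.inet6.ip6.redirect=0 # generate ICMP6 REDIRECT (0 = off)
net.inet6.ip6.auto_linklocal=0 # do not generate a link-local automatically: nd6 options=
net.inet.icmp.log_redirect=0 # log ICMP REDIRECT packets
net.inet.icmp.drop_redirect=1 # drop ICMP REDIRECT packets
net.inet.icmp.maskrepl=0 # Reply to ICMP Address Mask Request packets (0 = off)
net.inet.icmp.maskfake=1 # Fake reply to ICMP Address Mask Request packets.
net.inet.icmp.bmcastecho=0 # disable broadcast ping reply
net.inet.icmp.icmplim=100 # rate limit per sec for dst unrch/tcp-rst messages
net.inet.igmp.default_version=2 # Default version of IGMP to run on each interface
net.inet.igmp.legacysupp=1 # Allow v1/v2 reports to suppress v3 group responses
net.inet.tcp.drop_synfin=1 # Drop TCP packets with SYN+FIN set
net.inet.tcp.blackhole=2 # Do not send RST on segments to closed ports
net.inet.udp.blackhole=1 # Do not send port unreachables for refused connects

# BASE KERNEL
# NOTE(review): these turn off four of random(4)'s entropy sources; make sure
# another source remains available before disabling them (check the
# kern.random sysctl tree on the target host).
kern.random.sys.harvest.ethernet=0 # Harvest NIC entropy (0 = off)
kern.random.sys.harvest.point_to_point=0 # Harvest serial net entropy (0 = off)
kern.random.sys.harvest.interrupt=0 # Harvest IRQ entropy (0 = off)
kern.random.sys.harvest.swi=0 # Harvest SWI entropy (0 = off)

# BASE NET TUNINGS (for any resources)
net.isr.dispatch=deferred # direct / hybrid / deferred // Interrupt handling via multiple CPU, but with context switch.
#net.isr.bindthreads=1 # Bind netisr threads to CPUs
net.route.netisr_maxqlen=1024 # maximum routing socket dispatch queue length
net.inet.ip.intr_queue_maxlen=4096 # Maximum size of the IP input queue. Should be increased until net.inet.ip.intr_queue_drops is zero
#net.link.ether.inet.proxyall=1 # Enable proxy ARP for all suitable requests
net.link.ether.inet.max_age=120 # ARP entry lifetime in seconds, def 1200
#net.inet.ip.forwarding=1 # Enable IP forwarding between interfaces IPv4: gateway_enable="YES"
#net.inet6.ip6.forwarding=1 # enable routing IPv6: ipv6_gateway_enable="YES"
net.inet.ip.fastforwarding=0 # 0 = off; 1 = forward packets directly to the outgoing interface with minimal validity checks (much higher throughput)
net.inet.ip.portrange.randomized=1 # 1 = random ephemeral source ports (harder to predict); 0 = sequential, sometimes used to avoid spurious RSTs
net.inet.ip.portrange.first=1024 # Increase portrange
net.inet.ip.portrange.last=65535 # For outgoing connections only. Good for seed-boxes and ftp servers.
net.inet.ip.ttl=128 # Maximum TTL on IP packets. Default is 64
net.inet.tcp.rfc1323=1 # Enable rfc1323 (high performance TCP) extensions. This should be enabled if you are going to use big windows (>64k)
net.inet.tcp.rfc3042=1 # Enable RFC 3042 (Limited Transmit)
net.inet.tcp.rfc3390=1 # Enable RFC 3390 (Increasing TCP's Initial Congestion Window)
net.inet.tcp.rfc3465=1 # Enable RFC 3465 (Appropriate Byte Counting)
net.inet.tcp.experimental.initcwnd10=1 # Enable draft-ietf-tcpm-initcwnd-05 (Increasing initial CWND to 10)
# NOTE(review): both MSS defaults are far above any usual path MTU; this only
# behaves when path-MTU discovery succeeds end-to-end -- confirm before reuse.
net.inet.tcp.mssdflt=65500 # Default TCP Maximum Segment Size
net.inet.tcp.v6mssdflt=65500 # Default TCP Maximum Segment Size for IPv6
net.inet.tcp.minmss=512 # Minimum TCP Maximum Segment Size
net.inet.tcp.msl=15000 # Maximum segment lifetime. ACK waiting time in milliseconds (default: 30000 from RFC)
net.inet.tcp.nolocaltimewait=1 # Do not create compressed TCP TIME_WAIT entries for local connections
net.inet.tcp.fast_finwait2_recycle=1 # FIN_WAIT_2 state fast recycle
# NOTE: set exactly once.  A duplicate always_keepalive=0 earlier in the file
# was removed; sysctl applies lines in order, so this later 1 was already the
# effective value.
net.inet.tcp.always_keepalive=1 # Assume SO_KEEPALIVE on all TCP connections
net.inet.tcp.keepidle=60000 # Time before tcp keepalive probe is sent, default is 2 hours (7200000)
net.inet.tcp.ecn.enable=1 # (8.0+) Explicit Congestion Notification (see http://en.wikipedia.org/wiki/Explicit_Congestion_Notification)
net.inet.tcp.syncookies=1 # Use TCP SYN cookies if the syncache overflows
net.inet.tcp.syncookies_only=0 # Use only TCP SYN cookies
net.inet.tcp.sack.enable=1 # Enable/Disable TCP SACK support
net.inet.tcp.sack.maxholes=1024 # Maximum number of TCP SACK holes allowed per connection
net.inet.tcp.sack.globalmaxholes=65536 # Global maximum number of TCP SACK holes
net.inet.tcp.delayed_ack=1 # Delay ACK to try and piggyback it onto a data packet. Turn this off on highspeed, lossless connections (LAN 1Gbit+)
net.inet.tcp.delacktime=10 # Time before a delayed ACK is sent
net.inet.tcp.syncache.rexmtlimit=7 # Limit on SYN/ACK retransmissions
net.inet.tcp.per_cpu_timers=1 # run tcp timers on all cpus
net.inet.tcp.cc.algorithm=htcp # TCP congestion control algorithm
net.inet.tcp.cc.htcp.rtt_scaling=1 # enable H-TCP RTT scaling
net.inet.tcp.cc.htcp.adaptive_backoff=1 # enable H-TCP adaptive backoff
net.inet.tcp.tso=1 # Enable TCP Segmentation Offload
net.inet.tcp.soreceive_stream=0 # Using soreceive_stream for TCP sockets (0 = off)
net.inet.udp.checksum=1 # compute udp checksum
net.inet.udp.maxdgram=65507 # Maximum outgoing UDP datagram size
# ng_socket
net.graph.maxdgram=128000 # Maximum outgoing Netgraph datagram size / really max datagram size
net.graph.recvspace=128000 # Maximum space for incoming Netgraph datagrams

# RESOURCE TUNINGS
# Every socket is a file, so increase them
#kern.maxproc=2048 # Maximum number of processes
kern.maxfiles=262144 # Maximum files
kern.maxfilesperproc=262144 # Maximum files allowed open per process
kern.maxvnodes=262144 # Maximum number of vnodes
kern.ipc.somaxconn=4096 # Max. backlog size for listen
kern.ipc.maxsockets=262144 # Maximum number of sockets available
kern.ipc.maxsockbuf=33554432 # Do not use larger sockbufs on 8.0+
kern.ipc.nmbjumbop=262144 # Maximum number of mbuf page size jumbo clusters allowed. pagesize(4k/8k)
kern.ipc.nmbclusters=262144 # Maximum number of mbuf clusters allowed // netstat -m
kern.ipc.nmbjumbo9=262144 # Maximum number of mbuf 9k jumbo clusters allowed
kern.ipc.nmbjumbo16=262144 # Maximum number of mbuf 16k jumbo clusters allowed

# NET TUNINGS
net.inet.tcp.sendspace=2097152 # Initial send socket buffer size
net.inet.tcp.sendbuf_auto=0 # 0 = fixed sendspace; 1 = grow automatically up to sendbuf_max
net.inet.tcp.sendbuf_inc=65536 # Increment step size of automatic send buffer (only used when sendbuf_auto=1)
net.inet.tcp.sendbuf_max=4194304 # Max size of automatic send buffer (only used when sendbuf_auto=1)
net.inet.tcp.recvspace=2097152 # Initial receive socket buffer size
net.inet.tcp.recvbuf_auto=0 # 0 = fixed recvspace; 1 = grow automatically up to recvbuf_max
net.inet.tcp.recvbuf_inc=65536 # Increment step size of automatic receive buffer (only used when recvbuf_auto=1)
net.inet.tcp.recvbuf_max=4194304 # Max size of automatic receive buffer (only used when recvbuf_auto=1)
net.inet.tcp.maxtcptw=40960 # Maximum number of compressed TCP TIME_WAIT entries
net.inet.udp.recvspace=4194304 # Maximum space for incoming UDP datagrams
net.inet.raw.maxdgram=4194304 # Maximum outgoing raw IP datagram size
net.inet.raw.recvspace=4194304 # Maximum space for incoming raw IP datagrams

# Flowtable - flow caching mechanism
# Useful for routers
#net.inet.flowtable.enable=1
#net.inet.flowtable.nmbflows=65535

# IPFW dynamic rules and timeouts tuning
# Increase dyn_buckets till net.inet.ip.fw.curr_dyn_buckets is lower
#net.inet.ip.fw.dyn_buckets=65536
#net.inet.ip.fw.dyn_max=65536
#net.inet.ip.fw.dyn_ack_lifetime=120
#net.inet.ip.fw.dyn_syn_lifetime=10
#net.inet.ip.fw.dyn_fin_lifetime=2
#net.inet.ip.fw.dyn_short_lifetime=10
# Make packets pass firewall only once when using dummynet
# i.e. packets going thru pipe are passing out from firewall with accept
##net.inet.ip.fw.one_pass=1

# DUMMYNET
# This speeds up dummynet when channel isn't saturated
#net.inet.ip.dummynet.io_fast=1
#net.inet.ip.dummynet.hash_size=2048 # users/peers/hosts count
#net.inet.ip.dummynet.max_chain_len

# SHARED MEMORY
#kern.ipc.shmmax=2147483648 # (7.2+) can use shared memory > 2Gb
#kern.ipc.shm_use_phys=1 # Wires all shared pages, making them unswappable. Useful for databases

# FILE SYSTEM
vfs.vmiodirenable=1 # Use the VM system for directory writes
vfs.write_behind=1 # Cluster write-behind; 0: disable, 1: enable, 2: backed off
vfs.read_max=128 # Cluster read-ahead max block count
vfs.ufs.dirhash_maxmem=67108864 # Should be increased when you have A LOT of files on server (Increase until vfs.ufs.dirhash_mem becomes lower)
vfs.hirunningspace=8388608 # Maximum amount of space to use for in-progress I/O

# POWER SAVING: https://wiki.freebsd.org/TuningPowerConsumption
hw.pci.do_power_nodriver=3 # power off devices without a driver
hw.pci.do_power_resume=3 # Transition from D3 -> D0 on resume

# HARDWARE TUNINGS
hw.intr_storm_threshold=16000 # Number of consecutive interrupts before storm protection is enabled
dev.em.0.fc=0 # disable flow control rx and tx
#dev.em.0.rx_kthreads=2 #
dev.em.0.rx_int_delay=200 # delays the generation of receive interrupts in units of 1.024 microseconds.
dev.em.0.tx_int_delay=200 # delays the generation of transmit interrupts in units of 1.024 microseconds.
dev.em.0.rx_abs_int_delay=1200 # limits the maximum delay in which a receive interrupt is generated.
dev.em.0.tx_abs_int_delay=1200 # limits the maximum delay in which a transmit interrupt is generated.
dev.em.0.rx_processing_limit=4096 # max number of rx packets to process
#dev.igb.0.fc=0 # disable flow control rx and tx
#dev.igb.0.enable_lro=0
#dev.igb.1.enable_lro=0
#dev.igb.0.rx_processing_limit=2048
#dev.igb.1.rx_processing_limit=2048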