From 19916769ae9b968db2e2e36c5d50bd706093b839 Mon Sep 17 00:00:00 2001
From: K4YT3X
Date: Tue, 12 Oct 2021 18:14:09 +0000
Subject: [PATCH] updated assumptions; enabled more optimizations by default
---
 README.md | 11 ++++++++++-
 sysctl.conf | 20 +++++++++++---------
 2 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 4e441a5..e25a80c 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,16 @@ This repository hosts my hardened version of `sysctl.conf`. This configuration f
 **Please review the configuration file carefully before applying it.** You are responsible for actions done to your system. If you need some guidance understanding what each of the settings is for, [sysctl-explorer](https://sysctl-explorer.net/) might come in handy. You may also consult [Linux's kernel documentation](https://www.kernel.org/doc/Documentation/sysctl/).
-Please be aware that this `sysctl.conf` is **designed for 64-bit endpoint hosts that do not act as a router**. If you would like to use this configuration file on a router, please go over the configuration file and make the necessary changes (e.g., set `net.ipv4.ip_forward` to `1`).
+## Assumptions
+
+This configuration file is written with a few assumptions about your OS. You can still use this configuration as a template if your OS does not match these assumptions (e.g., set `net.ipv4.ip_forward` to `1` on a router). Making these assumptions helps us to develop a configuration file with the most number of optimizations enabled for common systems.
+
+- Security is valued over performance and convenience
+- The OS does not act as a router
+- The OS is running on a 64-bit system
+- The OS is on a network that is relatively stable (e.g., wired vs. LTE)
+- No debugging features are required (e.g., no need for GDB/kdump)
+- ICMP echo messages are not regarded as harmful
 ## Configuration Deployment
diff --git a/sysctl.conf b/sysctl.conf
index 3e7e5bb..71b4a61 100644
--- a/sysctl.conf
+++ b/sysctl.conf
@@ -124,11 +124,11 @@ net.core.netdev_max_backlog = 250000
 net.core.bpf_jit_harden = 2
 # increase TCP max buffer size setable using setsockopt()
-#net.core.rmem_max = 8388608
-#net.core.wmem_max = 8388608
-#net.core.rmem_default = 8388608
-#net.core.wmem_default = 8388608
-#net.core.optmem_max = 8388608
+net.core.rmem_max = 8388608
+net.core.wmem_max = 8388608
+net.core.rmem_default = 8388608
+net.core.wmem_default = 8388608
+#net.core.optmem_max = 40960
 ########## IPv4 Networking ##########
@@ -218,6 +218,8 @@ net.ipv4.tcp_timestamps = 0
 # enabling SACK can increase the throughput
 # but SACK is commonly exploited and rarely used
 net.ipv4.tcp_sack = 0
+net.ipv4.tcp_dsack = 0
+net.ipv4.tcp_fack = 0
 # divide socket buffer evenly between TCP window size and application
 net.ipv4.tcp_adv_win_scale = 1
@@ -225,15 +227,15 @@ net.ipv4.tcp_adv_win_scale = 1
 # SSR could impact TCP's performance on a fixed-speed network (e.g., wired)
 # but it could be helpful on a variable-speed network (e.g., LTE)
 # uncomment this if you are on a fixed-speed network
-#net.ipv4.tcp_slow_start_after_idle = 0
+net.ipv4.tcp_slow_start_after_idle = 0
 # enabling MTU probing helps mitigating PMTU blackhole issues
 # this may not be desirable on congested networks
-#net.ipv4.tcp_mtu_probing = 1
+net.ipv4.tcp_mtu_probing = 1
 # increase memory thresholds to prevent packet dropping
-#net.ipv4.tcp_rmem = 4096 87380 8388608
-#net.ipv4.tcp_wmem = 4096 87380 8388608
+net.ipv4.tcp_rmem = 4096 87380 8388608
+net.ipv4.tcp_wmem = 4096 87380 8388608
 ########## IPv6 Networking ##########
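Review bot: `net.core.rmem_default` and `net.core.wmem_default` are uncommented at 8388608 next to the `_max` lines, but only the `_max` values raise the ceiling that setsockopt() may request, which is what the comment above describes; the `_default` values raise the initial per-socket buffering limit of every socket not governed by `tcp_rmem`/`tcp_wmem` (UDP among them), so the kernel memory a burst of datagrams can pin per socket grows accordingly on a host the README says favours security over performance. Consider leaving the two `_default` lines commented, or extend the comment, e.g. `# rmem_default/wmem_default also raise the initial buffer limit of every non-TCP socket (memory cost per socket)`. The suggested `optmem_max` value drops from 8388608 to 40960 while staying commented out; a short comment on why the suggestion was reduced would help the next reader.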
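Review bot: `net.ipv4.tcp_dsack = 0` and `net.ipv4.tcp_fack = 0` are added under a comment that only explains SACK; DSACK is a SACK extension that only takes effect while SACK is enabled, which the line above already turns off, and on recent kernels the ip-sysctl documentation lists tcp_fack as a legacy option with no effect, so both lines appear to be no-ops here. If they are kept for explicitness, say so, e.g. `# DSACK/FACK are SACK extensions, disabled for consistency (tcp_fack is a legacy no-op on recent kernels)`. The existing remark that SACK is "commonly exploited" would also benefit from stating which issue it refers to, so readers can judge whether it still applies to their kernel.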
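Review bot: The comment `# uncomment this if you are on a fixed-speed network` is now stale, because the line below it, `net.ipv4.tcp_slow_start_after_idle = 0`, is uncommented by this hunk and the README's new assumptions treat a stable network as the default; change it to `# comment this out if you are on a variable-speed network`. The `tcp_mtu_probing` comment two lines later ("may not be desirable on congested networks") already reads as a caveat rather than an instruction, so it still fits the now-enabled setting.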