About

This file is based on the work of Michiel Klaver and provides some optimisations for current Linux kernels. It should either replace /etc/sysctl.conf or be placed at /etc/sysctl.d/local.conf on Debian-like Linux distributions.

In order to load the file without rebooting, one can issue:

sysctl --system

Code

local.conf
# Kernel sysctl configuration file for Linux
 
# These settings are meant for busy linux servers and not for DSL or Cable. The file is 
# based on the original provided by Michiel Klaver and includes additional optimizations 
# by the Wizardry and Steamworks group.
 
# The file should either replace /etc/sysctl.conf or, on Debian-like distributions, be placed
# at /etc/sysctl.d/local.conf; the distribution will load it on reboot or when issuing
# sysctl --system
 
# Originally created by:
# Michiel Klaver - IT Professional
# Linux: http://klaver.it/linux/ 
# BSD: http://klaver.it/bsd/ for a BSD variant
 
# Credits:
# http://www.enigma.id.au/linux_tuning.txt
# http://www.securityfocus.com/infocus/1729
# http://fasterdata.es.net/TCP-tuning/linux.html
# http://fedorahosted.org/ktune/browser/sysctl.ktune
# http://www.cymru.com/Documents/ip-stack-tuning.html
# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
# http://knol.google.com/k/linux-performance-tuning-and-measurement
# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
# http://www.redbooks.ibm.com/abstracts/REDP4285.html
# http://www.speedguide.net/read_articles.php?id=121
# http://lartc.org/howto/lartc.kernel.obscure.html
# http://en.wikipedia.org/wiki/Sysctl
 
 
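###
### GENERAL SYSTEM SECURITY OPTIONS ###
###

# Auto-reboot linux 30 seconds after a kernel panic
kernel.panic = 30
# Turn an oops into a panic so the reboot above applies. This is a 0/1 switch;
# the previous value of 30 only worked because any non-zero value means "on"
kernel.panic_on_oops = 1
# console_loglevel default_message_loglevel minimum_console_loglevel default_console_loglevel
kernel.printk = 3 4 1 3

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Allow for more PIDs. Current distributions may already default to a value
# larger than this; check `sysctl kernel.pid_max` first so this does not lower it
kernel.pid_max = 65536

# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process.
# kernel.maps_protect no longer exists in current kernels; kept for reference only
#kernel.maps_protect = 1

# kernel.exec-shield only exists on Red Hat kernels; mainline relies on NX plus ASLR
#kernel.exec-shield = 1
# Address space layout randomisation: 0 = off, 1 = stack/mmap/VDSO only,
# 2 = also randomise the heap (brk). 2 is the kernel default and the only
# setting that randomises every region; the previous value of 1 weakened ASLR
kernel.randomize_va_space = 2

# Controls the default maximum size of a message queue, in bytes
kernel.msgmnb = 65536

# Controls the maximum size of a single message, in bytes
kernel.msgmax = 65536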
 
###
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
###
 
# Increase size of file handles and inode cache
fs.file-max = 209708
 
# CFS: these keys are only exposed by kernels built with CONFIG_SCHED_DEBUG and
# have been dropped from sysctl in recent kernels (sysctl then reports them as unknown)
kernel.sched_min_granularity_ns = 10000000
kernel.sched_wakeup_granularity_ns = 15000000
 
# HugePages: reserves 1024 huge pages when loaded (with the common 2 MiB page
# size that is 2 GiB pinned for hugetlb use only - size it to the workload).
# vm.hugepages_treat_as_movable has been removed from current kernels
vm.nr_hugepages = 1024
vm.hugepages_treat_as_movable = 1
# vm.hugetlb_shm_group = 2021
 
# Do less swapping
#vm.swappiness = 10
# percent of RAM that may hold dirty pages before writers are forced to flush
vm.dirty_ratio = 40
#vm.dirty_background_ratio = 2
 
#vm.dirty_expire_centisecs = 1800
#vm.dirty_writeback_centisecs = 6000
 
#vm.dirty_writeback_centisecs=60000
#vm.dirty_expire_centisecs=120000
 
# specifies the minimum virtual address that a process is allowed to mmap.
# This guards against kernel NULL-pointer dereference exploits; 4096 is lower
# than the 65536 most x86 distributions ship, so it weakens that guard
vm.mmap_min_addr = 4096
 
# Overcommit policy. 0 is the kernel default HEURISTIC mode, i.e. overcommit
# IS allowed (2 would be strict accounting). overcommit_ratio is only consulted
# in mode 2, where 0 would leave a commit limit of swap only - do not switch
# to 2 without raising it
vm.overcommit_ratio = 0
vm.overcommit_memory = 0
 
# shmmax is in bytes (256 MiB). shmall is in PAGES, so 268435456 pages is about
# 1 TiB with 4 KiB pages and does not cap total shared memory at 256 MiB
# (65536 pages would)
kernel.shmmax = 268435456
kernel.shmall = 268435456
 
# Keep at least 64MB of free RAM space available
vm.min_free_kbytes = 65536
 
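###
### GENERAL NETWORK SECURITY OPTIONS ###
###

# Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096

# Packet forwarding is ENABLED: this box routes/bridges between its interfaces.
# Set every key in this group to 0 on a host that does not route. With
# forwarding on, the accept_redirects and accept_source_route settings below
# decide whether other hosts can steer traffic through this box
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1

# Send ICMP redirects: legitimate for a router telling hosts about a better
# gateway; set to 0 on a non-forwarding host
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
# Disable IP source routing: a source-routed packet lets the sender dictate
# the path through this box and bypass its routing policy, so never accept
# them (was 1 here under a comment that claimed to disable it)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Reverse path (source address) verification is OFF because strict mode (1)
# drops legitimate traffic on bridges and asymmetric routes. 2 (loose mode)
# still rejects sources with no route at all and usually works on such setups
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0

# Disable ICMP Redirect Acceptance: a forwarding host that honours redirects
# lets any peer rewrite its routes. The kernel itself defaults this to 0 once
# forwarding is on; it was 1 here under a comment that claimed to disable it
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Log spoofed, source-routed and redirect packets (martians). This only adds
# kernel log lines and is the evidence trail for the settings above (was 0)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Time to hold socket in state FIN-WAIT-2,
# if it was closed by our side. Peer can be broken and never close its
# side, or even die unexpectedly. The default value is 60 seconds.
# Usual value used in 2.2 was 180 seconds, you may restore it, but
# remember that if your machine is even underloaded web server, you risk
# to overflow memory with lots of dead sockets. FIN-WAIT-2 sockets are
# less dangerous than FIN-WAIT-1, because they eat maximum 1.5 kilobytes
# of memory, but they tend to live longer.
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0

# Proxy ARP is ENABLED: this box answers ARP requests for any address it can
# route. Only appropriate when it deliberately fronts a LAN segment; set to 0
# otherwise (the old comment said "don't proxy arp" but the value did)
net.ipv4.conf.all.proxy_arp = 1

# Turn on SACK. tcp_fack is a legacy key with no effect on current kernels
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1

# Turn off FRTO for a server. tcp_frto_response no longer exists on current
# kernels, where sysctl reports it as unknown and continues
net.ipv4.tcp_frto = 0
net.ipv4.tcp_frto_response = 0

# If enabled, assume that no receipt of a window-scaling option means that
# the remote TCP is broken and treats the window as a signed quantity.
net.ipv4.tcp_workaround_signed_windows = 1

# Path MTU discovery is DISABLED: the DF bit is not set, so oversized packets
# are fragmented instead of sized to the path. The kernel default is 0; 1 only
# makes sense behind a network that drops the ICMP messages PMTU discovery needs
net.ipv4.ip_no_pmtu_disc = 1

# TCP packetization-layer MTU probing: 1 = probe only after an ICMP black hole
# is detected, 2 = always probe. This is what makes jumbo-frame paths safe
net.ipv4.tcp_mtu_probing = 1

# Kernel 3.6+
#net.ipv4.tcp_fastopen = 1
# Turn on low latency (disable pre-queue). The prequeue has been removed from
# current kernels, where this key is accepted but has no effect
net.ipv4.tcp_low_latency = 1

# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1

# Don't ignore directed pings
net.ipv4.icmp_echo_ignore_all = 0

# Enable ignoring broadcasts request (avoids being used as a broadcast-ping amplifier)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Allowed local port range (the active value is set under TUNING NETWORK PERFORMANCE)
#net.ipv4.ip_local_port_range = 16384 65536

# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1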
 
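###
### TUNING NETWORK PERFORMANCE ###
###

# The module is tcp_illinois; if it is not available the write fails and the
# kernel default algorithm stays in effect. List it in /etc/modules-load.d/ so
# it is present before sysctl runs at boot
net.ipv4.tcp_congestion_control = illinois

# Increase port range
net.ipv4.ip_local_port_range = 1025 65535

# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Bridged traffic IS passed through iptables/ip6tables/arptables (1 = filter
# it, 0 = bypass). These keys only exist once br_netfilter is loaded; until
# then sysctl reports them as unknown
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

# Increase the maximum total buffer-space allocatable
# This is measured in units of pages (4096 bytes)
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144

# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 262144
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 131072
net.core.rmem_max = 262144

# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 262144
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 131072
net.core.wmem_max = 262144

# Increase number of incoming connections
net.core.somaxconn = 32768

# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 32768
net.core.dev_weight = 64

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 65536

# Increase the maximum number of skb-heads to be cached
#net.core.hot_list_length = 1024

# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
# tcp_tw_recycle silently rejected connections from clients behind NAT (it
# keyed on per-host TCP timestamps) and was removed in Linux 4.12; it stays
# off/absent here. tw_reuse alone is the safe way to reuse TIME-WAIT sockets
# for new outgoing connections when it is safe from protocol viewpoint
#net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1

# Limit number of orphans, each orphan can eat up to wmem_max of unswappable memory
net.ipv4.tcp_max_orphans = 65536
net.ipv4.tcp_orphan_retries = 1

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# This removes an odd behavior in the 2.6 kernels, whereby the kernel stores
# the slow start threshold for a client between TCP sessions. This can cause
# undesired results, as a single period of congestion can affect many
# subsequent connections.
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1

# Disable slow start after idle (keeps the window open between bursts on
# long-lived multiplexed connections such as SPDY/HTTP2)
net.ipv4.tcp_slow_start_after_idle = 0

# Increase RPC slots
#sunrpc.tcp_slot_table_entries = 32
#sunrpc.udp_slot_table_entries = 32

# Increase the Unix domain datagram socket queue length (net.unix, not RPC)
net.unix.max_dgram_qlen = 50

# Don't allow the arp table to become bigger than this
net.ipv4.neigh.default.gc_thresh3 = 2048

# Tell the gc when to become aggressive with arp table cleaning.
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
net.ipv4.neigh.default.gc_thresh2 = 1024

# Adjust where the gc will leave arp table alone - set to 32.
net.ipv4.neigh.default.gc_thresh1 = 32

# Adjust to arp table gc to clean-up more often
net.ipv4.neigh.default.gc_interval = 30

# Neighbour (ARP) table queue lengths, not TCP: proxy_qlen is the queue of
# delayed proxy ARP replies, unres_qlen the packets held per unresolved neighbour
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6

# Enable Explicit Congestion Notification (RFC 3168): 1 = request it on
# outgoing and accept it on incoming connections, 2 = only when the peer asks
# (kernel default). Disable it if it doesn't work for you
net.ipv4.tcp_ecn = 1
#net.ipv4.tcp_ecn = 2
net.ipv4.tcp_reordering = 3

# Retransmission limits: retries1 before the route is re-checked, retries2
# before an established connection is abandoned (15 is the kernel default)
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3

# Flush the route cache so connections made right after loading use the new
# values; keep these as the last lines of the file
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1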