Skåne Sjælland Linux User Group - http://www.sslug.dk

Re: [NETVAERK] NAT timeout (ip_conntrack)



Hi
Funny problem you have there - we would like to hear more about it, both the problems and the solutions ;-)
At one point I wrote a little shell script that was meant to optimise various network parameters in Linux. I never finished it, but I use what I got done myself. Maybe you can use some of it?
It follows below, just as text.
/Jeppe


PS. I had the problem with the 5-day timeout myself, but on an OpenBSD firewall. There we also turned this timer down (I believe to 4 hours), which caused no problems....

=================
sslug@sslug init.d]# cat ip_tune
#!/bin/sh

echo "Tuning ip stack ... "
# Enable syn-cookies (syn-flooding attacks)
       echo "1" >/proc/sys/net/ipv4/tcp_syncookies

# Disable tcp-timestamps (e.g. uptime detection using nmap)
       echo "0" >/proc/sys/net/ipv4/tcp_timestamps

# Set frag timeout
       echo "25" >/proc/sys/net/ipv4/ipfrag_time
# Set tcp-fin timeout
       echo "60" >/proc/sys/net/ipv4/tcp_fin_timeout
# Set keep-alive timeout
       echo "1800" >/proc/sys/net/ipv4/tcp_keepalive_time
# Set backlog
       echo "1024" >/proc/sys/net/ipv4/tcp_max_syn_backlog

# For better logging performance over fast LAN links, turn off SACK and window scaling
# - for better performance of local (on the fw) servers over slow/noisy WAN links, turn SACK and window scaling on.
# Set tcp-sack
# /proc/sys/net/ipv4/tcp_sack
# Use Selective ACK which can be used to signify that specific packets are missing - helping fast recovery.
echo "0" >/proc/sys/net/ipv4/tcp_sack
# Set window scaling
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
# Tcp-tuning
echo "5" >/proc/sys/net/ipv4/tcp_syn_retries
echo "5" >/proc/sys/net/ipv4/tcp_synack_retries



# Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Set echo-reply rate
# echo "5" >/proc/sys/net/ipv4/icmp_echoreply_rate
# Disable ICMP echo-request altogether
# echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all
# Starting IP Bogus Error Response Protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Set local port range
# - increase the number of TCP ephemeral (short lived) ports:
       echo "30000 60999" >/proc/sys/net/ipv4/ip_local_port_range

# Set default TTL
       echo "50" >/proc/sys/net/ipv4/ip_default_ttl

# Disable ECN
       echo "0" > /proc/sys/net/ipv4/tcp_ecn

# Increase the amount of memory associated with input and output socket buffers:
TOTALMEM=768


# On 2.6.X kernels increase the kernel's free memory reserve (vm.min_free_kbytes):
# 1024 kB per 64 MB of memory
echo `expr $TOTALMEM / 64 \* 1024` > /proc/sys/vm/min_free_kbytes
# /proc/sys/vm/page-cluster = 2/3/4 (io tuning)
#
# 64 KB (65535 bytes) per 64 MB of memory
echo `expr $TOTALMEM / 64 \* 65535` > /proc/sys/net/core/rmem_default
echo `expr $TOTALMEM / 64 \* 65535` > /proc/sys/net/core/rmem_max
echo `expr $TOTALMEM / 64 \* 65535` > /proc/sys/net/core/wmem_default
echo `expr $TOTALMEM / 64 \* 65535` > /proc/sys/net/core/wmem_max
#
#
TCPMEM1=`expr $TOTALMEM / 64 \* 7168`
TCPMEM2=`expr $TOTALMEM / 64 \* 8192`
TCPWMEM=`expr $TOTALMEM / 64 \* 4096`
echo "$TCPWMEM `expr 4 \* $TCPWMEM` `expr 8 \* $TCPWMEM`" > /proc/sys/net/ipv4/tcp_wmem
TCPRMEM=`expr 3 \* $TCPWMEM`
echo "$TCPRMEM `expr 4 \* $TCPRMEM` `expr 8 \* $TCPRMEM`" > /proc/sys/net/ipv4/tcp_rmem
####
# tcp buckets (180000 per 64 MB of memory)
# Maximal number of timewait sockets held by system simultaneously. If this number is exceeded
# time-wait socket is immediately destroyed and warning is printed. This limit exists only to
# prevent simple DoS attacks, you _must_ not lower the limit artificially, but rather increase
# it (probably, after increasing installed memory), if network conditions require more than default value.
echo `expr $TOTALMEM / 64 \* 180000` > /proc/sys/net/ipv4/tcp_max_tw_buckets
####
# Frag memory
# /proc/sys/net/ipv4/ipfrag_high_thresh
# Maximum memory used to reassemble IP fragments. When ipfrag_high_thresh bytes of memory is
# allocated for this purpose, the fragment handler will toss packets until ipfrag_low_thresh is reached.
# /proc/sys/net/ipv4/ipfrag_low_thresh
# Minimum memory used to reassemble IP fragments.
echo `expr $TOTALMEM \* 1024` > /proc/sys/net/ipv4/ipfrag_high_thresh
echo `expr $TOTALMEM \* 872` > /proc/sys/net/ipv4/ipfrag_low_thresh
####
# Opt mem
echo `expr $TOTALMEM / 64 \* 7168` > /proc/sys/net/core/optmem_max
# echo $TOTALMEM > /proc/sys/net/core/hot_list_length


#=====================================================================================================
#/proc/sys/net/ipv4/icmp_destunreach_rate
#If the kernel decides that it can't deliver a packet, it will drop it, and send the source of the packet an ICMP notice to this effect.
#
#/proc/sys/net/ipv4/icmp_echo_ignore_all
#Don't act on echo packets at all. Please don't set this by default, but if you are used as a relay in a DoS attack, it may be useful.
#
#/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts [Useful]
#If you ping the broadcast address of a network, all hosts are supposed to respond. This makes for a dandy denial-of-service tool. Set this to 1 to ignore these broadcast messages.
#
#/proc/sys/net/ipv4/icmp_echoreply_rate
#The rate at which echo replies are sent to any one destination.
#
#/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Set this to ignore ICMP errors caused by hosts in the network reacting badly to frames sent to what they perceive to be the broadcast address.
#
#/proc/sys/net/ipv4/icmp_paramprob_rate
#A relatively unknown ICMP message, which is sent in response to incorrect packets with broken IP or TCP headers. With this file you can control the rate at which it is sent.
#
#/proc/sys/net/ipv4/icmp_timeexceed_rate
#This is the famous cause of the 'Solaris middle star' in traceroutes. Limits the number of ICMP Time Exceeded messages sent.
#
#/proc/sys/net/ipv4/igmp_max_memberships
#Maximum number of listening igmp (multicast) sockets on the host. FIXME: Is this true?
#
#/proc/sys/net/ipv4/inet_peer_gc_maxtime
#FIXME: Add a little explanation about the inet peer storage? Minimum interval between garbage collection passes. This interval is in effect under low (or absent) memory pressure on the pool. Measured in jiffies.
#
#/proc/sys/net/ipv4/inet_peer_gc_mintime
#Minimum interval between garbage collection passes. This interval is in effect under high memory pressure on the pool. Measured in jiffies.
#
#/proc/sys/net/ipv4/inet_peer_maxttl
#Maximum time-to-live of entries. Unused entries will expire after this period of time if there is no memory pressure on the pool (i.e. when the number of entries in the pool is very small). Measured in jiffies.
#
#/proc/sys/net/ipv4/inet_peer_minttl
#Minimum time-to-live of entries. Should be enough to cover fragment time-to-live on the reassembling side. This minimum time-to-live is guaranteed if the pool size is less than inet_peer_threshold. Measured in jiffies.
#
#/proc/sys/net/ipv4/inet_peer_threshold
#The approximate size of the INET peer storage. Starting from this threshold entries will be thrown aggressively. This threshold also determines entries' time-to-live and time intervals between garbage collection passes. More entries, less time-to-live, less GC interval.
#
#/proc/sys/net/ipv4/ip_autoconfig
#This file contains the number one if the host received its IP configuration by RARP, BOOTP, DHCP or a similar mechanism. Otherwise it is zero.
#
#/proc/sys/net/ipv4/ip_default_ttl
#Time To Live of packets. Set to a safe 64. Raise it if you have a huge network. Don't do so for fun - routing loops cause much more damage that way. You might even consider lowering it in some circumstances.
#
#/proc/sys/net/ipv4/ip_dynaddr
#You need to set this if you use dial-on-demand with a dynamic interface address. Once your demand interface comes up, any local TCP sockets which haven't seen replies will be rebound to have the right address. This solves the problem that the connection that brings up your interface itself does not work, but the second try does.
#
#/proc/sys/net/ipv4/ip_forward
#If the kernel should attempt to forward packets. Off by default.
#
#/proc/sys/net/ipv4/ip_local_port_range
#Range of local ports for outgoing connections. Actually quite small by default, 1024 to 4999.
#
#/proc/sys/net/ipv4/ip_no_pmtu_disc
#Set this if you want to disable Path MTU discovery - a technique to determine the largest Maximum Transfer Unit possible on your path. See also the section on Path MTU discovery in the Cookbook chapter.
#
#/proc/sys/net/ipv4/ipfrag_high_thresh
#Maximum memory used to reassemble IP fragments. When ipfrag_high_thresh bytes of memory is allocated for this purpose, the fragment handler will toss packets until ipfrag_low_thresh is reached.
#
#/proc/sys/net/ipv4/ip_nonlocal_bind
#Set this if you want your applications to be able to bind to an address which doesn't belong to a device on your system. This can be useful when your machine is on a non-permanent (or even dynamic) link, so your services are able to start up and bind to a specific address when your link is down.
#
#/proc/sys/net/ipv4/ipfrag_low_thresh
#Minimum memory used to reassemble IP fragments.
#
#/proc/sys/net/ipv4/ipfrag_time
#Time in seconds to keep an IP fragment in memory.
#
#/proc/sys/net/ipv4/tcp_abort_on_overflow
#A boolean flag controlling the behaviour under lots of incoming connections. When enabled, this causes the kernel to actively send RST packets when a service is overloaded.
#
#/proc/sys/net/ipv4/tcp_fin_timeout
#Time to hold socket in state FIN-WAIT-2, if it was closed by our side. Peer can be broken and never close its side, or even died unexpectedly. Default value is 60sec. Usual value used in 2.2 was 180 seconds, you may restore it, but remember that if your machine is even underloaded WEB server, you risk to overflow memory with kilotons of dead sockets, FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1, because they eat maximum 1.5K of memory, but they tend to live longer. Cf. tcp_max_orphans.
#
#/proc/sys/net/ipv4/tcp_keepalive_time
#How often TCP sends out keepalive messages when keepalive is enabled. Default: 2hours.
#
#/proc/sys/net/ipv4/tcp_keepalive_intvl
#How frequent probes are retransmitted, when a probe isn't acknowledged. Default: 75 seconds.
#
#/proc/sys/net/ipv4/tcp_keepalive_probes
#How many keepalive probes TCP will send, until it decides that the connection is broken. Default value: 9. Multiplied with tcp_keepalive_intvl, this gives the time a link can be non-responsive after a keepalive has been sent.
#
#/proc/sys/net/ipv4/tcp_max_orphans
#Maximal number of TCP sockets not attached to any user file handle, held by system. If this number is exceeded orphaned connections are reset immediately and warning is printed. This limit exists only to prevent simple DoS attacks, you _must_ not rely on this or lower the limit artificially, but rather increase it (probably, after increasing installed memory), if network conditions require more than default value, and tune network services to linger and kill such states more aggressively. Let me remind you again: each orphan eats up to 64K of unswappable memory.
#
#/proc/sys/net/ipv4/tcp_orphan_retries
#How many times to retry before killing a TCP connection closed by our side. Default value 7 corresponds to 50sec-16min depending on RTO. If your machine is a loaded WEB server, you should think about lowering this value, such sockets may consume significant resources. Cf. tcp_max_orphans.
#
#/proc/sys/net/ipv4/tcp_max_syn_backlog
#Maximal number of remembered connection requests, which still did not receive an acknowledgment from connecting client. Default value is 1024 for systems with more than 128Mb of memory, and 128 for low memory machines. If server suffers of overload, try to increase this number. Warning! If you make it greater than 1024, it would be better to change TCP_SYNQ_HSIZE in include/net/tcp.h to keep TCP_SYNQ_HSIZE*16<=tcp_max_syn_backlog and to recompile kernel.
#
#/proc/sys/net/ipv4/tcp_max_tw_buckets
#Maximal number of timewait sockets held by system simultaneously. If this number is exceeded time-wait socket is immediately destroyed and warning is printed. This limit exists only to prevent simple DoS attacks, you _must_ not lower the limit artificially, but rather increase it (probably, after increasing installed memory), if network conditions require more than default value.
#
#/proc/sys/net/ipv4/tcp_retrans_collapse
#Bug-to-bug compatibility with some broken printers. On retransmit try to send bigger packets to work around bugs in certain TCP stacks.
#
#/proc/sys/net/ipv4/tcp_retries1
#How many times to retry before deciding that something is wrong and it is necessary to report this suspicion to network layer. Minimal RFC value is 3, it is default, which corresponds to 3sec-8min depending on RTO.
#
#/proc/sys/net/ipv4/tcp_retries2
#How many times to retry before killing an alive TCP connection. RFC 1122 says that the limit should be longer than 100 sec. That is too small a number. Default value 15 corresponds to 13-30min depending on RTO.
#
#/proc/sys/net/ipv4/tcp_rfc1337
#This boolean enables a fix for 'time-wait assassination hazards in tcp', described in RFC 1337. If enabled, this causes the kernel to drop RST packets for sockets in the time-wait state. Default: 0
#
#
#/proc/sys/net/ipv4/tcp_stdurg
#Use the Host requirements interpretation of the TCP urg pointer field. Most hosts use the older BSD interpretation, so if you turn this on Linux might not communicate correctly with them. Default: FALSE
#
#/proc/sys/net/ipv4/tcp_syn_retries
#Number of SYN packets the kernel will send before giving up on the new connection.
#
#/proc/sys/net/ipv4/tcp_synack_retries
#To open the other side of the connection, the kernel sends a SYN with a piggybacked ACK on it, to acknowledge the earlier received SYN. This is part 2 of the threeway handshake. This setting determines the number of SYN+ACK packets sent before the kernel gives up on the connection.
#
#/proc/sys/net/ipv4/tcp_timestamps
#Timestamps are used, amongst other things, to protect against wrapping sequence numbers. A 1 gigabit link might conceivably re-encounter a previous sequence number with an out-of-line value, because it was of a previous generation. The timestamp will let it recognize this 'ancient packet'.
#
#/proc/sys/net/ipv4/tcp_tw_recycle
#Enable fast recycling TIME-WAIT sockets. Default value is 1. It should not be changed without advice/request of technical experts.
#
#/proc/sys/net/ipv4/tcp_window_scaling
#TCP/IP normally allows windows up to 65535 bytes big. For really fast networks, this may not be enough. The window scaling options allows for almost gigabyte windows, which is good for high bandwidth*delay products.
#
#
exit 0
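An added example, not part of Jeppe's post, of the same kind of tuning done through a checked write: it records the old value, verifies that the kernel actually accepted the new one, and also covers the ip_conntrack established-connection timeout the thread is about. PROC_ROOT, set_sysctl, scaled and apply_tuning are names chosen here; the 14400 s conntrack value and the two conntrack sysctl paths are assumptions, not settings taken from the thread.

```shell
#!/bin/sh
# Added example, not Jeppe's script: apply a subset of the tuning above through
# one function that records the old value, writes the new one and verifies it,
# so every change is logged and can be rolled back. PROC_ROOT defaults to the
# real sysctl tree but can point at a scratch directory for a dry run.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"
TOTALMEM="${TOTALMEM:-768}"   # MB of RAM, the same knob the original script uses

# set_sysctl <path relative to PROC_ROOT> <value>
# Prints "<path> <old> <new>" on success. Returns 1 (and says why on stderr)
# when the file is absent/unwritable or the kernel did not keep the value as written.
set_sysctl() {
    f="$PROC_ROOT/$1"
    if [ ! -w "$f" ]; then
        echo "skip: $1 not present or not writable" >&2
        return 1
    fi
    # echo $(...) collapses tabs and runs of spaces: multi-value files such as
    # ip_local_port_range read back with a tab between the numbers.
    old=$(echo $(cat "$f"))
    want=$(echo $2)
    printf '%s\n' "$2" > "$f" || return 1
    new=$(echo $(cat "$f"))
    if [ "$new" != "$want" ]; then
        echo "rejected or clamped: $1 wanted '$want' got '$new'" >&2
        return 1
    fi
    printf '%s %s %s\n' "$1" "$old" "$new"
}

# scaled <units per 64 MB>: the original script's "expr $TOTALMEM / 64 \* N"
scaled() {
    echo $(( TOTALMEM / 64 * $1 ))
}

apply_tuning() {
    # A few of the values from the script in this thread
    set_sysctl net/ipv4/tcp_syncookies 1
    set_sysctl net/ipv4/icmp_echo_ignore_broadcasts 1
    set_sysctl net/ipv4/tcp_max_syn_backlog 1024
    set_sysctl net/ipv4/tcp_keepalive_time 1800
    set_sysctl net/ipv4/tcp_max_tw_buckets "$(scaled 180000)"
    # The thread's actual topic: the established-TCP conntrack timeout, which
    # defaults to 5 days (432000 s). 14400 s (4 hours) mirrors the value Jeppe
    # reports using on OpenBSD and is an assumption here, not a Linux value from
    # the thread. Keep it longer than the idle period of your longest-lived
    # flows, or rely on tcp_keepalive_time above (1800 s) so idle connections
    # refresh their conntrack entry before it expires.
    # First path is the 2.4/2.6 ip_conntrack name, second the nf_conntrack name.
    set_sysctl net/ipv4/netfilter/ip_conntrack_tcp_timeout_established 14400 ||
        set_sysctl net/netfilter/nf_conntrack_tcp_timeout_established 14400
}

# Only touch the live system when explicitly asked: ./tune.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_tuning
fi
```

Run it with `PROC_ROOT=/tmp/fakeproc` against a copy of the relevant files first; the printed "path old new" lines are the rollback record.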
Last modified 2005-08-10, 22:42 CEST