updated assumptions; enabled more optimizations by default

K4YT3X 2021-10-12 18:14:09 +00:00
parent eacf4688a4
commit 19916769ae
2 changed files with 21 additions and 10 deletions


@ -13,7 +13,16 @@ This repository hosts my hardened version of `sysctl.conf`. This configuration f
**Please review the configuration file carefully before applying it.** You are responsible for actions done to your system. If you need some guidance understanding what each of the settings is for, [sysctl-explorer](https://sysctl-explorer.net/) might come in handy. You may also consult [Linux's kernel documentation](https://www.kernel.org/doc/Documentation/sysctl/).
Please be aware that this `sysctl.conf` is **designed for 64-bit endpoint hosts that do not act as a router**. If you would like to use this configuration file on a router, please go over the configuration file and make the necessary changes (e.g., set `net.ipv4.ip_forward` to `1`).
## Assumptions
This configuration file is written with a few assumptions about your OS. You can still use this configuration as a template if your OS does not match these assumptions (e.g., set `net.ipv4.ip_forward` to `1` on a router). Making these assumptions helps us to develop a configuration file with the most number of optimizations enabled for common systems.
- Security is valued over performance and convenience
- The OS does not act as a router
- The OS is running on a 64-bit system
- The OS is on a network that is relatively stable (e.g., wired vs. LTE)
- No debugging features are required (e.g., no need for GDB/kdump)
- ICMP echo messages are not regarded as harmful
## Configuration Deployment
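Review bot: the new "Assumptions" section does not say which settings each assumption drives, so a reader on a router, on LTE, or who needs kdump still has to hunt through the file; the two bullets "The OS is on a network that is relatively stable" and "ICMP echo messages are not regarded as harmful" would be much more useful with the sysctl names behind them (for the network one, `net.ipv4.tcp_slow_start_after_idle` and `net.ipv4.tcp_mtu_probing`, which this same commit enables). The "e.g., wired vs. LTE" example reads as if both are examples of a stable network; "e.g., wired rather than LTE" says what is meant. The router example "(e.g., set `net.ipv4.ip_forward` to `1` on a router)" repeats the sentence in the paragraph directly above, so one of the two can go, and "the most number of optimizations" should be "the largest number of optimizations". Markdown also wants a blank line after `## Assumptions` and before the bullet list, matching the spacing used around `## Configuration Deployment`.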


@ -124,11 +124,11 @@ net.core.netdev_max_backlog = 250000
net.core.bpf_jit_harden = 2
# increase TCP max buffer size setable using setsockopt()
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.rmem_default = 8388608
#net.core.wmem_default = 8388608
#net.core.optmem_max = 8388608
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.rmem_default = 8388608
net.core.wmem_default = 8388608
#net.core.optmem_max = 40960
########## IPv4 Networking ##########
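Review bot: raising `net.core.rmem_default` and `net.core.wmem_default` to 8388608 has a different effect from raising the `_max` values and deserves its own comment. The `_max` values only cap what an application may request via setsockopt(); the `_default` values are what every new non-TCP socket (UDP, raw, netlink) gets without asking, since TCP takes its initial sizes from `net.ipv4.tcp_rmem` / `net.ipv4.tcp_wmem`, which this commit also sets. An 8 MiB default per socket is a large memory commitment on an endpoint host and is not needed for the stated throughput goal; consider leaving the two `_default` lines commented and enabling only `rmem_max` / `wmem_max`. Separately, `net.core.optmem_max` changes from 8388608 to 40960 while staying commented out, with no note on why the value moved; either drop the line or add a comment. Minor: "setable" should be "settable".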
@ -218,6 +218,8 @@ net.ipv4.tcp_timestamps = 0
# enabling SACK can increase the throughput
# but SACK is commonly exploited and rarely used
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
net.ipv4.tcp_fack = 0
# divide socket buffer evenly between TCP window size and application
net.ipv4.tcp_adv_win_scale = 1
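Review bot: the added `net.ipv4.tcp_fack = 0` is a no-op on kernels from 4.15 onward, where FACK was removed and the sysctl is kept only for compatibility, so the line should carry a comment saying it only matters on older kernels. The existing comment "SACK is commonly exploited and rarely used" also overstates the case: SACK is negotiated by default on essentially every modern TCP stack, and turning it off (together with `tcp_dsack`) makes loss recovery noticeably worse on lossy links. If the concern is a specific class of kernel bugs, say so and note which kernel versions are affected; otherwise the comment should present this as a deliberate security-over-performance trade-off, which is what the README's first assumption already states.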
@ -225,15 +227,15 @@ net.ipv4.tcp_adv_win_scale = 1
# SSR could impact TCP's performance on a fixed-speed network (e.g., wired)
# but it could be helpful on a variable-speed network (e.g., LTE)
# uncomment this if you are on a fixed-speed network
#net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_slow_start_after_idle = 0
# enabling MTU probing helps mitigating PMTU blackhole issues
# this may not be desirable on congested networks
#net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_mtu_probing = 1
# increase memory thresholds to prevent packet dropping
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
########## IPv6 Networking ##########
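Review bot: the comment "uncomment this if you are on a fixed-speed network" above `net.ipv4.tcp_slow_start_after_idle = 0` is now stale, since the line is enabled by default in this commit; it should read "comment this out if you are on a variable-speed network (e.g., LTE)" so it matches the README's new stability assumption. The same applies to `net.ipv4.tcp_mtu_probing = 1`: with the line now active, the comment "this may not be desirable on congested networks" should tell the reader to comment it out in that case, and it would help to note that `1` only probes after a blackhole is detected while `2` always probes. For `net.ipv4.tcp_rmem` / `net.ipv4.tcp_wmem`, "increase memory thresholds" is slightly misleading because only the third value (8388608) is raised; 4096 and 87380 are the kernel defaults, and the 8388608 ceiling matches `net.core.rmem_max` / `wmem_max` from the earlier hunk, which is worth stating so the two stay in sync. Grammar: "helps mitigating" should be "helps mitigate".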