OSX Snippets: /etc/sysctl.conf extra settings
admin on October 22nd, 2007
You don’t NEED them, you may not WANT them, but if you have trouble finding what you can and cannot stick in sysctl.conf, this list may help:
# Max number of incoming connections in queue
kern.ipc.somaxconn=512
# Maximum number of processes
kern.maxproc=2048
kern.maxprocperuid=1024
# Network buffers; 2K each; check current usage with `netstat -m`
kern.ipc.nmbclusters=2048
kern.ipc.maxsockets=2048
# Maximum segment size; other possible values are 1452 and 1460
net.inet.tcp.mssdflt=1440
# Window scaling is only necessary if buffers > 64K
net.inet.tcp.rfc1323=0
# Increase buffer sizes
kern.ipc.maxsockbuf=131070
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.maxdgram=57344
net.inet.raw.recvspace=65535
# Max number of ICMP "Unreachable" and also TCP RST packets per second
net.inet.icmp.icmplim=50
# Stop redirects
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
# Stop source routing
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
# Stop broadcast ECHO response
net.inet.icmp.bmcastecho=0
# Stop other broadcast probes
net.inet.icmp.maskrepl=0
# Cuts down on the number of tiny packets
net.inet.tcp.delayed_ack=1
# Turn off forwarding/routing
net.inet.ip.forwarding=0
# Defend against sequence number attacks
net.inet.tcp.strict_rfc1948=1
# Defend against stealth simple port scans
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
# Expire dead connections (sysctl.conf takes key=value; the "key: value" form is only how sysctl prints)
net.inet.tcp.always_keepalive=1
net.inet.tcp.keepintvl=1500
net.inet.tcp.keepinit=3000
# Verbose firewall logging
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=65535
# Prevent core dumps
kern.coredump=0
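A small checker for lists like the one above, added here as an example rather than something from the original post: it parses a sysctl.conf-style file, flags lines written in sysctl's "key: value" display form (which sysctl.conf does not accept, so the setting silently never applies), and diffs the wanted values against `sysctl -a` output so you can see which hardening keys are not actually in effect. Both the config text and the sysctl output below are constructed samples.

```python
"""Lint a sysctl.conf hardening list and diff it against running values."""
import re

# Constructed sample in the page's format, plus one 'key: value' line
# (sysctl's display format, which sysctl.conf does not accept).
DESIRED_CONF = """\
# Stop redirects
net.inet.ip.redirect=0
# Defend against stealth simple port scans
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
net.inet.tcp.keepintvl: 1500
"""
# Constructed sample of `sysctl -a` output (macOS/BSD print "key: value").
RUNNING_OUTPUT = """\
net.inet.ip.redirect: 1
net.inet.udp.blackhole: 0
net.inet.tcp.blackhole: 2
net.inet.tcp.keepintvl: 75000
"""
CONF_LINE = re.compile(r"^([\w.]+)\s*=\s*(\S+)$")
RUNNING_LINE = re.compile(r"^\s*([\w.]+)\s*[:=]\s*(.*?)\s*$")  # ':' BSD, '=' Linux

def parse_conf(text):
    """Return ({key: value}, [bad lines]); a bad line is any non-comment
    line that is not key=value, e.g. the 'key: value' display form."""
    settings, bad = {}, []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = CONF_LINE.match(stripped)
        if m:
            settings[m.group(1)] = m.group(2)
        else:
            bad.append(stripped)
    return settings, bad

def parse_running(text):
    """Parse `sysctl -a` output into {key: value}."""
    return {m.group(1): m.group(2)
            for m in map(RUNNING_LINE.match, text.splitlines()) if m}

def drift(desired, running):
    """{key: (wanted, actual)} for desired keys missing or different in the
    running kernel; actual is None when the key is not exposed at all."""
    return {k: (v, running.get(k)) for k, v in desired.items()
            if running.get(k) != v}
```

On a real machine, feed `parse_conf` the contents of /etc/sysctl.conf and `parse_running` the output of `sysctl -a`; anything `drift` reports is a setting that was written down but is not what the kernel is using.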