
Linux kernel sysctl parameter tuning

source link: https://zhangrr.github.io/posts/20211102-sysctl_conf/


2021-11-02 2 min read

This is a pure configuration post; the explanations are in the config itself. It is the sysctl.conf used on a production server.

### KERNEL ###

# Reboot after 10sec. on kernel panic
kernel.panic = 10

### IMPROVE SYSTEM MEMORY MANAGEMENT ###

# Increase size of file handles and inode cache
fs.file-max = 2097152

# Ensure we always have enough free memory
vm.min_free_kbytes = 8192

# Do less swapping
vm.swappiness = 10
vm.dirty_ratio = 10
vm.dirty_background_ratio = 2


### GENERAL NETWORK SECURITY OPTIONS ###

# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
 
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
 
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192


# Turn on timestamping
net.ipv4.tcp_timestamps = 1
 
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
 
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
 
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
 
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
 
# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Number of times SYN-ACKs are retransmitted for a passive TCP connection.
net.ipv4.tcp_synack_retries = 2

# Allowed local port range
net.ipv4.ip_local_port_range = 1024 65000

# Protect Against TCP Time-Wait
net.ipv4.tcp_rfc1337 = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
# This means that the keepalive process waits 300 seconds for socket
# activity before sending the first keepalive probe, and then resends
# it every 15 seconds. If no ACK is received for 5 consecutive probes
# (75s in this case), the connection is marked as broken.

### TUNING NETWORK PERFORMANCE ###

# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# Default Socket Receive Buffer
net.core.rmem_default = 31457280

# Maximum Socket Receive Buffer
net.core.rmem_max = 12582912

# Default Socket Send Buffer
net.core.wmem_default = 31457280

# Maximum Socket Send Buffer
net.core.wmem_max = 12582912

# Increase number of incoming connections
net.core.somaxconn = 5000

# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 65536

# Enable TCP window scaling
net.ipv4.tcp_window_scaling = 1

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 25165824


# Increase the maximum total buffer-space allocatable
# This is measured in units of pages (4096 bytes)
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144

# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384

# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384


# Increase the TCP TIME_WAIT bucket pool size to prevent simple DoS attacks
net.ipv4.tcp_max_tw_buckets = 1800000

# TIME_WAIT socket policy
# Note: if both are enabled, disable
# net.ipv4.tcp_timestamps on servers
# behind NAT to prevent dropped incoming connections
#net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

# Enable TCP MTU probing (if Jumbo Frames are enabled)
#net.ipv4.tcp_mtu_probing = 1

# Speed up retransmission (Google recommendation)
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_early_retrans = 1

# Conntrack
# 288bytes x 131072 = 37748736 (~38MB) max memory usage
#net.netfilter.nf_conntrack_max = 131072
#net.netfilter.nf_conntrack_tcp_loose = 1

# Turn off TCP Explicit Congestion Notification (tcp_ecn)
net.ipv4.tcp_ecn = 0

# Route cache refresh interval: how long after a route fails before switching to another route; the default is 300.
net.ipv4.route.gc_timeout = 100

# Maximum number of TCP sockets in the system that are not attached to any user file handle.
# If this number is exceeded, TCP sockets not attached to a user file handle are reset immediately.
# Protects against simple DoS.
net.ipv4.tcp_max_orphans = 655360

# NOTE: Enable this if the machine supports it
# -- 10gbe tuning from Intel ixgb driver README -- #
# turn off selective ACK and timestamps
#net.ipv4.tcp_sack = 0
#net.ipv4.tcp_timestamps = 1

**Note: do not enable net.ipv4.tcp_tw_recycle. It breaks in NAT environments, and in Kubernetes it also causes pod failures because of NAT. Remember this!!!**
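As an added check (example code, not from the original post or its server config; the helper names and the sample file are constructed), the script below parses sysctl.conf-format text, flags hardening keys from the security section that are missing or wrong, flags the tcp_tw_recycle setting the note above warns about and a default socket buffer set above its maximum, and reports drift between the file and the running kernel's values.

```python
import re
LINE_RE = re.compile(r"^\s*([\w.\-/]+)\s*=\s*(.*?)\s*$")  # added example; names/sample are constructed
# Constructed sample in this page's style: it enables tcp_tw_recycle, forwards
# packets and sets a default receive buffer above the max, so the audit has work.
SAMPLE_CONF = """
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 1
net.core.rmem_default = 31457280
net.core.rmem_max = 12582912
#net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
"""

def parse_sysctl(text):
    """Parse 'key = value' lines (sysctl.conf and `sysctl -a` share the format); '#'/';' comment lines are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#;":
            continue
        m = LINE_RE.match(line)
        if m:  # sysctl also accepts '/' as the separator; normalise to dots
            settings[m.group(1).replace("/", ".")] = m.group(2)
    return settings

HARDENING = {  # keys from the page's security section, with the value it sets
    "net.ipv4.icmp_echo_ignore_broadcasts": "1", "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_source_route": "0", "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0", "net.ipv4.ip_forward": "0",
}

def audit(settings):
    """Return findings (empty list means clean): wrong or missing hardening keys,
    tcp_tw_recycle (breaks clients behind NAT), a buffer default above its max."""
    findings = [f"{k} should be {v}, found {settings.get(k)!r}"
                for k, v in HARDENING.items() if settings.get(k) != v]
    if settings.get("net.ipv4.tcp_tw_recycle") == "1":
        findings.append("net.ipv4.tcp_tw_recycle=1 breaks clients behind NAT; drop it")
    for kind in ("rmem", "wmem"):
        d, m = settings.get(f"net.core.{kind}_default"), settings.get(f"net.core.{kind}_max")
        if d and m and int(d) > int(m):
            findings.append(f"net.core.{kind}_default {d} exceeds net.core.{kind}_max {m}")
    return findings

def drift(desired, live):
    """Keys whose running value (parse_sysctl of `sysctl -a` output) differs from the file."""
    return {k: (v, live.get(k)) for k, v in desired.items() if live.get(k) != v}
```

On a live host, pass the output of `sysctl -a` through parse_sysctl and compare it with the parsed file via drift() to see which values have not been applied.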

