
August 3, 2008

FreeBSD IP Stack Tuning Simplified!

Author: Diesel@bsdvault.net


The following is the basic structure I use when tuning the FreeBSD TCP/IP stack to optimize performance. Most of it is my distillation of the UNIX IP Stack Tuning Guide v2.7 written by Rob Thomas. I have found this to be a very effective way of increasing performance on my box. Let's begin!

First, understand that everything below is managed with sysctl commands, which are run from /etc/sysctl.conf at startup. This is a very easy way to control how your kernel and its network stack behave. If anyone has suggestions on how to improve the following, please email me at diesel@bsdvault.net. I know several of you may not know of or understand the sysctl command; a tutorial on the command itself is available as well. You should do fine without really understanding sysctl beyond knowing that it reads and sets kernel state variables at run time (it does not load kernel modules; kldload does that). Most of the values below can be changed on a running system without a reboot.


Lets get started....

1) The first thing we want to do is increase the size of our TCP window. If you are not familiar with TCP architecture then I suggest getting yourself TCP/IP Illustrated by Stevens. It is truly a great book.

Basically, this increases the size of your TCP socket buffers (and therefore the window the host will advertise) to allow for more efficient transfers, particularly bulk transfers such as FTP. The largest value I have found suggested is 32768 bytes, so that is what we will work with for now. Note that a window larger than 65535 bytes is only usable with window scaling (RFC 1323, net.inet.tcp.rfc1323=1), and larger buffers cost kernel memory per socket, so do not raise these blindly on a box with thousands of connections. To change your settings to accommodate this you should run the following commands (the leading # is the root prompt):

#sysctl -w net.inet.tcp.sendspace=32768
#sysctl -w net.inet.tcp.recvspace=32768

Be sure to add these lines, and all other lines mentioned in this tutorial, to your /etc/sysctl.conf file so you do not need to run the command every time; they will then be applied at boot. The convention is to drop the "sysctl -w" part of the command. The entries for the above lines would look like the following in /etc/sysctl.conf:

net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768

2) The next step is to harden your box against SYN attacks, more commonly known as SYN flood attacks. Rob Thomas says: "To defend against such attacks, certain UNIX variants maintain separate queues for inbound socket connection requests. One queue is for half-open sockets (SYN received, SYN|ACK sent), the other queue for fully-open sockets awaiting an accept() call from the application. These two queues should be increased so that an attack of low to moderate intensity will have little to no effect on the stability or availability of the server." On FreeBSD, kern.ipc.somaxconn is the upper bound on the backlog a program may request in listen(2); a daemon that asks for a smaller backlog still gets the smaller one, so check your server's own configuration too. Half-open connections on FreeBSD are handled by the syncache and by SYN cookies (net.inet.tcp.syncookies=1 is the default), not by this queue. To raise the accept queue limit, first run the following command and then add it to your /etc/sysctl.conf file:

#sysctl -w kern.ipc.somaxconn=1024

3) The third thing we want to strengthen our box against is ICMP redirects. "In a well-designed network, redirects to the end stations should not be required. Both the sending and accepting of redirects should be disabled." An attacker on the local segment can otherwise use forged redirects to steer your traffic through a host of his choosing.

Again, first run the commands and then add them to /etc/sysctl.conf (drop_redirect and log_redirect control what this host does with redirects it receives; the two redirect=0 lines stop it from sending them):

#sysctl -w net.inet.icmp.drop_redirect=1
#sysctl -w net.inet.icmp.log_redirect=1
#sysctl -w net.inet.ip.redirect=0
#sysctl -w net.inet6.ip6.redirect=0

4) Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It is a good idea to stop passing source-routed packets as well, to prevent someone from probing information about your internal networks. sourceroute=0 stops this host from forwarding source-routed packets, and accept_sourceroute=0 stops it from accepting them for itself. To disable both, run the following commands and add them to /etc/sysctl.conf:

#sysctl -w net.inet.ip.sourceroute=0
#sysctl -w net.inet.ip.accept_sourceroute=0

5) Allowing aged ARP entries to remain cached makes it possible for an attacker to cause resource exhaustion or performance degradation by filling the route table with bogus ARP entries, which in turn can be used as a denial of service. The value is in seconds; 1200 (20 minutes) is FreeBSD's default, so lower it if you want stale entries to expire sooner. To set it, run the following and then add it to /etc/sysctl.conf:

#sysctl -w net.link.ether.inet.max_age=1200

6) With the following sysctl you can keep your box from taking part in the well-publicised SMURF attack. This attack works by sending ICMP type 8, code 0 (ECHO REQUEST) messages to a broadcast address from a spoofed source address, so that every host on the segment replies to the victim. Setting bmcastecho=0 makes this host ignore echo requests sent to broadcast or multicast addresses, so it cannot be used as an amplifier. If the host is a firewall (router) it should also not forward directed broadcasts, which this sysctl does not control. Run the following and add it to /etc/sysctl.conf:

#sysctl -w net.inet.icmp.bmcastecho=0
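Once all six steps are in /etc/sysctl.conf it is worth checking that the running kernel actually has the values you expect, for example after an upgrade or on a second box. The script below is an added example and is not from the original post or from Rob Thomas's guide. It reads a key=value dump on standard input (the format FreeBSD's `sysctl -e -a` prints), compares it with the eleven settings above, and reports every deviation. The script name, the `lookup`/`audit_sysctl` function names and the sample dump are my own assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit a FreeBSD box against the
# sysctl settings in this tutorial.
#   Live:    sysctl -e -a | sh audit_stack.sh
#   Offline: sh audit_stack.sh < saved_dump.txt
# The script name and the constructed sample dump are assumptions.

# Desired settings, one key=value per line, exactly as they go in /etc/sysctl.conf.
WANTED='net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768
kern.ipc.somaxconn=1024
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.link.ether.inet.max_age=1200
net.inet.icmp.bmcastecho=0'

# lookup KEY DUMP: print the value of KEY from a key=value dump, or nothing.
# Matches the whole key (net.inet.ip.redirect must not match a longer name)
# and keeps any '=' that appears inside the value itself.
lookup() {
    printf '%s\n' "$2" |
        awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# audit_sysctl: read a dump on stdin, print one line per deviation from WANTED,
# return 0 when the box matches the tutorial and 1 when anything is off.
audit_sysctl() {
    dump=$(cat)
    problems=0
    for entry in $WANTED; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(lookup "$key" "$dump")
        if [ -z "$have" ]; then
            echo "MISSING  $key (wanted $want)"
            problems=$((problems + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key current=$have wanted=$want"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample dump (not real output): a box with the stock receive
# buffer and somaxconn, redirects still accepted, and no IPv6 redirect knob.
sample_dump() {
    cat <<'EOF'
net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=65536
kern.ipc.somaxconn=128
net.inet.icmp.drop_redirect=0
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=1
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.link.ether.inet.max_age=1200
net.inet.icmp.bmcastecho=0
kern.hostname=host.example
EOF
}

# Demonstration against the constructed dump; on a real box feed
# `sysctl -e -a` into audit_sysctl instead.
if sample_dump | audit_sysctl; then
    echo "all tutorial settings present"
else
    echo "apply the missing lines with sysctl -w and add them to /etc/sysctl.conf"
fi
```

On the constructed dump the audit prints six findings (five MISMATCH lines and one MISSING line for net.inet6.ip6.redirect, which is absent on a kernel built without INET6) and exits non-zero, so it can be dropped into a cron job or a post-install check.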

That's it! Good luck!

Lates
Diesel

Posted by Dr. Evil on August 3, 2008 10:16 PM
