我想通过sysctl.conf
/ loader.conf
/ KENCONF
/ 等分享有关 FreeBSD 调优的知识。它最初基于 Igor Sysoev(nginx 的作者)的演示,该演示介绍了 FreeBSD 调优至 100,000-200,000 个活动连接。较新版本的 FreeBSD 可以处理更多。
调优适用于 FreeBSD7 - FreeBSD-CURRENT。自 7.2 amd64 以来,其中一些已默认调优。在 7.0 之前,其中一些仅用于启动(通过 设置
/boot/loader.conf
)或根本不存在。
sysctl.conf
:
# No zero mapping feature
# May break wine
# (There are also reports about broken samba3)
#security.bsd.map_at_zero=0
# Servers with threading software apache2 / Pound may want to rise following sysctl
#kern.threads.max_threads_per_proc=4096
# Max backlog size
# Note Application can still limit it by passing second argument to listen(2) syscall
# Note: Listen queue be monitored via `netstat -Lan`
kern.ipc.somaxconn=4096
# Shared memory
# Note: Only FreeBSD 7.2+ can use shared memory > 2Gb
#kern.ipc.shmmax=2147483648
# Sockets
kern.ipc.maxsockets=204800
# Mbuf 2k clusters (on amd64 7.2+ 25600 is default)
# Note: defaults for other variables depend on this variable, for example `tcpreass`
# Note: FreeBSD-7 and older: For such high value vm.kmem_size must be increased to 3G
kern.ipc.nmbclusters=262144
# Jumbo pagesize(_SC_PAGESIZE)/9k/16k clusters
# Used as general packet storage for jumbo frames on some network cards
# Can be monitored via `netstat -m`
#kern.ipc.nmbjumbop=262144
#kern.ipc.nmbjumbo9=65536
#kern.ipc.nmbjumbo16=32768
# For lower latency you can decrease schedulers maximum time slice
# default: stathz/10 (~ 13)
kern.sched.slice=1
# Increase max command-line length showed in `ps` (e.g for Tomcat/Java)
# Default is PAGE_SIZE / 16 or 256 on x86
# This avoids commands to be presented as [executable] in `ps`
# For more info see: http://www.freebsd.org/cgi/query-pr.cgi?pr=120749
kern.ps_arg_cache_limit=4096
# Every socket is a file, so increase them
kern.maxfiles=204800
kern.maxfilesperproc=200000
kern.maxvnodes=200000
# On some systems HPET is almost 2 times faster than default ACPI-fast
# Useful on systems with lots of clock_gettime / gettimeofday calls
# See http://old.nabble.com/ACPI-fast-default-timecounter,-but-HPET-83--faster-td23248172.html
# After revision 222222 HPET became default: http://svnweb.freebsd.org/base?view=revision&revision=222222
#kern.timecounter.hardware=HPET
# Small receive space, only usable on http-server
# Note: fileservers should increase it to 65535 or even more
#net.inet.tcp.recvspace=8192
# This is useful on Fat-Long-Pipes
#kern.ipc.maxsockbuf=10485760
#net.inet.tcp.recvbuf_max=10485760
#net.inet.tcp.recvbuf_inc=65535
# Small send space is useful for http servers that serve small files
# Note: Autotuned since 7.x
#net.inet.tcp.sendspace=16384
# This is useful on Fat-Long-Pipes
#net.inet.tcp.sendbuf_max=10485760
#net.inet.tcp.sendbuf_inc=65535
# Turn off send/receive autotuning if think you know better.
#net.inet.tcp.recvbuf_auto=0
#net.inet.tcp.sendbuf_auto=0
# This should be enabled if you going to use big spaces (>64k)
# Also timestamp field is useful when using syncookies
net.inet.tcp.rfc1323=1
# Turn this off on high-speed, lossless connections (LAN 1Gbit+)
#net.inet.tcp.delayed_ack=0
# This feature is useful if you are serving data over modems, Gigabit Ethernet,
# or even high speed WAN links (or any other link with a high bandwidth delay product),
# especially if you are also using window scaling or have configured a large send window.
# Automatically disables on small RTT ( http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_subr.c?#rev1.237 )
# This sysctl was removed in 10-CURRENT:
# See: http://www.mail-archive.com/[email protected]/msg06178.html
#net.inet.tcp.inflight.enable=0
# TCP slowstart algorithm tunings
# Here we are assuming VERY uncongested network
# Note: Only takes effect if net.inet.tcp.rfc3390 is set to 0,
# otherwise formula taken from http://tools.ietf.org/html/rfc3390
#net.inet.tcp.slowstart_flightsize=10
#net.inet.tcp.local_slowstart_flightsize=100
# Disable randomizing of ports to avoid false RST
# Before use check SA here www.bsdcan.org/2006/papers/ImprovingTCPIP.pdf
# Note: Port randomization autodisables at high connection rates
#net.inet.ip.portrange.randomized=0
# Increase portrange
# For outgoing connections only. Good for seed-boxes and ftp servers.
net.inet.ip.portrange.first=1024
net.inet.ip.portrange.last=65535
# Dtops route cache degradation during a DDoS.
# http://www.freebsd.org/doc/en/books/handbook/securing-freebsd.html
#net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=1024
# Security
net.inet.ip.redirect=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.maskrepl=0
net.inet.icmp.log_redirect=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.drop_synfin=1
#
# There is also good example of sysctl.conf with comments:
# http://www.thern.org/projects/sysctl.conf
#
# icmp may NOT rst, helpful for those pesky spoofed
# icmp/udp floods that end up taking up your outgoing
# bandwidth/ifqueue due to all that outgoing RST traffic.
#
#net.inet.tcp.icmp_may_rst=0
# Security
# Do not send responses on attempts to connect to the closed ports
#net.inet.udp.blackhole=1
#net.inet.tcp.blackhole=2
# IPv6 Security
# For more info see http://www.fosslc.org/drupal/content/security-implications-ipv6
# Disable Node info replies
# To see this vulnerability in action run `ping6 -a sglAac ::1` or `ping6 -w ::1` on unprotected node
net.inet6.icmp6.nodeinfo=0
# Turn on IPv6 privacy extensions
# For more info see proposal http://unix.derkeiler.com/Mailing-Lists/FreeBSD/net/2008-06/msg00103.html
net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1
# Disable ICMP redirect
net.inet6.icmp6.rediraccept=0
# Disable acceptation of RA and auto link-local generation if you don't use them
#net.inet6.ip6.accept_rtadv=0
#net.inet6.ip6.auto_linklocal=0
# Increases default TTL
# Default is 64
#net.inet.ip.ttl=128
# Lessen max segment life to conserve resources
# ACK waiting time in milliseconds
# (default: 30000. RFC from 1979 recommends 120000)
net.inet.tcp.msl=5000
# Max number of time-wait sockets
net.inet.tcp.maxtcptw=200000
# Don't use tw on local connections
# As of 15 Apr 2009. Igor Sysoev says that nolocaltimewait has some buggy implementaion.
# So disable it or now till get fixed
#net.inet.tcp.nolocaltimewait=1
# FIN_WAIT_2 state fast recycle
net.inet.tcp.fast_finwait2_recycle=1
# Time before tcp keepalive probe is sent
# default is 2 hours (7200000)
#net.inet.tcp.keepidle=60000
# Use HTCP congestion control (don't forget to load cc_htcp kernel module)
net.inet.tcp.cc.algorithm=htcp
# Should be increased until net.inet.ip.intr_queue_drops is zero
net.inet.ip.intr_queue_maxlen=4096
# Protocol decoding in interrupt thread.
# If you have NIC that automatically sets flow_id then it's better to not
# use direct_force, and use advantages of multithreaded netisr(9)
# If you have Yandex drives you better off with `net.isr.direct_force=1` and
# `net.inet.tcp.read_locking=0` otherwise you may run into some TCP related
# problems.
# Note: If you have old NIC that don't set flow_ids you may need to
# patch `ip_input` to manually set FLOW_ID via `nh_m2flow`.
#
# FreeBSD 8+
#net.isr.direct=1
#net.isr.direct_force=1
# In FreeBSD 9+ it was renamed to
#net.isr.dispatch=direct
# This is for routers only
#net.inet.ip.forwarding=1
#net.inet.ip.fastforwarding=1
# This speed ups dummynet when channel isn't saturated
net.inet.ip.dummynet.io_fast=1
# Increase dummynet(4) hash
#net.inet.ip.dummynet.hash_size=65535
#net.inet.ip.dummynet.max_chain_len=8
# Should be increased when you have A LOT of files on server
# (Increase until vfs.ufs.dirhash_mem becomes lower)
vfs.ufs.dirhash_maxmem=67108864
# Note from commit http://svn.freebsd.org/base/head@211031 :
# For systems with RAID volumes and/or virtualization environments, where
# read performance is very important, increasing this sysctl tunable to 32
# or even more will demonstratively yield additional performance benefits.
vfs.read_max=32
# Explicit Congestion Notification
# (See http://en.wikipedia.org/wiki/Explicit_Congestion_Notification)
net.inet.tcp.ecn.enable=1
# Flowtable - flow caching mechanism
# Useful for routers
#net.inet.flowtable.enable=1
#net.inet.flowtable.nmbflows=65535
# IPFW dynamic rules and timeouts tuning
# Increase dyn_buckets till net.inet.ip.fw.curr_dyn_buckets is lower
net.inet.ip.fw.dyn_buckets=65536
net.inet.ip.fw.dyn_max=65536
net.inet.ip.fw.dyn_ack_lifetime=120
net.inet.ip.fw.dyn_syn_lifetime=10
net.inet.ip.fw.dyn_fin_lifetime=2
net.inet.ip.fw.dyn_short_lifetime=10
# Make packets pass firewall only once when using dummynet
# i.e. packets going thru pipe are passing out from firewall with accept
#net.inet.ip.fw.one_pass=1
# shm_use_phys Wires all shared pages, making them unswappable
# Use this to lessen Virtual Memory Manager's work when using Shared Mem.
# Useful for databases
#kern.ipc.shm_use_phys=1
# ZFS
# Enable prefetch. Useful for sequential load type i.e fileserver.
# FreeBSD sets vfs.zfs.prefetch_disable to 1 on any i386 systems and
# on any amd64 systems with less than 4GB of available memory
# See: http://old.nabble.com/Samba-read-speed-performance-tuning-td27964534.html
#vfs.zfs.prefetch_disable=0
# On highload servers you may notice following message in dmesg:
# "Approaching the limit on PV entries, consider increasing either the
# vm.pmap.shpgperproc or the vm.pmap.pv_entry_max tunable"
vm.pmap.shpgperproc=2048
loader.conf
:
# Accept filters for data, http and DNS requests
# Useful when your software creates process/thread on each request (i.e. apache)
# Note: DNS accf available on 8.0+
# Note: In case of badly written software this can increase performance,
# but I still would recommend against using accept filters in production because of
# their opacity - they really break abstractions. Also it's not trivial to debug/monitor
# their state.
#accf_data_load="YES"
#accf_http_load="YES"
#accf_dns_load="YES"
# Async IO system calls
aio_load="YES"
# Linux specific devices in /dev
# As for 8.1 it only /dev/full
#lindev_load="YES"
# Adds NCQ support in FreeBSD
# WARNING! all ad[0-9]+ devices will be renamed to ada[0-9]+
# 8.0+ only
#ahci_load="YES"
#siis_load="YES"
# FreeBSD 9+
# New Congestion Control for FreeBSD
cc_htcp_load="YES"
#cc_cubic_load="YES"
# Increase kernel memory size to 3G.
#
# Use ONLY if you have KVA_PAGES in kernel configuration, and you have more than 3G RAM
# Otherwise panic will happen on next reboot!
#
# It's required for high buffer sizes: kern.ipc.nmbjumbop, kern.ipc.nmbclusters, etc
# Useful on highload stateful firewalls, proxies or ZFS fileservers
# (FreeBSD 7.2+ amd64 users: Check that current value is lower!)
#vm.kmem_size="3G"
# If you have really busy forking webserver (i.e. apache13) you may run out of processes
#kern.maxproc=10000
# If your server has lots of swap (>4Gb) you should increase following value
# according to http://lists.freebsd.org/pipermail/freebsd-hackers/2009-October/029616.html
# Otherwise you'll be getting errors
# "kernel: swap zone exhausted, increase kern.maxswzone"
#kern.maxswzone="256M"
# Older versions of FreeBSD can't tune maxfiles on the fly
#kern.maxfiles="200000"
# Useful for databases
# Sets maximum data size to 1G
# (FreeBSD 7.2+ amd64 users: Check that current value is lower!)
#kern.maxdsiz="1G"
# Maximum buffer size(vfs.maxbufspace)
# You can check current one via vfs.bufspace
# Should be lowered/upped depending on server's load-type
# Usually decreased to preserve kmem
# (default is 10% of mem)
#kern.maxbcache="512M"
# Sendfile buffers
# Note: i386 only
#kern.ipc.nsfbufs=10240
# syncache tuning
net.inet.tcp.syncache.hashsize=32768
net.inet.tcp.syncache.bucketlimit=32
net.inet.tcp.syncache.cachelimit=1048576
# Send RST on listen queue overflow / memory shortage.
# Hosts behind Load-Balancer should set it to 1 to fail fast.
# Hosts facing clients should set it to 0 for client to retry connection.
#net.inet.tcp.syncache.rst_on_sock_fail=0
# Increased hostcache
# Later host cache can be viewed via net.inet.tcp.hostcache.list hidden sysctl
# Very useful for it's RTT RTTVAR
# Must be power of two
net.inet.tcp.hostcache.hashsize=65536
# hashsize * bucketlimit (which is 30 by default)
# It allocates 255Mb (1966080*136) of RAM
net.inet.tcp.hostcache.cachelimit=1966080
# TCP control-block Hash table tuning
# See: http://serverfault.com/questions/372512/why-change-net-inet-tcp-tcbhashsize-in-freebsd
net.inet.tcp.tcbhashsize=524288
# Disable ipfw deny all
# Should be uncommented when there is a chance that
# kernel and ipfw binary may be out-of sync on next reboot
#net.inet.ip.fw.default_to_accept=1
#
# SIFTR (Statistical Information For TCP Research) is a kernel module that
# logs a range of statistics on active TCP connections to a log file.
# See prerelease notes:
# http://groups.google.com/group/mailing.freebsd.current/browse_thread/thread/b4c18be6cdce76e4
# and man 4 sitfr
#siftr_load="YES"
# Enable superpages, for 7.2+ only
# See: http://lists.freebsd.org/pipermail/freebsd-hackers/2009-November/030094.html
vm.pmap.pg_ps_enabled=1
# Useful if you are using Intel-Gigabit NIC
#hw.em.rxd=4096
#hw.em.txd=4096
#hw.em.rx_process_limit=-1
# Also if you have A LOT interrupts on NIC - play with following parameters
# NOTE: You should set them for every NIC
#dev.em.0.rx_int_delay: 250
#dev.em.0.tx_int_delay: 250
#dev.em.0.rx_abs_int_delay: 250
#dev.em.0.tx_abs_int_delay: 250
# There is also multithreaded version of em/igb drivers that can be found here:
# http://people.yandex-team.ru/~wawa/
#
# for additional em monitoring and statistics use
# sysctl dev.em.0.stats=1 ; dmesg
# sysctl dev.em.0.debug=1 ; dmesg
# Also after r209242 (-CURRENT) there is a separate sysctl for each stat variable;
# Same tunings for igb
#hw.igb.rxd=4096
#hw.igb.txd=4096
#hw.igb.rx_process_limit=-1
# Some useful netisr tunables. See sysctl net.isr
#net.isr.maxthreads=4
#net.isr.defaultqlimit=10240
#net.isr.maxqlimit=10240
# Bind netisr threads to CPUs
#net.isr.bindthreads=1
#
# FreeBSD 9.x+
# Increase interface send queue length
# See commit message http://svn.freebsd.org/viewvc/base?view=revision&revision=207554
#net.link.ifqmaxlen=1024
# Nicer boot logo =)
loader_logo="beastie"
最后是KERNCONF
:
# Just some of them, see also
# cat /sys/{i386,amd64,}/conf/NOTES
# This one useful only on i386
#options KVA_PAGES=512
# From UPDATING 20121223:
# After switching to Clang as the default compiler some users of ZFS
# on i386 systems started to experience stack overflow kernel panics.
# Please consider using 'options KSTACK_PAGES=4' in such configurations.
#options KSTACK_PAGES=4
# You can play with HZ in environments with high interrupt rate (default is 1000)
# 100 is for my notebook to prolong it's battery life
#options HZ=100
# Eliminate datacopy on socket read-write
# To take advantage with zero copy sockets you should have an MTU >= 4k
# This req. is only for receiving data.
# Read more in man zero_copy_sockets
# Also this epic thread on kernel trap:
# http://kerneltrap.org/node/6506
# In conclusion Linus says:
# "anybody that does it that way (FreeBSD) is totally incompetent"
#
# Also see /usr/src/UPDATING 20121023 for notes about
# SOCKET_SEND_COW and SOCKET_RECV_PFLIP
#options ZERO_COPY_SOCKETS
# Support TCP sign. Used for IPSec
options TCP_SIGNATURE
# There was stackoverflow found in KAME IPSec stack:
# See http://secunia.com/advisories/43995/
# For quick workaround you can use `ipfw add deny proto ipcomp`
options IPSEC
# This ones can be loaded as modules. They described in loader.conf section
#options ACCEPT_FILTER_DATA
#options ACCEPT_FILTER_HTTP
# Adding ipfw, also can be loaded as modules
options IPFIREWALL
# On 8.1+ you can disable verbose to see blocked packets on ipfw0 interface.
# Also there is no point in compiling verbose into the kernel, because
# now there is net.inet.ip.fw.verbose tunable.
#options IPFIREWALL_VERBOSE
#options IPFIREWALL_VERBOSE_LIMIT=10
# The IPFIREWALL_FORWARD kernel option has been removed. Its
# functionality now turned on by default.
#options IPFIREWALL_FORWARD
# Adding kernel NAT
options IPFIREWALL_NAT
options LIBALIAS
# Traffic shaping
options DUMMYNET
# Divert, i.e. for userspace NAT
options IPDIVERT
# This is for OpenBSD's pf firewall
device pf
device pflog
# pf's QoS - ALTQ
options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
# Pretty console
# Manual can be found here http://forums.freebsd.org/showthread.php?t=6134
#options VESA
#options SC_PIXEL_MODE
# Disable reboot on Ctrl Alt Del
#options SC_DISABLE_REBOOT
# Change normal|kernel messages color
options SC_NORM_ATTR=(FG_GREEN|BG_BLACK)
options SC_KERNEL_CONS_ATTR=(FG_YELLOW|BG_BLACK)
# More scroll space
options SC_HISTORY_SIZE=8192
# Adding hardware crypto device
device crypto
device cryptodev
# Useful network interfaces
device vlan
device tap #Virtual Ethernet driver
device gre #IP over IP tunneling
device if_bridge #Bridge interface
device pfsync #synchronization interface for PF
device carp #Common Address Redundancy Protocol
device enc #IPsec interface
device lagg #Link aggregation interface
device stf #IPv4-IPv6 port
# Also for my notebook, but may be used with Opteron
device amdtemp
# Same for Intel processors
device coretemp
# man 4 cpuctl
device cpuctl # CPU control pseudo-device
# Support for ECMP. More than one route for destination
# Works even with default route so one can use it as LB for two ISP
# For now code is unstable and panics (panic: rtfree 2) on route deletions.
#options RADIX_MPATH
# Multicast routing
#options MROUTING
#options PIM
# Debug & DTrace
options KDB # Kernel debugger related code
options KDB_TRACE # Print a stack trace for a panic
options KDTRACE_FRAME # amd64-only(?)
options KDTRACE_HOOKS # all architectures - enable general DTrace hooks
#options DDB
#options DDB_CTF # all architectures - kernel ELF linker loads CTF data
# Adaptive spining in lockmgr (8.x+)
# See http://www.mail-archive.com/[email protected]/msg10782.html
options ADAPTIVE_LOCKMGRS
# UTF-8 in console (8.x+)
#options TEKEN_UTF8
# FreeBSD 8.1+
# Deadlock resolver thread
# For additional information see http://www.mail-archive.com/[email protected]/msg18124.html
# (FYI: "resolution" is panic so use with caution)
#options DEADLKRES
# Increase maximum size of Raw I/O and sendfile(2) readahead
#options MAXPHYS=(1024*1024)
#options MAXBSIZE=(1024*1024)
# For scheduler debug enable following option.
# Debug will be available via `kern.sched.stats` sysctl
# For more information see http://svnweb.freebsd.org/base/head/sys/conf/NOTES?view=markup
#options SCHED_STATS
# A framework for very efficient packet I/O from userspace, capable of
# line rate at 10G (FreeBSD10+)
# See http://svnweb.freebsd.org/base?view=revision&revision=227614
#device netmap
如果您正在调整网络以获得最佳性能,您可能希望使用
ifconfig
以下选项:
# You can list all capabilities via `ifconfig -m`
ifconfig [-]rxcsum [-]txcsum [-]tso [-]lro mtu
如果你已经在内核配置中启用了 DDB,那么你应该编辑你的配置
/etc/ddb.conf
并添加如下内容以启用自动重启(以及文本转储作为奖励):
script kdb.enter.panic=textdump set; capture on; show pcpu; bt; ps; alltrace; capture off; call doadump; reset
script kdb.enter.default=textdump set; capture on; bt; ps; capture off; call doadump; reset
不要忘记ddb_enable="YES"
添加/etc/rc.conf
从 FreeBSD 9 开始,您可以选择在 NIC 上启用/禁用流量控制:
# See http://en.wikipedia.org/wiki/Ethernet_flow_control and
# http://www.mail-archive.com/[email protected]/msg07927.html for additional info
ifconfig bge0 media auto mediaopt flowcontrol
FreeBSD 的大部分限制都可以通过以下方式监控:
# vmstat -z
和
# limits
可以通过以下方式监控各种网络计数器
# netstat -s
在 FreeBSD-8+ 中,netstat 的 -Q 选项出现,请尝试以下命令显示
netisr
统计信息
# netstat -Q
为了解决非平凡的 TCP 问题,可以使用net.inet.tcp.log_debug
,它会产生类似于以下内容的 dmesg 输出:
host kernel: TCP: [0.0.0.0]:0 to [1.1.1.1]:1; syncache_socket: Socket create failed due to limits or memory shortage
host kernel: TCP: [0.0.0.0]:0 to [1.1.1.1]:1 tcpflags 0x10<ACK>; tcp_input: Listen socket: Socket allocation failed due to limits or memory shortage, sending RST
注意!
最后但并非最不重要的一点:如果您热衷于网络调优 - 购买您能负担得起的最佳网卡是一种很好的做法。我个人更喜欢英特尔的igb(4)
,型号列表可以在如果_igb.c
附言:还看
# man 7 tuning
和FreeBSD Wiki 上的网络性能调优由开发人员自己制作。
附注。 Calomel.org - 开源研究和参考博客有很好的文章网络性能以及最近关于FreeBSD 调优与优化。
谢谢
我要感谢 FreeBSD 社区,尤其是 nginx 的作者 - Igor Sysoev、nginx-ru@ 和 FreeBSD-performance@ 邮件列表,他们提供了有关 FreeBSD 调优的有用信息。来自noc@
和 的 Yandex BSD 爱好者search-admin@
,尤其是melifaro@
和zont@
。
免责声明
这绝对不是您应该复制/粘贴到生产配置中的东西!一些提供的“调整”甚至可能是有害的。使用提供的数据作为进一步调查或 A/B 测试的参考。我再说一遍只是为了明确:不要盲目应用您在互联网上找到的“调整”!。
在将任何内容sysctl
应用于生产系统之前,您应该调查其影响(查看内核源代码至关重要)并在测试环境中测量其性能优势(如果有)。
使用此帖子需要您自担风险。
FreeBSD 正在进行中
*FreeBSD 7 有什么新进展?
*FreeBSD 8 有什么新进展?
*FreeBSD 9 有什么新进展?
*FreeBSD 10 有哪些新功能?
*FreeBSD 11 有哪些新功能?
向观众提问
您在 FreeBSD 服务器上使用了哪些调整?
您还可以发布您的/etc/sysctl.conf
、/boot/loader.conf
内核选项等,并附上其含义的说明(请勿从中复制粘贴sysctl -d
)。不要忘记指定服务器类型(前端、后端、缓存、数据库、存储、网关等)
我们来分享一下经验吧!
答案1
我建议不要这样做options IPFIREWALL_DEFAULT_TO_ACCEPT
。默认设置为“默认拒绝”。防火墙只提出一条规则deny ip from any to any
,并保持这种状态,直到脚本准确配置了哪些流量应该通过。
后续说明:RSA(世界领先的安全技术公司之一)最近被黑客入侵在维护期间,防火墙的一部分被禁用。这确实凸显了在适当条件下系统被入侵的速度有多快。
如果您坚持要禁用防火墙,直到您明确阻止不需要的流量为止,请考虑使用添加到 的 sysctl net.inet.ip.fw.default_to_accept=1
。loader.conf
如果您将来某个时候改变主意,这还有一个额外的好处,那就是可以轻松修改(无需重新编译内核)。
答案2
我通常也会在我的 /etc/sysctl.conf 中添加以下内容...
网.inet.tcp.黑洞=2 网.inet.udp.黑洞=1
并且两者
安全.bsd.see_other_uids=0 安全.bsd.see_other_gids=0
当我们讨论调整主题时,我还建议看一下这里:
NGINX + PHP-FPM + APC = 棒极了
所以,这个关于 FreeBSD 的教程 + 那个关于 NGINX 的教程 = 真的很棒!;)
答案3
从默认的 sysctl.conf 开始,它提供了“安全性”,防止脚本小子以非 root 帐户强行入侵。启用它不会有什么坏处(在大多数情况下,例外情况是非特权守护进程需要查看进程列表)。
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
security.bsd.see_other_uids=0
答案4
安全权限
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.conservative_signals=1
security.bsd.unprivileged_proc_debug=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.hardlink_check_uid=1
security.bsd.hardlink_check_gid=1
vfs.usermount=0
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1