This document is conceptually similar to and inspired by Bruce Hamilton's Rosetta Stone for Unix.
The goal of this document is to relate standard network and system variables across all operating systems that we will encounter in our careers and hobbies. Unlike the Rosetta Stone for Unix, this table focuses on design choices, specifically network performance and security tuning, rather than daily operations. This document originated as a Slashdot post that tried to enumerate the ways to reconfigure the TCP TIME_WAIT (or 2*MSL) state delay across various operating systems. Who would have guessed that Windows 2000 exposes this, but Linux does not?
Recommended values are given first; their default values follow in parentheses.
Some recommendations conflict with each other. Blindly following them without researching and understanding the implications may result in degraded performance or compromised security. As an example, TCP timestamping may be used to remotely gather system uptime. TCP timestamping is a TCP option used with TCP SACK to allow a system to selectively acknowledge discontiguous blocks of packets, making effective use of the packets actually received when one or more are lost inside a single TCP window. Enabling RFC 1323 for window scaling and timestamps may improve TCP performance, but it may also expose your system to uptime enumeration, a potential information disclosure risk.
Attempts were made to condense the table without losing pertinent information. We exclude the exact CLI arguments and do not enumerate the various ways a change may be committed (modifying /proc vs. using sysctl, for example). GNU/Linux and *BSD (including Darwin) systems may be modified dynamically using sysctl, Solaris and HP-UX using ndd, IRIX with systune, AIX with no, and Windows with regedit. To make a modification persist across reboots, the appropriate configuration file (sysctl.conf, rc.conf, system) must be updated.
Author: Lyle Tagawa
Date: 2004/11/04 18:52:01
$Date: 2009/10/26 23:37:24 $ $Revision: 1.4 $ - Added OpenBSD, NetBSD, MacOSX
| network performance | setting=recommended (default) OS |
|---|---|
| TCP SYN cookies: SYN cookies are the key element of a technique used to guard against SYN flood attacks. Daniel J. Bernstein, the technique's primary inventor, defines SYN cookies as "particular choices of initial TCP sequence numbers by TCP servers." In particular, the use of SYN cookies allows a server to avoid dropping connections when the SYN queue fills up. http://cr.yp.to/syncookies.html http://support.microsoft.com/default.aspx?scid=kb;en-us;315669 | net.inet.tcp.syncookies=1 (1) FreeBSD 4.x<br>net.inet.tcp.syncachelimit (10255) OpenBSD<br>net.inet.tcp.synbucketlimit (105) OpenBSD<br>net.ipv[46].tcp_syncookies=1 (0) GNU/Linux 2.4.x<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect Dword:2 (0) Windows NT 3.51<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxPortsExhausted Dword:5 (5) Windows 2000 |
| TCP max SYN backlog: Maximum number of pending connection requests | kern.ipc.somaxconn=4096 (128) FreeBSD 4.x<br>net.ipv4.tcp_max_syn_backlog=4096 (256) GNU/Linux 2.2.x<br>net.ipv4.tcp_max_syn_backlog=4096 (1024) GNU/Linux 2.4.x<br>tcp_conn_req_max_q0=4096 (128) Solaris 2.5.1<br>tcp_conn_req_max_q0=4096 (1024) Solaris 2.6<br>HKLM\System\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog Dword:1 (0) Windows NT 3.51<br>HKLM\System\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog Dword:20 (0) Windows NT 3.51<br>HKLM\System\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog Dword:20000 (0) Windows NT 3.51<br>HKLM\System\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta Dword:10 (0) Windows NT 3.51<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen Dword:500 (100) Windows NT 3.51<br>tcp_syn_rcvd_max=4096 (500) HP-UX 11.00 |
| TCP max connections: Maximum number of remembered connection requests | kern.ipc.somaxconn=4096 (128) FreeBSD 4.x, Mac OS X<br>tcp_conn_req_max_q=4096 (128) Solaris 2.5.1<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpNumConnections Dword:16777214 (16777214) Windows 2000 |
| TCP SYN-ACK retries: Number of times SYN-ACKs for a passive TCP connection attempt will be retransmitted | net.ipv4.tcp_synack_retries=4 (5) GNU/Linux 2.4.x<br>tcp_rexmit_interval_initial=3000 (3000) Solaris 2.5.1<br>tcp_rexmit_interval_min=3000 (200) Solaris 2.5.1<br>tcp_rexmit_interval_min=3000 (400) Solaris 2.8<br>tcp_rexmit_interval_max=240000 (240000) Solaris 2.6<br>tcp_rexmit_interval_max=240000 (60000) Solaris 2.8<br>tcp_ip_abort_interval=600000 (480000) Solaris 2.5.1<br>tcp_ip_abort_interval=600000 (120000) Solaris 2.x<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions Dword:2 (2) Windows NT 3.51<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectRetransmissions Dword:2 (2) Windows 2000<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions Dword:3 (5) Windows 2000<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried Dword:190 (80) Windows 2000 |
| TCP FIN-WAIT-2 timeout: Time to hold a socket in state FIN-WAIT-2, i.e. the time spent waiting for the FIN packet following the initial (one-way) FIN+ACK. RFC 793 | net.ipv4.tcp_fin_timeout=30 (60) GNU/Linux 2.4.x<br>tcp_fin_wait_2_flush_interval=67500 (67500) Solaris 2.5.1<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpFinWait2Delay Dword:30 (120) Windows 2000 |
| TCP TIME_WAIT: Time to hold a socket in state TIME-WAIT, which represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request. RFC 793 | (TCP_TIMEWAIT_LEN == 60*HZ) GNU/Linux 2.4.x<br>net.ipv4.tcp_tw_reuse=1 GNU/Linux 2.4.x<br>net.ipv4.tcp_tw_recycle=1 (1) GNU/Linux 2.4.x<br>tcp_close_wait_interval=60000 (240000 == 2MSL) Solaris 2.6<br>tcp_time_wait_interval=60000 (240000 == 2MSL) Solaris 7<br>tcp_time_wait_interval=60000 (60000) Solaris 9<br>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay Dword:60 (240) Windows 2000<br>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay Dword:60 (120) Windows XP/2003<br>tcp_2msl=60 IRIX |
| TCP maximum segment life: The maximum amount of time to wait for an ACK in reply to a SYN-ACK or FIN-ACK. RFC 1753 | net.inet.tcp.msl=30000 (30000ms) FreeBSD 4.x<br>net.inet.tcp.msl Mac OS X |
| TCP keepalive: TCP begins a countdown timer upon receipt of a TCP packet. When the keepalive timer reaches zero, a packet is sent to the peer requesting acknowledgement. | net.inet.tcp.keepintvl FreeBSD 4.x, OpenBSD, Mac OS X<br>net.ipv4.tcp_keepalive_time=3600 (2*60*60) GNU/Linux 2.4.x<br>net.ipv4.tcp_keepalive_probes=9 (9) GNU/Linux 2.4.x<br>net.ipv4.tcp_keepalive_intvl=75 (75) GNU/Linux 2.4.x<br>tcp_keepalive_interval=3600000 (7200000) Solaris 2.x<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveInterval Dword:1000 (1000ms) Windows 2000<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime Dword:3600000 (7200000) Windows 2000 |
| TCP window scaling: The TCP window scale option increases the TCP receive window size above its maximum unscaled value of 65,535 bytes. RFC 1323 | net.inet.tcp.rfc1323=1 (1) FreeBSD 4.x, NetBSD 1.2<br>net.ipv4.tcp_window_scaling=1 (1) GNU/Linux 2.4.x<br>tcp_wscale_always=1 (0; negotiated) Solaris 2.6<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Tcp1323Opts Dword:2 (0) Windows 2000 |
| TCP send/receive window size: The theoretical value (in bytes) for wstd is bps / 8 * rtt, where bps is the bandwidth in bits/second, rtt is the round-trip time (in seconds), and wstd is the maximum size (in bytes) of the TCP window. http://proj.sunet.se/E2E/tcptune.html | net.inet.tcp.sendspace=32768 FreeBSD 4.x, OpenBSD, Mac OS X<br>net.inet.tcp.recvspace=32768 (57344) FreeBSD 4.x, OpenBSD, Mac OS X<br>net.inet.udp.sendspace=32768 (9216) FreeBSD 4.x, OpenBSD, Mac OS X<br>net.inet.udp.recvspace=32768 (42080) FreeBSD 4.x, OpenBSD, Mac OS X<br>tcp_xmit_hiwat=32768 (8192) Solaris 2.x<br>tcp_xmit_hiwat=32768 (16384) Solaris 2.8<br>tcp_recv_hiwat=32768 (8192) Solaris 2.x<br>tcp_recv_hiwat=32768 (24576) Solaris 2.8<br>udp_xmit_hiwat=16384 (8192) Solaris 2.x<br>udp_recv_hiwat=16384 (8192) Solaris 2.x<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize (8760) Windows 2000<br>HKLM\System\CurrentControlSet\Services\VxD\MSTCP\DefaultRcvWindow Windows 2000 |
| TCP delayed ACK: A host that is receiving a stream of TCP data segments can increase efficiency in both the Internet and the hosts by sending fewer than one ACK (acknowledgment) segment per data segment received. RFC 1122 | net.inet.tcp.delayed_ack=1 FreeBSD, Mac OS X<br>net.ipv4.tcp_delack_min=40 (40ms) FreeBSD<br>tcp_deferred_ack_interval=200 (50) Solaris 2.x<br>tcp_deferred_ack_interval=200 (100) Solaris 2.8 |
| TCP selective ACK: With selective acknowledgments, the data receiver can inform the sender about all segments that have arrived successfully, so the sender need retransmit only the segments that have actually been lost. RFC 2018 | net.inet.tcp.sack=1 (1) OpenBSD<br>net.inet.tcp.sack?=1 (1) Mac OS X 10.4.6<br>net.inet.tcp.sack.enable=1 (1) FreeBSD 5.3<br>net.ipv4.tcp_dsack=1 (1) GNU/Linux 2.4.x<br>net.ipv4.tcp_sack=1 (1) GNU/Linux 2.4.x<br>tcp_sack_permitted=2 (2) Solaris 9<br>HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ Dword=1 (1) Windows 2000 |
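The window-size formula in the table above (wstd = bps / 8 * rtt) is worth carrying one step further, because the answer decides whether the window scaling row matters at all. The following is an added example, not code from the original table: it computes wstd with integer arithmetic (RTT in milliseconds), derives the RFC 1323 shift count needed to advertise that window in a 16-bit field, and answers the inverse question of how much throughput a fixed sendspace/recvspace can sustain at a given RTT. The 65535-byte field and 14-bit maximum shift are from RFC 1323; the sample path (100 Mbit/s, 50 ms) is constructed.

```python
# Added example: bandwidth-delay product from the table's formula, plus the
# RFC 1323 window scale shift it implies and the inverse (throughput ceiling).

MAX_UNSCALED_WINDOW = 65535   # 16-bit TCP window field
MAX_WSCALE_SHIFT = 14         # largest shift count RFC 1323 permits


def window_bytes(bps: int, rtt_ms: int) -> int:
    """wstd = bps / 8 * rtt, rounded up to whole bytes (rtt given in ms)."""
    return -(-bps * rtt_ms // 8000)


def wscale_shift(window: int) -> int:
    """Smallest shift such that 65535 << shift >= window; 0 means no scaling.
    Raises ValueError when even the maximum shift cannot express the window."""
    shift = 0
    while (MAX_UNSCALED_WINDOW << shift) < window:
        shift += 1
        if shift > MAX_WSCALE_SHIFT:
            raise ValueError(f"window of {window} bytes exceeds the RFC 1323 maximum")
    return shift


def throughput_ceiling_bps(window: int, rtt_ms: int) -> float:
    """Inverse of the formula: the most a fixed window can move per round trip."""
    return window * 8000 / rtt_ms


def plan(bps: int, rtt_ms: int, current_window: int) -> dict:
    """Compare what a path needs with what the current window setting delivers."""
    need = window_bytes(bps, rtt_ms)
    return {
        "wstd_bytes": need,
        "wscale_shift": wscale_shift(need),
        "window_sufficient": current_window >= need,
        "current_ceiling_bps": throughput_ceiling_bps(current_window, rtt_ms),
    }


if __name__ == "__main__":
    # Constructed path: 100 Mbit/s with a 50 ms RTT, checked against the
    # FreeBSD 4.x recvspace default of 57344 bytes listed in the table.
    print(plan(100_000_000, 50, 57344))
```

With the FreeBSD default recvspace of 57344 bytes, that path is capped at roughly 9.2 Mbit/s regardless of link speed; the 625,000-byte window it actually needs requires window scaling (shift 4), which is why the rfc1323/tcp_window_scaling settings and the recvspace settings have to be changed together.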
| network security | setting=recommended (default) OS |
|---|---|
| ARP cache cleanup interval | net.link.ether.inet.max_age=60 (1200) FreeBSD 4.x, Mac OS X<br>arp_cleanup_interval=60000 (300000) Solaris 2.x<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\ArpCacheLife Dword:60 (600) Windows 2000<br>arpt_killc=20 AIX |
| Broadcast proxy | net.ipv4.conf.all.bootp_relay=0 GNU/Linux 2.4.x<br>net.ipv4.conf.all.proxy_arp=0 GNU/Linux 2.4.x<br>ip_forward_directed_broadcasts=0 (1) Solaris 2.x<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\ForwardBroadcasts=0 (0) Windows 2000 |
| IP max fragments | net.inet.(ip\|ip6).maxfragpackets=16384 (16384) FreeBSD 4.x<br>net.ipv[46].ipfrag_(low\|high)_thresh=(?) (?) GNU/Linux 2.4.x<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableFragmentChecking Dword:1 (0) Windows 2000 |
| IP reverse path filtering | net.ipv4.conf.all.rp_filter=1 (0) GNU/Linux 2.4.x<br>net.ipv4.conf.default.rp_filter=1 (0) GNU/Linux 2.4.x<br>ip_strict_dst_multihoming=1 (0) Solaris 2.x<br>ip6_strict_dst_multihoming=1 (0) Solaris 2.x<br>HKLM\System\CurrentControlSet\Services\DnsCache\Parameters\QueryIPMatching Dword:1 Windows 2000 |
| IP route flush interval | net.inet.(ip\|ip6).rtexpire=? (?) FreeBSD 4.x<br>ip_ire_flush_interval=60000 (1200000) Solaris 2.x<br>ip_ire_arp_interval=60000 (1200000) Solaris 2.x |
| IP forwarding | net.inet.ip.forwarding=0 (1) FreeBSD 4.x, OpenBSD, Mac OS X<br>net.ipv4.conf.all.forwarding=0 (1) GNU/Linux 2.4.x<br>net.ipv4.conf.default.forwarding=0 (1) GNU/Linux 2.4.x<br>ip_forwarding=0 (2) Solaris 2.x<br>ip_forwarding=0 (1) Solaris 2.8<br>ip6_forwarding=0 (1) Solaris 2.8<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter Dword:0 (0) Windows 2000 |
| IP source routing | net.inet.ip.sourceroute=0 (0) FreeBSD 4.x, OpenBSD, Mac OS X<br>net.inet.ip6.sourceroute=0 (0) FreeBSD 4.x, OpenBSD<br>net.inet.ip.accept_sourceroute=0 FreeBSD 4.x, Mac OS X<br>net.inet.ip6.accept_sourceroute=0 FreeBSD 4.x<br>net.ipv4.conf.all.accept_source_route=0 (1) GNU/Linux 2.x<br>net.ipv4.conf.all.mc_forwarding=0 (0) GNU/Linux 2.x<br>net.ipv[46].conf.all.forwarding=0 (0) GNU/Linux 2.x<br>(ip\|ip6)_forward_src_routed=0 (1) Solaris 2.x<br>tcp_rev_src_routes=0 (0) Solaris 2.x<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting Dword:2 (1) Windows 2000<br>HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting Dword:2 (0) Windows 2003<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\ArpAlwaysSourceRoute Dword:0 Windows 2000<br>ipsrcroutesend=0 AIX<br>ipsrcrouteforward=0 AIX<br>ip_src_route_forward=0 HP-UX |
| IP dead gateway detection | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect Dword:0 (1) Windows 2000 |
| ICMP redirect: ICMP type 5 carries a redirect message telling a host to send data packets via an alternative route. Disable ICMP redirects so that a rogue host cannot manipulate host routes (usually combined with ARP spoofing). RFC 792 | net.inet.ip.redirect=0 (0) FreeBSD 4.x, OpenBSD, Mac OS X<br>net.inet.ip6.redirect=0 (0) FreeBSD 4.x, OpenBSD<br>net.inet.icmp.drop_redirect=1 (0) FreeBSD 4.x, Mac OS X<br>net.inet.icmp.log_redirect=1 (0) FreeBSD 4.x, Mac OS X<br>net.inet.icmp.rediraccept=0 OpenBSD<br>net.inet6.icmp.rediraccept=0 OpenBSD<br>net.ipv[46].conf.all.(send\|accept)_redirects=0 (1) GNU/Linux 2.4.x<br>(ip\|ip6)_ignore_redirect=1 (0) Solaris 2.x<br>(ip\|ip6)_send_redirects=0 (1) Solaris 2.x<br>HKLM\System\CurrentControlSet\Services\AFD\Parameters\EnableICMPRedirect Dword:0 (1) Windows 2000<br>icmp_dropredirects=0 IRIX<br>ip_send_redirects=0 HP-UX<br>ipignoreredirects=1 AIX<br>ipsendredirects=0 AIX |
| ICMP path MTU discovery: Path MTU discovery (PMTUD) is a technique for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation. ICMP type 3, code 4 should be enabled to prevent "black hole connections" where "small" TCP packets are allowed, such as the 3-way handshake, but large data packets are lost. RFC 1191 | net.inet.tcp.path_mtu_discovery=1 (1) FreeBSD, Mac OS X<br>net.inet.ip.mtudisc=1 (1) NetBSD, OpenBSD<br>net.ipv4.ip_no_pmtu_disc=0 (0) GNU/Linux 2.4.x<br>ip_path_mtu_discovery=1 (1) Solaris 2.x<br>tcp_mss_def_ipv4=536 (536) Solaris 2.8<br>tcp_mss_def_ipv6=1460 (1460) Solaris 2.8<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery Dword:1 (1) Windows 2000<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUBHDetect Dword:0 (0) Windows 2000 |
| ICMP rate limit: The FreeBSD option limits ICMP Unreachable and TCP RST packets per second | net.inet.icmp.icmplim=50 (200) FreeBSD 4.x, Mac OS X<br>net.inet.icmp.errppslimit=50 OpenBSD, NetBSD<br>net.inet6.icmp6.errppslimit=50 OpenBSD, NetBSD<br>net.ipv4.icmp_ratelimit=50 (100 == 1pps) GNU/Linux 2.4.x<br>ip_icmp_err_interval=100 (100ms) Solaris 9<br>ip_icmp_err_burst=10 (10) Solaris 9 |
| ICMP netmask request: ICMP types 17 (netmask request) and 18 (netmask response) carry the remote host's network mask (on the interface that processed the request) and can be used to accurately map your subnet structure, determining the broadcast addresses in use and which routers are responsible for which subnets. | -A input -p icmp --icmp-type address-mask-request -j DROP GNU/Linux 2.4.x<br>-A output -p icmp --icmp-type address-mask-reply -j DROP GNU/Linux 2.4.x<br>net.inet.icmp.maskrepl=0 (?) FreeBSD 4.x, NetBSD, OpenBSD, Mac OS X<br>ip_respond_to_address_mask_broadcast=0 (0) Solaris 2.x<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableAddrMaskReply Dword:0 (0) Windows 2000<br>no ip mask-reply Cisco IOS<br>icmpaddressmask=0 AIX<br>ip_respond_to_address_mask_broadcast=0 HP-UX |
| ICMP broadcast echo request / IP directed broadcast | net.inet.icmp.bmcastecho=0 (1) FreeBSD 4.x, Mac OS X<br>net.inet.ip.directed-broadcast=0 (0) NetBSD, OpenBSD<br>net.ipv4.icmp_echo_ignore_broadcasts=1 (0) GNU/Linux 2.4.x<br>(ip\|ip6)_respond_to_echo_broadcast=0 (1) Solaris 2.x<br>ip_respond_to_echo_broadcast=0 (1) Solaris 2.x<br>ip6_respond_to_echo_multicast=0 (1) Solaris 2.x<br>allow_brdaddr_srcaddr=0 IRIX<br>directed_broadcast=0 AIX<br>bcastping=0 AIX<br>ip_forward_directed_broadcasts=0 HP-UX<br>ip_respond_to_echo_broadcast=0 HP-UX |
| ICMP broadcast mask requests | net.inet.icmp.masqrepl=0 (?) FreeBSD 4.x<br>net.ipv[46].icmp_echo_ignore_broadcasts=1 (0) GNU/Linux 2.4.x<br>ip_respond_to_address_mask_broadcast=0 (?) Windows 2000 |
| ICMP broadcast timestamp requests | net.inet.icmp.maskrepl=0 FreeBSD 4.x<br>net.ipv4.icmp_echo_ignore_broadcasts=1 (0) GNU/Linux 2.4.x<br>ip_respond_to_timestamp_broadcast=0 Solaris 2.x<br>ip_respond_to_timestamp_broadcast=0 HP-UX |
| ICMP timestamp: ICMP type 14, code 0, consists of the originate timestamp sent by the sender of the ICMP timestamp request as well as a receive timestamp and a transmit timestamp. | net.inet.icmp.timestamp=0 (0) Mac OS X<br>ip_respond_to_timestamp=0 (1) Solaris 2.x<br>ip_respond_to_timestamp_broadcast=0 (1) Solaris 2.x |
| Invalid protocol | net.inet.tcp.icmp_may_rst=0 (1) FreeBSD 4.x, Mac OS X<br>net.inet.tcp.drop_synfin=1 (1) FreeBSD, Mac OS X<br>net.ipv[46].conf.all.log_martians=0 (0) GNU/Linux 2.4.x<br>net.ipv[46].conf.default.log_martians=0 (0) GNU/Linux 2.4.x<br>net.ipv4.icmp_ignore_bogus_error_responses=1 GNU/Linux 2.4.x |
| TCP/UDP packet received on a closed port (normally answered with a TCP ACK, TCP RST, or ICMP Unreachable) | net.inet.tcp.blackhole=2 (0) FreeBSD 4.x, Mac OS X<br>net.inet.udp.blackhole=1 (0) FreeBSD 4.x, Mac OS X |
| Network mbufs | kern.ipc.nmbclusters=65536 (NMBCLUSTERS) FreeBSD 4.x |
| Non-privileged port range: Defines the local port range that is used by TCP and UDP | net.inet.ip.portrange.first=1024 (1024) FreeBSD 4.x, Mac OS X<br>net.inet.ip.portrange.last=16383 (5000) FreeBSD 4.x, Mac OS X<br>net.ipv4.ip_local_port_range=16384-65535 (32768-61000) GNU/Linux 2.4.x<br>tcp_smallest_nonpriv_port=1024 (1024) Solaris 2.x<br>udp_smallest_nonpriv_port=1024 (1024) Solaris 2.x<br>tcp_smallest_anon_port=8192 (32768) Solaris 2.x<br>tcp_largest_anon_port=65535 (65535) Solaris 2.x<br>udp_smallest_anon_port=8192 (32768) Solaris 2.x<br>udp_largest_anon_port=65535 (65535) Solaris 2.x |
| TCP initial sequence numbers | tcp_strong_iss=2 (1) Solaris 2.x |
| file system security/performance | setting=recommended (default) OS |
|---|---|
| Maximum inodes | fs.inode-max=131072 GNU/Linux 2.2.x |
| Maximum file descriptors | kern.maxfiles=32768 (MAXUSERS == 2048) FreeBSD 4.x<br>fs.file-max=32768 (8192) GNU/Linux 2.4.x<br>rlim_fd_max=32768 (1024; > 2*tcp_conn_req_max) Solaris 2.x |
| information disclosure | setting=recommended (default) OS |
|---|---|
| IP default TTL | net.inet.ip.ttl=64 (64) FreeBSD 4.x, OpenBSD, Mac OS X<br>net.ipv4.ip_default_ttl=64 (64) GNU/Linux 2.4.x<br>ip_def_ttl=64 (255) Solaris 2.x<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL Dword:64 (128) Windows 2000 |
| TCP timestamping (BugTraq: "Obtaining System Uptime Remotely") | net.inet.tcp.rfc1323=1 (1) FreeBSD 4.x, OpenBSD, Mac OS X<br>net.ipv4.tcp_timestamps=1 (1) GNU/Linux 2.4.x<br>tcp_tstamp_always=0 (1) Solaris 2.x |
The data was collected from various sources.
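A practical way to use the table is to diff a running host against it rather than reading values off one at a time. The following is an added example, not part of the original document: a small audit that parses `sysctl -a` style `key = value` output and reports every GNU/Linux 2.4.x setting that deviates from the recommendation listed above. The recommendation dictionary is a subset of the table's Linux entries, the sample sysctl output is constructed, and the ranges are written as sysctl prints them (two whitespace-separated numbers) rather than with the table's hyphen.

```python
import re

# GNU/Linux 2.4.x recommendations copied from the table above (a subset).
# sysctl prints a port range as two whitespace-separated numbers, so the
# table's "16384-65535" is written the way sysctl -a reports it.
RECOMMENDED = {
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_max_syn_backlog": "4096",
    "net.ipv4.tcp_fin_timeout": "30",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.ip_default_ttl": "64",
    "net.ipv4.ip_local_port_range": "16384 65535",
    # Listed as 1 for performance; the information disclosure section notes
    # that timestamps leak uptime, so decide this one per host.
    "net.ipv4.tcp_timestamps": "1",
}

# Accepts "net.ipv4.x = 1" and the /proc-style "net/ipv4/x = 1" spelling.
LINE = re.compile(r"^\s*([\w./\-]+)\s*=\s*(.*?)\s*$")


def parse_sysctl(text: str) -> dict:
    """Map sysctl keys to current values, normalising key and value spacing."""
    current = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            key = m.group(1).replace("/", ".")
            current[key] = " ".join(m.group(2).split())
    return current


def audit(text: str, recommended: dict = RECOMMENDED) -> dict:
    """Return {key: (current, recommended)} for every deviation; a key the
    host does not expose at all is reported with current == None."""
    current = parse_sysctl(text)
    return {k: (current.get(k), v) for k, v in recommended.items()
            if current.get(k) != v}


# Constructed sample of sysctl -a output for a host left at kernel defaults.
SAMPLE = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_fin_timeout = 60
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net/ipv4/ip_default_ttl = 64
net.ipv4.ip_local_port_range = 32768\t61000
"""
```

On a real host, feed the output of `sysctl -a` to `audit()`; a key reported with `current == None` is one the kernel does not expose (for example, a 2.4.x-only knob on a newer kernel), which should be looked at rather than silently treated as compliant.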