Conceptually similar to http://bhami.com/rosetta.html, but this table focuses on design choices, specifically performance and security tuning, not daily operations. The default value follows each setting in parentheses.

Author: Lyle Tagawa. Modified: $Date: 2004/11/04 18:52:01
| "task" | FreeBSD 4.x | GNU/Linux 2.4.x | Solaris 2.8-2.9 | Windows NT5 |
|---|---|---|---|---|
| network security/performance | | | | |
| TCP SYN cookies<br>A server that uses SYN cookies doesn't have to drop connections when its SYN queue fills up. Instead it sends back a SYN+ACK, exactly as if the SYN queue had been larger. http://cr.yp.to/syncookies.html http://support.microsoft.com/default.aspx?scid=kb;en-us;315669 | net.inet.tcp.syncookies=1 (1) | net.ipv[46].tcp_syncookies=1 (0) | | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect Dword:2 (0) |
| TCP max SYN backlog<br>Maximal number of remembered connection requests | kern.ipc.somaxconn=1024 (128) | net.ipv[46].tcp_max_syn_backlog=4096 (1024) | tcp_conn_req_max_q0=4096 (128) | HKLM\System\CurrentControlSet\Services\AFD\Parameters\DynamicBacklog Dword:1 (0)<br>HKLM\System\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog Dword:14<br>HKLM\System\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog Dword:4E20<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen Dword:1F4 (100) |
| TCP max connections | kern.ipc.somaxconn=1024 (128) | | tcp_conn_req_max_q=1024 (128) | |
| TCP SYN-ACK retries<br>Number of times SYN-ACKs for a passive TCP connection attempt will be retransmitted | | net.ipv[46].tcp_synack_retries=4 (5) | | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions Dword:2 (3)<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectRetransmissions Dword:2<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions Dword:3<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried Dword:190 (80) |
| TCP FIN timeout<br>Time to hold a socket in state FIN-WAIT-2 | | net.ipv[46].tcp_fin_timeout=30 (60) | | |
| TCP TIME_WAIT interval | | deprecated (60) | tcp_time_wait_interval=60000 (240000 = 4*60*1000) | HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay Dword:F0 (240) |
| TCP keepalive interval | | net.ipv[46].tcp_keepalive_time=3600 (2*60*60)<br>net.ipv[46].tcp_keepalive_probes=9 (9)<br>net.ipv[46].tcp_keepalive_intvl=75 (75) | tcp_keepalive_interval=900000 (?) | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime Dword:493E0 (7200000) |
| TCP send/receive window size<br>The theoretical value (in bytes) for wstd is bps / 8 * rtt, where bps is the bandwidth in bits/second, rtt is the round-trip time (in seconds), and wstd is the maximum size (in bytes) of the TCP window. http://proj.sunet.se/E2E/tcptune.html | net.inet.tcp.(send\|recv)space=32768 | | tcp_(xmit\|recv)_hiwat=65535 (16384\|24576) | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TCPWindowSize<br>HKLM\System\CurrentControlSet\Services\VxD\MSTCP\DefaultRcvWindow |
| network security | | | | |
| ARP cleanup interval | net.link.ether.inet.max_age=1200 (?) | | arp_cleanup_interval=60000 (300000) | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\ArpCacheLife Dword:? |
| IP route flush interval | net.inet.(ip\|ip6).rtexpire=? (?) | | ip_ire_flush_interval=60000 (1200000)<br>ip_ire_arp_interval=60000 (1200000) | |
| IP source routing | net.inet.(ip\|ip6).sourceroute=0<br>net.inet.(ip\|ip6).accept_sourceroute=0 | net.ipv[46].conf.all.accept_source_route=0 (1)<br>net.ipv[46].conf.all.forwarding=0 (0)<br>net.ipv[46].conf.all.mc_forwarding=0 (0) | (ip\|ip6)_forward_src_routed=0 (1)<br>tcp_rev_src_routes=0 (0) | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting Dword:2<br>HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\ArpAlwaysSourceRoute Dword:0 |
| IP max fragments | net.inet.(ip\|ip6).maxfragpackets=16384 (16384) | net.ipv[46].ipfrag_(low\|high)_thresh=? (?) | | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableFragmentChecking Dword:1 (0) |
| IP reverse path filtering | | net.ipv[46].conf.all.rp_filter=1 (0) | (ip\|ip6)_strict_dst_multihoming=1 (0) | HKLM\System\CurrentControlSet\Services\DnsCache\Parameters\QueryIPMatching Dword:1 |
| IP log and drop Martians<br>Log packets with impossible addresses to the kernel log | | net.ipv[46].conf.all.log_martians=0 (0) | | |
| ICMP path MTU discovery | | net.ipv[46].ip_no_pmtu_disc=0 (0) | | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery Dword:0 (1) |
| ICMP rate-limit | net.inet.icmp.icmplim=200 (200) | net.ipv[46].icmp_ratelimit=100 (100 == 1pps) | | |
| ICMP redirects | net.inet.(ip\|ip6).redirect=0 (?)<br>net.inet.icmp.(drop\|log)_redirect=1 | net.ipv[46].conf.all.(send\|accept)_redirects=0 (1) | (ip\|ip6)_ignore_redirect=1 (0)<br>(ip\|ip6)_send_redirects=0 (1) | HKLM\System\CurrentControlSet\Services\AFD\Parameters\EnableICMPRedirect Dword:0 (1) |
| ICMP netmask request | net.inet.icmp.maskrepl=0 (?) | | ip_respond_to_address_mask_broadcast=0 (0) | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableAddrMaskReply Dword:0 |
| ICMP broadcast echo request | net.inet.icmp.bmcastecho=0 (?) | net.ipv[46].icmp_echo_ignore_broadcasts=1 (0) | (ip\|ip6)_respond_to_echo_broadcast=0 (1)<br>ip_forward_directed_broadcasts=0 (1) | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableBCastArpReply Dword:0 |
| ICMP broadcast mask requests | net.inet.icmp.maskrepl=0 (?) | net.ipv[46].icmp_echo_ignore_broadcasts=1 (0) | ip_respond_to_address_mask_broadcast=0 (?) | |
| ICMP broadcast timestamp requests | net.inet.icmp.maskrepl=0 (?) | net.ipv[46].icmp_echo_ignore_broadcasts=1 (0) | ip_respond_to_timestamp_broadcast=0 (?) | |
| ICMP timestamp | | | ip_respond_to_timestamp=0 (1)<br>ip_respond_to_timestamp_broadcast=0 (1) | |
| | kern.ipc.nmbclusters=? (NMBCLUSTERS) | | ndd -set /dev/tcp tcp_rexmit_interval_initial 3000<br>ndd -set /dev/tcp tcp_rexmit_interval_min 3000<br>ndd -set /dev/tcp tcp_rexmit_interval_max 240000<br>ndd -set /dev/tcp tcp_close_wait_interval 60000<br>ndd -set /dev/tcp tcp_ip_abort_interval 600000 | |
| Non-privileged port range<br>Defines the local port range that is used by TCP and UDP | net.inet.(ip\|ip6).portrange.first= (1024)<br>net.inet.(ip\|ip6).portrange.last= (5000) | net.ipv[46].ip_local_port_range=16384-65535 (32768-61000) | tcp_smallest_nonpriv_port=1024 (1024)<br>udp_smallest_nonpriv_port=1024 (1024)<br>tcp_smallest_anon_port=32768 (32768)<br>tcp_largest_anon_port=65535 (65535)<br>udp_smallest_anon_port=32768 (32768)<br>udp_largest_anon_port=65535 (65535) | |
| file system security/performance | | | | |
| Maximum file descriptors | kern.maxfiles=? (MAXUSERS) | fs.file-max=? (dynamic) | | |
| information disclosure | | | | |
| IP default TTL | net.inet.(ip\|ip6).ttl=? (?) | net.ipv[46].ip_default_ttl=64 (64) | ip_def_ttl=255 (255) | HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL |
| TCP Timestamping<br>BugTraq: Obtaining System Uptime Remotely | net.inet.tcp.rfc1323=1 (1) | net.ipv4.tcp_timestamps=1 (1) | tcp_tstamp_always=0 (1) | |
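An added example, not part of the original table, that turns the FreeBSD and GNU/Linux columns into an audit: the script compares `sysctl -a` output against the hardened values and reports every key that is missing from the dump or still at a weaker value. It goes slightly beyond the table by accepting both output formats (Linux prints `key = value`, FreeBSD prints `key: value`). The wanted lists are a subset of the table's entries with the `[46]` and `(ip|ip6)` variants spelled out for IPv4 only; the two sample dumps are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example, not part of the original table: audit a host's live sysctl
# settings against the hardened values in the table's FreeBSD and GNU/Linux
# columns. Input is the text `sysctl -a` prints: "key = value" on Linux,
# "key: value" on FreeBSD. All sample output below is constructed.

# Hardened Linux values from the table, one "key value" per line.
WANTED_LINUX='net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 4096
net.ipv4.tcp_synack_retries 4
net.ipv4.tcp_fin_timeout 30
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1'

# Hardened FreeBSD values from the table.
WANTED_FREEBSD='net.inet.tcp.syncookies 1
kern.ipc.somaxconn 1024
net.inet.ip.sourceroute 0
net.inet.ip.accept_sourceroute 0
net.inet.ip.redirect 0
net.inet.icmp.drop_redirect 1
net.inet.icmp.maskrepl 0
net.inet.icmp.bmcastecho 0'

# lookup KEY OUTPUT: print the current value of KEY from sysctl output,
# accepting both "key = value" (Linux) and "key: value" (FreeBSD) lines.
lookup() {
    printf '%s\n' "$2" | awk -v k="$1" '
        { key = $1; sub(/:$/, "", key) }
        key == k { v = ($2 == "=") ? $3 : $2; print v; exit }'
}

# audit_sysctl WANTED OUTPUT
# Prints one line per deviation: "<key> <current|MISSING> <wanted>".
audit_sysctl() {
    printf '%s\n' "$1" | while read -r key want; do
        [ -n "$key" ] || continue
        have=$(lookup "$key" "$2")
        if [ -z "$have" ]; then
            printf '%s MISSING %s\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$key" "$have" "$want"
        fi
    done
}

# audit_count WANTED OUTPUT: number of deviations (0 means compliant).
audit_count() {
    audit_sysctl "$1" "$2" | awk 'END { print NR }'
}

# Constructed sample: a Linux 2.4 box at defaults except rp_filter, with
# tcp_synack_retries absent from the dump.
SAMPLE_LINUX='net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_fin_timeout = 60
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 0'

# Constructed sample: a FreeBSD 4.x box where only somaxconn is still at default.
SAMPLE_FREEBSD='net.inet.tcp.syncookies: 1
kern.ipc.somaxconn: 128
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 0
net.inet.ip.redirect: 0
net.inet.icmp.drop_redirect: 1
net.inet.icmp.maskrepl: 0
net.inet.icmp.bmcastecho: 0'

# On a real host: audit_sysctl "$WANTED_LINUX" "$(sysctl -a 2>/dev/null)"
audit_sysctl "$WANTED_LINUX" "$SAMPLE_LINUX"
audit_sysctl "$WANTED_FREEBSD" "$SAMPLE_FREEBSD"
```

A key reported as MISSING deserves a second look rather than being ignored: on a 2.4 kernel it usually means the option was not compiled in (or the interface-specific `conf.<if>` entries are the only ones present), so the hardened value cannot take effect at all. Multi-valued keys such as `ip_local_port_range` print two fields and are deliberately left out of the wanted lists; comparing them needs a range check, not string equality.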