updated assumptions; enabled more optimizations by default

k4yt3x · Oct 12, 2021 · 1991676 · 1991676
1 parent eacf468
commit 1991676
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -13,7 +13,16 @@ This repository hosts my hardened version of `sysctl.conf`. This configuration f
 
 **Please review the configuration file carefully before applying it.** You are responsible for actions done to your system. If you need some guidance understanding what each of the settings is for, [sysctl-explorer](https://sysctl-explorer.net/) might come in handy. You may also consult [Linux's kernel documentation](https://www.kernel.org/doc/Documentation/sysctl/).
 
-Please be aware that this `sysctl.conf` is **designed for 64-bit endpoint hosts that do not act as a router**. If you would like to use this configuration file on a router, please go over the configuration file and make the necessary changes (e.g., set `net.ipv4.ip_forward` to `1`).
+## Assumptions
+
+This configuration file is written with a few assumptions about your OS. You can still use this configuration as a template if your OS does not match these assumptions (e.g., set `net.ipv4.ip_forward` to `1` on a router). Making these assumptions helps us to develop a configuration file with the most number of optimizations enabled for common systems.
+
+- Security is valued over performance and convenience
+- The OS does not act as a router
+- The OS is running on a 64-bit system
+- The OS is on a network that is relatively stable (e.g., wired vs. LTE)
+- No debugging features are required (e.g., no need for GDB/kdump)
+- ICMP echo messages are not regarded as harmful
 
 ## Configuration Deployment
 

diff --git a/sysctl.conf b/sysctl.conf
@@ -124,11 +124,11 @@ net.core.netdev_max_backlog = 250000
 net.core.bpf_jit_harden = 2
 
 # increase TCP max buffer size setable using setsockopt()
-#net.core.rmem_max = 8388608
-#net.core.wmem_max = 8388608
-#net.core.rmem_default = 8388608
-#net.core.wmem_default = 8388608
-#net.core.optmem_max = 8388608
+net.core.rmem_max = 8388608
+net.core.wmem_max = 8388608
+net.core.rmem_default = 8388608
+net.core.wmem_default = 8388608
+#net.core.optmem_max = 40960
 
 ########## IPv4 Networking ##########
 
@@ -218,22 +218,24 @@ net.ipv4.tcp_timestamps = 0
 # enabling SACK can increase the throughput
 # but SACK is commonly exploited and rarely used
 net.ipv4.tcp_sack = 0
+net.ipv4.tcp_dsack = 0
+net.ipv4.tcp_fack = 0
 
 # divide socket buffer evenly between TCP window size and application
 net.ipv4.tcp_adv_win_scale = 1
 
 # SSR could impact TCP's performance on a fixed-speed network (e.g., wired)
 #   but it could be helpful on a variable-speed network (e.g., LTE)
 # uncomment this if you are on a fixed-speed network
-#net.ipv4.tcp_slow_start_after_idle = 0
+net.ipv4.tcp_slow_start_after_idle = 0
 
 # enabling MTU probing helps mitigating PMTU blackhole issues
 # this may not be desirable on congested networks
-#net.ipv4.tcp_mtu_probing = 1
+net.ipv4.tcp_mtu_probing = 1
 
 # increase memory thresholds to prevent packet dropping
-#net.ipv4.tcp_rmem = 4096 87380 8388608
-#net.ipv4.tcp_wmem = 4096 87380 8388608
+net.ipv4.tcp_rmem = 4096 87380 8388608
+net.ipv4.tcp_wmem = 4096 87380 8388608
 
 ########## IPv6 Networking ##########