Daniel Micay
01201c0ece
disable io_uring without CAP_SYS_ADMIN or io_uring group
2024-07-01 23:15:38 -04:00
Daniel Micay
f9425e3ebd
reduce conntrack UDP timeouts
This only applies to outbound NTP requests since we use notrack for our
UDP services and DNS-over-TLS for our local resolver. We'd have no need
for longer timeouts even if that wasn't the case.
2024-04-30 12:13:02 -04:00
Daniel Micay
6dbc014f4b
set conntrack expectation table to minimum size
2024-04-27 12:48:21 -04:00
Daniel Micay
bab3f0c14a
disable IPv4-mapped IPv6 addresses by default
2024-04-25 10:38:54 -04:00
Daniel Micay
fb40773157
reduce conntrack TCP TIME-WAIT timeout to match TCP stack
2024-04-24 21:12:12 -04:00
Daniel Micay
82cc1beccb
remove unused SYN backlog configuration
This isn't used anymore despite inaccurate kernel configuration
documentation. The SYN_RECV queue is set based on the backlog value
just like the separate accept queue for established connections.
2024-04-24 18:58:41 -04:00
Daniel Micay
f3ae109eac
reduce conntrack SYN timeouts to match TCP/IP stack
2024-04-24 10:45:02 -04:00
Daniel Micay
711e432a67
remove unnecessary local-reserved-ports.conf template
2024-04-13 14:17:23 -04:00
Daniel Micay
f9bce64060
enable TCP window shrinking
The default is a potential denial of service issue via TCP memory
exhaustion.
2024-04-13 13:52:08 -04:00
Daniel Micay
5106ec7f4a
remove redundant vm.max_map_count configuration
The same value we were using is now the default.
2024-04-07 15:11:35 -04:00
Daniel Micay
eb55afa3a8
reorganize sysctl configuration
2024-03-24 11:03:31 -04:00
Daniel Micay
51a4f8ca7a
extend disabling ICMP redirects
2024-03-24 10:43:37 -04:00
Daniel Micay
ec2cbbdb4e
enforce strict reverse path filtering via nftables
2024-03-23 13:35:49 -04:00
Daniel Micay
d39937fc6c
disable currently unused energy aware scheduling
2024-02-12 16:13:45 -05:00
Daniel Micay
dd9d6ff2a5
disable unused multipath TCP
2024-01-03 10:52:27 -05:00
Daniel Micay
dcb50a9085
add /etc/sysctl.d/local-reserved-ports.conf
2023-06-06 21:55:11 -04:00
Daniel Micay
6530e1a583
reboot immediately on kernel panic
We can adjust this if we ever need to debug a kernel panic issue which
is not expected.
2023-01-09 14:18:30 -05:00
Daniel Micay
966100eb9f
vm.max_map_count to 1048576
2022-09-25 07:48:50 -04:00
Daniel Micay
5461b3f05b
raise tcp_max_syn_backlog to 65536
2022-08-28 15:54:11 -04:00
Daniel Micay
256c3652cc
disable unused binfmt_misc
2022-08-14 13:46:00 -04:00
Daniel Micay
829ea23e8d
lower conntrack established tcp connection timeout
2022-07-03 05:28:54 -04:00
Daniel Micay
1c47cd88ab
disable loose TCP connection tracking
2022-07-03 03:50:53 -04:00
Daniel Micay
f6435cae74
reduce tcp retransmission attempts
2022-06-29 03:58:53 -04:00