#!/sbin/sh ############################################################################ # $Id: nettune,v 3.22 2000/07/13 19:34:53 chouanar Exp $ # # Author: Jens-S. Vöckler # Jean Chouanard # ############################################################################ # # /etc/rcS.d/S31nettune -> /etc/init.d/nettune # # See : http://www.rvs.uni-hannover.de/people/voeckler/tune/EN/nettune # and : http://www.rvs.uni-hannover.de/people/voeckler/tune/EN/tune.html # # insanity checks if [ "`uname`" != "SunOS" ]; then echo "This is not a Solaris system!" exit 1 fi # parameter "stop" is a noop, exit ASAP. test "$1" = "stop" && exit 0 # insert configuration from secure installation tool, # see: http://yassp.parc.xerox.com/ test -r /etc/yassp.conf && . /etc/yassp.conf # determine security settings if [ "X${NET_SECURITY}" = "X" ]; then NET_SECURITY=YES fi # set secure defaults PATH=/usr/sbin:/usr/bin # Further legal parameters are "start" (tweak), and no parameter (show) if [ "$1" = "start" ]; then TWEAK=1 action='tweaking' echo "Tweaking Solaris TCP/IP: \c" else TWEAK=0 action='showing' echo "Showing Solaris TCP/IP: \c" fi modlist () { # purpose: show and/or set a parameter # paramtr: $1: device to use # $2: name of parameter # $3..$n: advised value(s) # globals: $TWEAK: 0: show, 1: tweak # $YASSP_VERBOSE: show content before setting device=$1; shift parameter=$1; shift test $TWEAK -eq 0 -o "$YASSP_VERBOSE" -gt 0 && echo "$parameter `ndd $device $parameter` advised $@" test $TWEAK -eq 1 && ndd -set $device $parameter $@ } # determine, if SunOS 5.6 (Solaris 2.6) or above is installed (care w/ 2.5.1!) osver=`uname -r | sed 's/\.//' | awk '{ print $1*10 }'` if [ $osver -lt 560 ]; then # do some additional processing, if the environment is < Solaris 2.6 # only call, if the strings command is available (was installed) if [ -x /usr/bin/strings ]; then # determine, if patch 10358[123]-12 or above is installed # (2.5.1: x86+Sparc) if you are using Solaris < 2.5.1, you # must modify this to suit your needs. Since /var is usually # not yet mounted, we must look into the kernel module. patch=`/usr/bin/strings -a /kernel/drv/tcp | egrep '10358[123]' | awk '{ print $4 }'` if [ -z "$patch" ]; then patch="0-0"; fi patch=`echo $patch | awk -F- '{ print $2*1 }'` if [ $patch -gt 0 ]; then echo "TCP patch pl-$patch found \c" if [ $patch -ge 12 ]; then echo "(good)" else echo "(too low)" fi else echo "TCP patch missing (bad)" patch=0 fi else echo "cannot check TCP (strings missing)" patch=0 fi elif [ $osver -gt 560 ]; then echo "Solaris 7 or above (excellent)" patch=0 else echo "Solaris 2.6 (good)" patch=0 fi # # connection Q: *INCREASE* if you suffer from SYN floods, or many drops... # # tcp_conn_req_max_q 128 # tcp_conn_req_max_q0 1024 # if [ $osver -ge 560 -o $patch -ge 12 ]; then # Solaris 2.6 *OR* patch 103582-12 or above applied echo " $action separate connection queues" modlist /dev/tcp tcp_conn_req_max_q 512 # 128 for restrictions if [ "YES${NET_SECURITY}" = "YESYES" ] ; then # use 10240 for SYN flood symptom treatment echo " $action against SYN flood symptoms" modlist /dev/tcp tcp_conn_req_max_q0 10240 else modlist /dev/tcp tcp_conn_req_max_q0 1024 fi else # Solaris 2.5.1 or below, no patch echo " $action single connection queue" modlist /dev/tcp tcp_conn_req_max 512 # Hmmm, how about 1024 fi # # retransmission timeouts Sol8 # # tcp_rexmit_interval_initial 3000 # tcp_rexmit_interval_min 200 400 # tcp_ip_abort_interval 480000 # tcp_ip_abort_cinterval 180000 # tcp_rexmit_interval_max 60000 # echo " $action timeouts" modlist /dev/tcp tcp_rexmit_interval_initial 3000 # 500 for laboratories modlist /dev/tcp tcp_rexmit_interval_min 2000 # 200 for laboratories modlist /dev/tcp tcp_ip_abort_interval 600000 # 10 min before drop modlist /dev/tcp tcp_ip_abort_cinterval 60000 # 60 sec to estab. conn. modlist /dev/tcp tcp_rexmit_interval_max 60000 # free nw resources quickly # # slow start bug / feature Sol8 # # tcp_slow_start_initial 2 4 # tcp_slow_start_after_idle 2 4 # if [ $osver -lt 580 ]; then if [ $osver -ge 560 -o $patch -ge 15 ]; then # Solaris 2.6 *OR* patch 103582-15 or above applied echo " $action slow start bug/feature" modlist /dev/tcp tcp_slow_start_initial 2 # Solaris 8 uses 4 modlist /dev/tcp tcp_slow_start_after_idle 2 # Solaris 8 uses 4 fi fi # # path MTU discovery, common timers # # ip_ire_pathmtu_Interval 600000 # tcp_keepalive_interval 72000000 # tcp_fin_wait_2_flush_interval 675000 # tcp_time_wait_interval 240000 # echo " $action pMTU discovery interval and common timers" modlist /dev/ip ip_ire_pathmtu_interval 600000 modlist /dev/tcp tcp_keepalive_interval 3600000 modlist /dev/tcp tcp_fin_wait_2_flush_interval 67500 if [ $osver -le 560 ] ; then # Before Solaris 7 modlist /dev/tcp tcp_close_wait_interval 60000 # 2MSL value else # Solaris 7 has changed the name. It's now named for for it does. modlist /dev/tcp tcp_time_wait_interval 60000 # 2MSL value fi # # common parameters # # ip_icmp_err_interval 500 # ip_forward_src_routed 1 # tcp_smallest_anon_port 32768 # udp_smallest_anon_port 32768 # echo " $action misc. parameters" modlist /dev/ip ip_icmp_err_interval 0 modlist /dev/ip ip_forward_src_routed 0 modlist /dev/tcp tcp_smallest_anon_port 8192 modlist /dev/udp udp_smallest_anon_port 8192 if [ $osver -ge 580 ]; then # ip6_forward_src_routed 1 modlist /dev/ip ip6_forward_src_routed 0 fi # # security relevant features Sol8 # # ip_forward_directed_broadcasts 1 1 # ip_forwarding !=0 !=0 # ip_respond_to_echo_broadcast 1 1 # ip_ignore_redirect 0 0 # ip_send_redirects 1 1 # ip_ire_flush_interval 1200000 - # ip_ire_arp_interval - 120000 # arp_cleanup_interval 300000 300000 # ip_strict_dst_multihoming 0 0 # # ip6_forwarding - !=0 # ip6_respond_to_echo_multicast - 1 # ip6_ignore_redirect - 0 # ip6_send_redirects - 0 # ip6_strict_dst_multihoming - 0 # if [ "YES${NET_SECURITY}" = "YESYES" ] ; then echo " applying security tweaks..." # pointed out by Jean Chouanard (see Stevens 12.3 and E.4): # - uncomment, if you don't want to forward pings or other broadcasts # to the broadcast address(es) of your installed interface(s). modlist /dev/ip ip_forward_directed_broadcasts 0 # - uncomment, if you have multiple interfaces installed, but don't # want to act as a router (no forwarding). Reasonable for most hosts. modlist /dev/ip ip_forwarding 0 test $osver -ge 580 && modlist /dev/ip ip6_forwarding 0 # - uncomment, if you don't want to respond to a ping to any of your # broadcast addresses. On one hand, it is rumored to have caused # panics. On the other hand, it is a valid response, and often # used to determine the UP hosts on a particular network. modlist /dev/ip ip_respond_to_echo_broadcast 0 test $osver -ge 580 && modlist /dev/ip ip6_respond_to_echo_multicast 0 # - uncomment, if you don't want to respond to a timestamp # request, unicast or braodcast modlist /dev/ip ip_respond_to_timestamp 0 modlist /dev/ip ip_respond_to_timestamp_broadcast 0 # - For ICMP redirect protection modlist /dev/ip ip_ignore_redirect 1 test $osver -ge 580 && modlist /dev/ip ip6_ignore_redirect 1 modlist /dev/ip ip_send_redirects 0 test $osver -ge 580 && modlist /dev/ip ip6_send_redirects 0 # Next 3 from Titan ( See http://www.fish.com/titan/ ) # - Unconditionally flush ARP info from IP routing table if [ $osver -le 570 ]; then modlist /dev/ip ip_ire_flush_interval 120000 else # is this the correct parameter? modlist /dev/ip ip_ire_arp_interval 120000 fi # - discard ARP entry from ARP cache after this interval modlist /dev/arp arp_cleanup_interval 60000 # - Enable the 'strong end system' model from RFC 1122 # Beware, this might break some interface routing policies in # combination with static routes - disable, if you need such. modlist /dev/ip ip_strict_dst_multihoming 1 test $osver -ge 580 && modlist /dev/ip ip6_strict_dst_multihoming 1 # - add the NFS port (TCP and UDP) as priviledged ports ndd /dev/udp udp_extra_priv_ports | grep 2049 1>/dev/null 2>&1 if [ $? -ne 0 ]; then modlist /dev/udp udp_extra_priv_ports_add 2049 fi ndd /dev/tcp tcp_extra_priv_ports| grep 2049 1>/dev/null 2>&1 if [ $? -ne 0 ]; then modlist /dev/tcp tcp_extra_priv_ports_add 2049 fi fi # # windows # # udp_xmit_hiwat 8192 # udp_recv_hiwat 8192 # tcp_xmit_hiwat 8192 # tcp_recv_hiwat 8192 # echo " $action windows, buffers and watermarks" modlist /dev/udp udp_xmit_hiwat 16384 # max. UDP PDU size for sending modlist /dev/udp udp_recv_hiwat 64000 # queue for UDP modlist /dev/tcp tcp_xmit_hiwat 32768 # Cockroft's recommendation modlist /dev/tcp tcp_recv_hiwat 32768 # Cockroft's recommendation # Note: Starting with Solaris 2.6 you can use tcp_host_param to boost # just selected networks, with Solaris 8 IPv6 hosts separately, see: # http://www.rvs.uni-hannover.de/people/voeckler/tune/EN/tune.html#thp # echo "done." # ****************************************************************************** # $Log: nettune,v $ # Revision 3.22 2000/07/13 19:34:53 chouanar # corrected a typo on the ip6 params # # Revision 3.21 2000/07/07 21:38:25 chouanar # Updated to the latest version provided by Jens-S. Vöckler, which include IPv6 tuning # # Revision 3.20 2000/05/25 16:54:13 chouanar # rc.conf -> yassp.conf # # Revision 3.19 2000/05/21 18:25:02 chouanar # use rc.conf # # Revision 3.18 2000/05/19 21:19:10 chouanar # Support Solaris 8 # add no respond to timestamp and timestamp_broadcast # # Revision 3.17 2000/05/19 19:36:27 chouanar # typo # # Revision 3.16 2000/05/19 19:35:52 chouanar # add missing CR at the end of the file + addition for 2.8 # # Revision 3.15 2000/05/19 19:35:07 chouanar # *** empty log message *** # # Revision 3.14 2000/04/12 15:30:46 chouanar # *** empty log message *** # # Revision 3.13 2000/04/12 05:54:30 chouanar # *** empty log message *** # # Revision 3.12 2000/04/12 05:48:46 chouanar # *** empty log message *** # # Revision 3.11 2000/04/12 05:47:42 chouanar # *** empty log message *** # # Revision 3.10 2000/04/12 05:42:37 chouanar # correction for extra_priv_ports # # Revision 3.9 2000/04/11 20:59:29 chouanar # add NFS ports as priviledged ports (2049 udp and TCP) # # Revision 3.8 2000/04/11 14:37:03 chouanar # *** empty log message *** # # Revision 3.7 2000/04/10 23:21:54 chouanar # corrected arp_cleanup_interval # Correct the patch computation for Solaris 2.5.x # # Revision 3.6 2000/03/16 02:51:05 chouanar # Add : # sourcing the yassp.conf to see if we apply the NET_SECURITY extras # # Revision 3.5 2000/03/09 00:55:20 chouanar # check that /usr/bin/strings exist before calling it for 2.5 # get rid off /usr/ucb/echo # # Revision 3.4 1999/07/19 18:21:54 chouanar # Reflect the lastest nettune script from Jens # # Revision 3.3 1999/07/01 23:36:44 chouanar # indentation # # Revision 3.2 1999/07/01 19:46:43 chouanar # Add the $SECURITY variable and the arp stuff from the titan pkg # # Revision 3.1 1999/03/15 21:17:33 chouanar # add minor correction for 2.7 + author change # # Revision 3.0 1999/03/14 23:24:26 chouanar # *** empty log message *** # # Revision 2.0 1998/11/17 22:48:51 jean # *** empty log message *** # # #