一、升级内核及配置内核
用SSH(我用的是PUTTY)工具登入系统后,按顺序执行以下命令,先复制,然后到系统#号光标闪处,点下右键,就粘贴过去了,注意大小写,UNIX有的地方对大小写敏感
pkg_add -r cvsup-without-gui \\安装cvsup工具
rehash \\刷新系统
cd /usr/share/examples/cvsup \\进入CVSUP工具目录
ee standard-supfile \\编辑内核源码配置文件
找到
*default host=CHANGE_THIS.FreeBSD.org
改成
*default host=cvsup2.cn.freebsd.org \\改成国内的服务器
按ESC,退出保存,
cvsup -g -l 2 standard-supfile \\进行内核升级
cd /usr/src/sys/i386/conf \\进入内核源码目录
mkdir /root/kernels \\建个文件夹放新的内核
cp GENERIC /root/kernels/NEWKER \\把公共内核拷过去,名字取为NEWKER
ln -s /root/kernels/NEWKER \\建个链接
ee NEWKER \\编辑内核
#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ../../conf/NOTES and NOTES files.
# If you are in doubt as to the purpose or necessity of a line, check first
# in NOTES.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.429.2.13 2006/10/09 18:41:36 simon Exp $
machine i386
#cpu I486_CPU
#cpu I586_CPU
cpu I686_CPU
ident NEWKER \\这里改成你内核的新名字
# To statically compile in device wiring instead of /boot/device.hints
#hints "GENERIC.hints" # Default places to look for devices.
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
options SCHED_4BSD # 4BSD scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
#options INET6 # IPv6 communications protocols
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
#options MD_ROOT # MD is a potential root device
#options NFSCLIENT # Network Filesystem Client
#options NFSSERVER # Network Filesystem Server
#options NFS_ROOT # NFS usable as /, requires NFSCLIENT
#options MSDOSFS # MSDOS Filesystem
#options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_GPT # GUID Partition Tables.
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
#options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
#options KTRACE # ktrace(1) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
\\以下为新加的
options SC_DISABLE_REBOOT \\在控制台禁用CTRL+ALT+DEL键
\\加入防火墙
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options TCP_DROP_SYNFIN
\\下面这两条不加 apache2有点问题
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options DEVICE_POLLING \\ RTL8139网卡不支持
options AUTO_EOI_1
\\以下是1G内存的配置,让FREEBSD用到最大内存
options MAXDSIZ="(1024*1024*1024)"
options MAXSSIZ="(1024*1024*1024)"
options DFLDSIZ="(1024*1024*1024)"
device apic # I/O APIC
# Bus support.
#device eisa
device pci
# Floppy drives
#device fdc
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
#device ataraid # ATA RAID drives
#device atapicd # ATAPI CDROM drives
#device atapifd # ATAPI floppy drives
#device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
# SCSI Controllers
#device ahb # EISA AHA1742 family
#device ahc # AHA2940 and onboard AIC7xxx devices
#options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
#device ahd # AHA39320/29320 and onboard AIC79xx devices
#options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
#device amd # AMD 53C974 (Tekram DC-390(T))
#device isp # Qlogic family
#device ispfw # Firmware for QLogic HBAs- normally a module
#device mpt # LSI-Logic MPT-Fusion
#device ncr # NCR/Symbios Logic
#device sym # NCR/Symbios Logic (newer chipsets + those of `ncr’)
#device trm # Tekram DC395U/UW/F DC315U adapters
#device adv # Advansys SCSI adapters
#device adw # Advansys wide SCSI adapters
#device aha # Adaptec 154x SCSI adapters
#device aic # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
#device bt # Buslogic/Mylex MultiMaster SCSI adapters
#device ncv # NCR 53C500
#device nsp # Workbit Ninja SCSI-3
#device stg # TMC 18C30/18C50
# SCSI peripherals
#device scbus # SCSI bus (required for SCSI)
#device ch # SCSI media changers
#device da # Direct Access (disks)
#device sa # Sequential Access (tape etc)
#device cd # CD
#device pass # Passthrough device (direct SCSI access)
#device ses # SCSI Environmental Services (and SAF-TE)
# RAID controllers interfaced to the SCSI subsystem
#device amr # AMI MegaRAID
#device arcmsr # Areca SATA II RAID
#device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device ciss # Compaq Smart RAID 5*
#device dpt # DPT Smartcache III, IV – See NOTES for options
#device hptmv # Highpoint RocketRAID 182x
#device rr232x # Highpoint RocketRAID 232x
#device iir # Intel Integrated RAID
#device ips # IBM (Adaptec) ServeRAID
#device mly # Mylex AcceleRAID/eXtremeRAID
#device twa # 3ware 9000 series PATA/SATA RAID
# RAID controllers
#device aac # Adaptec FSA RAID
#device aacp # SCSI passthrough for aac (requires CAM)
#device ida # Compaq Smart RAID
#device mfi # LSI MegaRAID SAS
#device mlx # Mylex DAC960 family
#device pst # Promise Supertrak SX6000
#device twe # 3ware ATA RAID
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
#device psm # PS/2 mouse
#device kbdmux # keyboard multiplexer
device vga # VGA video card driver
#device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc \\这个不能去掉
# Enable this for the pcvt (VT220 compatible) console driver
#device vt
#options XSERVER # support for X server on a vt console
#options FAT_CURSOR # start with block cursor
#device agp # support several AGP chipsets
# Power management support (see NOTES for more options)
#device apm
# Add suspend/resume support for the i8254.
#device pmtimer
# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device cbb # cardbus (yenta) bridge
#device pccard # PC Card (16-bit) bus
#device cardbus # CardBus (32-bit) bus
# Serial (COM) ports
#device sio # 8250, 16[45]50 based serial ports
# Parallel port
#device ppc
#device ppbus # Parallel port bus (required)
#device lpt # Printer
#device plip # TCP/IP over parallel
#device ppi # Parallel port interface device
#device vpo # Requires scbus and da
# If you've got a "dumb" serial or parallel PCI card that is
# supported by the puc(4) glue driver, uncomment the following
# line to enable it (connects to the sio and/or ppc drivers):
#device puc
# PCI Ethernet NICs.
#device de # DEC/Intel DC21x4x (“Tulip”)
#device em # Intel PRO/1000 adapter Gigabit Ethernet Card
#device ixgb # Intel PRO/10GbE Ethernet Card
#device txp # 3Com 3cR990 (“Typhoon”)
#device vx # 3Com 3c590, 3c595 (“Vortex”)
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support \\这个不能去掉
#device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet
#device bfe # Broadcom BCM440x 10/100 Ethernet
#device bge # Broadcom BCM570xx Gigabit Ethernet
#device dc # DEC/Intel 21143 and various workalikes
#device fxp # Intel EtherExpress PRO/100B (82557, 82558)
#device lge # Level 1 LXT1001 gigabit Ethernet
#device nge # NatSemi DP83820 gigabit Ethernet
#device nve # nVidia nForce MCP on-board Ethernet Networking
#device pcn # AMD Am79C97x PCI 10/100(precedence over ‘lnc’)
#device re # RealTek 8139C+/8169/8169S/8110S
#device rl # RealTek 8129/8139
#device sf # Adaptec AIC-6915 (“Starfire”)
#device sis # Silicon Integrated Systems SiS 900/SiS 7016
#device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
#device ste # Sundance ST201 (D-Link DFE-550TX)
#device stge # Sundance/Tamarack TC9021 gigabit Ethernet
#device ti # Alteon Networks Tigon I/II gigabit Ethernet
#device tl # Texas Instruments ThunderLAN
#device tx # SMC EtherPower II (83c170 “EPIC”)
#device vge # VIA VT612x gigabit Ethernet
device vr # VIA Rhine, Rhine II \\这是我的网卡型号, 不知道的用 ifconfig 可以查到
#device wb # Winbond W89C840F
#device xl # 3Com 3c90x (“Boomerang”, “Cyclone”)
# ISA Ethernet NICs. pccard NICs included.
#device cs # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device ex # Intel EtherExpress Pro/10 and Pro/10+
#device ep # Etherlink III based cards
#device fe # Fujitsu MB8696x based cards
#device ie # EtherExpress 8/16, 3C507, StarLAN 10 etc.
#device lnc # NE2100, NE32-VL Lance Ethernet cards
#device sn # SMC’s 9000 series of Ethernet chips
#device xe # Xircom pccard Ethernet
# Wireless NIC cards
#device wlan # 802.11 support
#device wlan_wep # 802.11 WEP support
#device wlan_ccmp # 802.11 CCMP support
#device wlan_tkip # 802.11 TKIP support
#device an # Aironet 4500/4800 802.11 wireless NICs.
#device ath # Atheros pci/cardbus NIC’s
#device ath_hal # Atheros HAL (Hardware Access Layer)
#device ath_rate_sample # SampleRate tx rate control for ath
#device awi # BayStack 660 and others
#device ral # Ralink Technology RT2500 wireless NICs.
#device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
#device wl # Older non 802.11 Wavelan wireless NIC.
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device ether # Ethernet support
#device sl # Kernel SLIP
#device ppp # Kernel PPP
#device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
#device md # Memory “disks”
#device gif # IPv6 and IPv4 tunneling
#device faith # IPv6-to-IPv4 relaying (translation)
# The 'bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
#device bpf # Berkeley packet filter
# USB support
#device uhci # UHCI PCI->USB interface
#device ohci # OHCI PCI->USB interface
#device ehci # EHCI PCI->USB interface (USB 2.0)
#device usb # USB Bus (required)
#device udbp # USB Double Bulk Pipe devices
#device ugen # Generic
#device uhid # “Human Interface Devices”
#device ukbd # Keyboard
#device ulpt # Printer
#device umass # Disks/Mass storage – Requires scbus and da
#device ums # Mouse
#device ural # Ralink Technology RT2500USB wireless NICs
#device urio # Diamond Rio 500 MP3 player
#device uscanner # Scanners
# USB Ethernet, requires miibus
#device aue # ADMtek USB Ethernet
#device axe # ASIX Electronics USB Ethernet
#device cdce # Generic USB over Ethernet
#device cue # CATC USB Ethernet
#device kue # Kawasaki LSI USB Ethernet
#device rue # RealTek RTL8150 USB Ethernet
# FireWire support
#device firewire # FireWire bus code
#device sbp # SCSI over FireWire (Requires scbus and da)
#device fwe # Ethernet over FireWire (non-standard!)
红字的都是必不可少的,其它没用的全部删掉
二、编译内核
cd /usr/src \\进入源码目录
make buildkernel KERNCONF=NEWKER \\编译内核,估计得二十分钟
make installkernel KERNCONF=NEWKER \\安装内核
编完后不要重启,先得把防火墙配好,不然用SSH登不进去:上面内核里加了 options IPFIREWALL 而没有加 IPFIREWALL_DEFAULT_TO_ACCEPT,新内核起来后 ipfw 的默认策略是全部拒绝,没有规则放行 22 端口的话 SSH 就进不来了
三、配置防火墙
ee /etc/rc.conf
\\加入以下内容
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules" \\这是防火墙自定义脚本
firewall_quiet="NO"
firewall_logging_enable="YES"
log_in_vain="NO"
tcp_drop_synfin="NO" \\ 内核里加了 TCP_DROP_SYNFIN,这里设成 NO 等于没启用;想启用就改成 YES(和下面 sysctl.conf 的 net.inet.tcp.drop_synfin 是同一个开关)
tcp_restrict_rst="YES"
icmp_drop_redirect="YES"
保存退出
ee /etc/ipfw.rules
\\ 大家注意 -q 前面要加一个空格
-q -f flush
-q add 00301 allow all from any to any via lo0
-q add 00302 check-state
-q add 00303 allow tcp from any to 10.72.255.131 53 out via vr0 setup keep-state \\ 10.72.255.131 是DNS地址,大家根据本地的改下
-q add 00400 allow udp from any to 10.72.255.131 53 out via vr0 keep-state \\ vr0 是我网卡的名称,大家根据己的改,以下都是一样
-q add 00500 allow tcp from any to any 80 in via vr0 setup keep-state
-q add 00900 allow tcp from any to any 25 out via vr0 setup keep-state
-q add 01200 allow tcp from any to any via vr0 setup keep-state uid root \\ 注意: via 同时匹配进、出两个方向,这条会放行所有由 root 进程发起的以及发到 root 进程监听端口的 TCP 连接,等于把所有以 root 身份监听的端口都对外开放了,不只是下面列的几个;如果只想放行 root 的对外连接,把 via 改成 out via
-q add 01300 allow icmp from any to any in via vr0 keep-state
-q add 01400 allow tcp from any to any 21 in via vr0 setup keep-state
-q add 01500 allow tcp from any to me 21 in via vr0 setup limit src-addr 2
-q add 01600 allow tcp from any to any 22 in via vr0 setup keep-state
-q add 01800 allow tcp from any to me 22 in via vr0 setup limit src-addr 2 \\ 注意: 01500 和 01800 这两条 limit 规则排在 01400/01600 之后,而前面那两条已经把同样的连接放行了,所以这两条实际上永远匹配不到;要让每个来源最多 2 条连接的限制生效,得把它们放到对应的 allow 规则前面,或者删掉前面那条
保存退出
四、配置SSH,以便让SSH脱离INETD运行
ee /etc/ssh/sshd_config
#Protocol 2,1
修改为:
Protocol 2
#ListenAddress 0.0.0.0
修改为:
ListenAddress 0.0.0.0
#PermitRootLogin no
修改为
PermitRootLogin no
保存退出
五、配置匿名服务器,把组件全部传到服器上来
cd /var
chmod 777 ftp \\加上权限,不然FTP不能上传
用FTP工具把组件全部传上来,注意要用二进制方式传。传完后建议把 /var/ftp 的权限改回去(例如 chmod 755),因为下面 vsftpd 的 secure_chroot_dir 也指向这个目录,这个目录应当保持为空并且不能被 ftp 用户写入
六、配置VSFTP服务器
cd /var/ftp
tar zxvf vsftpd-2.0.5.tar.gz
cd vsftpd-2.0.5
make
make install
\\ 手工复制以下文件到相应目录,
cp vsftpd /usr/local/sbin/vsftpd
cp vsftpd.conf.5 /usr/local/man/man5
cp vsftpd.8 /usr/local/man/man8
cp vsftpd.conf /etc
\\建立FTP专用用户
pw groupadd vsftpd -g 1002 \\建立一个用户组,名为 vsftpd,可以随便取
pw useradd test -g 1002 -d /usr/ftp -s /usr/sbin/nologin \\建立一个test用户,放入vsftpd用户组
mkdir /usr/ftp \\建立该用户目录
passwd test \\设置该用户密码,输两次
chgrp -R vsftpd /usr/ftp \\把目录划到VSFTPD用户组
chown -R test /usr/ftp
\\上面可以直接用sysinstall 工具添加用户的,大家在安装时候添加过一个,应该记得吧,
在添加时 LOGIN SHELL 一定要改成 /usr/sbin/nologin 不然别人可以用这个用户登上你的服务器
大家如果开了我上面配的防火墙,请用FTP工具登录时候把连接模式改成主动连接,即不用PASV模式,切记
ee /etc/vsftpd.conf
\\以下三项系统中有,只要把前面的#号去掉,具体的设置在此不多讲,大家在网上搜很多
write_enable=YES
local_enable=YES
anonymous_enable=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
\\以下几项要手工加
pam_service_name=vsftpd
chroot_local_user=NO
secure_chroot_dir=/var/ftp
listen=YES
listen_address=172.26.52.88 \\填你服务器的IP
保存退出
//下面这个文件列出哪些本地用户登录后会被 chroot 限制在自己的主目录里(配合上面的 chroot_list_enable=YES 和 chroot_local_user=NO),把刚刚的那个用户加入
ee /etc/vsftpd.chroot_list
test
保存退出
ee /usr/local/etc/rc.d/vsftpd.sh \\添加VSFTPD启动文件,让VSFTPD随系统启动
/usr/local/sbin/vsftpd& \\注意后面加个&
保存退出
chmod 755 /usr/local/etc/rc.d/vsftpd.sh \\加上权限,不然脚本不能运行
\\启动VSFTP服务器,不过inetd服务器的FTP没关,应该是有冲突,关了INETD,重启下,VSFTP应该会起
/usr/local/etc/rc.d/vsftpd.sh start
\\删掉VSFTPD.CORE 不然会把根分区撑爆
rm /vsftpd.core
七、现在可以关掉inetd超级服务器了
ee /etc/rc.conf
把
inetd_enable="YES"
改为
inetd_enable="NO"
保存退出
关于 /etc/sysctl.conf 系统内核参数优化,网上也很多,大家参照使用。注意下面这份列表里有重复和互相矛盾的项(比如 net.inet.tcp.log_in_vain 先设 0 后设 1,kern.securelevel 这里是 2 而后面那份是 0),sysctl.conf 是按行顺序执行的,后面的会覆盖前面的;另外 kern.securelevel 运行中只能往上调不能往下调,设成 2 以后不能再加载内核模块,请确认需要的功能都已经编进内核再用
kern.ipc.somaxconn=8192
kern.ipc.maxsockbuf=2097152
kern.maxfilesperproc=32768
kern.maxfiles=65536
kern.securelevel=2
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536
net.inet.udp.maxdgram=65536
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.ip.redirect=0
net.inet.icmp.icmplim=100
net.inet.tcp.always_keepalive=0
net.inet.tcp.delayed_ack=0
net.inet.tcp.log_in_vain=0
net.inet.udp.log_in_vain=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.local.stream.sendspace=65535
net.local.stream.recvspace=32768
net.inet.ip.fastforwarding=1
vfs.vmiodirenable=1
net.inet.tcp.syncookies=1
net.inet.icmp.icmplim_output=0
net.inet.tcp.drop_synfin=1
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.icmp.icmplim=100
很多人想优化自己的FreeBSD,特别是在网络性能以及内核调整上,因为这些是最直接的优化方式。在这里我收集整理并用中文注释了一下,相信很多人用得到。
#最大的待发送TCP数据缓冲区空间
net.inet.tcp.sendspace=65536
#最大的接受TCP缓冲区空间
net.inet.tcp.recvspace=65536
#最大的发送UDP缓冲区大小
net.inet.udp.sendspace=65535
#单个UDP数据报的最大长度
net.inet.udp.maxdgram=65535
#本地套接字连接的数据发送空间
net.local.stream.sendspace=65535
#加快网络性能的协议(其中 rfc1644 即 T/TCP 在较新的 FreeBSD 里已经移除,这一行可能报错,可以去掉)
net.inet.tcp.rfc1323=1
net.inet.tcp.rfc1644=1
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1
#最大的套接字缓冲区
kern.ipc.maxsockbuf=2097152
#系统中允许的最多文件数量
kern.maxfiles=65536
#每个进程能够同时打开的最大文件数量
kern.maxfilesperproc=32768
#当一台计算机发起TCP连接请求时,系统会回应ACK应答数据包。
#该选项设置是否延迟ACK应答数据包,把它和包含数据的数据包一起发送,
#在高速网络和低负载的情况下会略微提高性能,但在网络连接较差的时候,
#对方计算机得不到应答会持续发起连接请求,反而会降低性能。
net.inet.tcp.delayed_ack=0
#屏蔽ICMP重定向功能
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
#防止ICMP广播风暴
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
#限制系统发送ICMP速率
net.inet.icmp.icmplim=100
#安全参数: drop_synfin 要编译内核的时候加了 options TCP_DROP_SYNFIN 才有效; icmplim_output=0 是不记录 ICMP 限速的日志
net.inet.icmp.icmplim_output=0
net.inet.tcp.drop_synfin=1
#设置为1会帮助系统清除没有正常断开的TCP连接,这增加了一些网络带宽的使用,但是一些死掉的连接最终能被识别并清除。死的TCP连接是被拨号用户存取的系统的一个特别的问题,因为用户经常断开modem而不正确的关闭活动的连接
net.inet.tcp.always_keepalive=1
#若看到net.inet.ip.intr_queue_drops这个在增加,就要调大net.inet.ip.intr_queue_maxlen,为0最好
net.inet.ip.intr_queue_maxlen=1000
#防止DOS攻击,默认为30000
net.inet.tcp.msl=7500
#发往已经关闭端口的 TCP 包直接 drop 不回 RST:设为 1 只丢弃 SYN,设为 2 丢弃所有 TCP 段
net.inet.tcp.blackhole=2
#接收到一个已经关闭的端口发来的所有UDP包直接drop
net.inet.udp.blackhole=1
#为网络数据连接时提供缓冲
net.inet.tcp.inflight.enable=1
#如果打开的话每个目标地址一次转发成功以后它的数据都将被记录进路由表和arp数据表,节约路由的计算时间,但会需要大量的内核内存空间来保存路由表
net.inet.ip.fastforwarding=0
##kernel编译打开options POLLING功能,高负载情况下使用低负载不推荐
##SMP不能和polling一起用
#kern.polling.enable=1
#并发连接数,默认为128,推荐在1024-4096之间,数字越大占用内存也越大
kern.ipc.somaxconn=32768
#禁止用户查看其他用户的进程
security.bsd.see_other_uids=0
#设置kernel安全级别(运行中只能往上调不能往下调;>=1 以后不能再 kldload 内核模块)
kern.securelevel=0
#记录下任何TCP连接
net.inet.tcp.log_in_vain=1
#记录下任何UDP连接
net.inet.udp.log_in_vain=1
#防止不正确的udp包的攻击
net.inet.udp.checksum=1
#防止DOS攻击
net.inet.tcp.syncookies=1
#把共享内存页锁定在物理内存里不换出,需要较多内存
kern.ipc.shm_use_phys=1
# 单个共享内存段的最大字节数
kern.ipc.shmmax=67108864
# 系统共享内存总量上限(以页为单位)
kern.ipc.shmall=32768
# 程序崩溃时不记录
kern.coredump=0
# lo本地数据流接收和发送空间
net.local.stream.recvspace=65536
net.local.dgram.maxdgram=16384
net.local.dgram.recvspace=65536
# 数据包数据段大小,ADSL为1452。
net.inet.tcp.mssdflt=1460
# 为网络数据连接时提供缓冲
net.inet.tcp.inflight_enable=1
# 可接受的最小 MSS(默认 216,用来防御超小 MSS 的 DoS);设成 1460 可能会让 MSS 更小的对端(例如 ADSL/PPPoE 常见的 1452)的连接出问题,一般不建议改
net.inet.tcp.minmss=1460
# 本地数据最大数量
net.inet.raw.maxdgram=65536
# 本地数据流接收空间
net.inet.raw.recvspace=65536
#ipfw防火墙动态规则数量,默认为4096,增大该值可以防止某些病毒发送大量TCP连接,导致不能建立正常连接
net.inet.ip.fw.dyn_max=65535
#设置 ipf (IPFilter) 防火墙TCP连接空闲保留时间,默认8640000(120小时);注意本文用的是 ipfw 不是 ipf,没加载 ipf 的话这一行会报 unknown oid,可以不要
net.inet.ipf.fr_tcpidletimeout=864000
#所有MPSAFE的网络ISR对包做立即响应
net.isr.direct=1