FREEBSD系统优化精华

佳鹤發表於 2008-9-8 18:49:23

1、优化内核 
mkdir /usr/kern 
cp /usr/src/sys/i386/conf/GENERIC /usr/kern/proxy 
ln -s /usr/kern/proxy /usr/src/sys/i386/conf/proxy 
 
cd /sys/i386/conf 
ee proxy 
 
options IPFILTER #ipfilter support 
options IPFILTER_LOG #ipfilter logging 
options IPFILTER_DEFAULT_BLOCK #block all packets by default 
 
options TCP_DROP_SYNFIN 
 
options PQ_LARGECACHE 
## 为512k二级缓存的CPU提供支持 
options SC_DISABLE_REBOOT 
##屏蔽Ctrl+Del+Alt热键重启<a target="_blank" href="#" class="UBBWordLink">系统</a> 
 
#To make an SMP kernel,the netx two are needed 
options SMP #Symmetric MultiProcess Kernel 
device apic # I/O APIC 
#如果没有双cpu就不需要了 
 
#####加入对polling的支持################################## 
#options DEVICE_POLLING 
#options HZ=1193 
在/sys/kern/kern_pool.c里面找到#error一行删掉。 
在/etc/sysctl.conf里面加入 kern.polling.enable=1 
DEVICE_POLLING不能跟SMP同时使用，所以本<a target="_blank" href="#" class="UBBWordLink">服务</a>器可省略。 
########################################################### 
其余的优化选项可参考其他内核优化的文章。 
 
2、<a target="_blank" href="#" class="UBBWordLink">系统</a>资源优化 
 
ee /etc/sysctl.conf 
 
#######################/etc/sysctl.conf############################################ 
net.inet.tcp.rfc1323=1 
net.inet.tcp.rfc1644=1 
net.inet.tcp.rfc3042=1 
net.inet.tcp.rfc3390=1 
#### 某些加快<a target="_blank" href="#" class="UBBWordLink">网络</a>性能的协议，请参考RFC文章。 
 
net.inet.ip.forwarding=1 
##作路由必须打开 
net.inet.ip.sourceroute=0 
net.inet.ip.accept_sourceroute=0 
##安全方面的参数 
 
kern.ipc.maxsockbuf=8388608 
##最大的套接字缓冲区 
kern.ipc.somaxconn=8192 
##最大的等待连接完成的套接字队列大小，高负载<a target="_blank" href="#" class="UBBWordLink">服务</a>器和受到分布式<a target="_blank" href="#" class="UBBWordLink">服务</a>阻塞攻击的<a target="_blank" href="#" class="UBBWordLink">系统</a>也许 
会因为这个队列被塞满而不能提供正常<a target="_blank" href="#" class="UBBWordLink">服务</a>。默认仅为128，根据机器和实际情况需要改动，太大就浪费了内存 
kern.maxfiles=65536 
##<a target="_blank" href="#" class="UBBWordLink">系统</a>中允许的最多文件数量，缺省的是几千个但如果你在运行数据库或大的很吃描述符的进程可以把它设到1万或2万个 
kern.maxfilesperproc=32768 
##每个进程能够同时打开的最大文件数量 
net.inet.tcp.delayed_ack=0 
##当一台计算机发起TCP连接请求时，<a target="_blank" href="#" class="UBBWordLink">系统</a>会回应ACK应答数据包。该选项<a target="_blank" href="#" class="UBBWordLink">设置</a>是否延迟ACK应答数据包，把它和包含数据的数据包一起发送，在高速<a target="_blank" href="#" class="UBBWordLink">网络</a>和低负载的情况下会略微提高性能，但在<a target="_blank" href="#" class="UBBWordLink">网络</a>连接较差的时候，对方计算机得不到应答会持续发起连接请求，反而会降低性能。 
net.inet.tcp.sendspace=65535 
##最大的待发送TCP数据缓冲区空间，应用程序将数据放到这里就认为发送成功了，<a target="_blank" href="#" class="UBBWordLink">系统</a>TCP堆栈保证数据的正常发送 
net.inet.tcp.recvspace=65535 
##最大的接受TCP缓冲区空间，<a target="_blank" href="#" class="UBBWordLink">系统</a>从这里将数据分发给不同的套接字，增大该空间可提高<a target="_blank" href="#" class="UBBWordLink">系统</a>瞬间接受数据的能力以提高性能。 
net.inet.udp.recvspace=65535 
##最大的接受UDP缓冲区大小 
net.inet.udp.maxdgram=57344 
##最大的发送UDP数据缓冲区大小 
net.local.stream.recvspace=32768 
##本地套接字连接的数据接收空间 
net.local.stream.sendspace=65535 
##本地套接字连接的数据发送空间 
net.inet.icmp.drop_redirect=1 
net inet.icmp.log_redirect=1‘ 
net.inet.ip.redirect=0 
#net.inet6.ip6.redirect=0 
##屏蔽ICMP重定向功能 
net.inet.icmp.bmcastecho=0 
net.inet.icmp.maskrepl=0 
##防止广播风暴 
net.inet.icmp.icmplim=100 
##限制<a target="_blank" href="#" class="UBBWordLink">系统</a>发送ICMP速率 
net.inet.icmp.icmplim_output=0 
net.inet.tcp.drop_synfin=1 
##安全参数，编译内核的时候加了options TCP_DROP_SYNFIN才可以用 
net.inet.tcp.always_keepalive=0 
##<a target="_blank" href="#" class="UBBWordLink">设置</a>为1会帮助<a target="_blank" href="#" class="UBBWordLink">系统</a>清除没有正常断开的TCP连接，这增加了一些<a target="_blank" href="#" class="UBBWordLink">网络</a>带宽的使用，但是一些死掉的连接最终能被识别并清除。死的TCP连接是被拨号用户存取的<a target="_blank" href="#" class="UBBWordLink">系统</a>的一个特别的问题，因为用户经常断开modem而不正确的关闭活动的连接。 
net.inet.ip.intr_queue_maxlen=1000 
##若看到net.inet.ip.intr_queue_drops这个在增加，就要调大net.inet.ip.intr_queue_maxlen，为0最好 
 
####以下为防止dos攻击##### 
net.inet.tcp.msl=7500 
##freebsd默认为30000 
net.inet.tcp.blackhole=2 
##接收到一个已经关闭的端口发来的所有包，直接drop，如果<a target="_blank" href="#" class="UBBWordLink">设置</a>为1则是只针对TCP包 
net.inet.udp.blackhole=1 
##接收到一个已经关闭的端口发来的所有UDP包直接drop 
########end################# 
 
net.inet.ipf.fr_tcpidletimeout=7200 
net.inet.ipf.fr_tcpclosewait=60 
net.inet.ipf.fr_tcplastack=120 
net.inet.ipf.fr_tcptimeout=120 
net.inet.ipf.fr_tcpclosed=60 
net.inet.ipf.fr_udptimeout=90 
net.inet.ipf.fr_icmptimeout=35 
net.inet.ipf.fr_tcphalfclosed=300 
net.inet.ipf.fr_defnatage=600 
 
net.inet.tcp.inflight.enable=1 
## 为<a target="_blank" href="#" class="UBBWordLink">网络</a>数据连接时提供缓冲 
net.inet.ip.fastforwarding=0 
##如果打开的话每个目标地址一次转发成功以后它的数据都将被记录进路由表和arp数据表，节约路由的计算时间,但会需要大量的内核内存空间来保存路由表。 
 
#kern.polling.enable=1 
##打开POLLING功能 
##SMP不能和polling一起用 
#########################The end################################################## 
 
3、<a target="_blank" href="#" class="UBBWordLink">设置</a>rc.sysctl, rc.conf 和 sysctl.conf 权限： 
 
chmod 600 /etc/rc.sysctl 
chmod 600 /etc/rc.conf 
chmod 600 /etc/sysctl.conf 
 
4、优化启动选项 
##################编辑/boot/loader.conf优化启动######## 
 
autoboot_delay="2" 
## <a target="_blank" href="#" class="UBBWordLink">设置</a>启动等待时间为2秒。 
 
kern.ipc.nmbclusters="32768" 
##<a target="_blank" href="#" class="UBBWordLink">设置</a><a target="_blank" href="#" class="UBBWordLink">系统</a>的mbuf大小，<a target="_blank" href="#" class="UBBWordLink">系统</a>的缓冲区 
 
kern.ipc.maxsockets="16384" 
## 增大线程间套接数量 
 
net.inet.tcp.tcbhashsize="10240" 
## 增大TCP控制块数量 
 
beastie_disable="YES" 
## 关闭小恶魔图像启动菜单 
############################################# 
 
5、增强ipfilter功能 
 
修改/sys/contrib/ipfilter/netinet/ip_nat.h，把里面的LARGE_NAT前面的注释去掉，改为#define LARGE_NAT 
 
修改/sys/contrib/ipfilter/netinet/ip_state.h 
 
IPSTATE_SIZE 64997 
IPSTATE_MAX 45497 
 
IP_STATE_MAX=IPSTATE_SIZE*0.7左右 
第一个可以调到10万左右 
注意都要是质数 
 
6、编译内核 
##############打<a target="_blank" href="#" class="UBBWordLink">系统</a>补丁以后重新编译内核############# 
 
cd /usr/src 
fetch http://people.freebsd.org/~delphij/patch-SMP 
patch 重新编译内核并重新启动。 
#这是针对5.3 SMP的delphij大哥做的补丁， 
 
cd /sys/contrib/ipfilter/netinet/ 
patch 这个是针对ip_nat的一个补丁，也可以自己手动注释，改了ip_nat的参数以后编译内核会提示两个变量没有定义。 
 
cd /usr/src 
make buildkernel KERNCONF=proxy 
make installkernel KERNCONF=proxy 
reboot 
这种编译<a target="_blank" href="#" class="UBBWordLink">方法</a>将保留原来的kernel为kernel.old， 
这样如果你做错了什么，就有机会通过boot:出现时输入kernel.old来恢复。 
 
######如果用config/make编译内核的会在/usr/src产生很多中间文件######### 
cd /usr/src/sys/i386/conf 
/usr/sbin/config proxy 
cd ../compile/proxy 
make depend 
make 
make install 
reboot 
######################################################################### 
 
7、自动备份日志 
目前<a target="_blank" href="#" class="UBBWordLink">方法</a>不太成熟，我曾经试过把nat.log清空，但是也许是因为<a target="_blank" href="#" class="UBBWordLink">系统</a>正在频繁的写入该文件，所以我只能是先暂停记录，备份完记录以后再重新开始记录，好在我是一个小时备份一个日志文件，拷贝这一小时的记录不用很长时间的，所以基本上不会少记录东西的，看到本文的兄弟们如果有更好的切实可行的<a target="_blank" href="#" class="UBBWordLink">方法</a>，望告诉我一声，多谢！ 
 
#################/usr/local/beifen.sh 
#!/bin/sh 
year=$(date +%Y) 
month=$(date +%m) 
date=$(date +%d) 
time=$(date +%Y%m%d%H%M) 
mkdir -p /usr/local/logbak/$year/$month/$date 
killall ipmon 
cp /var/nat.log /usr/local/logbak/$year/$month/$date/$time.log 
cat >; /var/nat.log; /var/nat.log & 
############################################# 
 
chmod +x /usr/local/beifen.sh 
 
crontab -e 
编辑一个文件： 
 
0 0 * * * /usr/local/beifen.sh 
0 1 * * * /usr/local/beifen.sh 
0 2 * * * /usr/local/beifen.sh 
0 3 * * * /usr/local/beifen.sh 
2 3 * * 1 /sbin/reboot 
0 4 * * * /usr/local/beifen.sh 
0 5 * * * /usr/local/beifen.sh 
0 6 * * * /usr/local/beifen.sh 
0 7 * * * /usr/local/beifen.sh 
0 8 * * * /usr/local/beifen.sh 
0 9 * * * /usr/local/beifen.sh 
0 10 * * * /usr/local/beifen.sh 
0 11 * * * /usr/local/beifen.sh 
0 12 * * * /usr/local/beifen.sh 
0 13 * * * /usr/local/beifen.sh 
0 14 * * * /usr/local/beifen.sh 
0 15 * * * /usr/local/beifen.sh 
0 16 * * * /usr/local/beifen.sh 
0 17 * * * /usr/local/beifen.sh 
0 18 * * * /usr/local/beifen.sh 
0 19 * * * /usr/local/beifen.sh 
0 20 * * * /usr/local/beifen.sh 
0 21 * * * /usr/local/beifen.sh 
0 22 * * * /usr/local/beifen.sh 
0 23 * * * /usr/local/beifen.sh 
 
 
 
 
 
(七) 邮件<a target="_blank" href="#" class="UBBWordLink">服务</a>器<a target="_blank" href="#" class="UBBWordLink">安装</a>与<a target="_blank" href="#" class="UBBWordLink">设置</a> 
 
 
 
第一部分：<a target="_blank" href="#" class="UBBWordLink">安装</a>邮件<a target="_blank" href="#" class="UBBWordLink">服务</a>器：postfix+vm-pop3d+openwebmail 
 
以下的<a target="_blank" href="#" class="UBBWordLink">安装</a>在FreeBSD 5.2.1系统上完成 
 
1．更新 ports 
 
# cvsup -gL 2 -h cvsup.freebsdchina.org /usr/share/examples/cvsup/ports-supfile 
 
2. <a target="_blank" href="#" class="UBBWordLink">安装</a> openssl+apache <a target="_blank" href="#" class="UBBWordLink">服务</a>器 
 
# cd /usr/ports/security/openssl 
# make install 
# make clean 
# cd /usr/ports/www/apache2 
# make install 
# make clean 
# vi /etc/rc.conf 
 
apache2_enable="YES" 
 
3. <a target="_blank" href="#" class="UBBWordLink">安装</a> openwebmail 
 
# cd /usr/ports/mail/openwebmail/ 
# make WITH_QUOTA=yes install 
# make clean 
 
4. <a target="_blank" href="#" class="UBBWordLink">安装</a> postfix ，在<a target="_blank" href="#" class="UBBWordLink">安装</a>过程中用yes回答提出的问题 
 
# cd /usr/ports/mail/postfix/ 
# make install 
# make clean 
 
# vi /etc/rc.conf 
 
为了能启动postfix加入： 
 
sendmail_enable="YES" 
sendmail_flags="-bd" 
sendmail_pidfile="/var/spool/postfix/pid/master.pid" 
sendmail_outbound_enable="NO" 
sendmail_submit_enable="NO" 
 
5. <a target="_blank" href="#" class="UBBWordLink">安装</a> vm-pop3d 
 
# cd /usr/ports/mail/vm-pop3d 
# make install 
# make clean 
 
6. 配置 postfix 
 
# vi /usr/local/etc/postfix/main.cf 
 
添加： 
 
myhostname = nero.3322.org 
mydomain = nero.3322.org 
virtual_alias_maps=hash:/usr/local/etc/postfix/virtual 
alias_maps=hash:/usr/local/etc/postfix/aliases 
default_privs=nobody 
allow_mail_to_commands = alias,forward,include 
allow_mail_to_files = alias,forward,include 
 
下面我加入一个 nero.3322.org 的虚拟域，并添加一个用户llzqq 
# vi /usr/local/etc/postfix/virtual 
 
添加： 
 
nero.3322.org anything //之间用 
llzqq@nero.3322.org llzqq.nero.3322.org //之间用 
 
执行下面的命令，生成 virtual.db： 
 
# cd /usr/local/etc/postfix/ 
# postmap virtual 
 
# vi /usr/local/etc/postfix/aliases 
 
添加： 
 
llzqq.nero.3322.org:/var/spool/virtual/nero.3322.org/llzqq 
 
执行下面的命令，生成 aliases.db: 
 
# cd /usr/local/etc/postfix 
# postalias aliases 
 
7. 配置 vm-pop3d 使其开机自动执行 
 
# cd /usr/local/etc/rc.d 
# mv vm-pop3d.sh.sample vm-pop3d.sh 
 
配置 openwebmail 支持 nero.3322.org 域，创建下面的文件： 
 
# vi /usr/local/www/cgi-bin/openwebmail/etc/sites.conf/nero.3322.org 
 
=========================== nero.3322.org ======================= 
auth_module auth_vdomain.pl 
auth_withdomain yes 
mailspooldir /var/spool/virtual/nero.3322.org 
use_syshomedir no 
use_homedirspools no 
enable_autoreply no 
enable_setforward no 
enable_vdomain yes 
vdomain_admlist llzqq //这里<a target="_blank" href="#" class="UBBWordLink">设置</a>了这个域的管理员 
vdomain_maxuser 500 
vdomain_vmpop3_pwdpath /usr/local/etc/virtual 
vdomain_vmpop3_pwdname passwd 
vdomain_vmpop3_mailpath /var/spool/virtual 
vdomain_postfix_aliases /usr/local/etc/postfix/aliases 
vdomain_postfix_virtual /usr/local/etc/postfix/virtual 
vdomain_postfix_postalias /usr/local/sbin/postalias 
vdomain_postfix_postmap /usr/local/sbin/postmap 
# quota设置部分 
quota_module quota_du.pl 
quota_limit 52400 //定义了邮箱大小 
quota_threshold 85 
delmail_ifquotahit no 
delfile_ifquotahit no 
=========================== nero.3322.org ======================= 
 
# mkdir -p /var/spool/virtual/nero.3322.org 
# chown nobody /var/spool/virtual/nero.3322.org 
# chgrp mail /var/spool/virtual/nero.3322.org 
 
# mkdir -p /usr/local/etc/virtual/nero.3322.org 
# touch /usr/local/etc/virtual/nero.3322.org/passwd 
# chmod 644 /usr/local/etc/virtual/nero.3322.org/passwd 
 
# htpasswd /usr/local/etc/virtual/nero.3322.org/passwd llzqq 
# chmod 755 /usr/local/www/cgi-bin/openwebmail/etc/users 
 
# sync 
# reboot 
 
8. 最后通过浏览器登陆到OPENWEBMAIL 
 
 
 
第二部分：防病毒、垃圾邮件：clamav+amavisd-new+spam 
 
1．0 <a target="_blank" href="#" class="UBBWordLink">安装</a>clamav: 
 
# cd /usr/ports/security/clamav 
# make install 
# make clean 
 
# vi /usr/local/etc/clamav.conf 
===============================clamav.conf============================ 
# Comment or remove the line below. 
# Example 
LogFile /var/log/clamav/clamd.log 
LogFileMaxSize 1M 
LogTime 
LogVerbose 
PidFile /var/run/clamav/clamd.pid 
DataDirectory /usr/local/share/clamav 
LocalSocket /tmp/clamd 
StreamMaxLength 10M 
MaxThreads 10 
MaxDirectoryRecursion 15 
User clamav 
ScanMail 
ScanArchive 
ScanRAR 
ArchiveMaxFileSize 10M 
ArchiveMaxRecursion 5 
ArchiveMaxFiles 1000 
ClamukoScanOnOpen 
ClamukoScanOnClose 
ClamukoScanOnExec 
ClamukoIncludePath /var/spool/virtual 
ClamukoMaxFileSize 6M 
ClamukoScanArchive 
===============================clamav.conf============================ 
 
1.1 更新病毒库 
 
# /usr/local/etc/rc.d/clamav-freshclam.sh start 
 
2.0 <a target="_blank" href="#" class="UBBWordLink">安装</a>amavisd-new 
 
# cd /usr/ports/security/amavisd-new 
# make install 
# make clean 
 
# cd /usr/local/etc 
# mv amavisd.conf-dist amavisd.conf 
# vi amavisd.conf 
============================== amavisd.conf =============================== 
$MYHOME = '/var/amavis'; # (default is '/var/amavis') 
$mydomain = 'nero.3322.org'; # (no useful default) 
$daemon_user = 'vscan'; # (no default; customary: vscan or amavis) 
$daemon_group = 'vscan'; # (no default; customary: vscan or amavis) 
 
$log_level = 0; 
 
$sa_spam_subject_tag = '***SPAM***' 
 
$virus_admin = "root\@$mydomain"; 
$spam_admin = "llzqq\@$mydomain"; 
$mailfrom_notify_admin = "llzqq\@$mydomain"; 
$mailfrom_notify_recip = "llzqq\@$mydomain"; 
$mailfrom_notify_spamadmin = "llzqq\@$mydomain"; 
 
$inet_socket_bind = '127.0.0.1'; 
$forward_method = 'smtp:127.0.0.1:10025'; 
$notify_method = $forward_method; 
$inet_socket_port = 10024; 
$max_servers = 2; 
 
['Clam Antivirus-clamd', 
\&ask_daemon, ["CONTSCAN {}\n", '/tmp/clamd'], 
qr/\bOK$/, qr/\bFOUND$/, 
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], 
============================== amavisd.conf =============================== 
 
2.1 要启动clamav和amavisd-new需要配置一下/etc/rc.conf 
 
# vi /etc/rc.conf 
 
spamd_enable="YES" 
amavisd_enable="YES 
clamav_clamd_enable="YES" 
 
3.0 由于在<a target="_blank" href="#" class="UBBWordLink">安装</a>amavisd-new时spamassassin被一起<a target="_blank" href="#" class="UBBWordLink">安装</a>了下面对其进行配置 
 
3.1 建立过滤规则： 
 
# cd /usr/local/etc/mail/spamassassin 
# env LANG=C vi local.cf 
=============================== local.cf =============================== 
# SpamAssassin config file for version x.xx 
# generated by http://www.yrex.com/spam/spamconfig.php (version 1.01) 
 
# How many hits before a message is considered spam. 
required_hits 4.0 
 
# Whether to change the subject of suspected spam 
rewrite_subject 1 
 
# Text to prepend to subject if rewrite_subject is used 
subject_tag *****SPAM***** 
 
# Encapsulate spam in an attachment 
report_safe 1 
 
# Use terse version of the spam report 
use_terse_report 0 
 
# Enable the Bayes system 
use_bayes 1 
 
# Enable Bayes auto-learning 
auto_learn 1 
 
# Enable or disable network checks 
skip_rbl_checks 1 
use_razor2 0 
use_dcc 0 
use_pyzor 0 
 
# Mail using languages used in these country codes will not be marked 
# as being possibly spam in a foreign language. 
# - chinese english 
ok_languages zh en 
 
# Mail using locales used in these country codes will not be marked 
# as being possibly spam in a foreign language. 
ok_locales en zh 
score SUBJ_FULL_OF_8BITS 2 
score NO_REAL_NAME 4.0 
=============================== local.cf =============================== 
 
3.2 下载新的垃圾邮件地址列表文件 
 
# cd /usr/local/share/spamassassin 
# fetch http://anti-spam.org.cn/rules/sa/55_diy_score.cf 
 
4.0 对POSFIX进行配置，在他的配置文件中添加下面的一些内容 
 
# vi /usr/local/etc/postfix/master.cf 
 
---------------------- master.cf --------------------- 
smtp-amavis unix - - n - 2 smtp 
-o smtp_data_done_timeout=1200 
-o disable_dns_lookups=yes 
 
127.0.0.1:10025 inet n - n - - smtpd 
-o content_filter= 
-o local_recipient_maps= 
-o relay_recipient_maps= 
-o smtpd_restriction_classes= 
-o smtpd_client_restrictions= 
-o smtpd_helo_restrictions= 
-o smtpd_sender_restrictions= 
-o mynetworks=127.0.0.0/8 
---------------------- master.cf --------------------- 
 
# vi /usr/local/etc/postfix/main.cf 
 
content_filter = smtp-amavis::10024 
 
好了，现在一个基于FreeBSD的功能相对完整的邮件<a target="_blank" href="#" class="UBBWordLink">服务</a>器就建立起来了，虚拟域的管理员可以登陆OPENWEBMAIL进行用户的添加、删除等<a target="_blank" href="#" class="UBBWordLink">操作</a>，虚拟用户可以通过OPENWEBMAIL修改自己的密码。

頁: [1]

琼殿技术论坛's Archiver

FREEBSD系统优化精华