From: Adams Kevin J (kevin.adams@PHS.COM)
Date: Fri Sep 05 2003 - 13:24:39 EDT

Unless you are memory constrained, you should probably up "thewall" to the
max which is the same value as your "sb_max".

I'm not sure if you are running a routing protocol, but the following
settings are recommended in the redbook "Additional Security Tools for AIX
Systems, SG24-5971". These settings can help you from a security and
performance standpoint. Make sure they are appropriate for your environment.

clean_partial_conns=0
bcastping=0
directed_broadcast=0
ipsendredirects=0
ipsrcroutesend=0
ipsrcrouterecv=0
ipsrcrouteforward=0
ip6srcrouteforward=0
icmpaddressmask=0
nonlocsrcroute=0
tcp_pmtu_discover=0
udp_pmtu_discover=0
ipforwarding=0
ipignoreredirects=1

Kevin Adams
PacifiCare Behavioral Health
Principal Systems Analyst
AIX Certified Advanced Technical Expert

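
One way to check a host against the redbook values listed above, as an added example that is not part of the original message. The function names `audit_no` and `sample_no_output` and the report format are assumptions; the sample input is the relevant lines of the `no -a` output quoted later in this thread.

```shell
# Baseline: the tunable=value pairs exactly as listed in the reply above.
BASELINE="clean_partial_conns=0 bcastping=0 directed_broadcast=0 \
ipsendredirects=0 ipsrcroutesend=0 ipsrcrouterecv=0 ipsrcrouteforward=0 \
ip6srcrouteforward=0 icmpaddressmask=0 nonlocsrcroute=0 tcp_pmtu_discover=0 \
udp_pmtu_discover=0 ipforwarding=0 ipignoreredirects=1"

# Reads "no -a" style lines on stdin and prints one line per baseline tunable
# that differs or is absent: "<name> current=<value|missing> want=<value>".
audit_no() {
    awk -v baseline="$BASELINE" '
    BEGIN {
        n = split(baseline, pairs, " ")
        for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); name[i] = kv[1]; want[kv[1]] = kv[2] }
    }
    {   # Accept both "name = value" and "name=value".
        line = $0; gsub(/[ \t]/, "", line)
        eq = index(line, "=")
        if (eq > 1) have[substr(line, 1, eq - 1)] = substr(line, eq + 1)
    }
    END {
        for (i = 1; i <= n; i++) {
            k = name[i]; cur = (k in have) ? have[k] : "missing"
            if (cur != want[k]) printf "%s current=%s want=%s\n", k, cur, want[k]
        }
    }'
}

# Excerpt of the no -a output posted in this thread (baseline tunables only).
sample_no_output() {
cat <<'EOF'
clean_partial_conns = 0
ipsendredirects = 1
ipforwarding = 0
nonlocsrcroute = 0
bcastping = 0
icmpaddressmask = 0
udp_pmtu_discover = 1
tcp_pmtu_discover = 1
directed_broadcast = 0
ipignoreredirects = 0
ipsrcroutesend = 1
ipsrcrouterecv = 0
ipsrcrouteforward = 1
ip6srcrouteforward = 1
EOF
}

sample_no_output | audit_no
```

On the AIX host itself, `no -a | audit_no` audits the live values; the report is read-only and changes nothing.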
-----Original Message-----
From: Patrick B. O'Brien [mailto:pobrien@DOIT.NV.GOV]
Sent: Thursday, September 04, 2003 3:16 PM
To: aix-l@Princeton.EDU
Subject: Re: [aix-l] Bind 8 on AIX 5.1
For speed, if I know an IP I put it into my /etc/hosts; your node will not
need to go to another DNS Server for a lookup.
Is it the clients that are complaining about speed?
-----Original Message-----
From: Yard, John [mailto:jyard@AIS.UCLA.EDU]
Sent: Thursday, September 04, 2003 3:11 PM
To: aix-l@Princeton.EDU
Subject: Bind 8 on AIX 5.1
I am running named 8.2.2-P5 on an AIX 5.1 machine. The interface is gigabit
ethernet; performance seems good. I was wondering if anyone had any
performance suggestions for DNS. My no -a output is:
extendednetstats = 0
thewall = 524240
sockthresh = 85
sb_max = 1048576
somaxconn = 1024
clean_partial_conns = 0
net_malloc_police = 0
rto_low = 1
rto_high = 64
rto_limit = 7
rto_length = 13
inet_stack_size = 16
arptab_bsiz = 7
arptab_nb = 25
tcp_ndebug = 100
ifsize = 8
arpqsize = 12
ndpqsize = 50
route_expire = 1
send_file_duration = 300
fasttimo = 200
routerevalidate = 0
dgd_packets_lost = 3
dgd_retry_time = 5
dgd_ping_time = 5
passive_dgd = 0
sodebug = 0
nbc_limit = 393168
nbc_max_cache = 131072
nbc_min_cache = 1
nbc_pseg = 0
nbc_pseg_limit = 524240
strmsgsz = 0
strctlsz = 1024
nstrpush = 8
strthresh = 85
psetimers = 20
psebufcalls = 20
strturncnt = 15
pseintrstack = 12288
lowthresh = 90
medthresh = 95
psecache = 1
subnetsarelocal = 1
maxttl = 255
ipfragttl = 60
ipsendredirects = 1
ipforwarding = 0
udp_ttl = 30
tcp_ttl = 60
arpt_killc = 20
tcp_sendspace = 131072
tcp_recvspace = 131072
udp_sendspace = 65536
udp_recvspace = 65536
tcp_bad_port_limit = 0
udp_bad_port_limit = 0
rfc1122addrchk = 0
nonlocsrcroute = 0
tcp_keepintvl = 150
tcp_keepidle = 14400
bcastping = 0
udpcksum = 1
tcp_mssdflt = 512
icmpaddressmask = 0
tcp_keepinit = 150
ie5_old_multicast_mapping = 0
rfc1323 = 1
pmtu_default_age = 10
pmtu_rediscover_interval = 30
udp_pmtu_discover = 1
tcp_pmtu_discover = 1
ipqmaxlen = 100
directed_broadcast = 0
ipignoreredirects = 0
ipsrcroutesend = 1
ipsrcrouterecv = 0
ipsrcrouteforward = 1
ip6srcrouteforward = 1
ip6_defttl = 64
ndpt_keep = 120
ndpt_reachable = 30
ndpt_retrans = 1
ndpt_probe = 5
ndpt_down = 3
ndp_umaxtries = 3
ndp_mmaxtries = 3
ip6_prune = 2
ip6forwarding = 0
multi_homed = 1
main_if6 = 0
main_site6 = 0
site6_index = 0
maxnip6q = 20
llsleep_timeout = 3
tcp_timewait = 1
tcp_ephemeral_low = 32768
tcp_ephemeral_high = 65535
udp_ephemeral_low = 32768
udp_ephemeral_high = 65535
delayack = 0
delayackports = {}
sack = 0
use_isno = 1
tcp_newreno = 1
tcp_nagle_limit = 65535
rfc2414 = 0
tcp_init_window = 0
tcp_ecn = 0
tcp_limited_transmit = 1
icmp6_errmsg_rate = 10
tcp_maxburst = 0
tcp_nodelayack = 0
tcp_finwait2 = 1200
The interface bind uses looks like:
[viper2:/workarea] # lsattr -E -l en2
mtu           1500                       Maximum IP Packet Size for This Device     True
remmtu        576                        Maximum IP Packet Size for REMOTE Networks True
netaddr       164.67.134.5               Internet Address                           True
state         up                         Current Interface Status                   True
arp           on                         Address Resolution Protocol (ARP)          True
netmask       255.255.255.0              Subnet Mask                                True
security      none                       Security Level                             True
authority                                Authorized Users                           True
broadcast                                Broadcast Address                          True
netaddr6                                 N/A                                        True
alias6                                   N/A                                        True
prefixlen                                N/A                                        True
alias4        164.67.134.3,255.255.255.0 N/A                                        True
rfc1323                                  N/A                                        True
tcp_nodelay                              N/A                                        True
tcp_sendspace                            N/A                                        True
tcp_recvspace                            N/A                                        True
tcp_mssdflt
Thxs,
John Yard
UCLA
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:17:10 EDT