1. Kernel optimization

mkdir /usr/kern
cp /usr/src/sys/i/conf/GENERIC /usr/kern/proxy
ln -s /usr/kern/proxy /usr/src/sys/i/conf/proxy
cd /sys/i/conf
ee proxy

options IPFILTER               # ipfilter support
options IPFILTER_LOG           # ipfilter logging
options IPFILTER_DEFAULT_BLOCK # block all packets by default
options TCP_DROP_SYNFIN
options PQ_LARGECACHE          ## support for CPUs with a k L2 cache
options SC_DISABLE_REBOOT      ## disable the Ctrl+Alt+Del reboot hotkey
# To make an SMP kernel, the next two are needed
options SMP                    # Symmetric MultiProcessor kernel
device apic                    # I/O APIC
# Not needed if the machine does not have two CPUs
##### polling support #####
options DEVICE_POLLING
#options HZ=

Find the #error line in /sys/kern/kern_poll.c and delete it. Add kern.polling.enable=1 to /etc/sysctl.conf. DEVICE_POLLING cannot be used together with SMP, so it can be omitted on this server. For the remaining options see other articles on kernel tuning.

2. System resource optimization

ee /etc/sysctl.conf

####################### /etc/sysctl.conf #######################
net.inet.tcp.rfc=1
net.inet.tcp.rfc=1
net.inet.tcp.rfc=1
net.inet.tcp.rfc=1
## TCP extensions that speed up networking; see the corresponding RFCs.
net.inet.ip.forwarding=1
## must be on when the box acts as a router
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
## security parameters: do not send or accept source-routed packets
kern.ipc.maxsockbuf=
## maximum socket buffer size
kern.ipc.somaxconn=
## maximum queue of sockets waiting for connection completion. On a heavily loaded server, or one under a distributed denial-of-service attack, this queue can fill up and the system stops serving normally. The default is small; adjust it to the machine and the real load, because an oversized queue only wastes memory.
kern.maxfiles=
## maximum number of open files system-wide. The default is a few thousand; if you run a database or other descriptor-hungry processes, raise it to 10,000 or 20,000.
kern.maxfilesperproc=
## maximum number of files a single process may have open at once
net.inet.tcp.delayed_ack=0
## when a host initiates a TCP connection the system answers with an ACK. This option decides whether the ACK is delayed and sent together with a data packet. On fast networks under low load this improves performance slightly, but on poor links the peer gets no acknowledgement and keeps retrying, which lowers performance instead.
net.inet.tcp.sendspace=
## maximum TCP send buffer. Once an application has placed data here it treats the send as done; the TCP stack guarantees delivery.
net.inet.tcp.recvspace=
## maximum TCP receive buffer. The system distributes data from here to the individual sockets; enlarging it raises the amount of data the system can absorb in a burst.
net.inet.udp.recvspace=
## maximum UDP receive buffer
net.inet.udp.maxdgram=
## maximum UDP send buffer
net.local.stream.recvspace=
## receive buffer for local (Unix-domain) stream sockets
net.local.stream.sendspace=
## send buffer for local (Unix-domain) stream sockets
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
#net.inet6.ip6.redirect=0
## ignore (and log) ICMP redirects
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
## prevent broadcast storms (no replies to broadcast echo or mask requests)
net.inet.icmp.icmplim=
## rate-limit the ICMP messages the system sends
net.inet.icmp.icmplim_output=0
net.inet.tcp.drop_synfin=1
## security parameter; only usable if the kernel was built with options TCP_DROP_SYNFIN
net.inet.tcp.always_keepalive=0
## setting this to 1 helps the system clean up TCP connections that were not closed properly. It adds some bandwidth use, but dead connections are eventually detected and removed. Dead TCP connections are a particular problem on systems accessed by dial-up users, who often drop the modem without closing active connections.
net.inet.ip.intr_queue_maxlen=
## if net.inet.ip.intr_queue_drops keeps increasing, raise net.inet.ip.intr_queue_maxlen; ideally drops stays at 0
#### the following guard against DoS attacks ####
net.inet.tcp.msl=
## FreeBSD default is
net.inet.tcp.blackhole=2
## silently drop every packet arriving at a closed port; with 1 this applies to TCP only
net.inet.udp.blackhole=1
## silently drop every UDP packet arriving at a closed port
######## end ########
net.inet.ipf.fr_tcpidletimeout=
net.inet.ipf.fr_tcpclosewait=
net.inet.ipf.fr_tcplastack=
net.inet.ipf.fr_tcptimeout=
net.inet.ipf.fr_tcpclosed=
net.inet.ipf.fr_udptimeout=
net.inet.ipf.fr_icmptimeout=
net.inet.ipf.fr_tcphalfclosed=
net.inet.ipf.fr_defnatage=
net.inet.tcp.inflight.enable=1
## buffering for network connections
net.inet.ip.fastforwarding=0
## if enabled, after the first successful forward to a destination its data is cached in the routing and ARP tables, saving routing computation but consuming a lot of kernel memory for the tables.
#kern.polling.enable=1
## enable polling
## SMP cannot be used together with polling
######################## The end ########################

3. Set the permissions of rc.sysctl, rc.conf and sysctl.conf:

chmod /etc/rc.sysctl
chmod /etc/rc.conf
chmod /etc/sysctl.conf

4. Boot option optimization

################ edit /boot/loader.conf to tune startup ################
autoboot_delay="2"
## boot wait time of 2 seconds
kern.ipc.nmbclusters=""
## number of mbuf clusters, the system's network buffers
kern.ipc.maxsockets=""
## raise the number of sockets
net.inet.tcp.tcbhashsize=""
## raise the size of the TCP control block hash
beastie_disable="YES"
## disable the daemon-logo boot menu
#############################################

5. Enhancing ipfilter

Edit /sys/contrib/ipfilter/netinet/ip_nat.h and remove the comment in front of LARGE_NAT so that it reads #define LARGE_NAT. Edit /sys/contrib/ipfilter/netinet/ip_state.h: set IPSTATE_SIZE and IPSTATE_MAX, with IP_STATE_MAX at roughly IPSTATE_SIZE*0.7. The first can be raised to the ten-thousand range. Note that both values must be prime numbers.

6. Compiling the kernel

############## apply the system patches, then rebuild the kernel ##############
cd /usr/src
fetch patch
Rebuild the kernel and reboot. # This is the patch delphij made for 5.3 SMP.
cd /sys/contrib/ipfilter/netinet/
patch
This one is a patch for ip_nat; you can also edit it by hand. After changing the ip_nat parameters, a kernel build otherwise complains about two undefined variables.

cd /usr/src
make buildkernel KERNCONF=proxy
make installkernel KERNCONF=proxy
reboot

This build method keeps the previous kernel as kernel.old, so if something goes wrong you can recover by typing kernel.old at the boot: prompt.

###### building with config/make instead leaves many intermediate files under /usr/src ######
cd /usr/src/sys/i/conf
/usr/sbin/config proxy
cd ../compile/proxy
make depend
make
make install
reboot
########################################################################

7. Automatic log backup

The method is not very mature yet. I tried simply emptying nat.log, but presumably because the system writes to the file continuously, all I can do is stop logging, back up the records, and then start logging again. Since I back up one log file per hour, copying an hour of records does not take long, so hardly anything is lost. If anyone reading this has a better, workable method, please let me know. Thanks!

################# /usr/local/beifen.sh #################
#!/bin/sh
year=$(date +%Y)
month=$(date +%m)
date=$(date +%d)
time=$(date +%Y%m%d%H%M)
mkdir -p /usr/local/logbak/$year/$month/$date
# stop the ipfilter logger so the file is no longer being written to
killall ipmon
cp /var/nat.log /usr/local/logbak/$year/$month/$date/$time.log
# truncate the live log
cat /dev/null > /var/nat.log
# start logging again (the exact restart line was lost in the source; a daemonized ipmon writing to the same file is assumed here)
ipmon -D /var/nat.log
########################################################

chmod +x /usr/local/beifen.sh
crontab -e
and edit in a file like this:

0 0 * * * /usr/local/beifen.sh
0 1 * * * /usr/local/beifen.sh
0 2 * * * /usr/local/beifen.sh
0 3 * * * /usr/local/beifen.sh
2 3 * * 1 /sbin/reboot
0 4 * * * /usr/local/beifen.sh
0 5 * * * /usr/local/beifen.sh
0 6 * * * /usr/local/beifen.sh
0 7 * * * /usr/local/beifen.sh
0 8 * * * /usr/local/beifen.sh
0 9 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh
0 * * * /usr/local/beifen.sh

(7) Mail server installation and configuration

Part one: installing the mail server: postfix + vm-pop3d + openwebmail

The installation below was done on FreeBSD 5.2.1.

1. Update the ports tree
# cvsup -gL 2 -h cvsup.freebsdchina.org /usr/share/examples/cvsup/ports-supfile

2. Install openssl and the apache server
# cd /usr/ports/security/openssl
# make install
# make clean
# cd /usr/ports/www/apache2
# make install
# make clean
# vi /etc/rc.conf
apache2_enable="YES"

3. Install openwebmail
# cd /usr/ports/mail/openwebmail/
# make WITH_QUOTA=yes install
# make clean

4. Install postfix, answering yes to the questions asked during the install
# cd /usr/ports/mail/postfix/
# make install
# make clean
# vi /etc/rc.conf
To be able to start postfix, add:
sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_pidfile="/var/spool/postfix/pid/master.pid"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"

5. Install vm-pop3d
# cd /usr/ports/mail/vm-pop3d
# make install
# make clean

6. Configure postfix
# vi /usr/local/etc/postfix/main.cf
Add:
myhostname = nero..org
mydomain = nero..org
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual
alias_maps = hash:/usr/local/etc/postfix/aliases
default_privs = nobody
allow_mail_to_commands = alias,forward,include
allow_mail_to_files = alias,forward,include

Below I add a virtual domain nero..org with one user, llzqq.
# vi /usr/local/etc/postfix/virtual
Add (fields separated by a [tab]):
nero..org	anything
llzqq@nero..org	llzqq.nero..org
Run the following to generate virtual.db:
# cd /usr/local/etc/postfix/
# postmap virtual
# vi /usr/local/etc/postfix/aliases
Add:
llzqq.nero..org:/var/spool/virtual/nero..org/llzqq
Run the following to generate aliases.db:
# cd /usr/local/etc/postfix
# postalias aliases

7. Configure vm-pop3d to start at boot
# cd /usr/local/etc/rc.d
# mv vm-pop3d.sh.sample vm-pop3d.sh
Configure openwebmail to support the nero..org domain by creating the following file:
# vi /usr/local/www/cgi-bin/openwebmail/etc/sites.conf/nero..org
=========================== nero..org =======================
auth_module auth_vdomain.pl
auth_withdomain yes
mailspooldir /var/spool/virtual/nero..org
use_syshomedir no
use_homedirspools no
enable_autoreply no
enable_setforward no
enable_vdomain yes
vdomain_admlist llzqq    # the administrator of this domain
vdomain_maxuser
vdomain_vmpop3_pwdpath /usr/local/etc/virtual
vdomain_vmpop3_pwdname passwd
vdomain_vmpop3_mailpath /var/spool/virtual
vdomain_postfix_aliases /usr/local/etc/postfix/aliases
vdomain_postfix_virtual /usr/local/etc/postfix/virtual
vdomain_postfix_postalias /usr/local/sbin/postalias
vdomain_postfix_postmap /usr/local/sbin/postmap
# quota settings
quota_module quota_du.pl
quota_limit    # mailbox size limit
quota_threshold
delmail_ifquotahit no
delfile_ifquotahit no
=========================== nero..org =======================
# mkdir -p /var/spool/virtual/nero..org
# chown nobody /var/spool/virtual/nero..org
# chgrp mail /var/spool/virtual/nero..org
# mkdir -p /usr/local/etc/virtual/nero..org
# touch /usr/local/etc/virtual/nero..org/passwd
# chmod /usr/local/etc/virtual/nero..org/passwd
# htpasswd /usr/local/etc/virtual/nero..org/passwd llzqq
# chmod /usr/local/www/cgi-bin/openwebmail/etc/users
# sync
# reboot

8. Finally, log in to OPENWEBMAIL through a browser.

Part two: antivirus and anti-spam: clamav + amavisd-new + spamassassin

1.0 Install clamav
# cd /usr/ports/security/clamav
# make install
# make clean
# vi /usr/local/etc/clamav.conf
=============================== clamav.conf ============================
# Comment or remove the line below.
# Example
LogFile /var/log/clamav/clamd.log
LogFileMaxSize 1M
LogTime
LogVerbose
PidFile /var/run/clamav/clamd.pid
DataDirectory /usr/local/share/clamav
LocalSocket /tmp/clamd
StreamMaxLength M
MaxThreads
MaxDirectoryRecursion
User clamav
ScanMail
ScanArchive
ScanRAR
ArchiveMaxFileSize M
ArchiveMaxRecursion 5
ArchiveMaxFiles
ClamukoScanOnOpen
ClamukoScanOnClose
ClamukoScanOnExec
ClamukoIncludePath /var/spool/virtual
ClamukoMaxFileSize 6M
ClamukoScanArchive
=============================== clamav.conf ============================

1.1 Update the virus database
# /usr/local/etc/rc.d/clamav-freshclam.sh start

2.0 Install amavisd-new
# cd /usr/ports/security/amavisd-new
# make install
# make clean
# cd /usr/local/etc
# mv amavisd.conf-dist amavisd.conf
# vi amavisd.conf
============================== amavisd.conf ===============================
$MYHOME = '/var/amavis';      # (default is '/var/amavis')
$mydomain = 'nero..org';      # (no useful default)
$daemon_user = 'vscan';       # (no default; customary: vscan or amavis)
$daemon_group = 'vscan';      # (no default; customary: vscan or amavis)
$log_level = 0;
$sa_spam_subject_tag = '***SPAM***';
$virus_admin = "root@$mydomain";
$spam_admin = "llzqq@$mydomain";
$mailfrom_notify_admin = "llzqq@$mydomain";
$mailfrom_notify_recip = "llzqq@$mydomain";
$mailfrom_notify_spamadmin = "llzqq@$mydomain";
$inet_socket_bind = '.0.0.1';
$forward_method = 'smtp:.0.0.1:';
$notify_method = $forward_method;
$inet_socket_port = ;
$max_servers = 2;
['Clam Antivirus-clamd',
 \&ask_daemon, ["CONTSCAN {}\n", '/tmp/clamd'],
 qr/\bOK$/, qr/\bFOUND$/,
 qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
============================== amavisd.conf ===============================

2.1 To start clamav and amavisd-new, configure /etc/rc.conf
# vi /etc/rc.conf
spamd_enable="YES"
amavisd_enable="YES"
clamav_clamd_enable="YES"

3.0 spamassassin was installed together with amavisd-new; it is configured below.

3.1 Create the filtering rules:
# cd /usr/local/etc/mail/spamassassin
# env LANG=C vi local.cf
=============================== local.cf ===============================
# SpamAssassin config file for version x.xx
# generated by (version 1.)
# How many hits before a message is considered spam.
required_hits 4.0
# Whether to change the subject of suspected spam
rewrite_subject 1
# Text to prepend to subject if rewrite_subject is used
subject_tag *****SPAM*****
# Encapsulate spam in an attachment
report_safe 1
# Use terse version of the spam report
use_terse_report 0
# Enable the Bayes system
use_bayes 1
# Enable Bayes auto-learning
auto_learn 1
# Enable or disable network checks
skip_rbl_checks 1
use_razor2 0
use_dcc 0
use_pyzor 0
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - chinese english
ok_languages zh en
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales en zh
score SUBJ_FULL_OF_8BITS 2
score NO_REAL_NAME 4.0
=============================== local.cf ===============================

3.2 Download a fresh spam address list
# cd /usr/local/share/spamassassin
# fetch

Configure POSTFIX by adding the following to its configuration files:
# vi /usr/local/etc/postfix/master.cf
---------------------- master.cf ---------------------
smtp-amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=
    -o disable_dns_lookups=yes
.0.0.1: inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o mynetworks=.0.0.0/8
---------------------- master.cf ---------------------
# vi /usr/local/etc/postfix/main.cf
content_filter = smtp-amavis:[.0.0.1]:

That is it: a reasonably complete FreeBSD-based mail server is now in place. The administrator of a virtual domain can log in to OPENWEBMAIL to add and delete users, and virtual users can change their own passwords through OPENWEBMAIL.
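The security-relevant part of the sysctl.conf in section 2 (source-route rejection, redirect handling, SYN/FIN dropping, blackholing of closed ports) is easy to get wrong when the file is edited by hand or when a later line silently overrides an earlier one. The script below is an added example by the editor, not part of the original article: it parses a sysctl.conf file the way sysctl(8) reads it (comments stripped, last assignment wins) and reports any hardening key that is missing or set to a weaker value than the article prescribes. It is pure text processing, so it can be run on the configuration file before it is activated; the expected values are exactly those listed in section 2, and keys whose value the article does not give are not checked.

```shell
#!/bin/sh
# Audit a FreeBSD sysctl.conf against the hardening values in section 2.
# Editor's example; the key/value list below is copied from that section.

HARDENED='
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0
net.inet.tcp.drop_synfin=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
'

# conf_value KEY FILE
# Print the effective value of KEY in FILE: comments are stripped, whitespace
# around key and value is trimmed, and the last assignment wins, which is how
# sysctl(8) applies the file. Prints nothing if the key is never set.
conf_value() {
    key=$1; file=$2
    sed -e 's/#.*$//' "$file" | awk -F= -v k="$key" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
        $1 == k { v = $2 }
        END { if (v != "") print v }'
}

# audit_sysctl_conf FILE
# One line per deviation ("MISSING key" or "WEAK key=actual"); exit status 1
# if anything deviates, 0 if the file matches every hardening value.
audit_sysctl_conf() {
    file=$1; rc=0
    for pair in $HARDENED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(conf_value "$key" "$file")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "WEAK $key=$have (want $want)"; rc=1
        fi
    done
    return $rc
}

# usage: sh audit.sh /etc/sysctl.conf
if [ "$#" -gt 0 ]; then
    audit_sysctl_conf "$1"
fi
```

Because the check reads the file rather than the live kernel, it also works from a build or configuration-management host; to compare against the running values instead, replace conf_value with a call to `sysctl -n KEY` on the FreeBSD box.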
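Section 5 says that IPSTATE_SIZE and IP_STATE_MAX in ip_state.h must both be prime and that IP_STATE_MAX should be about 0.7 times IPSTATE_SIZE. The functions below, an added example by the editor rather than code from the article, turn that rule into a small calculator: given the table size you want, they return the next prime at or above it and a prime near 70 percent of that for the maximum. The 0.7 ratio and the primality requirement come from the article; the choice of rounding the 70 percent figure up to the next prime is the editor's.

```shell
#!/bin/sh
# Prime-sized table helper for the ipfilter state table (section 5).
# Editor's example; trial division is plenty for sizes in the tens of thousands.

# is_prime N: exit 0 if N is prime, 1 otherwise.
is_prime() {
    n=$1
    [ "$n" -ge 2 ] || return 1
    [ "$n" -eq 2 ] && return 0
    [ $((n % 2)) -eq 0 ] && return 1
    d=3
    while [ $((d * d)) -le "$n" ]; do
        [ $((n % d)) -eq 0 ] && return 1
        d=$((d + 2))
    done
    return 0
}

# next_prime N: print the smallest prime that is >= N.
next_prime() {
    n=$1
    while ! is_prime "$n"; do
        n=$((n + 1))
    done
    echo "$n"
}

# ipstate_sizes WANTED: print "IPSTATE_SIZE IP_STATE_MAX" for a table of
# roughly WANTED entries: size is the next prime >= WANTED, max is the next
# prime >= 0.7 * size (integer arithmetic, so 7/10 of size).
ipstate_sizes() {
    size=$(next_prime "$1")
    max=$(next_prime $((size * 7 / 10)))
    echo "$size $max"
}

# usage: sh ipstate_sizes.sh 10000
if [ "$#" -gt 0 ]; then
    ipstate_sizes "$1"
fi
```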
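Section 7 asks for a better way to back up nat.log without losing records. The copy-then-truncate approach in beifen.sh has a gap: anything ipmon writes between the cp and the truncate is discarded. The function below is an added example by the editor, not the article's script: it renames the live log instead of copying it, creates a fresh empty file, and only then runs whatever restart command is supplied. Records written after the rename but before the restart still land in the renamed file, so nothing is dropped. The path layout (YYYY/MM/DD/YYYYMMDDHHMM.log) follows beifen.sh; the restart command is passed in as a parameter so the function itself does not depend on ipmon and can be tested with a dummy command.

```shell
#!/bin/sh
# Rotate a daemon's log file by rename rather than copy-and-truncate.
# Editor's example built on the layout used by /usr/local/beifen.sh in section 7.

# rotate_log LOGFILE DESTDIR [RESTART_CMD]
# Moves LOGFILE to DESTDIR/YYYY/MM/DD/YYYYMMDDHHMM.log, recreates an empty
# LOGFILE, then runs RESTART_CMD (for ipmon this would be something like
# 'killall ipmon; ipmon -D /var/nat.log') so the daemon reopens the new file.
# Prints the archive path on success; exit status 1 on any failure.
rotate_log() {
    log=$1; dest=$2; restart=${3:-}
    [ -f "$log" ] || { echo "rotate_log: $log does not exist" >&2; return 1; }
    dir="$dest/$(date +%Y)/$(date +%m)/$(date +%d)"
    archive="$dir/$(date +%Y%m%d%H%M).log"
    mkdir -p "$dir" || return 1
    # Never overwrite an archive produced in the same minute.
    [ ! -e "$archive" ] || { echo "rotate_log: $archive already exists" >&2; return 1; }
    # rename(2) is atomic on one filesystem: the daemon keeps writing to the
    # old inode (now the archive) until it is restarted, so no record is lost.
    mv "$log" "$archive" || return 1
    : > "$log"
    if [ -n "$restart" ]; then
        sh -c "$restart" || return 1
    fi
    echo "$archive"
}

# usage: sh rotate.sh /var/nat.log /usr/local/logbak 'killall ipmon; ipmon -D /var/nat.log'
if [ "$#" -ge 2 ]; then
    rotate_log "$@"
fi
```

The atomicity argument only holds when the archive directory is on the same filesystem as the log; if /usr/local/logbak lives on a different partition than /var, rename into a staging directory under /var first and copy to the final location afterwards.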