Gist cdcme/82b7d062b6671de20737c5453570f6a6, last active March 1, 2022 08:02
Some sysctl settings for performance and hardening on FreeBSD
# $FreeBSD: releng/11.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# see https://calomel.org/freebsd_network_tuning.html
# https://www.c0ffee.net/blog/freebsd-server-guide
# https://en.wikipedia.org/wiki/TCP_tuning
# https://en.wikipedia.org/wiki/TCP_window_scale_option
# https://en.wikipedia.org/wiki/Bandwidth-delay_product
# https://www.freebsd.org/doc/handbook/configtuning-sysctl.html
# https://www.freebsd.org/cgi/man.cgi?query=sysctl&sektion=8&manpath=freebsd-release-ports
#
# Tuned for DigitalOcean instances (with private networking) with 2 Ethernet 10Gbase-T
# VirtIO NICs supporting Intel features (Intel inside); see sysctl hw, dmesg, and ifconfig -m
#
net.inet.ip.forwarding=1 # allow forwarding for firewall and jails
net.inet.tcp.cc.algorithm=htcp
net.inet.tcp.cc.htcp.adaptive_backoff=1
net.inet.tcp.cc.htcp.rtt_scaling=1
security.bsd.hardlink_check_gid=1 # unprivileged processes may not create hard links to files owned by other groups, DISABLE WITH Mailman (default 0)
security.bsd.hardlink_check_uid=1 # unprivileged processes may not create hard links to files owned by other users, DISABLE WITH Mailman (default 0)
security.bsd.see_other_gids=0 # groups only see their own processes. root can see all (default 1)
security.bsd.see_other_uids=0 # users only see their own processes. root can see all (default 1)
security.bsd.stack_guard_page=1 # insert a stack guard page ahead of growable segments, stack smashing protection (SSP) (default 0)
security.bsd.unprivileged_proc_debug=0 # unprivileged processes may not use process debugging (default 1)
security.bsd.unprivileged_read_msgbuf=0 # unprivileged processes may not read the kernel message buffer (default 1)
security.jail.allow_raw_sockets=1 # let jails create raw sockets for ping, etc.
vfs.read_max=128 # tune SSD perf
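A sysctl.conf only takes effect at boot, and several of the hardening knobs above revert to the FreeBSD defaults noted in the comments if a line is dropped or a host is rebuilt. The script below is an added example, not part of the gist: it compares the gist's hardening values against what a host currently reports and prints the sysctl(8) commands that would restore any drifted key. It assumes FreeBSD's default `sysctl <key>` output format, "key: value". The host output it checks is constructed inline so the script runs anywhere; on a real host you would substitute the output of something like `sysctl security.bsd net.inet.tcp.cc.algorithm`.

```shell
#!/bin/sh
# Added example (not from the gist): audit a FreeBSD host against the gist's
# hardening sysctls and emit the sysctl(8) commands that restore the baseline.
# Assumes FreeBSD's "key: value" output format from `sysctl <key>`.

# Desired baseline: the hardening lines from the gist, one key=value per line.
BASELINE='security.bsd.hardlink_check_gid=1
security.bsd.hardlink_check_uid=1
security.bsd.see_other_gids=0
security.bsd.see_other_uids=0
security.bsd.stack_guard_page=1
security.bsd.unprivileged_proc_debug=0
security.bsd.unprivileged_read_msgbuf=0
net.inet.tcp.cc.algorithm=htcp'

# CONSTRUCTED sample of host output, standing in for real `sysctl` output.
# Two keys still sit at the FreeBSD defaults the gist's comments mention
# (see_other_gids=1, unprivileged_proc_debug=1), so they should be flagged.
SAMPLE_CURRENT='security.bsd.hardlink_check_gid: 1
security.bsd.hardlink_check_uid: 1
security.bsd.see_other_gids: 1
security.bsd.see_other_uids: 0
security.bsd.stack_guard_page: 1
security.bsd.unprivileged_proc_debug: 1
security.bsd.unprivileged_read_msgbuf: 0
net.inet.tcp.cc.algorithm: htcp'

# lookup_value CURRENT KEY: print the value the host reports for KEY, or nothing.
lookup_value() {
    printf '%s\n' "$1" | awk -v k="$2" -F': ' '$1 == k { print $2; exit }'
}

# check_drift BASELINE CURRENT: print one line per mismatching key, in the form
#   <key> expected=<want> actual=<have>   (actual=missing if the host lacks it)
check_drift() {
    current=$2
    printf '%s\n' "$1" | while IFS='=' read -r key want; do
        [ -z "$key" ] && continue
        have=$(lookup_value "$current" "$key")
        if [ -z "$have" ]; then
            printf '%s expected=%s actual=missing\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
        fi
    done
}

# drift_count BASELINE CURRENT: number of mismatching keys (0 means compliant).
drift_count() {
    check_drift "$1" "$2" | awk 'END { print NR }'
}

# remediation_cmds BASELINE CURRENT: sysctl(8) commands that set each drifted
# key back to its baseline value (also persist them in /etc/sysctl.conf).
remediation_cmds() {
    check_drift "$1" "$2" | awk '{ sub(/^expected=/, "", $2); print "sysctl " $1 "=" $2 }'
}

# Run against the constructed sample when executed directly.
check_drift "$BASELINE" "$SAMPLE_CURRENT"
remediation_cmds "$BASELINE" "$SAMPLE_CURRENT"
```

Keeping the comparison in plain sh and awk means it can run from a jail or a minimal rescue environment without extra packages; a non-zero `drift_count` is a convenient signal to wire into a periodic(8) job or a configuration-management check.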