@cdcme
Last active March 1, 2022 08:02
Some sysctl settings for performance and hardening on FreeBSD
# $FreeBSD: releng/11.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# see https://calomel.org/freebsd_network_tuning.html
# https://www.c0ffee.net/blog/freebsd-server-guide
# https://en.wikipedia.org/wiki/TCP_tuning
# https://en.wikipedia.org/wiki/TCP_window_scale_option
# https://en.wikipedia.org/wiki/Bandwidth-delay_product
# https://www.freebsd.org/doc/handbook/configtuning-sysctl.html
# https://www.freebsd.org/cgi/man.cgi?query=sysctl&sektion=8&manpath=freebsd-release-ports
#
# Tuned for DigitalOcean instances with private networking, i.e. two 10Gbase-T VirtIO
# Ethernet NICs exposing Intel offload features; see sysctl hw, dmesg, and ifconfig -m
#
net.inet.ip.forwarding=1 # allow forwarding for firewall and jails
net.inet.tcp.cc.algorithm=htcp # H-TCP congestion control; the cc_htcp module must be loaded (cc_htcp_load="YES" in /boot/loader.conf) or this setting is rejected
net.inet.tcp.cc.htcp.adaptive_backoff=1 # H-TCP: back off less aggressively on loss when the queue is small
net.inet.tcp.cc.htcp.rtt_scaling=1 # H-TCP: scale the increase rate by RTT for fairness between flows
security.bsd.hardlink_check_gid=1 # unprivileged processes may not create hard links to files owned by other groups; disable if running Mailman (default 0)
security.bsd.hardlink_check_uid=1 # unprivileged processes may not create hard links to files owned by other users; disable if running Mailman (default 0)
security.bsd.see_other_gids=0 # groups only see their own processes. root can see all (default 1)
security.bsd.see_other_uids=0 # users only see their own processes. root can see all (default 1)
security.bsd.stack_guard_page=1 # insert a guard page ahead of growable segments (the stack) so a stack overrun faults instead of writing into the adjacent mapping (default 0)
security.bsd.unprivileged_proc_debug=0 # unprivileged processes may not use process debugging (default 1)
security.bsd.unprivileged_read_msgbuf=0 # unprivileged processes may not read the kernel message buffer (default 1)
security.jail.allow_raw_sockets=1 # let jails create raw sockets for ping, traceroute, etc.; note this lets jailed root craft arbitrary IP packets, so leave it 0 for untrusted jails
vfs.read_max=128 # tune SSD perf
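Settings in this file can fail to take effect (a typo, a module such as cc_htcp not loaded at boot, or a later `sysctl` call by a script), so it is worth checking the running kernel against the file. The following POSIX sh drift checker is an added example, not part of the gist; it parses the gist's `name=value # comment` syntax and compares each knob against either the live kernel or a captured `sysctl` dump (the `write_samples` data is constructed for the demo).

```shell
# Added example (not the gist's): report knobs in a sysctl.conf whose current
# value differs from the configured one. Assumes "name=value" lines with an
# optional trailing "# comment" (values containing '#' are not handled).

# Print "name value" pairs, dropping comments and blank lines.
parse_sysctl_conf() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' -e 's/=/ /' "$1"
}

# check_drift CONF SOURCE: SOURCE is "live" (ask the running kernel via
# sysctl -n) or a file of "name: value" lines as printed by "sysctl name".
# Prints one DRIFT line per mismatch; exit status 1 if anything drifted.
check_drift() {
    src="$2"
    parse_sysctl_conf "$1" | {
        drift=0
        while read -r name want; do
            if [ "$src" = live ]; then
                have=$(sysctl -n "$name" 2>/dev/null) || have='<missing>'
            else
                have=$(awk -v n="$name" -F': ' '$1 == n { print $2; f=1 }
                    END { if (!f) print "<missing>" }' "$src")
            fi
            [ "$have" = "$want" ] && continue
            echo "DRIFT $name: want=$want have=$have"; drift=1
        done
        exit $drift   # exit of the pipeline subshell = function status
    }
}

# Constructed sample input: three knobs from the gist, and a dump taken from a
# host where two of them never took effect.
write_samples() {
    cat > "$1" <<'EOF'
# constructed sample sysctl.conf
security.bsd.see_other_uids=0   # users only see their own processes
security.bsd.unprivileged_proc_debug=0
net.inet.tcp.cc.algorithm=htcp
EOF
    cat > "$2" <<'EOF'
security.bsd.see_other_uids: 1
security.bsd.unprivileged_proc_debug: 0
net.inet.tcp.cc.algorithm: newreno
EOF
}

# Stand-alone demo; on a FreeBSD host run: check_drift /etc/sysctl.conf live
conf_tmp=$(mktemp); dump_tmp=$(mktemp); write_samples "$conf_tmp" "$dump_tmp"
check_drift "$conf_tmp" "$dump_tmp" && echo "all knobs match"; rm -f "$conf_tmp" "$dump_tmp"
```

Run it from cron or a config-management check against `live` and alert on any `DRIFT` line; a `<missing>` value means the OID does not exist on this kernel, which usually points at a missing module or a typo in the file.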