Created
February 5, 2014 16:50
-
-
Save clemensg/8828061 to your computer and use it in GitHub Desktop.
My FreeBSD /etc/sysctl.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/sysctl.conf | |
| # Clemens Gruber, 2014 | |
| # | |
| # Uncomment this to prevent users from seeing information about processes that | |
| # are being run under another UID. | |
| security.bsd.see_other_uids=0 | |
| ## I/O | |
| # Increase VFS read-ahead | |
| # (Samsung 830 SSD drives went from 310 MB/sec to 372 MB/sec) | |
| # Default: 64 | |
| vfs.read_max=128 | |
| # Unbound needs big socket buffers | |
| #kern.ipc.maxsockbuf=10000000 | |
| ## Settings for FreeBSD as a router | |
| # A speedup of 40 to 60% in packet forwarding performance! | |
| #net.inet.ip.forwarding=1 | |
| #net.inet.ip.fastforwarding=1 | |
| # 3900 seconds allows clients who connect regularly to stay in our hostcache | |
| #net.inet.tcp.hostcache.expire=3900 | |
| # The OS buffer / backlog queue depth for accepting new TCP connections | |
| #kern.ipc.somaxconn=1024 | |
| # maximum segment size (MSS) specifies the largest amount of data in a single TCP segment | |
| # For most networks 1460 is optimal, but you may want to be cautious and use | |
| # 1440. This smaller MSS allows an extra 20 bytes of space for those client which are on a | |
| # DSL line which may use PPPoE. These networks have extra header data stored in | |
| # the packet and if there is not enough space, must be fragmented over additional | |
| # partially filled packets. | |
| # Default: 536 | |
| net.inet.tcp.mssdflt=1440 | |
| # Loopback interface tuning | |
| net.inet.tcp.nolocaltimewait=1 | |
| # Allow the web server to quickly dump the entire requested page set into | |
| # the network buffer (SOCK_STREAM) and free web server resources | |
| # Set it to 256KB, should be enough for most pages | |
| # Default 32KB | |
| #net.inet.tcp.sendspace=262144 | |
| # Syncookies are only useful when under DOS attack | |
| net.inet.tcp.syncookies=0 | |
| # If under DOS, set it to 1 | |
| # Also, uncomment the following: | |
| #net.inet.tcp.syncache.rexmtlimit=0 | |
| # disable flow control for intel nics. many isp's abuse flow control to slow down | |
| # customers even though you are not using your full bandwidth. (default 3) | |
| #dev.em.0.fc=0 | |
| # General Security and DoS mitigation. | |
| net.inet.ip.check_interface=1 # verify packet arrives on correct interface (default 0) | |
| net.inet.ip.portrange.randomized=1 # randomize outgoing upper ports (default 1) | |
| net.inet.ip.process_options=0 # IP options in the incoming packets will be ignored (default 1) | |
| net.inet.ip.random_id=1 # assign a random IP_ID to each packet leaving the system (default 0) | |
| net.inet.ip.redirect=0 # do not send IP redirects (default 1) | |
| net.inet.ip.accept_sourceroute=0 # drop source routed packets since they can not be trusted (default 0) | |
| net.inet.ip.sourceroute=0 # if source routed packets are accepted the route data is ignored (default 0) | |
| net.inet.icmp.bmcastecho=0 # do not respond to ICMP packets sent to IP broadcast addresses (default 0) | |
| net.inet.icmp.maskfake=0 # do not fake reply to ICMP Address Mask Request packets (default 0) | |
| net.inet.icmp.maskrepl=0 # replies are not sent for ICMP address mask requests (default 0) | |
| net.inet.icmp.log_redirect=0 # do not log redirected ICMP packet attempts (default 0) | |
| net.inet.icmp.drop_redirect=1 # no redirected ICMP packets (default 0) | |
| net.inet.icmp.icmplim_output=1 # show "Limiting open port RST response" messages (default 1) | |
| net.inet.tcp.always_keepalive=0 # tcp keep alive detection for dead peers, can be spoofed (default 1) | |
| net.inet.tcp.drop_synfin=1 # SYN/FIN packets get dropped on initial connection (default 0) | |
| #net.inet.tcp.fast_finwait2_recycle=1 # recycle FIN/WAIT states quickly (helps against DoS, but may cause false RST) (default 0) | |
| net.inet.tcp.icmp_may_rst=0 # icmp may not send RST to avoid spoofed icmp/udp floods (default 1) | |
| net.inet.tcp.msl=15000 # 15s maximum segment life waiting for an ACK in reply to a SYN-ACK or FIN-ACK (default 30000) | |
| net.inet.tcp.path_mtu_discovery=0 # disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1) | |
| net.inet.tcp.rfc3042=0 # disable limited transmit mechanism which can slow burst transmissions (default 1) | |
| net.inet.tcp.sack.enable=1 # TCP Selective Acknowledgments are needed for high throughput (default 1) | |
| net.inet.udp.blackhole=1 # drop udp packets destined for closed sockets (default 0) | |
| net.inet.tcp.blackhole=2 # drop tcp packets destined for closed ports (default 0) | |
| ## IPv6 Security | |
| # Disable Node info replies | |
| net.inet6.icmp6.nodeinfo=0 | |
| # Turn on IPv6 privacy extensions | |
| net.inet6.ip6.use_tempaddr=1 | |
| net.inet6.ip6.prefer_tempaddr=1 | |
| # Disable ICMP redirect | |
| net.inet6.icmp6.rediraccept=0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment