My FreeBSD /etc/sysctl.conf

etc_sysctl.conf

# /etc/sysctl.conf
# Clemens Gruber, 2014
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
security.bsd.see_other_uids=0

## I/O

# Increase VFS read-ahead
# (Samsung 830 SSD drives went from 310 MB/sec to 372 MB/sec)
# Default: 64
vfs.read_max=128

# Unbound needs big socket buffers
#kern.ipc.maxsockbuf=10000000

## Settings for FreeBSD as a router
# A speedup of 40 to 60% in packet forwarding performance!
#net.inet.ip.forwarding=1
#net.inet.ip.fastforwarding=1
# 3900 seconds allows clients who connect regularly to stay in our hostcache
#net.inet.tcp.hostcache.expire=3900
# The OS buffer / backlog queue depth for accepting new TCP connections
#kern.ipc.somaxconn=1024

# maximum segment size (MSS) specifies the largest amount of data in a single TCP segment
# For most networks 1460 is optimal, but you may want to be cautious and use
# 1440. This smaller MSS allows an extra 20 bytes of space for those client which are on a
# DSL line which may use PPPoE. These networks have extra header data stored in
# the packet and if there is not enough space, must be fragmented over additional
# partially filled packets.
# Default: 536
net.inet.tcp.mssdflt=1440

# Loopback interface tuning
net.inet.tcp.nolocaltimewait=1

# Allow the web server to quickly dump the entire requested page set into
# the network buffer (SOCK_STREAM) and free web server resources
# Set it to 256KB, should be enough for most pages
# Default 32KB
#net.inet.tcp.sendspace=262144

# Syncookies are only useful when under DOS attack
net.inet.tcp.syncookies=0
# If under DOS, set it to 1
# Also, uncomment the following:
#net.inet.tcp.syncache.rexmtlimit=0

# disable flow control for intel nics. many isp's abuse flow control to slow down
# customers even though you are not using your full bandwidth. (default 3)
#dev.em.0.fc=0

# General Security and DoS mitigation.
net.inet.ip.check_interface=1         # verify packet arrives on correct interface (default 0)
net.inet.ip.portrange.randomized=1    # randomize outgoing upper ports (default 1)
net.inet.ip.process_options=0         # IP options in the incoming packets will be ignored (default 1)
net.inet.ip.random_id=1               # assign a random IP_ID to each packet leaving the system (default 0)
net.inet.ip.redirect=0                # do not send IP redirects (default 1)
net.inet.ip.accept_sourceroute=0      # drop source routed packets since they can not be trusted (default 0)
net.inet.ip.sourceroute=0             # if source routed packets are accepted the route data is ignored (default 0)
net.inet.icmp.bmcastecho=0            # do not respond to ICMP packets sent to IP broadcast addresses (default 0)
net.inet.icmp.maskfake=0              # do not fake reply to ICMP Address Mask Request packets (default 0)
net.inet.icmp.maskrepl=0              # replies are not sent for ICMP address mask requests (default 0)
net.inet.icmp.log_redirect=0          # do not log redirected ICMP packet attempts (default 0)
net.inet.icmp.drop_redirect=1         # no redirected ICMP packets (default 0)
net.inet.icmp.icmplim_output=1        # show "Limiting open port RST response" messages (default 1)
net.inet.tcp.always_keepalive=0       # tcp keep alive detection for dead peers, can be spoofed (default 1)
net.inet.tcp.drop_synfin=1            # SYN/FIN packets get dropped on initial connection (default 0)
#net.inet.tcp.fast_finwait2_recycle=1  # recycle FIN/WAIT states quickly (helps against DoS, but may cause false RST) (default 0)
net.inet.tcp.icmp_may_rst=0           # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
net.inet.tcp.msl=15000                # 15s maximum segment life waiting for an ACK in reply to a SYN-ACK or FIN-ACK (default 30000)
net.inet.tcp.path_mtu_discovery=0     # disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1)
net.inet.tcp.rfc3042=0                # disable limited transmit mechanism which can slow burst transmissions (default 1)
net.inet.tcp.sack.enable=1            # TCP Selective Acknowledgments are needed for high throughput (default 1)
net.inet.udp.blackhole=1              # drop udp packets destined for closed sockets (default 0)
net.inet.tcp.blackhole=2              # drop tcp packets destined for closed ports (default 0)

## IPv6 Security
# Disable Node info replies
net.inet6.icmp6.nodeinfo=0
# Turn on IPv6 privacy extensions
net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1
# Disable ICMP redirect
net.inet6.icmp6.rediraccept=0

This gist should be updated and assigned to FreeBSD or derivative, maybe you were pfSensing?

Did you actually use this in production?

This pair could cause lots of trouble in some configurations where interface binding is present or jails is a decent amount of scenarios.

net.inet.ip.accept_sourceroute=0      # drop source routed packets since they can not be trusted (default 0)
net.inet.ip.sourceroute=0             # if source routed packets are accepted the route data is ignored (default 0)

But what I really came here to say is that when some AI products like Perplexity when asked about BSD Security, particularly drop_synfin which I wrote an excellent article on, it cites as an information source, the first one? a clone of your gist

;)

Hi, yes I used this in production 10+ years ago but I don't even remember why I threw it on Github. I did not use jails back then. It's really funny that AI products cite random gists as a trustworthy source of information. I think I will delete it, because this was never maintained and will not be maintained in the future. Cheers

Odd behavior, but Perplexity is now using this gist and crediting your account name, as the true source and not the identical fork after I reported it! It's an excellent list I wouldn't delete it. This conf is quality, good for historical purposes too, legacy systems, but if you got no time to update maybe just list at the top the FreeBSD version you were using at the time maybe?

Cheers.