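# $FreeBSD: releng/11.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
# With thanks to Calomel.org and HardenedBSD project
#
# /etc/sysctl.conf -- one name=value per line, applied at boot by sysctl(8)
# (sysctl -f). Lines starting with '#' are comments; the trailing "# (default X)"
# notes record the stock FreeBSD 11.0 value so a change can be recognised as
# a deliberate deviation. As received, the file had been collapsed onto a single
# line beginning with '#', which sysctl(8) would have treated as one comment and
# applied nothing; it is restored here to one directive per line.
#
# This file is a template: the kern.randompid value below is a Jinja-style
# expression that must be rendered to a plain integer before installation.

# sysctls set by FreeBSD installer with default security options
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
security.bsd.stack_guard_page=1

# additional commonsense checks
security.bsd.hardlink_check_gid=1
security.bsd.hardlink_check_uid=1

# general tweaks
kern.maxfiles=65000 # check during runtime via kern.openfiles

# carp -- mostly no changes needed
# net.inet.carp.ifdown_demotion_factor: 240
# net.inet.carp.senderr_demotion_factor: 240
# net.inet.carp.demotion: 0
# net.inet.carp.log: 1
# net.inet.carp.allow: 1
net.inet.carp.preempt=1 # (default 0)

# help CouchDB ramp up replications on restart
kern.ipc.soacceptqueue=65000

# thanks https://fasterdata.es.net/host-tuning/freebsd/
# set to at least 16MB for 10GE hosts
kern.ipc.maxsockbuf=16000000
# set autotuning maximum to at least 16MB too
net.inet.tcp.sendbuf_max=16000000
net.inet.tcp.recvbuf_max=16000000
# enable send/recv autotuning
net.inet.tcp.sendbuf_auto=1
net.inet.tcp.recvbuf_auto=1
# increase autotuning step size
net.inet.tcp.sendbuf_inc=16384
net.inet.tcp.recvbuf_inc=524288
# turn off inflight limiting
# NOTE(review): inflight limiting appears to have been removed from FreeBSD
# before 11.0; verify the OID exists on the target (sysctl -d
# net.inet.tcp.inflight.enable). An unknown OID only produces a warning at boot,
# but the line should be dropped once confirmed so boot logs stay clean.
net.inet.tcp.inflight.enable=0
# set this on test/measurement hosts
# NOTE(review): this setting comes from a measurement-host tuning guide. It
# expires hostcache entries almost immediately, so learned per-peer RTT/MSS
# data is discarded between connections; confirm that is intended on a
# production server, otherwise leave the OID at its default.
net.inet.tcp.hostcache.expire=1

# http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html#FreeBSD
# net.inet.ip.portrange.first=32768
# net.inet.ip.portrange.last=49151
# net.inet.ip.portrange.hifirst=49152
# net.inet.ip.portrange.hilast=65535

# FreeBSD 11.0 -- /etc/sysctl.conf version 0.51
# https://calomel.org/freebsd_network_tuning.html
# Turns this host into an IPv4 router between its interfaces. That is
# appropriate for a CARP gateway; on a standalone application host (e.g. a
# CouchDB node) it widens exposure and should stay at 0. Confirm against the
# host's role before deploying.
net.inet.ip.forwarding=1 # (default 0)
net.inet.tcp.cc.algorithm=htcp # (default newreno)
net.inet.tcp.cc.htcp.adaptive_backoff=1 # (default 0 ; disabled)
net.inet.tcp.cc.htcp.rtt_scaling=1 # (default 0 ; disabled)
net.inet.tcp.rfc6675_pipe=1 # (default 0)
net.inet.tcp.minmss=536 # (default 216)
# With rexmtlimit=0 a lost SYN-ACK is never retransmitted; the client's own
# SYN retry has to rebuild the handshake. Intended as a SYN-flood cost cap.
net.inet.tcp.syncache.rexmtlimit=0 # (default 3)
# 0 disables IPv4 fragment reassembly outright: any legitimately fragmented
# inbound traffic (large UDP datagrams, some VPN/IPsec payloads) is dropped.
# Confirm no service on this host depends on fragments.
net.inet.ip.maxfragpackets=0 # (default 13687)
net.inet.ip.maxfragsperpacket=0 # (default 16)
net.inet.tcp.abc_l_var=44 # (default 2)
# SYN cookies disabled: flood resilience then rests on the syncache alone
# (see rexmtlimit above). Calomel's rationale is that cookies themselves can
# be abused; keep this paired with the syncache settings.
net.inet.tcp.syncookies=0 # (default 1)
net.inet.tcp.tso=0 # (default 1)
kern.random.fortuna.minpoolsize=256 # (default 64)

# HardenedBSD and DoS mitigation
# calculate PIDs by the modulus of the integer given, choose a random int (default 0)
# Rendered by the templating engine at deploy time so every host gets a
# different modulus; the installed file must contain a plain integer here.
kern.randompid={{ range(6000, 60000) | random }}
hw.kbd.keymap_restrict_change=4 # Disallow keymap changes for non-privileged users
kern.msgbuf_show_timestamp=1 # display timestamp in msgbuf (default 0)
net.inet.icmp.drop_redirect=1 # no redirected ICMP packets (default 0)
net.inet.ip.check_interface=1 # verify packet arrives on correct interface (default 0)
net.inet.ip.process_options=0 # ignore IP options in the incoming packets (default 1)
net.inet.ip.random_id=1 # assign a random IP id to each packet leaving the system (default 0)
net.inet.ip.redirect=0 # do not send IP redirects (default 1)
net.inet.tcp.always_keepalive=0 # disable tcp keep alive detection for dead peers, keepalive can be spoofed (default 1)
net.inet.tcp.blackhole=2 # drop tcp packets destined for closed ports (default 0)
net.inet.tcp.drop_synfin=1 # SYN/FIN packets get dropped on initial connection (default 0)
# Kept at its default, so this line is a no-op; the trailing comment describes
# what =1 would do. Left in place as documentation of the decision.
net.inet.tcp.fast_finwait2_recycle=0 # recycle FIN/WAIT states quickly (helps against DoS, but may cause false RST) (default 0)
net.inet.tcp.icmp_may_rst=0 # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
# NOTE(review): 50000 is above the stated default of 30000, which lengthens
# TIME_WAIT rather than shortening it -- the opposite of the DoS-mitigation
# intent of this section. Confirm this is not a typo for 5000 before relying
# on it; the value is left unchanged here.
net.inet.tcp.msl=50000 # Maximum Segment Lifetime a TCP segment can exist on the network, 2*MSL (default 30000, 60 sec)
net.inet.tcp.nolocaltimewait=1 # remove TIME_WAIT states for the loopback interface (default 0)
# Note the interplay with net.inet.ip.maxfragpackets=0 above: outbound packets
# may now be fragmented in transit, but this host drops inbound fragments.
net.inet.tcp.path_mtu_discovery=0 # disable MTU discovery since many hosts drop ICMP type 3 packets (default 1)
net.inet.udp.blackhole=1 # drop udp packets destined for closed sockets (default 0)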