API tools faq
paste
netmd123

sysctl-tweaked

netmd123
Oct 4th, 2019
921
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.63 KB | None | 0 0
raw download clone embed print report
  1. <sysctl>
  2. <item>
  3. <descr>Disable the pf ftp proxy handler.</descr>
  4. <tunable>debug.pfftpproxy</tunable>
  5. <value>default</value>
  6. </item>
  7. <item>
  8. <tunable>vfs.read_max</tunable>
  9. <value>default</value>
  10. <descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
  11. </item>
  12. <item>
  13. <descr>Set the ephemeral port range to be lower.</descr>
  14. <tunable>net.inet.ip.portrange.first</tunable>
  15. <value>default</value>
  16. </item>
  17. <item>
  18. <descr>Drop packets to closed TCP ports without returning a RST</descr>
  19. <tunable>net.inet.tcp.blackhole</tunable>
  20. <value>default</value>
  21. </item>
  22. <item>
  23. <descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
  24. <tunable>net.inet.udp.blackhole</tunable>
  25. <value>default</value>
  26. </item>
  27. <item>
  28. <descr>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</descr>
  29. <tunable>net.inet.ip.random_id</tunable>
  30. <value>default</value>
  31. </item>
  32. <item>
  33. <descr>
  34. Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
  35. It can also be used to probe for information about your internal networks. These functions come enabled
  36. as part of the standard FreeBSD core system.
  37. </descr>
  38. <tunable>net.inet.ip.sourceroute</tunable>
  39. <value>default</value>
  40. </item>
  41. <item>
  42. <descr>
  43. Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
  44. It can also be used to probe for information about your internal networks. These functions come enabled
  45. as part of the standard FreeBSD core system.
  46. </descr>
  47. <tunable>net.inet.ip.accept_sourceroute</tunable>
  48. <value>default</value>
  49. </item>
  50. <item>
  51. <descr>
  52. Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
  53. to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
  54. packets without returning a response.
  55. </descr>
  56. <tunable>net.inet.icmp.drop_redirect</tunable>
  57. <value>default</value>
  58. </item>
  59. <item>
  60. <descr>
  61. This option turns off the logging of redirect packets because there is no limit and this could fill
  62. up your logs consuming your whole hard drive.
  63. </descr>
  64. <tunable>net.inet.icmp.log_redirect</tunable>
  65. <value>default</value>
  66. </item>
  67. <item>
  68. <descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
  69. <tunable>net.inet.tcp.drop_synfin</tunable>
  70. <value>default</value>
  71. </item>
  72. <item>
  73. <descr>Enable sending IPv4 redirects</descr>
  74. <tunable>net.inet.ip.redirect</tunable>
  75. <value>default</value>
  76. </item>
  77. <item>
  78. <descr>Enable sending IPv6 redirects</descr>
  79. <tunable>net.inet6.ip6.redirect</tunable>
  80. <value>default</value>
  81. </item>
  82. <item>
  83. <descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
  84. <tunable>net.inet6.ip6.use_tempaddr</tunable>
  85. <value>default</value>
  86. </item>
  87. <item>
  88. <descr>Prefer privacy addresses and use them over the normal addresses</descr>
  89. <tunable>net.inet6.ip6.prefer_tempaddr</tunable>
  90. <value>default</value>
  91. </item>
  92. <item>
  93. <descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
  94. <tunable>net.inet.tcp.syncookies</tunable>
  95. <value>default</value>
  96. </item>
  97. <item>
  98. <descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
  99. <tunable>net.inet.tcp.recvspace</tunable>
  100. <value>default</value>
  101. </item>
  102. <item>
  103. <descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
  104. <tunable>net.inet.tcp.sendspace</tunable>
  105. <value>default</value>
  106. </item>
  107. <item>
  108. <descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
  109. <tunable>net.inet.tcp.delayed_ack</tunable>
  110. <value>default</value>
  111. </item>
  112. <item>
  113. <descr>Maximum outgoing UDP datagram size</descr>
  114. <tunable>net.inet.udp.maxdgram</tunable>
  115. <value>default</value>
  116. </item>
  117. <item>
  118. <descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
  119. <tunable>net.link.bridge.pfil_onlyip</tunable>
  120. <value>default</value>
  121. </item>
  122. <item>
  123. <descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
  124. <tunable>net.link.bridge.pfil_local_phys</tunable>
  125. <value>default</value>
  126. </item>
  127. <item>
  128. <descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
  129. <tunable>net.link.bridge.pfil_member</tunable>
  130. <value>default</value>
  131. </item>
  132. <item>
  133. <descr>Set to 1 to enable filtering on the bridge interface</descr>
  134. <tunable>net.link.bridge.pfil_bridge</tunable>
  135. <value>default</value>
  136. </item>
  137. <item>
  138. <descr>Allow unprivileged access to tap(4) device nodes</descr>
  139. <tunable>net.link.tap.user_open</tunable>
  140. <value>default</value>
  141. </item>
  142. <item>
  143. <descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
  144. <tunable>kern.randompid</tunable>
  145. <value>default</value>
  146. </item>
  147. <item>
  148. <tunable>net.inet.ip.intr_queue_maxlen</tunable>
  149. <value>default</value>
  150. <descr>Maximum size of the IP input queue</descr>
  151. </item>
  152. <item>
  153. <descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
  154. <tunable>hw.syscons.kbd_reboot</tunable>
  155. <value>default</value>
  156. </item>
  157. <item>
  158. <descr>Enable TCP extended debugging</descr>
  159. <tunable>net.inet.tcp.log_debug</tunable>
  160. <value>default</value>
  161. </item>
  162. <item>
  163. <descr>Set ICMP Limits</descr>
  164. <tunable>net.inet.icmp.icmplim</tunable>
  165. <value>default</value>
  166. </item>
  167. <item>
  168. <tunable>net.inet.tcp.tso</tunable>
  169. <value>0</value>
  170. <descr>TCP Offload Engine</descr>
  171. </item>
  172. <item>
  173. <tunable>net.inet.udp.checksum</tunable>
  174. <value>default</value>
  175. <descr>UDP Checksums</descr>
  176. </item>
  177. <item>
  178. <tunable>kern.ipc.maxsockbuf</tunable>
  179. <value>default</value>
  180. <descr>Maximum socket buffer size</descr>
  181. </item>
  182. <item>
  183. <descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
  184. <tunable>vm.pmap.pti</tunable>
  185. <value>default</value>
  186. </item>
  187. <item>
  188. <descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
  189. <tunable>hw.ibrs_disable</tunable>
  190. <value>default</value>
  191. </item>
  192. <item>
  193. <descr>Hide processes running as other groups</descr>
  194. <tunable>security.bsd.see_other_gids</tunable>
  195. <value>default</value>
  196. </item>
  197. <item>
  198. <descr>Hide processes running as other users</descr>
  199. <tunable>security.bsd.see_other_uids</tunable>
  200. <value>default</value>
  201. </item>
  202. <item>
  203. <tunable>net.inet.ip.redirect</tunable>
  204. <value>default</value>
  205. <descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,&#xD;
  206. and for the sender directly reachable, route and next hop is known.&#xD;
  207. </descr>
  208. </item>
  209. <item>
  210. <tunable>net.inet.icmp.drop_redirect</tunable>
  211. <value>default</value>
  212. <descr>Enable/disable dropping of ICMP Redirect packets</descr>
  213. </item>
  214. <item>
  215. <tunable>hw.em.0.eee_setting</tunable>
  216. <value>1</value>
  217. <descr>hw.em.0.eee_setting</descr>
  218. </item>
  219. <item>
  220. <tunable>hw.em.1.eee_setting</tunable>
  221. <value>1</value>
  222. <descr/>
  223. </item>
  224. <item>
  225. <tunable>dev.igb.0.eee_disabled</tunable>
  226. <value>1</value>
  227. <descr/>
  228. </item>
  229. <item>
  230. <tunable>dev.igb.1.eee_disabled</tunable>
  231. <value>1</value>
  232. <descr/>
  233. </item>
  234. <item>
  235. <tunable>legal.intel_ipw.license_ack</tunable>
  236. <value>1</value>
  237. <descr/>
  238. </item>
  239. <item>
  240. <tunable>legal.intel_iwi.license_ack</tunable>
  241. <value>1</value>
  242. <descr/>
  243. </item>
  244. <item>
  245. <tunable>kern.ipc.nmbclusters</tunable>
  246. <value>1000000</value>
  247. <descr>kern.ipc.nmbclusters</descr>
  248. </item>
  249. <item>
  250. <tunable>vm.kmem_size</tunable>
  251. <value>1g</value>
  252. <descr>vm.kmem_size</descr>
  253. </item>
  254. <item>
  255. <descr>cluster</descr>
  256. <tunable>kern.ipc.nmbclusters</tunable>
  257. <value>1000000</value>
  258. </item>
  259. <item>
  260. <descr>flow controll default full 3</descr>
  261. <tunable>hw.ix.fc_setting</tunable>
  262. <value>0</value>
  263. </item>
  264. <item>
  265. <descr>receive descriptors allocated by the driver max 4096</descr>
  266. <tunable>hw.ix.rxd</tunable>
  267. <value>4096</value>
  268. </item>
  269. <item>
  270. <descr>transmit descriptors allocated by the driver max 4096</descr>
  271. <tunable>hw.ix.txd</tunable>
  272. <value>4096</value>
  273. </item>
  274. <item>
  275. <descr>Number of queues used for data transfer</descr>
  276. <tunable>hw.ix.num_queues</tunable>
  277. <value>4</value>
  278. </item>
  279. <item>
  280. <descr>enable Adaptive Interrupt Moderation def 1</descr>
  281. <tunable>hw.ix.enable_aim</tunable>
  282. <value>1</value>
  283. </item>
  284. <item>
  285. <descr>xxxxxxxxxxxxxx</descr>
  286. <tunable>net.pf.states_hashsize</tunable>
  287. <value>2097152</value>
  288. </item>
  289. <item>
  290. <descr>xxxxxxxxxxxxxx</descr>
  291. <tunable>net.pf.source_nodes_hashsize</tunable>
  292. <value>65536</value>
  293. </item>
  294. <item>
  295. <descr>xxxxxxxxxxxxxx</descr>
  296. <tunable>net.link.ifqmaxlen - sum receive descriptors allocated</tunable>
  297. <value>8192</value>
  298. </item>
  299. <item>
  300. <descr>interrupt rate</descr>
  301. <tunable>hw.ix.max_interrupt_rate</tunable>
  302. <value>96000</value>
  303. </item>
  304. <item>
  305. <descr>Allows NIC to process packets as fast as they are received</descr>
  306. <tunable>hw.ix.enable_msix</tunable>
  307. <value>1</value>
  308. </item>
  309. <item>
  310. <descr>Allows NIC to process packets as fast as they are received</descr>
  311. <tunable>hw.pci.enable_msix</tunable>
  312. <value>1</value>
  313. </item>
  314. <item>
  315. <descr>Disable Energy Efficiency</descr>
  316. <tunable>dev.ix.0.eee_disabled</tunable>
  317. <value>1</value>
  318. </item>
  319. <item>
  320. <descr>Disable Energy Efficiency</descr>
  321. <tunable>dev.ix.1.eee_disabled</tunable>
  322. <value>1</value>
  323. </item>
  324. <item>
  325. <descr>Disable Energy Efficiency ee driver def1</descr>
  326. <tunable>hw.em.eee_setting</tunable>
  327. <value>1</value>
  328. </item>
  329. <item>
  330. <descr>Energy Efficiency ee driver</descr>
  331. <tunable>dev.em.0.eee_control</tunable>
  332. <value>0</value>
  333. </item>
  334. <item>
  335. <descr>Energy Efficiency ee driver</descr>
  336. <tunable>dev.em.1.eee_control</tunable>
  337. <value>0</value>
  338. </item>
  339. <item>
  340. <descr>Allows NIC to process packets as fast as they are received</descr>
  341. <tunable>dev.ix.0.eee_disabled</tunable>
  342. <value>1</value>
  343. </item>
  344. <item>
  345. <descr>maximum number of received packets to process at a time, The default is 100 -1 unlimited</descr>
  346. <tunable>hw.em.rx_process_limit</tunable>
  347. <value>-1</value>
  348. </item>
  349. <item>
  350. <descr>Allows NIC to process packets as fast as they are received</descr>
  351. <tunable>dev.ix.0.eee_disabled</tunable>
  352. <value>1</value>
  353. </item>
  354. <item>
  355. <descr>Larger hashes eat more memory, but I can make the buckets smaller while supporting the same number of cookies</descr>
  356. <tunable>net.inet.tcp.syncache.hashsize</tunable>
  357. <value>2048</value>
  358. </item>
  359. <item>
  360. <descr>This is linear scaling. Larger buckets result in longer worst case times</descr>
  361. <tunable>net.inet.tcp.syncache.bucketlimit</tunable>
  362. <value>16</value>
  363. </item>
  364. <item>
  365. <descr>roughly hash size times bucket limit</descr>
  366. <tunable>net.inet.tcp.syncache.cachelimit</tunable>
  367. <value>32768</value>
  368. </item>
  369. <item>
  370. <descr>hw.pci.do_power_suspend=</descr>
  371. <tunable>hw.pci.do_power_suspend=</tunable>
  372. <value>0</value>
  373. </item>
  374. <item>
  375. <descr>net.inet.tcp.recvbuf_inct</descr>
  376. <tunable>net.inet.tcp.recvbuf_inc</tunable>
  377. <value>65536</value>
  378. </item>
  379. <item>
  380. <descr>net.inet.tcp.recvbuf_max</descr>
  381. <tunable>net.inet.tcp.recvbuf_max</tunable>
  382. <value>4194304</value>
  383. </item>
  384. <item>
  385. <descr>net.inet.tcp.recvspace</descr>
  386. <tunable>net.inet.tcp.recvspace</tunable>
  387. <value>65536</value>
  388. </item>
  389. <item>
  390. <descr>net.inet.tcp.sendbuf_inc</descr>
  391. <tunable>net.inet.tcp.sendbuf_inc</tunable>
  392. <value>65536</value>
  393. </item>
  394. <item>
  395. <descr>net.inet.tcp.sendbuf_max</descr>
  396. <tunable>net.inet.tcp.sendbuf_max</tunable>
  397. <value>4194304</value>
  398. </item>
  399. <item>
  400. <descr>net.inet.tcp.sendspace</descr>
  401. <tunable>net.inet.tcp.sendspace</tunable>
  402. <value>65536</value>
  403. </item>
  404. <item>
  405. <descr>net.inet.tcp.mssdflt=</descr>
  406. <tunable>net.inet.tcp.mssdflt=</tunable>
  407. <value>1460</value>
  408. </item>
  409. <item>
  410. <descr>net.inet.tcp.minmss</descr>
  411. <tunable>net.inet.tcp.minmss</tunable>
  412. <value>536</value>
  413. </item>
  414. <item>
  415. <descr>net.inet.tcp.cc.abe</descr>
  416. <tunable>net.inet.tcp.cc.abe</tunable>
  417. <value>1</value>
  418. </item>
  419. <item>
  420. <descr>dev.ix.0.iflib.rx_budget</descr>
  421. <tunable>dev.ix.0.iflib.rx_budget</tunable>
  422. <value>65535</value>
  423. </item>
  424. <item>
  425. <descr>dev.ix.1.iflib.rx_budget</descr>
  426. <tunable>dev.ix.1.iflib.rx_budget</tunable>
  427. <value>65535</value>
  428. </item>
  429. <item>
  430. <descr>hw.ix.rx_process_limit</descr>
  431. <tunable>hw.ix.rx_process_limit</tunable>
  432. <value>-1</value>
  433. </item>
  434. <item>
  435. <descr>hw.ix.tx_process_limit</descr>
  436. <tunable>hw.ix.tx_process_limit</tunable>
  437. <value>-1</value>
  438. </item>
  439. <item>
  440. <descr>legal.intel_ix.license_ack</descr>
  441. <tunable>legal.intel_ix.license_ack</tunable>
  442. <value>1</value>
  443. </item>
  444. <item>
  445. <descr>legal.intel_ix.license_ack</descr>
  446. <tunable>legal.intel_ix.license_ack</tunable>
  447. <value>1</value>
  448. </item>
  449. </sysctl>sysctl
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!