<sysctl>
  <item>
    <descr>Disable the pf ftp proxy handler.</descr>
    <tunable>debug.pfftpproxy</tunable>
    <value>default</value>
  </item>
  <item>
    <tunable>vfs.read_max</tunable>
    <value>default</value>
    <descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
  </item>
  <item>
    <descr>Set the ephemeral port range to be lower.</descr>
    <tunable>net.inet.ip.portrange.first</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Drop packets to closed TCP ports without returning a RST</descr>
    <tunable>net.inet.tcp.blackhole</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
    <tunable>net.inet.udp.blackhole</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</descr>
    <tunable>net.inet.ip.random_id</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>
      Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
      It can also be used to probe for information about your internal networks. These functions come enabled
      as part of the standard FreeBSD core system.
    </descr>
    <tunable>net.inet.ip.sourceroute</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>
      Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
      It can also be used to probe for information about your internal networks. These functions come enabled
      as part of the standard FreeBSD core system.
    </descr>
    <tunable>net.inet.ip.accept_sourceroute</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>
      Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
      to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
      packets without returning a response.
    </descr>
    <tunable>net.inet.icmp.drop_redirect</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>
      This option turns off the logging of redirect packets because there is no limit and this could fill
      up your logs consuming your whole hard drive.
    </descr>
    <tunable>net.inet.icmp.log_redirect</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
    <tunable>net.inet.tcp.drop_synfin</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Enable sending IPv4 redirects</descr>
    <tunable>net.inet.ip.redirect</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Enable sending IPv6 redirects</descr>
    <tunable>net.inet6.ip6.redirect</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
    <tunable>net.inet6.ip6.use_tempaddr</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Prefer privacy addresses and use them over the normal addresses</descr>
    <tunable>net.inet6.ip6.prefer_tempaddr</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
    <tunable>net.inet.tcp.syncookies</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
    <tunable>net.inet.tcp.recvspace</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
    <tunable>net.inet.tcp.sendspace</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
    <tunable>net.inet.tcp.delayed_ack</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Maximum outgoing UDP datagram size</descr>
    <tunable>net.inet.udp.maxdgram</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
    <tunable>net.link.bridge.pfil_onlyip</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
    <tunable>net.link.bridge.pfil_local_phys</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
    <tunable>net.link.bridge.pfil_member</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Set to 1 to enable filtering on the bridge interface</descr>
    <tunable>net.link.bridge.pfil_bridge</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Allow unprivileged access to tap(4) device nodes</descr>
    <tunable>net.link.tap.user_open</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
    <tunable>kern.randompid</tunable>
    <value>default</value>
  </item>
  <item>
    <tunable>net.inet.ip.intr_queue_maxlen</tunable>
    <value>default</value>
    <descr>Maximum size of the IP input queue</descr>
  </item>
  <item>
    <descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
    <tunable>hw.syscons.kbd_reboot</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Enable TCP extended debugging</descr>
    <tunable>net.inet.tcp.log_debug</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Set ICMP Limits</descr>
    <tunable>net.inet.icmp.icmplim</tunable>
    <value>default</value>
  </item>
  <item>
    <tunable>net.inet.tcp.tso</tunable>
    <value>0</value>
    <descr>TCP Offload Engine</descr>
  </item>
  <item>
    <tunable>net.inet.udp.checksum</tunable>
    <value>default</value>
    <descr>UDP Checksums</descr>
  </item>
  <item>
    <tunable>kern.ipc.maxsockbuf</tunable>
    <value>default</value>
    <descr>Maximum socket buffer size</descr>
  </item>
  <item>
    <descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
    <tunable>vm.pmap.pti</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
    <tunable>hw.ibrs_disable</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Hide processes running as other groups</descr>
    <tunable>security.bsd.see_other_gids</tunable>
    <value>default</value>
  </item>
  <item>
    <descr>Hide processes running as other users</descr>
    <tunable>security.bsd.see_other_uids</tunable>
    <value>default</value>
  </item>
  <item>
    <tunable>net.inet.ip.redirect</tunable>
    <value>default</value>
    <descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
      and for the sender directly reachable, route and next hop is known.
    </descr>
  </item>
  <item>
    <tunable>net.inet.icmp.drop_redirect</tunable>
    <value>default</value>
    <descr>Enable/disable dropping of ICMP Redirect packets</descr>
  </item>
  <item>
    <tunable>hw.em.0.eee_setting</tunable>
    <value>1</value>
    <descr>hw.em.0.eee_setting</descr>
  </item>
  <item>
    <tunable>hw.em.1.eee_setting</tunable>
    <value>1</value>
    <descr/>
  </item>
  <item>
    <tunable>dev.igb.0.eee_disabled</tunable>
    <value>1</value>
    <descr/>
  </item>
  <item>
    <tunable>dev.igb.1.eee_disabled</tunable>
    <value>1</value>
    <descr/>
  </item>
  <item>
    <tunable>legal.intel_ipw.license_ack</tunable>
    <value>1</value>
    <descr/>
  </item>
  <item>
    <tunable>legal.intel_iwi.license_ack</tunable>
    <value>1</value>
    <descr/>
  </item>
</sysctl>