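#
# sysctl.conf
# Default settings for Dedicated servers
#
# Zoidial, Inc.
# Eric Thern eric@zoidial.com
#
# v0.1 06/03/2001 - initial release
# v0.2 01/02/2002 - added more net.inet options
# v0.3 01/03/2002 - added kern.ipc and kern.randompid stuff
#
# Format: one "mib=value" per line, applied at boot by the rc scripts;
# "#" starts a full-line comment.  MIBs that are read-only at runtime
# (noted below) must be set in the kernel config instead.

# limit responses to ICMP for bandwidth purposes
# icmplim is the per-second cap on ICMP error replies (and TCP RSTs);
# 10/s is aggressive and can mask diagnostics - raise if it gets in the way
net.inet.icmp.icmplim=10
# don't answer ICMP address-mask requests (network reconnaissance)
net.inet.icmp.maskrepl=0
# ignore ICMP redirects (blocks route manipulation via spoofed redirects)
net.inet.icmp.drop_redirect=0
# don't answer broadcast/multicast echo (smurf-style amplification)
# NOTE: was previously written "net.icmp.bmcastecho", which is not a valid
# MIB and was silently ignored - the knob lives under net.inet.icmp
net.inet.icmp.bmcastecho=0

# icmp may NOT rst, thank you very much
# (ICMP unreachables no longer abort TCP connection attempts, so connects
# to unreachable hosts wait for the full timeout instead of failing fast)
net.inet.tcp.icmp_may_rst=0

# drop synfin packets -- we don't need no stinkin' synfin!
net.inet.tcp.drop_synfin=1

# up the maximum connections allowed, good for ddos's
# NOTE: older releases store the listen backlog in a short, so a value this
# large may be clamped - verify with "sysctl kern.ipc.somaxconn" after boot
kern.ipc.somaxconn=65536

# increase the size of network mbufs to allocate
# this is actually a read-only sysctl variable
# must be set in kernel to REALLY be set :(
# to add to kernel:
#   options NMBCLUSTERS=32768
kern.ipc.nmbclusters=32768

# stealth IP networking
# 0 = disabled; enabling (1) requires a kernel built with "options IPSTEALTH"
net.inet.ip.stealth=0

# set rfc extensions (RFC 1323 window scaling and timestamps)
net.inet.tcp.rfc1323=1

# security against stealth port scans and some DoS attacks
# tcp.blackhole=2 drops SYNs to closed ports without sending an RST;
# udp.blackhole=1 drops datagrams to closed ports without ICMP unreachable
# (side effect: inbound traceroute to this host may no longer complete,
# so adjust monitoring expectations accordingly)
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

# show only those processes of which you own
# (newer releases expose this as security.bsd.see_other_uids=0 - confirm
# which spelling your kernel accepts)
kern.ps_showallprocs=0

# randomize process ID's ... keep them guessing!
# (non-zero enables randomization; the meaning of the number itself is
# release-dependent - confirm against sysctl(8) for your kernel)
kern.randompid=348

# stops syn flood attacks, and route cache degradation during a
# high-bandwidth flood
# rtexpire / rtminexpire are in seconds, rtmaxcache is a count of entries
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=256

# don't accept sourcerouted packets
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0

# settings to secure a jail a bit
# jailed root may not change the hostname
jail.set_hostname_allowed=0
# jailed processes may only create UNIX, IPv4 and routing sockets
jail.socket_unixiproute_only=1
# no SysV IPC inside jails (keeps jails from sharing the host IPC namespace)
jail.sysvipc_allowed=0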