#
# sysctl.conf
#
# Default sysctl's for a dual-use webhosting/shell server.
# Read at boot by rc (/etc/sysctl.conf); one "oid=value" per line,
# '#' starts a full-line comment.
#
# Developed and used on FreeBSD 4.x server(s)
#
# Zoidial, Inc.
# Eric Thern eric@zoidial.com
#
# v0.1 06/03/2001 - initial release
# v0.2 01/02/2002 - added more net.inet options
# v0.3 01/03/2002 - added kern.ipc and kern.randompid stuff
# v0.4 01/08/2003 - added some more nonsense and such.
# v0.5 06/03/2003 - kern.maxfiles
#      AU/UK date scheme change (DD/MM/YYYY from here on), I think. oops?
# v0.6 25/06/2003 - net.inet.ip.fw.one_pass=0 (from 1)
# v0.7 08/07/2003 - net.inet.ip.fw.one_pass=1 (yeah, seems better this way?)
# v0.8 15/10/2003 - net.inet.ip.dummynet.hash_size=2048 (added, more queue buckets)
# v0.9 25/01/2004 - 5.2 COMPLIANT! , security.* stuff added for 5.x
#                 - showallprocs sysctl from 4.x is now incorporated into the
#                 - security.* sysctl's of 5.x systems.
#
#############################
# // NETWORKING SYSCTL's //
#############################
#
# limit responses to ICMP for bandwidth purposes
# (icmplim is a rate limit in packets/second; the other three disable
# netmask replies, ignore ICMP redirects, and ignore broadcast echo
# requests so the box can't be used as a smurf amplifier)
#
net.inet.icmp.icmplim=100
net.inet.icmp.maskrepl=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.bmcastecho=0
#
# icmp may NOT rst, thank you very much
# this is helpful for those pesky spoofed icmp/udp floods
# that end up taking up your outgoing bandwidth due to
# all that outgoing RST traffic.
#
net.inet.tcp.icmp_may_rst=0
#
# drop synfin packets -- we don't need no stinkin' synfin!
#
net.inet.tcp.drop_synfin=1
#
# up the maximum connections allowed, good for ddos's
# NOTE(review): 65536 is one past the 16-bit range; on kernels that keep
# the listen-queue limit in a 16-bit field this would truncate to 0, i.e.
# no backlog at all -- confirm on the running kernel, otherwise 65535 is
# the safe ceiling.
#
kern.ipc.somaxconn=65536
#
# Forces a single pass through the firewall. If set to 0,
# packets coming out of a pipe will be reinjected into the
# firewall starting with the rule after the matching one.
# NOTE: there is always one pass for bridged packets.
#
net.inet.ip.fw.one_pass=1
#
# adds more queue buckets for ipfw dummynet
#
net.inet.ip.dummynet.hash_size=2048
#
# increase the size of network mbufs to allocate
#
kern.ipc.nmbclusters=32768
#
# this is actually a read-only sysctl variable on 4.x
# must be set in kernel to REALLY be set :(
# to add to kernel:
# options NMBCLUSTERS=32768
#
# In FreeBSD 5.x this should work, however.
#
#
# stealth IP networking ( 0 = off )
#
net.inet.ip.stealth=0
#
# set rfc extensions (time stamps on netcraft)
# set to 0 if you don't want this to show
# (turning it off also drops window scaling, so throughput on fat pipes suffers)
#
net.inet.tcp.rfc1323=1
#
# security against stealth port scans and some DoS attacks
# tcp: 2 = drop ALL segments to closed ports without a RST, 1 = SYN only
# udp: 1 = no ICMP port-unreachable for closed ports
# NOTE(review): this also hides closed ports from legitimate probes, so keep it
# in mind when troubleshooting "connection hangs" instead of "connection refused".
#
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
#
# stops some syn flood attacks, and route cache degradation during a high-bandwidth flood
# (route entries expire after rtexpire seconds, never sooner than rtminexpire,
# and rtmaxcache caps how many cloned routes are kept)
#
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=256
#
# don't accept source-routed packets (they are evil, gross, and have cooties)
# accept_sourceroute controls receiving them, sourceroute controls forwarding them
#
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
#
# don't log arp responses when you have two interfaces
# this gets way annoying when you have, say, fxp1 and fxp0 on two separate networks
# but are on the same physical line or hub/switch
#
net.link.ether.inet.log_arp_wrong_iface=0
##########################
# // PROCESS SYSCTL's //
##########################
#
# show only those processes that you own
#
#kern.ps_showallprocs=0
#
# NOTE: in FreeBSD 5.x, this is no longer a sysctl variable.
# please see the security sysctl's below, there are two variables there
# that restrict process viewing by UID and GID.
#
#
# show only the basic process, no arguments
# examples (non root user running ps on a specific PID):
#
# with this set to 1:
# PID TT STAT TIME COMMAND
# 3989 ?? SNs 0:19.86 /usr/sbin/named -u bind -g bind -c named.conf -t /etc/namedb
#
# with this set to 0:
# PID TT STAT TIME COMMAND
# 3989 ?? SNs 0:19.86 (named)
#
# obviously obscures things in a more fundamental way when set to zero
# (command-line arguments are where passwords and keys tend to leak).
#
kern.ps_argsopen=0
#
# randomize process ID's ... keep them guessing!
# NOTE(review): on 4.x/5.x the value appears to be the randomization range
# (modulus) rather than an on/off flag -- confirm against the running release.
#
kern.randompid=348
#######################
# // JAIL SYSCTL's //
#######################
#
# settings to secure a jail a bit
# (jails may not change their hostname; sockets limited to unix/ip/route domains)
#
security.jail.set_hostname_allowed=0
security.jail.socket_unixiproute_only=1
#
# setting sysvipc to 1 allows for shared memory segments to be viewable throughout
# the entire system, this COULD BE USED MALICIOUSLY.
# However, I need this to run things within jails that require SYSVIPC.
# NOTE(review): the default is presumably 0; re-check whether the jailed
# services still need this before keeping it on.
#
# a possible fix for this would be to install some patches to the jail system that provide
# unique memory segments for each jail. Found at http://garage.freebsd.pl
# I haven't played with this much, the only time i've tried it, it would never patch my source cleanly
# so I gave up.
#
security.jail.sysvipc_allowed=1
###########################
# // SECURITY SYSCTL's //
###########################
#
# settings to secure the system a bit
#
# default here is '1' (uid 0 keeps its privileges)
security.bsd.suser_enabled=1
#
# don't want normal users seeing what other people or groups are running!
# (this also applies to all jailed systems)
#
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
#
# these two are set to defaults
# NOTE(review): unprivileged_proc_debug=1 leaves unprivileged process debugging
# (ptrace/procfs) allowed; 0 is the hardening option on a shell box if nothing
# the users run depends on it -- verify before changing.
security.bsd.conservative_signals=1
security.bsd.unprivileged_proc_debug=1
#
# We don't want people being able to read msgbuf of the entire system
# ESPECIALLY not client jails! With this enabled, they can see the logs of the subsystem!
# (and that's no good, in case you weren't thinking)
#
security.bsd.unprivileged_read_msgbuf=0
#
# by default this is '0'
security.bsd.unprivileged_get_quota=0
#########################
# // KERNEL SYSCTL's //
#########################
#
# update maximum files allowed for the kernel
#
kern.maxfiles=65536
#
# increase shared memory sizes (useful for apache/php/etc.)
# shmmax is bytes per segment; shmall is total -- presumably in pages,
# which at 4K pages is 128MB; verify on the target release.
#
kern.ipc.shmmax=33554432
kern.ipc.shmall=32768