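#
# sysctl.conf
#
# Default sysctl's for a dual-use webhosting/shell server
#
# Developed and used on FreeBSD 4.x server(s)
#
# Zoidial, Inc.
# Eric Thern eric@zoidial.com
#
# v0.1 06/03/2001 - initial release
# v0.2 01/02/2002 - added more net.inet options
# v0.3 01/03/2002 - added kern.ipc and kern.randompid stuff
# v0.4 01/08/2003 - added some more nonsense and such.
# v0.5 06/03/2003 - kern.maxfiles
# v0.6 25/06/2003 - net.inet.ip.fw.one_pass=0 (from 1)
#
# Format: one "name=value" per line, applied by sysctl(8) at boot.
# Full-line "#" comments only -- no trailing comments on value lines.
# An OID the running kernel does not know is reported as an error at boot
# and skipped, so compare against "sysctl -a" on the target kernel when a
# setting appears to have no effect.
#
# NOTE(review): this file was written for 4.x; a number of these OIDs were
# renamed in 5.x and later (e.g. kern.ps_showallprocs -> security.bsd.see_other_uids,
# jail.* -> security.jail.*). Confirm names against the deployed kernel.
#
#############################
# // NETWORKING SYSCTL's //
#############################
#
# limit responses to ICMP for bandwidth purposes
# (icmplim caps the number of ICMP responses sent per second)
#
net.inet.icmp.icmplim=10
net.inet.icmp.maskrepl=0
net.inet.icmp.drop_redirect=1
#
# FIX: previously written as "net.icmp.bmcastecho", which is not a valid
# OID and so was never applied. The switch that stops the host answering
# echo requests sent to broadcast/multicast addresses (smurf amplification)
# lives under net.inet.icmp.
#
net.inet.icmp.bmcastecho=0
#
# icmp may NOT rst, thank you very much
# this is helpful for those pesky spoofed icmp/udp floods
# that end up taking up your outgoing bandwidth due to
# all that outgoing RST traffic.
#
net.inet.tcp.icmp_may_rst=0
#
# drop synfin packets -- we don't need no stinkin' synfin!
# NOTE: on 4.x this knob only exists when the kernel was built with
# "options TCP_DROP_SYNFIN"; otherwise it is reported as unknown at boot.
#
net.inet.tcp.drop_synfin=1
#
# up the maximum connections allowed, good for ddos's
# This is the upper bound for the listen(2) backlog, not a per-socket
# default; applications still request their own backlog.
# NOTE(review): on the 4.x kernels this file targets the per-socket queue
# limit is stored in a 16-bit field, so a backlog this large may wrap for
# applications that ask for "the maximum" -- verify with the target kernel
# before relying on 65536; 32767 is the safe ceiling if in doubt.
#
kern.ipc.somaxconn=65536
#
# Forces a single pass through the firewall. If set to 0,
# packets coming out of a pipe will be reinjected into the
# firewall starting with the rule after the matching one.
# NOTE: there is always one pass for bridged packets.
#
net.inet.ip.fw.one_pass=0
#
# increase the size of network mbufs to allocate
#
kern.ipc.nmbclusters=32768
#
# this is actually a read-only sysctl variable on 4.x
# must be set in kernel to REALLY be set :(
# to add to kernel:
# options NMBCLUSTERS=32768
#
# In FreeBSD 5.x this should work, however.
# (Expect a harmless "read-only" error at boot on 4.x until the kernel
# option is in place.)
#
#
# stealth IP networking
# (requires "options IPSTEALTH" in the kernel; left off here)
#
net.inet.ip.stealth=0
#
# set rfc extensions (time stamps on netcraft)
# set to 0 if you don't want this to show
# (TCP timestamps are what let an outside party estimate uptime;
# disabling them also loses window scaling/PAWS on long-fat links)
#
net.inet.tcp.rfc1323=1
#
# security against stealth port scans and some DoS attacks
# tcp.blackhole=2 drops SYNs to closed ports silently instead of sending
# RST; udp.blackhole=1 drops packets to closed UDP ports instead of
# sending ICMP unreachable. Side effect: connections to a closed local
# port hang until timeout rather than failing fast, which can make local
# misconfiguration harder to diagnose.
#
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
#
# stops some syn flood attacks, and route cache degradation during a high-bandwidth flood
# (route cache entries expire after 2 seconds and the cache holds at most 256)
#
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=256
#
# don't accept sourcerouted packets (they are evil, gross, and have cooties)
# accept_sourceroute=0 drops source-routed packets addressed to us;
# sourceroute=0 refuses to forward them.
#
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
#
# don't log arp responses when you have two interfaces
# this gets way annoying when you have , say, fxp1 and fxp0 on two separate networks
# but are on the same physical line or hub/switch
#
net.link.ether.inet.log_arp_wrong_iface=0
##########################
# // PROCESS SYSCTL's //
##########################
#
# show only those processes of which you own
# (renamed security.bsd.see_other_uids in 5.x; 0 there has the same meaning)
#
kern.ps_showallprocs=0
#
# show only the basic process, no arguments
# examples (non root user running ps on a specific PID):
#
# with this set to 1:
# PID TT STAT TIME COMMAND
# 3989 ?? SNs 0:19.86 /usr/sbin/named -u bind -g bind -c named.conf -t /etc/namedb
#
# with this set to 0:
# PID TT STAT TIME COMMAND
# 3989 ?? SNs 0:19.86 (named)
#
# obviously obscures things in a more fundamental way when set to zero.
# NOTE(review): kern.ps_argsopen does not exist on 5.x and later kernels --
# confirm before deploying beyond 4.x.
#
kern.ps_argsopen=0
#
# randomize process ID's ... keep them guessing!
# Any non-zero value turns randomisation on; the kernel adjusts the range
# it actually uses, so the value reported back by sysctl may differ from 348.
#
kern.randompid=348
#######################
# // JAIL SYSCTL's //
#######################
#
# settings to secure a jail a bit
#
# set_hostname_allowed=0: jailed root cannot change the hostname.
# socket_unixiproute_only=1: jailed processes may only create unix,
#   inet and route sockets (no raw link-layer sockets).
#
jail.set_hostname_allowed=0
jail.socket_unixiproute_only=1
#
# NOTE(review): sysvipc_allowed=1 *relaxes* isolation rather than tightening
# it -- on 4.x System V IPC is not namespaced per jail, so a jailed process
# can see and attach to segments/semaphores of the host and other jails.
# Keep it at 1 only because a jailed service (e.g. a database) needs SysV
# IPC; set it to 0 otherwise.
#
jail.sysvipc_allowed=1
#########################
# // KERNEL SYSCTL's //
#########################
#
# update maximum files allowed for the kernel
# (this key used to appear twice in this file; the copy in the networking
# section was dropped so there is a single, authoritative setting here)
#
kern.maxfiles=65536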