Sysctl tuning

wattie (Verified User, joined May 31, 2008, 1,234 messages, Bulgaria)
May we share our experience in tuning sysctl.conf? Here is what I did on my machine:

Code:
security.bsd.see_other_uids=0           # Disallow users to see processes of other uids
security.bsd.see_other_gids=0           # Disallow users to see processes of other gids
security.bsd.unprivileged_read_msgbuf=0 # Disallow unprivileged users to read the kernel message buffer (dmesg)
security.bsd.unprivileged_proc_debug=0  # Disallow unprivileged processes to use ptrace(2) and other debug facilities
security.bsd.stack_guard_page=1         # Additional stack protection (guard page below the stack)
net.inet6.ip6.v6only=0                  # Wildcard ipv6 bindings also bind to ipv4
net.inet.tcp.msl=15000                  # Maximum Segment Lifetime (ms); TIME_WAIT lasts 2*MSL
net.inet.tcp.blackhole=2                # Don't answer on closed TCP ports (2 = SYN and all other segments)
net.inet.udp.blackhole=1                # Don't answer on closed UDP ports
net.inet.icmp.icmplim=200               # Rate-limit ICMP error replies (and TCP RSTs) per second
kern.ipc.somaxconn=32768                # Max listen(2) backlog (pending connection queue)
net.inet.tcp.maxtcptw=40960             # Max compressed TCP TIME_WAIT entries
net.inet.tcp.nolocaltimewait=1          # No compressed TCP TIME_WAIT for local conns
net.inet.ip.portrange.first=1024        # First port for outbound
net.inet.ip.portrange.last=65535        # Last port for outbound
net.inet.ip.portrange.randomized=0      # 0 disables random source port allocation (FreeBSD default is 1; 0 makes ports predictable)
net.inet.tcp.finwait2_timeout=15000     # FIN_WAIT_2 timeout (ms)
net.inet.tcp.fast_finwait2_recycle=1    # Recycle closed FIN_WAIT_2 connections faster
net.inet.ip.fw.dyn_buckets=4096         # Max dyn buckets (ipfw)
net.inet.ip.fw.dyn_max=65536            # Max number of dyn rules
net.inet.ip.fw.dyn_keepalive=1          # Enable keepalive for ipfw dynamic rules
net.inet.ip.forwarding=0                # Disable ip forwarding
net.inet.icmp.drop_redirect=1           # Ignore ICMP redirects
net.inet.ip.redirect=0                  # Disable sending IP redirects
net.inet.icmp.log_redirect=0            # No prints of icmp redirects in console
net.inet.ip.intr_queue_maxlen=512       # Maximum size of the IP input queue
net.inet.ip.random_id=1                 # Random id's for IP packets
net.inet.tcp.drop_synfin=1              # Drop TCP packets with SYN+FIN
net.inet.tcp.syncookies=1               # Use cookies if the syncache is filled
net.inet.tcp.delayed_ack=0              # No delays for ACK
net.inet.udp.maxdgram=57344             # Maximum outgoing UDP datagram size
net.inet.icmp.maskrepl=0                # Don't reply to ICMP mask requests
#net.inet.icmp.bmcastecho=0             # Don't respond to broadcast echo (smurf attacks)
net.inet.tcp.icmp_may_rst=0             # Don't let ICMP unreachable messages abort connections in SYN_SENT
net.inet.ip.fw.one_pass=0               # No single pass through ipfw when using dummynet(4)
kern.maxfiles=65536                     # Max number of open files (system-wide)
kern.maxfilesperproc=32000              # Max number of open files per process
net.inet.ip.accept_sourceroute=0        # Disable accepting source routed IP packets
net.inet.ip.sourceroute=0               # Disable forwarding source routed IP packets
net.inet.ip.fw.verbose=1                # Log matches to ipfw rules
net.inet.ip.fw.verbose_limit=5          # Upper limit of matches of ipfw rules logged
#net.inet.tcp.fastopen.enabled=1        # To use, it must be enabled in custom kernel first
kern.ipc.maxsockbuf=2097152             # Global maximum socket buffer
net.inet.tcp.recvspace=262144           # TCP receive socket buffer
net.inet.tcp.sendspace=262144           # TCP send socket buffer
net.inet.udp.recvspace=262144           # UDP receive socket buffer
net.inet.udp.sendspace=262144           # UDP send socket buffer
net.inet.tcp.mssdflt=1452               # maximum segment size (1452 from scrub pf.conf)
vm.defer_swapspace_pageouts=1           # try to avoid using swap
vm.pmap.pg_ps_enabled=1                 # for huge pages support (loader tunable: set it in /boot/loader.conf, read-only at runtime)
net.inet.ip.rtexpire=2                  # Expire unused cloned route entries after 2 s
net.inet.ip.rtminexpire=2               # Minimum route expiry (s) when the cache is under pressure
net.inet.ip.rtmaxcache=256              # Max number of cached route entries before expiry is forced

I still wonder a lot about whether to use syncookies or not.
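A small audit script, added here as an example and not part of wattie's post: it parses a sysctl.conf in the format shown above (tabs, spaces and trailing comments included), separates active from commented-out entries, and reports every security-relevant key that is weaker than, commented out of, or missing from an assumed hardening policy built from the post's own keys. The POLICY values and the SAMPLE excerpt are constructed for the example.

```python
import re

# Hardening keys from the post and the value a hardened host should carry (assumed policy);
# portrange.randomized=1 is the FreeBSD default, which the post's value of 0 weakens.
POLICY = {
    "security.bsd.see_other_uids": "0",
    "security.bsd.unprivileged_proc_debug": "0",
    "net.inet.tcp.blackhole": "2",
    "net.inet.udp.blackhole": "1",
    "net.inet.ip.forwarding": "0",
    "net.inet.icmp.drop_redirect": "1",
    "net.inet.ip.redirect": "0",
    "net.inet.tcp.drop_synfin": "1",
    "net.inet.tcp.syncookies": "1",
    "net.inet.ip.accept_sourceroute": "0",
    "net.inet.ip.portrange.randomized": "1",
    "net.inet.icmp.bmcastecho": "0",
}
# key=value, optionally disabled with a leading '#', followed by an optional trailing comment.
LINE_RE = re.compile(r"^\s*(#?)\s*([A-Za-z0-9_.]+)\s*=\s*([^#\s]+)")

def parse_sysctl_conf(text):
    """Return (active, commented) dicts of key -> value; tabs and trailing comments are tolerated."""
    active, commented = {}, {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            disabled, key, value = m.groups()
            (commented if disabled else active)[key] = value
    return active, commented

def audit(text):
    """List (key, status, value) for every POLICY key that is weak, commented out or missing."""
    active, commented = parse_sysctl_conf(text)
    findings = []
    for key, want in POLICY.items():
        if key in active:
            if active[key] != want:
                findings.append((key, "weak", active[key]))
        elif key in commented:
            findings.append((key, "commented-out", commented[key]))
        else:
            findings.append((key, "missing", None))
    return sorted(findings)

# Constructed excerpt in the post's own format (spaces and tabs mixed, as in the original).
SAMPLE = """net.inet.tcp.blackhole=2                # Don't answer on closed TCP ports
net.inet.ip.portrange.randomized=0      # comment in the post says 'enable'
#net.inet.icmp.bmcastecho=0\t\t\t\t# Don't respond to broadcast (smurf attacks)
net.inet.tcp.syncookies=1\t\t\t\t# Use cookies if cache is filled
"""
```

Run `audit(open("/etc/sysctl.conf").read())` on a real file to get the same three kinds of findings; pair it with `sysctl -n <key>` to confirm the running kernel actually took each value.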
 
I know this is old, but thanks.

Would most of this still be relevant on 12.1?