May we share our experience in tuning sysctl.conf? Here is what I did on my machine:
I still wonder a lot about whether to use syncookies or not.
Code:
# FreeBSD sysctl.conf(5) tuning; trailing "# ..." text is treated as a comment when the file is loaded
security.bsd.see_other_uids=0 # Disallow users to see processes of other uids
security.bsd.see_other_gids=0 # Disallow users to see processes of other gids
security.bsd.unprivileged_read_msgbuf=0 # Disallow unprivileged users to read the kernel message buffer (dmesg)
security.bsd.unprivileged_proc_debug=0 # Disallow users to use ptrace(2)
security.bsd.stack_guard_page=1 # Additional stack protection
net.inet6.ip6.v6only=0 # Wildcard ipv6 bindings also bind to ipv4
net.inet.tcp.msl=15000 # TCP maximum segment lifetime (ms); TIME_WAIT lasts 2*MSL
net.inet.tcp.blackhole=2 # Don't answer on closed TCP ports
net.inet.udp.blackhole=1 # Don't answer on closed UDP ports
net.inet.icmp.icmplim=200 # Limit ICMP error responses per second
kern.ipc.somaxconn=32768 # Max pending connections per listen(2) backlog
net.inet.tcp.maxtcptw=40960 # Max compressed TCP TIME_WAIT
net.inet.tcp.nolocaltimewait=1 # No compressed TCP TIME_WAIT for local conns
net.inet.ip.portrange.first=1024 # First port for outbound
net.inet.ip.portrange.last=65535 # Last port for outbound
net.inet.ip.portrange.randomized=0 # Disable random port allocation (NOTE: FreeBSD default is 1; randomized source ports make off-path guessing harder, so reconsider)
net.inet.tcp.finwait2_timeout=15000 # Finwait2 timeout (ms)
net.inet.tcp.fast_finwait2_recycle=1 # Recycle closed FIN_WAIT_2 connections faster
net.inet.ip.fw.dyn_buckets=4096 # Max dyn buckets (ipfw)
net.inet.ip.fw.dyn_max=65536 # Max number of dyn rules
net.inet.ip.fw.dyn_keepalive=1 # Enable keepalive for ipfw
net.inet.ip.forwarding=0 # Disable ip forwarding
net.inet.icmp.drop_redirect=1 # Ignore ICMP redirects
net.inet.ip.redirect=0 # Disable sending IP redirects
net.inet.icmp.log_redirect=0 # Don't log ICMP redirects to the console
net.inet.ip.intr_queue_maxlen=512 # Maximum size of the IP input queue
net.inet.ip.random_id=1 # Random id's for IP packets
net.inet.tcp.drop_synfin=1 # Drop TCP packets with SYN+FIN
net.inet.tcp.syncookies=1 # Use SYN cookies when the syncache is full
net.inet.tcp.delayed_ack=0 # No delays for ACK
net.inet.udp.maxdgram=57344 # Maximum outgoing UDP datagram size
net.inet.icmp.maskrepl=0 # Don't reply to ICMP mask
#net.inet.icmp.bmcastecho=0 # Don't respond to broadcast (smurf attacks)
net.inet.tcp.icmp_may_rst=0 # Don't let ICMP unreachable messages abort connections in SYN_SENT
net.inet.ip.fw.one_pass=0 # No single pass through ipfw when using dummynet(4)
kern.maxfiles=65536 # Max number of files
kern.maxfilesperproc=32000 # Max number of files per process
net.inet.ip.accept_sourceroute=0 # Disable accepting source routed IP packets
net.inet.ip.sourceroute=0 # Disable forwarding source routed IP packets
net.inet.ip.fw.verbose=1 # Log matches to ipfw rules
net.inet.ip.fw.verbose_limit=5 # Per-rule cap on logged matches until "ipfw resetlog"
#net.inet.tcp.fastopen.enabled=1 # To use, it must be enabled in custom kernel first
kern.ipc.maxsockbuf=2097152 # Global maximum socket buffer
net.inet.tcp.recvspace=262144 # TCP receive socket buffer
net.inet.tcp.sendspace=262144 # TCP send socket buffer
net.inet.udp.recvspace=262144 # UDP receive socket buffer
net.inet.udp.sendspace=262144 # UDP send socket buffer
net.inet.tcp.mssdflt=1452 # maximum segment size (1452 from scrub pf.conf)
vm.defer_swapspace_pageouts=1 # try to avoid using swap
vm.pmap.pg_ps_enabled=1 # for huge pages support
net.inet.ip.rtexpire=2 # Expiration time (s) for dynamically learned routes (older releases only)
net.inet.ip.rtminexpire=2 # Minimum time (s) to hold dynamically learned routes (older releases only)
net.inet.ip.rtmaxcache=256 # Upper limit on dynamically learned routes (older releases only)
I still wonder a lot about whether to use syncookies or not.