
FreeBSD DO sysctl.conf part 2

Some sysctl settings for performance and hardening on FreeBSD

# $FreeBSD: releng/11.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# see https://calomel.org/freebsd_network_tuning.html
#     https://www.c0ffee.net/blog/freebsd-server-guide
#     https://en.wikipedia.org/wiki/TCP_tuning
#     https://en.wikipedia.org/wiki/TCP_window_scale_option
#     https://en.wikipedia.org/wiki/Bandwidth-delay_product
#     https://www.freebsd.org/doc/handbook/configtuning-sysctl.html
#     https://www.freebsd.org/cgi/man.cgi?query=sysctl&sektion=8&manpath=freebsd-release-ports
#
#     Tuned for DigitalOcean instances with private networking, which expose two Ethernet 10Gbase-T
#     VirtIO NICs with Intel feature support ("Intel inside"); see sysctl hw, dmesg, and ifconfig -m
#

# Applied at boot by /etc/rc.d/sysctl. Comments are kept on their own lines so
# the values do not depend on the parser's handling of trailing text.

# Forward packets between interfaces so the host can act as the firewall/router
# for its jails. This makes the host route for every interface it has, so keep it
# paired with an active firewall ruleset.
net.inet.ip.forwarding=1

# H-TCP congestion control with adaptive backoff and RTT scaling. The cc_htcp(4)
# module must be loaded (e.g. from loader.conf) for these to take effect.
net.inet.tcp.cc.algorithm=htcp
net.inet.tcp.cc.htcp.adaptive_backoff=1
net.inet.tcp.cc.htcp.rtt_scaling=1

# Unprivileged processes may not create hard links to files owned by another
# group / another user (default 0). Known to break Mailman; disable there.
security.bsd.hardlink_check_gid=1
security.bsd.hardlink_check_uid=1

# Processes are only visible to their own gid / uid; root still sees everything
# (default 1). Monitoring, ps or top run as an unprivileged user will no longer
# show other users' processes.
security.bsd.see_other_gids=0
security.bsd.see_other_uids=0

# Insert a guard page ahead of growable segments, stack smashing protection (default 0)
security.bsd.stack_guard_page=1

# Unprivileged processes may not use process debugging facilities (default 1).
# Expect debuggers and tracers (gdb, truss) to fail when run by non-root users.
security.bsd.unprivileged_proc_debug=0

# Unprivileged processes may not read the kernel message buffer / dmesg (default 1)
security.bsd.unprivileged_read_msgbuf=0

# Let jails create raw sockets (ping, traceroute, ...). This relaxes isolation for
# every jail on the host; where only some jails need it, prefer setting
# allow.raw_sockets per jail in jail.conf instead of this global knob.
security.jail.allow_raw_sockets=1

# Cluster read-ahead limit, raised for the SSD-backed disks
vfs.read_max=128