Skip to content
Permalink
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
73 lines (63 sloc) 3.53 KB
#==============================
# Project Trident system tuning defaults
# DO NOT CHANGE
# Will be replaced on every update
# Overwrite these settings via /etc/sysctl.conf
#==============================
# define EVDEV_RCPT_SYSMOUSE (1<<0)
# define EVDEV_RCPT_KBDMUX (1<<1)
# define EVDEV_RCPT_HW_MOUSE (1<<2)
# define EVDEV_RCPT_HW_KBD (1<<3)
# Legacy mode
#kern.evdev.rcpt_mask=3
# Libinput and friends
#kern.evdev.rcpt_mask=12
# Indirect Branch Restricted Speculation
# Ensure that the restrictions are enabled by default (not disabled)
hw.ibrs_disable=0
# 4K block size for ZFS by default (better performance)
# This matches what the installer already sets up.
vfs.zfs.min_auto_ashift=12
# Ensure that
# =========
# Sysctl tuning below was *selectively* taken from
# https://gist.github.com/clemensg/8828061
# Written by Clemens Gruber : Feb 5th, 2014
# Copied here by Ken Moore, August 13, 2018
# =========
# Increase VFS read-ahead (better disk performance - particularly for SSDs)
# FreeBSD Default: 64
vfs.read_max=128
# maximum segment size (MSS) specifies the largest amount of data in a single TCP segment
# For most networks 1460 is optimal, but you may want to be cautious and use
# 1440. This smaller MSS allows an extra 20 bytes of space for those client which are on a
# DSL line which may use PPPoE. These networks have extra header data stored in
# the packet and if there is not enough space, must be fragmented over additional
# partially filled packets.
# Default: 536
net.inet.tcp.mssdflt=1440
# Loopback interface tuning
net.inet.tcp.nolocaltimewait=1 #Do not create compressed TCP TIME_WAIT entries for local connections
# General Security and DoS mitigation.
net.inet.ip.check_interface=1 # verify packet arrives on correct interface (default 0)
net.inet.ip.process_options=0 # IP options in the incoming packets will be ignored (default 1)
net.inet.ip.random_id=1 # assign a random IP_ID to each packet leaving the system (default 0)
net.inet.ip.redirect=0 # do not send IP redirects (default 1)
net.inet.icmp.drop_redirect=1 # no redirected ICMP packets (default 0)
net.inet.tcp.always_keepalive=0 # tcp keep alive detection for dead peers, can be spoofed (default 1)
net.inet.tcp.drop_synfin=1 # SYN/FIN packets get dropped on initial connection (default 0)
net.inet.tcp.icmp_may_rst=0 # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
net.inet.tcp.msl=15000 # 15s maximum segment life waiting for an ACK in reply to a SYN-ACK or FIN-ACK (default 30000)
net.inet.tcp.path_mtu_discovery=0 # disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1)
net.inet.tcp.rfc3042=0 # disable limited transmit mechanism which can slow burst transmissions (default 1)
net.inet.udp.blackhole=1 # drop udp packets destined for closed sockets (default 0)
net.inet.tcp.blackhole=2 # drop tcp packets destined for closed ports (default 0)
net.inet.tcp.reass.maxqueuelen=1448 # Relax the TCP reassembly queue length limit to improve performance in the event of packet loss or reordering.
## IPv6 Security
# Disable Node info replies (default 3)
net.inet6.icmp6.nodeinfo=0 #Mask of enabled RF4620 node information query types
# Turn on IPv6 privacy extensions (default 0)
net.inet6.ip6.use_tempaddr=1 #Create RFC3041 temporary addresses for autoconfigured addresses
net.inet6.ip6.prefer_tempaddr=1 #Prefer RFC3041 temporary addresses in source address selection
# Disable ICMP redirect (default 1)
net.inet6.icmp6.rediraccept=0 #Accept ICMPv6 redirect messages
You can’t perform that action at this time.