Some security/tuning options for networking on FreeBSD #17

Merged
merged 1 commit into from Sep 14, 2018
@@ -8,3 +8,49 @@

# Libinput and friends
kern.evdev.rcpt_mask=12

# =========
# Sysctl tuning below was *selectively* taken from
# https://gist.github.com/clemensg/8828061
# Written by Clemens Gruber : Feb 5th, 2014
# Copied here by Ken Moore, August 13, 2018
# =========
# Increase VFS read-ahead (better disk performance - particularly for SSDs)
# FreeBSD Default: 64
vfs.read_max=128

# maximum segment size (MSS) specifies the largest amount of data in a single TCP segment
# For most networks 1460 is optimal, but you may want to be cautious and use
# 1440. This smaller MSS allows an extra 20 bytes of space for those client which are on a
# DSL line which may use PPPoE. These networks have extra header data stored in
# the packet and if there is not enough space, must be fragmented over additional
# partially filled packets.
# Default: 536
net.inet.tcp.mssdflt=1440

# Loopback interface tuning
net.inet.tcp.nolocaltimewait=1 #Do not create compressed TCP TIME_WAIT entries for local connections

# General Security and DoS mitigation.
net.inet.ip.check_interface=1 # verify packet arrives on correct interface (default 0)
net.inet.ip.process_options=0 # IP options in the incoming packets will be ignored (default 1)
net.inet.ip.random_id=1 # assign a random IP_ID to each packet leaving the system (default 0)
net.inet.ip.redirect=0 # do not send IP redirects (default 1)
net.inet.icmp.drop_redirect=1 # no redirected ICMP packets (default 0)
net.inet.tcp.always_keepalive=0 # tcp keep alive detection for dead peers, can be spoofed (default 1)
net.inet.tcp.drop_synfin=1 # SYN/FIN packets get dropped on initial connection (default 0)
net.inet.tcp.icmp_may_rst=0 # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
net.inet.tcp.msl=15000 # 15s maximum segment life waiting for an ACK in reply to a SYN-ACK or FIN-ACK (default 30000)
net.inet.tcp.path_mtu_discovery=0 # disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1)
net.inet.tcp.rfc3042=0 # disable limited transmit mechanism which can slow burst transmissions (default 1)
net.inet.udp.blackhole=1 # drop udp packets destined for closed sockets (default 0)
net.inet.tcp.blackhole=2 # drop tcp packets destined for closed ports (default 0)

## IPv6 Security
# Disable Node info replies (default 3)
net.inet6.icmp6.nodeinfo=0 #Mask of enabled RF4620 node information query types
# Turn on IPv6 privacy extensions (default 0)
net.inet6.ip6.use_tempaddr=1 #Create RFC3041 temporary addresses for autoconfigured addresses
net.inet6.ip6.prefer_tempaddr=1 #Prefer RFC3041 temporary addresses in source address selection
# Disable ICMP redirect (default 1)
net.inet6.icmp6.rediraccept=0 #Accept ICMPv6 redirect messages
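Review bot: the trailing comment on the last line of the hunk contradicts the setting it annotates: `net.inet6.icmp6.rediraccept=0 #Accept ICMPv6 redirect messages` sets the knob to 0 but describes the value-1 behaviour; reword it to `#Do not accept ICMPv6 redirect messages` so it matches the "Disable ICMP redirect" header directly above and the IPv4 `net.inet.icmp.drop_redirect=1` entry earlier in the block. Two smaller documentation points in the same IPv6 section and the security block: `#Mask of enabled RF4620 node information query types` should read `RFC4620`, and `net.inet.tcp.always_keepalive=0` deserves a note that turning keepalives off means connections to silently dead peers are no longer reaped by the stack and linger until the application closes them, so this is a trade-off against the spoofing concern rather than a pure hardening. Since the block is copied from a 2014 gist, it is also worth re-checking the "(default N)" values quoted in the comments against the FreeBSD release this project targets before merging.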