# $FreeBSD: src/etc/sysctl.conf,v 1.1.2.3 2002/04/15 00:44:13 dougb Exp $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#
# http://unix.derkeiler.com/Mailing-Lists/FreeBSD/net/2004-01/0120.html
#
#
# -- san2(at)linuxchannel.net
# -- 2005.09.21: add more
#    2005.01.01: add more
#
# -- reference
#  http://thern.org/projects/sysctl.conf
#  http://thern.org/projects/sysctl-5.2.1.conf
#  http://www.emsl.pnl.gov/docs/global/support.html
#
# NOTE(review): one setting per line, written as name=value with no spaces
# around '='. Explanatory comments sit on the line above the setting they
# describe. The references above date this file to FreeBSD 4.x/5.x; OIDs get
# renamed or removed between releases, so confirm each one exists on the
# target host with `sysctl -d <name>' before deploying.

## [kern] ##

# Upper bound on a single socket buffer: 2097152 bytes = 2 MB.
kern.ipc.maxsockbuf=2097152

# Upper bound on the listen(2) backlog a server may request.
kern.ipc.somaxconn=32768

# Largest shared memory segment, in bytes (134217728 = 128M); useful for
# apache/php/etc. The Linux counterpart is `kernel.shmmax'.
kern.ipc.shmmax=134217728

# Shared memory limit in pages, 1 page = 4KB:
# 32768 * 4KB = 134217728 = 128M, matching shmmax above.
# The Linux counterpart is `kernel.shmall'.
kern.ipc.shmall=32768

# Open-file limits: system-wide, then per process.
kern.maxfiles=65536
kern.maxfilesperproc=32768

# Device polling, left disabled here.
#kern.polling.enable=1

# Left disabled here: 0 would show each user only the processes they own.
# NOTE(review): on a multi-user host this limits what one account can learn
# about another's command lines. Later FreeBSD releases expose the same
# control as security.bsd.see_other_uids -- verify the name on your release.
#kern.ps_showallprocs=0

## [machdep] ##

# if you have SMP kernel and HTT enabled, use this
#machdep.hlt_cpus=0

## [net.link] ##

# Do not log ARP packets that arrive on an unexpected interface.
# NOTE(review): this trades log noise for visibility; with it off, ARP
# anomalies on multi-homed hosts leave no kernel log trace.
net.link.ether.inet.log_arp_wrong_iface=0

# ARP cache entry lifetime, in seconds.
net.link.ether.inet.max_age=1200

## [net.inet.tcp && net.inet.udp] ##

# RFC 1323 extensions (window scaling and timestamps).
net.inet.tcp.rfc1323=1
net.inet.tcp.delayed_ack=1

# Default per-socket TCP send and receive buffer sizes, in bytes.
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536

# Maximum Segment Life in msec (1/1000 sec); the real wait is
# net.inet.tcp.msl * 2, i.e. 6 seconds with this value.
# http://silverwraith.com/papers/freebsd-ddos.php
# NOTE(review): this shortens TIME_WAIT to free state faster under load. The
# cost is a smaller guard window against delayed segments from a previous
# connection on the same address/port pair; confirm that trade-off is wanted.
net.inet.tcp.msl=3000

# man tcp(4), by cjh@ 2003/2/18
net.inet.tcp.inflight_enable=1
net.inet.tcp.slowstart_flightsize=4

# security against stealth port scans and some DoS attacks
# (both left disabled here; see blackhole(4)).
# NOTE(review): when enabled, closed ports stop answering, which also makes
# connectivity debugging harder. It complements packet filtering and does not
# replace it.
#net.inet.tcp.blackhole=2
#net.inet.udp.blackhole=1

## [net.inet.ip] ##

# Ephemeral port ranges: raise the end of the default range and lower the
# start of the high range.
# NOTE(review): check that no local service listens inside the widened
# ranges -- TODO confirm against the host's service list.
net.inet.ip.portrange.last=20000
net.inet.ip.portrange.hifirst=40000

# don't accept sourcerouted packets (they are evil, gross, and have cooties)
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0

# Do not send ICMP redirects, for IPv4 and IPv6.
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0

## [net.inet.icmp] ##

# Ignore incoming ICMP redirects.
# http://www.cymru.com/~robt/Docs/Articles/ip-stack-tuning.html
net.inet.icmp.drop_redirect=1

# Do not log the redirects that are dropped.
# NOTE(review): combined with drop_redirect=1, redirect attempts are discarded
# silently. Set to 1 if those events should reach the logs, keeping log volume
# in mind.
net.inet.icmp.log_redirect=0

# Do not answer broadcast/multicast echo requests or address mask requests.
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskrepl=0