sysctl-config-PFSENSE-A.home.arpa-20260129203910.xml - pfSense - pfSense bugtracker

Feature #15221 » sysctl-config-PFSENSE-A.home.arpa-20260129203910.xml

Glenn Hall, 01/30/2026 01:44 AM

    
      <sysctl>

      	<item>

      		<tunable>vfs.read_max</tunable>

      		<value>128</value>

      		<descr><![CDATA[Increase UFS read-ahead speeds to match the state of hard drives and NCQ.]]></descr>

      	</item>

      	<item>

      		<descr><![CDATA[Set the ephemeral port range to be lower.]]></descr>

      		<tunable>net.inet.ip.portrange.first</tunable>

      		<value>default</value>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.blackhole</tunable>

      		<value>3</value>

      		<descr><![CDATA[Drop packets to closed TCP ports without returning a RST]]></descr>

      	</item>

      	<item>

      		<descr><![CDATA[Do not send ICMP port unreachable messages for closed UDP ports]]></descr>

      		<tunable>net.inet.udp.blackhole</tunable>

      		<value>default</value>

      	</item>

      	<item>

      		<descr><![CDATA[Randomize the ID field in IP packets]]></descr>

      		<tunable>net.inet.ip.random_id</tunable>

      		<value>default</value>

      	</item>

      	<item>

      		<tunable>net.inet.ip.sourceroute</tunable>

      		<value>0</value>

      		<descr><![CDATA[        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.        It can also be used to probe for information about your internal networks. These functions come enabled        as part of the standard FreeBSD core system.      ]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.ip.accept_sourceroute</tunable>

      		<value>0</value>

      		<descr><![CDATA[        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.        It can also be used to probe for information about your internal networks. These functions come enabled        as part of the standard FreeBSD core system.      ]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.icmp.log_redirect</tunable>

      		<value>0</value>

      		<descr><![CDATA[        This option turns off the logging of redirect packets because there is no limit and this could fill        up your logs consuming your whole hard drive.      ]]></descr>

      	</item>

      	<item>

      		<descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>

      		<tunable>net.inet.tcp.drop_synfin</tunable>

      		<value>default</value>

      	</item>

      	<item>

      		<tunable>net.inet6.ip6.redirect</tunable>

      		<value>0</value>

      		<descr><![CDATA[Enable sending IPv6 redirects]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet6.ip6.use_tempaddr</tunable>

      		<value>1</value>

      		<descr><![CDATA[Enable privacy settings for IPv6 (RFC 4941)]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet6.ip6.prefer_tempaddr</tunable>

      		<value>1</value>

      		<descr><![CDATA[Prefer privacy addresses and use them over the normal addresses]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.syncookies</tunable>

      		<value>0</value>

      		<descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.recvspace</tunable>

      		<value>2097152</value>

      		<descr><![CDATA[Initial receive socket buffer size ]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.sendspace</tunable>

      		<value>1048576</value>

      		<descr><![CDATA[Initial send socket buffer size ]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.delayed_ack</tunable>

      		<value>0</value>

      		<descr><![CDATA[Do not delay ACK to try and piggyback it onto a data packet]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.udp.maxdgram</tunable>

      		<value>65536</value>

      		<descr><![CDATA[Maximum outgoing UDP datagram size]]></descr>

      	</item>

      	<item>

      		<descr><![CDATA[Handling of non-IP packets which are not passed to pfil (see if_bridge(4))]]></descr>

      		<tunable>net.link.bridge.pfil_onlyip</tunable>

      		<value>default</value>

      	</item>

      	<item>

      		<tunable>net.link.bridge.pfil_local_phys</tunable>

      		<value>0</value>

      		<descr><![CDATA[Set to 1 to additionally filter on the physical interface for locally destined packets]]></descr>

      	</item>

      	<item>

      		<descr><![CDATA[Set to 0 to disable filtering on the incoming and outgoing member interfaces.]]></descr>

      		<tunable>net.link.bridge.pfil_member</tunable>

      		<value>default</value>

      	</item>

      	<item>

      		<descr><![CDATA[Set to 1 to enable filtering on the bridge interface]]></descr>

      		<tunable>net.link.bridge.pfil_bridge</tunable>

      		<value>default</value>

      	</item>

      	<item>

      		<descr><![CDATA[Allow unprivileged access to tap(4) device nodes]]></descr>

      		<tunable>net.link.tap.user_open</tunable>

      		<value>default</value>

      	</item>

      	<item>

      		<descr><![CDATA[Randomize PID&amp;#039;s (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())]]></descr>

      		<tunable>kern.randompid</tunable>

      		<value>default</value>

      	</item>

      	<item>

      		<tunable>net.inet.ip.intr_queue_maxlen</tunable>

      		<value>2048</value>

      		<descr><![CDATA[Maximum size of the IP input queue]]></descr>

      	</item>

      	<item>

      		<descr><![CDATA[Disable CTRL+ALT+Delete reboot from keyboard.]]></descr>

      		<tunable>hw.syscons.kbd_reboot</tunable>

      		<value>default</value>

      	</item>

      	<item>

      		<descr><![CDATA[Enable TCP extended debugging]]></descr>

      		<tunable>net.inet.tcp.log_debug</tunable>

      		<value>default</value>

      	</item>

      	<item>

      		<descr><![CDATA[Set ICMP Limits]]></descr>

      		<tunable>net.inet.icmp.icmplim</tunable>

      		<value>default</value>

      	</item>

      	<item>

      		<tunable>kern.ipc.maxsockbuf</tunable>

      		<value>614400000</value>

      		<descr><![CDATA[Maximum socket buffer size]]></descr>

      	</item>

      	<item>

      		<tunable>security.bsd.see_other_gids</tunable>

      		<value>0</value>

      		<descr><![CDATA[Hide processes running as other groups]]></descr>

      	</item>

      	<item>

      		<tunable>security.bsd.see_other_uids</tunable>

      		<value>0</value>

      		<descr><![CDATA[Hide processes running as other users]]></descr>

      	</item>

      	<item>

      		<descr><![CDATA[Enable/disable sending of ICMP redirects in response to IP packets for which a better,

              and for the sender directly reachable, route and next hop is known.

            ]]></descr>

      		<tunable>net.inet.ip.redirect</tunable>

      		<value>0</value>

      	</item>

      	<item>

      		<descr><![CDATA[        Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects

              to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect

              packets without returning a response.

            ]]></descr>

      		<tunable>net.inet.icmp.drop_redirect</tunable>

      		<value>1</value>

      	</item>

      	<item>

      		<tunable>net.local.dgram.maxdgram</tunable>

      		<value>65536</value>

      		<descr><![CDATA[Maximum outgoing UDP datagram size]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.recvbuf_max</tunable>

      		<value>16777216</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.sendbuf_max</tunable>

      		<value>16777216</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.rfc1323</tunable>

      		<value>2</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.sack.enable</tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.ecn.enable </tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.path_mtu_discovery </tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.minmss </tunable>

      		<value>536</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.rfc3042 </tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.rfc3390 </tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.sendbuf_auto </tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.recvbuf_auto </tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.recvbuf_inc </tunable>

      		<value>262144</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.sendbuf_inc </tunable>

      		<value>65536</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.raw.maxdgram</tunable>

      		<value>16384</value>

      		<descr><![CDATA[Maximum outgoing raw IP datagram size]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.abc_l_var </tunable>

      		<value>10</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.initcwnd_segments </tunable>

      		<value>10</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.local.stream.sendspace </tunable>

      		<value>65536</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.local.stream.recvspace </tunable>

      		<value>65536</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.sctp.blackhole </tunable>

      		<value>2</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.ip.portrange.randomized </tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.ip.portrange.randomcps </tunable>

      		<value>9999</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.ip.portrange.randomtime </tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet6.ip6.auto_linklocal </tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet6.icmp6.rediraccept </tunable>

      		<value>0</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet6.icmp6.nodeinfo </tunable>

      		<value>0</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>kern.ipc.somaxconn </tunable>

      		<value>16384</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.udp.recvspace </tunable>

      		<value>65536</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.local.dgram.recvspace </tunable>

      		<value>65536</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.ip.process_options</tunable>

      		<value>1</value>

      		<descr><![CDATA[Enable IP options processing ([LS]SRR, RR, TS)]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.cc.algorithm</tunable>

      		<value>cdg</value>

      		<descr><![CDATA[TCP Congestion Control Algorithm]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.cc.abe</tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.cc.htcp.adaptive_backoff</tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.cc.htcp.rtt_scaling</tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.cc.cdg.alpha_inc</tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.cc.cdg.smoothing_factor</tunable>

      		<value>10</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.raw.recvspace</tunable>

      		<value>16384</value>

      		<descr><![CDATA[Maximum space for incoming raw IP datagrams]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.delacktime</tunable>

      		<value>20</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet6.ip6.intr_queue_maxlen</tunable>

      		<value>2048</value>

      		<descr><![CDATA[Maximum size of the IPv6 input queue]]></descr>

      	</item>

      	<item>

      		<tunable>kern.crypto.iimb.enable_multiq</tunable>

      		<value>2</value>

      		<descr><![CDATA[enable multi-Q]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.fast_finwait2_recycle</tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.route.netisr_maxqlen</tunable>

      		<value>2048</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.ip.maxfrags</tunable>

      		<value>-1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.ip.maxfragsperpacket </tunable>

      		<value>512</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.ip.maxfragpackets</tunable>

      		<value>-1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet6.ip6.maxfrags</tunable>

      		<value>-1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet6.ip6.maxfragsperpacket</tunable>

      		<value>512</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet6.ip6.maxfragpackets</tunable>

      		<value>-1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>hw.acpi.cpu.cx_lowest</tunable>

      		<value>C1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.mssdflt</tunable>

      		<value>1460</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.v6mssdflt</tunable>

      		<value>1440</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.pmtud_blackhole_detection</tunable>

      		<value>1</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.pmtud_blackhole_mss</tunable>

      		<value>1280</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.v6pmtud_blackhole_mss</tunable>

      		<value>1280</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.tcp.tso</tunable>

      		<value>0</value>

      		<descr><![CDATA[Enable TCP Segmentation Offload]]></descr>

      	</item>

      	<item>

      		<tunable>net.inet.udp.sendspace</tunable>

      		<value>65536</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.local.dgram.sendspace </tunable>

      		<value>65536</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>net.inet.raw.sendspace</tunable>

      		<value>16384</value>

      		<descr></descr>

      	</item>

      	<item>

      		<tunable>hw.intr_storm_threshold</tunable>

      		<value>0</value>

      		<descr></descr>

      	</item>

      </sysctl>

(1-1/1)

Project

General

Profile

pfSense

Feature #15221 » sysctl-config-PFSENSE-A.home.arpa-20260129203910.xml