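### Rozhuk Ivan 2009.06-2022 ### sysctl.conf ### 13.x
# FreeBSD sysctl.conf: one "oid=value" per line, read by sysctl(8) -f at boot.
# Text after '#' is a comment. Reviewer notes are marked NOTE(review).
#
# NOTE(review): security-relevant changes vs. the previous revision of this file:
#   * security.bsd.conservative_signals restored to the kernel default (1).
#   * Inverted/misleading comments on see_other_uids, portrange.randomized,
#     aslr.enable and the core-dump settings corrected; caveats added.

#kern.securelevel=2                 # Current secure level. Kept disabled: securelevel can only be raised
                                    # at runtime, never lowered, and raising it this early may break
                                    # rc scripts that still need to write protected files/devices.

# Debug kernel
debug.minidump=1                    # Enable mini crash dumps
kern.sync_on_panic=0                # Do not sync before rebooting from a panic; 0 is required for the
                                    # crash dump to be written
kern.panic_reboot_wait_time=16      # Seconds to wait before rebooting after a panic
kern.kerneldump_gzlevel=3           # Kernel crash dump compression level

# Debug userspace
kern.logsigexit=1                   # Log processes quitting on abnormal signals to syslog(3)
kern.forcesigexit=1                 # Force trap signals to be handled
kern.lognosys=3                     # Log invalid syscalls
kern.sugid_coredump=1               # Allow setuid and setgid processes to dump core (kernel default: 0)
                                    # NOTE(review): cores of setuid/setgid processes can contain secrets
                                    # (key material, password hashes, tokens). Keep this at 0 on hosts
                                    # that are not actively debugged, and see kern.corefile below.
kern.capmode_coredump=1             # Allow processes in capability mode (Capsicum) to dump core
kern.coredump=1                     # Enable/disable coredumps
kern.nodump_coredump=1              # Set the NODUMP flag on coredump files (keeps them out of dump(8) backups)
kern.coredump_devctl=1              # Generate a devctl notification when a process dumps core
kern.corefile=/tmp/%N.%I.core       # Process corefile name format string
                                    # NOTE(review): /tmp is world-writable, may be memory-backed and is
                                    # typically purged at boot, and "%N.%I" collides across users running
                                    # the same program name. A dedicated directory and a name that
                                    # includes %U (uid) and %P (pid), e.g. /var/coredumps/%N.%P.%U.core,
                                    # is preferable; the directory must exist or no core is written.
kern.compress_user_cores=1          # Compression of user corefiles
kern.compress_user_cores_level=3    # Corefile compression level
debug.ncores=16                     # Limit the number of corefiles generated by a particular process

# SECURITY
security.bsd.map_at_zero=0          # Do not permit processes to map an object at virtual address 0
                                    # (NULL-pointer dereference hardening)
security.bsd.suser_enabled=1        # Processes with uid 0 have privilege
security.bsd.unprivileged_mlock=0   # Do not allow non-root users to call mlock(2)
security.bsd.see_other_uids=1       # 1 = unprivileged users CAN see processes running under other UIDs;
                                    # set 0 to hide them (the previous comment had this inverted)
security.bsd.see_other_gids=1       # 1 = processes of other GIDs are visible; 0 hides them but breaks
                                    # some scripts, e.g. rc.d scripts
security.bsd.conservative_signals=1 # Only a restricted set of signals may be delivered to setuid/setgid
                                    # processes by unprivileged senders (kernel default). This file
                                    # previously set 0, which removes that restriction; set 0 again only
                                    # while a specific debugging task requires it.
security.bsd.unprivileged_proc_debug=0   # Unprivileged users cannot debug (ptrace) processes
security.bsd.unprivileged_idprio=0       # Non-root users cannot set an idle priority
security.bsd.unprivileged_read_msgbuf=0  # Unprivileged processes cannot read the kernel message buffer
security.bsd.hardlink_check_uid=1        # Unprivileged processes cannot create hard links to files owned by other users
security.bsd.hardlink_check_gid=1        # Unprivileged processes cannot create hard links to files owned by other groups
security.bsd.unprivileged_get_quota=0    # Unprivileged processes cannot retrieve quotas for other uids and gids
security.bsd.unprivileged_chroot=0       # Unprivileged processes cannot use chroot(2)
security.bsd.stack_guard_page=1          # Insert a stack guard page ahead of the growable segments
kern.randompid=1                    # Randomize PIDs
vfs.usermount=0                     # Disable mount for unprivileged users
kern.elf32.allow_wx=0               # ELF32: do not allow pages to be mapped simultaneously writable and executable
kern.elf32.nxstack=1                # ELF32: enable non-executable stack
kern.elf64.allow_wx=0               # ELF64: do not allow pages to be mapped simultaneously writable and executable
kern.elf64.aslr.stack=1             # ELF64: enable stack address randomization (presumably only effective
                                    # together with kern.elf64.aslr.enable=1 -- confirm)
kern.elf64.aslr.honor_sbrk=1        # ELF64: assume sbrk is used
kern.elf64.aslr.pie_enable=0        # ELF64: address map randomization for PIE binaries is OFF
kern.elf64.aslr.enable=0            # ELF64: address map randomization is OFF
                                    # NOTE(review): this explicitly disables ASLR. For a hardened host set
                                    # both kern.elf64.aslr.enable=1 and kern.elf64.aslr.pie_enable=1
                                    # (per-binary opt-out is possible with proccontrol(1) if something breaks).
kern.elf64.nxstack=1                # ELF64: enable non-executable stack  !!!!! do not change at runtime !!!!!
net.inet.tcp.log_in_vain=0          # Do not log incoming TCP segments to closed ports
net.inet.udp.log_in_vain=0          # Do not log incoming UDP packets to closed ports
net.link.bridge.inherit_mac=1       # Inherit MAC address from the first bridge member
net.link.ether.inet.log_arp_permanent_modify=1  # Log ARP replies from MACs different than the one in the permanent ARP entry
net.link.ether.inet.log_arp_movements=1         # Log ARP replies from MACs different than the one in the cache
net.link.ether.inet.log_arp_wrong_iface=1       # Log ARP packets arriving on the wrong interface
net.link.log_link_state_change=1    # Log interface link state change events
net.link.tap.up_on_open=1           # Bring interface up when /dev/tap is opened
net.inet.ip.sourceroute=0           # Do not forward source-routed IP packets
net.inet.ip.accept_sourceroute=0    # Do not accept source-routed IP packets
net.inet.ip.random_id=1             # Random IP packet identifier
net.inet.ip.redirect=0              # Do not generate ICMP REDIRECT
net.inet.ip.check_interface=1       # Verify packet arrives on correct interface
net.inet.ip.process_options=1       # Enable IP options processing ([LS]SRR, RR, TS); source routing is
                                    # still refused by the two sourceroute knobs above
net.inet.ip.stealth=0               # IP stealth mode (no TTL decrement on forwarding) off
net.inet6.ip6.redirect=0            # Do not generate ICMP6 REDIRECT
net.inet6.ip6.auto_linklocal=0      # Do not auto-generate link-local addresses; link-local / nd6 options
                                    # are presumably configured per interface in rc.conf -- confirm
net.inet6.ip6.use_tempaddr=1        # Create RFC3041 temporary addresses for autoconfigured addresses
net.inet6.ip6.prefer_tempaddr=1     # Prefer RFC3041 temporary addresses in source address selection
net.inet6.ip6.temppltime=86400      # Preferred lifetime of temporary addresses (seconds)
net.inet6.ip6.tempvltime=604800     # Valid lifetime of temporary addresses (seconds)
net.inet6.icmp6.nd6_debug=0         # Do not log NDP debug messages
net.inet.icmp.log_redirect=0        # Do not log ICMP REDIRECT packets
net.inet.icmp.drop_redirect=1       # Drop ICMP REDIRECT packets
net.inet.icmp.maskfake=0            # No fake reply to ICMP Address Mask Request packets
net.inet.icmp.maskrepl=0            # Do not reply to ICMP Address Mask Request packets
net.inet.icmp.bmcastecho=0          # Disable broadcast ping reply
net.inet.icmp.icmplim=1             # Maximum number of ICMP responses per second
                                    # NOTE(review): 1/s is very aggressive; this limiter also covers
                                    # TCP RSTs and unreachables, so legitimate peers may see delayed
                                    # connection refusals / PMTU feedback. Consider the default (200).
net.inet.icmp.icmplim_output=0      # Do not log ICMP response rate limiting
net.inet.tcp.drop_synfin=1          # Drop TCP packets with SYN+FIN set
net.inet.tcp.blackhole=2            # Do not send RST on segments to closed ports (2 = SYN and all other segments)
net.inet.tcp.isn_reseed_interval=1200   # Seconds between reseeding of the ISN secret
net.inet.udp.blackhole=1            # Do not send port unreachables for refused connects

# BASE KERNEL
kern.random.harvest.mask=65535      # UMA,FS_ATIME,SWI,INTERRUPT,NET_NG,NET_ETHER,NET_TUN,MOUSE,KEYBOARD,ATTACH,CACHED
                                    # NOTE(review): a fixed mask silently excludes any entropy source
                                    # whose bit is above 15; prefer the kernel default unless a specific
                                    # source is known to be too expensive on this hardware.
kern.random.fortuna.minpoolsize=128 # Restore strong entropy value
kern.vt.kbd_panic=0                 # Disable keyboard request to panic. See kbdmap(5) to configure.
kern.vt.kbd_debug=0                 # Disable key combination to enter the debugger (typically Ctrl-Alt-Esc)
kern.vt.kbd_reboot=0                # Disable reboot keyboard combination (typically Ctrl-Alt-Delete)
kern.vt.kbd_poweroff=0              # Disable Power Off keyboard combination
kern.vt.kbd_halt=0                  # Disable halt keyboard combination
kern.vt.suspendswitch=0             # Do not switch to VT0 before suspend
kern.vt.deadtimer=15                # Time to wait for a busy process in VT_PROCESS mode
kern.vt.debug=0                     # vt(9) debug level
kern.vt.enable_bell=0               # Disable bell
kern.vt.enable_altgr=1              # Enable AltGr key (do not assume R.Alt is Alt)

# Signal queue: POSIX real time signals
kern.sigqueue.max_pending_per_proc=1024 # Max pending signals per process

# BASE VM
#vm.cluster_anon=2                  # Cluster anonymous mappings: 0 = no, 1 = yes if no hint, 2 = always // def: 1
vm.overcommit=0                     # Virtual memory overcommit behavior (0 = no accounting). See tuning(7).
vm.pageout_update_period=20         # Maximum active LRU update period (seconds)
vm.lowmem_period=2                  # Low memory callback period (seconds)
vm.swap_enabled=0                   # Disable entire-process swapout
vm.swap_idle_enabled=1              # Swap out idle processes
vm.swap_idle_threshold1=4           # Guaranteed swapped-in time for a process
vm.swap_idle_threshold2=16          # Time before a process will be swapped out
vm.disable_swapspace_pageouts=0     # Allow swapout of dirty pages
vm.kstack_cache_size=512            # Maximum number of cached kernel stacks

# BASE NET TUNINGS (for any resources)
net.isr.dispatch=deferred           # direct / hybrid / deferred // interrupt handling spread over CPUs, with a context switch
#net.isr.bindthreads=1              # Bind netisr threads to CPUs
net.route.netisr_maxqlen=65536      # Maximum routing socket dispatch queue length
net.inet.ip.intr_queue_maxlen=65536 # Maximum size of the IP input queue. Increase until net.inet.ip.intr_queue_drops stays zero
#net.link.ether.inet.proxyall=1     # Enable proxy ARP for all suitable requests
net.link.ether.inet.max_age=120     # ARP entry lifetime in seconds, default 1200
#net.inet.ip.forwarding=1           # Enable IPv4 forwarding between interfaces; rc.conf: gateway_enable="YES"
#net.inet6.ip6.forwarding=1         # Enable IPv6 routing; rc.conf: ipv6_gateway_enable="YES"
net.inet.ip.portrange.randomized=1  # Enable ephemeral port randomization (0 would disable it; the
                                    # previous comment had this inverted)
net.inet.ip.portrange.randomcps=8192    # Maximum number of random port allocations per second before switching to sequential allocation
net.inet.ip.portrange.randomtime=1  # Minimum time (seconds) to keep sequential port allocation before switching back to random
net.inet.ip.portrange.first=1024    # Increase the ephemeral port range
net.inet.ip.portrange.last=65535    # For outgoing connections only. Good for seed-boxes and FTP servers.
net.inet.ip.ttl=128                 # Maximum TTL on IP packets. Default is 64
net.inet.tcp.rfc1323=1              # Enable RFC1323 (high performance TCP) extensions; needed for windows > 64k
net.inet.tcp.tolerate_missing_ts=1  # Tolerate TCP segments missing timestamps / d2b3ceddccac60b563f642898e3a314647666a10
net.inet.tcp.rfc3042=1              # Enable RFC 3042 (Limited Transmit)
net.inet.tcp.rfc3390=1              # Enable RFC 3390 (Increasing TCP's Initial Congestion Window)
net.inet.tcp.rfc3465=1              # Enable RFC 3465 (Appropriate Byte Counting)
net.inet.tcp.rfc6675_pipe=1         # Use calculated pipe/in-flight bytes per RFC 6675
net.inet.tcp.do_prr=1               # Enable Proportional Rate Reduction per RFC 6937
net.inet.tcp.do_prr_conservative=1  # Do conservative Proportional Rate Reduction
net.inet.tcp.mssdflt=1200           # Default TCP Maximum Segment Size for IPv4 (pmtud_blackhole_mss)
net.inet.tcp.v6mssdflt=1220         # Default TCP Maximum Segment Size for IPv6 (v6pmtud_blackhole_mss)
net.inet.tcp.minmss=216             # Minimum TCP Maximum Segment Size
net.inet.tcp.msl=15000              # Maximum segment lifetime in milliseconds (RFC default: 30000)
net.inet.tcp.abc_l_var=44           # Cap the max cwnd increment during slow-start to this number of segments
net.inet.tcp.initcwnd_segments=44   # Slow-start flight size (initial congestion window) in number of segments
net.inet.tcp.keepinit=8000          # Time to establish a connection (ms)
net.inet.tcp.keepidle=60000         # Time before a TCP keepalive probe is sent (ms); default is 2 hours (7200000)
net.inet.tcp.nolocaltimewait=1      # Do not create compressed TCP TIME_WAIT entries for local connections
net.inet.tcp.fast_finwait2_recycle=1    # FIN_WAIT_2 state fast recycle
net.inet.tcp.always_keepalive=1     # Assume SO_KEEPALIVE on all TCP connections
net.inet.tcp.ecn.enable=0           # Explicit Congestion Notification off (see http://en.wikipedia.org/wiki/Explicit_Congestion_Notification)
net.inet.tcp.cc.abe=1               # Enable draft-ietf-tcpm-alternativebackoff-ecn (TCP Alternative Backoff with ECN)
net.inet.tcp.cc.algorithm=htcp      # TCP congestion control algorithm
net.inet.tcp.cc.htcp.rtt_scaling=1  # Enable H-TCP RTT scaling
net.inet.tcp.cc.htcp.adaptive_backoff=1 # Enable H-TCP adaptive backoff
net.inet.tcp.syncookies=1           # Use TCP SYN cookies if the syncache overflows
net.inet.tcp.syncookies_only=0      # Do not use only TCP SYN cookies
net.inet.tcp.sack.enable=1          # Enable TCP SACK support
net.inet.tcp.sack.maxholes=1024     # Maximum number of TCP SACK holes allowed per connection
net.inet.tcp.sack.globalmaxholes=65536  # Global maximum number of TCP SACK holes
net.inet.tcp.delayed_ack=1          # Delay ACK to try and piggyback it onto a data packet. Turn off on high-speed, lossless links (LAN 1Gbit+)
net.inet.tcp.delacktime=10          # Time before a delayed ACK is sent
net.inet.tcp.syncache.rexmtlimit=7  # Limit on SYN/ACK retransmissions
net.inet.tcp.per_cpu_timers=1       # Run TCP timers on all CPUs
net.inet.tcp.functions_default=rack # Use TCP stack: freebsd / rack
                                    # NOTE(review): only takes effect if the RACK stack (tcp_rack) is
                                    # loaded; otherwise the default stack stays in use -- confirm on the host
net.inet.tcp.tso=0                  # Disable TCP Segmentation Offload
net.inet.tcp.fastopen.client_enable=1   # Enable TCP Fast Open client functionality
net.inet.tcp.fastopen.server_enable=1   # Enable TCP Fast Open server functionality (system-wide switch;
                                        # listeners presumably still have to opt in per socket -- confirm)
net.inet.tcp.fastopen.autokey=120   # Seconds between auto-generation of a new TFO key; zero disables
net.inet.tcp.fastopen.acceptany=0   # Do NOT accept any non-empty cookie (keep at 0: accepting arbitrary
                                    # cookies defeats the TFO amplification/resource protection)
net.inet.tcp.do_tcpdrain=1          # Enable tcp_drain routine for extra help when low on mbufs
net.inet.tcp.rack.misc.shared_cwnd=0    # Do not let RACK use the shared cwnd on connections where allowed
net.inet.tcp.rack.misc.clientlowbuf=32  # Client low buffer level (below this be more aggressive in DGP exiting recovery; 0 = off)
net.inet.tcp.rack.misc.prr_addback_max=16   # Maximum number of MSS allowed to be added back if PRR cannot send all its data
net.inet.tcp.rack.tlp.tlpminto=80000    # TLP minimum timeout per the specification (microseconds)
net.inet.udp.checksum=1             # Compute UDP checksum
net.inet.udp.maxdgram=65507         # Maximum outgoing UDP datagram size
net.inet.igmp.default_version=2     # Default version of IGMP to run on each interface
net.inet.igmp.legacysupp=1          # Allow v1/v2 reports to suppress v3 group responses

# ng_socket
net.graph.maxdgram=262144           # Maximum outgoing Netgraph datagram size / real max datagram size
net.graph.recvspace=262144          # Maximum space for incoming Netgraph datagrams

# RESOURCE TUNINGS
# Every socket is a file, so increase these together
#kern.maxproc=2048                  # Maximum number of processes
kern.maxfiles=262144                # Maximum files
kern.maxfilesperproc=262144         # Maximum files allowed open per process
kern.maxvnodes=262144               # Maximum number of vnodes
kern.ipc.maxsockbuf=33554432        # Do not use larger sockbufs on 8.0+
kern.ipc.maxsockets=262144          # Maximum number of sockets available
kern.ipc.nmbjumbop=262144           # Maximum number of page-size (4k/8k) jumbo mbuf clusters allowed
kern.ipc.nmbclusters=262144         # Maximum number of mbuf clusters allowed // netstat -m
kern.ipc.nmbjumbo9=262144           # Maximum number of 9k jumbo mbuf clusters allowed
kern.ipc.nmbjumbo16=262144          # Maximum number of 16k jumbo mbuf clusters allowed
kern.ipc.soacceptqueue=4096         # (somaxconn) Maximum listen socket pending connection accept queue size

# NET TUNINGS
net.inet.tcp.recvspace=65536        # Initial receive socket buffer size
net.inet.tcp.recvbuf_auto=1         # Enable automatic receive buffer sizing
net.inet.tcp.recvbuf_max=4194304    # Max size of automatic receive buffer
net.inet.tcp.sendspace=65536        # Initial send socket buffer size
net.inet.tcp.sendbuf_auto=1         # Enable automatic send buffer sizing
net.inet.tcp.sendbuf_inc=65536      # Increment step size of automatic send buffer
net.inet.tcp.sendbuf_max=4194304    # Max size of automatic send buffer
net.inet.tcp.maxtcptw=40960         # Maximum number of compressed TCP TIME_WAIT entries
net.inet.udp.recvspace=4194304      # Maximum space for incoming UDP datagrams
net.inet.raw.maxdgram=4194304       # Maximum outgoing raw IP datagram size
net.inet.raw.recvspace=4194304      # Maximum space for incoming raw IP datagrams
net.local.stream.recvspace=8388608  # Default stream receive space
net.local.stream.sendspace=8388608  # Default stream send space
net.local.dgram.recvspace=8388608   # Default datagram receive space
net.local.dgram.maxdgram=8388608    # Default datagram send space
net.local.seqpacket.recvspace=8388608   # Default seqpacket receive space
net.local.seqpacket.maxseqpacket=8388608    # Default seqpacket send space
net.raw.recvspace=4194304           # Default raw socket receive space
net.raw.sendspace=4194304           # Default raw socket send space

# FILE SYSTEM
vfs.ufs.dirhash_docheck=0           # Disable extra dirhash sanity tests
vfs.ufs.dirhash_minsize=8388608     # Minimum directory size in bytes for which to use hashed lookup
vfs.ufs.dirhash_maxmem=67108864     # Increase when the server has A LOT of files (until vfs.ufs.dirhash_mem stays lower)
vfs.read_max=1                      # Cluster read-ahead max block count // 0=1 - low read delay (2ms) and high command rate,
                                    # 2~32 - read 1 track, low command rate, 8ms delay, [cam] eats ~x2 then disabled
vfs.write_behind=1                  # Cluster write-behind; 0: disable, 1: enable, 2: backed off
vfs.buf_pager_relbuf=1              # Make buffer pager release buffers after reading
vfs.vmiodirenable=1                 # Use the VM system for directory writes
vfs.hirunningspace=67108864         # Maximum amount of space to use for in-progress I/O
vfs.nfsd.enable_stringtouid=1       # Enable nfsd to accept numeric owner_names (bypasses idmap name lookup for numeric strings)

# AIO: Async IO management
vfs.aio.target_aio_procs=4          # Preferred number of ready kernel threads for async IO
vfs.aio.max_aio_procs=4             # Maximum number of kernel threads to use for handling async IO
vfs.aio.aiod_lifetime=30000         # Maximum lifetime for an idle aiod
vfs.aio.max_aio_queue=65536         # Maximum number of aio requests to queue, globally
vfs.aio.max_aio_queue_per_proc=65536    # Maximum queued aio requests per process
vfs.aio.max_aio_per_proc=8192       # Maximum active aio requests per process
vfs.aio.max_buf_aio=8192            # Maximum buf aio requests per process

# POWER SAVING: https://wiki.freebsd.org/TuningPowerConsumption
hw.pci.do_power_nodriver=3          # Power off devices without a driver
hw.pci.do_power_resume=3            # Transition from D3 -> D0 on resume
# Do this to keep suspend from hanging the system at resume.
hw.usb.no_suspend_wait=1            # No USB device waiting at system suspend
hw.pci.do_power_suspend=0           # Do not transition from D0 -> D3 on suspend

# HARDWARE TUNINGS
machdep.idle=hlt                    # Currently selected idle function / workaround for Ryzen
hw.intr_storm_threshold=0           # Number of consecutive interrupts before storm protection kicks in;
                                    # 0 disables the protection entirely, so a misbehaving device can
                                    # monopolize a CPU -- keep the default unless false positives are seen
hw.usb.no_cs_fail=1                 # Ignore USB clear-stall failures // CH340 USB<->RS232 requires this;
                                    # Linux and Windows appear to do this by default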