diff --git a/core-files/etc/sysctl.d/trident-core.conf b/core-files/etc/sysctl.d/trident-core.conf index d567d78..5e7cc66 100644 --- a/core-files/etc/sysctl.d/trident-core.conf +++ b/core-files/etc/sysctl.d/trident-core.conf @@ -8,3 +8,49 @@ # Libinput and friends kern.evdev.rcpt_mask=12 + +# ========= +# Sysctl tuning below was *selectively* taken from +# https://gist.github.com/clemensg/8828061 +# Written by Clemens Gruber : Feb 5th, 2014 +# Copied here by Ken Moore, August 13, 2018 +# ========= +# Increase VFS read-ahead (better disk performance - particularly for SSDs) +# FreeBSD Default: 64 +vfs.read_max=128 + +# maximum segment size (MSS) specifies the largest amount of data in a single TCP segment +# For most networks 1460 is optimal, but you may want to be cautious and use +# 1440. This smaller MSS allows an extra 20 bytes of space for those client which are on a +# DSL line which may use PPPoE. These networks have extra header data stored in +# the packet and if there is not enough space, must be fragmented over additional +# partially filled packets. +# Default: 536 +net.inet.tcp.mssdflt=1440 + +# Loopback interface tuning +net.inet.tcp.nolocaltimewait=1 #Do not create compressed TCP TIME_WAIT entries for local connections + +# General Security and DoS mitigation. +net.inet.ip.check_interface=1 # verify packet arrives on correct interface (default 0) +net.inet.ip.process_options=0 # IP options in the incoming packets will be ignored (default 1) +net.inet.ip.random_id=1 # assign a random IP_ID to each packet leaving the system (default 0) +net.inet.ip.redirect=0 # do not send IP redirects (default 1) +net.inet.icmp.drop_redirect=1 # no redirected ICMP packets (default 0) +net.inet.tcp.always_keepalive=0 # tcp keep alive detection for dead peers, can be spoofed (default 1) +net.inet.tcp.drop_synfin=1 # SYN/FIN packets get dropped on initial connection (default 0) +net.inet.tcp.icmp_may_rst=0 # icmp may not send RST to avoid spoofed icmp/udp floods (default 1) +net.inet.tcp.msl=15000 # 15s maximum segment life waiting for an ACK in reply to a SYN-ACK or FIN-ACK (default 30000) +net.inet.tcp.path_mtu_discovery=0 # disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1) +net.inet.tcp.rfc3042=0 # disable limited transmit mechanism which can slow burst transmissions (default 1) +net.inet.udp.blackhole=1 # drop udp packets destined for closed sockets (default 0) +net.inet.tcp.blackhole=2 # drop tcp packets destined for closed ports (default 0) + +## IPv6 Security +# Disable Node info replies (default 3) +net.inet6.icmp6.nodeinfo=0 #Mask of enabled RF4620 node information query types +# Turn on IPv6 privacy extensions (default 0) +net.inet6.ip6.use_tempaddr=1 #Create RFC3041 temporary addresses for autoconfigured addresses +net.inet6.ip6.prefer_tempaddr=1 #Prefer RFC3041 temporary addresses in source address selection +# Disable ICMP redirect (default 1) +net.inet6.icmp6.rediraccept=0 #Accept ICMPv6 redirect messages