June 22, 2005
sysctl.conf Sample
net.inet.tcp.drop_synfin
This variable is similar to net.inet.tcp.blackhole: it makes the kernel drop every TCP packet that has both the SYN and FIN bits set. It is not enough to set it with the sysctl command or to add it to the sysctl.conf file; the kernel has to be recompiled with the TCP_DROP_SYNFIN option. On my FreeBSD 5.3 I got the following error, probably because it's a default kernel.
% sysctl net.inet.tcp.drop_synfin
sysctl: unknown oid 'net.inet.tcp.drop_synfin'
net.inet.ip.rtexpire and net.inet.ip.rtminexpire are explained in detail in the handbook.
The file is appended here as a backup, from http://www.thern.org/projects/sysctl.conf
#
# Default sysctl's for a dual-use webhosting/shell server
#
# Developed and used on FreeBSD 4.x server(s)
#
# Zoidial, Inc.
# Eric Thern eric@zoidial.com
#
# v0.1 06/03/2001 - initial release
# v0.2 01/02/2002 - added more net.inet options
# v0.3 01/03/2002 - added kern.ipc and kern.randompid stuff
# v0.4 01/08/2003 - added some more nonsense and such.
# v0.5 06/03/2003 - kern.maxfiles
# v0.6 25/06/2003 - net.inet.ip.fw.one_pass=0 (from 1)
#
#############################
# // NETWORKING SYSCTL's // #
#############################
#
# limit responses to ICMP for bandwidth purposes
#
net.inet.icmp.icmplim=10
net.inet.icmp.maskrepl=0
net.inet.icmp.drop_redirect=1
# (the copied file had "net.icmp.bmcastecho"; the FreeBSD OID is net.inet.icmp.bmcastecho)
net.inet.icmp.bmcastecho=0
#
# icmp may NOT rst, thank you very much
# this is helpful for those pesky spoofed icmp/udp floods
# that end up taking up your outgoing bandwidth due to
# all that outgoing RST traffic.
#
net.inet.tcp.icmp_may_rst=0
#
# drop synfin packets -- we don't need no stinkin' synfin!
#
net.inet.tcp.drop_synfin=1
#
# up the maximum connections allowed, good for ddos's
#
kern.ipc.somaxconn=65536
#
# Forces a single pass through the firewall. If set to 0,
# packets coming out of a pipe will be reinjected into the
# firewall starting with the rule after the matching one.
# NOTE: there is always one pass for bridged packets.
#
net.inet.ip.fw.one_pass=0
#
# increase the size of network mbufs to allocate
#
kern.ipc.nmbclusters=32768
#
# this is actually a read-only sysctl variable
# must be set in kernel to REALLY be set :(
# to add to kernel:
# options NMBCLUSTERS=32768
#
# In FreeBSD 5.x this should work, however.
#
#
# update maximum files allowed for the kernel
#
kern.maxfiles=65536
#
# stealth IP networking
#
net.inet.ip.stealth=0
#
# set rfc extensions (time stamps on netcraft)
# set to 0 if you don't want this to show
#
net.inet.tcp.rfc1323=1
#
# security against stealth port scans and some DoS attacks
#
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
#
# stops some syn flood attacks, and route cache degradation during a high-bandwidth flood
#
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=256
#
# don't accept sourcerouted packets (they are evil, gross, and have cooties)
#
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
#
# don't log arp responses when you have two interfaces
# this gets way annoying when you have, say, fxp1 and fxp0 on two separate networks
# but are on the same physical line or hub/switch
#
net.link.ether.inet.log_arp_wrong_iface=0
##########################
# // PROCESS SYSCTL's // #
##########################
#
# show only those processes of which you own
#
kern.ps_showallprocs=0
#
# show only the basic process, no arguments
# examples (non root user running ps on a specific PID):
#
# with this set to 1:
# PID TT STAT TIME COMMAND
# 3989 ?? SNs 0:19.86 /usr/sbin/named -u bind -g bind -c named.conf -t /etc/namedb
#
# with this set to 0:
# PID TT STAT TIME COMMAND
# 3989 ?? SNs 0:19.86 (named)
#
# obviously obscures things in a more fundamental way when set to zero.
#
kern.ps_argsopen=0
#
# randomize process ID's ... keep them guessing!
#
kern.randompid=348
#######################
# // JAIL SYSCTL's // #
#######################
#
# settings to secure a jail a bit
#
jail.set_hostname_allowed=0
jail.socket_unixiproute_only=1
jail.sysvipc_allowed=1
#########################
# // KERNEL SYSCTL's // #
#########################
#
# update maximum files allowed for the kernel
#
kern.maxfiles=65536
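Two things bite when a file like the one above is dropped onto a box: an OID the running kernel does not know (the "unknown oid" that net.inet.tcp.drop_synfin produced on a default kernel) and a key listed twice, where the later line silently wins at boot (kern.maxfiles appears in both the networking and the kernel section). The script below is an added example, written for this post and not part of the thern.org file: it parses sysctl.conf syntax, lists duplicated keys, and probes each key with `sysctl -n`, which prints only the value and exits non-zero for an OID the kernel lacks. The sample file inside the script is constructed for the demonstration and is only a few lines in the same style.

```shell
#!/bin/sh
# Validate a sysctl.conf before trusting it at boot.
# Added example for this post; not the thern.org file and not FreeBSD's own tooling.

# Constructed sample in the style of the file above (not the file itself).
# kern.maxfiles is deliberately listed twice, as it is in the full file.
SAMPLE_CONF='#
# constructed sample sysctl.conf
#
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.drop_synfin=1
kern.maxfiles=65536
# ... other sections ...
kern.maxfiles = 65536   # second copy, as in the original file
'

# parse_sysctl_conf: read sysctl.conf text on stdin, drop comments and blank
# lines, and emit one "key value" pair per line (spaces around '=' tolerated).
parse_sysctl_conf() {
    sed -e 's/#.*$//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/ /'
}

# find_duplicate_keys: print every key that is set more than once.
# At boot the last occurrence wins, so an earlier value is dead configuration.
find_duplicate_keys() {
    parse_sysctl_conf | awk '{ print $1 }' | sort | uniq -d
}

# check_sysctl_conf: ask the running kernel about each key.
# `sysctl -n KEY` prints just the value and exits non-zero when the OID does not
# exist, which is exactly the "sysctl: unknown oid" case from the post. Keys
# reported as unknown need a kernel option (e.g. TCP_DROP_SYNFIN) or a newer
# release; they are not applied by the boot-time sysctl run.
check_sysctl_conf() {
    parse_sysctl_conf | while read -r key value; do
        if sysctl -n "$key" >/dev/null 2>&1; then
            printf 'ok       %s=%s\n' "$key" "$value"
        else
            printf 'unknown  %s=%s\n' "$key" "$value"
        fi
    done
}

# Usage against the real file (run on the host whose kernel you care about):
#   check_sysctl_conf < /etc/sysctl.conf
#   find_duplicate_keys < /etc/sysctl.conf
#
# Against the constructed sample, find_duplicate_keys reports: kern.maxfiles
printf '%s' "$SAMPLE_CONF" | find_duplicate_keys
```

Run it before a reboot rather than after: the boot-time pass through sysctl.conf only warns about unknown OIDs, so a hardening setting that needs a kernel option can look applied in the file while never taking effect.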
Category : Security
Posted by FreeBSD Newbie at June 22, 2005 06:40 PM
Comments
You are missing
kern.polling.enable=1 # Don't forget to recompile!
kern.polling.user_frac=50 # Value 1-99
And you have one double!
kern.maxfiles=65536 # See networking as well
Posted by at May 12, 2006 11:05 PM
