FreeBSD performance tuning: Sysctl parameter, loader.conf, kernel

I'd recommend against options IPFIREWALL_DEFAULT_TO_ACCEPT. The default is to deny. The firewall comes up with just one rule, deny ip from any to any, and stays that way until a script configures exactly what traffic should get through.

Follow-Up Note: RSA (one of the world's leading security technology companies) was hacked recently when part of their firewall was disabled during a maintenance window. This really underscores how quickly a system can be compromised given the right conditions.

If you insist on disabling the firewall until you explicitly block unwanted traffic, please consider using the sysctl available by adding net.inet.ip.fw.default_to_accept=1 to loader.conf. This has the added benefit of being easily modified (no recompiling the kernel) if you change your mind at some point in the future.


I usually add the following to my /etc/sysctl.conf as well...

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

and both of

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0

While we're on the tuning subject, I'd also recommend taking a look here:

NGINX + PHP-FPM + APC = Awesome

So, this tutorial on FreeBSD + that tutorial on NGINX = Really Awesome! ;)


From the default sysctl.conf, it provides "security" against script kiddies who manage to brute-force their way in on a non-root account. It doesn't hurt to have it enabled (in most cases; the exceptions are non-privileged daemons that need to see the process list).

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
security.bsd.see_other_uids=0

Security privileges

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.conservative_signals=1
security.bsd.unprivileged_proc_debug=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.hardlink_check_uid=1
security.bsd.hardlink_check_gid=1
vfs.usermount=0
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1
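Both sysctl lists above (the blackhole and see_other_* pair in the earlier comment, and the longer "Security privileges" set) tend to drift once a host's sysctl.conf has been hand-edited a few times. The script below is an added example, not code from the original thread or from FreeBSD itself: it reads a sysctl.conf the way sysctl(8) applies it (comments stripped, the last assignment of a key wins) and reports every key whose effective value differs from the values quoted above. The sample config it checks is constructed for the demonstration; the baseline keys and expected values are the ones listed in the comments.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a FreeBSD sysctl.conf
# against the hardening values quoted above. POSIX sh only; it reads the
# file and never calls sysctl(8), so it can be run on a copied config from
# any machine before the host is rebooted.

# Baseline: "key expected-value" pairs. Lines starting with # are comments.
BASELINE='
# drop all segments to closed TCP ports silently (1 = SYN only, 2 = all)
net.inet.tcp.blackhole 2
# do not answer closed UDP ports with ICMP port unreachable
net.inet.udp.blackhole 1
security.bsd.see_other_uids 0
security.bsd.see_other_gids 0
security.bsd.conservative_signals 1
security.bsd.unprivileged_proc_debug 0
security.bsd.unprivileged_read_msgbuf 0
security.bsd.hardlink_check_uid 1
security.bsd.hardlink_check_gid 1
vfs.usermount 0
net.inet.tcp.log_in_vain 1
net.inet.udp.log_in_vain 1
'

# effective_value FILE KEY
# Print the value of the last uncommented "KEY=value" line in FILE
# (sysctl.conf is applied top to bottom, so a later line overrides an
# earlier one). Prints nothing if KEY is never set.
effective_value() {
    sed -e 's/#.*//' "$1" \
      | awk -F= -v k="$2" '
          { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
          $1 == k { v = $2 }
          END { if (v != "") print v }'
}

# audit_sysctl_conf FILE
# Print one line per deviation ("KEY: expected X, got Y" or "got unset").
# Returns 0 when FILE matches the whole baseline, 1 otherwise.
audit_sysctl_conf() {
    audit_file=$1
    audit_rc=0
    # A here-document (not a pipe) keeps the loop in the current shell so
    # audit_rc survives after the loop.
    while read -r key want; do
        case $key in ''|'#'*) continue ;; esac
        got=$(effective_value "$audit_file" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: expected %s, got %s\n' "$key" "$want" "${got:-unset}"
            audit_rc=1
        fi
    done <<EOF
$BASELINE
EOF
    return $audit_rc
}

# Constructed sample sysctl.conf (not a real host's file). It carries a
# comment block, a later override of an earlier line, one wrong value
# (vfs.usermount) and one missing key (net.inet.udp.log_in_vain).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Uncomment this to prevent users from seeing information about processes
# that are being run under another UID.
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
net.inet.tcp.blackhole=1
net.inet.tcp.blackhole=2   # this later line overrides the one above
net.inet.udp.blackhole=1
security.bsd.conservative_signals=1
security.bsd.unprivileged_proc_debug=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.hardlink_check_uid=1
security.bsd.hardlink_check_gid=1
vfs.usermount=1
net.inet.tcp.log_in_vain=1
EOF

# Usage: report deviations; the sample above yields two of them.
audit_sysctl_conf "$SAMPLE" || echo "sample sysctl.conf deviates from the baseline"
```

Against a real host, run audit_sysctl_conf /etc/sysctl.conf (or on a copy of it); a non-zero return means at least one key is missing or set to something other than the value above. It checks the file, not the running kernel, so pair it with sysctl -n KEY when you also want to confirm the live value.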