What settings Digitalocean suggested for tuning of FreeBSD installation

June 16, 2015 2.2k views
Security Server Optimization FreeBSD

When I getting your Ubuntu, sysctl.conf is populated with suggested values per droplet, unfortunately there is not defaults for the FreeBSD fresh installation, so my settings looks like:

# $FreeBSD: releng/10.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
# security.bsd.see_other_uids=0

#unix socket
kern.ipc.numopensockets = 2048
# Spoofed packet attacks may be used to overload the kernel route cache. A
# spoofed packet attack uses random source IPs to cause the kernel to generate
# a temporary cached route in the route table, Route cache is an extraneous
# caching layer mapping interfaces to routes to IPs and saves a lookup to the
# Forward Information Base (FIB); a routing table within the network stack. The
# IPv4 routing cache was intended to eliminate a FIB lookup and increase
# performance. While a good idea in principle, unfortunately it provided a very
# small performance boost in less than 10% of connections and opens up the
# possibility of a DoS vector. Setting rtexpire and rtminexpire to two(2)
# seconds should be sufficient to protect the route table from attack.
# http://www.es.freebsd.org/doc/handbook/securing-freebsd.html
net.inet.ip.rtexpire=2       # (default 3600)
net.inet.ip.rtminexpire=2    # (default 10  )a
# Syncookies have a certain number of advantages and disadvantages. Syncookies
# are useful if you are being DoS attacked as this method helps filter the
# proper clients from the attack machines. But, since the TCP options from the
# initial SYN are not saved in syncookies, the tcp options are not applied to
# the connection, precluding use of features like window scale, timestamps, or
# exact MSS sizing. As the returning ACK establishes the connection, it may be
# possible for an attacker to ACK flood a machine in an attempt to create a
# connection. Another benefit to overflowing to the point of getting a valid
# SYN cookie is the attacker can include data payload. Now that the attacker
# can send data to a FreeBSD network daemon, even using a spoofed source IP
# address, they can have FreeBSD do processing on the data which is not
# something the attacker could do without having SYN cookies. Even though
# syncookies are helpful during a DoS, we are going to disable them at this
# time.
net.inet.tcp.syncookies=0  # (default 1)

# General Security and DoS mitigation
#net.bpf.optimize_writers=0           # bpf are write-only unless program explicitly specifies the read filter (default 0)
#net.bpf.zerocopy_enable=0            # zero-copy BPF buffers, breaks dhcpd ! (default 0)
net.inet.ip.check_interface=1         # verify packet arrives on correct interface (default 0)
#net.inet.ip.portrange.randomized=1   # randomize outgoing upper ports (default 1)
net.inet.ip.process_options=0         # ignore IP options in the incoming packets (default 1)
#net.inet.ip.random_id=1              # assign a random IP_ID to each packet leaving the system (default 0)
net.inet.ip.redirect=0                # do not send IP redirects (default 1)
#net.inet.ip.accept_sourceroute=0     # drop source routed packets since they can not be trusted (default 0)
#net.inet.ip.sourceroute=0            # if source routed packets are accepted the route data is ignored (default 0)
net.inet.ip.stealth=1                 # do not reduce the TTL by one(1) when a packets goes through the firewall (default 0)
#net.inet.icmp.bmcastecho=0           # do not respond to ICMP packets sent to IP broadcast addresses (default 0)
#net.inet.icmp.maskfake=0             # do not fake reply to ICMP Address Mask Request packets (default 0)
#net.inet.icmp.maskrepl=0             # replies are not sent for ICMP address mask requests (default 0)
#net.inet.icmp.log_redirect=0         # do not log redirected ICMP packet attempts (default 0)
net.inet.icmp.drop_redirect=1         # no redirected ICMP packets (default 0)
#net.inet.icmp.icmplim=500            # number of ICMP/TCP RST packets/sec, increase for bittorrent or many clients. (default 200)
#net.inet.icmp.icmplim_output=1       # show "Limiting open port RST response" messages (default 1)
#net.inet.tcp.always_keepalive=0      # tcp keep alive detection for dead peers, can be spoofed (default 1)
net.inet.tcp.drop_synfin=1            # SYN/FIN packets get dropped on initial connection (default 0)
#net.inet.tcp.ecn.enable=1            # explicit congestion notification (ecn) warning: some ISP routers abuse ECN (default 0)
net.inet.tcp.fast_finwait2_recycle=1  # recycle FIN/WAIT states quickly (helps against DoS, but may cause false RST) (default 0)
net.inet.tcp.icmp_may_rst=0           # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
#net.inet.tcp.maxtcptw=15000          # max number of tcp time_wait states for closing connections (default 5120)
net.inet.tcp.msl=5000                 # 5s maximum segment life waiting for an ACK in reply to a SYN-ACK or FIN-ACK (default 30000)
net.inet.tcp.path_mtu_discovery=0     # disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1)
#net.inet.tcp.rfc3042=1               # on packet loss trigger the fast retransmit algorithm instead of tcp timeout (default 1)
net.inet.udp.blackhole=1              # drop udp packets destined for closed sockets (default 0)
net.inet.tcp.blackhole=2              # drop tcp packets destined for closed ports (default 0)
#net.route.netisr_maxqlen=2048        # route queue length (rtsock using "netstat -Q") (default 256)
#security.bsd.see_other_uids=0         # users only see their own processes. root can see all (default 1)

# increase localhost network buffers. For example, if you run many high
# bandwidth services on lo0 like an http or local DB server and forward public
# external traffic using Pf. Also, if running many jails on lo0 then these may
# help. set to 10x(lo0 mtu 16384 + 40 bytes for header) = 164240
net.local.stream.sendspace=164240  # (default 8192)
net.local.stream.recvspace=164240  # (default 8192)

# TCP keep alive can help detecting network errors and signaling connection
# problems. Keep alives will increase signaling bandwidth used, but as
# bandwidth utilized by signaling channels is low from its nature, the increase
# is insignificant. the system will disconnect a dead TCP connection when the
# remote peer is dead or unresponsive for: 10000 + (5000 x 8) = 50000 msec (50
# sec)
net.inet.tcp.keepidle=10000     # (default 7200000 )
net.inet.tcp.keepintvl=5000     # (default 75000 )
net.inet.tcp.always_keepalive=1 # (default 1)

So the question is what is missing or what is your suggestion/recommendation for the best default settings or FreeBSD comes with good enough?

hardware info:

CPU: Intel(R) Xeon(R) CPU E5-2650L v3 @ 1.80GHz (1797.98-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs, 2GB of RAM

Thank you

  • I find difficult to follow your post. Could you please try to format the text to make it more readable?

    Anyway I think that sysctl.conf is not provided by DigitalOcean because the default settings of FreeBSD are a good starting point. It's the user that should change those values depending on the type of services is going to run (server? router? If server, what type: http? cache? there is a java? it has jails?).



  • Nice set of sysctl's. Thank you.

    The code could be changed to avoid italics:

    net.inet.tcp.icmpmayrst vs net.inet.tcp.icmp _ may _ rst
    net.inet.tcp.fastfinwait2recycle vs net.inet.tcp.fast _ finwait2 _ recycle
    net.inet.tcp.pathmtudiscovery vs net.inet.tcp.path _ mtu _ discovery


Be the first one to answer this question.