| Tunable Name | Description | Value |
|---|---|---|
| net.inet.tcp.syncache.rexmtlimit | Reduce the number of SYN/ACKs the server retransmits to an address that did not respond to the first SYN/ACK (default 3) | 0 |
| net.inet.ip.rtexpire | Spoofed packet attacks may be used to overload the kernel route cache; see http://www.es.freebsd.org/doc/handbook/securing-freebsd.html (page may be gone) (default 3600) | 10 |
| net.inet.ip.check_interface | General security and DoS mitigation: verify that a packet arrives on the correct interface (default 0) | 1 |
| net.inet.ip.process_options | General security and DoS mitigation: ignore IP options in incoming packets (default 1) | 0 |
| net.inet.ip.random_id | General security and DoS mitigation: assign a random IP_ID to each packet leaving the system (default 0) | 1 |
| net.inet.ip.redirect | General security and DoS mitigation: do not send IP redirects (default 1) | 0 |
| net.inet.icmp.drop_redirect | General security and DoS mitigation: drop ICMP redirect packets (default 0) | 1 |
| net.inet.tcp.always_keepalive | General security and DoS mitigation: disable TCP keepalive probing of dead peers, since keepalives can be spoofed (default 1) | 0 |
| net.inet.tcp.drop_synfin | General security and DoS mitigation: drop packets with both SYN and FIN set on initial connection (default 0) | 1 |
| net.inet.tcp.fast_finwait2_recycle | General security and DoS mitigation: recycle FIN_WAIT_2 states quickly (helps against DoS, but may cause spurious RSTs) (default 0) | 0 |
| net.inet.tcp.msl | General security and DoS mitigation: Maximum Segment Lifetime is the time a TCP segment can exist on the network and determines the TIME_WAIT interval, 2*MSL (default 30000 ms, giving a 60-second TIME_WAIT) | 5000 |
| net.inet.tcp.path_mtu_discovery | General security and DoS mitigation: disable path MTU discovery, since most ICMP type 3 packets are dropped by other networks (default 1) | 0 |
| net.inet.udp.blackhole | General security and DoS mitigation: drop UDP packets destined for closed sockets (default 0) | 1 |
| net.inet.tcp.blackhole | General security and DoS mitigation: drop TCP packets destined for closed ports (default 0) | 2 |
| security.bsd.see_other_uids | General security and DoS mitigation: users only see their own processes; root can see all (default 1) | 0 |
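Added example (not part of the original table): a POSIX sh audit helper that compares the values above against `sysctl` output in FreeBSD's `name: value` format and reports every tunable that still deviates, with constructed sample output in place of a live host.

```shell
# Desired values from the table above, one "name value" pair per line.
DESIRED='net.inet.tcp.syncache.rexmtlimit 0
net.inet.ip.rtexpire 10
net.inet.ip.check_interface 1
net.inet.ip.process_options 0
net.inet.ip.random_id 1
net.inet.ip.redirect 0
net.inet.icmp.drop_redirect 1
net.inet.tcp.always_keepalive 0
net.inet.tcp.drop_synfin 1
net.inet.tcp.fast_finwait2_recycle 0
net.inet.tcp.msl 5000
net.inet.tcp.path_mtu_discovery 0
net.inet.udp.blackhole 1
net.inet.tcp.blackhole 2
security.bsd.see_other_uids 0'
# audit_sysctl: reads "name: value" lines (FreeBSD sysctl(8) output format) on stdin
# and prints "name current desired" for each deviating tunable ("missing" if absent).
audit_sysctl() {
    current=$(cat)
    printf '%s\n' "$DESIRED" | while read -r name want; do
        pat=$(printf '%s' "$name" | sed 's/\./\\./g')   # dots must match literally
        have=$(printf '%s\n' "$current" | sed -n "s/^$pat: //p")
        if [ -z "$have" ]; then
            printf '%s missing %s\n' "$name" "$want"
        elif [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$name" "$have" "$want"
        fi
    done
}
# sample_audit: constructed sysctl output (two defaults left in place, msl not present).
sample_audit() {
    audit_sysctl <<'EOF'
net.inet.tcp.syncache.rexmtlimit: 3
net.inet.ip.rtexpire: 10
net.inet.ip.check_interface: 1
net.inet.ip.process_options: 0
net.inet.ip.random_id: 1
net.inet.ip.redirect: 0
net.inet.icmp.drop_redirect: 1
net.inet.tcp.always_keepalive: 0
net.inet.tcp.drop_synfin: 1
net.inet.tcp.fast_finwait2_recycle: 0
net.inet.tcp.path_mtu_discovery: 0
net.inet.udp.blackhole: 1
net.inet.tcp.blackhole: 0
security.bsd.see_other_uids: 0
EOF
}
```

On a FreeBSD host, feed it live values with `sysctl $(printf '%s\n' "$DESIRED" | cut -d' ' -f1) | audit_sysctl`; an empty result means every tunable matches the table.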