There are a few sysctl settings I can think of,
loader.conf
sysctl.conf
sysctl.conf
Once I had the inet settings below, but they might break RFCs, so I'm not certain it is a good idea?
Maybe you have other ideas?
loader.conf
Code:
security.bsd.allow_destructive_dtrace=0   # loader tunable: forbid DTrace destructive actions (e.g. raise(), panic())
Code:
security.bsd.see_other_uids=0          # unprivileged users cannot see processes owned by other UIDs
security.bsd.see_other_gids=0          # same for other GIDs
security.bsd.see_jail_proc=0           # unprivileged host users cannot see processes inside jails
security.bsd.unprivileged_read_msgbuf=0  # only root may read the kernel message buffer (dmesg)
security.bsd.unprivileged_proc_debug=0   # no ptrace(2)/procfs debugging by unprivileged users
kern.randompid=1                       # 1 = let the kernel pick a random PID modulus (it reads back as that modulus)
kern.elf32.allow_wx=0                  # W^X: refuse mappings that are both writable and executable (32-bit ELF)
kern.elf64.allow_wx=0                  # same for 64-bit ELF
kern.elf32.aslr.pie_enable=1           # randomise the load address of PIE executables (32-bit)
kern.elf32.aslr.enable=1               # randomise mmap/stack/shared-library bases (32-bit)
kern.elf64.aslr.pie_enable=1           # same for 64-bit PIE executables
kern.elf64.aslr.enable=1               # same for 64-bit
Code:
net.inet6.ip6.use_tempaddr=1      # RFC 4941 temporary (privacy) addresses for SLAAC prefixes
net.inet6.ip6.prefer_tempaddr=1   # prefer the temporary address as source for outbound connections
net.inet6.ip6.temppltime=7200     # maximum preferred lifetime for temporary addresses (seconds)
net.inet6.ip6.tempvltime=14400    # maximum valid lifetime for temporary addresses (seconds)
Code:
net.inet.icmp.drop_redirect=1      # ignore incoming ICMP redirects
net.inet.icmp.icmplim=50           # limit ICMP responses (RST, unreachable) to 50 per second
net.inet.ip.check_interface=1      # drop packets arriving on an interface that does not own the destination address
net.inet.ip.maxfragpackets=0       # no reassembly queue: every IPv4 fragment is dropped
net.inet.ip.maxfragsperpacket=0    # no fragments accepted per packet
net.inet.ip.process_options=0      # ignore IP options (source routing, record route, timestamp)
net.inet.ip.random_id=1            # randomise the IP ID field
net.inet.ip.redirect=0             # do not send ICMP redirects when forwarding
net.inet.tcp.always_keepalive=0    # keepalives only for sockets that set SO_KEEPALIVE
net.inet.tcp.blackhole=2           # no RST for closed TCP ports (1 = SYN only, 2 = all segments)
net.inet.tcp.cc.algorithm=cubic    # congestion control: a performance choice, not a hardening one
net.inet.tcp.drop_synfin=1         # drop segments with SYN and FIN both set (OS fingerprinting probes)
net.inet.tcp.nolocaltimewait=1     # no TIME_WAIT entries for connections between local addresses
net.inet.udp.blackhole=1           # no ICMP port unreachable for closed UDP ports
net.inet6.icmp6.rediraccept=0      # ignore incoming ICMPv6 redirects
net.inet6.ip6.redirect=0           # do not send ICMPv6 redirects
net.link.tap.up_on_open=1          # bring a tap(4) interface up when /dev/tap is opened (convenience, not hardening)
net.inet.tcp.icmp_may_rst=0        # ICMP unreachable messages may not abort connections in SYN_SENT
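A list like the one above is only useful if the running kernel actually reflects it, and a few of these OIDs do not read back as written (kern.randompid=1 is replaced by a random modulus) or do not exist on every kernel (security.bsd.allow_destructive_dtrace is absent without DTrace). The script below is an added example, not part of the original post: it parses a file in the same sysctl.conf syntax as the blocks above and compares each entry against the live value from sysctl -n, reporting drift and missing OIDs. The function names, the fake lookup hook and the constructed sample are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a FreeBSD host's live
# sysctl values against a hardening list kept in sysctl.conf syntax, one
# "oid=value  # comment" per line, exactly like the blocks above.
# Assumed names: parse_conf, live_lookup, check_one and audit_file are mine.

# Print "oid value" pairs from a sysctl.conf-style file, dropping comments,
# blank lines and anything without an "=" (so a pasted "Code:" label is ignored).
parse_conf() {
    sed -e 's/#.*$//' "$1" | awk '
        { i = index($0, "="); if (i == 0) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k != "") print k, v }'
}

# Live lookup: sysctl -n prints only the value and exits non-zero for an
# unknown OID (e.g. security.bsd.allow_destructive_dtrace on a kernel built
# without DTrace), which audit_file reports as "missing".
live_lookup() { sysctl -n "$1"; }

# Compare one OID; exit 0 when the live value satisfies the wanted one.
# kern.randompid=1 is special: the kernel replaces 1 with a randomly chosen
# PID modulus, so any value > 0 means the setting took effect.
check_one() {
    key=$1; want=$2; have=$3
    if [ -z "$have" ]; then
        printf 'missing  %s (wanted %s; OID not present on this kernel)\n' "$key" "$want"
        return 1
    fi
    case $key in
        kern.randompid)
            if [ "$want" = 1 ] && [ "$have" -gt 0 ] 2>/dev/null; then
                printf 'ok       %s=%s (random modulus chosen by kernel)\n' "$key" "$have"
                return 0
            fi ;;
    esac
    if [ "$have" = "$want" ]; then
        printf 'ok       %s=%s\n' "$key" "$want"
        return 0
    fi
    printf 'DRIFT    %s=%s (wanted %s)\n' "$key" "$have" "$want"
    return 1
}

# Audit every entry in CONF. LOOKUP (default: live_lookup) is a function or
# command that prints the current value of the OID given as its argument.
# Prints one status line per entry and exits with the number of failing entries.
audit_file() {
    conf=$1; lookup=${2:-live_lookup}
    report=$(parse_conf "$conf" | while read -r key want; do
        have=$("$lookup" "$key" 2>/dev/null || :)
        check_one "$key" "$want" "$have" || :   # failures are counted from the report
    done)
    printf '%s\n' "$report"
    return "$(printf '%s\n' "$report" | awk 'NF && $1 != "ok" { n++ } END { print n + 0 }')"
}

# Usage: sh sysctl_audit.sh /etc/sysctl.conf   (exit status = number of failing entries)
if [ $# -gt 0 ]; then
    audit_file "$1"
    exit $?
fi
```

Run it against the file you actually load at boot rather than a copy, and treat a "missing" line as a real finding: a tunable that only exists in loader.conf (allow_destructive_dtrace) silently does nothing if it was put in sysctl.conf, and an OID the kernel lacks means that protection is not there at all.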