Ultimate FreeBSD sysctl tunables & security hardening

In FreeBSD and related BSD operating systems the sysctl settings file is /etc/sysctl.conf. These settings also work perfectly fine in pfSense and OPNsense, where they are entered under System > Settings > Tunables.

To explore all FreeBSD sysctl tunables, open a terminal and enter sysctl -a; to filter for a specific keyword, enter sysctl -a | grep "keyword"

Check out these articles: FreeBSD Tuning and Optimization and FreeBSD – a lesson in poor defaults.

#############################################################
#### Credits: infohack.eu - FreeBSD sysctl.conf tunables ####
#############################################################

# Use H-TCP (Hamilton TCP) congestion control: a packet-loss-based algorithm that pushes more aggressively toward the maximum bandwidth.
# NOTE(review): htcp can only be selected once the cc_htcp kernel module is loaded; this page sets cc_htcp_load="YES" in its boot-time section.
net.inet.tcp.cc.algorithm=htcp
net.inet.tcp.cc.htcp.adaptive_backoff=1
net.inet.tcp.cc.htcp.rtt_scaling=1

# Explicit Congestion Notification (ECN), used only when both ends support it.
# 0 = off (use this if problems appear), 1 = incoming and outgoing connections (clients), 2 = incoming connections only (routers).
net.inet.tcp.ecn.enable=2

# Increase the TCP, UDP, raw and local socket buffers for better performance.
kern.ipc.maxsockbuf=4262144
net.raw.recvspace=65536
net.raw.sendspace=65536
net.inet.raw.maxdgram=131072
net.inet.raw.recvspace=131072
net.inet.tcp.recvspace=65536
net.inet.tcp.recvbuf_inc=65536
net.inet.tcp.recvbuf_max=4194304
net.inet.tcp.sendbuf_inc=65536
net.inet.tcp.sendbuf_max=4194304
net.inet.tcp.sendspace=65536
net.inet.udp.maxdgram=57344
net.inet.udp.recvspace=1048576
net.local.dgram.maxdgram=8192
net.local.stream.recvspace=16384
net.local.stream.sendspace=16384

# Increase the maximum number of jumbo clusters.
# NOTE(review): kern.ipc.nmbjumbop is set a second time, to the same value, in the boot-time section of this page.
kern.ipc.nmbjumbo9=65536
kern.ipc.nmbjumbo16=32768
kern.ipc.nmbjumbop=524288

# Disable Selective Acknowledgement (SACK) to avoid SACK-related TCP vulnerabilities.
# NOTE(review): without SACK, loss recovery is slower on lossy or long-delay paths; confirm the trade-off is wanted.
net.inet.tcp.sack.enable=0

# Disable the RFC 1323 TCP extensions. TCP timestamps let a remote host calculate the system uptime, boot time and the host's clock with millisecond precision.
# NOTE(review): this sysctl also governs TCP window scaling, so with it off a connection's window is capped at 64 KB and the 4 MB recvbuf_max/sendbuf_max values set earlier in this file cannot be reached — confirm.
net.inet.tcp.rfc1323=0

# Disable RFC 1379 (T/TCP), which allowed bypassing the 3-way handshake using segments with both SYN and FIN set.
# NOTE(review): presumably absent on current releases; check `sysctl net.inet.tcp.rfc1379` before relying on it.
net.inet.tcp.rfc1379=0

# Enable RFC 3042 (Limited Transmit): helps TCP recover from loss when 3 duplicate ACKs have not been received.
net.inet.tcp.rfc3042=1

# Increase the accuracy of TCP Fast Recovery (RFC 6675 pipe calculation).
net.inet.tcp.rfc6675_pipe=1

# Disable TCP Segmentation Offload (TSO).
net.inet.tcp.tso=0

# Disable flow control on the WAN interface (igb0) to utilize the full network bandwidth. (Intel igb NIC only.)
dev.igb.0.fc=0

# Increase the maximum number of received packets processed per interrupt. (Intel igb NIC only.)
# Adjust the unit numbers (0, 1, 2) to the igb interfaces actually present.
dev.igb.0.iflib.rx_budget=65535
dev.igb.1.iflib.rx_budget=65535
dev.igb.2.iflib.rx_budget=65535

# Increase the maximum number of interrupts per second on any interrupt level before it is treated as an interrupt storm.
hw.intr_storm_threshold=32000

# Atheros (ath0) WiFi adapter settings to improve stability and performance. (ath wireless NIC only.)
hw.ath.rxbuf=4096
hw.ath.txbuf=4096
hw.ath.txbuf_mgmt=256
hw.ath.bstuck=44
dev.ath.0.diversity=0
dev.ath.0.tpc=1
dev.ath.0.tpscale=1

# Enable non-executable stacks and the stack guard page to make stack buffer overflows harder to exploit.
# NOTE(review): Stack Smashing Protection (SSP) itself is a compile-time feature (stack canaries); these sysctls are the runtime protections only.
kern.elf32.nxstack=1
kern.elf64.nxstack=1
security.bsd.stack_guard_page=1

# Enable Address Space Layout Randomization (ASLR), including for Position Independent Executables (PIE), to hinder exploitation of memory corruption vulnerabilities.
kern.elf32.aslr.enable=1
kern.elf64.aslr.enable=1
kern.elf32.aslr.pie_enable=1
kern.elf64.aslr.pie_enable=1

# Indirect Branch Restricted Speculation (IBRS) is the Spectre V2 mitigation.
# NOTE(review): this is a *_disable knob, so 1 turns the mitigation OFF. That is a performance choice which weakens hardening; use hw.ibrs_disable=0 to keep IBRS active.
hw.ibrs_disable=1

# Page Table Isolation (PTI) is the Meltdown mitigation.
# NOTE(review): 0 turns the mitigation OFF, which is only appropriate on CPUs not affected by Meltdown. This is presumably a boot-time tunable that sysctl.conf cannot change — verify with `sysctl vm.pmap.pti` after boot.
vm.pmap.pti=0

# Increase the Fortuna Pseudorandom Number Generator (PRNG) minimum pool size so more entropy is accumulated before a reseed.
kern.random.fortuna.minpoolsize=512

# Exclude INTERRUPT and NET_ETHER from entropy harvesting for a few percent of NIC performance.
# NOTE(review): this removes entropy sources, and the bit layout of the mask may differ between releases — check `sysctl kern.random.harvest.mask_symbolic` on the target system.
kern.random.harvest.mask=351

# Randomize PIDs for better security.
kern.randompid=1

# Randomize the ID field in IP packets to increase security.
net.inet.ip.random_id=1

# Securelevel. At 0, the value while the system is first booting, there are no special protections.
# When the system reaches multi-user mode the securelevel is raised to 1: nobody can write to /dev/mem and /dev/kmem (many old security exploits relied on this), raw disk devices of all mounted file systems are read-only (programs should only access mounted file systems through the standard devices, so day-to-day operation is unchanged), and the schg and sappnd flags cannot be removed without rebooting into single-user mode.
# (*Set securelevel=-1 manually and reboot for every system update!*)
# NOTE(review): the value set here is 0, so the level-1 protections described above only apply if something else raises the level — confirm with `sysctl kern.securelevel` after boot.
kern.securelevel=0

# Limit the effect of bogus and spoofed ICMP packets: ICMP may not reset TCP connections, no replies to broadcast/multicast echo, mask or timestamp requests, and redirects are dropped.
# icmplim caps ICMP responses per second; icmplim_output=0 silences the rate-limit log message, and log_redirect=0 means dropped redirects are not logged.
# NOTE(review): with both logging knobs off, ICMP-based probing leaves no trace in the system log; consider enabling them where detection matters.
net.inet.tcp.icmp_may_rst=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.icmplim=1
net.inet.icmp.icmplim_output=0
net.inet.icmp.log_redirect=0
net.inet.icmp.maskfake=0
net.inet.icmp.maskrepl=0
net.inet.icmp.quotelen=8
net.inet.icmp.reply_from_interface=0
net.inet.icmp.reply_src=0
net.inet.icmp.tstamprepl=0

# Refuse fragmented IP packets (IPv4 and IPv6) by setting every reassembly limit to 0.
# NOTE(review): this also drops legitimate fragmented traffic (large UDP datagrams, some tunnels). Together with net.inet.tcp.path_mtu_discovery=0 later in this file, paths with a smaller MTU may stall — test before deploying.
net.inet.ip.maxfragpackets=0
net.inet.ip.maxfrags=0
net.inet.ip.maxfragsperpacket=0
net.inet6.ip6.maxfragpackets=0
net.inet6.ip6.maxfrags=0
net.inet6.ip6.maxfragsperpacket=0

# Do not process IP options in incoming packets.
net.inet.ip.process_options=0

# Do not send ICMP redirects and do not accept ICMPv6 redirects, so that an attacker cannot learn routes and next hops or reach non-routable addresses.
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
net.inet6.icmp6.rediraccept=0
net.inet6.icmp6.redirtimeout=1

# Disable source routing so that an attacker cannot reach non-routable addresses.
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0

# Verify that a packet arrived on the interface that owns its destination address.
net.inet.ip.check_interface=1

# Enable fast forwarding to increase packet forwarding performance by 40-60%.
# NOTE(review): presumably not present on newer releases; check `sysctl net.inet.ip.fastforwarding` on the target system.
net.inet.ip.fastforwarding=1

# Drop packets sent to closed TCP ports without returning a RST.
# This slows port scans but is not a replacement for firewall rules.
net.inet.tcp.blackhole=2

# Do not send ICMP port unreachable messages for closed UDP ports.
net.inet.udp.blackhole=1

# Do not touch the TTL (hop limit) of packets passing through the firewall.
net.inet.ip.stealth=1
net.inet6.ip6.stealth=1

# Slow-start flight size (initial congestion window) in number of segments.
net.inet.tcp.initcwnd_segments=44

# Cap the maximum cwnd increment during slow-start to this number of segments.
net.inet.tcp.abc_l_var=44

# Do not assume SO_KEEPALIVE on all TCP connections (0 = off).
# With this off, the keepalive timers set further down only apply to sockets that request SO_KEEPALIVE themselves.
net.inet.tcp.always_keepalive=0

# Time before a delayed ACK is sent.
net.inet.tcp.delacktime=15

# Do not delay an ACK to try to piggyback it onto a data packet.
net.inet.tcp.delayed_ack=0

# Drop SYN-FIN packets (breaks RFC 1379, but nobody uses it anyway).
net.inet.tcp.drop_synfin=1

# TCP FIN_WAIT_2 timeout: how long to wait for the client's FIN packet before the state is closed.
net.inet.tcp.finwait2_timeout=15

# Recycle closed FIN_WAIT_2 connections faster.
net.inet.tcp.fast_finwait2_recycle=1

# TCP Fast Open (TFO) [RFC 7413]: disabled on the client side, so the three-way TCP handshake is always enforced.
net.inet.tcp.fastopen.client_enable=0

# TFO pre-shared key (PSK) mode: left off (0), consistent with TFO being disabled on both sides.
net.inet.tcp.fastopen.psk_enable=0

# TCP Fast Open (TFO) [RFC 7413]: disabled on the server side, so the three-way TCP handshake is always enforced.
net.inet.tcp.fastopen.server_enable=0

# Disable the TCP host cache (no entries allowed); this increases burst data rates.
net.inet.tcp.hostcache.cachelimit=0

# Host cache entry lifetime set to 0, matching the disabled host cache above.
net.inet.tcp.hostcache.expire=0

# To defend against sequence number attacks, the ISN secret key must be reseeded often enough that it cannot be regarded as predictable.
net.inet.tcp.isn_reseed_interval=4500

# Number of TCP keepalive probe failures before the socket is forcibly closed.
net.inet.tcp.keepcnt=2

# Time before keepalive probes begin.
net.inet.tcp.keepidle=10000

# Time between keepalive probes.
net.inet.tcp.keepintvl=5000

# TCP extended debugging (0 = off).
net.inet.tcp.log_debug=0

# Do not log incoming TCP segments to closed ports (0 = off).
# NOTE(review): with tcp.blackhole set, turning this on is one way to see connection probes in the log; it can be noisy.
net.inet.tcp.log_in_vain=0

# Minimum TCP Maximum Segment Size.
net.inet.tcp.minmss=536

# Maximum Segment Lifetime: governs the time a connection spends in the TIME_WAIT state.
net.inet.tcp.msl=2500

# Default TCP Maximum Segment Size.
net.inet.tcp.mssdflt=1460

# Do not create compressed TCP TIME_WAIT entries for local connections.
net.inet.tcp.nolocaltimewait=1

# Disable Path MTU blackhole detection against security vulnerabilities.
net.inet.tcp.pmtud_blackhole_detection=0

# Disable Path MTU Discovery against security vulnerabilities.
# NOTE(review): this file also refuses all IP fragments (maxfrag* = 0); with both in effect, connections over paths with a smaller MTU may hang — test before deploying.
net.inet.tcp.path_mtu_discovery=0

# Drop TCP options from the 3rd and later retransmitted SYN.
net.inet.tcp.rexmit_drop_options=1

# Reduce the TCP retransmit timer slop.
net.inet.tcp.rexmit_slop=100

# Use soreceive_stream for TCP sockets.
net.inet.tcp.soreceive_stream=1

# Per-bucket hash limit for the syncache.
net.inet.tcp.syncache.bucketlimit=100

# Size of the TCP syncache hash table.
net.inet.tcp.syncache.hashsize=1024

# Limiting retransmitted SYN/ACKs reduces the local syncache size and the collateral damage of a "SYN flood" DoS attack, because SYN/ACKs are not sent back to spoofed IPs multiple times.
net.inet.tcp.syncache.rexmtlimit=0

# Do not send a reset on socket allocation failure (0 = off).
net.inet.tcp.syncache.rst_on_sock_fail=0

# As the returning ACK establishes the connection, it may be possible for an attacker to ACK flood a machine in an attempt to create a connection. Another consequence of overflowing to the point of getting a valid SYN cookie is that the attacker can include a data payload: the attacker can then send data to a FreeBSD network daemon, even from a spoofed source IP address, and have FreeBSD process it, which would not be possible without SYN cookies. Even though syncookies are helpful during a DoS, they are disabled here.
# NOTE(review): with syncookies off, a SYN flood that fills the syncache leaves no fallback and new legitimate connections are dropped; make sure SYN flood handling is covered elsewhere (for example in the firewall).
net.inet.tcp.syncookies=0

# Generate UDP checksums.
net.inet.udp.checksum=1

# Do not log incoming UDP packets (0 = off).
net.inet.udp.log_in_vain=0

# Restrict AF_INET6 sockets to IPv6 addresses only.
net.inet6.ip6.v6only=1

# Increase the pf source-node hash table. The increase is necessary for HTTP/3 (UDP) traffic because of the sheer number of malicious UDP packets creating states.
# NOTE(review): the pf hash sizes are presumably boot-time tunables; if sysctl reports them read-only, set them in the loader configuration instead.
net.pf.source_nodes_hashsize=1048576

# Increase the size of the pf states hash table.
net.pf.states_hashsize=1048576

# Maximum routing socket dispatch queue length.
net.route.netisr_maxqlen=2048

# Protect the route table from DoS attacks by expiring entries quickly.
net.inet.ip.rtexpire=2

# Enable locking of shared memory pages in core.
kern.ipc.shm_use_phys=1

# Increase shared memory limits for more performance.
kern.ipc.shmall=256000
kern.ipc.shmmax=1000000000
kern.ipc.shmmni=1024
kern.ipc.shmseg=1024

# Maximum listen socket pending connection accept queue size.
kern.ipc.soacceptqueue=2048

# Increase the size of the listen queue for accepting new TCP connections.
kern.ipc.somaxconn=2048

# Open files.
# NOTE(review): kern.openfiles looks like the read-only counter of currently open files; the limit is kern.maxfiles below — verify that this line is accepted.
kern.openfiles=1024

# Maximum number of open files system-wide.
kern.maxfiles=100000

# Maximum number of processes.
# NOTE(review): presumably a boot-time tunable; if sysctl reports it read-only, set it in the loader configuration.
kern.maxproc=100000

# Scaling factor used to size kernel tables (it is not a file descriptor limit).
# NOTE(review): presumably a boot-time tunable; if sysctl reports it read-only, set it in the loader configuration.
kern.maxusers=1024

# Interactivity score threshold.
kern.sched.interact=5

# Quantum for timeshare threads in stathz ticks.
kern.sched.slice=1

# Time to delay syncing directories, metadata and files.
kern.dirdelay=3
kern.metadelay=2
kern.filedelay=5

# Increase the maximum length of process arguments that the kernel caches.
kern.ps_arg_cache_limit=4096

# Disable forwarding of a signal to a process on a different CPU.
kern.smp.forward_signal_enabled=0

# Raise the number of allowed threads per process.
kern.threads.max_threads_per_proc=4096

# Flush the L1 data cache on NMI exit (software assist for the bhyve L1TF mitigation).
machdep.nmi_flush_l1d_sw=1

# Increase the maximum size of the IP input queue.
net.inet.ip.intr_queue_maxlen=4096

# First port of the range used for outgoing connections.
net.inet.ip.portrange.first=10000

# Maximum number of random port allocations before switching to sequential allocation.
net.inet.ip.portrange.randomcps=9999

# Enable random port allocation.
net.inet.ip.portrange.randomized=1

# Minimum time to keep sequential port allocation before switching back to random allocation.
net.inet.ip.portrange.randomtime=1

# Increase UFS read-ahead (better disk performance, particularly for SSDs) to match the state of hard drives and NCQ.
vfs.read_max=128

# Disable Internet Group Management Protocol (IGMP) features. Only suitable when IPv4 multicast is not used.
net.inet.igmp.recvifkludge=0
net.inet.igmp.sendlocal=0
net.inet.igmp.sendra=0
net.inet.igmp.v1enable=0
net.inet.igmp.v2enable=0

# Disable loopback of multicast datagrams.
net.inet.ip.mcast.loop=0

# Disable Multicast Listener Discovery (MLD). Only suitable when IPv6 multicast is not used.
net.inet6.mld.use_allow=0
net.inet6.mld.v1enable=0
net.inet6.mld.v2enable=0

# Do not panic on an NMI raised by a hardware failure.
machdep.panic_on_nmi=0

# For best performance set this to 1: bpf is then write-only unless the program explicitly specifies a read filter. *Do not enable it on OPNsense, or the firewall logs stop working*.
net.bpf.optimize_writers=0

# No ABORT is sent back in response to an out-of-the-blue SCTP packet.
net.inet.sctp.blackhole=2

# Disable sending of the SACK-IMMEDIATELY bit.
net.inet.sctp.enable_sack_immediately=0

# Enable SCTP PKTDROP.
net.inet.sctp.pktdrop_enable=1

# Default SCTP congestion control module. Default is 0, minimum 0, maximum 3.
# 0 = default congestion control algorithm, 1 = High Speed, 2 = HTCP, 3 = data center congestion control (DCCC).
net.inet.sctp.default_cc_module=2

# IPsec tunnels are made ECN-friendly when this is 1; it is left at 0 here.
net.inet.ipsec.ecn=0
net.inet6.ipsec6.ecn=0

# Maximum number of outgoing ICMPv6 error messages per second.
net.inet6.icmp6.errppslimit=1

# Do not use a loopback route when configuring an IPv6 address.
net.inet6.icmp6.nd6_useloopback=0

# Disable RFC 4620 node information query types.
net.inet6.icmp6.nodeinfo=0

# Do not join the old IPv6 NI group address from draft-ietf-ipngwg-icmp-name-lookup (kept only for compatibility with the KAME implementation).
net.inet6.icmp6.nodeinfo_oldmcprefix=0

# Do not accept ICMPv6 Router Advertisement (RA) messages.
net.inet6.ip6.accept_rtadv=0

# Do not automatically add an IPv6 link-local address to interfaces when they are attached.
net.inet6.ip6.auto_linklocal=0

# Number of ICMPv6 NS messages sent during duplicate address detection (DAD).
# NOTE(review): 0 presumably means no DAD probes are sent, so an address conflict on the link would go unnoticed — confirm this is intended.
net.inet6.ip6.dad_count=0

# Disable Enhanced DAD, which adds a random nonce to NS messages for DAD.
net.inet6.ip6.dad_enhanced=0

# Disable IPv6 forwarding. (Keep it disabled if you don't use IPv6 routing.)
net.inet6.ip6.forwarding=0

# Default maximum number of IPv6 extension headers permitted on incoming IPv6 packets; 0 means no artificial limit.
# NOTE(review): 0 removes the cap rather than tightening it; a hardening profile would normally keep a finite limit.
net.inet6.ip6.hdrnestlimit=0

# Maximum size of the IPv6 input queue.
net.inet6.ip6.intr_queue_maxlen=2048

# Disable loopback of IPv6 multicast datagrams.
net.inet6.ip6.mcast.loop=0

# Do not add routers that send ICMPv6 RA messages to the default router list.
net.inet6.ip6.no_radr=1

# Do not accept the default router list from ICMPv6 RA messages when packet forwarding is enabled.
net.inet6.ip6.rfc6204w3=0

# Do not use IPv6 addresses whose preferred lifetimes have expired.
net.inet6.ip6.use_deprecated=0

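# Enable the IPv6 privacy extensions (temporary addresses, RFC 4941) and prefer temporary addresses for outgoing connections.
# The stray trailing "1" after the prefer_tempaddr value has been removed so the value is exactly 1.
net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1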

# When the value is zero the IPsec stack always uses a new SA in preference to an old one.
net.key.preferred_oldsa=0

# Enable packet filtering on the bridge interface.
net.link.bridge.pfil_bridge=1

# Additionally filter on the physical interface for locally destined packets.
net.link.bridge.pfil_local_phys=1

# Enable filtering on the incoming and outgoing member interfaces.
net.link.bridge.pfil_member=1

# Only allow IP packets to pass (subject to firewall rules); set to 0 to unconditionally pass all non-IP Ethernet frames.
net.link.bridge.pfil_onlyip=1

# Do not allow unprivileged access to tap(4) device nodes (0 = denied).
net.link.tap.user_open=0

# CPU power saving.
# Run `sysctl dev.cpu.0.cx_supported` to see which CPU sleep states are supported. (For a router that is active 24/7 use C0 or C1; for a desktop use the deepest sleep state to save power.)
hw.acpi.cpu.cx_lowest=C1
# Run `sysctl dev.cpu.0.freq_levels` to see which CPU frequencies are supported.
debug.cpufreq.lowest=600

# PCI power saving: put absolutely every device without a driver into the D3 state.
hw.pci.do_power_nodriver=3

# Deny chroot to a process that has a directory open.
kern.chroot_allow_open_directories=0

# Revoke mmap access to files via copy-on-write semantics, or by removing all write access.
security.mac.mmap_revocation_via_cow=1

# Prevent unprivileged processes from sending certain signals to processes whose credentials have changed.
security.bsd.conservative_signals=1

# Unprivileged processes cannot create hard links to files owned by other groups.
security.bsd.hardlink_check_gid=1

# Unprivileged processes cannot create hard links to files owned by other users.
security.bsd.hardlink_check_uid=1

# Do not permit processes to map an object at virtual address zero (0 = denied).
security.bsd.map_at_zero=0

# Hide processes running as other groups.
security.bsd.see_other_gids=0

# Hide processes running as other users.
security.bsd.see_other_uids=0

# Do not allow non-root users to call mlock.
security.bsd.unprivileged_mlock=0

# Unprivileged processes may not use process debugging facilities (0 = denied).
security.bsd.unprivileged_proc_debug=0

# Unprivileged processes may not read the kernel message buffer (0 = denied).
security.bsd.unprivileged_read_msgbuf=0

# Hide running processes that belong to jails.
security.bsd.see_jail_proc=0

# Processes in a jail may not set the jail's hostname.
security.jail.set_hostname_allowed=0

# Lower the system load average under FreeBSD by selecting the event timer mode (periodic or one-shot).
# In periodic mode, periodic interrupts from the timer hardware are the only source of time for time events. One-shot mode instead uses the currently selected time counter to schedule all needed events precisely and programs the event timer to generate an interrupt exactly at the specified time.
# The default depends on the capabilities of the chosen timer, but one-shot mode is preferred unless the other is forced by the user or the hardware.
kern.eventtimer.periodic=0

# Disable USB enumeration if you don't need it.
# NOTE(review): newly attached USB devices, including a keyboard used for console recovery, will not be recognized while this is set.
hw.usb.disable_enumeration=1
dev.uhub.0.disable_enumeration=1
dev.uhub.1.disable_enumeration=1

# Disable USB port power if you don't need it.
hw.usb.disable_port_power=1
dev.uhub.0.disable_port_power=1
dev.uhub.1.disable_port_power=1

# Do not enter the kernel debugger (KDB) on NMI.
machdep.kdb_on_nmi=0

# Restrict the ability to change the keymap.
hw.kbd.keymap_restrict_change=4

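# Disable the key combination that enters the kernel debugger (vt console).
kern.vt.kbd_debug=0

# Disable the keyboard debugger key on the syscons console.
# The key name was missing its leading "h" (w.syscons...), so the setting could not have matched the hw.syscons tree used on the next entry.
hw.syscons.kbd_debug=0

# Disable CTRL+ALT+Delete reboot from the keyboard.
# This description was missing its "#" and would have been read as a setting line.
hw.syscons.kbd_reboot=0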

# Disable core dumps, minidumps and text dumps. Dumps can contain secrets from process or kernel memory.
# NOTE(review): with every dump type off, nothing is left to analyse after a crash or panic; weigh this against troubleshooting and incident-response needs.
kern.nodump_coredump=1
kern.coredump=0
kern.coredump_pack_fileinfo=0
kern.coredump_pack_vmmapinfo=0
debug.minidump=0
debug.trace_all_panics=0
debug.trace_on_panic=0
debug.ddb.textdump.do_config=0
debug.ddb.textdump.do_ddb=0
debug.ddb.textdump.do_msgbuf=0
debug.ddb.textdump.do_panic=0
debug.ddb.textdump.do_version=0

# Disable GEOM label and software-RAID metadata formats (and their device nodes) if you don't use them.
kern.geom.label.ext2fs.enable=0
kern.geom.label.msdosfs.enable=0
kern.geom.label.ntfs.enable=0
kern.geom.label.reiserfs.enable=0
kern.geom.raid.enable=0
kern.geom.raid.concat.enable=0
kern.geom.raid.ddf.enable=0
kern.geom.raid.intel.enable=0
kern.geom.raid.jmicron.enable=0
kern.geom.raid.nvidia.enable=0
kern.geom.raid.promise.enable=0
kern.geom.raid.raid0.enable=0
kern.geom.raid.raid1.enable=0
kern.geom.raid.raid1e.enable=0
kern.geom.raid.raid5.enable=0
kern.geom.raid.sii.enable=0

The other FreeBSD sysctl tunables can only be activated at boot, so for them you need to create a new file, /boot/loader.conf.local.

# CPU and speculative-execution settings applied at boot: hyper-threading off, plus the store-bypass, MDS and L1D-flush knobs.
# NOTE(review): these lines switch mitigations on, while the sysctl.conf part of this page sets hw.ibrs_disable=1 and vm.pmap.pti=0, which switch mitigations off. Decide on one policy and confirm each value's meaning on the target release.
machdep.hyperthreading_allowed="0"
machdep.disable_mtrrs="1"
machdep.syscall_ret_flush_l1d="1"
hw.spec_store_bypass_disable="1"
hw.mds_disable="3"
# hn(4) network driver (Hyper-V guests): no UDP checksum offload and no trust in host-side checksum verification.
hw.hn.enable_udp4cs="0"
hw.hn.enable_udp6cs="0"
hw.hn.trust_hostudp="0"
hw.hn.trust_hostip="0"
hw.hn.trust_hosttcp="0"
# vtnet(4) network driver (VirtIO guests): multiqueue, LRO, TSO and checksum offload disabled.
hw.vtnet.rx_process_limit="-1"
hw.vtnet.mq_disable="1"
hw.vtnet.lro_disable="1"
hw.vtnet.tso_disable="1"
hw.vtnet.csum_disable="1"
# Network memory, hash table and netisr queue/thread sizing.
# kern.ipc.nmbjumbop repeats the value already given in the sysctl.conf part of this page.
# NOTE(review): kern.ipc.numopensockets looks like a read-only counter rather than a limit — verify that it is accepted.
kern.ipc.nmbclusters="1000000"
kern.ipc.nmbjumbop="524288"
net.inet.tcp.tcbhashsize="65536"
kern.ipc.numopensockets="2048"
net.link.ifqmaxlen="4096"
net.isr.defaultqlimit="4096"
net.isr.dispatch="deferred"
net.isr.bindthreads="1"
net.isr.maxthreads="-1"
net.isr.numthreads="-1"
# Enable resource accounting (RACCT).
kern.racct.enable="1"
# NOTE(review): kern.features.* presumably only report what the running kernel was built with; setting them to 0 here is unlikely to remove the feature. Removing a feature normally means a custom kernel or not loading the module — verify.
kern.features.compat_freebsd_32bit="0"
kern.features.ipsec="0"
kern.features.inet6="0"
kern.features.pps_sync="0"
kern.features.nfsd="0"
kern.features.nfscl="0"
kern.features.scbus="0"
kern.features.kdtrace_hooks="0"
kern.features.ktrace="0"
kern.features.netdump="0"
# CPU count, ACPI thread count and machine-check architecture (MCA) settings.
kern.smp.maxcpus="-1"
debug.acpi.max_threads="-1"
hw.mca.enabled="0"
# NOTE(review): from here on the list mixes two kinds of settings. Names ending in _load are loader.conf(5) kernel module loads.
# The *_enable, *_flags and similar names look like rc.conf(5) variables, which the boot loader does not act on; to take effect they presumably belong in /etc/rc.conf — verify on the target system.
microcode_update_enable="YES"
# Kernel modules: load H-TCP congestion control and the ath(4) driver; do not load the tunnelling, bridging, lagg and pfsync modules.
cc_htcp_load="YES"
if_ath_load="YES"
if_bridge_load="NO"
if_enc_load="NO"
if_gif_load="NO"
if_gre_load="NO"
if_lagg_load="NO"
if_tap_load="NO"
if_tun_load="NO"
pfsync_load="NO"
# PPP services and network options (rc.conf style), followed by the RACK TCP stack module load.
# NOTE(review): icmp_log_redirect="YES" disagrees with net.inet.icmp.log_redirect=0 in the sysctl.conf part of this page; pick one.
ppp_enable="NO"
pppoed_enable="YES"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
icmp_bmcastecho="NO"
accept_sourceroute="NO"
forward_sourceroute="NO"
tcp_extensions="NO"
tcp_drop_synfin="YES"
tcp_rack_load="YES"
# Services (rc.conf style): syslogd without a network socket, sendmail fully off, sshguard on, and unused network daemons off.
syslogd_flags="-ss"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
sshguard_enable="YES"
rpcbind_enable="NO"
nfs_client_enable="NO"
nfs_server_enable="NO"
mountd_enable="NO"
inetd_enable="NO"
ftpproxy_enable="NO"
ipv6_enable="NO"
ipv6_prefer="NO"
ipv6_activate_all_interfaces="NO"
ipv6_privacy="YES"
ipv6_cpe_wanif="NO"
ipv6_ipv4mapping="NO"
ipv6_gateway_enable="NO"
ubthidhci_enable="NO"
bthidd_enable="NO"
hcsecd_enable="NO"
rfcomm_pppd_server_enable="NO"
sdpd_enable="NO"
ipsec_enable="NO"
ftpd_enable="NO"
linux_enable="NO"
lpd_enable="NO"
rtsold_enable="NO"
bsnmpd_enable="NO"
rtadvd_enable="NO"
route6d_enable="NO"
nis_server_enable="NO"
nis_ypxfrd_enable="NO"
nis_ypset_enable="NO"
nis_ypldap_enable="NO"
nis_client_enable="NO"
keyserv_enable="NO"
timed_enable="NO"
rpc_statd_enable="NO"
rpc_lockd_enable="NO"
nfscbd_enable="NO"
nfsuserd_enable="NO"
nfsv4_server_enable="NO"
rwhod_enable="NO"
fsck_y_enable="YES"
kdc_enable="NO"
kfd_enable="NO"
kadmind_enable="NO"
ctld_enable="NO"
iscsid_enable="NO"
iscsictl_enable="NO"
virecover_enable="NO"
mixer_enable="NO"
netwait_enable="NO"
cfumass_load="NO"
amd_enable="NO"
# Duplicate of the rwhod_enable line earlier in this list (same value).
rwhod_enable="NO"
hastd_enable="NO"
# Entropy harvest mask (same value as kern.random.harvest.mask in the sysctl.conf part) and power management.
harvest_mask="351"
performance_cpu_freq="LOW"
performance_cx_lowest="LOW"
economy_cx_lowest="LOW"
powerd_enable="YES"
# Debugger and crash dumps off, /tmp cleared at boot, and the securelevel set at startup.
# NOTE(review): kern_securelevel="0" asks for level 0, which matches kern.securelevel=0 in the sysctl.conf part but does not give the level-1 protections described there.
ddb_enable="NO"
savecore_enable="NO"
dumpdev="NO"
update_motd="NO"
clear_tmp_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel="0"
