Ultimate FreeBSD sysctl tunables & security hardening

In FreeBSD and related BSD operating systems, the sysctl.conf file is located at /etc/sysctl.conf. These settings also work perfectly fine in pfSense and OPNsense when you go to System > Settings > Tunables.

To explore all FreeBSD system sysctl tunables, open a terminal and enter sysctl -a. To filter for a specific keyword, enter sysctl -a | grep "keyword"

Checkout these articles FreeBSD Tuning and Optimization and FreeBSD – a lesson in poor defaults.

####################################################################
# Credits: infohack.eu - Updated: 26/12/2023 - FreeBSD sysctl.conf #
####################################################################

# Enable H-TCP congestion control: The Hamilton TCP (HighSpeed-TCP) algorithm is a packet loss based congestion control and is more aggressive pushing up to max bandwidth. 	
net.inet.tcp.cc.algorithm=htcp 	
net.inet.tcp.cc.htcp.adaptive_backoff=1 	
net.inet.tcp.cc.htcp.rtt_scaling=1

# Enable Explicit Congestion Notification (ECN) if both ends support it. Set ECN=0 if problems. ECN=1 on Clients for incoming & outgoing connections. ECN=2 on Router only for incoming connections.
net.inet.tcp.ecn.enable=2

# Increase TCP & UDP network buffers for better performance.
kern.ipc.maxsockbuf=4262144	
net.raw.recvspace=65536 	
net.raw.sendspace=65536 	
net.inet.raw.maxdgram=131072 	
net.inet.raw.recvspace=131072 	
net.inet.tcp.recvspace=65536 
net.inet.tcp.recvbuf_inc=65536 	
net.inet.tcp.recvbuf_max=4194304 	
net.inet.tcp.sendbuf_inc=65536 	
net.inet.tcp.sendbuf_max=4194304 	
net.inet.tcp.sendspace=65536 	
net.inet.udp.maxdgram=57344
net.inet.udp.recvspace=1048576
net.local.dgram.maxdgram=8192	
net.local.stream.recvspace=16384 	
net.local.stream.sendspace=16384 	

# Increase maximum number of jumbo clusters.
kern.ipc.nmbjumbo9=65536 	
kern.ipc.nmbjumbo16=32768 	
kern.ipc.nmbjumbop=524288

# Intel Gigabit (igb) Disable Flow Control for WAN to utilize full network bandwidth. (Only for igb.0 nic)
dev.igb.0.fc=0 	 

# Intel Gigabit (igb) Increase maximum number of received packets to process interrupts. (Only for igb nic)
dev.igb.0.iflib.rx_budget=65535 	 	
dev.igb.1.iflib.rx_budget=65535 	
dev.igb.2.iflib.rx_budget=65535 	

# Atheros (ath) WiFi Router tuning to improve network stability and performance. (Tested on AR9287 [AR5B97] wireless mini pcie card)
hw.ath.rxbuf=4096 	
hw.ath.txbuf=4096 	
hw.ath.txbuf_mgmt=1024 
hw.ath.bstuck=16384 
dev.ath.0.diversity=1
dev.ath.0.rxantenna=0
dev.ath.0.txantenna=0
dev.ath.0.tpc=0 	
dev.ath.0.tpscale=0
dev.ath.0.hal.force_full_reset=0

# Disable Selective Acknowledgement (SACK). The author's stated reason is
# protection against TCP vulnerabilities.
# NOTE(review): SACK is also what lets TCP recover efficiently from several
# losses in one window, so turning it off costs throughput on lossy paths and
# works against the 4 MB buffer tuning earlier in this file. Prefer a patched
# kernel over a blanket disable -- confirm which advisory this was meant for.
net.inet.tcp.sack.enable=0

# Disable the RFC 1323 TCP extensions. The goal is to stop remote hosts from
# using TCP timestamps to estimate system uptime, boot time and the host clock.
# NOTE(review): this knob covers window scaling as well as timestamps, so 0
# also caps the TCP window at 64 KB and makes the recvbuf_max/sendbuf_max
# values in this file unreachable. Recent FreeBSD releases document a value
# that keeps window scaling while dropping timestamps -- check tcp(4) on the
# target release before using 0.
net.inet.tcp.rfc1323=0

# Keep the RFC 1379 style handshake bypass (data accepted without a full
# three-way handshake) disabled.
# NOTE(review): transaction TCP was removed from FreeBSD long ago; this OID is
# presumably unknown on current releases and would only produce a warning at
# boot -- verify with sysctl -d net.inet.tcp.rfc1379.
net.inet.tcp.rfc1379=0

# Enable Limited Transmit (RFC 3042): lets fast recovery start when fewer than
# 3 duplicate ACKs have been received.
net.inet.tcp.rfc3042=1

# Use the RFC 6675 pipe calculation to make TCP Fast Recovery more accurate.
# NOTE(review): RFC 6675 is a SACK-based algorithm, so this presumably has no
# effect while SACK is disabled above -- confirm.
net.inet.tcp.rfc6675_pipe=1

# Disable TCP Segmentation Offload (TSO). Note that TSO is not the TCP Offload
# Engine (TOE); this only stops the NIC from segmenting large sends.
net.inet.tcp.tso=0

# Increase maximum number of interrupts per second on any interrupt level.
hw.intr_storm_threshold=32000 

# Enable non-executable stacks and the stack guard page against buffer
# overflows.
# NOTE(review): these are not Stack Smashing Protection (SSP) -- SSP is the
# compiler's stack-canary feature. nxstack marks process stacks non-executable
# for 32-bit and 64-bit ELF binaries; stack_guard_page keeps a guard page at
# the end of the stack so runaway growth faults instead of running into other
# mappings.
kern.elf32.nxstack=1
kern.elf64.nxstack=1
security.bsd.stack_guard_page=1

# Enable Address Space Layout Randomization (ASLR), including for Position
# Independent Executables (PIE), to make exploitation of memory corruption
# vulnerabilities harder.
kern.elf32.aslr.enable=1
kern.elf64.aslr.enable=1
kern.elf32.aslr.pie_enable=1
kern.elf64.aslr.pie_enable=1

# Disable Indirect Branch Restricted Speculation, i.e. turn the Spectre V2
# mitigation OFF.
# NOTE(review): this trades security for speed and contradicts both the
# hardening goal of this file and the MDS/SSB mitigations enabled in the boot
# settings further down. Use hw.ibrs_disable=0 unless the host only ever runs
# trusted code.
hw.ibrs_disable=1

# Disable Page Table Isolation, i.e. turn the Meltdown mitigation OFF.
# NOTE(review): same trade-off as IBRS on affected CPUs. vm.pmap.pti is
# presumably a boot-time tunable, so it may be rejected from sysctl.conf --
# verify with sysctl -d vm.pmap.pti. Leaving it unset lets the kernel choose
# the value for the detected CPU.
vm.pmap.pti=0

# Increase Fortuna Pseudorandom Number Generator (PRNG) poolsize for higher entropy accumulation. 
kern.random.fortuna.minpoolsize=512  	

# Exclude INTERRUPT and NET_ETHER for entropy harvest for few % performance NIC benefit.
kern.random.harvest.mask=351	

# Randomize PID's for better security.
kern.randompid=1 	

# Randomize the ID Field in IP Packets to increase security.
net.inet.ip.random_id=1	

# Kernel securelevel. Level 0 applies while the system is first booting and
# offers no special features; when the system reaches multi-user mode the
# securelevel is raised to 1. At level 1 nobody can write to /dev/mem and
# /dev/kmem (many old security exploits relied on this), raw disk devices of
# all mounted file systems are read-only, and the schg and sappnd flags cannot
# be removed without rebooting into single-user mode. Programs should only
# access mounted file systems through the standard devices, so day-to-day
# operations do not change.
# NOTE(review): the value set on the next line is -1, which leaves all of the
# protections described above switched off. The author uses -1 as the
# maintenance value (set it manually and reboot for every system update); on a
# hardened host raise it to 1 or higher once updates are done. A running
# kernel only allows the level to be raised, so lowering it takes a reboot.
kern.securelevel=-1

# Harden ICMP handling against bogus and spoofed packets: ICMP errors may not
# reset TCP connections, broadcast/multicast echo, address-mask and timestamp
# requests are not answered, and incoming redirects are dropped.
# NOTE(review): icmplim=1 rate-limits ICMP responses to one per second, which
# also slows legitimate diagnostics (ping, traceroute). log_redirect=0 means
# dropped redirects are not logged, while icmp_log_redirect="YES" in the boot
# settings further down asks for the opposite -- pick one.
net.inet.tcp.icmp_may_rst=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.icmplim=1
net.inet.icmp.icmplim_output=0
net.inet.icmp.log_redirect=0
net.inet.icmp.maskfake=0
net.inet.icmp.maskrepl=0
net.inet.icmp.quotelen=8
net.inet.icmp.reply_from_interface=0
net.inet.icmp.reply_src=0
net.inet.icmp.tstamprepl=0

# Refuse fragmented IPv4 and IPv6 packets by setting every reassembly limit
# to 0.
# NOTE(review): this removes the fragment-reassembly attack surface but also
# drops legitimate fragments, e.g. large DNS or IKE UDP datagrams and some
# tunnelled traffic. Together with Path MTU Discovery being disabled later in
# this file, expect hard-to-diagnose stalls on paths with a small MTU; a small
# non-zero limit is the usual compromise. Test before deploying on a router.
net.inet.ip.maxfragpackets=0
net.inet.ip.maxfrags=0
net.inet.ip.maxfragsperpacket=0
net.inet6.ip6.maxfragpackets=0
net.inet6.ip6.maxfrags=0
net.inet6.ip6.maxfragsperpacket=0

# Disable IP Process Options in the incoming packets.
net.inet.ip.process_options=0 	

# Disable sending ICMP redirects to prevent attacker to reach non-routable addresses, route and next hop to be known.
net.inet.ip.redirect=0 
net.inet6.ip6.redirect=0 
net.inet6.icmp6.rediraccept=0 	
net.inet6.icmp6.redirtimeout=1 	
 
# Disable Source Routing to prevent attacker to reach non-routable addresses. 
net.inet.ip.sourceroute=0 
net.inet.ip.accept_sourceroute=0	
	
# Enable packet verification to check on correct interface.
net.inet.ip.check_interface=1 	

# Enable Fast forwarding to increase 40-60% packet performance.
net.inet.ip.fastforwarding=1

# Drop packets to closed TCP ports without returning a RST. 
net.inet.tcp.blackhole=2 	

# Do not send ICMP port unreachable messages for closed UDP ports.
net.inet.udp.blackhole=1 

# Prevent touching the TTL of packets when goes through the firewall.
net.inet.ip.stealth=1 
net.inet6.ip6.stealth=1

# Slow-start flight size (initial congestion window) in number of segments.
net.inet.tcp.initcwnd_segments=44 	

# Cap the max cwnd increment during slow-start to this number of segments.
net.inet.tcp.abc_l_var=44 	

# Assume SO_KEEPALIVE on all TCP connections.
net.inet.tcp.always_keepalive=0 	

# Time before a delayed ACK is sent.
net.inet.tcp.delacktime=15 	

# Do not delay ACK to try and piggyback it onto a data packet. 
net.inet.tcp.delayed_ack=0 	

# Drop SYN-FIN packets. (breaks RFC1379, but nobody uses it anyway)
net.inet.tcp.drop_synfin=1 	

# TCP FIN_WAIT_2 timeout waiting for client FIN packet before state close.
net.inet.tcp.finwait2_timeout=15 

# Recycle closed FIN_WAIT_2 connections faster.
net.inet.tcp.fast_finwait2_recycle=1 	

# TCP Fast Open (TFO) [RFC7413]. Disable TCP Fast Open client side to enforce three way TCP handshake.
net.inet.tcp.fastopen.client_enable=0 	

# Pre-shared key (PSK) mode is enabled for all TFO servers for consistency. Disable TCP Fast Open client side to enforce three way TCP handshake. 	
net.inet.tcp.fastopen.psk_enable=0 	

# TCP Fast Open (TFO) [RFC7413]. Disable TCP Fast Open client side to enforce three way TCP handshake.
net.inet.tcp.fastopen.server_enable=0 	

# Disabling the hostcache increases burst data rates.
net.inet.tcp.hostcache.cachelimit=0 	

# Disabling the hostcache increases burst data rates.
net.inet.tcp.hostcache.expire=0 	

# In order to defend against Sequence Number Attacks the ISN secret key should not be used sufficiently often that it would be regarded as predictable, and thus insecure.
net.inet.tcp.isn_reseed_interval=4500 	

# Amount of tcp keep alive probe failures before socket is forced closed. 
net.inet.tcp.keepcnt=2 	

# Time before keepalive probes begin.
net.inet.tcp.keepidle=10000 	

# Time between keepalive probes.
net.inet.tcp.keepintvl=5000 	

# TCP extended debugging.
net.inet.tcp.log_debug=0 	

# Log all incoming TCP segments to closed ports.
net.inet.tcp.log_in_vain=0 	

# Minimum TCP Maximum Segment Size.
net.inet.tcp.minmss=536 	

# Maximum Segment Lifetime, time the connection spends in TIME_WAIT state.
net.inet.tcp.msl=2500 	

# Default TCP Maximum Segment Size.
net.inet.tcp.mssdflt=1460 	

# Do not create compressed TCP TIME_WAIT entries for local connections.
net.inet.tcp.nolocaltimewait=1 	

# Disable Path MTU Discovery blackhole detection. The author's stated reason
# is security.
# NOTE(review): blackhole detection is the fallback that lowers the segment
# size when full-size packets silently disappear; it presumably only matters
# while Path MTU Discovery itself is enabled -- confirm in tcp(4).
net.inet.tcp.pmtud_blackhole_detection=0

# Disable Path MTU Discovery. The author's stated reason is security.
# NOTE(review): without PMTUD the stack cannot learn that a path has a smaller
# MTU than the local link. With mssdflt=1460 and all fragments refused
# elsewhere in this file, links such as PPPoE or VPN tunnels may stall or lose
# large transfers. Filtering forged ICMP at the firewall is the usual
# alternative to switching PMTUD off -- test on the real uplink first.
net.inet.tcp.path_mtu_discovery=0

# Drop TCP options from 3rd and later retransmitted SYN.
net.inet.tcp.rexmit_drop_options=1 	

# Reduce the TCP retransmit timer.
net.inet.tcp.rexmit_slop=100 	

# Using soreceive_stream for TCP sockets.
net.inet.tcp.soreceive_stream=1 	

# Per-bucket hash limit for syncache.
net.inet.tcp.syncache.bucketlimit=100 	

# Size of TCP syncache hashtable.
net.inet.tcp.syncache.hashsize=1024 	

# Limiting retransmitted SYN/ACKs reduces the local syncache size and the
# collateral damage of a "SYN flood" DoS attack, because SYN/ACKs are not sent
# back to spoofed IPs multiple times.
# NOTE(review): with a limit of 0 a single lost SYN/ACK presumably fails the
# handshake until the client retransmits its SYN -- expect slower connection
# setup on lossy links.
net.inet.tcp.syncache.rexmtlimit=0

# Do not send a reset when socket allocation fails (0 = disabled).
net.inet.tcp.syncache.rst_on_sock_fail=0

# Disable syncookies; the author's stated reason is that they can be spoofed,
# and recommends enabling them only temporarily during heavy DoS attacks.
# NOTE(review): SYN cookies are the fallback that keeps a listener accepting
# connections once the syncache is full. With them off, a sustained SYN flood
# that fills the syncache (bucketlimit/hashsize above) causes new connections
# to be dropped, and somebody has to notice the attack to switch them back on.
# For an Internet-facing host leaving syncookies=1 is the safer default.
net.inet.tcp.syncookies=0

# Generate UDP Checksums.
net.inet.udp.checksum=1 	

# Log all incoming UDP packets.
net.inet.udp.log_in_vain=0 	

# Restrict AF_INET6 sockets to IPv6 addresses only.
net.inet6.ip6.v6only=1

# The hashtable increase is necessary for HTTP/3 UDP traffic due to the sheer number of malicious UDP packets creating states. 
net.pf.source_nodes_hashsize=1048576 	

# Increase size of pf states hashtable.
net.pf.states_hashsize=1048576 

# Maximum routing socket dispatch queue length.
net.route.netisr_maxqlen=2048 	

# Protect the route table from DoS attacks.
net.inet.ip.rtexpire=2 	

# Enable locking of shared memory pages in core. 	
kern.ipc.shm_use_phys=1 	

# Increase shared memory for more performance.
kern.ipc.shmall=256000 	
kern.ipc.shmmax=1000000000 	
kern.ipc.shmmni=1024 	
kern.ipc.shmseg=1024 	

# Maximum listen socket pending connection accept queue size.
kern.ipc.soacceptqueue=2048 	

# Increase size of the listen queue for accepting new TCP connections.
kern.ipc.somaxconn=2048 	

# Open files.
# NOTE(review): kern.openfiles presumably reports the number of files that are
# currently open and is read-only, so this assignment likely has no effect --
# verify with sysctl -d kern.openfiles. The limit itself is kern.maxfiles.
kern.openfiles=1024

# Maximum number of files open system-wide.
kern.maxfiles=100000

# Maximum number of processes (the original label said "shared memory", which
# does not match this OID).
# NOTE(review): presumably a boot-time tunable that belongs in loader.conf --
# confirm with sysctl -d kern.maxproc.
kern.maxproc=100000

# Base value from which the kernel sizes several of its tables (the original
# label said "file descriptors", which does not match this OID).
# NOTE(review): presumably a boot-time tunable that belongs in loader.conf --
# confirm with sysctl -d kern.maxusers.
kern.maxusers=1024

# Interactivity score threshold.
kern.sched.interact=5 	

# Quantum for timeshare threads in stathz ticks.
kern.sched.slice=1 

# Time to delay syncing directories, metadata & files.
kern.dirdelay=3 
kern.metadelay=2 	
kern.filedelay=5 	
	
# Increase length of the arguments exceeding the kernel.
kern.ps_arg_cache_limit=4096 	

# Disable forwarding of a signal to a process on a different CPU.
kern.smp.forward_signal_enabled=0 	

# Raise the number of allowed threads per process.
kern.threads.max_threads_per_proc=4096 	

# Flush L1 Data Cache on NMI exit, software bhyve L1TF mitigation assist.
machdep.nmi_flush_l1d_sw=1 	

# Increase maximum size of the IP input queue.
net.inet.ip.intr_queue_maxlen=4096 	

# First Portrange for outgoing connections.
net.inet.ip.portrange.first=10000 	

# Maximum number of random port allocations before switching to a sequental one. 	
net.inet.ip.portrange.randomcps=9999 	

# Enable random port allocation.
net.inet.ip.portrange.randomized=1 	

# Minimum time to keep sequental port allocation before switching to a random one.
net.inet.ip.portrange.randomtime=1 	

# Increase UFS read-ahead speeds (better disk performance - particularly for SSDs) to match the state of hard drives and NCQ.
vfs.read_max=128 	

# Disable Internet Group Management Protocol (IGMP).
net.inet.igmp.recvifkludge=0 	
net.inet.igmp.sendlocal=0 	
net.inet.igmp.sendra=0 	
net.inet.igmp.v1enable=0 	
net.inet.igmp.v2enable=0 	

# Disable loopback multicast datagrams.
net.inet.ip.mcast.loop=0 	

# Disable Multicast Listener Discovery (MLD).
net.inet6.mld.use_allow=0 	
net.inet6.mld.v1enable=0 	
net.inet6.mld.v2enable=0 	

# Disable Panic on NMI raised by hardware failure.
machdep.panic_on_nmi=0 	

# For best performance set to 1. bpf is write-only unless program explicitly specifies the read filter. *Don't enable or opnsense firewall logs stop working*.
net.bpf.optimize_writers=0 	

# No ABORT is sent back in response to an out-of-the-blue packet.	
net.inet.sctp.blackhole=2 	

# Disable sending of the SACK-IMMEDIATELY-bit.
net.inet.sctp.enable_sack_immediately=0 	

# Enable SCTP PKTDROP.
net.inet.sctp.pktdrop_enable=1 	

# Default congestion control module. Default value is 0. The minimum is 0, and the maximum is 3. A value of 0 enables the default congestion control algorithm. A value of 1 enables the High Speed congestion control algorithm. A value of 2 enables the HTCP congestion control algorithm. A value of 3 enables the data center congestion control (DCCC) algorithm.
net.inet.sctp.default_cc_module=2
	     
# Make IPsec tunnel ECN-friendly when set to 1.
net.inet.ipsec.ecn=0           
net.inet6.ipsec6.ecn=0	        

# Maximum number of outgoing ICMPv6 error messages per second.
net.inet6.icmp6.errppslimit=1 	

# Disable loopback route when configuring an IPv6 address.
net.inet6.icmp6.nd6_useloopback=0 	

# Disable RFC 4620 node information query types.
net.inet6.icmp6.nodeinfo=0 	

# Don't join old IPv6 NI group address in draft-ietf-ipngwg-icmp-name-lookup for compatibility with KAME implementation.
net.inet6.icmp6.nodeinfo_oldmcprefix=0 

# Disable accepting ICMPv6 RA messages.
net.inet6.ip6.accept_rtadv=0 	

# Disable automatically adding an IPv6 link-local address to interfaces when attached.
net.inet6.ip6.auto_linklocal=0 	

# Number of ICMPv6 NS messages sent during duplicate address detection.
net.inet6.ip6.dad_count=0 	

# Disable Enhanced DAD, which adds a random nonce to NS messages for DAD.
net.inet6.ip6.dad_enhanced=0 	

# Disable IPv6 Forwarding. (Disable if you don't use IPV6 routing)
net.inet6.ip6.forwarding=0 	

# Default maximum number of IPv6 extension headers permitted on incoming IPv6 packets, 0 for no artificial limit.
net.inet6.ip6.hdrnestlimit=0 	

# Maximum size of the IPv6 input queue.
net.inet6.ip6.intr_queue_maxlen=2048 	

# Disable IPv6 loopback multicast datagrams.
net.inet6.ip6.mcast.loop=0 	

# Disable routers sending ICMPv6 RA messages on interfaces added into the default router list.
net.inet6.ip6.no_radr=1 	

# Disable the default router list from ICMPv6 RA messages even when packet forwarding is enabled.
net.inet6.ip6.rfc6204w3=0 	
 	
# Disable the use of IPv6 addresses whose preferred lifetimes have expired.
net.inet6.ip6.use_deprecated=0 	

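# Enable privacy settings for IPv6 (RFC 4941): generate temporary addresses
# and prefer them as the source address.
# The stray trailing "1" that followed prefer_tempaddr has been removed; a
# second token after the value is not valid sysctl.conf syntax.
net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.prefer_tempaddr=1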

# When the value is zero the stack always use a new SA.
net.key.preferred_oldsa=0 	

# Enable filtering on the bridge interface.
net.link.bridge.pfil_bridge=1 	

# Enable additionally filter on the physical interface for locally destined packets.
net.link.bridge.pfil_local_phys=1 	

# Enable filtering on the incoming and outgoing member interfaces. 
net.link.bridge.pfil_member=1

# Only allow IP packets to pass (subject to firewall rules), set to 0 to unconditionally pass all non-IP Ethernet frames.
net.link.bridge.pfil_onlyip=1 	

# Controls unprivileged access to tap(4) device nodes; 0 (set here) denies it,
# so only root can open tap interfaces.
net.link.tap.user_open=0

# CPU Power Saving.
# See 'sysctl dev.cpu.0.cx_supported' what lowest CPU sleep states are supported. (for 24/7 active router / server use C0 or C1 and for desktop client use the highest deep sleeping state to save power.)
hw.acpi.cpu.cx_lowest=C1
# See "sysctl dev.cpu.0.freq_levels" for the lowest CPU frequencies that are supported.
debug.cpufreq.lowest=600

# PCI Power saving put absolutely everything in D3 state. 
hw.pci.do_power_nodriver=3 	

# Deny a process to chroot if it has a directory open.	
kern.chroot_allow_open_directories=0 	

# Revoke mmap access to files via copy-on-write semantics, or by removing all write access.
security.mac.mmap_revocation_via_cow=1 	

# Unprivileged processes prevented from sending certain signals to processes whose credentials have changed.
security.bsd.conservative_signals=1 	

# Unprivileged processes cannot create hard links to files owned by other groups.
security.bsd.hardlink_check_gid=1 	

# Unprivileged processes cannot create hard links to files owned by other users.
security.bsd.hardlink_check_uid=1	 	

# Controls whether processes may map an object at virtual address zero;
# 0 (set here) forbids it, so a kernel NULL-pointer dereference cannot land on
# attacker-controlled memory.
security.bsd.map_at_zero=0

# Hide processes running as other groups.
security.bsd.see_other_gids=0

# Hide processes running as other users.
security.bsd.see_other_uids=0

# Do not allow non-root users to call mlock.
security.bsd.unprivileged_mlock=0

# Controls whether unprivileged processes may use process debugging
# facilities; 0 (set here) denies it.
# NOTE(review): this also stops ordinary users from running debuggers and
# tracers on their own processes -- expected on a router, inconvenient on a
# development machine.
security.bsd.unprivileged_proc_debug=0

# Controls whether unprivileged processes may read the kernel message buffer;
# 0 (set here) denies it, so dmesg output is available to root only.
security.bsd.unprivileged_read_msgbuf=0

# Hide processes that belong to other jails.
security.bsd.see_jail_proc=0

# Disable processes in jail can set their hostnames.
security.jail.set_hostname_allowed=0 

# Lower the system load average under FreeBSD. Allows to choose periodic and one-shot operation mode. In periodic mode, periodic interrupts from timer hardware are taken as the only source of time for time events. One-shot mode instead uses currently selected time counter to precisely schedule all needed events and programs event timer to generate interrupt exactly in speci-fied time. Default value depends of chosen timer capabilities, but one-shot mode is preferred, until other is forced by user or hardware. 	
kern.eventtimer.periodic=0 	

# Disable USB Enumeration if don't need it.
hw.usb.disable_enumeration=1 	
dev.uhub.0.disable_enumeration=1 	
dev.uhub.1.disable_enumeration=1 

# Disable USB Port Power if don't need it.
hw.usb.disable_port_power=1 
dev.uhub.0.disable_port_power=1 	
dev.uhub.1.disable_port_power=1 

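# Console and keyboard lock-down: none of these key combinations or hardware
# events should be able to drop the machine into the kernel debugger or
# reboot it from the physical console.

# Disable KDB on NMI.
machdep.kdb_on_nmi=0

# Restrict ability to change keymap.
hw.kbd.keymap_restrict_change=4

# Disable key combination to enter debugger.
kern.vt.kbd_debug=0

# Disable keyboard debug.
# Fixed: the OID was written "w.syscons.kbd_debug", which sysctl would reject
# as unknown, leaving the setting unapplied.
hw.syscons.kbd_debug=0

# Disable CTRL+ALT+Delete reboot from keyboard.
# Fixed: the description line above was missing its leading "#", so it was
# parsed as a (malformed) setting instead of a comment.
# NOTE(review): the hw.syscons.* OIDs presumably exist only with the
# syscons(4) console; on a vt(4) console check "sysctl kern.vt" for the
# matching knobs.
hw.syscons.kbd_reboot=0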

# Disable coredump and text dumps.
kern.nodump_coredump=1 
kern.coredump=0 	
kern.coredump_pack_fileinfo=0 	
kern.coredump_pack_vmmapinfo=0 
debug.minidump=0 	
debug.trace_all_panics=0 	
debug.trace_on_panic=0 	
debug.ddb.textdump.do_config=0 	
debug.ddb.textdump.do_ddb=0 	
debug.ddb.textdump.do_msgbuf=0 	
debug.ddb.textdump.do_panic=0 	
debug.ddb.textdump.do_version=0 	

# Disable device nodes & metadata format if don't use them.
kern.geom.label.ext2fs.enable=0 	
kern.geom.label.msdosfs.enable=0 	
kern.geom.label.ntfs.enable=0 	
kern.geom.label.reiserfs.enable=0 	
kern.geom.raid.enable=0 
kern.geom.raid.concat.enable=0 	
kern.geom.raid.ddf.enable=0 	
kern.geom.raid.intel.enable=0 	
kern.geom.raid.jmicron.enable=0 	
kern.geom.raid.nvidia.enable=0 	
kern.geom.raid.promise.enable=0 	
kern.geom.raid.raid0.enable=0 	
kern.geom.raid.raid1.enable=0 	
kern.geom.raid.raid1e.enable=0 	
kern.geom.raid.raid5.enable=0 	
kern.geom.raid.sii.enable=0

For the other FreeBSD sysctl tunables, you need to create a new file, /boot/loader.conf.local, because they can only be activated at boot.

# CPU side-channel settings applied at boot.
# NOTE(review): these enable mitigations, while the sysctl.conf listing above
# sets hw.ibrs_disable=1 and vm.pmap.pti=0, which switch the Spectre V2 and
# Meltdown mitigations off. Decide on one policy and apply it to both files.

# Do not use Hyper-Threading logical CPUs (0 = not allowed).
machdep.hyperthreading_allowed="0"
# Disable MTRR support.
# NOTE(review): the security purpose of this one is not evident from the page
# and it can affect memory caching behaviour -- confirm before copying.
machdep.disable_mtrrs="1"
# Flush the L1 data cache on syscall return (presumably the error-return path;
# see sysctl -d machdep.syscall_ret_flush_l1d).
machdep.syscall_ret_flush_l1d="1"
# Enable Speculative Store Bypass Disable (1 = on).
hw.spec_store_bypass_disable="1"
# Microarchitectural Data Sampling mitigation; 3 presumably selects the
# automatic mode -- verify with sysctl -d hw.mds_disable.
hw.mds_disable="3"
hw.hn.enable_udp4cs="0"  
hw.hn.enable_udp6cs="0" 
hw.hn.trust_hostudp="0"
hw.hn.trust_hostip="0"
hw.hn.trust_hosttcp="0"
hw.vtnet.rx_process_limit="-1"
hw.vtnet.mq_disable="1"
hw.vtnet.lro_disable="1"
hw.vtnet.tso_disable="1"
hw.vtnet.csum_disable="1"
kern.ipc.nmbclusters="1000000"
kern.ipc.nmbjumbop="524288"
net.inet.tcp.tcbhashsize="65536"
kern.ipc.numopensockets="2048"
net.link.ifqmaxlen="4096"
net.isr.defaultqlimit="4096"
net.isr.dispatch="deferred"
net.isr.bindthreads="1"
net.isr.maxthreads="-1"
net.isr.numthreads="-1"
kern.racct.enable="1"
# NOTE(review): kern.features.* are presumably read-only flags that report
# what the running kernel was built with. Assigning "0" here would then not
# remove 32-bit compat, IPsec, IPv6, NFS, ktrace, DTrace hooks or netdump
# support, and relying on these lines gives a false sense of reduced attack
# surface. To really drop a feature, build a kernel without the option or do
# not load the module -- verify with sysctl -d kern.features.
kern.features.compat_freebsd_32bit="0"
kern.features.ipsec="0"
kern.features.inet6="0"
kern.features.pps_sync="0"
kern.features.nfsd="0"
kern.features.nfscl="0"
kern.features.scbus="0"
kern.features.kdtrace_hooks="0"
kern.features.ktrace="0"
kern.features.netdump="0"
kern.smp.maxcpus="-1"
debug.acpi.max_threads="-1"
hw.mca.enabled="0"
microcode_update_enable="YES"
cc_htcp_load="YES"
if_ath_load="YES"
if_bridge_load="NO"
if_enc_load="NO"
if_gif_load="NO"
if_gre_load="NO"
if_lagg_load="NO"
if_tap_load="NO"
if_tun_load="NO"
pfsync_load="NO"
# NOTE(review): most names from here to the end of the listing (*_enable,
# icmp_*, tcp_extensions, syslogd_flags, ...) look like rc.conf(5) variables
# rather than loader tunables. Placed in /boot/loader.conf.local they would
# presumably be ignored, leaving the services in their default state; put them
# in /etc/rc.conf or /etc/rc.conf.local instead and confirm with "sysrc -a".
ppp_enable="NO"
# NOTE(review): this turns a PPPoE daemon ON while nearly every other service
# in the list is turned off -- confirm it is intended.
pppoed_enable="YES"
icmp_drop_redirect="YES"
# NOTE(review): conflicts with net.inet.icmp.log_redirect=0 in the sysctl.conf
# listing above; whichever is applied last wins.
icmp_log_redirect="YES"
icmp_bmcastecho="NO"
accept_sourceroute="NO"
forward_sourceroute="NO"
# rc.conf counterpart of net.inet.tcp.rfc1323=0: disables the RFC 1323
# extensions, which includes window scaling as well as timestamps.
tcp_extensions="NO"
tcp_drop_synfin="YES"
# Loader module line: loads the RACK TCP stack module at boot.
tcp_rack_load="YES"
# Run syslogd without opening any network socket.
syslogd_flags="-ss"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
sshguard_enable="YES"
rpcbind_enable="NO"
nfs_client_enable="NO"
nfs_server_enable="NO"
mountd_enable="NO"
inetd_enable="NO"
ftpproxy_enable="NO"
ipv6_enable="NO"
ipv6_prefer="NO"
ipv6_activate_all_interfaces="NO"
ipv6_privacy="YES"
ipv6_cpe_wanif="NO"
ipv6_ipv4mapping="NO"
ipv6_gateway_enable="NO"
ubthidhci_enable="NO"
bthidd_enable="NO"
hcsecd_enable="NO"
rfcomm_pppd_server_enable="NO"
sdpd_enable="NO"
ipsec_enable="NO"
ftpd_enable="NO"
linux_enable="NO"
lpd_enable="NO"
rtsold_enable="NO"
bsnmpd_enable="NO"
rtadvd_enable="NO"
route6d_enable="NO"
nis_server_enable="NO"
nis_ypxfrd_enable="NO"
nis_ypset_enable="NO"
nis_ypldap_enable="NO"
nis_client_enable="NO"
keyserv_enable="NO"
timed_enable="NO"
rpc_statd_enable="NO"
rpc_lockd_enable="NO"
nfscbd_enable="NO"
nfsuserd_enable="NO"
nfsv4_server_enable="NO"
rwhod_enable="NO"
fsck_y_enable="YES"
kdc_enable="NO"
kfd_enable="NO"
kadmind_enable="NO"
ctld_enable="NO"
iscsid_enable="NO"
iscsictl_enable="NO"
virecover_enable="NO"
mixer_enable="NO"
netwait_enable="NO"
cfumass_load="NO"
amd_enable="NO"
rwhod_enable="NO"
hastd_enable="NO"
harvest_mask="351"
performance_cpu_freq="LOW"
performance_cx_lowest="LOW"
economy_cx_lowest="LOW"
powerd_enable="YES"
# Debugger, crash-dump and boot housekeeping settings (rc.conf(5) style names).
ddb_enable="NO"
# No crash dumps are saved and no dump device is configured.
# NOTE(review): this keeps memory contents off disk, but also removes the
# evidence needed to analyse a kernel panic -- a deliberate trade-off.
savecore_enable="NO"
dumpdev="NO"
update_motd="NO"
clear_tmp_enable="YES"
# NOTE(review): the securelevel mechanism is enabled but the level is -1, so
# presumably nothing is raised at boot and /dev/mem, /dev/kmem and the schg /
# sappnd flags stay unprotected. The author uses -1 for system updates; set
# kern_securelevel to 1 or higher for normal operation on a hardened host.
kern_securelevel_enable="YES"
kern_securelevel="-1"
