From 9299ceaf2cf959475d07079ef42968305c951fb8 Mon Sep 17 00:00:00 2001
From: Scott Ullrich <sullrich@pfsense.org>
Date: Sat, 26 May 2007 22:34:48 +0000
Subject: Add overlooked sysctl's.

---
 conf.default/config.xml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

(limited to 'conf.default')

diff --git a/conf.default/config.xml b/conf.default/config.xml
index c866332..d3842d8 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -6,6 +6,41 @@
 	<theme>nervecenter</theme>
 	<sysctl>
 		<item>
+			<desc>Drop packets to closed TCP ports without returning a RST</desc>
+			<tunable>net.inet.tcp.blackhole</tunable>
+			<value>2</value>
+		</item>
+		<item>
+			<desc>Do not send ICMP port unreachable messages for closed UDP ports</desc>
+			<tunable>net.inet.udp.blackhole</tunable>
+			<value>1</value>
+		</item>
+		<item>
+			<desc>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</desc>
+			<tunable>net.inet.ip.random_id</tunable>
+			<value>1</value>
+		</item>
+		<item>
+			<desc>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</desc>
+			<tunable>net.inet.tcp.drop_synfin</tunable>
+			<value>1</value>
+		</item>
+		<item>
+			<desc>Disable sending IPv4 redirects</desc>
+			<tunable>net.inet.ip.redirect</tunable>
+			<value>0</value>
+		</item>
+		<item>
+			<desc>Disable sending IPv6 redirects</desc>
+			<tunable>net.inet6.ip6.redirect</tunable>
+			<value>0</value>
+		</item>	
+		<item>
+			<desc>Generate SYN cookies for outbound SYN-ACK packets</desc>
+			<tunable>net.inet.tcp.syncookies</tunable>
+			<value>1</value>
+		</item>
+		<item>
 			<desc>Maximum incoming/outgoing TCP datagram size (receive)</desc>
 			<tunable>net.inet.tcp.recvspace</tunable>
 			<value>65228</value>
-- 
cgit v1.1