pfSense config.xml (flattened export)

config version: 5.2
theme: nervecenter

System tunables (sysctl)

  net.inet.ip.portrange.first = 1024
    Start the ephemeral port range lower.
  net.inet.tcp.blackhole = 2
    Drop packets to closed TCP ports without returning a RST.
  net.inet.udp.blackhole = 1
    Do not send ICMP port unreachable messages for closed UDP ports.
  net.inet.ip.random_id = 1
    Randomize the ID field in IP packets (default is 0: sequential IP IDs).
  net.inet.tcp.drop_synfin = 1
    Drop SYN-FIN packets (breaks RFC 1379, but nobody uses it anyway).
  net.inet.ip.redirect = 1
    Enable sending IPv4 redirects.
  net.inet6.ip6.redirect = 1
    Enable sending IPv6 redirects.
  net.inet.tcp.syncookies = 1
    Generate SYN cookies for outbound SYN-ACK packets.
  net.inet.tcp.recvspace = 65228
    Default TCP receive socket buffer size in bytes (the original description called this the maximum datagram size; it is the socket buffer, not a datagram limit).
  net.inet.tcp.sendspace = 65228
    Default TCP send socket buffer size in bytes (same correction as above).
  net.inet.ip.fastforwarding = 1
    IP fastforwarding.
  net.inet.tcp.delayed_ack = 0
    Do not delay ACKs to try to piggyback them onto a data packet.
  net.inet.udp.maxdgram = 57344
    Maximum outgoing UDP datagram size.
  net.link.bridge.pfil_onlyip = 0
    Handling of non-IP packets which are not passed to pfil (see if_bridge(4)).
  net.link.bridge.pfil_member = 1
    Set to 0 to disable filtering on the incoming and outgoing member interfaces.
  net.link.bridge.pfil_bridge = 0
    Set to 1 to enable filtering on the bridge interface.
  net.link.tap.user_open = 1
    Allow unprivileged access to tap(4) device nodes.
  kern.rndtest.verbose = 0
    Verbosity of the rndtest driver (0: do not display results on console).
  kern.randompid = 347
    Randomize PIDs (see src/sys/kern/kern_fork.c: sysctl_kern_randompid()).
  net.inet.ip.intr_queue_maxlen = 1000
    Maximum size of the IP input queue.
  hw.syscons.kbd_reboot = 0
    Disable Ctrl+Alt+Delete reboot from the keyboard.
  net.inet.tcp.inflight.enable = 1
    Enable TCP inflight mode.
  net.inet.tcp.log_debug = 0
    TCP extended debugging (0: disabled).
  net.inet.icmp.icmplim = 500
    ICMP response rate limit (responses per second).

  Notes: net.inet.ip.redirect and net.inet6.ip6.redirect are both left at 1, so this gateway will emit ICMP redirects; hardening baselines normally set both to 0. net.link.tap.user_open = 1 lets non-root processes open tap(4) nodes and is only needed when such a process must do so.

System

  optimization: normal
  hostname: pfSense
  domain: local
  group all: description "All Users", scope system, gid 1998, member 0
  group admins: description "System Administrators", scope system, gid 1999, member 0, priv page-all
  user admin: description "System Administrator", scope system, group admins, uid 0, priv user-shell-access
    password: $1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.
  nextuid: 2000
  nextgid: 2000
  timezone: Etc/UTC
  time-update-interval: 300
  timeservers: 0.pfsense.pool.ntp.org
  webgui protocol: http
  disablenatreflection: yes

  Notes: the admin password hash is MD5-crypt ($1$ prefix) and is the hash shipped in pfSense's stock config.xml, so the default admin password is still in effect; the webGUI is served over plain http. Change both before exposing this box to anything but a trusted LAN.

Interfaces

  wan: if sis1, ipaddr dhcp, bandwidth 100 Mb
  lan: if sis0, ipaddr 192.168.1.1, subnet 24, bandwidth 100 Mb

dyndns: (no entries)

dhcpd lan: range 192.168.1.100 to 192.168.1.199

snmpd: read-only community public

Firewall rules

  pass, "Default allow LAN to any rule", interface lan, source network lan (destination any)

Cron

  0 * * * * root /usr/bin/nice -n20 newsyslog
  1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a
  1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
  */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
  1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update
  */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
  */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c
  */5 * * * * root /usr/local/bin/checkreload.sh
  */5 * * * * root /etc/ping_hosts.sh
  */140 * * * * root /usr/local/sbin/reset_slbd.sh

  Notes: Vixie cron (which FreeBSD and pfSense use) expands */N in a field as first, first+N, ... while the value stays within the field's range, so a step larger than 59 in the minute field matches only minute 0. The */60 entries therefore run at :00 every hour, and */140 does not mean "every 140 minutes": reset_slbd.sh also runs hourly at :00.
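An added example, not part of the config export or of pfSense itself: a small lint pass over the two parts of this file a reviewer would check by hand, the sysctl tunables (compared with a hardening baseline) and the cron schedules (looking for step values larger than the field's range). The BASELINE table is this example's own assumption about a hardened gateway, and CONFIG_SYSCTL and CONFIG_CRON are constructed from the values above.

```python
"""Lint a pfSense config export: sysctl tunables that deviate from a hardening
baseline, and cron step values that exceed the field's range.
Added example; none of this is pfSense code. BASELINE is this example's own
assumption about a hardened gateway, not a pfSense default."""
import re

# Constructed input: the tunables from the config above, name=value per line.
CONFIG_SYSCTL = """\
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1
net.inet.tcp.drop_synfin=1
net.inet.ip.redirect=1
net.inet6.ip6.redirect=1
net.inet.tcp.syncookies=1
hw.syscons.kbd_reboot=0
"""

# Constructed input: cron entries from the config above (schedule, user, command).
CONFIG_CRON = """\
0 * * * * root /usr/bin/nice -n20 newsyslog
1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a
*/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
*/5 * * * * root /usr/local/bin/checkreload.sh
*/140 * * * * root /usr/local/sbin/reset_slbd.sh
"""

# Hardening baseline (assumption): tunable -> (expected value, why it matters).
BASELINE = {
    "net.inet.tcp.blackhole": ("2", "closed TCP ports answer nothing, no RST"),
    "net.inet.udp.blackhole": ("1", "closed UDP ports send no ICMP unreachable"),
    "net.inet.ip.random_id": ("1", "sequential IP IDs enable idle scans"),
    "net.inet.tcp.drop_synfin": ("1", "SYN-FIN probes are fingerprinting noise"),
    "net.inet.ip.redirect": ("0", "a firewall should not emit ICMP redirects"),
    "net.inet6.ip6.redirect": ("0", "same for IPv6"),
    "net.inet.tcp.syncookies": ("1", "SYN flood resistance"),
    "hw.syscons.kbd_reboot": ("0", "console Ctrl+Alt+Del must not reboot the box"),
}


def parse_sysctl(text):
    """Parse name=value lines (sysctl.conf syntax, '#' comments) into a dict of strings."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, value = line.partition("=")
            settings[name.strip()] = value.strip()
    return settings


def audit_sysctl(settings, baseline=BASELINE):
    """Return sysctl.conf lines that bring every deviating (or missing) tunable
    to its baseline value, with the observed value and reason as a comment."""
    return [f"{name}={want}  # was {settings.get(name)!r}: {why}"
            for name, (want, why) in baseline.items()
            if settings.get(name) != want]


# Vixie cron (FreeBSD/pfSense) expands '*/N' as first, first+N, ... while <= last,
# so a step larger than the field's range matches only the first value.
CRON_FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("mday", 1, 31),
               ("month", 1, 12), ("wday", 0, 7)]


def expand_field(spec, first, last):
    """Sorted values a schedule field matches: '*', a, a-b, each with optional /N."""
    values = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\*|\d+)(?:-(\d+))?(?:/(\d+))?", part)
        if not m:
            raise ValueError(f"unsupported cron field {part!r}")
        step = int(m.group(3) or 1)
        if m.group(1) == "*":
            lo, hi = first, last
        else:
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
        if step < 1 or lo < first or hi > last or lo > hi:
            raise ValueError(f"cron field {part!r} out of range {first}-{last}")
        values.update(range(lo, hi + 1, step))
    return sorted(values)


def check_cron_steps(text):
    """Return (command, field, spec, matched_values) for every field whose step
    exceeds the field's range: the job silently runs once per period instead."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 6)  # 5 schedule fields, user, command
        if len(parts) < 7:
            raise ValueError(f"malformed crontab line {line!r}")
        for spec, (name, first, last) in zip(parts[:5], CRON_FIELDS):
            steps = [int(p.rsplit("/", 1)[1]) for p in spec.split(",") if "/" in p]
            if any(s > last - first for s in steps):
                findings.append((parts[6], name, spec, expand_field(spec, first, last)))
    return findings


if __name__ == "__main__":
    print("\n".join(audit_sysctl(parse_sysctl(CONFIG_SYSCTL))))
    for command, name, spec, values in check_cron_steps(CONFIG_CRON):
        print(f"{command}: {name} field {spec} only matches {values}")
```

Run against the values above, the sysctl audit reports only the two redirect tunables, and the cron check flags the */60 and */140 minute fields as matching minute 0 alone. The baseline dictionary is the place to encode your own policy; the reason strings end up in the generated sysctl.conf lines so the remediation is self-documenting.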