Here are a few common kernel options I use when compiling the FreeBSD kernel.

options TCP_DROP_SYNFIN

This option deviates from the TCP specification by silently dropping any segment that has both the SYN and FIN flags set. Without it, FreeBSD treats such a segment like an ordinary SYN: an open port answers with SYN/ACK and a closed port with RST, which is exactly the difference a scanner is looking for. A SYN+FIN segment never occurs in a legitimate connection (the one exception was T/TCP, RFC 1644, which is why the behaviour is optional rather than hard-wired), so dropping it costs nothing. Some port scanners and OS fingerprinters (nmap's OS detection includes such a probe) send SYN+FIN segments and compare the response against a database of known stacks. The kernel option only compiles in the switch; the sysctl behind it is net.inet.tcp.drop_synfin, and to turn it on at boot add to your rc.conf: tcp_drop_synfin="YES"

options TCP_RESTRICT_RST

This option limited the rate at which FreeBSD sends TCP RST segments. A port scanner identifies closed ports by the RST it gets back, so capping the RST rate slows the scan down, and it also stops a flood of probes to closed ports from turning the box into an RST generator (a reflected denial of service). It used to be enabled in rc.conf with:
tcp_restrict_rst="YES"
Note: TCP_RESTRICT_RST no longer exists as a kernel option. Its job was folded into the ICMP bandwidth limiter, which is always built in and on by default: net.inet.icmp.icmplim (200 packets per second by default) caps both ICMP error replies and closed-port RSTs, and the kernel logs a "Limiting closed port RST response from N to 200 packets/sec" message when the cap kicks in.

options IPSTEALTH

On a FreeBSD box that routes, this option turns on stealth forwarding: the host does not decrement the IP TTL of packets it forwards. traceroute works by sending probes with increasing TTLs and listening for the ICMP Time Exceeded message that each hop sends when it decrements the TTL to zero; a stealth router never decrements, so it never generates that message and never appears as a hop. The next router receives the packet with the TTL it would have had one hop earlier and answers in the stealth box's place, so the path simply looks one hop shorter. The kernel option adds the sysctl net.inet.ip.stealth, which still has to be set to 1. One caveat: because this hop no longer decrements the TTL, it no longer helps a looping packet expire; a routing loop through it has to be broken by an ordinary router elsewhere in the path.

options ACCEPT_FILTER_DATA

options ACCEPT_FILTER_HTTP

The idea behind these two options is to ease the load on Apache or any other application that supports accept filters. With a filter attached to a listening socket, the kernel leaves a new connection in the listen queue and does not hand it to accept() until, in the case of the HTTP filter, a complete HTTP request header has arrived (the data filter waits for the first byte of data). An Apache child therefore receives the connection together with a request it can process immediately, instead of blocking on read() after a handshake that carried no data, and a worker is not tied up by a client that opens a connection and then sends nothing. This helps very busy web servers most. On current FreeBSD the filters are also available as the loadable modules accf_data and accf_http, and Apache selects them with the AcceptFilter directive. Find more info at apache.org.
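Wiring this up, as an added example rather than code from the original post or from Apache: the loader.conf lines load the filter modules at boot, the httpd.conf directives attach them to Apache's listening sockets (Apache 2.2 and later on FreeBSD pick these defaults itself, but stating them makes the dependency explicit), and the last function loads the modules right away and reports on them. Start httpd only after the modules are loaded; otherwise it warns that the httpready filter could not be enabled and falls back to a plain accept().

```shell
#!/bin/sh
# Added example: enable the HTTP and data accept filters and point Apache
# at them. On modern FreeBSD the filters are loadable modules (accf_http.ko,
# accf_data.ko), so the kernel options are optional; they are still fine
# if you prefer a monolithic kernel.

# /boot/loader.conf lines that load the modules at boot.
accf_loader_conf() {
    cat <<'EOF'
accf_http_load="YES"
accf_data_load="YES"
EOF
}

# Apache AcceptFilter directives. httpready holds a plain HTTP connection
# until a full request header has arrived; a TLS connection cannot use it
# (the request is encrypted), so it gets dataready, which only waits for
# the first byte of data.
accf_httpd_conf() {
    cat <<'EOF'
AcceptFilter http httpready
AcceptFilter https dataready
EOF
}

# Load the modules now (no reboot) and report which ones are active.
# kldstat -q -m tests for a loaded module by name without printing.
accf_enable_now() {
    for m in accf_http accf_data; do
        if command -v kldstat >/dev/null 2>&1; then
            kldstat -q -m "$m" || kldload "$m"
            kldstat -q -m "$m" && echo "$m: loaded"
        else
            echo "$m: kldstat not available (not a FreeBSD host)"
        fi
    done
}
```

After `accf_enable_now`, `sysctl net.inet.accf.http` lists the http filter's own knobs (the parse-limit for oversized headers among them), which is a quick way to confirm the module is really attached to the kernel.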

options ICMP_BANDLIM

This option rate-limits the ICMP error messages (and the TCP RSTs sent for closed ports) that FreeBSD generates in response to incoming packets, so that a flood of probes cannot make the host amplify them into a flood of replies.
Note: ICMP_BANDLIM is no longer a kernel option; the limiter is always built in. It is controlled by net.inet.icmp.icmplim (packets per second, 200 by default, 0 disables the limit) and net.inet.icmp.icmplim_output (set to 0 to silence the "Limiting ..." console messages without changing the limit).
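The options above (SYN+FIN dropping, RST and ICMP rate limiting, stealth forwarding) are all switches on code that is in the kernel anyway, and each has a sysctl behind it: net.inet.tcp.drop_synfin, net.inet.icmp.icmplim with icmplim_output for the console message, and net.inet.ip.stealth. The script below is an added example, not code from the original post: it prints those settings in /etc/sysctl.conf form, checks each against the running kernel, and applies the ones that differ. The 200/s limit is FreeBSD's default, written out on purpose; the DRY_RUN variable is this script's own convention.

```shell
#!/bin/sh
# Added example: the sysctl settings behind TCP_DROP_SYNFIN,
# TCP_RESTRICT_RST/ICMP_BANDLIM and IPSTEALTH, emitted in /etc/sysctl.conf
# form and checked against the live kernel.

# Print the settings as name=value lines. stealth is a parameter because it
# only makes sense on a box that forwards packets, and because a router that
# does not decrement TTL no longer helps looping packets expire.
hardening_sysctls() {
    stealth=${1:-0}
    cat <<EOF
net.inet.tcp.drop_synfin=1
net.inet.icmp.icmplim=200
net.inet.icmp.icmplim_output=1
net.inet.ip.stealth=$stealth
EOF
}

# Compare one setting with the live kernel: 0 = matches, 1 = differs,
# 2 = sysctl absent (a kernel built without IPSTEALTH, for instance, has
# no net.inet.ip.stealth at all; a non-FreeBSD host has none of these).
check_sysctl() {
    name=$1 want=$2
    have=$(sysctl -n "$name" 2>/dev/null) || return 2
    [ "$have" = "$want" ]
}

# Apply every setting that exists on this kernel and differs from the
# wanted value; report the rest. With DRY_RUN=1 nothing is changed and the
# would-be changes are printed instead.
apply_sysctls() {
    dry=${DRY_RUN:-0}
    hardening_sysctls "$@" | while IFS= read -r kv; do
        name=${kv%%=*} want=${kv#*=}
        check_sysctl "$name" "$want" && st=0 || st=$?
        case $st in
            0) echo "ok        $kv" ;;
            1) if [ "$dry" = 1 ]; then echo "would set $kv"; else sysctl "$kv"; fi ;;
            *) echo "missing   $name (option not compiled in, or not a FreeBSD kernel)" ;;
        esac
    done
}
```

To confirm the SYN+FIN change from another host, send a single SYN+FIN to an open port with hping3 (hping3 -S -F -c 1 -p 22 target): before the change an open port answers with SYN/ACK, afterwards nothing comes back. Expect the "missing" line for net.inet.ip.stealth on any kernel built without IPSTEALTH; that is the check telling you the option is not in.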

options DUMMYNET

Dummynet is used for a few reasons. One is bandwidth limiting and queueing (true packet rate limiting) with ipfw: traffic matched by an ipfw rule is sent through a pipe with a configured bandwidth, queue size and scheduling. You can also use it to emulate a bad link by adding delay and random packet loss to a pipe, which is handy for testing how a protocol or application copes. On current FreeBSD it is also available as the dummynet.ko module. Read more at dummynet.com.
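Both uses in ipfw syntax, as an added example that is not from the original post: one pair of pipes that caps traffic on an interface, and one pipe that turns the same interface into a slow, lossy link for testing. The interface name, rule numbers and pipe numbers are assumptions. The rule generators print commands so they can be inspected anywhere; run_ipfw executes them only where ipfw exists.

```shell
#!/bin/sh
# Added example: two common dummynet setups with ipfw(8).

IFACE=${IFACE:-em0}

# Traffic shaping: cap outbound and inbound traffic on $IFACE at 2 Mbit/s
# each, with a 50-packet queue per pipe. With net.inet.ip.fw.one_pass=1
# (the default) a packet leaving a pipe is accepted and does not re-enter
# the ruleset, so any deny rules must come before the pipe rules.
dummynet_shape_rules() {
    cat <<EOF
ipfw pipe 1 config bw 2Mbit/s queue 50
ipfw pipe 2 config bw 2Mbit/s queue 50
ipfw add 1000 pipe 1 ip from any to any out xmit $IFACE
ipfw add 1010 pipe 2 ip from any to any in recv $IFACE
EOF
}

# Link emulation: one-way delay in ms and a packet loss rate (0..1) applied
# to everything crossing $IFACE, the kind of link to test a protocol
# implementation against. Defaults are 100 ms and 1% loss.
dummynet_emulate_rules() {
    delay_ms=${1:-100} plr=${2:-0.01}
    cat <<EOF
ipfw pipe 3 config delay ${delay_ms}ms plr $plr
ipfw add 1100 pipe 3 ip from any to any via $IFACE
EOF
}

# Remove the rules and pipes from either setup, restoring the link.
dummynet_teardown_rules() {
    cat <<'EOF'
ipfw delete 1000 1010 1100
ipfw pipe 1 delete
ipfw pipe 2 delete
ipfw pipe 3 delete
EOF
}

# Run a rule generator for real when ipfw is present, otherwise print the
# commands as a dry run.
run_ipfw() {
    "$@" | while IFS= read -r cmd; do
        if command -v ipfw >/dev/null 2>&1; then
            eval "$cmd"
        else
            echo "dry-run: $cmd"
        fi
    done
}
```

Use one setup at a time: because of one_pass, a packet that has already gone through pipe 1 never reaches rule 1100, so stacking the two gives only the shaping. `ipfw pipe show` reports the live queue length and drops per pipe, which is how you confirm the emulated loss is really happening.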

options DEVICE_POLLING

options HZ=1000

If your network adapter's driver supports device polling, enable these two options. With polling the kernel checks the adapter for new packets on every clock tick instead of taking an interrupt for each packet or batch of packets; under a packet flood this keeps the CPU share spent on networking predictable and avoids interrupt livelock, at the price of slightly higher CPU use when the link is idle. Check the man page for your driver (and polling(4)) to see whether it is supported. Compiling the option in does not turn polling on: on current releases enable it per interface with ifconfig em0 polling (and off again with -polling); older releases used the sysctl kern.polling.enable instead. HZ is the clock tick rate and therefore the polling rate: a higher value polls more often, giving lower latency and somewhat better throughput at the cost of more CPU time; a lower value polls less often, using less CPU but adding latency and risking dropped packets when the receive ring fills between polls. 1000 Hz has worked well for me on heavy traffic servers.

options QUOTA

Enable disk quota support for UFS. This lets you give shell users or system users a set amount of disk space, as a soft limit with a grace period and a hard limit that cannot be exceeded. Add userquota and/or groupquota to the mount options in /etc/fstab for each filesystem you want quotas on; quotacheck then creates the quota.user and quota.group files at the root of that filesystem and quotaon turns enforcement on (/etc/rc.d/quota does both at boot). Limits are set per user or group with edquota and reported with repquota. Also add to your rc.conf:
quota_enable="YES"
check_quotas="YES"
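The whole sequence as a script, added here as an example and not taken from the original post: it adds the mount options to the fstab entry and the switches to rc.conf without duplicating either on a second run, then does what rc.d/quota does at boot. The device, mount point and file paths are assumptions; FSTAB and RC_CONF are parameters so the edit can be rehearsed on copies of the real files.

```shell
#!/bin/sh
# Added example: enable UFS quotas on one filesystem, idempotently, then
# activate them without a reboot on a FreeBSD host.

FSTAB=${FSTAB:-/etc/fstab}
RC_CONF=${RC_CONF:-/etc/rc.conf}

# Add a mount option to the fstab entry whose mount point is $1 unless the
# option is already present. Rewrites the file and prints the entry.
fstab_add_option() {
    mnt=$1 opt=$2
    awk -v mnt="$mnt" -v opt="$opt" 'BEGIN { OFS = "\t" }
        $2 == mnt && $4 !~ ("(^|,)" opt "(,|$)") { $4 = $4 "," opt }
        { print }' "$FSTAB" > "$FSTAB.tmp" && mv "$FSTAB.tmp" "$FSTAB"
    awk -v mnt="$mnt" '$2 == mnt' "$FSTAB"
}

# Set name="YES" in rc.conf unless some line already assigns that name.
rc_conf_enable() {
    grep -q "^$1=" "$RC_CONF" || echo "$1=\"YES\"" >> "$RC_CONF"
}

# Full sequence for one mount point: fstab options, rc.conf switches, then
# quotacheck (creates quota.user and quota.group on the filesystem) and
# quotaon. The activation step only runs on FreeBSD against the real fstab,
# so the configuration part can be tested on a copy anywhere.
enable_quotas() {
    mnt=$1
    fstab_add_option "$mnt" userquota
    fstab_add_option "$mnt" groupquota
    rc_conf_enable quota_enable
    rc_conf_enable check_quotas
    if [ "$(uname -s)" = FreeBSD ] && [ "$FSTAB" = /etc/fstab ]; then
        quotacheck -v "$mnt" && quotaon -v "$mnt"
    else
        echo "skipping quotacheck/quotaon (not FreeBSD, or not the real fstab)"
    fi
}
```

After `enable_quotas /home`, set limits once on a template account with `edquota -u template` and clone them with `edquota -p template -u alice bob`; `repquota -a` shows who is over the soft limit and how much grace time is left.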

options IPDIVERT

Enable this option if you want to use natd for network address translation. It provides divert sockets: an ipfw divert rule hands matching packets to natd in userland, natd rewrites the addresses and writes the packets back, and they resume ipfw processing at the rule after the divert. (Current releases also offer in-kernel NAT through the ipfw nat action, option IPFIREWALL_NAT, which avoids the userland round trip.) Check the natd man page or the FreeBSD Handbook for more information.

options IPFIREWALL

Enable this option to compile ipfw into the kernel; natd needs it because the divert rule that feeds it is an ipfw rule. Be aware that a kernel built with IPFIREWALL denies all traffic until a ruleset is loaded, unless IPFIREWALL_DEFAULT_TO_ACCEPT is also set; on a remote box, have the ruleset in place (firewall_enable="YES" with firewall_type or firewall_script in rc.conf) before you reboot into the new kernel. ipfw is also available as the ipfw.ko module on current releases, so a rebuild is not needed just to get it.

options IPFIREWALL_VERBOSE

Enable this option if you want ipfw to log matching packets through syslog; the security facility goes to /var/log/security with the default /etc/syslog.conf. The option sets net.inet.ip.fw.verbose to 1 (firewall_logging="YES" in rc.conf does the same at boot on a kernel built without it). You still need to add the log keyword to each ipfw rule you want logged.

options IPFIREWALL_VERBOSE_LIMIT=20

Enable this option and set it to the number of log entries after which ipfw stops logging an individual rule: with the value above, once a rule has logged 20 matches, further matches are still counted but no longer logged. This protects against log flooding. The limit is per rule and can be overridden for a single rule with log logamount N (0 means unlimited); it can be changed at run time through net.inet.ip.fw.verbose_limit, and ipfw resetlog clears the counters so a rule that hit its limit starts logging again.
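Putting the last four options together, as an added example that is not from the original post: rc.conf settings for a NAT gateway using natd, a ruleset that diverts traffic on the external interface and uses per-rule log limits, and the run-time equivalents of IPFIREWALL_VERBOSE_LIMIT. The interface name and LAN prefix are assumptions. The ruleset is deliberately stateless for the NATed traffic: a keep-state dynamic rule created after the divert holds the translated addresses, while the reply reaches check-state already translated back, so the two never match.

```shell
#!/bin/sh
# Added example: natd over a divert socket plus an ipfw ruleset with
# per-rule log limits.

EXT_IF=${EXT_IF:-em0}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# rc.conf: forward packets, run the firewall from a script, set
# net.inet.ip.fw.verbose=1 at boot, and start natd on the external
# interface (-dynamic follows address changes, -m keeps source ports).
nat_rc_conf() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
natd_enable="YES"
natd_interface="$EXT_IF"
natd_flags="-dynamic -m"
EOF
}

# /etc/ipfw.rules. The divert rule must see both directions on the
# external interface before anything accepts them. "log logamount N" is the
# per-rule form of IPFIREWALL_VERBOSE_LIMIT; logamount 0 means unlimited,
# used here for the two conditions that should never stop being logged.
nat_ipfw_rules() {
    cat <<EOF
ipfw -q -f flush
ipfw add 100 allow ip from any to any via lo0
ipfw add 110 deny log logamount 0 ip from any to 127.0.0.0/8
ipfw add 150 deny log logamount 0 ip from $LAN_NET to any in via $EXT_IF
ipfw add 200 divert natd ip from any to any via $EXT_IF
ipfw add 300 allow ip from any to any out via $EXT_IF
ipfw add 310 allow tcp from any to any in via $EXT_IF established
ipfw add 320 allow udp from any 53 to any in via $EXT_IF
ipfw add 330 allow icmp from any to any in via $EXT_IF icmptypes 0,3,11
ipfw add 400 allow tcp from any to me 22 in via $EXT_IF setup
ipfw add 500 deny log logamount 50 tcp from any to any in via $EXT_IF setup
ipfw add 600 allow ip from $LAN_NET to any
ipfw add 65000 deny log ip from any to any
EOF
}

# Run-time equivalent of the two VERBOSE options: turn logging on, set the
# global per-rule cap, and clear the counters so capped rules log again.
ipfw_log_limit_cmds() {
    limit=${1:-20}
    cat <<EOF
sysctl net.inet.ip.fw.verbose=1
sysctl net.inet.ip.fw.verbose_limit=$limit
ipfw resetlog
EOF
}
```

Rule 150 is the anti-spoofing check: it sits before the divert so a packet arriving from the Internet with a LAN source is dropped before natd or rule 600 can see it. Rule 310's established match is the weak spot of a stateless NAT ruleset (an ACK scan passes it), which is the trade-off for not fighting keep-state and natd; the in-kernel ipfw nat action removes that problem because it can be placed so that check-state sees consistent addresses.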
