FreeBSD 14 - [ Configuration Considerations ]

this page contains my own personal notes for setting up and configuring freebsd. i've landed on these after some years of research and playing around. there may be some errors, but i will eventually find and fix those. i am posting this all here for my own online reference, and to share with anyone else interested.

handbook https://docs.freebsd.org/en/books/handbook
ports https://ports.freebsd.org/cgi/ports.cgi
manpages https://man.freebsd.org/cgi/man.cgi

########################################################################
## RC (/etc/rc.conf)
## https://man.freebsd.org/cgi/man.cgi?rc.conf
## cat /etc/defaults/rc.conf
# rc.conf is sourced by sh(1): quote values, one assignment per line, "#" comments.
####
## system setup
# placeholder: fill in the host's name before use
hostname=""
# placeholder: rc.conf(5) wants a real interface name here (ifconfig_<ifname>="DHCP");
# a literal "*" is not a valid sh variable name
ifconfig_*="DHCP"
# pairs with cpu_microcode_load / cpu_microcode_name in the LOADER section below
microcode_update_enable="YES" # requires /boot/loader.conf config
sshd_enable="YES"
zfs_enable="YES"
####
## networking
avahi_daemon_enable="NO"
# presumably the same knob as net.inet.icmp.drop_redirect=1 in the SYSCTL section; keeping both is harmless
icmp_drop_redirect="YES"
inetd_enable="NO"
ipv6_activate_all_interfaces="NO"
nfs_client_enable="NO"
nfs_server_enable="NO"
portmap_enable="NO"
####
## firewall
firewall_enable="YES"
# NOTE(review): with logging off, packets denied by ipfw leave no trace in syslog;
# consider YES on hosts where an audit trail of dropped traffic matters
firewall_logging="NO"
firewall_quiet="YES"
# placeholder: absolute path to the ipfw(8) rule script
firewall_script="*"
####
## kernel securelevel
# NOTE(review): securelevel 3 is raised after the firewall rules are loaded, but from
# then on ipfw/dummynet rules cannot be changed without a reboot (security(7)). Level 2
# and above also clamps clock adjustments to one second, so a large ntpd step made after
# the level is raised is refused -- confirm the boot ordering against ntpd_sync_on_start below.
kern_securelevel=3
kern_securelevel_enable="YES"
####
## keeping things clean
clear_tmp_enable="YES"
# no crash-dump device; consistent with kern.coredump=0 / kern.sugid_coredump=0 in the SYSCTL section
dumpdev="NO"
syslogd_enable="YES"
# -ss: syslogd(8) opens no network socket at all; local logging only
syslogd_flags="-ss"
####
## turn off waste
cupsd_enable="NO"
moused_enable="NO"
moused_nondefault_enable="NO"
powerd_enable="NO"
# NONE disables sendmail entirely (no MTA, no local delivery); see rc.conf(5)
sendmail_enable="NONE"
sendmail_msp_queue_enable="NO"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
update_motd="NO"
####
## ntp
ntpd_enable="YES"
# runs ntpd(8) with -g so the clock may take one large initial step at startup
ntpd_sync_on_start="YES"
ntpdate_enable="NO"
####
########################################################################
## SYSCTL (/etc/sysctl.conf)
## https://man.freebsd.org/cgi/man.cgi?sysctl.conf
## sysctl -a
# NOTE(review): names differ between releases; check each with `sysctl -d <name>` on the
# target system, since an unknown name is presumably reported and skipped at boot.
####
## network security hardening
# don't answer ICMP echo/timestamp sent to broadcast/multicast addresses
net.inet.icmp.bmcastecho=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.icmplim_output=1
# no ICMP timestamp replies (hides uptime/clock to remote hosts)
net.inet.icmp.tstamprepl=0
net.inet.igmp.sendlocal=0
net.inet.igmp.sendra=0
net.inet.ip.accept_sourceroute=0
# not a router: no IPv4 forwarding
net.inet.ip.forwarding=0
net.inet.ip.process_options=0
# randomised IP ID field (no per-host packet counting)
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.ip.rfc1122_strong_es=1
net.inet.ip.sourceroute=0
net.inet.tcp.always_keepalive=0
# blackhole(4): drop segments/datagrams to closed ports silently instead of RST/ICMP;
# this also hides the host from local diagnostics, so expect confusing failures when debugging
net.inet.tcp.blackhole=2
net.inet.tcp.drop_synfin=1
net.inet.tcp.fastopen.client_enable=0
net.inet.tcp.fastopen.psk_enable=0
net.inet.tcp.fastopen.server_enable=0
net.inet.tcp.icmp_may_rst=0
net.inet.tcp.nolocaltimewait=1
# NOTE(review): disabling path MTU discovery can break connectivity over paths with a
# smaller MTU (tunnels, PPPoE); keep only where that is known to be safe
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.syncookies=1
net.inet.udp.blackhole=1
net.inet6.icmp6.rediraccept=0
net.inet6.ip6.redirect=0
####
## common security hardening
# hard links only to files the caller owns / whose group the caller is in
security.bsd.hardlink_check_gid=1
security.bsd.hardlink_check_uid=1
# process visibility: users see only their own processes (affects ps/top output for non-root)
security.bsd.see_jail_proc=0
security.bsd.see_other_gids=0
security.bsd.see_other_uids=0
security.bsd.stack_guard_page=1
# unprivileged processes may not attach a debugger to other processes
security.bsd.unprivileged_proc_debug=0
# kernel message buffer (dmesg) readable by root only
security.bsd.unprivileged_read_msgbuf=0
####
## more security hardening
# restricts runtime keymap changes; 4 is the most restrictive value -- TODO confirm semantics with `sysctl -d`
hw.kbd.keymap_restrict_change=4
# no core dumps at all (and none for setuid/setgid binaries); pairs with dumpdev="NO" in rc.conf
kern.coredump=0
# ASLR for 32- and 64-bit ELF binaries, including PIE and stack randomisation;
# presumably already the default on recent releases, listed here to be explicit
kern.elf32.aslr.enable=1
kern.elf32.aslr.honor_sbrk=1
kern.elf32.aslr.pie_enable=1
kern.elf32.aslr.stack=1
kern.elf64.aslr.enable=1
kern.elf64.aslr.honor_sbrk=1
kern.elf64.aslr.pie_enable=1
kern.elf64.aslr.stack=1
# no /dev/diskid and /dev/gptid label nodes -- verify these are writable at runtime; they are loader tunables too
kern.geom.label.disk_ident.enable=0
kern.geom.label.gptid.enable=0
# randomised PIDs
kern.randompid=1
kern.sugid_coredump=0
kern.vt.enable_bell=0
####
## llm machine only
kern.ipc.shm_use_phys=1
vm.swap_enabled=0
# NOTE(review): the fstab line below presumably marks the swap entry to remove or
# comment out when swap is disabled -- confirm intent
## fstab: /dev/* none swap sw 0 0
####
## zfs related
# 2^12 = 4 KiB sectors for new vdevs
vfs.zfs.min_auto_ashift=12
# seconds between transaction-group syncs (stock default is shorter); longer batches
# writes at the cost of a larger window of unsynced data on power loss
vfs.zfs.txg.timeout=45
####
########################################################################
## LOADER (/boot/loader.conf)
## https://man.freebsd.org/cgi/man.cgi?query=loader.conf
# read-only tunables must be set here; they cannot be changed from sysctl.conf after boot
####
## basic boot stuff
# AES-NI + cryptodev + GELI so encrypted volumes can be attached at boot
aesni_load="YES"
autoboot_delay=2
cpu_microcode_load="YES" # must install pkg cpu-microcode-*
# placeholder glob: point at the single file for this CPU vendor installed by the package
cpu_microcode_name="/boot/firmware/*-ucode.bin"
cryptodev_load="YES"
# dummynet for ipfw shaping; note pipes/queues are frozen once kern_securelevel=3 is reached
dummynet_load="YES"
geom_eli_load="YES"
# read-only tunable, hence loader.conf rather than sysctl.conf
security.bsd.allow_destructive_dtrace=0
####
## turn off waste
# power down PCI devices with no attached driver; 3 is the most aggressive setting -- confirm in pci(4)
hw.pci.do_power_nodriver="3"
sound_load="NO"
snd_driver_load="NO"
snd_hda_load="NO"
####
## llm machine only
# superpage promotion -- presumably already the default on amd64, listed to be explicit
vm.pmap.pg_ps_enabled=1
####
## zfs related
zfs_load="YES"
####
########################################################################

note: this page is provided as-is. i provide no assurances nor accept any responsibility for any outcomes of its use.

note 2: this page is in no way associated with the freebsd project, foundation, or any other official source.

( updated 2025 | kevinmarx.org )