FreeBSD
~
Configuration
Considerations


# this page contains my own personal notes for setting up and configuring freebsd. i've landed on these after some years of research and playing around. there may be some errors, but i will eventually find and fix those. i'm posting this all here for my own online reference, and to share with anyone else interested.

# Manpages
https://man.freebsd.org/cgi/man.cgi

# Ports Search
https://ports.freebsd.org/cgi/ports.cgi

# Handbook
https://docs.freebsd.org/en/books/handbook/

## /etc/rc.conf ################################

# https://man.freebsd.org/cgi/man.cgi?rc.conf

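# FOR ALL SYSTEMS
clear_tmp_enable="YES"
# no crash dumps. kernel memory can hold key material (geli keys, ssh host
# key state), so not writing it to disk is a defensible choice -- at the
# cost of having nothing to analyse after a panic.
dumpdev="NO"
firewall_enable="YES"
# denied packets are not logged. flip to "YES" (and add the "log" keyword
# to the relevant rules) if you want the firewall to feed detection.
firewall_logging="NO"
firewall_quiet="YES"
firewall_script="/etc/firewall.rules"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
ntpdate_enable="NO"
# "NONE" turns off every sendmail instance; the three explicit lines below
# state the same intent in case "NONE" stops being honoured.
sendmail_enable="NONE"
sendmail_msp_queue_enable="NO"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
# -ss: syslogd opens no network socket at all (neither listens for nor
# forwards remote messages). only meaningful if syslogd actually runs --
# see syslogd_enable below.
syslogd_flags="-ss"
update_motd="NO"

# SECURITY HARDENING
# duplicated by net.inet.icmp.drop_redirect=1 in /etc/sysctl.conf; harmless
icmp_drop_redirect="YES"
# default value: IPv6 stays disabled on interfaces with no explicit
# ifconfig_<if>_ipv6 line. it does not remove the IPv6 stack.
ipv6_activate_all_interfaces="NO"
# securelevel can only be raised on a running system, never lowered --
# changing this needs a reboot. at 3 the ipfw rules are frozen once rc(8)
# raises the level, so edit firewall_script and reboot. kernel modules
# cannot be loaded after boot either (use /boot/loader.conf *_load lines),
# and freebsd-update install fails because it must clear the schg flag on
# base files: set kern_securelevel_enable="NO", reboot, upgrade, re-enable.
kern_securelevel=3
kern_securelevel_enable="YES"

# SERVICES TO TOGGLE
avahi_daemon_enable="NO"
cupsd_enable="NO"
inetd_enable="NO"
moused_enable="NO"
moused_nondefault_enable="NO"
nfs_client_enable="NO"
nfs_server_enable="NO"
powerd_enable="NO"
sndiod_enable="NO"
sshd_enable="YES"
# syslogd must run: sshd authentication failures, ipfw log lines and kernel
# messages are otherwise discarded and there is nothing to look at after an
# incident. syslogd_flags="-ss" above already keeps it off the network, so
# running it adds no listening socket. (an earlier version of these notes
# had "NO" here, which contradicted the -ss flag and silently lost all
# local logs.)
syslogd_enable="YES"
webcamd_enable="NO"

# IMPROVE BATTERY LIFE
economy_cx_lowest="Cmax"
performance_cx_lowest="Cmax"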

## /etc/sysctl.conf ############################

# https://man.freebsd.org/cgi/man.cgi?query=sysctl.conf

# sysctl -a

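# SECURITY HARDENING
# note: not every oid below exists on every release. rc.d/sysctl reports an
# unknown oid at boot and moves on, so check the list against sysctl -a on
# the target system rather than trusting it blindly.

# unprivileged users may only hard-link files they own / share a group with.
# stops a user pinning a setuid binary in place so an old copy survives an
# upgrade.
security.bsd.hardlink_check_gid=1
security.bsd.hardlink_check_uid=1
# ps/top/procstat show only the caller's own processes; jailed processes are
# hidden from the host view as well
security.bsd.see_jail_proc=0
security.bsd.see_other_gids=0
security.bsd.see_other_uids=0
security.bsd.stack_guard_page=1
# no ptrace/procfs debugging of unprivileged processes. breaks gdb/lldb,
# truss and ktrace for non-root users -- expected, but remember it when
# something "mysteriously" cannot attach.
security.bsd.unprivileged_proc_debug=0
# dmesg(8) requires root
security.bsd.unprivileged_read_msgbuf=0

# NETWORK SECURITY HARDENING
# ignore ICMP echo to broadcast/multicast addresses (smurf amplification)
net.inet.icmp.bmcastecho=0
# same as icmp_drop_redirect="YES" in /etc/rc.conf
net.inet.icmp.drop_redirect=1
# 0 only silences the "Limiting ... response" log lines; the ICMP rate limit
# itself (net.inet.icmp.icmplim) still applies
net.inet.icmp.icmplim_output=0
net.inet.icmp.tstamprepl=0
net.inet.igmp.sendlocal=0
net.inet.igmp.sendra=0
net.inet.ip.accept_sourceroute=0
# must stay 0 unless this box is meant to route
net.inet.ip.forwarding=0
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
# strong end-system model: a packet is only accepted if its destination
# address belongs to the interface it arrived on
net.inet.ip.rfc1122_strong_es=1
net.inet.ip.sourceroute=0
# keepalives only on sockets that asked for SO_KEEPALIVE (sshd does)
net.inet.tcp.always_keepalive=0
# 2: no RST for closed TCP ports; udp.blackhole=1: no ICMP unreachable for
# closed UDP ports. scanners see "filtered" instead of "closed". this is
# noise reduction, not a substitute for the firewall.
net.inet.tcp.blackhole=2
net.inet.tcp.drop_synfin=1
net.inet.tcp.fastopen.client_enable=0
net.inet.tcp.fastopen.psk_enable=0
net.inet.tcp.fastopen.server_enable=0
# ignore ICMP unreachable as a reason to reset established connections
net.inet.tcp.icmp_may_rst=0
# skip TIME_WAIT for loopback connections
net.inet.tcp.nolocaltimewait=1
# CAUTION: this is a performance trade-off, not hardening. with PMTU
# discovery off the stack may fall back to a conservative MSS for non-local
# peers. leave at 1 unless there is a concrete reason to turn it off.
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.syncookies=1
net.inet.udp.blackhole=1
# IPv6 is not activated in rc.conf, but keep these for any interface that
# gets an explicit ifconfig_<if>_ipv6 line
net.inet6.icmp6.rediraccept=0
net.inet6.ip6.redirect=0

# KERNEL SECURITY HARDENING
# most restrictive keymap setting: the console keymap cannot be changed
# after boot
hw.kbd.keymap_restrict_change=4
# no core dumps at all; sugid_coredump=0 additionally covers setuid/setgid
# processes should kern.coredump ever be re-enabled
kern.coredump=0
# aslr.enable randomises non-PIE binaries (stack/mmap/etc.), pie_enable
# covers PIE executables -- both for 32- and 64-bit ELF
kern.elf32.aslr.enable=1
kern.elf32.aslr.pie_enable=1
kern.elf64.aslr.enable=1
kern.elf64.aslr.pie_enable=1
# non-sequential PIDs
kern.randompid=1
kern.sugid_coredump=0

# FOR DESKTOP
kern.sched.preempt_thresh=224

# RANDOM
kern.vt.enable_bell=0
# boolean (0/1). lets unprivileged users mount filesystems, e.g. USB sticks
# -- the user must own the mount point, and non-root mounts are expected to
# be forced nosuid by the kernel. this RELAXES hardening: any local user can
# mount untrusted media, so weigh it against the rest of this list.
# (earlier versions of these notes had "11" here, a typo for 1.)
vfs.usermount=1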

## /boot/loader.conf ##########################

# https://man.freebsd.org/cgi/man.cgi?query=loader.conf

# cat /boot/defaults/loader.conf

# ALL SYSTEMS
# hardware AES for geli/ipsec; cryptodev exposes it to userland (openssl)
aesni_load="YES"
# seconds the loader waits before booting the default kernel
autoboot_delay=2
cryptodev_load="YES"
# required to attach a geli-encrypted root before the kernel mounts it.
# these *_load lines matter doubly here: with kern_securelevel=3 in rc.conf
# nothing can be kldload'ed after boot, so every module must come from
# loader.conf.
geom_eli_load="YES"

# SECURITY HARDENING
# these two stop the kernel creating /dev/diskid/* and /dev/gptid/* aliases,
# so each disk has exactly one device name. that is mostly about predictable
# naming rather than hardening -- keep them, but do not count them as a
# security control.
kern.geom.label.disk_ident.enable=0
kern.geom.label.gptid.enable=0
# read-only tunable, so loader.conf (not sysctl.conf) is the right place.
# forbids destructive dtrace actions (e.g. writing process memory).
security.bsd.allow_destructive_dtrace=0

# IMPROVE BATTERY LIFE
# both the old drm.i915.* and the newer hw.i915kms.* / compat.linuxkpi.*
# names are listed so the same file works across drm-kmod versions
compat.linuxkpi.i915_disable_power_well=1
compat.linuxkpi.i915_enable_dc=2
drm.i915.enable_rc6=7
hw.em.smart_power_down=1
hw.i915kms.enable_dc=2
hw.i915kms.enable_fbc=1
hw.pci.do_power_nodriver=3
# lower timer frequency (default is higher); fewer wakeups, coarser timers
kern.hz=200
# CAUTION: ZFS transaction groups are synced every 20 s instead of the usual
# 5 s. fsync'd writes are still safe (ZIL), but up to 20 s of other writes
# can be lost on sudden power-off. acceptable on a laptop, reconsider
# elsewhere.
vfs.zfs.txg.timeout=20

## updating system #############################

# PACKAGES UPDATES
# all of these run as root. order: drop orphaned packages first so they are
# not upgraded for nothing, refresh the catalogue, then upgrade.
pkg autoremove
pkg update
pkg upgrade
# remove cached .pkg files; they are re-fetched and re-verified on demand
pkg clean -a

# BASE SYSTEM UPDATES
# freebsd-update only serves -RELEASE branches. it needs kern.securelevel
# below 1 (see NOTE at the end of this section). after install, compare
# freebsd-version -k (installed kernel) with -r (running) -- if they differ,
# reboot.
freebsd-update fetch
freebsd-update install

# POINT RELEASE UPGRADES
# replace 00.0 with the target release. the install after the reboot
# finishes the userland; the final install removes old shared libraries and
# is only needed for major version jumps, AFTER third-party packages have
# been rebuilt against the new base (pkg-static upgrade -f). check the
# handbook's freebsd-update chapter rather than trusting this from memory.
freebsd-update upgrade -r 00.0-RELEASE
freebsd-update install
reboot
freebsd-update install
freebsd-update install

# NOTE: kern.securelevel (the sysctl is not called "securekernel")
# note: must be below 1 during base system upgrades. freebsd-update install
# has to clear the schg flag on base files and securelevel >= 1 forbids
# that. the level cannot be lowered on a running system, so: set
# kern_securelevel_enable="NO" in /etc/rc.conf, reboot, upgrade, set it
# back to "YES", reboot again.

## security auditing and tools #################

# other files to consider reviewing
# /etc/ssh/sshd_config
# https://man.freebsd.org/cgi/man.cgi?sshd_config%285%29
#   sshd_enable="YES" in rc.conf exposes this to the network, so at minimum
#   review: PermitRootLogin no, PasswordAuthentication no,
#   KbdInteractiveAuthentication no (keys only), and run sshd -t before
#   restarting so a typo does not lock you out.
# /etc/firewall.rules
# https://docs.freebsd.org/en/books/handbook/firewalls/
#   with kern_securelevel=3 the rules are frozen once rc raises the level;
#   edits need a reboot to take effect, and a bad rule set means a reboot
#   with console access to fix it.

# all of the tools below want root. rkhunter keeps a file-property baseline:
# run "rkhunter --propupd" right after a legitimate upgrade, otherwise every
# subsequent -c flags the freshly updated binaries as modified.
chkrootkit
rkhunter --update
rkhunter -c
# compares process views to find hidden pids; with
# security.bsd.see_other_uids=0 it only makes sense as root
unhide sys
lynis audit system

## some tui packages ###########################

7zip
amfora
asciiquarium
blocky
btop
chkrootkit
cpufetch
darkhttpd
dnetc
dust
fastfetch
fish
genact
gh
git
htop
lscpu
mc
micro
mle
nano
nbsdgames
neofetch
rkhunter
shuf
tmux
translate
tree
vitetris
viu
w3m
wget

################################################

# note: nothing on this page is official nor associated with the freebsd project. i provide no assurances nor accept any responsibility for any effects or outcomes associated with the use of this content.