# Security Guidelines



## gpatrick (Apr 17, 2014)

My usage of FreeBSD goes back to the mid-90s and with different jobs I have used AIX and Solaris.  Therefore with my knowledge of and use of Solaris in the workplace I moved to using Solaris -> OpenSolaris -> OpenIndiana -> SmartOS at home.  Because of Bhyve, Capsicum, and other things available in FreeBSD I'm interested in exploring my return to it for my mail and web services for multiple domains.

My question is that in the past I used settings such as

```
log_in_vain="YES"
sysctl net.inet.tcp.log_in_vain=1 
sysctl net.inet.udp.log_in_vain=1
sysctl net.inet.tcp.blackhole=2
sysctl net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
```
And other settings to make the operating system more secure.  Realizing that most attacks and exploits are Web- and application-based, one should reduce exposure and the attack surface where possible.  So are these still necessary, or have these become default settings since my 4.x/5.x days?


----------



## trh411 (Apr 21, 2014)

The default settings for these sysctl(8) security knobs are:

```
net.inet.tcp.log_in_vain: 0 
net.inet.udp.log_in_vain: 0
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 0
net.inet.sctp.blackhole: 0
```
in FreeBSD-9x, FreeBSD-10.0 and FreeBSD-11.0-CURRENT.


----------

