system: more for #7440

2026-03-14 08:34:39 +00:00 · 2025-02-14 08:43:17 +01:00 · 2025-02-14 08:43:17 +01:00 · 6cae0ba7bb
commit 6cae0ba7bb
parent 206c57b39d
3 changed files with 9 additions and 115 deletions
--- a/src/etc/config.xml.sample
+++ b/src/etc/config.xml.sample
@ -3,64 +3,11 @@
  <trigger_initial_wizard/>
  <theme>opnsense</theme>
  <sysctl>
-    <item>
-      <descr><![CDATA[Increase UFS read-ahead speeds to match the state of hard drives and NCQ.]]></descr>
-      <tunable>vfs.read_max</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Set the ephemeral port range to be lower.]]></descr>
-      <tunable>net.inet.ip.portrange.first</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Drop packets to closed TCP ports without returning a RST]]></descr>
-      <tunable>net.inet.tcp.blackhole</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Do not send ICMP port unreachable messages for closed UDP ports]]></descr>
-      <tunable>net.inet.udp.blackhole</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Randomize the ID field in IP packets]]></descr>
-      <tunable>net.inet.ip.random_id</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[
-        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
-        It can also be used to probe for information about your internal networks. These functions come enabled
-        as part of the standard FreeBSD core system.
-      ]]></descr>
-      <tunable>net.inet.ip.sourceroute</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[
-        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
-        It can also be used to probe for information about your internal networks. These functions come enabled
-        as part of the standard FreeBSD core system.
-      ]]></descr>
-      <tunable>net.inet.ip.accept_sourceroute</tunable>
-      <value>default</value>
-    </item>
    <item>
      <descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>
      <tunable>net.inet.tcp.drop_synfin</tunable>
      <value>default</value>
    </item>
-    <item>
-      <descr><![CDATA[Enable privacy settings for IPv6 (RFC 4941)]]></descr>
-      <tunable>net.inet6.ip6.use_tempaddr</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Prefer privacy addresses and use them over the normal addresses]]></descr>
-      <tunable>net.inet6.ip6.prefer_tempaddr</tunable>
-      <value>default</value>
-    </item>
    <item>
      <descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr>
      <tunable>net.inet.tcp.syncookies</tunable>
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@ -87,14 +87,14 @@ function system_sysctl_defaults()
        'net.inet.icmp.icmplim' => [ 'default' => '0', 'optional' => true ],
        'net.inet.icmp.log_redirect' => [ 'default' => '0' ],
        'net.inet.icmp.reply_from_interface' => [ 'default' => '1' ],
-        'net.inet.ip.accept_sourceroute' => [ 'default' => '0', 'optional' => true ],
+        'net.inet.ip.accept_sourceroute' => [ 'default' => '0' ],
        'net.inet.ip.forwarding' => [ 'default' => '1' ],
        'net.inet.ip.intr_queue_maxlen' => [ 'default' => '1000' ],
-        'net.inet.ip.portrange.first' => [ 'default' => '1024', 'optional' => true ],
-        'net.inet.ip.random_id' => [ 'default' => '1', 'optional' => true ],
+        'net.inet.ip.portrange.first' => [ 'default' => '1024' ],
+        'net.inet.ip.random_id' => [ 'default' => '1' ],
        'net.inet.ip.redirect' => [ 'default' => '0' ],
-        'net.inet.ip.sourceroute' => [ 'default' => '0', 'optional' => true ],
-        'net.inet.tcp.blackhole' => [ 'default' => '2', 'optional' => true ],
+        'net.inet.ip.sourceroute' => [ 'default' => '0' ],
+        'net.inet.tcp.blackhole' => [ 'default' => '2' ],
        'net.inet.tcp.delayed_ack' => [ 'default' => '0', 'optional' => true ],
        'net.inet.tcp.drop_synfin' => [ 'default' => '1', 'optional' => true ],
        'net.inet.tcp.log_debug' => [ 'default' => '0', 'optional' => true ],
@ -102,17 +102,17 @@ function system_sysctl_defaults()
        'net.inet.tcp.sendspace' => [ 'default' => '65228' , 'optional' => true],
        'net.inet.tcp.syncookies' => [ 'default' => '1', 'optional' => true ],
        'net.inet.tcp.tso' => [ 'default' => '1', 'optional' => true ],
-        'net.inet.udp.blackhole' => [ 'default' => '1', 'optional' => true ],
+        'net.inet.udp.blackhole' => [ 'default' => '1' ],
        'net.inet.udp.checksum' => [ 'default' => 1, 'optional' => true ],
        'net.inet.udp.maxdgram' => [ 'default' => '57344' ],
        'net.inet6.ip6.accept_rtadv' => [ 'default' => isset($config['system']['ipv6allow']) ? '1' : '0' ],
        'net.inet6.ip6.forwarding' => [ 'default' => '1' ],
        'net.inet6.ip6.intr_queue_maxlen' => [ 'default' => '1000' ],
        'net.inet6.ip6.log_cannot_forward' => [ 'default' => '0' ],
-        'net.inet6.ip6.prefer_tempaddr' => [ 'default' => '0', 'optional' => true ],
+        'net.inet6.ip6.prefer_tempaddr' => [ 'default' => '0' ],
        'net.inet6.ip6.redirect' => [ 'default' => '0' ],
        'net.inet6.ip6.rfc6204w3' => [ 'default' => isset($config['system']['ipv6allow']) ? '1' : '0' ],
-        'net.inet6.ip6.use_tempaddr' => [ 'default' => '0', 'optional' => true ],
+        'net.inet6.ip6.use_tempaddr' => [ 'default' => '0' ],
        'net.link.bridge.pfil_bridge' => [ 'default' => '0', 'optional' => true ],
        'net.link.bridge.pfil_local_phys' => [ 'default' => '0', 'optional' => true ],
        'net.link.bridge.pfil_member' => [ 'default' => '1', 'optional' => true ],
@ -127,7 +127,7 @@ function system_sysctl_defaults()
        'net.route.multipath' => [ 'default' => '0' ],
        'security.bsd.see_other_gids' => [ 'default' => '0' ],
        'security.bsd.see_other_uids' => [ 'default' => '0' ],
-        'vfs.read_max' => [ 'default' => '32', 'optional' => true ],
+        'vfs.read_max' => [ 'default' => '32' ],
        'vfs.zfs.dirty_data_sync_percent' => [ 'default' => '5' ],
        'vfs.zfs.txg.timeout' => [ 'default' => '90' ],
        'vm.numa.disabled' => [ 'default' => '1' ],
--- a/src/opnsense/mvc/tests/app/models/OPNsense/ACL/AclConfig/config.xml
+++ b/src/opnsense/mvc/tests/app/models/OPNsense/ACL/AclConfig/config.xml
@ -3,64 +3,11 @@
  <trigger_initial_wizard/>
  <theme>opnsense</theme>
  <sysctl>
-    <item>
-      <descr><![CDATA[Increase UFS read-ahead speeds to match the state of hard drives and NCQ.]]></descr>
-      <tunable>vfs.read_max</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Set the ephemeral port range to be lower.]]></descr>
-      <tunable>net.inet.ip.portrange.first</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Drop packets to closed TCP ports without returning a RST]]></descr>
-      <tunable>net.inet.tcp.blackhole</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Do not send ICMP port unreachable messages for closed UDP ports]]></descr>
-      <tunable>net.inet.udp.blackhole</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Randomize the ID field in IP packets]]></descr>
-      <tunable>net.inet.ip.random_id</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[
-        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
-        It can also be used to probe for information about your internal networks. These functions come enabled
-        as part of the standard FreeBSD core system.
-      ]]></descr>
-      <tunable>net.inet.ip.sourceroute</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[
-        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
-        It can also be used to probe for information about your internal networks. These functions come enabled
-        as part of the standard FreeBSD core system.
-      ]]></descr>
-      <tunable>net.inet.ip.accept_sourceroute</tunable>
-      <value>default</value>
-    </item>
    <item>
      <descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>
      <tunable>net.inet.tcp.drop_synfin</tunable>
      <value>default</value>
    </item>
-    <item>
-      <descr><![CDATA[Enable privacy settings for IPv6 (RFC 4941)]]></descr>
-      <tunable>net.inet6.ip6.use_tempaddr</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Prefer privacy addresses and use them over the normal addresses]]></descr>
-      <tunable>net.inet6.ip6.prefer_tempaddr</tunable>
-      <value>default</value>
-    </item>
    <item>
      <descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr>
      <tunable>net.inet.tcp.syncookies</tunable>