diff --git a/src/etc/config.xml.sample b/src/etc/config.xml.sample
index 43b49b430..8b5418865 100644
--- a/src/etc/config.xml.sample
+++ b/src/etc/config.xml.sample
@@ -3,64 +3,11 @@
   <trigger_initial_wizard/>
   <theme>opnsense</theme>
   <sysctl>
-    <item>
-      <descr><![CDATA[Increase UFS read-ahead speeds to match the state of hard drives and NCQ.]]></descr>
-      <tunable>vfs.read_max</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Set the ephemeral port range to be lower.]]></descr>
-      <tunable>net.inet.ip.portrange.first</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Drop packets to closed TCP ports without returning a RST]]></descr>
-      <tunable>net.inet.tcp.blackhole</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Do not send ICMP port unreachable messages for closed UDP ports]]></descr>
-      <tunable>net.inet.udp.blackhole</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Randomize the ID field in IP packets]]></descr>
-      <tunable>net.inet.ip.random_id</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[
-        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
-        It can also be used to probe for information about your internal networks. These functions come enabled
-        as part of the standard FreeBSD core system.
-      ]]></descr>
-      <tunable>net.inet.ip.sourceroute</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[
-        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
-        It can also be used to probe for information about your internal networks. These functions come enabled
-        as part of the standard FreeBSD core system.
-      ]]></descr>
-      <tunable>net.inet.ip.accept_sourceroute</tunable>
-      <value>default</value>
-    </item>
     <item>
       <descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>
       <tunable>net.inet.tcp.drop_synfin</tunable>
       <value>default</value>
     </item>
-    <item>
-      <descr><![CDATA[Enable privacy settings for IPv6 (RFC 4941)]]></descr>
-      <tunable>net.inet6.ip6.use_tempaddr</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Prefer privacy addresses and use them over the normal addresses]]></descr>
-      <tunable>net.inet6.ip6.prefer_tempaddr</tunable>
-      <value>default</value>
-    </item>
     <item>
       <descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr>
       <tunable>net.inet.tcp.syncookies</tunable>
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index e2ff1ad27..59ed11941 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -87,14 +87,14 @@ function system_sysctl_defaults()
         'net.inet.icmp.icmplim' => [ 'default' => '0', 'optional' => true ],
         'net.inet.icmp.log_redirect' => [ 'default' => '0' ],
         'net.inet.icmp.reply_from_interface' => [ 'default' => '1' ],
-        'net.inet.ip.accept_sourceroute' => [ 'default' => '0', 'optional' => true ],
+        'net.inet.ip.accept_sourceroute' => [ 'default' => '0' ],
         'net.inet.ip.forwarding' => [ 'default' => '1' ],
         'net.inet.ip.intr_queue_maxlen' => [ 'default' => '1000' ],
-        'net.inet.ip.portrange.first' => [ 'default' => '1024', 'optional' => true ],
-        'net.inet.ip.random_id' => [ 'default' => '1', 'optional' => true ],
+        'net.inet.ip.portrange.first' => [ 'default' => '1024' ],
+        'net.inet.ip.random_id' => [ 'default' => '1' ],
         'net.inet.ip.redirect' => [ 'default' => '0' ],
-        'net.inet.ip.sourceroute' => [ 'default' => '0', 'optional' => true ],
-        'net.inet.tcp.blackhole' => [ 'default' => '2', 'optional' => true ],
+        'net.inet.ip.sourceroute' => [ 'default' => '0' ],
+        'net.inet.tcp.blackhole' => [ 'default' => '2' ],
         'net.inet.tcp.delayed_ack' => [ 'default' => '0', 'optional' => true ],
         'net.inet.tcp.drop_synfin' => [ 'default' => '1', 'optional' => true ],
         'net.inet.tcp.log_debug' => [ 'default' => '0', 'optional' => true ],
@@ -102,17 +102,17 @@ function system_sysctl_defaults()
         'net.inet.tcp.sendspace' => [ 'default' => '65228' , 'optional' => true],
         'net.inet.tcp.syncookies' => [ 'default' => '1', 'optional' => true ],
         'net.inet.tcp.tso' => [ 'default' => '1', 'optional' => true ],
-        'net.inet.udp.blackhole' => [ 'default' => '1', 'optional' => true ],
+        'net.inet.udp.blackhole' => [ 'default' => '1' ],
         'net.inet.udp.checksum' => [ 'default' => 1, 'optional' => true ],
         'net.inet.udp.maxdgram' => [ 'default' => '57344' ],
         'net.inet6.ip6.accept_rtadv' => [ 'default' => isset($config['system']['ipv6allow']) ? '1' : '0' ],
         'net.inet6.ip6.forwarding' => [ 'default' => '1' ],
         'net.inet6.ip6.intr_queue_maxlen' => [ 'default' => '1000' ],
         'net.inet6.ip6.log_cannot_forward' => [ 'default' => '0' ],
-        'net.inet6.ip6.prefer_tempaddr' => [ 'default' => '0', 'optional' => true ],
+        'net.inet6.ip6.prefer_tempaddr' => [ 'default' => '0' ],
         'net.inet6.ip6.redirect' => [ 'default' => '0' ],
         'net.inet6.ip6.rfc6204w3' => [ 'default' => isset($config['system']['ipv6allow']) ? '1' : '0' ],
-        'net.inet6.ip6.use_tempaddr' => [ 'default' => '0', 'optional' => true ],
+        'net.inet6.ip6.use_tempaddr' => [ 'default' => '0' ],
         'net.link.bridge.pfil_bridge' => [ 'default' => '0', 'optional' => true ],
         'net.link.bridge.pfil_local_phys' => [ 'default' => '0', 'optional' => true ],
         'net.link.bridge.pfil_member' => [ 'default' => '1', 'optional' => true ],
@@ -127,7 +127,7 @@ function system_sysctl_defaults()
         'net.route.multipath' => [ 'default' => '0' ],
         'security.bsd.see_other_gids' => [ 'default' => '0' ],
         'security.bsd.see_other_uids' => [ 'default' => '0' ],
-        'vfs.read_max' => [ 'default' => '32', 'optional' => true ],
+        'vfs.read_max' => [ 'default' => '32' ],
         'vfs.zfs.dirty_data_sync_percent' => [ 'default' => '5' ],
         'vfs.zfs.txg.timeout' => [ 'default' => '90' ],
         'vm.numa.disabled' => [ 'default' => '1' ],
diff --git a/src/opnsense/mvc/tests/app/models/OPNsense/ACL/AclConfig/config.xml b/src/opnsense/mvc/tests/app/models/OPNsense/ACL/AclConfig/config.xml
index c6efa9605..383895623 100644
--- a/src/opnsense/mvc/tests/app/models/OPNsense/ACL/AclConfig/config.xml
+++ b/src/opnsense/mvc/tests/app/models/OPNsense/ACL/AclConfig/config.xml
@@ -3,64 +3,11 @@
   <trigger_initial_wizard/>
   <theme>opnsense</theme>
   <sysctl>
-    <item>
-      <descr><![CDATA[Increase UFS read-ahead speeds to match the state of hard drives and NCQ.]]></descr>
-      <tunable>vfs.read_max</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Set the ephemeral port range to be lower.]]></descr>
-      <tunable>net.inet.ip.portrange.first</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Drop packets to closed TCP ports without returning a RST]]></descr>
-      <tunable>net.inet.tcp.blackhole</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Do not send ICMP port unreachable messages for closed UDP ports]]></descr>
-      <tunable>net.inet.udp.blackhole</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Randomize the ID field in IP packets]]></descr>
-      <tunable>net.inet.ip.random_id</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[
-        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
-        It can also be used to probe for information about your internal networks. These functions come enabled
-        as part of the standard FreeBSD core system.
-      ]]></descr>
-      <tunable>net.inet.ip.sourceroute</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[
-        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
-        It can also be used to probe for information about your internal networks. These functions come enabled
-        as part of the standard FreeBSD core system.
-      ]]></descr>
-      <tunable>net.inet.ip.accept_sourceroute</tunable>
-      <value>default</value>
-    </item>
     <item>
       <descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>
       <tunable>net.inet.tcp.drop_synfin</tunable>
       <value>default</value>
     </item>
-    <item>
-      <descr><![CDATA[Enable privacy settings for IPv6 (RFC 4941)]]></descr>
-      <tunable>net.inet6.ip6.use_tempaddr</tunable>
-      <value>default</value>
-    </item>
-    <item>
-      <descr><![CDATA[Prefer privacy addresses and use them over the normal addresses]]></descr>
-      <tunable>net.inet6.ip6.prefer_tempaddr</tunable>
-      <value>default</value>
-    </item>
     <item>
       <descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr>
       <tunable>net.inet.tcp.syncookies</tunable>