FreeBSD net.inet.ip Sysctls Explained



The net.inet.ip.portrange.* sysctl variables control the port number ranges automatically bound to TCP and UDP sockets.

There are three ranges: a low range, a default range, and a high range. Most network programs use the default range, which is controlled by net.inet.ip.portrange.first and net.inet.ip.portrange.last; these default to 1024 and 5000, respectively. Bound port ranges are used for outgoing connections, and it is possible to run the system out of ports under certain circumstances. This most commonly occurs when you are running a heavily loaded web proxy. The port range is not an issue when running servers which handle mainly incoming connections, such as a normal web server, or which have a limited number of outgoing connections, such as a mail relay. For situations where you may run yourself out of ports, it is recommended to increase net.inet.ip.portrange.last modestly. A value of 10000, 20000 or 30000 may be reasonable. You should also consider firewall effects when changing the port range. Some firewalls may block large ranges of ports (usually low-numbered ports) and expect systems to use higher ranges of ports for outgoing connections; for this reason it is not recommended that net.inet.ip.portrange.first be lowered.

net.inet.ip.portrange.first, net.inet.ip.portrange.last

Use the default range of values, normally net.inet.ip.portrange.hifirst through net.inet.ip.portrange.hilast. This range is adjustable through these two sysctls.

net.inet.ip.portrange.hifirst, net.inet.ip.portrange.hilast

Use a high range of port values.

net.inet.ip.portrange.lowfirst, net.inet.ip.portrange.lowlast

Use a low range of ports, which are normally restricted to privileged processes on UNIX systems.

net.inet.ip.portrange.reservedlow, net.inet.ip.portrange.reservedhigh

The range of privileged ports which only may be opened by root-owned processes may be modified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl settings. The values default to the traditional range, 0 through IPPORT_RESERVED – 1 (0 through 1023), respectively. Note that these settings do not affect and are not accounted for in the use or calculation of the other net.inet.ip.portrange values above. Changing these values departs from UNIX tradition and has security consequences that the administrator should carefully evaluate before modifying these settings.


Enable random port allocation. Ports are allocated at random within the specified port range in order to increase the difficulty of random spoofing attacks. In scenarios such as benchmarking, this behavior may be undesirable. In these cases, net.inet.ip.portrange.randomized can be used to toggle randomization off.

type: boolean, default: on

net.inet.ip.portrange.randomtime, net.inet.ip.portrange.randomcps

If more than net.inet.ip.portrange.randomcps ports have been allocated in the last second, the kernel returns to sequential port allocation. It returns to random allocation only once the current port allocation rate has stayed below net.inet.ip.portrange.randomcps for at least net.inet.ip.portrange.randomtime seconds. The default values for net.inet.ip.portrange.randomcps and net.inet.ip.portrange.randomtime are 10 port allocations per second and 45 seconds, respectively.
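A small model of the randomcps/randomtime fallback rule described above, added here as an illustration rather than FreeBSD kernel code (the kernel's real bookkeeping is more fine-grained; this model works on per-second allocation counts and switches modes at second granularity). It shows the caveat a defender should keep in mind: one burst above randomcps makes ephemeral ports sequential, and therefore predictable, for at least randomtime seconds of calm afterwards.

```python
# Model of the net.inet.ip.portrange.randomcps / randomtime fallback as the
# text above describes it.  Added illustration, not FreeBSD kernel code: it
# takes per-second allocation counts and reports a mode per second.

DEFAULT_RANDOMCPS = 10   # allocations per second (page default)
DEFAULT_RANDOMTIME = 45  # seconds of calm before randomisation resumes


def allocation_modes(per_second_counts, randomcps=DEFAULT_RANDOMCPS,
                     randomtime=DEFAULT_RANDOMTIME, randomized=True):
    """Return one entry per second: 'random' or 'sequential'.

    per_second_counts[i] is the number of ports bound during second i.
    With net.inet.ip.portrange.randomized off, every second is sequential.
    """
    if not randomized:
        return ["sequential"] * len(per_second_counts)
    modes = []
    random_mode = True
    calm_seconds = 0  # consecutive seconds with a rate below randomcps
    for count in per_second_counts:
        if random_mode:
            if count > randomcps:       # more than randomcps: fall back
                random_mode = False
                calm_seconds = 0
        elif count < randomcps:
            calm_seconds += 1
            if calm_seconds >= randomtime:
                random_mode = True      # calm for randomtime seconds: resume
        else:
            calm_seconds = 0            # rate not below randomcps: restart wait
        modes.append("random" if random_mode else "sequential")
    return modes


def sequential_seconds(per_second_counts, **kw):
    """Seconds in the trace during which ports were handed out predictably."""
    return allocation_modes(per_second_counts, **kw).count("sequential")


if __name__ == "__main__":
    # Constructed trace: one second of burst from a busy proxy, then idle.
    trace = [3, 50] + [0] * 60
    print(sequential_seconds(trace), "of", len(trace), "seconds sequential")
```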


Enable IP forwarding between interfaces

IP forwarding is the process of forwarding internet packets from one network to another. By default the FreeBSD system will not forward IP packets between various network interfaces. In other words, routing functions (also known as gateway functions) are disabled.

type: boolean, default: off


When fast IP forwarding is enabled, IP packets are forwarded directly to the appropriate network interface with direct processing to completion, which greatly improves the throughput. All packets for local IP addresses, non-unicast, or with IP options are handled by the normal IP input processing path. All features of the normal (slow) IP forwarding path are supported including firewall (through pfil(9) hooks) checking, except ipsec(4) tunnel brokering. The IP fastforwarding path does not generate ICMP redirect or source quench messages. Compared to normal IP forwarding this can give a speedup of 40 to 60% in packet forwarding performance.

type: boolean, default: off


Enable sending IP redirects. Allow (1) or disallow (0) sending ICMP redirects when forwarding. This option is ignored unless the host is routing IP packets. Normally, this option should be enabled on all systems.

type: boolean, default: 1


The maximum time-to-live (hop count) value for an IP packet sourced by the system. This value applies to normal transport protocols, not to ICMP.

type: integer, default: 64

Spoofed packet attacks may also be used to overload the kernel route cache. Refer to the net.inet.ip.rtexpire, net.inet.ip.rtminexpire, and net.inet.ip.rtmaxcache sysctl parameters. A spoofed packet attack that uses random source IPs will cause the kernel to generate a temporary cached route in the route table for each source, viewable with netstat -rna | fgrep W3.


Default expiration time on dynamically learned routes. Lifetime in seconds of protocol-cloned IP routes after the last reference drops.

type: integer, default: 1 hour


Minimum value of ip.rtexpire. Minimum time to attempt to hold onto dynamically learned routes. This value has no effect on user modifications, but restricts the dynamic adaptation.

type: integer, default: 10 seconds.


Trigger level of cached, unreferenced, protocol-cloned routes which initiates dynamic adaptation.

type: integer, default: 128


Enable forwarding source routed IP packets

Source routing is a technique whereby the sender of a packet can specify the route that the packet should take through the network. Remember that as a packet travels through the network, each router will examine the “destination IP address” and choose the next hop to forward the packet to. In source routing, the “source” (i.e. the sender) makes some or all of these decisions.

In strict source routing, the sender specifies the exact route the packet must take. This is virtually never used.

The more common form is loose source record route (LSRR), in which the sender gives one or more hops that the packet must go through.

type: boolean, default: false


Enable accepting source routed IP packets

type: boolean, default: false


Maximum size of the IP input queue

type: integer, default: 50


Number of packets dropped from the IP input queue

type: integer, default: 0


Maximum number of fragmented packets the host will accept and hold in the reassembling queue simultaneously. 0 means that the host will not accept any fragmented packets. -1 means that the host will accept as many fragmented packets as it receives.

type: integer


Maximum number of fragments the host will accept and hold in the reassembling queue for a packet. 0 means that the host will not accept any fragmented packets.

type: integer, default: 16


Current number of IPv4 fragment reassembly queue entries.

type: integer

net.inet.ip.check_interface

Verify that a packet arrives on the correct interface.


Control IP ID generation behaviour. The IP ID is used for packet reassembly and needs to be unique within a certain time frame for a given host. Normally the IP ID is assigned sequentially to each IP packet leaving the host. This makes it possible to gather, for example, the number of hosts behind a NAT device by tracking the different sequences of IP IDs. Enabling random IP IDs assigns a random IP ID to each packet, rendering this kind of “attack” ineffective.

Default is 0 (sequential IP IDs). IPv6 flow IDs and fragment IDs are always random.

type: boolean, default: false


Enable the transmission of source quench packets. The ICMP Source Quench message is a request to decrease the traffic rate of data messages sent to an internet destination. A host MAY send a Source Quench message if it is approaching, or has reached, the point at which it is forced to discard incoming datagrams due to a shortage of reassembly buffers or other resources.

type: integer, default: 0


Control IP options processing([LS]SRR, RR, TS). By setting this variable to 0, all IP options in the incoming packets will be ignored, and the packets will be passed unmodified. By setting to 1, IP options in the incoming packets will be processed accordingly. By setting to 2, an ICMP “prohibited by filter” message will be sent back in response to incoming packets with IP options. Default is 1. This sysctl(8) variable affects packets destined for a local host as well as packets forwarded to some other host.

IP options do not have any practical use today. The only useful application is RR (Record Route), which records the last 8 hops the packet traversed; that allows you to check parts of the path back to you. IP options processing is rather expensive because the packet header has to be modified and expanded. In addition, the only other use is to circumvent or trick firewalls, so it is normally blocked there.

type: integer, default: 1
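A small audit helper added here (not code from the page or from FreeBSD) that parses `sysctl -a` style output and compares the forwarding, source-routing, IP ID, port-range and IP-options settings discussed on this page with a conservative baseline for a host that is not a router. It assumes the standard FreeBSD sysctl names (net.inet.ip.forwarding, net.inet.ip.sourceroute, net.inet.ip.accept_sourceroute, net.inet.ip.random_id, net.inet.ip.process_options), which the page shows only by description, and the sample output is constructed.

```python
# Added audit helper, not code from the page or from FreeBSD: it parses
# `sysctl -a` style "name: value" lines and compares the net.inet.ip knobs
# discussed above with a conservative baseline for a non-routing host.
import re

LINE_RE = re.compile(r"^(net\.inet\.ip\.[\w.]+):\s*(-?\d+)\s*$")

# (sysctl, expected value, why it matters).  Adjust for a real router.
BASELINE_NON_ROUTER = [
    ("net.inet.ip.forwarding", 0, "a host should not route between interfaces"),
    ("net.inet.ip.sourceroute", 0, "do not forward source-routed packets"),
    ("net.inet.ip.accept_sourceroute", 0, "do not accept source-routed packets"),
    ("net.inet.ip.random_id", 1, "sequential IP IDs let observers count hosts behind NAT"),
    ("net.inet.ip.portrange.randomized", 1, "random ephemeral ports resist spoofing"),
    ("net.inet.ip.process_options", 0, "IP options mainly serve to trick firewalls"),
]

def parse_sysctl(text):
    """Map sysctl name -> int value for the net.inet.ip.* lines in text."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def audit(values, baseline=BASELINE_NON_ROUTER):
    """Return (sysctl, actual, expected, reason) for every deviation."""
    findings = [(name, values.get(name), expected, reason)
                for name, expected, reason in baseline
                if values.get(name) != expected]
    # Page's port-range advice: never lower .first into the privileged range.
    first = values.get("net.inet.ip.portrange.first")
    if first is not None and first < 1024:
        findings.append(("net.inet.ip.portrange.first", first, 1024,
                         "ephemeral ports overlap the privileged 0-1023 range"))
    return findings

# Constructed sample output, not captured from a real machine.
SAMPLE = """\
net.inet.ip.forwarding: 1
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 1
net.inet.ip.random_id: 0
net.inet.ip.portrange.randomized: 1
net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.process_options: 1
"""
```

Run `audit(parse_sysctl(SAMPLE))` to get the list of deviations; on a real host feed it the output of `sysctl net.inet.ip` instead of SAMPLE.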


Enable packet capture for the FAITH IPv4-to-IPv6 translator daemon.

type: boolean, default: off


The maximum time-to-live (hop count) value for an IP packet for gif(4) tunnel.

type: integer, default: 30


Refuse to create the same prefixes on different interfaces, except for carp interfaces.

type: boolean, default: off


Treat all subnets as directly connected

type: integer, default: 0