Archive for the ‘FREEBSD’ Category

FreeBSD net.inet.ip Sysctls Explained

October 22nd, 2010



The net.inet.ip.portrange.* sysctl variables control the port number ranges automatically bound to TCP and UDP sockets.

There are three ranges: a low range, a default range, and a high range. Most network programs use the default range which is controlled by the net.inet.ip.portrange.first and net.inet.ip.portrange.last, which default to 1024 and 5000, respectively. Bound port ranges are used for outgoing connections, and it is possible to run the system out of ports under certain circumstances. This most commonly occurs when you are running a heavily loaded web proxy. The port range is not an issue when running servers which handle mainly incoming connections, such as a normal web server, or has a limited number of outgoing connections, such as a mail relay. For situations where you may run yourself out of ports, it is recommended to increase net.inet.ip.portrange.last modestly. A value of 10000, 20000 or 30000 may be reasonable. You should also consider firewall effects when changing the port range. Some firewalls may block large ranges of ports (usually low-numbered ports) and expect systems to use higher ranges of ports for outgoing connections — for this reason it is not recommended that net.inet.ip.portrange.first be lowered.

net.inet.ip.portrange.first, net.inet.ip.portrange.last

Use the default range of values, normally net.inet.ip.portrange.hifirst through net.inet.ip.portrange.hilast. This is adjustable.

net.inet.ip.portrange.hifirst, net.inet.ip.portrange.hilast

Use a high range of values.

net.inet.ip.portrange.lowfirst, net.inet.ip.portrange.lowlast

Use a low range of ports, which are normally restricted to privileged processes on UNIX systems.

net.inet.ip.portrange.reservedlow, net.inet.ip.portrange.reservedhigh

The range of privileged ports which only may be opened by root-owned processes may be modified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl settings. The values default to the traditional range, 0 through IPPORT_RESERVED - 1 (0 through 1023), respectively. Note that these settings do not affect and are not accounted for in the use or calculation of the other net.inet.ip.portrange values above. Changing these values departs from UNIX tradition and has security consequences that the administrator should carefully evaluate before modifying these settings.


net.inet.ip.portrange.randomized

Enable random port allocation. Ports are allocated at random within the specified port range in order to increase the difficulty of random spoofing attacks. In scenarios such as benchmarking, this behavior may be undesirable. In these cases, net.inet.ip.portrange.randomized can be used to toggle randomization off.

type: boolean, default: on

net.inet.ip.portrange.randomtime, net.inet.ip.portrange.randomcps

If more than net.inet.ip.portrange.randomcps ports have been allocated in the last second, then return to sequential port allocation. Return to random allocation only once the current port allocation rate drops below net.inet.ip.portrange.randomcps for at least net.inet.ip.portrange.randomtime seconds. The default values for net.inet.ip.portrange.randomcps and net.inet.ip.portrange.randomtime are 10 port allocations per second and 45 seconds, respectively.


Enable IP forwarding between interfaces

IP forwarding is the process of forwarding internet packets from one network to another. By default the FreeBSD system will not forward IP packets between various network interfaces. In other words, routing functions (also known as gateway functions) are disabled.

type: boolean, default: off


When fast IP forwarding is enabled, IP packets are forwarded directly to the appropriate network interface with direct processing to completion, which greatly improves the throughput. All packets for local IP addresses, non-unicast, or with IP options are handled by the normal IP input processing path. All features of the normal (slow) IP forwarding path are supported including firewall (through pfil(9) hooks) checking, except ipsec(4) tunnel brokering. The IP fastforwarding path does not generate ICMP redirect or source quench messages. Compared to normal IP forwarding this can give a speedup of 40 to 60% in packet forwarding performance.

type: boolean, default: off


Enable sending IP redirects

Allow (1) or disallow (0) sending ICMP redirects when forwarding. This option is ignored unless the host is routing IP packets. Normally, this option should be enabled on all systems.

type: boolean, default: 1


The maximum time-to-live (hop count) value for an IP packet sourced by the system. This value applies to normal transport protocols, not to ICMP.

type: integer, default: 64

Spoofed packet attacks may also be used to overload the kernel route cache. Refer to the net.inet.ip.rtexpire, rtminexpire, and rtmaxcache sysctl parameters. A spoofed packet attack that uses a random source IP will cause the kernel to generate a temporary cached route in the route table, viewable with netstat -rna | fgrep W3.


net.inet.ip.rtexpire

Default expiration time on dynamically learned routes. Lifetime in seconds of protocol-cloned IP routes after the last reference drops.

type: integer, default: 1 hour


net.inet.ip.rtminexpire

Minimum value of net.inet.ip.rtexpire. Minimum time to attempt to hold onto dynamically learned routes. This value has no effect on user modifications, but restricts the dynamic adaptation.

type: integer, default: 10 seconds.


net.inet.ip.rtmaxcache

Trigger level of cached, unreferenced, protocol-cloned routes which initiates dynamic adaptation.

type: integer, default: 128


Enable forwarding source routed IP packets

Source routing is a technique whereby the sender of a packet can specify the route that a packet should take through the network. Remember that as a packet travels through the network, each router will examine the “destination IP address” and choose the next hop to forward the packet to. In source routing, the “source” (i.e. the sender) makes some or all of these decisions.

In strict source routing, the sender specifies the exact route the packet must take. This is virtually never used.

The more common form is loose source record route (LSRR), in which the sender gives one or more hops that the packet must go through.

type: boolean, default: false


Enable accepting source routed IP packets

type: boolean, default: false


Maximum size of the IP input queue

type: integer, default: 50


Number of packets dropped from the IP input queue

type: integer, default: 0


Maximum number of fragmented packets the host will accept and hold in the reassembling queue simultaneously. 0 means that the host will not accept any fragmented packets. -1 means that the host will accept as many fragmented packets as it receives.

type: integer


Maximum number of fragments the host will accept and hold in the reassembling queue for a packet. 0 means that the host will not accept any fragmented packets.

type: integer, default: 16


Current number of IPv4 fragment reassembly queue entries.

type: integer

net.inet.ip.check_interface

Verify that a packet arrives on the correct interface.


Control IP ID generation behaviour. The IP_ID is used for packet reassembly and needs to be unique within a certain time frame specific to a certain host. Normally the IP_ID is assigned sequentially to each IP packet leaving the host. This makes it possible to gather, for example, the number of hosts behind a NAT device (by tracking the different sequences of IP_IDs). Enabling random IP_IDs assigns a random IP_ID to each packet, rendering this kind of “attack” ineffective.

Default is 0 (sequential IP IDs). IPv6 flow IDs and fragment IDs are always random.

type: boolean, default: false


Enable the transmission of source quench packets

The ICMP Source Quench message is a request to decrease the traffic rate of data messages sent to an internet destination. A host MAY send a Source Quench message if it is approaching, or has reached, the point at which it is forced to discard incoming datagrams due to a shortage of reassembly buffers or other resources.

type: integer, default: 0


Control IP options processing([LS]SRR, RR, TS). By setting this variable to 0, all IP options in the incoming packets will be ignored, and the packets will be passed unmodified. By setting to 1, IP options in the incoming packets will be processed accordingly. By setting to 2, an ICMP “prohibited by filter” message will be sent back in response to incoming packets with IP options. Default is 1. This sysctl(8) variable affects packets destined for a local host as well as packets forwarded to some other host.

IP options do not have any practical use today. The only useful application is RR (Record Route), which records the last 8 hops the packet traversed; that allows you to check parts of the path back to you. IP options processing is rather expensive because the packet header has to be modified and expanded. In addition, the only other use is to circumvent or trick firewalls, so it is normally blocked there.

type: integer, default: 1


Enable packet capture for the FAITH IPv4->IPv6 translator daemon.

type: boolean, default: off


The maximum time-to-live (hop count) value for an IP packet sent through a gif(4) tunnel.

type: integer, default: 30


Refuse to create the same prefix on different interfaces, except for carp interfaces.

type: boolean, default: off


Treat all subnets as directly connected

type: integer, default: 0
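As an added example (not part of the original post), the following POSIX sh script audits a saved sysctl net.inet.ip dump against the port-range settings and the forwarding, source-routing and IP-ID settings described above. The post describes the latter without naming them; the standard FreeBSD names net.inet.ip.forwarding, net.inet.ip.sourceroute, net.inet.ip.accept_sourceroute and net.inet.ip.random_id are assumed here, and the sample dump, the policy table and the "raise last to at least 10000" threshold are constructed for the example.

```sh
# Added example, not from the original post: audit a saved `sysctl net.inet.ip`
# dump against the settings above; on FreeBSD: audit_ip_sysctls "$(sysctl net.inet.ip)"

# Constructed sample dump (hypothetical host) in sysctl's "name: value" format.
SAMPLE_DUMP='net.inet.ip.portrange.first: 1024
net.inet.ip.portrange.last: 5000
net.inet.ip.portrange.randomized: 1
net.inet.ip.forwarding: 0
net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 1
net.inet.ip.random_id: 0'

# Expected value per variable for a host that is not a router: "name want reason".
HOST_POLICY='net.inet.ip.forwarding 0 host is not a router
net.inet.ip.sourceroute 0 do not forward source-routed packets
net.inet.ip.accept_sourceroute 0 do not accept source-routed packets
net.inet.ip.random_id 1 sequential IP IDs reveal host counts behind NAT
net.inet.ip.portrange.randomized 1 random ports make spoofing attacks harder'

# Print the value of variable $2 from dump $1; -1 marks a variable not in the dump.
sysctl_get() {
    printf '%s\n' "$1" | awk -v k="$2" -F': ' \
        '$1 == k { print $2; f = 1; exit } END { if (!f) print "-1" }'
}

# Numeric checks on the default ephemeral range; prints one finding per line.
audit_portrange() {
    first=$(sysctl_get "$1" net.inet.ip.portrange.first)
    last=$(sysctl_get "$1" net.inet.ip.portrange.last)
    # Lowering .first below 1024 runs into firewalls that block low ports.
    [ "$first" -ge 1024 ] || echo "portrange.first=$first is below 1024"
    # The post suggests 10000-30000 for .last on hosts with many outbound connections.
    [ "$last" -ge 10000 ] ||
        echo "ephemeral range $first-$last has only $((last - first + 1)) ports"
}

# Compare every policy entry with the dump; prints one have/want line per deviation.
audit_policy() {
    printf '%s\n' "$HOST_POLICY" | while read -r name want reason; do
        have=$(sysctl_get "$1" "$name")
        [ "$have" = "$want" ] || echo "$name: have $have, want $want ($reason)"
    done
}

# All findings for a dump; empty output means nothing to change.
audit_ip_sysctls() {
    audit_portrange "$1"
    audit_policy "$1"
}
```

For the constructed dump the audit reports the small 1024-5000 range, accept_sourceroute set to 1 and random_id set to 0.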

Categories: FREEBSD

How to set CPU affinity for a process in FreeBSD

September 2nd, 2010

Processor affinity means that, on a multi-CPU machine, a process runs only on a dedicated set of CPUs. In other words, processes are bound to an isolated subset of the CPUs. This feature can be used during performance benchmarking, and also when deploying an application.

To get the CPU model and number of active CPUs try the following command:

$ sysctl hw.model hw.ncpu

The cpuset command

The cpuset command can be used to assign processor sets to processes, run commands constrained to a given set or list of processors, and query information about processor binding, sets, and available processors in the system.

cpuset requires a target to modify or query. The target may be specified as a command, process id, thread id, a cpuset id, an irq or a jail id. Using -g the target’s set id or mask may be queried. Using -l or -s the target’s CPU mask or set id may be set. If no target is specified, cpuset operates on itself. Not all combinations of operations and targets are supported. For example, you may not set the id of an existing set or query and launch a command at the same time.

There are two sets applicable to each process and one private mask per thread. Every process in the system belongs to a cpuset. By default processes are started in set 1. The mask or id may be queried using -c. Each thread also has a private mask of CPUs it is allowed to run on that must be a subset of the assigned set. And finally, there is a root set, numbered 0, that is immutable. This last set is the list of all possible CPUs in the system and is queried using -r.

When running a command it may join a set specified with -s; otherwise a new set is created. In addition, a mask for the command may be specified using -l. When used in conjunction with -c the mask modifies the supplied or created set rather than the private mask for the thread.

The options are as follows:

-c           The requested operation should reference the cpuset available via the target specifier.

-g           Causes cpuset to print either a list of valid CPUs or, using -i, the id of the target.

-i           When used with the -g option print the id rather than the valid mask of the target.

-j jailid    Specifies a jail id as the target of the operation.

-l cpu-list  Specifies a list of CPUs to apply to a target. Specification may include numbers separated by '-' for ranges and commas separating individual numbers.

-p pid       Specifies a pid as the target of the operation.

-s setid     Specifies a set id as the target of the operation.

-r           The requested operation should reference the root set available via the target specifier.

-t tid       Specifies a thread id as the target of the operation.

-x irq       Specifies an irq as the target of the operation.


Create a new group with CPUs 0-4 inclusive and run /bin/sh on it:

cpuset -c -l 0-4 /bin/sh

Query the mask of CPUs the process <pid> is allowed to run on:

cpuset -g -p <pid>

Restrict /bin/sh to run on CPUs 0 and 2 while its group is still allowed to run on CPUs 0-4:

cpuset -l 0,2 -p <pid>

Modify the cpuset /bin/sh belongs to restricting it to CPUs 0 and 2:

cpuset -l 0,2 -c -p <pid>

Modify the cpuset all threads are in by default to contain only the first 4 CPUs, leaving the rest idle:

cpuset -l 0-3 -s 1

Print the id of the cpuset /bin/sh is in:

cpuset -g -i -p <pid>

Move the process <pid> into the specified cpuset <setid> so it may be managed with other pids in that set:

cpuset -s <setid> -p <pid>
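As an added example (not from the original post), the POSIX sh helper below expands a cpu-list in the -l format described above (ranges with '-', items separated by commas), rejects CPUs that are not below the CPU count reported by hw.ncpu, and prints the resulting cpuset command line without running it. The function names and the pid and CPU-count values in the comments are constructed for the example.

```sh
# Added example, not from the original post: check a cpuset(1) -l cpu-list before
# using it. expand_cpulist turns "0-2,4" into "0 1 2 4" and rejects anything
# malformed or not below the CPU count (on FreeBSD: ncpu=$(sysctl -n hw.ncpu)).

# Print the CPUs named by cpu-list $1 as a space-separated line; print nothing
# and return 1 if an item is malformed, out of order, or not below ncpu ($2).
expand_cpulist() {
    out=""
    for item in $(printf '%s\n' "$1" | tr ',' ' '); do
        case $item in
            *-*) lo=${item%%-*}; hi=${item#*-} ;;   # "lo-hi" range
            *)   lo=$item; hi=$item ;;              # single CPU
        esac
        # Both bounds must be plain non-negative integers.
        case $lo in ''|*[!0-9]*) return 1 ;; esac
        case $hi in ''|*[!0-9]*) return 1 ;; esac
        [ "$lo" -le "$hi" ] && [ "$hi" -lt "$2" ] || return 1
        i=$lo
        while [ "$i" -le "$hi" ]; do out="$out $i"; i=$((i + 1)); done
    done
    [ -n "$out" ] || return 1          # an empty list is an error too
    printf '%s\n' "${out# }"
}

# Print the cpuset command that restricts pid $3 (or, when $4 is "set", the whole
# cpuset it belongs to) to cpu-list $1 on a machine with $2 CPUs; return 1 on a
# bad list. The command is only printed, so this runs without cpuset installed.
cpuset_cmd() {
    expand_cpulist "$1" "$2" >/dev/null || return 1
    printf 'cpuset -l %s %s-p %s\n' "$1" "${4:+-c }" "$3"
}
```

For example, cpuset_cmd 0,2 4 1234 set prints "cpuset -l 0,2 -c -p 1234", the form used above to shrink a process's whole cpuset, while a list naming CPU 8 on a 4-CPU machine is rejected before anything is run.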


Categories: FREEBSD, HOW-TOS

FreeBSD Get CPU & Memory Information

July 21st, 2010

To get information about the CPU and memory under FreeBSD, use the following commands:

Getting CPU information:
From dmesg:

$ dmesg | grep CPU


$ grep CPU /var/run/dmesg.boot | less

Using sysctl:
CPU model:

$ sysctl hw.model

CPU clock rate:

$ sysctl hw.clockrate

Number of CPUs:

$ sysctl hw.ncpu

Get all information:

$ sysctl -a | grep -i cpu | less

Getting memory information:
From dmesg:

$ dmesg | grep memory


$ grep memory /var/run/dmesg.boot

Using sysctl:

$ sysctl -a | grep mem | less

FreeBSD find out memory usage

There is a Linux-like free command for FreeBSD. You can get it from:

$ git clone
$ cd free; make
$ sudo mv free /usr/local/bin/free
$ free -m -t


                   total          active            free        inactive            wire          cached
Memory:             1917              59            1053             575             111              41
Summary:            1917             246            1670

Freecolor is a free replacement that displays free memory graphically as a bar graph. It supports the same options as free. To install freecolor, enter:

# pkg_add -r freecolor

To see memory details, enter:

# freecolor -m


Physical  : [#######################............] 67% (162/239)
Swap      : [##################################.] 99% (599/600)
# freecolor -m -o


             total       used       free     shared    buffers     cached
Mem:           239         77        162          0          0          0
Swap:          600          0        599
Categories: FREEBSD