version 1.3, 2006/12/23 08:06:54 |
version 1.6, 2007/03/12 14:37:28 |
|
|
.\" |
.\" |
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 |
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 |
.\" |
.\" |
.Dd December 4, 2006 |
.Dd February 2, 2007 |
.Dt SYSCTL 7 |
.Dt SYSCTL 7 |
.Os |
.Os |
.Sh NAME |
.Sh NAME |
Line 1073 This cannot be set to less than 0 or gre |
|
Line 1073 This cannot be set to less than 0 or gre |
|
be smaller than |
be smaller than |
.Li ip.lowportmax . |
.Li ip.lowportmax . |
.It Li ip.maxflows |
.It Li ip.maxflows |
IP Fast Forwarding is enabled by default. |
IPv4 Fast Forwarding is enabled by default. |
If set to 0, IP Fast Forwarding is disabled. |
If set to 0, IPv4 Fast Forwarding is disabled. |
.Li ip.maxflows |
.Li ip.maxflows |
controls the maximum amount of flows which can be created. |
controls the maximum amount of flows which can be created. |
The default value is 256. |
The default value is 256. |
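Review bot: the rename to "IPv4 Fast Forwarding" is fine, but the unchanged line "controls the maximum amount of flows which can be created" should read "maximum number of flows" (flows are countable), and since this entry's wording is copied verbatim into the new ip6.maxflows entry later in the diff, fix it here so both entries end up consistent.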
Line 1295 The currently defined protocols and name |
|
Line 1295 The currently defined protocols and name |
|
.It ip6 log_interval integer yes |
.It ip6 log_interval integer yes |
.It ip6 lowportmax integer yes |
.It ip6 lowportmax integer yes |
.It ip6 lowportmin integer yes |
.It ip6 lowportmin integer yes |
|
.It ip6 maxflows integer yes |
.It ip6 maxfragpackets integer yes |
.It ip6 maxfragpackets integer yes |
.It ip6 maxfrags integer yes |
.It ip6 maxfrags integer yes |
.It ip6 redirect integer yes |
.It ip6 redirect integer yes |
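Review bot: the new "ip6 maxflows integer yes" row is inserted in the correct alphabetical position between lowportmin and maxfragpackets and the changeable column matches the runtime-settable description given later; nothing to change in this hunk, but confirm the ip table (outside this diff) carries the matching ip.maxflows row, since that variable is documented in the ip.maxflows entry above.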
Line 1385 The lowest port number to use for TCP an |
|
Line 1386 The lowest port number to use for TCP an |
|
This cannot be set to less than 0 or greater than 1024, and must |
This cannot be set to less than 0 or greater than 1024, and must |
be smaller than |
be smaller than |
.Li ip6.lowportmax . |
.Li ip6.lowportmax . |
|
.It Li ip6.maxflows |
|
IPv6 Fast Forwarding is enabled by default. |
|
If set to 0, IPv6 Fast Forwarding is disabled. |
|
.Li ip6.maxflows |
|
controls the maximum amount of flows which can be created. |
|
The default value is 256. |
.It Li ip6.maxfragpackets |
.It Li ip6.maxfragpackets |
The maximum number of fragmented packets the node will accept. |
The maximum number of fragmented packets the node will accept. |
0 means that the node will not accept any fragmented packets. |
0 means that the node will not accept any fragmented packets. |
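Review bot: the new ip6.maxflows entry is a copy of ip.maxflows with "IPv6" substituted and so inherits its problems: it opens by stating the default state of Fast Forwarding instead of saying what the variable is, repeats ".Li ip6.maxflows" inside its own entry, and says "maximum amount of flows" where "maximum number of flows" is meant. Suggest leading with the variable's meaning, e.g. "The maximum number of IPv6 Fast Forwarding flows that can be created; the default is 256. Setting it to 0 disables IPv6 Fast Forwarding, which is enabled by default." The entry also does not say what happens once the limit is reached, which is the detail an operator tuning it would want.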
|
|
.Dv PF_UNIX |
.Dv PF_UNIX |
PCBs), and |
PCBs), and |
.Xr w 1 . |
.Xr w 1 . |
|
.It Li security.models |
|
.Nx |
|
supports pluggable security models. |
|
Every security model used, whether if loaded as an LKM or built with the system, |
|
is required to add an entry to this node with at least one element, |
|
.Dq name , |
|
indicating the name of the security model. |
|
.Pp |
|
In addition to the name, any settings and other information private to the |
|
security model will be available under this node. |
|
See |
|
.Xr secmodel 9 |
|
for more information. |
.It Li security.pax |
.It Li security.pax |
Settings for PaX -- exploit mitigation features. |
Settings for PaX -- exploit mitigation features. |
|
For more information on any of the PaX features, please see |
|
.Xr paxctl 8 |
|
and |
|
.Xr security 8 . |
.Pp |
.Pp |
.Bl -tag -width "123456" |
.Bl -tag -width "123456" |
.It Li security.pax.mprotect.enable |
.It Li security.pax.mprotect.enable |
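Review bot: in the new security.models text, "whether if loaded as an LKM" should be "whether loaded as an LKM" (drop "if"). In the security.pax entry, the ".Pp" placed immediately before ".Bl -tag" is redundant (a paragraph macro directly preceding a list is skipped by the formatter); drop one of the two. The "--" in "Settings for PaX -- exploit mitigation features." is plain ASCII hyphens in mdoc; either use the "\(em" escape or recast as "Settings for PaX exploit mitigation features."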
Line 1954 explicit enable/disable flag. |
|
Line 1978 explicit enable/disable flag. |
|
.Pp |
.Pp |
When non-zero, all programs will get the PaX MPROTECT restrictions, |
When non-zero, all programs will get the PaX MPROTECT restrictions, |
except those exempted with |
except those exempted with |
.Xr paxctl 1 . |
.Xr paxctl 8 . |
Otherwise, all programs will not get the PaX MPROTECT restrictions, |
Otherwise, all programs will not get the PaX MPROTECT restrictions, |
except those specifically marked as such with |
except those specifically marked as such with |
.Xr paxctl 1 . |
.Xr paxctl 8 . |
.It Li security.pax.segvguard.enable |
.It Li security.pax.segvguard.enable |
Enable PaX Segvguard. |
Enable PaX Segvguard. |
.Pp |
.Pp |
Please see |
|
.Xr security 8 |
|
for more information. |
|
.Pp |
|
PaX Segvguard can detect and prevent certain exploitation attempts, where |
PaX Segvguard can detect and prevent certain exploitation attempts, where |
an attacker may try for example to brute-force function return addresses |
an attacker may try for example to brute-force function return addresses |
of respawning daemons. |
of respawning daemons. |
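Review bot: the paxctl cross references now point at section 8, consistent with the cross reference added in the security.pax description; good. Two wording points in this hunk: in mprotect.enable, "all programs will not get the PaX MPROTECT restrictions" should be "no program will get the PaX MPROTECT restrictions", parallel to the segvguard wording ("no program will get the PaX Segvguard restrictions"); and in segvguard.enable, the newly inserted "Please see security(8) for more information" paragraph now sits between "Enable PaX Segvguard." and the sentence explaining what Segvguard does, so move it after that explanation, the way the security.pax entry places its cross references after the description, so the reader learns what the knob does before being sent elsewhere.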
Line 1980 explicit enable/disable flag. |
|
Line 2000 explicit enable/disable flag. |
|
.Pp |
.Pp |
When non-zero, all programs will get the PaX Segvguard, |
When non-zero, all programs will get the PaX Segvguard, |
except those exempted with |
except those exempted with |
.Xr paxctl 1 . |
.Xr paxctl 8 . |
Otherwise, no program will get the PaX Segvguard restrictions, |
Otherwise, no program will get the PaX Segvguard restrictions, |
except those specifically marked as such with |
except those specifically marked as such with |
.Xr paxctl 1 . |
.Xr paxctl 8 . |
.It Li security.pax.segvguard.expiry_timeout |
.It Li security.pax.segvguard.expiry_timeout |
If the max number was not reached within this timeout (in seconds), the entry |
If the max number was not reached within this timeout (in seconds), the entry |
will expire. |
will expire. |
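Review bot: the paxctl section fix here matches the mprotect entry, nothing further on that. In the unchanged expiry_timeout text, "the max number" and "the entry" refer to a limit and a record that this entry never names; state which sysctl sets the maximum and what an entry is (a per-program record of detected crashes, per the Segvguard description above), so the timeout is understandable without reading the rest of the list.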