System Tunables Question
-
Hello fellow Netgate Community members, can you please help?
I recently researched the following tunables:
net.inet.icmp.icmplim, net.inet.ip.redirect, net.inet6.ip6.redirect, net.inet.tcp.delayed_ack
and found they should be set to the following. What are your thoughts...
"
net.inet.icmp.icmplim
Controls: Rate limit for ICMP error messages (like unreachable).
Default: 200
Recommended: 50 to 100
Lowering helps prevent ICMP flood abuse.
Set to 0 to disable ICMP rate limiting entirely — not recommended unless you know what you're doing.
Suggested value: net.inet.icmp.icmplim=100

net.inet.ip.redirect
Controls: Whether the system sends ICMP redirects (IPv4).
Default: 1 (enabled)
Recommended: 0 (disabled)
Disable for security. ICMP redirects can be used in man-in-the-middle (MITM) attacks.
Routers should not send redirects unless you're doing something very specific with dynamic routing or legacy networks.
Suggested value: net.inet.ip.redirect=0

net.inet6.ip6.redirect
Controls: Same as above, but for IPv6.
Default: 1
Recommended: 0 (disabled)
Suggested value: net.inet6.ip6.redirect=0

net.inet.tcp.delayed_ack
Controls: TCP Delayed ACK feature (waits briefly before sending ACKs).
Default: 1 (enabled)
Recommended: Leave at default (1) unless you have performance issues or know the workload.
Disabling can reduce latency in some cases but may increase traffic load.
Rarely changes much in modern networks; safe to keep enabled unless you're tuning for specific TCP behavior.
Suggested value: net.inet.tcp.delayed_ack=1"
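Before changing anything it is worth knowing how far a box already deviates from the quoted recommendations. The script below is an added example, not code from the thread or from Netgate: it reads FreeBSD-style `sysctl` output ("name: value" lines) on stdin and reports every tunable from the list above whose current value differs from the suggested one. The `SAMPLE_SYSCTL` text is a constructed sample of what `sysctl` prints on an unhardened default install; on a real pfSense/FreeBSD system you would pipe in the output of `sysctl net.inet.icmp.icmplim net.inet.ip.redirect net.inet6.ip6.redirect net.inet.tcp.delayed_ack` instead.

```shell
#!/bin/sh
# Added example: audit FreeBSD/pfSense sysctl output against the values
# recommended in the post. Not part of the original thread.

# Recommended values, one "name=value" per line (taken from the post).
RECOMMENDED='net.inet.icmp.icmplim=100
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
net.inet.tcp.delayed_ack=1'

# Constructed sample of `sysctl` output ("name: value") for a default,
# unhardened install. Replace with real output when running on a box.
SAMPLE_SYSCTL='net.inet.icmp.icmplim: 200
net.inet.ip.redirect: 1
net.inet6.ip6.redirect: 1
net.inet.tcp.delayed_ack: 1'

# audit_sysctl: read "name: value" lines on stdin and print one line per
# tunable that is missing or differs from RECOMMENDED, in the form
#   name current -> recommended
# Returns 0 when every tunable matches, 1 otherwise.
audit_sysctl() {
  _input=$(cat)
  _rc=0
  for _rec in $RECOMMENDED; do
    _name=${_rec%%=*}
    _want=${_rec#*=}
    # sysctl prints "name: value"; match the name with its trailing colon.
    _cur=$(printf '%s\n' "$_input" | awk -v n="$_name" '$1 == n":" {print $2}')
    if [ -z "$_cur" ]; then
      printf '%s missing -> %s\n' "$_name" "$_want"
      _rc=1
    elif [ "$_cur" != "$_want" ]; then
      printf '%s %s -> %s\n' "$_name" "$_cur" "$_want"
      _rc=1
    fi
  done
  return $_rc
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl || echo "tunables deviate from the recommendations"
```

A deviation printed as `net.inet.ip.redirect 1 -> 0` means the system is still sending IPv4 redirects. On pfSense, persistent changes belong in System > Advanced > System Tunables rather than a hand-edited sysctl.conf, so the setting survives config regeneration; `sysctl name=value` on the shell only applies until reboot.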
-
Unlikely to hurt in most setups. 100 pings a second is more than most pfSense installs should ever see.
Disabling redirects shouldn't cause a problem if your network is configured correctly. In reality you would probably see stuff stop working in a lot of networks that were being redirected. It will allow you to find those misconfigured devices though.