VultureProject · ELDiablO59152 · Oct 28, 2025 · Oct 30, 2025 · Nov 3, 2025 · Nov 6, 2025
diff --git a/CHANGELOG b/CHANGELOG
@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 
 ## [Unreleased]
+### Changed
+- [SYSCTL] Comment each setting and improve compatibility with hbsd14
+### Fixed
+- [RESOLV] Nameserver in jails
 
 
 ## [2.1.18] - 2025-10-24

diff --git a/etc/sysctl.conf b/etc/sysctl.conf
@@ -1,90 +1,92 @@
-kern.coredump=0
-kern.ipc.maxsockbuf=67108864
-kern.ipc.soacceptqueue=4096
+# http://netlab.dhis.org/download/software/os_cfg/FBSD/13/base/etc/sysctl.conf
+# http://netlab.dhis.org/download/software/os_cfg/FBSD/14/base/etc/sysctl.conf
 
-#Wires all shared pages, making them unswappable
-kern.ipc.shm_use_phys=1
-kern.maxfiles=204800
-kern.maxfilesperproc=128000
-kern.maxprocperuid=64000
-kern.maxvnodes=250000
-kern.sched.interact=5
-kern.sched.slice=1
-kern.sugid_coredump=0
-kern.threads.max_threads_per_proc=4096
-kern.msgbuf_show_timestamp=1
+kern.coredump=0                          # Disable core dumps (prevents leaking sensitive memory data)
+kern.ipc.maxsockbuf=67108864             # Maximum socket buffer size (64 MB)
+kern.ipc.soacceptqueue=4096              # Max listen queue depth for TCP connections
 
-net.inet.carp.log=1
-net.inet.carp.preempt=1
+kern.ipc.shm_use_phys=1                  # Lock shared memory segments in RAM (avoid swapping, improve IPC perf)
+kern.maxfiles=204800                     # System-wide open file descriptor limit
+kern.maxfilesperproc=128000              # Per-process open file descriptor limit
+kern.maxprocperuid=64000                 # Maximum number of processes per user ID
+kern.maxvnodes=250000                    # Maximum number of vnodes (filesystem inode cache)
+kern.sched.interact=5                    # Scheduler interactivity bias (lower = less interactive favoring)
+kern.sched.slice=1                       # Scheduler time slice (ms)
+kern.sugid_coredump=0                    # Disable core dumps for setuid/setgid binaries
+kern.threads.max_threads_per_proc=4096   # Max threads per process
+kern.msgbuf_show_timestamp=1             # Include timestamps in kernel message buffer (dmesg)
 
-net.inet.ip.intr_queue_maxlen=4096
-net.inet.ip.maxfragpackets=0
-net.inet.ip.maxfragsperpacket=0
-net.inet.ip.process_options=0
-net.inet.ip.random_id=1
-net.inet.ip.redirect=0
-net.inet.ip.sourceroute=0
-net.inet.ip.accept_sourceroute=0
-net.inet.ip.ttl=128
+net.inet.carp.log=1                      # Enable CARP (failover) logging
+net.inet.carp.preempt=1                  # Allow CARP preemption for faster master failover
 
-net.inet.icmp.maskrepl=0
-net.inet.icmp.log_redirect=0
-net.inet.icmp.drop_redirect=1
+net.inet.ip.intr_queue_maxlen=4096       # Max length of IP input queue
+net.inet.ip.maxfragpackets=0             # Disable fragmented packet reassembly (DoS protection)
+net.inet.ip.maxfragsperpacket=0          # Limit per-packet fragmentation
+net.inet.ip.process_options=0            # Ignore IP options (security hardening)
+net.inet.ip.random_id=1                  # Randomize IP ID field (prevent fingerprinting)
+net.inet.ip.redirect=0                   # Ignore ICMP redirects (anti-MITM)
+net.inet.ip.sourceroute=0                # Disable source routing
+net.inet.ip.accept_sourceroute=0         # Refuse source-routed packets
+net.inet.ip.ttl=128                      # Default IP Time-To-Live value
 
-net.inet.tcp.abc_l_var=44
+net.inet.icmp.maskrepl=0                 # Do not reply to ICMP address mask requests
+net.inet.icmp.log_redirect=0             # Do not log ICMP redirects
+net.inet.icmp.drop_redirect=1            # Drop ICMP redirects entirely
 
-#Let applications manage Keepalive
-net.inet.tcp.always_keepalive=0
+net.inet.tcp.abc_l_var=44                # Adjust congestion control ABC variable (RFC 3465)
 
-#Stops creating any state (nor socket neither compressed tcpw) for the TCP connection where both endpoints were local.
-net.inet.tcp.nolocaltimewait=1
+net.inet.tcp.always_keepalive=0          # Disable global TCP keepalive, let apps decide
 
-net.inet.tcp.delayed_ack=1
-net.inet.tcp.blackhole=2
-net.inet.tcp.drop_synfin=1
-net.inet.tcp.ecn.enable=1
-net.inet.tcp.fast_finwait2_recycle=1
-net.inet.tcp.icmp_may_rst=0
-net.inet.tcp.initcwnd_segments=44
-net.inet.tcp.isn_reseed_interval=4500
-net.inet.tcp.keepcnt=3
-net.inet.tcp.keepidle=10000
-net.inet.tcp.keepintvl=5000
-net.inet.tcp.minmss=536
-net.inet.tcp.maxtcptw=200000
-net.inet.tcp.msl=5000
-net.inet.tcp.recvbuf_auto=1
-net.inet.tcp.recvbuf_max=16777216
-net.inet.tcp.sendbuf_auto=1
-net.inet.tcp.sendbuf_inc=131072
-net.inet.tcp.sendbuf_max=16777216
-net.inet.tcp.syncache.rexmtlimit=0
-net.inet.tcp.syncookies=0
-net.inet.tcp.tso=0
+net.inet.tcp.nolocaltimewait=1           # Skip TIME_WAIT for loopback connections
 
-net.inet.udp.blackhole=1
+net.inet.tcp.delayed_ack=1               # Delay ACKs to piggyback with outgoing data
+net.inet.tcp.blackhole=2                 # Drop TCP packets to closed ports (no RST)
+net.inet.tcp.drop_synfin=1               # Drop packets with SYN+FIN flags (scans/attacks)
+net.inet.tcp.ecn.enable=1                # Enable Explicit Congestion Notification (RFC 3168)
+# deprecated in 14.x ->
+net.inet.tcp.fast_finwait2_recycle=1     # Recycle FIN_WAIT_2 sockets faster
+net.inet.tcp.icmp_may_rst=0              # Do not reset TCP on ICMP errors
+net.inet.tcp.initcwnd_segments=44        # Initial congestion window size (segments)
+net.inet.tcp.isn_reseed_interval=4500    # ISN generator reseed interval (sec)
+net.inet.tcp.keepcnt=3                   # Number of keepalive probes before closing
+net.inet.tcp.keepidle=10000              # Idle time before first keepalive (ms)
+net.inet.tcp.keepintvl=5000              # Interval between keepalive probes (ms)
+net.inet.tcp.minmss=536                  # Minimum TCP MSS
+net.inet.tcp.msl=5000                    # Maximum Segment Lifetime (ms)
+net.inet.tcp.recvbuf_auto=1              # Enable automatic receive buffer tuning
+net.inet.tcp.recvbuf_max=16777216        # Max receive buffer size (16 MB)
+net.inet.tcp.sendbuf_auto=1              # Enable automatic send buffer tuning
+net.inet.tcp.sendbuf_inc=131072          # Incremental send buffer growth step (128 KB)
+net.inet.tcp.sendbuf_max=16777216        # Max send buffer size (16 MB)
+net.inet.tcp.syncache.rexmtlimit=0       # Disable SYN cache retransmit limit
+net.inet.tcp.syncookies=0                # Disable SYN cookies (only needed during SYN flood)
+net.inet.tcp.tso=0                       # Disable TCP Segmentation Offload (can cause driver issues)
 
-net.inet6.icmp6.nodeinfo=0
-net.inet6.icmp6.rediraccept=0
-net.inet6.ip6.accept_rtadv=0
-net.inet6.ip6.auto_linklocal=0
-net.inet6.ip6.maxfragpackets=0
-net.inet6.ip6.maxfrags=0
-net.inet6.ip6.prefer_tempaddr=1
-net.inet6.ip6.use_tempaddr=1
-net.inet6.ip6.use_deprecated=0
+net.inet.udp.blackhole=1                 # Drop UDP packets to closed ports (no ICMP unreachable)
 
-net.local.dgram.maxdgram=65535
-net.local.dgram.recvspace=65535
+net.inet6.icmp6.nodeinfo=0               # Disable ICMPv6 Node Information responses
+net.inet6.icmp6.rediraccept=0            # Reject ICMPv6 redirects
+net.inet6.ip6.accept_rtadv=0             # Disable IPv6 Router Advertisements (no autoconf)
+# read-only now, use ifconfig instead ->
+net.inet6.ip6.auto_linklocal=0           # Do not auto-generate link-local addresses
+net.inet6.ip6.maxfragpackets=0           # Disable IPv6 fragment reassembly
+net.inet6.ip6.maxfrags=0                 # Limit fragment buffer usage
+net.inet6.ip6.prefer_tempaddr=1          # Prefer temporary (privacy) addresses
+net.inet6.ip6.use_tempaddr=1             # Enable IPv6 temporary address generation
+net.inet6.ip6.use_deprecated=0           # Do not use deprecated IPv6 addresses
 
-security.bsd.hardlink_check_gid=1
-security.bsd.hardlink_check_uid=1
-security.bsd.see_other_gids=0
-security.bsd.see_other_uids=0
-security.bsd.stack_guard_page=1
-security.bsd.unprivileged_proc_debug=0
-security.bsd.unprivileged_read_msgbuf=0
+net.local.dgram.maxdgram=65535           # Max datagram size for UNIX domain sockets
+net.local.dgram.recvspace=65535          # Receive buffer size for UNIX domain sockets
 
-vfs.zfs.vdev.async_read_max_active=6
-vfs.zfs.vdev.sync_read_max_active=20
-vfs.read_max=128
+security.bsd.hardlink_check_gid=1        # Prevent hardlinking across GIDs (privilege restriction)
+security.bsd.hardlink_check_uid=1        # Prevent hardlinking across UIDs (mitigate privilege escalation)
+security.bsd.see_other_gids=0            # Hide processes of other GIDs (isolation)
+security.bsd.see_other_uids=0            # Hide processes of other UIDs (privacy)
+security.bsd.stack_guard_page=1          # Enable stack guard page (stack overflow protection)
+security.bsd.unprivileged_proc_debug=0   # Disallow ptrace/debug on other users’ processes
+security.bsd.unprivileged_read_msgbuf=0  # Prevent non-root users from reading kernel message buffer
+
+vfs.zfs.bclone_enabled=1                 # Allows shallow copies of data blocks (introduced in OpenZFS 2.2). 
-vfs.zfs.bclone_enabled=1                 # Allows shallow copies of data blocks (introduced in OpenZFS 2.2). 
+vfs.zfs.bclone_enabled=0                 # Allows shallow copies of data blocks (introduced in OpenZFS 2.2). 
-vfs.zfs.bclone_enabled=1                 # Allows shallow copies of data blocks (introduced in OpenZFS 2.2). 
+vfs.zfs.bclone_enabled=0                 # Allows shallow copies of data blocks (introduced in OpenZFS 2.2). 
+vfs.zfs.vdev.async_read_max_active=6     # Max active async ZFS reads per vdev
+vfs.zfs.vdev.sync_read_max_active=20     # Max active sync ZFS reads per vdev
+vfs.read_max=128                         # Max number of blocks per read-ahead operation
diff --git a/home/vlt-adm/system/configure_jail_hosts.sh b/home/vlt-adm/system/configure_jail_hosts.sh
@@ -15,20 +15,43 @@ JAIL_NAME="$1"
 TARGET="/zroot/${JAIL_NAME}"
 
 # Configure /etc/hosts of jail
-/bin/echo "::1 localhost" > ${TARGET}/etc/hosts
-/bin/echo "127.0.0.1 localhost" >> ${TARGET}/etc/hosts
-/bin/echo "fd00::202 mongodb" >> ${TARGET}/etc/hosts
-/bin/echo "127.0.0.2 mongodb" >> ${TARGET}/etc/hosts
-/bin/echo "fd00::203 redis" >> ${TARGET}/etc/hosts
-/bin/echo "127.0.0.3 redis" >> ${TARGET}/etc/hosts
-/bin/echo "fd00::204 rsyslog" >> ${TARGET}/etc/hosts
-/bin/echo "127.0.0.4 rsyslog" >> ${TARGET}/etc/hosts
-/bin/echo "fd00::205 haproxy" >> ${TARGET}/etc/hosts
-/bin/echo "127.0.0.5 haproxy" >> ${TARGET}/etc/hosts
-/bin/echo "127.0.0.6 apache" >> ${TARGET}/etc/hosts
-/bin/echo "fd00::206 apache" >> ${TARGET}/etc/hosts
-/bin/echo "127.0.0.7 portal" >> ${TARGET}/etc/hosts
-/bin/echo "fd00::207 portal" >> ${TARGET}/etc/hosts
+cat << EOF > ${TARGET}/etc/hosts
+127.0.0.1 localhost
+::1 localhost
+127.0.0.2 mongodb
+fd00::202 mongodb
+127.0.0.3 redis
+fd00::203 redis
+127.0.0.4 rsyslog
+fd00::204 rsyslog
+127.0.0.5 haproxy
+fd00::205 haproxy
+127.0.0.6 apache
+fd00::206 apache
+127.0.0.7 portal
+fd00::207 portal
+EOF
 
 # Host's dnsmasq resolver is used by jails -> local loopback of the jail
-echo "nameserver ${JAIL_NAME}" > ${TARGET}/etc/resolv.conf
+case "$JAIL_NAME" in
+    mongodb)
+        /bin/echo "nameserver 127.0.0.2" > ${TARGET}/etc/resolv.conf
+        ;;
+    redis)
+        /bin/echo "nameserver 127.0.0.3" > ${TARGET}/etc/resolv.conf
+        ;;
+    rsyslog)
+        /bin/echo "nameserver 127.0.0.4" > ${TARGET}/etc/resolv.conf
+        ;;
+    haproxy)
+        /bin/echo "nameserver 127.0.0.5" > ${TARGET}/etc/resolv.conf
+        ;;
+    apache)
+        /bin/echo "nameserver 127.0.0.6" > ${TARGET}/etc/resolv.conf
+        ;;
+    portal)
+        /bin/echo "nameserver 127.0.0.7" > ${TARGET}/etc/resolv.conf
+        ;;
+    *)
+        ;;
+esac
diff --git a/home/vlt-adm/system/network-ips.sh b/home/vlt-adm/system/network-ips.sh
@@ -34,7 +34,7 @@ if /sbin/ifconfig | grep -q "$management_ip"; then
     # The Node has been removed of the replicaset, restart mongodb to re-initiate
     /usr/sbin/jexec mongodb service mongod restart
 
-    # If boostrap has already be done,
+    # If bootstrap has already be done,
     if /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py is_node_bootstrapped >/dev/null 2>&1 ; then
         # Update node network ips in Mongo
         /usr/local/bin/sudo -u vlt-os /home/vlt-os/env/bin/python /home/vlt-os/vulture_os/manage.py shell -c "from system.cluster.models import Node ; n = Node.objects.get(name=\"`hostname`\") ; n.management_ip = \"$management_ip\" ; n.internet_ip = \"$internet_ip\" ; n.backends_outgoing_ip = \"$backends_outgoing_ip\" ; n.logom_outgoing_ip = \"$logom_outgoing_ip\" ; n.save()"

diff --git a/home/vlt-adm/system/register_vulture_repos.sh b/home/vlt-adm/system/register_vulture_repos.sh
@@ -1,11 +1,13 @@
 #!/usr/bin/env sh
 # Usage update_repositories [prefix_dir]
 
+OS_RELEASE=`/usr/bin/grep 'branch="' $1/etc/hbsd-update.conf | /usr/bin/sed 's/branch="\(.*\)"/\1/'`
+OS_BRANCH_VERSION=`/usr/bin/grep 'os_version="' $1/etc/hbsd-update.conf | /usr/bin/sed 's/os_version="\(.*\)"/\1/'`
 pkg_url="http://pkg.vultureproject.org/"
 vulture_conf="Vulture.conf"
 pkg_ca="pkg.vultureproject.org"
-update_url="http://updates.vultureproject.org/"
-vulture_update_conf="hbsd-update.conf"
+update_url="http://hbsd.vultureproject.org/"
+vulture_update_conf="hbsd-update-${OS_RELEASE}-${OS_BRANCH_VERSION}.conf"
 vulture_update_ca="ca.vultureproject.org"
 temp_dir=$(mktemp -d)
 
@@ -45,8 +47,8 @@ update_repositories() {
         /bin/echo "[-]${_log_header} Done"
     fi
 
-    /bin/mkdir -p "${prefix_dir}/usr/local/etc/pkg/repos"
-    /usr/bin/printf "# HardenedBSD are now disabled by default on Vulture\n# Vulture repositories should be enough to go by, but you can delete this file if you want to enable default HBSD repos again\nHardenedBSD: { enabled: no }\n" > ${prefix_dir}/usr/local/etc/pkg/repos/HardenedBSD.disabled.conf
+    # /bin/mkdir -p "${prefix_dir}/usr/local/etc/pkg/repos"
+    # /usr/bin/printf "# HardenedBSD are now disabled by default on Vulture\n# Vulture repositories should be enough to go by, but you can delete this file if you want to enable default HBSD repos again\nHardenedBSD: { enabled: no }\n" > ${prefix_dir}/usr/local/etc/pkg/repos/HardenedBSD.disabled.conf
 
     /bin/echo -n "[*]${_log_header} Backing up default configurations:"
     for conf in ${prefix_dir}/etc/hbsd-update*.conf ; do
@@ -68,31 +70,31 @@ update_repositories() {
     fi
 
     if [ ! -f ${temp_dir}/${vulture_conf} ]; then
-        /usr/local/bin/wget -q ${pkg_url}${vulture_conf} --directory-prefix="${temp_dir}" || finalize 1 "[/] Failed to download ${vulture_conf}"
+        /usr/bin/fetch -q -o "${temp_dir}" ${pkg_url}${vulture_conf} || finalize 1 "[/] Failed to download $vulture_conf"
         /bin/echo -n "."
     fi
 
-    /bin/cp -f "${temp_dir}/${vulture_conf}" "${prefix_dir}/etc/pkg/${vulture_conf}"
+    /usr/bin/sed "s/current/${OS_RELEASE}/" "${temp_dir}/${vulture_conf}" > "${prefix_dir}/etc/pkg/${vulture_conf}"
     /bin/echo -n "."
 
     if [ ! -f ${temp_dir}/${pkg_ca} ]; then
-        /usr/local/bin/wget -q ${pkg_url}${pkg_ca} --directory-prefix="${temp_dir}" || finalize 1 "[/] Failed to download $pkg_ca"
+        /usr/bin/fetch -q -o "${temp_dir}" ${pkg_url}${pkg_ca} || finalize 1 "[/] Failed to download $pkg_ca"
         /bin/echo -n "."
     fi
 
     /bin/mkdir -p "${prefix_dir}/usr/share/keys/pkg/trusted" && /bin/cp -f "${temp_dir}/${pkg_ca}" "${prefix_dir}/usr/share/keys/pkg/trusted/${pkg_ca}"
     /bin/echo -n "."
 
     if [ ! -f ${temp_dir}/${vulture_update_conf} ]; then
-        /usr/local/bin/wget -q ${update_url}${vulture_update_conf} --directory-prefix="${temp_dir}" || finalize 1  "[/] Failed to download $vulture_update_conf"
+        /usr/bin/fetch -q -o "${temp_dir}" ${update_url}${vulture_update_conf} || finalize 1 "[/] Failed to download $vulture_update_conf"
         /bin/echo -n "."
     fi
 
-    /bin/mkdir -p "${prefix_dir}/etc" && /bin/cp -f "${temp_dir}/${vulture_update_conf}" "${prefix_dir}/etc/${vulture_update_conf}"
+    /bin/mkdir -p "${prefix_dir}/etc" && /bin/cp -f "${temp_dir}/${vulture_update_conf}" "${prefix_dir}/etc/hbsd-update.conf"
     /bin/echo -n "."
 
     if [ ! -f ${temp_dir}/${vulture_update_ca} ]; then
-        /usr/local/bin/wget -q ${update_url}${vulture_update_ca} --directory-prefix="${temp_dir}" || finalize 1  "[/] Failed to download $vulture_update_ca"
+        /usr/bin/fetch -q -o "${temp_dir}" ${update_url}${vulture_update_ca} || finalize 1 "[/] Failed to download $vulture_update_ca"
         /bin/echo -n "."
     fi
 

diff --git a/home/vlt-adm/system/write_hostname.sh b/home/vlt-adm/system/write_hostname.sh
@@ -70,11 +70,32 @@ fi
 /bin/cp /etc/hosts /zroot/mongodb/etc/hosts
 /usr/bin/sed -i '' "s/$ip/127.0.0.2/" /zroot/mongodb/etc/hosts
 
-#Copy hosts file to jails
-for jail in apache mongodb redis rsyslog haproxy portal; do
+# Copy hosts file to jails
+for jail in mongodb redis rsyslog haproxy apache portal; do
     #TODO deprecate file
     /bin/echo "${hostname}" > /zroot/${jail}/etc/host-hostname
-    /bin/echo "nameserver ${jail}" > /zroot/${jail}/etc/resolv.conf
+    case "$jail" in
+        mongodb)
+            /bin/echo "nameserver 127.0.0.2" > /zroot/${jail}/etc/resolv.conf
+            ;;
+        redis)
+            /bin/echo "nameserver 127.0.0.3" > /zroot/${jail}/etc/resolv.conf
+            ;;
+        rsyslog)
+            /bin/echo "nameserver 127.0.0.4" > /zroot/${jail}/etc/resolv.conf
+            ;;
+        haproxy)
+            /bin/echo "nameserver 127.0.0.5" > /zroot/${jail}/etc/resolv.conf
+            ;;
+        apache)
+            /bin/echo "nameserver 127.0.0.6" > /zroot/${jail}/etc/resolv.conf
+            ;;
+        portal)
+            /bin/echo "nameserver 127.0.0.7" > /zroot/${jail}/etc/resolv.conf
+            ;;
+        *)
+            ;;
+    esac
 done
 
 # Reload dnsmasq service to account for potential changes in /etc/hosts