Secure Kernel Source
The following are changes you can make to the kernel configuration file to tighten up security. Prefix a statement with # to turn it into a comment, which disables it, or delete the statement altogether.
At the top of the file is the following statement.
options INET6
IPv6 is a developmental protocol; if you are not deliberately testing this protocol, it should be disabled.
This is followed by the memory-disk root option, which allows an operating system image to be placed into memory and run from there. (The configuration keyword is "options" and option names are case-sensitive, so the line reads as follows.)
options MD_ROOT
A few lines down are the network filesystem options. Comment these out to disable them.
options NFSCLIENT
options NFSSERVER
options NFSLOCKD
options NFS_ROOT
Comment out the following device because you disabled IPv6 earlier (faith is the IPv6-to-IPv4 TCP relay interface).
device faith
The binary-compatibility options for older FreeBSD releases can be commented out as well if you run no binaries built on those releases.
options COMPAT_FREEBSD4
options COMPAT_FREEBSD5
options COMPAT_FREEBSD6
options COMPAT_FREEBSD7
 
Add the following statements.
options TCP_DROP_SYNFIN
Adds support for ignoring TCP packets that have both SYN and FIN set. This prevents nmap from fingerprinting the TCP/IP stack. The option only builds in the knob; the sysctl net.inet.tcp.drop_synfin must also be set to 1 (tcp_drop_synfin="YES" in /etc/rc.conf) for the packets to actually be dropped.
options ICMP_BANDLIM
Enables ICMP error-response bandwidth limiting. This helps protect against packet-flood DoS attacks.
options RANDOM_IP_ID
Causes the ID field in IP packets to be randomized instead of incremented by 1 with each packet generated. This closes a minor information leak which allows remote observers to determine the rate of packet generation on the machine by watching the counter.
options NO_LKM
Disables FreeBSD's ability to dynamically load kernel modules.
If you do not have a printer cabled to the parallel port of this PC, then disable these options.
device ppc
device ppbus
device lpt
device plip
device ppi
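The edits described so far are mechanical, so here is an added example (not from the original page) of a small sh/awk filter that applies them to a kernel configuration read on standard input: it comments out the options and devices listed above, and appends the four hardening options unless an active copy is already present. The function names and the sample configuration are my own constructions for the demonstration; the option and device names are the ones listed above.

```shell
#!/bin/sh
# Added example: apply the hardening steps above to a FreeBSD kernel config.
# Reads the config on stdin, writes the hardened config on stdout.

# Options and devices to comment out (ERE alternations, matched exactly).
DISABLE_OPTIONS='INET6|MD_ROOT|NFSCLIENT|NFSSERVER|NFSLOCKD|NFS_ROOT|COMPAT_FREEBSD[4-7]'
DISABLE_DEVICES='faith|ppc|ppbus|lpt|plip|ppi'

# Options to add, each appended once unless already present and active.
ADD_OPTIONS='TCP_DROP_SYNFIN ICMP_BANDLIM RANDOM_IP_ID NO_LKM'

harden_kernconf() {
    awk -v dis_opts="$DISABLE_OPTIONS" -v dis_devs="$DISABLE_DEVICES" \
        -v add_opts="$ADD_OPTIONS" '
    BEGIN { n = split(add_opts, want, " ") }
    # "options NAME" or "options NAME=value": strip any =value before matching.
    $1 == "options" {
        name = $2; sub(/=.*/, "", name)
        if (name ~ ("^(" dis_opts ")$")) { print "#" $0; next }
        for (i = 1; i <= n; i++) if (want[i] == name) have[name] = 1
    }
    # "device NAME" lines for the drivers to disable.
    $1 == "device" && $2 ~ ("^(" dis_devs ")$") { print "#" $0; next }
    { print }
    END {
        # Append whatever hardening option was not already active.
        for (i = 1; i <= n; i++)
            if (!(want[i] in have)) print "options\t" want[i]
    }'
}

# Constructed sample config (a trimmed GENERIC-style file), not a real one.
SAMPLE_CONFIG='cpu          HAMMER
ident        GENERIC
options      INET
options      INET6
options      MD_ROOT
options      NFSCLIENT
options      COMPAT_FREEBSD6
options      ICMP_BANDLIM
device       faith
device       lpt
device       miibus
device       em'

hardened_config() {
    printf '%s\n' "$SAMPLE_CONFIG" | harden_kernconf
}

# Number of lines in the hardened sample whose first two fields are $1 and $2,
# e.g. count_lines '#options' INET6. Used to check the result.
count_lines() {
    hardened_config | awk -v a="$1" -v b="$2" '$1 == a && $2 == b { c++ } END { print c + 0 }'
}

total_lines() {
    hardened_config | awk 'END { print NR }'
}

# Usage on a real file: harden_kernconf < /usr/src/sys/amd64/conf/GENERIC > MYKERNEL
hardened_config
```

Run the filter against a copy of the configuration rather than in place, then diff the two files before building: every line it touches should be one you intended to change, and anything already commented out is left alone.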
 
If you are not copying this system to other PCs with different hardware, then besides the security benefit you can also reduce the time it takes to compile the kernel by removing all unused device drivers. Review your /var/run/dmesg.boot log messages to see which devices you are really using, keep only those, and comment out all the others. Do not delete the following device; most NICs use it, but it does not show up in dmesg as in use.
device miibus
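To make the dmesg review above less error-prone, here is an added example (not from the original page) of a sh/awk check that lists every "device" line in a kernel config whose driver never attached according to dmesg.boot. A driver that attached appears in dmesg as "<name><unit>:" (em0:, ata0:), so the script strips the unit number and compares; miibus is kept regardless, for the reason given above. The function names, the sample config and the sample dmesg lines are my own constructions.

```shell
#!/bin/sh
# Added example: report config "device" entries that never attached per dmesg.boot.

KEEP_ALWAYS='miibus'   # drivers that do not appear in dmesg but must stay

unused_devices() {
    # $1 = kernel config file, $2 = dmesg.boot file. Prints one driver per line.
    awk -v keep="$KEEP_ALWAYS" '
    BEGIN { split(keep, k, " "); for (i in k) always[k[i]] = 1 }
    # First file (the config): record every active device line.
    FNR == NR { if ($1 == "device") cfg[$2] = 1; next }
    # Second file (dmesg.boot): any "name0:" token means driver "name" attached.
    {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[a-z][a-z_]*[0-9]+:$/) {
                drv = $i; sub(/[0-9]+:$/, "", drv); seen[drv] = 1
            }
    }
    END {
        for (d in cfg) if (!(d in seen) && !(d in always)) print d
    }' "$1" "$2" | sort
}

# Constructed sample inputs, not taken from a real machine.
SAMPLE_CONFIG='device          em
device          miibus
device          lpt
device          bge
device          ata
device          ppc'

SAMPLE_DMESG='Copyright (c) 1992-2008 The FreeBSD Project.
em0: <Intel(R) PRO/1000 Network Connection> port 0xd000-0xd01f irq 16 at device 0.0 on pci2
ata0: <ATA channel 0> on atapci0
ad0: 76319MB <WDC WD800JD> at ata0-master UDMA100'

# Runs the check on the samples and returns the unused drivers space-separated.
demo_unused() {
    cfg=$(mktemp) && dm=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$cfg"
    printf '%s\n' "$SAMPLE_DMESG" > "$dm"
    unused_devices "$cfg" "$dm" | tr '\n' ' ' | sed 's/ $//'
    rm -f "$cfg" "$dm"
}

# Real usage: unused_devices /usr/src/sys/amd64/conf/MYKERNEL /var/run/dmesg.boot
demo_unused
```

Treat the output as a candidate list, not an order: a driver missing from one boot's dmesg may still be needed for hardware that was unplugged at the time, and some drivers (miibus is the page's example) attach without announcing themselves. Review each name before commenting it out.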
