From 52aa7c2b066d55912ad140ba4ec30cb87ff5a77c Mon Sep 17 00:00:00 2001 
From: Ad Schellevis Date: Tue, 31 Jul 2018 16:51:11 +0200 Subject: [PATCH] scale vs width for images... --- source/manual/aliases.rst | 12 +++--- source/manual/antivirus.rst | 2 +- source/manual/captiveportal.rst | 4 +- source/manual/gui.rst | 2 +- source/manual/hacarp.rst | 2 +- source/manual/how-tos/IPv6_ZenUK.rst | 26 ++++++------ source/manual/how-tos/SkyUK.rst | 27 ++++++------- source/manual/how-tos/cachingproxy.rst | 10 ++--- source/manual/how-tos/carp.rst | 2 +- source/manual/how-tos/cellular.rst | 6 +-- source/manual/how-tos/cloud_backup.rst | 2 +- source/manual/how-tos/edrop.rst | 8 ++-- source/manual/how-tos/fwcategory.rst | 10 ++--- source/manual/how-tos/guestnet.rst | 30 +++++++------- source/manual/how-tos/insight.rst | 20 +++++----- source/manual/how-tos/installaws.rst | 20 +++++----- source/manual/how-tos/ips-feodo.rst | 22 +++++----- source/manual/how-tos/ips-geoip.rst | 18 ++++----- source/manual/how-tos/ips-sslfingerprint.rst | 20 +++++----- source/manual/how-tos/ipsec-road.rst | 30 +++++++------- source/manual/how-tos/ipsec-s2s.rst | 42 ++++++++++---------- source/manual/how-tos/ipv6_tunnelbroker.rst | 10 ++--- source/manual/how-tos/orange_fr_fttp.rst | 42 +++++++++----------- source/manual/how-tos/proxyicapantivirus.rst | 4 +- source/manual/how-tos/proxytransparent.rst | 12 +++--- source/manual/how-tos/proxywebfilter.rst | 8 ++-- source/manual/how-tos/self-signed-chain.rst | 28 ++++++------- source/manual/how-tos/shaper.rst | 8 ++-- source/manual/how-tos/sslvpn_client.rst | 22 +++++----- source/manual/how-tos/sslvpn_s2s.rst | 10 ++--- source/manual/how-tos/two_factor.rst | 20 +++++----- source/manual/how-tos/user-ldap.rst | 14 +++---- source/manual/how-tos/user-local.rst | 4 +- source/manual/install.rst | 4 +- source/manual/ipv6.rst | 2 +- source/manual/mobile_wan.rst | 2 +- source/manual/netflow.rst | 4 +- source/manual/systemhealth.rst | 18 ++++----- source/manual/two_factor.rst | 4 +- source/manual/users.rst | 2 +- source/manual/virtuals.rst 
| 2 +- source/manual/vpnet.rst | 4 +- source/relations/osi.rst | 2 +- 43 files changed, 268 insertions(+), 273 deletions(-) diff --git a/source/manual/aliases.rst b/source/manual/aliases.rst index cdf1b554..d6d8ab15 100644 --- a/source/manual/aliases.rst +++ b/source/manual/aliases.rst @@ -36,13 +36,13 @@ Sample Lets say we want to create an alias table for **www.youtube.com** .. image:: images/aliases_host.png - :scale: 100% + :width: 100% **Apply changes** and look at the content of our newly created pf table. Go to **Firewall->Diagnostics->pfTables** and select our newly created youtube table. .. image:: images/pftable_youtube.png - :scale: 100% + :width: 100% As you can see there are multiple ip addresses for this domain. @@ -73,12 +73,12 @@ GeoIP ----- With GeoIP alias you can select one or more countries or whole continents to block or allow. Use the *toggle all* checkbox to select all countries within the given -region. +region. This feature was reworked with 17.7.7 and supersedes the GeoIP blocking via IPS. .. image:: images/firewall_geoip_alias.png - :scale: 100% + :width: 100% -------------- Import Feature @@ -131,12 +131,12 @@ the ipsec server for a site to site tunnel connection: * 192.168.300.3 .. image:: images/alias_remote_ipsec.png - :scale: 100% + :width: 100% We call our list remote_ipsec and update our firewall rules accordingly. .. image:: images/alias_firewall_rules.png - :scale: 100% + :width: 100% Notice the list icon to identify a rule with an alias (list). diff --git a/source/manual/antivirus.rst b/source/manual/antivirus.rst index f05d132e..179c3292 100644 --- a/source/manual/antivirus.rst +++ b/source/manual/antivirus.rst @@ -3,7 +3,7 @@ =================== .. image:: images/eye_on_virus_new.jpg - :scale: 100% + :width: 100% **OPNsense** offers the industry standard ICAP to protect http and https connections against ransomware, trojans, viruses and other malware . 
diff --git a/source/manual/captiveportal.rst b/source/manual/captiveportal.rst index 1f122b17..eebe92a7 100644 --- a/source/manual/captiveportal.rst +++ b/source/manual/captiveportal.rst @@ -7,7 +7,7 @@ but is also widely used in corporate networks for an additional layer of securit on wireless or Internet access. .. image:: images/hotspot_login.png - :scale: 100% + :width: 100% -------------------- Typical Applications @@ -27,7 +27,7 @@ task. At the same time it offers additional functionalities, such as: * Custom Splash page .. image:: images/captiveportal_template_folder.png - :scale: 100% + :width: 100% --------------- Zone Management diff --git a/source/manual/gui.rst b/source/manual/gui.rst index de7c4a83..e2fe3d42 100644 --- a/source/manual/gui.rst +++ b/source/manual/gui.rst @@ -21,7 +21,7 @@ GUI Layout & Main Components The GUI consists out of the following main components: .. image:: images/gui_layout.png - :scale: 100% + :width: 100% Logo & Link to Lobby diff --git a/source/manual/hacarp.rst b/source/manual/hacarp.rst index 3d897257..12222498 100644 --- a/source/manual/hacarp.rst +++ b/source/manual/hacarp.rst @@ -11,7 +11,7 @@ with automatic and seamless fail-over. While switching to the backup network connections will stay active with minimal interruption for the users. .. image:: images/light_bulbs.png - :scale: 100% + :width: 100% ------------------ Automatic failover diff --git a/source/manual/how-tos/IPv6_ZenUK.rst b/source/manual/how-tos/IPv6_ZenUK.rst index fc4a803d..90181147 100644 --- a/source/manual/how-tos/IPv6_ZenUK.rst +++ b/source/manual/how-tos/IPv6_ZenUK.rst 
@@ -27,14 +27,14 @@ connection, for IPv6 using DHCP, select DHCPv6 in the IPv6 connection as shown below. .. image:: images/ZenUK_image1.png - :scale: 100% + :width: 100% The next step is to configure the parameters required for DHCPv6, these are located in the DHCPv6 client configuration section of the WAN interface shown below. .. image:: images/ZenUK_image2.png - :scale: 100% + :width: 100% As stated before, Zen provide a /48 prefix, so select the prefix size accordingly. We directly send the solicit as in this case we do not wish @@ -59,14 +59,14 @@ Select Interfaces->LAN and set the IPv6 Configuration Type to ‘Track Interface’ .. image:: images/ZenUK_image3.png - :scale: 100% + :width: 100% Finally, set the Track IPv6 Interface to WAN, unless there is a special requirement which this document does not cover, set the IPv6 Prefix ID to 0. .. image:: images/ZenUK_image4.png - :scale: 100% + :width: 100% Click ‘Save’ and then ‘Apply’. @@ -107,7 +107,7 @@ Set up the gateway like this: .. image:: images/ZenUK_image5.png - :scale: 100% + :width: 100% Click Save. @@ -119,7 +119,7 @@ Select Interfaces->WAN. Go to IPv6 Configuration Type and Select Static IPv6. .. image:: images/ZenUK_image6.png - :scale: 100% + :width: 100% Go to Static IPv6 Configuration and set the IPv6 Static address: @@ -127,7 +127,7 @@ Go to Static IPv6 Configuration and set the IPv6 Static address: DHCPv6.** .. image:: images/ZenUK_image7.png - :scale: 100% + :width: 100% Select Use IPv4 connectivity, all IPv6 traffic goes via the PPPoE link. @@ -135,7 +135,7 @@ Finally, select the IPv6 Upstream Gateway, this is the gateway you created earlier. .. image:: images/ZenUK_image8.png - :scale: 100% + :width: 100% Click Save and Apply. 
@@ -146,7 +146,7 @@ The LAN interface is very simple to set up, all we need to do is set the IPv6 Configuration Type to Static, and enter our static address. .. image:: images/ZenUK_image9.png - :scale: 100% + :width: 100% Zen give us a /48 prefix to use on the LAN, so pick an address from that range. For example our prefix is: @@ -158,7 +158,7 @@ So 2a02:8242:55AB:0:4:3:2:1 would suffice. .. image:: images/ZenUK_image10.png - :scale: 100% + :width: 100% We want to use a /64 prefix on this interface. @@ -177,7 +177,7 @@ Services->DHCPv6[LAN] Firstly, enable the server. .. image:: images/ZenUK_image11.png - :scale: 100% + :width: 100% You will notice that the subnet already has a range, and the subnet mask is the /64 we set on the LAN. There is also a range we must use, the @@ -192,7 +192,7 @@ Enter the upper – end range that the server will use. 2a02:8231:d256::eeee:ffff:ffff:ffff .. image:: images/ZenUK_image12.png - :scale: 100% + :width: 100% This should cover most LAN subnets, the range given here gives 281,474.976.710,655 addresses. @@ -204,7 +204,7 @@ example we will only be giving out 64 bit prefixes. We know we have been given a /48 prefix by Zen, so we enter our prefix range like this: .. image:: images/ZenUK_image13.png - :scale: 100% + :width: 100% Our prefix range is the upper 48 bits, plus some of the next 16 bits, but we must not cross into the range we have used for our LAN addresses. diff --git a/source/manual/how-tos/SkyUK.rst b/source/manual/how-tos/SkyUK.rst index ab56ffc0..d1d53f06 100644 --- a/source/manual/how-tos/SkyUK.rst +++ b/source/manual/how-tos/SkyUK.rst 
@@ -17,19 +17,19 @@ in the modem itself. Set both IPv4 and IPv6 configuration type to DHCP and DHCPv6 respectively. .. image:: images/skyuk_wan_1.png - :scale: 100% + :width: 100% **Option61 - dhcp-client-identifier** ------------------------------------- We now need to send the Sky login credentials. When using VDSL we do not need to use specific credentials, as long as they are correctly formatted -anything will do. +anything will do. Under DHCP Client Configuration select the Advanced button. .. image:: images/skyuk_lan_2.png - :scale: 100% + :width: 100% There is an entry 'Send Options', enter the UserID & Password here in the format: @@ -52,13 +52,13 @@ So the full entry for the 'Lease Requirements' Send Options would be: *dhcp-client-identifier "12345678@skydsl|12345678",dhcp-class-identifier "7.16a4N_UNI|PCBAFAST2504Nv1.0"* - + The next step is to configure the parameters required for DHCPv6, these are located in the DHCPv6 client configuration section of the WAN interface shown below. .. image:: images/skyuk_wan_2.png - :scale: 100% + :width: 100% Sky provide a /56 IPv6 delegation, they do not provide a global IPv6 address on the WAN interface, this is link local only. The setting of the option @@ -81,12 +81,12 @@ again would probably result in a new prefix being given, therefore an option to enter and store a DUID is given in the Interface:Settings menu. .. image:: images/skyuk_wan_3.png - :scale: 100% + :width: 100% The Identifier can either be entered manually or if the user clicks on the 'i' icon, the existing DUID can be automatically entered into the field by clicking -on the 'Insert the existing DUID here' legend. - +on the 'Insert the existing DUID here' legend. + Click ‘Save’. **LAN Interface** 
@@ -97,17 +97,17 @@ Interfaces:[LAN] menu. It is my recommendation not to use the private subnet range 192.168.*.0, as this range is often used by hotels and other public networks for access, this -can cause issues when using a VPN. My preferred address method is using the +can cause issues when using a VPN. My preferred address method is using the 10.*.*.0 subnet where the second and third quartet are birth dates or some other easily memorable number. i.e. 10.1.11.0 would be the first of November. This is more random and the chances of the same range on a public network is greatly reduced, however the address range is easily memorable. .. image:: images/ZenUK_image3.png - :scale: 100% - + :width: 100% + .. image:: images/skyuk_lan_1.png - :scale: 100% + :width: 100% Once the LAN IPv4 address is set then all that remains in the LAN interface is to set the interface to use the assigned IPv6 prefix. @@ -117,7 +117,7 @@ requirement which this document does not cover, set the IPv6 Prefix ID to 0. .. image:: images/ZenUK_image4.png - :scale: 100% + :width: 100% Click ‘Save’ and then ‘Apply’. @@ -125,4 +125,3 @@ Setting up the IPv4 DHCP server is not covered in this document, but is required. It is advisable at this point to reboot the system. - diff --git a/source/manual/how-tos/cachingproxy.rst b/source/manual/how-tos/cachingproxy.rst index fb5f5f75..e8e9ed56 100644 --- a/source/manual/how-tos/cachingproxy.rst +++ b/source/manual/how-tos/cachingproxy.rst @@ -3,7 +3,7 @@ Setup Caching Proxy =================== .. image:: images/proxy_basics.png - :scale: 100% + :width: 100% ---------------- Enable / Disable @@ -36,7 +36,7 @@ To enable caching click on the arrow next to the **General Proxy Settings** to see the dropdown menu and click on **Local Cache Settings**. .. image:: images/proxy_cache.png - :scale: 100% + :width: 100% Check the **Enable local cache** and click **Apply**. 
@@ -137,7 +137,7 @@ Fill in: Looks like (screenshots of version 16.1.4): .. image:: images/proxy_blacklist.png - :scale: 100% + :width: 100% **Save changes** @@ -177,7 +177,7 @@ And one more rule to block HTTPS access: **Save** & **Apply changes** .. image:: images/proxy_firewall.png - :scale: 100% + :width: 100% ------------------------- Configure Browser/Firefox @@ -186,7 +186,7 @@ To configure you browser for use with the proxy, just go to your network setting and configure a proxy like this in firefox: .. image:: images/proxy_firefox.png - :scale: 100% + :width: 100% For a set-for-step guide on full category based web filtering see :doc:`proxywebfilter`. diff --git a/source/manual/how-tos/carp.rst b/source/manual/how-tos/carp.rst index a9ab50d9..de3570a9 100644 --- a/source/manual/how-tos/carp.rst +++ b/source/manual/how-tos/carp.rst @@ -15,7 +15,7 @@ will be used for the internal network and 172.8.0.0/24 will be used to route our traffic to the internet. .. image:: ./images/900px-Carp_setup_example.png - :scale: 100% + :width: 100% When using CARP ( `FreeBSD handbook on CARP `__ ), all fail-safe interfaces should have a dedicated ip address which will be diff --git a/source/manual/how-tos/cellular.rst b/source/manual/how-tos/cellular.rst index 164d00a0..c83d4c27 100644 --- a/source/manual/how-tos/cellular.rst +++ b/source/manual/how-tos/cellular.rst @@ -40,11 +40,11 @@ If you need to enter a PIN number then click on **Advanced Options** Click **Save** to apply the settings. .. image:: images/4g_configure_ppp.png - :scale: 100% + :width: 100% .. image:: images/ppp_celular_configured.png - :scale: 100% + :width: 100% --------------------------------- Step 2 - Assign the WAN interface @@ -60,7 +60,7 @@ If everything went fine then your are all setup and the default gateway will be the one of you cellular connection. .. image:: images/Interface_assignment_4g.png - :scale: 100% + :width: 100% ------------------------- Step 3 - Trouble shooting 
diff --git a/source/manual/how-tos/cloud_backup.rst b/source/manual/how-tos/cloud_backup.rst index f7895bbf..9e68ad2d 100644 --- a/source/manual/how-tos/cloud_backup.rst +++ b/source/manual/how-tos/cloud_backup.rst @@ -101,7 +101,7 @@ Now we can put it all together, login to your OPNsense firewall and go to the backup feature (default : https://192.168.1.1/diag_backup.php ) .. image:: ./images/600px-Google_Drive_Backup_screenshot.png - :scale: 100% + :width: 100% On the bottom of the page are the options for the Google Drive backup, enable the feature and fill in the parameters. Email address is acquired diff --git a/source/manual/how-tos/edrop.rst b/source/manual/how-tos/edrop.rst index ef720c05..0e96923c 100644 --- a/source/manual/how-tos/edrop.rst +++ b/source/manual/how-tos/edrop.rst @@ -53,7 +53,7 @@ Set the update frequency to 1 for each day. Press **Save** and then **Apply changes**. .. image:: images/spamhaus_drop_edrop.png - :scale: 100% + :width: 100% --------------------------------------- Step 2 - Firewall Rules Inbound Traffic @@ -87,7 +87,7 @@ Enter the following configuration and leave all other parameters on default valu =================== =============== ============================================= .. image:: images/spamhaus_wan_rules.png - :scale: 100% + :width: 100% **Save** @@ -123,7 +123,7 @@ lower right corner. **Save** and **Apply changes** .. image:: images/spamhaus_lan.png - :scale: 100% + :width: 100% **DONE** @@ -134,4 +134,4 @@ To list the ip addresses that are currently in the DROP and EDROP lists go to **Firewall->Diagnostics->pfTables** and select the list you want to see: .. image:: images/spamhaus_pftable.png - :scale: 100% + :width: 100% diff --git a/source/manual/how-tos/fwcategory.rst b/source/manual/how-tos/fwcategory.rst index 74d003b9..a1a3442c 100644 --- a/source/manual/how-tos/fwcategory.rst +++ b/source/manual/how-tos/fwcategory.rst 
@@ -16,7 +16,7 @@ Then just add you category, if this is the first rule with a category no selecti options will be visible. .. image:: images/Rule_Category.png - :scale: 100% + :width: 100% --------------------------------- Firewall Rules Filter by category @@ -27,7 +27,7 @@ becomes visible at the bottom of the table. If you click it is will look like this: .. image:: images/Filter_by_Category.png - :scale: 100% + :width: 100% If you have a large number of categories, then just start typing and in search box to make a quick selection. @@ -38,7 +38,7 @@ Before Selection Take a look at this simple rule set before selecting our "My IP's" category. .. image:: images/Rules_Full.png - :scale: 100% + :width: 100% -------------------- And after selection @@ -46,7 +46,7 @@ Take a look at this simple rule set before selecting our "My IP's" category. Now when selecting our test category it will look like this: .. image:: images/Filter_Category_Result.png - :scale: 100% + :width: 100% That is all there is to it to organize your rules without messing anything up. @@ -59,4 +59,4 @@ This features makes it possible to select rules from more than one category. Example: .. image:: images/fw_category_multiselect.png - :scale: 100% + :width: 100% diff --git a/source/manual/how-tos/guestnet.rst b/source/manual/how-tos/guestnet.rst index 1e3b2e01..751c93bf 100644 --- a/source/manual/how-tos/guestnet.rst +++ b/source/manual/how-tos/guestnet.rst @@ -6,7 +6,7 @@ Guest Networks are widely used to allow guests controlled internet access at hotels, RV Parks or businesses. .. image:: images/opnsense_hotspot_controller.png - :scale: 100% + :width: 100% .. Note:: For the example we expect the GUESTNET interface to be connected with your @@ -190,7 +190,7 @@ Click **Save** and then **Apply changes** Your rules should look similar to the screenshot below: .. image:: images/guestnet_fwrules.png - :scale: 100% + :width: 100% ------------------------------ 
@@ -232,13 +232,13 @@ Lets create a custom landing page, to do so click on the tab **Templates** and click on the download icon in the lower right corner ( |download| ). .. image:: images/template_download.png - :scale: 100% + :width: 100% Now download the default template, we will use this to create our own. Unpack the template zip file, you should have something similar to this: .. image:: images/template_filelisting.png - :scale: 100% + :width: 100% Most files of the template can be modified, but some are default and may not be changes. Upon upload any changes to the files listed in **exclude.list** will be @@ -247,7 +247,7 @@ ignored. Currently these include the bootstrap java scripting and some fonts. With the captive portal enabled the default screen looks like: .. image:: images/default_login_no_authenticator.png - :scale: 100% + :width: 100% Lets change this default with a new logo and a welcome message, to this: @@ -305,10 +305,10 @@ Enter a **Template Name**, for this example we use **Company**. Hit Upload ( |upload| ) .. |download| image:: images/btn_download.png - :scale: 100% + :width: 100% .. |upload| image:: images/btn_upload.png - :scale: 100% + :width: 100% To enable the captive portal on the GUESTNET interface just click on **Apply**. @@ -393,7 +393,7 @@ After testing your result should be similar to this (if your internet connection has sufficient bandwidth). .. image:: images/cp-traffic-shaping.png - :scale: 100% + :width: 100% .. Note:: Keep in mind we have only one connected client in this test, so all reserved @@ -431,7 +431,7 @@ Click on **Create Vouchers** in the lower right corner of the form. Lets create 1 Day vouchers for our guests: .. image:: images/create_vouchers.png - :scale: 100% + :width: 100% Enter the Validity (1 day), the number of Vouchers and a Groupname (Wifi day pass f.i.). 
@@ -474,7 +474,7 @@ the cvs data with word, open office or any other dtp/text editor. Create something like this: .. image:: images/cp_royalhotel_voucher.png - :scale: 100% + :width: 100% You can select a database to and remove it entirely. This way you can create a voucher database for the arrival date of guest per guest group @@ -501,7 +501,7 @@ When done click **Save changes** and the **Apply** to apply the new settings. Now users will see the login form as part of your template: .. image:: images/cp_voucher_login.png - :scale: 100% + :width: 100% -------------- Check Sessions @@ -510,7 +510,7 @@ To check the active sessions go to **Services->Captive Portal->Sessions** Our current session looks like this: .. image:: images/cp_active_sessions.png - :scale: 100% + :width: 100% You can drop an active session by clicking on the trashcan. @@ -527,7 +527,7 @@ page of the captive portal (**Services->Captive Protal->Vouchers**) and select the correct database (Wifi day pass in our example). .. image:: images/cp_active_vouchers.png - :scale: 100% + :width: 100% .. Note:: The state valid means it is activated but still valid. @@ -583,7 +583,7 @@ like this (shown with a bit of context): window.open("session_popup.html","Session Status & Logout","width=400, height=400"); .. image:: images/captiveportal_popup.png - :scale: 100% + :width: 100% ----------------------------- Advanced - CLI Session Status @@ -601,4 +601,4 @@ Type the following on the cli prompt to do so (for zone id 0): The output will be something similar to this: .. image:: images/cli_list_captiveportalsessions.png - :scale: 100% + :width: 100% diff --git a/source/manual/how-tos/insight.rst b/source/manual/how-tos/insight.rst index 0384b606..1c3ddc23 100644 --- a/source/manual/how-tos/insight.rst +++ b/source/manual/how-tos/insight.rst 
@@ -12,7 +12,7 @@ Insight is a fully integrated part of OPNsense. Its User Interface is simple yet powerful. .. image:: images/insight_gui.png - :scale: 100% + :width: 100% Insight offers a full set of analysis tools, ranging from a graphical overview to @@ -40,17 +40,17 @@ to compare usage with different interfaces. **Stacked** .. image:: images/stacked_view.png - :scale: 100% + :width: 100% **Stream** .. image:: images/stream_view.png - :scale: 100% + :width: 100% **Expanded** .. image:: images/expanded_view.png - :scale: 100% + :width: 100% Interfaces ---------- @@ -74,10 +74,10 @@ view by clicking or double clicking on one of the shown port names/numbers. Clicking on a piece of the pie will open a detailed view for further analysis. .. image:: images/pie_piece.png - :scale: 100% + :width: 100% .. image:: images/pie_details.png - :scale: 100% + :width: 100% IP Addresses Pie Chart @@ -103,14 +103,14 @@ click on the tab **Details**. When opening the details view by clicking on the tab one can make a new query. .. image:: images/insight_details_view.png - :scale: 100% + :width: 100% After selecting a valid date range (form/to) and interface one can further limit the output by filtering on port or ip address. Select the refresh icon to update the detailed output. Leave Port and Address empty for a full detailed listing. .. image:: images/insight_full_details.png - :scale: 100% + :width: 100% ----------- @@ -120,7 +120,7 @@ The **Export** view allows you to export the data for further analysis in your f spreadsheet or other data analysis application. .. image:: images/insight_export_view.png - :scale: 100% + :width: 100% To export data, select a **Collection** : @@ -134,4 +134,4 @@ Select the **Resolution** in seconds (300,3600,86400) Then select a date range (from/to) and click the **export** button. .. image:: images/insight_export.png - :scale: 100% + :width: 100% 
diff --git a/source/manual/how-tos/installaws.rst b/source/manual/how-tos/installaws.rst index 15329f8e..f75d08d4 100644 --- a/source/manual/how-tos/installaws.rst +++ b/source/manual/how-tos/installaws.rst @@ -2,7 +2,7 @@ Installing OPNsense AWS image ============================= .. image:: images/amazon-web-services.png - :scale: 100% + :width: 100% To apply for access to the OPNsense Amazon AWS EC2 cloud image, you need: @@ -24,7 +24,7 @@ Step 2 - Select Type Choose an instance type .. image:: images/aws_launch_new_image.png - :scale: 100% + :width: 100% --------------------------------- Step 3 - Configure security group @@ -32,7 +32,7 @@ Step 3 - Configure security group To configure security group, make sure you allow https access from your own network. .. image:: images/aws_configure_security_group.png - :scale: 100% + :width: 100% ------------------------- @@ -40,7 +40,7 @@ Step 4 - Configure a disk ------------------------- .. image:: images/aws_choose_disc.png - :scale: 100% + :width: 100% ----------------------------- @@ -48,7 +48,7 @@ Step 5 - Review your settings ----------------------------- .. image:: images/aws_review_settings.png - :scale: 100% + :width: 100% -------------------- Step 6 - SSH keypair @@ -56,14 +56,14 @@ Step 6 - SSH keypair Select ssh keypair or skip, the ssh key isn’t used for OPNsense, ssh is disabled by default. .. image:: images/aws_ssh_keypair.png - :scale: 100% + :width: 100% --------------------------- Step 7 - Review status page --------------------------- .. image:: images/aws_status.png - :scale: 100% + :width: 100% ---------------------- Step 8 - AWS instances @@ -71,7 +71,7 @@ Step 8 - AWS instances Go to your AWS instances .. image:: images/aws_instances.png - :scale: 100% + :width: 100% Select the image, go to “image settings” then “get system log” to obtain the initial password 
@@ -82,14 +82,14 @@ Step 9 - Initial root password Copy your initial root password (line ** set initial….) .. image:: images/aws_capture_initial_password.png - :scale: 100% + :width: 100% -------------------------------- Step 10 - Search current address -------------------------------- .. image:: images/aws_search_current_ip.png - :scale: 100% + :width: 100% Login to OPNsense using the address provided. diff --git a/source/manual/how-tos/ips-feodo.rst b/source/manual/how-tos/ips-feodo.rst index cf6966f2..cc18878b 100644 --- a/source/manual/how-tos/ips-feodo.rst +++ b/source/manual/how-tos/ips-feodo.rst @@ -17,7 +17,7 @@ Prerequisites **System->Firmware: Fetch updates** .. image:: images/firmware.png - :scale: 100% + :width: 100% * Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for logging (>10GB advisable). @@ -26,7 +26,7 @@ Prerequisites Under **Interface-Settings** .. image:: images/disable_offloading.png - :scale: 100% + :width: 100% .. warning:: @@ -48,7 +48,7 @@ detection system too run on. For our example we will use the WAN interface, as that will most likely be you connection with the public Internet. .. image:: images/idps.png - :scale: 100% + :width: 100% ------------------- Apply configuration @@ -57,7 +57,7 @@ First apply the configuration by pressing the **Apply** button at the bottom of the form. .. image:: images/applybtn.png - :scale: 100% + :width: 100% --------------- Fetch Rule sets @@ -66,12 +66,12 @@ For this example we will only fetch the abuse.ch SSL & Dodo Tracker rulesets. To do so: select Enabled after each one. .. image:: images/rulesets_enable.png - :scale: 100% + :width: 100% To download the rule sets press **Download & Update Rules**. .. image:: images/downloadbtn.png - :scale: 100% + :width: 100% ----------------------- Change default behavior 
@@ -80,12 +80,12 @@ Now click on the info button right after each rule and change Input Filter from none to drop actions. .. image:: images/changefilter.png - :scale: 100% + :width: 100% When done it should like this: .. image:: images/rulesdrop.png - :scale: 100% + :width: 100% ------------------------ Apply fraud drop actions @@ -93,7 +93,7 @@ Apply fraud drop actions Now press **Download & Update Rules** again to change the behavior to drop. .. image:: images/downloadbtn.png - :scale: 100% + :width: 100% --------------- Keep up to date @@ -103,7 +103,7 @@ Now schedule a regular fetch to keep your server up to date. Click on schedule, a popup window will appear: .. image:: images/schedule.png - :scale: 100% + :width: 100% Select **enabled** and choose a time. For the example it is set to each day at 11:12. Select **Save changes** and wait until you have returned to the IDS screen. @@ -122,4 +122,4 @@ Currently there is no test service available to check your block rules against, however here is a sample of an actual alert that has been blocked: .. image:: images/alerts.jpg - :scale: 100% + :width: 100% diff --git a/source/manual/how-tos/ips-geoip.rst b/source/manual/how-tos/ips-geoip.rst index 089e22f8..6c35c29a 100644 --- a/source/manual/how-tos/ips-geoip.rst +++ b/source/manual/how-tos/ips-geoip.rst @@ -14,7 +14,7 @@ Prerequisites **System->Firmware: Fetch updates** .. image:: images/firmware.png - :scale: 100% + :width: 100% * Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for logging (>10GB advisable). @@ -23,7 +23,7 @@ Prerequisites Under **Interface-Settings** .. image:: images/disable_offloading.png - :scale: 100% + :width: 100% .. warning:: @@ -51,7 +51,7 @@ Select |add| to add a new rule. Select Country: .. image:: images/ips_rule_add_geoip.png - :scale: 100% + :width: 100% We selected **Netherlands(not)** as this server needs to be accessible within The Netherlands, this will drop all other traffic in both directions. 
@@ -59,12 +59,12 @@ The Netherlands, this will drop all other traffic in both directions. Select the Action (Alert or Drop): .. image:: images/ips_action.png - :scale: 100% + :width: 100% Add a description: .. image:: images/ips_description_country.png - :scale: 100% + :width: 100% And click **Save changes** |save| @@ -79,7 +79,7 @@ detection system too run on. For our example we will use the WAN interface, as that will most likely be you connection with the public Internet. .. image:: images/idps.png - :scale: 100% + :width: 100% ------------------- Apply configuration @@ -87,13 +87,13 @@ Apply configuration If this is the first GeoIP rule you add then you need to **Download & Update Rules** .. image:: images/downloadbtn.png - :scale: 100% + :width: 100% Then apply the configuration by pressing the **Apply** button at the bottom of the form. .. image:: images/applybtn.png - :scale: 100% + :width: 100% ------------ @@ -102,7 +102,7 @@ Sample Alert See a sample of an alert message below. .. image:: images/ips_geoip_alert.png - :scale: 100% + :width: 100% .. |save| image:: images/ips_save.png diff --git a/source/manual/how-tos/ips-sslfingerprint.rst b/source/manual/how-tos/ips-sslfingerprint.rst index e14f6005..dc17a3c2 100644 --- a/source/manual/how-tos/ips-sslfingerprint.rst +++ b/source/manual/how-tos/ips-sslfingerprint.rst @@ -13,7 +13,7 @@ Prerequisites **System->Firmware: Fetch updates** .. image:: images/firmware.png - :scale: 100% + :width: 100% * Minimum Advisable Memory is 2 Gigabyte and sufficient free disk space for logging (>10GB advisable). @@ -22,7 +22,7 @@ Prerequisites Under **Interface-Settings** .. image:: images/disable_offloading.png - :scale: 100% + :width: 100% .. warning:: 
@@ -58,13 +58,13 @@ next to the address : |lock|. Now you will see something similar to: .. image:: images/facebook_click.png - :scale: 100% + :width: 100% Click on the arrow ( **>** ) and then Select **More Information** Now open the certificate details and you will see something that looks like this: .. image:: images/certificate.png - :scale: 100% + :width: 100% Copy the SHA1 certificate fingerprint (A0:4E:AF:B3:48:C2:6B:15:A8:C1:AA:87:A3:33:CA:A3:CD:EE:C9:C9). @@ -72,17 +72,17 @@ Copy the SHA1 certificate fingerprint (A0:4E:AF:B3:48:C2:6B:15:A8:C1:AA:87:A3:33 Paste this into the new rule: .. image:: images/ips_rule_details.png - :scale: 100% + :width: 100% Select the Action (Alert or Drop): .. image:: images/ips_action.png - :scale: 100% + :width: 100% Add a description: .. image:: images/ips_description.png - :scale: 100% + :width: 100% And click **Save changes** |save| @@ -97,7 +97,7 @@ detection system too run on. For our example we will use the WAN interface, as that will most likely be you connection with the public Internet. .. image:: images/idps.png - :scale: 100% + :width: 100% ------------------- Apply configuration @@ -106,7 +106,7 @@ First apply the configuration by pressing the **Apply** button at the bottom of the form. .. image:: images/applybtn.png - :scale: 100% + :width: 100% ---------------------------- Clear Browser Cache and test @@ -115,7 +115,7 @@ Since your browser has cached the ssl certificate you will need to clear your cache first. After that you can test and will see the following in **Alerts**: .. image:: images/ips_facebook_alert.png - :scale: 100% + :width: 100% .. Note:: diff --git a/source/manual/how-tos/ipsec-road.rst b/source/manual/how-tos/ipsec-road.rst index 0247ddb3..6fddd27f 100644 --- a/source/manual/how-tos/ipsec-road.rst +++ b/source/manual/how-tos/ipsec-road.rst 
@@ -83,13 +83,13 @@ To allow IPsec Tunnel Connections, the following should be allowed on WAN. * UDP Traffic on Port 4500 (NAT-T) .. image:: images/ipsec_wan_rules.png - :scale: 100% + :width: 100% To allow traffic passing to your LAN subnet you need to add a rule to the IPsec interface. .. image:: images/ipsec_ipsec_lan_rule.png - :scale: 100% + :width: 100% ----------------------- Step 1 - Mobile Clients @@ -163,12 +163,12 @@ Advanced Options Save your setting by pressing: .. image:: images/btn_save.png - :scale: 100% + :width: 100% Now you should see the following screen: .. image:: images/ipsec_road_vpn_p1a.png - :scale: 100% + :width: 100% ------------------------------- @@ -177,12 +177,12 @@ Step 3 - Phase 2 Mobile Clients Press the button that says '+ Show 0 Phase-2 entries' .. image:: images/ipsec_s2s_vpn_p1a_show_p2.png - :scale: 100% + :width: 100% You will see an empty list: .. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png - :scale: 100% + :width: 100% Now press the *+* at the right of this list to add a Phase 2 entry. @@ -212,29 +212,29 @@ Phase 2 proposal (SA/Key Exchange) Save your setting by pressing: .. image:: images/btn_save.png - :scale: 100% + :width: 100% ----------------------------- Enable IPsec, Select: .. image:: images/ipsec_s2s_vpn_p1a_enable.png - :scale: 100% + :width: 100% Save: .. image:: images/btn_save.png - :scale: 100% + :width: 100% And Apply changes: .. image:: images/ipsec_s2s_vpn_p1a_apply.png - :scale: 100% + :width: 100% ------------------ .. image:: images/ipsec_s2s_vpn_p1a_success.png - :scale: 100% + :width: 100% ----------------------------- 
@@ -282,24 +282,24 @@ Add a new network by pressing the + in the lower left corner. Now select **VPN** and **Cisco IPSec**, give your connection a name and press **Create**. .. image:: images/osx-ipsec-new.png - :scale: 100% + :width: 100% Now enter the details for our connection: .. image:: images/osx-ipsec-conf1.png - :scale: 100% + :width: 100% Next press **Authentication Settings** to add the group name and pre-shared key. .. image:: images/osx-ipsec-conf2.png - :scale: 100% + :width: 100% Press **OK** to save these settings and then **Apply** to apply them. Now test the connection by selecting it from the list and hit **Connect**. .. image:: images/osx-ipsec-connected.png - :scale: 100% + :width: 100% **Done** diff --git a/source/manual/how-tos/ipsec-s2s.rst b/source/manual/how-tos/ipsec-s2s.rst index 1e2a36cd..9a79424d 100644 --- a/source/manual/how-tos/ipsec-s2s.rst +++ b/source/manual/how-tos/ipsec-s2s.rst @@ -181,7 +181,7 @@ sites: * UDP Traffic on Port 4500 (NAT-T) .. image:: images/ipsec_wan_rules.png - :scale: 100% + :width: 100% .. Note:: @@ -191,7 +191,7 @@ To allow traffic passing to your LAN subnet you need to add a rule to the IPsec interface. .. image:: images/ipsec_ipsec_lan_rule.png - :scale: 100% + :width: 100% ----------------------- Step 1 - Phase 1 Site A @@ -245,12 +245,12 @@ Advanced Options Save your setting by pressing: .. image:: images/btn_save.png - :scale: 100% + :width: 100% Now you should see the following screen: .. image:: images/ipsec_s2s_vpn_p1a_4.png - :scale: 100% + :width: 100% ----------------------- @@ -259,12 +259,12 @@ Step 2 - Phase 2 Site A Press the button that says '+ Show 0 Phase-2 entries' .. image:: images/ipsec_s2s_vpn_p1a_show_p2.png - :scale: 100% + :width: 100% You will see an empty list: .. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png - :scale: 100% + :width: 100% Now press the *+* at the right of this list to add a Phase 2 entry. 
@@ -302,29 +302,29 @@ Phase 2 proposal (SA/Key Exchange) Save your setting by pressing: .. image:: images/btn_save.png - :scale: 100% + :width: 100% ----------------------------- Enable IPsec for Site A, Select: .. image:: images/ipsec_s2s_vpn_p1a_enable.png - :scale: 100% + :width: 100% Save: .. image:: images/btn_save.png - :scale: 100% + :width: 100% And Apply changes: .. image:: images/ipsec_s2s_vpn_p1a_apply.png - :scale: 100% + :width: 100% ------------------ .. image:: images/ipsec_s2s_vpn_p1a_success.png - :scale: 100% + :width: 100% **You are done configuring Site A.** @@ -382,12 +382,12 @@ Advanced Options Save your setting by pressing: .. image:: images/btn_save.png - :scale: 100% + :width: 100% Now you should see the following screen: .. image:: images/ipsec_s2s_vpn_p1b_4.png - :scale: 100% + :width: 100% ----------------------- @@ -401,7 +401,7 @@ Press the button that says '+ Show 0 Phase-2 entries' You will see an empty list: .. image:: images/ipsec_s2s_vpn_p1a_p2_empty.png - :scale: 100% + :width: 100% Now press the *+* at the right of this list to add a Phase 2 entry. @@ -441,29 +441,29 @@ Phase 2 proposal (SA/Key Exchange) Save your setting by pressing: .. image:: images/btn_save.png - :scale: 100% + :width: 100% ----------------------------- Enable IPsec for Site B, Select: .. image:: images/ipsec_s2s_vpn_p1a_enable.png - :scale: 100% + :width: 100% Save: .. image:: images/btn_save.png - :scale: 100% + :width: 100% And Apply changes: .. image:: images/ipsec_s2s_vpn_p1a_apply.png - :scale: 100% + :width: 100% ----------------------------- .. image:: images/ipsec_s2s_vpn_p1a_success.png - :scale: 100% + :width: 100% **You are done configuring Site B.** @@ -477,7 +477,7 @@ Go to **VPN->IPsec->Status Overview** to see current status. Press on the **(i)** to see the details of the phase 2 tunnel(s), like this: .. image:: images/ipsec_status.png - :scale: 100% + :width: 100% .. Note:: 
@@ -491,7 +491,7 @@ cross-cable between the WAN ports. .. image:: images/OPN20322R_870px.png :target: https://www.deciso.com/product-catalog/opn20322r/ - :scale: 100% + :width: 100% To route traffic the WAN interfaces have been configured to use a /16 segment and they are each others default gateway. Other than that the sample is equal to this diff --git a/source/manual/how-tos/ipv6_tunnelbroker.rst b/source/manual/how-tos/ipv6_tunnelbroker.rst index 27425e32..4dc5ae89 100644 --- a/source/manual/how-tos/ipv6_tunnelbroker.rst +++ b/source/manual/how-tos/ipv6_tunnelbroker.rst @@ -34,7 +34,7 @@ individual /64 slices to each network. Once configured, your tunnel settings should look like this: .. image:: images/tunnelbroker_setup.png - :scale: 100% + :width: 100% ----------------------- Step 1 - Add GIF tunnel @@ -61,7 +61,7 @@ Use the following settings and copy in the IPv4&6 addresses from your TunnelBrok Make sure to include the **/64** prefixes! .. image:: images/opnsense_add_gif.png - :scale: 100% + :width: 100% ---------------------------------------------------- Step 2 - Configure the GIF tunnel as a new interface @@ -88,7 +88,7 @@ have servers on LAN whereas most of my clients are on WLAN (Wireless LAN). I block all incoming to LAN and WLAN. Of course, outbound connections are fine. .. image:: images/tunnelbroker_fw_rules.png - :scale: 100% + :width: 100% -------------------------------- Step 4 - Configure LAN interface @@ -100,7 +100,7 @@ because it's the very same. You'll repeat the same process for further networks, but assigning the next interface a separate **/64** address. .. image:: images/tunnelbroker_configure_lan.png - :scale: 100% + :width: 100% ------------------------------- Step 5 - Configure DHCPv6 SLAAC 
@@ -114,7 +114,7 @@ Router Advertisements sub tab on that same page. Set the **Router Advertisements setting to *Assisted* and the **Router Priority** setting to *Normal*. .. image:: images/tunnelbroker_dhcpv6.png - :scale: 100% + :width: 100% Save your settings. diff --git a/source/manual/how-tos/orange_fr_fttp.rst b/source/manual/how-tos/orange_fr_fttp.rst index d22efe9b..ea571cad 100644 --- a/source/manual/how-tos/orange_fr_fttp.rst +++ b/source/manual/how-tos/orange_fr_fttp.rst 
@@ -15,39 +15,39 @@ The guide deals with just the internet connection. Setting up of TV or Phone is Orange requires that the WAN is configured over VLAN 832. So the first step is to set up the VLAN on the intended WAN nic as shown below - .. image:: images/OF_image0.png - :scale: 100% +.. image:: images/OF_image0.png + :width: 100% -and the WAN interface assignment should hence look something like this +and the WAN interface assignment should hence look something like this .. image:: images/OF_image1.png - :scale: 100% + :width: 100% **Configuring the WAN Interface** --------------------------------- -In order to establish the IPv4 and IPv6 connection Orange requires that the correct parameters are passed for the DHCP and DHCP6 +In order to establish the IPv4 and IPv6 connection Orange requires that the correct parameters are passed for the DHCP and DHCP6 requests respectively select options DHCP and DHCPv6 in general configuration .. image:: images/OF_image2.png - :scale: 100% + :width: 100% **On the DHCP request it is a requirement to pass the following:** * dhcp-class-identifier "sagem" * user-class "+FSVDSL_livebox.Internet.softathome.Livebox3" -* option-90 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX +* option-90 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX (hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx) .. Note:: The eleven leading hex 00 pairs to be prefixed to the converted userID -These parameters should be passed as comma separated options in the 'Send Options' area of there WAN DHCP request +These parameters should be passed as comma separated options in the 'Send Options' area of there WAN DHCP request .. image:: images/OF_image3.png - :scale: 100% + :width: 100% .. Note:: It is necessary to specify the following 'Request Options' 
@@ -61,25 +61,25 @@ These parameters should be passed as comma separated options in the 'Send Option * domain-name-servers * option-90 -These parameters should be passed as comma separated options in the 'Request Options' area of there WAN DHCP request +These parameters should be passed as comma separated options in the 'Request Options' area of there WAN DHCP request Now for the regional specific part. -Some areas of France require that the DHCP and DHCP6 requests are made with a VLAN-PCP of 6. If you are in one of these regions then -this can be done via the 'Option Modifiers'. +Some areas of France require that the DHCP and DHCP6 requests are made with a VLAN-PCP of 6. If you are in one of these regions then +this can be done via the 'Option Modifiers'. .. Note:: The vlan-parent is the physical WAN interface - igb0, em0 etc. .. image:: images/OF_image4.png - :scale: 100% + :width: 100% On the DHCP6 request we need to use raw options -Firstly select 'Advanced' and your region needs a VLAN-PCP set it via 'Use VLAN priority' +Firstly select 'Advanced' and your region needs a VLAN-PCP set it via 'Use VLAN priority' .. image:: images/OF_image5.png - :scale: 100% + :width: 100% then add the following options in the 'Send Options' field @@ -87,7 +87,7 @@ then add the following options in the 'Send Options' field * raw-option 6 00:0b:00:11:00:17:00:18 * raw-option 15 00:2b:46:53:56:44:53:4c:5f:6c:69:76:65:62:6f:78:2e:49:6e:74:65:72:6e:65:74:2e:73:6f:66:74:61:74:68:6f:6d:65:2e:6c:69:76:65:62:6f:78:33 * raw-option 16 00:00:04:0e:00:05:73:61:67:65:6d -* raw-option 11 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX +* raw-option 11 00:00:00:00:00:00:00:00:00:00:00:66:74:69:2f:65:77:74:FF:AB:XX:XX (hex conversion of the the userid supplied by Orange which looks like fti/xxxxxxx) .. Note:: 
@@ -96,7 +96,7 @@ then add the following options in the 'Send Options' field Finally set the Identity Association and Prefix interface as shown .. image:: images/OF_image6.png - :scale: 100% + :width: 100% Click ‘Save’ and then ‘Apply’. @@ -109,19 +109,15 @@ Select Interfaces->LAN and set IPV4 to "Static IPv4" and IPv6 Configuration Type Interface’ .. image:: images/OF_image7.png - :scale: 100% + :width: 100% Finally, set the Track IPv6 Interface to WAN and set the IPv4 address to your chosen address. .. image:: images/OF_image8.png - :scale: 100% + :width: 100% Click ‘Save’ and then ‘Apply’. It is advisable at this point to reboot the system. - - - - diff --git a/source/manual/how-tos/proxyicapantivirus.rst b/source/manual/how-tos/proxyicapantivirus.rst index 24aacce6..ee59b46c 100644 --- a/source/manual/how-tos/proxyicapantivirus.rst +++ b/source/manual/how-tos/proxyicapantivirus.rst @@ -17,7 +17,7 @@ support ICAP will work just as well. forms of infection such as through emails or usb stick. .. image:: images/SPE_home.png - :scale: 100% + :width: 100% Step 1 - Setup the Proxy ------------------------ @@ -36,7 +36,7 @@ full installation and configuration instructions. We installed the Engine for Web Proxy purpose and enabled ICAP with its default settings. .. image:: images/SPE_ICAP.png - :scale: 100% + :width: 100% Step 4 - Connect the Engine --------------------------- diff --git a/source/manual/how-tos/proxytransparent.rst b/source/manual/how-tos/proxytransparent.rst index 092b0fd7..0fcb4cbf 100644 --- a/source/manual/how-tos/proxytransparent.rst +++ b/source/manual/how-tos/proxytransparent.rst @@ -37,7 +37,7 @@ A simple way to add the NAT/Firewall Rule is to click on the **(i)** icon on the left of the **Enable Transparent HTTP proxy** option and click on **add a new firewall rule**. .. image:: images/screenshot_enable_transparent_http.png - :scale: 100% + :width: 100% **For reference, these are the default settings:** 
@@ -65,7 +65,7 @@ Authority. Go to **System->Trust->Authorities** or use the search box to get the fast. .. image:: images/search_ca.png - :scale: 100% + :width: 100% Click on **add or import ca** in the upper right corner of the screen to create a new CA. @@ -121,7 +121,7 @@ A simple way to add the NAT/Firewall Rule is to click on the **(i)** icon on the left of the **Enable SSL mode** option and click on **add a new firewall rule**. .. image:: images/screenshot_enable_transparent_http.png - :scale: 100% + :width: 100% **For reference, these are the default settings:** @@ -151,13 +151,13 @@ certificate for each page manually, but for some pages that may not work well un not bumped. .. image:: images/export_CA_cert.png - :scale: 100% + :width: 100% Import and change trust settings on your favorite OS. Per example on OSX it looks like this: .. image:: images/Trust_Settings_OSX.png - :scale: 100% + :width: 100% .. Warning:: Again be very careful with this as your system will accept any page signed with @@ -171,7 +171,7 @@ like this: connection against man in the middle attacks otherwise trusted certificates. If you want to make the connection work again, you have to whitelist the following Google domains in your "No Bump Hosts" settings. - + * Your local Google domain (for example: google.at for Austria, google.de for Germany, …) * .google.com * .googleapis.com diff --git a/source/manual/how-tos/proxywebfilter.rst b/source/manual/how-tos/proxywebfilter.rst index 24479fa5..3a77bc6e 100644 --- a/source/manual/how-tos/proxywebfilter.rst +++ b/source/manual/how-tos/proxywebfilter.rst @@ -54,7 +54,7 @@ The URL of the full compressed UT1 category based list is: ftp://ftp.ut-capitole.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz .. image:: images/proxy_ut1.png - :scale: 100% + :width: 100% Press **Save Changes**. 
@@ -72,13 +72,13 @@ to the description of the list. This will open the edit window again, but now yo will see all available categories extracted from the list. .. image:: images/proxy_categories.png - :scale: 100% + :width: 100% For our example we will filter ads and adult content. The easiest way to do so is clear the list and select the following from the drop down list: .. image:: images/proxy_catgegory.png - :scale: 100% + :width: 100% Now **Save changes** and press **Download ACLs** again to download and reconstruct the list with only the selected categories. This will take roughly the same amount @@ -128,4 +128,4 @@ And one more rule to block HTTPS access: **Save** & **Apply changes** .. image:: images/proxy_firewall.png - :scale: 100% + :width: 100% diff --git a/source/manual/how-tos/self-signed-chain.rst b/source/manual/how-tos/self-signed-chain.rst index 4f2a27ba..cbdf15f2 100644 --- a/source/manual/how-tos/self-signed-chain.rst +++ b/source/manual/how-tos/self-signed-chain.rst @@ -13,7 +13,7 @@ Look at the default install, one certificate is created for the webgui/dashboard nothing wrong with that certificate if we use a real world CA, but we do not. We create our own chain so that one has no purpose once done. -Should you even consider using **self-signed certificate chains** in this age of free available +Should you even consider using **self-signed certificate chains** in this age of free available certificates? * Self-signed certificate are just as secure as real world certificates. 
@@ -32,7 +32,7 @@ What you should know about self-signed certificates: * They are **only** as trustworty as the person, company or organization signing it. * Using these certificates **can** be a security risk if you are the one trusting them and not a CA. -A chain will need at least a CA and certificate; an intermediate CA is not needed, but in case of a +A chain will need at least a CA and certificate; an intermediate CA is not needed, but in case of a compromise the CA key would be compromised too. The chain we are going to create will be made with the following ingredients: @@ -43,7 +43,7 @@ The chain we are going to create will be made with the following ingredients: .. Note:: - This document uses **CN - Common Name** should be read as: **SAN - Subject Alternative Name** and + This document uses **CN - Common Name** should be read as: **SAN - Subject Alternative Name** and will be used if present. Please backup before you proceed. @@ -79,7 +79,7 @@ When you are done save the form, the CA is now generated. ====================== =================================== ======================================== .. image:: images/CA.png - :scale: 15% + :width: 15% .. Tip:: @@ -103,7 +103,7 @@ Have a look at the form, create an intermediate CA and save it. ====================== =================================== ======================================== .. image:: images/CA-inter.png - :scale: 15% + :width: 15% The Certificate --------------- @@ -122,7 +122,7 @@ Have a look at the next form and notice the common name, create a server certifi ====================== =================================== ======================================== .. image:: images/webgui-cert.png - :scale: 15% + :width: 15% .. Tip:: 
@@ -141,7 +141,7 @@ Now we need to start using the chain: * Go back to the dashboard & open **System/Settings/Administration** * Set **SSL-Certificate** to use the new server certificate. -Open your browser and open the OPNsense/webgui page. You should be presented with a certificate that is +Open your browser and open the OPNsense/webgui page. You should be presented with a certificate that is verified by your intermediate CA. @@ -167,7 +167,7 @@ Go ahead and create a new chain **CA -- intermediate CA -- server cert.**. .. Tip:: - | You can check if **ca-root-nss** has changed: + | You can check if **ca-root-nss** has changed: | Do a health check before you add the CA. | If the check was okay add the CA to the store. | Create a new checksum & save it : @@ -189,7 +189,7 @@ Go to **Trust/Authorities** create a new CA for Nextcloud and save it. ====================== =================================== ======================================== .. image:: images/CA-cloud.png - :scale: 15% + :width: 15% OPNsense needs to be made aware of the Nextcloud chain we are creating. @@ -231,7 +231,7 @@ Go to **Trust/Authorities** and create an intermediate CA. ====================== =================================== ======================================== .. image:: images/CA-cloud-inter.png - :scale: 15% + :width: 15% Download the intermediate CA and install it to your browser: @@ -253,7 +253,7 @@ Go to **Trust/Certificates** create a server certificate. ====================== =================================== ======================================== .. image:: images/cloud-cert.png - :scale: 15% + :width: 15% We need to install this certificate and key to our Nextcloud server, two ways are shown here. 
@@ -266,10 +266,10 @@ We need to install this certificate and key to our Nextcloud server, two ways ar openssl pkcs12 -in nextcloud-crt.p12 -nodes -out nextcloud.key -nocerts openssl pkcs12 -in nextcloud-crt.p12 -clcerts -nokeys -out nextcloud.pem cp nextcloud.pem nextcloud.crt - + - * Or use the next quick and dirty method for a single key/certificate file: * Upload the ***.p12** archive to your Nextcloud server, in a safe way.. - * Extact the archive into a single **PEM** file and create a certificate. + * Extact the archive into a single **PEM** file and create a certificate. :: @@ -278,7 +278,7 @@ We need to install this certificate and key to our Nextcloud server, two ways ar - * **/etc/ssl/localcerts** will be alright for the certificate or choose your own prefered location. * If the key was extracted separatly, **/etc/ssl/private** would be a good choice. - * Be sure to set sane permissions on the private directory, ``700`` would do it. + * Be sure to set sane permissions on the private directory, ``700`` would do it. * You could set ``umask`` too (see) ``man umask`` - on your Linux box. * Edit the webserver config to use the certificate and key or single key-cert file. * Sane permissions, ``400`` read only owner is sufficent. diff --git a/source/manual/how-tos/shaper.rst b/source/manual/how-tos/shaper.rst index daa534d0..3191d6f2 100644 --- a/source/manual/how-tos/shaper.rst +++ b/source/manual/how-tos/shaper.rst @@ -176,7 +176,7 @@ Now press |apply| to activate the traffic shaping rules. *Screenshot Rules* .. image:: images/shaping_rules_s1.png - :scale: 100% + :width: 100% .. |apply| image:: images/applybtn.png @@ -308,7 +308,7 @@ Now press |apply| to activate the traffic shaping rules. *Screenshot Rules* .. image:: images/shaping_rules_s2.png - :scale: 100% + :width: 100% ------------------------ Limit bandwidth per user 
@@ -392,7 +392,7 @@ Now press |apply| to activate the traffic shaping rules. *Screenshot Rules* .. image:: images/shaping_rules_s3.png - :scale: 100% + :width: 100% ----------------------- Prioritize using Queues @@ -522,7 +522,7 @@ Now press |apply| to activate the traffic shaping rules. *Screenshot Rules* .. image:: images/shaping_rules_s4.png - :scale: 100% + :width: 100% -------------------------------------- Multi Interface shaping for a GuestNet diff --git a/source/manual/how-tos/sslvpn_client.rst b/source/manual/how-tos/sslvpn_client.rst index 1d38ea82..9a763a87 100644 --- a/source/manual/how-tos/sslvpn_client.rst +++ b/source/manual/how-tos/sslvpn_client.rst @@ -3,7 +3,7 @@ Setup SSL VPN Road Warrior ========================== .. image:: images/sslvpn_image_new.png - :scale: 100% + :width: 100% Road Warriors are remote users who need secure access to the companies infrastructure. OPNsense uses OpenVPN for its SSL VPN Road Warrior setup and offers OTP (One Time Password) @@ -107,7 +107,7 @@ and click on **Add server** in the top right corner of the form. configuration. Try it by typing *Ac...* and see for yourself: .. image:: images/qs-access_server.png - :scale: 100% + :width: 100% :align: center Now first change the **Type** to **Local + Timebased One time Password** @@ -207,7 +207,7 @@ For the first step we enter: Click **Save** and you will be redirected to the User page. Now we will activate your newly created seed with your Google Authenticator -compatible app. To do so click in the **Click to unhide** button in the +compatible app. To do so click in the **Click to unhide** button in the **OTP QR code** row and you will get a QR code to scan with your smartphone. See also: :doc:`/manual/how-tos/two_factor` @@ -280,7 +280,7 @@ For our example will use the following settings: Click **Save** to add the new server. .. image:: images/sslvpn_server.png - :scale: 100% + :width: 100% ---------------------- 
@@ -293,14 +293,14 @@ port on the WAN interface. When using multiple servers we need to open up each p For our configuration we only use one server accessible on udp port 1194. .. image:: images/sslvpn_wan_rule.png - :scale: 100% + :width: 100% Next we also need to allow traffic from the VPN clients to our LAN interface. For our example we will allow client to access anything on our local area network, however you may decide just to allow traffic to one or more servers. .. image:: images/sslvpn_openvpn_rule.png - :scale: 100% + :width: 100% ----------------------------- @@ -324,25 +324,25 @@ to open the file with search and select Viscosity. Some sample screenshots (Mac OSX): .. image:: images/viscosity_files.png - :scale: 100% + :width: 100% **Import Configuration** .. image:: images/viscosity_imported.png - :scale: 100% + :width: 100% **Connect & login** In the password field enter your TOTP token first followed by your password. .. image:: images/viscosity_login.png - :scale: 100% + :width: 100% **Connected** .. image:: images/viscosity_connected.png - :scale: 100% + :width: 100% ----------------------------- @@ -400,4 +400,4 @@ exactly the same as before, the only difference is that each user requires a Use and therefore their own configuration. .. image:: images/sslvpn_client_certificate.png - :scale: 100% + :width: 100% diff --git a/source/manual/how-tos/sslvpn_s2s.rst b/source/manual/how-tos/sslvpn_s2s.rst index 8b36d75e..83a241a8 100644 --- a/source/manual/how-tos/sslvpn_s2s.rst +++ b/source/manual/how-tos/sslvpn_s2s.rst @@ -212,7 +212,7 @@ For our example will use the following settings (leave everything else on its de Click **Save** to add the new server. .. image:: images/sslvpn_server.png - :scale: 100% + :width: 100% ---------------------- 
@@ -261,14 +261,14 @@ port on the WAN interface. When using multiple servers we need to open up each p For our configuration we only use one server accessible on UDP port 1194. .. image:: images/sslvpn_wan_rule.png - :scale: 100% + :width: 100% Next we also need to allow traffic from the VPN client network (192.168.2.0/24). For our example we will allow client to access anything on our local network(s), however you may decide just to allow traffic to one or more IP's. .. image:: images/sslvpn_openvpn_rule.png - :scale: 100% + :width: 100% **You are done configuring Site A.** @@ -308,7 +308,7 @@ Now click on **Save** to apply your settings. The Connection Status can be viewed under **VPN->OpenVPN->Connection Status** .. image:: images/sslvpn_connection_status.png - :scale: 100% + :width: 100% ------------------------------ Step 5 - Client Firewall Rules @@ -317,7 +317,7 @@ To allow traffic from the remote network just add a rule under **Firewall->Rules OpenVPN tab. .. image:: images/sslvpn_firewall_rule_client.png - :scale: 100% + :width: 100% **Done** diff --git a/source/manual/how-tos/two_factor.rst b/source/manual/how-tos/two_factor.rst index 181afb33..846b8fd1 100644 --- a/source/manual/how-tos/two_factor.rst +++ b/source/manual/how-tos/two_factor.rst @@ -6,7 +6,7 @@ using OPNsense and Google's Authenticator. All services of OPNsense can be used with this 2FA solution. .. image:: /manual/images/two_factor_authentication.png - :scale: 100% + :width: 100% .. Note:: @@ -52,12 +52,12 @@ To activate your new OTP seed on the Google Authenticator, first reopen the user you just created by clicking on the pencil icon. .. image:: images/OTP_seed.png - :scale: 100% + :width: 100% Now it will show a QR code: .. image:: images/otp_qr_code.png - :scale: 100% + :width: 100% .. Warning:: 
@@ -72,18 +72,18 @@ directly. In case of SailOTP the configuration works like this: .. image:: images/sailotp_menu.jpg - :scale: 100% + :width: 100% Pull down to open the application menu and choose the entry to add a new Token. .. image:: images/sailotp_scan_qr.jpg - :scale: 100% + :width: 100% In the next step, you have to scan the previously created QR code by clicking on the screen. .. image:: images/sailotp_scanresult.jpg - :scale: 100% + :width: 100% When the QR code is scanned, a new view will open where you can see the details of the result. This view can be used to check if the generated @@ -122,7 +122,7 @@ is token and then password **in the same field**. Hit the test button and if all goes well you should see *successfully authenticated*. .. image:: images/system_access_tester.png - :scale: 100% + :width: 100% ------------------------ Step 6 - Using the token @@ -131,8 +131,8 @@ To use the token in any application/service that you have configured, just open the Google Authenticator and add the created token/key **before** your regular password. .. Warning:: - Remember, you need to enter the token **before** or **after** you password - (depending on your configuration)! And the password field should be used to enter + Remember, you need to enter the token **before** or **after** you password + (depending on your configuration)! And the password field should be used to enter both token and your password, like: **Password:** 123456PASSWORD @@ -140,4 +140,4 @@ The code will change every 30 seconds. Sample code: .. image:: images/google_token_sample.png - :scale: 25% + :width: 25% diff --git a/source/manual/how-tos/user-ldap.rst b/source/manual/how-tos/user-ldap.rst index 45852f9b..ab59031f 100644 --- a/source/manual/how-tos/user-ldap.rst +++ b/source/manual/how-tos/user-ldap.rst 
@@ -50,7 +50,7 @@ Enter the following information: something similar to will show up: .. image:: images/ldap_selectcontainer.png - :scale: 100% + :width: 100% .. TIP:: The **Extended Query** can be used to select users who are member of a specific @@ -61,7 +61,7 @@ Enter the following information: **Members**. .. image:: images/ldap_mygroup_properties.png - :scale: 100% + :width: 100% Step 2 - Test @@ -71,7 +71,7 @@ and select your LDAP server and enter a valid username + password. Click on **Test** and if everything is setup correctly it will show: .. image:: images/ldap_testok.png - :scale: 100% + :width: 100% .. Note:: When limited to just one group, the group name will not be shown in the listing. @@ -79,7 +79,7 @@ and select your LDAP server and enter a valid username + password. Click on If not (or your entered invalid credentials) it shows: .. image:: images/ldap_testfail.png - :scale: 100% + :width: 100% Step 3 - Import Users --------------------- @@ -88,7 +88,7 @@ to import the users into the local user manager. Go to **System->Access->Users** you will see a cloud import icon at the lower right corner of the form. .. image:: images/user_cloudimport.png - :scale: 100% + :width: 100% Click on the cloud import icon to start importing users. @@ -105,7 +105,7 @@ notice the difference as the **User Distinguished name** will be shown from the LDAP server, just like this: .. image:: images/user_ldap_distinguishedname.png - :scale: 100% + :width: 100% .. TIP:: See :doc:`user-local` for more information on User, Groups and privileges. @@ -122,4 +122,4 @@ Go to **System->Access->Settings** and change the Authentication Server from The test result should look like this: .. image:: images/user_testresult_ldap.png - :scale: 80% + :width: 80% diff --git a/source/manual/how-tos/user-local.rst b/source/manual/how-tos/user-local.rst index b504b1a3..52b721ac 100644 --- a/source/manual/how-tos/user-local.rst +++ b/source/manual/how-tos/user-local.rst 
@@ -3,7 +3,7 @@ Creating Users & Groups ======================= .. image:: images/usermanager_groups.png - :scale: 100% + :width: 100% With the local user manager of OPNsense one can add users and groups and define the privileges for granting access to certain parts of the GUI (Web Configurator). @@ -47,6 +47,6 @@ The search bottom at the top of this form can be used to quickly find the right page. .. image:: images/user_privileges.png - :scale: 100% + :width: 100% After making the right selection click on **Save** to store the new settings. diff --git a/source/manual/install.rst b/source/manual/install.rst index fc046ffd..334ff0b1 100644 --- a/source/manual/install.rst +++ b/source/manual/install.rst @@ -368,7 +368,7 @@ Minimum installation actions **Enable RAM disk manually** .. image:: ./images/Screenshot_Use_RAMdisks.png - :scale: 100% + :width: 100% Then via console, check your /etc/fstab and make sure your primary partition has **rw,noatime** instead of just **rw**. @@ -410,4 +410,4 @@ The other method to upgrade the system is via console option **12) Upgrade from An update can be done through the GUI via **System⇒Firmware⇒Updates**. .. image:: ./images/firmware-update.png - :scale: 100% + :width: 100% diff --git a/source/manual/ipv6.rst b/source/manual/ipv6.rst index 25eeb359..7d79a054 100644 --- a/source/manual/ipv6.rst +++ b/source/manual/ipv6.rst @@ -3,7 +3,7 @@ Using IPv6 ========== .. image:: images/IPv6.png - :scale: 100% + :width: 100% OPNsense fully supports IPv6 for routing and firewall. However there are lots of different options to utilize IPv6. Currently these scenario's are known to work: diff --git a/source/manual/mobile_wan.rst b/source/manual/mobile_wan.rst index 26d3f24a..08400bda 100644 --- a/source/manual/mobile_wan.rst +++ b/source/manual/mobile_wan.rst 
@@ -3,7 +3,7 @@ Mobile Networking ================= .. image:: images/OPNsense_4G_new.png - :scale: 100% + :width: 100% OPNsense supports 3G and 4G (LTE) cellular modems as failsafe or primary WAN interface. Both USB and (mini)PCIe cards are supported. diff --git a/source/manual/netflow.rst b/source/manual/netflow.rst index 2a74b986..6b88c09b 100644 --- a/source/manual/netflow.rst +++ b/source/manual/netflow.rst @@ -3,7 +3,7 @@ Netflow Export & Analyses ========================= .. image:: images/netflow_analyzer_insight.png - :scale: 100% + :width: 100% Netflow is a monitoring feature, invented by Cisco, it is implemented in the FreeBSD kernel with ng_netflow (Netgraph). Since Netgraph is a kernel implementation it @@ -59,7 +59,7 @@ and multiple destinations including local capture for analysis by Insight (OPNse Netflow Analyzer). .. image:: images/netflow_exporter.png - :scale: 100% + :width: 100% -------------------------- Netflow Analyzer - Insight diff --git a/source/manual/systemhealth.rst b/source/manual/systemhealth.rst index b1ab7434..bb1dd42c 100644 --- a/source/manual/systemhealth.rst +++ b/source/manual/systemhealth.rst @@ -3,7 +3,7 @@ System Health & Round Robin Data ================================ .. image:: images/systemhealth_sample.png - :scale: 100% + :width: 100% System Health is a dynamic view on RRD data gathered by the system. It allows you to dive into different statistics that show the overall health and performance of @@ -41,7 +41,7 @@ Please see the screenshot below for all element of the system health module. Each element will be explained in the next chapters. .. image:: images/systemhealth_gui.png - :scale: 100% + :width: 100% Toggle menu collapse -------------------- @@ -68,7 +68,7 @@ this is especially useful for traffic flows where you can plot ingoing and outgo in different directions. .. image:: images/systemhealth_inverse.png - :scale: 100% + :width: 100% Resolution ---------- 
@@ -94,7 +94,7 @@ and show you the current detail level in this area. Label filter ------------ .. image:: images/systemhealth_labelfilter.png - :scale: 100% + :width: 100% The label filter can be used to filer out data you do not want to see. Click once to disable or double click to select only this set. @@ -102,13 +102,13 @@ to disable or double click to select only this set. A nice sample can be seen here, where the *processes* obscure all other data. .. image:: images/systemhealth_obscureddata.png - :scale: 100% + :width: 100% Just click once on *processes* to hide this data set, notice that the scales will adapt as well. .. image:: images/systemhealth_filtered.png - :scale: 100% + :width: 100% Main graph area --------------- @@ -131,13 +131,13 @@ selected area. A sample selection: .. image:: images/systemhealt_selection.png - :scale: 100% + :width: 100% And the result: .. image:: images/systemhealth_zoomed.png - :scale: 100% + :width: 100% Min/max/average table --------------------- @@ -155,4 +155,4 @@ values and export the data to as comma separated file (.CSV). The exported dataset can be used for your own reporting. .. image:: images/systemhealth_excel.png - :scale: 100% + :width: 100% diff --git a/source/manual/two_factor.rst b/source/manual/two_factor.rst index b8ad3fd1..6ddbfa83 100644 --- a/source/manual/two_factor.rst +++ b/source/manual/two_factor.rst @@ -3,7 +3,7 @@ Two-factor authentication ========================= .. image:: images/two_factor_authentication.png - :scale: 100% + :width: 100% Two-factor authentication also known as 2FA or 2-Step Verification is an authentication method that requires two components, such as a pin/password + a token. @@ -27,7 +27,7 @@ has a default fallback to the local database. In case of 2FA for the GUI one nee to disable the fallback option to make sure no local user can gain access without 2FA. .. image:: images/auth_server_fallback.png - :scale: 100% + :width: 100% ---------------------------- 
diff --git a/source/manual/users.rst b/source/manual/users.rst index 739b66dc..2bd308c7 100644 --- a/source/manual/users.rst +++ b/source/manual/users.rst @@ -3,7 +3,7 @@ ================= .. image:: images/user_manager.png - :scale: 100% + :width: 100% The user manager of OPNsense allows for controlling access to the different part (pages) of the configurator as well as controlling access to particular diff --git a/source/manual/virtuals.rst b/source/manual/virtuals.rst index 02f0d4a0..8f6e3337 100644 --- a/source/manual/virtuals.rst +++ b/source/manual/virtuals.rst @@ -86,7 +86,7 @@ opnsense bootstrap is available for our Amazon AWS EC2 Cloud -------------------- .. image:: how-tos/images/amazon-web-services.png - :scale: 100% + :width: 100% Installing OPNsense into the Amazon cloud can be a dounting task as no console is offered. As part of Deciso's support packages (see `OPNsense commercial Support diff --git a/source/manual/vpnet.rst b/source/manual/vpnet.rst index 2cc667d1..574dcad6 100644 --- a/source/manual/vpnet.rst +++ b/source/manual/vpnet.rst @@ -7,7 +7,7 @@ extends the private network into the public network such as internet. With a VPN you can create large secure networks that can act as one private network. .. image:: images/Virtual_Private_Network_overview.png - :scale: 100% + :width: 100% (picture from `wikipedia `__) @@ -29,7 +29,7 @@ well known IPsec as well as older (now considered insecure) legacy options such L2TP and PPTP. .. image:: images/vpn.png - :scale: 100% + :width: 100% .. Note:: diff --git a/source/relations/osi.rst b/source/relations/osi.rst index 9f049713..a20ad14f 100644 --- a/source/relations/osi.rst +++ b/source/relations/osi.rst @@ -3,7 +3,7 @@ Open Source Initiative ====================== .. image:: ./images/osi_standard_logo.png - :scale: 25% + :width: 25% -----------------------
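Review bot: In every `:scale: 100%` -> `:width: 100%` hunk across these files (user-ldap.rst, user-local.rst, install.rst, ipv6.rst, mobile_wan.rst, netflow.rst, systemhealth.rst, two_factor.rst, users.rst, virtuals.rst, vpnet.rst) the two options are not equivalent: `:scale:` is a percentage of the image's natural pixel size, so `:scale: 100%` was a no-op, whereas `:width:` is a percentage of the current line width, so `:width: 100%` forces each screenshot to stretch to the full content width and upscales small captures such as `ldap_testok.png` or `user_cloudimport.png`. If the goal is only to keep wide screenshots from overflowing, consider dropping the option altogether (same rendering as `:scale: 100%`) or capping images with a theme rule such as `max-width: 100%` instead of forcing the width, and spot-check the rendered HTML for the smaller PNGs before merging.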
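Review bot: The last hunk in user-ldap.rst (`user_testresult_ldap.png`, `:scale: 80%` -> `:width: 80%`) changes the meaning from "render at 80% of natural size" to "render at 80% of the line width", which on a typical page makes that screenshot larger rather than smaller. If the original intent was to shrink the image, keep `:scale: 80%` here or verify the rendered size after the change.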
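Review bot: The osi.rst hunk (`osi_standard_logo.png`, `:scale: 25%` -> `:width: 25%`) turns a quarter-of-natural-size logo into a quarter-of-line-width logo, which is a different result from the other hunks and may be noticeably larger or smaller depending on the page width; confirm this is the intended rendering or keep `:scale:` for this one image.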
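Review bot: Minor, in the unchanged context of the virtuals.rst hunk: "can be a dounting task" should read "daunting task"; since the line sits right below the edited image directive it would be easy to fix in the same commit.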