mirror of https://github.com/opnsense/docs
push 23.4 configuration files and add 4000 to the bios section
Ad Schellevis
1 year ago
parent
cc565a2ca5
commit
6ecb087ee2
@ -0,0 +1,423 @@
|
||||
<?xml version="1.0"?>
|
||||
<opnsense>
|
||||
<trigger_initial_wizard/>
|
||||
<theme>opnsense</theme>
|
||||
<sysctl>
|
||||
<item>
|
||||
<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
|
||||
<tunable>vfs.read_max</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set the ephemeral port range to be lower.</descr>
|
||||
<tunable>net.inet.ip.portrange.first</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Drop packets to closed TCP ports without returning a RST</descr>
|
||||
<tunable>net.inet.tcp.blackhole</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
|
||||
<tunable>net.inet.udp.blackhole</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Randomize the ID field in IP packets</descr>
|
||||
<tunable>net.inet.ip.random_id</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
|
||||
It can also be used to probe for information about your internal networks. These functions come enabled
|
||||
as part of the standard FreeBSD core system.
|
||||
</descr>
|
||||
<tunable>net.inet.ip.sourceroute</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
|
||||
It can also be used to probe for information about your internal networks. These functions come enabled
|
||||
as part of the standard FreeBSD core system.
|
||||
</descr>
|
||||
<tunable>net.inet.ip.accept_sourceroute</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
This option turns off the logging of redirect packets because there is no limit and this could fill
|
||||
up your logs consuming your whole hard drive.
|
||||
</descr>
|
||||
<tunable>net.inet.icmp.log_redirect</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
|
||||
<tunable>net.inet.tcp.drop_synfin</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable sending IPv6 redirects</descr>
|
||||
<tunable>net.inet6.ip6.redirect</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
|
||||
<tunable>net.inet6.ip6.use_tempaddr</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Prefer privacy addresses and use them over the normal addresses</descr>
|
||||
<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
|
||||
<tunable>net.inet.tcp.syncookies</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
|
||||
<tunable>net.inet.tcp.recvspace</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
|
||||
<tunable>net.inet.tcp.sendspace</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
|
||||
<tunable>net.inet.tcp.delayed_ack</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum outgoing UDP datagram size</descr>
|
||||
<tunable>net.inet.udp.maxdgram</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
|
||||
<tunable>net.link.bridge.pfil_onlyip</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
|
||||
<tunable>net.link.bridge.pfil_local_phys</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
|
||||
<tunable>net.link.bridge.pfil_member</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set to 1 to enable filtering on the bridge interface</descr>
|
||||
<tunable>net.link.bridge.pfil_bridge</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Allow unprivileged access to tap(4) device nodes</descr>
|
||||
<tunable>net.link.tap.user_open</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
|
||||
<tunable>kern.randompid</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
|
||||
<tunable>hw.syscons.kbd_reboot</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable TCP extended debugging</descr>
|
||||
<tunable>net.inet.tcp.log_debug</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set ICMP Limits</descr>
|
||||
<tunable>net.inet.icmp.icmplim</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>TCP Offload Engine</descr>
|
||||
<tunable>net.inet.tcp.tso</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>UDP Checksums</descr>
|
||||
<tunable>net.inet.udp.checksum</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum socket buffer size</descr>
|
||||
<tunable>kern.ipc.maxsockbuf</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
|
||||
<tunable>vm.pmap.pti</tunable>
|
||||
<value>0</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
|
||||
<tunable>hw.ibrs_disable</tunable>
|
||||
<value>1</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Hide processes running as other groups</descr>
|
||||
<tunable>security.bsd.see_other_gids</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Hide processes running as other users</descr>
|
||||
<tunable>security.bsd.see_other_uids</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
|
||||
and for the sender directly reachable, route and next hop is known.
|
||||
</descr>
|
||||
<tunable>net.inet.ip.redirect</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
|
||||
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
|
||||
packets without returning a response.
|
||||
</descr>
|
||||
<tunable>net.inet.icmp.drop_redirect</tunable>
|
||||
<value>1</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum outgoing UDP datagram size</descr>
|
||||
<tunable>net.local.dgram.maxdgram</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<tunable>dev.ax.0.iflib.override_nrxds</tunable>
|
||||
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
|
||||
<descr/>
|
||||
</item>
|
||||
<item>
|
||||
<tunable>dev.ax.0.iflib.override_ntxds</tunable>
|
||||
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
|
||||
<descr/>
|
||||
</item>
|
||||
<item>
|
||||
<tunable>dev.ax.1.iflib.override_nrxds</tunable>
|
||||
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
|
||||
<descr/>
|
||||
</item>
|
||||
<item>
|
||||
<tunable>dev.ax.1.iflib.override_ntxds</tunable>
|
||||
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
|
||||
<descr/>
|
||||
</item>
|
||||
<item>
|
||||
<tunable>dev.ax.0.rss_enabled</tunable>
|
||||
<value>1</value>
|
||||
<descr/>
|
||||
</item>
|
||||
<item>
|
||||
<tunable>dev.ax.1.rss_enabled</tunable>
|
||||
<value>1</value>
|
||||
<descr/>
|
||||
</item>
|
||||
</sysctl>
|
||||
<system>
|
||||
<serialspeed>115200</serialspeed>
|
||||
<primaryconsole>serial</primaryconsole>
|
||||
<optimization>normal</optimization>
|
||||
<hostname>OPNsense</hostname>
|
||||
<domain>localdomain</domain>
|
||||
<dnsallowoverride>1</dnsallowoverride>
|
||||
<group>
|
||||
<name>admins</name>
|
||||
<description>System Administrators</description>
|
||||
<scope>system</scope>
|
||||
<gid>1999</gid>
|
||||
<member>0</member>
|
||||
<priv>page-all</priv>
|
||||
</group>
|
||||
<user>
|
||||
<name>root</name>
|
||||
<descr>System Administrator</descr>
|
||||
<scope>system</scope>
|
||||
<groupname>admins</groupname>
|
||||
<password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
|
||||
<uid>0</uid>
|
||||
</user>
|
||||
<nextuid>2000</nextuid>
|
||||
<nextgid>2000</nextgid>
|
||||
<timezone>Etc/UTC</timezone>
|
||||
<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
|
||||
<webgui>
|
||||
<protocol>https</protocol>
|
||||
</webgui>
|
||||
<disablenatreflection>yes</disablenatreflection>
|
||||
<usevirtualterminal>1</usevirtualterminal>
|
||||
<disableconsolemenu/>
|
||||
<disablevlanhwfilter>1</disablevlanhwfilter>
|
||||
<disablechecksumoffloading>1</disablechecksumoffloading>
|
||||
<disablesegmentationoffloading>1</disablesegmentationoffloading>
|
||||
<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
|
||||
<ipv6allow/>
|
||||
<powerd_enable>1</powerd_enable>
|
||||
<powerd_ac_mode>hadp</powerd_ac_mode>
|
||||
<powerd_battery_mode>hadp</powerd_battery_mode>
|
||||
<powerd_normal_mode>hadp</powerd_normal_mode>
|
||||
<thermal_hardware>amdtemp</thermal_hardware>
|
||||
<bogons>
|
||||
<interval>monthly</interval>
|
||||
</bogons>
|
||||
<pf_share_forward>1</pf_share_forward>
|
||||
<lb_use_sticky>1</lb_use_sticky>
|
||||
<ssh>
|
||||
<group>admins</group>
|
||||
</ssh>
|
||||
<firmware version="1.0.0">
|
||||
<mirror>https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE</mirror>
|
||||
<flavour>latest</flavour>
|
||||
<type>business</type>
|
||||
</firmware>
|
||||
<rrdbackup>-1</rrdbackup>
|
||||
<netflowbackup>-1</netflowbackup>
|
||||
</system>
|
||||
<interfaces>
|
||||
<wan>
|
||||
<enable>1</enable>
|
||||
<if>igb1</if>
|
||||
<mtu/>
|
||||
<ipaddr>dhcp</ipaddr>
|
||||
<ipaddrv6>dhcp6</ipaddrv6>
|
||||
<subnet/>
|
||||
<gateway/>
|
||||
<blockpriv>1</blockpriv>
|
||||
<blockbogons>1</blockbogons>
|
||||
<dhcphostname/>
|
||||
<media/>
|
||||
<mediaopt/>
|
||||
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
|
||||
</wan>
|
||||
<lan>
|
||||
<enable>1</enable>
|
||||
<if>igb0</if>
|
||||
<ipaddr>192.168.1.1</ipaddr>
|
||||
<subnet>24</subnet>
|
||||
<ipaddrv6>track6</ipaddrv6>
|
||||
<subnetv6>64</subnetv6>
|
||||
<media/>
|
||||
<mediaopt/>
|
||||
<track6-interface>wan</track6-interface>
|
||||
<track6-prefix-id>0</track6-prefix-id>
|
||||
</lan>
|
||||
</interfaces>
|
||||
<dhcpd>
|
||||
<lan>
|
||||
<enable/>
|
||||
<range>
|
||||
<from>192.168.1.100</from>
|
||||
<to>192.168.1.199</to>
|
||||
</range>
|
||||
</lan>
|
||||
</dhcpd>
|
||||
<unbound>
|
||||
<enable>1</enable>
|
||||
</unbound>
|
||||
<snmpd>
|
||||
<syslocation/>
|
||||
<syscontact/>
|
||||
<rocommunity>public</rocommunity>
|
||||
</snmpd>
|
||||
<nat>
|
||||
<outbound>
|
||||
<mode>automatic</mode>
|
||||
</outbound>
|
||||
</nat>
|
||||
<filter>
|
||||
<rule>
|
||||
<type>pass</type>
|
||||
<ipprotocol>inet</ipprotocol>
|
||||
<descr>Default allow LAN to any rule</descr>
|
||||
<interface>lan</interface>
|
||||
<source>
|
||||
<network>lan</network>
|
||||
</source>
|
||||
<destination>
|
||||
<any/>
|
||||
</destination>
|
||||
</rule>
|
||||
<rule>
|
||||
<type>pass</type>
|
||||
<ipprotocol>inet6</ipprotocol>
|
||||
<descr>Default allow LAN IPv6 to any rule</descr>
|
||||
<interface>lan</interface>
|
||||
<source>
|
||||
<network>lan</network>
|
||||
</source>
|
||||
<destination>
|
||||
<any/>
|
||||
</destination>
|
||||
</rule>
|
||||
</filter>
|
||||
<rrd>
|
||||
<enable/>
|
||||
</rrd>
|
||||
<load_balancer>
|
||||
<monitor_type>
|
||||
<name>ICMP</name>
|
||||
<type>icmp</type>
|
||||
<descr>ICMP</descr>
|
||||
<options/>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>TCP</name>
|
||||
<type>tcp</type>
|
||||
<descr>Generic TCP</descr>
|
||||
<options/>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>HTTP</name>
|
||||
<type>http</type>
|
||||
<descr>Generic HTTP</descr>
|
||||
<options>
|
||||
<path>/</path>
|
||||
<host/>
|
||||
<code>200</code>
|
||||
</options>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>HTTPS</name>
|
||||
<type>https</type>
|
||||
<descr>Generic HTTPS</descr>
|
||||
<options>
|
||||
<path>/</path>
|
||||
<host/>
|
||||
<code>200</code>
|
||||
</options>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>SMTP</name>
|
||||
<type>send</type>
|
||||
<descr>Generic SMTP</descr>
|
||||
<options>
|
||||
<send/>
|
||||
<expect>220 *</expect>
|
||||
</options>
|
||||
</monitor_type>
|
||||
</load_balancer>
|
||||
<ntpd>
|
||||
<prefer>0.opnsense.pool.ntp.org</prefer>
|
||||
</ntpd>
|
||||
<widgets>
|
||||
<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
|
||||
<column_count>2</column_count>
|
||||
</widgets>
|
||||
</opnsense>
|
||||
@ -0,0 +1,397 @@
|
||||
<?xml version="1.0"?>
|
||||
<opnsense>
|
||||
<trigger_initial_wizard/>
|
||||
<theme>opnsense</theme>
|
||||
<sysctl>
|
||||
<item>
|
||||
<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
|
||||
<tunable>vfs.read_max</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set the ephemeral port range to be lower.</descr>
|
||||
<tunable>net.inet.ip.portrange.first</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Drop packets to closed TCP ports without returning a RST</descr>
|
||||
<tunable>net.inet.tcp.blackhole</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
|
||||
<tunable>net.inet.udp.blackhole</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Randomize the ID field in IP packets</descr>
|
||||
<tunable>net.inet.ip.random_id</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
|
||||
It can also be used to probe for information about your internal networks. These functions come enabled
|
||||
as part of the standard FreeBSD core system.
|
||||
</descr>
|
||||
<tunable>net.inet.ip.sourceroute</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
|
||||
It can also be used to probe for information about your internal networks. These functions come enabled
|
||||
as part of the standard FreeBSD core system.
|
||||
</descr>
|
||||
<tunable>net.inet.ip.accept_sourceroute</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
This option turns off the logging of redirect packets because there is no limit and this could fill
|
||||
up your logs consuming your whole hard drive.
|
||||
</descr>
|
||||
<tunable>net.inet.icmp.log_redirect</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
|
||||
<tunable>net.inet.tcp.drop_synfin</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable sending IPv6 redirects</descr>
|
||||
<tunable>net.inet6.ip6.redirect</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
|
||||
<tunable>net.inet6.ip6.use_tempaddr</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Prefer privacy addresses and use them over the normal addresses</descr>
|
||||
<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
|
||||
<tunable>net.inet.tcp.syncookies</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
|
||||
<tunable>net.inet.tcp.recvspace</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
|
||||
<tunable>net.inet.tcp.sendspace</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
|
||||
<tunable>net.inet.tcp.delayed_ack</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum outgoing UDP datagram size</descr>
|
||||
<tunable>net.inet.udp.maxdgram</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
|
||||
<tunable>net.link.bridge.pfil_onlyip</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
|
||||
<tunable>net.link.bridge.pfil_local_phys</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
|
||||
<tunable>net.link.bridge.pfil_member</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set to 1 to enable filtering on the bridge interface</descr>
|
||||
<tunable>net.link.bridge.pfil_bridge</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Allow unprivileged access to tap(4) device nodes</descr>
|
||||
<tunable>net.link.tap.user_open</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
|
||||
<tunable>kern.randompid</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
|
||||
<tunable>hw.syscons.kbd_reboot</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable TCP extended debugging</descr>
|
||||
<tunable>net.inet.tcp.log_debug</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set ICMP Limits</descr>
|
||||
<tunable>net.inet.icmp.icmplim</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>TCP Offload Engine</descr>
|
||||
<tunable>net.inet.tcp.tso</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>UDP Checksums</descr>
|
||||
<tunable>net.inet.udp.checksum</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum socket buffer size</descr>
|
||||
<tunable>kern.ipc.maxsockbuf</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
|
||||
<tunable>vm.pmap.pti</tunable>
|
||||
<value>0</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
|
||||
<tunable>hw.ibrs_disable</tunable>
|
||||
<value>1</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Hide processes running as other groups</descr>
|
||||
<tunable>security.bsd.see_other_gids</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Hide processes running as other users</descr>
|
||||
<tunable>security.bsd.see_other_uids</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
|
||||
and for the sender directly reachable, route and next hop is known.
|
||||
</descr>
|
||||
<tunable>net.inet.ip.redirect</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
|
||||
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
|
||||
packets without returning a response.
|
||||
</descr>
|
||||
<tunable>net.inet.icmp.drop_redirect</tunable>
|
||||
<value>1</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum outgoing UDP datagram size</descr>
|
||||
<tunable>net.local.dgram.maxdgram</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>AMD temp offset</descr>
|
||||
<tunable>dev.amdtemp.0.sensor_offset</tunable>
|
||||
<value>-10</value>
|
||||
</item>
|
||||
</sysctl>
|
||||
<system>
|
||||
<serialspeed>115200</serialspeed>
|
||||
<primaryconsole>serial</primaryconsole>
|
||||
<optimization>normal</optimization>
|
||||
<hostname>OPNsense</hostname>
|
||||
<domain>localdomain</domain>
|
||||
<dnsallowoverride>1</dnsallowoverride>
|
||||
<group>
|
||||
<name>admins</name>
|
||||
<description>System Administrators</description>
|
||||
<scope>system</scope>
|
||||
<gid>1999</gid>
|
||||
<member>0</member>
|
||||
<priv>page-all</priv>
|
||||
</group>
|
||||
<user>
|
||||
<name>root</name>
|
||||
<descr>System Administrator</descr>
|
||||
<scope>system</scope>
|
||||
<groupname>admins</groupname>
|
||||
<password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
|
||||
<uid>0</uid>
|
||||
</user>
|
||||
<nextuid>2000</nextuid>
|
||||
<nextgid>2000</nextgid>
|
||||
<timezone>Etc/UTC</timezone>
|
||||
<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
|
||||
<webgui>
|
||||
<protocol>https</protocol>
|
||||
</webgui>
|
||||
<disablenatreflection>yes</disablenatreflection>
|
||||
<usevirtualterminal>1</usevirtualterminal>
|
||||
<disableconsolemenu/>
|
||||
<disablevlanhwfilter>1</disablevlanhwfilter>
|
||||
<disablechecksumoffloading>1</disablechecksumoffloading>
|
||||
<disablesegmentationoffloading>1</disablesegmentationoffloading>
|
||||
<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
|
||||
<ipv6allow/>
|
||||
<powerd_enable>1</powerd_enable>
|
||||
<powerd_ac_mode>hadp</powerd_ac_mode>
|
||||
<powerd_battery_mode>hadp</powerd_battery_mode>
|
||||
<powerd_normal_mode>hadp</powerd_normal_mode>
|
||||
<bogons>
|
||||
<interval>monthly</interval>
|
||||
</bogons>
|
||||
<pf_share_forward>1</pf_share_forward>
|
||||
<lb_use_sticky>1</lb_use_sticky>
|
||||
<ssh>
|
||||
<group>admins</group>
|
||||
</ssh>
|
||||
<firmware version="1.0.0">
|
||||
<mirror>https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE</mirror>
|
||||
<flavour>latest</flavour>
|
||||
<type>business</type>
|
||||
</firmware>
|
||||
<use_mfs_var>1</use_mfs_var>
|
||||
<use_mfs_tmp>1</use_mfs_tmp>
|
||||
</system>
|
||||
<interfaces>
|
||||
<wan>
|
||||
<enable>1</enable>
|
||||
<if>igb1</if>
|
||||
<mtu/>
|
||||
<ipaddr>dhcp</ipaddr>
|
||||
<ipaddrv6>dhcp6</ipaddrv6>
|
||||
<subnet/>
|
||||
<gateway/>
|
||||
<blockpriv>1</blockpriv>
|
||||
<blockbogons>1</blockbogons>
|
||||
<dhcphostname/>
|
||||
<media/>
|
||||
<mediaopt/>
|
||||
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
|
||||
</wan>
|
||||
<lan>
|
||||
<enable>1</enable>
|
||||
<if>igb0</if>
|
||||
<ipaddr>192.168.1.1</ipaddr>
|
||||
<subnet>24</subnet>
|
||||
<ipaddrv6>track6</ipaddrv6>
|
||||
<subnetv6>64</subnetv6>
|
||||
<media/>
|
||||
<mediaopt/>
|
||||
<track6-interface>wan</track6-interface>
|
||||
<track6-prefix-id>0</track6-prefix-id>
|
||||
</lan>
|
||||
</interfaces>
|
||||
<dhcpd>
|
||||
<lan>
|
||||
<enable/>
|
||||
<range>
|
||||
<from>192.168.1.100</from>
|
||||
<to>192.168.1.199</to>
|
||||
</range>
|
||||
</lan>
|
||||
</dhcpd>
|
||||
<unbound>
|
||||
<enable>1</enable>
|
||||
</unbound>
|
||||
<snmpd>
|
||||
<syslocation/>
|
||||
<syscontact/>
|
||||
<rocommunity>public</rocommunity>
|
||||
</snmpd>
|
||||
<nat>
|
||||
<outbound>
|
||||
<mode>automatic</mode>
|
||||
</outbound>
|
||||
</nat>
|
||||
<filter>
|
||||
<rule>
|
||||
<type>pass</type>
|
||||
<ipprotocol>inet</ipprotocol>
|
||||
<descr>Default allow LAN to any rule</descr>
|
||||
<interface>lan</interface>
|
||||
<source>
|
||||
<network>lan</network>
|
||||
</source>
|
||||
<destination>
|
||||
<any/>
|
||||
</destination>
|
||||
</rule>
|
||||
<rule>
|
||||
<type>pass</type>
|
||||
<ipprotocol>inet6</ipprotocol>
|
||||
<descr>Default allow LAN IPv6 to any rule</descr>
|
||||
<interface>lan</interface>
|
||||
<source>
|
||||
<network>lan</network>
|
||||
</source>
|
||||
<destination>
|
||||
<any/>
|
||||
</destination>
|
||||
</rule>
|
||||
</filter>
|
||||
<rrd>
|
||||
<enable/>
|
||||
</rrd>
|
||||
<load_balancer>
|
||||
<monitor_type>
|
||||
<name>ICMP</name>
|
||||
<type>icmp</type>
|
||||
<descr>ICMP</descr>
|
||||
<options/>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>TCP</name>
|
||||
<type>tcp</type>
|
||||
<descr>Generic TCP</descr>
|
||||
<options/>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>HTTP</name>
|
||||
<type>http</type>
|
||||
<descr>Generic HTTP</descr>
|
||||
<options>
|
||||
<path>/</path>
|
||||
<host/>
|
||||
<code>200</code>
|
||||
</options>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>HTTPS</name>
|
||||
<type>https</type>
|
||||
<descr>Generic HTTPS</descr>
|
||||
<options>
|
||||
<path>/</path>
|
||||
<host/>
|
||||
<code>200</code>
|
||||
</options>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>SMTP</name>
|
||||
<type>send</type>
|
||||
<descr>Generic SMTP</descr>
|
||||
<options>
|
||||
<send/>
|
||||
<expect>220 *</expect>
|
||||
</options>
|
||||
</monitor_type>
|
||||
</load_balancer>
|
||||
<ntpd>
|
||||
<prefer>0.opnsense.pool.ntp.org</prefer>
|
||||
</ntpd>
|
||||
<widgets>
|
||||
<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
|
||||
<column_count>2</column_count>
|
||||
</widgets>
|
||||
</opnsense>
|
||||
@ -0,0 +1,397 @@
|
||||
<?xml version="1.0"?>
|
||||
<opnsense>
|
||||
<trigger_initial_wizard/>
|
||||
<theme>opnsense</theme>
|
||||
<sysctl>
|
||||
<item>
|
||||
<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
|
||||
<tunable>vfs.read_max</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set the ephemeral port range to be lower.</descr>
|
||||
<tunable>net.inet.ip.portrange.first</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Drop packets to closed TCP ports without returning a RST</descr>
|
||||
<tunable>net.inet.tcp.blackhole</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
|
||||
<tunable>net.inet.udp.blackhole</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Randomize the ID field in IP packets</descr>
|
||||
<tunable>net.inet.ip.random_id</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
|
||||
It can also be used to probe for information about your internal networks. These functions come enabled
|
||||
as part of the standard FreeBSD core system.
|
||||
</descr>
|
||||
<tunable>net.inet.ip.sourceroute</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
|
||||
It can also be used to probe for information about your internal networks. These functions come enabled
|
||||
as part of the standard FreeBSD core system.
|
||||
</descr>
|
||||
<tunable>net.inet.ip.accept_sourceroute</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
This option turns off the logging of redirect packets because there is no limit and this could fill
|
||||
up your logs consuming your whole hard drive.
|
||||
</descr>
|
||||
<tunable>net.inet.icmp.log_redirect</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
|
||||
<tunable>net.inet.tcp.drop_synfin</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable sending IPv6 redirects</descr>
|
||||
<tunable>net.inet6.ip6.redirect</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
|
||||
<tunable>net.inet6.ip6.use_tempaddr</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Prefer privacy addresses and use them over the normal addresses</descr>
|
||||
<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
|
||||
<tunable>net.inet.tcp.syncookies</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
|
||||
<tunable>net.inet.tcp.recvspace</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
|
||||
<tunable>net.inet.tcp.sendspace</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
|
||||
<tunable>net.inet.tcp.delayed_ack</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum outgoing UDP datagram size</descr>
|
||||
<tunable>net.inet.udp.maxdgram</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
|
||||
<tunable>net.link.bridge.pfil_onlyip</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
|
||||
<tunable>net.link.bridge.pfil_local_phys</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
|
||||
<tunable>net.link.bridge.pfil_member</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set to 1 to enable filtering on the bridge interface</descr>
|
||||
<tunable>net.link.bridge.pfil_bridge</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Allow unprivileged access to tap(4) device nodes</descr>
|
||||
<tunable>net.link.tap.user_open</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
|
||||
<tunable>kern.randompid</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
|
||||
<tunable>hw.syscons.kbd_reboot</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable TCP extended debugging</descr>
|
||||
<tunable>net.inet.tcp.log_debug</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set ICMP Limits</descr>
|
||||
<tunable>net.inet.icmp.icmplim</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>TCP Offload Engine</descr>
|
||||
<tunable>net.inet.tcp.tso</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>UDP Checksums</descr>
|
||||
<tunable>net.inet.udp.checksum</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum socket buffer size</descr>
|
||||
<tunable>kern.ipc.maxsockbuf</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
|
||||
<tunable>vm.pmap.pti</tunable>
|
||||
<value>0</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
|
||||
<tunable>hw.ibrs_disable</tunable>
|
||||
<value>1</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Hide processes running as other groups</descr>
|
||||
<tunable>security.bsd.see_other_gids</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Hide processes running as other users</descr>
|
||||
<tunable>security.bsd.see_other_uids</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
|
||||
and for the sender directly reachable, route and next hop is known.
|
||||
</descr>
|
||||
<tunable>net.inet.ip.redirect</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
|
||||
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
|
||||
packets without returning a response.
|
||||
</descr>
|
||||
<tunable>net.inet.icmp.drop_redirect</tunable>
|
||||
<value>1</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum outgoing UDP datagram size</descr>
|
||||
<tunable>net.local.dgram.maxdgram</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>AMD temp offset</descr>
|
||||
<tunable>dev.amdtemp.0.sensor_offset</tunable>
|
||||
<value>-10</value>
|
||||
</item>
|
||||
</sysctl>
|
||||
<system>
|
||||
<serialspeed>115200</serialspeed>
|
||||
<primaryconsole>serial</primaryconsole>
|
||||
<optimization>normal</optimization>
|
||||
<hostname>OPNsense</hostname>
|
||||
<domain>localdomain</domain>
|
||||
<dnsallowoverride>1</dnsallowoverride>
|
||||
<group>
|
||||
<name>admins</name>
|
||||
<description>System Administrators</description>
|
||||
<scope>system</scope>
|
||||
<gid>1999</gid>
|
||||
<member>0</member>
|
||||
<priv>page-all</priv>
|
||||
</group>
|
||||
<user>
|
||||
<name>root</name>
|
||||
<descr>System Administrator</descr>
|
||||
<scope>system</scope>
|
||||
<groupname>admins</groupname>
|
||||
<password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
|
||||
<uid>0</uid>
|
||||
</user>
|
||||
<nextuid>2000</nextuid>
|
||||
<nextgid>2000</nextgid>
|
||||
<timezone>Etc/UTC</timezone>
|
||||
<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
|
||||
<webgui>
|
||||
<protocol>https</protocol>
|
||||
</webgui>
|
||||
<disablenatreflection>yes</disablenatreflection>
|
||||
<usevirtualterminal>1</usevirtualterminal>
|
||||
<disableconsolemenu/>
|
||||
<disablevlanhwfilter>1</disablevlanhwfilter>
|
||||
<disablechecksumoffloading>1</disablechecksumoffloading>
|
||||
<disablesegmentationoffloading>1</disablesegmentationoffloading>
|
||||
<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
|
||||
<ipv6allow/>
|
||||
<powerd_enable>1</powerd_enable>
|
||||
<powerd_ac_mode>hadp</powerd_ac_mode>
|
||||
<powerd_battery_mode>hadp</powerd_battery_mode>
|
||||
<powerd_normal_mode>hadp</powerd_normal_mode>
|
||||
<bogons>
|
||||
<interval>monthly</interval>
|
||||
</bogons>
|
||||
<pf_share_forward>1</pf_share_forward>
|
||||
<lb_use_sticky>1</lb_use_sticky>
|
||||
<ssh>
|
||||
<group>admins</group>
|
||||
</ssh>
|
||||
<firmware version="1.0.0">
|
||||
<mirror>https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE</mirror>
|
||||
<flavour>latest</flavour>
|
||||
<type>business</type>
|
||||
</firmware>
|
||||
<rrdbackup>-1</rrdbackup>
|
||||
<netflowbackup>-1</netflowbackup>
|
||||
</system>
|
||||
<interfaces>
|
||||
<wan>
|
||||
<enable>1</enable>
|
||||
<if>igb1</if>
|
||||
<mtu/>
|
||||
<ipaddr>dhcp</ipaddr>
|
||||
<ipaddrv6>dhcp6</ipaddrv6>
|
||||
<subnet/>
|
||||
<gateway/>
|
||||
<blockpriv>1</blockpriv>
|
||||
<blockbogons>1</blockbogons>
|
||||
<dhcphostname/>
|
||||
<media/>
|
||||
<mediaopt/>
|
||||
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
|
||||
</wan>
|
||||
<lan>
|
||||
<enable>1</enable>
|
||||
<if>igb0</if>
|
||||
<ipaddr>192.168.1.1</ipaddr>
|
||||
<subnet>24</subnet>
|
||||
<ipaddrv6>track6</ipaddrv6>
|
||||
<subnetv6>64</subnetv6>
|
||||
<media/>
|
||||
<mediaopt/>
|
||||
<track6-interface>wan</track6-interface>
|
||||
<track6-prefix-id>0</track6-prefix-id>
|
||||
</lan>
|
||||
</interfaces>
|
||||
<dhcpd>
|
||||
<lan>
|
||||
<enable/>
|
||||
<range>
|
||||
<from>192.168.1.100</from>
|
||||
<to>192.168.1.199</to>
|
||||
</range>
|
||||
</lan>
|
||||
</dhcpd>
|
||||
<unbound>
|
||||
<enable>1</enable>
|
||||
</unbound>
|
||||
<snmpd>
|
||||
<syslocation/>
|
||||
<syscontact/>
|
||||
<rocommunity>public</rocommunity>
|
||||
</snmpd>
|
||||
<nat>
|
||||
<outbound>
|
||||
<mode>automatic</mode>
|
||||
</outbound>
|
||||
</nat>
|
||||
<filter>
|
||||
<rule>
|
||||
<type>pass</type>
|
||||
<ipprotocol>inet</ipprotocol>
|
||||
<descr>Default allow LAN to any rule</descr>
|
||||
<interface>lan</interface>
|
||||
<source>
|
||||
<network>lan</network>
|
||||
</source>
|
||||
<destination>
|
||||
<any/>
|
||||
</destination>
|
||||
</rule>
|
||||
<rule>
|
||||
<type>pass</type>
|
||||
<ipprotocol>inet6</ipprotocol>
|
||||
<descr>Default allow LAN IPv6 to any rule</descr>
|
||||
<interface>lan</interface>
|
||||
<source>
|
||||
<network>lan</network>
|
||||
</source>
|
||||
<destination>
|
||||
<any/>
|
||||
</destination>
|
||||
</rule>
|
||||
</filter>
|
||||
<rrd>
|
||||
<enable/>
|
||||
</rrd>
|
||||
<load_balancer>
|
||||
<monitor_type>
|
||||
<name>ICMP</name>
|
||||
<type>icmp</type>
|
||||
<descr>ICMP</descr>
|
||||
<options/>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>TCP</name>
|
||||
<type>tcp</type>
|
||||
<descr>Generic TCP</descr>
|
||||
<options/>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>HTTP</name>
|
||||
<type>http</type>
|
||||
<descr>Generic HTTP</descr>
|
||||
<options>
|
||||
<path>/</path>
|
||||
<host/>
|
||||
<code>200</code>
|
||||
</options>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>HTTPS</name>
|
||||
<type>https</type>
|
||||
<descr>Generic HTTPS</descr>
|
||||
<options>
|
||||
<path>/</path>
|
||||
<host/>
|
||||
<code>200</code>
|
||||
</options>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>SMTP</name>
|
||||
<type>send</type>
|
||||
<descr>Generic SMTP</descr>
|
||||
<options>
|
||||
<send/>
|
||||
<expect>220 *</expect>
|
||||
</options>
|
||||
</monitor_type>
|
||||
</load_balancer>
|
||||
<ntpd>
|
||||
<prefer>0.opnsense.pool.ntp.org</prefer>
|
||||
</ntpd>
|
||||
<widgets>
|
||||
<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
|
||||
<column_count>2</column_count>
|
||||
</widgets>
|
||||
</opnsense>
|
||||
@ -0,0 +1,428 @@
|
||||
<?xml version="1.0"?>
|
||||
<opnsense>
|
||||
<trigger_initial_wizard/>
|
||||
<theme>opnsense</theme>
|
||||
<sysctl>
|
||||
<item>
|
||||
<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
|
||||
<tunable>vfs.read_max</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set the ephemeral port range to be lower.</descr>
|
||||
<tunable>net.inet.ip.portrange.first</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Drop packets to closed TCP ports without returning a RST</descr>
|
||||
<tunable>net.inet.tcp.blackhole</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
|
||||
<tunable>net.inet.udp.blackhole</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Randomize the ID field in IP packets</descr>
|
||||
<tunable>net.inet.ip.random_id</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
|
||||
It can also be used to probe for information about your internal networks. These functions come enabled
|
||||
as part of the standard FreeBSD core system.
|
||||
</descr>
|
||||
<tunable>net.inet.ip.sourceroute</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
|
||||
It can also be used to probe for information about your internal networks. These functions come enabled
|
||||
as part of the standard FreeBSD core system.
|
||||
</descr>
|
||||
<tunable>net.inet.ip.accept_sourceroute</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
This option turns off the logging of redirect packets because there is no limit and this could fill
|
||||
up your logs consuming your whole hard drive.
|
||||
</descr>
|
||||
<tunable>net.inet.icmp.log_redirect</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
|
||||
<tunable>net.inet.tcp.drop_synfin</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable sending IPv6 redirects</descr>
|
||||
<tunable>net.inet6.ip6.redirect</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
|
||||
<tunable>net.inet6.ip6.use_tempaddr</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Prefer privacy addresses and use them over the normal addresses</descr>
|
||||
<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
|
||||
<tunable>net.inet.tcp.syncookies</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
|
||||
<tunable>net.inet.tcp.recvspace</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
|
||||
<tunable>net.inet.tcp.sendspace</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
|
||||
<tunable>net.inet.tcp.delayed_ack</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum outgoing UDP datagram size</descr>
|
||||
<tunable>net.inet.udp.maxdgram</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
|
||||
<tunable>net.link.bridge.pfil_onlyip</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
|
||||
<tunable>net.link.bridge.pfil_local_phys</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
|
||||
<tunable>net.link.bridge.pfil_member</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set to 1 to enable filtering on the bridge interface</descr>
|
||||
<tunable>net.link.bridge.pfil_bridge</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Allow unprivileged access to tap(4) device nodes</descr>
|
||||
<tunable>net.link.tap.user_open</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
|
||||
<tunable>kern.randompid</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
|
||||
<tunable>hw.syscons.kbd_reboot</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable TCP extended debugging</descr>
|
||||
<tunable>net.inet.tcp.log_debug</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Set ICMP Limits</descr>
|
||||
<tunable>net.inet.icmp.icmplim</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>TCP Offload Engine</descr>
|
||||
<tunable>net.inet.tcp.tso</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>UDP Checksums</descr>
|
||||
<tunable>net.inet.udp.checksum</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum socket buffer size</descr>
|
||||
<tunable>kern.ipc.maxsockbuf</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
|
||||
<tunable>vm.pmap.pti</tunable>
|
||||
<value>0</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
|
||||
<tunable>hw.ibrs_disable</tunable>
|
||||
<value>1</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Hide processes running as other groups</descr>
|
||||
<tunable>security.bsd.see_other_gids</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Hide processes running as other users</descr>
|
||||
<tunable>security.bsd.see_other_uids</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
|
||||
and for the sender directly reachable, route and next hop is known.
|
||||
</descr>
|
||||
<tunable>net.inet.ip.redirect</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>
|
||||
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
|
||||
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
|
||||
packets without returning a response.
|
||||
</descr>
|
||||
<tunable>net.inet.icmp.drop_redirect</tunable>
|
||||
<value>1</value>
|
||||
</item>
|
||||
<item>
|
||||
<descr>Maximum outgoing UDP datagram size</descr>
|
||||
<tunable>net.local.dgram.maxdgram</tunable>
|
||||
<value>default</value>
|
||||
</item>
|
||||
<item>
|
||||
<tunable>dev.ax.0.iflib.override_nrxds</tunable>
|
||||
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
|
||||
<descr/>
|
||||
</item>
|
||||
<item>
|
||||
<tunable>dev.ax.0.iflib.override_ntxds</tunable>
|
||||
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
|
||||
<descr/>
|
||||
</item>
|
||||
<item>
|
||||
<tunable>dev.ax.1.iflib.override_nrxds</tunable>
|
||||
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
|
||||
<descr/>
|
||||
</item>
|
||||
<item>
|
||||
<tunable>dev.ax.1.iflib.override_ntxds</tunable>
|
||||
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
|
||||
<descr/>
|
||||
</item>
|
||||
<item>
|
||||
<tunable>dev.ax.0.rss_enabled</tunable>
|
||||
<value>1</value>
|
||||
<descr/>
|
||||
</item>
|
||||
<item>
|
||||
<tunable>dev.ax.1.rss_enabled</tunable>
|
||||
<value>1</value>
|
||||
<descr/>
|
||||
</item>
|
||||
<item>
|
||||
<tunable>ice_ddp_load</tunable>
|
||||
<value>YES</value>
|
||||
<descr>Include DDP package file for Intel ice driver</descr>
|
||||
</item>
|
||||
</sysctl>
|
||||
<system>
|
||||
<serialspeed>115200</serialspeed>
|
||||
<primaryconsole>serial</primaryconsole>
|
||||
<optimization>normal</optimization>
|
||||
<hostname>OPNsense</hostname>
|
||||
<domain>localdomain</domain>
|
||||
<dnsallowoverride>1</dnsallowoverride>
|
||||
<group>
|
||||
<name>admins</name>
|
||||
<description>System Administrators</description>
|
||||
<scope>system</scope>
|
||||
<gid>1999</gid>
|
||||
<member>0</member>
|
||||
<priv>page-all</priv>
|
||||
</group>
|
||||
<user>
|
||||
<name>root</name>
|
||||
<descr>System Administrator</descr>
|
||||
<scope>system</scope>
|
||||
<groupname>admins</groupname>
|
||||
<password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
|
||||
<uid>0</uid>
|
||||
</user>
|
||||
<nextuid>2000</nextuid>
|
||||
<nextgid>2000</nextgid>
|
||||
<timezone>Etc/UTC</timezone>
|
||||
<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
|
||||
<webgui>
|
||||
<protocol>https</protocol>
|
||||
</webgui>
|
||||
<disablenatreflection>yes</disablenatreflection>
|
||||
<usevirtualterminal>1</usevirtualterminal>
|
||||
<disableconsolemenu/>
|
||||
<disablevlanhwfilter>1</disablevlanhwfilter>
|
||||
<disablechecksumoffloading>1</disablechecksumoffloading>
|
||||
<disablesegmentationoffloading>1</disablesegmentationoffloading>
|
||||
<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
|
||||
<ipv6allow/>
|
||||
<powerd_enable>1</powerd_enable>
|
||||
<powerd_ac_mode>hadp</powerd_ac_mode>
|
||||
<powerd_battery_mode>hadp</powerd_battery_mode>
|
||||
<powerd_normal_mode>hadp</powerd_normal_mode>
|
||||
<thermal_hardware>amdtemp</thermal_hardware>
|
||||
<bogons>
|
||||
<interval>monthly</interval>
|
||||
</bogons>
|
||||
<pf_share_forward>1</pf_share_forward>
|
||||
<lb_use_sticky>1</lb_use_sticky>
|
||||
<ssh>
|
||||
<group>admins</group>
|
||||
</ssh>
|
||||
<firmware version="1.0.0">
|
||||
<mirror>https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE</mirror>
|
||||
<flavour>latest</flavour>
|
||||
<type>business</type>
|
||||
</firmware>
|
||||
<rrdbackup>-1</rrdbackup>
|
||||
<netflowbackup>-1</netflowbackup>
|
||||
</system>
|
||||
<interfaces>
|
||||
<wan>
|
||||
<enable>1</enable>
|
||||
<if>igb1</if>
|
||||
<mtu/>
|
||||
<ipaddr>dhcp</ipaddr>
|
||||
<ipaddrv6>dhcp6</ipaddrv6>
|
||||
<subnet/>
|
||||
<gateway/>
|
||||
<blockpriv>1</blockpriv>
|
||||
<blockbogons>1</blockbogons>
|
||||
<dhcphostname/>
|
||||
<media/>
|
||||
<mediaopt/>
|
||||
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
|
||||
</wan>
|
||||
<lan>
|
||||
<enable>1</enable>
|
||||
<if>igb0</if>
|
||||
<ipaddr>192.168.1.1</ipaddr>
|
||||
<subnet>24</subnet>
|
||||
<ipaddrv6>track6</ipaddrv6>
|
||||
<subnetv6>64</subnetv6>
|
||||
<media/>
|
||||
<mediaopt/>
|
||||
<track6-interface>wan</track6-interface>
|
||||
<track6-prefix-id>0</track6-prefix-id>
|
||||
</lan>
|
||||
</interfaces>
|
||||
<dhcpd>
|
||||
<lan>
|
||||
<enable/>
|
||||
<range>
|
||||
<from>192.168.1.100</from>
|
||||
<to>192.168.1.199</to>
|
||||
</range>
|
||||
</lan>
|
||||
</dhcpd>
|
||||
<unbound>
|
||||
<enable>1</enable>
|
||||
</unbound>
|
||||
<snmpd>
|
||||
<syslocation/>
|
||||
<syscontact/>
|
||||
<rocommunity>public</rocommunity>
|
||||
</snmpd>
|
||||
<nat>
|
||||
<outbound>
|
||||
<mode>automatic</mode>
|
||||
</outbound>
|
||||
</nat>
|
||||
<filter>
|
||||
<rule>
|
||||
<type>pass</type>
|
||||
<ipprotocol>inet</ipprotocol>
|
||||
<descr>Default allow LAN to any rule</descr>
|
||||
<interface>lan</interface>
|
||||
<source>
|
||||
<network>lan</network>
|
||||
</source>
|
||||
<destination>
|
||||
<any/>
|
||||
</destination>
|
||||
</rule>
|
||||
<rule>
|
||||
<type>pass</type>
|
||||
<ipprotocol>inet6</ipprotocol>
|
||||
<descr>Default allow LAN IPv6 to any rule</descr>
|
||||
<interface>lan</interface>
|
||||
<source>
|
||||
<network>lan</network>
|
||||
</source>
|
||||
<destination>
|
||||
<any/>
|
||||
</destination>
|
||||
</rule>
|
||||
</filter>
|
||||
<rrd>
|
||||
<enable/>
|
||||
</rrd>
|
||||
<load_balancer>
|
||||
<monitor_type>
|
||||
<name>ICMP</name>
|
||||
<type>icmp</type>
|
||||
<descr>ICMP</descr>
|
||||
<options/>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>TCP</name>
|
||||
<type>tcp</type>
|
||||
<descr>Generic TCP</descr>
|
||||
<options/>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>HTTP</name>
|
||||
<type>http</type>
|
||||
<descr>Generic HTTP</descr>
|
||||
<options>
|
||||
<path>/</path>
|
||||
<host/>
|
||||
<code>200</code>
|
||||
</options>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>HTTPS</name>
|
||||
<type>https</type>
|
||||
<descr>Generic HTTPS</descr>
|
||||
<options>
|
||||
<path>/</path>
|
||||
<host/>
|
||||
<code>200</code>
|
||||
</options>
|
||||
</monitor_type>
|
||||
<monitor_type>
|
||||
<name>SMTP</name>
|
||||
<type>send</type>
|
||||
<descr>Generic SMTP</descr>
|
||||
<options>
|
||||
<send/>
|
||||
<expect>220 *</expect>
|
||||
</options>
|
||||
</monitor_type>
|
||||
</load_balancer>
|
||||
<ntpd>
|
||||
<prefer>0.opnsense.pool.ntp.org</prefer>
|
||||
</ntpd>
|
||||
<widgets>
|
||||
<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
|
||||
<column_count>2</column_count>
|
||||
</widgets>
|
||||
</opnsense>
|
||||
Loading…
Reference in New Issue