Archives
/
opensense-docs
mirror of https://github.com/opnsense/docs
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master'

Browse Source
pull/460/head
Nick H 1 year ago
parent dadc3ac530 d5f3033ae9
commit f4542cc546
10 changed files with 238 additions and 131 deletions
Show Stats Download Patch File Download Diff File

3
source/intro.rst
Unescape Escape View File

@ -95,8 +95,7 @@ The feature set of OPNsense includes high-end features such as forward caching
proxy, traffic shaping, intrusion detection and easy OpenVPN client setup.
The latest release is based on a recent FreeBSD for long-term support and uses a
newly developed MVC-framework based on Phalcon. OPNsenses focus on security
brings unique features such as the option to use LibreSSL instead of OpenSSL
(selectable in the GUI).
brings unique features such as easy to use one time password authentication for various components.
The robust and reliable update mechanism gives OPNsense the ability to provide
important security updates in a timely fashion.

20
source/manual/aliases.rst
Unescape Escape View File

@ -59,6 +59,8 @@ OPNsense offers the following alias types:
| BGP ASN | Maps autonomous system (AS) numbers to networks |
| | where they are responsible for. |
+------------------+------------------------------------------------------+
| OpenVPN group | Map user groups to logged in OpenVPN users |
+------------------+------------------------------------------------------+
| Internal | Internal aliases which are managed by the product |
| (automatic) | |
+------------------+------------------------------------------------------+
@ -322,6 +324,24 @@ alias and add or remove entries immediately.
Since external alias types won't be touched by OPNsense, you can use :code:`pfctl` directly in scripts to manage
its contents. (e.g. :code:`pfctl -t MyAlias -T add 10.0.0.3` to add **10.0.0.3** to **MyAlias**)
....................................
OpenVPN group
....................................
This alias type offers the possibility to build firewall policies for logged in OpenVPN users by the group they belong to
as configured in :menuselection:`System --> Access --> Groups`.
The current users that are logged into OpenVPN can be inspected via :menuselection:`VPN --> OpenVPN --> Connection Status`, the alias
just follows this information and flushes the attached addresses to the item in question.
For example, when a user named **fred** which is a member of group **remote_users** logs into OpenVPN and received a tunnel address
of :code:`10.10.10.2`, the alias containing "remote_users" would include this address as well.
.. Tip::
When using LDAP (Active directory), you can synchronise group membership to avoid double administration in OPNsense.
....................................
Internal (automatic)
....................................

33
source/manual/firewall_settings.rst
Unescape Escape View File

@ -72,11 +72,6 @@ Configure the frequency of updating the lists of IP addresses that are reserved
Gateway Monitoring
------------------------------------
Kill states
.....................................
When unchecked (enabled) all states will be reset when a gateway is removed (see monitoring in the :doc:`gateways <gateways>` section)
Skip rules
.....................................
@ -135,16 +130,6 @@ Firewall state table optimization to use, influences the number of active states
* [aggressive] Expires idle connections quicker. More efficient use of CPU and memory but can drop legitimate idle connections
* [conservative] Tries to avoid dropping any legitimate idle connections at the expense of increased memory usage and CPU utilization.
Firewall Rules Optimization
.....................................
Influence how the firewall optimizes the generated ruleset.
* [none] Disable the ruleset optimizer.
* [basic] (default) Basic ruleset optimization does four things to improve the performance of ruleset evaluations: remove duplicate rules; remove rules that are a subset of another rule; combine multiple rules into a table when advantageous; re-order the rules to improve evaluation performance
* [profile] Uses the currently loaded ruleset as a feedback profile to tailor the ordering of quick rules to actual network traffic.
Bind states to interface
.....................................
@ -229,7 +214,21 @@ Check certificate of aliases URLs
Make sure the certificate is valid for all HTTPS addresses on aliases. If it's not valid or is revoked, do not download it.
Dynamic state reset
Anti DDOS
------------------------------------
Enable syncookies
.....................................
This option flushes the entire state table on IPv4 address changes in dynamic setups to e.g. allow VoIP servers to re-register.
This option is quite similar to the `syncookies <https://www.freebsd.org/cgi/man.cgi?syncookies>`__ kernel setting,
preventing memory allocation for local services before a proper handshake is made.
In this case pf will be protected agains state table exhaustion.
The following modes are available:
* never (default)
* always
* adaptive - in which case a lower and upper percentage should be specified referring to the usage of the state table.

38
source/manual/firmware.rst
Unescape Escape View File

@ -59,15 +59,39 @@ Settings
The settings menu contains all available mirrors and options which you can choose for your installation.
Usually the default options are good enough here, but if you want to choose a mirror more close to home you can do so here.
OPNsense supports two flavours for its TLS crypto stack, OpenSSL and LibreSSL. Our standard is `OpenSSL <https://www.openssl.org/>`__, but some more
security minded people favor OpenBSD's `LibreSSL <https://www.libressl.org/>`__
.. Note::
Since OpenSSL is more widely used, some software packages are not compatible with LibreSSL.
.. Tip::
The settings menu also provides the option to test development versions, which can be practical when testing features that
are planned for release. Just change the release type to **Development**.
Activate the Business Edition
...........................................
When you have purchased a license for the Business Edition or received it pre-installed on an appliance, you will
have to enable the license first.
In order to do so, please choose the following settings:
============== ==================================================================================
Mirror: Deciso (HTTPS,NL,Commercial)
Flavour: OpenSSL
Type: Business
Subscription: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (the activation key for the product)
============== ==================================================================================
.. image:: ../hardware/images/quickstart_be.png
:width: 500px
After save, go back to the status tab and click **Check for updates**
.. Note::
Upgrading to OPNsense BE is only possible when the installed community version number is lower than the
last available business edition. E.g. you can upgrade **22.7.x** to **22.10.x**, but you can not upgrade
**23.1** to **22.10**. You can always re-install using the installer found on the `business mirror <https://opnsense-update.deciso.com/>`__

34
source/manual/git-backup.rst
Unescape Escape View File

@ -87,9 +87,39 @@ password When using https authentication, choose a
Make sure to push to a "bare" upstream repository, when pressing "Setup/Test Git" the initial commits should be send to
your git server.
.. Tip::
--------------------------
SSH Setup
--------------------------
If you use GitHub, then your only option for git-backup, is to configure it for SSH access since GitHub has removed the ability for external applications to log into your account via your username and password.
The fields in OPNSense under :code:`System / Configuration / Backups / Git` should contain the following:
* URL absolutely MUST follow this format when using GitHub and GitLab: :code:`ssh://github.com/user_name/repo_name.git`. Any URL string that does not follow this pattern will not work.
* Branch should contain the word: :code:`master`
* SSH Private key (discussed below)
* User Name should ONLY contain the word :code:`git`
* password: leave this field empty
You need to create your repository BEFORE enabling git-backup. Do not add any files or READMEs to the repository. In other words, create a BLANK repository.
Next, `create a new SSH key <https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent>`__ specifically for git-backup (only generate the private / public keys per that document and skip the rest). **It is imperative that you do not add a password to your key**, or your backups will fail with authentication errors.
You should set up SSH access to just your repository by assigning your SSH public key to the repository instead of assigning it to your GitHub / GitLab account. Doing this ensures that you don't arbitrarily expose more of your git resources to OPNSense than is absolutely necessary for git-backup to work properly.
If you use GitHub, you can add your SSH public key by going to your repository, then click on :code:`settings`, then :code:`Deploy keys`. Or you can go straight to the URL using this format: :code:`https://github.com/USER_NAME/REPOSITORY_NAME/settings/keys/new`.
* Check the box :code:`Allow write Access`.
For GitHub and GitLab repositories, please make sure your URL follows this structure: :code:`ssh://github.com/user_name/repo_name.git`.
Make sure the fields are populated as stated above and that the Enable box is checked, then click on :code:`Setup / Test Git` and you should see a message come back at the top of the page indicating that the first backup was successful.
--------------------------
Conflict resolution

2
source/manual/how-tos/self-signed-chain.rst
Unescape Escape View File

@ -108,7 +108,7 @@ Have a look at the form, create an intermediate CA and save it.
The Certificate
---------------
The thirth certificate will be a **server certificate** signed by the intermediate CA we just created.
The third certificate will be a **server certificate** signed by the intermediate CA we just created.
This will also be the last one we create for this chain.
Go to **Trust/Certificates**

2
source/manual/how-tos/wireguard-client.rst
Unescape Escape View File

@ -102,7 +102,7 @@ Step 5(a) - Assign an interface to WireGuard (recommended)
Finally, it allows separation of the firewall rules of each WireGuard instance (each :code:`wgX` device). Otherwise they all need to be configured on the default WireGuard group that OPNsense creates. This is more an organisational aesthetic, rather than an issue of substance
- Go to :menuselection:`Interfaces --> Assignments`
- In the dropdown next to “New interface:”, select the WireGuard device (:code:`wg0` if this is your first one)
- In the dropdown next to “New interface:”, select the WireGuard device (:code:`wg1` if this is your first one)
- Add a description (eg :code:`HomeWireGuard`)
- Click **+** to add it, then click **Save**
- Then select your new interface under the Interfaces menu

197
source/manual/install.rst
Unescape Escape View File

@ -2,14 +2,12 @@
Initial Installation & Configuration
=====================================
.. rubric:: Software setup
:name: firstHeading
:class: firstHeading page-header
.. Note::
Just looking on how to invoke the installer? When the live environment has been
started just login with user **installer** and password **opnsense**.
.. contents:: Index
------------
Architecture
------------
@ -23,20 +21,20 @@ Embedded vs Full
----------------
OPNsense offers two Image types with all major releases: embedded and full images.
The Embedded Image is intended for environments where preinstalling
the storage media is required due to a lack of local resources on the firewall
like storage, and/or console access (VGA/Serial). The image is tailored to reduce
write cycles as well, but the image can be used anywhere. Another reason for the
Embedded Image is to eliminate the need for local console access for installing OPNsense.
Installation is managed by prewriting the image to a storage device, installing the
The Embedded Image is intended for environments where preinstalling
the storage media is required due to a lack of local resources on the firewall
like storage, and/or console access (VGA/Serial). The image is tailored to reduce
write cycles as well, but the image can be used anywhere. Another reason for the
Embedded Image is to eliminate the need for local console access for installing OPNsense.
Installation is managed by prewriting the image to a storage device, installing the
storage device, and booting the system.
Full Images provide installation tools like OPNsense Importer, Live Environment,
and Installer. Full Images are released to support different console/hardware installation
requirements.
Full Images provide installation tools like OPNsense Importer, Live Environment,
and Installer. Full Images are released to support different console/hardware installation
requirements.
Both image types can be installed and run from virtual disks (VM), `SD memory
cards <https://en.wikipedia.org/wiki/Secure_Digital>`__,
cards <https://en.wikipedia.org/wiki/Secure_Digital>`__,
USB disks, `solid-state
disks (SSD) <https://en.wikipedia.org/wiki/Solid-state_drive>`__, or `hard disk drives
(HDD) <https://en.wikipedia.org/wiki/Hard_disk_drive>`__.
@ -65,7 +63,7 @@ behavior of an embedded version by enabling RAM disks, this is especially
useful for SD memory card installations.
.. Warning::
See the chapter :doc:`Hardware Sizing & Setup <hardware>` for further information
See the chapter :doc:`Hardware Sizing & Setup <hardware>` for further information
on hardware requirements prior to an install.
------------------
@ -94,16 +92,16 @@ Depending on your hardware and use case, different installation options are avai
+--------+---------------------------------------------------+------------+
.. Note::
All Full Image types can run both **`OPNsense Importer <https://docs.opnsense.org/manual/install.html#opnsense-importer>`**
before booting into the Live environment and also run
**`Installer <https://docs.opnsense.org/manual/install.html#install-to-target-system>`** once booted into the Live environment.
All Full Image types can run both `OPNsense Importer <https://docs.opnsense.org/manual/install.html#opnsense-importer>`__
before booting into the Live environment and also run
`Installer <https://docs.opnsense.org/manual/install.html#install-to-target-system>`__ once booted into the Live environment.
.. Warning::
Flash memory cards will only tolerate a limited number of writes and re-writes. For
Nano image memory disks for **/var/log** and **/tmp** are applied by
Flash memory cards will only tolerate a limited number of writes and re-writes. For
Nano image memory disks for **/var/log** and **/tmp** are applied by
default to prolong CF (flash) card lifetimes.
To enable non-embedded versions: Go to :menuselection:`System --> Settings --> Miscellaneous --> Disk / Memory Settings`,
To enable non-embedded versions: Go to :menuselection:`System --> Settings --> Miscellaneous --> Disk / Memory Settings`,
change the setting, then reboot. Consider enabling an external syslog server as well.
------------------------------
@ -156,13 +154,13 @@ Image Filename Composition
}
.. Note::
**Please** be aware that the latest installation media does not always correspond
with the latest released version available. OPNsense installation images are provided
on a scheduled basis with major release versions in January and July. More information
on our release schedule is available from our package repository, see
`README <https://pkg.opnsense.org/releases/mirror/README>`. We are encouraged to update
OPNsense after installation to be on the latest release available, see
`Update Page <https://docs.opnsense.org/manual/updates.html>`.
**Please** be aware that the latest installation media does not always correspond
with the latest released version available. OPNsense installation images are provided
on a scheduled basis with major release versions in January and July. More information
on our release schedule is available from our package repository, see
`README <https://pkg.opnsense.org/releases/mirror/README>`__. We are encouraged to update
OPNsense after installation to be on the latest release available, see
`Update Page <https://docs.opnsense.org/manual/updates.html>`__.
-------------------------
@ -185,10 +183,10 @@ Use one of the OPNsense mirrors to download these files:
2. Click one of the available mirrors closest to your location.
3. Download one of each file mentioned above for your Image type.
The OpenSSL public key (.pub) is required to verify against. Although the file is
available on the mirror's repository, you should not trust the copy there. Download
it, open it up, and verify the public key matches the one from other sources. If it
does not, the mirror may have been hacked, or you may be the victim of a man-in-the-middle
The OpenSSL public key (.pub) is required to verify against. Although the file is
available on the mirror's repository, you should not trust the copy there. Download
it, open it up, and verify the public key matches the one from other sources. If it
does not, the mirror may have been hacked, or you may be the victim of a man-in-the-middle
attack. Some other sources to get the public key from include:
* https://pkg.opnsense.org/releases/mirror/README
@ -197,19 +195,19 @@ attack. Some other sources to get the public key from include:
* https://github.com/opnsense/changelog/tree/master/community
* https://pkg.opnsense.org (/<FreeBSD:<version>:<architecture>/<release version>/sets/changelog.txz)
.. Note::
Only major release announcements for images contain the public key, and update
release announcements will not. i.e. 22.1 will have a copy of the public key in the release
.. Note::
Only major release announcements for images contain the public key, and update
release announcements will not. i.e. 22.1 will have a copy of the public key in the release
announcement, but 22.1.9 will not.
Once you download all the required files and verify that the public key matches
the public key found in one of the alternate sources listed above, you can be relatively
confident that the key has not been tampered with. To verify the downloaded image, run
Once you download all the required files and verify that the public key matches
the public key found in one of the alternate sources listed above, you can be relatively
confident that the key has not been tampered with. To verify the downloaded image, run
the following commands (substituting the filenames in brackets for the files you downloaded):
``openssl sha256 OPNsense-<filename>.bz2``
Match the checksum command output with the checksum vaules in file ``OPNsense-<version>-OpenSSL-checksums-amd64.sha256``.
Match the checksum command output with the checksum vaules in file ``OPNsense-<version>-OpenSSL-checksums-amd64.sha256``.
If the checksums don't match, redownload your image file. If checksums match continue with the verification commands.
``openssl base64 -d -in OPNsense-<filename>.sig -out /tmp/image.sig``
@ -217,8 +215,8 @@ If the checksums don't match, redownload your image file. If checksums match co
``openssl dgst -sha256 -verify OPNsense-<filename>.pub -signature /tmp/image.sig OPNsense-<filename>.bz2``
If the output of the second command is “**Verified OK**”, your image file was verified
successfully, and its safe to install from it. Any other outputs, and you may need
If the output of the second command is “**Verified OK**”, your image file was verified
successfully, and its safe to install from it. Any other outputs, and you may need
to check your commands for errors, or the image file may have been compromised.
@ -226,19 +224,19 @@ to check your commands for errors, or the image file may have been compromised.
Installation Media
-------------------
Now that you have downloaded and verified the installation image from above. You must unpack the
image file before you can write the image to disk. For Unix-like OSes use ``bzip2 -d OPNsense-<filename>.bz2``
command. For Windows use an application like `7zip <https://www.7-zip.org/download.html>`_. The ``.bz2`` will
Now that you have downloaded and verified the installation image from above. You must unpack the
image file before you can write the image to disk. For Unix-like OSes use ``bzip2 -d OPNsense-<filename>.bz2``
command. For Windows use an application like `7zip <https://www.7-zip.org/download.html>`_. The ``.bz2`` will
be removed from the end of the filename after command/applcation completes.
After unpacking the image you can create the installation media. The easiest method to install
OPNsense is to use USB "`vga <https://docs.opnsense.org/manual/install.html#installation-media>`_"
Image. If your target platform has a serial console interface choose the
`serial <https://docs.opnsense.org/manual/install.html#installation-media>`_” image. If you
After unpacking the image you can create the installation media. The easiest method to install
OPNsense is to use USB "`vga <https://docs.opnsense.org/manual/install.html#installation-media>`_"
Image. If your target platform has a serial console interface choose the
`serial <https://docs.opnsense.org/manual/install.html#installation-media>`_” image. If you
need to know more about using the serial console interface, consult the :doc:`serial access how-to<how-tos/serial_access>`.
Write the image to a USB flash drive (>=1 GB) or hard disk, using either dd for Unix-like
OSes and for Windows use physdiskwrite, `Etcher <https://www.balena.io/etcher#download-etcher>`_,
Write the image to a USB flash drive (>=1 GB) or hard disk, using either dd for Unix-like
OSes and for Windows use physdiskwrite, `Etcher <https://www.balena.io/etcher#download-etcher>`_,
or `Rufus <https://rufus.ie/>`_.
@ -287,9 +285,9 @@ System Boot Preparation
-------------------------
After preparing the installation media, we need to make sure we can access the console
(either via keyboard and [virtual]monitor or :doc:`serial connectivity<how-tos/serial_access>`). Next we need to know
how to access the boot menu or the system bios (UEFI) to boot from the installation media. Most times will be a function
(F#), Del, or ESC key that needs to pressed immediately after powering on (or rebooting) the system. Usually within the
(either via keyboard and [virtual]monitor or :doc:`serial connectivity<how-tos/serial_access>`). Next we need to know
how to access the boot menu or the system bios (UEFI) to boot from the installation media. Most times will be a function
(F#), Del, or ESC key that needs to pressed immediately after powering on (or rebooting) the system. Usually within the
first 2 to 3 seconds from powering up.
@ -308,41 +306,41 @@ Installation Instructions
-------------------------
..
Comment: Not sure how rubric:: are used. I would like to replace Installation Instructions rubric with
Comment: Not sure how rubric:: are used. I would like to replace Installation Instructions rubric with
section above. I also don't know how :name: work
.. rubric:: Install Instructions
:name: install-to-system
OPNsense installation boot process allows us to run several optional configuration steps. The
boot process was designed to always boot into the live environment, allowing us to access the
OPNsense installation boot process allows us to run several optional configuration steps. The
boot process was designed to always boot into the live environment, allowing us to access the
GUI or even SSH directly. If a timeout was missed, restart the boot procedure.
OPNsense Importer
-----------------
All Full Images have the OPNsense Importer feature that offers flexibility in
recovering failed firewalls, testing new releases without overwriting the current
installation by running the new version in memory with the existing configuration
or migrating configurations to new hardware installations. Using Importer is slightly
different between previous installs with existing configurations on disk vs new
All Full Images have the OPNsense Importer feature that offers flexibility in
recovering failed firewalls, testing new releases without overwriting the current
installation by running the new version in memory with the existing configuration
or migrating configurations to new hardware installations. Using Importer is slightly
different between previous installs with existing configurations on disk vs new
installations/migrations.
For systems that have OPNsense installed, and the configuration intact. Here is the process:
#. Boot the system with installation media
#. Press any key when you see **“Press any key to start the configuration importer”**.
#. Press any key when you see **“Press any key to start the configuration importer”**.
#. If you see OPNsense logo you have past the Importer and will need to reboot.
#. Type the device name of the existing drive that contains the configuration and press enter.
#. If Importer is successful, the boot process will continue into the Live environment using
the stored configuration on disk.
#. If Importer was unsuccessful, we will returned to the device selection prompt. Confirm the
device name is correct and try again. Otherwise, there maybe possible disk corruption and
#. If Importer is successful, the boot process will continue into the Live environment using
the stored configuration on disk.
#. If Importer was unsuccessful, we will returned to the device selection prompt. Confirm the
device name is correct and try again. Otherwise, there maybe possible disk corruption and
restoring from backup.
At this point the system will boot up with a fully functional firewall in Live enironment using existing configuration
At this point the system will boot up with a fully functional firewall in Live enironment using existing configuration
but will not overwrite the previous installation. Use this feature for safely previewing or testing upgrades.
For New installations/migrations follow this process:
@ -350,20 +348,19 @@ For New installations/migrations follow this process:
#. We must have a 2nd USB drive formatted with FAT or FAT32 File system.
#. Preferable non-bootable USB drive.
#. Create a **conf** directory on the root of the USB drive
#. Place an *unencrypted* <downloaded backup>.xml into /conf and rename the file to **config.xml**
``/conf/config.xml``
#. Put both the Installation media and the 2nd USB drive into the system and power up / reboot.
#. Put both the Installation media and the 2nd USB drive into the system and power up / reboot.
#. Boot the system from the OPNsense Installation media via Boot Menu or BIOS (UEFI).
#. Press aany key when you see: **“Press any key to start the configuration importer”**
#. Type the device name of the 2nd USB Drive, e.g. `da0`, and press Enter.
#. If Importer is successful, the boot process will continue into the Live environment using
#. If Importer is successful, the boot process will continue into the Live environment using
the configuration stored on the USB drive.
#. If unsuccessful, importer will error and return us to the device selection prompt. Suggest
#. If unsuccessful, importer will error and return us to the device selection prompt. Suggest
repeating steps 1-3 again.
Live Environment
@ -373,21 +370,21 @@ Live Environment
.. image:: ./images/opnsense_liveenv.png
After booting with an OPNsense Full Image (DVD, VGA, Serial), the firewall will
be in the Live environment with and without the use of OPNsense Importer. We
After booting with an OPNsense Full Image (DVD, VGA, Serial), the firewall will
be in the Live environment with and without the use of OPNsense Importer. We
can interact with the Live environment via Local Console, GUI (HTTPS), or SSH.
By default, we can log into the shell using the user `root` with the password
By default, we can log into the shell using the user `root` with the password
`opnsense` to operate the live environment via the local console.
The GUI is accessible at `https://192.168.1.1/ <https://192.168.1.1/>` using Username:
`root` Password: `opnsense` by default (unless a previous configuration was imported).
The GUI is accessible at `https://192.168.1.1/ <https://192.168.1.1/>` using Username:
`root` Password: `opnsense` by default (unless a previous configuration was imported).
Using SSH we can access the firewall at IP `192.168.1.1`. Both the `root` and `installer`
users are available, using password `opnsense`.
Using SSH we can access the firewall at IP `192.168.1.1`. Both the `root` and `installer`
users are available, using password `opnsense`.
.. Note::
That the installation media is read-only, which means your current live configuration will
That the installation media is read-only, which means your current live configuration will
be lost after reboot.
Continue to :doc:`OPNsense Installer <OPNsense-Installer>`` to install OPNsense to the local storage device.
@ -398,18 +395,18 @@ OPNsense Installer
To invoke the installer login with user **installer** and password
**opnsense**
After successfully booting up with the OPNsense Full Image (DVD, VGA, Serial),
the firewall will be at the Live Environment's login: prompt. To start the
installation process, login with the user ``installer`` and password ``opnsense``.
If Importer was used to import an existing configuration, the installer and root
user password would be the root password from the imported configuration.
After successfully booting up with the OPNsense Full Image (DVD, VGA, Serial),
the firewall will be at the Live Environment's login: prompt. To start the
installation process, login with the user ``installer`` and password ``opnsense``.
If Importer was used to import an existing configuration, the installer and root
user password would be the root password from the imported configuration.
If the installer user does not work, log in as user root and select: ``8) Shell``
from the menu and type ``opnsense-installer``. The ``opnsense-importer`` can also
If the installer user does not work, log in as user root and select: ``8) Shell``
from the menu and type ``opnsense-installer``. The ``opnsense-importer`` can also
be run this way should you require to rerun the import.
..
Is this process documented anywhere? I'm having hard time understanding how a live
backup is created.
Is this process documented anywhere? I'm having hard time understanding how a live
backup is created.
The installer can always be run to clone an existing system, even for Nano
images. This can be useful for creating live backups for later recovery.
@ -421,23 +418,23 @@ images. This can be useful for creating live backups for later recovery.
The installation process involves the following steps:
#. Keymap selection - The default configuration should be fine for most Occasions.
#. Install (UFS|ZFS) - Choose UFS or ZFS filesystem. ZFS is in most cases the best option
#. Install (UFS|ZFS) - Choose UFS or ZFS filesystem. ZFS is in most cases the best option
as it is the most reliable option, but it does require enough capacity (a couple of gigabytes at least).
#. Partitioning (ZFS) - Choose a device type. The default option (stripe) is usually acceptable
#. Partitioning (ZFS) - Choose a device type. The default option (stripe) is usually acceptable
when using a single disk.
#. Disk Selection (ZFS) - Select the Storage device e.g. ``da0`` or ``nvd0``
#. Last Chance! - Select Yes to continue with partitioning and to format the disk. However, doing
#. Last Chance! - Select Yes to continue with partitioning and to format the disk. However, doing
so will **destroy** the contents of the disk.
..
The installer on 23.1 does not mention or ask about swap anymore. Suggest we remove?
#. Continue with recommended swap (UFS) - Yes is usually fine here unless the install target
#. Continue with recommended swap (UFS) - Yes is usually fine here unless the install target
is very small (< 16GB)
#. Select Root Password - Change and confirm the new root password
#. Select Complete Install - Exits the installer and reboots the machine. The system is now installed
#. Select Complete Install - Exits the installer and reboots the machine. The system is now installed
and ready for initial configuration.
..
Suggest we remove the warning as the install steps above covers this. If we keep it, then we should move
Suggest we remove the warning as the install steps above covers this. If we keep it, then we should move
it to the top of the installation process. Also, there isn't Quick/Easy Install option. Is there?
.. Warning::
@ -446,21 +443,21 @@ The installation process involves the following steps:
Nano Image
----------
..
..
Commect: Moving Nano Image section after "Install to target system". We could move it
before "System Boot Preparation". Should we detail other default settings like interfaces, DHCP, etc?
Or are you prompted for interface assignment like Full Images?
To use the nano image follow this process:
#. Create the system disk with using the nano image. See :doc:`Installation Media<installation-media>`
#. Create the system disk with using the nano image. See :doc:`Installation Media<installation-media>`
how to write the nano image to disk.
#. Install the system disk drive into the system.
#. Configure the system (BIOS) to boot from this disk.
#. After the system boots, the firewall is ready to be configured.
Using the Nano image for embedded systems, your firewall is already up and running. The configuration
settings to enable Memory Disks (RAM disks) that minimize write cycles to relevant partitions by
Using the Nano image for embedded systems, your firewall is already up and running. The configuration
settings to enable Memory Disks (RAM disks) that minimize write cycles to relevant partitions by
mounting these partitions in system memory and reporting features are disabled by default.
---------------------

39
source/manual/monit.rst
Unescape Escape View File

@ -321,3 +321,42 @@ Status
The Monit status panel can be accessed via :menuselection:`Services --> Monit --> Status`. For every active service, it will show the status,
along with extra information if the service provides it.
-------------------------
Advanced Configurations
-------------------------
Some installations require configuration settings that are not accessible in the UI.
To support these, individual configuration files with a ``.conf`` extension can be put into the
``/usr/local/etc/monit.opnsense.d`` directory. These files will be automatically included by
the UI generated configuration. Multiple configuration files can be placed there. But note that
* The wildcard include processing in Monit is based on ``glob(7)``. So the order in which the files are included is in ascending ASCII order.
* Monit supports up to 1024 include files. If this limit is exceeded, Monit will report an error.
* It makes sense to check if the configuration file is valid. You can do so by using the following command::
# Run syntax check for the control file
configctl monit check
This is a sample configuration file to customize the limits of the Monit daemon:
::
## Set limits for various tests. The following example shows the default values:
##
set limits {
programOutput: 5120 B, # check program's output truncate limit
# sendExpectBuffer: 256 B, # limit for send/expect protocol test
fileContentBuffer: 5120 B, # limit for file content test
# httpContentBuffer: 1 MB, # limit for HTTP content test
# networkTimeout: 5 seconds # timeout for network I/O
# programTimeout: 300 seconds # timeout for check program
# stopTimeout: 30 seconds # timeout for service stop
# startTimeout: 120 seconds # timeout for service start
# restartTimeout: 30 seconds # timeout for service restart
}
.. Warning::
It is the sole responsibility of the administrator which places a file in the extension directory to ensure that the configuration is
valid.

1
source/manual/updates.rst
Unescape Escape View File

@ -20,7 +20,6 @@ Update settings
By navigating to :menuselection:`System --> Firmware --> Settings`, you can influence the firmware update settings:
* **Fimware Mirror:** this influences where OPNsense tries to get its updates from. If you have troubles updating or searching for updates, or if your current mirror is running slowly, you can change it here.
* **Firmware Flavour:** OPNsense is available in different flavours. Currently, these flavours influence which cryptographic library to use: OpenSSL (the default) or its drop-in replacement LibreSSL.
* **Release Type:** With this setting, you can switch between the regular fortnightly schedule of tested releases (Production) or the newest, not fully tested code (Development). **Please leave this setting on "Production", unless you fully understand the implications of switching.**
--------------

Write Preview
Loading…
Cancel
Save