Merge remote-tracking branch 'upstream/master'

pull/460/head
Nick H 1 year ago
commit f4542cc546

@ -95,8 +95,7 @@ The feature set of OPNsense includes high-end features such as forward caching
proxy, traffic shaping, intrusion detection and easy OpenVPN client setup.
The latest release is based on a recent FreeBSD for long-term support and uses a
newly developed MVC-framework based on Phalcon. OPNsenses focus on security
brings unique features such as the option to use LibreSSL instead of OpenSSL
(selectable in the GUI).
brings unique features such as easy to use one time password authentication for various components.
The robust and reliable update mechanism gives OPNsense the ability to provide
important security updates in a timely fashion.
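Review bot: the replacement sentence "brings unique features such as easy to use one time password authentication for various components." needs hyphens on the compound modifiers ("easy-to-use one-time password authentication"), and the context line above it still reads "OPNsenses focus on security", which wants the possessive "OPNsense's". Since the dropped sentence was this paragraph's only mention of the LibreSSL option, confirm the flavour choice is still documented wherever the setting remains selectable.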

@ -59,6 +59,8 @@ OPNsense offers the following alias types:
| BGP ASN | Maps autonomous system (AS) numbers to networks |
| | where they are responsible for. |
+------------------+------------------------------------------------------+
| OpenVPN group | Map user groups to logged in OpenVPN users |
+------------------+------------------------------------------------------+
| Internal | Internal aliases which are managed by the product |
| (automatic) | |
+------------------+------------------------------------------------------+
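Review bot: the new row "Map user groups to logged in OpenVPN users" should read "logged-in OpenVPN users", and it would match the neighbouring rows better if it named what the alias resolves to, e.g. "the tunnel addresses of logged-in OpenVPN users in a group". The cell widths line up with the existing grid-table borders, which is what the renderer needs.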
@ -322,6 +324,24 @@ alias and add or remove entries immediately.
Since external alias types won't be touched by OPNsense, you can use :code:`pfctl` directly in scripts to manage
its contents. (e.g. :code:`pfctl -t MyAlias -T add 10.0.0.3` to add **10.0.0.3** to **MyAlias**)
....................................
OpenVPN group
....................................
This alias type offers the possibility to build firewall policies for logged in OpenVPN users by the group they belong to
as configured in :menuselection:`System --> Access --> Groups`.
The current users that are logged into OpenVPN can be inspected via :menuselection:`VPN --> OpenVPN --> Connection Status`, the alias
just follows this information and flushes the attached addresses to the item in question.
For example, when a user named **fred** which is a member of group **remote_users** logs into OpenVPN and received a tunnel address
of :code:`10.10.10.2`, the alias containing "remote_users" would include this address as well.
.. Tip::
When using LDAP (Active directory), you can synchronise group membership to avoid double administration in OPNsense.
....................................
Internal (automatic)
....................................
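Review bot: the example sentence in the new OpenVPN group section has an agreement slip: "a user named fred which is a member of group remote_users logs into OpenVPN and received a tunnel address" should be "who is a member ... logs into OpenVPN and receives a tunnel address". "flushes the attached addresses to the item in question" reads as if the addresses are cleared; if the meaning is that the alias is populated with the current tunnel addresses, "pushes" or "writes" says that. Also "Active directory" should be "Active Directory", and the body of the `.. Tip::` directive must be indented under it or Sphinx renders it as a separate paragraph.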

@ -72,11 +72,6 @@ Configure the frequency of updating the lists of IP addresses that are reserved
Gateway Monitoring
------------------------------------
Kill states
.....................................
When unchecked (enabled) all states will be reset when a gateway is removed (see monitoring in the :doc:`gateways <gateways>` section)
Skip rules
.....................................
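Review bot: removing the "Kill states" subsection drops this page's only description of the behaviour "all states will be reset when a gateway is removed"; confirm the gateways page it pointed to (:doc:`gateways <gateways>`) still explains that behaviour, otherwise readers lose the explanation entirely rather than finding it in one place.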
@ -135,16 +130,6 @@ Firewall state table optimization to use, influences the number of active states
* [aggressive] Expires idle connections quicker. More efficient use of CPU and memory but can drop legitimate idle connections
* [conservative] Tries to avoid dropping any legitimate idle connections at the expense of increased memory usage and CPU utilization.
Firewall Rules Optimization
.....................................
Influence how the firewall optimizes the generated ruleset.
* [none] Disable the ruleset optimizer.
* [basic] (default) Basic ruleset optimization does four things to improve the performance of ruleset evaluations: remove duplicate rules; remove rules that are a subset of another rule; combine multiple rules into a table when advantageous; re-order the rules to improve evaluation performance
* [profile] Uses the currently loaded ruleset as a feedback profile to tailor the ordering of quick rules to actual network traffic.
Bind states to interface
.....................................
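Review bot: the whole "Firewall Rules Optimization" subsection goes, including the description of the "basic" default and what it does to the ruleset; that is fine if the GUI setting no longer exists, but if it was only moved, the text should move with it rather than disappear. Adjacent style point in the kept lines: the two state-table items end inconsistently ("[aggressive] ... idle connections" without a period, "[conservative] ... CPU utilization." with one), so add the period to the first.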
@ -229,7 +214,21 @@ Check certificate of aliases URLs
Make sure the certificate is valid for all HTTPS addresses on aliases. If it's not valid or is revoked, do not download it.
Dynamic state reset
Anti DDOS
------------------------------------
Enable syncookies
.....................................
This option flushes the entire state table on IPv4 address changes in dynamic setups to e.g. allow VoIP servers to re-register.
This option is quite similar to the `syncookies <https://www.freebsd.org/cgi/man.cgi?syncookies>`__ kernel setting,
preventing memory allocation for local services before a proper handshake is made.
In this case pf will be protected agains state table exhaustion.
The following modes are available:
* never (default)
* always
* adaptive - in which case a lower and upper percentage should be specified referring to the usage of the state table.
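Review bot: placement problem in the inserted Anti DDOS block: the sentence "This option flushes the entire state table on IPv4 address changes in dynamic setups ..." belongs to Dynamic state reset, but it now appears directly under the "Enable syncookies" heading, with the syncookies text starting one line later; move the new section so each option keeps its own description. Also fix "agains" to "against", write "DDoS", and say which of the two percentages in adaptive mode turns syncookies on and which turns them off again, since "referring to the usage of the state table" leaves that open.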

@ -59,15 +59,39 @@ Settings
The settings menu contains all available mirrors and options which you can choose for your installation.
Usually the default options are good enough here, but if you want to choose a mirror more close to home you can do so here.
OPNsense supports two flavours for its TLS crypto stack, OpenSSL and LibreSSL. Our standard is `OpenSSL <https://www.openssl.org/>`__, but some more
security minded people favor OpenBSD's `LibreSSL <https://www.libressl.org/>`__
.. Note::
Since OpenSSL is more widely used, some software packages are not compatible with LibreSSL.
.. Tip::
The settings menu also provides the option to test development versions, which can be practical when testing features that
are planned for release. Just change the release type to **Development**.
Activate the Business Edition
...........................................
When you have purchased a license for the Business Edition or received it pre-installed on an appliance, you will
have to enable the license first.
In order to do so, please choose the following settings:
============== ==================================================================================
Mirror: Deciso (HTTPS,NL,Commercial)
Flavour: OpenSSL
Type: Business
Subscription: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (the activation key for the product)
============== ==================================================================================
.. image:: ../hardware/images/quickstart_be.png
:width: 500px
After save, go back to the status tab and click **Check for updates**
.. Note::
Upgrading to OPNsense BE is only possible when the installed community version number is lower than the
last available business edition. E.g. you can upgrade **22.7.x** to **22.10.x**, but you can not upgrade
**23.1** to **22.10**. You can always re-install using the installer found on the `business mirror <https://opnsense-update.deciso.com/>`__
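Review bot: the activation table requires "Flavour: OpenSSL" while the paragraph a few lines above invites "security minded people" to pick LibreSSL; state plainly that the Business Edition needs the OpenSSL flavour so the two statements are not read as a contradiction. Wording: "a mirror more close to home" should be "a mirror closer to home", "After save, go back to the status tab" should be "After saving", and "security minded" takes a hyphen. Formatting: the ":width: 500px" option must be indented under the `.. image::` directive, and the "XXXXXXXX-XXXX-..." subscription value could be labelled as an example key in the table cell itself.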

@ -87,9 +87,39 @@ password When using https authentication, choose a
Make sure to push to a "bare" upstream repository, when pressing "Setup/Test Git" the initial commits should be send to
your git server.
.. Tip::
--------------------------
SSH Setup
--------------------------
If you use GitHub, then your only option for git-backup, is to configure it for SSH access since GitHub has removed the ability for external applications to log into your account via your username and password.
The fields in OPNSense under :code:`System / Configuration / Backups / Git` should contain the following:
* URL absolutely MUST follow this format when using GitHub and GitLab: :code:`ssh://github.com/user_name/repo_name.git`. Any URL string that does not follow this pattern will not work.
* Branch should contain the word: :code:`master`
* SSH Private key (discussed below)
* User Name should ONLY contain the word :code:`git`
* password: leave this field empty
You need to create your repository BEFORE enabling git-backup. Do not add any files or READMEs to the repository. In other words, create a BLANK repository.
Next, `create a new SSH key <https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent>`__ specifically for git-backup (only generate the private / public keys per that document and skip the rest). **It is imperative that you do not add a password to your key**, or your backups will fail with authentication errors.
You should set up SSH access to just your repository by assigning your SSH public key to the repository instead of assigning it to your GitHub / GitLab account. Doing this ensures that you don't arbitrarily expose more of your git resources to OPNSense than is absolutely necessary for git-backup to work properly.
If you use GitHub, you can add your SSH public key by going to your repository, then click on :code:`settings`, then :code:`Deploy keys`. Or you can go straight to the URL using this format: :code:`https://github.com/USER_NAME/REPOSITORY_NAME/settings/keys/new`.
* Check the box :code:`Allow write Access`.
For GitHub and GitLab repositories, please make sure your URL follows this structure: :code:`ssh://github.com/user_name/repo_name.git`.
Make sure the fields are populated as stated above and that the Enable box is checked, then click on :code:`Setup / Test Git` and you should see a message come back at the top of the page indicating that the first backup was successful.
--------------------------
Conflict resolution
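Review bot: the `.. Tip::` directive sitting right above the new "SSH Setup" heading has no indented body, so it is either a leftover from the replaced text or its content went missing; an empty admonition is a Sphinx build error either way. Within the new section: "OPNSense" should be "OPNsense" (the spelling used elsewhere on the page); the URL-format instruction is given twice (first bullet, and again in "For GitHub and GitLab repositories, please make sure your URL follows this structure"), so keep one; the orphan bullet "Check the box Allow write Access" should be folded into the deploy-key paragraph it belongs to, with "access" lowercased to match the GitHub label; and the key-passphrase advice would land better with its reason attached: because the private key has to be stored without a passphrase in the backup settings, scoping it as a deploy key for one repository is what bounds the damage if that configuration is ever exposed, which is exactly why the section tells the reader not to attach it to the whole account.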

@ -108,7 +108,7 @@ Have a look at the form, create an intermediate CA and save it.
The Certificate
---------------
The thirth certificate will be a **server certificate** signed by the intermediate CA we just created.
The third certificate will be a **server certificate** signed by the intermediate CA we just created.
This will also be the last one we create for this chain.
Go to **Trust/Certificates**

@ -102,7 +102,7 @@ Step 5(a) - Assign an interface to WireGuard (recommended)
Finally, it allows separation of the firewall rules of each WireGuard instance (each :code:`wgX` device). Otherwise they all need to be configured on the default WireGuard group that OPNsense creates. This is more an organisational aesthetic, rather than an issue of substance
- Go to :menuselection:`Interfaces --> Assignments`
- In the dropdown next to “New interface:”, select the WireGuard device (:code:`wg0` if this is your first one)
- In the dropdown next to “New interface:”, select the WireGuard device (:code:`wg1` if this is your first one)
- Add a description (eg :code:`HomeWireGuard`)
- Click **+** to add it, then click **Save**
- Then select your new interface under the Interfaces menu
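Review bot: the changed bullet now says the first WireGuard device is `wg1`, which runs against the expectation that device numbering starts at 0; add a short parenthetical explaining where the number comes from (for example that it follows the instance number shown in the WireGuard instance settings, if that is the case) so readers who still see a `wg0` on older releases know which device to assign. Minor: "eg" should be "e.g." and the sentence ending "an issue of substance" is missing its period.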

@ -2,14 +2,12 @@
Initial Installation & Configuration
=====================================
.. rubric:: Software setup
:name: firstHeading
:class: firstHeading page-header
.. Note::
Just looking on how to invoke the installer? When the live environment has been
started just login with user **installer** and password **opnsense**.
.. contents:: Index
------------
Architecture
------------
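Review bot: dropping the ".. rubric:: Software setup" directive also removes the ":name: firstHeading" anchor and the "firstHeading page-header" class; if the theme's CSS or any inbound link relies on that id, the rendered page changes beyond the text, so check nothing references it. In the kept ".. Note::", "Just looking on how to invoke the installer?" should be "Just looking for how to invoke the installer?", and the two body lines need to be indented under the directive.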
@ -94,9 +92,9 @@ Depending on your hardware and use case, different installation options are avai
+--------+---------------------------------------------------+------------+
.. Note::
All Full Image types can run both **`OPNsense Importer <https://docs.opnsense.org/manual/install.html#opnsense-importer>`**
All Full Image types can run both `OPNsense Importer <https://docs.opnsense.org/manual/install.html#opnsense-importer>`__
before booting into the Live environment and also run
**`Installer <https://docs.opnsense.org/manual/install.html#install-to-target-system>`** once booted into the Live environment.
`Installer <https://docs.opnsense.org/manual/install.html#install-to-target-system>`__ once booted into the Live environment.
.. Warning::
Flash memory cards will only tolerate a limited number of writes and re-writes. For
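Review bot: the link fix is right: wrapping a `Link <url>` reference in `**...**` and omitting the trailing `__` leaves literal text instead of a hyperlink, so the new lines render correctly. While touching the sentence, "can run both OPNsense Importer before booting ... and also run Installer once booted" is redundant; "can run the OPNsense Importer before booting into the Live environment and the Installer once booted into it" reads cleaner.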
@ -160,9 +158,9 @@ Image Filename Composition
with the latest released version available. OPNsense installation images are provided
on a scheduled basis with major release versions in January and July. More information
on our release schedule is available from our package repository, see
`README <https://pkg.opnsense.org/releases/mirror/README>`. We are encouraged to update
`README <https://pkg.opnsense.org/releases/mirror/README>`__. We are encouraged to update
OPNsense after installation to be on the latest release available, see
`Update Page <https://docs.opnsense.org/manual/updates.html>`.
`Update Page <https://docs.opnsense.org/manual/updates.html>`__.
-------------------------
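Review bot: the `__` additions are correct. In the surrounding context, "We are encouraged to update OPNsense after installation" should be "You are encouraged" (or "We encourage you to update"), since the paragraph addresses the reader.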
@ -350,7 +348,6 @@ For New installations/migrations follow this process:
#. We must have a 2nd USB drive formatted with FAT or FAT32 File system.
#. Preferable non-bootable USB drive.
#. Create a **conf** directory on the root of the USB drive
#. Place an *unencrypted* <downloaded backup>.xml into /conf and rename the file to **config.xml**
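Review bot: the hunk removes one line from the USB-config checklist but the rendered view does not show which; if "Preferable non-bootable USB drive." stays, reword it to "Preferably a non-bootable USB drive." Since the step explicitly places an unencrypted config.xml on a FAT-formatted drive, and that file carries the firewall's credentials and keys, consider adding a closing step that erases it from the drive once the import has completed.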

@ -321,3 +321,42 @@ Status
The Monit status panel can be accessed via :menuselection:`Services --> Monit --> Status`. For every active service, it will show the status,
along with extra information if the service provides it.
-------------------------
Advanced Configurations
-------------------------
Some installations require configuration settings that are not accessible in the UI.
To support these, individual configuration files with a ``.conf`` extension can be put into the
``/usr/local/etc/monit.opnsense.d`` directory. These files will be automatically included by
the UI generated configuration. Multiple configuration files can be placed there. But note that
* The wildcard include processing in Monit is based on ``glob(7)``. So the order in which the files are included is in ascending ASCII order.
* Monit supports up to 1024 include files. If this limit is exceeded, Monit will report an error.
* It makes sense to check if the configuration file is valid. You can do so by using the following command::
# Run syntax check for the control file
configctl monit check
This is a sample configuration file to customize the limits of the Monit daemon:
::
## Set limits for various tests. The following example shows the default values:
##
set limits {
programOutput: 5120 B, # check program's output truncate limit
# sendExpectBuffer: 256 B, # limit for send/expect protocol test
fileContentBuffer: 5120 B, # limit for file content test
# httpContentBuffer: 1 MB, # limit for HTTP content test
# networkTimeout: 5 seconds # timeout for network I/O
# programTimeout: 300 seconds # timeout for check program
# stopTimeout: 30 seconds # timeout for service stop
# startTimeout: 120 seconds # timeout for service start
# restartTimeout: 30 seconds # timeout for service restart
}
.. Warning::
It is the sole responsibility of the administrator which places a file in the extension directory to ensure that the configuration is
valid.
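Review bot: "But note that" at the end of the intro paragraph should end with a colon, because the bullet list completes the sentence, and "the administrator which places a file" should be "who places". The literal block inside the third bullet ("# Run syntax check for the control file" and "configctl monit check") has to be indented deeper than the bullet text after the `::`, or it will not render as code. It would also help to spell out the consequence of skipping the check: a syntax error in any included file keeps Monit from loading its configuration at all, not just the offending file, which is the reason to run the check before restarting the service.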

@ -20,7 +20,6 @@ Update settings
By navigating to :menuselection:`System --> Firmware --> Settings`, you can influence the firmware update settings:
* **Fimware Mirror:** this influences where OPNsense tries to get its updates from. If you have troubles updating or searching for updates, or if your current mirror is running slowly, you can change it here.
* **Firmware Flavour:** OPNsense is available in different flavours. Currently, these flavours influence which cryptographic library to use: OpenSSL (the default) or its drop-in replacement LibreSSL.
* **Release Type:** With this setting, you can switch between the regular fortnightly schedule of tested releases (Production) or the newest, not fully tested code (Development). **Please leave this setting on "Production", unless you fully understand the implications of switching.**
--------------
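Review bot: "Fimware Mirror" in the first bullet is a typo for "Firmware Mirror". The hunk drops one line but the rendered view hides which; if it is the "Firmware Flavour" bullet, note that the Settings page edited elsewhere in this merge still tells readers to choose between OpenSSL and LibreSSL and to set "Flavour: OpenSSL" for the Business Edition, so the two pages should agree on whether the option exists.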
