config: reformat config.xml sample, some additions

f763c7cd · Franco Fichtner · 06723bcf · f763c7cd · f763c7cd · f763c7cd
Commit f763c7cd authored Sep 16, 2015 by Franco Fichtner
Hide whitespace changes
Inline Side-by-side

Showing with 613 additions and 674 deletions

config.xml.sample src/etc/config.xml.sample +580 -647

config.lib.inc src/etc/inc/config.lib.inc +32 -22

rc.bootup src/etc/rc.bootup +1 -5

No files found.
--- a/src/etc/config.xml.sample
+++ b/src/etc/config.xml.sample
 <?xml version="1.0"?>
 <opnsense>
-	<trigger_initial_wizard/>
-	<version>9.9</version>
-	<lastchange></lastchange>
-	<theme>opnsense</theme>
-	<sysctl>
-		<item>
-			<descr><![CDATA[Disable the pf ftp proxy handler.]]></descr>
-			<tunable>debug.pfftpproxy</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Increase UFS read-ahead speeds to match current state of hard drives and NCQ. More information here: http://ivoras.sharanet.org/blog/tree/2010-11-19.ufs-read-ahead.html]]></descr>
-			<tunable>vfs.read_max</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Set the ephemeral port range to be lower.]]></descr>
-			<tunable>net.inet.ip.portrange.first</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Drop packets to closed TCP ports without returning a RST]]></descr>
-			<tunable>net.inet.tcp.blackhole</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Do not send ICMP port unreachable messages for closed UDP ports]]></descr>
-			<tunable>net.inet.udp.blackhole</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Randomize the ID field in IP packets (default is 0: sequential IP IDs)]]></descr>
-			<tunable>net.inet.ip.random_id</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[
-				Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
-				It can also be used to probe for information about your internal networks. These functions come enabled
-				as part of the standard FreeBSD core system.
-			]]></descr>
-			<tunable>net.inet.ip.sourceroute</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[
-				Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
-				It can also be used to probe for information about your internal networks. These functions come enabled
-				as part of the standard FreeBSD core system.
-			]]></descr>
-			<tunable>net.inet.ip.accept_sourceroute</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[
-				Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
-				to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
-				packets without returning a response.
-			]]></descr>
-			<tunable>net.inet.icmp.drop_redirect</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[
-				This option turns off the logging of redirect packets because there is no limit and this could fill
-				up your logs consuming your whole hard drive.
-			]]></descr>
-			<tunable>net.inet.icmp.log_redirect</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>
-			<tunable>net.inet.tcp.drop_synfin</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Enable sending IPv4 redirects]]></descr>
-			<tunable>net.inet.ip.redirect</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Enable sending IPv6 redirects]]></descr>
-			<tunable>net.inet6.ip6.redirect</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Enable privacy settings for IPv6 (RFC 4941)]]></descr>
-			<tunable>net.inet6.ip6.use_tempaddr</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Prefer privacy addresses and use them over the normal addresses]]></descr>
-			<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr>
-			<tunable>net.inet.tcp.syncookies</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Maximum incoming/outgoing TCP datagram size (receive)]]></descr>
-			<tunable>net.inet.tcp.recvspace</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Maximum incoming/outgoing TCP datagram size (send)]]></descr>
-			<tunable>net.inet.tcp.sendspace</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[IP Fastforwarding]]></descr>
-			<tunable>net.inet.ip.fastforwarding</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Do not delay ACK to try and piggyback it onto a data packet]]></descr>
-			<tunable>net.inet.tcp.delayed_ack</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Maximum outgoing UDP datagram size]]></descr>
-			<tunable>net.inet.udp.maxdgram</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Handling of non-IP packets which are not passed to pfil (see if_bridge(4))]]></descr>
-			<tunable>net.link.bridge.pfil_onlyip</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Set to 0 to disable filtering on the incoming and outgoing member interfaces.]]></descr>
-			<tunable>net.link.bridge.pfil_member</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Set to 1 to enable filtering on the bridge interface]]></descr>
-			<tunable>net.link.bridge.pfil_bridge</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Allow unprivileged access to tap(4) device nodes]]></descr>
-			<tunable>net.link.tap.user_open</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())]]></descr>
-			<tunable>kern.randompid</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Maximum size of the IP input queue]]></descr>
-			<tunable>net.inet.ip.intr_queue_maxlen</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Disable CTRL+ALT+Delete reboot from keyboard.]]></descr>
-			<tunable>hw.syscons.kbd_reboot</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Enable TCP extended debugging]]></descr>
-			<tunable>net.inet.tcp.log_debug</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Set ICMP Limits]]></descr>
-			<tunable>net.inet.icmp.icmplim</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[TCP Offload Engine]]></descr>
-			<tunable>net.inet.tcp.tso</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[UDP Checksums]]></descr>
-			<tunable>net.inet.udp.checksum</tunable>
-			<value>default</value>
-		</item>
-		<item>
-			<descr><![CDATA[Maximum socket buffer size]]></descr>
-			<tunable>kern.ipc.maxsockbuf</tunable>
-			<value>default</value>
-		</item>
-	</sysctl>
-	<system>
-		<optimization>normal</optimization>
-		<hostname>OPNsense</hostname>
-		<domain>localdomain</domain>
-		<dnsserver/>
-		<dnsallowoverride/>
-		<group>
-			<name>admins</name>
-			<description><![CDATA[System Administrators]]></description>
-			<scope>system</scope>
-			<gid>1999</gid>
-			<member>0</member>
-			<priv>page-all</priv>
-		</group>
-		<user>
-			<name>root</name>
-			<descr><![CDATA[System Administrator]]></descr>
-			<scope>system</scope>
-			<groupname>admins</groupname>
-			<password>$6$$Y8Et6wWDdXO2tJZRabvSfQvG2Lc8bAS6D9COIsMXEJ2KjA27wqDuAyd/CdazBQc3H3xQX.JXMKxJeRz2OqTkl.</password>
-			<uid>0</uid>
-			<priv>user-shell-access</priv>
-		</user>
-		<nextuid>2000</nextuid>
-		<nextgid>2000</nextgid>
-		<timezone>Etc/UTC</timezone>
-		<time-update-interval>300</time-update-interval>
-		<timeservers>0.nl.pool.ntp.org</timeservers>
-		<webgui>
-			<protocol>https</protocol>
-		</webgui>
-		<disablenatreflection>yes</disablenatreflection>
-		<disableconsolemenu/>
-		<!-- <harddiskstandby></harddiskstandby> -->
-		<disablesegmentationoffloading/>
-		<disablelargereceiveoffloading/>
-		<ipv6allow/>
-		<powerd_ac_mode>hadp</powerd_ac_mode>
-		<powerd_battery_mode>hadp</powerd_battery_mode>
-		<powerd_normal_mode>hadp</powerd_normal_mode>
-		<bogons>
-			<interval>monthly</interval>
-		</bogons>
-		<kill_states/>
-		<ssh>
-			<sshdkeyonly/>
-		</ssh>
-	</system>
-	<interfaces>
-		<wan>
-			<enable/>
-			<if>mismatch1</if>
-			<mtu></mtu>
-			<ipaddr>dhcp</ipaddr>
-			<ipaddrv6>dhcp6</ipaddrv6>
-			<!-- *or* ipv4-address *or* 'pppoe' *or* 'pptp' *or* 'bigpond' -->
-			<subnet></subnet>
-			<gateway></gateway>
-			<blockpriv/>
-			<blockbogons/>
-			<dhcphostname></dhcphostname>
-			<media></media>
-			<mediaopt></mediaopt>
-			<dhcp6-duid></dhcp6-duid>
-			<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
-			<!--
-			<wireless>
-				*see below (opt[n])*
-			</wireless>
-			-->
-		</wan>
-		<lan>
-			<enable/>
-			<if>mismatch0</if>
-			<ipaddr>192.168.1.1</ipaddr>
-			<subnet>24</subnet>
-			<ipaddrv6>track6</ipaddrv6>
-			<subnetv6>64</subnetv6>
-			<media></media>
-			<mediaopt></mediaopt>
-			<track6-interface>wan</track6-interface>
-			<track6-prefix-id>0</track6-prefix-id>
-			<!--
-			<wireless>
-				*see below (opt[n])*
-			</wireless>
-			-->
-		</lan>
-		<!--
-		<opt[n]>
-			<enable/>
-			<descr></descr>
-			<if></if>
-			<ipaddr></ipaddr>
-			<subnet></subnet>
-			<media></media>
-			<mediaopt></mediaopt>
-			<bridge>lan|wan|opt[n]</bridge>
-			<wireless>
-				<mode>hostap *or* bss *or* ibss</mode>
-				<ssid></ssid>
-				<channel></channel>
-				<wep>
-					<enable/>
-					<key>
-						<txkey/>
-						<value></value>
-					</key>
-				</wep>
-			</wireless>
-		</opt[n]>
-		-->
-	</interfaces>
-	<!--
-	<vlans>
-		<vlan>
-			<tag></tag>
-			<if></if>
-			<descr></descr>
-		</vlan>
-	</vlans>
-	-->
-	<staticroutes>
-		<!--
-		<route>
-			<interface>lan|opt[n]|pptp</interface>
-			<network>xxx.xxx.xxx.xxx/xx</network>
-			<gateway>xxx.xxx.xxx.xxx</gateway>
-			<descr></descr>
-		</route>
-		-->
-	</staticroutes>
-	<dhcpd>
-		<lan>
-			<enable/>
-			<range>
-				<from>192.168.1.100</from>
-				<to>192.168.1.199</to>
-			</range>
-			<!--
-			<winsserver>xxx.xxx.xxx.xxx</winsserver>
-			<defaultleasetime></defaultleasetime>
-			<maxleasetime></maxleasetime>
-			<gateway>xxx.xxx.xxx.xxx</gateway>
-			<domain></domain>
-			<dnsserver></dnsserver>
-			<ntpserver>xxx.xxx.xxx.xxx</ntpserver>
-			<next-server></next-server>
-			<filename></filename>
-			<filename32></filename32>
-			<filename64></filename64>
-			-->
-		</lan>
-		<!--
-		<opt[n]>
-			...
-		</opt[n]>
-		-->
-		<!--
-		<staticmap>
-			<mac>xx:xx:xx:xx:xx:xx</mac>
-			<ipaddr>xxx.xxx.xxx.xxx</ipaddr>
-			<descr></descr>
-		</staticmap>
-		-->
-	</dhcpd>
-	<pptpd>
-		<mode><!-- off *or* server *or* redir --></mode>
-		<redir/>
-		<localip/>
-		<remoteip/>
-		<!-- <accounting/> -->
-		<!--
-		<user>
-			<name></name>
-			<password></password>
-		</user>
-		-->
-	</pptpd>
-	<dnsmasq>
-		<enable/>
-		<!--
-		<hosts>
-			<host></host>
-			<domain></domain>
-			<ip></ip>
-			<descr></descr>
-		</hosts>
-		-->
-	</dnsmasq>
-	<snmpd>
-		<!-- <enable/> -->
-		<syslocation/>
-		<syscontact/>
-		<rocommunity>public</rocommunity>
-	</snmpd>
-	<diag>
-		<ipv6nat>
-			<!-- <enable/> -->
-			<ipaddr/>
-		</ipv6nat>
-	</diag>
-	<bridge>
-		<!-- <filteringbridge/> -->
-	</bridge>
-	<syslog>
-		<reverse/>
-		<!--
-		<enable/>
-		<remoteserver>xxx.xxx.xxx.xxx</remoteserver>
-		<filter/>
-		<dhcp/>
-		<system/>
-		<nologdefaultblock/>
-		-->
-	</syslog>
-	<!--
-	<captiveportal>
-		<enable/>
-		<interface>lan|opt[n]</interface>
-		<idletimeout>minutes</idletimeout>
-		<timeout>minutes</timeout>
-		<page>
-			<htmltext></htmltext>
-			<errtext></errtext>
-		</page>
-		<httpslogin/>
-		<httpsname></httpsname>
-		<redirurl></redirurl>
-		<radiusip></radiusip>
-		<radiusport></radiusport>
-		<radiuskey></radiuskey>
-		<nomacfilter/>
-	</captiveportal>
-	-->
-	<nat>
-		<outbound>
-			<mode>automatic</mode>
-			<!--
-			<rule>
-				<interface></interface>
-				<source>
-					<network>xxx.xxx.xxx.xxx/xx</network>
-				</source>
-				<destination>
-					<not/>
-					<any/>
-					*or*
-					<network>xxx.xxx.xxx.xxx/xx</network>
-				</destination>
-				<target>xxx.xxx.xxx.xxx</target>
-				<descr></descr>
-			</rule>
-			-->
-		</outbound>
-		<!--
-		<rule>
-			<interface></interface>
-			<external-address></external-address>
-			<protocol></protocol>
-			<external-port></external-port>
-			<target></target>
-			<local-port></local-port>
-			<descr></descr>
-		</rule>
-		-->
-		<!--
-		<onetoone>
-			<interface></interface>
-			<external>xxx.xxx.xxx.xxx</external>
-			<internal>xxx.xxx.xxx.xxx</internal>
-			<subnet></subnet>
-			<descr></descr>
-		</onetoone>
-		-->
-		<!--
-		<servernat>
-			<ipaddr></ipaddr>
-			<descr></descr>
-		</servernat>
-		-->
-	</nat>
-	<filter>
-		<!-- <tcpidletimeout></tcpidletimeout> -->
-		<rule>
-			<type>pass</type>
-			<ipprotocol>inet</ipprotocol>
-			<descr><![CDATA[Default allow LAN to any rule]]></descr>
-			<interface>lan</interface>
-			<source>
-				<network>lan</network>
-			</source>
-			<destination>
-				<any/>
-			</destination>
-		</rule>
-		<rule>
-			<type>pass</type>
-			<ipprotocol>inet6</ipprotocol>
-			<descr><![CDATA[Default allow LAN IPv6 to any rule]]></descr>
-			<interface>lan</interface>
-			<source>
-				<network>lan</network>
-			</source>
-			<destination>
-				<any/>
-			</destination>
-		</rule>
-		<!-- rule syntax:
-		<rule>
-			<disabled/>
-			<id>[0-9]*</id>
-			<type>pass|block|reject</type>
-			<ipprotocol>inet|inet6</ipprotocol>
-			<descr>...</descr>
-			<interface>lan|opt[n]|wan|pptp</interface>
-			<protocol>tcp|udp|tcp/udp|...</protocol>
-			<icmptype></icmptype>
-			<source>
-				<not/>
+  <trigger_initial_wizard/>
+  <version>11.2</version>
+  <lastchange></lastchange>
+  <theme>opnsense</theme>
+  <sysctl>
+    <item>
+      <descr><![CDATA[Disable the pf ftp proxy handler.]]></descr>
+      <tunable>debug.pfftpproxy</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Increase UFS read-ahead speeds to match current state of hard drives and NCQ. More information here: http://ivoras.sharanet.org/blog/tree/2010-11-19.ufs-read-ahead.html]]></descr>
+      <tunable>vfs.read_max</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Set the ephemeral port range to be lower.]]></descr>
+      <tunable>net.inet.ip.portrange.first</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Drop packets to closed TCP ports without returning a RST]]></descr>
+      <tunable>net.inet.tcp.blackhole</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Do not send ICMP port unreachable messages for closed UDP ports]]></descr>
+      <tunable>net.inet.udp.blackhole</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Randomize the ID field in IP packets (default is 0: sequential IP IDs)]]></descr>
+      <tunable>net.inet.ip.random_id</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[
+        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+        It can also be used to probe for information about your internal networks. These functions come enabled
+        as part of the standard FreeBSD core system.
+      ]]></descr>
+      <tunable>net.inet.ip.sourceroute</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[
+        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+        It can also be used to probe for information about your internal networks. These functions come enabled
+        as part of the standard FreeBSD core system.
+      ]]></descr>
+      <tunable>net.inet.ip.accept_sourceroute</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[
+        Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
+        to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
+        packets without returning a response.
+      ]]></descr>
+      <tunable>net.inet.icmp.drop_redirect</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[
+        This option turns off the logging of redirect packets because there is no limit and this could fill
+        up your logs consuming your whole hard drive.
+      ]]></descr>
+      <tunable>net.inet.icmp.log_redirect</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>
+      <tunable>net.inet.tcp.drop_synfin</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Enable sending IPv4 redirects]]></descr>
+      <tunable>net.inet.ip.redirect</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Enable sending IPv6 redirects]]></descr>
+      <tunable>net.inet6.ip6.redirect</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Enable privacy settings for IPv6 (RFC 4941)]]></descr>
+      <tunable>net.inet6.ip6.use_tempaddr</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Prefer privacy addresses and use them over the normal addresses]]></descr>
+      <tunable>net.inet6.ip6.prefer_tempaddr</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr>
+      <tunable>net.inet.tcp.syncookies</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Maximum incoming/outgoing TCP datagram size (receive)]]></descr>
+      <tunable>net.inet.tcp.recvspace</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Maximum incoming/outgoing TCP datagram size (send)]]></descr>
+      <tunable>net.inet.tcp.sendspace</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[IP Fastforwarding]]></descr>
+      <tunable>net.inet.ip.fastforwarding</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Do not delay ACK to try and piggyback it onto a data packet]]></descr>
+      <tunable>net.inet.tcp.delayed_ack</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Maximum outgoing UDP datagram size]]></descr>
+      <tunable>net.inet.udp.maxdgram</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Handling of non-IP packets which are not passed to pfil (see if_bridge(4))]]></descr>
+      <tunable>net.link.bridge.pfil_onlyip</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Set to 0 to disable filtering on the incoming and outgoing member interfaces.]]></descr>
+      <tunable>net.link.bridge.pfil_member</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Set to 1 to enable filtering on the bridge interface]]></descr>
+      <tunable>net.link.bridge.pfil_bridge</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Allow unprivileged access to tap(4) device nodes]]></descr>
+      <tunable>net.link.tap.user_open</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())]]></descr>
+      <tunable>kern.randompid</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Maximum size of the IP input queue]]></descr>
+      <tunable>net.inet.ip.intr_queue_maxlen</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Disable CTRL+ALT+Delete reboot from keyboard.]]></descr>
+      <tunable>hw.syscons.kbd_reboot</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Enable TCP extended debugging]]></descr>
+      <tunable>net.inet.tcp.log_debug</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Set ICMP Limits]]></descr>
+      <tunable>net.inet.icmp.icmplim</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[TCP Offload Engine]]></descr>
+      <tunable>net.inet.tcp.tso</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[UDP Checksums]]></descr>
+      <tunable>net.inet.udp.checksum</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr><![CDATA[Maximum socket buffer size]]></descr>
+      <tunable>kern.ipc.maxsockbuf</tunable>
+      <value>default</value>
+    </item>
+  </sysctl>
+  <system>
+    <optimization>normal</optimization>
+    <hostname>OPNsense</hostname>
+    <domain>localdomain</domain>
+    <dnsserver/>
+    <dnsallowoverride/>
+    <group>
+      <name>admins</name>
+      <description><![CDATA[System Administrators]]></description>
+      <scope>system</scope>
+      <gid>1999</gid>
+      <member>0</member>
+      <priv>page-all</priv>
+    </group>
+    <user>
+      <name>root</name>
+      <descr><![CDATA[System Administrator]]></descr>
+      <scope>system</scope>
+      <groupname>admins</groupname>
+      <password>$6$$Y8Et6wWDdXO2tJZRabvSfQvG2Lc8bAS6D9COIsMXEJ2KjA27wqDuAyd/CdazBQc3H3xQX.JXMKxJeRz2OqTkl.</password>
+      <uid>0</uid>
+      <priv>user-shell-access</priv>
+    </user>
+    <nextuid>2000</nextuid>
+    <nextgid>2000</nextgid>
+    <timezone>Europe/Amsterdam</timezone>
+    <time-update-interval>300</time-update-interval>
+    <timeservers>0.nl.pool.ntp.org</timeservers>
+    <webgui>
+      <protocol>https</protocol>
+    </webgui>
+    <disablenatreflection>yes</disablenatreflection>
+    <disableconsolemenu/>
+    <disablesegmentationoffloading/>
+    <disablelargereceiveoffloading/>
+    <ipv6allow/>
+    <powerd_ac_mode>hadp</powerd_ac_mode>
+    <powerd_battery_mode>hadp</powerd_battery_mode>
+    <powerd_normal_mode>hadp</powerd_normal_mode>
+    <bogons>
+      <interval>monthly</interval>
+    </bogons>
+    <kill_states/>
+  </system>
+  <interfaces>
+    <wan>
+      <enable/>
+      <if>mismatch1</if>
+      <mtu></mtu>
+      <ipaddr>dhcp</ipaddr>
+      <ipaddrv6>dhcp6</ipaddrv6>
+      <subnet></subnet>
+      <gateway></gateway>
+      <blockpriv/>
+      <blockbogons/>
+      <dhcphostname></dhcphostname>
+      <media></media>
+      <mediaopt></mediaopt>
+      <dhcp6-duid></dhcp6-duid>
+      <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
+    </wan>
+    <lan>
+      <enable/>
+      <if>mismatch0</if>
+      <ipaddr>192.168.1.1</ipaddr>
+      <subnet>24</subnet>
+      <ipaddrv6>track6</ipaddrv6>
+      <subnetv6>64</subnetv6>
+      <media></media>
+      <mediaopt></mediaopt>
+      <track6-interface>wan</track6-interface>
+      <track6-prefix-id>0</track6-prefix-id>
+    </lan>
+  </interfaces>
+  <staticroutes>
+    <!--
+    <route>
+      <interface>lan|opt[n]|pptp</interface>
+      <network>xxx.xxx.xxx.xxx/xx</network>
+      <gateway>xxx.xxx.xxx.xxx</gateway>
+      <descr></descr>
+    </route>
+    -->
+  </staticroutes>
+  <dhcpd>
+    <lan>
+      <enable/>
+      <range>
+        <from>192.168.1.100</from>
+        <to>192.168.1.199</to>
+      </range>
+      <!--
+      <winsserver>xxx.xxx.xxx.xxx</winsserver>
+      <defaultleasetime></defaultleasetime>
+      <maxleasetime></maxleasetime>
+      <gateway>xxx.xxx.xxx.xxx</gateway>
+      <domain></domain>
+      <dnsserver></dnsserver>
+      <ntpserver>xxx.xxx.xxx.xxx</ntpserver>
+      <next-server></next-server>
+      <filename></filename>
+      <filename32></filename32>
+      <filename64></filename64>
+      -->
+    </lan>
+    <!--
+    <opt[n]>
+      ...
+    </opt[n]>
+    -->
+    <!--
+    <staticmap>
+      <mac>xx:xx:xx:xx:xx:xx</mac>
+      <ipaddr>xxx.xxx.xxx.xxx</ipaddr>
+      <descr></descr>
+    </staticmap>
+    -->
+  </dhcpd>
+  <pptpd>
+    <mode><!-- off *or* server *or* redir --></mode>
+    <redir/>
+    <localip/>
+    <remoteip/>
+    <!-- <accounting/> -->
+    <!--
+    <user>
+      <name></name>
+      <password></password>
+    </user>
+    -->
+  </pptpd>
+  <dnsmasq>
+    <enable/>
+    <!--
+    <hosts>
+      <host></host>
+      <domain></domain>
+      <ip></ip>
+      <descr></descr>
+    </hosts>
+    -->
+  </dnsmasq>
+  <snmpd>
+    <!-- <enable/> -->
+    <syslocation/>
+    <syscontact/>
+    <rocommunity>public</rocommunity>
+  </snmpd>
+  <diag>
+    <ipv6nat>
+      <!-- <enable/> -->
+      <ipaddr/>
+    </ipv6nat>
+  </diag>
+  <bridge>
+    <!-- <filteringbridge/> -->
+  </bridge>
+  <syslog>
+    <reverse/>
+    <!--
+    <enable/>
+    <remoteserver>xxx.xxx.xxx.xxx</remoteserver>
+    <filter/>
+    <dhcp/>
+    <system/>
+    <nologdefaultblock/>
+    -->
+  </syslog>
+  <nat>
+    <outbound>
+      <mode>automatic</mode>
+      <!--
+      <rule>
+        <interface></interface>
+        <source>
+          <network>xxx.xxx.xxx.xxx/xx</network>
+        </source>
+        <destination>
+          <not/>
+          <any/>
+          *or*
+          <network>xxx.xxx.xxx.xxx/xx</network>
+        </destination>
+        <target>xxx.xxx.xxx.xxx</target>
+        <descr></descr>
+      </rule>
+      -->
+    </outbound>
+    <!--
+    <rule>
+      <interface></interface>
+      <external-address></external-address>
+      <protocol></protocol>
+      <external-port></external-port>
+      <target></target>
+      <local-port></local-port>
+      <descr></descr>
+    </rule>
+    -->
+    <!--
+    <onetoone>
+      <interface></interface>
+      <external>xxx.xxx.xxx.xxx</external>
+      <internal>xxx.xxx.xxx.xxx</internal>
+      <subnet></subnet>
+      <descr></descr>
+    </onetoone>
+    -->
+    <!--
+    <servernat>
+      <ipaddr></ipaddr>
+      <descr></descr>
+    </servernat>
+    -->
+  </nat>
+  <filter>
+    <!-- <tcpidletimeout></tcpidletimeout> -->
+    <rule>
+      <type>pass</type>
+      <ipprotocol>inet</ipprotocol>
+      <descr><![CDATA[Default allow LAN to any rule]]></descr>
+      <interface>lan</interface>
+      <source>
+        <network>lan</network>
+      </source>
+      <destination>
+        <any/>
+      </destination>
+    </rule>
+    <rule>
+      <type>pass</type>
+      <ipprotocol>inet6</ipprotocol>
+      <descr><![CDATA[Default allow LAN IPv6 to any rule]]></descr>
+      <interface>lan</interface>
+      <source>
+        <network>lan</network>
+      </source>
+      <destination>
+        <any/>
+      </destination>
+    </rule>
+    <!-- rule syntax:
+    <rule>
+      <disabled/>
+      <id>[0-9]*</id>
+      <type>pass|block|reject</type>
+      <ipprotocol>inet|inet6</ipprotocol>
+      <descr>...</descr>
+      <interface>lan|opt[n]|wan|pptp</interface>
+      <protocol>tcp|udp|tcp/udp|...</protocol>
+      <icmptype></icmptype>
+      <source>
+        <not/>

-				<address>xxx.xxx.xxx.xxx(/xx) or alias</address>
-				*or*
-				<network>lan|opt[n]|pptp</network>
-				*or*
-				<any/>
+        <address>xxx.xxx.xxx.xxx(/xx) or alias</address>
+        *or*
+        <network>lan|opt[n]|pptp</network>
+        *or*
+        <any/>

-				<port>a[-b]</port>
-			</source>
-			<destination>
-				*same as for source*
-			</destination>
-			<frags/>
-			<log/>
-		</rule>
-		-->
-	</filter>
-	<proxyarp>
-		<!--
-		<proxyarpnet>
-			<network>xxx.xxx.xxx.xxx/xx</network>
-			*or*
-			<range>
-				<from>xxx.xxx.xxx.xxx</from>
-				<to>xxx.xxx.xxx.xxx</to>
-			</range>
-		</proxyarpnet>
-		-->
-	</proxyarp>
-	<cron>
-		<item>
-			<minute>1,31</minute>
-			<hour>0-5</hour>
-			<mday>*</mday>
-			<month>*</month>
-			<wday>*</wday>
-			<who>root</who>
-			<command>adjkerntz -a</command>
-		</item>
-		<item>
-			<minute>1</minute>
-			<hour>3</hour>
-			<mday>1</mday>
-			<month>*</month>
-			<wday>*</wday>
-			<who>root</who>
-			<command>/usr/local/etc/rc.update_bogons</command>
-		</item>
-		<item>
-			<minute>*/60</minute>
-			<hour>*</hour>
-			<mday>*</mday>
-			<month>*</month>
-			<wday>*</wday>
-			<who>root</who>
-			<command>/usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
-		</item>
-		<item>
-			<minute>1</minute>
-			<hour>1</hour>
-			<mday>*</mday>
-			<month>*</month>
-			<wday>*</wday>
-			<who>root</who>
-			<command>/usr/local/etc/rc.dyndns.update</command>
-		</item>
-		<item>
-			<minute>*/60</minute>
-			<hour>*</hour>
-			<mday>*</mday>
-			<month>*</month>
-			<wday>*</wday>
-			<who>root</who>
-			<command>/usr/local/sbin/expiretable -v -t 3600 virusprot</command>
-		</item>
-		<item>
-			<minute>30</minute>
-			<hour>12</hour>
-			<mday>*</mday>
-			<month>*</month>
-			<wday>*</wday>
-			<who>root</who>
-			<command>/usr/local/etc/rc.update_urltables</command>
-		</item>
-	</cron>
-	<wol>
-		<!--
-		<wolentry>
-			<interface>lan|opt[n]</interface>
-			<mac>xx:xx:xx:xx:xx:xx</mac>
-			<descr></descr>
-		</wolentry>
-		-->
-	</wol>
-	<rrd>
-		<enable/>
-	</rrd>
-	<load_balancer>
-		<monitor_type>
-			<name>ICMP</name>
-			<type>icmp</type>
-			<descr><![CDATA[ICMP]]></descr>
-			<options/>
-		</monitor_type>
-		<monitor_type>
-			<name>TCP</name>
-			<type>tcp</type>
-			<descr><![CDATA[Generic TCP]]></descr>
-			<options/>
-		</monitor_type>
-		<monitor_type>
-			<name>HTTP</name>
-			<type>http</type>
-			<descr><![CDATA[Generic HTTP]]></descr>
-			<options>
-				<path>/</path>
-				<host/>
-				<code>200</code>
-			</options>
-		</monitor_type>
-		<monitor_type>
-			<name>HTTPS</name>
-			<type>https</type>
-			<descr><![CDATA[Generic HTTPS]]></descr>
-			<options>
-				<path>/</path>
-				<host/>
-				<code>200</code>
-			</options>
-		</monitor_type>
-		<monitor_type>
-			<name>SMTP</name>
-			<type>send</type>
-			<descr><![CDATA[Generic SMTP]]></descr>
-			<options>
-				<send></send>
-				<expect>220 *</expect>
-			</options>
-		</monitor_type>
-	</load_balancer>
-	<widgets>
-		<sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interface_list-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence>
-	</widgets>
+        <port>a[-b]</port>
+      </source>
+      <destination>
+        *same as for source*
+      </destination>
+      <frags/>
+      <log/>
+    </rule>
+    -->
+  </filter>
+  <proxyarp>
+    <!--
+    <proxyarpnet>
+      <network>xxx.xxx.xxx.xxx/xx</network>
+      *or*
+      <range>
+        <from>xxx.xxx.xxx.xxx</from>
+        <to>xxx.xxx.xxx.xxx</to>
+      </range>
+    </proxyarpnet>
+    -->
+  </proxyarp>
+  <cron>
+    <item>
+      <minute>1,31</minute>
+      <hour>0-5</hour>
+      <mday>*</mday>
+      <month>*</month>
+      <wday>*</wday>
+      <who>root</who>
+      <command>adjkerntz -a</command>
+    </item>
+    <item>
+      <minute>1</minute>
+      <hour>3</hour>
+      <mday>1</mday>
+      <month>*</month>
+      <wday>*</wday>
+      <who>root</who>
+      <command>/usr/local/etc/rc.update_bogons</command>
+    </item>
+    <item>
+      <minute>*/60</minute>
+      <hour>*</hour>
+      <mday>*</mday>
+      <month>*</month>
+      <wday>*</wday>
+      <who>root</who>
+      <command>/usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
+    </item>
+    <item>
+      <minute>1</minute>
+      <hour>1</hour>
+      <mday>*</mday>
+      <month>*</month>
+      <wday>*</wday>
+      <who>root</who>
+      <command>/usr/local/etc/rc.dyndns.update</command>
+    </item>
+    <item>
+      <minute>*/60</minute>
+      <hour>*</hour>
+      <mday>*</mday>
+      <month>*</month>
+      <wday>*</wday>
+      <who>root</who>
+      <command>/usr/local/sbin/expiretable -v -t 3600 virusprot</command>
+    </item>
+    <item>
+      <minute>30</minute>
+      <hour>12</hour>
+      <mday>*</mday>
+      <month>*</month>
+      <wday>*</wday>
+      <who>root</who>
+      <command>/usr/local/etc/rc.update_urltables</command>
+    </item>
+  </cron>
+  <wol>
+    <!--
+    <wolentry>
+      <interface>lan|opt[n]</interface>
+      <mac>xx:xx:xx:xx:xx:xx</mac>
+      <descr></descr>
+    </wolentry>
+    -->
+  </wol>
+  <rrd>
+    <enable/>
+  </rrd>
+  <load_balancer>
+    <monitor_type>
+      <name>ICMP</name>
+      <type>icmp</type>
+      <descr><![CDATA[ICMP]]></descr>
+      <options/>
+    </monitor_type>
+    <monitor_type>
+      <name>TCP</name>
+      <type>tcp</type>
+      <descr><![CDATA[Generic TCP]]></descr>
+      <options/>
+    </monitor_type>
+    <monitor_type>
+      <name>HTTP</name>
+      <type>http</type>
+      <descr><![CDATA[Generic HTTP]]></descr>
+      <options>
+        <path>/</path>
+        <host/>
+        <code>200</code>
+      </options>
+    </monitor_type>
+    <monitor_type>
+      <name>HTTPS</name>
+      <type>https</type>
+      <descr><![CDATA[Generic HTTPS]]></descr>
+      <options>
+        <path>/</path>
+        <host/>
+        <code>200</code>
+      </options>
+    </monitor_type>
+    <monitor_type>
+      <name>SMTP</name>
+      <type>send</type>
+      <descr><![CDATA[Generic SMTP]]></descr>
+      <options>
+        <send></send>
+        <expect>220 *</expect>
+      </options>
+    </monitor_type>
+  </load_balancer>
+  <widgets>
+    <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interface_list-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence>
+  </widgets>
 </opnsense>
--- a/src/etc/inc/config.lib.inc
+++ b/src/etc/inc/config.lib.inc
@@ -37,7 +37,6 @@ require_once("legacy_bindings.inc");
 require_once('upgrade_config.inc');
 require_once("certs.inc");

-
 /* make a global alias table (for faster lookups) */
 function alias_make_table($config)
 {
@@ -98,11 +97,19 @@ function parse_config()
 *   null
 ******/
 /* convert configuration, if necessary */
-function convert_config() {
+function convert_config()
+{
 	global $config, $g;
-	$now = date("H:i:s");
-	log_error(sprintf(gettext("Start Configuration upgrade at %s, set execution timeout to 15 minutes"), $now));
-	//ini_set("max_execution_time", "900");
+
+	if (!isset($config['revision'])) {
+		/* force a revision tag for proper handling in config history */
+		write_config('Factory configuration', false);
+	}
+
+	if ($config['version'] == $g['latest_config']) {
+		/* already at latest version */
+		return;
+	}

 	/* special case upgrades */
 	/* fix every minute crontab bogons entry */
@@ -118,8 +125,6 @@ function convert_config() {
 			}
 		}
 	}
-	if ($config['version'] == $g['latest_config'])
-		return;		/* already at latest version */

 	// Save off config version
 	$prev_version = $config['version'];
@@ -134,11 +139,9 @@ function convert_config() {
 		$config['version'] = sprintf('%.1f', $next / 10);
 	}

-	$now = date("H:i:s");
-	log_error(sprintf(gettext("Ended Configuration upgrade at %s"), $now));
-
-	if ($prev_version != $config['version'])
+	if ($prev_version != $config['version']) {
 		write_config(sprintf(gettext('Upgraded config version level from %1$s to %2$s'), $prev_version, $config['version']));
+	}
 }


@@ -318,7 +321,10 @@ function set_device_perms() {
 }


-function make_config_revision_entry($desc = null, $override_user = null) {
+function make_config_revision_entry($desc = null, $override_user = null)
+{
+	global $config;
+
 	if (empty($override_user)) {
 		if (empty($_SESSION["Username"])) {
 			$username = getenv("USER");
@@ -330,22 +336,26 @@ function make_config_revision_entry($desc = null, $override_user = null) {
 		if (!empty($_SERVER['REMOTE_ADDR'])) {
 			$username .= '@' . $_SERVER['REMOTE_ADDR'];
 		}
-	}
-	else {
+	} else {
 		$username = $override_user;
 	}

 	$revision = array();

-	if (time() > mktime(0, 0, 0, 9, 1, 2004))       /* make sure the clock settings are plausible */
-		$revision['time'] = time();
-
-	/* Log the running script so it's not entirely unlogged what changed */
-	if ($desc == "Unknown")
-		$desc = sprintf(gettext("%s made unknown change"), $_SERVER['SCRIPT_NAME']);
-	if (!empty($desc))
-		$revision['description'] = "{$username}: " . $desc;
 	$revision['username'] = $username;
+
+	$revision['time'] = time();
+	if ($revision['time'] == $config['revision']['time']) {
+		/* avoid conflicting timestamps (a second is long) */
+		$revision['time'] = intval($revision['time']) + 1;
+	}
+
+	if ($desc == null || $desc == 'Unknown') {
+		$revision['description'] = sprintf(gettext("%s made unknown change"), $_SERVER['SCRIPT_NAME']);
+	} else {
+		$revision['description'] = $desc;
+	}
+
 	return $revision;
 }


--- a/src/etc/rc.bootup
+++ b/src/etc/rc.bootup
@@ -162,6 +162,7 @@ if (is_install_media()) {
 echo "Loading configuration...";
 global $config;
 $config = parse_config();
+convert_config();
 echo "done.\n";

 /*
@@ -177,11 +178,6 @@ if (is_interface_mismatch()) {
 	led_kitt();
 }

-/* convert config and clean backups */
-echo "Updating configuration...";
-convert_config();
-echo "done.\n";
-
 /* read in /etc/sysctl.conf and set values if needed */
 echo "Setting up extended sysctls...";
 system_setup_sysctl();