<?xml version="1.0"?>
<opnsense>
	<trigger_initial_wizard/>
	<version>9.9</version>
	<lastchange></lastchange>
	<theme>opnsense</theme>
	<sysctl>
		<item>
			<descr><![CDATA[Disable the pf ftp proxy handler.]]></descr>
			<tunable>debug.pfftpproxy</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Increase UFS read-ahead speeds to match current state of hard drives and NCQ. More information here: http://ivoras.sharanet.org/blog/tree/2010-11-19.ufs-read-ahead.html]]></descr>
			<tunable>vfs.read_max</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Set the ephemeral port range to be lower.]]></descr>
			<tunable>net.inet.ip.portrange.first</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Drop packets to closed TCP ports without returning a RST]]></descr>
			<tunable>net.inet.tcp.blackhole</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Do not send ICMP port unreachable messages for closed UDP ports]]></descr>
			<tunable>net.inet.udp.blackhole</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Randomize the ID field in IP packets (default is 0: sequential IP IDs)]]></descr>
			<tunable>net.inet.ip.random_id</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[
				Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
				It can also be used to probe for information about your internal networks. These functions come enabled
				as part of the standard FreeBSD core system.
			]]></descr>
			<tunable>net.inet.ip.sourceroute</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[
				Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
				It can also be used to probe for information about your internal networks. These functions come enabled
				as part of the standard FreeBSD core system.
			]]></descr>
			<tunable>net.inet.ip.accept_sourceroute</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[
				Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
				to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
				packets without returning a response.
			]]></descr>
			<tunable>net.inet.icmp.drop_redirect</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[
				This option turns off the logging of redirect packets because there is no limit and this could fill
				up your logs consuming your whole hard drive.
			]]></descr>
			<tunable>net.inet.icmp.log_redirect</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>
			<tunable>net.inet.tcp.drop_synfin</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Enable sending IPv4 redirects]]></descr>
			<tunable>net.inet.ip.redirect</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Enable sending IPv6 redirects]]></descr>
			<tunable>net.inet6.ip6.redirect</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Enable privacy settings for IPv6 (RFC 4941)]]></descr>
			<tunable>net.inet6.ip6.use_tempaddr</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Prefer privacy addresses and use them over the normal addresses]]></descr>
			<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr>
			<tunable>net.inet.tcp.syncookies</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Maximum incoming/outgoing TCP datagram size (receive)]]></descr>
			<tunable>net.inet.tcp.recvspace</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Maximum incoming/outgoing TCP datagram size (send)]]></descr>
			<tunable>net.inet.tcp.sendspace</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[IP Fastforwarding]]></descr>
			<tunable>net.inet.ip.fastforwarding</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Do not delay ACK to try and piggyback it onto a data packet]]></descr>
			<tunable>net.inet.tcp.delayed_ack</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Maximum outgoing UDP datagram size]]></descr>
			<tunable>net.inet.udp.maxdgram</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Handling of non-IP packets which are not passed to pfil (see if_bridge(4))]]></descr>
			<tunable>net.link.bridge.pfil_onlyip</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Set to 0 to disable filtering on the incoming and outgoing member interfaces.]]></descr>
			<tunable>net.link.bridge.pfil_member</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Set to 1 to enable filtering on the bridge interface]]></descr>
			<tunable>net.link.bridge.pfil_bridge</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Allow unprivileged access to tap(4) device nodes]]></descr>
			<tunable>net.link.tap.user_open</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())]]></descr>
			<tunable>kern.randompid</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Maximum size of the IP input queue]]></descr>
			<tunable>net.inet.ip.intr_queue_maxlen</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Disable CTRL+ALT+Delete reboot from keyboard.]]></descr>
			<tunable>hw.syscons.kbd_reboot</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Enable TCP extended debugging]]></descr>
			<tunable>net.inet.tcp.log_debug</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Set ICMP Limits]]></descr>
			<tunable>net.inet.icmp.icmplim</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[TCP Offload Engine]]></descr>
			<tunable>net.inet.tcp.tso</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[UDP Checksums]]></descr>
			<tunable>net.inet.udp.checksum</tunable>
			<value>default</value>
		</item>
		<item>
			<descr><![CDATA[Maximum socket buffer size]]></descr>
			<tunable>kern.ipc.maxsockbuf</tunable>
			<value>default</value>
		</item>
	</sysctl>
	<system>
		<optimization>normal</optimization>
		<hostname>OPNsense</hostname>
		<domain>localdomain</domain>
		<dnsserver/>
		<dnsallowoverride/>
		<group>
			<name>all</name>
			<description><![CDATA[All Users]]></description>
			<scope>system</scope>
			<gid>1998</gid>
		</group>
		<group>
			<name>admins</name>
			<description><![CDATA[System Administrators]]></description>
			<scope>system</scope>
			<gid>1999</gid>
			<member>0</member>
			<priv>page-all</priv>
		</group>
		<user>
			<name>root</name>
			<descr><![CDATA[System Administrator]]></descr>
			<scope>system</scope>
			<groupname>admins</groupname>
			<password>$6$$Y8Et6wWDdXO2tJZRabvSfQvG2Lc8bAS6D9COIsMXEJ2KjA27wqDuAyd/CdazBQc3H3xQX.JXMKxJeRz2OqTkl.</password>
			<uid>0</uid>
			<priv>user-shell-access</priv>
		</user>
		<nextuid>2000</nextuid>
		<nextgid>2000</nextgid>
		<timezone>Etc/UTC</timezone>
		<time-update-interval>300</time-update-interval>
		<timeservers>0.nl.pool.ntp.org</timeservers>
		<webgui>
			<protocol>https</protocol>
		</webgui>
		<disablenatreflection>yes</disablenatreflection>
		<disableconsolemenu/>
		<!-- <harddiskstandby></harddiskstandby> -->
		<disablesegmentationoffloading/>
		<disablelargereceiveoffloading/>
		<ipv6allow/>
		<powerd_ac_mode>hadp</powerd_ac_mode>
		<powerd_battery_mode>hadp</powerd_battery_mode>
		<powerd_normal_mode>hadp</powerd_normal_mode>
		<bogons>
			<interval>monthly</interval>
		</bogons>
		<kill_states/>
		<ssh>
			<sshdkeyonly/>
		</ssh>
	</system>
	<interfaces>
		<wan>
			<enable/>
			<if>mismatch1</if>
			<mtu></mtu>
			<ipaddr>dhcp</ipaddr>
			<ipaddrv6>dhcp6</ipaddrv6>
			<!-- *or* ipv4-address *or* 'pppoe' *or* 'pptp' *or* 'bigpond' -->
			<subnet></subnet>
			<gateway></gateway>
			<blockpriv/>
			<blockbogons/>
			<dhcphostname></dhcphostname>
			<media></media>
			<mediaopt></mediaopt>
			<dhcp6-duid></dhcp6-duid>
			<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
			<!--
			<wireless>
				*see below (opt[n])*
			</wireless>
			-->
		</wan>
		<lan>
			<enable/>
			<if>mismatch0</if>
			<ipaddr>192.168.1.1</ipaddr>
			<subnet>24</subnet>
			<ipaddrv6>track6</ipaddrv6>
			<subnetv6>64</subnetv6>
			<media></media>
			<mediaopt></mediaopt>
			<track6-interface>wan</track6-interface>
			<track6-prefix-id>0</track6-prefix-id>
			<!--
			<wireless>
				*see below (opt[n])*
			</wireless>
			-->
		</lan>
		<!--
		<opt[n]>
			<enable/>
			<descr></descr>
			<if></if>
			<ipaddr></ipaddr>
			<subnet></subnet>
			<media></media>
			<mediaopt></mediaopt>
			<bridge>lan|wan|opt[n]</bridge>
			<wireless>
				<mode>hostap *or* bss *or* ibss</mode>
				<ssid></ssid>
				<channel></channel>
				<wep>
					<enable/>
					<key>
						<txkey/>
						<value></value>
					</key>
				</wep>
			</wireless>
		</opt[n]>
		-->
	</interfaces>
	<!--
	<vlans>
		<vlan>
			<tag></tag>
			<if></if>
			<descr></descr>
		</vlan>
	</vlans>
	-->
	<staticroutes>
		<!--
		<route>
			<interface>lan|opt[n]|pptp</interface>
			<network>xxx.xxx.xxx.xxx/xx</network>
			<gateway>xxx.xxx.xxx.xxx</gateway>
			<descr></descr>
		</route>
		-->
	</staticroutes>
	<dhcpd>
		<lan>
			<enable/>
			<range>
				<from>192.168.1.100</from>
				<to>192.168.1.199</to>
			</range>
			<!--
			<winsserver>xxx.xxx.xxx.xxx</winsserver>
			<defaultleasetime></defaultleasetime>
			<maxleasetime></maxleasetime>
			<gateway>xxx.xxx.xxx.xxx</gateway>
			<domain></domain>
			<dnsserver></dnsserver>
			<ntpserver>xxx.xxx.xxx.xxx</ntpserver>
			<next-server></next-server>
			<filename></filename>
			<filename32></filename32>
			<filename64></filename64>
			-->
		</lan>
		<!--
		<opt[n]>
			...
		</opt[n]>
		-->
		<!--
		<staticmap>
			<mac>xx:xx:xx:xx:xx:xx</mac>
			<ipaddr>xxx.xxx.xxx.xxx</ipaddr>
			<descr></descr>
		</staticmap>
		-->
	</dhcpd>
	<pptpd>
		<mode><!-- off *or* server *or* redir --></mode>
		<redir/>
		<localip/>
		<remoteip/>
		<!-- <accounting/> -->
		<!--
		<user>
			<name></name>
			<password></password>
		</user>
		-->
	</pptpd>
	<dnsmasq>
		<enable/>
		<!--
		<hosts>
			<host></host>
			<domain></domain>
			<ip></ip>
			<descr></descr>
		</hosts>
		-->
	</dnsmasq>
	<snmpd>
		<!-- <enable/> -->
		<syslocation/>
		<syscontact/>
		<rocommunity>public</rocommunity>
	</snmpd>
	<diag>
		<ipv6nat>
			<!-- <enable/> -->
			<ipaddr/>
		</ipv6nat>
	</diag>
	<bridge>
		<!-- <filteringbridge/> -->
	</bridge>
	<syslog>
		<reverse/>
		<!--
		<enable/>
		<remoteserver>xxx.xxx.xxx.xxx</remoteserver>
		<filter/>
		<dhcp/>
		<system/>
		<nologdefaultblock/>
		-->
	</syslog>
	<!--
	<captiveportal>
		<enable/>
		<interface>lan|opt[n]</interface>
		<idletimeout>minutes</idletimeout>
		<timeout>minutes</timeout>
		<page>
			<htmltext></htmltext>
			<errtext></errtext>
		</page>
		<httpslogin/>
		<httpsname></httpsname>
		<redirurl></redirurl>
		<radiusip></radiusip>
		<radiusport></radiusport>
		<radiuskey></radiuskey>
		<nomacfilter/>
	</captiveportal>
	-->
	<nat>
		<outbound>
			<mode>automatic</mode>
			<!--
			<rule>
				<interface></interface>
				<source>
					<network>xxx.xxx.xxx.xxx/xx</network>
				</source>
				<destination>
					<not/>
					<any/>
					*or*
					<network>xxx.xxx.xxx.xxx/xx</network>
				</destination>
				<target>xxx.xxx.xxx.xxx</target>
				<descr></descr>
			</rule>
			-->
		</outbound>
		<!--
		<rule>
			<interface></interface>
			<external-address></external-address>
			<protocol></protocol>
			<external-port></external-port>
			<target></target>
			<local-port></local-port>
			<descr></descr>
		</rule>
		-->
		<!--
		<onetoone>
			<interface></interface>
			<external>xxx.xxx.xxx.xxx</external>
			<internal>xxx.xxx.xxx.xxx</internal>
			<subnet></subnet>
			<descr></descr>
		</onetoone>
		-->
		<!--
		<servernat>
			<ipaddr></ipaddr>
			<descr></descr>
		</servernat>
		-->
	</nat>
	<filter>
		<!-- <tcpidletimeout></tcpidletimeout> -->
		<rule>
			<type>pass</type>
			<ipprotocol>inet</ipprotocol>
			<descr><![CDATA[Default allow LAN to any rule]]></descr>
			<interface>lan</interface>
			<source>
				<network>lan</network>
			</source>
			<destination>
				<any/>
			</destination>
		</rule>
		<rule>
			<type>pass</type>
			<ipprotocol>inet6</ipprotocol>
			<descr><![CDATA[Default allow LAN IPv6 to any rule]]></descr>
			<interface>lan</interface>
			<source>
				<network>lan</network>
			</source>
			<destination>
				<any/>
			</destination>
		</rule>
		<!-- rule syntax:
		<rule>
			<disabled/>
			<id>[0-9]*</id>
			<type>pass|block|reject</type>
			<ipprotocol>inet|inet6</ipprotocol>
			<descr>...</descr>
			<interface>lan|opt[n]|wan|pptp</interface>
			<protocol>tcp|udp|tcp/udp|...</protocol>
			<icmptype></icmptype>
			<source>
				<not/>

				<address>xxx.xxx.xxx.xxx(/xx) or alias</address>
				*or*
				<network>lan|opt[n]|pptp</network>
				*or*
				<any/>

				<port>a[-b]</port>
			</source>
			<destination>
				*same as for source*
			</destination>
			<frags/>
			<log/>
		</rule>
		-->
	</filter>
	<proxyarp>
		<!--
		<proxyarpnet>
			<network>xxx.xxx.xxx.xxx/xx</network>
			*or*
			<range>
				<from>xxx.xxx.xxx.xxx</from>
				<to>xxx.xxx.xxx.xxx</to>
			</range>
		</proxyarpnet>
		-->
	</proxyarp>
	<cron>
		<item>
			<minute>1,31</minute>
			<hour>0-5</hour>
			<mday>*</mday>
			<month>*</month>
			<wday>*</wday>
			<who>root</who>
			<command>adjkerntz -a</command>
		</item>
		<item>
			<minute>1</minute>
			<hour>3</hour>
			<mday>1</mday>
			<month>*</month>
			<wday>*</wday>
			<who>root</who>
			<command>/usr/local/etc/rc.update_bogons</command>
		</item>
		<item>
			<minute>*/60</minute>
			<hour>*</hour>
			<mday>*</mday>
			<month>*</month>
			<wday>*</wday>
			<who>root</who>
			<command>/usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
		</item>
		<item>
			<minute>1</minute>
			<hour>1</hour>
			<mday>*</mday>
			<month>*</month>
			<wday>*</wday>
			<who>root</who>
			<command>/usr/local/etc/rc.dyndns.update</command>
		</item>
		<item>
			<minute>*/60</minute>
			<hour>*</hour>
			<mday>*</mday>
			<month>*</month>
			<wday>*</wday>
			<who>root</who>
			<command>/usr/local/sbin/expiretable -v -t 3600 virusprot</command>
		</item>
		<item>
			<minute>30</minute>
			<hour>12</hour>
			<mday>*</mday>
			<month>*</month>
			<wday>*</wday>
			<who>root</who>
			<command>/usr/local/etc/rc.update_urltables</command>
		</item>
	</cron>
	<wol>
		<!--
		<wolentry>
			<interface>lan|opt[n]</interface>
			<mac>xx:xx:xx:xx:xx:xx</mac>
			<descr></descr>
		</wolentry>
		-->
	</wol>
	<rrd>
		<enable/>
	</rrd>
	<load_balancer>
		<monitor_type>
			<name>ICMP</name>
			<type>icmp</type>
			<descr><![CDATA[ICMP]]></descr>
			<options/>
		</monitor_type>
		<monitor_type>
			<name>TCP</name>
			<type>tcp</type>
			<descr><![CDATA[Generic TCP]]></descr>
			<options/>
		</monitor_type>
		<monitor_type>
			<name>HTTP</name>
			<type>http</type>
			<descr><![CDATA[Generic HTTP]]></descr>
			<options>
				<path>/</path>
				<host/>
				<code>200</code>
			</options>
		</monitor_type>
		<monitor_type>
			<name>HTTPS</name>
			<type>https</type>
			<descr><![CDATA[Generic HTTPS]]></descr>
			<options>
				<path>/</path>
				<host/>
				<code>200</code>
			</options>
		</monitor_type>
		<monitor_type>
			<name>SMTP</name>
			<type>send</type>
			<descr><![CDATA[Generic SMTP]]></descr>
			<options>
				<send></send>
				<expect>220 *</expect>
			</options>
		</monitor_type>
	</load_balancer>
	<widgets>
		<sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interface_list-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence>
	</widgets>
</opnsense>