<?xml version="1.0"?> <opnsense> <trigger_initial_wizard/> <version>9.9</version> <lastchange></lastchange> <theme>opnsense</theme> <sysctl> <item> <descr><![CDATA[Disable the pf ftp proxy handler.]]></descr> <tunable>debug.pfftpproxy</tunable> <value>default</value> </item> <item> <descr><![CDATA[Increase UFS read-ahead speeds to match current state of hard drives and NCQ. More information here: http://ivoras.sharanet.org/blog/tree/2010-11-19.ufs-read-ahead.html]]></descr> <tunable>vfs.read_max</tunable> <value>default</value> </item> <item> <descr><![CDATA[Set the ephemeral port range to be lower.]]></descr> <tunable>net.inet.ip.portrange.first</tunable> <value>default</value> </item> <item> <descr><![CDATA[Drop packets to closed TCP ports without returning a RST]]></descr> <tunable>net.inet.tcp.blackhole</tunable> <value>default</value> </item> <item> <descr><![CDATA[Do not send ICMP port unreachable messages for closed UDP ports]]></descr> <tunable>net.inet.udp.blackhole</tunable> <value>default</value> </item> <item> <descr><![CDATA[Randomize the ID field in IP packets (default is 0: sequential IP IDs)]]></descr> <tunable>net.inet.ip.random_id</tunable> <value>default</value> </item> <item> <descr><![CDATA[ Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It can also be used to probe for information about your internal networks. These functions come enabled as part of the standard FreeBSD core system. ]]></descr> <tunable>net.inet.ip.sourceroute</tunable> <value>default</value> </item> <item> <descr><![CDATA[ Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It can also be used to probe for information about your internal networks. These functions come enabled as part of the standard FreeBSD core system. ]]></descr> <tunable>net.inet.ip.accept_sourceroute</tunable> <value>default</value> </item> <item> <descr><![CDATA[ Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect packets without returning a response. ]]></descr> <tunable>net.inet.icmp.drop_redirect</tunable> <value>default</value> </item> <item> <descr><![CDATA[ This option turns off the logging of redirect packets because there is no limit and this could fill up your logs consuming your whole hard drive. ]]></descr> <tunable>net.inet.icmp.log_redirect</tunable> <value>default</value> </item> <item> <descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr> <tunable>net.inet.tcp.drop_synfin</tunable> <value>default</value> </item> <item> <descr><![CDATA[Enable sending IPv4 redirects]]></descr> <tunable>net.inet.ip.redirect</tunable> <value>default</value> </item> <item> <descr><![CDATA[Enable sending IPv6 redirects]]></descr> <tunable>net.inet6.ip6.redirect</tunable> <value>default</value> </item> <item> <descr><![CDATA[Enable privacy settings for IPv6 (RFC 4941)]]></descr> <tunable>net.inet6.ip6.use_tempaddr</tunable> <value>default</value> </item> <item> <descr><![CDATA[Prefer privacy addresses and use them over the normal addresses]]></descr> <tunable>net.inet6.ip6.prefer_tempaddr</tunable> <value>default</value> </item> <item> <descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr> <tunable>net.inet.tcp.syncookies</tunable> <value>default</value> </item> <item> <descr><![CDATA[Maximum incoming/outgoing TCP datagram size (receive)]]></descr> <tunable>net.inet.tcp.recvspace</tunable> <value>default</value> </item> <item> <descr><![CDATA[Maximum incoming/outgoing TCP datagram size (send)]]></descr> <tunable>net.inet.tcp.sendspace</tunable> <value>default</value> </item> <item> <descr><![CDATA[IP Fastforwarding]]></descr> <tunable>net.inet.ip.fastforwarding</tunable> <value>default</value> </item> <item> <descr><![CDATA[Do not delay ACK to try and piggyback it onto a data packet]]></descr> <tunable>net.inet.tcp.delayed_ack</tunable> <value>default</value> </item> <item> <descr><![CDATA[Maximum outgoing UDP datagram size]]></descr> <tunable>net.inet.udp.maxdgram</tunable> <value>default</value> </item> <item> <descr><![CDATA[Handling of non-IP packets which are not passed to pfil (see if_bridge(4))]]></descr> <tunable>net.link.bridge.pfil_onlyip</tunable> <value>default</value> </item> <item> <descr><![CDATA[Set to 0 to disable filtering on the incoming and outgoing member interfaces.]]></descr> <tunable>net.link.bridge.pfil_member</tunable> <value>default</value> </item> <item> <descr><![CDATA[Set to 1 to enable filtering on the bridge interface]]></descr> <tunable>net.link.bridge.pfil_bridge</tunable> <value>default</value> </item> <item> <descr><![CDATA[Allow unprivileged access to tap(4) device nodes]]></descr> <tunable>net.link.tap.user_open</tunable> <value>default</value> </item> <item> <descr><![CDATA[Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())]]></descr> <tunable>kern.randompid</tunable> <value>default</value> </item> <item> <descr><![CDATA[Maximum size of the IP input queue]]></descr> <tunable>net.inet.ip.intr_queue_maxlen</tunable> <value>default</value> </item> <item> <descr><![CDATA[Disable CTRL+ALT+Delete reboot from keyboard.]]></descr> <tunable>hw.syscons.kbd_reboot</tunable> <value>default</value> </item> <item> <descr><![CDATA[Enable TCP extended debugging]]></descr> <tunable>net.inet.tcp.log_debug</tunable> <value>default</value> </item> <item> <descr><![CDATA[Set ICMP Limits]]></descr> <tunable>net.inet.icmp.icmplim</tunable> <value>default</value> </item> <item> <descr><![CDATA[TCP Offload Engine]]></descr> <tunable>net.inet.tcp.tso</tunable> <value>default</value> </item> <item> <descr><![CDATA[UDP Checksums]]></descr> <tunable>net.inet.udp.checksum</tunable> <value>default</value> </item> <item> <descr><![CDATA[Maximum socket buffer size]]></descr> <tunable>kern.ipc.maxsockbuf</tunable> <value>default</value> </item> </sysctl> <system> <optimization>normal</optimization> <hostname>OPNsense</hostname> <domain>localdomain</domain> <dnsserver/> <dnsallowoverride/> <group> <name>all</name> <description><![CDATA[All Users]]></description> <scope>system</scope> <gid>1998</gid> </group> <group> <name>admins</name> <description><![CDATA[System Administrators]]></description> <scope>system</scope> <gid>1999</gid> <member>0</member> <priv>page-all</priv> </group> <user> <name>root</name> <descr><![CDATA[System Administrator]]></descr> <scope>system</scope> <groupname>admins</groupname> <password>$6$$Y8Et6wWDdXO2tJZRabvSfQvG2Lc8bAS6D9COIsMXEJ2KjA27wqDuAyd/CdazBQc3H3xQX.JXMKxJeRz2OqTkl.</password> <uid>0</uid> <priv>user-shell-access</priv> </user> <nextuid>2000</nextuid> <nextgid>2000</nextgid> <timezone>Etc/UTC</timezone> <time-update-interval>300</time-update-interval> <timeservers>0.nl.pool.ntp.org</timeservers> <webgui> <protocol>https</protocol> </webgui> <disablenatreflection>yes</disablenatreflection> <disableconsolemenu/> <!-- <harddiskstandby></harddiskstandby> --> <disablesegmentationoffloading/> <disablelargereceiveoffloading/> <ipv6allow/> <powerd_ac_mode>hadp</powerd_ac_mode> <powerd_battery_mode>hadp</powerd_battery_mode> <powerd_normal_mode>hadp</powerd_normal_mode> <bogons> <interval>monthly</interval> </bogons> <kill_states/> <ssh> <sshdkeyonly/> </ssh> </system> <interfaces> <wan> <enable/> <if>mismatch1</if> <mtu></mtu> <ipaddr>dhcp</ipaddr> <ipaddrv6>dhcp6</ipaddrv6> <!-- *or* ipv4-address *or* 'pppoe' *or* 'pptp' *or* 'bigpond' --> <subnet></subnet> <gateway></gateway> <blockpriv/> <blockbogons/> <dhcphostname></dhcphostname> <media></media> <mediaopt></mediaopt> <dhcp6-duid></dhcp6-duid> <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len> <!-- <wireless> *see below (opt[n])* </wireless> --> </wan> <lan> <enable/> <if>mismatch0</if> <ipaddr>192.168.1.1</ipaddr> <subnet>24</subnet> <ipaddrv6>track6</ipaddrv6> <subnetv6>64</subnetv6> <media></media> <mediaopt></mediaopt> <track6-interface>wan</track6-interface> <track6-prefix-id>0</track6-prefix-id> <!-- <wireless> *see below (opt[n])* </wireless> --> </lan> <!-- <opt[n]> <enable/> <descr></descr> <if></if> <ipaddr></ipaddr> <subnet></subnet> <media></media> <mediaopt></mediaopt> <bridge>lan|wan|opt[n]</bridge> <wireless> <mode>hostap *or* bss *or* ibss</mode> <ssid></ssid> <channel></channel> <wep> <enable/> <key> <txkey/> <value></value> </key> </wep> </wireless> </opt[n]> --> </interfaces> <!-- <vlans> <vlan> <tag></tag> <if></if> <descr></descr> </vlan> </vlans> --> <staticroutes> <!-- <route> <interface>lan|opt[n]|pptp</interface> <network>xxx.xxx.xxx.xxx/xx</network> <gateway>xxx.xxx.xxx.xxx</gateway> <descr></descr> </route> --> </staticroutes> <dhcpd> <lan> <enable/> <range> <from>192.168.1.100</from> <to>192.168.1.199</to> </range> <!-- <winsserver>xxx.xxx.xxx.xxx</winsserver> <defaultleasetime></defaultleasetime> <maxleasetime></maxleasetime> <gateway>xxx.xxx.xxx.xxx</gateway> <domain></domain> <dnsserver></dnsserver> <ntpserver>xxx.xxx.xxx.xxx</ntpserver> <next-server></next-server> <filename></filename> <filename32></filename32> <filename64></filename64> --> </lan> <!-- <opt[n]> ... </opt[n]> --> <!-- <staticmap> <mac>xx:xx:xx:xx:xx:xx</mac> <ipaddr>xxx.xxx.xxx.xxx</ipaddr> <descr></descr> </staticmap> --> </dhcpd> <pptpd> <mode><!-- off *or* server *or* redir --></mode> <redir/> <localip/> <remoteip/> <!-- <accounting/> --> <!-- <user> <name></name> <password></password> </user> --> </pptpd> <dnsmasq> <enable/> <!-- <hosts> <host></host> <domain></domain> <ip></ip> <descr></descr> </hosts> --> </dnsmasq> <snmpd> <!-- <enable/> --> <syslocation/> <syscontact/> <rocommunity>public</rocommunity> </snmpd> <diag> <ipv6nat> <!-- <enable/> --> <ipaddr/> </ipv6nat> </diag> <bridge> <!-- <filteringbridge/> --> </bridge> <syslog> <reverse/> <!-- <enable/> <remoteserver>xxx.xxx.xxx.xxx</remoteserver> <filter/> <dhcp/> <system/> <nologdefaultblock/> --> </syslog> <!-- <captiveportal> <enable/> <interface>lan|opt[n]</interface> <idletimeout>minutes</idletimeout> <timeout>minutes</timeout> <page> <htmltext></htmltext> <errtext></errtext> </page> <httpslogin/> <httpsname></httpsname> <redirurl></redirurl> <radiusip></radiusip> <radiusport></radiusport> <radiuskey></radiuskey> <nomacfilter/> </captiveportal> --> <nat> <outbound> <mode>automatic</mode> <!-- <rule> <interface></interface> <source> <network>xxx.xxx.xxx.xxx/xx</network> </source> <destination> <not/> <any/> *or* <network>xxx.xxx.xxx.xxx/xx</network> </destination> <target>xxx.xxx.xxx.xxx</target> <descr></descr> </rule> --> </outbound> <!-- <rule> <interface></interface> <external-address></external-address> <protocol></protocol> <external-port></external-port> <target></target> <local-port></local-port> <descr></descr> </rule> --> <!-- <onetoone> <interface></interface> <external>xxx.xxx.xxx.xxx</external> <internal>xxx.xxx.xxx.xxx</internal> <subnet></subnet> <descr></descr> </onetoone> --> <!-- <servernat> <ipaddr></ipaddr> <descr></descr> </servernat> --> </nat> <filter> <!-- <tcpidletimeout></tcpidletimeout> --> <rule> <type>pass</type> <ipprotocol>inet</ipprotocol> <descr><![CDATA[Default allow LAN to any rule]]></descr> <interface>lan</interface> <source> <network>lan</network> </source> <destination> <any/> </destination> </rule> <rule> <type>pass</type> <ipprotocol>inet6</ipprotocol> <descr><![CDATA[Default allow LAN IPv6 to any rule]]></descr> <interface>lan</interface> <source> <network>lan</network> </source> <destination> <any/> </destination> </rule> <!-- rule syntax: <rule> <disabled/> <id>[0-9]*</id> <type>pass|block|reject</type> <ipprotocol>inet|inet6</ipprotocol> <descr>...</descr> <interface>lan|opt[n]|wan|pptp</interface> <protocol>tcp|udp|tcp/udp|...</protocol> <icmptype></icmptype> <source> <not/> <address>xxx.xxx.xxx.xxx(/xx) or alias</address> *or* <network>lan|opt[n]|pptp</network> *or* <any/> <port>a[-b]</port> </source> <destination> *same as for source* </destination> <frags/> <log/> </rule> --> </filter> <proxyarp> <!-- <proxyarpnet> <network>xxx.xxx.xxx.xxx/xx</network> *or* <range> <from>xxx.xxx.xxx.xxx</from> <to>xxx.xxx.xxx.xxx</to> </range> </proxyarpnet> --> </proxyarp> <cron> <item> <minute>1,31</minute> <hour>0-5</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command>adjkerntz -a</command> </item> <item> <minute>1</minute> <hour>3</hour> <mday>1</mday> <month>*</month> <wday>*</wday> <who>root</who> <command>/usr/local/etc/rc.update_bogons</command> </item> <item> <minute>*/60</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command>/usr/local/sbin/expiretable -v -t 3600 sshlockout</command> </item> <item> <minute>1</minute> <hour>1</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command>/usr/local/etc/rc.dyndns.update</command> </item> <item> <minute>*/60</minute> <hour>*</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command>/usr/local/sbin/expiretable -v -t 3600 virusprot</command> </item> <item> <minute>30</minute> <hour>12</hour> <mday>*</mday> <month>*</month> <wday>*</wday> <who>root</who> <command>/usr/local/etc/rc.update_urltables</command> </item> </cron> <wol> <!-- <wolentry> <interface>lan|opt[n]</interface> <mac>xx:xx:xx:xx:xx:xx</mac> <descr></descr> </wolentry> --> </wol> <rrd> <enable/> </rrd> <load_balancer> <monitor_type> <name>ICMP</name> <type>icmp</type> <descr><![CDATA[ICMP]]></descr> <options/> </monitor_type> <monitor_type> <name>TCP</name> <type>tcp</type> <descr><![CDATA[Generic TCP]]></descr> <options/> </monitor_type> <monitor_type> <name>HTTP</name> <type>http</type> <descr><![CDATA[Generic HTTP]]></descr> <options> <path>/</path> <host/> <code>200</code> </options> </monitor_type> <monitor_type> <name>HTTPS</name> <type>https</type> <descr><![CDATA[Generic HTTPS]]></descr> <options> <path>/</path> <host/> <code>200</code> </options> </monitor_type> <monitor_type> <name>SMTP</name> <type>send</type> <descr><![CDATA[Generic SMTP]]></descr> <options> <send></send> <expect>220 *</expect> </options> </monitor_type> </load_balancer> <widgets> <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interface_list-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence> </widgets> </opnsense>