mirror of https://github.com/opnsense/docs
Add page about System --> Settings (#155)
parent
ee4414980e
commit
5727b5f55d
@ -0,0 +1,199 @@
|
||||
=============
|
||||
Settings menu
|
||||
=============
|
||||
|
||||
Besides the configuration options that every component has, OPNsense also contains a lot of general settings
|
||||
that you can tweak. This page contains an overview of them.
|
||||
|
||||
--------------
|
||||
Administration
|
||||
--------------
|
||||
|
||||
The settings on this page concerns logging into OPNsense. The “Secure Shell” settings are described under
|
||||
:ref:`Creating Users & Groups<SSH and console login>`.
|
||||
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Setting | Explanation |
|
||||
+==============================================+=======================================================================+
|
||||
| **Web GUI** |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Protocol | It is strongly recommended to leave this on “HTTPS” |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| SSL Certificate | By default, a self-signed certificate is used. Certificates can be |
|
||||
| | added via :menuselection:`System --> Trust --> Certificates`. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| SSL Ciphers | Can be used to limit SSL cipher selection in case the system defaults |
|
||||
| | are undesired. Note that restrictive use may lead to an inaccessible |
|
||||
| | web GUI. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Enable HTTP Strict Transport Security | Enforces loading the web GUI over HTTPS, even when the connection |
|
||||
| | is hijacked (man-in-the-middle attack), and do not allow the user to |
|
||||
| | trust an invalid certificate for the web GUI. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| TCP port | Can be useful if there are other services that are reachable via port |
|
||||
| | 80/443 of the external IP, for example. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Disable web GUI redirect rule | If you change the port, a redirect rule from port 80/443 will be |
|
||||
| | created. Check this to disable creating this rule. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Disable logging of web GUI successful logins | |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Session Timeout | Time in minutes to expire idle management sessions. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Disable DNS Rebinding Checks | OPNsense contains protection against |
|
||||
| | `DNS rebinding <https://en.wikipedia.org/wiki/DNS_rebinding>`__ by |
|
||||
| | filtering out DNS replies with local IPs. Check this box to disable |
|
||||
| | this protection if it interferes with web GUI access or name |
|
||||
| | resolution in your environment. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Alternate Hostnames | Alternate, valid hostnames (to avoid false positives in |
|
||||
| | referrer/DNS rebinding protection). |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| HTTP Compression | Reduces size of transfer, at the cost of slightly higher CPU usage. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Enable access log | Log all access to the Web GUI (for debuggin/analysis) |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Listen interfaces | Can be used to limit interfaces on which the Web GUI can be accessed. |
|
||||
| | This allows freeing the interface for other services, such as HAProxy.|
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Disable HTTP_REFERER enforcement check | The origins of requests are checked in order to provide some |
|
||||
| | protection against CSRF. You can turn this off of it interferes with |
|
||||
| | external scripts that interact with the Web GUI. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| **Console** |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Use the virtual terminal driver (vt) | When unchecked, OPNsense will use the older sc driver. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Primary Console | The primary console will show boot script output. All consoles display|
|
||||
| | OS boot messages, console messages, and the console menu. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Secondary Console | See above. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Serial Speed | Allows adjusting the baud rate. 115200 is the most common. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Use USB-based serial ports | Listen on ``/dev/ttyU0``, ``/dev/ttyU1``, … instead of ``/dev/ttyu0``.|
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Password protect the console menu | Can be unchecked to allow physical console access without password. |
|
||||
| | This can avoid lock-out, but at the cost of attackers being able to |
|
||||
| | do anything if they gain physical access to your system. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| **Authentication** |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Server | Select one or more authentication servers to validate user |
|
||||
| | credentials against. Multiple servers can make sense with remote |
|
||||
| | authentication methods to provide a fallback during connectivity |
|
||||
| | issues. When nothing is specified the default of "Local Database" |
|
||||
| | is used. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Sudo | Permit sudo usage for administrators with shell access. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
| Disable integrated authentication | When set, console login, SSH, and other system services can only use |
|
||||
| | standard UNIX account authentication. |
|
||||
+----------------------------------------------+-----------------------------------------------------------------------+
|
||||
|
||||
----
|
||||
Cron
|
||||
----
|
||||
|
||||
`Cron <https://en.wikipedia.org/wiki/Cron>`__ is a service that is used to execute jobs periodically. Cron jobs can be viewed by navigating to
|
||||
:menuselection:`System --> Settings --> Cron`. New jobs can be added by click the ``+`` button in the lower right
|
||||
corner.
|
||||
|
||||
When adding a new job or modifying an existing one, you will be presented with fields that directly reflect the
|
||||
cron file syntax and that mostly speak for themselves. A job needs a name, a command, command parameters (if
|
||||
applicable), a description (optional, but recommend) and most importantly, a schedule. All time-related fields
|
||||
share the same syntax:
|
||||
|
||||
- An asterisk (\*) can be used to mean “any”
|
||||
- Specifying multiple values is possible using the comma: ``1,4,9``
|
||||
- Ranges can be specified using a dash: ``4-9``
|
||||
|
||||
-------
|
||||
General
|
||||
-------
|
||||
|
||||
The general settings mainly concern network-related settings like the hostname. The general setting can be set by
|
||||
going to :menuselection:`System --> Settings --> General`. The following settings are available:
|
||||
|
||||
+---------------------------------+------------------------------------------------------------------------------------+
|
||||
| Setting | Explanation |
|
||||
+=================================+====================================================================================+
|
||||
| **System** |
|
||||
+---------------------------------+------------------------------------------------------------------------------------+
|
||||
| Hostname | Hostname without domain, e.g.: ``firewall`` |
|
||||
+---------------------------------+------------------------------------------------------------------------------------+
|
||||
| Domain | The domain, e.g. ``mycorp.com``, ``home``, ``office``, ``private``, etc. Do not |
|
||||
| | use 'local' as a domain name. It will cause local hosts running mDNS (avahi, |
|
||||
| | bonjour, etc.) to be unable to resolve local hosts not running mDNS. |
|
||||
+---------------------------------+------------------------------------------------------------------------------------+
|
||||
| Time zone | |
|
||||
+---------------------------------+------------------------------------------------------------------------------------+
|
||||
| Language | Default language. Can be overridden by users. |
|
||||
+---------------------------------+------------------------------------------------------------------------------------+
|
||||
| Theme | More themes can be installed via plug-ins. |
|
||||
+---------------------------------+------------------------------------------------------------------------------------+
|
||||
| **Networking** |
|
||||
+---------------------------------+------------------------------------------------------------------------------------+
|
||||
| Prefer to use IPv4 even | |
|
||||
| if IPv6 is available | |
|
||||
+---------------------------------+------------------------------------------------------------------------------------+
|
||||
| DNS servers | A list of DNS servers, optionally with a gateway. These DNS servers are also used |
|
||||
| | for the DHCP service, DNS services and for PPTP VPN clients. When using multiple |
|
||||
| | WAN connections there should be at least one unique DNS server per gateway. |
|
||||
+---------------------------------+------------------------------------------------------------------------------------+
|
||||
| Allow DNS server list to be | If this option is set, DNS servers assigned by a DHCP/PPP server on the WAN will |
|
||||
| overridden by DHCP/PPP on WAN | be used for their own purposes (including the DNS services). However, they will |
|
||||
| | not be assigned to DHCP and PPTP VPN clients. |
|
||||
+---------------------------------+------------------------------------------------------------------------------------+
|
||||
| Do not use the local DNS | When enabling local DNS services such as Dnsmasq and Unbound, OPNsense will use |
|
||||
| service as a nameserver for | these as a nameserver. Check this option to prevent this. |
|
||||
| this system | |
|
||||
+---------------------------------+------------------------------------------------------------------------------------+
|
||||
| Allow default gateway switching | If the link where the default gateway resides fails switch the default gateway to |
|
||||
| | another available one. |
|
||||
+---------------------------------+------------------------------------------------------------------------------------+
|
||||
|
||||
|
||||
--------
|
||||
Tunables
|
||||
--------
|
||||
|
||||
Tunables are the settings that go into the ``sysctl.conf`` file, which allows tweaking of low-level system
|
||||
settings. They can be set by going to :menuselection:`System --> Settings --> Tunables`.
|
||||
|
||||
Here, the currently active settings can be viewed and new ones can be created. All valid ``sysctl.conf``
|
||||
settings can be added this way if desired. A list of possible values can be obtained by issuing
|
||||
``sysctl -a`` on an OPNsense shell.
|
||||
|
||||
-------------
|
||||
Miscellaneous
|
||||
-------------
|
||||
|
||||
As the name implies, this section contains the settings that do not fit anywhere else.
|
||||
|
||||
================================= ======================================================================================================================================================================================================
|
||||
Setting Explanation
|
||||
================================= ======================================================================================================================================================================================================
|
||||
**Cryptography settings**
|
||||
Diffie-Hellman parameters The server and client needs to use the same parameters in order to set up a connection. How parameters are updated can be tweaked. Please leave on default unless you know why to change it.
|
||||
Hardware acceleration Select your method of hardware acceleration, if present. Check the full help for hardware-specific advice.
|
||||
Use /dev/crypto Old hardware crypto drivers expose the /dev/crypto interface. This is not used by newer hardware or software any more.
|
||||
**Thermal Sensors**
|
||||
Hardware Select between No/ACPI thermal sensor driver and processor-specific drivers.
|
||||
**Periodic Backups**
|
||||
Periodic RRD Backup Periodically backup Round Robin Database.
|
||||
Periodic DHCP Leases Backup Periodically backup DHCP leases.
|
||||
Periodic NetFlow Backup Periodically backup Netflow state.
|
||||
Periodic Captive Portal Backup Periodically backup Captive Portal state.
|
||||
**Power Savings**
|
||||
Use PowerD PowerD allows tweaking power conservation features. The modes are maximum (high performance), minimum (maximum power saving), adaptive (balanced), hiadaptive (balanced, but with higher performance).
|
||||
On AC Power Mode
|
||||
On Battery Power Mode
|
||||
On Normal Power Mode
|
||||
**Disk / Memory Settings**
|
||||
Swap file Create a 2 GB swap file. This can increase performance, at the cost of increased wear on storage, especially flash.
|
||||
/var RAM disk This can be useful to avoid wearing out flash storage. **Everything in /var, including logs will be lost upon reboot.**
|
||||
/tmp RAM disk See above.
|
||||
**System Sounds**
|
||||
Disable the startup/shutdown beep Disable beeps via the built-in speaker (“PC Speaker”)
|
||||
================================= ======================================================================================================================================================================================================
|
Loading…
Reference in New Issue