Merge branch 'master' into sensei-doc-updates

collect_changelogs.py

@@ -154,6 +154,8 @@ if __name__ == '__main__':
         # per version rst file
         template = Template(open("%s/source/releases/default.rst.in" % root_dir, "r").read())
         for major_version in template_data['major_versions']:
-            with open("%s/source/releases/%s.rst" % (root_dir, major_version), 'w') as f_out:
-                template_data['this_version'] = major_version
-                f_out.write(template.render(template_data))
+            if major_version in template_data['versions']:
+                # wait for the main version before writing a changelog
+                with open("%s/source/releases/%s.rst" % (root_dir, major_version), 'w') as f_out:
+                    template_data['this_version'] = major_version
+                    f_out.write(template.render(template_data))

source/development/api/core/diagnostics.rst

@@ -18,6 +18,8 @@ Diagnostics
    :widths: 4, 15, 15, 30, 40
 
     "``GET``","diagnostics","firewall","log",""
+    "``GET``","diagnostics","firewall","log_filters",""
+    "``GET``","diagnostics","firewall","stats",""
 
 .. csv-table:: Resources (InterfaceController.php)
    :header: "Method", "Module", "Controller", "Command", "Parameters"

source/development/api/core/ids.rst

@@ -25,7 +25,7 @@ Ids
     "``GET``","ids","settings","getRuleset","$id"
     "``GET``","ids","settings","getRulesetproperties",""
     "``GET``","ids","settings","getUserRule","$uuid=null"
-    "``GET``","ids","settings","listRuleClasstypes",""
+    "``GET``","ids","settings","listRuleMetadata",""
     "``GET``","ids","settings","listRulesets",""
     "``POST``","ids","settings","searchInstalledRules",""
     "``*``","ids","settings","searchUserRule",""

source/development/api/core/proxy.rst

@@ -41,3 +41,13 @@ Proxy
     "``POST``","proxy","settings","toggleRemoteBlacklist","$uuid"
 
     "``<<uses>>``", "", "", "", "*model* `Proxy.xml <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml>`__"
+
+.. csv-table:: Resources (TemplateController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``GET``","proxy","template","get",""
+    "``POST``","proxy","template","reset",""
+    "``POST``","proxy","template","set",""
+
+    "``<<uses>>``", "", "", "", "*model* `Proxy.xml <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml>`__"

source/development/api/core/unbound.rst

@@ -11,3 +11,11 @@ Unbound
     "``GET``","unbound","diagnostics","listlocaldata",""
     "``GET``","unbound","diagnostics","listlocalzones",""
     "``GET``","unbound","diagnostics","stats",""
+
+.. csv-table:: Service (ServiceController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``GET``","unbound","service","dnsbl",""
+
+    "``<<uses>>``", "", "", "", "*model* `Dnsbl.xml <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Unboundplus/Dnsbl.xml>`__"

source/development/api/plugins/stunnel.rst

@@ -0,0 +1,16 @@
+Stunnel
+~~~~~~~
+
+.. csv-table:: Service (ServicesController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``POST``","stunnel","services","addItem",""
+    "``POST``","stunnel","services","delItem","$uuid"
+    "``GET``","stunnel","services","get",""
+    "``GET``","stunnel","services","getItem","$uuid=null"
+    "``*``","stunnel","services","searchItem",""
+    "``POST``","stunnel","services","setItem","$uuid"
+    "``POST``","stunnel","services","toggleItem","$uuid,$enabled=null"
+
+    "``<<uses>>``", "", "", "", "*model* `Stunnel.xml <https://github.com/opnsense/plugins/blob/master/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml>`__"

source/development/api/plugins/udpbroadcastrelay.rst

@@ -0,0 +1,26 @@
+Udpbroadcastrelay
+~~~~~~~~~~~~~~~~~
+
+.. csv-table:: Service (ServiceController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``POST``","udpbroadcastrelay","service","config",""
+    "``POST``","udpbroadcastrelay","service","reload",""
+    "``POST``","udpbroadcastrelay","service","restart","$uuid"
+    "``POST``","udpbroadcastrelay","service","start","$uuid"
+    "``POST``","udpbroadcastrelay","service","status","$uuid"
+    "``POST``","udpbroadcastrelay","service","stop","$uuid"
+
+    "``<<uses>>``", "", "", "", "*model* `UDPBroadcastRelay.xml <https://github.com/opnsense/plugins/blob/master/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml>`__"
+
+.. csv-table:: Resources (SettingsController.php)
+   :header: "Method", "Module", "Controller", "Command", "Parameters"
+   :widths: 4, 15, 15, 30, 40
+
+    "``POST``","udpbroadcastrelay","settings","addRelay",""
+    "``POST``","udpbroadcastrelay","settings","delRelay","$uuid"
+    "``GET``","udpbroadcastrelay","settings","getRelay","$uuid=null"
+    "``GET``","udpbroadcastrelay","settings","searchRelay",""
+    "``POST``","udpbroadcastrelay","settings","setRelay","$uuid"
+    "``POST``","udpbroadcastrelay","settings","toggleRelay","$uuid"

source/development/backend/autorun.rst

@@ -20,6 +20,18 @@ They can contain any executable file (e.g. shell scripts) in the following subdi
     - scripts used for periodic backup and restore
 - carp
     - scripts used for CARP MASTER / BACKUP events
+- config
+    - scripts used when a configuration change took place (:code:`config.xml` changed).
+
+.. Note::
+    This event is intended to be atomic for every changed revision, it's triggered using configd :code:`system event config_changed`
+    and is loosely coupled via a :code:`syslog-ng` handler within the standard :code:`Config->save()` method.
+    The syshook event contains a pointer to the backup file in question (e.g. :code:`/conf/backup/config-1601651332.5394.xml`),
+    so the consumer (script) knows which revision to process.
+
+.. Tip::
+    Try to keep custom config handlers as small and efficient as possible since the number of triggered events can grow rapidly.
+
 - early
     - start script before system network startup
 - monitor

source/development/frontend.rst

@@ -12,3 +12,5 @@ The OPNsense frontend is implemented with `PHP/Phalcon <https://en.wikipedia.org
    frontend/models
    frontend/routing
    frontend/controller
+   frontend/view_js_helpers
+   

source/development/frontend/controller.rst

@@ -56,6 +56,56 @@ directory.
 More information on how to write Volt pages can be found here :
 http://docs.phalconphp.com/en/latest/reference/volt.html
 
+---------------------
+User forms
+---------------------
+
+When designers need forms for users to input data, they can use the :code:`getForm()` method on our standard controller
+to feed a simple xml file as definition for the template engine to use. The example section contains a step by step
+guide how to use these.
+
+The getForm() method itself merily passes the structure to thew view, which can use this information to render
+forms on page load (statically).
+In our standard layout `partials <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/views/layout_partials/form_input_tr.volt>`__ we offer some different record types which we will detail below:
+
+
+**Attributes**
+
+============  ===========================================================================================
+Name          Description
+============  ===========================================================================================
+id            unique id of the attribute
+type          type of input or field. For a list of valid types, use the Type table below
+label         attribute label (visible text)
+size          size (width in characters) attribute if applicable
+height        height (length in characters) attribute if applicable
+help          help text
+advanced      property "is advanced", only display in advanced mode
+hint          input control hint
+style         css class(es) to add, helps identifying items easier using jQuery selectors
+width         width in pixels if applicable
+allownew      allow new items (for list) if applicable
+readonly      if true, input fields will be readonly
+============  ===========================================================================================
+
+
+**Types**
+
+==================  ===========================================================================================
+Name                Description
+==================  ===========================================================================================
+header              Header row 
+text                Single line of text
+password            Password field for sensitive input. The contents will not be displayed.
+textbox             Multiline text box
+checkbox            Checkbox
+dropdown            Single item selection from dropdown
+select_multiple     Multiple item select from dropdown
+hidden              Hidden fields not for user interaction
+info                Static text (help icon, no input or editing)
+==================  ===========================================================================================
+
+
 ---------------------
 API based controllers
 ---------------------

source/development/frontend/view_js_helpers.rst

@@ -0,0 +1,132 @@
+==============================
+View construction (and tools)
+==============================
+
+Although most of our code base is being processed server side, some things just require interaction on the
+clients machine for a fluent user experience.
+
+In this chapter we will try to explain some of the components we use when designing pages and how pages are usually constructed.
+
+--------------------------
+Layout
+--------------------------
+
+To ease reading of volt templates, we recommend using a fixed layout when creating templates.
+The base of our rendered page always contains the standard `layout <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/views/layouts/default.volt>`__
+which is hooked via our standard frontend controller.
+
+Below you will find the sections and their order, which we will describe briefly.
+
+.. code-block:: html
+
+    {#
+      {1} Copyright notice
+    #}
+    <script>
+    $( document ).ready(function() {
+      {2} UI code
+    });
+    </script>
+    {3} page html
+    {{ partial("layout_partials/base_dialog",...)}}  {4} dialog forms (see getForm())
+
+
+#.   The copyright block, 2 clause BSD with the authors on top
+#.   Javascript code which belongs to this page
+#.   HTML code, usually starts with some :code:`<div>` containers and uses standard Bootstrap 3 layouting
+#.   When forms are used, these are placed last, these will be generated to the client as standard html code
+
+
+----------------------------
+ajaxCall
+----------------------------
+
+:code:`ajaxCall(url, sendData, callback)` is a wrapper around jQuery's :code:`$.ajax` call preset to a :code:`POST` type
+request and wrapping the sendData into a json object.
+The :code:`callback` function will be called with the data and status received from the endpoint.
+
+
+
+.. code-block:: javascript
+    :name: ajaxCall
+    :caption: example usage
+
+    ajaxCall('/api/monit/status/get/xml', {}, function(data, status) {
+        console.log(data)
+    });
+
+
+----------------------------
+ajaxGet
+----------------------------
+
+:code:`ajaxGet(url,sendData,callback)` is also a wrapper around jQuery's :code:`$.ajax` call, but for a :code:`GET` type
+request.
+
+.. code-block:: javascript
+    :name: ajaxGet
+    :caption: example usage
+
+    ajaxGet('/api/diagnostics/interface/getInterfaceNames', {}, function(data, status) {
+        console.log(data);
+    });
+
+
+----------------------------
+mapDataToFormUI
+----------------------------
+
+The :code:`mapDataToFormUI(data_get_map, server_params)` can be used to map data retrieved from a controller to a
+form in the browser.
+
+This function accepts two parameters, data_get_map contains a mapping between form id's and server endpoints, server_params
+is optional and can be used to set option in the :code:`GET` type request.
+
+When the endpoint is successfully called it should return a json type structure containing the path to the item, as an
+example using :code:`data_get_map = {'myform': '/api/path/to/formdata'};`:
+
+
+.. code-block:: json
+
+    {
+      "netflow": {
+        "capture": {
+          "interfaces": {
+            "lan": {
+              "value": "LAN",
+              "selected": 1
+            },
+            "wan": {
+              "value": "WAN",
+              "selected": 0
+            }
+          },
+        },
+        "collect": {
+          "enable": "1"
+        }
+      }
+    }
+
+Which maps to the fields in this simplified structure (usually rendered via our volt templates):
+
+.. code-block:: html
+
+    <form id="myform">
+        <select multiple="multiple" id="netflow.capture.interfaces">
+        </select>
+        <input type="checkbox" id="netflow.collect.enable">
+    </form>
+
+
+The function returns a :code:`$.Deferred()` which will be resolved when all endpoints are called.
+
+----------------------------
+saveFormToEndpoint
+----------------------------
+
+:code:`saveFormToEndpoint(url, formid, callback_ok, disable_dialog, callback_fail)` is the opposite of :code:`mapDataToFormUI()`
+and retrieves the data from the form and sends it to the configured (url) endpoint as json structure.
+
+The response data looks similar to the example data in mapDataToFormUI, but more condensed since selections will
+be returned as single (separated) values, such as :code:`lan,wan` if both options where set.

source/development/guidelines/basics.rst

@@ -11,8 +11,7 @@ code. It also explains guideline differences between new and legacy code.
 --------
 PHP code
 --------
-For PHP code the `PSR-1 <https://www.php-fig.org/psr/psr-1/>`_ and
-`PSR-2 <https://www.php-fig.org/psr/psr-2/>`_ Coding Standard apply.
+For PHP code the `PSR-12 <https://www.php-fig.org/psr/psr-12/>`_ coding standard applies.
 
 ------
 Python
@@ -27,6 +26,39 @@ Architecture
 Documentation is available about our :doc:`architecture </development/architecture>`
 and used :doc:`components </development/components>`.
 
+-----------------------
+Safeguard user input
+-----------------------
+
+We aim to validate user input before injecting it in the configuration in order to provide a more user friendly
+interface and prevent bad things to happen in the future.
+
+Although we do understand that the perfect validation isn't always possible at once (too much referential constraints, not always as easy to catch)
+it is a best practice to ask yourself if a specific input could be validated (if not now, what about the future).
+
+The issue with user input impossible to validate is that it will bite you eventually, leading to future security issues waiting to happen
+(for example a non authorized user can write commands that will be executed with elevated privileges, we saw this with openvpn for example).
+
+For this reason we do not allow plain text configuration data to be stored in our configuration
+(although some legacy components still use this `opnsense/core#d62015 <https://github.com/opnsense/core/commit/d62015df1cdb0c0711b488bd66ced631b9a4f37b>`__ )
+
+.. Note::
+
+    Feature requests for custom user inputs will be declined in our public repositories, defining what a feature should do
+    also helps designing the right feature.
+
+
+.. Tip::
+
+    If custom input is needed, in most cases you can use hooks to include additional configuration data in the service,
+    most services offer this type of support (either with predefined directories or via the template system).
+
+    This prevents arbitrary users from adding undefined configuration data.
+
+
+The different field types in our model system are aimed to help the developer safeguard his or her code for unexpected input.
+
+
 -----------------
 Ideal Development
 -----------------

source/firewall.rst

@@ -22,7 +22,6 @@ These are all combined in the firewall section.
    manual/nptv6
    manual/shaping
    manual/firewall_groups
-   manual/firewall_vip
    manual/firewall_settings
    manual/firewall_scrub
    manual/how-tos/carp

source/interfaces.rst

@@ -18,6 +18,7 @@ All traffic flowing through your appliance is using (virtual) interfaces, this i
    manual/interfaces
    manual/interfaces_overview
    manual/interfaces_settings
+   manual/firewall_vip
    manual/wireless
    manual/other-interfaces
    manual/ipv6

source/manual/aliases.rst

@@ -16,12 +16,17 @@ OPNsense offers the following alias types:
 +------------------+------------------------------------------------------+
 | Type             | Description                                          |
 +==================+======================================================+
-| Hosts            | Single hosts by IP or Fully Qualified Domain Name    |
+| Hosts            | Single hosts by IP or Fully Qualified Domain Name  or|
+|                  | host exclusions (starts with "!" sign)               |
 +------------------+------------------------------------------------------+
-| Networks         | Entire network p.e. 192.168.1.1/24                   |
+| Networks         | Entire network p.e. 192.168.1.1/24 or network        |
+|                  | exclusion eg !192.168.1.0/24                         |
 +------------------+------------------------------------------------------+
 | Ports            | Port numbers or a port range like 20:30              |
 +------------------+------------------------------------------------------+
+| MAC addresses    | MAC address or partial mac addresses like            |
+|                  | :code:`f4:90:ea`                                     |
++------------------+------------------------------------------------------+
 | URL (IPs)        | A table of IP addresses that are fetched once        |
 +------------------+------------------------------------------------------+
 | URL Tables (IPs) | A table of IP addresses that are fetched on regular  |
@@ -64,6 +69,9 @@ As you can see there are multiple IP addresses for this domain.
     To change the alias domain resolve interval, go to :menuselection:`Firewall --> Settings --> Advanced` and
     set **Aliases Resolve Interval** to the number of seconds to refresh.
 
+Hosts type Aliases can contain exclusion hosts.
+Exclusion addresses starts with "!" sign (eg !192.168.0.1) and can be used to exclude hosts from Network Group Aliases.
+
 ..................
 Networks
 ..................
@@ -71,6 +79,10 @@ Networks are specified in Classless Inter-Domain Routing format (CIDR). Use the
 the correct CIDR mask for each entry. For instance a /32 specifies a single IPv4 host,
 or /128 specifies a single IPv6 host, whereas /24 specifies 255.255.255.0 and
 /64 specifies a normal IPv6 network.
+Network type Aliases can contain exclusion hosts or networks.
+Exclusion addresses starts with "!" sign (eg !192.168.0.0/24) and can be used to
+exclude hosts or networks from current Alias or Network Group Alias
+
 
 ..................
 Ports
@@ -79,6 +91,27 @@ Ports can be specified as a single number or a range using a colon **:**.
 For instance to add a range of 20 to 25 one would enter 20:25 in the **Port(s)**
 section.
 
+..................
+MAC addresses
+..................
+
+Hardware mac addresses can be specified as a (partial) hex value, such as :code:`F4:90:EA` to match all addresses from
+Deciso or :code:`f4:90:ea:00:00:01` to match a single item (the input is case insensitive).
+
+The way these aliases function is approximately the same as hostnames in host type aliases, they are resolved on periodic
+intervals from the :code:`arp` and :code:`ndp` tables.
+
+
+.. Warning::
+
+    Please be aware that hardware addresses can be spoofed (https://en.wikipedia.org/wiki/MAC_spoofing), which doesn't make
+    filters on them more secure than ip addresses in any way.
+
+.. Note::
+
+    Since mappings between addresses and mac addresses are resolved periodically the actual situation can differ, you can
+    always check :menuselection:`Firewall -> Diagnostics -> pfTables` to inspect the current contents of the alias.
+
 ..................
 URL Tables
 ..................
@@ -242,6 +275,11 @@ two machines.
 
       Adding aliases using :code:`/api/firewall/alias_util/add/` is only supported for Host, Network and External type aliases
 
+----------
+Exclusions
+----------
+Pf firewall tables support exceptions (or exclusion) of addresses. This feature can be used in one Alias or in combined (Network
+group type) Aliases. See (https://www.freebsd.org/doc/handbook/firewalls-pf.html 30.3.2.4).
 
 --------
 Nesting
@@ -261,6 +299,19 @@ For example, we define 4 servers among 2 critical using different rulesets:
 
 The alias :code:`servers` will contain all 4 addresses after configuration.
 
+There is also a possibility to combine different Aliases with Aliases, consisting of exclusions.
+For example, there is Alias "FireHOL" that use extensive externl drop-list and two Aliases that contains
+subnet and hosts exclusions. It is possible to create Network group (combined) Alias ("FireHOL_with_exclusions"):
+
+* FireHOL {https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset}
+* subnets_exclusions {!127.0.0.0/8, !0.0.0.0/8}
+* hosts_exclusions {!8.8.8.8}
+* FireHOL_with_exclusions {FireHOL, subnets_exclusions, hosts_exclusions}
+
+:code:`FireHOL_with_exclusions` Alias will contain all records from FireHOL Alias excluding addresses from exclusions Aliases.
+
+It's always good to check if an address is included in the Alias via :menuselection:`Firewall --> Diagnostics --> pfTable`
+
 ---------------------------------
 Spamhaus
 ---------------------------------

source/manual/backups.rst

@@ -36,6 +36,7 @@ have various components that depend on each other, it's most safe to restore a c
    :titlesonly:
 
    how-tos/cloud_backup
+   git-backup
 
 
 --------------------------------

source/manual/git-backup.rst

@@ -0,0 +1,144 @@
+====================================================
+Traceability of configuration changes using Git
+====================================================
+
+When seeking a solution to keep full traceability of configuration changes made by (various) users on your firewall,
+the git-backup plugin might be a useful addition to your setup.
+
+In order to use this feature, one has to install the git-backup plugin first (in :menuselection:`System->Firmware->Plugins` search for os-git-backup).
+
+.. Warning:
+
+    Since backups using git are stored unecrypted and contain sensitive data, we generally advise not to use public cloud
+    providers to store this data. Only use this option if you can guarantee the security of your git backup server.
+
+--------------------------
+Concept
+--------------------------
+
+Since git backup is a little bit different than the standard backup options available, we will explain briefly how it works using
+the diagram below.
+
+.. blockdiag::
+  :scale: 100%
+
+    blockdiag {
+        default_fontsize = 9;
+        node_width = 200;
+        node_height = 80;
+        default_group_color = "#def7ff";
+        config_changed [shape = box, label="Event:\nconfig changed"];
+        syslog_ng [shape = beginpoint, label="syslog-ng\nevent handler"];
+        configd [shape = endpoint, label="configd\nlistener"];
+        git_action [shape = box, label = "git add+commit\nchanged config.xml"];
+
+        config_changed -> syslog_ng;
+        syslog_ng -> configd [label = "loosely coupled"];
+        configd -> git_action;
+
+        group {
+          orientation = portrait
+          syslog_ng;
+          configd;
+        }
+    }
+
+When :code:`config.xml` changes happen due to user or api interaction, an event is triggered to which handlers can subscribe
+(using :doc:`syshook </development/backend/autorun>`).
+Our git-backup plugin subscribes to these events in order to add the received backups and commits these with
+information extracted from the received xml file. To prevent the system to lock during backups,
+we choose this loosely coupled method. Events which are yet unprocessed are being left in the (existing) backup directory.
+
+.. Note::
+
+    Events are processed from the moment the initial backup is configured, when disabling backups, the (local) changelog itself
+    remains active.
+
+On periodic intervals (the standard ones from the backup scheduler), the collected commits are pushed to the configured
+upstream repository. The regular backup procedure (which is also being triggered using the test button in the user interface)
+is responsible for initialising the empty local repository and configuring the upstream target.
+
+.. Note::
+
+    One can always change the upstream target, as long as the newly configured one is either "bare" (empty) or containing the
+    exact same content (/change history) as the one used on this firewall.
+
+--------------------------
+Initial setup
+--------------------------
+
+The configuration part of this plugin is quite basic and offers two types of transport modes, https using a username and
+password combination or ssh using public key infrastructure.
+
+=====================================================================================================================
+
+====================================  ===============================================================================
+Enable                                Enable backup to the upstream target
+URL                                   Target location, which defined transport protocol,
+                                      options as ssh://server/project.git or https://server/project.git are allowed here.
+Branch                                The branch to push your commits to on the configured url
+SSH private key                       When using ssh, make sure to add a private key here
+User Name                             Username, when using gitlab and ssh, the default is :code:`git` here
+                                      (most of these providers use a single user and identify the user by it's key)
+password                              When using https authentication, choose a password here.
+====================================  ===============================================================================
+
+Make sure to push to a "bare" upstream repository, when pressing "Setup/Test Git" the initial commits should be send to
+your git server.
+
+
+--------------------------
+Conflict resolution
+--------------------------
+
+From the user interface no conflict resolution is offered, you need to configure an upstream repository and stick
+to it for the lifetime of the firewall. When for some reason a backup needs to be restored and one would like to
+stick to the same git repository, manual conflict resolution might be an option. Support on these scenario's is
+not offered.
+
+The repository is available on the OPNsense machine in the following directory :code:`/conf/backup/git`.
+
+
+.. Note::
+
+    Conflict resolution can complicate the solution a lot (merging, fast-forward, ....), for this reason we will not
+    accept feature requests trying to push to existing (used) repositories.
+
+
+--------------------------
+Error handling
+--------------------------
+
+When errors occur these will be written to the normal system logging, search for :code:`git-backup` in the general
+system logging (:menuselection:`System -> Log Files -> General`).
+
+Some standard errors might be returned via the test button, which should provide a clear direction, known ones are:
+
+* **authentication failure** -> username/password combination is not valid or the provided ssh key doesn't match the expected one
+* **ssh hostkey changed** -> it looks like a man-in-the-middle attack is happening, if that's not the case and the remote identification
+  changed for valid reasons, manual intervention is required (remove the offensive key from :code:`/root/.ssh/known_hosts`)
+* **git out of sync** -> unable to synchronize, see "Conflict resolution" for additional info.
+
+
+--------------------------
+Cleanup
+--------------------------
+
+The repository is saved locally on the firewall in :code:`/conf/backup/git`, if for some reason one would like to remove the
+collected history and start over from scratch, one can safetly remove this directory.
+
+Login using a (ssh) console and remove the git directory in that case (:code:`rm -rf /conf/backup/git`)
+
+
+.. Note::
+
+    As long as the plugin is installed and /conf/backup/git contains a git repository, the changes will be captured
+    (also without an upstream). One could use this knowledge as well to keep a local (only) repository by creating
+    a repository without assigning an upstream and leave the backup option disabled.
+
+.. Tip::
+
+    The firewall contains a local backup of the most recent changes (configured in :menuselection:`System -> Configuration -> History`)
+    which the config changed event handler uses to feed to the consumers. If after a cleanup one would like to flush
+    the collected changes again to the upstream provider, the :code:`/conf/event_config_changed.json` could be removed
+    to "forget" about the already handled config events (in which case all backups will be signaled again to all config syshook handlers)

source/manual/gui.rst

@@ -128,3 +128,65 @@ A dropdown tab can be clicked upon to open the first menu item or you can click
 the arrow next to it to show all options, like so:
 
 .. image:: images/dropdown_tab.png
+
+
+
+------------------
+Data grids
+------------------
+
+Many components within OPNsense use grid views to navigate through content, below is an example of a simple table view
+supporting the most relevant actions.
+
+.. image:: images/gui_grid.png
+
+Fields
+-------------------
+
+.. raw:: html
+
+    The available fields vary between components, the <i class="fa fa-list-ul"></i> icon can be used to select which fields should
+    be visible or hidden.
+    <br/><br/>
+
+
+Filter and limit
+-------------------
+
+.. raw:: html
+
+    The top area of the grid contains a search input combined with a reload button <i class="fa fa-reload"></i> and
+    a selection for the number of rows to show at once on a page. Often the search input will be instantly applied, but
+    in some cases a reload is needed if the action can't be processed fast enough.
+    <br/><br/>
+
+Actions
+-------------------
+
+.. raw:: html
+
+    Different actions could be supported on a (set of) records:
+      <ul class="simple">
+        <li> <i class="fa fa-square-o"></i> / <i class="fa fa-check-square-o"> </i> Enable / disable a record  </li>
+        <li> <i class="fa fa-pencil"></i> Edit a record  </li>
+        <li> <i class="fa fa-clone"></i> Copy a record and edit </li>
+        <li> <i class="fa fa-trash"></i> Delete a record, usually this will ask for a confirmation </li>
+        <li> <i class="fa fa-plus"></i> Add a new record and open edit dialog  </li>
+      </ul>
+      <br/><br/>
+
+
+Page Navigation
+-------------------
+
+
+The navigation buttons :code:`« ‹ [1,2,..] › »` help scroll through the different pages that are available for the
+selected data.
+
+.. Note::
+
+    Although the page numbers and last page button (:code:`»`) are always visible, they can only be used when the size
+    of the dataset is known upfront. In case of large datasets, such as intrusion alerts and log views the number of records
+    is not known upfront, since there's no relation between the size of the underlaying data and the number of records.
+
+    The record count in these cases is more or less a guestimate based on the number of records already shown.

source/manual/how-tos/SkyUK.rst

@@ -61,11 +61,17 @@ interface shown below.
 	:width: 100%
 
 Sky provide a /56 IPv6 delegation, they do not provide a global IPv6 address
-on the WAN interface, this is link local only. The setting of the option
-'Directly send SOLICIT' and Prefix delegation size set to 56 is an absolute
-requirement for Sky .
+on the WAN interface, this is link local only. Prefix delegation size should
+be set to 56.
+
+Click 'Save' and 'Apply'
+
+The only other requirement is found in the Interfaces:Settings menu under
+IPV6 DHCP. The ‘Prevent Release' option.
+
+.. image:: images/skyuk_dhcp6c_interface_settings.png
+	:width: 100%
 
-The only other requirement in this section is to select ‘Prevent Release'.
 This is there as the Sky DHCPv6 servers use a 'sticky' address. If the
 OPNsense dhcp6 client sends a release signal to the server it's more than
 likely that the allocated prefix will change, thus this setting, along with

source/manual/how-tos/installazure.rst

@@ -8,13 +8,13 @@ captive portal and filtering web proxy. The optional high availability setup ens
 with automatic failover and synchronised states, minimising disruption.
 Keep your network secure and the good packets flowing.
 
-The Virtual Appliance is available on the Microsoft Azure Marketplace (`here <https://azuremarketplace.microsoft.com/nl-nl/marketplace/apps/decisosalesbv.opnsense?tab=Overview>`__).
+The Virtual Appliance is available on the Microsoft Azure Marketplace (`here <https://azuremarketplace.microsoft.com/en-en/marketplace/apps/decisosalesbv.opnsense?tab=Overview>`__).
 
 .. image:: images/azure_offer.png
     :width: 100%
 
 Our installation manual will guide you through a simple installation scenario using 1 network interface, for
-more advanced network setups you best checkout the Azure `documentation <https://docs.microsoft.com/nl-nl/azure/virtual-machines/linux/multiple-nics>`__.
+more advanced network setups you best checkout the Azure `documentation <https://docs.microsoft.com/en-en/azure/virtual-machines/linux/multiple-nics>`__.
 
 -------------------------
 Setup : Basic settings
@@ -61,7 +61,7 @@ after bootup. Most settings can be changed after deployment.
 .. Note::
 
     Microsoft has quite some information available about different networking settings and options
-    `here <https://docs.microsoft.com/nl-nl/azure/virtual-machines/windows/network-overview>`__
+    `here <https://docs.microsoft.com/en-en/azure/virtual-machines/windows/network-overview>`__
 
 
 ------------------------

source/manual/how-tos/ipv6_tunnelbroker.rst

@@ -67,12 +67,13 @@ The newly created GIF tunnel must now be assigned as a new interface.
 Go to :menuselection:`Interfaces --> Assignments`, select the GIF tunnel for **New interface**
 and click the **+** sign next to it.
 
-Then under :menuselection:`Interfaces -> [OPTX]` check **Enable Interface** and change the
-description to e.g. TUNNELBROKER before hitting **Save**.
+Then under :menuselection:`Interfaces --> [OPTX]` (or :menuselection:`Interfaces --> [TunnelBroker]` 
+depending on what you selected) check **Enable Interface** and change the
+description to e.g., TUNNELBROKER before hitting **Save**.
 
 The newly created interface must now be set as the default IPv6 gateway
 under :menuselection:`System --> Gateways --> Single` by editing the new gateway entry
-TUNNELBROKER_TUNNELV6 and checking **Default Gateway** before saving.
+TUNNELBROKER_TUNNELV6 and checking **Upstream Gateway** before saving.
 
 -----------------------------
 Step 3 - Basic Firewall Rules
@@ -103,11 +104,10 @@ Step 5 - Configure DHCPv6 SLAAC
 -------------------------------
 
 We'll next configure OPNsense for Stateless Address Auto Configuration (SLAAC).
-We're going to set up the DHCPv6 service. Go to :menuselection:`Services --> DHCPv6 --> Server`.
+Go to :menuselection:`Services --> Router Advertisements` and choose an interface.
 
-Simply choose a range for clients to use. Save your settings. Next go to the
-Router Advertisements sub tab on that same page. Set the **Router Advertisements**
-setting to *Assisted* and the **Router Priority** setting to *Normal*.
+Set the **Router Advertisements** setting to *Assisted* and the 
+**Router Priority** setting to *Normal*.
 
 .. image:: images/tunnelbroker_dhcpv6.png
    :width: 100%

source/manual/how-tos/lan_bridge.rst

@@ -68,7 +68,8 @@ and Save, remember to check the new interface and ensure it is enabled as in Ste
 -----------------    
 We now need to make two changes to the System Tunables to ensure that filtering is carried
 out on the bridge itself, and not on the member interfaces. Go to :menuselection:`System --> Settings --> Tunables`
-and select using the pen button net.link.bridge.pfil_member and set the value to 0.
+and select using the pen button net.link.bridge.pfil_member and set the value to 0
+(add a new record if this entry doesn't exist on your installation).
 
 .. image:: images/lan_bridge_6.png
 	:width: 100%

source/manual/how-tos/maxmind_geo_ip.rst

@@ -33,4 +33,6 @@ You can check that you have done it correctly by just pasting the link into a br
 OPNsense
 ##########
 
-In OPNsense, goto Firewall:Aliases and select the GeoIP settings tab. Enter the URL you have created into the URL box and click Apply, and that's it.
+In OPNsense, goto Firewall:Aliases and select the GeoIP settings tab. Enter the URL you have created into the URL box and click Apply.
+
+Once you have set up the Maxmind credentials if you have not created a GeoIP alias you will need to do so. Instructions on how to create the alias(es) can be found in the Firewall->Aliases section of this wiki.

source/manual/how-tos/sslvpn_client.rst

@@ -238,7 +238,7 @@ For our example will use the following settings:
 
 ===================================== ===============================================
  **Description**                       *My SSL VPN Server*
- **Server Mode**                       *Remote Access (User Auth)*
+ **Server Mode**                       *Remote Access (SSL/TLS + User Auth)*
  **Backend for authentication**        *TOTP VPN Access Server*
  **Protocol**                          *UDP*
  **Device Mode**                       *tun*

source/manual/how-tos/tayga.rst

@@ -0,0 +1,111 @@
+==================
+Tayga NAT64 how-to
+==================
+
+------------
+Introduction
+------------
+IPv6-only networks are less complex to plan, configure, maintain and troubleshoot than dual-stack networks. But many services on the Internet
+are still IPv4-only. NAT64 preserves access to these services by performing IPv6-to-IPv4 translation. The NAT64 implementation currently
+available for OPNsense is the Tayga plugin.
+
+.. Note::
+   This how-to focuses on providing IPv6-only LANs with access to IPv4-only services. However, this is not the only use case for NAT64.
+
+-------------
+Prerequisites
+-------------
+OPNsense should be configured with working dual-stack Internet access and at least one IPv6-only LAN.
+
+--------------------------------
+Installing and configuring Tayga
+--------------------------------
+Go to :menuselection:`System --> Firmware --> Plugins` and install the `os-tayga` plugin. Then go to :menuselection:`Services --> Tayga`.
+
+Tick `Enable` and configure all prefixes and addresses:
+
+:IPv6 Prefix:
+   The IPv6 prefix which Tayga uses to translate IPv4 addresses. You can use the default well-known prefix 64:ff9b::/96 or an unused /96 from
+   your site's GUA prefix.
+
+   .. Warning::
+      When using the well-known prefix 64:ff9b::/96, Tayga will prohibit IPv6 hosts from contacting IPv4 hosts that have private (RFC1918)
+      addresses. This is not relevant when using NAT64 for accessing IPv4 services on the Internet. However, if access to local services with
+      private IPv4 addresses is required, a GUA /96 prefix must be used.
+
+   .. Note::
+      While technically possible, using a ULA prefix for NAT64 is not recommended. This can cause issues with certain hosts, especially those
+      which support 464XLAT.
+
+:IPv4 Pool:
+   The virtual IPv4 addresses which Tayga maps to LAN IPv6 addresses. Can be left to its default value unless this overlaps with existing
+   subnets in your network. Must be sufficiently large to fit all devices in your IPv6-only LAN(s).
+
+Tayga is a hop in the path, so it needs its own IP addresses for ICMP:
+
+:IPv4 Address:
+   Will show up in traceroutes from the IPv4 side to the IPv6 side. Can be left to its default value unless you changed the `IPv4 Pool`.
+   Should be located in the `IPv4 Pool` subnet.
+
+:IPv6 Address:
+   Will show up in traceroutes from the IPv6 side to the IPv4 side. Should be left empty in most cases. It will then get automatically
+   created by Tayga.
+
+   .. Note::
+      Unless manually configured, Tayga generates its `IPv6 Address` by mapping its `IPv4 Address` into its `IPv6 Prefix`. For example, if
+      the default `IPv6 Prefix` 64:ff9b::/96 and `IPv4 Address` 192.168.255.1 are being used, Tayga's `IPv6 Address` will be
+      64:ff9b::192.168.255.1 (64:ff9b::c0a8:ff01).
+
+Tayga behaves like an external device connected to OPNsense via a point-to-point interface. This interface requires IP addresses for ICMP:
+
+:IPv4 NAT64 Interface Address:
+   Can be left to its default value unless this conflicts with your network. Must not be located in the `IPv4 Pool` subnet. For simplicity,
+   you may reuse an address of another OPNsense interface.
+
+:IPv6 NAT64 Interface Address:
+   Must not be located in the `IPv6 Prefix` subnet. For simplicity, you may reuse an address of another OPNsense interface.
+
+   .. Warning::
+      The default value must not be used since 2001:db8::/32 is a documentation-only prefix.
+
+Save. Tayga should now be running.
+
+---------------------
+Adding firewall rules
+---------------------
+Tayga uses a tunnel interface for packet exchange with the system. Rules are required to prevent the firewall from blocking these packets.
+Additionally, an outbound NAT rule is required for IPv4 Internet access.
+
+Go to :menuselection:`Firewall --> Rules --> Tayga`, add a new rule, set the `TCP/IP Version` to `IPv4+IPv6`, leave all other settings to
+their default values and save.
+
+.. Note::
+   If you just enabled Tayga and can't find :menuselection:`Firewall --> Rules --> Tayga`, go to :menuselection:`Interfaces --> Assignments`,
+   click `Save` and reload the page.
+
+Go to :menuselection:`Firewall --> Settings --> Normalization`, add a new rule, set the `Interface` to `Tayga`, leave all other settings to
+their default values and save.
+
+.. Note::
+   This rule is required for proper handling of fragmented packets.
+
+Go to :menuselection:`Firewall --> NAT --> Outbound`, add a new rule, set `Source address` to `Single host or network`, enter your Tayga
+`IPv4 Pool`, leave all other settings to their default values and save.
+
+Apply the firewall changes. NAT64 should now be fully operational.
+
+-----------------
+Configuring DNS64
+-----------------
+In most scenarios, NAT64 also requires DNS64. If you use OPNsense's :doc:`/manual/unbound` DNS resolver, DNS64 can be enabled by going to
+:menuselection:`Services --> Unbound DNS --> General` and ticking `Enable DNS64 Support`. If you don't use the default 64:ff9b::/96 prefix,
+you also have to enter your /96 prefix there.
+
+.. Note::
+   You may also use any other DNS64 capable DNS server. If you use the default 64:ff9b::/96 prefix, using a service like `Google's Public
+   DNS64 <https://developers.google.com/speed/public-dns/docs/dns64>` is possible, too.
+
+-------
+Testing
+-------
+You can use a service like https://internet.nl/connection/ to verify that devices in your IPv6-only LAN have IPv6 and IP4 Internet access.

source/manual/how-tos/tor.rst

@@ -221,7 +221,7 @@ Relays
 ------
 
 A Tor relay is a host which forwards traffic for other Tor nodes.
-A relay, which allows to pass traffic outside of the Tor network,
+A relay that allows traffic to pass outside of the Tor network
 is called an "Exit Node". If the relay is configured only for you
 (not for public access), it is called a bridge.
 Bridges are used to circumvent filtering of public entry nodes based

source/manual/how-tos/wireguard-client.rst

@@ -6,86 +6,177 @@ WireGuard Road Warrior Setup
 Introduction
 ------------
 
-WireGuard is a simple, fast and modern VPN. It aims to be faster and simpler than IPSec. It intends to be
-considerably more performant than OpenVPN. Initially released for the Linux kernel, it is now cross-platform
-and widely deployable. It is currently under heavy development. We will describe here how to set up
-WireGuard as a central server or just as a client.
+WireGuard is a simple, fast VPN using modern `cryptography <https://www.WireGuard.com/protocol>`__. It aims to be faster and simpler than IPsec whilst also being a considerably more performant alternative to OpenVPN. Initially released for the Linux kernel, it is now cross-platform and widely deployable. It is under heavy development and was included in the Linux kernel v5.6 in `March 2020 <https://arstechnica.com/gadgets/2020/03/WireGuard-vpn-makes-it-to-1-0-0-and-into-the-next-linux-kernel>`__. 
+
+.. Warning::
+
+    WireGuard is still experimental and should be used with caution.
+
+This article describes setting up a central WireGuard server, running on OPNsense and configuring a client. 
 
 ---------------------
 Step 1 - Installation
 ---------------------
 
-Install the plugin as usual, refresh the page and you will find the client via :menuselection:`VPN --> WireGuard`. 
+Install the plugin via :menuselection:`System --> Firmware --> Plugins` and selecting the package **os-WireGuard**.
+
+Once the plugin is installed, refresh the page and you will find the WireGuard configuration menu via :menuselection:`VPN --> WireGuard`.
 
 --------------------------------
 Step 2a - Setup WireGuard Server
 --------------------------------
 
-The setup of a central VPN server is very simple. Just go to tab **Local** and create a new instance.
-Give it a **Name** and set a desired **Listen Port**. If you have more than one service instance be 
-aware that you can use the **Listen Port** only once. For **Tunnel Address** choose an unused network
-to tunnel all clients just like with OpenVPN or GRE (e.g. 192.168.0.1/24).
-**Peers** can not be chosen yet since we have not created them yet. 
-After hitting **Save changes** you can reopen the newly created instance, write down your new public
-key and give it to the other side in a secure way (e.g. PGP encrypted or via SMS). 
+First, create a WireGuard VPN server via :menuselection:`VPN --> WireGuard` under the **Local** tab. Create a new instance using the **+** button and customizing the following values as neccessary:
+
+====================== =================== =====================================================================
+ **Enabled**            Checked            *Check to enable the server*
+ **Name**               WireGuard          *The name of the server instance*
+ **Instance**           (auto populated)   *Automatically generated server instance number*
+ **Public Key**         (empty)            *Leave empty, keys will be automatically generated*
+ **Private key**        (empty)            *Leave empty, keys will be automatically generated*
+ **Listen Port**        51820              *Server listen port. If multiple servers exist, this port must be unique*
+ **DNS Server**         192.168.1.254      *Populate as required with DNS server*
+ **Tunnel Address**     10.10.10.1/24      *Use CIDR notation and avoid subnet overlap with regularly used networks*
+ **Peers**              (empty)            *List of peers for this server, leave blank on initial configuration*
+ **Disable Routes**     Unchecked          *This will prevent installing routes*
+====================== =================== =====================================================================
+
+.. Warning::
+
+    Ensure that **Tunnel Address** is a /24 or the desired CIDR notated subnet mask, do not use /32.
+
+Once the tunnel is created after clicking **Save**, reopen the newly created instance and take note of the public key that was just generated. This key will be required when setting up any client that wishes to connect to this server. Make sure to protect it and use secure transmission methods to clients (e.g. PGP encrypted or via SMS).
+
+Use the **Endpoints** tab to add the first client. Use the **+** button and configure the following:
+
+====================== =================== =====================================================================
+ **Enabled**            Checked            *Check to enable the server*
+ **Name**               client1            *The name of the client*
+ **Public Key**         PubKey             *Provide public key from client*
+ **Shared Secret**      (empty)            *optional - shared secret (PSK) for this peer*
+ **AllowedIPs**         10.10.10.2/32      *IP address of client (peer) - ensure to use /32 with multiple clients*
+ **Endpoint Address**   (empty)            *Not required for inbound connections - dynamic*
+ **Endpoint Port**      (empty)            *Not required for inbound connections - dynamic*
+ **Keepalive**          (empty)            *optional - sets persistent keepalive interval*
+====================== =================== =====================================================================
+
+Click **Save** and return to the **Local** tab. Now select the newly created peer under **Peers**. Click **Save**.
+
+Next, enable WireGuard under the **General** tab and continue with the setup. Add further clients under **Endpoints** and allow them to access the **Wireguard** server by selecting them under **Peers**. 
+
+.. Hint:: 
+
+    Pressing **Save** effectively executes :code:`wg-quick down wg0` followed by :code:`wg-quick up wg0` (with 0 being the **Instance ID** of the server). Though not often required, sometimes it is useful to debug a tunnel not starting via the CLI using :code:`wg show`. Configuration files are stored at :code:`/usr/local/etc/wireguard/wgX.conf`.
+
+------------------------------
+Step 2b - Setup Firewall rules
+------------------------------
 
-Now go to tab **Endpoints** and add the fist road warrior, give it a **Name**, insert the **Public
-Key** and **Allowed IPs** e.g. *192.168.0.2/32, 10.10.10.0/24* (it is important to use /32 for the
-tunnel address when using multiple endpoints). **Endpoint Address** and  **Endpoint Port** can be left
-empty since they are mostly dynamic, now hit **Save changes**.
+For external clients to connect to the WireGuard server firewall rules must be created to permit that traffic to flow from WAN to LAN. Select :menuselection:`Firewall --> NAT --> Port Forward` and click **+Add** creating a rule with the following information:
 
-Go back to tab **Local**, open the instance and choose the newly created endpoint in **Peers**.
+=========================== ================ =====================================================================
+ **Interface**               WAN              *The interface this rule applies to*
+ **TCP/IP Version**          IPv4             *Select the Internet Protocol version this rule applies to*
+ **Protocol**                UDP              *WireGuard works over UDP*
+ **Source**                  *                *Accept traffic from any source*
+ **Source Port**             *                *Accept traffic on any port*
+ **Destination**             WAN address      *Traffic destination*
+ **Destination Port**        51820            *Specify the port or port range required*
+ **Redirect target IP**      192.168.1.254    *The LAN IP of the firewall*
+ **Redirect target port**    51820            *The listen port for WireGuard server*
+ **Description**             WG WAN to LAN    *Optional - provide a description*
+=========================== ================ ===================================================================== 
 
-Now we can **Enable** the VPN in tab **General** and continue with the setup.
+If more granular rules are required note there is a new interface **wg0** where these may be configured.
 
-If you want to add more users just add them in **Endpoints** and link them via **Peers**.
+The final piece is to allow traffic from the Wireguard network. Do this via :menuselection:`Firewall --> Rules --> WireGuard` and click **+Add** with the following information (if an item is not specified, leave it set to the default value):
 
-------------------------
-Step 2b - Setup Firewall
-------------------------
+=========================== ================ =====================================================================
+ **Interface**               WireGuard        *The interface this rule applies to*
+ **Source**                  WireGuard net    *Source subnet*
+ **Destination**             any              *Traffic destination*
+ **Description**             WG WAN to LAN    *Optional - provide a description*
+=========================== ================ =====================================================================
 
-On :menuselection:`Firewall --> Rules` add a new rule on your WAN interface allowing the port you set in your
-instance (Protocol UDP). You also have a new interface **Wireguard** in rules, where you can
-set granular rules on connections inside your tunnel.
+.. Hint::
 
-Your tunnel is now up and running.
+    Rules defined under :menuselection:`Firewall --> Rules --> WireGuard` take precedence over rules individually configured for each tunnel.
+
+Connect to the tunnel from a client and verify connection via :menuselection:`VPN --> WireGuard` using the **List Configuration** and **Handshakes** tabs where peers are identified by their public keys. At this point the tunnel should be up and running but the client will have limited access.
 
 ---------------------------------
 Step 2c - Assignments and Routing
 ---------------------------------
 
-With this setup your clients can reach your internal networks when they add it via **Allowed IPs**.
-But what if you want to push all traffic via VPN in order to filter some streams out of it?
-Then we have to assign the interface via :menuselection:`Interface --> Assignments`, choose our instance (e.g. instance
-0 is interface wg0), enable it, hit **Prevent Interface Removal** and don't configure an IP address.
+Thus far, the setup documented here permits your clients to reach the internal networks configured via **Allowed IPs**. However, a common use case is that users wish to push all traffic through a VPN tunnel. To do this assign WireGuard an interface via :menuselection:`Interfaces --> Assignments` and select the wgX instance from the **New interface** dropdown menu. Click **+** to assign the interface. Once assigned, click **Save**.
+
+Rename the interface as required and select **Prevent Interface Removal** by selecting the interface from the :menuselection:`Interfaces -> [wgX]` list. Do not assign the interface an IP address.
 
-After this we can go to :menuselection:`Firewall --> NAT --> Outbound` and add a rule. Check that rule generation is set
-to manual or hybrid. Add a rule and select your WAN as **Interface**. **Source** should be the Tunnel
-Network you use and **Translation / target** set to WAN address.
+The next step is to configure Outbound NAT. Go to :menuselection:`Firewall --> NAT --> Outbound` and add a rule. First, ensure that rule generation is set to manual or hybrid (if unsure, select hybrid). Add a rule (via **+Add** in the top right) with the following values (unless explictly mentioned below, leave as default):
 
-Now when you add 0.0.0.0/0 on your road warrior, outgoing packets are translated and reach the 
-Internet via your VPN. 
+=========================== ================ =====================================================================
+ **Interface**               WAN              *The interface the rule applies to*
+ **Source address**          wg0 net          *Tunnel Network configured previously*
+ **Translation / target**    WAN address      *Packets matching this rule will be mapped to the IP address given here*
+=========================== ================ ===================================================================== 
 
-When assigning interfaces we can also add gateways to them. This would offer you the chance to
-balance traffic via different VPN providers or do more complex routing scenarios. 
-To do this, go to :menuselection:`System --> Gateways --> Single` and add a new gateway. Choose your WireGuard interface
+To reach the Internet from a client via the VPN configure configure **AllowedIPs** to 0.0.0.0/0.
+
+When assigning interfaces, gateways can be added to them. This is useful if balancing traffic across multiple VPNs is required or in more complex routing scenarios.
+ 
+To do this, go to :menuselection:`System --> Gateways --> Single` and add a new gateway. Choose the relevant WireGuard interface
 and set the Gateway to **dynamic**.
 
 -------------------------------
 Step 3 - Setup WireGuard Client
 -------------------------------
 
-The development of WireGuard is very dynamic so this howto won't include any screenshots since 
-features are added rapidly or naming might change. 
-If we have OPNsense also at the client side the configuration is similar to step 3a but you have to
-choose **Allowed IPs** within the range of the server side and exchange public keys after 
-the creation of a new instance. Then networks which should be routed via WireGuard have to be 
-added to your **Allowed IPs** in the endpoint configuration of your client (e.g. 192.168.0.0/24 
-when this is the LAN of the WireGuard server). For pushing all network traffic via VPN you can add
-0.0.0.0/0. If you do this it's important to also specify a DNS server which will be added to your
-interface. Therefore go to **Local**, edit your instance and fill in one or more IP addresses in
-the **DNS** field. 
+.. Tip::
+
+    Key generation can be performed on any device with `WireGuard client tools <https://www.wireguard.com/install>`__ installed. A one-liner for generating a matching private and public keypair is :code:`wg genkey | tee private.key | wg pubkey > public.key`.
+
+Client configuration is largely beyond the scope of this article since there is such a wide array of possible targets. However, the key pieces of information required to configure a client are: 
+
+* Address - *Server side this is referred to as **Tunnel Address***
+* DNS - *DNS server*
+* Endpoint - *DNS entry or IP supported, include the port here*
+* Public Key - *Refers to Public Key of the WireGuard server*
+* AllowedIPs - *Configure which traffic (by subnet) is sent via the tunnel*
+
+-------------------------------------
+Appendix A - Example configurations
+-------------------------------------
+
+.. Warning::
+
+    Note that WireGuard is still under heavy development and these configurations may change without warning. They are provided for guidance only. 
+    
+    **Do not reuse these example keys!**
+
+An example Client configuration file:
+
+.. code-block:: none
+
+    [Interface]
+    PrivateKey = 8GboYh0YF3q/hJhoPFoL3HM/ObgOuC8YI6UXWsgWL2M=
+    Address = 10.10.10.2/32
+    DNS = 192.168.1.254
+
+    [Peer]
+    PublicKey = OwdegSTyhlpw7Dbpg8VSUBKXF9CxoQp2gAOdwgqtPVI=
+    AllowedIPs = 0.0.0.0/0
+    Endpoint = vpn.example.com:51820
+
 
+An example Server configuration file:
 
+.. code-block:: none
 
-That's it!
+    [Interface]
+    Address = 10.10.10.1/24
+    DNS = 192.168.1.254
+    ListenPort = 51820
+    PrivateKey = YNqHwpcAmVj0lVzPSt3oUnL7cRPKB/geVxccs0C0kk0=
+    [Peer]
+    PublicKey = CLnGaiAfyf6kTBJKh0M529MnlqfFqoWJ5K4IAJ2+X08=
+    AllowedIPs = 10.10.10.2/32

source/manual/how-tos/wireguard-s2s.rst

@@ -33,7 +33,7 @@ key and give it to the other side.
 
 When this VPN is set up on OPNsense only do the same on the second machine and exchange the public
 keys. Now go to tab **Endpoints** and add the remote site, give it a **Name**, insert the **Public
-Key** and the **Allowed IPs** e.g. *192.168.0.2/32, 10.10.10.0/24*. This will set the remonte tunnel
+Key** and the **Allowed IPs** e.g. *192.168.0.2/32, 10.10.10.0/24*. This will set the remote tunnel
 IP address (/32 is important when using multiple endpoints) and route 10.10.10.0/24 via the tunnel. 
 **Endpoint Address** is the public IP of the remote site and you can also set optionally the 
 **Endpoint Port**, now hit **Save changes**.

source/manual/monit.rst

@@ -121,6 +121,43 @@ Now, navigate to the “Service Settings” tab. Here, add the following service
 
 Save and apply.
 
+---------
+Example 3
+---------
+
+In this example, we want to monitor Suricata EVE Log for alerts and send an e-mail.
+This is really simple, be sure to keep false positives low to no get spammed by alerts.
+
+First, make sure you have followed the steps under “Global setup”. Then, navigate to the “Service Tests Settings” tab.
+Here, you need to add one test:
+
++-----------+------------------------------------------+
+| Setting   | Value                                    |
++===========+==========================================+
+| Name      | SURICATA_EVE                             |
++-----------+------------------------------------------+
+| Condition | content =  "blocked"                     |
++-----------+------------------------------------------+
+| Action    | Alert                                    |
++-----------+------------------------------------------+
+
+Now, navigate to the “Service Settings” tab. Here, add the following service:
+
++-----------+---------------------------------------------------------+
+| Setting   | Value                                                   |
++===========+=========================================================+
+| Name      | SURICATA_ALERT                                          |
++-----------+---------------------------------------------------------+
+| Type      | File                                                    |
++-----------+---------------------------------------------------------+
+| Path      | /var/log/suricata/eve.json                              |
++-----------+---------------------------------------------------------+
+| Tests     | SURICATA_EVE                                            |
++-----------+---------------------------------------------------------+
+
+Save and apply.
+From now on you will receive with the alert message for every block action.
+
 -----------------
 Settings overview
 -----------------

source/manual/radvd.rst

@@ -68,7 +68,7 @@ Advertise Routes                      Advertise more specific specific routes to
 DNS
 --------------------------------
 
-For supported clients, DNS settings can also be propagated by radvd as detailed in `RFC 6101 <https://tools.ietf.org/html/rfc6106>`__
+For supported clients, DNS settings can also be propagated by radvd as detailed in `RFC 8106 <https://tools.ietf.org/html/rfc8106>`__
 
 ====================================  ===============================================================================
 DNS servers                           Define which dns servers to publish to the clients, either the ones

source/manual/reporting_traffic.rst

@@ -21,9 +21,23 @@ Below the larger graphs, you will find a couple of options, which helps track cu
 +---------------------------------+------------------------------------------------------------------------------------+
 | Sort by                         | Sort by criteria                                                                   |
 +---------------------------------+------------------------------------------------------------------------------------+
-| Filter                          |  Local traffic only, or All                                                        |
+| Filter                          | Local traffic only, or All                                                         |
 +---------------------------------+------------------------------------------------------------------------------------+
 | Display                         | IP address or (fully qualified) hostname                                           |
 +---------------------------------+------------------------------------------------------------------------------------+
 | Top                             | Number of entries to show                                                          |
 +---------------------------------+------------------------------------------------------------------------------------+
+
+
+.. Note::
+
+    When an interface doesn't report traffic and you are certain there should be any, make sure to check if you have any
+    services enabled that use netmap (zero copy) support on the selected interface (such as IPS and Sensei).
+    When zero copy is used, packets won't by copied in the kernel in which case bpf can't read from the usual in memory buffer.
+
+
+    :code:`bpf(4)` does support a zerocopy mode, in which case it will map the kernel memory pages directly
+    (`freebsd/freebsd#310e3f9 <https://github.com/freebsd/freebsd/commit/310e3f93ddb4d35429a892af85c9b1cf4ef64ebe>`__),
+    To enable, go to :menuselection:`System -> Settings -> Tunables` and add :code:`net.bpf.zerocopy_enable` set to :code:`1`
+
+    Since this feature is marked experimental, the standard is not to use zero-copy.

source/manual/unbound.rst

@@ -194,6 +194,52 @@ Refuse Non-local                      Allow only authoritative local-data querie
                                       client for messages that are disallowed.
 ====================================  ===============================================================================
 
+-------------------------
+Blacklist
+-------------------------
+
+Enable integrated dns blacklisting using one of the predefined sources or custom locations.
+
+=====================================================================================================================
+
+====================================  ===============================================================================
+Enable                                Enable blacklists
+Type of DNSBL                         Predefined external sources
+URLs of Blacklists                    Additional http[s] location to download blacklists from, only plain text
+                                      files containing a list of fqdn's (e.g. :code:`my.evil.domain.com`) are
+                                      supported.
+Whitelist Domains                     When a blacklist item contains a pattern defined in this list it will
+                                      be ommitted from the results.  e.g. :code:`.*\.nl` would exclude all .nl domains
+====================================  ===============================================================================
+
+When any of the DNSBL types are used, the content will be fetched directly from its original source, to
+get a better understanding of the source of the lists we compiled the list below containing references to
+the list maintainers.
+
+*Predefined sources*
+=====================================================================================================================
+
+====================================  ===============================================================================
+AdAway                                https://adaway.org
+AdGuard List                          https://justdomains.github.io/blocklists/#the-lists
+Blocklist.site                        https://github.com/blocklistproject/Lists
+EasyList                              https://justdomains.github.io/blocklists/#the-lists
+Easyprivacy                           https://justdomains.github.io/blocklists/#the-lists
+NoCoin List                           https://justdomains.github.io/blocklists/#the-lists
+PornTop1M List                        https://github.com/chadmayfield/my-pihole-blocklists
+Simple Ad List                        https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
+Simple Tracker List                   https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
+StevenBlack/hosts                     https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
+WindowsSpyBlocker                     https://github.com/crazy-max/WindowsSpyBlocker
+YoYo List                             https://pgl.yoyo.org/adservers/
+====================================  ===============================================================================
+
+.. Note::
+
+    In order to automatically update the lists on timed intervals you need to add a cron task, just go to
+    :menuselection:`System -> Settings ->Cron` and a new task for a command called "Download Unbound DNSBLs and restart".
+
+    Usually once a day is a good enough interval for these type of tasks.
 
 -------------------------
 Statistics
@@ -201,3 +247,68 @@ Statistics
 
 The statistics page provides some insights into the running server, such as the number of queries executed,
 cache usage and uptime.
+
+-------------------------
+Advanced Configurations
+-------------------------
+
+Some installations require configuration settings that are not accessible in the UI.
+To support these, individual configuration files with a ``.conf`` extension can be put into the
+``/var/unbound/etc`` directory. These files will be automatically included by the UI generated configuration.
+Multiple configuration files can be placed there. But note that
+
+* As it cannot be predicted in which clause the configuration currently takes place, you must prefix the configuration with the required clause.
+  For the concept of "clause" see the ``unbound.conf(5)`` documentation.
+* The wildcard include processing in unbound is based on ``glob(7)``. So the order in which the files are included is in ascending ASCII order.
+* Namecollisions with plugins, which use this extension point e. g. ``unbound-plus``, may occur. So be sure to use an unique filename.
+* It is a good idea, to check the complete configuration by running the unbound-checkconf utility::
+
+   # check if configuration is valid
+   unbound-checkconf /var/unbound/unbound.conf
+
+  This will report errors that prevent unbound from starting.
+
+This is a sample configuration file to add an option in the server clause:
+
+::
+
+    server:
+      private-domain: xip.io
+
+
+.. Note::
+  A final thing to note is, that on memory based system ``/var`` is volatile and every file placed inside or below will not survive a restart.
+  As a solution the Template System (":doc:`/development/backend/templates`") can be used to automatically generate these files.
+
+  To get the same effect as placing the file in the sample above directly in ``/var/unbound/etc`` follow these steps:
+
+  #. Create a ``+TARGETS`` file in ``/usr/local/opnsense/service/templates/sampleuser/Unbound``::
+
+      sampleuser_additional_options.conf:/var/unbound/etc/sampleuser_additional_options.conf
+
+  #. Place the template file as ``sampleuser_additional_options.conf`` in the same directory::
+
+      server:
+        private-domain: xip.io
+
+  #. Test the template generation by issuing the following command::
+
+      # generate template
+      configctl template reload sampleuser/Unbound
+
+
+  #. Check the output in the target directory::
+
+      # show generated file
+      cat /var/unbound/etc/sampleuser_additional_options.conf
+      # check if configuration is valid
+      unbound-checkconf /var/unbound/unbound.conf
+
+
+.. Warning::
+    It is the sole responsibility of the administrator which places a file in the extension directory to ensure that the configuration is
+    valid.
+
+.. Note::
+    This method replaces the ``Custom options`` settings in the General page of the Unbound configuration,
+    which was already marked as "to be removed in the future".

source/manual/virtuals.rst

@@ -51,10 +51,18 @@ HyperV
 HyperV Generation 1 and 2 are supported out of the box, no additional drivers
 or tools are needed.
 
+KVM
+---
+**i440FX chipset**
+OPNsense on KVM works with virtio disks and network devices (confirmed on QEMU 5.0).
+
+**Q35 chipset**
+OPNsense on KVM currently does not work with the Q35 chipset. Virtio and other PCIe devices do not get detected properly.
+This is a FreeBSD/KVM related `issue <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236922>`__ that is unspecific to OPNsense.
+
 Others
 ------
-OPNsense can be installed on all virtual machines that support FreeBSD (such as
-KVM, Bhyve, VirtualBox).
+OPNsense can be installed on all virtual machines that support FreeBSD (such as Bhyve, VirtualBox).
 
 ------------------
 
@@ -75,7 +83,7 @@ trust by using current package fingerprints -> CA root certificates -> HTTPS ->
 package fingerprints.
 
 What it will also do is turn a supported stock FreeBSD release into an OPNsense
-installation, given that UFS was used to install the root file system.
+installation.  Both UFS and ZFS installations are supported.
 
 opnsense bootstrap is available for our
 `github source repository <https://github.com/opnsense/update/tree/master/bootstrap>`__
@@ -131,12 +139,6 @@ been reported to help for certain ESXi versions.
 
 ------------------
 
-Installation failure on KVM
----------------------------
-If you are using virtio for the root disk then try switching to sata mode.
-
-------------------
-
 NAT issues on XenServer
 -----------------------
 This issue has been reported to be solved by disabling checksum offloading on both

source/plugins.rst

@@ -46,6 +46,7 @@ VPN & Connectivity
    manual/how-tos/dynamicrouting_rip
    manual/how-tos/dynamicrouting_zebra
    manual/how-tos/tor
+   manual/how-tos/tayga
 
 ----------------
 Web
@@ -86,6 +87,7 @@ Other
    manual/how-tos/freeradius
    manual/how-tos/accounting
    manual/how-tos/mailgateway
+   manual/git-backup
 
 ----------------
 Reporting

source/releases.rst

@@ -6,8 +6,8 @@ Releases
     :width: 600px
     :align: center
 
-As of January 2015 there have been *181* releases leading to the latest version *20.1.7*
-named "Keen Kingfisher".
+As of January 2015 there have been *187* releases leading to the latest version *20.7.2*
+named "Legendary Lion".
 
 The list below contains all releases, ordered by version number categorized by major version.
 
@@ -16,6 +16,7 @@ The list below contains all releases, ordered by version number categorized by m
    :titlesonly:
    :glob:
 
+   releases/20.7
    releases/20.1
    releases/19.7
    releases/19.1

source/releases.rst.in

@@ -16,5 +16,7 @@ The list below contains all releases, ordered by version number categorized by m
    :titlesonly:
    :glob:
 {% for major_version in major_versions%}
+{%- if major_version in versions %}
    releases/{{major_version}}
+{%- endif %}
 {%- endfor %}

source/releases/20.1.rst

@@ -28,6 +28,106 @@ can be found below as well.
 * Full mirror list: https://opnsense.org/download/
 
 
+--------------------------------------------------------------------------
+20.1.9 (July 23, 2020)
+--------------------------------------------------------------------------
+
+
+20.7-RC1 is already available and the final release of 20.7 is scheduled
+for July 30.  A hotfix release for 20.1.9 will enable the upgrade path
+some hours after the initial 20.7 announcement is out, but please note
+that updated 32-bit builds (also known as i386) will no longer be available
+from this day forward.
+
+Here are the full patch notes:
+
+* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
+* firewall: validate if NAT destination contains a port
+* firewall: prevent config_read_array() from adding an empty lo0
+* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
+* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
+* mvc: LegacyLinkField not allowed to return null in __toString()
+* plugins: os-collectd 1.3 `[1] <https://github.com/opnsense/plugins/blob/master/net-mgmt/collectd/pkg-descr>`__ 
+* plugins: os-dyndns 1.22 `[2] <https://github.com/opnsense/plugins/pull/1654>`__ 
+* plugins: os-telegraf 1.8.1 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__ 
+* plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
+* plugins: os-tinc fixes switch mode `[4] <https://github.com/opnsense/plugins/pull/1733>`__ 
+* plugins: os-wireguard 1.2 `[5] <https://github.com/opnsense/plugins/pull/1865>`__ 
+* ports: ca_root_nss 3.54
+* ports: curl 7.71.1 `[6] <https://curl.haxx.se/changes.html>`__ 
+* ports: dnsmasq 2.82 `[7] <http://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__ 
+* ports: monit 5.27.0 `[8] <https://mmonit.com/monit/changes/>`__ 
+* ports: php 7.3.20 `[9] <https://www.php.net/ChangeLog-7.php#7.3.20>`__ 
+* ports: python 3.7.8 `[10] <https://www.python.org/downloads/release/python-378/>`__ 
+* ports: sqlite 3.32.3 `[11] <https://www.sqlite.org/changes.html>`__ 
+* ports: syslog-ng 3.27.1 `[12] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.27.1>`__ 
+
+A hotfix release was issued as 20.1.9_1:
+
+* firmware: enable upgrade path to 20.7 (amd64 only)
+
+
+
+--------------------------------------------------------------------------
+20.1.8 (July 02, 2020)
+--------------------------------------------------------------------------
+
+
+Sorry about the delay while we chased a race condition in the updates back
+to an issue with the latest FreeBSD package manager updates.  For now we
+reverted to our current version but all relevant third party packages have
+been updated as updates became available over the last weeks, e.g. cURL and
+Python, and hostapd / wpa_supplicant amongst others.
+
+Here are the full patch notes:
+
+* system: simpler get_interface_ip() usage in IPv4 renewal
+* system: allow HA sync of network time settings
+* system: download all filtered items in log export
+* system: add support for upstream LDAP accounts in Nextcloud backup (contributed by Fabian Franz)
+* interfaces: fix stateless DHCPv6 for track6 interfaces (contributed by Maurice Walker)
+* firewall: fix missing address filter error by moving NAT targets to runtime resolve
+* firewall: prevent gateway protocol mismatch from breaking the ruleset
+* firewall: work around categories typeahead issue with recent jQuery libraries
+* firewall: improve alias help text (contributed by Team Rebellion)
+* firewall: switch from single log filter to one per attribute
+* intrusion detection: when enabling rules prefixed with '# ' consume the extra space (contributed by Tra5is)
+* intrusion detection: less sensitive rule parsing
+* intrusion detection: compress stats.log backups
+* ipsec: valid IPSec Phase 2 hash config warning raises GUI alert (contributed by Brett Merrick)
+* unbound: add DNS64 support (contributed by Maurice Walker)
+* web proxy: fix wrong button label for Download ACLs (contributed by 90er)
+* mvc: add sort_flags optional parameter support (contributed by NOYB)
+* rc: add full PATH to rc.syshook invoke
+* plugins: os-acme-client `[1] <https://github.com/opnsense/plugins/pull/1851>`__  `[2] <https://github.com/opnsense/plugins/pull/1880>`__ 
+* plugins: os-dnscrypt-proxy 1.8 `[3] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__ 
+* plugins: os-dyndns 1.21 improves Cloudflare support (contributed by Andreas Rupper)
+* plugins: os-freeradius 1.9.7 `[4] <https://github.com/opnsense/plugins/pull/1726>`__ 
+* plugins: os-haproxy 2.23 `[5] <https://github.com/opnsense/plugins/pull/1883>`__ 
+* plugins: os-intrusion-detection-content-snort-vrt 1.1
+* plugins: os-stunnel 1.0 `[6] <https://docs.opnsense.org/manual/how-tos/stunnel.html>`__  (sponsored by Incenter Technology)
+* plugins: os-tayga 1.1 `[7] <https://github.com/opnsense/plugins/pull/1826>`__ 
+* plugins: os-theme-rebellion 1.8.4 `[8] <https://github.com/opnsense/plugins/pull/1892>`__ 
+* ports: ca_root_nss 3.53
+* ports: curl 7.71.0 `[9] <https://curl.haxx.se/changes.html>`__ 
+* ports: hostapd / wpa_supplicant UPnP SUBSCRIBE advisory `[10] <https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt>`__ 
+* ports: krb5 1.18.2 `[11] <https://web.mit.edu/kerberos/krb5-1.18/>`__ 
+* ports: ntp 4.2.8p15 `[12] <http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities>`__ 
+* ports: pcre 8.44 `[13] <https://www.pcre.org/original/changelog.txt>`__ 
+* ports: perl 5.30.3 `[14] <https://perldoc.perl.org/5.30.3/perldelta.html>`__ 
+* ports: php 7.3.19 `[15] <https://www.php.net/ChangeLog-7.php#7.3.19>`__ 
+* ports: python CVE-2019-18348 and CVE-2020-8492
+* ports: sqlite 3.32.2 `[16] <https://www.sqlite.org/changes.html>`__ 
+* ports: sudo 1.9.1 `[17] <https://www.sudo.ws/stable.html#1.9.1>`__ 
+* ports: unbound 1.10.1 `[18] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-10-1>`__ 
+
+A hotfix release was issued as 20.1.8_1:
+
+* ipsec: fix status page display after third party library update
+* plugins: os-dyndns fix for TTL validation (contributed by Andreas Rupper)
+
+
+
 --------------------------------------------------------------------------
 20.1.7 (May 20, 2020)
 --------------------------------------------------------------------------

source/releases/20.7.rst

@@ -0,0 +1,318 @@
+===========================================================================================
+20.7  "Legendary Lion" Series
+===========================================================================================
+
+
+
+For five and a half years, OPNsense is driving innovation through modularising
+and hardening the open source firewall, with simple and reliable firmware
+upgrades, multi-language support, HardenedBSD security, fast adoption of
+upstream software updates as well as clear and stable 2-Clause BSD licensing.
+
+20.7, nicknamed "Legendary Lion", is a major operating system jump forward on
+a sustainable firewall experience.  This release adds DHCPv6 multi-WAN, custom
+error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view,
+basic firewall API support (via plugin) and extended live log filtering amongst
+others.
+
+Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__  and the checksums for the images
+can be found below as well.
+
+* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
+* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
+* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
+* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
+* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
+* Full mirror list: https://opnsense.org/download/
+
+
+--------------------------------------------------------------------------
+20.7.2 (September 02, 2020)
+--------------------------------------------------------------------------
+
+
+While we are still looking closer at netmap/iflib performance on 12.1 we
+are rolling out a kernel with Intel em/igb updates that should avoid bad
+packet counts in the default installation.  Syslog-ng received a workaround
+for the diagnosed startup issue and alias now supports MAC address content
+similar to how host content works.
+
+Here are the full patch notes:
+
+* system: set REQUESTS_CA_BUNDLE in environments
+* system: improve parsing for temperature sensors
+* system: add "new-password" hint for Chrome on login form
+* system: rename syslog services description and hide legacy mode when not enabled
+* system: force syslog-ng restart after boot sequence
+* system: properly read new style logging directories
+* reporting: replace line endings when sending traceback to syslog in flowd_aggregate
+* reporting: dd traffic graph filter for private IPv4 networks (contributed by kcaj-burr)
+* firewall: add MAC address alias type
+* firewall: be more verbose when fetching alias remote content
+* firewall: prevent pfctl error messages from being suppressed
+* firewall: exclude all reserved pf.conf keywords from alias name
+* firewall: bogons not loaded on initial load
+* firewall: reset damaged bogons files on startup
+* interfaces: add listen-queue-sizes in socket diagnostics
+* firmware: properly report an unsigned repository
+* firmware: revoke 20.1 fingerprint
+* intrusion detection: rule cache parse error on invalid metadata
+* intrusion detection: allow search for status enabled/disabled
+* web proxy: correct template replacement during build time
+* web proxy: bugfix in JSON access log
+* unbound: updated project block lists links (contributed by gap579137)
+* backend: add regex_replace template support
+* plugins: os-acme-client 1.36 `[1] <https://github.com/opnsense/plugins/pull/1974>`__ 
+* plugins: os-dyndns 1.23 adds Gandi LiveDNS support (contributed by vizion8-dan)
+* plugins: os-haproxy 2.24 `[2] <https://github.com/opnsense/plugins/blob/master/net/haproxy/pkg-descr>`__ 
+* plugins: os-stunnel 1.0.1 includes performance tweaks
+* plugins: os-telegraf 1.8.2 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__ 
+* plugins: os-tinc fixes cipher parsing on 20.7
+* src: remove ACPI workaround for serial console on AMD EPYC
+* src: Make pf.conf ':0' ignore link-local v6 addresses too
+* src: default "show bad packets" tunable to off in e100 driver
+* src: fix unsolicited promisc mode in e1000 driver
+* src: add valectl to the system commands
+* ports: ca_root_nss/nss 3.56 `[4] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.56_release_notes>`__ 
+* ports: curl 7.72.0 `[5] <https://curl.haxx.se/changes.html#7_72_0>`__ 
+* ports: libressl 3.1.4 `[6] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.4-relnotes.txt>`__ 
+* ports: openldap 2.4.51 `[7] <https://www.openldap.org/software/release/changes.html>`__ 
+* ports: php 7.3.21 `[8] <https://www.php.net/ChangeLog-7.php#7.3.21>`__ 
+* ports: python 3.7.9 `[9] <https://www.python.org/downloads/release/python-379/>`__ 
+* ports: sqlite 3.33.0 `[10] <https://sqlite.org/changes.html>`__ 
+* ports: squid 4.13 `[11] <http://www.squid-cache.org/Versions/v4/squid-4.13-RELEASENOTES.html>`__ 
+* ports: syslog-ng dlsym() workaround
+* ports: unbound 1.11.0 `[12] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-11-0>`__ 
+
+
+
+--------------------------------------------------------------------------
+20.7.1 (August 13, 2020)
+--------------------------------------------------------------------------
+
+
+Small update here with security advisories, multicast fixes and logging
+reliability patches amongst others.
+
+Overall, the jump to HardenedBSD 12.1 is looking promising from our end.
+From the reported issues we still have more logging quirks to investigate
+and especially Netmap support (used in IPS and Sensei) is lacking in some
+areas that were previously working. Patches are being worked on already
+so we shall get there soon enough.  Stay tuned.
+
+Here are the full patch notes:
+
+* system: split log process name into separate column
+* system: filter new style log directories accordingly
+* system: add delay to improve syslog-ng startup
+* system: properly switch login page to latest jQuery 3.5.1
+* firewall: add select boxes for static filters in live log
+* firmware: ignore mandoc.db files in health output as the system will regenerate them weekly
+* firmware: bring back Chinese Aivian mirror
+* firmware: remove defunct opn.sense.nz and RageNetwork mirrors
+* web proxy: add JSON output following Elastic Common Schema (sponsored by Incenter Technology)
+* backend: cap log messages to 4000 characters to prevent longer messages from vanishing
+* plugins: os-acme-client 1.35 `[1] <https://github.com/opnsense/plugins/pull/1950>`__ 
+* plugins: os-frr 1.15 `[2] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__ 
+* plugins: os-postfix 1.15 `[3] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__ 
+* plugins: os-udpbroadcastrelay 1.0 (contributed by Team Rebellion)
+* src: set the current VNET before calling netisr_dispatch() in ng_iface(4)
+* src: assorted multicast group join/leave corrections
+* src: fix vmx driver packet loss and degraded performance `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:16.vmx.asc>`__ 
+* src: fix memory corruption in USB network device driver `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:21.usb_net.asc>`__ 
+* src: fix multiple vulnerabilities in sqlite3 `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:22.sqlite.asc>`__ 
+* src: fix sendmsg(2) privilege escalation `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:23.sendmsg.asc>`__ 
+* ports: perl 5.32.0 `[8] <https://metacpan.org/changes/release/XSAWYERX/perl-5.32.0>`__ 
+* ports: squid 4.12 `[9] <http://www.squid-cache.org/Versions/v4/squid-4.12-RELEASENOTES.html>`__ 
+
+
+
+--------------------------------------------------------------------------
+20.7 (July 30, 2020)
+--------------------------------------------------------------------------
+
+
+For five and a half years, OPNsense is driving innovation through modularising
+and hardening the open source firewall, with simple and reliable firmware
+upgrades, multi-language support, HardenedBSD security, fast adoption of
+upstream software updates as well as clear and stable 2-Clause BSD licensing.
+
+20.7, nicknamed "Legendary Lion", is a major operating system jump forward on
+a sustainable firewall experience.  This release adds DHCPv6 multi-WAN, custom
+error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view,
+basic firewall API support (via plugin) and extended live log filtering amongst
+others.
+
+Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__  and the checksums for the images
+can be found below as well.
+
+* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
+* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
+* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
+* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
+* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
+* Full mirror list: https://opnsense.org/download/
+
+Here are the full patch notes against version 20.7-RC1:
+
+* system: syslog-ng RFC5424 on FreeBSD 12 needs flags(syslog-protocol)
+* installer: welcome users as genuine 20.7 installer
+* web proxy: do not try to force cachemanager access to use ICAP
+* plugins: os-collectd 1.3 `[2] <https://github.com/opnsense/plugins/blob/master/net-mgmt/collectd/pkg-descr>`__ 
+* plugins: os-zabbix5-proxy 1.3 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix5-proxy/pkg-descr>`__ 
+* src: prevent netgraph page fault for LTE usage
+* ports: dnsmasq 2.82 `[4] <http://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__ 
+* ports: monit 5.27.0 `[5] <https://mmonit.com/monit/changes/>`__ 
+* ports: nss 3.55 `[6] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes>`__ 
+* ports: sudo 1.9.2 `[7] <https://www.sudo.ws/stable.html#1.9.2>`__ 
+
+Known issues and limitations:
+
+* legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp are no longer available
+* i386 architecture builds are no longer available
+
+The public key for the 20.7 series is:
+
+.. code-block::
+
+    # -----BEGIN PUBLIC KEY-----
+    # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft
+    # 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3
+    # HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr
+    # E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c
+    # inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3
+    # DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo
+    # jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG
+    # iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ
+    # bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG
+    # bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp
+    # E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza
+    # SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ==
+    # -----END PUBLIC KEY-----
+
+
+
+.. code-block::
+
+    # SHA256 (OPNsense-20.7-OpenSSL-dvd-amd64.iso.bz2) = 580070a3a0533418d58eaeb78122f804f2df7081c929288e1dccee34c4bf763a
+    # SHA256 (OPNsense-20.7-OpenSSL-nano-amd64.img.bz2) = 6deb370c2a64fa6c60b7f59a4afb31b2dd28b812f5fcd59eaa6d458938d45630
+    # SHA256 (OPNsense-20.7-OpenSSL-serial-amd64.img.bz2) = 1276cddd5f7b89aa54fc4a1517cb0686efe94f672627243c5b34d93340441d60
+    # SHA256 (OPNsense-20.7-OpenSSL-vga-amd64.img.bz2) = 72cbffe3bba4884586c8ded8dbca4cf30fb34a094602e5f681efde2deea595c6
+
+--------------------------------------------------------------------------
+20.7.r1 (July 21, 2020)
+--------------------------------------------------------------------------
+
+
+For five and a half years, OPNsense is driving innovation through modularising
+and hardening the open source firewall, with simple and reliable firmware
+upgrades, multi-language support, HardenedBSD security, fast adoption of
+upstream software updates as well as clear and stable 2-Clause BSD licensing.
+
+We thank all of you for helping test, shape and contribute to the project!
+We know it would not be the same without you.  <3
+
+Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__  and the checksums for the images
+can be found below as well.
+
+* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
+* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
+* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
+* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
+* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
+* Full mirror list: https://opnsense.org/download/
+
+Here are the full patch notes against 20.1.8_1:
+
+* system: allow to optionally disable legacy logging (clog)
+* system: do not allow login redirects to visit external pages
+* system: add new "auth user changed" config event and hook it into LDAP updatePolicies()
+* system: adapt to 3wire serial console setting
+* system: figure out which sysctls are writeable before attempting to write them
+* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
+* system: disable PCRE JIT in PHP config
+* system: clean up start / stop beep handler
+* interfaces: improved VLAN handling and defaults for more stable netmap use on 12.1
+* interfaces: support DHCPv6 multi-WAN (contributed by Team Rebellion)
+* interfaces: show delegated prefix in overview (contributed by Team Rebellion)
+* interfaces: DHCPv4 no-release and debug options moved to global interface settings
+* interfaces: automatically register loopback device lo0
+* firewall: handle new net.pf.request_maxcount system limit accordingly
+* firewall: properly evaluate and execute gateway monitoring kill states feature
+* firewall: add the iplen option to shaper rules (contributed by Maxfield Allison)
+* firewall: show partial alias content in tooltip
+* firewall: translated static log overview page to MVC
+* firewall: aliases now show internal aliases
+* firewall: validate if NAT destination contains a port
+* firewall: prevent config_read_array() from adding an empty lo0
+* firmware: added fingerprint for 20.7 series
+* firmware: hint at missing plugins and request to install or dismiss
+* intrusion detection: extend rule search with metadata and show results on rule info
+* intrusion detection: updated pattern options (contributed by @Xeroxxx)
+* intrusion detection: synchronize suricata.yaml with default template
+* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
+* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
+* unbound: integrate functionality formerly known as "unbound-plus" plugin (contributed by Michael Muenz)
+* web proxy: support for custom error pages (sponsored by Incenter Technology)
+* web proxy: add connect_timeout (contributed by Michael Muenz)
+* web proxy: allow PURGE on cache (contributed by @sazb)
+* web proxy: add missing IPv6 listener
+* mvc: add "S" option for AllowDynamic in InterfaceField type
+* mvc: LegacyLinkField not allowed to return null in __toString()
+* backend: add safeguard for illegal configd settings leading to overrides on the same command leaf
+* backend: emove undocumented and unused alias support
+* mvc: support virtual nodes in model instances
+* rc: implement inline variables for skip and defer service start
+* ui: unify edit dialog and add onBeforeRenderDialog event deferrable
+* ui: use firewall groups to group interfaces menu accordingly
+* ui: moved virtual IP menu entry to interfaces
+* ui: jQuery 3.5.1
+* plugins: os-dyndns 1.22 `[2] <https://github.com/opnsense/plugins/pull/1654>`__ 
+* plugins: os-intrusion-detection-content-et-pro 1.0.2 switches to Suricata 5 rules
+* plugins: os-telegraf 1.8.1 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__ 
+* plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
+* plugins: os-tinc fixes switch mode `[4] <https://github.com/opnsense/plugins/pull/1733>`__ 
+* plugins: os-wireguard 1.2 `[5] <https://github.com/opnsense/plugins/pull/1865>`__ 
+* src: HardenedBSD 12.1-p7
+* ports: ca_root_nss 3.54
+* ports: curl 7.71.1 `[6] <https://curl.haxx.se/changes.html>`__ 
+* ports: php 7.3.20 `[7] <https://www.php.net/ChangeLog-7.php#7.3.20>`__ 
+* ports: python 3.7.8 `[8] <https://www.python.org/downloads/release/python-378/>`__ 
+* ports: sqlite 3.32.3 `[9] <https://www.sqlite.org/changes.html>`__ 
+* ports: suricata 5.0.3 `[10] <https://suricata-ids.org/2020/04/28/suricata-5-0-3-released/>`__ 
+
+Known issues and limitations:
+
+* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp will no longer be available
+* i386 architecture builds will no longer be available
+* Installer still advertises 20.1
+
+The public key for the 20.7 series is:
+
+.. code-block::
+
+    # -----BEGIN PUBLIC KEY-----
+    # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft
+    # 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3
+    # HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr
+    # E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c
+    # inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3
+    # DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo
+    # jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG
+    # iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ
+    # bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG
+    # bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp
+    # E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza
+    # SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ==
+    # -----END PUBLIC KEY-----
+
+Please let us know about your experience!
+
+
+
+.. code-block::
+
+    # SHA256 (OPNsense-20.7.r1-OpenSSL-dvd-amd64.iso.bz2) = d54dca6390497d45b831f68f352fccf84881aac78a360247965e5c9b36fbfded
+    # SHA256 (OPNsense-20.7.r1-OpenSSL-nano-amd64.img.bz2) = f78d51d53bf663df2d49a3724812893d8c55234ab8d4a9232663fa581496edbe
+    # SHA256 (OPNsense-20.7.r1-OpenSSL-serial-amd64.img.bz2) = 984f8c9d63598f061cc8995245dea73703532c1bb688ac87cdb1e510fb53b80e
+    # SHA256 (OPNsense-20.7.r1-OpenSSL-vga-amd64.img.bz2) = 711811e0a7d37d323a060c52590daa9f024e77c6da627530c6596367a09b412d

source/troubleshooting.rst

@@ -72,3 +72,4 @@ be found in the list below.
 
    troubleshooting/boot
    troubleshooting/gateways
+   troubleshooting/network

source/troubleshooting/network.rst

@@ -0,0 +1,33 @@
+====================================
+Network
+====================================
+
+
+---------------------------------
+netmap (IPS, Sensei, ...)
+---------------------------------
+
+Netmap is a technology which enables fast packet processing while minimizing overhead, there are however some pittfals
+which may turn your network interface unreachable.
+
+Before using this technology, always make sure you have access via another interface (or console) to your firewall
+in case connectivity is dropped.
+
+In order for netmap to function properly it is imperative that all sorts of driver / hardware  acceleration is disabled
+(:menuselection:`Interfaces -> Settings`), this include :code:`VLAN Hardware Filtering` as well (which wasn't disabled pre 20.7).
+
+Some drivers have may have additional tunables, which enable hardware acceleration, make sure to disable them as well
+(.e.g intel ixl has :code:`hw.ixl.enable_head_writeback`, which we disable by default)
+
+Below you will find a list of tunables which are know to be (partial) incompatible with netmap.
+
+=========================================== =================================================================================
+Tunable                                     Description
+=========================================== =================================================================================
+hw.ixl.enable_head_writeback                Intel :code:`ixl(4)` tunable for increased tx performance,
+                                            OPNsense standard value is disabled.
+
+net.bpf.zerocopy_enable                     Use zero-copy for :code:`bpf(4)` for faster processing, when not set (the default)
+                                            packets will not be seen by bpf, which influences the traffic graphs for example.
+
+=========================================== =================================================================================

source/vendor/deciso/opncentral.rst

@@ -71,3 +71,21 @@ Every connected node is shown with a link which opens in a new tab when clicking
 
 .. image:: images/OPNcentral_status_uptodate.png
     :width: 100%
+
+
+When the management server is allowed to access the OPNcentral components on the connected node it will automatically login
+after the link is clicked with the proper credentials assigned to the api token user.
+
+If the latests Business Edition is installed on the managed machine, but access prohibits automatic logins, you will be redirected to the login page.
+
+When the connected machine is not using the business edition, it's not possible to use the link, a message such as the following will be presented to the
+user:
+
+.. image:: images/OPNcentral_auto_login_unavailable.png
+    :width: 60%
+
+
+.. Note::
+
+    Make sure your browser trusts the remote node otherwise the browser can't access the machine and will signal an issue with the
+    software version.

source/vendor/sunnyvalley/sensei_install.rst

@@ -18,7 +18,7 @@ To install plugins in OPNsense, you must use an account with administrative acce
 Web Interface Installation (Preferred Method)
 ---------------------------------------------
 
-To install Sensei, you must first install the Sunny Valley Networks vendor repository plugin. Go to the :menuselection:`System --> Firmware --> Plugins` page. Click on the “+” icon next to os-sunnyvalley to install the plugin. 
+To install Sensei, you must first install the Sunny Valley Networks vendor repository plugin. Go to the :menuselection:`System --> Firmware --> Plugins` page. Click on the “+” icon next to os-sunnyvalley to install the plugin.
 
 Once the vendor plugin is installed, you should see the Sensei plugin available in the list of plugins as os-sensei. If you do not see the Sensei plugin, you may need to refresh the “Plugins” page. Click the “+” icon next to os-sensei to install the plugin.
 
@@ -35,7 +35,7 @@ Command Line Installation (Alternative Method)
 
 The command line installation method was the primary means for installing Sensei before it was available on the “Plugins” page in the OPNsense web interface. This option is still available for users who have direct access to the OPNsense system yet prefer using command line tools or who may only have remote shell access via SSH to administrate their OPNsense installations. However, the web interface will need utilized after installation to complete the initial configuration of Sensei.
 
-.. Tip:: 
+.. Tip::
 
     If you plan to leave the SSH service active, the best practice recommendations are to create a user with administrative access rather than using the “root” user and to make use of stronger authentication methods such as using keys rather than passwords.
 
@@ -80,7 +80,7 @@ Once the installation has been completed, you may disconnect from your terminal
 
 You will now need to complete the “Initial Configuration Wizard” for Sensei to be fully operational.
 
------------------------------
+------------------------------
 Initial Configuration Wizard
 ------------------------------
 Regardless of the installation method you chose, you will need to go through the initial configuration wizard before you may start using Sensei.
@@ -133,7 +133,7 @@ Your hardware will be analyzed to ensure it meets the minimum requirements. You
 
 .. Warning::
 
-    If you wish to use a remote ElasticSearch database, you must choose it now since you cannot change this after the initial configuration wizard has been completed. 
+    If you wish to use a remote ElasticSearch database, you must choose it now since you cannot change this after the initial configuration wizard has been completed.
 
 .. image:: images/sensei-wizard-reporting-database-high-end.png
     :width: 100%
@@ -170,7 +170,7 @@ For detailed information on "Deployment Modes", `see here <https://help.sunnyva
 .. image:: images/sensei-wizard-interface-selection-protected.png
     :width: 100%
 
-* Click :menuselection:`Next` to continue to the :menuselection:`Cloud Reputation`section.
+* Click :menuselection:`Next` to continue to the :menuselection:`Cloud Reputation` section.
 
 ....................
 5- Cloud Reputation
@@ -241,7 +241,7 @@ Sensei may support up to 1,000 concurrent users on an average PC. You can set yo
 9- Finish
 ....................
 
-* You may enter your email address if you wish to subscribe to the Sunny Valley email list to stay up to date on the latest news. 
+* You may enter your email address if you wish to subscribe to the Sunny Valley email list to stay up to date on the latest news.
 
 .. image:: images/sensei-wizard-finish.png
     :width: 100%