Merge branch 'opnsense:master' into master

pull/465/head
zenarmor 1 year ago committed by GitHub
commit e9d2a63c00
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -1,4 +1,4 @@
#!/usr/local/bin/python
#!/usr/local/bin/python3
"""
Copyright (c) 2020 Ad Schellevis <ad@opnsense.org>
All rights reserved.

@ -0,0 +1,64 @@
#!/usr/local/bin/python3
"""
Copyright (c) 2022 Ad Schellevis <ad@opnsense.org>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
"""
import os
import argparse
import re
from jinja2 import Template
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('-template_filename', default='source/support.rst.in', help='')
parser.add_argument('source', help='source directory')
cmd_args = parser.parse_args()
# collect all plugins
plugin_tiers = dict()
for root, dirs, files in os.walk(cmd_args.source):
if 'Makefile' in files and 'pkg-descr' in files:
plugin_tier = 3
with open(os.path.join(root, 'Makefile'), 'rt') as f_in:
for line in f_in.read().split('\n'):
parts = line.split()
if len(parts) >= 2 and parts[0].startswith('PLUGIN_TIER') and parts[-1].isdigit():
plugin_tier = int(parts[-1])
plugin_name = root[len(cmd_args.source)+1:]
if plugin_tier not in plugin_tiers:
plugin_tiers[plugin_tier] = {}
plugin_tiers[plugin_tier][plugin_name] = {
'tier': plugin_tier,
'name': plugin_name
}
with open(os.path.join(root, 'pkg-descr'), 'rt') as f_in:
descr = f_in.read().strip().split('\n\n')[0].replace('\n', ' ').replace('"', "'")
plugin_tiers[plugin_tier][plugin_name]['descr'] = descr
template = Template(open(cmd_args.template_filename, "rt").read())
if cmd_args.template_filename.endswith('.in'):
with open(cmd_args.template_filename[:-3], 'w') as f_out:
f_out.write(template.render({'tiers': plugin_tiers}))
else:
print(template.render({'tiers': plugin_tiers}))
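Review bot: `plugin_name = root[len(cmd_args.source)+1:]` drops the first character of every plugin name when `source` is passed with a trailing slash (os.walk yields `plugins/net/foo` for `plugins/`, and the `+1` then skips the `n`); `os.path.relpath(root, cmd_args.source)` gives the intended name in both cases. Smaller points in the same block: the `open(cmd_args.template_filename, "rt")` on the `Template(...)` line is never closed, so wrap it in a `with` like the other file reads; `import re` is unused; and `-template_filename` with a single dash works in argparse but reads as a short option, `--template-filename` would match the usual convention.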

@ -8,8 +8,8 @@ Community Edition
:width: 600px
:align: center
As of January 2015 there have been *237* releases leading to the latest version *22.7.6*
named "Powerful Panther".
As of January 2015 there have been *247* releases leading to the latest version *23.1.2*
named "Quintessential Quail".
@ -20,6 +20,7 @@ The list below contains all releases, ordered by version number categorized by m
:titlesonly:
:glob:
releases/CE_23.1
releases/CE_22.7
releases/CE_22.1
releases/CE_21.7

@ -29,6 +29,13 @@ The $key and $secret parameters are used to pass the API credentials using curl.
When using Postman to test an API call, use the 'basic auth' authorization type. The $key and $secret parameters go into Username/Password respectively.
.. note::
Always make sure the owner of the key is authorized to access the resource in question, the "Effective Privileges" set on the user
shows which resources are accessible. (Edit reveals the endpoints assigned to each resource).
ACL's are explained in :doc:`development/components/acl </development/components/acl>`).
Core API
--------
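Review bot: the last line of the note has an unbalanced closing parenthesis after the :doc: role, and "ACL's" is a plural, not a possessive. Suggested wording: "ACLs are explained in :doc:`development/components/acl </development/components/acl>`." The advice itself (check the key owner's "Effective Privileges" before assuming an endpoint is reachable) is the right thing to say here.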

@ -43,6 +43,7 @@ Diagnostics
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","diagnostics","interface","CarpStatus","$status"
"``POST``","diagnostics","interface","delRoute",""
"``POST``","diagnostics","interface","flushArp",""
"``GET``","diagnostics","interface","getArp",""
@ -53,9 +54,13 @@ Diagnostics
"``GET``","diagnostics","interface","getMemoryStatistics",""
"``GET``","diagnostics","interface","getNdp",""
"``GET``","diagnostics","interface","getNetisrStatistics",""
"``GET``","diagnostics","interface","getPfSyncNodes",""
"``GET``","diagnostics","interface","getProtocolStatistics",""
"``GET``","diagnostics","interface","getRoutes",""
"``GET``","diagnostics","interface","getSocketStatistics",""
"``GET``","diagnostics","interface","getVipStatus",""
"``GET``","diagnostics","interface","searchArp",""
"``GET``","diagnostics","interface","searchNdp",""
.. csv-table:: Resources (LvtemplateController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
@ -108,6 +113,12 @@ Diagnostics
"``<<uses>>``", "", "", "", "*model* `PacketCapture.xml <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Diagnostics/PacketCapture.xml>`__"
.. csv-table:: Resources (SystemController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``GET``","diagnostics","system","memory",""
.. csv-table:: Resources (SystemhealthController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40

@ -1,3 +1,5 @@
.. _api_core_firewall:
Firewall
~~~~~~~~
@ -14,6 +16,7 @@ Firewall
"``GET``","firewall","alias","getItem","$uuid=null"
"``GET``","firewall","alias","getTableSize",""
"``POST``","firewall","alias","import",""
"``GET``","firewall","alias","listCategories",""
"``GET``","firewall","alias","listCountries",""
"``GET``","firewall","alias","listNetworkAliases",""
"``POST``","firewall","alias","reconfigure",""
@ -56,3 +59,9 @@ Firewall
:widths: 4, 15, 15, 30, 40
"``GET``","firewall","filter_util","ruleStats",""
.. Tip::
In order to inject rules using an API, you may take a look at the :ref:`Firewall Plugin API <api_plugins_firewall>`,
currently the core system does not support rule modifications via the API for this topic.
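Review bot: the Tip is a comma splice ("... you may take a look at ..., currently the core system does not support ..."). Suggested: "To inject rules via the API, see the :ref:`Firewall Plugin API <api_plugins_firewall>`; the core system currently does not support rule modification through the API." Also, `.. Tip::` renders (directive names are case-insensitive) but the rest of the docs use lowercase directive names.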

@ -0,0 +1,22 @@
.. _api_core_firewall:
{{ title }}
{{ title_underline }}
{% for controller in controllers %}
.. csv-table:: {{controller.type}} ({{controller.filename}})
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
{% for endpoint in controller.endpoints %}
"``{{endpoint.method}}``","{{endpoint.module}}","{{endpoint.controller}}","{{endpoint.command}}","{{endpoint.parameters}}"
{%- endfor %}
{%- if controller.uses %}
{% for use in controller.uses %}
"``<<uses>>``", "", "", "", "*{{use.type}}* `{{use.name}} <{{use.link}}>`__"
{%- endfor %}
{%- endif %}
{% endfor %}
.. Tip::
In order to inject rules using an API, you may take a look at the :ref:`Firewall Plugin API <api_plugins_firewall>`,
currently the core system does not support rule modifications via the API for this topic.
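Review bot: the Tip at the end repeats the comma-spliced sentence from the firewall.rst hunk above; if that file is generated from this template, the wording has to be fixed here or it will be reintroduced on the next run. The label `.. _api_core_firewall:` is hard-coded while `{{ title }}` is templated; fine if this template is only ever used for the firewall page, but if the generator is meant to reuse one template per module the label should come from the same context as the title.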

@ -16,6 +16,22 @@ Interfaces
"``<<uses>>``", "", "", "", "*model* `Loopback.xml <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Interfaces/Loopback.xml>`__"
.. csv-table:: Resources (VipSettingsController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","interfaces","vip_settings","addItem",""
"``POST``","interfaces","vip_settings","delItem","$uuid"
"``GET``","interfaces","vip_settings","get",""
"``GET``","interfaces","vip_settings","getItem","$uuid=null"
"``GET``","interfaces","vip_settings","getUnusedVhid",""
"``POST``","interfaces","vip_settings","reconfigure",""
"``*``","interfaces","vip_settings","searchItem",""
"``POST``","interfaces","vip_settings","set",""
"``POST``","interfaces","vip_settings","setItem","$uuid"
"``<<uses>>``", "", "", "", "*model* `Vip.xml <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Interfaces/Vip.xml>`__"
.. csv-table:: Resources (VlanSettingsController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40

@ -1,6 +1,42 @@
Ipsec
~~~~~
.. csv-table:: Resources (ConnectionsController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","ipsec","connections","addChild",""
"``POST``","ipsec","connections","addConnection",""
"``POST``","ipsec","connections","addLocal",""
"``POST``","ipsec","connections","addRemote",""
"``GET``","ipsec","connections","connectionExists","$uuid"
"``POST``","ipsec","connections","delChild","$uuid"
"``POST``","ipsec","connections","delConnection","$uuid"
"``POST``","ipsec","connections","delLocal","$uuid"
"``POST``","ipsec","connections","delRemote","$uuid"
"``GET``","ipsec","connections","get",""
"``GET``","ipsec","connections","getChild","$uuid=null"
"``GET``","ipsec","connections","getConnection","$uuid=null"
"``GET``","ipsec","connections","getLocal","$uuid=null"
"``GET``","ipsec","connections","getRemote","$uuid=null"
"``GET``","ipsec","connections","isEnabled",""
"``*``","ipsec","connections","searchChild",""
"``*``","ipsec","connections","searchConnection",""
"``*``","ipsec","connections","searchLocal",""
"``*``","ipsec","connections","searchRemote",""
"``POST``","ipsec","connections","set",""
"``POST``","ipsec","connections","setChild","$uuid=null"
"``POST``","ipsec","connections","setConnection","$uuid=null"
"``POST``","ipsec","connections","setLocal","$uuid=null"
"``POST``","ipsec","connections","setRemote","$uuid=null"
"``POST``","ipsec","connections","toggle","$enabled=null"
"``POST``","ipsec","connections","toggleChild","$uuid,$enabled=null"
"``POST``","ipsec","connections","toggleConnection","$uuid,$enabled=null"
"``POST``","ipsec","connections","toggleLocal","$uuid,$enabled=null"
"``POST``","ipsec","connections","toggleRemote","$uuid,$enabled=null"
"``<<uses>>``", "", "", "", "*model* `Swanctl.xml <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml>`__"
.. csv-table:: Resources (KeyPairsController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
@ -30,6 +66,36 @@ Ipsec
"``POST``","ipsec","legacy_subsystem","applyConfig",""
"``GET``","ipsec","legacy_subsystem","status",""
.. csv-table:: Resources (ManualSpdController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","ipsec","manual_spd","add",""
"``POST``","ipsec","manual_spd","del","$uuid"
"``GET``","ipsec","manual_spd","get","$uuid=null"
"``GET``","ipsec","manual_spd","get",""
"``*``","ipsec","manual_spd","search",""
"``POST``","ipsec","manual_spd","set","$uuid=null"
"``POST``","ipsec","manual_spd","set",""
"``POST``","ipsec","manual_spd","toggle","$uuid,$enabled=null"
"``<<uses>>``", "", "", "", "*model* `Swanctl.xml <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml>`__"
.. csv-table:: Resources (PoolsController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","ipsec","pools","add",""
"``POST``","ipsec","pools","del","$uuid"
"``GET``","ipsec","pools","get","$uuid=null"
"``GET``","ipsec","pools","get",""
"``*``","ipsec","pools","search",""
"``POST``","ipsec","pools","set","$uuid=null"
"``POST``","ipsec","pools","set",""
"``POST``","ipsec","pools","toggle","$uuid,$enabled=null"
"``<<uses>>``", "", "", "", "*model* `Swanctl.xml <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml>`__"
.. csv-table:: Resources (PreSharedKeysController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
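Review bot: both new tables list `get` and `set` twice for manual_spd and for pools, once with `$uuid=null` and once with no parameters. If the generator emits one row per method definition it finds (a base-class method plus the controller's own), it should deduplicate on (method, controller, command) or print only the effective signature; as printed, a reader cannot tell which `get`/`set` signature the endpoint accepts.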
@ -90,3 +156,18 @@ Ipsec
"``POST``","ipsec","tunnel","toggle","$enabled=null"
"``POST``","ipsec","tunnel","togglePhase1","$ikeid,$enabled=null"
"``POST``","ipsec","tunnel","togglePhase2","$seqid,$enabled=null"
.. csv-table:: Resources (VtiController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","ipsec","vti","add",""
"``POST``","ipsec","vti","del","$uuid"
"``GET``","ipsec","vti","get","$uuid=null"
"``GET``","ipsec","vti","get",""
"``*``","ipsec","vti","search",""
"``POST``","ipsec","vti","set","$uuid=null"
"``POST``","ipsec","vti","set",""
"``POST``","ipsec","vti","toggle","$uuid,$enabled=null"
"``<<uses>>``", "", "", "", "*model* `Swanctl.xml <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml>`__"
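Review bot: same duplicate `get`/`set` rows here for the vti controller as in the manual_spd and pools tables above; whatever deduplication is chosen for those should cover this table too.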

@ -12,6 +12,16 @@ Unbound
"``GET``","unbound","diagnostics","listlocalzones",""
"``GET``","unbound","diagnostics","stats",""
.. csv-table:: Resources (OverviewController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``GET``","unbound","overview","Rolling","$timeperiod,$clients=false"
"``GET``","unbound","overview","isBlockListEnabled",""
"``GET``","unbound","overview","isEnabled",""
"``GET``","unbound","overview","searchQueries",""
"``GET``","unbound","overview","totals","$maximum"
.. csv-table:: Service (ServiceController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
@ -56,5 +66,6 @@ Unbound
"``POST``","unbound","settings","toggleForward","$uuid,$enabled=null"
"``POST``","unbound","settings","toggleHostAlias","$uuid,$enabled=null"
"``POST``","unbound","settings","toggleHostOverride","$uuid,$enabled=null"
"``POST``","unbound","settings","updateBlocklist",""
"``<<uses>>``", "", "", "", "*model* `Unbound.xml <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml>`__"

@ -1,9 +1,19 @@
.. _api_plugins_firewall:
Firewall
~~~~~~~~
The firewall API plugin is a first step into migrating the legacy firewall components from OPNsense, although it does contain
a user interface, it's main focus is only to provide machine to machine interaction between custom applications and OPNsense
for selected features.
The firewall API plugin (**os-firewall**) offers a way for machine to machine interaction between custom applications and OPNsense, it can
easily be installed like any other plugin via :menuselection:`System --> Firmware --> Plugins`.
Although the plugin does contains a basic user interface (in :menuselection:`Firewall --> Automation`), it's mirely intended
as a reference and testbed. There's no relation to any of the rules being managed via the core system.
.. Tip::
Use your browsers "inspect" feature to compare requests easily, the user interface in terms of communication is exactly the same
as offered by the API . Rules not visible in the web interface (:menuselection:`Firewall --> Automation`) will not be returned by the API either.
.. csv-table:: Abstract [non-callable] (FilterBaseController.php)
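Review bot: typos in the new paragraph: "does contains" should be "does contain", "mirely" should be "merely", "your browsers" should be "your browser's", there is a stray space in "the API .", and "machine to machine" is a compound adjective ("machine-to-machine interaction"). The first sentence is also a comma splice; suggested: "The firewall API plugin (**os-firewall**) offers machine-to-machine interaction between custom applications and OPNsense. It can be installed like any other plugin via :menuselection:`System --> Firmware --> Plugins`."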

@ -1,9 +1,19 @@
.. _api_plugins_firewall:
{{ title }}
{{ title_underline }}
The firewall API plugin is a first step into migrating the legacy firewall components from OPNsense, although it does contain
a user interface, it's main focus is only to provide machine to machine interaction between custom applications and OPNsense
for selected features.
The firewall API plugin (**os-firewall**) offers a way for machine to machine interaction between custom applications and OPNsense, it can
easily be installed like any other plugin via :menuselection:`System --> Firmware --> Plugins`.
Although the plugin does contains a basic user interface (in :menuselection:`Firewall --> Automation`), it's mirely intended
as a reference and testbed. There's no relation to any of the rules being managed via the core system.
.. Tip::
Use your browsers "inspect" feature to compare requests easily, the user interface in terms of communication is exactly the same
as offered by the API . Rules not visible in the web interface (:menuselection:`Firewall --> Automation`) will not be returned by the API either.
{% for controller in controllers %}
.. csv-table:: {{controller.type}} ({{controller.filename}}) {% if not controller.is_abstract %} -- extends : {{controller.base_class}} {% endif %}
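Review bot: the same typos ("does contains", "mirely", "your browsers", "the API .") are in this template; as with the core firewall page, if the .rst is generated from this .in file the fix has to land here as well. Minor: the csv-table title renders as "extends : Base" with a space before the colon; "extends: {{controller.base_class}}" reads cleaner.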

@ -86,6 +86,35 @@ Freeradius
"``<<uses>>``", "", "", "", "*model* `Lease.xml <https://github.com/opnsense/plugins/blob/master/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Lease.xml>`__"
.. csv-table:: Resources (ProxyController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
"``POST``","freeradius","proxy","addHomeserver",""
"``POST``","freeradius","proxy","addHomeserverpool",""
"``POST``","freeradius","proxy","addRealm",""
"``POST``","freeradius","proxy","delHomeserver","$uuid"
"``POST``","freeradius","proxy","delHomeserverpool","$uuid"
"``POST``","freeradius","proxy","delRealm","$uuid"
"``GET``","freeradius","proxy","get",""
"``GET``","freeradius","proxy","get",""
"``GET``","freeradius","proxy","getHomeserver","$uuid=null"
"``GET``","freeradius","proxy","getHomeserverpool","$uuid=null"
"``GET``","freeradius","proxy","getRealm","$uuid=null"
"``GET``","freeradius","proxy","searchHomeserver",""
"``GET``","freeradius","proxy","searchHomeserverpool",""
"``GET``","freeradius","proxy","searchRealm",""
"``POST``","freeradius","proxy","set",""
"``POST``","freeradius","proxy","set",""
"``POST``","freeradius","proxy","setHomeserver","$uuid"
"``POST``","freeradius","proxy","setHomeserverpool","$uuid"
"``POST``","freeradius","proxy","setRealm","$uuid"
"``GET``","freeradius","proxy","toggleHomeserver","$uuid"
"``GET``","freeradius","proxy","toggleHomeserverpool","$uuid"
"``GET``","freeradius","proxy","toggleRealm","$uuid"
"``<<uses>>``", "", "", "", "*model* `Proxy.xml <https://github.com/opnsense/plugins/blob/master/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Proxy.xml>`__"
.. csv-table:: Service (ServiceController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40
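Review bot: `toggleHomeserver`, `toggleHomeserverpool` and `toggleRealm` are documented as `GET`, whereas every other toggle endpoint in this changeset (ipsec connections, unbound settings) is `POST`. If the table reflects what the plugin's ProxyController actually accepts, a state-changing toggle reachable by GET is a problem worth raising upstream (mutations should be POST-only, which is also the convention these tables document); if it is a generator artifact, the method column needs correcting. The table also repeats the `get` and `set` rows, the same duplication seen in the ipsec tables.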

@ -51,6 +51,7 @@ Haproxy
"``POST``","haproxy","settings","addBackend",""
"``POST``","haproxy","settings","addCpu",""
"``POST``","haproxy","settings","addErrorfile",""
"``POST``","haproxy","settings","addFcgi",""
"``POST``","haproxy","settings","addFrontend",""
"``POST``","haproxy","settings","addGroup",""
"``POST``","haproxy","settings","addHealthcheck",""
@ -65,6 +66,7 @@ Haproxy
"``POST``","haproxy","settings","delBackend","$uuid"
"``POST``","haproxy","settings","delCpu","$uuid"
"``POST``","haproxy","settings","delErrorfile","$uuid"
"``POST``","haproxy","settings","delFcgi","$uuid"
"``POST``","haproxy","settings","delFrontend","$uuid"
"``POST``","haproxy","settings","delGroup","$uuid"
"``POST``","haproxy","settings","delHealthcheck","$uuid"
@ -80,6 +82,7 @@ Haproxy
"``GET``","haproxy","settings","getBackend","$uuid=null"
"``GET``","haproxy","settings","getCpu","$uuid=null"
"``GET``","haproxy","settings","getErrorfile","$uuid=null"
"``GET``","haproxy","settings","getFcgi","$uuid=null"
"``GET``","haproxy","settings","getFrontend","$uuid=null"
"``GET``","haproxy","settings","getGroup","$uuid=null"
"``GET``","haproxy","settings","getHealthcheck","$uuid=null"
@ -94,6 +97,7 @@ Haproxy
"``*``","haproxy","settings","searchBackends",""
"``*``","haproxy","settings","searchCpus",""
"``*``","haproxy","settings","searchErrorfiles",""
"``*``","haproxy","settings","searchFcgis",""
"``*``","haproxy","settings","searchFrontends",""
"``*``","haproxy","settings","searchGroups",""
"``*``","haproxy","settings","searchHealthchecks",""
@ -109,6 +113,7 @@ Haproxy
"``POST``","haproxy","settings","setBackend","$uuid"
"``POST``","haproxy","settings","setCpu","$uuid"
"``POST``","haproxy","settings","setErrorfile","$uuid"
"``POST``","haproxy","settings","setFcgi","$uuid"
"``POST``","haproxy","settings","setFrontend","$uuid"
"``POST``","haproxy","settings","setGroup","$uuid"
"``POST``","haproxy","settings","setHealthcheck","$uuid"

@ -21,6 +21,7 @@ Wireguard
:widths: 4, 15, 15, 30, 40
"``GET``","wireguard","general","get",""
"``GET``","wireguard","general","getStatus",""
"``POST``","wireguard","general","set",""
"``<<uses>>``", "", "", "", "*model* `General.xml <https://github.com/opnsense/plugins/blob/master/net/wireguard/src/opnsense/mvc/app/models/OPNsense/Wireguard/General.xml>`__"

@ -1,6 +1,6 @@
====================
Using legacy plugins
====================
============================
Using (legacy) plugins
============================
-------
General

@ -10,23 +10,43 @@ Access Control List
Overview
--------
The current ACL system is targeted at delivering backwards compatibility
for legacy code and being able to extend this a little to add new
The ACL system is targeted at delivering backwards compatibility
for legacy code and being able to extend this to add new
features without having to reimplement the whole system.
In the legacy system the access control is using the following steps to
determine if a page can be accessed by a user:
The following steps determine if a page can be accessed by a user:
#. The user, stored in the config.xml file at system/user (one item per
user)
#. One or more groups for that user, stored in system/group which
contains priv sections.
#. A PHP file binding the priv section content to a page mask (including
wildcards)
#. The user, stored in the config.xml file at system/user may set "Effective Privileges" valid for that explicit entry, stored in <priv/> sections
#. One or more groups for that user, stored in system/group which contains priv sections as well.
#. An XML file (:code:`ACL.xml`) linking logical acl keys to uri patterns
Access controls for most legacy components are stored in models/OPNsense/Core/ACL/ACL.xml, most new components add their own
ACL's in the model belonging to the component. All stored :code:`ACL.xml` files combined determine the full set of options available
in the user/group manager. There is no expicit requirement which model services which ACL.
.. Note::
When in need of a single ACL to match an explicit set of components (pages/api endpoints), one can add an ACL file easily
for a module without further logic.
---------------
ACL format
---------------
Each ACL file is stored in the model location (/usr/local/opnsense/mvc/app/models/) where :code:`ACL.xml` files
are stored in the location [VENDOR]/[MODULE]/ACL/ACL.xml. The format of the file is as follows:
.. code-block:: html
<acl>
<my-unique-acl-key> <!-- as stored for the user/group -->
<name>My ACL name</name> <!-- name visible in the user manager -->
<patterns>
<pattern>path/to/my/module</pattern> <!-- list of uri's this ACL should unlock. -->
</patterns>
</my-unique-acl-key>
</acL>
Our temporary solution is to keep the user and the group in place and replace the
PHP file with a simple config in the model which uses the same mask construction
there was in the old codebase. To bind priv to pages, edit models/OPNsense/Core/ACL\_Legacy\_Page\_Map.txt
--------------
Usage from PHP
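Review bot: the XML example closes with `</acL>` (capital L), which does not match the opening `<acl>`; and since the block is XML, `.. code-block:: xml` is the better highlighter than `html`. Also "expicit" should be "explicit" and "ACL's" should be "ACLs". If the paragraph beginning "Our temporary solution is to keep the user and the group in place" (which refers to ACL_Legacy_Page_Map.txt) is still present after this change, it contradicts the ACL.xml description above it and should be dropped.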

@ -108,6 +108,12 @@ The service above defines the following static variables:
The :code:`reconfigureForceRestart` overwrite tells the controller if it should always stop the service before trying a start, some
services can be signaled to do a reconfigure without stopping.
.. Tip::
When a service may register new :doc:`interfaces </development/backend/legacy>`, one could implement the protected method
:code:`invokeInterfaceRegistration` and make it return :code:`true`, after which the plugin system will detect changes to the
interface registrations automatically.
Endpoints
---------------------------------

@ -136,6 +136,7 @@ List of (comma) separated values, which can be validated using a regex.
"Required", "Y,N", "Mark field as required"
"ValidationMessage", ":code:`text`", "Error message on validation failure"
"Mask", ":code:`regex`", "Optional validation regex"
"MaskPerItem", "Y,N", "Apply regex validation to each item separately"
ConfigdActionsField
@ -398,6 +399,7 @@ Validate if the value is a valid network address (IPv4, IPv6).
"FieldSeparator", ":code:`text`", "Separator character to use"
"WildcardEnabled", "Y,N", "Allow the use of the :code:`any` clause"
"AsList", "Y,N", "Field type should return list items"
"Strict", "Y,N", "Disallow the usage of host bits when a netmask is used"
NumericField
------------------------------------

@ -10,62 +10,70 @@ how to install them.
.. contents:: Table of Contents
:local:
**Product families**
=====================================================================================================================
To address a series of
`vulnerabilities <https://www.bleepingcomputer.com/news/security/uefi-firmware-vulnerabilities-affect-at-least-25-computer-vendors/>`_
found in the InsydeH2O UEFI firmware, which affects security appliances from Deciso, the necessary
downloads as well as the instructions to update the UEFI firmware are included here.
|
-------------------------
DEC800 and DEC3800 series
DEC800 & DEC3800 series
-------------------------
The following appliances using the NetBoard `A20 <https://www.deciso.com/netboard-a20/>`_
are affected:
- `DEC800 series <https://shop.opnsense.com/dec800-series-opnsense-desktop-security-appliance/>`_
- `DEC3800 series <https://shop.opnsense.com/dec3800-series-opnsense-rack-security-appliance/>`_
^^^^^^^^^^
Downloads
^^^^^^^^^^
+-----------------------------------------------------------------------------------------------------------------------------------------------------+
| DEC800 & DEC3800 series BIOS Version 9 |
+-------+-------------------------------------------------------------------------+-------------------------------------------------------------------+
| OS | Download | SHA256 Checksum |
+=======+=========================================================================+===================================================================+
|Windows|:download:`Windows installer <files/NetBoard-A20-USB-installer.zip>` | b824b7508cdb56bd097afdd64bfca0c23e08f003a93a16846809e7a394187567 |
+-------+-------------------------------------------------------------------------+-------------------------------------------------------------------+
|Linux |:download:`Image <files/A20_0009_BIOS_USB_IMAGE.img.bz2>` | da38482d3f9bcbea8aa6fe34c68b64ffb6f896ac9daa3011efb70b420e31ca01 |
+-------+-------------------------------------------------------------------------+-------------------------------------------------------------------+
+---------------+------------------------------------------------------------------------------------------------------------------------------------------+
|**12-2022**: Version 10 (latest) |
+---------------+-------------------------------------------------------------------------+----------------------------------------------------------------+
| OS | Download |SHA256 Checksum |
+===============+=========================================================================+================================================================+
| Windows |:download:`Windows installer <files/NetBoard_A20_0010_USB_installer.zip>`|77882f0da538dc5630ff8b760dd4ac0445084374975a15703d054845e03c3bb1|
+---------------+-------------------------------------------------------------------------+----------------------------------------------------------------+
| Linux |:download:`Image <files/A20_0010_BIOS_USB_IMAGE.img.bz2>` |edbbb073fe65b1ae427c5c63e5f3613da58c397e709b7934586ee59f54819800|
+---------------+-------------------------------------------------------------------------+----------------------------------------------------------------+
| CVE update. |
+----------------------------------------------------------------------------------------------------------------------------------------------------------+
+---------------+------------------------------------------------------------------------------------------------------------------------------------------+
|**03-2022**: Version 9 |
+---------------+-------------------------------------------------------------------------+----------------------------------------------------------------+
| OS | Download |SHA256 Checksum |
+===============+=========================================================================+================================================================+
| Windows |:download:`Windows installer <files/NetBoard_A20_0009_USB_installer.zip>`|e92dc8e3822ae295e218a3e67fe86743ccb0220fcbd98e22dbfa5fd9e3b7d9f7|
+---------------+-------------------------------------------------------------------------+----------------------------------------------------------------+
| Linux |:download:`Image <files/A20_0009_BIOS_USB_IMAGE.img.bz2>` |d217149a90f5ed2b3fe6a317b5317c94d4f4988a9065249ce6addf790e42b609|
+---------------+-------------------------------------------------------------------------+----------------------------------------------------------------+
| Addresses a series of |
| `vulnerabilities <https://www.bleepingcomputer.com/news/security/uefi-firmware-vulnerabilities-affect-at-least-25-computer-vendors/>`_ |
| found in the InsydeH2O UEFI firmware, which affects the NetBoard `A20 <https://www.deciso.com/netboard-a20/>`_ security appliances from Deciso. |
+----------------------------------------------------------------------------------------------------------------------------------------------------------+
|
-------------------------
DEC700 and DEC2700 series
-------------------------
The following apliances using the NetBoard `A10 <https://www.deciso.com/netboard-a10/>`_
are affected:
- `DEC700 series <https://shop.opnsense.com/dec700-series-opnsense-desktop-security-appliance/>`_
- `DEC2700 series <https://shop.opnsense.com/dec2700-series-opnsense-rack-security-appliance/>`_
^^^^^^^^^^
Downloads
^^^^^^^^^^
+-----------------------------------------------------------------------------------------------------------------------------------------------------+
| DEC700 & DEC2700 series BIOS version 22 |
+-------+-------------------------------------------------------------------------+-------------------------------------------------------------------+
| OS | Download | SHA256 Checksum |
+=======+=========================================================================+===================================================================+
|Windows|:download:`Windows installer <files/NetBoard-A10-USB-installer.zip>` | 5fc6fcc98d17d207b29e4e8f9ac5a0765a2f69b2ff058f958e7727519d0b676f |
+-------+-------------------------------------------------------------------------+-------------------------------------------------------------------+
|Linux |:download:`Image <files/A10_022_BIOS_USB_IMAGE.img.bz2>` | a4c107d7fa1240fbb1e2fd5368c30d5ff7e66897424cf34942dd260b11eca9b8 |
+-------+-------------------------------------------------------------------------+-------------------------------------------------------------------+
+---------------+------------------------------------------------------------------------------------------------------------------------------------------+
|**03-2023**: Version 24 (latest) |
+---------------+-------------------------------------------------------------------------+----------------------------------------------------------------+
| OS | Download |SHA256 Checksum |
+===============+=========================================================================+================================================================+
| Windows |:download:`Windows installer <files/NetBoard_A10_0024_USB_installer.zip>`|a4f63ac91a20a74ef32a74e18f791186fba1b281734024fe52f317a59ddc3eb3|
+---------------+-------------------------------------------------------------------------+----------------------------------------------------------------+
| Linux |:download:`Image <files/A10_0024_BIOS_USB_IMAGE.img.bz2>` |6831eb1945ea71b27c9fe420a842b2a8a6966c53c1935232d57cef35e1598e25|
+---------------+-------------------------------------------------------------------------+----------------------------------------------------------------+
| CVE Update and improved fan control. |
+----------------------------------------------------------------------------------------------------------------------------------------------------------+
+---------------+------------------------------------------------------------------------------------------------------------------------------------------+
|**03-2022**: Version 22 |
+---------------+-------------------------------------------------------------------------+----------------------------------------------------------------+
| OS | Download |SHA256 Checksum |
+===============+=========================================================================+================================================================+
| Windows |:download:`Windows installer <files/NetBoard_A10_0022_USB_installer.zip>`|5fc6fcc98d17d207b29e4e8f9ac5a0765a2f69b2ff058f958e7727519d0b676f|
+---------------+-------------------------------------------------------------------------+----------------------------------------------------------------+
| Linux |:download:`Image <files/A10_0022_BIOS_USB_IMAGE.img.bz2>` |a4c107d7fa1240fbb1e2fd5368c30d5ff7e66897424cf34942dd260b11eca9b8|
+---------------+-------------------------------------------------------------------------+----------------------------------------------------------------+
| Addresses a series of |
| `vulnerabilities <https://www.bleepingcomputer.com/news/security/uefi-firmware-vulnerabilities-affect-at-least-25-computer-vendors/>`_ |
| found in the InsydeH2O UEFI firmware, which affects the NetBoard `A10 <https://www.deciso.com/netboard-a10/>`_ security appliances from Deciso. |
+----------------------------------------------------------------------------------------------------------------------------------------------------------+
|
**Installation instructions**
=====================================================================================================================
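Review bot: the `DEC700 & DEC2700 series BIOS version 22` table and the `**03-2022**: Version 22` table carry identical SHA256 checksums but link differently named artifacts (`files/NetBoard-A10-USB-installer.zip` versus `files/NetBoard_A10_0022_USB_installer.zip`, `files/A10_022_BIOS_USB_IMAGE.img.bz2` versus `files/A10_0022_BIOS_USB_IMAGE.img.bz2`); either both file names must exist under `files/` or the duplicate table should be dropped, otherwise one set of `:download:` roles breaks the Sphinx build. The version 24 row's note `CVE Update and improved fan control.` names no advisory; link the vendor or InsydeH2O note the way the version 22 row does so a reader can tell which issues the update closes and whether a given unit still needs it.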

@ -0,0 +1,423 @@
<?xml version="1.0"?>
<opnsense>
<trigger_initial_wizard/>
<theme>opnsense</theme>
<sysctl>
<item>
<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
<tunable>vfs.read_max</tunable>
<value>default</value>
</item>
<item>
<descr>Set the ephemeral port range to be lower.</descr>
<tunable>net.inet.ip.portrange.first</tunable>
<value>default</value>
</item>
<item>
<descr>Drop packets to closed TCP ports without returning a RST</descr>
<tunable>net.inet.tcp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
<tunable>net.inet.udp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize the ID field in IP packets</descr>
<tunable>net.inet.ip.random_id</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.accept_sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
This option turns off the logging of redirect packets because there is no limit and this could fill
up your logs consuming your whole hard drive.
</descr>
<tunable>net.inet.icmp.log_redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
<tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value>
</item>
<item>
<descr>Enable sending IPv6 redirects</descr>
<tunable>net.inet6.ip6.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
<tunable>net.inet6.ip6.use_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Prefer privacy addresses and use them over the normal addresses</descr>
<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
<tunable>net.inet.tcp.syncookies</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
<tunable>net.inet.tcp.recvspace</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
<tunable>net.inet.tcp.sendspace</tunable>
<value>default</value>
</item>
<item>
<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
<tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.inet.udp.maxdgram</tunable>
<value>default</value>
</item>
<item>
<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
<tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
<tunable>net.link.bridge.pfil_local_phys</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
<tunable>net.link.bridge.pfil_member</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to enable filtering on the bridge interface</descr>
<tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value>
</item>
<item>
<descr>Allow unprivileged access to tap(4) device nodes</descr>
<tunable>net.link.tap.user_open</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
<tunable>kern.randompid</tunable>
<value>default</value>
</item>
<item>
<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
<tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value>
</item>
<item>
<descr>Enable TCP extended debugging</descr>
<tunable>net.inet.tcp.log_debug</tunable>
<value>default</value>
</item>
<item>
<descr>Set ICMP Limits</descr>
<tunable>net.inet.icmp.icmplim</tunable>
<value>default</value>
</item>
<item>
<descr>TCP Offload Engine</descr>
<tunable>net.inet.tcp.tso</tunable>
<value>default</value>
</item>
<item>
<descr>UDP Checksums</descr>
<tunable>net.inet.udp.checksum</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum socket buffer size</descr>
<tunable>kern.ipc.maxsockbuf</tunable>
<value>default</value>
</item>
<item>
<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
<tunable>vm.pmap.pti</tunable>
<value>0</value>
</item>
<item>
<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
<tunable>hw.ibrs_disable</tunable>
<value>1</value>
</item>
<item>
<descr>Hide processes running as other groups</descr>
<tunable>security.bsd.see_other_gids</tunable>
<value>default</value>
</item>
<item>
<descr>Hide processes running as other users</descr>
<tunable>security.bsd.see_other_uids</tunable>
<value>default</value>
</item>
<item>
<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
and for the sender directly reachable, route and next hop is known.
</descr>
<tunable>net.inet.ip.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
packets without returning a response.
</descr>
<tunable>net.inet.icmp.drop_redirect</tunable>
<value>1</value>
</item>
<item>
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.local.dgram.maxdgram</tunable>
<value>default</value>
</item>
<item>
<tunable>dev.ax.0.iflib.override_nrxds</tunable>
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
<descr/>
</item>
<item>
<tunable>dev.ax.0.iflib.override_ntxds</tunable>
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
<descr/>
</item>
<item>
<tunable>dev.ax.1.iflib.override_nrxds</tunable>
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
<descr/>
</item>
<item>
<tunable>dev.ax.1.iflib.override_ntxds</tunable>
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
<descr/>
</item>
<item>
<tunable>dev.ax.0.rss_enabled</tunable>
<value>1</value>
<descr/>
</item>
<item>
<tunable>dev.ax.1.rss_enabled</tunable>
<value>1</value>
<descr/>
</item>
</sysctl>
<system>
<serialspeed>115200</serialspeed>
<primaryconsole>serial</primaryconsole>
<optimization>normal</optimization>
<hostname>OPNsense</hostname>
<domain>localdomain</domain>
<dnsallowoverride>1</dnsallowoverride>
<group>
<name>admins</name>
<description>System Administrators</description>
<scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>page-all</priv>
</group>
<user>
<name>root</name>
<descr>System Administrator</descr>
<scope>system</scope>
<groupname>admins</groupname>
<password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
<uid>0</uid>
</user>
<nextuid>2000</nextuid>
<nextgid>2000</nextgid>
<timezone>Etc/UTC</timezone>
<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
<webgui>
<protocol>https</protocol>
</webgui>
<disablenatreflection>yes</disablenatreflection>
<usevirtualterminal>1</usevirtualterminal>
<disableconsolemenu/>
<disablevlanhwfilter>1</disablevlanhwfilter>
<disablechecksumoffloading>1</disablechecksumoffloading>
<disablesegmentationoffloading>1</disablesegmentationoffloading>
<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
<ipv6allow/>
<powerd_enable>1</powerd_enable>
<powerd_ac_mode>hadp</powerd_ac_mode>
<powerd_battery_mode>hadp</powerd_battery_mode>
<powerd_normal_mode>hadp</powerd_normal_mode>
<thermal_hardware>amdtemp</thermal_hardware>
<bogons>
<interval>monthly</interval>
</bogons>
<pf_share_forward>1</pf_share_forward>
<lb_use_sticky>1</lb_use_sticky>
<ssh>
<group>admins</group>
</ssh>
<firmware version="1.0.0">
<mirror>https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE</mirror>
<flavour>latest</flavour>
<type>business</type>
</firmware>
<rrdbackup>-1</rrdbackup>
<netflowbackup>-1</netflowbackup>
</system>
<interfaces>
<wan>
<enable>1</enable>
<if>igb1</if>
<mtu/>
<ipaddr>dhcp</ipaddr>
<ipaddrv6>dhcp6</ipaddrv6>
<subnet/>
<gateway/>
<blockpriv>1</blockpriv>
<blockbogons>1</blockbogons>
<dhcphostname/>
<media/>
<mediaopt/>
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
</wan>
<lan>
<enable>1</enable>
<if>igb0</if>
<ipaddr>192.168.1.1</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<subnetv6>64</subnetv6>
<media/>
<mediaopt/>
<track6-interface>wan</track6-interface>
<track6-prefix-id>0</track6-prefix-id>
</lan>
</interfaces>
<dhcpd>
<lan>
<enable/>
<range>
<from>192.168.1.100</from>
<to>192.168.1.199</to>
</range>
</lan>
</dhcpd>
<unbound>
<enable>1</enable>
</unbound>
<snmpd>
<syslocation/>
<syscontact/>
<rocommunity>public</rocommunity>
</snmpd>
<nat>
<outbound>
<mode>automatic</mode>
</outbound>
</nat>
<filter>
<rule>
<type>pass</type>
<ipprotocol>inet</ipprotocol>
<descr>Default allow LAN to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
<rule>
<type>pass</type>
<ipprotocol>inet6</ipprotocol>
<descr>Default allow LAN IPv6 to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
</filter>
<rrd>
<enable/>
</rrd>
<load_balancer>
<monitor_type>
<name>ICMP</name>
<type>icmp</type>
<descr>ICMP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>TCP</name>
<type>tcp</type>
<descr>Generic TCP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>HTTP</name>
<type>http</type>
<descr>Generic HTTP</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>HTTPS</name>
<type>https</type>
<descr>Generic HTTPS</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>SMTP</name>
<type>send</type>
<descr>Generic SMTP</descr>
<options>
<send/>
<expect>220 *</expect>
</options>
</monitor_type>
</load_balancer>
<ntpd>
<prefer>0.opnsense.pool.ntp.org</prefer>
</ntpd>
<widgets>
<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
<column_count>2</column_count>
</widgets>
</opnsense>
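Review bot: `vm.pmap.pti` is pinned to `0` and `hw.ibrs_disable` to `1`, so this shipped default turns the Meltdown and Spectre V2 kernel mitigations off while the `<descr>` text only names the mitigation; the `amdtemp` and `dev.ax` tunables suggest an AMD platform, for which PTI does not apply, so state that reasoning in the `<descr>` so a later reader does not take it for an oversight. The six `dev.ax.*` items ship with an empty `<descr/>`; describe them (NIC ring sizes and RSS for the on-board ports) like every other item. Also `<snmpd>` keeps `<rocommunity>public</rocommunity>` without an `<enable>` element, unlike `<unbound>`, so confirm the daemon stays off until explicitly enabled, and the root `<password>` hash is the same fixed value in every config on this page, so `<trigger_initial_wizard/>` must force a password change on first login.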

@ -0,0 +1,397 @@
<?xml version="1.0"?>
<opnsense>
<trigger_initial_wizard/>
<theme>opnsense</theme>
<sysctl>
<item>
<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
<tunable>vfs.read_max</tunable>
<value>default</value>
</item>
<item>
<descr>Set the ephemeral port range to be lower.</descr>
<tunable>net.inet.ip.portrange.first</tunable>
<value>default</value>
</item>
<item>
<descr>Drop packets to closed TCP ports without returning a RST</descr>
<tunable>net.inet.tcp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
<tunable>net.inet.udp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize the ID field in IP packets</descr>
<tunable>net.inet.ip.random_id</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.accept_sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
This option turns off the logging of redirect packets because there is no limit and this could fill
up your logs consuming your whole hard drive.
</descr>
<tunable>net.inet.icmp.log_redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
<tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value>
</item>
<item>
<descr>Enable sending IPv6 redirects</descr>
<tunable>net.inet6.ip6.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
<tunable>net.inet6.ip6.use_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Prefer privacy addresses and use them over the normal addresses</descr>
<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
<tunable>net.inet.tcp.syncookies</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
<tunable>net.inet.tcp.recvspace</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
<tunable>net.inet.tcp.sendspace</tunable>
<value>default</value>
</item>
<item>
<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
<tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.inet.udp.maxdgram</tunable>
<value>default</value>
</item>
<item>
<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
<tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
<tunable>net.link.bridge.pfil_local_phys</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
<tunable>net.link.bridge.pfil_member</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to enable filtering on the bridge interface</descr>
<tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value>
</item>
<item>
<descr>Allow unprivileged access to tap(4) device nodes</descr>
<tunable>net.link.tap.user_open</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
<tunable>kern.randompid</tunable>
<value>default</value>
</item>
<item>
<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
<tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value>
</item>
<item>
<descr>Enable TCP extended debugging</descr>
<tunable>net.inet.tcp.log_debug</tunable>
<value>default</value>
</item>
<item>
<descr>Set ICMP Limits</descr>
<tunable>net.inet.icmp.icmplim</tunable>
<value>default</value>
</item>
<item>
<descr>TCP Offload Engine</descr>
<tunable>net.inet.tcp.tso</tunable>
<value>default</value>
</item>
<item>
<descr>UDP Checksums</descr>
<tunable>net.inet.udp.checksum</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum socket buffer size</descr>
<tunable>kern.ipc.maxsockbuf</tunable>
<value>default</value>
</item>
<item>
<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
<tunable>vm.pmap.pti</tunable>
<value>0</value>
</item>
<item>
<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
<tunable>hw.ibrs_disable</tunable>
<value>1</value>
</item>
<item>
<descr>Hide processes running as other groups</descr>
<tunable>security.bsd.see_other_gids</tunable>
<value>default</value>
</item>
<item>
<descr>Hide processes running as other users</descr>
<tunable>security.bsd.see_other_uids</tunable>
<value>default</value>
</item>
<item>
<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
and for the sender directly reachable, route and next hop is known.
</descr>
<tunable>net.inet.ip.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
packets without returning a response.
</descr>
<tunable>net.inet.icmp.drop_redirect</tunable>
<value>1</value>
</item>
<item>
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.local.dgram.maxdgram</tunable>
<value>default</value>
</item>
<item>
<descr>AMD temp offset</descr>
<tunable>dev.amdtemp.0.sensor_offset</tunable>
<value>-10</value>
</item>
</sysctl>
<system>
<serialspeed>115200</serialspeed>
<primaryconsole>serial</primaryconsole>
<optimization>normal</optimization>
<hostname>OPNsense</hostname>
<domain>localdomain</domain>
<dnsallowoverride>1</dnsallowoverride>
<group>
<name>admins</name>
<description>System Administrators</description>
<scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>page-all</priv>
</group>
<user>
<name>root</name>
<descr>System Administrator</descr>
<scope>system</scope>
<groupname>admins</groupname>
<password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
<uid>0</uid>
</user>
<nextuid>2000</nextuid>
<nextgid>2000</nextgid>
<timezone>Etc/UTC</timezone>
<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
<webgui>
<protocol>https</protocol>
</webgui>
<disablenatreflection>yes</disablenatreflection>
<usevirtualterminal>1</usevirtualterminal>
<disableconsolemenu/>
<disablevlanhwfilter>1</disablevlanhwfilter>
<disablechecksumoffloading>1</disablechecksumoffloading>
<disablesegmentationoffloading>1</disablesegmentationoffloading>
<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
<ipv6allow/>
<powerd_enable>1</powerd_enable>
<powerd_ac_mode>hadp</powerd_ac_mode>
<powerd_battery_mode>hadp</powerd_battery_mode>
<powerd_normal_mode>hadp</powerd_normal_mode>
<bogons>
<interval>monthly</interval>
</bogons>
<pf_share_forward>1</pf_share_forward>
<lb_use_sticky>1</lb_use_sticky>
<ssh>
<group>admins</group>
</ssh>
<firmware version="1.0.0">
<mirror>https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE</mirror>
<flavour>latest</flavour>
<type>business</type>
</firmware>
<use_mfs_var>1</use_mfs_var>
<use_mfs_tmp>1</use_mfs_tmp>
</system>
<interfaces>
<wan>
<enable>1</enable>
<if>igb1</if>
<mtu/>
<ipaddr>dhcp</ipaddr>
<ipaddrv6>dhcp6</ipaddrv6>
<subnet/>
<gateway/>
<blockpriv>1</blockpriv>
<blockbogons>1</blockbogons>
<dhcphostname/>
<media/>
<mediaopt/>
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
</wan>
<lan>
<enable>1</enable>
<if>igb0</if>
<ipaddr>192.168.1.1</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<subnetv6>64</subnetv6>
<media/>
<mediaopt/>
<track6-interface>wan</track6-interface>
<track6-prefix-id>0</track6-prefix-id>
</lan>
</interfaces>
<dhcpd>
<lan>
<enable/>
<range>
<from>192.168.1.100</from>
<to>192.168.1.199</to>
</range>
</lan>
</dhcpd>
<unbound>
<enable>1</enable>
</unbound>
<snmpd>
<syslocation/>
<syscontact/>
<rocommunity>public</rocommunity>
</snmpd>
<nat>
<outbound>
<mode>automatic</mode>
</outbound>
</nat>
<filter>
<rule>
<type>pass</type>
<ipprotocol>inet</ipprotocol>
<descr>Default allow LAN to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
<rule>
<type>pass</type>
<ipprotocol>inet6</ipprotocol>
<descr>Default allow LAN IPv6 to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
</filter>
<rrd>
<enable/>
</rrd>
<load_balancer>
<monitor_type>
<name>ICMP</name>
<type>icmp</type>
<descr>ICMP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>TCP</name>
<type>tcp</type>
<descr>Generic TCP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>HTTP</name>
<type>http</type>
<descr>Generic HTTP</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>HTTPS</name>
<type>https</type>
<descr>Generic HTTPS</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>SMTP</name>
<type>send</type>
<descr>Generic SMTP</descr>
<options>
<send/>
<expect>220 *</expect>
</options>
</monitor_type>
</load_balancer>
<ntpd>
<prefer>0.opnsense.pool.ntp.org</prefer>
</ntpd>
<widgets>
<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
<column_count>2</column_count>
</widgets>
</opnsense>
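Review bot: `<use_mfs_var>1</use_mfs_var>` and `<use_mfs_tmp>1</use_mfs_tmp>` put /var and /tmp on memory filesystems, so local firewall logs under /var/log do not survive a reboot unless log persistence is configured separately; this is the only one of the configs on this page with the setting, so note it in the model's documentation and point operators at remote syslog if they need those logs for incident review. The `dev.amdtemp.0.sensor_offset` item is set to `-10` with the descr `AMD temp offset`; say which board calibration that value comes from so it is not copied blindly to other hardware. The `vm.pmap.pti` = `0` and `hw.ibrs_disable` = `1` items need the same rationale in their `<descr>` as in the other configs.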

@ -0,0 +1,397 @@
<?xml version="1.0"?>
<opnsense>
<trigger_initial_wizard/>
<theme>opnsense</theme>
<sysctl>
<item>
<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
<tunable>vfs.read_max</tunable>
<value>default</value>
</item>
<item>
<descr>Set the ephemeral port range to be lower.</descr>
<tunable>net.inet.ip.portrange.first</tunable>
<value>default</value>
</item>
<item>
<descr>Drop packets to closed TCP ports without returning a RST</descr>
<tunable>net.inet.tcp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
<tunable>net.inet.udp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize the ID field in IP packets</descr>
<tunable>net.inet.ip.random_id</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.accept_sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
This option turns off the logging of redirect packets because there is no limit and this could fill
up your logs consuming your whole hard drive.
</descr>
<tunable>net.inet.icmp.log_redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
<tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value>
</item>
<item>
<descr>Enable sending IPv6 redirects</descr>
<tunable>net.inet6.ip6.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
<tunable>net.inet6.ip6.use_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Prefer privacy addresses and use them over the normal addresses</descr>
<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
<tunable>net.inet.tcp.syncookies</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
<tunable>net.inet.tcp.recvspace</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
<tunable>net.inet.tcp.sendspace</tunable>
<value>default</value>
</item>
<item>
<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
<tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.inet.udp.maxdgram</tunable>
<value>default</value>
</item>
<item>
<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
<tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
<tunable>net.link.bridge.pfil_local_phys</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
<tunable>net.link.bridge.pfil_member</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to enable filtering on the bridge interface</descr>
<tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value>
</item>
<item>
<descr>Allow unprivileged access to tap(4) device nodes</descr>
<tunable>net.link.tap.user_open</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
<tunable>kern.randompid</tunable>
<value>default</value>
</item>
<item>
<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
<tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value>
</item>
<item>
<descr>Enable TCP extended debugging</descr>
<tunable>net.inet.tcp.log_debug</tunable>
<value>default</value>
</item>
<item>
<descr>Set ICMP Limits</descr>
<tunable>net.inet.icmp.icmplim</tunable>
<value>default</value>
</item>
<item>
<descr>TCP Offload Engine</descr>
<tunable>net.inet.tcp.tso</tunable>
<value>default</value>
</item>
<item>
<descr>UDP Checksums</descr>
<tunable>net.inet.udp.checksum</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum socket buffer size</descr>
<tunable>kern.ipc.maxsockbuf</tunable>
<value>default</value>
</item>
<item>
<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
<tunable>vm.pmap.pti</tunable>
<value>0</value>
</item>
<item>
<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
<tunable>hw.ibrs_disable</tunable>
<value>1</value>
</item>
<item>
<descr>Hide processes running as other groups</descr>
<tunable>security.bsd.see_other_gids</tunable>
<value>default</value>
</item>
<item>
<descr>Hide processes running as other users</descr>
<tunable>security.bsd.see_other_uids</tunable>
<value>default</value>
</item>
<item>
<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
and for the sender directly reachable, route and next hop is known.
</descr>
<tunable>net.inet.ip.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
packets without returning a response.
</descr>
<tunable>net.inet.icmp.drop_redirect</tunable>
<value>1</value>
</item>
<item>
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.local.dgram.maxdgram</tunable>
<value>default</value>
</item>
<item>
<descr>AMD temp offset</descr>
<tunable>dev.amdtemp.0.sensor_offset</tunable>
<value>-10</value>
</item>
</sysctl>
<system>
<serialspeed>115200</serialspeed>
<primaryconsole>serial</primaryconsole>
<optimization>normal</optimization>
<hostname>OPNsense</hostname>
<domain>localdomain</domain>
<dnsallowoverride>1</dnsallowoverride>
<group>
<name>admins</name>
<description>System Administrators</description>
<scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>page-all</priv>
</group>
<user>
<name>root</name>
<descr>System Administrator</descr>
<scope>system</scope>
<groupname>admins</groupname>
<password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
<uid>0</uid>
</user>
<nextuid>2000</nextuid>
<nextgid>2000</nextgid>
<timezone>Etc/UTC</timezone>
<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
<webgui>
<protocol>https</protocol>
</webgui>
<disablenatreflection>yes</disablenatreflection>
<usevirtualterminal>1</usevirtualterminal>
<disableconsolemenu/>
<disablevlanhwfilter>1</disablevlanhwfilter>
<disablechecksumoffloading>1</disablechecksumoffloading>
<disablesegmentationoffloading>1</disablesegmentationoffloading>
<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
<ipv6allow/>
<powerd_enable>1</powerd_enable>
<powerd_ac_mode>hadp</powerd_ac_mode>
<powerd_battery_mode>hadp</powerd_battery_mode>
<powerd_normal_mode>hadp</powerd_normal_mode>
<bogons>
<interval>monthly</interval>
</bogons>
<pf_share_forward>1</pf_share_forward>
<lb_use_sticky>1</lb_use_sticky>
<ssh>
<group>admins</group>
</ssh>
<firmware version="1.0.0">
<mirror>https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE</mirror>
<flavour>latest</flavour>
<type>business</type>
</firmware>
<rrdbackup>-1</rrdbackup>
<netflowbackup>-1</netflowbackup>
</system>
<interfaces>
<wan>
<enable>1</enable>
<if>igb1</if>
<mtu/>
<ipaddr>dhcp</ipaddr>
<ipaddrv6>dhcp6</ipaddrv6>
<subnet/>
<gateway/>
<blockpriv>1</blockpriv>
<blockbogons>1</blockbogons>
<dhcphostname/>
<media/>
<mediaopt/>
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
</wan>
<lan>
<enable>1</enable>
<if>igb0</if>
<ipaddr>192.168.1.1</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<subnetv6>64</subnetv6>
<media/>
<mediaopt/>
<track6-interface>wan</track6-interface>
<track6-prefix-id>0</track6-prefix-id>
</lan>
</interfaces>
<dhcpd>
<lan>
<enable/>
<range>
<from>192.168.1.100</from>
<to>192.168.1.199</to>
</range>
</lan>
</dhcpd>
<unbound>
<enable>1</enable>
</unbound>
<snmpd>
<syslocation/>
<syscontact/>
<rocommunity>public</rocommunity>
</snmpd>
<nat>
<outbound>
<mode>automatic</mode>
</outbound>
</nat>
<filter>
<rule>
<type>pass</type>
<ipprotocol>inet</ipprotocol>
<descr>Default allow LAN to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
<rule>
<type>pass</type>
<ipprotocol>inet6</ipprotocol>
<descr>Default allow LAN IPv6 to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
</filter>
<rrd>
<enable/>
</rrd>
<load_balancer>
<monitor_type>
<name>ICMP</name>
<type>icmp</type>
<descr>ICMP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>TCP</name>
<type>tcp</type>
<descr>Generic TCP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>HTTP</name>
<type>http</type>
<descr>Generic HTTP</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>HTTPS</name>
<type>https</type>
<descr>Generic HTTPS</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>SMTP</name>
<type>send</type>
<descr>Generic SMTP</descr>
<options>
<send/>
<expect>220 *</expect>
</options>
</monitor_type>
</load_balancer>
<ntpd>
<prefer>0.opnsense.pool.ntp.org</prefer>
</ntpd>
<widgets>
<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
<column_count>2</column_count>
</widgets>
</opnsense>
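Review bot: this downloadable factory configuration ships a fixed root credential and a well-known SNMP community, so every appliance imported from it starts out identical to every other one. The `<password>` element under `<user>` holds the same bcrypt hash for root on all devices, and `<snmpd>` carries `<rocommunity>public</rocommunity>`; the page that links these files should state that the root password must be changed and the community string replaced (or the `<snmpd>` stanza removed) right after import, before any SNMP service is enabled. Likewise, `<mirror>https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE</mirror>` is a placeholder in the URL path where the subscription key goes; say so next to the download link, and note that the key then lives in plain text in config.xml and in every backup of it.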

@ -0,0 +1,428 @@
<?xml version="1.0"?>
<opnsense>
<trigger_initial_wizard/>
<theme>opnsense</theme>
<sysctl>
<item>
<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
<tunable>vfs.read_max</tunable>
<value>default</value>
</item>
<item>
<descr>Set the ephemeral port range to be lower.</descr>
<tunable>net.inet.ip.portrange.first</tunable>
<value>default</value>
</item>
<item>
<descr>Drop packets to closed TCP ports without returning a RST</descr>
<tunable>net.inet.tcp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
<tunable>net.inet.udp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize the ID field in IP packets</descr>
<tunable>net.inet.ip.random_id</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.accept_sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr>
This option turns off the logging of redirect packets because there is no limit and this could fill
up your logs consuming your whole hard drive.
</descr>
<tunable>net.inet.icmp.log_redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
<tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value>
</item>
<item>
<descr>Enable sending IPv6 redirects</descr>
<tunable>net.inet6.ip6.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
<tunable>net.inet6.ip6.use_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Prefer privacy addresses and use them over the normal addresses</descr>
<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
<tunable>net.inet.tcp.syncookies</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
<tunable>net.inet.tcp.recvspace</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
<tunable>net.inet.tcp.sendspace</tunable>
<value>default</value>
</item>
<item>
<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
<tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.inet.udp.maxdgram</tunable>
<value>default</value>
</item>
<item>
<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
<tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
<tunable>net.link.bridge.pfil_local_phys</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
<tunable>net.link.bridge.pfil_member</tunable>
<value>default</value>
</item>
<item>
<descr>Set to 1 to enable filtering on the bridge interface</descr>
<tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value>
</item>
<item>
<descr>Allow unprivileged access to tap(4) device nodes</descr>
<tunable>net.link.tap.user_open</tunable>
<value>default</value>
</item>
<item>
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
<tunable>kern.randompid</tunable>
<value>default</value>
</item>
<item>
<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
<tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value>
</item>
<item>
<descr>Enable TCP extended debugging</descr>
<tunable>net.inet.tcp.log_debug</tunable>
<value>default</value>
</item>
<item>
<descr>Set ICMP Limits</descr>
<tunable>net.inet.icmp.icmplim</tunable>
<value>default</value>
</item>
<item>
<descr>TCP Offload Engine</descr>
<tunable>net.inet.tcp.tso</tunable>
<value>default</value>
</item>
<item>
<descr>UDP Checksums</descr>
<tunable>net.inet.udp.checksum</tunable>
<value>default</value>
</item>
<item>
<descr>Maximum socket buffer size</descr>
<tunable>kern.ipc.maxsockbuf</tunable>
<value>default</value>
</item>
<item>
<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
<tunable>vm.pmap.pti</tunable>
<value>0</value>
</item>
<item>
<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
<tunable>hw.ibrs_disable</tunable>
<value>1</value>
</item>
<item>
<descr>Hide processes running as other groups</descr>
<tunable>security.bsd.see_other_gids</tunable>
<value>default</value>
</item>
<item>
<descr>Hide processes running as other users</descr>
<tunable>security.bsd.see_other_uids</tunable>
<value>default</value>
</item>
<item>
<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
and for the sender directly reachable, route and next hop is known.
</descr>
<tunable>net.inet.ip.redirect</tunable>
<value>default</value>
</item>
<item>
<descr>
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
packets without returning a response.
</descr>
<tunable>net.inet.icmp.drop_redirect</tunable>
<value>1</value>
</item>
<item>
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.local.dgram.maxdgram</tunable>
<value>default</value>
</item>
<item>
<tunable>dev.ax.0.iflib.override_nrxds</tunable>
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
<descr/>
</item>
<item>
<tunable>dev.ax.0.iflib.override_ntxds</tunable>
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
<descr/>
</item>
<item>
<tunable>dev.ax.1.iflib.override_nrxds</tunable>
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
<descr/>
</item>
<item>
<tunable>dev.ax.1.iflib.override_ntxds</tunable>
<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
<descr/>
</item>
<item>
<tunable>dev.ax.0.rss_enabled</tunable>
<value>1</value>
<descr/>
</item>
<item>
<tunable>dev.ax.1.rss_enabled</tunable>
<value>1</value>
<descr/>
</item>
<item>
<tunable>ice_ddp_load</tunable>
<value>YES</value>
<descr>Include DDP package file for Intel ice driver</descr>
</item>
</sysctl>
<system>
<serialspeed>115200</serialspeed>
<primaryconsole>serial</primaryconsole>
<optimization>normal</optimization>
<hostname>OPNsense</hostname>
<domain>localdomain</domain>
<dnsallowoverride>1</dnsallowoverride>
<group>
<name>admins</name>
<description>System Administrators</description>
<scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>page-all</priv>
</group>
<user>
<name>root</name>
<descr>System Administrator</descr>
<scope>system</scope>
<groupname>admins</groupname>
<password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
<uid>0</uid>
</user>
<nextuid>2000</nextuid>
<nextgid>2000</nextgid>
<timezone>Etc/UTC</timezone>
<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
<webgui>
<protocol>https</protocol>
</webgui>
<disablenatreflection>yes</disablenatreflection>
<usevirtualterminal>1</usevirtualterminal>
<disableconsolemenu/>
<disablevlanhwfilter>1</disablevlanhwfilter>
<disablechecksumoffloading>1</disablechecksumoffloading>
<disablesegmentationoffloading>1</disablesegmentationoffloading>
<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
<ipv6allow/>
<powerd_enable>1</powerd_enable>
<powerd_ac_mode>hadp</powerd_ac_mode>
<powerd_battery_mode>hadp</powerd_battery_mode>
<powerd_normal_mode>hadp</powerd_normal_mode>
<thermal_hardware>amdtemp</thermal_hardware>
<bogons>
<interval>monthly</interval>
</bogons>
<pf_share_forward>1</pf_share_forward>
<lb_use_sticky>1</lb_use_sticky>
<ssh>
<group>admins</group>
</ssh>
<firmware version="1.0.0">
<mirror>https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE</mirror>
<flavour>latest</flavour>
<type>business</type>
</firmware>
<rrdbackup>-1</rrdbackup>
<netflowbackup>-1</netflowbackup>
</system>
<interfaces>
<wan>
<enable>1</enable>
<if>igb1</if>
<mtu/>
<ipaddr>dhcp</ipaddr>
<ipaddrv6>dhcp6</ipaddrv6>
<subnet/>
<gateway/>
<blockpriv>1</blockpriv>
<blockbogons>1</blockbogons>
<dhcphostname/>
<media/>
<mediaopt/>
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
</wan>
<lan>
<enable>1</enable>
<if>igb0</if>
<ipaddr>192.168.1.1</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<subnetv6>64</subnetv6>
<media/>
<mediaopt/>
<track6-interface>wan</track6-interface>
<track6-prefix-id>0</track6-prefix-id>
</lan>
</interfaces>
<dhcpd>
<lan>
<enable/>
<range>
<from>192.168.1.100</from>
<to>192.168.1.199</to>
</range>
</lan>
</dhcpd>
<unbound>
<enable>1</enable>
</unbound>
<snmpd>
<syslocation/>
<syscontact/>
<rocommunity>public</rocommunity>
</snmpd>
<nat>
<outbound>
<mode>automatic</mode>
</outbound>
</nat>
<filter>
<rule>
<type>pass</type>
<ipprotocol>inet</ipprotocol>
<descr>Default allow LAN to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
<rule>
<type>pass</type>
<ipprotocol>inet6</ipprotocol>
<descr>Default allow LAN IPv6 to any rule</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
</filter>
<rrd>
<enable/>
</rrd>
<load_balancer>
<monitor_type>
<name>ICMP</name>
<type>icmp</type>
<descr>ICMP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>TCP</name>
<type>tcp</type>
<descr>Generic TCP</descr>
<options/>
</monitor_type>
<monitor_type>
<name>HTTP</name>
<type>http</type>
<descr>Generic HTTP</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>HTTPS</name>
<type>https</type>
<descr>Generic HTTPS</descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>SMTP</name>
<type>send</type>
<descr>Generic SMTP</descr>
<options>
<send/>
<expect>220 *</expect>
</options>
</monitor_type>
</load_balancer>
<ntpd>
<prefer>0.opnsense.pool.ntp.org</prefer>
</ntpd>
<widgets>
<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
<column_count>2</column_count>
</widgets>
</opnsense>
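Review bot: `vm.pmap.pti` is set to `0` and `hw.ibrs_disable` to `1`, so the Meltdown (PTI) and Spectre V2 (IBRS) kernel mitigations are explicitly switched off in this factory config, while `net.inet.icmp.drop_redirect` is the only hardening tunable given a non-default value. The rationale belongs next to the download link rather than buried in the XML: `<thermal_hardware>amdtemp</thermal_hardware>` points at an AMD platform, where PTI is not required because AMD CPUs are not affected by Meltdown, but leaving IBRS disabled trades Spectre V2 protection for throughput, and the appliance owner should be told that and how to turn it back on (System --> Settings --> Tunables, reboot required per the PTI description). The `<password>` hash, `<rocommunity>public</rocommunity>` and the `FILL-IN-YOUR-LICENSE-HERE` mirror placeholder are inherited from the other factory configs and need the same post-import warning.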

@ -11,16 +11,29 @@ Below you will find the list of our currently available models:
Model Formfactor config
========= ============ ========================================================================
DEC675 Desktop :download:`22.1/22.4 <configs/22.4/A10V2-SD-config.xml>`
:download:`22.7/22.10 <configs/22.10/A10V2-SD-config.xml>`
DEC695 Desktop :download:`22.1/22.4 <configs/22.4/A10V2-config.xml>`
:download:`22.7/22.10 <configs/22.10/A10V2-config.xml>`
DEC740 Desktop :download:`22.1/22.4 <configs/22.4/A10-gen3-config.xml>`
:download:`22.7/22.10 <configs/22.10/A10-gen3-config.xml>`
DEC750 Desktop :download:`22.1/22.4 <configs/22.4/A10-gen3-config.xml>`
:download:`22.7/22.10 <configs/22.10/A10-gen3-config.xml>`
DEC840 Desktop :download:`22.1/22.4 <configs/22.4/A20-config.xml>`
:download:`22.7/22.10 <configs/22.10/A20-config.xml>`
DEC850 Desktop :download:`22.1/22.4 <configs/22.4/A20-config.xml>`
:download:`22.7/22.10 <configs/22.10/A20-config.xml>`
DEC2685 Rack :download:`22.1/22.4 <configs/22.4/A10V2-config.xml>`
:download:`22.7/22.10 <configs/22.10/A10V2-config.xml>`
DEC2750 Rack :download:`22.1/22.4 <configs/22.4/A10-gen3-config.xml>`
:download:`22.7/22.10 <configs/22.10/A10-gen3-config.xml>`
DEC3840 Rack :download:`22.1/22.4 <configs/22.4/A20-config.xml>`
:download:`22.7/22.10 <configs/22.10/A20-config.xml>`
DEC3850 Rack :download:`22.1/22.4 <configs/22.4/A20-config.xml>`
:download:`22.7/22.10 <configs/22.10/A20-config.xml>`
DEC3860 Rack :download:`22.1/22.4 <configs/22.4/A20-config.xml>`
:download:`22.7/22.10 <configs/22.10/A20-config.xml>`
DEC4020 Rack :download:`22.1/22.4 <configs/22.4/A20-config.xml>`
:download:`22.7/22.10 <configs/22.10/A20-config.xml>`
DEC4040 Rack :download:`22.1/22.4 <configs/22.4/A20-config.xml>`
:download:`22.7/22.10 <configs/22.10/A20-config.xml>`
========= ============ ========================================================================

@ -95,8 +95,7 @@ The feature set of OPNsense includes high-end features such as forward caching
proxy, traffic shaping, intrusion detection and easy OpenVPN client setup.
The latest release is based on a recent FreeBSD for long-term support and uses a
newly developed MVC-framework based on Phalcon. OPNsenses focus on security
brings unique features such as the option to use LibreSSL instead of OpenSSL
(selectable in the GUI).
brings unique features such as easy to use one time password authentication for various components.
The robust and reliable update mechanism gives OPNsense the ability to provide
important security updates in a timely fashion.
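Review bot: while this paragraph is being edited, fix the unchanged line 'OPNsenses focus on security' to 'OPNsense's focus on security', and hyphenate the new phrase: 'easy-to-use one-time-password authentication for various components'.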

@ -8,6 +8,24 @@ changes.
Aliases can be added, modified and removed via :menuselection:`Firewall --> Aliases`.
-----------------------------------
Overview
-----------------------------------
The page opens with an overview of the aliases available, including some internal ones available from installed software.
At the top of the page you can search for aliases or preselect various types or categories to which they belong.
In order to gain some insights into the current status of the plugins, two additional (meta) fields are being displayed, being:
* Loaded#
* Shows the amount of entries planned to install into the table, in case there's not enough memory available to load the
item in question, one can easily find the alias causing the overflow in table entries (bar at the right top of the page)
* Last updated
* Shows the last timestamp from the entries saved to disk.
-----------
Alias Types
-----------
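Review bot: 'Loaded#' carries a stray '#', and 'current status of the plugins' should read 'of the aliases', since the two meta fields describe alias tables, not plugins. The two 'Shows ...' lines are explanations of 'Loaded' and 'Last updated' and should be indented as sub-bullets instead of rendering as sibling bullets; 'the amount of entries' → 'the number of entries'. The sentence 'in case there's not enough memory available to load the item in question, one can easily find the alias causing the overflow in table entries' should name the limit being hit (the firewall's maximum table entries, memory, or both), because that is what the bar at the top right is measuring and what an operator has to raise.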
@ -41,6 +59,8 @@ OPNsense offers the following alias types:
| BGP ASN | Maps autonomous system (AS) numbers to networks |
| | where they are responsible for. |
+------------------+------------------------------------------------------+
| OpenVPN group | Map user groups to logged in OpenVPN users |
+------------------+------------------------------------------------------+
| Internal | Internal aliases which are managed by the product |
| (automatic) | |
+------------------+------------------------------------------------------+
@ -304,6 +324,24 @@ alias and add or remove entries immediately.
Since external alias types won't be touched by OPNsense, you can use :code:`pfctl` directly in scripts to manage
its contents. (e.g. :code:`pfctl -t MyAlias -T add 10.0.0.3` to add **10.0.0.3** to **MyAlias**)
....................................
OpenVPN group
....................................
This alias type offers the possibility to build firewall policies for logged in OpenVPN users by the group they belong to
as configured in :menuselection:`System --> Access --> Groups`.
The current users that are logged into OpenVPN can be inspected via :menuselection:`VPN --> OpenVPN --> Connection Status`, the alias
just follows this information and flushes the attached addresses to the item in question.
For example, when a user named **fred** which is a member of group **remote_users** logs into OpenVPN and received a tunnel address
of :code:`10.10.10.2`, the alias containing "remote_users" would include this address as well.
.. Tip::
When using LDAP (Active directory), you can synchronise group membership to avoid double administration in OPNsense.
....................................
Internal (automatic)
....................................
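Review bot: 'the alias just follows this information and flushes the attached addresses to the item in question' does not say when the alias is refreshed. A firewall policy keyed on 'remote_users' is only as accurate as this address-to-user mapping, so state the trigger (connect and disconnect events, a periodic refresh, or both) and what happens to a tunnel address after its user disconnects; if it lingers, a subsequently reconnecting user who is assigned :code:`10.10.10.2` inherits the group's access. Grammar: 'a user named fred which is a member' → 'who is a member'; 'logs into OpenVPN and received a tunnel address' → 'receives a tunnel address'. The tip about synchronising group membership from LDAP should point to where that is configured.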

@ -8,6 +8,7 @@ avoiding the need to use the ``openssl`` command line tool. Certificates in OPNs
:menuselection:`System --> Trust --> Certificates`.
Examples of OPNsense components that use certificates:
* OpenVPN
* IPsec
* Captive Portal

@ -28,6 +28,26 @@ Sessions
Utilises `pftop <https://www.freebsd.org/cgi/man.cgi?query=pftop>`__ to offer a detailed view on the active sessions
and their traffic counters.
The following fields are available in the grid:
==========================================================================================================================
========================= ================================================================================================
Dir Direction (in :code:`->` or out :code:`<-`)
Proto Protocol in question
Source Source address and port
Gateway Address and port this session is being translated too using NAT
Destination Destination address and port
State State at source:destination, see tables in States section
Age (sec) The number of seconds since the state is created
Expires (sec) The number of seconds left before the state expires.
Pkts Number of packets processed by the state
Bytes Number of bytes processed by the state
Rule Rule this state (most likely) belongs to
========================= ================================================================================================
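Review bot: 'Address and port this session is being translated too using NAT' → 'translated to using NAT' (the same typo reappears in the States table below), and 'since the state is created' → 'since the state was created'. The table opens with a single long run of '=' above the two-column border; confirm the rendered RST actually yields two columns, since in a simple table the first border line defines the column layout.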
-----------------------------------------
States
-----------------------------------------
@ -36,6 +56,64 @@ Insight into the state table (pf), offers the ability to search for specific sta
It is also possible to reset all states and/or the source tracking tables from here, especially the state table
reset should be used with care as it drops all active connections.
.. Note::
The state table tries to connect states to rules, but since these are refered to by rule number (sequence) in :code:`pf(4)`
these aren't always accurate after changes to the rules.
The following fields are available in the grid:
==========================================================================================================================
========================= ================================================================================================
State id Unique internal identifier describing the state and the origin (creator)
Int Bound to which interface, by default this is all unless " Bind states to interface" is set
in :menuselection:`Firewall->Settings->Advanced`
Dir Direction (in :code:`->` or out :code:`<-`)
Proto Protocol in question
Source Source address and port
Nat Address and port this session is being translated too using NAT
Destination Destination address and port
State State at source:destination,
see next tables for lists of states and their explanations available
Rule Rule this state (most likely) belongs to
Command Button to drop a specific state (State id)
========================= ================================================================================================
List of available TCP states (as defined by `RFC 793 <https://www.rfc-editor.org/rfc/rfc793>`__)
==========================================================================================================================
========================= ================================================================================================
LISTEN Represents waiting for a connection request from any remote TCP and port.
SYN_SENT Represents waiting for a matching connection request after having sent a connection request.
SYN_RCVD Represents waiting for a confirming connection request acknowledgment
after having both received and sent a connection request.
ESTABLISHED Represents an open connection, data received can be delivered to the user.
The normal state for the data transfer phase of the connection.
FIN_WAIT_1 Represents waiting for a connection termination request from the remote TCP,
or an acknowledgment of the connection termination request previously sent.
FIN_WAIT_2 Represents waiting for a connection termination request from the remote TCP.
CLOSE_WAIT Represents waiting for a connection termination request from the local user.
CLOSING Represents waiting for a connection termination request acknowledgment from the remote TCP.
LAST_ACK Represents waiting for an acknowledgment of the connection termination request
previously sent to the remote TCP (which includes an acknowledgment of
its connection termination request).
TIME_WAIT Represents waiting for enough time to pass to be sure the remote TCP received the
acknowledgment of its connection termination request.
CLOSED Represents no connection state at all
==========================================================================================================================
List of available UDP/Other states (man `pf.conf(5) <https://www.freebsd.org/cgi/man.cgi?pf.conf(5)>`__)
==========================================================================================================================
========================= ================================================================================================
NO_TRAFFIC No traffic for this direction
SINGLE The state if the source host sends more than one packet but the destination host has never sent one back.
MULTIPLE The state if both hosts have sent packets.
========================= ================================================================================================
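Review bot: 'refered' → 'referred'; 'translated too' → 'translated to'; remove the stray space in '" Bind states to interface"' and write the menu path as :menuselection:`Firewall --> Settings --> Advanced` like the rest of the docs. The TCP state table is closed by a single long '=' line after CLOSED while the UDP table closes with the two-column border; use the same closing border for both so the table parses. The note on rule numbers is the right caveat but should be stated more bluntly for the incident-response use case: after any ruleset reload, the 'Rule' column for a pre-existing state is a best-effort hint and may name the wrong rule, so it should not be used as evidence of which rule admitted a connection.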
-----------------------------------------
Statistics
-----------------------------------------

@ -119,12 +119,12 @@ Promiscuous When set, the system will capture all traffic presen
Address Family Capture IPv4, IPv6 or both
Invert Protocol Select all but the protocol selected below
Protocol The protocol to filter on
Host Address This value is either the Source or Destination IP address or subnet in CIDR notation.
Host Address This value is either the Source or Destination IP/MAC address or subnet in CIDR notation.
The packet capture will look for this address in either field.
Matching can be negated by preceding the value with ":code:`not`".
Multiple IP addresses or CIDR subnets may be specified as boolean expression.
If you leave this field blank, all packets on the specified interface will be captured.
Example: :code:`not 10.0.0.0/24 not and not 11.0.0.1`
Example: :code:`not 10.0.0.0/24 not and not 11.0.0.1 or 00:0a:01:02:03:04`
Invert Port Select all but the port selected below
Port Port number to filter on (e.g. :code:`443` for standard https, :code:`22` for ssh)
Packet Length The Packet length is the number of bytes of each packet that will be captured.
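Review bot: the example :code:`not 10.0.0.0/24 not and not 11.0.0.1 or 00:0a:01:02:03:04` is not a valid boolean expression ('not and not'); since the line is being changed anyway, make it :code:`not 10.0.0.0/24 and not 11.0.0.1 or 00:0a:01:02:03:04`, and mention that without parentheses 'and' binds tighter than 'or', so the MAC term here is an alternative to the whole IP clause rather than an additional condition. The description now says 'IP/MAC address' but the next sentence still talks about 'this address in either field'; state whether a MAC is matched against both the source and destination Ethernet address the way an IP is matched against both IP fields.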

@ -120,6 +120,11 @@ Our default deny rule uses this property for example (if no rule applies, drop t
groups use :code:`300000` and interface rules land on :code:`400000` combined with the order in which they appear.
Automatic rules are usually registered at a higher priority (lower number).
.. Warning::
**NAT rules are always processed before filter rules!**
So for example, if you define a `NAT : port forwarding rules <nat.html#port-forwarding>`__ *without a associated rule*, i.e. **Filter rule association** set to **Pass**, this has the consequence, that no other rules will apply!
.. Tip::
The interface should show all rules that are used, when in doubt, you can always inspect the raw output of the ruleset in :code:`/tmp/rules.debug`
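Review bot: the warning's second sentence is hard to parse ('without a associated rule, i.e. Filter rule association set to Pass, this has the consequence, that no other rules will apply!'). Suggest: 'If you create a port forward with Filter rule association set to Pass, the NAT rule itself passes the translated traffic, so none of the interface's filter rules are evaluated for it.' Also 'a associated' → 'an associated', and the tip needs a break before 'when in doubt': 'The interface should show all rules that are used; when in doubt, inspect the raw ruleset in :code:`/tmp/rules.debug`.'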

@ -72,11 +72,6 @@ Configure the frequency of updating the lists of IP addresses that are reserved
Gateway Monitoring
------------------------------------
Kill states
.....................................
When unchecked (enabled) all states will be reset when a gateway is removed (see monitoring in the :doc:`gateways <gateways>` section)
Skip rules
.....................................
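Review bot: the 'Kill states' text for gateway monitoring is removed here without any replacement. Confirm the option is gone from Firewall --> Settings --> Advanced in the release this page targets, and if it moved elsewhere (for example into the gateway settings) add a pointer; otherwise readers of the :doc:`gateways` page lose the only description of what happens to existing states when a gateway is marked down.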
@ -135,16 +130,6 @@ Firewall state table optimization to use, influences the number of active states
* [aggressive] Expires idle connections quicker. More efficient use of CPU and memory but can drop legitimate idle connections
* [conservative] Tries to avoid dropping any legitimate idle connections at the expense of increased memory usage and CPU utilization.
Firewall Rules Optimization
.....................................
Influence how the firewall optimizes the generated ruleset.
* [none] Disable the ruleset optimizer.
* [basic] (default) Basic ruleset optimization does four things to improve the performance of ruleset evaluations: remove duplicate rules; remove rules that are a subset of another rule; combine multiple rules into a table when advantageous; re-order the rules to improve evaluation performance
* [profile] Uses the currently loaded ruleset as a feedback profile to tailor the ordering of quick rules to actual network traffic.
Bind states to interface
.....................................
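Review bot: the 'Firewall Rules Optimization' section is dropped without saying where, or whether, the ruleset optimizer setting still exists. If the optimizer now always runs in its default mode, one sentence stating that is more useful than silent removal, since the removed text was the only place documenting the 'profile' mode and the default 'basic' behaviour.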
@ -229,7 +214,21 @@ Check certificate of aliases URLs
Make sure the certificate is valid for all HTTPS addresses on aliases. If it's not valid or is revoked, do not download it.
Dynamic state reset
Anti DDOS
------------------------------------
Enable syncookies
.....................................
This option flushes the entire state table on IPv4 address changes in dynamic setups to e.g. allow VoIP servers to re-register.
This option is quite similar to the `syncookies <https://www.freebsd.org/cgi/man.cgi?syncookies>`__ kernel setting,
preventing memory allocation for local services before a proper handshake is made.
In this case pf will be protected agains state table exhaustion.
The following modes are available:
* never (default)
* always
* adaptive - in which case a lower and upper percentage should be specified referring to the usage of the state table.
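Review bot: the paragraph 'This option flushes the entire state table on IPv4 address changes in dynamic setups to e.g. allow VoIP servers to re-register.' is the unchanged body of the removed 'Dynamic state reset' heading and now sits under 'Enable syncookies', describing a different feature; remove it or move it back under its own heading. 'agains' → 'against'. For the adaptive mode, say which percentage switches syncookies on and which switches them off, since the protection against state-table exhaustion only applies once syncookies are active, and that threshold is the security-relevant part of the setting.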

@ -59,15 +59,39 @@ Settings
The settings menu contains all available mirrors and options which you can choose for your installation.
Usually the default options are good enough here, but if you want to choose a mirror more close to home you can do so here.
OPNsense supports two flavours for its TLS crypto stack, OpenSSL and LibreSSL. Our standard is `OpenSSL <https://www.openssl.org/>`__, but some more
security minded people favor OpenBSD's `LibreSSL <https://www.libressl.org/>`__
.. Note::
Since OpenSSL is more widely used, some software packages are not compatible with LibreSSL.
.. Tip::
The settings menu also provides the option to test development versions, which can be practical when testing features that
are planned for release. Just change the release type to **Development**.
Activate the Business Edition
...........................................
When you have purchased a license for the Business Edition or received it pre-installed on an appliance, you will
have to enable the license first.
In order to do so, please choose the following settings:
============== ==================================================================================
Mirror: Deciso (HTTPS,NL,Commercial)
Flavour: OpenSSL
Type: Business
Subscription: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (the activation key for the product)
============== ==================================================================================
.. image:: ../hardware/images/quickstart_be.png
:width: 500px
After save, go back to the status tab and click **Check for updates**
.. Note::
Upgrading to OPNsense BE is only possible when the installed community version number is lower than the
last available business edition. E.g. you can upgrade **22.7.x** to **22.10.x**, but you can not upgrade
**23.1** to **22.10**. You can always re-install using the installer found on the `business mirror <https://opnsense-update.deciso.com/>`__
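Review bot: 'a mirror more close to home' → 'a mirror closer to home'. The Business Edition table lists 'Flavour: OpenSSL', but the factory configs added in this same commit carry `<flavour>latest</flavour>`; confirm the label the GUI actually shows and use that. The table should also say that the subscription key is a credential: the factory configs show it becomes part of the mirror URL (`https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE`), so it is stored in plain text in config.xml and in every configuration backup.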

@ -87,9 +87,39 @@ password When using https authentication, choose a
Make sure to push to a "bare" upstream repository, when pressing "Setup/Test Git" the initial commits should be send to
your git server.
.. Tip::
--------------------------
SSH Setup
--------------------------
If you use GitHub, then your only option for git-backup, is to configure it for SSH access since GitHub has removed the ability for external applications to log into your account via your username and password.
The fields in OPNSense under :code:`System / Configuration / Backups / Git` should contain the following:
* URL absolutely MUST follow this format when using GitHub and GitLab: :code:`ssh://github.com/user_name/repo_name.git`. Any URL string that does not follow this pattern will not work.
* Branch should contain the word: :code:`master`
* SSH Private key (discussed below)
* User Name should ONLY contain the word :code:`git`
* password: leave this field empty
You need to create your repository BEFORE enabling git-backup. Do not add any files or READMEs to the repository. In other words, create a BLANK repository.
Next, `create a new SSH key <https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent>`__ specifically for git-backup (only generate the private / public keys per that document and skip the rest). **It is imperative that you do not add a password to your key**, or your backups will fail with authentication errors.
You should set up SSH access to just your repository by assigning your SSH public key to the repository instead of assigning it to your GitHub / GitLab account. Doing this ensures that you don't arbitrarily expose more of your git resources to OPNSense than is absolutely necessary for git-backup to work properly.
If you use GitHub, you can add your SSH public key by going to your repository, then click on :code:`settings`, then :code:`Deploy keys`. Or you can go straight to the URL using this format: :code:`https://github.com/USER_NAME/REPOSITORY_NAME/settings/keys/new`.
* Check the box :code:`Allow write Access`.
For GitHub and GitLab repositories, please make sure your URL follows this structure: :code:`ssh://github.com/user_name/repo_name.git`.
Make sure the fields are populated as stated above and that the Enable box is checked, then click on :code:`Setup / Test Git` and you should see a message come back at the top of the page indicating that the first backup was successful.
--------------------------
Conflict resolution
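Review bot: the URL rule in the first bullet is stated for "GitHub and GitLab" but only shows a github.com host (`ssh://github.com/user_name/repo_name.git`); a GitLab user needs `gitlab.com` (or their self-hosted host) in that position, so give both forms or say that only the host part changes. The second occurrence of the same sentence near the end of the hunk duplicates the first and can be dropped. The "Allow write Access" bullet is orphaned after the deploy-key paragraph; fold it into that paragraph. Since the instructions require a private key without a passphrase, the deploy-key advice is what limits the damage if the firewall's configuration backup is exposed, so state plainly that the key must be a deploy key on this one repository, used nowhere else.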

@ -66,9 +66,29 @@ and navigate directly to the right page.
.. image:: images/quick-navigation.png
System Status
-------------
In the upper right corner of the screen is also a small indication of the system status.
In a normal situation this will be greyed out, but it will display a color if something is
wrong. You can click on it to review any of the pending messages, if any:
.. image:: images/gui_system_status.png
The colors indicate the severity of the issue. They are:
* Red. Indicates that an error has occured during system operation. Click it to go to the
relevant page. In most cases this will be the crash reporter, which you can use
to send us information about the crash.
.. image:: images/gui_system_status_error.png
* Yellow. Indicates a warning.
* Blue. Indicates an informational message.
* Grey. Everything is working as normal.
User & Local domain
-------------------
In the right corner just to the left of the quick navigation you will see your
In the right corner just to the left of the system status you will see your
username and the full domain name the firewall is configured with
(to change firewall name, go to :menuselection:`System --> Setting --> General`).
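Review bot: typo in the new Red bullet: "occured" should be "occurred". The menu path in the last line reads `System --> Setting --> General`; the menu is "Settings". The rendered view shows both the old "just to the left of the quick navigation" line and the new "just to the left of the system status" line; confirm only the latter remains, since the status indicator is now the element to the right of the username.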

@ -116,6 +116,14 @@ First you need to set up a project in the Google developer console.
- You will be prompted to download the key. Do so, and then click **CLOSE** in the popup screen.
- Now **click** on the newly created Service Account:
.. image:: ./images/google_service_account.png
- Write down the **Unique ID** of the Service Account. This ID will be your **Client-ID** in the OPNSense Google Drive backup:
.. image:: ./images/google_service_account_details.png
2. Set up a Google Drive folder
===============================
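Review bot: the new step tells the reader to write down the Unique ID as the "Client-ID", while the form table later in this file labels the same value "Email Address"; use one name for the value in both places so readers do not look for an email-shaped string. Also "OPNSense" here versus "OPNsense" elsewhere in the commit.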
@ -154,7 +162,7 @@ Now put it all together in OPNsense.
=============================== ===================================================================================
Enable checked
Email Address enter the email address of the service account you created
Email Address enter the Unique ID number of the service account you created
P12 key click the **Choose file** button and select the P12 key you saved earlier to upload it
Folder ID paste the Google Drive folder ID that you copied earlier
Prefix hostname to backupfile checked or unchecked as desired (useful if you have multiple OPNsenses)
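Review bot: the row label stays "Email Address" while the value is now "the Unique ID number of the service account"; if the GUI field is still labelled Email Address, say so explicitly (for example "in the field labelled Email Address, paste the Unique ID"), otherwise update the label as well. "multiple OPNsenses" reads better as "multiple OPNsense instances".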

@ -1,6 +1,6 @@
==========================
IPsec: Setup Remote Access
==========================
=================================================
Road Warriors - Setup Remote Access
=================================================
.. contents:: Index
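Review bot: the other retitled IPsec pages in this commit use an "IPsec - ..." prefix (for example "IPsec - Site to Site tunnel"); "Road Warriors - Setup Remote Access" drops the protocol name, which makes the page harder to tell apart from the WireGuard road-warrior setup in the index. Consider keeping "IPsec" in the title.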
@ -131,11 +131,8 @@ List of examples
:maxdepth: 2
:titlesonly:
ipsec-rw-android
ipsec-rw-linux
ipsec-rw-srv-eapradius
ipsec-rw-srv-eaptls
ipsec-rw-srv-ikev1xauth
ipsec-rw-srv-mschapv2
ipsec-rw-srv-rsamschapv2
ipsec-rw-w7
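Review bot: the hunk header shrinks this toctree from 11 to 8 lines, so three example entries were removed; make sure the corresponding .rst files are deleted or listed in another toctree, otherwise Sphinx warns that they are not included in any toctree and the pages remain reachable by URL while being orphaned from navigation.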

@ -1,5 +1,5 @@
=================================
IPSec BINAT (NAT before IPSec)
IPSec - BINAT (NAT before IPSec)
=================================
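Review bot: "IPSec" in the new title is the only mixed-case spelling left; the other new titles in this commit use "IPsec". With a separate "IPsec - NAT before IPsec" page added in the same commit, consider cross-referencing it from here or merging the two.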

@ -0,0 +1,107 @@
========================================
IPsec - NAT before IPsec
========================================
.. contents:: Index
--------------------------------
Network topology
--------------------------------
The schema below describes the situation we are implementing.
Two networks (A,B) to peer both firewalls, where the Ipsec policy includes :code:`10.1.0.0/24 <-> 192.168.1.0/24`,
but locally side A uses :code:`10.99.0.0/24`.
How to setup the tunnel itself is explained in the :doc:`ipsec-s2s-conn` document.
.. nwdiag::
:scale: 100%
nwdiag {
span_width = 90;
node_width = 180;
network A {
address = "[real] 10.99.0.0/24\n[policy] 10.1.0.0/24";
pclana [label="PC Site A\n10.99.0.20",shape="cisco.pc"];
fwa [shape = "cisco.firewall", address="10.99.0.1/24"];
}
network Ext {
address = "10.10.1.0/24";
label = "Ext";
fwa [shape = "cisco.firewall", address="10.10.1.1/24"];
fwb [shape = "cisco.firewall", address="10.10.1.2/24"];
}
network B {
address = "192.168.1.0/24"
fwb [shape = "cisco.firewall", address="192.168.1.20"];
pclanb [label="PC Site B\n192.168.1.20",shape="cisco.pc"];
}
}
--------------------------------
Preparations
--------------------------------
Make sure the tunnel is up and running before trying out the NAT part, then edit the child entry and input a :code:`Reqid`
there which isn't used in any of the other tunnels. For this example we choose :code:`100` here.
.. Note::
It's imperative to choose a static number here in order to be able to bind policies to the current tunnel.
--------------------------------
Add manual security policies
--------------------------------
In order for IPsec to trust the local network (:code:`10.99.0.0/24`) a manual policy needs to be added, go to
the "Manual" tab in :menuselection:`VPN->IPsec->Security Policy Database`. Next add a new entry containing the following items:
===========================================
======================= ===================
Property site A
======================= ===================
Reqid **100**
Source network **10.0.99.0/24**
======================= ===================
.. Tip::
When the "Destination network" is left empty, the other end (in this case 192.168.1.0/24) will be received from the tunnel.
In case multiple networks exist in the same child policy it's better to define which one this entry belongs too.
.. Tip::
After changing manual security policies, make sure the tunnel is reconnected (restart or disconnect and connect)
as the registration is being arranged using an `updown event <https://docs.strongswan.org/docs/5.9/plugins/updown.html>`__
--------------------------------
Configure NAT
--------------------------------
To map the networks, we will use a one to one rule created from the :menuselection:`Firewall->NAT->One-to-One` menu option.
The following settings apply here:
=================================================================================
======================= =================== =====================================
Property site A Notes
======================= =================== =====================================
Interface **IPsec**
Type **BINAT** Two way mapping
External network **10.1.0.0** As defined in the child connection
Source **10.99.0.0/24** The local network
Destination **192.168.1.0/24** The remote network
======================= =================== =====================================
.. Note::
When using BINAT all networks need to be equally sized (:code:`/24` in this case)
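Review bot: the Source network in the manual security policy table is **10.0.99.0/24**, but the local network everywhere else on this page (topology text, diagram, NAT rule) is 10.99.0.0/24; as written the manual policy would not cover the real local subnet and the BINAT mapping would never match. Other points: the diagram gives fwb the address 192.168.1.20, the same as PC Site B, so the firewall should probably be 192.168.1.1; `address = "192.168.1.0/24"` lacks the trailing semicolon used on the other nwdiag lines; the lone line of `=` above the first table is not part of the table and may render as a stray transition; "Ipsec" should be "IPsec" and "belongs too" should be "belongs to".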

@ -0,0 +1,220 @@
====================================
IPsec - Route based (VTI) PSK setup
====================================
This example utilises the new options available in OPNsense 23.1 to setup a site to site tunnel in routed mode
between two OPNsense machines using a pre shared key.
.. contents:: Index
--------------------------------
Network topology
--------------------------------
The schema below describes the situation we are implementing. Two networks (A,B) and a transit network (10.10.1.0/24)
to peer both firewalls. We will create a tunnel network using :code:`192.168.123.1` [A] and :code:`192.168.123.2` [B].
.. nwdiag::
:scale: 100%
nwdiag {
span_width = 90;
node_width = 180;
network A {
address = "10.2.0.0/24";
pclana [label="PC Site A\n10.2.0.20",shape="cisco.pc"];
fwa [shape = "cisco.firewall", address="10.2.0.1/24"];
}
network Ext {
address = "10.10.1.0/24";
label = "Ext-VTI\n192.168.123.1 <--> 192.168.123.2";
fwa [shape = "cisco.firewall", address="10.10.1.1/24"];
fwb [shape = "cisco.firewall", address="10.10.1.2/24"];
}
network B {
address = "192.168.2.0/24"
fwb [shape = "cisco.firewall", address="192.168.2.20"];
pclanb [label="PC Site B\n192.168.2.20",shape="cisco.pc"];
}
}
--------------------------------
Preparations
--------------------------------
.....................
Interface
.....................
In order to define our IPsec tunnel we do need to define a virtual tunnel interface (:menuselection:`VPN->IPsec->Virtual Tunnel Interfaces`) first.
The purpose of this device is to attach a tunnel to a security policy defined by its request id (:code:`reqid`).
On both sites A and B we will add VTIs using the following parameters:
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Reqid 10 10
Local address **10.10.1.1** **10.10.1.2**
Remote address **10.10.1.2** **10.10.1.1**
Tunnel local address **192.168.123.1** **192.168.123.2**
Tunnel remote address **192.168.123.2** **192.168.123.1**
======================= =================== ===================
.. Note::
Reqid should be a unique number within all configured :code:`if_ipsec(4)` tunnels. The number 10 is arbitrary
.....................
Gateways
.....................
Next step on both ends is to define a gateway (:menuselection:`System->Gateways->Single`) which reaches the other end of this channel, the
interface should be automatically created and is called :code:`ipsec10` in this example.
Both ends will need a gateway pointing at each other :
Site A will need the following gateway:
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Name IPSEC10_GW IPSEC10_GW
Interface IPSEC10 IPSEC10
Address Family IPv4 IPv4
IP address **192.168.123.2** **192.168.123.1**
======================= =================== ===================
.....................
Routes
.....................
We may already prepare the routes as the interfaces and gateways are available in :menuselection:`System->Routes->Configuration`.
On Site A we need to define a path to Site B and the other way around:
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Network Address **10.0.2.0/24** **192.168.2.0/24**
Gateway IPSEC10_GW IPSEC10_GW
======================= =================== ===================
.....................
Enable IPsec
.....................
Before configuring the connections, we enable the IPsec module. Just mark the "enable" checkbox on the connections tab.
--------------------------------
Setting up the IPsec connection
--------------------------------
In order to setup a simple (and common) IPsec connection, we go to :menuselection:`VPN->IPsec->Connections` and add
a new entry.
.....................
General settings
.....................
Side by side the following general settings need to be set in this case, which configures the first part of the security association between
both sites:
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Local addresses **10.10.1.1** **10.10.1.2**
Remote addresses **10.10.1.2** **10.10.1.1**
======================= =================== ===================
Press <save> to go to the next step.
.....................
Authentication
.....................
Next we will need to add local authentication (add a new record in the local grid):
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Authentication Pre-Shared Key Pre-Shared Key
Id **hostA** **hostB**
======================= =================== ===================
Then we need to set Pre-Shared Key for remote authentication as well:
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Authentication Pre-Shared Key Pre-Shared Key
Id **hostB** **hostA**
======================= =================== ===================
.. Note::
Secrets for both ends need to be added to ":menuselection:`VPN->IPsec->Pre-Shared Keys`", site A needs a secret
set for local identifier :code:`hostB`. Optionally one may also set a second (remote) identifier in which case the secret
belongs to these two identifiers.
.....................
Children
.....................
Finally we may add a child which will add security policies. Since our VTI tunnel matches on all traffic, both Site A and B
use the same configuration which looks like this:
===============================================================
====================== ========================================
Mode Tunnel
Policies **[uncheck]**
Local 0.0.0.0/0
Remote 0.0.0.0/0
====================== ========================================
.. Warning::
Make sure no policies are installed, when missing a passthrough and having policies installed one would not be able
to access the firewall anymore as traffic will be trapped inside the tunnel.
.....................
Save and apply
.....................
Finally save the settings and hit apply on the connections page to establish the tunnel.
--------------------------------
Validate
--------------------------------
Now can check if the tunnel is active on both side using the status overview in :menuselection:`VPN->IPsec->Status Overview`
--------------------------------
Install firewall policies
--------------------------------
With the tunnel active, all that remains is to accept traffic on this tunnel using the :menuselection:`Firewall->Rules->IPsec`
menu option.
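Review bot: the Routes table has the networks crossed and mistyped: site A needs a route to site B's LAN 192.168.2.0/24 via IPSEC10_GW, and site B needs a route to 10.2.0.0/24, whereas the table gives site A **10.0.2.0/24** (not a network in this topology) and site B 192.168.2.0/24 (its own LAN). The Pre-Shared Keys note says site A needs a secret for "local identifier hostB", but the Authentication tables give site A the local Id hostA and the remote Id hostB; state which identifier the secret is keyed on. Smaller points: "Site A will need the following gateway" introduces a table that covers both sites; the diagram gives fwb 192.168.2.20, the same address as PC Site B; "Now can check if the tunnel is active on both side" should read "Now you can check ... on both sides". The Warning about installing no policies is the essential safety point of a VTI setup and should stay.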

@ -0,0 +1,159 @@
========================================
IPsec - Policy based public key setup
========================================
This example utilises the new options available in OPNsense 23.1 to setup a site to site tunnel in policy mode
between two OPNsense machines using key pairs.
.. contents:: Index
--------------------------------
Network topology
--------------------------------
The schema below describes the situation we are implementing. Two networks (A,B) and a transit network (10.10.1.0/24)
to peer both firewalls.
.. nwdiag::
:scale: 100%
nwdiag {
span_width = 90;
node_width = 180;
network A {
address = "10.1.0.0/24";
pclana [label="PC Site A\n10.1.0.20",shape="cisco.pc"];
fwa [shape = "cisco.firewall", address="10.1.0.1/24"];
}
network Ext {
address = "10.10.1.0/24";
label = "Ext";
fwa [shape = "cisco.firewall", address="10.10.1.1/24"];
fwb [shape = "cisco.firewall", address="10.10.1.2/24"];
}
network B {
address = "192.168.1.0/24"
fwb [shape = "cisco.firewall", address="192.168.1.20"];
pclanb [label="PC Site B\n192.168.1.20",shape="cisco.pc"];
}
}
--------------------------------
Preparations
--------------------------------
Since our policy based setup doesn't require interfaces, gateways and routes, we only need to make sure the IPsec
module is enabled on the Connections tab and Key pairs are registered for both hosts.
..................................
Key pairs
..................................
Go to the :menuselection:`VPN->IPsec->Key Pairs` option in the menu and create a new key on both hosts, then copy the public part
from Site A to Site B and vise versa. Keys may easily be generated with the gear button in the Key type field.
--------------------------------
Setting up the IPsec connection
--------------------------------
In order to setup a simple (and common) IPsec connection, we go to :menuselection:`VPN->IPsec->Connections` and add
a new entry.
.....................
General settings
.....................
Side by side the following general settings need to be set in this case, which configures the first part of the security association between
both sites:
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Local addresses **10.10.1.1** **10.10.1.2**
Remote addresses **10.10.1.2** **10.10.1.1**
======================= =================== ===================
Press <save> to go to the next step.
.. Note::
One may omit the local address if any address may be used to initiate the connection from, other valid options
are also mentioned in the help text of the attribute.
.....................
Authentication
.....................
Next we will need to add local authentication (add a new record in the local grid):
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Authentication Public Key Public Key
Id **hostA** **hostB**
Public Keys **hostA-key** **hostB-key**
======================= =================== ===================
Then we need to set Pre-Shared Key for remote authentication as well:
===============================================================
======================= =================== ===================
Property site A site B
======================= =================== ===================
Authentication Public Key Public Key
Id **hostB** **hostA**
Public Keys **hostB-key** **hostA-key**
======================= =================== ===================
.. Note::
On host A the private key for Host A should be known and only the public key of Host B, Host B is exactly the oposite.
.....................
Children
.....................
Finally we may add a child which will add security policies and kernel routes.
======================= =================== ===================
Property site A site B
======================= =================== ===================
Mode Tunnel Tunnel
Policies [checked] [checked]
Local **192.168.1.0/24** **10.0.1.0/24**
Remote **10.0.1.0/24** **192.168.1.0/24**
======================= =================== ===================
.....................
Save and apply
.....................
Finally save the settings and hit apply on the connections page to establish the tunnel.
--------------------------------
Validate
--------------------------------
Now can check if the tunnel is active on both side using the status overview in :menuselection:`VPN->IPsec->Status Overview`
--------------------------------
Install firewall policies
--------------------------------
With the tunnel active, all that remains is to accept traffic on this tunnel using the :menuselection:`Firewall->Rules->IPsec`
menu option.
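Review bot: the Children table has Local and Remote swapped relative to the topology: site A's LAN is 10.1.0.0/24 and site B's is 192.168.1.0/24 per the diagram, but the table gives site A Local **192.168.1.0/24** and Remote **10.0.1.0/24** (itself a typo for 10.1.0.0/24); as written the installed policies would not match the traffic. The sentence "Then we need to set Pre-Shared Key for remote authentication as well" is a leftover from the PSK page; this page uses Public Key. The Note that each host holds only its own private key plus the peer's public key is the right guidance and worth keeping. Spelling: "oposite" should be "opposite", "vise versa" should be "vice versa", and "Now can check ... on both side" should read "Now you can check ... on both sides".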

@ -1,6 +1,6 @@
===============================
Microsoft Azure Route-based VPN
===============================
================================================
IPsec VTI - connect to Microsoft Azure
================================================
Microsoft Azure offers three VPN types:

@ -1,6 +1,6 @@
===========================
Setup a routed IPSec Tunnel
===========================
=================================
IPsec VTI - Route based setup
=================================
Most Site-to-Site VPNs are policy-based, which means you define a local and a remote
network (or group of networks). Only traffic matching the defined policy is pushed into the

@ -1,5 +1,5 @@
================================
Setup IPsec site to site tunnel
IPsec - Site to Site tunnel
================================
Site to site VPNs connect two locations with static public IP addresses and allow

@ -48,3 +48,6 @@ At the bottom in section **Track IPv6 Interface** choose **IPv6 Interface** as W
Hit Apply and disable/enable the NICs of your internal systems. Depending on the system
and vendor, also a reboot could be required.
If you experience problems with the 24h disconnect disrupting connectivity, it may help to set **Prevent Release**
in section :menuselection:`Interfaces --> Settings`.

@ -108,7 +108,7 @@ Have a look at the form, create an intermediate CA and save it.
The Certificate
---------------
The thirth certificate will be a **server certificate** signed by the intermediate CA we just created.
The third certificate will be a **server certificate** signed by the intermediate CA we just created.
This will also be the last one we create for this chain.
Go to **Trust/Certificates**

@ -38,7 +38,7 @@ Step 2 - Configure the local peer (server)
.. Note::
The tunnel address must be in CIDR notation and must be a unique IP and subnet for your network. The subnet should be an appropriate size that includes all the client peers that will use the tunnel. For IPv4 it should be a private (RFC1918) address, for example 10.10.10.1/24. For IPv6, it could either be a unique ULA /64 address, or a unique GUA /64 address derived from your prefix delegation. **Do not use a tunnel address that is a /32 (IPv4) or a /128 (IPv6)**
The tunnel address must be in CIDR notation and must be a unique IP and subnet for your network, such as if it was on a physically different routed interface. The subnet should be an appropriate size that includes all the client peers that will use the tunnel. For IPv4 it should be a private (RFC1918) address, for example 10.10.10.1/24. For IPv6, it could either be a unique ULA /64 address, or a unique GUA /64 address derived from your prefix delegation. **Do not use a tunnel address that is a /32 (IPv4) or a /128 (IPv6)**
.. Note::
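Review bot: the added clause "such as if it was on a physically different routed interface" reads better as "as if it were on a separate, physically routed interface"; the rest of the note, including the warning against a /32 or /128 tunnel address, is fine as is.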
@ -102,7 +102,7 @@ Step 5(a) - Assign an interface to WireGuard (recommended)
Finally, it allows separation of the firewall rules of each WireGuard instance (each :code:`wgX` device). Otherwise they all need to be configured on the default WireGuard group that OPNsense creates. This is more an organisational aesthetic, rather than an issue of substance
- Go to :menuselection:`Interfaces --> Assignments`
- In the dropdown next to “New interface:”, select the WireGuard device (:code:`wg0` if this is your first one)
- In the dropdown next to “New interface:”, select the WireGuard device (:code:`wg1` if this is your first one)
- Add a description (eg :code:`HomeWireGuard`)
- Click **+** to add it, then click **Save**
- Then select your new interface under the Interfaces menu
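Review bot: changing the example device from wg0 to wg1 "if this is your first one" implies the instance numbering starts at 1; if that is the current behaviour, the other references to the device name on this page (the :code:`wgX` text above and any later step that still mentions wg0) should be updated in the same commit so the page stays consistent. Both the old and new line are visible here; confirm only the wg1 line remains.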
@ -129,7 +129,7 @@ Step 5(a) - Assign an interface to WireGuard (recommended)
.. Tip::
If Unbound DNS is configured with all interfaces registered it requires a reload of Unbound DNS to get the new Wireguard interface added. This is necessary get DNS working trough the VPN tunnel.
If Unbound DNS is configured with all interfaces registered it requires a reload of Unbound DNS to get the new Wireguard interface added. This is necessary to get DNS working through the VPN tunnel.
Step 5(b) - Create an outbound NAT rule
---------------------------------------

@ -2,37 +2,44 @@
Initial Installation & Configuration
=====================================
.. rubric:: Software setup
:name: firstHeading
:class: firstHeading page-header
.. Note::
Just looking on how to invoke the installer? When the live environment has been
started just login with user **installer** and password **opnsense**.
.. contents:: Index
------------
Architecture
------------
The **software setup** and installation of OPNsense® is available
for the `x86-64 <https://en.wikipedia.org/wiki/X86-64>`__ bit microprocessor
for the `x86-64 <https://en.wikipedia.org/wiki/X86-64>`__ microprocessor
architecture only.
----------------
Embedded vs Full
----------------
Full installs can run on `SD memory
cards <https://en.wikipedia.org/wiki/Secure_Digital>`__, `solid-state
disks (SSD) <https://en.wikipedia.org/wiki/Solid-state_drive>`__ or
`hard disk drives
OPNsense offers two Image types with all major releases: embedded and full images.
The Embedded Image is intended for environments where preinstalling
the storage media is required due to a lack of local resources on the firewall
like storage, and/or console access (VGA/Serial). The image is tailored to reduce
write cycles as well, but the image can be used anywhere. Another reason for the
Embedded Image is to eliminate the need for local console access for installing OPNsense.
Installation is managed by prewriting the image to a storage device, installing the
storage device, and booting the system.
Full Images provide installation tools like OPNsense Importer, Live Environment,
and Installer. Full Images are released to support different console/hardware installation
requirements.
Both image types can be installed and run from virtual disks (VM), `SD memory
cards <https://en.wikipedia.org/wiki/Secure_Digital>`__,
USB disks, `solid-state
disks (SSD) <https://en.wikipedia.org/wiki/Solid-state_drive>`__, or `hard disk drives
(HDD) <https://en.wikipedia.org/wiki/Hard_disk_drive>`__.
Since version 15.1.10 (04 May 2015) the option to install an
`embedded <https://en.wikipedia.org/wiki/Embedded_operating_system>`__
OPNsense image is also supported.
The main differences between an embedded image and a full image are:
The main differences between embedded and full images are:
+-----------------------+-----------------------+
| Embedded | Full |
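Review bot: the rendered view shows both the old "x86-64 bit microprocessor" line and the corrected one; confirm only the latter remains. "two Image types", "Embedded Image" and "Full Images" should be lowercase unless these are product terms. The old "Since version 15.1.10 ... embedded ... is also supported" paragraph and the new "Both image types can be installed and run from ..." paragraph overlap; if the former is kept it duplicates what the new text already says.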
@ -50,117 +57,55 @@ The main differences between an embedded image and a full image are:
+-----------------------+-----------------------+
Embedded images (nano) store logging and cache data in memory only, while full versions
Embedded image store logging and cache data in memory only, while full versions
will keep the data stored on the local drive. A full version can mimic the
behavior of an embedded version by enabling RAM disks, this is especially
useful for SD memory card installations.
.. Warning::
See the chapter :doc:`Hardware Setup <hardware>` for
further information on hardware requirements prior to an install.
-------------------------
Download and verification
-------------------------
The OPNsense distribution can be `downloaded <https://opnsense.org/download>`__
from one of our `mirrors <https://opnsense.org/download>`__.
The OpenSSL tool is used for file verification.
4 files are needed for verification:
* The bzip compressed ISO file (<filename>.iso.bz2)
* The SHA-256 checksum file (<filename>.sha256)
* The signature file (<filename>.sig)
* The openssl public key (<filename>.pub)
These files can be downloaded from one of the download mirrors. To download them:
1. Go to the OPNSense `download <https://opnsense.org/download>`__ page.
2. After selecting a mirror, right click the download button and click "open in new tab".
3. A popup will appear asking if you want to download the image. Say "no" for now.
4. Remove the file name after the last slash in the URL bar, and press enter. This will take you to the directory listing for that mirror.
I.e. If you wanted to download from the US East Coast mirror:
Opening the link in a new tab would take you to this link:
See the chapter :doc:`Hardware Sizing & Setup <hardware>` for further information
on hardware requirements prior to an install.
-------------------------------
Installation Images
-------------------------------
Depending on your hardware and use case, different installation options are available:
+--------+---------------------------------------------------+------------+
| Type | Description | Image Type |
+========+===================================================+============+
| dvd | ISO image boots into a live environment in | Full |
| | VGA-only mode with UEFI support | |
+--------+---------------------------------------------------+------------+
| vga | USB image boots into a live environment | Full |
| | in VGA-only mode with UEFI support | |
+--------+---------------------------------------------------+------------+
| serial | USB image boots into live environment running in | Full |
| | serial console (115200) mode only with | |
| | UEFI support | |
+--------+---------------------------------------------------+------------+
| nano | Image for preinstalling onto >=4 GB USB drives, | Embedded |
| | SD, or CF cards for use with embedded devices | |
| | running in serial console (115200) mode with | |
| | secondary VGA support (no kernel messages though) | |
+--------+---------------------------------------------------+------------+
``mirror.wdc1.us.leaseweb.net/opnsense/releases/22.7/OPNsense-22.7-OpenSSL-dvd-amd64.iso.bz2``
You should take off the file name at the end, like this:
``mirror.wdc1.us.leaseweb.net/opnsense/releases/22.1/``
The OpenSSL public key is required to verify against. This file is also on
the mirror directory listing page, however you should not trust the copy
there. Download it, open it up, and verify that the public key matches the
one from other sources. If it does not, the mirror may have been hacked,
or you may be the victim of a man-in-the-middle attack. Some other sources
to get the public key from include:
* https://pkg.opnsense.org/releases/mirror/README
* https://forum.opnsense.org/index.php?board=11.0
* https://opnsense.org/blog/
* https://github.com/opnsense/changelog/tree/master/community
* https://pkg.opnsense.org (/<FreeBSD version & architecture>/<release version>/sets/changelog.txz) (lands signed and verified in the GUI of the running software)
Note that only release announcements with images (typically all major
releases) contain the public key. I.e. 22.1 would have a copy of the public
key in the release announcement, but 22.1.9 would not.
Once you have downloaded all the required files and a copy of the public key,
and verified that the public key matches the public key from the alternate
sources listed above, you can be relatively certain that the key has not
been tampered with. To verify the downloaded image, run the following
commands (substituting the names in brackets for the files you downloaded):
``openssl base64 -d -in <filename>.sig -out /tmp/image.sig``
``openssl dgst -sha256 -verify <key>.pub -signature /tmp/image.sig <image>.img.bz2``
Make sure to change the "img" to "iso" in the second line if you downloaded
a different installer type.
If the output of the second command is "Verified OK", your image was verified
successfully, and you can install it. If it has any other output, you may have
made an error using the commands, or the image may have been compromised.
------------------
Installation Media
------------------
Depending on you hardware and use case different installation media are provided:
+--------+---------------------------------------------------+
|Type | Description |
+========+===================================================+
| dvd | ISO installer image with live system capabilities |
| | running in VGA-only mode with UEFI support |
+--------+---------------------------------------------------+
| vga | USB installer image with live system capabilities |
| | running in VGA-only mode with UEFI support |
+--------+---------------------------------------------------+
| serial | USB installer image with live system capabilities |
| | running in serial console (115200) mode only |
| | with UEFI support |
+--------+---------------------------------------------------+
| nano | A preinstalled image for >=4 GB USB sticks, |
| | SD or CF cards for use with embedded devices |
| | running in serial console (115200) mode with |
| | secondary VGA support (no kernel messages though) |
+--------+---------------------------------------------------+
.. Note::
All Full Image types can run both `OPNsense Importer <https://docs.opnsense.org/manual/install.html#opnsense-importer>`__
before booting into the Live environment and also run
`Installer <https://docs.opnsense.org/manual/install.html#install-to-target-system>`__ once booted into the Live environment.
.. Warning::
Flash memory cards will only tolerate a limited number of writes and re-writes. For
Nano image memory disks for **/var/log** and **/tmp** are applied by
default to prolong CF (flash) card lifetimes.
Flash memory cards will only tolerate a limited number of writes
and re-writes. For embedded (nano) versions memory disks for /var and /tmp are
applied by default to prolong CF (flash) card lifetimes.
To enable for non embedded versions: Go to :menuselection:`System --> Settings --> Miscellaneous --> Disk / Memory Settings`,
change the setting, then reboot. Consider to enable an external syslog server as well.
To enable non-embedded versions: Go to :menuselection:`System --> Settings --> Miscellaneous --> Disk / Memory Settings`,
change the setting, then reboot. Consider enabling an external syslog server as well.
------------------------------
Media Filename Composition
Image Filename Composition
------------------------------
.. blockdiag::
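Review bot: the two versions of the Warning under Installation Media disagree on which paths are put on memory disks for the Nano image, one says **/var/log** and **/tmp**, the other /var and /tmp; only one can match what the image actually mounts, so keep the correct pair and drop the other rather than shipping both paragraphs. In the same block, "To enable non-embedded versions: Go to ..." reads as if the versions themselves are being enabled; suggest "To enable this for non-embedded versions: Go to ...". Also "Depending on you hardware" → "Depending on your hardware", and "For Nano image memory disks for ... are applied" → "For the Nano image, memory disks for ... are applied".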
@ -209,77 +154,111 @@ Media Filename Composition
}
.. Note::
**Please** be aware that the latest installation media does not always correspond
with the latest released version available. OPNsense installation images are provided
on a scheduled basis with major release versions in January and July. More information
on our release schedule is available from our package repository, see
`README <https://pkg.opnsense.org/releases/mirror/README>`__. We are encouraged to update
OPNsense after installation to be on the latest release available, see
`Update Page <https://docs.opnsense.org/manual/updates.html>`__.
**Please** be aware that the latest installation media does not always
correspond with the latest released version. OPNsense installation images are
provided on a regular basis together with major versions in January and July.
More information on our release schedule is available from our package
repository, see `README <https://pkg.opnsense.org/releases/mirror/README>`__
-------------------------
Download and Verification
-------------------------
--------------------
OpenSSL and LibreSSL
--------------------
The OPNsense distribution can be `downloaded <https://opnsense.org/download>`__
from one of our `mirrors <https://opnsense.org/download>`__.
OPNsense images are provided based upon `OpenSSL <https://www.openssl.org>`__.
The `LibreSSL <http://www.libressl.org>`__ flavor can be selected from within
the GUI (:menuselection:`System --> Firmware --> Settings`). In order to apply your choice an update
must be performed after save, which can include a reboot of the system.
OpenSSL is used for image file verification. 4 files are needed for verification process:
.. image:: ./images/firmware_flavour.png
* The SHA-256 checksum file (<filename>.sha256)
* The bzip compressed Image file (<filename>.<image>.bz2)
* The signature file (<filename>.<image>.bz2.sig)
* The openssl public key (<filename>.pub)
Use one of the OPNsense mirrors to download these files:
-------------------------
Boot preparation
-------------------------
After preparing the installation media, we need to make sure we can access the console
(either via keyboard and [virtual]monitor or :doc:`serial connectivity<how-tos/serial_access>`) and know how to
access the boot selection via the system bios. Often there's a (function) key one should press during initial boot.
1. Go to the bottom of OPNSense `download <https://opnsense.org/download>`__ page.
2. Click one of the available mirrors closest to your location.
3. Download one of each file mentioned above for your Image type.
.. Tip::
The OpenSSL public key (.pub) is required to verify against. Although the file is
available on the mirror's repository, you should not trust the copy there. Download
it, open it up, and verify the public key matches the one from other sources. If it
does not, the mirror may have been hacked, or you may be the victim of a man-in-the-middle
attack. Some other sources to get the public key from include:
OPNsense devices from the `OPNsense shop <https://shop.opnsense.com/>`__ use :code:`<ESC>` to enter the bios and boot selection
options.
* https://pkg.opnsense.org/releases/mirror/README
* https://forum.opnsense.org/index.php?board=11.0
* https://opnsense.org/blog/
* https://github.com/opnsense/changelog/tree/master/community
* https://pkg.opnsense.org (/<FreeBSD:<version>:<architecture>/<release version>/sets/changelog.txz)
.. Note::
Only major release announcements for images contain the public key, and update
release announcements will not. i.e. 22.1 will have a copy of the public key in the release
announcement, but 22.1.9 will not.
Once you download all the required files and verify that the public key matches
the public key found in one of the alternate sources listed above, you can be relatively
confident that the key has not been tampered with. To verify the downloaded image, run
the following commands (substituting the filenames in brackets for the files you downloaded):
::
openssl sha256 OPNsense-<filename>.bz2
Match the checksum command output with the checksum values in the file ``OPNsense-<version>-OpenSSL-checksums-amd64.sha256``.
If the checksums don't match, redownload your image file.
If checksums match continue with the verification commands.
::
openssl base64 -d -in OPNsense-<filename>.sig -out /tmp/image.sig
openssl dgst -sha256 -verify OPNsense-<filename>.pub -signature /tmp/image.sig OPNsense-<filename>.bz2
If the output of the second command is “**Verified OK**”, your image file was verified
successfully, and its safe to install from it. Any other outputs, and you may need
to check your commands for errors, or the image file may have been compromised.
Serial connectivity settings for DECXXXX devices can be found :doc:`here </hardware/serial_connectivity>`
-------------------
Installation Method
Installation Media
-------------------
Download the installation image from one of the mirrors listed on the `OPNsense
<https://opnsense.org/download/>`__ website.
Now that you have downloaded and verified the installation image from above. You must unpack the
image file before you can write the image to disk.
For Unix-like OSes use the following command:
The easiest method of installation is the USB-memstick installer. If
your target platform has a serial interface choose the "serial" image.
If you need to know more about using the serial interface,
consult the :doc:`serial access how-to<how-tos/serial_access>`.
::
Write the image to a USB flash drive (>=1 GB) or an IDE hard disk,
either with dd under FreeBSD or under Windows with physdiskwrite
bzip2 -d OPNsense-<filename>.bz2
Before writing an (iso) image you need to unpack it first (use bunzip2).
For Windows use an application like `7zip <https://www.7-zip.org/download.html>`_. The ``.bz2`` will
be removed from the end of the filename after command/applcation completes.
**FreeBSD**
::
After unpacking the image you can create the installation media. The easiest method to install
OPNsense is to use the USB "`vga <https://docs.opnsense.org/manual/install.html#installation-media>`_"
Image. If your target platform has a serial console interface choose the
`serial <https://docs.opnsense.org/manual/install.html#installation-media>`_” image. If you
need to know more about using the serial console interface, consult the :doc:`serial access how-to<how-tos/serial_access>`.
dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/daX bs=16k
Write the image to a USB flash drive (>=1 GB) or hard disk, using either dd for Unix-like
OSes and for Windows use physdiskwrite, `Etcher <https://www.balena.io/etcher#download-etcher>`_,
or `Rufus <https://rufus.ie/>`_.
Where X = the device number of your USB flash drive (check ``dmesg``)
**Linux**
**FreeBSD**
::
dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/sdX bs=16k
dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/daX bs=16k
where X = the IDE device name of your USB flash drive (check with hdparm -i /dev/sdX)
(ignore the warning about trailing garbage - it's because of the digital signature)
Where X = the device number of your USB flash drive (check ``dmesg``)
**OpenBSD**
::
dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/rsd6c bs=16k
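Review bot: the verification walkthrough uses three different placeholder schemes for the same files, which makes it easy to hand the wrong file to `-verify`: the bullet list introduces `<filename>.sha256` and `<filename>.pub`, the checksum step then refers to `OPNsense-<version>-OpenSSL-checksums-amd64.sha256`, and the dgst command uses `OPNsense-<filename>.pub`. Pick one scheme that distinguishes the image name, the checksum file and the key file, and use it in the bullet list and in both command blocks. Smaller points in the same hunk: the hint `(/<FreeBSD:<version>:<architecture>/<release version>/sets/changelog.txz)` has an unclosed `<` after the first slash; "OPNSense" → "OPNsense" in the download steps; "4 files are needed for verification process" → "Four files are needed for the verification process"; "its safe to install" → "it's safe to install"; "applcation" → "application"; and the serial image link is followed by a stray closing quote `”` with no opening one, while the vga link uses plain `"` on both sides, so the two should be quoted the same way.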
@ -288,113 +267,193 @@ The device must be the ENTIRE device (in Windows/DOS language: the 'C'
partition), and a raw I/O device (the 'r' in front of the device "sd6"),
not a block mode device.
**macOS**
**Linux**
::
sudo dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/sdX bs=16k
where X = the IDE device name of your USB flash drive (check with hdparm -i /dev/sdX)
(ignore the warning about trailing garbage - it's because of the digital signature)
**macOS**
::
sudo dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/rdiskX bs=64k
sudo dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/rdiskX bs=64k
where r = raw device, and where X = the disk device number of your CF
card (check Disk Utility) (ignore the warning about trailing garbage -
it's because of the digital signature)
**Windows**
::
physdiskwrite -u OPNsense-##.#.##-[Type]-[Architecture].img
physdiskwrite -u OPNsense-##.#.##-[Type]-[Architecture].img
(use v0.3 or later!)
-------------------------
System Boot Preparation
-------------------------
After preparing the installation media, we need to make sure we can access the console
(either via keyboard and [virtual]monitor or :doc:`serial connectivity<how-tos/serial_access>`). Next we need to know
how to access the boot menu or the system bios (UEFI) to boot from the installation media. Most times will be a function
(F#), Del, or ESC key that needs to pressed immediately after powering on (or rebooting) the system. Usually within the
first 2 to 3 seconds from powering up.
.. Tip::
OPNsense devices from the `OPNsense shop <https://shop.opnsense.com/>`__ use :code:`<ESC>` to enter the bios and boot selection
options.
.. Note::
Serial connectivity settings for DECXXXX devices can be found :doc:`here </hardware/serial_connectivity>`
-------------------------
Installation Instructions
-------------------------
.. rubric:: Install Instructions
:name: install-to-system
The boot process gives you the opportunity to run several optional configuration
steps. It has been designed to always boot into a live environment in order to
be able to access the GUI or even SSH directly. If a timeout was missed simply
restart the boot procedure.
OPNsense installation boot process allows us to run several optional configuration steps. The
boot process was designed to always boot into the live environment, allowing us to access the
GUI or even SSH directly. If a timeout was missed, restart the boot procedure.
OPNsense Importer
-----------------
All images feature the new "opnsense-importer" utility, which is now invoked
instead of the early installer. You can stop the automatic timeout by pressing
any key. Afterwards you will have the opportunity to select a disk to import
from. If the option times out or the importer is exited without a disk selection,
the factory defaults will be used for the boot.
All Full Images have the OPNsense Importer feature that offers flexibility in
recovering failed firewalls, testing new releases without overwriting the current
installation by running the new version in memory with the existing configuration
or migrating configurations to new hardware installations. Using Importer is slightly
different between previous installs with existing configurations on disk vs new
installations/migrations.
For systems that have OPNsense installed, and the configuration intact. Here is the process:
#. Boot the system with installation media
#. Press any key when you see **“Press any key to start the configuration importer”**.
#. If you see OPNsense logo you have past the Importer and will need to reboot.
The next prompt will be for manual interface selection.
This step is well-established since OPNsense 15.7 .
#. Type the device name of the existing drive that contains the configuration and press enter.
#. If Importer is successful, the boot process will continue into the Live environment using the stored configuration on disk.
#. If Importer was unsuccessful, we will returned to the device selection prompt. Confirm the
device name is correct and try again. Otherwise, there maybe possible disk corruption and
restoring from backup.
Live environment
At this point the system will boot up with a fully functional firewall in Live enironment using existing configuration
but will not overwrite the previous installation. Use this feature for safely previewing or testing upgrades.
For New installations/migrations follow this process:
#. We must have a 2nd USB drive formatted with FAT or FAT32 File system.
#. Preferable non-bootable USB drive.
#. Create a **conf** directory on the root of the USB drive
#. Place an *unencrypted* <downloaded backup>.xml into /conf and rename the file to **config.xml** (:code:`/conf/config.xml`)
#. Put both the Installation media and the 2nd USB drive into the system and power up / reboot.
#. Boot the system from the OPNsense Installation media via Boot Menu or BIOS (UEFI).
#. Press aany key when you see: **“Press any key to start the configuration importer”**
#. Type the device name of the 2nd USB Drive, e.g. `da0` or `nvd0` , and press Enter.
#. If Importer is successful, the boot process will continue into the Live environment using
the configuration stored on the USB drive.
#. If unsuccessful, importer will error and return us to the device selection prompt. Suggest
repeating steps 1-3 again.
Live Environment
----------------
The system will then continue into a live environment. If the config importer
was used previously on an existing installation, the system will boot up with a
fully functional setup, but will not overwrite the previous installation. Use
this feature for safely previewing upgrades.
If you have used a DVD, VGA, Serial image you are by default able to log into
the root shell using the user "root" with password "opnsense" to operate the
live environment.
The GUI will listen on https://192.168.1.1/ for user "root" with password
"opnsense" by default unless a previous configuration was imported. Using SSH,
the "root" and "installer" users are available as well on IP 192.168.1.1. Note
that these install medias are read-only, which means your current live
configuration will be lost after reboot.
Nano image
----------
If you have used a Nano image, your system is already up and running as it is
designed as such. It is set to read-write attempting to minimise write cycles by
mounting relevant partitions as memory file systems and reporting features
disabled by default.
..
Should we state the ability to manually identify network adapters before entering the live environment?
Create a bootable USB flash drive with the downloaded and unpacked image
file. Configure your system to boot from USB.
.. image:: ./images/opnsense_liveenv.png
Install to target system
------------------------
If you have used a DVD, VGA, Serial image you are by default able to start the
installer using the user "installer" with password "opnsense". On a previously
imported configuration the password will be the same as root's password.
After booting with an OPNsense Full Image (DVD, VGA, Serial), the firewall will
be in the Live environment with and without the use of OPNsense Importer. We
can interact with the Live environment via Local Console, GUI (HTTPS), or SSH.
Should the installer user not work for any reason, log in as user "root", select
option 8 from the menu and type "opnsense-installer". The "opnsense-importer" can
be run this way as well should you require to run the import again.
By default, we can log into the shell using the user :code:`root` with the password
:code:`opnsense` to operate the live environment via the local console.
The installer can always be run to clone an existing system, even for Nano
images. This can be useful for creating live backups for later recovery.
The GUI is accessible at `https://192.168.1.1/ <https://192.168.1.1/>`__ using Username:
:code:`root` Password: :code:`opnsense` by default (unless a previous configuration was imported).
Using SSH we can access the firewall at IP **192.168.1.1** . Both the **root** and **installer**
users are available with the password specified above.
.. Note::
That the installation media is read-only, which means your current live configuration will
be lost after reboot.
The installation process involves a few simple steps.
Continue to `OPNsense Installer`_ to install OPNsense to the local storage device.
OPNsense Installer
---------------------
.. Note::
To invoke the installer login with user **installer** and password
**opnsense**
After successfully booting up with the OPNsense Full Image (DVD, VGA, Serial),
the firewall will be at the Live Environment's login: prompt. To start the
installation process, login with the user ``installer`` and password ``opnsense``.
If Importer was used to import an existing configuration, the installer and root
user password would be the root password from the imported configuration.
If the installer user does not work, log in as user root and select: ``8) Shell``
from the menu and type ``opnsense-installer``. The ``opnsense-importer`` can also
be run this way should you require to rerun the import.
The installer can always be run to clone an existing system, even for Nano
images. This can be useful for creating live backups for later recovery.
.. Tip::
The installer can also be started from the network using ssh, default ip
address is 192.168.1.1
#. Keymap selection - The default configuration should be fine for most
occasions.
#. Install (UFS|ZFS) - Choose either a UFS or ZFS filesystem. ZFS is in most
cases the best option as it is the most reliable option, but does require
enough memory (a couple of gigabytes at least).
#. Partitioning (ZFS) - Choose a device type. When using a single disk the
default option (stripe) is usually fine.
#. Continue with recommended swap (UFS) - Yes is usually fine here unless
the install target is very small (< 16GB)
#. Root Password - Choose a new root password
#. Complete Install - Exits the installer and reboots the machine
#. Reboot - The system is now installed and needs to be rebooted to
continue with configuration.
The installer can also be started from an inside host using ssh. Default ip
address is ``192.168.1.1``
The installation process involves the following steps:
#. Keymap selection - The default configuration should be fine for most Occasions.
#. Install (UFS|ZFS) - Choose UFS or ZFS filesystem. ZFS is in most cases the best option
as it is the most reliable option, but it does require enough capacity (a couple of gigabytes at least).
#. Partitioning (ZFS) - Choose a device type. The default option (stripe) is usually acceptable
when using a single disk.
#. Disk Selection (ZFS) - Select the Storage device e.g. ``da0`` or ``nvd0``
#. Last Chance! - Select Yes to continue with partitioning and to format the disk. However, doing
so will **destroy** the contents of the disk.
#. Continue with recommended swap (UFS) - Yes is usually fine here unless the install target
is very small (< 16GB)
#. Select Root Password - Change and confirm the new root password
#. Select Complete Install - Exits the installer and reboots the machine. The system is now installed
and ready for initial configuration.
.. Warning::
You will lose all files on the installation disk. If another disk is to be
used then choose a Custom installation instead of the Quick/Easy Install.
Nano Image
----------
To use the nano image follow this process:
#. Create the system disk with using the nano image. See `Installation Media`_
how to write the nano image to disk.
#. Install the system disk drive into the system.
#. Configure the system (BIOS) to boot from this disk.
#. After the system boots, the firewall is ready to be configured.
Using the nano image for embedded systems, your firewall is already up and running. The configuration
settings to enable Memory Disks (RAM disks) that minimize write cycles to relevant partitions by
mounting these partitions in system memory and reporting features are disabled by default.
---------------------
Initial configuration
Initial Configuration
---------------------
After installation the system will prompt you for the interface
assignment, if you ignore this then default settings are applied.
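Review bot: the importer procedure that asks for an *unencrypted* backup renamed to /conf/config.xml on a FAT-formatted stick should also say what to do with that stick afterwards; config.xml carries the firewall's password hashes, keys and certificates, and the steps as written leave it on an unencrypted removable medium with no instruction to remove or wipe it once the import has succeeded. Two stale spots in the same hunk: the Warning under the installer steps says to "choose a Custom installation instead of the Quick/Easy Install", but the numbered steps above it no longer contain any Quick/Easy option (they go Partitioning, Disk Selection, Last Chance!), so the reader cannot find what the Warning refers to; and under the Linux and macOS `dd` commands, "ignore the warning about trailing garbage - it's because of the digital signature" describes the bunzip2 unpacking step, not dd, so it belongs next to `bzip2 -d`. Likewise "IDE device name of your USB flash drive (check with hdparm -i /dev/sdX)" does not fit a USB stick; `lsblk` or `dmesg` is the check to point at. Under Nano Image, "The configuration settings to enable Memory Disks ... and reporting features are disabled by default" reads as if memory disks are disabled, which contradicts the earlier Warning that they are applied by default on Nano; the old wording ("minimise write cycles by mounting relevant partitions as memory file systems, and reporting features disabled by default") kept the two apart. Typos: "you have past the Importer" → "passed", "we will returned" → "will be returned", "enironment", "aany key", "Preferable non-bootable" → "Preferably a non-bootable", "Occasions" → "occasions", and the Note "That the installation media is read-only" should start "Note that" or simply "The installation media is read-only". "Otherwise, there maybe possible disk corruption and restoring from backup." is not a sentence; suggest "Otherwise the disk may be corrupted and the configuration has to be restored from a backup."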

@ -20,7 +20,7 @@ port 1. Assignments can be changed by going to :menuselection:`Interfaces --> As
interfaces, with the interface name on the left and the physical port selected in the dropdown. New ones can be
created here as well, using a non-occupied physical port.
When creating a new interfaces or changing an existing one (which can be done by clicking its name in the overview),
When creating a new interface or changing an existing one (which can be done by clicking its name in the overview),
the following options are available:
=========================== ============================================================================================================================================================

@ -321,3 +321,42 @@ Status
The Monit status panel can be accessed via :menuselection:`Services --> Monit --> Status`. For every active service, it will show the status,
along with extra information if the service provides it.
-------------------------
Advanced Configurations
-------------------------
Some installations require configuration settings that are not accessible in the UI.
To support these, individual configuration files with a ``.conf`` extension can be put into the
``/usr/local/etc/monit.opnsense.d`` directory. These files will be automatically included by
the UI generated configuration. Multiple configuration files can be placed there. But note that
* The wildcard include processing in Monit is based on ``glob(7)``. So the order in which the files are included is in ascending ASCII order.
* Monit supports up to 1024 include files. If this limit is exceeded, Monit will report an error.
* It makes sense to check if the configuration file is valid. You can do so by using the following command::
# Run syntax check for the control file
configctl monit check
This is a sample configuration file to customize the limits of the Monit daemon:
::
## Set limits for various tests. The following example shows the default values:
##
set limits {
programOutput: 5120 B, # check program's output truncate limit
# sendExpectBuffer: 256 B, # limit for send/expect protocol test
fileContentBuffer: 5120 B, # limit for file content test
# httpContentBuffer: 1 MB, # limit for HTTP content test
# networkTimeout: 5 seconds # timeout for network I/O
# programTimeout: 300 seconds # timeout for check program
# stopTimeout: 30 seconds # timeout for service stop
# startTimeout: 120 seconds # timeout for service start
# restartTimeout: 30 seconds # timeout for service restart
}
.. Warning::
It is the sole responsibility of the administrator which places a file in the extension directory to ensure that the configuration is
valid.
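Review bot: the bullet list is introduced by the fragment "Multiple configuration files can be placed there. But note that" with no colon, and the first bullet runs two sentences together; suggest "... can be placed there, but note that:" and "Monit's wildcard include is based on ``glob(7)``, so files are included in ascending ASCII order." Since the drop-in files are spliced into the UI-generated configuration, a syntax error in any one of them takes down the whole Monit configuration, which is worth stating right next to the `configctl monit check` advice rather than leaving it implicit in the closing Warning. On the sample: with every entry after `fileContentBuffer` commented out, that line ends in a trailing comma directly before the closing `}`; run the sample through `configctl monit check` once to confirm Monit accepts it in exactly this form, or drop the comma.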

@ -4,6 +4,9 @@ Reporting Settings
Some basic reporting settings and options can be found under :menuselection:`Reporting --> Settings`.
Unbound DNS is capable of collecting statistics for insight into DNS traffic. This behaviour is not enabled by default, but can
be enabled in this page. You can also clear any collected data using the "Reset DNS data" button.
The Health reporting uses RRD collection, for which you can disable the statistics collection process, in cases where monitoring is not
relevant or causes too much stress on the system. The option to collect statistics is enabled by default.
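Review bot: "can be enabled in this page" → "can be enabled on this page", and "uses RRD collection, for which you can disable the statistics collection process, in cases where monitoring is not relevant or causes too much stress on the system" is easier to read as "uses RRD collection; collection can be disabled where monitoring is not relevant or puts too much load on the system".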

@ -1,5 +1,5 @@
===================
Reporting Traffic
Reporting: Traffic
===================
Under :menuselection:`Reporting --> Traffic` you will find a traffic monitor which show the current amount of
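Review bot: in the unchanged context line, "a traffic monitor which show the current amount of" should read "which shows"; the new title "Reporting: Traffic" matches the naming used for the new "Reporting: Unbound DNS" page, so that part is consistent.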
@ -13,7 +13,8 @@ Graph
:width: 100%
The top area of the screen shows an overview of all network adapters for both in- and outgoing traffic.
The top area of the screen shows an overview of all network adapters for both in- and outgoing traffic. You can
select the desired polling resolution with the dropdown left of the interface selection dropdown.
The graph below shows the top consumers over the same timespan, when you point to a dot it will show you the measured
bandwith for the selected host (the color matches the interface).
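Review bot: "bandwith" in the context line under the graph description should read "bandwidth"; the same sentence is a comma splice ("top consumers over the same timespan, when you point to a dot it will show you"), suggest a full stop before "When".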
@ -25,7 +26,10 @@ Top talkers
Although the graphical overview also shows the most active clients on the network, sometimes it is more convenient
to see the list of addresses and their current activity in a grid type overview.
This is where the "Top talkers" tab comes into play, the information is quite comparable to what a command line tool as
:code:`iftop` would display.
:code:`iftop` would display:
.. image:: images/top_talkers.png
:width: 100%
When opening this tab you will be presented with the most active addresses, including the amount of traffic
passed when measured and the last time traffic was seen from or to that address.
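Review bot: "what a command line tool as :code:`iftop` would display" should be "such as :code:`iftop`"; changing the full stop to a colon before the screenshot is fine.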

@ -0,0 +1,82 @@
======================
Reporting: Unbound DNS
======================
Starting from OPNsense 23.1, users are able to gain insight into DNS traffic passing through their Unbound DNS resolver
using the reporting tool under :menuselection:`Reporting --> Unbound DNS`.
All data presented here is kept on the system for a total of 7 days, creating a rolling window into DNS traffic without
allowing the system to take up boundless storage space.
-------------------------
Overview
-------------------------
The overview tab shows high-level DNS traffic data.
**Counters**
* The total amount of queries Unbound has handled, starting from the moment as reported above the counters.
This will either be from the moment the gathering of statistics has been enabled, or up until the last 7 days.
Keep in mind that the counter is as seen from the incoming side, and will increase regardless of the type
of response returned.
* The amount of queries Unbound has successfully resolved. This counter does not distinguish between forwards or
recursion, and excludes every other response type, such as responses from cache, local-data or a local policy
such as a blocklist.
* The amount of queries Unbound has blocked. This is either because a queried domain was part of a blocklist,
or part of a user-configured exact match as configured in :menuselection:`Services --> Unbound DNS --> Blocklist`.
* The size of the current blocklist (if any). This will equal the total amount of domains listed inside all the
active blocklists.
Every query counter shows the percentage as part of to the total amount of queries.
.. Note::
Adding up both the blocked and resolved queries does not equal the total amount, since the amount of
responses from cache, local-data and other possible sources such as Unbound itself on e.g. a SERVFAIL are not
shown.
**Graphs**
Also included in the report are two DNS traffic graphs, the first one being the query graph, and the second one
being the client graph. Both graphs show the amount of **incoming** queries over a selectable span of time.
The query graph also shows the amount of blocked queries. You can hover over the dots in the client graph
to see which client it is, as well as the amount of queries associated with this client. If you proceed to click
on this point of data, you will be referred to the Details grid containing every query within this time interval
made by this client.
Both the query and client graph have the option to display the data on a logarithmic scale in order to catch outliers
properly while preserving your perspective of the normal flow of traffic.
**Top domains**
On the bottom of the page the top 10 of both passed and blocked queries are shown. This includes the amount a domain
has been requested, as well as a percentage of passed or blocked requests respectively. If you have blocklists enabled,
you are also able to explicitly block or whitelist a specific domain from this top list with the click of a button.
The relevant domains will show up in :menuselection:`Services --> Unbound DNS --> Blocklist`, under "Whitelist Domains"
or "Blocklist Domains".
-------------------------
Details
-------------------------
The details tab shows a livefeed of **completed** queries along with reply information.
You can refresh the list by clicking the refresh button on the top right of the screen. In it you can find:
* Which client queried which domain with its associated DNS record type.
* The action taken by Unbound, this can either be pass, block or drop. The latter only occurs when a query could
not be serviced due to an internal error.
* The source of the response. This can be either Recursion, Local, Local-data or cache. Local refers to a decision
made by Unbound to either block or drop the query. Local-data refers to the custom host overrides and its associated
aliases or internal local-data entries generated by the system.
* The return code of the DNS query. Refer to the
`IANA DNS Parameters <https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6>`__
for its meaning.
* If recursion is involved, how long in milliseconds it took to resolve a domain.
* The TTL of the final answer. Answers from recursion will always contain an upstream-defined TTL value, while
answers from cache will show a snapshot of the remaining cache TTL value before recursion would have to take place again.
Please note that TTL behaviour can be largely dependent on the settings used in :menuselection:`Services --> Unbound DNS --> Advanced`.
* The blocklist used if a query was blocked.
* Either a block or whitelist action button, which can be used in the same way as described above for the "Top domains" in the
overview section. Please note that this column will not appear if blocklists are disabled.
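Review bot: the Details tab description is inconsistent about what "drop" means: the action bullet says drop "only occurs when a query could not be serviced due to an internal error", while the source bullet two lines later says "Local refers to a decision made by Unbound to either block or drop the query", i.e. a policy outcome. One of the two needs rewording so that someone reading the feed can tell an error-induced drop from a policy drop. Missing from the Top domains paragraph: what happens after clicking the block/whitelist button, i.e. whether the entry takes effect in Unbound immediately or only once the Blocklist page is saved and applied; the text only says the domain "will show up" under Services --> Unbound DNS --> Blocklist. Wording: "as part of to the total amount" → "of the total number"; "livefeed" → "live feed"; and "starting from the moment as reported above the counters. This will either be from the moment the gathering of statistics has been enabled, or up until the last 7 days" is circular, suggest "counted from the start time shown above the counters, which is either the moment statistics collection was enabled or the start of the 7-day window, whichever is later".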

@ -133,7 +133,7 @@ redirects, manipulation of downloaded files like executables).
Modern clients and servers should support TLS 1.2 and TLS 1.3. All others should
be disabled.
TLS - Diffenent ways to use it
TLS - Different ways to use it
==============================
1) Breaking up the connection on the firewall (down- and upstream are using TLS)

@ -112,6 +112,73 @@ share the same syntax:
- Specifying multiple values is possible using the comma: ``1,4,9``
- Ranges can be specified using a dash: ``4-9``
Available cron jobs are registered in the backend to prevent command injection and privilege escalation. These can be found under
`Command` and may allow an additional `Parameter`. Restart and reload actions are self-explanatory. They take no parameters and
will restart (usually slower stop and start of a process) or reload (usually a faster SIGHUP) the respective service. The availability
of restart and reload is subject to their respective services as not all software will support a reload for implementational reasons.
The most common core commands are as follows:
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Command in GUI | Command in shell | Supported parameters | Background information |
+==============================================================================================================================================================+
| Update and reload firewall aliases | configctl filter refresh_aliases | No parameters | Updates IP aliases for DNS entries and MAC |
| | | | addresses as well as URL tables. |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Firmware update check | configctl firmware poll | No parameters | Refresh current update status from firmware |
| | | | mirror for e.g. remote status check via |
| | | | API. Note this utilizes a skew interval of |
| | | | 25 minutes. |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Firmware changelog update | configctl firmware changelog cron | No parameters | Refresh current changelog status from |
| | | | authoritative firmware location to preview |
| | | | changelogs for new versions. Note this |
| | | | utilizes a skew interval of 25 minutes and |
| | | | is also performed by the firmware update |
| | | | check. |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Automatic firmware update | configctl firmware auto-update | No parameters | Perform a minor update if applicable. |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Update and reload intrusion detection rules | configctl ids update | No parameters | Fetches remote rules and reloads the IDS |
| | | | instance to make use of newly fetched rules.|
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Periodic interface reset | configctl interface reconfigure | identifier: Internal | Cycle through an interface reset that |
| | [identifier] | name of the interface | removes all connectivity and reactivates |
| | | as shown in assignments | it cleanly. |
| | | or overview page, e.g. | |
| | | "lan", "wan", "optX". | |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Download and reload external proxy ACLs | configctl proxy fetchacls | No parameters | Fetch and activate the external ACL files |
| | | | for configured blocklists. |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Remote backup | configctl system remote backup | No parameters | Trigger the remote backup at the specified |
| | | | time as opposed to its nightly default. |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Issue a reboot | configctl system reboot | No parameters | Perform a reboot at the specified time. |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| HA update and reconfigure backup | configctl system ha_reconfigure_backup | No parameters | Synchronize the configuration to the backup |
| | | | firewall and restart its services to apply |
| | | | the changes. |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Update Unbound DNSBLs | configctl unbound dnsbl | No parameters | Update the the DNS blocklists and apply the |
| | | | changes to Unbound. |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ZFS pool trim | configctl zfs trim [pool] | pool: ZFS pool name to | Initiates an immediate on-demand TRIM |
| | | perform the action on | operation for all of the free space in a |
| | | | pool. This operation informs the underlying |
| | | | storage devices of all blocks in the pool |
| | | | which are no longer allocated and allows |
| | | | thinly provisioned devices to reclaim the |
| | | | space. |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
| ZFS pool scrub | configctl zfs scrub [pool] | pool: ZFS pool name to | Begins a scrub or resumes a paused scrub. |
| | | perform the action on | The scrub examines all data in the specified|
| | | | pools to verify that it checksums correctly.|
| | | | For replicated (mirror, raidz, or draid) |
| | | | devices, ZFS automatically repairs any |
| | | | damage discovered during the scrub. |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
-------
General
-------

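Review bot: doubled word in the new "Update Unbound DNSBLs" row: "Update the the DNS blocklists and apply the changes to Unbound." should read "Update the DNS blocklists". A documentation gap in the same table: the intro says commands are "registered in the backend to prevent command injection and privilege escalation" and that some "may allow an additional `Parameter`", but the two rows that take one ("configctl interface reconfigure [identifier]" and "configctl zfs trim [pool]" / "configctl zfs scrub [pool]") do not say what happens when the Parameter field does not match a known interface or pool; one sentence on how the parameter is constrained (accepted values, or that the job fails and logs) would back the injection claim and help readers scheduling these jobs via the GUI.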
@ -72,7 +72,7 @@ If, for example you would like to install the gnu `nano <https://www.nano-editor
The ports tree
....................................
In case your using software, which is not supplied by us, you can always build these packages yourself.
In case you are using software, which is not supplied by us, you can always build these packages yourself.
It's best to use our build system to facilitate this, you can do so using the following commands
.. code-block:: sh

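Review bot: the unchanged line that follows the fix is a comma splice: "It's best to use our build system to facilitate this, you can do so using the following commands"; since the sentence is being edited anyway, end it with a colon ("...build system to facilitate this; you can do so using the following commands:") so it introduces the code block.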
@ -121,7 +121,8 @@ Advanced
-------------------------
Although the default settings should be reasonable for most setups, some need more tuning or require specific options
set.
set. Some of these settings are enabled and given a default value by Unbound,
refer to `unbound.conf(5) <https://nlnetlabs.nl/documentation/unbound/unbound.conf/>`__ for the defaults.
=====================================================================================================================
@ -140,48 +141,99 @@ Harden DNSSEC data DNSSEC data is required for trust-anchored
If this is disabled and no DNSSEC data is received,
then the zone is made insecure.
Serve expired responses Serve expired responses from the cache with a TTL of 0
without waiting for the actual resolution to finish.
Message Cache Size Size of the message cache. The message cache stores DNS rcodes
and validation statuses. The RRSet cache will automatically be
set to twice this amount.
The RRSet cache contains the actual RR data. The default is 4 megabytes.
without waiting for the actual resolution to finish. When checked,
multiple options to customize the behaviour regarding expired responses
will appear.
Expired Record Reply TTL Value TTL value to use when replying with expired data.
If "Client Expired Response Timeout" is also used then it is recommended
to use 30 as the default value as per RFC 8767.
Only applicable when "Serve expired responses" is checked.
TTL for Expired Responses Limits the serving of expired responses to the configured amount of seconds
after expiration. A value of 0 disables the limit. A suggested value
as per RFC 8767 is between 86400 (1 day) and 259200 (3 days).
Only applicable when "Serve expired responses" is checked.
Reset Expired Record TTL Set the TTL of expired records to the "TTL for Expired Responses" value
after a failed attempt to retrieve the record from an upstream server.
This makes sure that the expired records will be served as long as
there are queries for it.
Only applicable when "Serve expired responses" is checked.
Client Expired Response Timeout Time in milliseconds before replying to the client with expired data.
This essentially enables the serve- stable behavior as specified in RFC 8767
that first tries to resolve before immediately responding with expired data.
A recommended value per RF 8767 is 1800. Setting this to 0 will disable this behavior.
Only applicable when "Serve expired responses" is checked.
Strict QNAME Minimisation Send minimum amount of information to upstream servers to enhance privacy.
Do not fall-back to sending full QNAME to potentially broken nameservers.
A lot of domains will not be resolvable when this option in enabled.
Only use if you know what you are doing.
Extended Statistics If enabled, extended statistics are printed to syslog.
Log Queries If enabled, prints one line per query to the log, with the log timestamp
and IP address, name, type and class. Note that it takes time to print these lines,
which makes the server (significantly) slower. Odd (non-printable) characters
in names are printed as '?'.
Log Replies If enabled, prints one line per reply to the log, with the log timestamp
and IP address, name, type, class, return code, time to resolve,
whether the reply is from the cache and the response size.
Note that it takes time to print these lines, which makes the server (significantly) slower.
Odd (non-printable) characters in names are printed as '?'.
Tag Queries and Replies If enabled, prints the word 'query: ' and 'reply: ' with logged queries and replies.
This makes filtering logs easier.
Log level verbosity Select the log verbosity. Level 0 means no verbosity, only errors.
Level 1 gives operational information. Level 2 gives detailed
operational information. Level 3 gives query level information,
output per query. Level 4 gives algorithm level information.
Level 5 logs client identification for cache misses. Default is level 1.
Private Domains List of domains to mark as private. These domains and all its subdomains
are allowed to contain private addresses.
Rebind Protection networks These are addresses on your private network, and are not allowed to
be returned for public internet names. Any occurrence of such addresses
are removed from DNS answers. Additionally, the DNSSEC validator may mark the answers bogus.
This protects against so-called DNS Rebinding.
(Only applicable when DNS rebind check is enabled in
`Administration <settingsmenu.html#administration>`__)
Insecure Domains List of domains to mark as insecure. DNSSEC chain of trust is ignored towards the domain name.
Message Cache Size Size of the message cache. The message cache stores DNS rcodes and validation statuses.
The RRSet cache (which contains the actual RR data) will automatically be set to twice this amount.
Valid input is plain bytes, optionally appended with 'k', 'm', or 'g' for kilobytes,
megabytes or gigabytes respectively.
RRset Cache Size Size of the RRset cache. Contains the actual RR data. Valid input is plain bytes,
optionally appended with 'k', 'm', or 'g' for kilobytes, megabytes or gigabytes respectively.
Automatically set to twice the amount of the Message Cache Size when empty, but can be manually
modified.
Outgoing TCP Buffers The number of outgoing TCP buffers to allocate per thread.
The default value is 10. If 0 is selected then no TCP queries,
to authoritative servers, are done.
If 0 is selected then no TCP queries to authoritative servers are done.
Incoming TCP Buffers The number of incoming TCP buffers to allocate per thread.
The default value is 10. If 0 is selected then no TCP queries,
from clients, are accepted.
If 0 is selected then no TCP queries from clients are accepted.
Number of queries per thread The number of queries that every thread will service simultaneously.
If more queries arrive that need to be serviced,
and no queries can be jostled, then these queries are dropped.
If more queries arrive that need to be serviced, and no queries can be jostled out (see "Jostle Timeout"),
then these queries are dropped. This forces the client to resend after a timeout,
allowing the server time to work on the existing queries.
Outgoing Range The number of ports to open. This number of file descriptors can be opened per thread.
Larger numbers need extra resources from the operating system.
For performance a very large value is best. For reference,
usually double the amount of queries per thread is used.
Jostle Timeout This timeout is used for when the server is very busy.
This protects against denial of service by slow queries or
high query rates. The default value is 200 milliseconds.
Maximum TTL for RRsets and messages Configure a maximum Time to live for RRsets and messages in the cache.
The default is 86400 seconds (1 day). When the internal TTL expires
the cache item is expired. This can be configured to force the
resolver to query for data more often and not trust (very large) TTL values.
Minimum TTL for RRsets and messages Configure a minimum Time to live for RRsets and messages in the cache.
The default is 0 seconds. If the minimum value kicks in,
the data is cached for longer than the domain owner intended,
and thus less queries are made to look up the data.
The 0 value ensures the data in the cache is as the domain owner intended.
High values can lead to trouble as the data in the cache might not match up
with the actual data anymore.
TTL for Host cache entries Time to live for entries in the host cache.
The host cache contains roundtrip timing and
EDNS support information. The default is 15 minutes.
Number of Hosts to cache Number of hosts for which information is cached. The default is 10000.
Set to a value that usually results in one round-trip to the authority servers.
If too many queries arrive, then 50% of the queries are allowed to run to completion,
and the other 50% are replaced with the new incoming query if they have already spent
more than their allowed time. This protects against denial of service by
slow queries or high query rates.
Maximum TTL for RRsets and messages Configure a maximum Time to live in seconds for RRsets and messages in the cache.
When the internal TTL expires the cache item is expired.
This can be configured to force the resolver to query for
data more often and not trust (very large) TTL values.
Minimum TTL for RRsets and messages Configure a minimum Time to live in seconds for RRsets and messages in the cache.
If the minimum value kicks in, the data is cached for longer than the domain owner intended,
and thus fewer queries are made to look up the data. The 0 value ensures
the data in the cache is as the domain owner intended. High values can lead to
trouble as the data in the cache might not match up with the actual data anymore.
TTL for Host cache entries Time to live in seconds for entries in the host cache.
The host cache contains round-trip timing, lameness and EDNS support information.
Number of Hosts to cache Number of hosts for which information is cached.
Unwanted Reply Threshold If enabled, a total number of unwanted replies is kept track of in every
thread. When it reaches the threshold, a defensive action is taken and
a warning is printed to the log file. This defensive action is to clear
the RRSet and message caches, hopefully flushing away any poison.
The default is disabled, but if enabled a value of 10 million is suggested.
Log level verbosity Select the log verbosity. Level 0 means no verbosity, only errors.
Level 1 gives operational information. Level 2 gives detailed
operational information. Level 3 gives query level information,
output per query. Level 4 gives algorithm level information.
Level 5 logs client identification for cache misses. Default is level 1.
==================================== ===============================================================================
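Review bot: two typos in the new "Client Expired Response Timeout" row change its meaning: "This essentially enables the serve- stable behavior as specified in RFC 8767" should read "serve-stale behavior" (the RFC's title is "Serving Stale Data to Improve DNS Resiliency"), and "A recommended value per RF 8767 is 1800." should read "RFC 8767". Units in the serve-expired block should be stated consistently: this row is in milliseconds while "Expired Record Reply TTL Value" (30) and "TTL for Expired Responses" (86400 to 259200) are seconds; the numbers match RFC 8767, but a reader comparing the rows needs the unit on each. Smaller points: "A lot of domains will not be resolvable when this option in enabled." should be "is enabled", and "These domains and all its subdomains" should be "their subdomains".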
@ -231,9 +283,27 @@ URLs of Blacklists Additional http[s] location to download bl
files containing a list of fqdn's (e.g. :code:`my.evil.domain.com`) are
supported.
Whitelist Domains When a blacklist item contains a pattern defined in this list it will
be ommitted from the results. e.g. :code:`.*\.nl` would exclude all .nl domains
be ommitted from the results. e.g. :code:`.*\.nl` would exclude all .nl domains.
Blocked domains explicitly whitelisted using the :doc:`/manual/reporting_unbound_dns`
page will show up in this list.
Blocklist Domains List of domains to explicitly block. Regular expressions are not supported.
Passed domains explicitly blocked using the :doc:`/manual/reporting_unbound_dns`
page will show up in this list.
Destination Address Specify an IP address to return when DNS records are blocked. Can be used to
redirect such domains to a separate webserver informing the user that the
content has been blocked. The default is 0.0.0.0. Any value in this field
is skipped if "Return NXDOMAIN" is checked.
Return NXDOMAIN Instead of returning the "Destination Address", return the DNS return code
"NXDOMAIN". This is useful in cases where devices cannot cope
with the 0.0.0.0 destination address, such as certain Apple devices.
==================================== ===============================================================================
.. Note::
Applying the blocklist settings will not restart Unbound, rather it will signal to Unbound to dynamically
process the blocklists as soon as they're downloaded. There may be up to a minute of delay before Unbound
has loaded everything. During this time Unbound will still be just as responsive.
When any of the DNSBL types are used, the content will be fetched directly from its original source, to
get a better understanding of the source of the lists we compiled the list below containing references to
the list maintainers.

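Review bot: the Whitelist Domains edit only appends a period and leaves the spelling error in place: "be ommitted from the results. e.g. :code:`.*\.nl` would exclude all .nl domains." should read "omitted". The same row demonstrates a regular expression while the new "Blocklist Domains" row says "Regular expressions are not supported."; that asymmetry is intentional but worth stating in the Whitelist row ("patterns are regular expressions") so readers do not assume both fields behave alike.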
@ -20,7 +20,6 @@ Update settings
By navigating to :menuselection:`System --> Firmware --> Settings`, you can influence the firmware update settings:
* **Fimware Mirror:** this influences where OPNsense tries to get its updates from. If you have troubles updating or searching for updates, or if your current mirror is running slowly, you can change it here.
* **Firmware Flavour:** OPNsense is available in different flavours. Currently, these flavours influence which cryptographic library to use: OpenSSL (the default) or its drop-in replacement LibreSSL.
* **Release Type:** With this setting, you can switch between the regular fortnightly schedule of tested releases (Production) or the newest, not fully tested code (Development). **Please leave this setting on "Production", unless you fully understand the implications of switching.**
--------------

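Review bot: the removal of the "Firmware Flavour" bullet leaves a typo in the adjacent context line, "* **Fimware Mirror:**", which should read "Firmware Mirror"; fix it in the same change. If the flavour selection is gone from the GUI, a one-line note saying so would help users following older guides that still mention the LibreSSL option.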
@ -23,7 +23,7 @@ For optimum performance and compatibility, these guides are given:
VMware ESXi
-----------
VMware offers full instructions for installing FreeBSD, these can be found
`here <http://partnerweb.vmware.com/GOSIG/FreeBSD_11x.html>`__.
`here <https://partnerweb.vmware.com/GOSIG/FreeBSD_13x.html>`__.
To install the VMware tools just goto :menuselection:`System --> Firmware --> Plugins` and install
**os-vmware** by clicking on the **+** sign next to it.
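Review bot: the link update is fine; the following context line "To install the VMware tools just goto :menuselection:`System --> Firmware --> Plugins`" should read "go to".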
@ -97,7 +97,7 @@ Amazon AWS EC2 Cloud
.. image:: how-tos/images/amazon-web-services.png
:height: 80px
Installing OPNsense into the Amazon cloud can be a dounting task as no console is
Installing OPNsense into the Amazon cloud can be a daunting task as no console is
offered. Luckily an easy to install AMI is also available in the aws marketplace.
See also our how-to for :doc:`how-tos/installaws`.

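Review bot: style point on the corrected line's continuation: "an easy to install AMI is also available in the aws marketplace" should read "AWS Marketplace" (and "easy-to-install AMI" as a compound adjective).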
@ -35,64 +35,239 @@ Since IPsec is used in many different scenario's and sometimes has the tendency
will describe different usecases and provide some examples in this chapter.
.................................
Site 2 Site policy based
General context
.................................
Probably one of the oldest and most used scenarios is the policy based one.
The IPsec module incorporates different functions, which are grouped into various menu items. Since the start of our
project we have been offering IPsec features based on the legacy :code:`ipsec.conf` format, which we are migrating to
`swantcl.conf <https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html>`__ as of version 23.1. While
migrating the existing featureset we came to the conclusion that the world has changed quite a bit and in order to
offer better (api) access to the featureset available we decided to plan for deprecation of the legacy "Tunnel settings" as they
have existed since we started. No timeline has been set, only a feature freeze on tunnels using the "Tunnel settings" menu item.
Like all IPsec configurations, a standard site to site setup starts with a so called "Phase 1" entry to establish the
communication between both peers defined in :menuselection:`VPN -> IPsec -> Tunnel Settings`. After the phase 1
is configured, the "Phase 2" defines which policies traffic should match on.
One of the main goals for the long run is to better align the gui components so they reflect the reality underneath, as we use
`strongswan <https://www.strongswan.org/>`__, our aim is to follow their terminology more closely than we previously did.
The following functions are available in the menu (as of OPNsense 23.1):
* Connections
* New configuration tool offering access to the connections and pools sections of the :code:`swanctl` configuration
* Tunnel Settings
* Legacy IPsec configuration tool
* Mobile Clients
* Offering access to various options of the `attr <https://docs.strongswan.org/docs/5.9/plugins/attr.html>`__ plugin and pool configurations for legacy tunnels
* Pre-Shared Keys
* Define `secrets <https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_secrets>`__ to be used for local authentication.
* Key Pairs
* For public key authentication collect public and private keys.
* Advanced Settings
* Define passthrough networks (to exclude from kernel traps), logging options and some generic options
* Status Overview
* Shows tunnel statusses
* Lease Status
* For mobile clients, show address leases for various pools configured
* Security Association Database
* Shows security associations, the fundamental concept of IPsec describing a relationship between two or more entities
* Security Policy Database
* Installed security policies describing which traffic is allowed to pass a tunnel
* Virtual Tunnel Interfaces
* Edit or create new :code:`if_ipsec(4)` interfaces and show the ones created by legacy tunnels
* Log File
* Inspect log entries related to IPsec
Since the kernel traps traffic matching defined policies, no additional routing need to be configured in order to
communicate between both ends of a tunnel.
.. Note::
Using Network Address Translation in these types of setups is different, due to the fact that the installed IPsec policy
should accept the traffic in order to encapsulate it. The `IPSec BINAT` document will explain how to apply translations.
When migrating Pre-Shared Key type tunnels to connections, make sure to add an entry in the "Pre-Shared Keys" module as well.
If both ends should use their own identifier, fill in both local and remote values. The legacy module requested this information in the phase 1
page and wrote the same information to the secrets.
.................................
Security policies and routing
.................................
In order to pass traffic over an IPsec tunnel, we need a policy matching the traffic. By default when adding a phase 2 (or child) policy
a "kernel route" is installed as well, which traps traffic before normal routing takes place.
.. Note::
Without a policy in place for the tunnel, traffic won't be accepted, in case a policy with a kernel route overlaps a local or locally routed network
the traffic will not be received by the host in question.
.. Tip::
When matching overlapping networks in a policy, make sure to exclude your own network segments in the
When matching overlapping networks in a policy (VTI or overlapping networks), make sure to exclude your own network segments in the
:code:`Passthrough networks` option in :menuselection:`VPN -> IPsec -> Advanced Settings` to prevent traffic being blackholed.
.................................
Implementation schemes
.................................
When setting up IPsec VPNs there are two main types of scenario's with their own advantages and disadvantages.
Policy based
--------------------------
The first one is the standard policy based tunnel, which guards the security of the tunnel with policies and installs kernel
traps to send traffic over the tunnel in case it matches these policies. For example a local network :code:`192.168.1.0/24`
sending traffic to a remote location responsible for :code:`192.168.2.0/24`. The advantage of this scenario is the ease of setup,
no routes are needed to be configured, when in this example :code:`192.168.1.10` contacts :code:`192.168.2.10` the packets
are seamlessly forwarded over the tunnel to the remote location.
When local traffic doesn't match the policies in question due to the tunnel needing Network Address Translation,
that's also possible as long as policies are manually added to the security policy database,
this is also referred to as "NAT before IPsec".
Route based (VTI)
--------------------------
Route based, also known as VTI, tunnels are using a virtual interface known as :code:`if_ipsec(4)`, which can be found under
:menuselection:`VPN -> IPsec -> Virtual Tunnel Interfaces`. This links two ends of the communication for routing purposes
after which normal routing applies. The "(Install) Policies" checkmark needs to be disabled in this case for the child (phase 1 in the legacy tunnel configuration)
definition. Usually the communication policy (phase 2 or child) is set to match all traffic (either :code:`0.0.0.0/0` for IPv4 or :code:`::/0` for IPv6).
So the same example as the policy based option would need (static) routes for the destinations in question (:code:`192.168.1.0/24` needs
a route to :code:`192.168.2.0/24` and vice versa), peering happens over a small network in another subnet (for example :code:`10.0.0.1` <-> :code:`10.0.0.2`)
bound to the tunnel interface.
The advantage of this type of setup is one can use standard or advanced routing technologies to forward traffic around tunnels.
.. Note::
In order to filter traffic on the :code:`if_ipsec(4)` device some tunables need to be set. Both :code:`net.inet.ipsec.filtertunnel`
and :code:`net.inet6.ipsec6.filtertunnel` need to be set to :code:`1` and :code:`net.enc.in.ipsec_filter_mask` and :code:`net.enc.out.ipsec_filter_mask`
need to be set to :code:`0` in order to allow rules on the device. The downside is that policy based tunnels (:code:`enc0`) can not be filtered
anymore as this changes the behaviour from filtering on the :code:`enc0` device to the :code:`if_ipsec(4)` devices.
.. Warning::
Currently it does not seem to be possible to add NAT rules for :code:`if_ipsec(4)` devices.
.. Warning::
In order to reliably setup a VTI tunnel, both ends should use static ip addresses. Although in the legacy configuration it
was possible to resolve hostnames, this will never lead to a stable configuration as the :code:`if_ipsec(4)` device
matches both source and destination `[#] <https://github.com/freebsd/freebsd-src/blob/c8ee75f2315e8267ad814dc5b4645ef205f0e0e1/sys/net/if_ipsec.c#L479>`__
before accepting the traffic and has no knowledge about any external changes.
.................................
Road Warriors / Mobile users
.................................
IPsec may also be used to service remote workers connecting to OPNsense from various clients, such as Windows, MacOS, iOS and Android.
The type of client usually determines the authentication scheme(s) being used.
In case clients should be offered default settings, these can be configured from :menuselection:`VPN -> IPsec -> Mobile Clients`.
Pool options (Virtual IPvX Address Pool) on this page will be used by the legacy tunnel configuration only, when using the new connections
module one may configure different pools per connection.
The examples section contains various options available in OPNsense. When using the new "connections" option available
as of OPNsense 23.1, different `examples from Strongswan <https://docs.strongswan.org/docs/5.9/interop/windowsClients.html>`__
are usually quite easy to implement as we follow the `swantcl.conf <https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html>`__
format quite closely in the new module.
The following client setup examples are available in our documentation:
.. toctree::
:maxdepth: 2
:titlesonly:
:maxdepth: 2
:titlesonly:
how-tos/ipsec-s2s
how-tos/ipsec-s2s-binat
how-tos/ipsec-rw-android
how-tos/ipsec-rw-linux
how-tos/ipsec-rw-w7
.................................
Site 2 Site route based (VTI)
Examples
.................................
Unlike the policy based setup described in the previous chapter, the route based variant depends on custom routes being installed
on both ends of the tunnel. When adding a route based tunnel, the system will add an interface for you which you can use in normal
routing operations.
This paragraph offers examples for some commonly used implementation scenarios.
Legacy (:menuselection:`VPN -> IPsec -> Tunnel Settings`)
------------------------------------------------------------------------------
.. toctree::
:maxdepth: 2
:titlesonly:
how-tos/ipsec-s2s
how-tos/ipsec-s2s-binat
how-tos/ipsec-s2s-route
how-tos/ipsec-s2s-route-azure
how-tos/ipsec-rw
.. Note::
Using Network Address Translation in policy based tunnels is different, due to the fact that the installed IPsec policy
should accept the traffic in order to encapsulate it. The `IPSec BINAT` document will explain how to apply translations.
.................................
Road Warriors / Mobile users
.................................
For people working from home IPsec is also an option, althouh a bit more complicated in comparison to OpenVPN due
to the many different implementation types.
New > 23.1 (:menuselection:`VPN -> IPsec -> Connections`)
------------------------------------------------------------------------------
.. toctree::
:maxdepth: 2
:titlesonly:
how-tos/ipsec-rw
how-tos/ipsec-s2s-conn
how-tos/ipsec-s2s-conn-route
how-tos/ipsec-s2s-conn-binat
.. Tip::
The number of examples for the new module on our end is limited, but for inspiration it's often a good
idea to walkthrough the examples provided by `Strongswan <https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation#Configuration-Examples>`__.
Quite some swanctl.conf examples are easy to implement in our new module as we do follow the same terminology.
.................................
Tuning considerations
.................................
Depending on the workload (many different IPsec flows or a single flow), it might help to enable multithreaded crypto mode
on :code:`ipsec`, in which case cryptographic packets are dispatched to multiple processors.
In order to do so, add or change the following tunable in :menuselection:`System --> Settings --> Tunables`:
.. Note::
:code:`net.inet.ipsec.async_crypto` = **1**
To distribute load better over available cores in the system, it may help to enable :doc:`receive side scaling </troubleshooting/performance>`.
In which case the following tunables need to be changed:
.. Note::
* :code:`net.isr.bindthreads` = **1**
* :code:`net.isr.maxthreads` = **-1** <-- equal the number of cores in the machine
* :code:`net.inet.rss.enabled` = **1**
* :code:`net.inet.rss.bits` = **X** <-- see :doc:`rss </troubleshooting/performance>` document.
.................................
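Review bot: the Note on filtering `if_ipsec(4)` devices deserves a Warning rather than a Note, because the consequence it describes is a silent loss of filtering: "The downside is that policy based tunnels (:code:`enc0`) can not be filtered anymore as this changes the behaviour from filtering on the :code:`enc0` device to the :code:`if_ipsec(4)` devices." Administrators with mixed policy-based and VTI tunnels will otherwise flip the four tunables and end up with rules on the IPsec group no longer applying to their policy-based traffic; say that up front and suggest verifying the rule set afterwards. A second logic issue: "The "(Install) Policies" checkmark needs to be disabled in this case for the child (phase 1 in the legacy tunnel configuration)" conflicts with the very next sentence, "the communication policy (phase 2 or child)"; state explicitly on which legacy page (phase 1 or phase 2) the checkbox lives. Spelling in the link text "swantcl.conf" (twice, the URL itself is correct) should be "swanctl.conf"; "Shows tunnel statusses" should be "statuses"; "no additional routing need to be configured" should be "needs"; "scenario's" should be "scenarios"; "MacOS" should be "macOS"; "walkthrough the examples" should be "walk through". Finally, the toctree under "The following client setup examples are available in our documentation:" shows ":maxdepth: 2" and ":titlesonly:" twice; keep one set.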
@ -116,19 +291,46 @@ with the settings of the component they belong to. The log files can be found in
in :menuselection:`VPN -> IPsec -> Advanced Settings`.
.................................
Custom configurations
.................................
In some (rare) cases one might want to add custom configuration options not available in the user interface, for this reason we
do support standard includes.
While the :code:`swanctl.conf` and the legacy :code:`ipsec.conf` configuration files are well suited to define IPsec-related configuration parameters,
it is not useful for other strongSwan applications to read options from these files.
To configure these other components, it is possible to manually append options to our default template, in which case files
may be placed in the directory :code:`/usr/local/etc/strongswan.opnsense.d/` using the file extention :code:`.conf`
IPsec configurations are managed in `swantcl.conf <https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html>`__ format (as of 23.1), merging your own additions is possible by
placing files with a :code:`.conf` extension in the directory :code:`/usr/local/etc/swanctl/conf.d/`.
.. Warning::
Files added to these directories will not be mainted by the user interface, if you're unsure if you need this, it's likely
a good idea to skip adding files here as it might lead to errors difficult to debug.
.. Note::
Prior to version 23.1 it was also possible to add secrets and ipsec configurations in :code:`/usr/local/etc/ipsec.secrets.opnsense.d/`
and :code:`/usr/local/etc/ipsec.opnsense.d/`, with the switch to 23.1 these files are deprecated and should be manually migrated into swanctl.conf
format.
--------------------------
OpenVPN (SSL VPN)
--------------------------
One of the main advantages of OpenVPN in comparison to IPsec is the ease of configuration, there are less settings involved
One of the main advantages of OpenVPN in comparison to IPsec is the ease of configuration, there are fewer settings involved
and it's quite simple to export settings for clients.
.................................
Site 2 Site
.................................
OpenVPN on OPNsense can also be used to create a tunnel between two locations, similar to what IPsec offers, generally
OpenVPN on OPNsense can also be used to create a tunnel between two locations, similar to what IPsec offers. Generally
the performance of IPsec is higher which usually makes this a less common choice.
.. toctree::
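Review bot: three spelling errors in the added "Custom configurations" text: "extention" should be "extension" (and that sentence, ending in :code:`.conf`, is missing its full stop), "swantcl.conf" in the link text should be "swanctl.conf" as the link target already spells it, and "mainted" in the warning should be "maintained". The note on the pre-23.1 directories says the old files should be migrated into swanctl.conf format but not what happens to them afterwards; since `/usr/local/etc/ipsec.secrets.opnsense.d/` holds secrets, consider adding that the deprecated files should be removed once migrated so they do not linger unmanaged beside the new configuration. Style: the first sentence ("...not available in the user interface, for this reason we do support standard includes") is a comma splice and reads better split at "interface.".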
@ -185,6 +387,14 @@ A selection of the most relevant settings can be found in the table below.
"IPv[4|6] Remote Network", "These are the networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established."
"Redirect Gateway", "Force the clients default gateway to this tunnel"
.. Note::
When configuring tunnel networks, make sure they fit in the network defined on the server tunnel itself to allow the server to send data back to the client.
For example in a :code:`10.0.0.0/24` network you are able to define a client specific one like :code:`10.0.0.100/30`.
To reduce the chances of a collision, also make sure to reserve enough space at the server as the address might already be assigned to a dynamic client otherwise.
--------------------------
Plugin VPN options
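Review bot: "reserve enough space at the server" in the added note is left undefined, so a reader cannot act on it; say what it means in practice, for instance that the server tunnel network must be sized so that addresses handed out dynamically cannot fall inside a client-specific network such as `10.0.0.100/30`. Also the context row "Force the clients default gateway to this tunnel" needs "client's".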

@ -3,9 +3,9 @@ Project Relations
====================================
The OPNsense® development team believes that sharing knowledge makes better
products. The team is proud on it relations with other projects & organizations
and likes to mention them and their hard work. More details may be found on
these pages.
products. The team is proud of its relations with other projects &
organizations and likes to mention them and their hard work. More details may
be found on these pages.
.. toctree::
:maxdepth: 2

@ -431,7 +431,7 @@ Here are the full patch notes:
* src: assorted multicast group join/leave corrections
* src: fix vmx driver packet loss and degraded performance `[4] <FREEBSD:FreeBSD-EN-20:16.vmx>`__
* src: fix memory corruption in USB network device driver `[5] <FREEBSD:FreeBSD-SA-20:21.usb_net>`__
* src: fix multiple vulnerabilities in sqlite3 `[6] <FREEBSD:FreeBSD-SA-20:22.sqlite>`__
* src: fix multiple vulnerabilities in sqlite `[6] <FREEBSD:FreeBSD-SA-20:22.sqlite>`__
* src: fix sendmsg(2) privilege escalation `[7] <FREEBSD:FreeBSD-SA-20:23.sendmsg>`__
* ports: perl 5.32.0 `[8] <https://perldoc.perl.org/5.32.0/perldelta>`__
* ports: squid 4.12 `[9] <http://www.squid-cache.org/Versions/v4/squid-4.12-RELEASENOTES.html>`__

@ -16,6 +16,158 @@ the images can be found below as well.
https://downloads.opnsense.com/
--------------------------------------------------------------------------
22.10.2 (February 20, 2023)
--------------------------------------------------------------------------
This business release is based on the OPNsense 22.7.11 community version
with additional reliability improvements.
Here are the full patch notes:
* interfaces: fix VLAN missing a config lock on delete
* firewall: do not switch gateway on bootup
* intrusion detection: properly reset metadata response when no metadata is found
* unbound: missing global so that cache is never flushed when requested
* mvc: cleanse $record input in searchRecordsetBase() before usage
* src: fix multiple OpenSSL vulnerabilities `[1] <FREEBSD:FreeBSD-SA-23:03.openssl>`__
* src: geli: split the initalization of HMAC `[2] <FREEBSD:FreeBSD-SA-23:01.geli>`__
* src: fix ena driver crash after reset in 7th gen AWS instance types `[3] <FREEBSD:FreeBSD-EN-23:03.ena>`__
* src: fix sdhci broken write-protect settings `[4] <FREEBSD:FreeBSD-EN-23:02.sdhci>`__
* src: import tzdata 2022g `[5] <FREEBSD:FreeBSD-EN-23:01.tzdata>`__
* src: x86: ignore stepping for APL30 errata
* ports: openssl 1.1.1t `[6] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
--------------------------------------------------------------------------
22.10.1 (February 01, 2023)
--------------------------------------------------------------------------
This business release is based on the OPNsense 22.7.11 community version
with additional reliability improvements.
Here are the full patch notes:
* system: fix getOID() call for phpseclib 3 while processing CSR
* system: avoid error on installer user creation
* system: show booting banner on dashboard
* system: add statistics tree view containing vmstat memory characteristics
* system: explicitly reopen main log file in case another log file was used and closed
* system: tweak log_msg() to prepare log level adjustments migration away from log_error()
* system: enforce config reload to fetch group membership in authentication tester
* system: separate interface type icon from name column in interface widget
* system: change system log default to "Notice"
* system: UX tweaks on activity page
* system: revised backend daemon startup delay
* system: drop empty plugins_run() result
* system: fix internal CRL check (contributed by kulikov-a)
* system: add group (class) sync and user creation for RADIUS authentication
* system: show and search ACL endpoints in privilege selector
* system: replace a number of log_error() calls with log_msg() equivalent
* system: improve SSH lockout behaviour
* system: fix a few minor Coverity Scan reports in PHP and Python `[1] <https://scan.coverity.com/projects/opnsense-core>`__
* interfaces: show attached interface for VLAN device in overview
* interfaces: packet capture MVC/API replacement
* interfaces: fix ARP table name resolve backend issue (contributed by soif)
* interfaces: migrate main clearing of interface data to ifctl
* interfaces: fix display of special HTML characters in packet capture
* interfaces: retain existing PPP settings on saving interface settings
* interfaces: delete the correct lock of PPP device
* interfaces: fix variable use in interface_proxyarp_configure()
* interfaces: use get_interface_list() to identify hardware devices
* interfaces: fix single ACL use for MVC/API interface pages
* firewall: off-by-one in regex for target port range parse
* firewall: support Maxmind unclassified "EU" as selectable country
* firewall: fix possible race condition when changing limit in live log
* firewall: fix sorting bug in aliases list
* firewall: allow the use of "dynamic" interface types in shaper, e.g. IPsec devices
* firewall: wrap user rule registration in new function filter_core_rules_user()
* firewall: simplify rule lookup by using filter_core_rules_user()
* firewall: allow external dynamic address in NPT
* firewall: remove extended VIP expansion from NAT rules
* firewall: fix live view hostname lookup may result in HTTP 431 error
* firewall: add category selection to aliases
* firewall: sates page performance improvements and better address parsing in search
* firewall: reuse "hostid" on filter reload events
* firewall: show automated "port 0" rule as actual port "0" on PHP 8
* reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics
* reporting: bail DNS resolve in traffic graphs when resolver is not configured
* captive portal: for static MAC assignments make sure that the IP address actually changed before updating it
* dnsmasq: remove expired root trust anchor (contributed by Johnny S. Lee)
* firmware: always fetch the signature file to avoid signature issues after upgrades
* firmware: use effective ABI in changelog fetch
* firmware: ignore automatic business plugin and license hint
* ipsec: missing return in controller
* ipsec: remove side effect host route removal from Phase 1 page
* ipsec: allow to search all phase 2 entries via API call
* ipsec: default log should be set to "basic" but PHP 8 disagreed
* openvpn: use ifctl in link up/down scripts
* openvpn: remove unused "pool_enable" attribute
* unbound: move the removal of pluggable files above the configuration check
* unbound: remove 127/8 from private-address block when rebind protection is enabled
* unbound: make the default private-address items configurable via the advanced page
* unbound: fix possible error while opening DoT page
* unbound: do not stop on potential errors in start script
* unbound: rework DNSBL implementation to Python module
* unbound: fix blocklist use with DNS64 mode (contributed by kulikov-a)
* unbound: change working directory before checking configuration
* unbound: introduce blocklist module changes for upcoming 23.1
* unbound: fix log message blocklist item count (contributed by kulikov-a)
* unbound: also change working dir for unbound-checkconf in start script (contributed by kulikov-a)
* unbound: fix missing query_reply property leading to an AttributeError
* unbound: safeguard retrieval of blocklist shortcode
* web proxy: fix broken "Google GSuite restricted" option
* backend: wait 1 second for configd socket to become available
* backend: clean up scripts/systemheath location
* backend: moved log format definitions to new location for core and several plugins
* mvc: when multiple validation messages are returned wrap each message in a div tag
* mvc: translate a base field error
* mvc: change default sorting to case-insensitive
* mvc: move JavaScript and CSS imports to base controller
* mvc: make sure HostnameField with ZoneRootAllowed accepts "@." prefix
* mvc: fix IntegerField minimum value (contributed by xbb)
* rc: remove obsolete NAME_var_script and NAME_var_mfs support
* ui: unicode content for tokenizer (contributed by kulikov-a)
* plugins: migrate all plugins to NAME_setup script use
* plugins: $verbose argument in plugins_run() is spurious
* plugins: os-acme-client 3.15 `[2] <https://github.com/opnsense/plugins/blob/stable/22.7/security/acme-client/pkg-descr>`__
* plugins: os-apcupsd 1.1 `[3] <https://github.com/opnsense/plugins/blob/stable/22.7/sysutils/apcupsd/pkg-descr>`__
* plugins: os-clamav 1.8 `[4] <https://github.com/opnsense/plugins/blob/stable/22.7/security/clamav/pkg-descr>`__
* plugins: os-ddclient IPv6 parsing fix `[5] <https://github.com/opnsense/plugins/blob/stable/22.7/dns/ddclient/pkg-descr>`__
* plugins: os-freeradius is no longer available for LibreSSL to allow updates of FreeRADIUS software
* plugins: os-frr 1.31 `[6] <https://github.com/opnsense/plugins/blob/stable/22.7/net/frr/pkg-descr>`__
* plugins: os-haproxy 3.12 `[7] <https://github.com/opnsense/plugins/blob/stable/22.7/net/haproxy/pkg-descr>`__
* plugins: os-maltrail 1.10 `[8] <https://github.com/opnsense/plugins/blob/stable/22.7/security/maltrail/pkg-descr>`__
* plugins: os-nginx 1.31 `[9] <https://github.com/opnsense/plugins/blob/stable/22.7/www/nginx/pkg-descr>`__
* plugins: os-openconnect 1.4.3 `[10] <https://github.com/opnsense/plugins/blob/stable/22.7/security/openconnect/pkg-descr>`__
* plugins: os-rfc2136 1.7 fixes key format issue with latest bind-tools update
* plugins: os-stunnel fixes missing include in certificate script
* plugins: os-telegraf 1.12.7 `[11] <https://github.com/opnsense/plugins/blob/stable/22.7/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-theme-cicada 1.31 (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.43 (contributed by Team Rebellion)
* plugins: os-tor 1.9 enables hardware acceleration (contributed by haarp)
* plugins: os-wireguard 1.13 `[12] <https://github.com/opnsense/plugins/blob/stable/22.7/net/wireguard/pkg-descr>`__
* ports: curl 7.87.0 `[13] <https://curl.se/changes.html#7_87_0>`__
* ports: dnsmasq 2.88 `[14] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
* ports: expat 2.5.0 `[15] <https://github.com/libexpat/libexpat/blob/R_2_5_0/expat/Changes>`__
* ports: krb5 1.20.1 `[16] <https://web.mit.edu/kerberos/krb5-1.20/>`__
* ports: libxml 2.10.3 `[17] <http://www.xmlsoft.org/news.html>`__
* ports: nss 3.87 `[18] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html>`__
* ports: openssl 1.1.1s `[19] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
* ports: openvpn 2.5.8 `[20] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.8>`__
* ports: pcre 10.42 `[21] <https://www.pcre.org/changelog.txt>`__
* ports: phalcon 5.1.4 `[22] <https://github.com/phalcon/cphalcon/releases/tag/v5.1.4>`__
* ports: php 8.0.27 `[23] <https://www.php.net/ChangeLog-8.php#8.0.27>`__
* ports: phpseclib 3.0.18 `[24] <https://github.com/phpseclib/phpseclib/releases/tag/3.0.18>`__
* ports: python 3.9.16 `[25] <https://docs.python.org/release/3.9.16/whatsnew/changelog.html>`__
* ports: sqlite 3.40.1 `[26] <https://sqlite.org/releaselog/3_40_1.html>`__
* ports: strongswan 5.9.9 `[27] <https://github.com/strongswan/strongswan/releases/tag/5.9.9>`__
* ports: suricata 6.0.9 `[28] <https://suricata.io/2022/11/29/suricata-6-0-9-released/>`__
* ports: unbound 1.17.1 `[29] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1>`__
--------------------------------------------------------------------------
22.10 (October 26, 2022)
--------------------------------------------------------------------------
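Review bot: typos in the added 22.10.2 and 22.10.1 notes: "initalization" in the geli HMAC entry should be "initialization", "sates page performance improvements" should be "states page", and "scripts/systemheath" should presumably be "scripts/systemhealth" unless the path really is spelled that way in the repository. Since 22.10.2 carries FreeBSD-SA-23:03.openssl and the openssl 1.1.1t update, the introduction should say this is a security release rather than only "additional reliability improvements", the way the 22.7.9 community notes announce the ping advisory, so operators know to prioritise it.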
@ -290,14 +442,32 @@ Here are the full patch notes:
* ports: phalcon 5.0.3 `[39] <https://github.com/phalcon/cphalcon/releases/tag/v5.0.3>`__
* ports: php 8.0.24 `[40] <https://www.php.net/ChangeLog-8.php#8.0.24>`__
* ports: phpseclib 3.0.16 `[41] <https://github.com/phpseclib/phpseclib/releases/tag/3.0.16>`__
* ports: python 3.9.14 `[42] <https://docs.python.org/release/3.9.14/whatsnew/changelog.html>`__
* ports: python 3.9.15 `[42] <https://docs.python.org/release/3.9.15/whatsnew/changelog.html>`__
* ports: rrdtool 1.8.0 `[43] <https://github.com/oetiker/rrdtool-1.x/blob/master/CHANGES>`__
* ports: sqlite 3.39.3 `[44] <https://sqlite.org/releaselog/3_39_3.html>`__
* ports: squid 5.7 `[45] <http://www.squid-cache.org/Versions/v5/squid-5.7-RELEASENOTES.html>`__
* ports: strongswan 5.9.8 `[46] <https://github.com/strongswan/strongswan/releases/tag/5.9.8>`__
* ports: suricata 6.0.8 `[47] <https://suricata.io/2022/09/27/suricata-6-0-7-released/>`__
* ports: syslog-ng 3.38.1 `[48] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.38.1>`__
* ports: unbound 1.16.3 `[49] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-3>`__
* ports: sudo 1.9.12p1 `[47] <https://www.sudo.ws/stable.html#1.9.12p1>`__
* ports: suricata 6.0.8 `[48] <https://suricata.io/2022/09/27/suricata-6-0-7-released/>`__
* ports: syslog-ng 3.38.1 `[49] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.38.1>`__
* ports: unbound 1.16.3 `[50] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-3>`__
The following operating system hotfix was issued:
* src: vxlan: check the size of data available in mbuf before using them
* src: vm_page: fix a logic error in the handling of PQ_ACTIVE operations `[51] <FREEBSD:FreeBSD-EN-22:23.vm>`__
* src: cam: provide compatibility for CAMGETPASSTHRU for periph drivers `[52] <FREEBSD:FreeBSD-EN-22:26.cam>`__
* src: loader: fix elf lookup_symbol type filtering `[53] <FREEBSD:FreeBSD-EN-22:27.loader>`__
* src: zfs: fix a pair of bugs in zfs_fhtovp() `[54] <FREEBSD:FreeBSD-EN-22:24.zfs>`__
* src: zfs: fix use-after-free in btree code `[55] <FREEBSD:FreeBSD-EN-22:21.zfs>`__
* src: tcp: finish SACK loss recovery on sudden lack of SACK blocks `[56] <FREEBSD:FreeBSD-EN-22:25.tcp>`__
* src: igc: remove unnecessary PHY ID checks
* src: ixl: add support for I710 devices and remove non-inclusive language
* src: ixl: fix SR-IOV panics
* src: u3g: add more USB IDs
* src: ixgbe: workaround errata about UDP frames with zero checksum
* src: hpet: Allow a MMIO window smaller than 1K
* src: ping: fix handling of IP packet sizes `[57] <FREEBSD:FreeBSD-SA-22:15.ping>`__
Known issues and limitations:
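Review bot: "The following operating system hotfix was issued:" is singular and, unlike the other hotfix sections (e.g. "A hotfix release was issued as 22.7.7_1:"), does not name the hotfix version, while the list beneath it holds fourteen entries including a security advisory (FreeBSD-SA-22:15.ping); make it plural and add the version so readers can match it against their installed release. Also the suricata 6.0.8 entry, both before and after the reference renumbering, links to the 6.0.7 release announcement; the target should be the 6.0.8 one.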

@ -127,7 +127,7 @@ Here are the full patch notes:
* ports: openvpn 2.5.7 `[12] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.7>`__
* ports: php 7.4.30 `[13] <https://www.php.net/ChangeLog-7.php#7.4.30>`__
* ports: py-certifi 2022.5.18.1
* ports: sqlite3 3.38.5 `[14] <https://sqlite.org/releaselog/3_38_5.html>`__
* ports: sqlite 3.38.5 `[14] <https://sqlite.org/releaselog/3_38_5.html>`__
* ports: strongswan 5.9.6 `[15] <https://github.com/strongswan/strongswan/releases/tag/5.9.6>`__
* ports: sudo 1.9.11p2 `[16] <https://www.sudo.ws/stable.html#1.9.11p2>`__
* ports: unbound 1.16.0 `[17] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-0>`__

@ -167,7 +167,7 @@ A hotfix release was issued as 18.7.10_4:
To keep it snappy: enclosed are assorted updates and fixes, a new
dnscrypt-proxy plugin as well as security updates from FreeBSD and
third parties. Happy patchday!
third parties. Happy patch day!
Here are the full patch notes:

@ -431,7 +431,7 @@ Here are the full patch notes:
* src: assorted multicast group join/leave corrections
* src: fix vmx driver packet loss and degraded performance `[4] <FREEBSD:FreeBSD-EN-20:16.vmx>`__
* src: fix memory corruption in USB network device driver `[5] <FREEBSD:FreeBSD-SA-20:21.usb_net>`__
* src: fix multiple vulnerabilities in sqlite3 `[6] <FREEBSD:FreeBSD-SA-20:22.sqlite>`__
* src: fix multiple vulnerabilities in sqlite `[6] <FREEBSD:FreeBSD-SA-20:22.sqlite>`__
* src: fix sendmsg(2) privilege escalation `[7] <FREEBSD:FreeBSD-SA-20:23.sendmsg>`__
* ports: perl 5.32.0 `[8] <https://perldoc.perl.org/5.32.0/perldelta>`__
* ports: squid 4.12 `[9] <http://www.squid-cache.org/Versions/v4/squid-4.12-RELEASENOTES.html>`__

@ -193,7 +193,7 @@ release as that becomes available.
Highlights for 22.1 already include:
* Suricata Netmap v14 support for multi-gigabit speed in IPS mode with RSS enabled
* Suricata Netmap version 14 support for multi-gigabit speed in IPS mode with RSS enabled
* Separate VLAN MAC spoofing and permanent promiscuous mode setting
* Tunable analytics provide automatic descriptions and type
* IPsec tunnel overview ported to MVC with pagination

@ -138,7 +138,7 @@ Here are the full patch notes:
* ports: openvpn 2.5.7 `[8] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.7>`__
* ports: php 7.4.30 `[9] <https://www.php.net/ChangeLog-7.php#7.4.30>`__
* ports: py-certifi 2022.5.18.1
* ports: sqlite3 3.38.5 `[10] <https://sqlite.org/releaselog/3_38_5.html>`__
* ports: sqlite 3.38.5 `[10] <https://sqlite.org/releaselog/3_38_5.html>`__
* ports: sudo 1.9.11p2 `[11] <https://www.sudo.ws/stable.html#1.9.11p2>`__
* ports: unbound 1.16.0 `[12] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-0>`__

@ -34,6 +34,267 @@ can be found below as well.
* Full mirror list: https://opnsense.org/download/
--------------------------------------------------------------------------
22.7.11 (January 18, 2023)
--------------------------------------------------------------------------
This will be the end of life release for the 22.7 series with only a small
number of reliability updates. Upgrades to 23.1-RC1 are possible from the
development version of this release. We do expect an online update for RC2
next week.
The final 23.1 release will be on January 26. As always the upgrade path
from the community version will be added as a hotfix shortly after the final
release annoucement is published. However, this time around LibreSSL will
no longer update and must be switched to the OpenSSL flavour prior to the
upgrade.
Here are the full patch notes:
* system: fix a few minor Coverity Scan reports in Python code `[1] <https://scan.coverity.com/projects/opnsense-core>`__
* firewall: show automated "port 0" rule as actual port "0" on PHP 8
* reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics
* unbound: safeguard retrieval of blocklist shortcode
* mvc: fix IntegerField minimum value (contributed by xbb)
* plugins: os-acme-client 3.15 `[2] <https://github.com/opnsense/plugins/blob/stable/22.7/security/acme-client/pkg-descr>`__
* plugins: os-stunnel fixes missing include in certificate script
* ports: curl 7.87.0 `[3] <https://curl.se/changes.html#7_87_0>`__
* ports: nss 3.87 `[4] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html>`__
* ports: pcre 10.42 `[5] <https://www.pcre.org/changelog.txt>`__
* ports: phalcon 5.1.4 `[6] <https://github.com/phalcon/cphalcon/releases/tag/v5.1.4>`__
* ports: php 8.0.27 `[7] <https://www.php.net/ChangeLog-8.php#8.0.27>`__
* ports: sqlite 3.40.1 `[8] <https://sqlite.org/releaselog/3_40_1.html>`__
* ports: strongswan 5.9.9 `[9] <https://github.com/strongswan/strongswan/releases/tag/5.9.9>`__
* ports: unbound 1.17.1 `[10] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1>`__
A hotfix release was issued as 22.7.11_1:
* firmware: enable upgrade path to 23.1 (OpenSSL only)
--------------------------------------------------------------------------
22.7.10 (December 21, 2022)
--------------------------------------------------------------------------
Another small reliability update with additional RADIUS user creation
support included. 23.1 is just around the corner now and most work
for it has already been done. The major release is scheduled for
January 26 with a release candidate coming out 2 weeks earlier.
Here are the full patch notes:
* system: add group (class) sync and user creation for RADIUS authentication
* system: show and search ACL endpoints in privilege selector
* system: replace a number of log_error() calls with log_msg() equivalent
* system: improve SSH lockout behaviour
* firewall: sates page performance improvements and better address parsing in search
* firewall: reuse "hostid" on filter reload events
* ipsec: allow to search all phase 2 entries via API call
* openvpn: remove unused "pool_enable" attribute
* unbound: introduce blocklist module changes for upcoming 23.1
* unbound: fix log message blocklist item count (contributed by kulikov-a)
* unbound: also change working dir for unbound-checkconf in start script (contributed by kulikov-a)
* ui: unicode content for tokenizer (contributed by kulikov-a)
* plugins: os-clamav 1.8 `[1] <https://github.com/opnsense/plugins/blob/stable/22.7/security/clamav/pkg-descr>`__
* plugins: os-ddclient IPv6 parsing fix `[2] <https://github.com/opnsense/plugins/blob/stable/22.7/dns/ddclient/pkg-descr>`__
* plugins: os-rfc2136 1.7 fixes key format issue with latest bind-tools update
* plugins: os-theme-cicada 1.31 (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.43 (contributed by Team Rebellion)
* plugins: os-wireguard post-start hook improvement for interface grouping
* ports: curl 7.86.0 `[3] <https://curl.se/changes.html#7_86_0>`__
* ports: dnsmasq 2.88 `[4] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
* ports: nss 3.86 `[5] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_86.html>`__
* ports: phalcon 5.1.2 `[6] <https://github.com/phalcon/cphalcon/releases/tag/v5.1.2>`__
* ports: phpseclib 3.0.18 `[7] <https://github.com/phpseclib/phpseclib/releases/tag/3.0.18>`__
* ports: python 3.9.16 `[8] <https://docs.python.org/release/3.9.16/whatsnew/changelog.html>`__
A hotfix release was issued as 22.7.10_2:
* ipsec: default log should be set to "basic" but PHP 8 disagreed
* unbound: fix missing query_reply property leading to an AttributeError
--------------------------------------------------------------------------
22.7.9 (December 01, 2022)
--------------------------------------------------------------------------
A quick update to address the new FreeBSD security advisory for ping utility
as well as Suricata. The DNS block list was rewritten in Python and there
will be a couple of cool additions for it in the foreseeable future. :)
Here are the full patch notes:
* system: fix internal CRL check (contributed by kulikov-a)
* system: fix a few minor Coverity Scan reports in PHP code `[1] <https://scan.coverity.com/projects/opnsense-core>`__
* interfaces: use get_interface_list() to identify hardware devices
* interfaces: fix single ACL use for MVC/API interface pages
* firewall: add category selection to aliases
* unbound: rework DNSBL implementation to Python module
* backend: clean up scripts/systemheath location
* backend: moved log format definitions to new location for core and several plugins
* mvc: change default sorting to case-insensitive
* mvc: move JavaScript and CSS imports to base controller
* mvc: make sure HostnameField with ZoneRootAllowed accepts "@." prefix
* plugins: os-telegraf 1.12.7 `[2] <https://github.com/opnsense/plugins/blob/stable/22.7/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-theme-cicada 1.30 (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.42 (contributed by Team Rebellion)
* plugins: os-wireguard now attempts to start tunnels again when all DNS is configured
* src: ixgbe: workaround errata about UDP frames with zero checksum
* src: hpet: Allow a MMIO window smaller than 1K
* src: ping: fix handling of IP packet sizes `[3] <FREEBSD:FreeBSD-SA-22:15.ping>`__
* ports: php 8.0.26 `[4] <https://www.php.net/ChangeLog-8.php#8.0.26>`__
* ports: sqlite 3.40.0 `[5] <https://sqlite.org/releaselog/3_40_0.html>`__
* ports: suricata 6.0.9 `[6] <https://suricata.io/2022/11/29/suricata-6-0-9-released/>`__
A hotfix release was issued as 22.7.9_3:
* unbound: fix blocklist use with DNS64 mode (contributed by kulikov-a)
* unbound: change working directory before checking configuration
* web proxy: fix broken "Google GSuite restricted" option
* ports: suricata backs out new version 14 netmap API changes for now `[7] <https://redmine.openinfosecfoundation.org/issues/5744>`__
--------------------------------------------------------------------------
22.7.8 (November 17, 2022)
--------------------------------------------------------------------------
This is a small maintenance and security update. You will notice that
LibreSSL no longer works with FreeRADIUS software due to hiding library
internals that are used by the software. Your current install will
continue to work, but we would recommend switching to OpenSSL to receive
FreeRADIUS updates as they become available.
Also, the infamous log_error() message is being phased out in the development
version to end the questions of "Why is this log message an error?" and so
with log_msg() each log line receives a more appropriate log level between
error, warning and notice.
Here are the full patch notes:
* system: add statistics tree view containing vmstat memory characteristics
* system: explicitly reopen main log file in case another log file was used and closed
* system: tweak log_msg() to prepare log level adjustments migration away from log_error()
* system: enforce config reload to fetch group membership in authentication tester
* system: separate interface type icon from name column in interface widget
* system: change system log default to "Notice"
* system: UX tweaks on activity page
* system: revised backend daemon startup delay
* system: drop empty plugins_run() result
* interfaces: migrate main clearing of interface data to ifctl
* interfaces: fix display of special HTML characters in packet capture
* interfaces: retain existing PPP settings on saving interface settings
* interfaces: delete the correct lock of PPP device
* interfaces: fix variable use in interface_proxyarp_configure()
* firewall: wrap user rule registration in new function filter_core_rules_user()
* firewall: simplify rule lookup by using filter_core_rules_user()
* firewall: allow external dynamic address in NPT
* firewall: remove extended VIP expansion from NAT rules
* firewall: fix live view hostname lookup may result in HTTP 431 error
* ipsec: remove side effect host route removal from Phase 1 page
* unbound: do not stop on potential errors in start script
* plugins: os-freeradius is no longer available for LibreSSL to allow updates of FreeRADIUS software
* plugins: os-nginx 1.31 `[1] <https://github.com/opnsense/plugins/blob/stable/22.7/www/nginx/pkg-descr>`__
* plugins: os-wireguard now skips invalid peers for dashboard widget (contributed by jkellerer)
* ports: expat 2.5.0 `[2] <https://github.com/libexpat/libexpat/blob/R_2_5_0/expat/Changes>`__
* ports: krb5 1.20.1 `[3] <https://web.mit.edu/kerberos/krb5-1.20/>`__
* ports: nss 3.85 `[4] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_85.html>`__
* ports: phalcon 5.1.1 `[5] <https://github.com/phalcon/cphalcon/releases/tag/v5.1.1>`__
* ports: sudo 1.9.12p1 `[6] <https://www.sudo.ws/stable.html#1.9.12p1>`__
--------------------------------------------------------------------------
22.7.7 (November 03, 2022)
--------------------------------------------------------------------------
We replaced the packet capture tool with a MVC/API rewrite and
updated most plugins to use the new setup script facility when
doing a start/restart/reload through the RC system.
A number of FreeBSD kernel improvements have been included as well.
Although OpenSSL is being updated keep in mind that the current
popular vulnerability only exists in version 3 and we still use
1.1.1.
Here are the full patch notes:
* system: fix getOID() call for phpseclib 3 while processing CSR
* system: avoid error on installer user creation
* system: show booting banner on dashboard
* interfaces: show attached interface for VLAN device in overview
* interfaces: packet capture MVC/API replacement
* interfaces: fix ARP table name resolve backend issue (contributed by soif)
* firewall: off-by-one in regex for target port range parse
* firewall: support Maxmind unclassified "EU" as selectable country
* firewall: fix possible race condition when changing limit in live log
* firewall: fix sorting bug in aliases list
* firewall: allow the use of "dynamic" interface types in shaper, e.g. IPsec devices
* dnsmasq: remove expired root trust anchor (contributed by Johnny S. Lee)
* firmware: always fetch the signature file to avoid signature issues after upgrades
* firmware: use effective ABI in changelog fetch
* firmware: ignore automatic business plugin and license hint
* intrusion detection: missing OPNsense categories
* ipsec: missing return in controller
* openvpn: use ifctl in link up/down scripts
* unbound: move the removal of pluggable files above the configuration check
* unbound: remove 127/8 from private-address block when rebind protection is enabled
* unbound: make the default private-address items configurable via the advanced page
* unbound: fix possible error while opening DoT page
* mvc: when multiple validation messages are returned wrap each message in a div tag
* mvc: prevent UserExceptions to end up in the crash reporter
* mvc: translate a base field error
* backend: wait 1 second for configd socket to become available
* console: store UUID for VLAN device
* rc: remove obsolete NAME_var_script and NAME_var_mfs support
* plugins: migrate all plugins to NAME_setup script use
* plugins: $verbose argument in plugins_run() is spurious
* plugins: os-acme-client 3.14 `[1] <https://github.com/opnsense/plugins/blob/stable/22.7/security/acme-client/pkg-descr>`__
* plugins: os-apcupsd 1.1 `[2] <https://github.com/opnsense/plugins/blob/stable/22.7/sysutils/apcupsd/pkg-descr>`__
* plugins: os-frr 1.31 `[3] <https://github.com/opnsense/plugins/blob/stable/22.7/net/frr/pkg-descr>`__
* plugins: os-haproxy 3.12 `[4] <https://github.com/opnsense/plugins/blob/stable/22.7/net/haproxy/pkg-descr>`__
* plugins: os-maltrail 1.10 `[5] <https://github.com/opnsense/plugins/blob/stable/22.7/security/maltrail/pkg-descr>`__
* plugins: os-openconnect 1.4.3 `[6] <https://github.com/opnsense/plugins/blob/stable/22.7/security/openconnect/pkg-descr>`__
* plugins: os-telegraf 1.12.6 `[7] <https://github.com/opnsense/plugins/blob/stable/22.7/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-tor 1.9 enables hardware acceleration (contributed by haarp)
* plugins: os-wireguard 1.13 `[8] <https://github.com/opnsense/plugins/blob/stable/22.7/net/wireguard/pkg-descr>`__
* src: revert "e1000: try auto-negotiation for fixed 100 or 10 configuration"
* src: vxlan: check the size of data available in mbuf before using them
* src: vm_page: fix a logic error in the handling of PQ_ACTIVE operations `[9] <FREEBSD:FreeBSD-EN-22:23.vm>`__
* src: cam: provide compatibility for CAMGETPASSTHRU for periph drivers `[10] <FREEBSD:FreeBSD-EN-22:26.cam>`__
* src: loader: fix elf lookup_symbol type filtering `[11] <FREEBSD:FreeBSD-EN-22:27.loader>`__
* src: zfs: fix a pair of bugs in zfs_fhtovp() `[12] <FREEBSD:FreeBSD-EN-22:24.zfs>`__
* src: zfs: fix use-after-free in btree code `[13] <FREEBSD:FreeBSD-EN-22:21.zfs>`__
* src: tcp: finish SACK loss recovery on sudden lack of SACK blocks `[14] <FREEBSD:FreeBSD-EN-22:25.tcp>`__
* src: igc: remove unnecessary PHY ID checks
* src: ixl: add support for I710 devices and remove non-inclusive language
* src: ixl: fix SR-IOV panics
* src: rc: run NAME_setup before RC_ARG_precmd
* src: u3g: add more USB IDs
* ports: libxml 2.10.3 `[15] <http://www.xmlsoft.org/news.html>`__
* ports: nss 3.84 `[16] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_84.html>`__
* ports: openssl 1.1.1s `[17] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
* ports: openvpn 2.5.8 `[18] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.8>`__
* ports: phalcon 5.1.0 `[19] <https://github.com/phalcon/cphalcon/releases/tag/v5.1.0>`__
* ports: php 8.0.25 `[20] <https://www.php.net/ChangeLog-8.php#8.0.25>`__
* ports: python 3.9.15 `[21] <https://docs.python.org/release/3.9.15/whatsnew/changelog.html>`__
* ports: sudo 1.9.12 `[22] <https://www.sudo.ws/stable.html#1.9.12>`__
* ports: unbound 1.17.0 `[23] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-0>`__
A hotfix release was issued as 22.7.7_1:
* openvpn: ifctl requires interface to operate
--------------------------------------------------------------------------
22.7.6 (October 12, 2022)
--------------------------------------------------------------------------
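Review bot: the entry "unbound: remove 127/8 from private-address block when rebind protection is enabled" describes a relaxation of a security control without saying why. In Unbound, private-address lists the ranges that must not appear in upstream answers, so dropping 127/8 from the default means answers that resolve to loopback are no longer filtered by rebind protection. Since the very next line makes the default private-address items configurable from the advanced page, one clause on the motivation, plus a hint that users who still want 127/8 rejected can re-add it there, would let readers of these notes judge the impact. Smaller point: "plugins: os-tor 1.9 enables hardware acceleration (contributed by haarp)" is the only plugin bump in this list without a pkg-descr reference link, unlike the os-acme-client through os-wireguard entries around it.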
@ -664,8 +925,8 @@ Here are the full patch notes against 22.1.10:
* plugins: os-tor no longer available on LibreSSL due to incompatibilities with newer Tor versions
* plugins: os-web-proxy-useracl is no longer available, no updates since 2017
* src: FreeBSD 13.1-RELEASE `[5] <https://www.freebsd.org/releases/13.1R/relnotes/>`__
* ports: sqlite 3.39.0 `[6] <https://sqlite.org/releaselog/3_39_0.html>`__
* ports: php 8.0.20 `[7] <https://www.php.net/ChangeLog-8.php#8.0.20>`__
* ports: php 8.0.20 `[6] <https://www.php.net/ChangeLog-8.php#8.0.20>`__
* ports: sqlite 3.39.0 `[7] <https://sqlite.org/releaselog/3_39_0.html>`__
A hotfix release was issued as 22.7.r1_8:
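Review bot: ordering-only change, no content concern: swapping the php and sqlite lines also swaps their footnote markers, so [6] now points at the php changelog and [7] at the sqlite release log and the numbering stays sequential within the release. The new order matches the alphabetical ports listing used in the 22.7.7 notes above (nss, openssl, openvpn, phalcon, php, python, sudo, unbound), so the hunk brings this older section in line with the rest of the file.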

@ -0,0 +1,517 @@
===========================================================================================
23.1 "Quintessential Quail" Series
===========================================================================================
For more than 8 years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.
23.1, nicknamed "Quintessential Quail", features Unbound DNS statistics with
a blocklist rewrite in Python, improved WAN SLAAC operability, firewall
alias BGP ASN type support, PHP 8.1, assorted FreeBSD networking updates,
MVC/API pages for packet capture/virtual IPs/IPsec connection management,
IPsec configuration file migration to swanctl.conf, new sslh plugin, ddclient
custom backend support (including Azure), WireGuard kernel module plugin
variant as the new default plus much more.
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.
* Europe: https://opnsense.c0urier.net/releases/23.1/
* US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/
* South America: http://mirror.ueb.edu.ec/opnsense/releases/23.1/
* East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.1/
* Full mirror list: https://opnsense.org/download/
--------------------------------------------------------------------------
23.1.2 (March 07, 2023)
--------------------------------------------------------------------------
This is mainly a reliability update with fixes in assorted subsystems.
Of note is the OpenVPN authentication framework rewrite in order to take
advantage of the upcoming OpenVPN 2.6 deferred authentication feature and
the fix for DHCP renew behaviour that was reported on 23.1.
The roadmap for 23.7 was published, but at this point mainly consists of
MVC/API porting efforts for existing static pages. While the rewrite is
not strictly necessary from a user perspective it will move us a lot closer
to our mission goal to introduce privilege separation and to provide an API
for all components.
Here are the full patch notes:
* system: use singleton boot detection everywhere
* system: protect against more stray scripts on boot
* system: several shell_safe() conversions
* system: when applying auto-far default route make sure the local address is not empty
* system: refactor system_default_route() to prevent empty $gateway
* system: create system_resolver_configure() and cron job support
* system: add simple script and configd action to list current group membership (configctl auth list groups)
* system: prevent alias reload in routing reconfiguration like we do in rc.syshook monitor reload
* interfaces: protect against empty GIF host route
* interfaces: fix parsing of device names with a dot in packet capture
* interfaces: force newip calls through DHCP/PPP/OVPN on IPv4
* interfaces: force newip calls through DHCP/PPP on IPv6
* firewall: fix NAT dropdowns ignoring VIPs
* firewall: fix validation of alias names such as "A_BC"
* fIrewall: show all applicable floating rules when inspecting interface rules
* firewall: prevent networks from being sent to DNS resolver in update_tables.py
* reporting: make all status mapping colors configurable for themes in the Unbound DNS page
* dnsmasq: add dns_forward_max, cache_size and local_ttl options to GUI (contributed by Dr. Uwe Meyer-Gruhl)
* firmware: remove retired LibreSSL flavour handling and annotations
* ipsec: reqid should not be provided on mobile sessions
* ipsec: validate pool names on connections page
* ipsec: allow "@" character in all other eap_id fields for new connections
* ipsec: add connection data to XMLRPC sync
* ipsec: "Dynamic gateway" (rightallowany) option should be translated to 0.0.0.0/0,::/0
* network time: remove "disable monitor" to get rid of log warnings (contributed by Dr. Uwe Meyer-Gruhl)
* openvpn: replace authentication handler to prepare for upcoming OpenVPN 2.6 with deferred authentication
* openvpn: rename -cipher option to --data-ciphers-fallback and adjust GUI accordingly
* unbound: fix typo in logger and create a pipe early in dnsbl_module.py (contributed by kulikov-a)
* unbound: fix type cast to prevent unnecessary updateBlocklist action
* unbound: add missing blocklist
* ui: solve deprecation in PHP via html_safe() wrapper
* wizard: unbound hardened DNSSEC setting moved
* plugins: os-acme-client 3.16 `[1] <https://github.com/opnsense/plugins/blob/stable/23.1/security/acme-client/pkg-descr>`__
* plugins: os-crowdsec 1.0.2 `[2] <https://github.com/opnsense/plugins/blob/stable/23.1/security/crowdsec/pkg-descr>`__
* plugins: os-rfc2136 1.8 `[3] <https://github.com/opnsense/plugins/blob/stable/23.1/dns/rfc2136/pkg-descr>`__
* plugins: os-theme-cicada 1.33 (contributed by Team Rebellion)
* plugins: os-theme-tucan 1.26 (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.44 (contributed by Team Rebellion)
* src: fix multiple OpenSSL vulnerabilities `[4] <FREEBSD:FreeBSD-SA-23:03.openssl>`__
* src: pfsync: support deferring IPv6 packets
* src: pfsync: add missing bucket lock
* src: pfsync: ensure 'error' is always initialised
* ports: filterlog 0.7 fixes unknown TCP option print
* ports: lighttpd 1.4.69 `[5] <https://www.lighttpd.net/2023/2/10/1.4.69/>`__
* ports: monit 5.33.0 `[6] <https://mmonit.com/monit/changes/>`__
* ports: nss 3.88.1 `[7] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_88_1.html>`__
* ports: openldap 2.6.4 `[8] <https://www.openldap.org/software/release/changes.html>`__
* ports: openssh 9.2p1 `[9] <https://www.openssh.com/txt/release-9.2>`__
* ports: php 8.1.16 `[10] <https://www.php.net/ChangeLog-8.php#8.1.16>`__
* ports: phalcon 5.2.1 `[11] <https://github.com/phalcon/cphalcon/releases/tag/v5.2.1>`__
* ports: sqlite 3.41.0 `[12] <https://sqlite.org/releaselog/3_41_0.html>`__
* ports: strongswan 5.9.10 `[13] <https://github.com/strongswan/strongswan/releases/tag/5.9.10>`__
* ports: sudo 1.9.13p2 `[14] <https://www.sudo.ws/stable.html#1.9.13p2>`__
--------------------------------------------------------------------------
23.1.1 (February 15, 2023)
--------------------------------------------------------------------------
Apart from security updates for operating system and third party software
this mainly fixes issues with the initial 23.1 release. IPsec and Unbound
components in particular receive a number of improvements being the more
prominent areas of work for this series. Unbound also gained a SafeSearch
option and the new reporting database CPU usage should be much lower and
easier to use.
Overall we are happy with how the major release turned out and look forward
to further fixes in e.g. Netmap framework including Suricata changes for
multi-threading support which has been in the works for a long time. OpenVPN
2.6 update and related changes are also pending at the moment.
The roadmap for 23.7 will be published soon and will again include a number
of MVC/API conversions for static components. Statistics do indicate that we
are over 60% done with converting the code base to a modern framework as
compared to early 2015 which is now already over 8 years ago!
Here are the full patch notes:
* system: replace single exec_command() with new shell_safe() wrapper
* system: fix assorted PHP 8.1 deprecation notes
* system: remove overreaching "Reconfigure a plugin facility" cron job and backend command that has no visible users
* interfaces: fix VLAN rename after protocol addition in 23.1
* interfaces: fix VLAN missing a config lock on delete
* interfaces: make description field show for all types of VIP (contributed by FingerlessGloves)
* interfaces: allow VHID reuse as it was before 23.1
* firewall: prevent possible infinite loop in alias parsing (contributed by kulikov-a)
* firewall: do not calculate local port range for alias (contributed by kulikov-a)
* firewall: update validation of alias names to be slightly more restrictive
* firewall: safeguard download_geolite() and log errors
* firewall: do not switch gateway on bootup
* captive portal: enforce a database repair during operation if necessary
* firmware: move single-call function reporter page
* intrusion detection: properly reset metadata response when no metadata is found
* ipsec: allow "@" character in eap_id fields for new connections
* ipsec: missing remapping pool UUID to name for new connections
* ipsec: change status column sizing and hide local/remote auth by default
* ipsec: fix username parsing in lease status
* ipsec: refactor widget to use new data format
* ipsec: migrate duplicated cron job
* ipsec: faulty unique constraint in pre-shared keys
* ipsec: fix eap_id placement for eap-mschapv2
* unbound: simplify logger logic for required queries
* unbound: add SafeSearch option to blocklists
* unbound: match white/blocklist action exactly from reporting page
* unbound: always prioritize whitelists over blocklists
* unbound: various UX improvements in reporting page
* unbound: add serve-expired, log-servfail, log-local-actions and val-log-level advanced settings
* unbound: drop unnecessary index from reporting database and other optimizations to lower CPU usage
* unbound: add HTTPS record type to reporting
* unbound: remember reporting page logarithmic setting
* unbound: missing global so that cache is never flushed when requested
* mvc: cleanse $record input in searchRecordsetBase() before usage
* plugins: os-haproxy 4.1 `[1] <https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr>`__
* plugins: os-openconnect 1.4.4 `[2] <https://github.com/opnsense/plugins/blob/stable/23.1/security/openconnect/pkg-descr>`__
* plugins: os-qemu-guest-agent 1.2 `[3] <https://github.com/opnsense/plugins/blob/stable/23.1/emulators/qemu-guest-agent/pkg-descr>`__
* plugins: os-tayga fixes MVC interface registration
* plugins: os-wireguard fixes MVC interface registration
* src: geli: split the initalization of HMAC `[4] <FREEBSD:FreeBSD-SA-23:01.geli>`__
* src: fix ena driver crash after reset in 7th gen AWS instance types `[5] <FREEBSD:FreeBSD-EN-23:03.ena>`__
* src: fix sdhci broken write-protect settings `[6] <FREEBSD:FreeBSD-EN-23:02.sdhci>`__
* src: import tzdata 2022g `[7] <FREEBSD:FreeBSD-EN-23:01.tzdata>`__
* src: ipsec: clear pad bytes in PF_KEY messages
* src: fib_algo: set vnet when destroying algo instance
* src: if_ipsec: handle situations where there are no policy or SADB entry for if
* src: if_ipsec: protect against user supplying unknown address family
* src: if_me: use dedicated network privilege
* src: vxlan: add support for socket ioctls SIOC[SG]TUNFIB
* src: introduce and use the NET_EPOCH_DRAIN_CALLBACKS() macro
* src: iflib: Add null check to iflib_stop()
* src: x86: ignore stepping for APL30 errata
* src: pfctl: rule.label is a two-dimensional array
* src: pf: fix syncookies in conjunction with tcp fast port reuse
* src: pf: fix panic on deferred packets
* src: ipfw: Add missing 'va' code point name
* src: netmap: try to count packet drops in emulated mode
* src: netmap: fix a queue length check in the generic port rx path
* src: netmap: tell the compiler to avoid reloading ring indices
* ports: remove GnuTLS workarounds from ports previously required for LibreSSL
* ports: dnsmasq 2.89 `[8] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
* ports: dpinger 3.3 `[9] <https://github.com/dennypage/dpinger/releases/tag/v3.3>`__
* ports: lighttpd 1.4.68 `[10] <https://www.lighttpd.net/2023/1/3/1.4.68/>`__
* ports: openssh 9.1p1 `[11] <https://www.openssh.com/txt/release-9.1>`__
* ports: openssl 1.1.1t `[12] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
* ports: php 8.1.15 `[13] <https://www.php.net/ChangeLog-8.php#8.1.15>`__
A hotfix release was issued as 23.1.1_2:
* captive portal: remove mod_evasion use which was discontinued by lighttpd
* unbound: wait for pipe in logger (contributed by kulikov-a)
Rate limiting was removed from the captive portal which was set to 250
connections by the same IP to the captive portal itself. This can be
easily replaced by a manual firewall rule with advanced options set, e.g.
"Max established" set to 250 with destination "This Firewall".
--------------------------------------------------------------------------
23.1 (January 26, 2023)
--------------------------------------------------------------------------
For more than 8 years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.
23.1, nicknamed "Quintessential Quail", features Unbound DNS statistics with
a blocklist rewrite in Python, improved WAN SLAAC operability, firewall
alias BGP ASN type support, PHP 8.1, assorted FreeBSD networking updates,
MVC/API pages for packet capture/virtual IPs/IPsec connection management,
IPsec configuration file migration to swanctl.conf, new sslh plugin, ddclient
custom backend support (including Azure), WireGuard kernel module plugin
variant as the new default plus much more.
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.
* Europe: https://opnsense.c0urier.net/releases/23.1/
* US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/
* South America: http://mirror.ueb.edu.ec/opnsense/releases/23.1/
* East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.1/
* Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 22.7.11:
* system: replaced log_error() use with log_msg() and adjusted logging levels accordingly
* system: introduced a service boot log
* system: the LibreSSL flavour has been discontinued
* system: simplify gateway monitoring setup code
* system: add option to skip gateway monitor host route
* system: populate /etc/hosts file with IPv6 addresses too
* system: simplify and guard host route creation
* system: merge system_staticroutes_configure() into system_routing_configure()
* system: do not yield process after calling shutdown command
* system: apply tunables during late boot in case a module was loaded depending on them to be set to a specific value
* system: show size of ZFS ARC (adaptive replacement cache) in system widget
* system: introduce support tier annotations for core and plugins `[2] <https://docs.opnsense.org/support.html>`__
* system: add cron tasks for scrubbing and trimming ZFS pools (contributed by Iain Henderson)
* system: fix 6rd/6to4 gateway interface detection (contributed by Frans J Elliott)
* reporting: add Unbound DNS statistics frontend including client drill-down
* interfaces: heavy cleanup of the wireless device integration
* interfaces: use 802.1ad protocol for stacked VLAN parent (QinQ)
* interfaces: GIF and GRE now support subnet-based IPv6 configurations instead of always falling back to a point-to-point (/128) setup
* interfaces: GIF and GRE now disable IPv6 on IPv4 tunnels (contributed by Maurice Walker)
* interfaces: add isolated PPPoEv6 mode to selectively enable IPv6 CP negotiation and turn it off when no IPv6 mode is set
* interfaces: add support for SLAAC WAN interfaces without DHCPv6 (contributed by Maurice Walker)
* interfaces: register LAGG, PPP, VLAN and wireless devices as plugins
* interfaces: simplified get_real_interface() function
* interfaces: removed obsolete "defaultgw" files
* interfaces: simplified rc.linkup script
* interfaces: improve IP address cache behaviour in rc.newwanip(v6) scripts
* interfaces: converted virtual IPs to MVC/API
* interfaces: add MAC filtering to packet capture
* interfaces: convert ARP/NDP pages to server-side searchable variant
* interfaces: create null route for DHCPv6 delegated prefix
* interfaces: tighten the concept of hardware interfaces and pull supported plugin devices into assignments page automatically
* firewall: remove deprecated "Dynamic state reset" mechanic
* firewall: invalidate port forward rule entry when no target is specified
* firewall: hide deprecated source OS rule setting under advanced
* firewall: add group option to prevent grouping in interfaces menu
* firewall: safeguard against missing name from the alias API call
* intrusion detection: keep grid to prevent widgets being removed
* intrusion detection: reload grid after log drop (contributed by kulikov-a)
* intrusion detection: add verbose logging mode selector
* ipsec: disable charon.install_routes completely in case upstream would implement it for FreeBSD later on
* ipsec: move user PSK (pre-shared key) and static PSK items to new MVC/API implementation
* ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
* ipsec: add a new independent connections MVC/API component to manage IPsec in a layout matching swanctl.conf syntax more closely
* ipsec: rewrote lease status page in MVC/API
* ipsec: add configurable "unique" setting to phase 1
* ipsec: missing correct phase 1 to collect "Network List" option
* monit: support start timeout setting (contributed by spoutin)
* openvpn: add unique daemon name to each instance
* unbound: add statistics database backend
* unbound: add exact domain blocking
* mvc: call plugins_interfaces() optionally on service reconfigure
* mvc: match UUID for multiple values (contributed by kulikov-a)
* mvc: convert setBase() to an upsert operation
* mvc: change default sorting to case-insensitive
* mvc: add TextField tests (contributed by agh1467)
* mvc: implement required getRealInterface() variant
* ui: assorted improvements in bootgrid and form controls
* ui: switch to pure JSON data in bootgrids
* plugins: os-bind 1.25 `[3] <https://github.com/opnsense/plugins/blob/stable/23.1/dns/bind/pkg-descr>`__
* plugins: os-ddclient 1.11 `[4] <https://github.com/opnsense/plugins/blob/stable/23.1/dns/ddclient/pkg-descr>`__
* plugins: os-dyndns end of life note moves to 23.7
* plugins: os-freeradius 1.9.22 `[5] <https://github.com/opnsense/plugins/blob/stable/23.1/net/freeradius/pkg-descr>`__
* plugins: os-frr 1.32 `[6] <https://github.com/opnsense/plugins/blob/stable/23.1/net/frr/pkg-descr>`__
* plugins: os-haproxy 4.0 `[7] <https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr>`__
* plugins: os-puppet-agent 1.1 `[8] <https://github.com/opnsense/plugins/blob/stable/23.1/sysutils/puppet-agent/pkg-descr>`__
* plugins: os-sslh 1.0 `[9] <https://github.com/opnsense/plugins/blob/stable/23.1/net/sslh/pkg-descr>`__ (contributed by agh1467)
* plugins: os-theme-cicada 1.32 (contributed by Team Rebellion)
* plugins: os-upnp 1.5 `[10] <https://github.com/opnsense/plugins/blob/stable/23.1/net/upnp/pkg-descr>`__
* plugins: os-wireguard switches to kernel module with a separate os-wireguard-go variant available for installation to keep the old behaviour
* src: assorted FreeBSD 13 stable fixes for e.g. bpf, bridge, bsdinstall ifconfig, iflib, ipfw, ipsec, lagg, netmap, pf, route and vlan components
* ports: php 8.1.14 `[11] <https://www.php.net/ChangeLog-8.php#8.1.14>`__
* ports: sudo 1.9.12p2 `[12] <https://www.sudo.ws/stable.html#1.9.12p2>`__
A hotfix release was issued as 23.1_6:
* system: incorrect link to CARP status page on dashboard widget
* reporting: bail DNS resolve in traffic graphs when resolver is not configured
* captive portal: for static MAC assignments make sure that the IP address actually changed before updating it
* ipsec: missing a bracket for agressive mode selection
* ipsec: mute a spurious boot warning
* ipsec: myid may be be optional
* plugins: os-bind fix plugin directory path
* plugins: os-ddclient minor PHP fix
* plugins: os-frr allow restart via cron
* plugins: os-nut wrong user for latest port
* plugins: os-upnp typo in log level
* plugins: os-wireguard service widget fix
Migration notes, known issues and limitations:
* LibreSSL flavour has been discontinued. Switch to OpenSSL flavour to proceed with the upgrade.
* StrongSwan IPsec configuration now uses the preferred swanctl.conf instead of the deprecated ipsec.conf which could lead to connectivity issues in ambiguous cases. Subtle bugs cannot be ruled out as well so please raise an issue on GitHub to be able to investigate each case.
* The new IPsec connections pages and API create an independent set of connections following the design of swanctl.conf. Legacy tunnel settings cannot be managed from the API and are not migrated.
The public key for the 23.1 series is:
.. code-block::
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4J0k7cPtunUYiR4vbRof
# AiNTnkkByaWpjTeKneR/CBAaImUxpED5EnFprwM0mm4BX3Vqkf1KYQtRSawNxeXz
# NiPT5Ykv0Vus0tYafBzIPsOCdUz/gtuJmtjih0uNvFSdwDRNE42MpX2RFeTm652H
# fNE5Rxv23liLYdm3RNDFcM7tJEMs+zr01Lrn3McDv4OUACl3YTwFKS1BJGkBqpDI
# gX1HsJMz934zNItrLxj6B2tDIR4oGrqowzW+1owT4+a8EoaimY48RAb8AUWezAZu
# tQcGQ0wuZ8qy2WClYvrogsmAEUpfv1Y0YcSfpdxopOx4KyE0KEzAooRF95iFLu94
# PODk1oPTr0N9qXn7XsLkpaufk+EpNecZSvbqrj3IWMyCLEBO60YuFpcFFI6SVJBC
# i5OG7JVQaE8hu4CY50tMOO0M54umM8lPIOW8AuIH2PlmQWJ4tPb7j8HHnV1cM1Sf
# Ha/EAJQlKEEyj4hbzSb6aKATv++qvh4jwgADsTsDtbCrtxrcBV7i+iLUM7DdxrPZ
# QnLELdJPjyFxtClzi4Tf1svrF5K6NGd/nJQ1pLSkM64dKPA0iTiMMzjQMHnN8++G
# UdhRzswRZ/BtB8ha1ZRRvnEHe+tcEtsXFZZSTgcR60lXlZzPY/0h+xfbgOApYlqq
# MIMJsdvZkuxYrGQ5eL2nk0UCAwEAAQ==
# -----END PUBLIC KEY-----
.. code-block::
# SHA256 (OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2) = f25c10113ef1ea13c031fc6102f8e6caf73a7296b12bcc287670026cab29c7c7
# SHA256 (OPNsense-23.1-OpenSSL-nano-amd64.img.bz2) = 74ec824288adde409074f6855cb0110b860d0b28c33fbd6a30f12473a5e97d54
# SHA256 (OPNsense-23.1-OpenSSL-serial-amd64.img.bz2) = 2b0ea23de4d09eed952f074e561d55b06b5d323bf9d68a2eae34c3118c304318
# SHA256 (OPNsense-23.1-OpenSSL-vga-amd64.img.bz2) = 13b9f31651aa165862965566238eaecf66563a3b037fb7f8912a6d0440170bdb
--------------------------------------------------------------------------
23.1.r2 (January 19, 2023)
--------------------------------------------------------------------------
Only a small number of fixes and the usual third party updates.
Still on track for January 26. See you then...
Here are the full patch notes:
* system: introduce support tier annotations for core and plugins
* system: add cron tasks for scrubbing and trimming ZFS pools (contributed by Iain Henderson)
* system: fix 6rd/6to4 gateway interface detection (contributed by Frans J Elliott)
* interfaces: further simplify get_real_interface()
* interfaces: correct PPPoEv6 device lookup
* reporting: add Unbound DNS drill-down for client graph
* mvc: implement required getRealInterface() variant
* plugins: os-haproxy 4.0 `[1] <https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr>`__
* ports: curl 7.87.0 `[2] <https://curl.se/changes.html#7_87_0>`__
* ports: nss 3.87 `[3] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html>`__
* ports: pcre 10.42 `[4] <https://www.pcre.org/changelog.txt>`__
* ports: phalcon 5.1.4 `[5] <https://github.com/phalcon/cphalcon/releases/tag/v5.1.4>`__
* ports: php 8.1.14 `[6] <https://www.php.net/ChangeLog-8.php#8.1.14>`__
* ports: strongswan 5.9.9 `[7] <https://github.com/strongswan/strongswan/releases/tag/5.9.9>`__
* ports: unbound 1.17.1 `[8] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1>`__
--------------------------------------------------------------------------
23.1.r1 (January 13, 2023)
--------------------------------------------------------------------------
For more than 8 years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.
We thank all of you for helping test, shape and contribute to the project!
We know it would not be the same without you. <3
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.
* Europe: https://opnsense.c0urier.net/releases/23.1/
* US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/
* South America: http://mirror.ueb.edu.ec/opnsense/releases/23.1/
* East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.1/
* Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 22.7.10:
* system: replaced log_error() use with log_msg() and adjusted logging levels accordingly
* system: introduced a service boot log
* system: the LibreSSL flavour has been discontinued
* system: simplify gateway monitoring setup code
* system: add option to skip gateway monitor host route
* system: populate /etc/hosts file with IPv6 addresses too
* system: simplify host route creation
* system: merge system_staticroutes_configure() into system_routing_configure()
* system: do not yield process after calling shutdown command
* system: apply tunables during late boot in case a module was loaded depending on them to be set to a specific value
* system: show size of ZFS ARC (adaptive replacement cache) in system widget
* interfaces: heavy cleanup of the wireless device integration
* interfaces: use 802.1ad protocol for stacked VLAN parent (QinQ)
* interfaces: GIF and GRE now support subnet-based IPv6 configurations instead of always falling back to a point-to-point (/128) setup
* interfaces: GIF and GRE now disable IPv6 on IPv4 tunnels (contributed by Maurice Walker)
* interfaces: add PPPoEv6 mode to prevent IPv6 CP negotiation over PPPoE in other IPv6 modes
* interfaces: add support for SLAAC WAN interfaces without DHCPv6 (contributed by Maurice Walker)
* interfaces: register LAGG, PPP, VLAN and wireless devices as plugins
* interfaces: simplified get_real_interface() function
* interfaces: removed obsolete "defaultgw" files
* interfaces: simplified rc.linkup script
* interfaces: improve IP address cache behaviour in rc.newwanip(v6) scripts
* interfaces: converted virtual IPs to MVC/API
* interfaces: add MAC filtering to packet capture
* interfaces: convert ARP/NDP pages to server-side searchable variant
* interfaces: create null route for DHCPv6 delegated prefix
* interfaces: tighten the concept of hardware interfaces and pull supported plugin devices into assignments page automatically
* firewall: remove deprecated "Dynamic state reset" mechanic
* firewall: invalidate port forward rule entry when no target is specified
* firewall: show automated "port 0" rule as actual port "0" on PHP 8
* firewall: hide deprecated source OS rule setting under advanced
* reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics
* intrusion detection: keep grid to prevent widgets being removed
* intrusion detection: reload grid after log drop (contributed by kulikov-a)
* ipsec: disable charon.install_routes completely in case upstream would implement it for FreeBSD later on
* ipsec: move user PSK (pre-shared key) and static PSK items to new MVC/API implementation
* ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
* ipsec: add a new independent connections MVC/API component to manage IPsec in a layout matching swanctl.conf syntax more closely
* ipsec: rewrote lease status page in MVC/API
* ipsec: add configurable "unique" setting to phase 1
* monit: support start timeout setting (contributed by spoutin)
* openvpn: add unique daemon name to each instance
* unbound: add DNS statistics collector and reporting frontend
* unbound: safeguard retrieval of blocklist shortcode
* unbound: add exact domain blocking
* mvc: call plugins_interfaces() optionally on service reconfigure
* mvc: match UUID for multiple values (contributed by kulikov-a)
* mvc: convert setBase() to an upsert operation
* mvc: change default sorting to case-insensitive
* mvc: fix IntegerField minimum value (contributed by xbb)
* mvc: add TextField tests (contributed by agh1467)
* ui: assorted improvements in bootgrid and form controls
* ui: switch to pure JSON data in bootgrids
* plugins: os-acme-client 3.15 `[2] <https://github.com/opnsense/plugins/blob/stable/23.1/security/acme-client/pkg-descr>`__
* plugins: os-bind 1.25 `[3] <https://github.com/opnsense/plugins/blob/stable/23.1/dns/bind/pkg-descr>`__
* plugins: os-ddclient 1.11 `[4] <https://github.com/opnsense/plugins/blob/stable/23.1/dns/ddclient/pkg-descr>`__
* plugins: os-dyndns end of life note moves to 23.7
* plugins: os-freeradius 1.9.22 `[5] <https://github.com/opnsense/plugins/blob/stable/23.1/net/freeradius/pkg-descr>`__
* plugins: os-upnp 1.5 `[6] <https://github.com/opnsense/plugins/blob/stable/23.1/net/upnp/pkg-descr>`__
* plugins: os-stunnel fixes missing include in certificate script
* plugins: os-wireguard switches to kernel module with a separate os-wireguard-go variant available for installation to keep the old behaviour
* plugins: os-sslh 1.0 `[7] <https://github.com/opnsense/plugins/blob/stable/23.1/net/sslh/pkg-descr>`__ (contributed by agh1467)
* src: assorted FreeBSD 13 stable fixes for e.g. bpf, bridge, bsdinstall ifconfig, iflib, ipfw, ipsec, lagg, netmap, pf, route and vlan components
* ports: php 8.1.13 `[8] <https://www.php.net/ChangeLog-8.php#8.1.13>`__
* ports: sqlite 3.40.1 `[9] <https://sqlite.org/releaselog/3_40_1.html>`__
Migration notes, known issues and limitations:
* LibreSSL flavour has been discontinued. Switch to OpenSSL flavour to proceed with the upgrade.
* StrongSwan IPsec configuration now uses the preferred swanctl.conf instead of the deprecated ipsec.conf which could lead to connectivity issues in ambiguous cases. Subtle bugs cannot be ruled out as well so please raise an issue on GitHub to be able to investigate each case.
* The new IPsec connections pages and API create an independent set of connections following the design of swanctl.conf. Legacy tunnel settings cannot be managed from the API and are not migrated.
The public key for the 23.1 series is:
.. code-block::
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4J0k7cPtunUYiR4vbRof
# AiNTnkkByaWpjTeKneR/CBAaImUxpED5EnFprwM0mm4BX3Vqkf1KYQtRSawNxeXz
# NiPT5Ykv0Vus0tYafBzIPsOCdUz/gtuJmtjih0uNvFSdwDRNE42MpX2RFeTm652H
# fNE5Rxv23liLYdm3RNDFcM7tJEMs+zr01Lrn3McDv4OUACl3YTwFKS1BJGkBqpDI
# gX1HsJMz934zNItrLxj6B2tDIR4oGrqowzW+1owT4+a8EoaimY48RAb8AUWezAZu
# tQcGQ0wuZ8qy2WClYvrogsmAEUpfv1Y0YcSfpdxopOx4KyE0KEzAooRF95iFLu94
# PODk1oPTr0N9qXn7XsLkpaufk+EpNecZSvbqrj3IWMyCLEBO60YuFpcFFI6SVJBC
# i5OG7JVQaE8hu4CY50tMOO0M54umM8lPIOW8AuIH2PlmQWJ4tPb7j8HHnV1cM1Sf
# Ha/EAJQlKEEyj4hbzSb6aKATv++qvh4jwgADsTsDtbCrtxrcBV7i+iLUM7DdxrPZ
# QnLELdJPjyFxtClzi4Tf1svrF5K6NGd/nJQ1pLSkM64dKPA0iTiMMzjQMHnN8++G
# UdhRzswRZ/BtB8ha1ZRRvnEHe+tcEtsXFZZSTgcR60lXlZzPY/0h+xfbgOApYlqq
# MIMJsdvZkuxYrGQ5eL2nk0UCAwEAAQ==
# -----END PUBLIC KEY-----
Please let us know about your experience!
.. code-block::
# SHA256 (OPNsense-23.1.r1-OpenSSL-dvd-amd64.iso.bz2) = ed7d61d0107536c3095526d74c9d4e3b44cb86a7d8896bb51d65eccfd0a2056d
# SHA256 (OPNsense-23.1.r1-OpenSSL-nano-amd64.img.bz2) = 66269b2eb434476d437cbf705af25b938e5d17436727eee565dd5e88fe8e6247
# SHA256 (OPNsense-23.1.r1-OpenSSL-serial-amd64.img.bz2) = ca6676ae825241190e63b4fbedd8e727b28011fa484c35c1ef1e68e0355b1f4b
# SHA256 (OPNsense-23.1.r1-OpenSSL-vga-amd64.img.bz2) = 5a4a8ec5f248484890d569b89f2fd1e29470bb95996c48def20686648e279f77
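Review bot: the SHA256 block at the end of the hunk only proves a download arrived intact, not that it came from the project, while the key published a few lines above it is what the image signatures should be checked against; add a line next to the checksums that says how to verify the images' signatures with the 23.1 key, note that the sums cover the compressed .bz2 files (compare before decompressing), and that the leading "# " on every key line is code-block decoration that has to be stripped when saving the key. Otherwise readers end up comparing hashes hosted on the same page as the images they are about to trust. Minor wording in the migration notes: "Subtle bugs cannot be ruled out as well" reads better as "cannot be ruled out either".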

@ -21,6 +21,7 @@ into these.
manual/netflow
manual/reporting_settings
manual/reporting_traffic
manual/reporting_unbound_dns
---------------
Setup guides
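Review bot: the new toctree entry manual/reporting_unbound_dns needs its page added in the same change, otherwise the Sphinx build warns about a toctree reference to a nonexisting document; nothing in this hunk shows that file, so confirm it is part of the commit.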

@ -11,7 +11,7 @@ Intro
As your trusted opensource security product, we do care a lot about security and with our regular release schedule we
try to stay ahead of possible incidents. Even though we are cautious and stay informed, sometimes issues
do ocure, in which case it's good to know what to do.
do occur, in which case it's good to know what to do.
------------------------------------------------------------
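Review bot: while touching this sentence, "opensource" in "As your trusted opensource security product" should be "open source", and the run-on wants a comma: "we do care a lot about security, and with our regular release schedule we try to stay ahead of possible incidents".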
@ -178,9 +178,10 @@ Below you will find the versions that have been tested or are currently in test.
| Version | status | Download |
+==========+=================+======================================================================================================+
| BE 22.04 | LINCE Compliant | :download:`BE22.04-STIC_OPNSENSE_CQ-ETR-v1.0.pdf <pdf/BE22.04-STIC_OPNSENSE_CQ-ETR-v1.0.pdf>` |
| | | 49a6ed38ec787090d19f1fd302fc730e62671d37ec8b26ed5b3385c68f81f467 |
| | | 5b303285f3b9f9cd6290a623d7c509e48c59da4c678884a1513e84ee7d06d5d1 |
+----------+-----------------+------------------------------------------------------------------------------------------------------+
| BE 22.10 | In test | |
| BE 22.10 | LINCE Compliant | :download:`BE22.10-STIC_OPNSENSE_CQ-ETR-v2.0.pdf <pdf/BE22.10-STIC_OPNSENSE_CQ-ETR-v2.0.pdf>` |
| | | 6fae801d18c3c8574ab8cca9a6f03f8b898dbe8a22136ee8fc8aa01173539fb4 |
+----------+-----------------+------------------------------------------------------------------------------------------------------+
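Review bot: the BE 22.04 row keeps the same file name BE22.04-STIC_OPNSENSE_CQ-ETR-v1.0.pdf while its checksum changes from 49a6ed38... to 5b303285..., which is exactly what a reader verifying a compliance report would flag as tampering; if the document was re-issued, bump the version in the file name or note the re-issue next to the row. The checksum lines under the Download column are also unlabeled, so a reader cannot tell what they hash or with which algorithm; prefix them with "SHA256:" or give them their own column.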

@ -2,46 +2,52 @@
Support Options
===============
Commercial
----------
.. image:: images/support-1024x492.jpg
Extended professional support services are available for an annual fee.
For the commercial support options see `the OPNsense website <https://opnsense.org/support-overview/commercial-support/>`__
Community
---------
If you need help with OPNsense you can always try the community options first.
When resorting to community support it is important to understand that anyone
helping you is doing so for free and at their own time. Even though your issue or
question may not be answered fully, it would be nice to thank the people who
help you.
Software Support Levels
------------------------
To receive community support, the following options are available:
OPNsense is used in infrastructures of all sizes, in some cases it is very important to know what to expect when running into
issues, certainly if part of the knowledge to maintain the infrastructure needs to be acquired from third parties.
* Start searching this documentation & wiki
* The `OPNsense forum <https://forum.opnsense.org>`__
* Ask online users on `IRC Libera Chat <https://libera.chat/>`__ #opnsense
Our platform is easily extendable, which encourages people to work on components not directly supported by us but very valuable
to our users.
In order to offer clarity for all involved, we decided to explain how we treat the components available in this chapter.
Community Support Levels
------------------------
We currently distinct three different tiers of support, ranging from Critical to Community, where critical is always directly supported
by the OPNsense® Core Team and Community you may safely assume the core team has no (or very limited) involvement.
.. Tip::
When designing infrastructures and in need of commercial support from the creators of OPNsense for community plugins,
you can always contact us and discuss options.
If community plugins are very popular it is possible to promote in terms of support options, but in order to grow out of
the community tier some conditions have to be met.
Tier 1 Core (Critical)
* The software should be usable and understandable.
* Maintainability of the plugin should be good (code quality, following best practices)
* Documentation should be available and at least explain the purpose of the component including the most common settings.
These are the tiers in question:
Critical (Tier 1)
============================================
* Core team develops and supports
* Compiler errors or functional failures block git merges and releases
* Functionality is part of the standard installation
* Functionality is part of the standard installation or an officially supported plugin
Tier 2 Plugins (Non-Critical)
Supplemental (Tier 2)
=====================================================
* Core team develops and supports, sometimes with help from community members
* Core team develops and supports or the functionality is deemed to be important enough to invest their time into bringing the plugin to its desired state in the long run.
* Compiler errors or functional failures block git merges
* Functionality problems such as 'known issues' or might still going into releases
* Functionality problems such as 'known issues' might still go into releases
* Features require user to install the plugin / functionality not installed by default
Tier 3 Plugins (Community)
Community (Tier 3)
============================
- Tier 3 is community supported, this means the OPNsense core development team won't support it to avoid overloading the team
- When accepting a Tier 3 feature into the code base, it will come with a number of limits and conditions:
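Review bot: the new Tier 2 bullet "Core team develops and supports or the functionality is deemed to be important enough to invest their time into bringing the plugin to its desired state in the long run" folds two different situations into one clause; split it into "core team develops and supports" and "community developed, with the core team committed to bringing it to its desired state", so a reader knows which applies to a given plugin. Wording: "We currently distinct three different tiers" should be "distinguish three tiers", and the rest of that sentence loses its subject; suggest "where Critical is always directly supported by the OPNsense® Core Team, while for Community you may safely assume the core team has no (or very limited) involvement". Structure: the tier headings use "====" underlines beneath "----" sections, which reStructuredText only accepts as a lower level because the page title uses an overline plus underline; it renders, but a "~~~~" underline for the tier subsections is less fragile.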
@ -54,3 +60,138 @@ Tier 3 Plugins (Community)
- The code is offered as plugin and will not be part of the default OPNsense installation. The OPNsense core team will not be responsible for QA
- If the feature get lots of traction, and/or if the team just considers it very useful, it may get 'promoted' to being officially supported (Tier 2)
- The feature will be removed if the submitter stops maintaining it and no-one steps up to take over
Community
---------
If you need help with OPNsense you can always try the community options first.
When resorting to community support it is important to understand that anyone
helping you is doing so for free and at their own time. Even though your issue or
question may not be answered fully, it would be nice to thank the people who
help you.
To receive community support, the following options are available:
* Start searching this documentation & wiki
* The `OPNsense forum <https://forum.opnsense.org>`__
* Ask online users on `IRC Libera Chat <https://libera.chat/>`__ #opnsense
* Open a GitHub ticket (`core <https://github.com/opnsense/core/issues>`__, `plugins <https://github.com/opnsense/plugins/issues>`__) using one of our templates
.. Note::
When a Github ticket is opened, it often is being tagged "support", but its status may change over time when more details
are known. Triaging issues takes time, the easier one can replicate an issue on a clean install, the higher the chance
tickets are being solved.
Commercial
----------
As we build and maintain the software used by individuals and companies all around the globe, we are able to help you
out when it comes to network design choices, solving issues and custom development around OPNsense.
Extended professional support services are available for an annual fee.
You can find our options in `the OPNsense webshop <https://shop.opnsense.com/product-categorie/support/>`__
or you may `contact us <https://shop.opnsense.com/contact-us/>`__ directly.
List of available community plugins
---------------------------------------------------------------
Below you will find the plugins available in the standard (community) version of OPNsense categorised by support tier
as described at the support levels section.
.. csv-table:: Tier 2
:header: "Name", "Description"
"devel/debug", "Add several debugging tools to enable full stack traces on crash reports and extended syntax checks for development activities."
"net/firewall", "This package extends the standard OPNsense firewall system with endpoints for machine to machine management tasks. Gui components are initially only intended to ease testing and to explain current functionality."
"net/frr", "FRRouting (FRR) is an IP routing protocol suite for Linux and Unix platforms which includes protocol daemons for BGP, IS-IS, LDP, OSPF, PIM, and RIP."
"net/relayd", "relayd is a daemon to relay and dynamically redirect incoming connections to a target host. Its purposes is to run as a load-balancer. The daemon is able to monitor groups of hosts for availability, which is determined by checking for a specific service common to a host group. When availability is confirmed, Layer 3 and/or layer 7 forwarding services are set up by relayd."
"security/etpro-telemetry", "Todays cybersecurity engineers need timely and accurate data about eminent threats and how they spread around the globe. With this data cybersecurity researchers and analysts can improve the detection of malicious network traffic. The times when we could rely on just firewall rules for our protection are long gone. Additional layers of security are desperately needed to guard against these attacks."
"security/stunnel", "Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code."
"security/tinc", "tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet."
"sysutils/git-backup", "This package adds a backup option using git version control."
"sysutils/vmware", "The Open Virtual Machine Tools (open-vm-tools) are the open source implementation of VMware Tools. They are a set of guest operating system virtualization components that enhance performance and user experience of virtual machines. As virtualization technology rapidly becomes mainstream, each virtualization solution provider implements their own set of tools and utilities to supplement the guest virtual machine. However, most of the implementations are proprietary and are tied to a specific virtualization platform."
.. csv-table:: Tier 3
:header: "Name", "Description"
"benchmarks/iperf", "iperf3 is a tool for measuring the achievable TCP, UDP, and SCTP throughput along a path between two hosts. It allows the tuning of various parameters such as socket buffer sizes and maximum attempted throughput. It reports (among other things) bandwidth, delay jitter, and datagram loss. iperf was originally developed by NLANR/DAST."
"databases/redis", "Redis is an open source, advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets."
"devel/grid_example", "The goal of the 'grid_example' plugin is to showcase the capabilities of the OPNsense plugin framework in relation to the grid/table system."
"devel/helloworld", "The goal of the 'Hello world' plugin is to showcase the capabilities of the OPNsense plugin framework. It will control a program on the system named 'testConnection.py'. It will send an email using plain SMTP and will respond with a JSON message about the result of the attempt."
"dns/bind", "BIND implements the DNS protocols. The DNS protocols are part of the core Internet standards. They specify the process by which one computer can find another computer on the basis of its name. The BIND software distribution contains all of the software necessary for asking and answering name service questions."
"dns/ddclient", "ddclient is a Perl client used to update dynamic DNS entries for accounts on many dynamic DNS services."
"dns/dnscrypt-proxy", "A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTPS."
"dns/dyndns", "Support for numerous Dynamic DNS services (DynDNS et al)"
"dns/rfc2136", "Support for RFC-2136 based dynamic DNS updates using Bind"
"emulators/qemu-guest-agent", "QEMU Guest Agent for FreeBSD"
"ftp/tftp", "tftp-hpa is portable, BSD derived tftp server. It supports advanced options such as blksize, blksize2, tsize, timeout, and utimeout. It also supported rulebased security options."
"mail/postfix", "Postfix attempts to be fast, easy to administer, and secure. The outside has a definite Sendmail-ish flavor, but the inside is completely different."
"mail/rspamd", "Rspamd is fast, modular and lightweight spam filter. It is designed to work with big amount of mail and can be easily extended with own filters written in lua."
"misc/theme-cicada", "The cicada theme - grey/orange - Designed and created by remic-webdesign@chello.at"
"misc/theme-rebellion", "A suitably dark theme."
"misc/theme-tukan", "The tukan theme - blue/white - Designed and created by remic-webdesign@chello.at"
"misc/theme-vicuna", "The vicuna theme - dark anthrazit - Designed and created by rene@team-rebellion.net"
"net-mgmt/collectd", "collectd is a daemon which collects system and application performance metrics periodically and provides mechanisms to store the values in a variety of ways, for example in RRD files."
"net-mgmt/lldpd", "LLDP is an industry standard protocol designed to supplant proprietary Link-Layer protocols such as EDP or CDP. The goal of LLDP is to provide an inter-vendor compatible mechanism to deliver Link-Layer notifications to adjacent network devices."
"net-mgmt/net-snmp", "Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment (eg. routers), computer equipment and even devices like UPSs. Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3 using both IPv4 and IPv6."
"net-mgmt/netdata", "Netdata is distributed, real-time, performance and health monitoring for systems and applications. It is a highly optimized monitoring agent you install on all your systems and containers."
"net-mgmt/nrpe", "nrpe is used to execute Nagios plugins on remote hosts and report the results to the main Nagios server. From the Nagios homepage:"
"net-mgmt/telegraf", "Telegraf is the Agent for Collecting & Reporting Metrics & Data. Telegraf has plugins or integrations to source a variety of metrics directly from the system its running on, pull metrics from third-party APIs, or even listen for metrics via a StatsD and Kafka consumer services. It also has output plugins to send metrics to a variety of other datastores, services, and message queues, including InfluxDB, Graphite, OpenTSDB, Datadog, Librato, Kafka, MQTT, NSQ, and many others."
"net-mgmt/zabbix-agent", "Zabbix is an enterprise-class open source distributed monitoring solution."
"net-mgmt/zabbix-proxy", "Zabbix is an enterprise-class open source distributed monitoring solution."
"net/chrony", "An alternative to native ntpd daemon. In some edge cases chrony works better in virtual environments."
"net/freeradius", "FreeRADIUS includes a RADIUS server, a BSD licensed client library, a PAM library, and an Apache module. In most cases, the word FreeRADIUS refers to the RADIUS server."
"net/ftp-proxy", "Ftp-proxy is a proxy for the Internet File Transfer Protocol. FTP control connections are being redirected into the proxy, after which the proxy connects to the server on behalf of the client."
"net/google-cloud-sdk", "This plugin installs the Google Cloud SDK. The SDK may be used on the CLI or in conjunction with the Let's Encrypt plugin."
"net/haproxy", "HAProxy is a free, very fast and reliable solution offering high availability, load balancing, and proxying for TCP and HTTP-based applications. It is particularly suited for web sites crawling under very high loads while needing persistence or Layer7 processing."
"net/igmp-proxy", "Igmpproxy is a simple multicast routing daemon based on mrouted. It uses IGMP forwarding to dynamically route multicast traffic."
"net/mdns-repeater", "mdns-repeater is a Multicast DNS repeater. Multicast DNS uses the 224.0.0.251 address, which is 'administratively scoped' and does not leave the subnet."
"net/ntopng", "ntopng is the next generation version of the original ntop, a network traffic probe that monitors network usage. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Windows as well."
"net/radsecproxy", "A generic RADIUS proxy that in addition to usual RADIUS UDP transport, also supports TLS (RadSec), as well as RADIUS over TCP and DTLS. The aim is for the proxy to have sufficient features to be flexible, while at the same time to be small, efficient and easy to configure."
"net/realtek-re", "This is the official driver from Realtek and can be loaded instead of the FreeBSD driver built into the GENERIC kernel if you experience issues with it (eg. watchdog timeouts), or your card is not supported."
"net/shadowsocks", "A secure socks5 proxy, designed to protect your Internet traffic."
"net/siproxd", "Siproxd is a proxy/masquerading daemon for the SIP protocol. It handles registrations of SIP clients on a private IP network and performs rewriting of the SIP message bodies to make SIP connections work via an masquerading firewall (NAT). It allows SIP software clients (like kphone, linphone) or SIP hardware clients (Voice over IP phones which are SIP-compatible, such as those from Cisco, Grandstream or Snom) to work behind an IP masquerading firewall or NAT router."
"net/sslh", "Manage SSLH, the SSL/SHH multiplexer via the OPNsense web UI."
"net/tayga", "TAYGA is an out-of-kernel stateless NAT64 implementation that uses the TUN driver to exchange IPv4 and IPv6 packets with the kernel. It is intended to provide production-quality NAT64 service for networks where dedicated NAT64 hardware would be overkill."
"net/udpbroadcastrelay", "udbproadcastrelay is a UDP multicast relayer. Its intended use is to rebroadbcast udp packets on a specific port across interfaces, be those interfaces physical or VLAN."
"net/upnp", "Mini UPnPd is a lightweight implementation of a UPnP IGD daemon. This is supposed to be run on your gateway machine to allow client systems to redirect ports and punch holes in the firewall."
"net/vnstat", "vnStat is a console-based network traffic monitor for Linux and BSD that keeps a log of network traffic for the selected interface(s). It uses the network interface statistics provided by the kernel as information source. This means that vnStat won't actually be sniffing any traffic and also ensures light use of system resources."
"net/wireguard", "WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry."
"net/wol", "wol implements Wake-On-LAN functionality in a small program. It wakes up hardware that is Magic Packet compliant."
"net/zerotier", "ZeroTier can be used for on-premise network virtualization, as a peer to peer VPN for mobile teams, for hybrid or multi-data-center cloud deployments, or just about anywhere else secure software defined virtual networking is useful."
"security/acme-client", "This plugin contains a full ACME protocol implementation based on the acme.sh project. According to the authors, it's probably 'the easiest and smallest and smartest shell script' to automatically issue and renew the free certificates from Let's Encrypt."
"security/clamav", "ClamAV(r) is an open source (GPL) anti-virus engine used in a variety of situations including email scanning, web scanning, and end point security. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates."
"security/crowdsec", "Crowdsec is an open-source, lightweight software, detecting peers with aggressive behaviors to prevent them from accessing your systems. Its user friendly design and assistance offers a low technical barrier of entry and nevertheless a high security gain."
"security/intrusion-detection-content-et-open", "IDS Proofpoint ET open ruleset duplicates rule files which are being delivered empty in ET Pro Telemetry edition so both can be installed."
"security/intrusion-detection-content-et-pro", "Proofpoint ET Pro is a timely and accurate rule set for detecting and blocking advanced threats using your existing network security appliances, such as next generation firewalls (NGFW) and network intrusion detection / prevention systems (IDS/IPS)"
"security/intrusion-detection-content-pt-open", "The Attack Detection Team searches for new vulnerabilities and 0-days, reproduces it and creates PoC exploits to understand how these security flaws work and how related attacks can be detected on the network layer."
"security/intrusion-detection-content-snort-vrt", "The Snort Subscriber Rule Set refer to rules that have been developed, tested and approved by the Talos Security Intelligence and Research Team (Talos). The Snort Subscriber Ruleset released after March 7th, 2005 are governed by the Snort Subscriber Rule Set License Agreement."
"security/maltrail", "Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name, URL, IP address or HTTP User-Agent header value. Also, it uses advanced heuristic mechanisms that can help in discovery of unknown threats."
"security/openconnect", "OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN which is now known as Pulse Connect Secure."
"security/softether", "SoftEther VPN ('SoftEther' means 'Software Ethernet') is one of the world's most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris."
"security/tor", "Tor is a connection-based low-latency anonymous communication system which addresses many flaws in the original onion routing design."
"sysutils/apcupsd", "Apcupsd, short for APC UPS daemon, can be used for controlling all APC UPS models. It can monitor and log the current power and battery status, perform automatic shutdown, and can run in network mode in order to power down other hosts on a LAN."
"sysutils/api-backup", "Provide the functionality to download the config.xml"
"sysutils/apuled", "LED control for PC Engines APU platform OPNsense plugin Cloudfence 2019 - JCC"
"sysutils/dmidecode", "Dmidecode reports information about your system's hardware as described in your system BIOS according to the SMBIOS/DMI standard. This information typically includes system manufacturer, model name, serial number, BIOS version, asset tag as well as a lot of other details of varying level of interest and reliability depending on the manufacturer. This will often include usage status for the CPU sockets, expansion slots (e.g. AGP, PCI, ISA) and memory module slots, and the list of I/O ports (e.g. serial, parallel, USB)."
"sysutils/hw-probe", "Send anonymized hardware diagnostics to https://bsd-hardware.info"
"sysutils/lcdproc-sdeclcd", "LCDproc setup for SDEC LCD devices found in Watchguard FireBox firewall appliances."
"sysutils/mail-backup", "Send a config.xml via mail, optionally encrypted via PGP."
"sysutils/munin-node", "Munin network-wide graphing framework (node)"
"sysutils/nextcloud-backup", "This package adds a backup option using an existing NextCloud instance."
"sysutils/node_exporter", "Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written in Go with pluggable metric collectors."
"sysutils/nut", "The primary goal of the Network UPS Tools (NUT) project is to provide support for Power Devices, such as Uninterruptible Power Supplies, Power Distribution Units, Automatic Transfer Switch, Power Supply Units and Solar Controllers."
"sysutils/puppet-agent", "Puppet lets you centrally manage every important aspect of your system using a cross-platform specification language that manages all the separate elements normally aggregated in different files, like users, cron jobs, and hosts, along with obviously discrete elements like packages, services, and files."
"sysutils/smart", "The smartmontools package contains two utility programs (smartctl and smartd) to control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (S.M.A.R.T.) built into most modern ATA and SCSI hard disks. It is derived from the smartsuite package, and includes support for ATA/ATAPI/SATA disks and SCSI disks and tape devices."
"sysutils/virtualbox", "These additions are for installation inside a FreeBSD guest."
"sysutils/xen", "FreeBSD VM tools for Citrix XenServer and XCP"
"vendor/sunnyvalley", "This plugin adds a proprietary repository to install Zenarmor (previously Sensei), a plugin for OPNsense, complementing the firewall with state of the art next generation firewall features."
"www/c-icap", "c-icap is an implementation of an ICAP server. It can be used with HTTP proxies that support the ICAP protocol to implement content adaptation and filtering services."
"www/cache", "Add and enable caching for the web GUI to accelerate requests."
"www/nginx", "NGINX is a high performance edge web server with the lowest memory footprint and the key features to build modern and efficient web infrastructure."
"www/web-proxy-sso", "Allow to use the web proxy with Single Sign-On against an Active Directory instead of using a bundled authentication."
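Review bot: the text above announces three tiers but only Tier 2 and Tier 3 tables follow; add a sentence that Tier 1 is the base installation plus the officially supported plugins, or the reader looks for a missing table. The descriptions are copied verbatim from pkg-descr and carry their defects into the docs: net-mgmt/nrpe stops mid-sentence at "From the Nagios homepage:", net/sslh reads "SSL/SHH multiplexer" (SSH), net/udpbroadcastrelay reads "udbproadcastrelay ... rebroadbcast", and security/etpro-telemetry describes the threat landscape rather than what the plugin does. Since this table is generated from pkg-descr by the template added in this commit, fix those in the plugins repository rather than here, or the next regeneration reintroduces them.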

@ -0,0 +1,111 @@
===============
Support Options
===============
.. image:: images/support-1024x492.jpg
Software Support Levels
------------------------
OPNsense is used in infrastructures of all sizes, in some cases it is very important to know what to expect when running into
issues, certainly if part of the knowledge to maintain the infrastructure needs to be acquired from third parties.
Our platform is easily extendable, which encourages people to work on components not directly supported by us but very valuable
to our users.
In order to offer clarity for all involved, we decided to explain how we treat the components available in this chapter.
We currently distinct three different tiers of support, ranging from Critical to Community, where critical is always directly supported
by the OPNsense® Core Team and Community you may safely assume the core team has no (or very limited) involvement.
.. Tip::
When designing infrastructures and in need of commercial support from the creators of OPNsense for community plugins,
you can always contact us and discuss options.
If community plugins are very popular it is possible to promote in terms of support options, but in order to grow out of
the community tier some conditions have to be met.
* The software should be usable and understandable.
* Maintainability of the plugin should be good (code quality, following best practices)
* Documentation should be available and at least explain the purpose of the component including the most common settings.
These are the tiers in question:
Critical (Tier 1)
============================================
* Core team develops and supports
* Compiler errors or functional failures block git merges and releases
* Functionality is part of the standard installation or an officially supported plugin
Supplemental (Tier 2)
=====================================================
* Core team develops and supports or the functionality is deemed to be important enough to invest their time into bringing the plugin to its desired state in the long run.
* Compiler errors or functional failures block git merges
* Functionality problems such as 'known issues' might still go into releases
* Features require user to install the plugin / functionality not installed by default
Community (Tier 3)
============================
- Tier 3 is community supported, this means the OPNsense core development team won't support it to avoid overloading the team
- When accepting a Tier 3 feature into the code base, it will come with a number of limits and conditions:
* Submitter must commit to maintaining it:
- Make sure code compiles and correctly functions after OPNsense and/or external (e.g. library) changes
- Support users when they encounter problems (forum / git issue tracker all related issues will be assigned to the maintainer)
- The code is offered as plugin and will not be part of the default OPNsense installation. The OPNsense core team will not be responsible for QA
- If the feature get lots of traction, and/or if the team just considers it very useful, it may get 'promoted' to being officially supported (Tier 2)
- The feature will be removed if the submitter stops maintaining it and no-one steps up to take over
Community
---------
If you need help with OPNsense you can always try the community options first.
When resorting to community support it is important to understand that anyone
helping you is doing so for free and at their own time. Even though your issue or
question may not be answered fully, it would be nice to thank the people who
help you.
To receive community support, the following options are available:
* Start searching this documentation & wiki
* The `OPNsense forum <https://forum.opnsense.org>`__
* Ask online users on `IRC Libera Chat <https://libera.chat/>`__ #opnsense
* Open a GitHub ticket (`core <https://github.com/opnsense/core/issues>`__, `plugins <https://github.com/opnsense/plugins/issues>`__) using one of our templates
.. Note::
When a Github ticket is opened, it often is being tagged "support", but its status may change over time when more details
are known. Triaging issues takes time, the easier one can replicate an issue on a clean install, the higher the chance
tickets are being solved.
Commercial
----------
As we build and maintain the software used by individuals and companies all around the globe, we are able to help you
out when it comes to network design choices, solving issues and custom development around OPNsense.
Extended professional support services are available for an annual fee.
You can find our options in `the OPNsense webshop <https://shop.opnsense.com/product-categorie/support/>`__
or you may `contact us <https://shop.opnsense.com/contact-us/>`__ directly.
List of available community plugins
---------------------------------------------------------------
Below you will find the plugins available in the standard (community) version of OPNsense categorised by support tier
as described at the support levels section.
{% for tier in tiers|sort %}
.. csv-table:: Tier {{ tier }}
:header: "Name", "Description"
{% for plugin in tiers[tier]|sort %}
"{{tiers[tier][plugin].name}}", "{{tiers[tier][plugin].descr}}"
{%- endfor %}
{% endfor %}
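Review bot: the row template "{{tiers[tier][plugin].name}}", "{{tiers[tier][plugin].descr}}" does not escape double quotes, and csv-table is parsed with Python's csv module, so a pkg-descr containing a double quote terminates the field early and breaks the whole table (the current output happens to contain only single quotes, which is why it renders today); apply |replace('"', '""') to both fields and collapse newlines in descr for the same reason. Also, because support.rst is committed in its generated form next to this template, the two will drift unless the generator runs as part of the docs build or a check fails when the committed output is stale.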

@ -112,7 +112,7 @@ This means we use the following values:
- for 4-core systems, use 2
- for 8-core systems, use 3
- for 16-core systems, use 4
Etc.
- Etc.
.. Note::
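Review bot: turning "Etc." into a list item still leaves the reader without the rule; the three data points (4 cores: 2, 8 cores: 3, 16 cores: 4) are log2 of the core count, so if that is the intended rule, state it so readers with 6, 12 or 32 cores can derive their value instead of guessing.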
