Merge branch 'opnsense:master' into master
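--- /dev/null
+++ b/PATH-NOT-SHOWN-1
@@ -0,0 +1,64 @@
+#!/usr/local/bin/python3
+"""
+Copyright (c) 2022 Ad Schellevis <ad@opnsense.org>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+"""
+import os
+import argparse
+import re
+from jinja2 import Template
+
+if __name__ == '__main__':
+parser = argparse.ArgumentParser()
+parser.add_argument('-template_filename', default='source/support.rst.in', help='')
+parser.add_argument('source', help='source directory')
+cmd_args = parser.parse_args()
+
+# collect all plugins
+plugin_tiers = dict()
+for root, dirs, files in os.walk(cmd_args.source):
+if 'Makefile' in files and 'pkg-descr' in files:
+plugin_tier = 3
+with open(os.path.join(root, 'Makefile'), 'rt') as f_in:
+for line in f_in.read().split('\n'):
+parts = line.split()
+if len(parts) >= 2 and parts[0].startswith('PLUGIN_TIER') and parts[-1].isdigit():
+plugin_tier = int(parts[-1])
+plugin_name = root[len(cmd_args.source)+1:]
+if plugin_tier not in plugin_tiers:
+plugin_tiers[plugin_tier] = {}
+plugin_tiers[plugin_tier][plugin_name] = {
+'tier': plugin_tier,
+'name': plugin_name
+}
+with open(os.path.join(root, 'pkg-descr'), 'rt') as f_in:
+descr = f_in.read().strip().split('\n\n')[0].replace('\n', ' ').replace('"', "'")
+plugin_tiers[plugin_tier][plugin_name]['descr'] = descr
+
+template = Template(open(cmd_args.template_filename, "rt").read())
+if cmd_args.template_filename.endswith('.in'):
+with open(cmd_args.template_filename[:-3], 'w') as f_out:
+f_out.write(template.render({'tiers': plugin_tiers}))
+else:
+print(template.render({'tiers': plugin_tiers}))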
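Review bot: `template = Template(open(cmd_args.template_filename, "rt").read())` near the end of the hunk opens the template file and never closes it, unlike the two earlier reads in the same script; read it under a context manager, `with open(cmd_args.template_filename, 'rt') as f_in:` followed by `template = Template(f_in.read())`. `plugin_name = root[len(cmd_args.source)+1:]` also assumes the `source` argument carries no trailing separator — with one, the first character of every plugin name is cut off — so `os.path.relpath(root, cmd_args.source)` is the safer form. `import re` is not used anywhere in the file. The rendered view has dropped the file's indentation, so the nesting of the `if __name__ == '__main__':` body is inferred here rather than read from the page.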
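--- /dev/null
+++ b/PATH-NOT-SHOWN-2
@@ -0,0 +1,22 @@
+.. _api_core_firewall:
+
+{{ title }}
+{{ title_underline }}
+{% for controller in controllers %}
+.. csv-table:: {{controller.type}} ({{controller.filename}})
+:header: "Method", "Module", "Controller", "Command", "Parameters"
+:widths: 4, 15, 15, 30, 40
+{% for endpoint in controller.endpoints %}
+"``{{endpoint.method}}``","{{endpoint.module}}","{{endpoint.controller}}","{{endpoint.command}}","{{endpoint.parameters}}"
+{%- endfor %}
+{%- if controller.uses %}
+{% for use in controller.uses %}
+"``<<uses>>``", "", "", "", "*{{use.type}}* `{{use.name}} <{{use.link}}>`__"
+{%- endfor %}
+{%- endif %}
+{% endfor %}
+
+.. Tip::
+
+In order to inject rules using an API, you may take a look at the :ref:`Firewall Plugin API <api_plugins_firewall>`,
+currently the core system does not support rule modifications via the API for this topic.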
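--- /dev/null
+++ b/PATH-NOT-SHOWN-3
@@ -0,0 +1,423 @@
+<?xml version="1.0"?>
+<opnsense>
+<trigger_initial_wizard/>
+<theme>opnsense</theme>
+<sysctl>
+<item>
+<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
+<tunable>vfs.read_max</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set the ephemeral port range to be lower.</descr>
+<tunable>net.inet.ip.portrange.first</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Drop packets to closed TCP ports without returning a RST</descr>
+<tunable>net.inet.tcp.blackhole</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
+<tunable>net.inet.udp.blackhole</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Randomize the ID field in IP packets</descr>
+<tunable>net.inet.ip.random_id</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+It can also be used to probe for information about your internal networks. These functions come enabled
+as part of the standard FreeBSD core system.
+</descr>
+<tunable>net.inet.ip.sourceroute</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+It can also be used to probe for information about your internal networks. These functions come enabled
+as part of the standard FreeBSD core system.
+</descr>
+<tunable>net.inet.ip.accept_sourceroute</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+This option turns off the logging of redirect packets because there is no limit and this could fill
+up your logs consuming your whole hard drive.
+</descr>
+<tunable>net.inet.icmp.log_redirect</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
+<tunable>net.inet.tcp.drop_synfin</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable sending IPv6 redirects</descr>
+<tunable>net.inet6.ip6.redirect</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
+<tunable>net.inet6.ip6.use_tempaddr</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Prefer privacy addresses and use them over the normal addresses</descr>
+<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
+<tunable>net.inet.tcp.syncookies</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
+<tunable>net.inet.tcp.recvspace</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
+<tunable>net.inet.tcp.sendspace</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
+<tunable>net.inet.tcp.delayed_ack</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum outgoing UDP datagram size</descr>
+<tunable>net.inet.udp.maxdgram</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
+<tunable>net.link.bridge.pfil_onlyip</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
+<tunable>net.link.bridge.pfil_local_phys</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
+<tunable>net.link.bridge.pfil_member</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set to 1 to enable filtering on the bridge interface</descr>
+<tunable>net.link.bridge.pfil_bridge</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Allow unprivileged access to tap(4) device nodes</descr>
+<tunable>net.link.tap.user_open</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
+<tunable>kern.randompid</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
+<tunable>hw.syscons.kbd_reboot</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable TCP extended debugging</descr>
+<tunable>net.inet.tcp.log_debug</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set ICMP Limits</descr>
+<tunable>net.inet.icmp.icmplim</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>TCP Offload Engine</descr>
+<tunable>net.inet.tcp.tso</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>UDP Checksums</descr>
+<tunable>net.inet.udp.checksum</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum socket buffer size</descr>
+<tunable>kern.ipc.maxsockbuf</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
+<tunable>vm.pmap.pti</tunable>
+<value>0</value>
+</item>
+<item>
+<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
+<tunable>hw.ibrs_disable</tunable>
+<value>1</value>
+</item>
+<item>
+<descr>Hide processes running as other groups</descr>
+<tunable>security.bsd.see_other_gids</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Hide processes running as other users</descr>
+<tunable>security.bsd.see_other_uids</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
+and for the sender directly reachable, route and next hop is known.
+</descr>
+<tunable>net.inet.ip.redirect</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
+to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
+packets without returning a response.
+</descr>
+<tunable>net.inet.icmp.drop_redirect</tunable>
+<value>1</value>
+</item>
+<item>
+<descr>Maximum outgoing UDP datagram size</descr>
+<tunable>net.local.dgram.maxdgram</tunable>
+<value>default</value>
+</item>
+<item>
+<tunable>dev.ax.0.iflib.override_nrxds</tunable>
+<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
+<descr/>
+</item>
+<item>
+<tunable>dev.ax.0.iflib.override_ntxds</tunable>
+<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
+<descr/>
+</item>
+<item>
+<tunable>dev.ax.1.iflib.override_nrxds</tunable>
+<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
+<descr/>
+</item>
+<item>
+<tunable>dev.ax.1.iflib.override_ntxds</tunable>
+<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
+<descr/>
+</item>
+<item>
+<tunable>dev.ax.0.rss_enabled</tunable>
+<value>1</value>
+<descr/>
+</item>
+<item>
+<tunable>dev.ax.1.rss_enabled</tunable>
+<value>1</value>
+<descr/>
+</item>
+</sysctl>
+<system>
+<serialspeed>115200</serialspeed>
+<primaryconsole>serial</primaryconsole>
+<optimization>normal</optimization>
+<hostname>OPNsense</hostname>
+<domain>localdomain</domain>
+<dnsallowoverride>1</dnsallowoverride>
+<group>
+<name>admins</name>
+<description>System Administrators</description>
+<scope>system</scope>
+<gid>1999</gid>
+<member>0</member>
+<priv>page-all</priv>
+</group>
+<user>
+<name>root</name>
+<descr>System Administrator</descr>
+<scope>system</scope>
+<groupname>admins</groupname>
+<password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
+<uid>0</uid>
+</user>
+<nextuid>2000</nextuid>
+<nextgid>2000</nextgid>
+<timezone>Etc/UTC</timezone>
+<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
+<webgui>
+<protocol>https</protocol>
+</webgui>
+<disablenatreflection>yes</disablenatreflection>
+<usevirtualterminal>1</usevirtualterminal>
+<disableconsolemenu/>
+<disablevlanhwfilter>1</disablevlanhwfilter>
+<disablechecksumoffloading>1</disablechecksumoffloading>
+<disablesegmentationoffloading>1</disablesegmentationoffloading>
+<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
+<ipv6allow/>
+<powerd_enable>1</powerd_enable>
+<powerd_ac_mode>hadp</powerd_ac_mode>
+<powerd_battery_mode>hadp</powerd_battery_mode>
+<powerd_normal_mode>hadp</powerd_normal_mode>
+<thermal_hardware>amdtemp</thermal_hardware>
+<bogons>
+<interval>monthly</interval>
+</bogons>
+<pf_share_forward>1</pf_share_forward>
+<lb_use_sticky>1</lb_use_sticky>
+<ssh>
+<group>admins</group>
+</ssh>
+<firmware version="1.0.0">
+<mirror>https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE</mirror>
+<flavour>latest</flavour>
+<type>business</type>
+</firmware>
+<rrdbackup>-1</rrdbackup>
+<netflowbackup>-1</netflowbackup>
+</system>
+<interfaces>
+<wan>
+<enable>1</enable>
+<if>igb1</if>
+<mtu/>
+<ipaddr>dhcp</ipaddr>
+<ipaddrv6>dhcp6</ipaddrv6>
+<subnet/>
+<gateway/>
+<blockpriv>1</blockpriv>
+<blockbogons>1</blockbogons>
+<dhcphostname/>
+<media/>
+<mediaopt/>
+<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
+</wan>
+<lan>
+<enable>1</enable>
+<if>igb0</if>
+<ipaddr>192.168.1.1</ipaddr>
+<subnet>24</subnet>
+<ipaddrv6>track6</ipaddrv6>
+<subnetv6>64</subnetv6>
+<media/>
+<mediaopt/>
+<track6-interface>wan</track6-interface>
+<track6-prefix-id>0</track6-prefix-id>
+</lan>
+</interfaces>
+<dhcpd>
+<lan>
+<enable/>
+<range>
+<from>192.168.1.100</from>
+<to>192.168.1.199</to>
+</range>
+</lan>
+</dhcpd>
+<unbound>
+<enable>1</enable>
+</unbound>
+<snmpd>
+<syslocation/>
+<syscontact/>
+<rocommunity>public</rocommunity>
+</snmpd>
+<nat>
+<outbound>
+<mode>automatic</mode>
+</outbound>
+</nat>
+<filter>
+<rule>
+<type>pass</type>
+<ipprotocol>inet</ipprotocol>
+<descr>Default allow LAN to any rule</descr>
+<interface>lan</interface>
+<source>
+<network>lan</network>
+</source>
+<destination>
+<any/>
+</destination>
+</rule>
+<rule>
+<type>pass</type>
+<ipprotocol>inet6</ipprotocol>
+<descr>Default allow LAN IPv6 to any rule</descr>
+<interface>lan</interface>
+<source>
+<network>lan</network>
+</source>
+<destination>
+<any/>
+</destination>
+</rule>
+</filter>
+<rrd>
+<enable/>
+</rrd>
+<load_balancer>
+<monitor_type>
+<name>ICMP</name>
+<type>icmp</type>
+<descr>ICMP</descr>
+<options/>
+</monitor_type>
+<monitor_type>
+<name>TCP</name>
+<type>tcp</type>
+<descr>Generic TCP</descr>
+<options/>
+</monitor_type>
+<monitor_type>
+<name>HTTP</name>
+<type>http</type>
+<descr>Generic HTTP</descr>
+<options>
+<path>/</path>
+<host/>
+<code>200</code>
+</options>
+</monitor_type>
+<monitor_type>
+<name>HTTPS</name>
+<type>https</type>
+<descr>Generic HTTPS</descr>
+<options>
+<path>/</path>
+<host/>
+<code>200</code>
+</options>
+</monitor_type>
+<monitor_type>
+<name>SMTP</name>
+<type>send</type>
+<descr>Generic SMTP</descr>
+<options>
+<send/>
+<expect>220 *</expect>
+</options>
+</monitor_type>
+</load_balancer>
+<ntpd>
+<prefer>0.opnsense.pool.ntp.org</prefer>
+</ntpd>
+<widgets>
+<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
+<column_count>2</column_count>
+</widgets>
+</opnsense>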
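Review bot: The sysctl items `vm.pmap.pti` with `<value>0</value>` and `hw.ibrs_disable` with `<value>1</value>` switch off the Meltdown (PTI) and Spectre V2 (IBRS) kernel mitigations in a shipped default configuration, and the same two items appear again in the next file section; each `<descr>` only names the mitigation, so please record why the trade-off is made on this platform, e.g. `<descr>Page Table Isolation (Meltdown mitigation, requires reboot.) Disabled here because: [reason]</descr>`. The `<snmpd>` block keeps `<rocommunity>public</rocommunity>`, the well-known default community string; the block carries no `<enable>` element so it presumably stays inactive, but the value goes live the moment the service is switched on, and an empty `<rocommunity/>` would force an operator to choose one. The six `dev.ax.*` items ship with an empty `<descr/>` while every other item is documented — a one-line description of why the ring sizes and RSS are overridden for these interfaces would keep the file consistent. The root `<user>` entry ships a fixed `<password>` hash shared by every installation of this config; `<trigger_initial_wizard/>` is set, so confirm the wizard forces a change of that credential on first login.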
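--- /dev/null
+++ b/PATH-NOT-SHOWN-4
@@ -0,0 +1,397 @@
+<?xml version="1.0"?>
+<opnsense>
+<trigger_initial_wizard/>
+<theme>opnsense</theme>
+<sysctl>
+<item>
+<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
+<tunable>vfs.read_max</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set the ephemeral port range to be lower.</descr>
+<tunable>net.inet.ip.portrange.first</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Drop packets to closed TCP ports without returning a RST</descr>
+<tunable>net.inet.tcp.blackhole</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
+<tunable>net.inet.udp.blackhole</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Randomize the ID field in IP packets</descr>
+<tunable>net.inet.ip.random_id</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+It can also be used to probe for information about your internal networks. These functions come enabled
+as part of the standard FreeBSD core system.
+</descr>
+<tunable>net.inet.ip.sourceroute</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+It can also be used to probe for information about your internal networks. These functions come enabled
+as part of the standard FreeBSD core system.
+</descr>
+<tunable>net.inet.ip.accept_sourceroute</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+This option turns off the logging of redirect packets because there is no limit and this could fill
+up your logs consuming your whole hard drive.
+</descr>
+<tunable>net.inet.icmp.log_redirect</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
+<tunable>net.inet.tcp.drop_synfin</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable sending IPv6 redirects</descr>
+<tunable>net.inet6.ip6.redirect</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
+<tunable>net.inet6.ip6.use_tempaddr</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Prefer privacy addresses and use them over the normal addresses</descr>
+<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
+<tunable>net.inet.tcp.syncookies</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
+<tunable>net.inet.tcp.recvspace</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
+<tunable>net.inet.tcp.sendspace</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
+<tunable>net.inet.tcp.delayed_ack</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum outgoing UDP datagram size</descr>
+<tunable>net.inet.udp.maxdgram</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
+<tunable>net.link.bridge.pfil_onlyip</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
+<tunable>net.link.bridge.pfil_local_phys</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
+<tunable>net.link.bridge.pfil_member</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set to 1 to enable filtering on the bridge interface</descr>
+<tunable>net.link.bridge.pfil_bridge</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Allow unprivileged access to tap(4) device nodes</descr>
+<tunable>net.link.tap.user_open</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
+<tunable>kern.randompid</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
+<tunable>hw.syscons.kbd_reboot</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable TCP extended debugging</descr>
+<tunable>net.inet.tcp.log_debug</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set ICMP Limits</descr>
+<tunable>net.inet.icmp.icmplim</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>TCP Offload Engine</descr>
+<tunable>net.inet.tcp.tso</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>UDP Checksums</descr>
+<tunable>net.inet.udp.checksum</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum socket buffer size</descr>
+<tunable>kern.ipc.maxsockbuf</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
+<tunable>vm.pmap.pti</tunable>
+<value>0</value>
+</item>
+<item>
+<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
+<tunable>hw.ibrs_disable</tunable>
+<value>1</value>
+</item>
+<item>
+<descr>Hide processes running as other groups</descr>
+<tunable>security.bsd.see_other_gids</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Hide processes running as other users</descr>
+<tunable>security.bsd.see_other_uids</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
+and for the sender directly reachable, route and next hop is known.
+</descr>
+<tunable>net.inet.ip.redirect</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
+to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
+packets without returning a response.
+</descr>
+<tunable>net.inet.icmp.drop_redirect</tunable>
+<value>1</value>
+</item>
+<item>
+<descr>Maximum outgoing UDP datagram size</descr>
+<tunable>net.local.dgram.maxdgram</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>AMD temp offset</descr>
+<tunable>dev.amdtemp.0.sensor_offset</tunable>
+<value>-10</value>
+</item>
+</sysctl>
+<system>
+<serialspeed>115200</serialspeed>
+<primaryconsole>serial</primaryconsole>
+<optimization>normal</optimization>
+<hostname>OPNsense</hostname>
+<domain>localdomain</domain>
+<dnsallowoverride>1</dnsallowoverride>
+<group>
+<name>admins</name>
+<description>System Administrators</description>
+<scope>system</scope>
+<gid>1999</gid>
+<member>0</member>
+<priv>page-all</priv>
+</group>
+<user>
+<name>root</name>
+<descr>System Administrator</descr>
+<scope>system</scope>
+<groupname>admins</groupname>
+<password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
+<uid>0</uid>
+</user>
+<nextuid>2000</nextuid>
+<nextgid>2000</nextgid>
+<timezone>Etc/UTC</timezone>
+<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
+<webgui>
+<protocol>https</protocol>
+</webgui>
+<disablenatreflection>yes</disablenatreflection>
+<usevirtualterminal>1</usevirtualterminal>
+<disableconsolemenu/>
+<disablevlanhwfilter>1</disablevlanhwfilter>
+<disablechecksumoffloading>1</disablechecksumoffloading>
+<disablesegmentationoffloading>1</disablesegmentationoffloading>
+<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
+<ipv6allow/>
+<powerd_enable>1</powerd_enable>
+<powerd_ac_mode>hadp</powerd_ac_mode>
+<powerd_battery_mode>hadp</powerd_battery_mode>
+<powerd_normal_mode>hadp</powerd_normal_mode>
+<bogons>
+<interval>monthly</interval>
+</bogons>
+<pf_share_forward>1</pf_share_forward>
+<lb_use_sticky>1</lb_use_sticky>
+<ssh>
+<group>admins</group>
+</ssh>
+<firmware version="1.0.0">
+<mirror>https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE</mirror>
+<flavour>latest</flavour>
+<type>business</type>
+</firmware>
+<use_mfs_var>1</use_mfs_var>
+<use_mfs_tmp>1</use_mfs_tmp>
+</system>
+<interfaces>
+<wan>
+<enable>1</enable>
+<if>igb1</if>
+<mtu/>
+<ipaddr>dhcp</ipaddr>
+<ipaddrv6>dhcp6</ipaddrv6>
+<subnet/>
+<gateway/>
+<blockpriv>1</blockpriv>
+<blockbogons>1</blockbogons>
+<dhcphostname/>
+<media/>
+<mediaopt/>
+<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
+</wan>
+<lan>
+<enable>1</enable>
+<if>igb0</if>
+<ipaddr>192.168.1.1</ipaddr>
+<subnet>24</subnet>
+<ipaddrv6>track6</ipaddrv6>
+<subnetv6>64</subnetv6>
+<media/>
+<mediaopt/>
+<track6-interface>wan</track6-interface>
+<track6-prefix-id>0</track6-prefix-id>
+</lan>
+</interfaces>
+<dhcpd>
+<lan>
+<enable/>
+<range>
+<from>192.168.1.100</from>
+<to>192.168.1.199</to>
+</range>
+</lan>
+</dhcpd>
+<unbound>
+<enable>1</enable>
+</unbound>
+<snmpd>
+<syslocation/>
+<syscontact/>
+<rocommunity>public</rocommunity>
+</snmpd>
+<nat>
+<outbound>
+<mode>automatic</mode>
+</outbound>
+</nat>
+<filter>
+<rule>
+<type>pass</type>
+<ipprotocol>inet</ipprotocol>
+<descr>Default allow LAN to any rule</descr>
+<interface>lan</interface>
+<source>
+<network>lan</network>
+</source>
+<destination>
+<any/>
+</destination>
+</rule>
+<rule>
+<type>pass</type>
+<ipprotocol>inet6</ipprotocol>
+<descr>Default allow LAN IPv6 to any rule</descr>
+<interface>lan</interface>
+<source>
+<network>lan</network>
+</source>
+<destination>
+<any/>
+</destination>
+</rule>
+</filter>
+<rrd>
+<enable/>
+</rrd>
+<load_balancer>
+<monitor_type>
+<name>ICMP</name>
+<type>icmp</type>
+<descr>ICMP</descr>
+<options/>
+</monitor_type>
+<monitor_type>
+<name>TCP</name>
+<type>tcp</type>
+<descr>Generic TCP</descr>
+<options/>
+</monitor_type>
+<monitor_type>
+<name>HTTP</name>
+<type>http</type>
+<descr>Generic HTTP</descr>
+<options>
+<path>/</path>
+<host/>
+<code>200</code>
+</options>
+</monitor_type>
+<monitor_type>
+<name>HTTPS</name>
+<type>https</type>
+<descr>Generic HTTPS</descr>
+<options>
+<path>/</path>
+<host/>
+<code>200</code>
+</options>
+</monitor_type>
+<monitor_type>
+<name>SMTP</name>
+<type>send</type>
+<descr>Generic SMTP</descr>
+<options>
+<send/>
+<expect>220 *</expect>
+</options>
+</monitor_type>
+</load_balancer>
+<ntpd>
+<prefer>0.opnsense.pool.ntp.org</prefer>
+</ntpd>
+<widgets>
+<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
+<column_count>2</column_count>
+</widgets>
+</opnsense>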
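--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-1.xml
@@ -0,0 +1,397 @@
+<?xml version="1.0"?>
+<opnsense>
+<trigger_initial_wizard/>
+<theme>opnsense</theme>
+<sysctl>
+<item>
+<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
+<tunable>vfs.read_max</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set the ephemeral port range to be lower.</descr>
+<tunable>net.inet.ip.portrange.first</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Drop packets to closed TCP ports without returning a RST</descr>
+<tunable>net.inet.tcp.blackhole</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
+<tunable>net.inet.udp.blackhole</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Randomize the ID field in IP packets</descr>
+<tunable>net.inet.ip.random_id</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+It can also be used to probe for information about your internal networks. These functions come enabled
+as part of the standard FreeBSD core system.
+</descr>
+<tunable>net.inet.ip.sourceroute</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+It can also be used to probe for information about your internal networks. These functions come enabled
+as part of the standard FreeBSD core system.
+</descr>
+<tunable>net.inet.ip.accept_sourceroute</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+This option turns off the logging of redirect packets because there is no limit and this could fill
+up your logs consuming your whole hard drive.
+</descr>
+<tunable>net.inet.icmp.log_redirect</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
+<tunable>net.inet.tcp.drop_synfin</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable sending IPv6 redirects</descr>
+<tunable>net.inet6.ip6.redirect</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
+<tunable>net.inet6.ip6.use_tempaddr</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Prefer privacy addresses and use them over the normal addresses</descr>
+<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
+<tunable>net.inet.tcp.syncookies</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
+<tunable>net.inet.tcp.recvspace</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
+<tunable>net.inet.tcp.sendspace</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
+<tunable>net.inet.tcp.delayed_ack</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum outgoing UDP datagram size</descr>
+<tunable>net.inet.udp.maxdgram</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
+<tunable>net.link.bridge.pfil_onlyip</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
+<tunable>net.link.bridge.pfil_local_phys</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
+<tunable>net.link.bridge.pfil_member</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set to 1 to enable filtering on the bridge interface</descr>
+<tunable>net.link.bridge.pfil_bridge</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Allow unprivileged access to tap(4) device nodes</descr>
+<tunable>net.link.tap.user_open</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
+<tunable>kern.randompid</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
+<tunable>hw.syscons.kbd_reboot</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable TCP extended debugging</descr>
+<tunable>net.inet.tcp.log_debug</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set ICMP Limits</descr>
+<tunable>net.inet.icmp.icmplim</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>TCP Offload Engine</descr>
+<tunable>net.inet.tcp.tso</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>UDP Checksums</descr>
+<tunable>net.inet.udp.checksum</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum socket buffer size</descr>
+<tunable>kern.ipc.maxsockbuf</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
+<tunable>vm.pmap.pti</tunable>
+<value>0</value>
+</item>
+<item>
+<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
+<tunable>hw.ibrs_disable</tunable>
+<value>1</value>
+</item>
+<item>
+<descr>Hide processes running as other groups</descr>
+<tunable>security.bsd.see_other_gids</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Hide processes running as other users</descr>
+<tunable>security.bsd.see_other_uids</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
+and for the sender directly reachable, route and next hop is known.
+</descr>
+<tunable>net.inet.ip.redirect</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
+to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
+packets without returning a response.
+</descr>
+<tunable>net.inet.icmp.drop_redirect</tunable>
+<value>1</value>
+</item>
+<item>
+<descr>Maximum outgoing UDP datagram size</descr>
+<tunable>net.local.dgram.maxdgram</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>AMD temp offset</descr>
+<tunable>dev.amdtemp.0.sensor_offset</tunable>
+<value>-10</value>
+</item>
+</sysctl>
+<system>
+<serialspeed>115200</serialspeed>
+<primaryconsole>serial</primaryconsole>
+<optimization>normal</optimization>
+<hostname>OPNsense</hostname>
+<domain>localdomain</domain>
+<dnsallowoverride>1</dnsallowoverride>
+<group>
+<name>admins</name>
+<description>System Administrators</description>
+<scope>system</scope>
+<gid>1999</gid>
+<member>0</member>
+<priv>page-all</priv>
+</group>
+<user>
+<name>root</name>
+<descr>System Administrator</descr>
+<scope>system</scope>
+<groupname>admins</groupname>
+<password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
+<uid>0</uid>
+</user>
+<nextuid>2000</nextuid>
+<nextgid>2000</nextgid>
+<timezone>Etc/UTC</timezone>
+<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
+<webgui>
+<protocol>https</protocol>
+</webgui>
+<disablenatreflection>yes</disablenatreflection>
+<usevirtualterminal>1</usevirtualterminal>
+<disableconsolemenu/>
+<disablevlanhwfilter>1</disablevlanhwfilter>
+<disablechecksumoffloading>1</disablechecksumoffloading>
+<disablesegmentationoffloading>1</disablesegmentationoffloading>
+<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
+<ipv6allow/>
+<powerd_enable>1</powerd_enable>
+<powerd_ac_mode>hadp</powerd_ac_mode>
+<powerd_battery_mode>hadp</powerd_battery_mode>
+<powerd_normal_mode>hadp</powerd_normal_mode>
+<bogons>
+<interval>monthly</interval>
+</bogons>
+<pf_share_forward>1</pf_share_forward>
+<lb_use_sticky>1</lb_use_sticky>
+<ssh>
+<group>admins</group>
+</ssh>
+<firmware version="1.0.0">
+<mirror>https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE</mirror>
+<flavour>latest</flavour>
+<type>business</type>
+</firmware>
+<rrdbackup>-1</rrdbackup>
+<netflowbackup>-1</netflowbackup>
+</system>
+<interfaces>
+<wan>
+<enable>1</enable>
+<if>igb1</if>
+<mtu/>
+<ipaddr>dhcp</ipaddr>
+<ipaddrv6>dhcp6</ipaddrv6>
+<subnet/>
+<gateway/>
+<blockpriv>1</blockpriv>
+<blockbogons>1</blockbogons>
+<dhcphostname/>
+<media/>
+<mediaopt/>
+<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
+</wan>
+<lan>
+<enable>1</enable>
+<if>igb0</if>
+<ipaddr>192.168.1.1</ipaddr>
+<subnet>24</subnet>
+<ipaddrv6>track6</ipaddrv6>
+<subnetv6>64</subnetv6>
+<media/>
+<mediaopt/>
+<track6-interface>wan</track6-interface>
+<track6-prefix-id>0</track6-prefix-id>
+</lan>
+</interfaces>
+<dhcpd>
+<lan>
+<enable/>
+<range>
+<from>192.168.1.100</from>
+<to>192.168.1.199</to>
+</range>
+</lan>
+</dhcpd>
+<unbound>
+<enable>1</enable>
+</unbound>
+<snmpd>
+<syslocation/>
+<syscontact/>
+<rocommunity>public</rocommunity>
+</snmpd>
+<nat>
+<outbound>
+<mode>automatic</mode>
+</outbound>
+</nat>
+<filter>
+<rule>
+<type>pass</type>
+<ipprotocol>inet</ipprotocol>
+<descr>Default allow LAN to any rule</descr>
+<interface>lan</interface>
+<source>
+<network>lan</network>
+</source>
+<destination>
+<any/>
+</destination>
+</rule>
+<rule>
+<type>pass</type>
+<ipprotocol>inet6</ipprotocol>
+<descr>Default allow LAN IPv6 to any rule</descr>
+<interface>lan</interface>
+<source>
+<network>lan</network>
+</source>
+<destination>
+<any/>
+</destination>
+</rule>
+</filter>
+<rrd>
+<enable/>
+</rrd>
+<load_balancer>
+<monitor_type>
+<name>ICMP</name>
+<type>icmp</type>
+<descr>ICMP</descr>
+<options/>
+</monitor_type>
+<monitor_type>
+<name>TCP</name>
+<type>tcp</type>
+<descr>Generic TCP</descr>
+<options/>
+</monitor_type>
+<monitor_type>
+<name>HTTP</name>
+<type>http</type>
+<descr>Generic HTTP</descr>
+<options>
+<path>/</path>
+<host/>
+<code>200</code>
+</options>
+</monitor_type>
+<monitor_type>
+<name>HTTPS</name>
+<type>https</type>
+<descr>Generic HTTPS</descr>
+<options>
+<path>/</path>
+<host/>
+<code>200</code>
+</options>
+</monitor_type>
+<monitor_type>
+<name>SMTP</name>
+<type>send</type>
+<descr>Generic SMTP</descr>
+<options>
+<send/>
+<expect>220 *</expect>
+</options>
+</monitor_type>
+</load_balancer>
+<ntpd>
+<prefer>0.opnsense.pool.ntp.org</prefer>
+</ntpd>
+<widgets>
+<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
+<column_count>2</column_count>
+</widgets>
+</opnsense>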
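Review bot: The `<snmpd>` block in this section ships the well-known read-only community `<rocommunity>public</rocommunity>`; for a template that is presumably copied onto appliances this is a guessable default that survives into the live configuration, so it would be safer to leave the element empty or use a marker in the style of the `FILL-IN-YOUR-LICENSE-HERE` value in `<mirror>`, e.g. `<rocommunity>FILL-IN-YOUR-COMMUNITY-HERE</rocommunity>`. The block carries no enable element, unlike `<unbound>`, so the daemon may well be off until an operator configures it, but the community value is still there once they do. In the same `<sysctl>` list, `vm.pmap.pti` is set to `0` and `hw.ibrs_disable` to `1`, which turns the Meltdown and Spectre V2 mitigations off; a sentence in each `<descr>` naming the reason (presumably throughput on the target appliance) would tell an operator that this is a deliberate trade-off rather than an oversight. The third file section on this page carries the same `<snmpd>` block and the same two tunables.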
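--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-2.xml
@@ -0,0 +1,428 @@
+<?xml version="1.0"?>
+<opnsense>
+<trigger_initial_wizard/>
+<theme>opnsense</theme>
+<sysctl>
+<item>
+<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
+<tunable>vfs.read_max</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set the ephemeral port range to be lower.</descr>
+<tunable>net.inet.ip.portrange.first</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Drop packets to closed TCP ports without returning a RST</descr>
+<tunable>net.inet.tcp.blackhole</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
+<tunable>net.inet.udp.blackhole</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Randomize the ID field in IP packets</descr>
+<tunable>net.inet.ip.random_id</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+It can also be used to probe for information about your internal networks. These functions come enabled
+as part of the standard FreeBSD core system.
+</descr>
+<tunable>net.inet.ip.sourceroute</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+It can also be used to probe for information about your internal networks. These functions come enabled
+as part of the standard FreeBSD core system.
+</descr>
+<tunable>net.inet.ip.accept_sourceroute</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+This option turns off the logging of redirect packets because there is no limit and this could fill
+up your logs consuming your whole hard drive.
+</descr>
+<tunable>net.inet.icmp.log_redirect</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
+<tunable>net.inet.tcp.drop_synfin</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable sending IPv6 redirects</descr>
+<tunable>net.inet6.ip6.redirect</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
+<tunable>net.inet6.ip6.use_tempaddr</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Prefer privacy addresses and use them over the normal addresses</descr>
+<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
+<tunable>net.inet.tcp.syncookies</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
+<tunable>net.inet.tcp.recvspace</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
+<tunable>net.inet.tcp.sendspace</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
+<tunable>net.inet.tcp.delayed_ack</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum outgoing UDP datagram size</descr>
+<tunable>net.inet.udp.maxdgram</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
+<tunable>net.link.bridge.pfil_onlyip</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
+<tunable>net.link.bridge.pfil_local_phys</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
+<tunable>net.link.bridge.pfil_member</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set to 1 to enable filtering on the bridge interface</descr>
+<tunable>net.link.bridge.pfil_bridge</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Allow unprivileged access to tap(4) device nodes</descr>
+<tunable>net.link.tap.user_open</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
+<tunable>kern.randompid</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
+<tunable>hw.syscons.kbd_reboot</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable TCP extended debugging</descr>
+<tunable>net.inet.tcp.log_debug</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Set ICMP Limits</descr>
+<tunable>net.inet.icmp.icmplim</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>TCP Offload Engine</descr>
+<tunable>net.inet.tcp.tso</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>UDP Checksums</descr>
+<tunable>net.inet.udp.checksum</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Maximum socket buffer size</descr>
+<tunable>kern.ipc.maxsockbuf</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
+<tunable>vm.pmap.pti</tunable>
+<value>0</value>
+</item>
+<item>
+<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
+<tunable>hw.ibrs_disable</tunable>
+<value>1</value>
+</item>
+<item>
+<descr>Hide processes running as other groups</descr>
+<tunable>security.bsd.see_other_gids</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Hide processes running as other users</descr>
+<tunable>security.bsd.see_other_uids</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
+and for the sender directly reachable, route and next hop is known.
+</descr>
+<tunable>net.inet.ip.redirect</tunable>
+<value>default</value>
+</item>
+<item>
+<descr>
+Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
+to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
+packets without returning a response.
+</descr>
+<tunable>net.inet.icmp.drop_redirect</tunable>
+<value>1</value>
+</item>
+<item>
+<descr>Maximum outgoing UDP datagram size</descr>
+<tunable>net.local.dgram.maxdgram</tunable>
+<value>default</value>
+</item>
+<item>
+<tunable>dev.ax.0.iflib.override_nrxds</tunable>
+<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
+<descr/>
+</item>
+<item>
+<tunable>dev.ax.0.iflib.override_ntxds</tunable>
+<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
+<descr/>
+</item>
+<item>
+<tunable>dev.ax.1.iflib.override_nrxds</tunable>
+<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
+<descr/>
+</item>
+<item>
+<tunable>dev.ax.1.iflib.override_ntxds</tunable>
+<value>2048, 2048, 2048, 2048, 2048, 2048, 2048, 2048</value>
+<descr/>
+</item>
+<item>
+<tunable>dev.ax.0.rss_enabled</tunable>
+<value>1</value>
+<descr/>
+</item>
+<item>
+<tunable>dev.ax.1.rss_enabled</tunable>
+<value>1</value>
+<descr/>
+</item>
+<item>
+<tunable>ice_ddp_load</tunable>
+<value>YES</value>
+<descr>Include DDP package file for Intel ice driver</descr>
+</item>
+</sysctl>
+<system>
+<serialspeed>115200</serialspeed>
+<primaryconsole>serial</primaryconsole>
+<optimization>normal</optimization>
+<hostname>OPNsense</hostname>
+<domain>localdomain</domain>
+<dnsallowoverride>1</dnsallowoverride>
+<group>
+<name>admins</name>
+<description>System Administrators</description>
+<scope>system</scope>
+<gid>1999</gid>
+<member>0</member>
+<priv>page-all</priv>
+</group>
+<user>
+<name>root</name>
+<descr>System Administrator</descr>
+<scope>system</scope>
+<groupname>admins</groupname>
+<password>$2y$10$YRVoF4SgskIsrXOvOQjGieB9XqHPRra9R7d80B3BZdbY/j21TwBfS</password>
+<uid>0</uid>
+</user>
+<nextuid>2000</nextuid>
+<nextgid>2000</nextgid>
+<timezone>Etc/UTC</timezone>
+<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
+<webgui>
+<protocol>https</protocol>
+</webgui>
+<disablenatreflection>yes</disablenatreflection>
+<usevirtualterminal>1</usevirtualterminal>
+<disableconsolemenu/>
+<disablevlanhwfilter>1</disablevlanhwfilter>
+<disablechecksumoffloading>1</disablechecksumoffloading>
+<disablesegmentationoffloading>1</disablesegmentationoffloading>
+<disablelargereceiveoffloading>1</disablelargereceiveoffloading>
+<ipv6allow/>
+<powerd_enable>1</powerd_enable>
+<powerd_ac_mode>hadp</powerd_ac_mode>
+<powerd_battery_mode>hadp</powerd_battery_mode>
+<powerd_normal_mode>hadp</powerd_normal_mode>
+<thermal_hardware>amdtemp</thermal_hardware>
+<bogons>
+<interval>monthly</interval>
+</bogons>
+<pf_share_forward>1</pf_share_forward>
+<lb_use_sticky>1</lb_use_sticky>
+<ssh>
+<group>admins</group>
+</ssh>
+<firmware version="1.0.0">
+<mirror>https://opnsense-update.deciso.com/FILL-IN-YOUR-LICENSE-HERE</mirror>
+<flavour>latest</flavour>
+<type>business</type>
+</firmware>
+<rrdbackup>-1</rrdbackup>
+<netflowbackup>-1</netflowbackup>
+</system>
+<interfaces>
+<wan>
+<enable>1</enable>
+<if>igb1</if>
+<mtu/>
+<ipaddr>dhcp</ipaddr>
+<ipaddrv6>dhcp6</ipaddrv6>
+<subnet/>
+<gateway/>
+<blockpriv>1</blockpriv>
+<blockbogons>1</blockbogons>
+<dhcphostname/>
+<media/>
+<mediaopt/>
+<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
+</wan>
+<lan>
+<enable>1</enable>
+<if>igb0</if>
+<ipaddr>192.168.1.1</ipaddr>
+<subnet>24</subnet>
+<ipaddrv6>track6</ipaddrv6>
+<subnetv6>64</subnetv6>
+<media/>
+<mediaopt/>
+<track6-interface>wan</track6-interface>
+<track6-prefix-id>0</track6-prefix-id>
+</lan>
+</interfaces>
+<dhcpd>
+<lan>
+<enable/>
+<range>
+<from>192.168.1.100</from>
+<to>192.168.1.199</to>
+</range>
+</lan>
+</dhcpd>
+<unbound>
+<enable>1</enable>
+</unbound>
+<snmpd>
+<syslocation/>
+<syscontact/>
+<rocommunity>public</rocommunity>
+</snmpd>
+<nat>
+<outbound>
+<mode>automatic</mode>
+</outbound>
+</nat>
+<filter>
+<rule>
+<type>pass</type>
+<ipprotocol>inet</ipprotocol>
+<descr>Default allow LAN to any rule</descr>
+<interface>lan</interface>
+<source>
+<network>lan</network>
+</source>
+<destination>
+<any/>
+</destination>
+</rule>
+<rule>
+<type>pass</type>
+<ipprotocol>inet6</ipprotocol>
+<descr>Default allow LAN IPv6 to any rule</descr>
+<interface>lan</interface>
+<source>
+<network>lan</network>
+</source>
+<destination>
+<any/>
+</destination>
+</rule>
+</filter>
+<rrd>
+<enable/>
+</rrd>
+<load_balancer>
+<monitor_type>
+<name>ICMP</name>
+<type>icmp</type>
+<descr>ICMP</descr>
+<options/>
+</monitor_type>
+<monitor_type>
+<name>TCP</name>
+<type>tcp</type>
+<descr>Generic TCP</descr>
+<options/>
+</monitor_type>
+<monitor_type>
+<name>HTTP</name>
+<type>http</type>
+<descr>Generic HTTP</descr>
+<options>
+<path>/</path>
+<host/>
+<code>200</code>
+</options>
+</monitor_type>
+<monitor_type>
+<name>HTTPS</name>
+<type>https</type>
+<descr>Generic HTTPS</descr>
+<options>
+<path>/</path>
+<host/>
+<code>200</code>
+</options>
+</monitor_type>
+<monitor_type>
+<name>SMTP</name>
+<type>send</type>
+<descr>Generic SMTP</descr>
+<options>
+<send/>
+<expect>220 *</expect>
+</options>
+</monitor_type>
+</load_balancer>
+<ntpd>
+<prefer>0.opnsense.pool.ntp.org</prefer>
+</ntpd>
+<widgets>
+<sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
+<column_count>2</column_count>
+</widgets>
+</opnsense>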
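Review bot: The new `<item>` entries for `dev.ax.0.iflib.override_nrxds`, `dev.ax.0.iflib.override_ntxds`, `dev.ax.1.iflib.override_nrxds`, `dev.ax.1.iflib.override_ntxds`, `dev.ax.0.rss_enabled` and `dev.ax.1.rss_enabled` carry an empty `<descr/>`, while every other entry in the `<sysctl>` list explains its purpose; a line along the lines of `<descr>Descriptor ring size override for the ax0 port (hardware-specific)</descr>` would keep the file self-describing. Those six entries also list `<tunable>` before `<descr>`, the reverse of the order used by the rest of the file, which is worth aligning for readability even if the loader does not care about child order. This section otherwise appears to be a near-copy of the previous file section, differing mainly in these device entries, the `ice_ddp_load` item and `<thermal_hardware>amdtemp</thermal_hardware>`; if the two templates are meant to stay in sync, keeping the shared part in one place would avoid the drift already visible in the `dev.amdtemp.0.sensor_offset` item that exists only in the previous file.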
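--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-3.rst
@@ -0,0 +1,107 @@
+========================================
+IPsec - NAT before IPsec
+========================================
+
+
+.. contents:: Index
+
+--------------------------------
+Network topology
+--------------------------------
+
+The schema below describes the situation we are implementing.
+Two networks (A,B) to peer both firewalls, where the Ipsec policy includes :code:`10.1.0.0/24 <-> 192.168.1.0/24`,
+but locally side A uses :code:`10.99.0.0/24`.
+
+How to setup the tunnel itself is explained in the :doc:`ipsec-s2s-conn` document.
+
+.. nwdiag::
+:scale: 100%
+
+nwdiag {
+
+span_width = 90;
+node_width = 180;
+network A {
+address = "[real] 10.99.0.0/24\n[policy] 10.1.0.0/24";
+pclana [label="PC Site A\n10.99.0.20",shape="cisco.pc"];
+fwa [shape = "cisco.firewall", address="10.99.0.1/24"];
+}
+network Ext {
+address = "10.10.1.0/24";
+label = "Ext";
+fwa [shape = "cisco.firewall", address="10.10.1.1/24"];
+fwb [shape = "cisco.firewall", address="10.10.1.2/24"];
+}
+network B {
+address = "192.168.1.0/24"
+fwb [shape = "cisco.firewall", address="192.168.1.20"];
+pclanb [label="PC Site B\n192.168.1.20",shape="cisco.pc"];
+}
+
+
+}
+
+
+--------------------------------
+Preparations
+--------------------------------
+
+Make sure the tunnel is up and running before trying out the NAT part, then edit the child entry and input a :code:`Reqid`
+there which isn't used in any of the other tunnels. For this example we choose :code:`100` here.
+
+.. Note::
+
+It's imperative to choose a static number here in order to be able to bind policies to the current tunnel.
+
+--------------------------------
+Add manual security policies
+--------------------------------
+
+In order for IPsec to trust the local network (:code:`10.99.0.0/24`) a manual policy needs to be added, go to
+the "Manual" tab in :menuselection:`VPN->IPsec->Security Policy Database`. Next add a new entry containing the following items:
+
+===========================================
+
+======================= ===================
+Property site A
+======================= ===================
+Reqid **100**
+Source network **10.0.99.0/24**
+======================= ===================
+
+.. Tip::
+
+When the "Destination network" is left empty, the other end (in this case 192.168.1.0/24) will be received from the tunnel.
+In case multiple networks exist in the same child policy it's better to define which one this entry belongs too.
+
+.. Tip::
+
+After changing manual security policies, make sure the tunnel is reconnected (restart or disconnect and connect)
+as the registration is being arranged using an `updown event <https://docs.strongswan.org/docs/5.9/plugins/updown.html>`__
+
+
+
+--------------------------------
+Configure NAT
+--------------------------------
+
+To map the networks, we will use a one to one rule created from the :menuselection:`Firewall->NAT->One-to-One` menu option.
+The following settings apply here:
+
+=================================================================================
+
+======================= =================== =====================================
+Property site A Notes
+======================= =================== =====================================
+Interface **IPsec**
+Type **BINAT** Two way mapping
+External network **10.1.0.0** As defined in the child connection
+Source **10.99.0.0/24** The local network
+Destination **192.168.1.0/24** The remote network
+======================= =================== =====================================
+
+
+.. Note::
+
+When using BINAT all networks need to be equally sized (:code:`/24` in this case)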
@ -0,0 +1,220 @@
|
||||
====================================
|
||||
IPsec - Route based (VTI) PSK setup
|
||||
====================================
|
||||
|
||||
This example utilises the new options available in OPNsense 23.1 to setup a site to site tunnel in routed mode
|
||||
between two OPNsense machines using a pre shared key.
|
||||
|
||||
.. contents:: Index
|
||||
|
||||
--------------------------------
|
||||
Network topology
|
||||
--------------------------------
|
||||
|
||||
The schema below describes the situation we are implementing. Two networks (A,B) and a transit network (10.10.1.0/24)
|
||||
to peer both firewalls. We will create a tunnel network using :code:`192.168.123.1` [A] and :code:`192.168.123.2` [B].
|
||||
|
||||
.. nwdiag::
|
||||
:scale: 100%
|
||||
|
||||
nwdiag {
|
||||
|
||||
span_width = 90;
|
||||
node_width = 180;
|
||||
network A {
|
||||
address = "10.2.0.0/24";
|
||||
pclana [label="PC Site A\n10.2.0.20",shape="cisco.pc"];
|
||||
fwa [shape = "cisco.firewall", address="10.2.0.1/24"];
|
||||
}
|
||||
network Ext {
|
||||
address = "10.10.1.0/24";
|
||||
label = "Ext-VTI\n192.168.123.1 <--> 192.168.123.2";
|
||||
fwa [shape = "cisco.firewall", address="10.10.1.1/24"];
|
||||
fwb [shape = "cisco.firewall", address="10.10.1.2/24"];
|
||||
}
|
||||
network B {
|
||||
address = "192.168.2.0/24"
|
||||
fwb [shape = "cisco.firewall", address="192.168.2.20"];
|
||||
pclanb [label="PC Site B\n192.168.2.20",shape="cisco.pc"];
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
--------------------------------
|
||||
Preparations
|
||||
--------------------------------
|
||||
|
||||
.....................
|
||||
Interface
|
||||
.....................
|
||||
|
||||
In order to define our IPsec tunnel we do need to define a virtual tunnel interface (:menuselection:`VPN->IPsec->Virtual Tunnel Interfaces`) first.
|
||||
The purpose of this device is to attach a tunnel to a security policy defined by its request id (:code:`reqid`).
|
||||
|
||||
On both sites A and B we will add VTIs using the following parameters:
|
||||
|
||||
===============================================================
|
||||
|
||||
======================= =================== ===================
|
||||
Property site A site B
|
||||
======================= =================== ===================
|
||||
Reqid 10 10
|
||||
Local address **10.10.1.1** **10.10.1.2**
|
||||
Remote address **10.10.1.2** **10.10.1.1**
|
||||
Tunnel local address **192.168.123.1** **192.168.123.2**
|
||||
Tunnel remote address **192.168.123.2** **192.168.123.1**
|
||||
======================= =================== ===================
|
||||
|
||||
|
||||
.. Note::
|
||||
|
||||
Reqid should be a unique number within all configured :code:`if_ipsec(4)` tunnels. The number 10 is arbitrary
|
||||
|
||||
|
||||
.....................
|
||||
Gateways
|
||||
.....................
|
||||
|
||||
Next step on both ends is to define a gateway (:menuselection:`System->Gateways->Single`) which reaches the other end of this channel, the
|
||||
interface should be automatically created and is called :code:`ipsec10` in this example.
|
||||
|
||||
Both ends will need a gateway pointing at each other :
|
||||
Site A will need the following gateway:
|
||||
|
||||
===============================================================
|
||||
|
||||
======================= =================== ===================
|
||||
Property site A site B
|
||||
======================= =================== ===================
|
||||
Name IPSEC10_GW IPSEC10_GW
|
||||
Interface IPSEC10 IPSEC10
|
||||
Address Family IPv4 IPv4
|
||||
IP address **192.168.123.2** **192.168.123.1**
|
||||
======================= =================== ===================
|
||||
|
||||
|
||||
.....................
|
||||
Routes
|
||||
.....................
|
||||
|
||||
We may already prepare the routes as the interfaces and gateways are available in :menuselection:`System->Routes->Configuration`.
|
||||
|
||||
On Site A we need to define a path to Site B and the other way around:
|
||||
|
||||
===============================================================
|
||||
|
||||
======================= =================== ===================
|
||||
Property site A site B
|
||||
======================= =================== ===================
|
||||
Network Address **10.0.2.0/24** **192.168.2.0/24**
|
||||
Gateway IPSEC10_GW IPSEC10_GW
|
||||
======================= =================== ===================
|
||||
|
||||
|
||||
.....................
|
||||
Enable IPsec
|
||||
.....................
|
||||
|
||||
Before configuring the connections, we enable the IPsec module. Just mark the "enable" checkbox on the connections tab.
|
||||
|
||||
--------------------------------
|
||||
Setting up the IPsec connection
|
||||
--------------------------------
|
||||
|
||||
In order to setup a simple (and common) IPsec connection, we go to :menuselection:`VPN->IPsec->Connections` and add
|
||||
a new entry.
|
||||
|
||||
|
||||
.....................
|
||||
General settings
|
||||
.....................
|
||||
|
||||
Side by side the following general settings need to be set in this case, which configures the first part of the security association between
|
||||
both sites:
|
||||
|
||||
===============================================================
|
||||
|
||||
======================= =================== ===================
|
||||
Property site A site B
|
||||
======================= =================== ===================
|
||||
Local addresses **10.10.1.1** **10.10.1.2**
|
||||
Remote addresses **10.10.1.2** **10.10.1.1**
|
||||
======================= =================== ===================
|
||||
|
||||
Press <save> to go to the next step.
|
||||
|
||||
.....................
|
||||
Authentication
|
||||
.....................
|
||||
|
||||
Next we will need to add local authentication (add a new record in the local grid):
|
||||
|
||||
===============================================================
|
||||
|
||||
======================= =================== ===================
|
||||
Property site A site B
|
||||
======================= =================== ===================
|
||||
Authentication Pre-Shared Key Pre-Shared Key
|
||||
Id **hostA** **hostB**
|
||||
======================= =================== ===================
|
||||
|
||||
Then we need to set Pre-Shared Key for remote authentication as well:
|
||||
|
||||
===============================================================
|
||||
|
||||
======================= =================== ===================
|
||||
Property site A site B
|
||||
======================= =================== ===================
|
||||
Authentication Pre-Shared Key Pre-Shared Key
|
||||
Id **hostB** **hostA**
|
||||
======================= =================== ===================
|
||||
|
||||
.. Note::
|
||||
|
||||
Secrets for both ends need to be added to ":menuselection:`VPN->IPsec->Pre-Shared Keys`", site A needs a secret
|
||||
set for local identifier :code:`hostB`. Optionally one may also set a second (remote) identifier in which case the secret
|
||||
belongs to these two identifiers.
|
||||
|
||||
.....................
|
||||
Children
|
||||
.....................
|
||||
|
||||
Finally we may add a child which will add security policies. Since our VTI tunnel matches on all traffic, both Site A and B
|
||||
use the same configuration which looks like this:
|
||||
|
||||
|
||||
===============================================================
|
||||
|
||||
====================== ========================================
|
||||
Mode Tunnel
|
||||
Policies **[uncheck]**
|
||||
Local 0.0.0.0/0
|
||||
Remote 0.0.0.0/0
|
||||
====================== ========================================
|
||||
|
||||
.. Warning::
|
||||
|
||||
Make sure no policies are installed, when missing a passthrough and having policies installed one would not be able
|
||||
to access the firewall anymore as traffic will be trapped inside the tunnel.
|
||||
|
||||
.....................
|
||||
Save and apply
|
||||
.....................
|
||||
|
||||
Finally save the settings and hit apply on the connections page to establish the tunnel.
|
||||
|
||||
--------------------------------
|
||||
Validate
|
||||
--------------------------------
|
||||
|
||||
Now can check if the tunnel is active on both side using the status overview in :menuselection:`VPN->IPsec->Status Overview`
|
||||
|
||||
--------------------------------
|
||||
Install firewall policies
|
||||
--------------------------------
|
||||
|
||||
With the tunnel active, all that remains is to accept traffic on this tunnel using the :menuselection:`Firewall->Rules->IPsec`
|
||||
menu option.
|
@ -0,0 +1,159 @@
|
||||
========================================
|
||||
IPsec - Policy based public key setup
|
||||
========================================
|
||||
|
||||
This example utilises the new options available in OPNsense 23.1 to setup a site to site tunnel in policy mode
|
||||
between two OPNsense machines using key pairs.
|
||||
|
||||
.. contents:: Index
|
||||
|
||||
--------------------------------
|
||||
Network topology
|
||||
--------------------------------
|
||||
|
||||
The schema below describes the situation we are implementing. Two networks (A,B) and a transit network (10.10.1.0/24)
|
||||
to peer both firewalls.
|
||||
|
||||
.. nwdiag::
|
||||
:scale: 100%
|
||||
|
||||
nwdiag {
|
||||
|
||||
span_width = 90;
|
||||
node_width = 180;
|
||||
network A {
|
||||
address = "10.1.0.0/24";
|
||||
pclana [label="PC Site A\n10.1.0.20",shape="cisco.pc"];
|
||||
fwa [shape = "cisco.firewall", address="10.1.0.1/24"];
|
||||
}
|
||||
network Ext {
|
||||
address = "10.10.1.0/24";
|
||||
label = "Ext";
|
||||
fwa [shape = "cisco.firewall", address="10.10.1.1/24"];
|
||||
fwb [shape = "cisco.firewall", address="10.10.1.2/24"];
|
||||
}
|
||||
network B {
|
||||
address = "192.168.1.0/24"
|
||||
fwb [shape = "cisco.firewall", address="192.168.1.20"];
|
||||
pclanb [label="PC Site B\n192.168.1.20",shape="cisco.pc"];
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
--------------------------------
|
||||
Preparations
|
||||
--------------------------------
|
||||
|
||||
Since our policy based setup doesn't require interfaces, gateways and routes, we only need to make sure the IPsec
|
||||
module is enabled on the Connections tab and Key pairs are registered for both hosts.
|
||||
|
||||
..................................
|
||||
Key pairs
|
||||
..................................
|
||||
|
||||
Go to the :menuselection:`VPN->IPsec->Key Pairs` option in the menu and create a new key on both hosts, then copy the public part
|
||||
from Site A to Site B and vise versa. Keys may easily be generated with the gear button in the Key type field.
|
||||
|
||||
|
||||
--------------------------------
|
||||
Setting up the IPsec connection
|
||||
--------------------------------
|
||||
|
||||
In order to setup a simple (and common) IPsec connection, we go to :menuselection:`VPN->IPsec->Connections` and add
|
||||
a new entry.
|
||||
|
||||
|
||||
.....................
|
||||
General settings
|
||||
.....................
|
||||
|
||||
Side by side the following general settings need to be set in this case, which configures the first part of the security association between
|
||||
both sites:
|
||||
|
||||
===============================================================
|
||||
|
||||
======================= =================== ===================
|
||||
Property site A site B
|
||||
======================= =================== ===================
|
||||
Local addresses **10.10.1.1** **10.10.1.2**
|
||||
Remote addresses **10.10.1.2** **10.10.1.1**
|
||||
======================= =================== ===================
|
||||
|
||||
Press <save> to go to the next step.
|
||||
|
||||
.. Note::
|
||||
|
||||
One may omit the local address if any address may be used to initiate the connection from, other valid options
|
||||
are also mentioned in the help text of the attribute.
|
||||
|
||||
|
||||
.....................
|
||||
Authentication
|
||||
.....................
|
||||
|
||||
Next we will need to add local authentication (add a new record in the local grid):
|
||||
|
||||
===============================================================
|
||||
|
||||
======================= =================== ===================
|
||||
Property site A site B
|
||||
======================= =================== ===================
|
||||
Authentication Public Key Public Key
|
||||
Id **hostA** **hostB**
|
||||
Public Keys **hostA-key** **hostB-key**
|
||||
======================= =================== ===================
|
||||
|
||||
Then we need to set Pre-Shared Key for remote authentication as well:
|
||||
|
||||
===============================================================
|
||||
|
||||
======================= =================== ===================
|
||||
Property site A site B
|
||||
======================= =================== ===================
|
||||
Authentication Public Key Public Key
|
||||
Id **hostB** **hostA**
|
||||
Public Keys **hostB-key** **hostA-key**
|
||||
======================= =================== ===================
|
||||
|
||||
|
||||
.. Note::
|
||||
|
||||
On host A the private key for Host A should be known and only the public key of Host B, Host B is exactly the oposite.
|
||||
|
||||
|
||||
.....................
|
||||
Children
|
||||
.....................
|
||||
|
||||
Finally we may add a child which will add security policies and kernel routes.
|
||||
|
||||
|
||||
======================= =================== ===================
|
||||
Property site A site B
|
||||
======================= =================== ===================
|
||||
Mode Tunnel Tunnel
|
||||
Policies [checked] [checked]
|
||||
Local **192.168.1.0/24** **10.0.1.0/24**
|
||||
Remote **10.0.1.0/24** **192.168.1.0/24**
|
||||
======================= =================== ===================
|
||||
|
||||
.....................
|
||||
Save and apply
|
||||
.....................
|
||||
|
||||
Finally save the settings and hit apply on the connections page to establish the tunnel.
|
||||
|
||||
--------------------------------
|
||||
Validate
|
||||
--------------------------------
|
||||
|
||||
Now can check if the tunnel is active on both side using the status overview in :menuselection:`VPN->IPsec->Status Overview`
|
||||
|
||||
--------------------------------
|
||||
Install firewall policies
|
||||
--------------------------------
|
||||
|
||||
With the tunnel active, all that remains is to accept traffic on this tunnel using the :menuselection:`Firewall->Rules->IPsec`
|
||||
menu option.
|
Before Width: | Height: | Size: 360 KiB After Width: | Height: | Size: 136 KiB |
After Width: | Height: | Size: 5.3 KiB |
After Width: | Height: | Size: 8.0 KiB |
After Width: | Height: | Size: 9.4 KiB |
After Width: | Height: | Size: 12 KiB |
Before Width: | Height: | Size: 275 KiB After Width: | Height: | Size: 60 KiB |
After Width: | Height: | Size: 78 KiB |
@ -0,0 +1,82 @@
|
||||
======================
|
||||
Reporting: Unbound DNS
|
||||
======================
|
||||
|
||||
Starting from OPNsense 23.1, users are able to gain insight into DNS traffic passing through their Unbound DNS resolver
|
||||
using the reporting tool under :menuselection:`Reporting --> Unbound DNS`.
|
||||
|
||||
All data presented here is kept on the system for a total of 7 days, creating a rolling window into DNS traffic without
|
||||
allowing the system to take up boundless storage space.
|
||||
|
||||
-------------------------
|
||||
Overview
|
||||
-------------------------
|
||||
|
||||
The overview tab shows high-level DNS traffic data.
|
||||
|
||||
**Counters**
|
||||
|
||||
* The total amount of queries Unbound has handled, starting from the moment as reported above the counters.
|
||||
This will either be from the moment the gathering of statistics has been enabled, or up until the last 7 days.
|
||||
Keep in mind that the counter is as seen from the incoming side, and will increase regardless of the type
|
||||
of response returned.
|
||||
* The amount of queries Unbound has successfully resolved. This counter does not distinguish between forwards or
|
||||
recursion, and excludes every other response type, such as responses from cache, local-data or a local policy
|
||||
such as a blocklist.
|
||||
* The amount of queries Unbound has blocked. This is either because a queried domain was part of a blocklist,
|
||||
or part of a user-configured exact match as configured in :menuselection:`Services --> Unbound DNS --> Blocklist`.
|
||||
* The size of the current blocklist (if any). This will equal the total amount of domains listed inside all the
|
||||
active blocklists.
|
||||
|
||||
Every query counter shows the percentage as part of to the total amount of queries.
|
||||
|
||||
.. Note::
|
||||
|
||||
Adding up both the blocked and resolved queries does not equal the total amount, since the amount of
|
||||
responses from cache, local-data and other possible sources such as Unbound itself on e.g. a SERVFAIL are not
|
||||
shown.
|
||||
|
||||
|
||||
**Graphs**
|
||||
|
||||
Also included in the report are two DNS traffic graphs, the first one being the query graph, and the second one
|
||||
being the client graph. Both graphs show the amount of **incoming** queries over a selectable span of time.
|
||||
The query graph also shows the amount of blocked queries. You can hover over the dots in the client graph
|
||||
to see which client it is, as well as the amount of queries associated with this client. If you proceed to click
|
||||
on this point of data, you will be referred to the Details grid containing every query within this time interval
|
||||
made by this client.
|
||||
|
||||
Both the query and client graph have the option to display the data on a logarithmic scale in order to catch outliers
|
||||
properly while preserving your perspective of the normal flow of traffic.
|
||||
|
||||
**Top domains**
|
||||
|
||||
On the bottom of the page the top 10 of both passed and blocked queries are shown. This includes the amount a domain
|
||||
has been requested, as well as a percentage of passed or blocked requests respectively. If you have blocklists enabled,
|
||||
you are also able to explicitly block or whitelist a specific domain from this top list with the click of a button.
|
||||
The relevant domains will show up in :menuselection:`Services --> Unbound DNS --> Blocklist`, under "Whitelist Domains"
|
||||
or "Blocklist Domains".
|
||||
|
||||
-------------------------
|
||||
Details
|
||||
-------------------------
|
||||
|
||||
The details tab shows a livefeed of **completed** queries along with reply information.
|
||||
You can refresh the list by clicking the refresh button on the top right of the screen. In it you can find:
|
||||
|
||||
* Which client queried which domain with its associated DNS record type.
|
||||
* The action taken by Unbound, this can either be pass, block or drop. The latter only occurs when a query could
|
||||
not be serviced due to an internal error.
|
||||
* The source of the response. This can be either Recursion, Local, Local-data or cache. Local refers to a decision
|
||||
made by Unbound to either block or drop the query. Local-data refers to the custom host overrides and its associated
|
||||
aliases or internal local-data entries generated by the system.
|
||||
* The return code of the DNS query. Refer to the
|
||||
`IANA DNS Parameters <https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6>`__
|
||||
for its meaning.
|
||||
* If recursion is involved, how long in milliseconds it took to resolve a domain.
|
||||
* The TTL of the final answer. Answers from recursion will always contain an upstream-defined TTL value, while
|
||||
answers from cache will show a snapshot of the remaining cache TTL value before recursion would have to take place again.
|
||||
Please note that TTL behaviour can be largely dependent on the settings used in :menuselection:`Services --> Unbound DNS --> Advanced`.
|
||||
* The blocklist used if a query was blocked.
|
||||
* Either a block or whitelist action button, which can be used in the same way as described above for the "Top domains" in the
|
||||
overview section. Please note that this column will not appear if blocklists are disabled.
|
@ -0,0 +1,517 @@
|
||||
===========================================================================================
|
||||
23.1 "Quintessential Quail" Series
|
||||
===========================================================================================
|
||||
|
||||
|
||||
|
||||
For more than 8 years now, OPNsense is driving innovation through
|
||||
modularising and hardening the open source firewall, with simple
|
||||
and reliable firmware upgrades, multi-language support, fast adoption
|
||||
of upstream software updates as well as clear and stable 2-Clause BSD
|
||||
licensing.
|
||||
|
||||
23.1, nicknamed "Quintessential Quail", features Unbound DNS statistics with
|
||||
a blocklist rewrite in Python, improved WAN SLAAC operability, firewall
|
||||
alias BGP ASN type support, PHP 8.1, assorted FreeBSD networking updates,
|
||||
MVC/API pages for packet capture/virtual IPs/IPsec connection management,
|
||||
IPsec configuration file migration to swanctl.conf, new sslh plugin, ddclient
|
||||
custom backend support (including Azure), WireGuard kernel module plugin
|
||||
variant as the new default plus much more.
|
||||
|
||||
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
||||
can be found below as well.
|
||||
|
||||
* Europe: https://opnsense.c0urier.net/releases/23.1/
|
||||
* US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/
|
||||
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/
|
||||
* South America: http://mirror.ueb.edu.ec/opnsense/releases/23.1/
|
||||
* East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.1/
|
||||
* Full mirror list: https://opnsense.org/download/
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
23.1.2 (March 07, 2023)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
This is mainly a reliability update with fixes in assorted subsystems.
|
||||
Of note is the OpenVPN authentication framework rewrite in order to take
|
||||
advantage of the upcoming OpenVPN 2.6 deferred authentication feature and
|
||||
the fix for DHCP renew behaviour that was reported on 23.1.
|
||||
|
||||
The roadmap for 23.7 was published, but at this point mainly consists of
|
||||
MVC/API porting efforts for existing static pages. While the rewrite is
|
||||
not strictly necessary from a user perspective it will move us a lot closer
|
||||
to our mission goal to introduce privilege separation and to provide an API
|
||||
for all components.
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* system: use singleton boot detection everywhere
|
||||
* system: protect against more stray scripts on boot
|
||||
* system: several shell_safe() conversions
|
||||
* system: when applying auto-far default route make sure the local address is not empty
|
||||
* system: refactor system_default_route() to prevent empty $gateway
|
||||
* system: create system_resolver_configure() and cron job support
|
||||
* system: add simple script and configd action to list current group membership (configctl auth list groups)
|
||||
* system: prevent alias reload in routing reconfiguration like we do in rc.syshook monitor reload
|
||||
* interfaces: protect against empty GIF host route
|
||||
* interfaces: fix parsing of device names with a dot in packet capture
|
||||
* interfaces: force newip calls through DHCP/PPP/OVPN on IPv4
|
||||
* interfaces: force newip calls through DHCP/PPP on IPv6
|
||||
* firewall: fix NAT dropdowns ignoring VIPs
|
||||
* firewall: fix validation of alias names such as "A_BC"
|
||||
* fIrewall: show all applicable floating rules when inspecting interface rules
|
||||
* firewall: prevent networks from being sent to DNS resolver in update_tables.py
|
||||
* reporting: make all status mapping colors configurable for themes in the Unbound DNS page
|
||||
* dnsmasq: add dns_forward_max, cache_size and local_ttl options to GUI (contributed by Dr. Uwe Meyer-Gruhl)
|
||||
* firmware: remove retired LibreSSL flavour handling and annotations
|
||||
* ipsec: reqid should not be provided on mobile sessions
|
||||
* ipsec: validate pool names on connections page
|
||||
* ipsec: allow "@" character in all other eap_id fields for new connections
|
||||
* ipsec: add connection data to XMLRPC sync
|
||||
* ipsec: "Dynamic gateway" (rightallowany) option should be translated to 0.0.0.0/0,::/0
|
||||
* network time: remove "disable monitor" to get rid of log warnings (contributed by Dr. Uwe Meyer-Gruhl)
|
||||
* openvpn: replace authentication handler to prepare for upcoming OpenVPN 2.6 with deferred authentication
|
||||
* openvpn: rename -cipher option to --data-ciphers-fallback and adjust GUI accordingly
|
||||
* unbound: fix typo in logger and create a pipe early in dnsbl_module.py (contributed by kulikov-a)
|
||||
* unbound: fix type cast to prevent unnecessary updateBlocklist action
|
||||
* unbound: add missing blocklist
|
||||
* ui: solve deprecation in PHP via html_safe() wrapper
|
||||
* wizard: unbound hardened DNSSEC setting moved
|
||||
* plugins: os-acme-client 3.16 `[1] <https://github.com/opnsense/plugins/blob/stable/23.1/security/acme-client/pkg-descr>`__
|
||||
* plugins: os-crowdsec 1.0.2 `[2] <https://github.com/opnsense/plugins/blob/stable/23.1/security/crowdsec/pkg-descr>`__
|
||||
* plugins: os-rfc2136 1.8 `[3] <https://github.com/opnsense/plugins/blob/stable/23.1/dns/rfc2136/pkg-descr>`__
|
||||
* plugins: os-theme-cicada 1.33 (contributed by Team Rebellion)
|
||||
* plugins: os-theme-tucan 1.26 (contributed by Team Rebellion)
|
||||
* plugins: os-theme-vicuna 1.44 (contributed by Team Rebellion)
|
||||
* src: fix multiple OpenSSL vulnerabilities `[4] <FREEBSD:FreeBSD-SA-23:03.openssl>`__
|
||||
* src: pfsync: support deferring IPv6 packets
|
||||
* src: pfsync: add missing bucket lock
|
||||
* src: pfsync: ensure 'error' is always initialised
|
||||
* ports: filterlog 0.7 fixes unknown TCP option print
|
||||
* ports: lighttpd 1.4.69 `[5] <https://www.lighttpd.net/2023/2/10/1.4.69/>`__
|
||||
* ports: monit 5.33.0 `[6] <https://mmonit.com/monit/changes/>`__
|
||||
* ports: nss 3.88.1 `[7] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_88_1.html>`__
|
||||
* ports: openldap 2.6.4 `[8] <https://www.openldap.org/software/release/changes.html>`__
|
||||
* ports: openssh 9.2p1 `[9] <https://www.openssh.com/txt/release-9.2>`__
|
||||
* ports: php 8.1.16 `[10] <https://www.php.net/ChangeLog-8.php#8.1.16>`__
|
||||
* ports: phalcon 5.2.1 `[11] <https://github.com/phalcon/cphalcon/releases/tag/v5.2.1>`__
|
||||
* ports: sqlite 3.41.0 `[12] <https://sqlite.org/releaselog/3_41_0.html>`__
|
||||
* ports: strongswan 5.9.10 `[13] <https://github.com/strongswan/strongswan/releases/tag/5.9.10>`__
|
||||
* ports: sudo 1.9.13p2 `[14] <https://www.sudo.ws/stable.html#1.9.13p2>`__
|
||||
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
23.1.1 (February 15, 2023)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
Apart from security updates for operating system and third party software
|
||||
this mainly fixes issues with the initial 23.1 release. IPsec and Unbound
|
||||
components in particular receive a number of improvements being the more
|
||||
prominent areas of work for this series. Unbound also gained a SafeSearch
|
||||
option and the new reporting database CPU usage should be much lower and
|
||||
easier to use.
|
||||
|
||||
Overall we are happy with how the major release turned out and look forward
|
||||
to further fixes in e.g. Netmap framework including Suricata changes for
|
||||
multi-threading support which has been in the works for a long time. OpenVPN
|
||||
2.6 update and related changes are also pending at the moment.
|
||||
|
||||
The roadmap for 23.7 will be published soon and will again include a number
|
||||
of MVC/API conversions for static components. Statistics do indicate that we
|
||||
are over 60% done with converting the code base to a modern framework as
|
||||
compared to early 2015 which is now already over 8 years ago!
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* system: replace single exec_command() with new shell_safe() wrapper
|
||||
* system: fix assorted PHP 8.1 deprecation notes
|
||||
* system: remove overreaching "Reconfigure a plugin facility" cron job and backend command that has no visible users
|
||||
* interfaces: fix VLAN rename after protocol addition in 23.1
|
||||
* interfaces: fix VLAN missing a config lock on delete
|
||||
* interfaces: make description field show for all types of VIP (contributed by FingerlessGloves)
|
||||
* interfaces: allow VHID reuse as it was before 23.1
|
||||
* firewall: prevent possible infinite loop in alias parsing (contributed by kulikov-a)
|
||||
* firewall: do not calculate local port range for alias (contributed by kulikov-a)
|
||||
* firewall: update validation of alias names to be slightly more restrictive
|
||||
* firewall: safeguard download_geolite() and log errors
|
||||
* firewall: do not switch gateway on bootup
|
||||
* captive portal: enforce a database repair during operation if necessary
|
||||
* firmware: move single-call function reporter page
|
||||
* intrusion detection: properly reset metadata response when no metadata is found
|
||||
* ipsec: allow "@" character in eap_id fields for new connections
|
||||
* ipsec: missing remapping pool UUID to name for new connections
|
||||
* ipsec: change status column sizing and hide local/remote auth by default
|
||||
* ipsec: fix username parsing in lease status
|
||||
* ipsec: refactor widget to use new data format
|
||||
* ipsec: migrate duplicated cron job
|
||||
* ipsec: faulty unique constraint in pre-shared keys
|
||||
* ipsec: fix eap_id placement for eap-mschapv2
|
||||
* unbound: simplify logger logic for required queries
|
||||
* unbound: add SafeSearch option to blocklists
|
||||
* unbound: match white/blocklist action exactly from reporting page
|
||||
* unbound: always prioritize whitelists over blocklists
|
||||
* unbound: various UX improvements in reporting page
|
||||
* unbound: add serve-expired, log-servfail, log-local-actions and val-log-level advanced settings
|
||||
* unbound: drop unnecessary index from reporting database and other optimizations to lower CPU usage
|
||||
* unbound: add HTTPS record type to reporting
|
||||
* unbound: remember reporting page logarithmic setting
|
||||
* unbound: missing global so that cache is never flushed when requested
|
||||
* mvc: cleanse $record input in searchRecordsetBase() before usage
|
||||
* plugins: os-haproxy 4.1 `[1] <https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr>`__
|
||||
* plugins: os-openconnect 1.4.4 `[2] <https://github.com/opnsense/plugins/blob/stable/23.1/security/openconnect/pkg-descr>`__
|
||||
* plugins: os-qemu-guest-agent 1.2 `[3] <https://github.com/opnsense/plugins/blob/stable/23.1/emulators/qemu-guest-agent/pkg-descr>`__
|
||||
* plugins: os-tayga fixes MVC interface registration
|
||||
* plugins: os-wireguard fixes MVC interface registration
|
||||
* src: geli: split the initalization of HMAC `[4] <FREEBSD:FreeBSD-SA-23:01.geli>`__
|
||||
* src: fix ena driver crash after reset in 7th gen AWS instance types `[5] <FREEBSD:FreeBSD-EN-23:03.ena>`__
|
||||
* src: fix sdhci broken write-protect settings `[6] <FREEBSD:FreeBSD-EN-23:02.sdhci>`__
|
||||
* src: import tzdata 2022g `[7] <FREEBSD:FreeBSD-EN-23:01.tzdata>`__
|
||||
* src: ipsec: clear pad bytes in PF_KEY messages
|
||||
* src: fib_algo: set vnet when destroying algo instance
|
||||
* src: if_ipsec: handle situations where there are no policy or SADB entry for if
|
||||
* src: if_ipsec: protect against user supplying unknown address family
|
||||
* src: if_me: use dedicated network privilege
|
||||
* src: vxlan: add support for socket ioctls SIOC[SG]TUNFIB
|
||||
* src: introduce and use the NET_EPOCH_DRAIN_CALLBACKS() macro
|
||||
* src: iflib: Add null check to iflib_stop()
|
||||
* src: x86: ignore stepping for APL30 errata
|
||||
* src: pfctl: rule.label is a two-dimensional array
|
||||
* src: pf: fix syncookies in conjunction with tcp fast port reuse
|
||||
* src: pf: fix panic on deferred packets
|
||||
* src: ipfw: Add missing 'va' code point name
|
||||
* src: netmap: try to count packet drops in emulated mode
|
||||
* src: netmap: fix a queue length check in the generic port rx path
|
||||
* src: netmap: tell the compiler to avoid reloading ring indices
|
||||
* ports: remove GnuTLS workarounds from ports previously required for LibreSSL
|
||||
* ports: dnsmasq 2.89 `[8] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
|
||||
* ports: dpinger 3.3 `[9] <https://github.com/dennypage/dpinger/releases/tag/v3.3>`__
|
||||
* ports: lighttpd 1.4.68 `[10] <https://www.lighttpd.net/2023/1/3/1.4.68/>`__
|
||||
* ports: openssh 9.1p1 `[11] <https://www.openssh.com/txt/release-9.1>`__
|
||||
* ports: openssl 1.1.1t `[12] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
|
||||
* ports: php 8.1.15 `[13] <https://www.php.net/ChangeLog-8.php#8.1.15>`__
A hotfix release was issued as 23.1.1_2:
* captive portal: remove mod_evasion use which was discontinued by lighttpd
|
||||
* unbound: wait for pipe in logger (contributed by kulikov-a)
Rate limiting was removed from the captive portal; it was previously set to 250
|
||||
connections by the same IP to the captive portal itself. This can be
|
||||
easily replaced by a manual firewall rule with advanced options set, e.g.
|
||||
"Max established" set to 250 with destination "This Firewall". Until such a rule is in place, connections from a single IP to the portal are no longer capped.
--------------------------------------------------------------------------
23.1 (January 26, 2023)
--------------------------------------------------------------------------
For more than 8 years now, OPNsense has been driving innovation through
|
||||
modularising and hardening the open source firewall, with simple
|
||||
and reliable firmware upgrades, multi-language support, fast adoption
|
||||
of upstream software updates as well as clear and stable 2-Clause BSD
|
||||
licensing.
23.1, nicknamed "Quintessential Quail", features Unbound DNS statistics with
|
||||
a blocklist rewrite in Python, improved WAN SLAAC operability, firewall
|
||||
alias BGP ASN type support, PHP 8.1, assorted FreeBSD networking updates,
|
||||
MVC/API pages for packet capture/virtual IPs/IPsec connection management,
|
||||
IPsec configuration file migration to swanctl.conf, new sslh plugin, ddclient
|
||||
custom backend support (including Azure), WireGuard kernel module plugin
|
||||
variant as the new default plus much more.
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
||||
can be found below as well. Verify the SHA256 checksum of a downloaded image against the listed value before installing it.
* Europe: https://opnsense.c0urier.net/releases/23.1/
|
||||
* US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/
|
||||
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/
|
||||
* South America: http://mirror.ueb.edu.ec/opnsense/releases/23.1/ (plain HTTP mirror; rely on the checksums below to verify what you download)
|
||||
* East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.1/
|
||||
* Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 22.7.11:
* system: replaced log_error() use with log_msg() and adjusted logging levels accordingly
|
||||
* system: introduced a service boot log
|
||||
* system: the LibreSSL flavour has been discontinued
|
||||
* system: simplify gateway monitoring setup code
|
||||
* system: add option to skip gateway monitor host route
|
||||
* system: populate /etc/hosts file with IPv6 addresses too
|
||||
* system: simplify and guard host route creation
|
||||
* system: merge system_staticroutes_configure() into system_routing_configure()
|
||||
* system: do not yield process after calling shutdown command
|
||||
* system: apply tunables during late boot in case a module was loaded depending on them to be set to a specific value
|
||||
* system: show size of ZFS ARC (adaptive replacement cache) in system widget
|
||||
* system: introduce support tier annotations for core and plugins `[2] <https://docs.opnsense.org/support.html>`__
|
||||
* system: add cron tasks for scrubbing and trimming ZFS pools (contributed by Iain Henderson)
|
||||
* system: fix 6rd/6to4 gateway interface detection (contributed by Frans J Elliott)
|
||||
* reporting: add Unbound DNS statistics frontend including client drill-down
|
||||
* interfaces: heavy cleanup of the wireless device integration
|
||||
* interfaces: use 802.1ad protocol for stacked VLAN parent (QinQ)
|
||||
* interfaces: GIF and GRE now support subnet-based IPv6 configurations instead of always falling back to a point-to-point (/128) setup
|
||||
* interfaces: GIF and GRE now disable IPv6 on IPv4 tunnels (contributed by Maurice Walker)
|
||||
* interfaces: add isolated PPPoEv6 mode to selectively enable IPv6 CP negotiation and turn it off when no IPv6 mode is set
|
||||
* interfaces: add support for SLAAC WAN interfaces without DHCPv6 (contributed by Maurice Walker)
|
||||
* interfaces: register LAGG, PPP, VLAN and wireless devices as plugins
|
||||
* interfaces: simplified get_real_interface() function
|
||||
* interfaces: removed obsolete "defaultgw" files
|
||||
* interfaces: simplified rc.linkup script
|
||||
* interfaces: improve IP address cache behaviour in rc.newwanip(v6) scripts
|
||||
* interfaces: converted virtual IPs to MVC/API
|
||||
* interfaces: add MAC filtering to packet capture
|
||||
* interfaces: convert ARP/NDP pages to server-side searchable variant
|
||||
* interfaces: create null route for DHCPv6 delegated prefix
|
||||
* interfaces: tighten the concept of hardware interfaces and pull supported plugin devices into assignments page automatically
|
||||
* firewall: remove deprecated "Dynamic state reset" mechanic
|
||||
* firewall: invalidate port forward rule entry when no target is specified
|
||||
* firewall: hide deprecated source OS rule setting under advanced
|
||||
* firewall: add group option to prevent grouping in interfaces menu
|
||||
* firewall: safeguard against missing name from the alias API call
|
||||
* intrusion detection: keep grid to prevent widgets being removed
|
||||
* intrusion detection: reload grid after log drop (contributed by kulikov-a)
|
||||
* intrusion detection: add verbose logging mode selector
|
||||
* ipsec: disable charon.install_routes completely in case upstream implements it for FreeBSD later on
|
||||
* ipsec: move user PSK (pre-shared key) and static PSK items to new MVC/API implementation
|
||||
* ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
|
||||
* ipsec: add a new independent connections MVC/API component to manage IPsec in a layout matching swanctl.conf syntax more closely
|
||||
* ipsec: rewrote lease status page in MVC/API
|
||||
* ipsec: add configurable "unique" setting to phase 1
|
||||
* ipsec: missing correct phase 1 to collect "Network List" option
|
||||
* monit: support start timeout setting (contributed by spoutin)
|
||||
* openvpn: add unique daemon name to each instance
|
||||
* unbound: add statistics database backend
|
||||
* unbound: add exact domain blocking
|
||||
* mvc: call plugins_interfaces() optionally on service reconfigure
|
||||
* mvc: match UUID for multiple values (contributed by kulikov-a)
|
||||
* mvc: convert setBase() to an upsert operation
|
||||
* mvc: change default sorting to case-insensitive
|
||||
* mvc: add TextField tests (contributed by agh1467)
|
||||
* mvc: implement required getRealInterface() variant
|
||||
* ui: assorted improvements in bootgrid and form controls
|
||||
* ui: switch to pure JSON data in bootgrids
|
||||
* plugins: os-bind 1.25 `[3] <https://github.com/opnsense/plugins/blob/stable/23.1/dns/bind/pkg-descr>`__
|
||||
* plugins: os-ddclient 1.11 `[4] <https://github.com/opnsense/plugins/blob/stable/23.1/dns/ddclient/pkg-descr>`__
|
||||
* plugins: os-dyndns end of life note moves to 23.7
|
||||
* plugins: os-freeradius 1.9.22 `[5] <https://github.com/opnsense/plugins/blob/stable/23.1/net/freeradius/pkg-descr>`__
|
||||
* plugins: os-frr 1.32 `[6] <https://github.com/opnsense/plugins/blob/stable/23.1/net/frr/pkg-descr>`__
|
||||
* plugins: os-haproxy 4.0 `[7] <https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr>`__
|
||||
* plugins: os-puppet-agent 1.1 `[8] <https://github.com/opnsense/plugins/blob/stable/23.1/sysutils/puppet-agent/pkg-descr>`__
|
||||
* plugins: os-sslh 1.0 `[9] <https://github.com/opnsense/plugins/blob/stable/23.1/net/sslh/pkg-descr>`__ (contributed by agh1467)
|
||||
* plugins: os-theme-cicada 1.32 (contributed by Team Rebellion)
|
||||
* plugins: os-upnp 1.5 `[10] <https://github.com/opnsense/plugins/blob/stable/23.1/net/upnp/pkg-descr>`__
|
||||
* plugins: os-wireguard switches to kernel module with a separate os-wireguard-go variant available for installation to keep the old behaviour
|
||||
* src: assorted FreeBSD 13 stable fixes for e.g. bpf, bridge, bsdinstall ifconfig, iflib, ipfw, ipsec, lagg, netmap, pf, route and vlan components
|
||||
* ports: php 8.1.14 `[11] <https://www.php.net/ChangeLog-8.php#8.1.14>`__
|
||||
* ports: sudo 1.9.12p2 `[12] <https://www.sudo.ws/stable.html#1.9.12p2>`__
A hotfix release was issued as 23.1_6:
* system: incorrect link to CARP status page on dashboard widget
|
||||
* reporting: bail DNS resolve in traffic graphs when resolver is not configured
|
||||
* captive portal: for static MAC assignments make sure that the IP address actually changed before updating it
|
||||
* ipsec: missing a bracket for aggressive mode selection
|
||||
* ipsec: mute a spurious boot warning
|
||||
* ipsec: myid may be optional
|
||||
* plugins: os-bind fix plugin directory path
|
||||
* plugins: os-ddclient minor PHP fix
|
||||
* plugins: os-frr allow restart via cron
|
||||
* plugins: os-nut wrong user for latest port
|
||||
* plugins: os-upnp typo in log level
|
||||
* plugins: os-wireguard service widget fix
Migration notes, known issues and limitations:
* LibreSSL flavour has been discontinued. Switch to OpenSSL flavour to proceed with the upgrade.
|
||||
* StrongSwan IPsec configuration now uses the preferred swanctl.conf instead of the deprecated ipsec.conf, which could lead to connectivity issues in ambiguous cases. Subtle bugs cannot be ruled out either, so please raise an issue on GitHub so that each case can be investigated.
|
||||
* The new IPsec connections pages and API create an independent set of connections following the design of swanctl.conf. Legacy tunnel settings cannot be managed from the API and are not migrated.
The public key for the 23.1 series is shown below; verify it against a trusted copy rather than relying on this page alone:
.. code-block::
# -----BEGIN PUBLIC KEY-----
|
||||
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4J0k7cPtunUYiR4vbRof
|
||||
# AiNTnkkByaWpjTeKneR/CBAaImUxpED5EnFprwM0mm4BX3Vqkf1KYQtRSawNxeXz
|
||||
# NiPT5Ykv0Vus0tYafBzIPsOCdUz/gtuJmtjih0uNvFSdwDRNE42MpX2RFeTm652H
|
||||
# fNE5Rxv23liLYdm3RNDFcM7tJEMs+zr01Lrn3McDv4OUACl3YTwFKS1BJGkBqpDI
|
||||
# gX1HsJMz934zNItrLxj6B2tDIR4oGrqowzW+1owT4+a8EoaimY48RAb8AUWezAZu
|
||||
# tQcGQ0wuZ8qy2WClYvrogsmAEUpfv1Y0YcSfpdxopOx4KyE0KEzAooRF95iFLu94
|
||||
# PODk1oPTr0N9qXn7XsLkpaufk+EpNecZSvbqrj3IWMyCLEBO60YuFpcFFI6SVJBC
|
||||
# i5OG7JVQaE8hu4CY50tMOO0M54umM8lPIOW8AuIH2PlmQWJ4tPb7j8HHnV1cM1Sf
|
||||
# Ha/EAJQlKEEyj4hbzSb6aKATv++qvh4jwgADsTsDtbCrtxrcBV7i+iLUM7DdxrPZ
|
||||
# QnLELdJPjyFxtClzi4Tf1svrF5K6NGd/nJQ1pLSkM64dKPA0iTiMMzjQMHnN8++G
|
||||
# UdhRzswRZ/BtB8ha1ZRRvnEHe+tcEtsXFZZSTgcR60lXlZzPY/0h+xfbgOApYlqq
|
||||
# MIMJsdvZkuxYrGQ5eL2nk0UCAwEAAQ==
|
||||
# -----END PUBLIC KEY-----
.. code-block::
# SHA256 (OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2) = f25c10113ef1ea13c031fc6102f8e6caf73a7296b12bcc287670026cab29c7c7
|
||||
# SHA256 (OPNsense-23.1-OpenSSL-nano-amd64.img.bz2) = 74ec824288adde409074f6855cb0110b860d0b28c33fbd6a30f12473a5e97d54
|
||||
# SHA256 (OPNsense-23.1-OpenSSL-serial-amd64.img.bz2) = 2b0ea23de4d09eed952f074e561d55b06b5d323bf9d68a2eae34c3118c304318
|
||||
# SHA256 (OPNsense-23.1-OpenSSL-vga-amd64.img.bz2) = 13b9f31651aa165862965566238eaecf66563a3b037fb7f8912a6d0440170bdb
--------------------------------------------------------------------------
23.1.r2 (January 19, 2023)
--------------------------------------------------------------------------
Only a small number of fixes and the usual third-party updates.
Still on track for January 26. See you then...
Here are the full patch notes:
* system: introduce support tier annotations for core and plugins
|
||||
* system: add cron tasks for scrubbing and trimming ZFS pools (contributed by Iain Henderson)
|
||||
* system: fix 6rd/6to4 gateway interface detection (contributed by Frans J Elliott)
|
||||
* interfaces: further simplify get_real_interface()
|
||||
* interfaces: correct PPPoEv6 device lookup
|
||||
* reporting: add Unbound DNS drill-down for client graph
|
||||
* mvc: implement required getRealInterface() variant
|
||||
* plugins: os-haproxy 4.0 `[1] <https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr>`__
|
||||
* ports: curl 7.87.0 `[2] <https://curl.se/changes.html#7_87_0>`__
|
||||
* ports: nss 3.87 `[3] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html>`__
|
||||
* ports: pcre 10.42 `[4] <https://www.pcre.org/changelog.txt>`__
|
||||
* ports: phalcon 5.1.4 `[5] <https://github.com/phalcon/cphalcon/releases/tag/v5.1.4>`__
|
||||
* ports: php 8.1.14 `[6] <https://www.php.net/ChangeLog-8.php#8.1.14>`__
|
||||
* ports: strongswan 5.9.9 `[7] <https://github.com/strongswan/strongswan/releases/tag/5.9.9>`__
|
||||
* ports: unbound 1.17.1 `[8] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1>`__
--------------------------------------------------------------------------
23.1.r1 (January 13, 2023)
--------------------------------------------------------------------------
For more than 8 years now, OPNsense has been driving innovation through
|
||||
modularising and hardening the open source firewall, with simple
|
||||
and reliable firmware upgrades, multi-language support, fast adoption
|
||||
of upstream software updates as well as clear and stable 2-Clause BSD
|
||||
licensing.
We thank all of you for helping test, shape and contribute to the project!
|
||||
We know it would not be the same without you. <3
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
||||
can be found below as well. Verify the SHA256 checksum of a downloaded image against the listed value before installing it.
* Europe: https://opnsense.c0urier.net/releases/23.1/
|
||||
* US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/
|
||||
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/
|
||||
* South America: http://mirror.ueb.edu.ec/opnsense/releases/23.1/ (plain HTTP mirror; rely on the checksums below to verify what you download)
|
||||
* East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.1/
|
||||
* Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 22.7.10:
* system: replaced log_error() use with log_msg() and adjusted logging levels accordingly
|
||||
* system: introduced a service boot log
|
||||
* system: the LibreSSL flavour has been discontinued
|
||||
* system: simplify gateway monitoring setup code
|
||||
* system: add option to skip gateway monitor host route
|
||||
* system: populate /etc/hosts file with IPv6 addresses too
|
||||
* system: simplify host route creation
|
||||
* system: merge system_staticroutes_configure() into system_routing_configure()
|
||||
* system: do not yield process after calling shutdown command
|
||||
* system: apply tunables during late boot in case a module was loaded depending on them to be set to a specific value
|
||||
* system: show size of ZFS ARC (adaptive replacement cache) in system widget
|
||||
* interfaces: heavy cleanup of the wireless device integration
|
||||
* interfaces: use 802.1ad protocol for stacked VLAN parent (QinQ)
|
||||
* interfaces: GIF and GRE now support subnet-based IPv6 configurations instead of always falling back to a point-to-point (/128) setup
|
||||
* interfaces: GIF and GRE now disable IPv6 on IPv4 tunnels (contributed by Maurice Walker)
|
||||
* interfaces: add PPPoEv6 mode to prevent IPv6 CP negotiation over PPPoE in other IPv6 modes
|
||||
* interfaces: add support for SLAAC WAN interfaces without DHCPv6 (contributed by Maurice Walker)
|
||||
* interfaces: register LAGG, PPP, VLAN and wireless devices as plugins
|
||||
* interfaces: simplified get_real_interface() function
|
||||
* interfaces: removed obsolete "defaultgw" files
|
||||
* interfaces: simplified rc.linkup script
|
||||
* interfaces: improve IP address cache behaviour in rc.newwanip(v6) scripts
|
||||
* interfaces: converted virtual IPs to MVC/API
|
||||
* interfaces: add MAC filtering to packet capture
|
||||
* interfaces: convert ARP/NDP pages to server-side searchable variant
|
||||
* interfaces: create null route for DHCPv6 delegated prefix
|
||||
* interfaces: tighten the concept of hardware interfaces and pull supported plugin devices into assignments page automatically
|
||||
* firewall: remove deprecated "Dynamic state reset" mechanic
|
||||
* firewall: invalidate port forward rule entry when no target is specified
|
||||
* firewall: show automated "port 0" rule as actual port "0" on PHP 8
|
||||
* firewall: hide deprecated source OS rule setting under advanced
|
||||
* reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics
|
||||
* intrusion detection: keep grid to prevent widgets being removed
|
||||
* intrusion detection: reload grid after log drop (contributed by kulikov-a)
|
||||
* ipsec: disable charon.install_routes completely in case upstream implements it for FreeBSD later on
|
||||
* ipsec: move user PSK (pre-shared key) and static PSK items to new MVC/API implementation
|
||||
* ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
|
||||
* ipsec: add a new independent connections MVC/API component to manage IPsec in a layout matching swanctl.conf syntax more closely
|
||||
* ipsec: rewrote lease status page in MVC/API
|
||||
* ipsec: add configurable "unique" setting to phase 1
|
||||
* monit: support start timeout setting (contributed by spoutin)
|
||||
* openvpn: add unique daemon name to each instance
|
||||
* unbound: add DNS statistics collector and reporting frontend
|
||||
* unbound: safeguard retrieval of blocklist shortcode
|
||||
* unbound: add exact domain blocking
|
||||
* mvc: call plugins_interfaces() optionally on service reconfigure
|
||||
* mvc: match UUID for multiple values (contributed by kulikov-a)
|
||||
* mvc: convert setBase() to an upsert operation
|
||||
* mvc: change default sorting to case-insensitive
|
||||
* mvc: fix IntegerField minimum value (contributed by xbb)
|
||||
* mvc: add TextField tests (contributed by agh1467)
|
||||
* ui: assorted improvements in bootgrid and form controls
|
||||
* ui: switch to pure JSON data in bootgrids
|
||||
* plugins: os-acme-client 3.15 `[2] <https://github.com/opnsense/plugins/blob/stable/23.1/security/acme-client/pkg-descr>`__
|
||||
* plugins: os-bind 1.25 `[3] <https://github.com/opnsense/plugins/blob/stable/23.1/dns/bind/pkg-descr>`__
|
||||
* plugins: os-ddclient 1.11 `[4] <https://github.com/opnsense/plugins/blob/stable/23.1/dns/ddclient/pkg-descr>`__
|
||||
* plugins: os-dyndns end of life note moves to 23.7
|
||||
* plugins: os-freeradius 1.9.22 `[5] <https://github.com/opnsense/plugins/blob/stable/23.1/net/freeradius/pkg-descr>`__
|
||||
* plugins: os-upnp 1.5 `[6] <https://github.com/opnsense/plugins/blob/stable/23.1/net/upnp/pkg-descr>`__
|
||||
* plugins: os-stunnel fixes missing include in certificate script
|
||||
* plugins: os-wireguard switches to kernel module with a separate os-wireguard-go variant available for installation to keep the old behaviour
|
||||
* plugins: os-sslh 1.0 `[7] <https://github.com/opnsense/plugins/blob/stable/23.1/net/sslh/pkg-descr>`__ (contributed by agh1467)
|
||||
* src: assorted FreeBSD 13 stable fixes for e.g. bpf, bridge, bsdinstall ifconfig, iflib, ipfw, ipsec, lagg, netmap, pf, route and vlan components
|
||||
* ports: php 8.1.13 `[8] <https://www.php.net/ChangeLog-8.php#8.1.13>`__
|
||||
* ports: sqlite 3.40.1 `[9] <https://sqlite.org/releaselog/3_40_1.html>`__
Migration notes, known issues and limitations:
* LibreSSL flavour has been discontinued. Switch to OpenSSL flavour to proceed with the upgrade.
|
||||
* StrongSwan IPsec configuration now uses the preferred swanctl.conf instead of the deprecated ipsec.conf, which could lead to connectivity issues in ambiguous cases. Subtle bugs cannot be ruled out either, so please raise an issue on GitHub so that each case can be investigated.
|
||||
* The new IPsec connections pages and API create an independent set of connections following the design of swanctl.conf. Legacy tunnel settings cannot be managed from the API and are not migrated.
The public key for the 23.1 series is shown below; verify it against a trusted copy rather than relying on this page alone:
.. code-block::
# -----BEGIN PUBLIC KEY-----
|
||||
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4J0k7cPtunUYiR4vbRof
|
||||
# AiNTnkkByaWpjTeKneR/CBAaImUxpED5EnFprwM0mm4BX3Vqkf1KYQtRSawNxeXz
|
||||
# NiPT5Ykv0Vus0tYafBzIPsOCdUz/gtuJmtjih0uNvFSdwDRNE42MpX2RFeTm652H
|
||||
# fNE5Rxv23liLYdm3RNDFcM7tJEMs+zr01Lrn3McDv4OUACl3YTwFKS1BJGkBqpDI
|
||||
# gX1HsJMz934zNItrLxj6B2tDIR4oGrqowzW+1owT4+a8EoaimY48RAb8AUWezAZu
|
||||
# tQcGQ0wuZ8qy2WClYvrogsmAEUpfv1Y0YcSfpdxopOx4KyE0KEzAooRF95iFLu94
|
||||
# PODk1oPTr0N9qXn7XsLkpaufk+EpNecZSvbqrj3IWMyCLEBO60YuFpcFFI6SVJBC
|
||||
# i5OG7JVQaE8hu4CY50tMOO0M54umM8lPIOW8AuIH2PlmQWJ4tPb7j8HHnV1cM1Sf
|
||||
# Ha/EAJQlKEEyj4hbzSb6aKATv++qvh4jwgADsTsDtbCrtxrcBV7i+iLUM7DdxrPZ
|
||||
# QnLELdJPjyFxtClzi4Tf1svrF5K6NGd/nJQ1pLSkM64dKPA0iTiMMzjQMHnN8++G
|
||||
# UdhRzswRZ/BtB8ha1ZRRvnEHe+tcEtsXFZZSTgcR60lXlZzPY/0h+xfbgOApYlqq
|
||||
# MIMJsdvZkuxYrGQ5eL2nk0UCAwEAAQ==
|
||||
# -----END PUBLIC KEY-----
Please let us know about your experience!
.. code-block::
# SHA256 (OPNsense-23.1.r1-OpenSSL-dvd-amd64.iso.bz2) = ed7d61d0107536c3095526d74c9d4e3b44cb86a7d8896bb51d65eccfd0a2056d
|
||||
# SHA256 (OPNsense-23.1.r1-OpenSSL-nano-amd64.img.bz2) = 66269b2eb434476d437cbf705af25b938e5d17436727eee565dd5e88fe8e6247
|
||||
# SHA256 (OPNsense-23.1.r1-OpenSSL-serial-amd64.img.bz2) = ca6676ae825241190e63b4fbedd8e727b28011fa484c35c1ef1e68e0355b1f4b
|
||||
# SHA256 (OPNsense-23.1.r1-OpenSSL-vga-amd64.img.bz2) = 5a4a8ec5f248484890d569b89f2fd1e29470bb95996c48def20686648e279f77