11.2opnsenseDisable the pf ftp proxy handler.debug.pfftpproxydefaultIncrease UFS read-ahead speeds to match current state of hard drives and NCQ. More information here: http://ivoras.sharanet.org/blog/tree/2010-11-19.ufs-read-ahead.htmlvfs.read_maxdefaultSet the ephemeral port range to be lower.net.inet.ip.portrange.firstdefaultDrop packets to closed TCP ports without returning a RSTnet.inet.tcp.blackholedefaultDo not send ICMP port unreachable messages for closed UDP portsnet.inet.udp.blackholedefaultRandomize the ID field in IP packets (default is 0: sequential IP IDs)net.inet.ip.random_iddefault
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
net.inet.ip.sourceroutedefault
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
net.inet.ip.accept_sourceroutedefault
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
packets without returning a response.
net.inet.icmp.drop_redirectdefault
This option turns off the logging of redirect packets because there is no limit and this could fill
up your logs consuming your whole hard drive.
net.inet.icmp.log_redirectdefaultDrop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)net.inet.tcp.drop_synfindefaultEnable sending IPv4 redirectsnet.inet.ip.redirectdefaultEnable sending IPv6 redirectsnet.inet6.ip6.redirectdefaultEnable privacy settings for IPv6 (RFC 4941)net.inet6.ip6.use_tempaddrdefaultPrefer privacy addresses and use them over the normal addressesnet.inet6.ip6.prefer_tempaddrdefaultGenerate SYN cookies for outbound SYN-ACK packetsnet.inet.tcp.syncookiesdefaultMaximum incoming/outgoing TCP datagram size (receive)net.inet.tcp.recvspacedefaultMaximum incoming/outgoing TCP datagram size (send)net.inet.tcp.sendspacedefaultIP Fastforwardingnet.inet.ip.fastforwardingdefaultDo not delay ACK to try and piggyback it onto a data packetnet.inet.tcp.delayed_ackdefaultMaximum outgoing UDP datagram sizenet.inet.udp.maxdgramdefaultHandling of non-IP packets which are not passed to pfil (see if_bridge(4))net.link.bridge.pfil_onlyipdefaultSet to 0 to disable filtering on the incoming and outgoing member interfaces.net.link.bridge.pfil_memberdefaultSet to 1 to enable filtering on the bridge interfacenet.link.bridge.pfil_bridgedefaultAllow unprivileged access to tap(4) device nodesnet.link.tap.user_opendefaultRandomize PIDs (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())kern.randompiddefaultMaximum size of the IP input queuenet.inet.ip.intr_queue_maxlendefaultDisable CTRL+ALT+Delete reboot from keyboard.hw.syscons.kbd_rebootdefaultEnable TCP extended debuggingnet.inet.tcp.log_debugdefaultSet ICMP Limitsnet.inet.icmp.icmplimdefaultTCP Offload Enginenet.inet.tcp.tsodefaultUDP Checksumsnet.inet.udp.checksumdefaultMaximum socket buffer sizekern.ipc.maxsockbufdefaultnormalOPNsenselocaldomainadminsSystem Administratorssystem19990page-allrootSystem Administratorsystemadmins$6$$Y8Et6wWDdXO2tJZRabvSfQvG2Lc8bAS6D9COIsMXEJ2KjA27wqDuAyd/CdazBQc3H3xQX.JXMKxJeRz2OqTkl.0user-shell-access20002000Europe/Amsterdam0.nl.pool.ntp.orghttps56b0bd0633772yes1hadphadphadpmonthly115200serialenabled11en_USnonenonenonenone1em1WAN11172.10.2.116WANGW1em0LAN192.168.2.124track601192.168.2.100192.168.2.199192.168.2.1publicautomaticpasswaninetkeep stateIPsec ESPIPsec Tunnelsesp1waniproot@192.168.2.100/firewall_rules_edit.php made changesroot@192.168.2.100/firewall_rules_edit.php made changespasswaninetkeep stateIPsec ISAKMPIPsec Tunnelsudp1wanip500root@192.168.2.100/firewall_rules_edit.php made changesroot@192.168.2.100/firewall_rules_edit.php made changespasswaninetkeep stateIPsec NAT-TIPsec Tunnelsudp1wanip4500root@192.168.2.100/firewall_rules_edit.php made changesroot@192.168.2.100/firewall_rules_edit.php made changespassinetDefault allow LAN to any rulelanlanpassinet6Default allow LAN IPv6 to any rulelanlanpassenc0inetkeep stateIPSec Allow Access to LAN NetIPsec Tunnels1lanroot@192.168.2.100/firewall_rules_edit.php made changesroot@192.168.2.100/firewall_rules_edit.php made changes1,310-5***rootadjkerntz -a131**root/usr/local/etc/rc.update_bogons*/60****root/usr/local/sbin/expiretable -v -t 3600 sshlockout11***root/usr/local/etc/rc.dyndns.update*/60****root/usr/local/sbin/expiretable -v -t 3600 virusprot3012***root/usr/local/etc/rc.update_urltablesICMPicmpICMPTCPtcpGeneric TCPHTTPhttpGeneric HTTP/200HTTPShttpsGeneric HTTPS/200SMTPsendGeneric SMTP220 *system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,interface_statistics-container:col1:close,interface_list-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:closeroot@192.168.2.100/system_gateways_edit.php made changes56b0bd0633772webConfigurator defaultLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZiekNDQTFlZ0F3SUJBZ0lKQUtFRFdCN2RacjdsTUEwR0NTcUdTSWIzRFFFQkN3VUFNRTR4Q3pBSkJnTlYKQkFZVEFrNU1NUlV3RXdZRFZRUUlEQXhhZFdsa0xVaHZiR3hoYm1ReEZUQVRCZ05WQkFjTURFMXBaR1JsYkdoaApjbTVwY3pFUk1BOEdBMVVFQ2d3SVQxQk9jMlZ1YzJVd0hoY05NVFl3TWpBeU1UUXlPRE13V2hjTk1UY3dNakF4Ck1UUXlPRE13V2pCT01Rc3dDUVlEVlFRR0V3Sk9UREVWTUJNR0ExVUVDQXdNV25WcFpDMUliMnhzWVc1a01SVXcKRXdZRFZRUUhEQXhOYVdSa1pXeG9ZWEp1YVhNeEVUQVBCZ05WQkFvTUNFOVFUbk5sYm5ObE1JSUNJakFOQmdrcQpoa2lHOXcwQkFRRUZBQU9DQWc4QU1JSUNDZ0tDQWdFQXJOcG93a3ZIUnhrZ1hTbHQxRmhOL3RCZnRRRW05OElnClU3ZG5SdjhQVk5IVWVnaHRnZjlGL3ZyV3V0cEJ0MzkvQWY2bk45WG5tRjdqUGVBZU5PRXN4VVhBKzFwZ0FsNFgKYlJQdm1seHZJU2lnZDRKR21KMnJHNE14cGM1T1pMbzZaTzgzNDIwZzRLVGFMSUs2L0ptY1YrUFc4dWJxLzJzTQpVcy9Cc0lERUxWUGlzRUJzc08vczE0UmRWZ1RvVG03Q1dzRVFEUlRBd3RpOVVCbVZEWmFKVDd6NDJpTXdaQm9uClNVc05MRTkvVWg5aVYzWlRrSXM0UDdNOVBUc3ZtM2M3QzFhNUZIbkozaVNQR09NaUNjSERzVnRvbUc5ckR2ejAKNFk1Nkd2akorTnJzVG5WcE9yTTBMUEdUYzUvVkdLWkd6R1lOcFR1NG1zS0hIYXFzeEowd2Z0L2JYNWVZSTVBcQpBWEVGcFNJZldpVnQ5eTZ0Wlg2V3JuZFRrdGY0MHJHU2VleFBhdUNycW1nNjhaTTQ3T0lubEJZa2Y1SnRTT1BjCmtKd0dSWjgyL1ZBcG9LY2Izb2M2dlJ6OThnUk9jcXp6anV4WjhJN2lUemRzdFNFQ2NtT0xMR29ObGM1TkFyNVUKNGJndzVLRURSVFV1OGxtYUQ5bFVKUkFrdG93SGYvRUsyVDNrMTNJR2tJZGNDWTN5TWpEcU9KdktKWWZMdU5CMQpvVGJWWUI2ajlxMzc3MjVxYVhubG9SaXV0N3cxWktKVXZJUGFXMXlsK3p6RndMU3ZtbndvcFdLVFlqamlOZmVJCm5Pazdob0ZVYzg3Q1o2MXluMk9FS2JaWlZ6L1k5TElFM2E0UHNZT0FrYVdnekhKQVlyMTNucVYxWW9WYkdqeHEKY25SMUZUSTNCSWtDQXdFQUFhTlFNRTR3SFFZRFZSME9CQllFRkZBK0o5UlNIZ1JKeW1XMmFnVUQvUmhPWnhFNQpNQjhHQTFVZEl3UVlNQmFBRkZBK0o5UlNIZ1JKeW1XMmFnVUQvUmhPWnhFNU1Bd0dBMVVkRXdRRk1BTUJBZjh3CkRRWUpLb1pJaHZjTkFRRUxCUUFEZ2dJQkFJelFDSDJES1luM0puaDBUVWFNejZBbmZtcHFKbDNra0VsKzhqYXYKelFqZ1RIQmJSSzRiQTZWNmRwUXZKOWhlS1pDRGVubVM3QWxaMlB4MWp5UFdTQllCRkc1MTNIQWF1NjVjWXdJUApPb2Myb0NzZzg3eFlnbXRMZ1ZJbk1VYkdtenFuUmdXQTdzclBJZ3ZKNDJCZWhuU29nRlBpVW1hbnRaYTNkYVVVCkg1OTNsME0xRkpTWm9WbUxMZkx2aEtXdUN6ZWp0RWFaYmdtS1dhNHBnZ3Y5NG93NEt3YjlsRVdVNnl4emNjU0QKbTc2K2JzTHRia2lVYTFKdTJjbFRyaG1WWVZkZ1loamlsV0tEdUx6UHJXNnorZHF6Tkk1d3YzRHJ2SHF0Tm5aTgpaNjBBWmsrUlpHZHhYM0lFazRWeUVKeG9hUXI2UkxhU0J2cTYxMk9NYmFMaERteWJvbHBNRW9sR28zRFRURmt4CkN3cE8ybkx4ZStYTjNNc3VMZWMwUWRaeGE2OE1Ca2ZuUFVEcENYSWdvSHhJNzBtUUt0QmVkUUg4RjJwNkNsUG4KeDFpREpWOGhJM2Z4TWpGOUR3OE12TC9XWkxRMUVOWXlzQjZoeHFtVWJpcXlNcDhuT1NtdmQrb3dmOW9Ub1FGcwpOdTQxOVEwejNER1NlSXlxZGdDdWdzZnE2eGtwbTQ1bnBKbnlRN1FuY3EvdFgyNjY2UTc3eVlLdTd2ZmFiMUxrCkljZ0dkRGl2cVFyZDVpa1FCVHZYSmFiVkE2cFlZaFdxcENKUVRGL3N6cW9vNzNTbVFGbWJrdWRBMG42dHpLb1MKK1A2ZEJBV0gybml6bkI3RFJKWno5L2R2aU9LWHVHN010K09GN2lGWk9Na0xqZGtVbC9QS0lQZ25XZ1JSUDM3QQozU3FlCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpSQUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1M0d2dna3FBZ0VBQW9JQ0FRQ3MybWpDUzhkSEdTQmQKS1czVVdFMyswRisxQVNiM3dpQlR0MmRHL3c5VTBkUjZDRzJCLzBYKyt0YTYya0czZjM4Qi9xYzMxZWVZWHVNOQo0QjQwNFN6RlJjRDdXbUFDWGhkdEUrK2FYRzhoS0tCM2drYVluYXNiZ3pHbHprNWt1anBrN3pmamJTRGdwTm9zCmdycjhtWnhYNDlieTV1ci9hd3hTejhHd2dNUXRVK0t3UUd5dzcrelhoRjFXQk9oT2JzSmF3UkFORk1EQzJMMVEKR1pVTmxvbFB2UGphSXpCa0dpZEpTdzBzVDM5U0gySlhkbE9RaXpnL3N6MDlPeStiZHpzTFZya1VlY25lSkk4WQo0eUlKd2NPeFcyaVliMnNPL1BUaGpub2ErTW40MnV4T2RXazZzelFzOFpOem45VVlwa2JNWmcybE83aWF3b2NkCnFxekVuVEIrMzl0Zmw1Z2prQ29CY1FXbEloOWFKVzMzTHExbGZwYXVkMU9TMS9qU3NaSjU3RTlxNEt1cWFEcngKa3pqczRpZVVGaVIva20xSTQ5eVFuQVpGbnpiOVVDbWdweHZlaHpxOUhQM3lCRTV5clBPTzdGbndqdUpQTjJ5MQpJUUp5WTRzc2FnMlZ6azBDdmxUaHVERGtvUU5GTlM3eVdab1AyVlFsRUNTMmpBZC84UXJaUGVUWGNnYVFoMXdKCmpmSXlNT280bThvbGg4dTQwSFdoTnRWZ0hxUDJyZnZ2Ym1wcGVlV2hHSzYzdkRWa29sUzhnOXBiWEtYN1BNWEEKdEsrYWZDaWxZcE5pT09JMTk0aWM2VHVHZ1ZSenpzSm5yWEtmWTRRcHRsbFhQOWowc2dUZHJnK3hnNENScGFETQpja0JpdlhlZXBYVmloVnNhUEdweWRIVVZNamNFaVFJREFRQUJBb0lDQVFDWENvYnQrTythVmY5c3lNM2E5b3E0CjlmWWJvWFVlbkRoSlR3TGxDKzJtclhBZ2JvcmFSR2t5cEpmTVVQbUowZFAydDBJQlRWNEJUREQvbVg1cnNMUEIKY2ZGdThncmhKcjBMcUpiL2FIUUhJb3dOd2YzVVVEbjdZWW1abkF2dWdyaVNDR0xxelNva2dvak95akdBbHU0Qgo4dXFaK0dReWFxVXJHN1hoZUxOejlGQXF1VEVBNzdZaW9OdzZWVEYxajkwdkZuTGpLMVpCTE1sSVhBSmVERVBTCk5JdXplWHBJam4zejBxd2hJeHBiZFdjbWpCUDdRMXdVZFpnMmtDaEtqa1krNHpuNUJXNzdPVEQ5aTBQc0NLL3EKbzdoak0wRDJxTjJHMTB3bGsyNVJrV05hTDhpUzdaTFREd2xNeU1hWnNubzlFNVFxNVdPcmYvNDNVek9DM3VSSApHWlhLNHB6eUZBQU5tSkdlRTUvNm5yM3Ntd0EvbnhMcGNDSUJMbDlvTDg4clVaYXhZeXdCWm41VjZSbzFSVUN6CkRzZytmaE5xbjlVc1pUdXZwQUQ4ekxkVXVuUTQvK09aS3pEbHRwOWhTNEU4MHpXNDMyVUcxb2lKMG5TYXdJOWUKTFJGNWt5bE55SUhaSG5BRWVxZlVacTR2MWhFbmhVUEFKc0tRVjhvNmQ3cDJDdGFoZUYxdnVrM0QzV3RNdWs2NQpQN1h0bktCL2xCUjE3ai9neUdYS0pUc1BIWENURGZuVGxZZU5IZktiMmxZRHZjMnh5N29aZjZ5bWlRbUZ3bVJTCmt6OTFndDFSbVZaVHQ0Z2VRN0VpaVZScjVxdTc3enZxcjlTOXg5NUNOK0NZZFVoWGdXREMxVEZXdVRCaGxPclMKOENHQ3EzMW12Q25WS1NBQlh3ak1BUUtDQVFFQTJiMGo5dG45MXR2VnRCb0NXd3FDL216N3FCTWFkM0ZPTXFvMAprSCtmeFRWYk1ocC8wOEhWYXFmL2F3VTREVXNhNitFa0RJSm9vZkg4NG1BWmVvZXFyRlZJc2xQdkZiNDEzZSt1CmtNOXJxSjZ6Yk5LQ2YyVU5WTTF0ZjRMRkdjNnNuOTBXdGJzY2U3V2VuRFI2Um9ITjgzbHRvMmY4YWEyVW5EaGUKT2dJUEZhb0lJblBJeG8xQ1NSWDloc0dZZ0VObVUydmtVSzNyRXJSMnVlTy8xQ3ZrMjRLUVJVUEdwaDA2cU8zNQp6dGZKZi9naUJ2QThWdHdkYzkzUHVkTE90STBNNVVKNDNSMWpkdjFUN0lHelR4TFZiL2tJcWdXdkk4Mm04TEpTClE0L0hsK1l6Mk1pNUZ2cUJXeFdXN05jT2xsU1hmYTllUkQ1TE1rT3g5MFdZRDRMZ0NRS0NBUUVBeXpvY3JIN3oKeURNa0RQN3E5QysxMHJrYWE1Z0laWlpmcTBMOUExSStDUlJNWitaVGZZcGlZaTNVcHJPZ1lMdHlCMEpvbU9jNApmSWdabk93MFhHOTd4dUZpeWVTdFlGelEyYjJsa0E1ejE1WUNxUTBUNkYyalVsVkFFQXdNS1FTTEpITlo2ZXNsCkFHZkhVa0FPUllNS0JMZmhnVHRQRk5GUTlZT0F2QlNzcC92TmdMZXNUanpLZW10Tk5vZUsxa2ZQMkMwemFiekwKQkNndDR3UEo3UW1WZ2dEbnBCRStWbE1meE1TckhBcUpGNmJKblZKNk5jdWhqK1FzQkJXZFFmL2NJc1pSL2psdQpvT1EwRC9ycThxTkxIUkNLcEpwNWZ1Mk55SlZBZHVScmd0aVhFNHBROVpCTGtVSXRwOUdic0llQjNFcHAvbDd0Cmd0WnlPbFRqdGVzZ2dRS0NBUUVBb0FuL1p5OHUvait5d1ova1gxcElrZzAwbzRMM0R4ZSs3RXBpUEZzeDZkZWYKNGlITUZxNy8yRmNHeTNpWWpGekp1dHBPanN0RGNOVFdsT1VobFFnbWtHaFcrSXZzelVSemYxN3VKZzN2Q1k4cwpQaTQwTU1Mcm00c3FrbkJod3VnL3hYalJlbDIvUDhac2dFK3FHQ3pNWGNyQXBUeUhNSDJmSDN2bTlpZ1JRbEVwCmpYa2c5NTlZT3pQb2xxV3hHNFZ1cnA0OHdIZzBzaGptc3hjTkpqdmxDTnJjZzZ5ZlUvVmo2a3FRTkZJekR0WW8KM0lTek5QeXd3VHNsdFdXVy9PbzNza0s3WjNwMFl6OHI4a2dhcldJZ2N4N09HWG40RXc3VFIxTXFWL0pVTi9mQgozL01ZNkNUVDgwalpGOWV5SnhpaUNJVmZlalYzTzhpNkJBK3BCcTJoVVFLQ0FRQk5heGZkUm9lTDdwOS9LK1ZKCm5KdEJhUzU5YW05WWM4NkNLWVRGTFNGZ3lCRExTOXptYUQ5T2MzTWRCalRFWk9QdGpBallwc3pIOC9qOTVLV1YKeVFwNEd3aE5MUVkzUFdSNmJscVI1RStSQXg2RVUrMFBpZ3hib3dwQ2tyUlhNOW5seXVPbnp1SkxvejAxUWgydApzVnV4ckhNRmpoaDBMOEVOcGtqMlhWSGd0SFgyNFFHTTFHKzE3d1o5RFdtQWM5N2oxV1JPbFpNcFJEMG16Qnl5ClpnSkVnaCs4U3ExYXFWUGkyNkRyajcvbCtLMjVkdUFEZWsxVHlYSlRKQURDVWJ3RXExUTA2cUFRUHA3dXI0R3QKYVRPR0lQVVArNkRwRDRvQnJZbmZRT2tMOFlLcitQY2FkUnUwZkdkMEZNK2draDZRVXZESjdGUENrZnIxNmJ6TgpZb01CQW9JQkFRQ0YrLzZzL0hmemExYStoL3lCNFRacmw1V28wekdTMkp1WEd1YUpHaGxWZ1RldTFzTDBCKzcwClYwTzRYS3E4OW16MW5BaE5RcEZaWDZDU0RyWHFaWXEwV1hDdVppYkVkUEdMc3hYR0kzNk5xb1Voa2FQR0ZobEkKU1JOSzNPZk54cUNaYVpIRWd1MUgwdWRCZEdvV3IzcXI5cWp2MXQ5d1FtdE8xOVBDN1ZzaUMvV2VmV1Rtb3JKcApxcnhQOUtOVXBqVUNUbzE1eVB6c0NNcld1OWp0Y0NFK2pVOXMwY0IzQUQwcW5UZzZJTTlCVXg4UFlhdWV4QTJOCmF1d3orZnB1bDA2OEJTbW15bGFFdmlTeWpLYUlvdVpIQ3RZYU9lYzJGK1ZNVWliL0s3d1JEQ3JtY1VSZUdZTXoKUmpKODZMVmFaWlQyZkM4UnY3T1JEVWtpMS84a3p5ckYKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=wan172.10.1.1WANGW1inetRemote Gateway11ikev2wanmaininetmyaddresspeeraddressaes256sha5121428800At4aDMOAOub2NwT6gMHApre_shared_keySite Aoff172.10.1.1156bafc7ad40cdtunnel143600Local LAN Site A esplannetwork
192.168.1.0
24aes256hmac_sha5121