From abcf528284ccb4cba8875da578237ace5f6d82db Mon Sep 17 00:00:00 2001
From: "(system)" <(system)@OPNsense.localdomain>
Date: Fri, 7 Feb 2025 12:44:44 +0100
Subject: [PATCH] /usr/local/opnsense/mvc/script/run_migrations.php made
 changes @ 2025-02-07T12:31:55.441500 ((system))

---
 config.xml | 206 ++++++++++++++++++++++++++++-------------------------
 1 file changed, 109 insertions(+), 97 deletions(-)

diff --git a/config.xml b/config.xml
index 08ca095..f388d8b 100644
--- a/config.xml
+++ b/config.xml
@@ -1,203 +1,203 @@
 <?xml version="1.0"?>
 <opnsense>
   <theme>opnsense</theme>
-  <sysctl>
-    <item>
-      <descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
+  <sysctl version="1.0.0">
+    <item uuid="3e6aaa97-52d5-4c00-abaf-9c571b1c128a">
       <tunable>vfs.read_max</tunable>
       <value>default</value>
+      <descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
     </item>
-    <item>
-      <descr>Set the ephemeral port range to be lower.</descr>
+    <item uuid="ae8d1d50-dc6d-49ce-9772-219a08816731">
       <tunable>net.inet.ip.portrange.first</tunable>
       <value>default</value>
+      <descr>Set the ephemeral port range to be lower.</descr>
     </item>
-    <item>
-      <descr>Drop packets to closed TCP ports without returning a RST</descr>
+    <item uuid="e0cb18b9-4029-41d0-a327-2e12ea7e02d8">
       <tunable>net.inet.tcp.blackhole</tunable>
       <value>default</value>
+      <descr>Drop packets to closed TCP ports without returning a RST</descr>
     </item>
-    <item>
-      <descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
+    <item uuid="56718c77-8222-46c7-97aa-216cfe68a73b">
       <tunable>net.inet.udp.blackhole</tunable>
       <value>default</value>
+      <descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
     </item>
-    <item>
-      <descr>Randomize the ID field in IP packets</descr>
+    <item uuid="1de7ad00-090f-4ce2-81ff-0650b0857a5d">
       <tunable>net.inet.ip.random_id</tunable>
       <value>default</value>
+      <descr>Randomize the ID field in IP packets</descr>
     </item>
-    <item>
-      <descr>
-        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
-        It can also be used to probe for information about your internal networks. These functions come enabled
-        as part of the standard FreeBSD core system.
-      </descr>
+    <item uuid="79ce9844-d41c-4dff-adb5-f8ae3a0bcbdc">
       <tunable>net.inet.ip.sourceroute</tunable>
       <value>default</value>
-    </item>
-    <item>
       <descr>
         Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
         It can also be used to probe for information about your internal networks. These functions come enabled
         as part of the standard FreeBSD core system.
       </descr>
+    </item>
+    <item uuid="7c341be1-a50b-4fb3-9321-cbfee546c372">
       <tunable>net.inet.ip.accept_sourceroute</tunable>
       <value>default</value>
+      <descr>
+        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+        It can also be used to probe for information about your internal networks. These functions come enabled
+        as part of the standard FreeBSD core system.
+      </descr>
     </item>
-    <item>
+    <item uuid="7bfbc692-e8b4-46fa-96f5-eb21883e7297">
+      <tunable>net.inet.icmp.log_redirect</tunable>
+      <value>default</value>
       <descr>
         This option turns off the logging of redirect packets because there is no limit and this could fill
         up your logs consuming your whole hard drive.
       </descr>
-      <tunable>net.inet.icmp.log_redirect</tunable>
-      <value>default</value>
     </item>
-    <item>
-      <descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
+    <item uuid="14a58970-1cfc-43f3-a7f8-c2ce13fdb617">
       <tunable>net.inet.tcp.drop_synfin</tunable>
       <value>default</value>
+      <descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
     </item>
-    <item>
-      <descr>Enable sending IPv6 redirects</descr>
+    <item uuid="189b1f7b-6097-4e25-9976-c8d3a65ff489">
       <tunable>net.inet6.ip6.redirect</tunable>
       <value>default</value>
+      <descr>Enable sending IPv6 redirects</descr>
     </item>
-    <item>
-      <descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
+    <item uuid="c3a10277-b4ec-4b75-9550-a0378c4d2bb4">
       <tunable>net.inet6.ip6.use_tempaddr</tunable>
       <value>default</value>
+      <descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
     </item>
-    <item>
-      <descr>Prefer privacy addresses and use them over the normal addresses</descr>
+    <item uuid="799d08de-e567-413b-abb0-42cecf7fa784">
       <tunable>net.inet6.ip6.prefer_tempaddr</tunable>
       <value>default</value>
+      <descr>Prefer privacy addresses and use them over the normal addresses</descr>
     </item>
-    <item>
-      <descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
+    <item uuid="34c2769b-287a-4ca0-9ffd-4f33718a45b7">
       <tunable>net.inet.tcp.syncookies</tunable>
       <value>default</value>
+      <descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
     </item>
-    <item>
-      <descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
+    <item uuid="b11f856f-ef08-4a2a-a00e-9ade0b8f6046">
       <tunable>net.inet.tcp.recvspace</tunable>
       <value>default</value>
+      <descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
     </item>
-    <item>
-      <descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
+    <item uuid="63523e71-e760-4bff-93d1-342e255eb199">
       <tunable>net.inet.tcp.sendspace</tunable>
       <value>default</value>
+      <descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
     </item>
-    <item>
-      <descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
+    <item uuid="8346d8e1-f503-4051-8a6a-434690856edc">
       <tunable>net.inet.tcp.delayed_ack</tunable>
       <value>default</value>
+      <descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
     </item>
-    <item>
-      <descr>Maximum outgoing UDP datagram size</descr>
+    <item uuid="66722d67-259b-40e2-93cb-61ced4cf79cb">
       <tunable>net.inet.udp.maxdgram</tunable>
       <value>default</value>
+      <descr>Maximum outgoing UDP datagram size</descr>
     </item>
-    <item>
-      <descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
+    <item uuid="7ae77c54-1693-45dd-82ac-9a5d9bf6e515">
       <tunable>net.link.bridge.pfil_onlyip</tunable>
       <value>default</value>
+      <descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
     </item>
-    <item>
-      <descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
+    <item uuid="91a783d4-817b-4ace-9700-65356a82072b">
       <tunable>net.link.bridge.pfil_local_phys</tunable>
       <value>default</value>
+      <descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
     </item>
-    <item>
-      <descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
+    <item uuid="1fc3262a-960b-4f49-b201-edd77a1e2b31">
       <tunable>net.link.bridge.pfil_member</tunable>
       <value>default</value>
+      <descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
     </item>
-    <item>
-      <descr>Set to 1 to enable filtering on the bridge interface</descr>
+    <item uuid="174014af-fc1f-4688-8bcb-13225678595e">
       <tunable>net.link.bridge.pfil_bridge</tunable>
       <value>default</value>
+      <descr>Set to 1 to enable filtering on the bridge interface</descr>
     </item>
-    <item>
-      <descr>Allow unprivileged access to tap(4) device nodes</descr>
+    <item uuid="154c3822-97de-424c-beb0-fd4245d9a6c2">
       <tunable>net.link.tap.user_open</tunable>
       <value>default</value>
+      <descr>Allow unprivileged access to tap(4) device nodes</descr>
     </item>
-    <item>
-      <descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
+    <item uuid="e5bddcc7-0035-4a1d-b460-d2eba1a95452">
       <tunable>kern.randompid</tunable>
       <value>default</value>
+      <descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
     </item>
-    <item>
-      <descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
+    <item uuid="5661389c-894a-4fd4-a679-fbbbc0de2b31">
       <tunable>hw.syscons.kbd_reboot</tunable>
       <value>default</value>
+      <descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
     </item>
-    <item>
-      <descr>Enable TCP extended debugging</descr>
+    <item uuid="b30dfecf-6bcb-42ff-8083-f57ee708007f">
       <tunable>net.inet.tcp.log_debug</tunable>
       <value>default</value>
+      <descr>Enable TCP extended debugging</descr>
     </item>
-    <item>
-      <descr>Set ICMP Limits</descr>
+    <item uuid="f9354f0f-0a41-4b18-b555-e8a21340f18f">
       <tunable>net.inet.icmp.icmplim</tunable>
       <value>default</value>
+      <descr>Set ICMP Limits</descr>
     </item>
-    <item>
-      <descr>TCP Offload Engine</descr>
+    <item uuid="abd3bf28-643c-4461-a79f-da011acd5b0f">
       <tunable>net.inet.tcp.tso</tunable>
       <value>default</value>
+      <descr>TCP Offload Engine</descr>
     </item>
-    <item>
-      <descr>UDP Checksums</descr>
+    <item uuid="e76f5d08-35ee-4419-89f1-7ff2c05f59c5">
       <tunable>net.inet.udp.checksum</tunable>
       <value>default</value>
+      <descr>UDP Checksums</descr>
     </item>
-    <item>
-      <descr>Maximum socket buffer size</descr>
+    <item uuid="2db68529-e007-464f-91bf-c83630e777d4">
       <tunable>kern.ipc.maxsockbuf</tunable>
       <value>default</value>
+      <descr>Maximum socket buffer size</descr>
     </item>
-    <item>
-      <descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
+    <item uuid="ea141674-53d8-4ec1-a579-6a787047e744">
       <tunable>vm.pmap.pti</tunable>
       <value>default</value>
+      <descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
     </item>
-    <item>
-      <descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
+    <item uuid="e8fcbef7-703d-4b40-9caf-f4fb9297e4fe">
       <tunable>hw.ibrs_disable</tunable>
       <value>default</value>
+      <descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
     </item>
-    <item>
-      <descr>Hide processes running as other groups</descr>
+    <item uuid="8d9f827c-1873-4b1d-b243-4d68b70377ca">
       <tunable>security.bsd.see_other_gids</tunable>
       <value>default</value>
+      <descr>Hide processes running as other groups</descr>
     </item>
-    <item>
-      <descr>Hide processes running as other users</descr>
+    <item uuid="231d927d-5270-4752-bb23-bfe9d7f9f978">
       <tunable>security.bsd.see_other_uids</tunable>
       <value>default</value>
+      <descr>Hide processes running as other users</descr>
     </item>
-    <item>
+    <item uuid="128fb208-8e18-4c7d-8647-dbb14e6874ee">
+      <tunable>net.inet.ip.redirect</tunable>
+      <value>default</value>
       <descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
         and for the sender directly reachable, route and next hop is known.
       </descr>
-      <tunable>net.inet.ip.redirect</tunable>
-      <value>default</value>
     </item>
-    <item>
+    <item uuid="1d872b5b-26ba-48d4-ba7b-13ab223555cf">
+      <tunable>net.inet.icmp.drop_redirect</tunable>
+      <value>1</value>
       <descr>
         Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
         to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
         packets without returning a response.
       </descr>
-      <tunable>net.inet.icmp.drop_redirect</tunable>
-      <value>1</value>
     </item>
-    <item>
-      <descr>Maximum outgoing UDP datagram size</descr>
+    <item uuid="8e0b3bbf-56b2-4a1b-9326-cbd8fa5804ad">
       <tunable>net.local.dgram.maxdgram</tunable>
       <value>default</value>
+      <descr>Maximum outgoing UDP datagram size</descr>
     </item>
   </sysctl>
   <system>
@@ -205,21 +205,32 @@
     <hostname>OPNsense</hostname>
     <domain>localdomain</domain>
     <dnsallowoverride>1</dnsallowoverride>
-    <group>
-      <name>admins</name>
-      <description>System Administrators</description>
-      <scope>system</scope>
+    <group uuid="6638cd79-dba3-41ef-adaf-f71ad552c7ce">
       <gid>1999</gid>
-      <member>0</member>
-      <priv>page-all</priv>
-    </group>
-    <user>
-      <name>root</name>
-      <descr>System Administrator</descr>
+      <name>admins</name>
       <scope>system</scope>
-      <groupname>admins</groupname>
-      <password>$2y$11$F5yOtLTn8aI21fKZTdsnueJjedH0PXTTPpD89Ha6ps3VfC/Ixgojq</password>
+      <description>System Administrators</description>
+      <priv>page-all</priv>
+      <member>0</member>
+    </group>
+    <user uuid="fa6a80c6-0ff6-4b00-9b75-1b2ee49f962f">
       <uid>0</uid>
+      <name>root</name>
+      <disabled>0</disabled>
+      <scope>system</scope>
+      <expires/>
+      <authorizedkeys/>
+      <otp_seed/>
+      <shell/>
+      <password>$2y$11$F5yOtLTn8aI21fKZTdsnueJjedH0PXTTPpD89Ha6ps3VfC/Ixgojq</password>
+      <landing_page/>
+      <comment/>
+      <email/>
+      <apikeys/>
+      <priv/>
+      <language/>
+      <descr>System Administrator</descr>
+      <dashboard/>
     </user>
     <nextuid>2000</nextuid>
     <nextgid>2000</nextgid>
@@ -1008,9 +1019,9 @@
     <interfacesstatisticsfilter>opt2</interfacesstatisticsfilter>
   </widgets>
   <revision>
-    <username>root@192.168.10.103</username>
-    <time>1738926923.5568</time>
-    <description>/system_advanced_admin.php made changes</description>
+    <username>(system)</username>
+    <description>/usr/local/opnsense/mvc/script/run_migrations.php made changes</description>
+    <time>1738927915.4415</time>
   </revision>
   <OPNsense>
     <wireguard>
@@ -1298,7 +1309,7 @@
           <http_port>8000</http_port>
         </general>
       </ctrl_agent>
-      <dhcp4 version="1.0.2">
+      <dhcp4 version="1.0.3">
         <general>
           <enabled>0</enabled>
           <interfaces/>
@@ -1800,13 +1811,14 @@
       <descr>Load</descr>
     </gateway_group>
   </gateways>
-  <hasync version="1.0.1">
+  <hasync version="1.0.2">
     <disablepreempt>0</disablepreempt>
     <disconnectppps>0</disconnectppps>
     <pfsyncinterface/>
     <pfsyncpeerip/>
     <pfsyncversion>1400</pfsyncversion>
     <synchronizetoip/>
+    <verifypeer>0</verifypeer>
     <username/>
     <password/>
     <syncitems/>