/usr/local/opnsense/mvc/script/run_migrations.php made changes @ 2025-02-07T12:31:55.441500 ((system))

This commit is contained in:
(system) 2025-02-07 12:44:44 +01:00 committed by System Administrator
parent bbcbb48cbf
commit abcf528284


@ -1,203 +1,203 @@
<?xml version="1.0"?> <?xml version="1.0"?>
<opnsense> <opnsense>
<theme>opnsense</theme> <theme>opnsense</theme>
<sysctl> <sysctl version="1.0.0">
<item> <item uuid="3e6aaa97-52d5-4c00-abaf-9c571b1c128a">
<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
<tunable>vfs.read_max</tunable> <tunable>vfs.read_max</tunable>
<value>default</value> <value>default</value>
<descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
</item> </item>
<item> <item uuid="ae8d1d50-dc6d-49ce-9772-219a08816731">
<descr>Set the ephemeral port range to be lower.</descr>
<tunable>net.inet.ip.portrange.first</tunable> <tunable>net.inet.ip.portrange.first</tunable>
<value>default</value> <value>default</value>
<descr>Set the ephemeral port range to be lower.</descr>
</item> </item>
<item> <item uuid="e0cb18b9-4029-41d0-a327-2e12ea7e02d8">
<descr>Drop packets to closed TCP ports without returning a RST</descr>
<tunable>net.inet.tcp.blackhole</tunable> <tunable>net.inet.tcp.blackhole</tunable>
<value>default</value> <value>default</value>
<descr>Drop packets to closed TCP ports without returning a RST</descr>
</item> </item>
<item> <item uuid="56718c77-8222-46c7-97aa-216cfe68a73b">
<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
<tunable>net.inet.udp.blackhole</tunable> <tunable>net.inet.udp.blackhole</tunable>
<value>default</value> <value>default</value>
<descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
</item> </item>
<item> <item uuid="1de7ad00-090f-4ce2-81ff-0650b0857a5d">
<descr>Randomize the ID field in IP packets</descr>
<tunable>net.inet.ip.random_id</tunable> <tunable>net.inet.ip.random_id</tunable>
<value>default</value> <value>default</value>
<descr>Randomize the ID field in IP packets</descr>
</item> </item>
<item> <item uuid="79ce9844-d41c-4dff-adb5-f8ae3a0bcbdc">
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
<tunable>net.inet.ip.sourceroute</tunable> <tunable>net.inet.ip.sourceroute</tunable>
<value>default</value> <value>default</value>
</item>
<item>
<descr> <descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box. Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system. as part of the standard FreeBSD core system.
</descr> </descr>
</item>
<item uuid="7c341be1-a50b-4fb3-9321-cbfee546c372">
<tunable>net.inet.ip.accept_sourceroute</tunable> <tunable>net.inet.ip.accept_sourceroute</tunable>
<value>default</value> <value>default</value>
<descr>
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
</descr>
</item> </item>
<item> <item uuid="7bfbc692-e8b4-46fa-96f5-eb21883e7297">
<tunable>net.inet.icmp.log_redirect</tunable>
<value>default</value>
<descr> <descr>
This option turns off the logging of redirect packets because there is no limit and this could fill This option turns off the logging of redirect packets because there is no limit and this could fill
up your logs consuming your whole hard drive. up your logs consuming your whole hard drive.
</descr> </descr>
<tunable>net.inet.icmp.log_redirect</tunable>
<value>default</value>
</item> </item>
<item> <item uuid="14a58970-1cfc-43f3-a7f8-c2ce13fdb617">
<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
<tunable>net.inet.tcp.drop_synfin</tunable> <tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value> <value>default</value>
<descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
</item> </item>
<item> <item uuid="189b1f7b-6097-4e25-9976-c8d3a65ff489">
<descr>Enable sending IPv6 redirects</descr>
<tunable>net.inet6.ip6.redirect</tunable> <tunable>net.inet6.ip6.redirect</tunable>
<value>default</value> <value>default</value>
<descr>Enable sending IPv6 redirects</descr>
</item> </item>
<item> <item uuid="c3a10277-b4ec-4b75-9550-a0378c4d2bb4">
<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
<tunable>net.inet6.ip6.use_tempaddr</tunable> <tunable>net.inet6.ip6.use_tempaddr</tunable>
<value>default</value> <value>default</value>
<descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
</item> </item>
<item> <item uuid="799d08de-e567-413b-abb0-42cecf7fa784">
<descr>Prefer privacy addresses and use them over the normal addresses</descr>
<tunable>net.inet6.ip6.prefer_tempaddr</tunable> <tunable>net.inet6.ip6.prefer_tempaddr</tunable>
<value>default</value> <value>default</value>
<descr>Prefer privacy addresses and use them over the normal addresses</descr>
</item> </item>
<item> <item uuid="34c2769b-287a-4ca0-9ffd-4f33718a45b7">
<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
<tunable>net.inet.tcp.syncookies</tunable> <tunable>net.inet.tcp.syncookies</tunable>
<value>default</value> <value>default</value>
<descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
</item> </item>
<item> <item uuid="b11f856f-ef08-4a2a-a00e-9ade0b8f6046">
<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
<tunable>net.inet.tcp.recvspace</tunable> <tunable>net.inet.tcp.recvspace</tunable>
<value>default</value> <value>default</value>
<descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
</item> </item>
<item> <item uuid="63523e71-e760-4bff-93d1-342e255eb199">
<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
<tunable>net.inet.tcp.sendspace</tunable> <tunable>net.inet.tcp.sendspace</tunable>
<value>default</value> <value>default</value>
<descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
</item> </item>
<item> <item uuid="8346d8e1-f503-4051-8a6a-434690856edc">
<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
<tunable>net.inet.tcp.delayed_ack</tunable> <tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value> <value>default</value>
<descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
</item> </item>
<item> <item uuid="66722d67-259b-40e2-93cb-61ced4cf79cb">
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.inet.udp.maxdgram</tunable> <tunable>net.inet.udp.maxdgram</tunable>
<value>default</value> <value>default</value>
<descr>Maximum outgoing UDP datagram size</descr>
</item> </item>
<item> <item uuid="7ae77c54-1693-45dd-82ac-9a5d9bf6e515">
<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
<tunable>net.link.bridge.pfil_onlyip</tunable> <tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value> <value>default</value>
<descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
</item> </item>
<item> <item uuid="91a783d4-817b-4ace-9700-65356a82072b">
<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
<tunable>net.link.bridge.pfil_local_phys</tunable> <tunable>net.link.bridge.pfil_local_phys</tunable>
<value>default</value> <value>default</value>
<descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
</item> </item>
<item> <item uuid="1fc3262a-960b-4f49-b201-edd77a1e2b31">
<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
<tunable>net.link.bridge.pfil_member</tunable> <tunable>net.link.bridge.pfil_member</tunable>
<value>default</value> <value>default</value>
<descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
</item> </item>
<item> <item uuid="174014af-fc1f-4688-8bcb-13225678595e">
<descr>Set to 1 to enable filtering on the bridge interface</descr>
<tunable>net.link.bridge.pfil_bridge</tunable> <tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value> <value>default</value>
<descr>Set to 1 to enable filtering on the bridge interface</descr>
</item> </item>
<item> <item uuid="154c3822-97de-424c-beb0-fd4245d9a6c2">
<descr>Allow unprivileged access to tap(4) device nodes</descr>
<tunable>net.link.tap.user_open</tunable> <tunable>net.link.tap.user_open</tunable>
<value>default</value> <value>default</value>
<descr>Allow unprivileged access to tap(4) device nodes</descr>
</item> </item>
<item> <item uuid="e5bddcc7-0035-4a1d-b460-d2eba1a95452">
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
<tunable>kern.randompid</tunable> <tunable>kern.randompid</tunable>
<value>default</value> <value>default</value>
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
</item> </item>
<item> <item uuid="5661389c-894a-4fd4-a679-fbbbc0de2b31">
<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
<tunable>hw.syscons.kbd_reboot</tunable> <tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value> <value>default</value>
<descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
</item> </item>
<item> <item uuid="b30dfecf-6bcb-42ff-8083-f57ee708007f">
<descr>Enable TCP extended debugging</descr>
<tunable>net.inet.tcp.log_debug</tunable> <tunable>net.inet.tcp.log_debug</tunable>
<value>default</value> <value>default</value>
<descr>Enable TCP extended debugging</descr>
</item> </item>
<item> <item uuid="f9354f0f-0a41-4b18-b555-e8a21340f18f">
<descr>Set ICMP Limits</descr>
<tunable>net.inet.icmp.icmplim</tunable> <tunable>net.inet.icmp.icmplim</tunable>
<value>default</value> <value>default</value>
<descr>Set ICMP Limits</descr>
</item> </item>
<item> <item uuid="abd3bf28-643c-4461-a79f-da011acd5b0f">
<descr>TCP Offload Engine</descr>
<tunable>net.inet.tcp.tso</tunable> <tunable>net.inet.tcp.tso</tunable>
<value>default</value> <value>default</value>
<descr>TCP Offload Engine</descr>
</item> </item>
<item> <item uuid="e76f5d08-35ee-4419-89f1-7ff2c05f59c5">
<descr>UDP Checksums</descr>
<tunable>net.inet.udp.checksum</tunable> <tunable>net.inet.udp.checksum</tunable>
<value>default</value> <value>default</value>
<descr>UDP Checksums</descr>
</item> </item>
<item> <item uuid="2db68529-e007-464f-91bf-c83630e777d4">
<descr>Maximum socket buffer size</descr>
<tunable>kern.ipc.maxsockbuf</tunable> <tunable>kern.ipc.maxsockbuf</tunable>
<value>default</value> <value>default</value>
<descr>Maximum socket buffer size</descr>
</item> </item>
<item> <item uuid="ea141674-53d8-4ec1-a579-6a787047e744">
<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
<tunable>vm.pmap.pti</tunable> <tunable>vm.pmap.pti</tunable>
<value>default</value> <value>default</value>
<descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
</item> </item>
<item> <item uuid="e8fcbef7-703d-4b40-9caf-f4fb9297e4fe">
<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
<tunable>hw.ibrs_disable</tunable> <tunable>hw.ibrs_disable</tunable>
<value>default</value> <value>default</value>
<descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
</item> </item>
<item> <item uuid="8d9f827c-1873-4b1d-b243-4d68b70377ca">
<descr>Hide processes running as other groups</descr>
<tunable>security.bsd.see_other_gids</tunable> <tunable>security.bsd.see_other_gids</tunable>
<value>default</value> <value>default</value>
<descr>Hide processes running as other groups</descr>
</item> </item>
<item> <item uuid="231d927d-5270-4752-bb23-bfe9d7f9f978">
<descr>Hide processes running as other users</descr>
<tunable>security.bsd.see_other_uids</tunable> <tunable>security.bsd.see_other_uids</tunable>
<value>default</value> <value>default</value>
<descr>Hide processes running as other users</descr>
</item> </item>
<item> <item uuid="128fb208-8e18-4c7d-8647-dbb14e6874ee">
<tunable>net.inet.ip.redirect</tunable>
<value>default</value>
<descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better, <descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
and for the sender directly reachable, route and next hop is known. and for the sender directly reachable, route and next hop is known.
</descr> </descr>
<tunable>net.inet.ip.redirect</tunable>
<value>default</value>
</item> </item>
<item> <item uuid="1d872b5b-26ba-48d4-ba7b-13ab223555cf">
<tunable>net.inet.icmp.drop_redirect</tunable>
<value>1</value>
<descr> <descr>
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
packets without returning a response. packets without returning a response.
</descr> </descr>
<tunable>net.inet.icmp.drop_redirect</tunable>
<value>1</value>
</item> </item>
<item> <item uuid="8e0b3bbf-56b2-4a1b-9326-cbd8fa5804ad">
<descr>Maximum outgoing UDP datagram size</descr>
<tunable>net.local.dgram.maxdgram</tunable> <tunable>net.local.dgram.maxdgram</tunable>
<value>default</value> <value>default</value>
<descr>Maximum outgoing UDP datagram size</descr>
</item> </item>
</sysctl> </sysctl>
<system> <system>
@ -205,21 +205,32 @@
<hostname>OPNsense</hostname> <hostname>OPNsense</hostname>
<domain>localdomain</domain> <domain>localdomain</domain>
<dnsallowoverride>1</dnsallowoverride> <dnsallowoverride>1</dnsallowoverride>
<group> <group uuid="6638cd79-dba3-41ef-adaf-f71ad552c7ce">
<name>admins</name>
<description>System Administrators</description>
<scope>system</scope>
<gid>1999</gid> <gid>1999</gid>
<member>0</member> <name>admins</name>
<priv>page-all</priv>
</group>
<user>
<name>root</name>
<descr>System Administrator</descr>
<scope>system</scope> <scope>system</scope>
<groupname>admins</groupname> <description>System Administrators</description>
<password>$2y$11$F5yOtLTn8aI21fKZTdsnueJjedH0PXTTPpD89Ha6ps3VfC/Ixgojq</password> <priv>page-all</priv>
<member>0</member>
</group>
<user uuid="fa6a80c6-0ff6-4b00-9b75-1b2ee49f962f">
<uid>0</uid> <uid>0</uid>
<name>root</name>
<disabled>0</disabled>
<scope>system</scope>
<expires/>
<authorizedkeys/>
<otp_seed/>
<shell/>
<password>$2y$11$F5yOtLTn8aI21fKZTdsnueJjedH0PXTTPpD89Ha6ps3VfC/Ixgojq</password>
<landing_page/>
<comment/>
<email/>
<apikeys/>
<priv/>
<language/>
<descr>System Administrator</descr>
<dashboard/>
</user> </user>
<nextuid>2000</nextuid> <nextuid>2000</nextuid>
<nextgid>2000</nextgid> <nextgid>2000</nextgid>
@ -1008,9 +1019,9 @@
<interfacesstatisticsfilter>opt2</interfacesstatisticsfilter> <interfacesstatisticsfilter>opt2</interfacesstatisticsfilter>
</widgets> </widgets>
<revision> <revision>
<username>root@192.168.10.103</username> <username>(system)</username>
<time>1738926923.5568</time> <description>/usr/local/opnsense/mvc/script/run_migrations.php made changes</description>
<description>/system_advanced_admin.php made changes</description> <time>1738927915.4415</time>
</revision> </revision>
<OPNsense> <OPNsense>
<wireguard> <wireguard>
@ -1298,7 +1309,7 @@
<http_port>8000</http_port> <http_port>8000</http_port>
</general> </general>
</ctrl_agent> </ctrl_agent>
<dhcp4 version="1.0.2"> <dhcp4 version="1.0.3">
<general> <general>
<enabled>0</enabled> <enabled>0</enabled>
<interfaces/> <interfaces/>
@ -1800,13 +1811,14 @@
<descr>Load</descr> <descr>Load</descr>
</gateway_group> </gateway_group>
</gateways> </gateways>
<hasync version="1.0.1"> <hasync version="1.0.2">
<disablepreempt>0</disablepreempt> <disablepreempt>0</disablepreempt>
<disconnectppps>0</disconnectppps> <disconnectppps>0</disconnectppps>
<pfsyncinterface/> <pfsyncinterface/>
<pfsyncpeerip/> <pfsyncpeerip/>
<pfsyncversion>1400</pfsyncversion> <pfsyncversion>1400</pfsyncversion>
<synchronizetoip/> <synchronizetoip/>
<verifypeer>0</verifypeer>
<username/> <username/>
<password/> <password/>
<syncitems/> <syncitems/>
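Review bot: The new `<verifypeer>0</verifypeer>` sits directly above the sync `<username/>` and `<password/>` fields, and a value of 0 presumably means the TLS certificate of the HA sync peer is not checked; once `<synchronizetoip/>` and those credentials are filled in, they would be sent to whatever host answers at that address. Unless the peer genuinely cannot present a certificate the primary trusts, this should become `<verifypeer>1</verifypeer>` as part of enabling sync rather than being left at the migrated default, and the sync account should be a dedicated least-privilege user rather than root. The `<hasync>` element closes outside the hunk, so any further sync settings it carries are not visible here.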