|
1
|
<?xml version="1.0"?>
|
|
2
|
<pfsense>
|
|
3
|
<version>6.0</version>
|
|
4
|
<lastchange/>
|
|
5
|
<theme>pfsense_ng</theme>
|
|
6
|
<sysctl>
|
|
7
|
<item>
|
|
8
|
<desc>Set the ephemeral port range to be lower.</desc>
|
|
9
|
<tunable>net.inet.ip.portrange.first</tunable>
|
|
10
|
<value>1024</value>
|
|
11
|
</item>
|
|
12
|
<item>
|
|
13
|
<desc>Drop packets to closed TCP ports without returning a RST</desc>
|
|
14
|
<tunable>net.inet.tcp.blackhole</tunable>
|
|
15
|
<value>2</value>
|
|
16
|
</item>
|
|
17
|
<item>
|
|
18
|
<desc>Do not send ICMP port unreachable messages for closed UDP ports</desc>
|
|
19
|
<tunable>net.inet.udp.blackhole</tunable>
|
|
20
|
<value>1</value>
|
|
21
|
</item>
|
|
22
|
<item>
|
|
23
|
<desc>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</desc>
|
|
24
|
<tunable>net.inet.ip.random_id</tunable>
|
|
25
|
<value>1</value>
|
|
26
|
</item>
|
|
27
|
<item>
|
|
28
|
<desc>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</desc>
|
|
29
|
<tunable>net.inet.tcp.drop_synfin</tunable>
|
|
30
|
<value>1</value>
|
|
31
|
</item>
|
|
32
|
<item>
|
|
33
|
<desc>Enable sending IPv4 redirects</desc>
|
|
34
|
<tunable>net.inet.ip.redirect</tunable>
|
|
35
|
<value>1</value>
|
|
36
|
</item>
|
|
37
|
<item>
|
|
38
|
<desc>Enable sending IPv6 redirects</desc>
|
|
39
|
<tunable>net.inet6.ip6.redirect</tunable>
|
|
40
|
<value>1</value>
|
|
41
|
</item>
|
|
42
|
<item>
|
|
43
|
<desc>Generate SYN cookies for outbound SYN-ACK packets</desc>
|
|
44
|
<tunable>net.inet.tcp.syncookies</tunable>
|
|
45
|
<value>1</value>
|
|
46
|
</item>
|
|
47
|
<item>
|
|
48
|
<desc>Maximum incoming/outgoing TCP datagram size (receive)</desc>
|
|
49
|
<tunable>net.inet.tcp.recvspace</tunable>
|
|
50
|
<value>65228</value>
|
|
51
|
</item>
|
|
52
|
<item>
|
|
53
|
<desc>Maximum incoming/outgoing TCP datagram size (send)</desc>
|
|
54
|
<tunable>net.inet.tcp.sendspace</tunable>
|
|
55
|
<value>65228</value>
|
|
56
|
</item>
|
|
57
|
<item>
|
|
58
|
<desc>IP Fastforwarding</desc>
|
|
59
|
<tunable>net.inet.ip.fastforwarding</tunable>
|
|
60
|
<value>1</value>
|
|
61
|
</item>
|
|
62
|
<item>
|
|
63
|
<desc>Do not delay ACK to try and piggyback it onto a data packet</desc>
|
|
64
|
<tunable>net.inet.tcp.delayed_ack</tunable>
|
|
65
|
<value>0</value>
|
|
66
|
</item>
|
|
67
|
<item>
|
|
68
|
<desc>Maximum outgoing UDP datagram size</desc>
|
|
69
|
<tunable>net.inet.udp.maxdgram</tunable>
|
|
70
|
<value>57344</value>
|
|
71
|
</item>
|
|
72
|
<item>
|
|
73
|
<desc>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</desc>
|
|
74
|
<tunable>net.link.bridge.pfil_onlyip</tunable>
|
|
75
|
<value>0</value>
|
|
76
|
</item>
|
|
77
|
<item>
|
|
78
|
<desc>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</desc>
|
|
79
|
<tunable>net.link.bridge.pfil_member</tunable>
|
|
80
|
<value>1</value>
|
|
81
|
</item>
|
|
82
|
<item>
|
|
83
|
<desc>Set to 1 to enable filtering on the bridge interface</desc>
|
|
84
|
<tunable>net.link.bridge.pfil_bridge</tunable>
|
|
85
|
<value>0</value>
|
|
86
|
</item>
|
|
87
|
<item>
|
|
88
|
<desc>Allow unprivileged access to tap(4) device nodes</desc>
|
|
89
|
<tunable>net.link.tap.user_open</tunable>
|
|
90
|
<value>1</value>
|
|
91
|
</item>
|
|
92
|
<item>
|
|
93
|
<desc>Verbosity of the rndtest driver (0: do not display results on console)</desc>
|
|
94
|
<tunable>kern.rndtest.verbose</tunable>
|
|
95
|
<value>0</value>
|
|
96
|
</item>
|
|
97
|
<item>
|
|
98
|
<desc>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</desc>
|
|
99
|
<tunable>kern.randompid</tunable>
|
|
100
|
<value>347</value>
|
|
101
|
</item>
|
|
102
|
<item>
|
|
103
|
<desc>Maximum size of the IP input queue</desc>
|
|
104
|
<tunable>net.inet.ip.intr_queue_maxlen</tunable>
|
|
105
|
<value>1000</value>
|
|
106
|
</item>
|
|
107
|
<item>
|
|
108
|
<desc>Disable CTRL+ALT+Delete reboot from keyboard.</desc>
|
|
109
|
<tunable>hw.syscons.kbd_reboot</tunable>
|
|
110
|
<value>0</value>
|
|
111
|
</item>
|
|
112
|
<item>
|
|
113
|
<desc>Enable TCP Inflight mode</desc>
|
|
114
|
<tunable>net.inet.tcp.inflight.enable</tunable>
|
|
115
|
<value>1</value>
|
|
116
|
</item>
|
|
117
|
<item>
|
|
118
|
<desc>Enable TCP extended debugging</desc>
|
|
119
|
<tunable>net.inet.tcp.log_debug</tunable>
|
|
120
|
<value>0</value>
|
|
121
|
</item>
|
|
122
|
<item>
|
|
123
|
<desc>Set ICMP Limits</desc>
|
|
124
|
<tunable>net.inet.icmp.icmplim</tunable>
|
|
125
|
<value>750</value>
|
|
126
|
</item>
|
|
127
|
<item>
|
|
128
|
<desc>TCP Offload Engine</desc>
|
|
129
|
<tunable>net.inet.tcp.tso</tunable>
|
|
130
|
<value>0</value>
|
|
131
|
</item>
|
|
132
|
<item>
|
|
133
|
<desc>TCP Offload Engine - BCE</desc>
|
|
134
|
<tunable>hw.bce.tso_enable</tunable>
|
|
135
|
<value>0</value>
|
|
136
|
</item>
|
|
137
|
</sysctl>
|
|
138
|
<system>
|
|
139
|
<optimization>normal</optimization>
|
|
140
|
<hostname>pfSense</hostname>
|
|
141
|
<domain>local</domain>
|
|
142
|
<dnsserver/>
|
|
143
|
<dnsallowoverride/>
|
|
144
|
<group>
|
|
145
|
<name>all</name>
|
|
146
|
<description>All Users</description>
|
|
147
|
<scope>system</scope>
|
|
148
|
<gid>1998</gid>
|
|
149
|
<member>0</member>
|
|
150
|
</group>
|
|
151
|
<group>
|
|
152
|
<name>admins</name>
|
|
153
|
<description>System Administrators</description>
|
|
154
|
<scope>system</scope>
|
|
155
|
<gid>1999</gid>
|
|
156
|
<member>0</member>
|
|
157
|
<priv>page-all</priv>
|
|
158
|
</group>
|
|
159
|
<user>
|
|
160
|
<name>admin</name>
|
|
161
|
<fullname>System Administrator</fullname>
|
|
162
|
<scope>system</scope>
|
|
163
|
<groupname>admins</groupname>
|
|
164
|
<password>$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.</password>
|
|
165
|
<uid>0</uid>
|
|
166
|
<priv>user-shell-access</priv>
|
|
167
|
</user>
|
|
168
|
<nextuid>2000</nextuid>
|
|
169
|
<nextgid>2000</nextgid>
|
|
170
|
<timezone>Etc/UTC</timezone>
|
|
171
|
<time-update-interval>300</time-update-interval>
|
|
172
|
<timeservers>0.pfsense.pool.ntp.org</timeservers>
|
|
173
|
<webgui>
|
|
174
|
<protocol>http</protocol>
|
|
175
|
<port/>
|
|
176
|
<ssl-certref/>
|
|
177
|
</webgui>
|
|
178
|
<disablenatreflection>yes</disablenatreflection>
|
|
179
|
<cert/>
|
|
180
|
<enablesshd>enabled</enablesshd>
|
|
181
|
</system>
|
|
182
|
<interfaces>
|
|
183
|
<lan>
|
|
184
|
<descr/>
|
|
185
|
<if>em1</if>
|
|
186
|
</lan>
|
|
187
|
<opt1>
|
|
188
|
<descr>OPT1</descr>
|
|
189
|
<if>em3</if>
|
|
190
|
<spoofmac/>
|
|
191
|
<ipaddr>192.168.16.1</ipaddr>
|
|
192
|
<subnet>24</subnet>
|
|
193
|
</opt1>
|
|
194
|
<wan>
|
|
195
|
<if>em0</if>
|
|
196
|
<mtu/>
|
|
197
|
<ipaddr>dhcp</ipaddr>
|
|
198
|
<subnet/>
|
|
199
|
<gateway/>
|
|
200
|
<blockbogons/>
|
|
201
|
<dhcphostname/>
|
|
202
|
<media/>
|
|
203
|
<mediaopt/>
|
|
204
|
<bandwidth>100</bandwidth>
|
|
205
|
<bandwidthtype>Mb</bandwidthtype>
|
|
206
|
<descr>WAN</descr>
|
|
207
|
</wan>
|
|
208
|
</interfaces>
|
|
209
|
<staticroutes/>
|
|
210
|
<pppoe>
|
|
211
|
<username/>
|
|
212
|
<password/>
|
|
213
|
<provider/>
|
|
214
|
</pppoe>
|
|
215
|
<pptp>
|
|
216
|
<username/>
|
|
217
|
<password/>
|
|
218
|
<local/>
|
|
219
|
<subnet/>
|
|
220
|
<remote/>
|
|
221
|
</pptp>
|
|
222
|
<dhcpd/>
|
|
223
|
<pptpd>
|
|
224
|
<mode/>
|
|
225
|
<redir/>
|
|
226
|
<localip/>
|
|
227
|
<remoteip/>
|
|
228
|
</pptpd>
|
|
229
|
<ovpn/>
|
|
230
|
<dnsmasq>
|
|
231
|
<enable/>
|
|
232
|
<domainoverrides>
|
|
233
|
<domain>test.com</domain>
|
|
234
|
<ip>1.2.3.4</ip>
|
|
235
|
<descr/>
|
|
236
|
</domainoverrides>
|
|
237
|
<domainoverrides>
|
|
238
|
<domain>test.com</domain>
|
|
239
|
<ip>1.2.3.5</ip>
|
|
240
|
<descr/>
|
|
241
|
</domainoverrides>
|
|
242
|
</dnsmasq>
|
|
243
|
<snmpd>
|
|
244
|
<syslocation/>
|
|
245
|
<syscontact/>
|
|
246
|
<rocommunity>public</rocommunity>
|
|
247
|
</snmpd>
|
|
248
|
<diag>
|
|
249
|
<ipv6nat>
|
|
250
|
<ipaddr/>
|
|
251
|
</ipv6nat>
|
|
252
|
</diag>
|
|
253
|
<bridge/>
|
|
254
|
<syslog/>
|
|
255
|
<filter>
|
|
256
|
<rule>
|
|
257
|
<type>pass</type>
|
|
258
|
<interface>wan</interface>
|
|
259
|
<source>
|
|
260
|
<any/>
|
|
261
|
</source>
|
|
262
|
<destination>
|
|
263
|
<any/>
|
|
264
|
</destination>
|
|
265
|
<statetype>keep state</statetype>
|
|
266
|
<os/>
|
|
267
|
<descr>Allow all via pfSsh.php</descr>
|
|
268
|
</rule>
|
|
269
|
<rule>
|
|
270
|
<id/>
|
|
271
|
<type>pass</type>
|
|
272
|
<interface>opt1</interface>
|
|
273
|
<max-src-nodes/>
|
|
274
|
<max-src-states/>
|
|
275
|
<statetimeout/>
|
|
276
|
<statetype>keep state</statetype>
|
|
277
|
<os/>
|
|
278
|
<protocol>tcp</protocol>
|
|
279
|
<source>
|
|
280
|
<any/>
|
|
281
|
</source>
|
|
282
|
<destination>
|
|
283
|
<any/>
|
|
284
|
</destination>
|
|
285
|
<descr>OPT1 rule</descr>
|
|
286
|
</rule>
|
|
287
|
</filter>
|
|
288
|
<ipsec>
|
|
289
|
<preferredoldsa/>
|
|
290
|
</ipsec>
|
|
291
|
<aliases/>
|
|
292
|
<proxyarp/>
|
|
293
|
<cron>
|
|
294
|
<item>
|
|
295
|
<minute>0</minute>
|
|
296
|
<hour>*</hour>
|
|
297
|
<mday>*</mday>
|
|
298
|
<month>*</month>
|
|
299
|
<wday>*</wday>
|
|
300
|
<who>root</who>
|
|
301
|
<command>/usr/bin/nice -n20 newsyslog</command>
|
|
302
|
</item>
|
|
303
|
<item>
|
|
304
|
<minute>1,31</minute>
|
|
305
|
<hour>0-5</hour>
|
|
306
|
<mday>*</mday>
|
|
307
|
<month>*</month>
|
|
308
|
<wday>*</wday>
|
|
309
|
<who>root</who>
|
|
310
|
<command>/usr/bin/nice -n20 adjkerntz -a</command>
|
|
311
|
</item>
|
|
312
|
<item>
|
|
313
|
<minute>1</minute>
|
|
314
|
<hour>3</hour>
|
|
315
|
<mday>1</mday>
|
|
316
|
<month>*</month>
|
|
317
|
<wday>*</wday>
|
|
318
|
<who>root</who>
|
|
319
|
<command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
|
|
320
|
</item>
|
|
321
|
<item>
|
|
322
|
<minute>*/60</minute>
|
|
323
|
<hour>*</hour>
|
|
324
|
<mday>*</mday>
|
|
325
|
<month>*</month>
|
|
326
|
<wday>*</wday>
|
|
327
|
<who>root</who>
|
|
328
|
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
|
|
329
|
</item>
|
|
330
|
<item>
|
|
331
|
<minute>1</minute>
|
|
332
|
<hour>1</hour>
|
|
333
|
<mday>*</mday>
|
|
334
|
<month>*</month>
|
|
335
|
<wday>*</wday>
|
|
336
|
<who>root</who>
|
|
337
|
<command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
|
|
338
|
</item>
|
|
339
|
<item>
|
|
340
|
<minute>*/60</minute>
|
|
341
|
<hour>*</hour>
|
|
342
|
<mday>*</mday>
|
|
343
|
<month>*</month>
|
|
344
|
<wday>*</wday>
|
|
345
|
<who>root</who>
|
|
346
|
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
|
|
347
|
</item>
|
|
348
|
<item>
|
|
349
|
<minute>*/5</minute>
|
|
350
|
<hour>*</hour>
|
|
351
|
<mday>*</mday>
|
|
352
|
<month>*</month>
|
|
353
|
<wday>*</wday>
|
|
354
|
<who>root</who>
|
|
355
|
<command>/usr/bin/nice -n20 /usr/local/bin/checkreload.sh</command>
|
|
356
|
</item>
|
|
357
|
<item>
|
|
358
|
<minute>*/5</minute>
|
|
359
|
<hour>*</hour>
|
|
360
|
<mday>*</mday>
|
|
361
|
<month>*</month>
|
|
362
|
<wday>*</wday>
|
|
363
|
<who>root</who>
|
|
364
|
<command>/usr/bin/nice -n20 /etc/ping_hosts.sh</command>
|
|
365
|
</item>
|
|
366
|
</cron>
|
|
367
|
<wol/>
|
|
368
|
<rrd>
|
|
369
|
<enable/>
|
|
370
|
</rrd>
|
|
371
|
<load_balancer>
|
|
372
|
<monitor_type>
|
|
373
|
<name>ICMP</name>
|
|
374
|
<type>icmp</type>
|
|
375
|
<desc>ICMP</desc>
|
|
376
|
<options/>
|
|
377
|
</monitor_type>
|
|
378
|
<monitor_type>
|
|
379
|
<name>TCP</name>
|
|
380
|
<type>tcp</type>
|
|
381
|
<desc>Generic TCP</desc>
|
|
382
|
<options/>
|
|
383
|
</monitor_type>
|
|
384
|
<monitor_type>
|
|
385
|
<name>HTTP</name>
|
|
386
|
<type>http</type>
|
|
387
|
<desc>Generic HTTP</desc>
|
|
388
|
<options>
|
|
389
|
<path>/</path>
|
|
390
|
<host/>
|
|
391
|
<code>200</code>
|
|
392
|
</options>
|
|
393
|
</monitor_type>
|
|
394
|
<monitor_type>
|
|
395
|
<name>HTTPS</name>
|
|
396
|
<type>https</type>
|
|
397
|
<desc>Generic HTTPS</desc>
|
|
398
|
<options>
|
|
399
|
<path>/</path>
|
|
400
|
<host/>
|
|
401
|
<code>200</code>
|
|
402
|
</options>
|
|
403
|
</monitor_type>
|
|
404
|
<monitor_type>
|
|
405
|
<name>SMTP</name>
|
|
406
|
<type>send</type>
|
|
407
|
<desc>Generic SMTP</desc>
|
|
408
|
<options>
|
|
409
|
<send>EHLO nosuchhost</send>
|
|
410
|
<expect>250-</expect>
|
|
411
|
</options>
|
|
412
|
</monitor_type>
|
|
413
|
</load_balancer>
|
|
414
|
<revision>
|
|
415
|
<description>Gateways: removed gateway 0</description>
|
|
416
|
<time>1259092834</time>
|
|
417
|
</revision>
|
|
418
|
<gateways>
|
|
419
|
<gateway_item>
|
|
420
|
<interface>opt1</interface>
|
|
421
|
<name>opt1</name>
|
|
422
|
<gateway>192.16.5.3</gateway>
|
|
423
|
<descr/>
|
|
424
|
<monitor>1.2.3.4</monitor>
|
|
425
|
</gateway_item>
|
|
426
|
</gateways>
|
|
427
|
<dnshaper/>
|
|
428
|
<l7shaper>
|
|
429
|
<container>
|
|
430
|
<name>Test</name>
|
|
431
|
<enabled>on</enabled>
|
|
432
|
<description>test</description>
|
|
433
|
<divert_port>57142</divert_port>
|
|
434
|
<l7rules>
|
|
435
|
<protocol>bittorrent</protocol>
|
|
436
|
<structure>action</structure>
|
|
437
|
<behaviour>block</behaviour>
|
|
438
|
</l7rules>
|
|
439
|
<l7rules>
|
|
440
|
<protocol>code_red</protocol>
|
|
441
|
<structure>action</structure>
|
|
442
|
<behaviour>block</behaviour>
|
|
443
|
</l7rules>
|
|
444
|
<l7rules>
|
|
445
|
<protocol>dayofdefeat-source</protocol>
|
|
446
|
<structure>action</structure>
|
|
447
|
<behaviour>block</behaviour>
|
|
448
|
</l7rules>
|
|
449
|
</container>
|
|
450
|
</l7shaper>
|
|
451
|
<installedpackages>
|
|
452
|
<carpsettings>
|
|
453
|
<config>
|
|
454
|
<pfsyncenabled>on</pfsyncenabled>
|
|
455
|
<pfsyncinterface>wan</pfsyncinterface>
|
|
456
|
<pfsyncpeerip/>
|
|
457
|
<synchronizerules/>
|
|
458
|
<synchronizeschedules/>
|
|
459
|
<synchronizealiases/>
|
|
460
|
<synchronizenat/>
|
|
461
|
<synchronizeipsec/>
|
|
462
|
<synchronizewol/>
|
|
463
|
<synchronizestaticroutes/>
|
|
464
|
<synchronizelb/>
|
|
465
|
<synchronizevirtualip/>
|
|
466
|
<synchronizetrafficshaper/>
|
|
467
|
<synchronizednsforwarder/>
|
|
468
|
<synchronizetoip/>
|
|
469
|
<password/>
|
|
470
|
</config>
|
|
471
|
</carpsettings>
|
|
472
|
</installedpackages>
|
|
473
|
</pfsense>
|