config-pfSense.local-20091124200047.xml

Chris Buechler, 11/24/2009 03:03 PM

 
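<?xml version="1.0"?>
<!--
  pfSense configuration backup (config <version> 6.0, see below). The rendered
  listing had a gutter line number interleaved before every XML line, which made
  the document unparseable; those gutter lines are dropped here and the XML
  content itself is kept byte for byte. Comments were added for review only.

  Review summary (each point refers to values present in this file):
  * <system><webgui><protocol> is "http" and <ssl-certref/> is empty, so the
    admin GUI is served without TLS.
  * <system><enablesshd> is "enabled" and the admin user carries
    <priv>user-shell-access</priv>.
  * <system><user><password> contains a crypt(3) password hash; a backup like
    this is credential material and should be stored and shared as a secret.
  * The first <filter> rule passes any source to any destination on the WAN
    interface ("Allow all via pfSsh.php"), i.e. WAN is fully open inbound.
  * <snmpd><rocommunity> is "public", a well-known default read community.
  * <installedpackages><carpsettings> enables pfsync on the WAN interface with
    an empty peer IP and an empty sync password.
  * <gateways>: the opt1 gateway 192.16.5.3 does not lie inside opt1's
    192.168.16.1/24 network; this looks like a typo but is left unchanged.
  NOTE(review): hostname "pfSense", domain "local" and the 1.2.3.x sample
  addresses suggest a developer/test configuration; the points above describe
  the risk if this file were restored onto a production box as-is.
-->
<pfsense>
        <version>6.0</version>
        <lastchange/>
        <theme>pfsense_ng</theme>
        <!-- Kernel tunables applied at boot. Each <item> is desc/tunable/value. -->
        <sysctl>
                <item>
                        <desc>Set the ephemeral port range to be lower.</desc>
                        <tunable>net.inet.ip.portrange.first</tunable>
                        <value>1024</value>
                </item>
                <item>
                        <desc>Drop packets to closed TCP ports without returning a RST</desc>
                        <tunable>net.inet.tcp.blackhole</tunable>
                        <value>2</value>
                </item>
                <item>
                        <desc>Do not send ICMP port unreachable messages for closed UDP ports</desc>
                        <tunable>net.inet.udp.blackhole</tunable>
                        <value>1</value>
                </item>
                <item>
                        <desc>Randomize the ID field in IP packets (default is 0: sequential IP IDs)</desc>
                        <tunable>net.inet.ip.random_id</tunable>
                        <value>1</value>
                </item>
                <item>
                        <desc>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</desc>
                        <tunable>net.inet.tcp.drop_synfin</tunable>
                        <value>1</value>
                </item>
                <!-- NOTE(review): the next two items turn ICMP redirect *sending* on
                     (value 1). A firewall usually has no reason to emit redirects;
                     confirm this is intended rather than inherited from a stock list. -->
                <item>
                        <desc>Enable sending IPv4 redirects</desc>
                        <tunable>net.inet.ip.redirect</tunable>
                        <value>1</value>
                </item>
                <item>
                        <desc>Enable sending IPv6 redirects</desc>
                        <tunable>net.inet6.ip6.redirect</tunable>
                        <value>1</value>
                </item>
                <item>
                        <desc>Generate SYN cookies for outbound SYN-ACK packets</desc>
                        <tunable>net.inet.tcp.syncookies</tunable>
                        <value>1</value>
                </item>
                <item>
                        <desc>Maximum incoming/outgoing TCP datagram size (receive)</desc>
                        <tunable>net.inet.tcp.recvspace</tunable>
                        <value>65228</value>
                </item>
                <item>
                        <desc>Maximum incoming/outgoing TCP datagram size (send)</desc>
                        <tunable>net.inet.tcp.sendspace</tunable>
                        <value>65228</value>
                </item>
                <item>
                        <desc>IP Fastforwarding</desc>
                        <tunable>net.inet.ip.fastforwarding</tunable>
                        <value>1</value>
                </item>
                <item>
                        <desc>Do not delay ACK to try and piggyback it onto a data packet</desc>
                        <tunable>net.inet.tcp.delayed_ack</tunable>
                        <value>0</value>
                </item>
                <item>
                        <desc>Maximum outgoing UDP datagram size</desc>
                        <tunable>net.inet.udp.maxdgram</tunable>
                        <value>57344</value>
                </item>
                <item>
                        <desc>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</desc>
                        <tunable>net.link.bridge.pfil_onlyip</tunable>
                        <value>0</value>
                </item>
                <item>
                        <desc>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</desc>
                        <tunable>net.link.bridge.pfil_member</tunable>
                        <value>1</value>
                </item>
                <item>
                        <desc>Set to 1 to enable filtering on the bridge interface</desc>
                        <tunable>net.link.bridge.pfil_bridge</tunable>
                        <value>0</value>
                </item>
                <!-- NOTE(review): value 1 lets unprivileged users open tap(4) nodes
                     (per the desc). Keep only if a local service depends on it. -->
                <item>
                        <desc>Allow unprivileged access to tap(4) device nodes</desc>
                        <tunable>net.link.tap.user_open</tunable>
                        <value>1</value>
                </item>
                <item>
                        <desc>Verbosity of the rndtest driver (0: do not display results on console)</desc>
                        <tunable>kern.rndtest.verbose</tunable>
                        <value>0</value>
                </item>
                <item>
                        <desc>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</desc>
                        <tunable>kern.randompid</tunable>
                        <value>347</value>
                </item>
                <item>
                        <desc>Maximum size of the IP input queue</desc>
                        <tunable>net.inet.ip.intr_queue_maxlen</tunable>
                        <value>1000</value>
                </item>
                <item>
                        <desc>Disable CTRL+ALT+Delete reboot from keyboard.</desc>
                        <tunable>hw.syscons.kbd_reboot</tunable>
                        <value>0</value>
                </item>
                <item>
                        <desc>Enable TCP Inflight mode</desc>
                        <tunable>net.inet.tcp.inflight.enable</tunable>
                        <value>1</value>
                </item>
                <item>
                        <desc>Enable TCP extended debugging</desc>
                        <tunable>net.inet.tcp.log_debug</tunable>
                        <value>0</value>
                </item>
                <item>
                        <desc>Set ICMP Limits</desc>
                        <tunable>net.inet.icmp.icmplim</tunable>
                        <value>750</value>
                </item>
                <item>
                        <desc>TCP Offload Engine</desc>
                        <tunable>net.inet.tcp.tso</tunable>
                        <value>0</value>
                </item>
                <item>
                        <desc>TCP Offload Engine - BCE</desc>
                        <tunable>hw.bce.tso_enable</tunable>
                        <value>0</value>
                </item>
        </sysctl>
        <system>
                <optimization>normal</optimization>
                <hostname>pfSense</hostname>
                <domain>local</domain>
                <dnsserver/>
                <dnsallowoverride/>
                <group>
                        <name>all</name>
                        <description>All Users</description>
                        <scope>system</scope>
                        <gid>1998</gid>
                        <member>0</member>
                </group>
                <group>
                        <name>admins</name>
                        <description>System Administrators</description>
                        <scope>system</scope>
                        <gid>1999</gid>
                        <member>0</member>
                        <priv>page-all</priv>
                </group>
                <!-- Built-in admin account (uid 0, member of "admins" which holds
                     page-all). The <password> value is a crypt(3) hash and is the
                     sensitive part of this backup. NOTE(review): it appears to be the
                     stock pfSense default admin hash; confirm and rotate before any
                     non-test use. -->
                <user>
                        <name>admin</name>
                        <fullname>System Administrator</fullname>
                        <scope>system</scope>
                        <groupname>admins</groupname>
                        <password>$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.</password>
                        <uid>0</uid>
                        <priv>user-shell-access</priv>
                </user>
                <nextuid>2000</nextuid>
                <nextgid>2000</nextgid>
                <timezone>Etc/UTC</timezone>
                <time-update-interval>300</time-update-interval>
                <timeservers>0.pfsense.pool.ntp.org</timeservers>
                <!-- Web GUI over plain http with no certificate reference: admin
                     credentials and session cookies cross the wire in cleartext. -->
                <webgui>
                        <protocol>http</protocol>
                        <port/>
                        <ssl-certref/>
                </webgui>
                <disablenatreflection>yes</disablenatreflection>
                <cert/>
                <!-- sshd is enabled; combined with user-shell-access on "admin" this
                     is a second remote administrative path to account for. -->
                <enablesshd>enabled</enablesshd>
        </system>
        <interfaces>
                <lan>
                        <descr/>
                        <if>em1</if>
                </lan>
                <opt1>
                        <descr>OPT1</descr>
                        <if>em3</if>
                        <spoofmac/>
                        <ipaddr>192.168.16.1</ipaddr>
                        <subnet>24</subnet>
                </opt1>
                <wan>
                        <if>em0</if>
                        <mtu/>
                        <ipaddr>dhcp</ipaddr>
                        <subnet/>
                        <gateway/>
                        <!-- Empty elements such as <blockbogons/> are presumably
                             boolean-by-presence flags in this format (TODO confirm). -->
                        <blockbogons/>
                        <dhcphostname/>
                        <media/>
                        <mediaopt/>
                        <bandwidth>100</bandwidth>
                        <bandwidthtype>Mb</bandwidthtype>
                        <descr>WAN</descr>
                </wan>
        </interfaces>
        <staticroutes/>
        <pppoe>
                <username/>
                <password/>
                <provider/>
        </pppoe>
        <pptp>
                <username/>
                <password/>
                <local/>
                <subnet/>
                <remote/>
        </pptp>
        <dhcpd/>
        <pptpd>
                <mode/>
                <redir/>
                <localip/>
                <remoteip/>
        </pptpd>
        <ovpn/>
        <dnsmasq>
                <enable/>
                <!-- Two overrides for the same domain (test.com) with different
                     forwarder IPs; presumably deliberate (multiple forwarders),
                     verify rather than assume the second is a stale copy. -->
                <domainoverrides>
                        <domain>test.com</domain>
                        <ip>1.2.3.4</ip>
                        <descr/>
                </domainoverrides>
                <domainoverrides>
                        <domain>test.com</domain>
                        <ip>1.2.3.5</ip>
                        <descr/>
                </domainoverrides>
        </dnsmasq>
        <!-- Read-only community is the well-known default "public"; no enable
             flag is visible here, so whether snmpd actually runs cannot be told
             from this file alone. -->
        <snmpd>
                <syslocation/>
                <syscontact/>
                <rocommunity>public</rocommunity>
        </snmpd>
        <diag>
                <ipv6nat>
                        <ipaddr/>
                </ipv6nat>
        </diag>
        <bridge/>
        <syslog/>
        <filter>
                <!-- Rule 1: pass, interface wan, any source to any destination, no
                     protocol restriction. Per its descr it was added via pfSsh.php.
                     This makes the WAN side fully open inbound. -->
                <rule>
                        <type>pass</type>
                        <interface>wan</interface>
                        <source>
                                <any/>
                        </source>
                        <destination>
                                <any/>
                        </destination>
                        <statetype>keep state</statetype>
                        <os/>
                        <descr>Allow all via pfSsh.php</descr>
                </rule>
                <!-- Rule 2: pass tcp any to any on opt1. -->
                <rule>
                        <id/>
                        <type>pass</type>
                        <interface>opt1</interface>
                        <max-src-nodes/>
                        <max-src-states/>
                        <statetimeout/>
                        <statetype>keep state</statetype>
                        <os/>
                        <protocol>tcp</protocol>
                        <source>
                                <any/>
                        </source>
                        <destination>
                                <any/>
                        </destination>
                        <descr>OPT1 rule</descr>
                </rule>
        </filter>
        <ipsec>
                <preferredoldsa/>
        </ipsec>
        <aliases/>
        <proxyarp/>
        <!-- Scheduled jobs, all run as root. -->
        <cron>
                <item>
                        <minute>0</minute>
                        <hour>*</hour>
                        <mday>*</mday>
                        <month>*</month>
                        <wday>*</wday>
                        <who>root</who>
                        <command>/usr/bin/nice -n20 newsyslog</command>
                </item>
                <item>
                        <minute>1,31</minute>
                        <hour>0-5</hour>
                        <mday>*</mday>
                        <month>*</month>
                        <wday>*</wday>
                        <who>root</who>
                        <command>/usr/bin/nice -n20 adjkerntz -a</command>
                </item>
                <item>
                        <minute>1</minute>
                        <hour>3</hour>
                        <mday>1</mday>
                        <month>*</month>
                        <wday>*</wday>
                        <who>root</who>
                        <command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
                </item>
                <!-- NOTE(review): a minute field of "*/60" exceeds the 0..59 range;
                     on common cron implementations it fires once an hour at :00,
                     which is presumably the intent. -->
                <item>
                        <minute>*/60</minute>
                        <hour>*</hour>
                        <mday>*</mday>
                        <month>*</month>
                        <wday>*</wday>
                        <who>root</who>
                        <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
                </item>
                <item>
                        <minute>1</minute>
                        <hour>1</hour>
                        <mday>*</mday>
                        <month>*</month>
                        <wday>*</wday>
                        <who>root</who>
                        <command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
                </item>
                <item>
                        <minute>*/60</minute>
                        <hour>*</hour>
                        <mday>*</mday>
                        <month>*</month>
                        <wday>*</wday>
                        <who>root</who>
                        <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
                </item>
                <item>
                        <minute>*/5</minute>
                        <hour>*</hour>
                        <mday>*</mday>
                        <month>*</month>
                        <wday>*</wday>
                        <who>root</who>
                        <command>/usr/bin/nice -n20 /usr/local/bin/checkreload.sh</command>
                </item>
                <item>
                        <minute>*/5</minute>
                        <hour>*</hour>
                        <mday>*</mday>
                        <month>*</month>
                        <wday>*</wday>
                        <who>root</who>
                        <command>/usr/bin/nice -n20 /etc/ping_hosts.sh</command>
                </item>
        </cron>
        <wol/>
        <rrd>
                <enable/>
        </rrd>
        <load_balancer>
                <monitor_type>
                        <name>ICMP</name>
                        <type>icmp</type>
                        <desc>ICMP</desc>
                        <options/>
                </monitor_type>
                <monitor_type>
                        <name>TCP</name>
                        <type>tcp</type>
                        <desc>Generic TCP</desc>
                        <options/>
                </monitor_type>
                <monitor_type>
                        <name>HTTP</name>
                        <type>http</type>
                        <desc>Generic HTTP</desc>
                        <options>
                                <path>/</path>
                                <host/>
                                <code>200</code>
                        </options>
                </monitor_type>
                <monitor_type>
                        <name>HTTPS</name>
                        <type>https</type>
                        <desc>Generic HTTPS</desc>
                        <options>
                                <path>/</path>
                                <host/>
                                <code>200</code>
                        </options>
                </monitor_type>
                <monitor_type>
                        <name>SMTP</name>
                        <type>send</type>
                        <desc>Generic SMTP</desc>
                        <options>
                                <send>EHLO nosuchhost</send>
                                <expect>250-</expect>
                        </options>
                </monitor_type>
        </load_balancer>
        <!-- Last change recorded in this backup; <time> is a Unix epoch value. -->
        <revision>
                <description>Gateways: removed gateway 0</description>
                <time>1259092834</time>
        </revision>
        <gateways>
                <!-- NOTE(review): gateway 192.16.5.3 is outside opt1's configured
                     192.168.16.1/24; probably a typo for a 192.168.16.x address.
                     Left unchanged because the intended value cannot be inferred. -->
                <gateway_item>
                        <interface>opt1</interface>
                        <name>opt1</name>
                        <gateway>192.16.5.3</gateway>
                        <descr/>
                        <monitor>1.2.3.4</monitor>
                </gateway_item>
        </gateways>
        <dnshaper/>
        <l7shaper>
                <container>
                        <name>Test</name>
                        <enabled>on</enabled>
                        <description>test</description>
                        <divert_port>57142</divert_port>
                        <l7rules>
                                <protocol>bittorrent</protocol>
                                <structure>action</structure>
                                <behaviour>block</behaviour>
                        </l7rules>
                        <l7rules>
                                <protocol>code_red</protocol>
                                <structure>action</structure>
                                <behaviour>block</behaviour>
                        </l7rules>
                        <l7rules>
                                <protocol>dayofdefeat-source</protocol>
                                <structure>action</structure>
                                <behaviour>block</behaviour>
                        </l7rules>
                </container>
        </l7shaper>
        <installedpackages>
                <!-- pfsync is on, bound to the WAN interface, with no peer IP and
                     an empty password. State-sync traffic would leave on the
                     untrusted side; a dedicated sync interface is the usual
                     arrangement. Confirm this is a test-only setting. -->
                <carpsettings>
                        <config>
                                <pfsyncenabled>on</pfsyncenabled>
                                <pfsyncinterface>wan</pfsyncinterface>
                                <pfsyncpeerip/>
                                <synchronizerules/>
                                <synchronizeschedules/>
                                <synchronizealiases/>
                                <synchronizenat/>
                                <synchronizeipsec/>
                                <synchronizewol/>
                                <synchronizestaticroutes/>
                                <synchronizelb/>
                                <synchronizevirtualip/>
                                <synchronizetrafficshaper/>
                                <synchronizednsforwarder/>
                                <synchronizetoip/>
                                <password/>
                        </config>
                </carpsettings>
        </installedpackages>
</pfsense>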