pfSense

Update config.xml to 5.5 to prevent RRD database conversion from triggering.
add rrd tag to default enabled

change default to enable block bogons

Add TCP TSO = 0 sysctl

Change default icmplim to 750.

Revise default allow all to any rule text. Remove > and attempt to cleanup
text to make it more friendly to a new user.

Remove the page locking privileges after discussion with Scott on IRC. The
feature was confusing and offered little utility that I could see. If we
really need to provide serialized access to sections of the webui, IMO it
should be a global lock option and enabled or disabled manually and not a...

Modify all the default configuration files to ensure the versions match.
While in globals.inc, remove the easyrsa path and do some whitespace
cleanup.

Set net.inet.icmp.icmplim to 500. Apparently the low setting of 200
wrecked Seths firewall on upgrade due to overwhelming amounts of icmp
packets.

Move WAN interface to appear first now that the interface code
programatically enumerates the interfaces. Not sure if we need
upgrade code to move the interface order.

Disable extended TCP debugging.

Sync to new config version number.

Epose if_bridge(4) sysctl members.

Rewrite the pfsense privilege system with the following goals in mind ...

1) Redefine page privileges to not use static urls
2) Accurate generation of privilege definitions from source
3) Merging the user and group privileges into a single set
4) Allow any privilege to be added to users or groups w/ inheritance...

• Switch XML tag from </pages> to <pages/>
• Sync the all group which appears to be missing

latest config.xml version is 4.9

Add TCP Inflight

Remove unused tag.

Unbreak package manager

Add missing bits from HEAD.

Switch over to the newly provisioned 0.pfsense.pool.ntp.org which
ntp.org has graciously setup for pfSense.

Really disable CTRL+ALT+DELETE.

Disable CTRL+ALT+DELETE reboot sequence on keyboard.

Admnins commonly have to press this sequence to login to winderz boxen and
if you have a shared KVM you might accidently reboot your firewall.

Revert previous patch to retain compatibility in the GUI.

Add defualt pass rule on lan interface and remove it from config.
It is a default policy so lets keep it with defaults and let the user override it when pleases.

Remove it from here since it is part of the default policy and allow that on a new installation,...

Move update bogons script to 3am.

Discussed on pfSense-support@

• Download bogons entries from pfsense.com
• Do not update on every minute on the 1st of the month
• Sleep for a random period before updating to avoid killing the server

Increase net.inet.ip.intr_queue_maxlen to 1000 which is the IP input queue.

Reset slbd every 140 minutes as opposed to 300 minutes.

Set the ephemeral port range starting port to 1024 instead of 49152.

On a busy firewall it is possible to run out of ephemeral ports and then the system will block new connections until a port is available.

s/bin/sbin/

Reset SLBD every 5 hours to avoid 100% cpu utilization

Ticket #1316

We need to expire entries every hour, not every half hour. (snort)

Add overlooked sysctl's.

Add system tunables area which allows the user to fine control sysctl's.

Oops, we need /etc/ping_hosts.sh to run every 5 minutes.

Add NTP server field to dhcp config.
From: Alexander Schaber

We actually have 2.9 has the default now.

• Bump config version to 2.8
• Automatically install a IPSEC pass rule for unsuspecting users

Backport cron handling from HEAD.

Patches-submitted-by: DSH@

Change default theme to nervecenter.

No objections from any of the 13 other people in IRC. Make it so.

Disable NAT reflection by default.

Set theme back to metallic and avoid the lynching

Change default theme back to pfsense.

Some people claim the fancy metallic theme is slower.

See http://forums.whirlpool.net.au/forum-replies-archive.cfm/436523.html

Change back to sis0 and sis1 for embedded. CDROM platform and other will pull in conf.defaults which is set for VMWARE if need be.

Change the default interface setup in PC version to vmware.

Do not enable SSHD by default.

Ticket #682

Disable FTP proxy helper on WAN by default

1.10 -> 2.0

Bump config version to 1.9

Allow SSH service to be disabled / enabled.

Turn off raw filter for new installs

3 out of 4 kids agree, metallic is a better theme!

Enable ipsec passthrough by default

Turn on prefer older sa's by default

Default to "raw" logging until the loging parsing items are updated.

Switch default optimization method to normal. For some reason "default" does not work even though "Building firewalls with OpenBSD and PF" claims it does.

Allow for the user to customize the pf optimization options in the system -> advanced menu. the default is normal.

Commit what I have so far. Magic shaper now works 100% .. or atleast appears to!

switch xml format over to pfsense header and footer. time to break away from m0n0walls configuration since ours is a little different now.

Move schedulertype configuration setting to system since we have switched to one scheduler per system.

Change default password to pfsense

Change ntp interval to 300 in alternate config file

Change time update interval to 400.

Requested-by: B.Kharazmi

revert back to m0n0wall header and footer for xml config files. this will keep us partly compatible with m0n0wall -> pfSense upgraders

Say welcome to the pfSense package manager!

change default scheduler type to hfsc

change hostname to pfSense

Initial revision