Remove bce item it is loader.conf only per jimp
Add missing </item>
oops, typo
Increase vfs.read_max to 32. See http://ivoras.sharanet.org/blog/tree/2010-11-19.ufs-read-ahead.html .. This can help dramatically if using Squid or any other package that does a lot of hard disk reads.
Convert fullname field on users to descr, so it gains CDATA protection.
desc to descr in Load Balancer config, so they gain CDATA protection and standardize field names. Ticket #320.
Change the description field on sysctl tunables to be 'descr' and not 'desc' so they will gain CDATA protection. Ticket #320
Upgrade code for pppoe.
Disable TSO and LRO in the default config.
Remove these from the default config. They moved into other sections and do not need to exist by default.
Fix variable name for consistency.
Remove associated rule-id from default config they confuse rule edit page.
Remove bandwidth tags from default config they are not used.
Don't use "local" as a domain. It breaks DNS resolution for hosts running mDNS.
The "local" search domain signifies to local hosts that are running mDNS (bonjour or avahi) that mDNS is to be used to look up local hosts instead of doing a normal DNS query to the server listed in...
Fix whitespace.
Enable WAN and LAN in the default configuration.
Make lan/wan behave as all other interfaces.
ping_hosts.sh is no more in /etc. Remove some unneeded lines.
Ticket #136.
Fix associated nat rules. Now both the filter rules and the nat ones contain an associated-rule-id tag which helps link the items together. The API to use for this is in itemid.inc.
All the issues should be solved now.
Add patch from lietu (Janne Enberg). Ticket #136
1) Multiple NAT rules can be assigned the same filter rule -> Fixed, added assigned-nat-rule-id to filter rules to keep track of the assignment
2) when removing the link (i.e. switching to "pass" or "none", the linked rule isn't deleted (should it be? probably yes)...
Add lookup table for sysctl tunable (sysctl.inc). Make config.xml values default to value 'default' Ticket #71
Minor formatting change
Set default protocol to HTTPS. Somehow this commit did not make it last time
Make the default HTTPS. Ticket #63
Default to only system information and interfaces widgets. This reduces load time on RSPRO from 9+ seconds to 2.5
Add default load balancing monitor types for ICMP, TCP, HTTP, HTTPS and SMTP from BillM
Revert "add crontab entries for snort auto block and snort update"
This reverts commit b0d639a5e7880ee55c671cbabdb01cd0f1ae1b38.
add crontab entries for snort auto block and snort update
Added support for automatically managing firewall rules with NAT rules.
Turn off flowtables by default
Enable flow table support by default for new installations
Add enable/disable option for flow table support... Remove configuration option.
Make pfSense_ng the new default theme
Nuke snort2c
Requested-by: rob iscool
Add L2 L3 Cache lookup by default.
- Import infrastructure for caching flows as a means of accelerating L3 and L2 lookups as well as providing stateful load balancing when used with RADIX_MPATH. - Currently compiled in to i386 and amd64 but disabled by default, it can be enabled at...
default to vr0/vr1 rather than sis, since the defaults should be for ALIX, not WRAP.
Remove reset_slbd.sh from cron.
Catch up with the latest additions.
Remove ftp-proxy/pftpx/ftpsesame references we handle all of this in kernel now. (yay!)
Modify IPsec code to allow for transport mode. All existing configurations are marked as tunnel for backwards compatibility. There are problems with the spdread code which will likely choke on transport entries. We can fix this later.
Modify captive portal to use centralized user management. The user manager has been modified to include an account expiration option to support this service.
Correct the configuration file IPsec certificate upgrade process.
Use nice -n20 for common launched items
Update config.xml to 5.5 to prevent RRD database updates from triggering. add rrd tag to default enabled
change default to enable block bogons
Add TCP TSO = 0 sysctl
Change default icmplim to 750.
Revise default allow all to any rule text. Remove > and attempt to cleanup text to make it more friendly to a new user.
Remove the page locking privileges after discussion with Scott on IRC. The feature was confusing and offered little utility that I could see. If we really need to provide serialized access to sections of the webui, IMO it should be a global lock option and enabled or disabled manually and not a...
Modify all the default configuration files to ensure the versions match. While in globals.inc, remove the easyrsa path and do some whitespace cleanup.
Set net.inet.icmp.icmplim to 500. Apparently the low setting of 200 wrecked Seth's firewall on upgrade due to overwhelming amounts of icmp packets.
Move WAN interface to appear first now that the interface code programmatically enumerates the interfaces. Not sure if we need upgrade code to move the interface order.
Disable extended TCP debugging.
Expose if_bridge(4) sysctl members.
Rewrite the pfsense privilege system with the following goals in mind ...
1) Redefine page privileges to not use static urls
2) Accurate generation of privilege definitions from source
3) Merging the user and group privileges into a single set
4) Allow any privilege to be added to users or groups w/ inheritance...
latest config.xml version is 4.9
Rewrite portions of the user manager to ensure data is properly synced to the system password and group databases. This is to provide better support for centralized user management when local account administration is preferred.
I also took this opportunity to do some housekeeping. A lot of functions...
Add TCP Inflight
re-enable the sending of ICMP redirects by default
Remove unused tag.
Unbreak package manager
Add missing bits from HEAD.
Switch over to the newly provisioned 0.pfsense.pool.ntp.org which ntp.org has graciously setup for pfSense.
Really disable CTRL+ALT+DELETE.
Disable CTRL+ALT+DELETE reboot sequence on keyboard.
Admins commonly have to press this sequence to login to winderz boxen and if you have a shared KVM you might accidentally reboot your firewall.
Move update bogons script to 3am.
Discussed on pfSense-support@
Increase net.inet.ip.intr_queue_maxlen to 1000 which is the IP input queue.
Reset slbd every 140 minutes as opposed to 300 minutes.
Set the ephemeral port range starting port to 1024 instead of 49152.
On a busy firewall it is possible to run out of ephemeral ports and then the system will block new connections until a port is available.
s/bin/sbin/
Reset SLBD every 5 hours to avoid 100% cpu utilization
Ticket #1316
We need to expire entries every hour, not every half hour. (snort)
Add overlooked sysctl's.
Add system tunables area which allows the user to fine control sysctl's.
Oops, we need /etc/ping_hosts.sh to run every 5 minutes.
Add NTP server field to dhcp config. From: Alexander Schaber
We actually have 2.9 as the default now.
Backport cron handling from HEAD.
Patches-submitted-by: DSH@
Change default theme to nervecenter.
No objections from any of the 13 other people in IRC. Make it so.
Disable NAT reflection by default.
Change back to sis0 and sis1 factory defaults
Set theme back to metallic and avoid the lynching
Change default theme back to pfsense.
Some people claim the fancy metallic theme is slower.
See http://forums.whirlpool.net.au/forum-replies-archive.cfm/436523.html
Change default interfaces to vmware (lnc0 lnc1) for PC version
Do not enable SSHD by default.
Ticket #682
Disable FTP proxy helper on WAN by default
Remove ability to change schedulertype - we're only supporting HFSC for now - priq may come back in future, the return of CBQ is unlikely
1.10 -> 2.0
Bump config version to 1.9
Allow SSH service to be disabled / enabled.
Turn off raw filter for new installs
3 out of 4 kids agree, metallic is a better theme!
Enable ipsec passthrough by default
Turn on prefer older sa's by default
Default to "raw" logging until the logging parsing items are updated.
Switch default optimization method to normal. For some reason "default" does not work even though "Building firewalls with OpenBSD and PF" claims it does.
Allow for the user to customize the pf optimization options in the system -> advanced menu. the default is normal.