lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-14 08:34:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
core/src/etc/config.xml.sample
Franco Fichtner ed59098b70 config: strip harmess transformations from sample 
o comment blocks filled arrays disappear
o empty array tags disappear
o empty value tags collapse

This only leaves comment blocks in empty tags, which create
whitespace noise, which fucks up the config.xml real bad,
rippling through to the code that deal with is_array, isset
and actual = array() assignments to fix the faulty config.
Will clean this up one by one later.
2015-09-20 09:31:55 +02:00

463 lines
14 KiB
XML
Raw Blame History

<?xml version="1.0"?>
<opnsense>
<trigger_initial_wizard/>
<version>11.2</version>
<theme>opnsense</theme>
<sysctl>
<item>
<descr><![CDATA[Disable the pf ftp proxy handler.]]></descr>
<tunable>debug.pfftpproxy</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Increase UFS read-ahead speeds to match current state of hard drives and NCQ. More information here: http://ivoras.sharanet.org/blog/tree/2010-11-19.ufs-read-ahead.html]]></descr>
<tunable>vfs.read_max</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Set the ephemeral port range to be lower.]]></descr>
<tunable>net.inet.ip.portrange.first</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Drop packets to closed TCP ports without returning a RST]]></descr>
<tunable>net.inet.tcp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Do not send ICMP port unreachable messages for closed UDP ports]]></descr>
<tunable>net.inet.udp.blackhole</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Randomize the ID field in IP packets (default is 0: sequential IP IDs)]]></descr>
<tunable>net.inet.ip.random_id</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
]]></descr>
<tunable>net.inet.ip.sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
]]></descr>
<tunable>net.inet.ip.accept_sourceroute</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
packets without returning a response.
]]></descr>
<tunable>net.inet.icmp.drop_redirect</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[
This option turns off the logging of redirect packets because there is no limit and this could fill
up your logs consuming your whole hard drive.
]]></descr>
<tunable>net.inet.icmp.log_redirect</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)]]></descr>
<tunable>net.inet.tcp.drop_synfin</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Enable sending IPv4 redirects]]></descr>
<tunable>net.inet.ip.redirect</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Enable sending IPv6 redirects]]></descr>
<tunable>net.inet6.ip6.redirect</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Enable privacy settings for IPv6 (RFC 4941)]]></descr>
<tunable>net.inet6.ip6.use_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Prefer privacy addresses and use them over the normal addresses]]></descr>
<tunable>net.inet6.ip6.prefer_tempaddr</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Generate SYN cookies for outbound SYN-ACK packets]]></descr>
<tunable>net.inet.tcp.syncookies</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Maximum incoming/outgoing TCP datagram size (receive)]]></descr>
<tunable>net.inet.tcp.recvspace</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Maximum incoming/outgoing TCP datagram size (send)]]></descr>
<tunable>net.inet.tcp.sendspace</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[IP Fastforwarding]]></descr>
<tunable>net.inet.ip.fastforwarding</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Do not delay ACK to try and piggyback it onto a data packet]]></descr>
<tunable>net.inet.tcp.delayed_ack</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Maximum outgoing UDP datagram size]]></descr>
<tunable>net.inet.udp.maxdgram</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Handling of non-IP packets which are not passed to pfil (see if_bridge(4))]]></descr>
<tunable>net.link.bridge.pfil_onlyip</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Set to 0 to disable filtering on the incoming and outgoing member interfaces.]]></descr>
<tunable>net.link.bridge.pfil_member</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Set to 1 to enable filtering on the bridge interface]]></descr>
<tunable>net.link.bridge.pfil_bridge</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Allow unprivileged access to tap(4) device nodes]]></descr>
<tunable>net.link.tap.user_open</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())]]></descr>
<tunable>kern.randompid</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Maximum size of the IP input queue]]></descr>
<tunable>net.inet.ip.intr_queue_maxlen</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Disable CTRL+ALT+Delete reboot from keyboard.]]></descr>
<tunable>hw.syscons.kbd_reboot</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Enable TCP extended debugging]]></descr>
<tunable>net.inet.tcp.log_debug</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Set ICMP Limits]]></descr>
<tunable>net.inet.icmp.icmplim</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[TCP Offload Engine]]></descr>
<tunable>net.inet.tcp.tso</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[UDP Checksums]]></descr>
<tunable>net.inet.udp.checksum</tunable>
<value>default</value>
</item>
<item>
<descr><![CDATA[Maximum socket buffer size]]></descr>
<tunable>kern.ipc.maxsockbuf</tunable>
<value>default</value>
</item>
</sysctl>
<system>
<optimization>normal</optimization>
<hostname>OPNsense</hostname>
<domain>localdomain</domain>
<dnsallowoverride/>
<group>
<name>admins</name>
<description><![CDATA[System Administrators]]></description>
<scope>system</scope>
<gid>1999</gid>
<member>0</member>
<priv>page-all</priv>
</group>
<user>
<name>root</name>
<descr><![CDATA[System Administrator]]></descr>
<scope>system</scope>
<groupname>admins</groupname>
<password>$6$$Y8Et6wWDdXO2tJZRabvSfQvG2Lc8bAS6D9COIsMXEJ2KjA27wqDuAyd/CdazBQc3H3xQX.JXMKxJeRz2OqTkl.</password>
<uid>0</uid>
<priv>user-shell-access</priv>
</user>
<nextuid>2000</nextuid>
<nextgid>2000</nextgid>
<timezone>Europe/Amsterdam</timezone>
<time-update-interval>300</time-update-interval>
<timeservers>0.nl.pool.ntp.org</timeservers>
<webgui>
<protocol>https</protocol>
</webgui>
<disablenatreflection>yes</disablenatreflection>
<disableconsolemenu/>
<disablesegmentationoffloading/>
<disablelargereceiveoffloading/>
<ipv6allow/>
<powerd_ac_mode>hadp</powerd_ac_mode>
<powerd_battery_mode>hadp</powerd_battery_mode>
<powerd_normal_mode>hadp</powerd_normal_mode>
<bogons>
<interval>monthly</interval>
</bogons>
<kill_states/>
</system>
<interfaces>
<wan>
<enable/>
<if>mismatch1</if>
<mtu/>
<ipaddr>dhcp</ipaddr>
<ipaddrv6>dhcp6</ipaddrv6>
<subnet/>
<gateway/>
<blockpriv/>
<blockbogons/>
<dhcphostname></dhcphostname>
<media/>
<mediaopt/>
<dhcp6-duid/>
<dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
</wan>
<lan>
<enable/>
<if>mismatch0</if>
<ipaddr>192.168.1.1</ipaddr>
<subnet>24</subnet>
<ipaddrv6>track6</ipaddrv6>
<subnetv6>64</subnetv6>
<media/>
<mediaopt/>
<track6-interface>wan</track6-interface>
<track6-prefix-id>0</track6-prefix-id>
</lan>
</interfaces>
<staticroutes>
<!--
<route>
<interface>lan|opt[n]|pptp</interface>
<network>xxx.xxx.xxx.xxx/xx</network>
<gateway>xxx.xxx.xxx.xxx</gateway>
<descr></descr>
</route>
-->
</staticroutes>
<dhcpd>
<lan>
<enable/>
<range>
<from>192.168.1.100</from>
<to>192.168.1.199</to>
</range>
</lan>
</dhcpd>
<pptpd>
<mode/>
<redir/>
<localip/>
<remoteip/>
</pptpd>
<dnsmasq>
<enable/>
</dnsmasq>
<snmpd>
<syslocation/>
<syscontact/>
<rocommunity>public</rocommunity>
</snmpd>
<diag>
<ipv6nat>
<ipaddr/>
</ipv6nat>
</diag>
<bridge>
<!-- <filteringbridge/> -->
</bridge>
<syslog>
<reverse/>
</syslog>
<nat>
<outbound>
<mode>automatic</mode>
</outbound>
</nat>
<filter>
<rule>
<type>pass</type>
<ipprotocol>inet</ipprotocol>
<descr><![CDATA[Default allow LAN to any rule]]></descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
<rule>
<type>pass</type>
<ipprotocol>inet6</ipprotocol>
<descr><![CDATA[Default allow LAN IPv6 to any rule]]></descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
</filter>
<proxyarp>
<!--
<proxyarpnet>
<network>xxx.xxx.xxx.xxx/xx</network>
*or*
<range>
<from>xxx.xxx.xxx.xxx</from>
<to>xxx.xxx.xxx.xxx</to>
</range>
</proxyarpnet>
-->
</proxyarp>
<cron>
<item>
<minute>1,31</minute>
<hour>0-5</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>adjkerntz -a</command>
</item>
<item>
<minute>1</minute>
<hour>3</hour>
<mday>1</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/local/etc/rc.update_bogons</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
</item>
<item>
<minute>1</minute>
<hour>1</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/local/etc/rc.dyndns.update</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/local/sbin/expiretable -v -t 3600 virusprot</command>
</item>
<item>
<minute>30</minute>
<hour>12</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/local/etc/rc.update_urltables</command>
</item>
</cron>
<wol>
<!--
<wolentry>
<interface>lan|opt[n]</interface>
<mac>xx:xx:xx:xx:xx:xx</mac>
<descr></descr>
</wolentry>
-->
</wol>
<rrd>
<enable/>
</rrd>
<load_balancer>
<monitor_type>
<name>ICMP</name>
<type>icmp</type>
<descr><![CDATA[ICMP]]></descr>
<options/>
</monitor_type>
<monitor_type>
<name>TCP</name>
<type>tcp</type>
<descr><![CDATA[Generic TCP]]></descr>
<options/>
</monitor_type>
<monitor_type>
<name>HTTP</name>
<type>http</type>
<descr><![CDATA[Generic HTTP]]></descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>HTTPS</name>
<type>https</type>
<descr><![CDATA[Generic HTTPS]]></descr>
<options>
<path>/</path>
<host/>
<code>200</code>
</options>
</monitor_type>
<monitor_type>
<name>SMTP</name>
<type>send</type>
<descr><![CDATA[Generic SMTP]]></descr>
<options>
<send/>
<expect>220 *</expect>
</options>
</monitor_type>
</load_balancer>
<widgets>
<sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interface_list-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence>
</widgets>
</opnsense>
Reference in New Issue View Git Blame Copy Permalink