opnsense: system tunables (sysctl), one per line as "tunable = value: description"

vfs.read_max = default: Increase UFS read-ahead speeds to match the state of hard drives and NCQ.
net.inet.ip.portrange.first = default: Set the ephemeral port range to be lower.
net.inet.tcp.blackhole = default: Drop packets to closed TCP ports without returning a RST.
net.inet.udp.blackhole = default: Do not send ICMP port unreachable messages for closed UDP ports.
net.inet.ip.random_id = default: Randomize the ID field in IP packets.
net.inet.ip.sourceroute = default: Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It can also be used to probe for information about your internal networks. These functions come enabled as part of the standard FreeBSD core system.
net.inet.ip.accept_sourceroute = default: Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It can also be used to probe for information about your internal networks. These functions come enabled as part of the standard FreeBSD core system.
net.inet.icmp.log_redirect = default: This option turns off the logging of redirect packets, because there is no limit and this could fill up your logs, consuming your whole hard drive.
net.inet.tcp.drop_synfin = default: Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway).
net.inet6.ip6.redirect = default: Enable sending IPv6 redirects.
net.inet6.ip6.use_tempaddr = default: Enable privacy settings for IPv6 (RFC 4941).
net.inet6.ip6.prefer_tempaddr = default: Prefer privacy addresses and use them over the normal addresses.
net.inet.tcp.syncookies = default: Generate SYN cookies for outbound SYN-ACK packets.
net.inet.tcp.recvspace = default: Maximum incoming/outgoing TCP datagram size (receive).
net.inet.tcp.sendspace = default: Maximum incoming/outgoing TCP datagram size (send).
net.inet.tcp.delayed_ack = default: Do not delay ACK to try and piggyback it onto a data packet.
net.inet.udp.maxdgram = default: Maximum outgoing UDP datagram size.
net.link.bridge.pfil_onlyip = default: Handling of non-IP packets which are not passed to pfil (see if_bridge(4)).
net.link.bridge.pfil_local_phys = default: Set to 1 to additionally filter on the physical interface for locally destined packets.
net.link.bridge.pfil_member = default: Set to 0 to disable filtering on the incoming and outgoing member interfaces.
net.link.bridge.pfil_bridge = default: Set to 1 to enable filtering on the bridge interface.
net.link.tap.user_open = default: Allow unprivileged access to tap(4) device nodes.
kern.randompid = default: Randomize PIDs (see src/sys/kern/kern_fork.c: sysctl_kern_randompid()).
net.inet.ip.intr_queue_maxlen = default: Maximum size of the IP input queue.
hw.syscons.kbd_reboot = default: Disable CTRL+ALT+Delete reboot from keyboard.
hw.uart.console = default: Hint at default settings for serial console in case the autodetect is not working.
net.inet.tcp.log_debug = default: Enable TCP extended debugging.
net.inet.icmp.icmplim = default: Set ICMP limits.
net.inet.tcp.tso = default: TCP Offload Engine.
net.inet.udp.checksum = default: UDP checksums.
kern.ipc.maxsockbuf = default: Maximum socket buffer size.
vm.pmap.pti = default: Page Table Isolation (Meltdown mitigation, requires reboot).
hw.ibrs_disable = default: Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation).
security.bsd.see_other_gids = default: Hide processes running as other groups.
security.bsd.see_other_uids = default: Hide processes running as other users.
net.inet.ip.redirect = 0: Enable/disable sending of ICMP redirects in response to IP packets for which a better, and for the sender directly reachable, route and next hop is known.
net.inet.icmp.drop_redirect = 1: Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect packets without returning a response.
net.local.dgram.maxdgram = default: Maximum outgoing UDP datagram size.