11.2opnsenseDisable the pf ftp proxy handler.debug.pfftpproxydefaultIncrease UFS read-ahead speeds to match current state of hard drives and NCQ. More information here: http://ivoras.sharanet.org/blog/tree/2010-11-19.ufs-read-ahead.htmlvfs.read_maxdefaultSet the ephemeral port range to be lower.net.inet.ip.portrange.firstdefaultDrop packets to closed TCP ports without returning a RSTnet.inet.tcp.blackholedefaultDo not send ICMP port unreachable messages for closed UDP portsnet.inet.udp.blackholedefaultRandomize the ID field in IP packets (default is 0: sequential IP IDs)net.inet.ip.random_iddefault
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
net.inet.ip.sourceroutedefault
Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
It can also be used to probe for information about your internal networks. These functions come enabled
as part of the standard FreeBSD core system.
net.inet.ip.accept_sourceroutedefault
Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
packets without returning a response.
net.inet.icmp.drop_redirectdefault
This option turns off the logging of redirect packets because there is no limit and this could fill
up your logs consuming your whole hard drive.
net.inet.icmp.log_redirectdefaultDrop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)net.inet.tcp.drop_synfindefaultEnable sending IPv4 redirectsnet.inet.ip.redirectdefaultEnable sending IPv6 redirectsnet.inet6.ip6.redirectdefaultEnable privacy settings for IPv6 (RFC 4941)net.inet6.ip6.use_tempaddrdefaultPrefer privacy addresses and use them over the normal addressesnet.inet6.ip6.prefer_tempaddrdefaultGenerate SYN cookies for outbound SYN-ACK packetsnet.inet.tcp.syncookiesdefaultMaximum incoming/outgoing TCP datagram size (receive)net.inet.tcp.recvspacedefaultMaximum incoming/outgoing TCP datagram size (send)net.inet.tcp.sendspacedefaultIP Fastforwardingnet.inet.ip.fastforwardingdefaultDo not delay ACK to try and piggyback it onto a data packetnet.inet.tcp.delayed_ackdefaultMaximum outgoing UDP datagram sizenet.inet.udp.maxdgramdefaultHandling of non-IP packets which are not passed to pfil (see if_bridge(4))net.link.bridge.pfil_onlyipdefaultSet to 0 to disable filtering on the incoming and outgoing member interfaces.net.link.bridge.pfil_memberdefaultSet to 1 to enable filtering on the bridge interfacenet.link.bridge.pfil_bridgedefaultAllow unprivileged access to tap(4) device nodesnet.link.tap.user_opendefaultRandomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())kern.randompiddefaultMaximum size of the IP input queuenet.inet.ip.intr_queue_maxlendefaultDisable CTRL+ALT+Delete reboot from keyboard.hw.syscons.kbd_rebootdefaultEnable TCP extended debuggingnet.inet.tcp.log_debugdefaultSet ICMP Limitsnet.inet.icmp.icmplimdefaultTCP Offload Enginenet.inet.tcp.tsodefaultUDP Checksumsnet.inet.udp.checksumdefaultMaximum socket buffer sizekern.ipc.maxsockbufdefaultnormalOPNsenselocaldomainadminsSystem Administratorssystem19990page-allrootSystem Administratorsystemadmins$6$$Y8Et6wWDdXO2tJZRabvSfQvG2Lc8bAS6D9COIsMXEJ2KjA27wqDuAyd/CdazBQc3H3xQX.JXMKxJeRz2OqTkl.0user-shell-access20002000Europe/Amsterdam3000.nl.pool.ntp.orghttps56b9fb5b8286fyes1hadphadphadpmonthly115200serialenabled111em111172.10.1.116GW1em0192.168.1.124track664wan0192.168.1.100192.168.1.199publicautomaticpasswaninetkeep stateIPsec ESPIPsec Tunnelsesp1waniproot@192.168.2.100/firewall_rules_edit.php made changesroot@192.168.1.100/firewall_rules_edit.php made changespasswaninetkeep stateIPsec ISAKMPIPsec Tunnelstcp/udp1wanip500root@192.168.1.100/firewall_rules_edit.php made changesroot@192.168.1.100/firewall_rules_edit.php made changespasswaninetkeep stateIPsec NAT-TIPsec Tunnelstcp/udp1wanip4500root@192.168.1.100/firewall_rules_edit.php made changesroot@192.168.1.100/firewall_rules_edit.php made changespassinetDefault allow LAN to any rulelanlanpassinet6Default allow LAN IPv6 to any rulelanlanpassenc0inetkeep stateAllow IPsec traffic to LAN netIPsec Tunnels1lanroot@192.168.2.100/firewall_rules_edit.php made changesroot@192.168.1.100/firewall_rules_edit.php made changes1,310-5***rootadjkerntz -a131**root/usr/local/etc/rc.update_bogons*/60****root/usr/local/sbin/expiretable -v -t 3600 sshlockout11***root/usr/local/etc/rc.dyndns.update*/60****root/usr/local/sbin/expiretable -v -t 3600 virusprot3012***root/usr/local/etc/rc.update_urltablesICMPicmpICMPTCPtcpGeneric TCPHTTPhttpGeneric HTTP/200HTTPShttpsGeneric HTTPS/200SMTPsendGeneric SMTP220 *system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,interface_statistics-container:col1:close,interface_list-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:closeroot@192.168.2.100/firewall_rules_edit.php made changes56b9fb5b8286fwebConfigurator defaultLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZiekNDQTFlZ0F3SUJBZ0lKQVB5WVgzRGRzUUJTTUEwR0NTcUdTSWIzRFFFQkN3VUFNRTR4Q3pBSkJnTlYKQkFZVEFrNU1NUlV3RXdZRFZRUUlEQXhhZFdsa0xVaHZiR3hoYm1ReEZUQVRCZ05WQkFjTURFMXBaR1JsYkdoaApjbTVwY3pFUk1BOEdBMVVFQ2d3SVQxQk9jMlZ1YzJVd0hoY05NVFl3TWpBNU1UUTBORFE1V2hjTk1UY3dNakE0Ck1UUTBORFE1V2pCT01Rc3dDUVlEVlFRR0V3Sk9UREVWTUJNR0ExVUVDQXdNV25WcFpDMUliMnhzWVc1a01SVXcKRXdZRFZRUUhEQXhOYVdSa1pXeG9ZWEp1YVhNeEVUQVBCZ05WQkFvTUNFOVFUbk5sYm5ObE1JSUNJakFOQmdrcQpoa2lHOXcwQkFRRUZBQU9DQWc4QU1JSUNDZ0tDQWdFQTNTR2Yvd29vWHQzSDhvUVNLaHNLMis5QTNISHVRWUNzCjB0eS9HaWFNVTN2Z3pKTVVrdWtlelk4YStEQzFnS2pRVkoyMUpFQmVHL2g4eE9VOHM5aWQvTSs5VE5LSEVFRGQKb0poMnZjYjBzZmJtdDgycEFHVDJEanNkRVNEeDErYnNoMktMNEJ2MzQ3N3ZaS0d2UUJWRktncjlVNEtxbS94awpNU09EYUl3ZHgxTVcvVEtNeE53aDhSMkpZVUUzMWN6bkFhcXE0eG5BMGVXWjhyWXAyMmhCbkQxaXdMN1cvWVNuCnprWnhLaVorbjdjUENwVTBod09SblFvOFduYWpvcmFxT0ZkMFJGSTl1bktOQ1k2aEhZUmZ5UHV5WnJxM3dhcEgKTU8xL0EwMWsrK2dBQTNsUW5NdGNVbUpZckRySFpPUGlGQmFaaVkxN0szaTJuNlYrVG9qU1R3L283cjlNMTJTOApaQW9IWCt1d2lvOUwyOW1EYXl0SWpjakl5SzZ6R3hzSWI5QkpxM3JOSFJ4WjBpZUlrVloxN3p0clduaWlMQTB6CnJiMmFWNnJNR3lKQm45WHNST0lHZDF2ajlKdkdFd3hScjhtYXJsSGh1bDZQQ0pFT29VYTBvZkd4bzVhaGZLV1oKNjVkNmhMREVJZHZvU1NCcXNzZ1N3Y2d6a1NOUDdlWmFNYjRBdGlTWFBWa3J3SG5yOHlWVU5jejhYVGhGbk14NwpQb2szNHk0SHZOV091bDdaZzJYUFN3dElUNmxUcFFrajQ4MFJ3UW55aXZJcUFGOEwrM2hMMTRHYXVHVWdzQ2ZaCnlTeFNiMXRMSUhnL0oyYlhESUdsVWdONjh5ZXFjR1FyS3FoQWhvQVVQSUpab0p0cldMZ1FEYm5XYWRlV3IyNzcKTUdNdTlGb3JtM2tDQXdFQUFhTlFNRTR3SFFZRFZSME9CQllFRk13RXRIU0VjRTBWOW80YmYyRTZWbjVtaTFvcQpNQjhHQTFVZEl3UVlNQmFBRk13RXRIU0VjRTBWOW80YmYyRTZWbjVtaTFvcU1Bd0dBMVVkRXdRRk1BTUJBZjh3CkRRWUpLb1pJaHZjTkFRRUxCUUFEZ2dJQkFEaWVpNnMzRElPcnd3NERldXlzYlJValNRSFlyQUl6SHhmNW9ETU4KOGVpYkwyR25DVTZDZENPamJIMVQwMVg4dVVNVTNVaDZIWGJnQ3RESnE1QjduMzNXaDZ1WkxCRkZ1Rkl6L29lWAptTWIxbGZJVEhnTXZuc3FzM3RiU09VQkpiU1RwSGtGeWVnbWFUUE5Nd1ltcWw1VEVlbXNjakMyTTkzL0NIWSt3ClFGU2hpTWVUbUhkdnBQcW0xMkI1SUZOL2x3Qk04REE1dGFVRHJxVytObXVWaE9sdVhKdGlmZlZmSllLNm1LVzcKSFBXYjAzODdzaGpmNDFNeXJodjJMRlU5ZWFsd2t6QmRFNXVpU0ljT1VURFVyQlJaaFpuNDVtVHA3ZnJEeHM2NwplaWE2dzVtZ1VQTElvNndkUlFUbEZtdEU2MmlQdjRsTFFKUFZ0aUFEb1hFTXhVVHBRR2JlRGtZZHU0RFRodGtKCkU5TGV3SjlyOElBUmE0VDMxVUdoRkxzNDJnTTU2bzNWWWJCNDhIc0RVTElRVW83YmxGNENPejRsMmwvRUZpRVUKVlRVMWIrZ3pFMUZLYTdlcUJFNTYvWHczSUQ2d1Vrc1hmYWZsQlI1Y3huUVV1S3dhMnZsdEtNL3o3bFZhc2ZZUQpZRnhTYTlLWnc1MDRyODVLUW9PTmxHMktFeWhZWXhsQ3N6NWR4MlpxMGdUL1cvL1BnbmVFSGpTWE9CR1NvL1dLCnJSejQ2QU4zSUlqMTBIdEx6K1JQQ1VTODAyalJybmRVbjlOeVlsY243cWVEUmFhcm4rWkFjdFludU90ZjdiOUcKaUhJSW9PYTJ6MHZMSnErZW5pOVErbFQxcmc1SXA1S0JwRE0xRWlTU3FyKytZNWhCeGcvSkFlS0Qvc1d4eTZTVAptSkVQCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1N3d2dna29BZ0VBQW9JQ0FRRGRJWi8vQ2loZTNjZnkKaEJJcUd3cmI3MERjY2U1QmdLelMzTDhhSm94VGUrRE1reFNTNlI3Tmp4cjRNTFdBcU5CVW5iVWtRRjRiK0h6RQo1VHl6MkozOHo3MU0wb2NRUU4yZ21IYTl4dlN4OXVhM3pha0FaUFlPT3gwUklQSFg1dXlIWW92Z0cvZmp2dTlrCm9hOUFGVVVxQ3YxVGdxcWIvR1F4STROb2pCM0hVeGI5TW96RTNDSHhIWWxoUVRmVnpPY0JxcXJqR2NEUjVabnkKdGluYmFFR2NQV0xBdnRiOWhLZk9SbkVxSm42ZnR3OEtsVFNIQTVHZENqeGFkcU9pdHFvNFYzUkVVajI2Y28wSgpqcUVkaEYvSSs3Sm11cmZCcWtjdzdYOERUV1Q3NkFBRGVWQ2N5MXhTWWxpc09zZGs0K0lVRnBtSmpYc3JlTGFmCnBYNU9pTkpQRCtqdXYwelhaTHhrQ2dkZjY3Q0tqMHZiMllOckswaU55TWpJcnJNYkd3aHYwRW1yZXMwZEhGblMKSjRpUlZuWHZPMnRhZUtJc0RUT3R2WnBYcXN3YklrR2YxZXhFNGdaM1crUDBtOFlUREZHdnlacXVVZUc2WG84SQprUTZoUnJTaDhiR2pscUY4cFpucmwzcUVzTVFoMitoSklHcXl5QkxCeURPUkkwL3Q1bG94dmdDMkpKYzlXU3ZBCmVldnpKVlExelB4ZE9FV2N6SHMraVRmakxnZTgxWTY2WHRtRFpjOUxDMGhQcVZPbENTUGp6UkhCQ2ZLSzhpb0EKWHd2N2VFdlhnWnE0WlNDd0o5bkpMRkp2VzBzZ2VEOG5adGNNZ2FWU0EzcnpKNnB3WkNzcXFFQ0dnQlE4Z2xtZwptMnRZdUJBTnVkWnAxNWF2YnZzd1l5NzBXaXViZVFJREFRQUJBb0lDQUdoV3RGSzNyVUxON01sT2JlKzJJTktUCnVvd0pxZno0UlJPZG13SXd6Q2VjSFA4S0t6d0NpVWsreTkvdHc4WjRZUXg3K1h1b2IzOU5LVG9TWENrVC9iL0wKR2F3RTdqdktENGoyUjVqV0pxRk9PYURpaG1xc09MbVFSTy9QRnEzanhSbEFjM1dFWE52MlBLakQ3WmdVTVRWYwpTQm0rWHRnSktCRlRpMjZxSm1ibG1zUlB0TUl5aUVWbnhXbkJSeUkzYzR5Q3hlMHdPcDRQY3l0bHJxeGJMaElWCm1PSVBhZ3ZuS3ZLV3BGRGFKd2NmYmhaMVBucXlRV1BTNzVWVHczUkVNbDh4VEtmc0VqcEdVS3dBdzU3VTFnbFUKVWVKTkdlVmtmZ0RsSHZnazdaQTY4TDZ5NEVtTFh2MTBjQmljQjNkZ1cwMVZPSThCMWVzMkl4MkREZXpxZkNoMwpLMEdseitDWGVzMFhIL014UnYrUXR6L3lNVHdTUTd0Zys3Z3gyekh0ejVMaXFrTXNIRDR0K1dBSkVYcFlSRjB4CnhZMmJ2V3hDY2JBdmhuL0ZReStHRlY3NjhBODh6ODE2Wk1NV3Q0NUdQZHNmeU1ZK1ZPOG92eTJpdW4rNEVaNy8KY2JmaHpIWmMxdWVOd2xrcFZaUjdtZ2lpeWNmVXFjNU1PUklxckJ0R3JUVVlKNnBSUHphUG9DdHBXeGozcUNzUApDaWpVM2RIcUE1K0gxRkFaQldWY3dQK1J4aFJ1aW9qblJtRVdIeW85SWYzaDIwVHVKdlNRWFJmTHMxakRzR01kCmdhbURTcnZsenNLVWkyRTFKeTRzSk8rL0ZFanduWHV0R2lFV01WcjN3MmJzMW1sNUdGdHdYZXVhV0o3cXdhblUKbDBtZG9MMk9RMGNNbHJra1g3eHhBb0lCQVFENlp6UUk3azlIdGJXMDFWaC9FWEtiWEdwck96SVR6NWJhc0dwTwoyRHNNSEoxWUs1TU1LeUQ2YXFWUDNrNTMveWI1cGdZTmlqMzZlWnNQd1QyRmc2VmMrQXFrUnQ3RnZBM3B5R1ZlCkp1K3BOSWp0S1BIRTNIMWowb0xML1l4bWdIenpUT3B5eTlHRS9PRmMwK043c1dRUlJCcnFBbHlBcDJLYkEwaVgKSlhRd1p5VGNsNTg4VHNzdE01TFpZRFpKZGhzcURvaDN2Ty9YTWp5Ry9DTUFRakZDMWIrb093dWpJOGdYeU4zMQpVOXN4UDBLVmZNL0ZGS0lodDZKRVdQWnh3Um12anZCcmtLV3AzSllQdENlckxvbWxNRzJQMXA0ZWFMemJWdUFoCmNiSDQ1WWZWSmFGbTJvcEtPS1dIMXdWY2hLeGJ4WnNNSThOZFJqQ3MyVEtQQWxDdEFvSUJBUURpRXU0QmxhT2cKNnY0Vzl2TTQrbEVyT0xZMHVrUm5pV2lzSjdVYzlkK2s4VHNJMmdGTWNFY1JveWtsZ1RoN1B6N1NnaFpzOEhsYQptQk5oaWN4NElLeTY4S1VjZGZQZDAvMzBWQmNkSmNQdGtJY3JXMlJzaXJ3N25QeHZ1S01qcWRVNmhnSkU0MnI5CmlPRFVtZDk5ZEpSbnUzZGhhVjNpSkVaMjdudE1NZGdGelJIaTFoK1Zob012aUE5NjlPZ2YvK1E0SkNYd3ZDVksKRkNjUFk3SVlGZm9vWmExWDIwR09HL2I0TEVRSzF3Tml0eW5WRUp4QWxuVjloY2VYbjJNY291aU9Qdk9CRnd3YQpIRG1Ja21rWWw5Qlhkd21jMGJrWVJTcElmTFFvSnU5bkZwZFhGcU1hKzFxSzUyTDRsdGNUWWhUcGhzU3JzR3dzCk1SV3JFL1BTRHZOOUFvSUJBR0pNSnpvbVN3c01neE5FK1NPUXR0dlVVSlpkdTQvWld3L29WeU15Y1NPVkRCTnoKcjVzRVIwTG1vSlNVNFZycjErSUMwYmQ1QUZHV2NVK2kvVUt2WmpmenkwR243SVhWQitVeFhORzBHVHJrTzZoVgovV3JaWDRQVFBMTlZpa3NtdjJaSFdIWE9HeWJJbXJOMUhvVU5Jd3BBSVF5aDlxd3VpVi91encwK2o3ajhsSlRnCkZJdDVKdnRNbHFZc3hjTGEwVmtXTVc1SHhpTkZQa3VES1Q1TnZjYk40Qm5yYStzVC9kV1FiY21EckxWTmJ4YjkKMHhZN3ZsWGNINkFUQ0ZPcGlTckl3d3FHMHZHMmZWWVcwOGU0VWlKOXUxVE8zRzExa2tYTWVkbkhKeVZjL1pDbgo0QTlmVlJCRDRuOUw0bmZxUVRzWmZIOHNmdUhienZuYm5hUlVOVlVDZ2dFQkFLckZROVljay9LOUw5eG5CSWtZCnhQR1NNRWlhSDR2YVJ5QXNDbXBxN0ZvckFyNEg5NDBuRHZncXVLMGs5R1pjK3ZhRzM2dkE1dHBoSDlyQS9ad00KaW8zWHM5RlE1RHEvcFFqSDhJSExBanBVdjFZbi9pN2ppWmE2V2hHR2RtMDlIOTNLVnJKMDIxL1M0b3FXQlRVKwpOOUEzMHREWmg5cUlMbFl1aFNLa1VCcnBza1lZR3RtWE4wZFRUdVpCVTRyQWdFTk1Rd0NiRHN2cmR5bnYxQnJQCmx4eW0yWThSQjI3eWZ0Y3VrT05qVWFKaTI0MmZzM2d5YjJPM0IzTG9LalQ2ZGhMbFNJbE53STJFbm8wa2s1REoKTk02dEU2eksyemVUSDRLTCtJYVFDcTFqYWtTVnkvVll3eWREN0FYOTQwODMrcllBWUZXVXVkR1Q3bHRCZ2g4OQp2ZjBDZ2dFQURhdXJSNDlLR3k0bDR2bDVQYnQweFE4bGRvc25GYlFhVHhrVDJiNU9EL3RYUVJVM3ZZbXE0ejVBCjR5ejFTbkFmc0lDWWNMazBUYTdHLzkwdjNQTFJjQW5wQWU0eERiRGRJQTQ1anpLWG1RYy9mNTBER2l4WDBuUWQKK3RTNXVyWHVtK01PQi84RnA1Q01kaWxSTDdBSDE3czNvait0QWxxcHV4MHo0cXNQR2dWdlRFbTZJSnh4RmVXMAo0cnVad0QvZVUrN1FaNWx6cVphUEcwTkhzblgrem1odHlMS1ozRmtWZStkVXVUQ3ZVSjJkVXl4OVdJUEhpWS9iCjBhTHV0Sk1DT1lxT1J4a0JqZDNiU3dmNk9zZ1RYUDcyRTN1ZzZzQVRtdGtkZ3lPOHRKc001QlgxUE42RWdOU2gKUFM2dFVvanZKbzJtMDlORkx2ZFdHWlU4QVAxaVZBPT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=ikev2wanmaininetmyaddresspeeraddressaes256sha5121428800At4aDMOAOub2NwT6gMHApre_shared_keySite Boff172.10.2.11156ba1241e5d1ctunnel143600Local LAN Site Besplannetwork
192.168.2.0
24aes256hmac_sha5121wan172.10.2.1GW1inetRemote Gateway1