OPNsense configuration backup (config.xml) for fw01.ke.einsle.de

System tunables (sysctl)
Each entry gives the tunable, the configured value ("default" means the OPNsense default was kept) and the description text OPNsense shows for it.

- debug.pfftpproxy = default: Disable the pf ftp proxy handler.
- vfs.read_max = default: Increase UFS read-ahead speeds to match the state of hard drives and NCQ.
- net.inet.ip.portrange.first = default: Set the ephemeral port range to be lower.
- net.inet.tcp.blackhole = default: Drop packets to closed TCP ports without returning a RST.
- net.inet.udp.blackhole = default: Do not send ICMP port unreachable messages for closed UDP ports.
- net.inet.ip.random_id = default: Randomize the ID field in IP packets (default is 0: sequential IP IDs).
- net.inet.ip.sourceroute = default: Source routing is another way for an attacker to try to reach non-routable addresses behind your box. It can also be used to probe for information about your internal networks. These functions come enabled as part of the standard FreeBSD core system.
- net.inet.ip.accept_sourceroute = default: same description as net.inet.ip.sourceroute.
- net.inet.icmp.drop_redirect = default: Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect packets without returning a response.
- net.inet.icmp.log_redirect = default: This option turns off the logging of redirect packets because there is no limit and this could fill up your logs, consuming your whole hard drive.
- net.inet.tcp.drop_synfin = default: Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway).
- net.inet.ip.redirect = default: Enable sending IPv4 redirects.
- net.inet6.ip6.redirect = default: Enable sending IPv6 redirects.
- net.inet6.ip6.use_tempaddr = default: Enable privacy settings for IPv6 (RFC 4941).
- net.inet6.ip6.prefer_tempaddr = default: Prefer privacy addresses and use them over the normal addresses.
- net.inet.tcp.syncookies = default: Generate SYN cookies for outbound SYN-ACK packets.
- net.inet.tcp.recvspace = default: Maximum incoming/outgoing TCP datagram size (receive).
- net.inet.tcp.sendspace = default: Maximum incoming/outgoing TCP datagram size (send).
- net.inet.tcp.delayed_ack = default: Do not delay ACK to try and piggyback it onto a data packet.
- net.inet.udp.maxdgram = default: Maximum outgoing UDP datagram size.
- net.link.bridge.pfil_onlyip = default: Handling of non-IP packets which are not passed to pfil (see if_bridge(4)).
- net.link.bridge.pfil_local_phys = default: Set to 1 to additionally filter on the physical interface for locally destined packets.
- net.link.bridge.pfil_member = default: Set to 0 to disable filtering on the incoming and outgoing member interfaces.
- net.link.bridge.pfil_bridge = default: Set to 1 to enable filtering on the bridge interface.
- net.link.tap.user_open = default: Allow unprivileged access to tap(4) device nodes.
- kern.randompid = default: Randomize PIDs (see src/sys/kern/kern_fork.c: sysctl_kern_randompid()).
- net.inet.ip.intr_queue_maxlen = default: Maximum size of the IP input queue.
- hw.syscons.kbd_reboot = default: Disable CTRL+ALT+Delete reboot from keyboard.
- net.inet.tcp.log_debug = default: Enable TCP extended debugging.
- net.inet.icmp.icmplim = default: Set ICMP limits.
- net.inet.tcp.tso = default: TCP Offload Engine.
- net.inet.udp.checksum = default: UDP checksums.
- kern.ipc.maxsockbuf = default: Maximum socket buffer size.
- vm.pmap.pti = default: Page Table Isolation (Meltdown mitigation, requires reboot).
- hw.ibrs_disable = default: Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation).
- security.bsd.see_other_gids = default: Hide processes running as other groups.
- security.bsd.see_other_uids = default: Hide processes running as other users.
- net.inet.ip.redirect = 0: Enable/disable sending of ICMP redirects in response to IP packets for which a better, and for the sender directly reachable, route and next hop is known.
- net.inet.icmp.drop_redirect = 1: Enable/disable dropping of ICMP Redirect packets.

Only the last two tunables (IPv4 redirect sending off, inbound redirect dropping on) were set explicitly; everything else, including the blackhole, source-routing and PID randomisation tunables, runs at whatever the OPNsense default is, so the live values have to be read from the box rather than from this backup.

System
- Optimization: normal; hostname fw01, domain ke.einsle.de; timezone Europe/Berlin
- Time servers: 0.opnsense.pool.ntp.org, 1.opnsense.pool.ntp.org, 2.opnsense.pool.ntp.org, 3.opnsense.pool.ntp.org
- Web GUI: https (certificate reference 5d1e21b2c1e63); accepted hostnames fw.ke.einsle.de, fw01.ke.einsle.de, fw02.ke.einsle.de
- Authentication order: kedc01, Local Database
- Power management: hadp (hiadaptive) for all three modes; hardware crypto: aesni; other flags as stored: yes 1 1 2 1 1 1 monthly 60 1 1 admins 1 enabled 1 1
- Remote backup (Nextcloud): https://cloud.einsle.de, user robert@einsle.de, password [credential redacted], directory OPNsense-kempten2
- Language: de_DE
- DNS servers: 208.67.222.222, 208.67.220.220, 2620:0:ccc::2, 2620:0:ccd::2 (OpenDNS)
- Plugins: os-zerotier, os-net-snmp, os-freeradius, os-smart, os-etpro-telemetry; package mirror https://pkg.opnsense.org
- Console: serial speed 115200, primary console video (revision 5cb995ae6d61f)

Groups
- admins (gid 1999), "System Administrators", scope system, members uid 0, 2000, 2004, privilege page-all

Users
- root (uid 0), "System Administrator", scope system, group admins, bcrypt password hash [credential redacted]
- reinsle (uid 2000), Robert Einsle, email robert@einsle.de, shell /bin/sh, LDAP DN uid=reinsle,cn=users,dc=ke,dc=einsle,dc=de, TOTP seed [credential redacted], bcrypt hash [credential redacted], created 5cb9f61ca1b7d, updated 5cbee0f6db47c
- brigitte (uid 2001), LDAP DN uid=brigitte,cn=users,dc=ke,dc=einsle,dc=de, bcrypt hash [credential redacted]
- tobias (uid 2002), LDAP DN uid=tobias,cn=users,dc=ke,dc=einsle,dc=de, bcrypt hash [credential redacted]
- teresa (uid 2003), LDAP DN uid=teresa,cn=users,dc=ke,dc=einsle,dc=de, bcrypt hash [credential redacted]
- oxidized (uid 2004), "Oxidized", shell /bin/csh, bcrypt hash [credential redacted]
- next uid 2005, next gid 2000

A config.xml backup stores the LDAP bind password and the Nextcloud backup password in clear text next to the bcrypt hashes and the TOTP seed; those values are present in the dump and are replaced by [credential redacted] above and below.

Authentication servers
- kedc01: type ldap, host 172.24.10.11, port 7389, transport "TCP - Standard", protocol version 3, scope subtree, base DN dc=ke,dc=einsle,dc=de, authentication container cn=users,dc=ke,dc=einsle,dc=de, extended query &(objectClass=inetOrgPerson), naming attribute uid, bind DN uid=sec_fw,cn=users,dc=ke,dc=einsle,dc=de, bind password [credential redacted] (refid 5cb9f38800630)
- CP Voucher: type voucher (refid 5cbaaea76ecc2)
- kedc01 TOTP: type ldap-totp with the same LDAP settings and bind credentials as kedc01, TOTP as second factor

Interfaces (opt numbering as referenced by the filter rules)
- wan: vtnet0 "KDG", 172.24.4.11/24, gateway KDG_FRITZ, IPv6 slaac
- lan: vtnet3 "SERVER", 172.24.10.2/24
- opt1: vtnet1 "MGMT", 172.24.1.2/24
- opt2: vtnet2 "DMZ", 172.24.2.2/24
- opt3: vtnet4 "ROBERT", 172.24.42.2/24, IPv6 track6 on wan (prefix id 0)
- opt4: vtnet5 "BRIGITTE", 172.24.50.2/24
- opt5: vtnet6 "TOBIAS", 172.24.51.2/24
- opt6: vtnet7 "TERESA", 172.24.52.2/24
- opt7: vtnet8 "VOIP", 172.24.60.2/24
- opt8: vtnet9 "TEST", 172.24.90.2/24
- opt9: vtnet10 "GAST", 172.24.99.2/24
- opt10: ztanv9hnl3ml6ep "ZTROBBY" (ZeroTier), 172.22.0.211/16
- opt11: vtnet11 "PFSYNC", 172.24.11.2/24
- opt12: ovpns1 "OVPNS1", 172.24.21.1/24
- interface groups: INTERN, CLIENTS, openvpn

DHCP (lan): enabled, range 172.24.10.10 to 172.24.10.245, domain ke.einsle.de, DNS server 172.24.10.11

SNMP: community "public"

NAT
- Outbound mode: hybrid
- Outbound rule 1: source NET_kempten, interface opt1, "masq auf management" (masquerade to management), target opt1 address, inet; created by reinsle@172.24.42.51 and edited by root@172.24.42.51 via /firewall_nat_out_edit.php
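Because nearly every tunable above is recorded as "default", the backup alone does not tell you what the kernel is running. The following added example (my own code, not part of the backup or of OPNsense) parses `sysctl -e` style output and reports which of the security-relevant tunables deviate from a hardening baseline. The baseline values are this example's own assumptions, chosen from the descriptions above (blackholing on, source routing and redirects off, PID randomisation on, PTI on, IBRS enabled, process hiding on); the sample sysctl output is constructed, not captured from the firewall.

```python
"""Compare a FreeBSD/OPNsense sysctl dump against a hardening baseline."""

# Baseline for the tunables listed in the backup. These values are the
# example's own choice (assumption): the value a hardened firewall would
# run with. "default" in the backup means the live value must be read
# from the box, e.g. `sysctl -e net.inet.tcp.blackhole ...`.
BASELINE = {
    "net.inet.tcp.blackhole": 2,        # drop SYN to closed ports, no RST
    "net.inet.udp.blackhole": 1,        # no ICMP unreachable for closed UDP ports
    "net.inet.ip.random_id": 1,         # random IP IDs
    "net.inet.ip.sourceroute": 0,       # do not forward source-routed packets
    "net.inet.ip.accept_sourceroute": 0,
    "net.inet.icmp.drop_redirect": 1,   # ignore inbound ICMP redirects
    "net.inet.icmp.log_redirect": 0,    # and do not fill the log with them
    "net.inet.tcp.drop_synfin": 1,
    "net.inet.ip.redirect": 0,          # never send IPv4 redirects
    "net.inet6.ip6.redirect": 0,
    "net.inet.tcp.syncookies": 1,
    "kern.randompid": 1,
    "vm.pmap.pti": 1,                   # Meltdown mitigation on
    "hw.ibrs_disable": 0,               # Spectre v2 mitigation NOT disabled
    "security.bsd.see_other_uids": 0,   # hide other users' processes
    "security.bsd.see_other_gids": 0,
    "net.link.tap.user_open": 0,
    "hw.syscons.kbd_reboot": 0,         # no Ctrl-Alt-Del reboot
}

# Constructed sample of `sysctl -e <names>` output (not captured from the box).
# Three tunables are deliberately permissive and one is missing.
SAMPLE_SYSCTL = """\
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=0
net.inet.tcp.drop_synfin=1
net.inet.ip.redirect=0
net.inet6.ip6.redirect=0
net.inet.tcp.syncookies=1
kern.randompid=0
vm.pmap.pti=1
hw.ibrs_disable=0
security.bsd.see_other_uids=1
security.bsd.see_other_gids=1
net.link.tap.user_open=0
"""


def parse_sysctl(text):
    """Parse 'name=value' lines (the format of `sysctl -e`) into a dict.
    Integer values become ints; anything else is kept as a string."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, _, value = line.partition("=")
        value = value.strip()
        try:
            out[name.strip()] = int(value)
        except ValueError:
            out[name.strip()] = value
    return out


def audit(live, baseline=BASELINE):
    """Return {tunable: (expected, actual)} for every baseline entry whose live
    value differs. A tunable the kernel did not report shows actual=None, which
    is itself a finding (the check could not be made)."""
    findings = {}
    for name, expected in baseline.items():
        actual = live.get(name)
        if actual != expected:
            findings[name] = (expected, actual)
    return findings


def audit_text(text, baseline=BASELINE):
    """Convenience wrapper: audit raw `sysctl -e` output."""
    return audit(parse_sysctl(text), baseline)


if __name__ == "__main__":
    for name, (want, got) in sorted(audit_text(SAMPLE_SYSCTL).items()):
        print(f"{name}: expected {want}, got {got}")
```

On the firewall itself the input would come from `sysctl -e $(echo net.inet.tcp.blackhole ...)` run over the keys of BASELINE; a missing key is reported rather than silently skipped, so a renamed or unloaded tunable does not produce a false pass.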
- Outbound rule 2: source HOST_tobias_ps4 -> any, interface wan, inet (flags 0 1 as stored); edited by root@172.24.42.51 via /firewall_nat_out_edit.php

Port forwards (all: interface wan, tcp, inet, source any, destination = WAN address)
- "dnat kdg:22021 auf horst" (KDG:22021 to horst): wanip:22021 -> HOST_horst:22, associated rule nat_5cbede8ec8ff85.18793725
- "dnat kdg:22022 auf fw" (KDG:22022 to the firewall): wanip:22022 -> 127.0.0.1:22, associated rule nat_5cbab161f13b55.46013125
- "dnat kdg:22023 auf kedc01" (KDG:22023 to kedc01): wanip:22023 -> HOST_kedc01:22, associated rule nat_5cb9a87b941159.37025775
Edited by root from 172.24.42.51 and 172.24.42.173 via /firewall_nat_edit.php.

Filter rules (in configuration order; "ALL" = opt4, CLIENTS, opt2, opt9, INTERN, wan, opt1, opt11, openvpn, opt3, lan, opt6, opt8, opt5, opt7, opt10; all rules inet, keep state; "floating/quick" marks floating rules with quick set)
1. pass on ALL minus opt10, opt11, openvpn: "Allow CARP", direction any, floating/quick, protocol carp, any -> any
2. pass on ALL: "alle auf alle mit ping" (all to all, ping), direction in, floating/quick, icmp echoreq, any -> any
3. pass on ALL: "alle auf alle mit ssh" (all to all, ssh), direction in, floating/quick, tcp, any -> any port 22
4. pass on opt3, lan: "robert,server auf firewall mit http" (robert and server to firewall, http), direction in, floating/quick, tcp, any -> (self) port 80
5. pass on opt3, lan: "robert,server auf firewall mit https", direction in, floating/quick, tcp, any -> (self) port 443
6. pass on ALL minus wan: "kempten auf internet mit web" (Kempten to internet, web), direction any, floating/quick, tcp, NET_kempten -> any port PORT_web
7. reject on opt5: no description, direction any, floating/quick, HOSTS_51_teresa -> any
8. pass on wan: "NAT dnat kdg:22023 auf kedc01" (rule associated with the port forward), tcp, any -> HOST_kedc01 port 22
9. pass on wan: "NAT dnat kdg:22022 auf fw", tcp, any -> 127.0.0.1 port 22
10. pass on wan: "internet auf firewall mit openvpn" (internet to firewall, OpenVPN), udp, any -> (self) port 1194
11. pass on wan: "NAT dnat kdg:22021 auf horst", tcp, any -> HOST_horst port 22
12. pass on lan: "Default allow LAN to any rule" (inet) and "Default allow LAN IPv6 to any rule" (inet6), lan network -> any
13. pass on lan: "kedc auf internet mit dns" (kedc to internet, DNS), tcp/udp, HOSTS_kedc -> not NET_kempten, port 53
14. pass on lan: "kedc auf internet mit ntp", udp, HOSTS_kedc -> not NET_kempten, port 123
15. pass on lan: "monitor auf internet mit all", tcp, HOST_monitor -> not NET_kempten, port PORT_icinga2
16. pass on lan: "monitor auf mgmt mit monitoring_porst" (monitor to mgmt, monitoring ports), tcp/udp, HOST_monitor -> opt1 network, port PORT_monitoring
17. pass on CLIENTS: "intern auf internet mit ports_internet" (internal to internet, internet ports), tcp/udp, NET_kempten -> not NET_kempten (no port field survives in the dump)
18. pass on CLIENTS: "openvpn auf firewall", udp, any -> (self) port 1194
19. pass on INTERN: "intern auf kedc mit dns" (internal to kedc, DNS), tcp/udp, NET_kempten -> HOSTS_kedc port 53
20. pass on INTERN: "intern auf kedc mit ntp", udp, NET_kempten -> HOSTS_kedc port 123
21. pass on INTERN: "intern auf host mit 8006/tcp" (internal to host, 8006/tcp), tcp, NET_kempten -> HOST_horst port PORT_proxmox
22. pass on INTERN: "intern auf kedc mit web", tcp/udp, NET_kempten -> lan network, port PORT_server
23. pass on INTERN: "intern auf kedc mit ad_ports", tcp, NET_kempten -> HOST_kyo (no port field in the dump)
24. pass on opt4: "Block Teresa", 172.24.50.201 -> any (the action is pass despite the name, as stored)
25. block on opt5: "Block Tobias", any -> any (flags 1 1 1 as stored)
26. block on opt5: "Block Teresa", HOSTS_51_teresa -> any
27. pass on opt12: no description, any -> any

Every rule carries created/updated records: root or reinsle, from 172.24.42.51 or 172.24.42.173, via /firewall_rules_edit.php (or /firewall_nat_edit.php for the NAT-associated rules).

Rule 3 lists wan among its interfaces, so TCP/22 from any source to any destination is passed on the WAN as a floating quick rule, in addition to the three port forwards that expose SSH on 22021, 22022 and 22023 and the OpenVPN listener on UDP/1194. Rule 24 is named "Block Teresa" but is a pass rule; the actual block is rule 26 on opt5.
Load balancer monitor types: ICMP (icmp), TCP (tcp, "Generic TCP"), HTTP (http, "Generic HTTP", path /, expect 200), HTTPS (https, "Generic HTTPS", path /, expect 200), SMTP (send, "Generic SMTP", expect 220)

NTP daemon: 0.opnsense.pool.ntp.org

Dashboard widgets: column 3: system_information, traffic_graphs, proofpoint_et, cpu_usage, log; column 4: services_status, gateways, interface_list, openvpn, carp_status (2 columns). Last revision: root@172.24.42.51, "Leave CARP maintenance mode".

Aliases (name, type, members, description)
- NET_kempten, network, 172.24.0.0/16, "Netzwerke Kempten" (Kempten networks)
- NET_robert, network, 172.24.42.0/24, "Netzwerk Robert"
- PORT_web, port, 80 443 5000 5001 8080 8443, "Ports für WEB Zugriff" (ports for web access)
- HOST_kedc01, host, 172.24.10.11
- HOST_kedc02, host, 172.24.10.12
- HOSTS_kedc, host, HOST_kedc01 HOST_kedc02
- PORT_proxmox, port, 8006, "PORT proxmox tcp 8006"
- HOST_horst, host, 172.24.10.10 172.24.10.9
- PORT_mail, port, 25 110 143 587 993 995, "Ports für Mail" (ports for mail)
- HOST_kyo, host, 172.24.10.51, "HOST kyocera"
- HOST_monitor, host, 172.24.10.14, monitor.ke.einsle.de
- PORT_icinga2, port, 5665
- PORT_monitoring, port, 22 80 161 443 8291 PORT_web PORT_mail, "Ports Monitoring"
- PORT_ssh, port, 22 22020:22040, "Ports SSH"
- HOST_tobias_ps4, host, 172.24.51.195, "Tobias PS4"
- PORTS_internet, port, 22 PORT_web PORT_mail 22020:22040, "Ports zum Internetzugriff" (ports for internet access)
- HOST_nas, host, 172.24.10.16, nas.ke.einsle.de
- PORT_fileshare, port, 42 53 88 135 137 138 139 389 445 636 853 1512 3268 3269 7389 7636 49150:49160 67:68, "Ports fuer Windows AD und FileShare" (ports for Windows AD and file sharing)
- PORT_server, port, PORT_web PORT_fileshare PORT_mail
- HOSTS_51_teresa, host, 172.24.51.164 172.24.51.201
All aliases are enabled. Note that PORT_server, PORT_monitoring and PORTS_internet nest other port aliases, so the set of ports a rule admits is only visible after expansion.

Web proxy (squid)
- X-Forwarded-For handling on, URI whitespace handling strip, visible email admin@localhost.local
- cache directory /var/squid/cache, cache size 256, further cache and memory values as stored: 100 16 256 0 0 0 2048 1024 1024 256 0 0
- parent proxy login left at the placeholder values username / password
- interfaces lan, proxy port 3128, SSL port 3129, SNMP port 3401 community public, FTP proxy port 2121
- safe ports: 80:http, 21:ftp, 443:https, 70:gopher, 210:wais, 1025-65535:unregistered ports, 280:http-mgmt, 488:gss-http, 591:filemaker, 777:multiling http; SSL ports: 443:https
- ICAP request and response modification URL icap://[::1]:1344/avscan, username header X-Username, authentication prompt "OPNsense proxy authentication", remaining flags as stored: 1 1024 60 2 5 1

Other services
- an account "monitor" with a password [credential redacted] (the value appears twice in the dump)
- entry "Kempten" with contact admin@einsle.de
- a 32-character API token [credential redacted] followed by an empty settings object {}
- ZeroTier network abfd31bd476a99d9, description "Robby" (the ZTROBBY interface)
- Netflow: capture on opt4, opt2, opt9, opt1, opt3, lan, opt6, opt8, opt5, opt7; egress interface wan; version v9; collector 127.0.0.1:2056 (local Insight collector)
- Captive portal: zone on opt9 (GAST), authentication Local Database
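Several aliases above are nested (PORT_server contains PORT_web, PORT_fileshare and PORT_mail; PORTS_internet and PORT_monitoring also contain PORT_web and PORT_mail), and the WAN-facing rules reference both literal ports and aliases. The following added example (my own code, not part of the backup or of OPNsense) expands nested aliases to their leaf members, refuses reference cycles, and lists the pass rules whose interface list includes wan with source any, which is what the internet can reach. The alias table and the rule subset are transcribed from the sections above; the tuple layout of RULES is this example's own representation, not the config.xml schema.

```python
"""Resolve nested OPNsense aliases and list what the WAN-facing rules admit."""

# Aliases transcribed from the backup; nested references are kept as alias names.
ALIASES = {
    "NET_kempten": ("network", ["172.24.0.0/16"]),
    "PORT_web": ("port", ["80", "443", "5000", "5001", "8080", "8443"]),
    "PORT_mail": ("port", ["25", "110", "143", "587", "993", "995"]),
    "PORT_fileshare": ("port", ["42", "53", "88", "135", "137", "138", "139", "389", "445",
                                "636", "853", "1512", "3268", "3269", "7389", "7636",
                                "49150:49160", "67:68"]),
    "PORT_server": ("port", ["PORT_web", "PORT_fileshare", "PORT_mail"]),
    "PORT_monitoring": ("port", ["22", "80", "161", "443", "8291", "PORT_web", "PORT_mail"]),
    "PORTS_internet": ("port", ["22", "PORT_web", "PORT_mail", "22020:22040"]),
    "HOST_kedc01": ("host", ["172.24.10.11"]),
    "HOST_kedc02": ("host", ["172.24.10.12"]),
    "HOSTS_kedc": ("host", ["HOST_kedc01", "HOST_kedc02"]),
    "HOST_horst": ("host", ["172.24.10.10", "172.24.10.9"]),
}


def _port_item(item):
    """'22' -> {22}; '22020:22040' -> {22020, ..., 22040} (OPNsense writes ranges as a:b)."""
    lo, _, hi = item.partition(":")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port spec {item!r}")
    return set(range(lo, hi + 1))


def expand_alias(name, aliases=ALIASES, _stack=()):
    """Flatten an alias to its leaf members: a set of ints for port aliases, a set of
    address strings for host/network aliases. Nested aliases are followed recursively;
    a reference cycle or a port alias nesting a host alias raises ValueError."""
    if name in _stack:
        raise ValueError("alias cycle: " + " -> ".join(_stack + (name,)))
    kind, items = aliases[name]
    members = set()
    for item in items:
        if item in aliases:
            nested_kind = aliases[item][0]
            if (nested_kind == "port") != (kind == "port"):
                raise ValueError(f"{name} ({kind}) nests {item} ({nested_kind})")
            members |= expand_alias(item, aliases, _stack + (name,))
        elif kind == "port":
            members |= _port_item(item)
        else:
            members.add(item)
    return members


def alias_resolves(name, aliases=ALIASES):
    """True when the alias expands cleanly, False on a cycle or kind mismatch."""
    try:
        expand_alias(name, aliases)
        return True
    except ValueError:
        return False


# Interface list used by the floating rules in the backup.
ALL_IFACES = frozenset(
    "opt4 CLIENTS opt2 opt9 INTERN wan opt1 opt11 openvpn opt3 lan opt6 opt8 opt5 opt7 opt10".split())

# (action, interfaces, protocol, source, destination, dest port, description),
# transcribed from the filter rules above. "any" is literal any, "(self)" the firewall.
RULES = [
    ("pass", ALL_IFACES - {"opt10", "opt11", "openvpn"}, "carp", "any", "any", None, "Allow CARP"),
    ("pass", ALL_IFACES, "icmp", "any", "any", None, "alle auf alle mit ping"),
    ("pass", ALL_IFACES, "tcp", "any", "any", "22", "alle auf alle mit ssh"),
    ("pass", frozenset({"opt3", "lan"}), "tcp", "any", "(self)", "80", "robert,server auf firewall mit http"),
    ("pass", ALL_IFACES - {"wan"}, "tcp", "NET_kempten", "any", "PORT_web", "kempten auf internet mit web"),
    ("pass", frozenset({"wan"}), "tcp", "any", "HOST_kedc01", "22", "NAT dnat kdg:22023 auf kedc01"),
    ("pass", frozenset({"wan"}), "tcp", "any", "127.0.0.1", "22", "NAT dnat kdg:22022 auf fw"),
    ("pass", frozenset({"wan"}), "udp", "any", "(self)", "1194", "internet auf firewall mit openvpn"),
    ("pass", frozenset({"wan"}), "tcp", "any", "HOST_horst", "22", "NAT dnat kdg:22021 auf horst"),
    ("pass", frozenset({"CLIENTS"}), "tcp/udp", "NET_kempten", "!NET_kempten", "PORTS_internet",
     "intern auf internet mit ports_internet"),
    ("pass", frozenset({"INTERN"}), "tcp/udp", "NET_kempten", "lan", "PORT_server", "intern auf kedc mit web"),
]


def wan_exposure(rules=RULES, aliases=ALIASES):
    """Pass rules whose interface list contains wan and whose source is any: the
    services reachable from the internet. Returns (descr, proto, dest, sorted ports or None)."""
    exposed = []
    for action, ifaces, proto, src, dst, dport, descr in rules:
        if action != "pass" or "wan" not in ifaces or src != "any":
            continue
        if dport is None:
            ports = None
        elif dport in aliases:
            ports = sorted(expand_alias(dport, aliases))
        else:
            ports = sorted(_port_item(dport))
        exposed.append((descr, proto, dst, ports))
    return exposed


if __name__ == "__main__":
    for descr, proto, dst, ports in wan_exposure():
        print(f"{descr}: {proto} -> {dst} ports {ports if ports else 'any'}")
    print("PORT_server expands to", len(expand_alias("PORT_server")), "ports")
```

The cycle check matters because the GUI lets you reference an alias from itself through an intermediate; without the `_stack` guard the expansion recurses until Python raises RecursionError, and a rule-audit script should report the bad alias rather than crash.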