diff --git a/opnsensebk/config-fw.nuestrared.org-20190404235132.xml b/opnsensebk/config-fw.nuestrared.org-20190404235132.xml
new file mode 100644
index 0000000..638e8e1
--- /dev/null
+++ b/opnsensebk/config-fw.nuestrared.org-20190404235132.xml
@@ -0,0 +1,1114 @@ + + + opnsense + + + Disable the pf ftp proxy handler. + debug.pfftpproxy + default + + + Increase UFS read-ahead speeds to match the state of hard drives and NCQ. + vfs.read_max + default + + + Set the ephemeral port range to be lower. + net.inet.ip.portrange.first + default + + + Drop packets to closed TCP ports without returning a RST + net.inet.tcp.blackhole + default + + + Do not send ICMP port unreachable messages for closed UDP ports + net.inet.udp.blackhole + default + + + Randomize the ID field in IP packets (default is 0: sequential IP IDs) + net.inet.ip.random_id + default + + + + Source routing is another way for an attacker to try to reach non-routable addresses behind your box. + It can also be used to probe for information about your internal networks. These functions come enabled + as part of the standard FreeBSD core system. + + net.inet.ip.sourceroute + default + + + + Source routing is another way for an attacker to try to reach non-routable addresses behind your box. + It can also be used to probe for information about your internal networks. These functions come enabled + as part of the standard FreeBSD core system. + + net.inet.ip.accept_sourceroute + default + + + + Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects + to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect + packets without returning a response. + + net.inet.icmp.drop_redirect + default + + + + This option turns off the logging of redirect packets because there is no limit and this could fill + up your logs consuming your whole hard drive. 
+ + net.inet.icmp.log_redirect + default + + + Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway) + net.inet.tcp.drop_synfin + default + + + Enable sending IPv4 redirects + net.inet.ip.redirect + default + + + Enable sending IPv6 redirects + net.inet6.ip6.redirect + default + + + Enable privacy settings for IPv6 (RFC 4941) + net.inet6.ip6.use_tempaddr + default + + + Prefer privacy addresses and use them over the normal addresses + net.inet6.ip6.prefer_tempaddr + default + + + Generate SYN cookies for outbound SYN-ACK packets + net.inet.tcp.syncookies + default + + + Maximum incoming/outgoing TCP datagram size (receive) + net.inet.tcp.recvspace + default + + + Maximum incoming/outgoing TCP datagram size (send) + net.inet.tcp.sendspace + default + + + Do not delay ACK to try and piggyback it onto a data packet + net.inet.tcp.delayed_ack + default + + + Maximum outgoing UDP datagram size + net.inet.udp.maxdgram + default + + + Handling of non-IP packets which are not passed to pfil (see if_bridge(4)) + net.link.bridge.pfil_onlyip + default + + + Set to 1 to additionally filter on the physical interface for locally destined packets + net.link.bridge.pfil_local_phys + default + + + Set to 0 to disable filtering on the incoming and outgoing member interfaces. + net.link.bridge.pfil_member + default + + + Set to 1 to enable filtering on the bridge interface + net.link.bridge.pfil_bridge + default + + + Allow unprivileged access to tap(4) device nodes + net.link.tap.user_open + default + + + Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid()) + kern.randompid + default + + + Maximum size of the IP input queue + net.inet.ip.intr_queue_maxlen + default + + + Disable CTRL+ALT+Delete reboot from keyboard. 
+ hw.syscons.kbd_reboot + default + + + Enable TCP extended debugging + net.inet.tcp.log_debug + default + + + Set ICMP Limits + net.inet.icmp.icmplim + default + + + TCP Offload Engine + net.inet.tcp.tso + default + + + UDP Checksums + net.inet.udp.checksum + default + + + Maximum socket buffer size + kern.ipc.maxsockbuf + default + + + Page Table Isolation (Meltdown mitigation, requires reboot.) + vm.pmap.pti + default + + + Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation) + hw.ibrs_disable + default + + + Hide processes running as other groups + security.bsd.see_other_gids + default + + + Hide processes running as other users + security.bsd.see_other_uids + default + + + + normal + fw + nuestrared.org + on + + admins + System Administrators + system + 1999 + 0 + page-all + + + root + System Administrator + system + admins + $2y$10$eE36wle/4Ma00KlIY62XzO8dvMPlJCsY5H2H8J/Ej2crzlPEjtvWq + 0 + + 2000 + 2000 + America/Bogota + 0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org + + https + 5c7caf43d381f + 8443 + + + 5 + 1 + + yes + 1 + 1 + 2 + 1 + 1 + 1 + + hadp + hadp + hadp + + monthly + + + 60 + aesni + 1 + 1 + + admins + 1 + + enabled + 2222 + + + + 0 + + + + + OPNsense-Backup + + + 192.168.100.1 + 8.8.8.8 + en_US + + os-arp-scan,os-pppoe,os-acme-client,os-freeradius,os-iperf + + + 5c7ca8d772787 + radius + RadiusAuthNosRed + 10.132.1.1 + nw2gqat60 + 5 + 1812 + 1813 + + + 5c7ca90c59ead + voucher + VaucherAuthNosred + 1 + + + + 115200 + video + + + + vtnet0 + + 1 + 1 + + 1 + 192.168.100.254 + 24 + GW_WAN + + + vtnet1 + + 1 + 1 + + 10.132.1.1 + 16 + + + + + 1 + nuestrared.org + hmac-md5 + + + + + 10.132.60.10 + 10.132.80.245 + + + + + + + + on + + nuestrared.org + 10.132.1.2 + Domain nuestrared + + + fw + nuestrared.org + A + 10.132.1.1 + + + Firewall NuestraRED.org + + + + + + public + + + + + + + automatic + + + + + + pass + inet + Default allow LAN to any rule + lan + + lan + + + + + + + pass + 
inet6 + Default allow LAN IPv6 to any rule + lan + + lan + + + + + + + + + + + + ICMP + icmp + ICMP + + + + TCP + tcp + Generic TCP + + + + HTTP + http + Generic HTTP + + / + + 200 + + + + HTTPS + https + Generic HTTPS + + / + + 200 + + + + SMTP + send + Generic SMTP + + + 220 * + + + + + 0.opnsense.pool.ntp.org + on + lan + + + system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show + 2 + + + root@10.132.1.10 + + /api/captiveportal/settings/addZone/ made changes + + + + + + + + + + + + + + 0 + 0 + 0 + wan + 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 + + + W0D23 + 4 + ac + 0 + 0 + + + + + + + + + + + + + lan + + + + + + md5 + 0 + + + + + + LDAPS + + + + dc=example,dc=domain,dc=com + (uid=%{%{Stripped-User-Name}:-%{User-Name}}) + (objectClass=posixGroup) + + + + + 1 + authnosred + nw2gqat60 + 10.132.0.0/16 + + + + + 1 + 0 + 0 + 1 + 1 + 1 + 1 + 1 + files + 1 + 1 + 1 + + + + + 1 + kleper + ferkaton76 + Usuario Kleper + + + + + + + + + + + + + + + + + + + + + + + lan + wan + v9 + + + + 0 + + + + + + AcmeClient + 1 + 0 + 0 + * + * + * + root + acmeclient cron-auto-renew + + AcmeClient Cronjob for Certificate AutoRenewal + + + + + + 1 + 1 + 99c58055-2319-49fe-b941-ad1030604bcf + prod + 43580 + 600 + 0 + + + + + normal + + + + 5c7cab505cb087.20055669 + 1 + NuestraRED.org + Acme NuestraRED Firewall + correo@nuestrared.org + letsencrypt + 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 + 1551674297 + + + + + 5c7cab9aa643d0.89304687 + 1 + fw.nuestrared.org + Certificado Firewall + + e49750e6-4d42-4047-94e7-abed03a2075a + b6df93fa-c08c-4829-90f9-8c9f9f870f8a + key_4096 + 0 + + 1 + 60 + 5c7caf43d381f + 1551675203 + + + + + + + 5c7cab7c72b502.94225746 + 1 + DreamhostAPI + Dominios en Dreamhost + dns01 + opnsense + 1 + wan + + 1 + + dns_dreamhost + 120 + + + + + + + + + + + + + + + + + + + + + + + 1 + + + + + + + 9ZZB2XMH5X43TYMM + + + + + + + + + + + + + + + 
+ + + + + + 1 + + + + + cloudflare + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 5c7caeb7f09452.55378870 + 1 + RenewFirewall + + restart_gui + + + + + + + + + 1 + 120 + 120 + 127.0.0.1 + 25 + root + nosred2018 + 0 + auto + 1 + syslog facility log_daemon + + + + 0 + root + TWbu5i5T0lm4LBLjnkSp + 2812 + + + 5 + 1 + + + 0 + root@localhost.local + 0 + + + 10 + + + + 1 + $HOST + system + + + + 300 +
+ + + + 0079eb63-53b6-4ec9-9fe8-4148ccd9f856,cf5e41d6-6721-49d0-aa32-1dbd614a92eb,dbb00b9b-ffcb-4833-94ef-15e4aaf43059,543e1993-5cf2-4db3-b625-3452d6c54c8e + + + + 1 + RootFs + filesystem + + + / + 300 +
+ + + + d45c8e90-5796-4e47-b159-67d4bf5b17dc + + + + 0 + carp_status_change + custom + + + /usr/local/opnsense/scripts/OPNsense/Monit/carp_status + 300 +
+ + + + a0a620e0-6474-4906-809f-3c612f193d91 + + + + 0 + gateway_alert + custom + + + /usr/local/opnsense/scripts/OPNsense/Monit/gateway_alert + 300 +
+ + + + 2b0582ff-d02c-482a-97b8-603902f5906f + + + + Ping + Custom + failed ping + alert + + + + NetworkLink + Custom + failed link + alert + + + + NetworkSaturation + Custom + saturation is greater than 75% + alert + + + + MemoryUsage + Custom + memory usage is greater than 75% + alert + + + + CPUUsage + Custom + cpu usage is greater than 75% + alert + + + + LoadAvg1 + Custom + loadavg (1min) is greater than 8 + alert + + + + LoadAvg5 + Custom + loadavg (5min) is greater than 6 + alert + + + + LoadAvg15 + Custom + loadavg (15min) is greater than 4 + alert + + + + SpaceUsage + Custom + space usage is greater than 75% + alert + + + + ChangedStatus + Custom + changed status + alert + + + + NonZeroStatus + Custom + status != 0 + alert + + + + + + 0 + + + + 1 + 1 + + + + + + 1 + on + strip + 1 + 1 + correo@nuestrared.org + nuestrared.org + + + 0 + /var/squid/cache + 256 + 2 + 256 + 16 + 256 + 1 + 1 + + + + 0 + 2048 + 1024 + 1024 + 256 + + + 0 + + 0 + username + password + + + + + + + lan + 3128 + 3129 + 0 + 0 + 5c7caf43d2e5f + .nuestrared.org + 16 + 8 + 0 + 3401 + public + + 2121 + 0 + 1 + 0 + + 10.132.0.0/16 + + + + + + + 80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http + 443:https + + + + 1 + shallalist + http://www.shallalist.de/Downloads/shallalist.tar.gz + + + 
finance/moneylending,automobile/boats,porn,ringtones,drugs,socialnet,dynamic,anonvpn,library,science/astronomy,costtraps,finance/insurance,chat,politics,searchengines,shopping,aggressive,hospitals,urlshortener,adv,weapons,updatesites,recreation/restaurants,radiotv,alcohol,isp,finance/trading,webmail,sex/lingerie,religion,tracker,music,automobile/planes,hobby/gardening,recreation/humor,hobby/games-misc,redirector,gamble,fortunetelling,jobsearch,finance/banking,hobby/cooking,webtv,government,models,automobile/bikes,downloads,hobby/pets,warez,homestyle,recreation/martialarts,spyware,recreation/wellness,news,hobby/games-online,recreation/travel,webphone,sex/education,finance/other,automobile/cars,dating,remotecontrol,forum,violence,imagehosting,podcasts,movies,webradio,military,hacking,finance/realestate,science/chemistry,education/schools,recreation/sports + 1 + Shallalist Blacklist + + + + + + + 0 + icap://[::1]:1344/avscan + icap://[::1]:1344/avscan + 1 + 0 + 0 + X-Username + 1 + 1024 + 60 + + + + + OPNsense proxy authentication + 2 + 5 + + + + + + + + 1 + 0 + lan + RadiusAuthNosRed,VaucherAuthNosred + 1 + + 15 + 30 + 1 + 5c7caf43d381f + fw.nuestrared.org + + + 0 + 0 +