opensourcemirror
/
opnsense-docs
mirror of https://github.com/opnsense/docs.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Many typo fixes and some rewording (#80)

This commit is contained in:
MichaelDeciso 2018-11-08 20:59:18 +01:00 committed by Ad Schellevis
parent 86a9787cf3
commit 020c7c74ec
44 changed files with 151 additions and 152 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
LICENSE
View File

@ -38,8 +38,8 @@ Some pictures are licensed under the Creative Commons Zero (CC0) license:
https://creativecommons.org/publicdomain/zero/1.0/
# Logo's
Logo's may be subject to additional copyrights, property
# Logos
Logos may be subject to additional copyrights, property
rights, trademarks etc. and may require the consent of a third party or the
license of these rights. Deciso B.V. does not represent or make any warranties
that it owns or licenses any of the mentioned, nor does it grant them.

2
README.md
View File

@ -22,7 +22,7 @@ Some pictures are licensed under the Creative Commons Zero (CC0) license:
https://creativecommons.org/publicdomain/zero/1.0/
Logo's may be subject to additional copyrights, property
Logos may be subject to additional copyrights, property
rights, trademarks etc. and may require the consent of a third party or the
license of these rights. Deciso B.V. does not represent or make any warranties
that it owns or licenses any of the mentioned, nor does it grant them.

2
source/develop.rst
View File

@ -7,7 +7,7 @@ Development Manual
The OPNsense® project invites developers to start developing with OPNsense:
"For your own purpose or even better to join us in creating the best FreeBSD
based open source firewall available!" The development workflow & build process
has been redesigned to make it more straightforward and easy for developers to
have been redesigned to make it more straightforward and easy for developers to
build OPNsense.
Being able to get the sources and build it yourself is one of the key factors of

4
source/development/architecture.rst
View File

@ -81,7 +81,7 @@ first layer initializes Phalcons routing, which handles requests and
delivers them to the controller based on its url. User content is
generated using Volt templates, which are picked by the controller.
Because Phalcons default Models function with (relational) databases
and we are using xml data, our model implementation is custom. But
and we are using XML data, our model implementation is custom. But
wherever possible we use components from Phalcon (for example,
validation is handled using Phalcons classes). For a detailed
description on the routing principles used in OPNsense, visit Frontend
@ -98,7 +98,7 @@ controllers, with the use of views, can be found at :doc:`/development/frontend/
Models
------
All models are defined by a combination of a class and an xml containing
All models are defined by a combination of a class and an XML containing
a (nested) definition. More information on defining models can be found
at the frontend model page :doc:`/development/frontend/models`.

2
source/development/components/acl.rst
View File

@ -45,7 +45,7 @@ Using the system from php is rather simple:
Usage in Volt templates
-----------------------
The acl scheme is bound to the default UI controller, and can be used by
The ACL scheme is bound to the default UI controller, and can be used by
using the acl keyword:
.. code-block:: jinja

4
source/development/components/menusystem.rst
View File

@ -37,8 +37,8 @@ An example of how to create a menu, is given below:
// test, print menu as structured named array
print_r($menu->getItems("/testpage.php"));
The current version only implements a static menu defined by one xml file
(models/OPNsense/Base/Menu/Menu.xml), but extending with additional xml files
The current version only implements a static menu defined by one XML file
(models/OPNsense/Base/Menu/Menu.xml), but extending with additional XML files
is already supported in the component for future use.
--------

22
source/development/examples/helloworld.rst
View File

@ -120,7 +120,7 @@ Not all modules contain additional code in the php class, sometimes all
the standard behaviour is already sufficient for your
modules/application.
Which is the model xml template, our skeleton starts with something like
Which is the model XML template, our skeleton starts with something like
this:
.. code-block:: xml
@ -266,9 +266,9 @@ Adding Fields
.. rubric:: Adding fields to your model
:name: adding-fields-to-your-model
When building the skeleton, we have created an empty model (xml), which
When building the skeleton, we have created an empty model (XML), which
we are going to fill with some attributes now. The items section of the
model xml should contain the structure you want to use for your
model XML should contain the structure you want to use for your
application, you can create trees to hold data in here. All leaves
should contain a field type to identify and validate its content. The
list of attributes for our application can be translated to this:
@ -310,12 +310,12 @@ Enabled).
Presentation XML
----------------
.. rubric:: Create a presentation xml to feed your template
.. rubric:: Create a presentation XML to feed your template
:name: create-a-presentation-xml-to-feed-your-template
Because creating forms is one of the key assets of the system, we have
build some easy to use wrappers to guide you through the process. First
we create an xml file for the presentation, which defines fields to use
we create an XML file for the presentation, which defines fields to use
and adds some information for your template to render. Create a file in
your controller directory using the sub directory forms and name it
general.xml. Next copy in the following content:
@ -392,7 +392,7 @@ Create API calls
:name: create-api-calls-to-retrieve-and-store-data
The framework provides some helpful utilities to get and set data from
and to the configuration xml by using your defined model. First step in
and to the configuration XML by using your defined model. First step in
binding your model to the system is to add a method to the
SettingsController to fetch the data from our configuration (or provide
the defaults if there is no content).
@ -530,7 +530,7 @@ Lets give it a try and save our data, without modifying it first.
Next correct the errors and save again, on successful save the data
should be stored in the config.xml. If you want to change validation
messages, just edit the model xml and add your message in the
messages, just edit the model XML and add your message in the
ValidationMessage tag. For example:
.. code-block:: xml
@ -848,15 +848,15 @@ automatically picks up this new information.
Plugin to access control (ACL)
------------------------------
If we want to authorize users to access this module, we can add an acl
If we want to authorize users to access this module, we can add an ACL
to this module. Without it, only admin users can access it. Create an
xml file in the model directory name ACL/ACL.xml and place the following
XML file in the model directory name ACL/ACL.xml and place the following
content in it:
.. code-block:: xml
<acl>
<!-- unique acl key, must be globally unique for all acl's -->
<!-- unique acl key, must be globally unique for all ACLs -->
<page-user-helloworld>
<name>WebCfg - Users: Hello World! </name>
<description>Allow access to the Hello World! module</description>
@ -867,7 +867,7 @@ content in it:
</page-user-helloworld>
</acl>
This creates an acl key named “page-user-helloworld” which authorizes
This creates an ACL key named “page-user-helloworld” which authorizes
access to both the ui and API urls of this application. You can now
grant access to this module from the system user manager.

6
source/development/frontend/models.rst
View File

@ -4,7 +4,7 @@ Creating Models
A model represents the data which the application will use and takes
care of the interaction to that data. In OPNsense most of the relevant
data is physically stored in an xml structure (config.xml). The primary
data is physically stored in an XML structure (config.xml). The primary
goal for OPNsense models is to structure the use of configuration data,
by creating a clear abstraction layer.
@ -44,7 +44,7 @@ When you design a model, the next thing to do is to figure out what data is
relevant for your application or module and think of the rules it should comply
to (for example, if you need an email address you might want to validate the
input). Designing the actual model is as simple as creating an xml file and
putting in your structure, the name of our xml file should be the same as the
putting in your structure, the name of our XML file should be the same as the
base name of our model suffixed by .xml.
Using the same model, we would create the following file:
@ -91,7 +91,7 @@ Now let's explain what's happing here one tag at a time.
The content of a items tag describes the full tree based structure which holds
our data, in theory this could be as large as you want it to be, but keep in
mind that the content for your model should be logical and understandable. Every
node in the tree could have a type, which defines it's behavior, nodes without a
node in the tree could have a type, which defines its behavior, nodes without a
type are just containers.
From top to bottom we find the following nodes in our tree:

2
source/development/guidelines/basics.rst
View File

@ -78,7 +78,7 @@ implementation is one example of this stage.
**3)** Moving on
(re)build new parts, using our new modules, which provide a layered development
system to automatically support API calls from other systems and xml based model
system to automatically support API calls from other systems and XML based model
templates to describe configuration data.
*See also:*

4
source/development/how-tos/api.rst
View File

@ -41,7 +41,7 @@ Code sample (python)
--------------------
For the python code sample we use the nice "requests" library
(http://docs.python-requests.org/en/latest/), which makes http calls
(http://docs.python-requests.org/en/latest/), which makes HTTP calls
very easy.
Before you can start, make sure your OPNsense has a valid SSL
@ -102,7 +102,7 @@ Using curl
----------
Simple testing with curl is also possible, the sample below uses the
same credentials, but ignores the ssl certificate check (-k) for
same credentials, but ignores the SSL certificate check (-k) for
testing.
.. code-block:: sh

2
source/intro.rst
View File

@ -102,4 +102,4 @@ OPNsense Core Features
- Stateful inspection firewall
- Granular control over state table
- 802.1Q VLAN support
- and more..
- and more

4
source/legal.rst
View File

@ -108,9 +108,9 @@ Some pictures are licensed under the Creative Commons Zero (CC0) license:
https://creativecommons.org/publicdomain/zero/1.0/
-----------------
Logo's Copyright
Logos Copyright
-----------------
Logo's may be subject to additional copyrights, property
Logos may be subject to additional copyrights, property
rights, trademarks etc. and may require the consent of a third party or the
license of these rights. Deciso B.V. does not represent or make any warranties
that it owns or licenses any of the mentioned, nor does it grant them.

8
source/manual/aliases.rst
View File

@ -20,7 +20,7 @@ OPNsense offers the following alias types:
+------------+------------------------------------------------------+
| Ports | Port numbers or a port range like 20:30 |
+------------+------------------------------------------------------+
| URL Tables | A table of ip addresses that can be fetched |
| URL Tables | A table of IP addresses that can be fetched |
+------------+------------------------------------------------------+
| GeoIP | Select countries or whole regions |
+------------+------------------------------------------------------+
@ -44,7 +44,7 @@ Go to **Firewall->Diagnostics->pfTables** and select our newly created youtube t
.. image:: images/pftable_youtube.png
:width: 100%
As you can see there are multiple ip addresses for this domain.
As you can see there are multiple IP addresses for this domain.
--------
Networks
@ -64,7 +64,7 @@ section.
----------
URL Tables
----------
URL tables can be used to fetch a list of ip addresses from a remote server.
URL tables can be used to fetch a list of IP addresses from a remote server.
There are several IP lists available for free, most notably are the "Don't Route
Or Peer" lists from Spamhaus.
@ -152,7 +152,7 @@ Then concatenate both by defining a new list:
* servers { critical_servers , other_servers}.
The end result will be a list with all ip addresses in one alias list (servers).
The end result will be a list with all IP addresses in one alias list (servers).
------------------------------
Configure DROP and EDROP lists

2
source/manual/antivirus.rst
View File

@ -5,7 +5,7 @@
.. image:: images/eye_on_virus_new.jpg
:width: 100%
**OPNsense** offers the industry standard ICAP to protect http and https
**OPNsense** offers the industry standard ICAP to protect HTTP and HTTPS
connections against ransomware, trojans, viruses and other malware .
OPNsense offers a ClamAV plugin, which can be used with the C-ICAP plugin or relies on third

2
source/manual/captiveportal.rst
View File

@ -70,7 +70,7 @@ Bandwidth Management
The Built-in traffic shaper can be utilized to:
* Share bandwidth evenly
* Give priority to protocols port numbers and/or ip addresses
* Give priority to protocols port numbers and/or IP addresses
See also: :doc:`/manual/shaping`

6
source/manual/how-tos/SkyUK.rst
View File

@ -5,7 +5,7 @@ Setup for Sky UK ISP
**Introduction**
-----------------
This doc covers the setup of Opnsense on a Sky UK VDSL connection.
This doc covers the setup of OPNsense on a Sky UK VDSL connection.
Sky uses a simple IPoE connection, all that is required is a suitable modem
in bridge mode. If using a standard OpenReach modem then no setting is required
@ -67,7 +67,7 @@ requirement for Sky .
The only other requirement in this section is to select Prevent Release'.
This is there as the Sky DHCPv6 servers use a 'sticky' address. If the
Opnsense dhcp6 client sends a release signal to the server it's more than
OPNsense dhcp6 client sends a release signal to the server it's more than
likely that the allocated prefix will change, thus this setting, along with
the 'DHCP Unique Identifier' setting will attempt to mitigate this risk.
@ -76,7 +76,7 @@ Once these settings have been entered, click on 'Save' then 'Apply'.
**DHCP Unique Identifier**
--------------------------
Although Opnsense stores the IPv6 DUID it is possible this can be lost, this
Although OPNsense stores the IPv6 DUID it is possible this can be lost, this
again would probably result in a new prefix being given, therefore an option
to enter and store a DUID is given in the Interface:Settings menu.

6
source/manual/how-tos/cachingproxy.rst
View File

@ -82,7 +82,7 @@ interfaces in the **FTP proxy interfaces** field and **Apply**.
-------------------
Access Control List
-------------------
You can setup ACL's by clicking on the arrow next to **Forward Proxy** and select
You can setup ACLs by clicking on the arrow next to **Forward Proxy** and select
**Access Control List**. Here you can:
* Setup Allowed Subnets (By default the proxy interfaces will be allowed)
@ -156,7 +156,7 @@ LAN interface (if LAN is where your clients and proxy are on).
**Source** LAN net
**Destination Port Range** HTTP
**Category** Block Proxy Bypass
**Description** Block http bypass
**Description** Block HTTP bypass
============================ =====================
**Save**
@ -170,7 +170,7 @@ And one more rule to block HTTPS access:
**Source** LAN net
**Destination Port Range** HTTPS
**Category** Block Proxy Bypass
**Description** Block https bypass
**Description** Block HTTPS bypass
============================ =====================
**Save** & **Apply changes**

14
source/manual/how-tos/carp.rst
View File

@ -18,12 +18,12 @@ route our traffic to the internet.
:width: 100%
When using CARP ( `FreeBSD handbook on CARP <https://www.freebsd.org/doc/handbook/carp.html>`__ ), all
fail-safe interfaces should have a dedicated ip address which will be
combined with one shared virtual ip address to communicate to both
fail-safe interfaces should have a dedicated IP address which will be
combined with one shared virtual IP address to communicate to both
networks. In the picture above the dashed lines are used to mark the
virtual addresses.
The configuration file (xml) for both firewalls can be downloaded from
The configuration file (XML) for both firewalls can be downloaded from
the wiki.
-----------
@ -37,7 +37,7 @@ we will explain briefly first:
:name: carp
Common Address Redundancy Protocol uses IP protocol 112, is derived from
OpenBSD and uses multicast packets to signal it's neighbours about it's
OpenBSD and uses multicast packets to signal its neighbours about its
status. Always make sure that each interface can receive carp packets.
Every virtual interface must have a unique Virtual Host ID (vhid), which
is shared across the physical machines. To determine which physical
@ -100,7 +100,7 @@ pfSync protocol.
.. rubric:: Backup
:name: backup
The backup server needs it's own dedicated addresses, we will use these:
The backup server needs its own dedicated addresses, we will use these:
+----------+-------------------+
| LAN | 192.168.1.20/24 |
@ -180,7 +180,7 @@ consider. All clients should use the virtual address in stead of the
physical address it's normally propagating. Next thing to consider is
there will be two servers active at the same time, which should know of
each others pools. If dns requests are also forwarded by OPNsense, make
sure the dhcp server sends the right ip address. These are settings used
sure the dhcp server sends the right IP address. These are settings used
in our example (on the master server):
+--------------------+----------------+
@ -197,7 +197,7 @@ Setup HA sync (xmlrpc) and pfSync
First we should enable pfSync using our dedicated interface using the
master firewall. Go to System -> High Availability, enable pfsync and
select the interface used for pfSync. Next setup the peer ip to the
select the interface used for pfSync. Next setup the peer IP to the
other hosts address (10.0.0.2).
Now we need to configure the settings we want to duplicating to the

2
source/manual/how-tos/edrop.rst
View File

@ -130,7 +130,7 @@ lower right corner.
---------------
Check pf Tables
---------------
To list the ip addresses that are currently in the DROP and EDROP lists go to
To list the IP addresses that are currently in the DROP and EDROP lists go to
**Firewall->Diagnostics->pfTables** and select the list you want to see:
.. image:: images/spamhaus_pftable.png

6
source/manual/how-tos/insight.rst
View File

@ -83,8 +83,8 @@ Clicking on a piece of the pie will open a detailed view for further analysis.
IP Addresses Pie Chart
----------------------
The IP addresses pie chart works the same as the ports pie chart and shows the
percentage per ip number. One can change the view by clicking or double clicking
on one of the shown ip numbers.
percentage per IP number. One can change the view by clicking or double clicking
on one of the shown IP numbers.
Clicking on a piece of the pie will open a detailed view for further analysis.
@ -106,7 +106,7 @@ When opening the details view by clicking on the tab one can make a new query.
:width: 100%
After selecting a valid date range (form/to) and interface one can further limit
the output by filtering on port or ip address. Select the refresh icon to update
the output by filtering on port or IP address. Select the refresh icon to update
the detailed output. Leave Port and Address empty for a full detailed listing.
.. image:: images/insight_full_details.png

2
source/manual/how-tos/installaws.rst
View File

@ -29,7 +29,7 @@ Choose an instance type
---------------------------------
Step 3 - Configure security group
---------------------------------
To configure security group, make sure you allow https access from your own network.
To configure security group, make sure you allow HTTPS access from your own network.
.. image:: images/aws_configure_security_group.png
:width: 100%

2
source/manual/how-tos/ipsec-road.rst
View File

@ -16,7 +16,7 @@ OPNsense and give you configuration examples for:
.. Note::
For the sample we will use a private ip for our WAN connection.
For the sample we will use a private IP for our WAN connection.
This requires us to disable the default block rule on wan to allow private traffic.
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
*(Dont forget to save and apply)*

36
source/manual/how-tos/ipsec-s2s.rst
View File

@ -16,7 +16,7 @@ connection (you local network need to different than that of the remote network)
.. Note::
For the sample we will use a private ip for our WAN connection.
For the sample we will use a private IP for our WAN connection.
This requires us to disable the default block rule on wan to allow private traffic.
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
*(Dont forget to save and apply)*
@ -170,11 +170,11 @@ Full Network Diagram Including IPsec Tunnel
}
------------------------------
Firewall Rules Site A & Site B
------------------------------
---------------------------------------
Firewall Rules Site A & Site B (part 1)
---------------------------------------
To allow IPsec Tunnel Connections, the following should be allowed on WAN for on
sites:
sites (under **Firewall->Rules->WAN**):
* Protocol ESP
* UDP Traffic on Port 500 (ISAKMP)
@ -185,13 +185,7 @@ sites:
.. Note::
You can further limit the traffic by the source ip of the remote host.
To allow traffic passing to your LAN subnet you need to add a rule to the IPsec
interface.
.. image:: images/ipsec_ipsec_lan_rule.png
:width: 100%
You can further limit the traffic by the source IP of the remote host.
-----------------------
Step 1 - Phase 1 Site A
@ -206,7 +200,7 @@ General information
**Key Exchange version** V2
**Internet Protocol** IPv4
**Interface** WAN *choose the interface connected to the internet*
**Remote gateway** 172.10.2.1 *the public ip address of your remote OPNsense*
**Remote gateway** 172.10.2.1 *the public IP address of your remote OPNsense*
**Description** Site B *freely chosen description*
========================= ============= ================================================
@ -320,7 +314,8 @@ And Apply changes:
.. image:: images/ipsec_s2s_vpn_p1a_success.png
:width: 100%
**You are done configuring Site A.**
**You are almost done configuring Site A (only some firewall settings remain, which we'll address later).**
**We will now proceed setting up Site B**
-----------------------------
@ -337,7 +332,7 @@ General information
**Key Exchange version** V2
**Internet Protocol** IPv4
**Interface** WAN *choose the interface connected to the internet*
**Remote gateway** 172.10.1.1 *the public ip address of your remote OPNsense*
**Remote gateway** 172.10.1.1 *the public IP address of your remote OPNsense*
**Description** Site A *freely chosen description*
========================= ============= ================================================
@ -455,8 +450,15 @@ And Apply changes:
.. image:: images/ipsec_s2s_vpn_p1a_success.png
:width: 100%
**You are done configuring Site B.**
---------------------------------------
Firewall Rules Site A & Site B (part 2)
---------------------------------------
To allow traffic passing to your LAN subnet you need to add a rule to the IPsec
interface (under **Firewall->Rules->IPsec**).
.. image:: images/ipsec_ipsec_lan_rule.png
:width: 100%
------------------
IPsec Tunnel Ready
@ -511,7 +513,7 @@ Phase 1 works but no phase 2 tunnels are connected
---------------------------------------------------
Did you set the correct local and remote networks. A common mistake is to fill in
the ip address of the remote host in stead of its network ending with **x.x.x.0**
the IP address of the remote host in stead of its network ending with **x.x.x.0**
Common issues are unequal settings. Both ends must use the same encryption standard.

8
source/manual/how-tos/multiwan.rst
View File

@ -1,7 +1,7 @@
===============
Setup Multi WAN
===============
Multi WAN scenario's are commonly used for failover or load balancing, but combinations
Multi WAN scenarios are commonly used for failover or load balancing, but combinations
are also possible with OPNsense.
.. blockdiag::
@ -47,10 +47,10 @@ We defined WAN and WAN2, where WAN will be our primary (default) gateway.
Step 1 - Add monitor IPs
-------------------------
You may skip this step if you already have setup the monitoring ip and both gateways
You may skip this step if you already have setup the monitoring IP and both gateways
are shown as online.
To add a monitoring ip go to **System->Gateways->All** and click on the first pencil
To add a monitoring IP go to **System->Gateways->All** and click on the first pencil
symbol to edit the first gateway.
Now make sure the following is configured:
@ -208,4 +208,4 @@ Combining Balancing & Failover
------------------------------
To combine Load Balancing with Failover you will have 2 or more WAN connections
for Balancing purposes and 1 or more for Failover. OPNsense offers 5 tiers
(Failover groups) each tier can hold multiple ISP's/WAN gateways.
(Failover groups) each tier can hold multiple ISPs/WAN gateways.

2
source/manual/how-tos/netflow_exporter.rst
View File

@ -18,5 +18,5 @@ For local analysis using Insight also enable **Capture local**.
Depending on the application you would like to use select **Version** 5 or 9.
Remember that version 5 does not support IPv6.
Add your **Destinations** (ip:port then enter) local ip will be added automatic
Add your **Destinations** (ip:port then enter) local IP will be added automatic
if Capture local is selected.

10
source/manual/how-tos/proxyicapantivirus.rst
View File

@ -1,7 +1,7 @@
===========================
Setup Anti Virus Protection
===========================
OPNsense can offer http and https protection by utilizing its highly flexible
OPNsense can offer HTTP and HTTPS protection by utilizing its highly flexible
proxy and the industry standard ICAP. An external engine from one of the known
vendors is used to offer maximum protection against malware, such as ransomware,
trojans and viruses. This protection can be further enhanced by the built-in Intrusion
@ -42,11 +42,11 @@ Step 4 - Connect the Engine
---------------------------
Now connect the server that the engine is installed on to OPNsense trough either
a switch or a direct cable connection. Preferable use a separate network for this
traffic to make sure the unencrypted ICAP traffic can's be tapped.
traffic to make sure the unencrypted ICAP traffic can't be tapped.
.. Note::
ICAP traffic is not encrypted, meaning you have to make sure the traffic is not
visible to anyone else. When using transparent https mode it is best to configure
visible to anyone else. When using transparent HTTPS mode it is best to configure
a separate interface for ICAP traffic and connect the Server (Engine) directly
with a crosslink cable. Alternatively one may use a VLAN for this purpose.
@ -70,8 +70,8 @@ Step 6 - Test using EICAR
To test if the engine is operational and functional go to http://www.eicar.org/85-0-Download.html
on this page you will find several files you can test.
First test the http protocol version and if that works the https version if you
have also configured the transparent ssl proxy mode.
First test the HTTP protocol version. If that works, test the HTTP version if you
have also configured the transparent SSL proxy mode.
.. Warning::
**IMPORTANT NOTE** :

6
source/manual/how-tos/proxyicapantivirusinternal.rst
View File

@ -1,7 +1,7 @@
==================================================
Setup Anti Virus Protection using OPNsense Plugins
==================================================
OPNsense can offer http and https protection by utilizing its highly flexible
OPNsense can offer HTTP and HTTPS protection by utilizing its highly flexible
proxy and the industry standard ICAP. An external engine from one of the known
vendors is used to offer maximum protection against malware, such as ransomware,
trojans and viruses. This protection can be further enhanced by the built-in Intrusion
@ -62,8 +62,8 @@ Step 5 - Test using EICAR
To test if the engine is operational and functional go to http://www.eicar.org/85-0-Download.html
on this page you will find several files you can test.
First test the http protocol version and if that works the https version if you
have also configured the transparent ssl proxy mode.
First test the HTTP protocol version. If that works, test the HTTPS version if you
have also configured the transparent SSL proxy mode.
.. Warning::
**IMPORTANT NOTE** :

10
source/manual/how-tos/proxytransparent.rst
View File

@ -7,14 +7,14 @@ can be configured to run in transparent mode, this mean the clients browser does
not have to be configured for the web proxy, but all traffic is diverted to the
proxy automatically by utilizing Network Address Translation.
In this How To, we will explain the basic http as well as https (ssl bump) transparent
In this How To, we will explain the basic HTTP as well as HTTPS (SSL bump) transparent
proxy modes.
.. Warning::
The Transparent SSL/HTTPS proxy mode uses a technique also called man-in-the-middle,
only configure and use this if your know what you are doing. When configured wrong
you may end up in lessing your security defenses significantly instead of enhancing
them. Using a transparent https proxy can be a dangerous practice and may not be
only configure and use this if you know what you are doing. When configured incorrectly
you may end up in lessening your security defenses significantly instead of enhancing
them. Using a transparent HTTPS proxy can be a dangerous practice and may not be
allowed by the services you use, for instance e-banking.
Step 1 - Basic Proxy Setup
@ -33,7 +33,7 @@ And Click **Apply**.
Step 3 - NAT/Firewall Rule
---------------------------------
A simple way to add the NAT/Firewall Rule is to click on the **(i)** icon on the
A simple way to add the NAT/Firewall Rule is to click the **(i)** icon on the
left of the **Enable Transparent HTTP proxy** option and click on **add a new firewall rule**.
.. image:: images/screenshot_enable_transparent_http.png

8
source/manual/how-tos/proxywebfilter.rst
View File

@ -61,8 +61,8 @@ Press **Save Changes**.
--------------------------------
Step 3 - Download the Categories
--------------------------------
Now press Download ACL's, please note that this will take a while (can be several
minutes) as the full list (>19 MB) will be converted to squid acl's.
Now press Download ACLs, please note that this will take a while (can be several
minutes) as the full list (>19 MB) will be converted to squid ACLs.
-------------------------
Step 4 - Setup Categories
@ -108,7 +108,7 @@ LAN interface (if LAN is where your clients and proxy are on).
**Source** LAN net
**Destination Port Range** HTTP
**Category** Block Proxy Bypass
**Description** Block http bypass
**Description** Block HTTP bypass
============================ =====================
**Save**
@ -122,7 +122,7 @@ And one more rule to block HTTPS access:
**Source** LAN net
**Destination Port Range** HTTPS
**Category** Block Proxy Bypass
**Description** Block https bypass
**Description** Block HTTPS bypass
============================ =====================
**Save** & **Apply changes**

2
source/manual/how-tos/resources/config-OPNsense-ipsec-Site-B.xml
View File

@ -144,7 +144,7 @@
<value>default</value>
</item>
<item>
<descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
<descr>Randomize PIDs (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
<tunable>kern.randompid</tunable>
<value>default</value>
</item>

58
source/manual/how-tos/shaper.rst
View File

@ -2,7 +2,7 @@
Setup Traffic Shaping
=====================
For this how-to we will look into these scenario's:
For this how-to we will look into these scenarios:
#. Reserve dedicated bandwidth for a realtime traffic such as (hosted) Voice Over IP (VOIP) server.
#. Share internet bandwidth amongst users evenly
@ -112,10 +112,10 @@ Create a rule for traffic directed towards the VOIP Server (Upload).
====================== ================= =====================================================
**sequence** 11 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, ip in our example*
**source** any *The source ip to shape, leave on any*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source IP to shape, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** 172.10.2.1 *The ip address of our VOIP server*
**destination** 172.10.2.1 *The IP address of our VOIP server*
**dst-port** any *Use any of the destination port if static*
**target** PipeUP-256kbps *Select the Upload 256 kbps Pipe*
**description** ShapeVOIPUpload *Enter a descriptive name*
@ -127,10 +127,10 @@ Create a rule for traffic coming from the VOIP Server (Download).
====================== ================= =====================================================
**sequence** 21 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, ip in our example*
**source** 172.10.2.1 *The ip address of our VOIP server*
**proto** ip *Select the protocol, IP in our example*
**source** 172.10.2.1 *The IP address of our VOIP server*
**src-port** any *The source port to shape, leave on any*
**destination** any *The destination ip to shape, leave on any*
**destination** any *The destination IP to shape, leave on any*
**dst-port** any *The destination port to shape, leave on any*
**target** PipeDown256kbps *Select the Download 256 kbps Pipe*
**description** ShapeVOIPDown *Enter a descriptive name*
@ -141,7 +141,7 @@ Create a rule for all other internet upload traffic
====================== ================= =====================================================
**sequence** 31 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, ip in our example*
**proto** ip *Select the protocol, IP in our example*
**source** 192.168.1.0/24 *The source IPs to shape, our LAN network*
**src-port** any *The source port to shape, leave on any*
**destination** any *the destination address, leave in any*
@ -156,8 +156,8 @@ Create a rule for all other internet download traffic
====================== =================== =====================================================
**sequence** 41 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, ip in our example*
**source** any *The source ip to shape, leave on any*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source IP to shape, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** 192.168.1.0/24 *The destination IPs to shape, our LAN network*
**dst-port** any *The destination port to shape, leave on any*
@ -279,8 +279,8 @@ Create a rule for traffic directed towards the internet (Upload).
====================== ================= =====================================================
**sequence** 11 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, ip in our example*
**source** 192.168.1.0/24 *The source ip to shape, select the LAN network*
**proto** ip *Select the protocol, IP in our example*
**source** 192.168.1.0/24 *The source IP to shape, select the LAN network*
**src-port** any *The source port to shape, leave on any*
**destination** any *The destination to shape, leave on any*
**dst-port** any *Use any of the destination port if static*
@ -294,10 +294,10 @@ Create a rule for traffic coming from the internet (Download).
====================== ================= =====================================================
**sequence** 21 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, ip in our example*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** 192.168.1.0/24 *The destination ip to shape, select LAN network*
**destination** 192.168.1.0/24 *The destination IP to shape, select LAN network*
**dst-port** any *The destination port to shape, leave on any*
**target** QueueDown-10Mbps *Select the Download 10 Mbps Queue*
**description** ShapeDownload *Enter a descriptive name*
@ -373,10 +373,10 @@ Create a rule for traffic coming from the internet (Download).
====================== ================= =====================================================
**sequence** 21 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, ip in our example*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** 192.168.1.0/24 *The destination ip to shape, select LAN network*
**destination** 192.168.1.0/24 *The destination IP to shape, select LAN network*
**dst-port** any *The destination port to shape, leave on any*
**target** PipeDown-1Mbps *Select the Download 1 Mbps Pipe*
**description** ShapeDownload *Enter a descriptive name*
@ -384,7 +384,7 @@ Create a rule for traffic coming from the internet (Download).
.. Note::
If you want to limit traffic for a single ip then just enter the ip address
If you want to limit traffic for a single IP then just enter the IP address
in the destination field instead of the full LAN network range.
Now press |apply| to activate the traffic shaping rules.
@ -476,46 +476,46 @@ Create a rule for smtp download traffic (email)
====================== =================== =====================================================
**sequence** 11 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, ip in our example*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** smtp *The source port to shape, smtp or 25*
**destination** any *The destination ip to shape, leave on any*
**destination** any *The destination IP to shape, leave on any*
**dst-port** any *The destination port to shape, leave on any*
**target** Queue-SMTP *Select the SMTP queue*
**description** ShapeSMTPDownload *Enter a descriptive name*
====================== =================== =====================================================
Create a rule for http download traffic
Create a rule for HTTP download traffic
====================== =================== =====================================================
**sequence** 21 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, ip in our example*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** http *The source port to shape, http or 80*
**destination** any *The destination ip to shape, leave on any*
**destination** any *The destination IP to shape, leave on any*
**dst-port** any *The destination port to shape, leave on any*
**target** Queue-HTTP *Select the HTTP queue*
**description** ShapeHTTPDownload *Enter a descriptive name*
====================== =================== =====================================================
Adding an extra rule for https traffic is simple as we can use the same http queue if we like:
Adding an extra rule for HTTPS traffic is simple as we can use the same HTTP queue if we like:
====================== ==================== =====================================================
**sequence** 31 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**proto** ip *Select the protocol, ip in our example*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** https *The source port to shape, https or 443*
**destination** any *The destination ip to shape, leave on any*
**destination** any *The destination IP to shape, leave on any*
**dst-port** any *The destination port to shape, leave on any*
**target** Queue-HTTP *Select the HTTP queue*
**description** ShapeHTTPSDownload *Enter a descriptive name*
====================== ==================== =====================================================
This way http and https traffic will be treated the same (total max of 1 Mbps).
This way HTTP and HTTPS traffic will be treated the same (total max of 1 Mbps).
Now press |apply| to activate the traffic shaping rules.
@ -620,10 +620,10 @@ Create a rule for the download traffic
**sequence** 11 *Auto generated number, overwrite only when needed*
**interface** WAN *Select the interface connected to the internet*
**interface2** GuestNet *Select the interface that matches your GuestNet*
**proto** ip *Select the protocol, ip in our example*
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** any *The destination ip to shape, leave on any*
**destination** any *The destination IP to shape, leave on any*
**dst-port** any *The destination port to shape, leave on any*
**direction** in *Match incoming packages (download)*
**target** PipeDown-2Mbps *Select the Download pipe*
@ -639,7 +639,7 @@ Create a rule for the upload traffic
**proto** ip *Select the protocol, IP in our example*
**source** any *The source address, leave on any*
**src-port** any *The source port to shape, leave on any*
**destination** any *The destination ip to shape, leave on any*
**destination** any *The destination IP to shape, leave on any*
**dst-port** any *The destination port to shape, leave on any*
**direction** out *Match incoming packages (download)*
**target** PipeUp-1Mbps *Select the Download pipe*

2
source/manual/how-tos/sslvpn_client.rst
View File

@ -29,7 +29,7 @@ and give you configuration examples for:
.. Note::
For the sample we will use a private ip for our WAN connection.
For the sample we will use a private IP for our WAN connection.
This requires us to disable the default block rule on wan to allow private traffic.
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
*(Dont forget to save and apply)*

4
source/manual/how-tos/sslvpn_s2s.rst
View File

@ -2,7 +2,7 @@
Setup SSL VPN site to site tunnel
=================================
Site to site VPN's connect two locations with static public IP addresses and allow
Site to site VPNs connect two locations with static public IP addresses and allow
traffic to be routed between the two networks. This is most commonly used to
connect an organization's branch offices back to its main office, so branch users
can access network resources in the main office.
@ -16,7 +16,7 @@ connection (you local network need to different than that of the remote network)
.. Note::
For the sample we will use a private ip for our WAN connection.
For the sample we will use a private IP for our WAN connection.
This requires us to disable the default block rule on wan to allow private traffic.
To do so, go to the **Interfaces->[WAN]** and uncheck "Block private networks".
*(Don't forget to save and apply)*

6
source/manual/how-tos/user-radius.rst
View File

@ -6,15 +6,15 @@ is easy just go to **System->Access->Servers** and click on **Add server** in th
Fill in the form:
============================== =============== ========================================================
============================== =============== =========================================================
**Descriptive name** radius_test *Enter a descriptive name*
**Type** Radius *Select Radius*
**Hostname or IP address** 10.10.10.1 *Enter the IP of your Radius server*
**Shared Secret** secret *Shared secret for your Radius server*
**Services offered** Authentication *Select Authentication,for Captive portal + accounting*
**Authentication port value** 1812 *Port number, 1812 is default for accounting it's 1813*
**Authentication port value** 1812 *Port number, 1812 is default; for accounting it's 1813*
**Authentication Timeout** 5 *Timeout for Radius to respond on requests*
============================== =============== ========================================================
============================== =============== =========================================================
Use the tester under **System->Access->Tester** to test the Radius server.

4
source/manual/install.rst
View File

@ -344,8 +344,8 @@ By default you have to log in to enter the console.
VLANs and assigning interfaces
If choose to do manual interface assignment or when no config file can be
found then you are asked to assign Interfaces and VLANs. VLANs are optional.
If you do not need VLAN's then choose **no**. You can always configure
VLAN's at a later time.
If you do not need VLANs then choose **no**. You can always configure
VLANs at a later time.
LAN, WAN and optional interfaces
The first interface is the LAN interface. Type the appropriate

2
source/manual/ipv6.rst
View File

@ -6,7 +6,7 @@ Using IPv6
:width: 100%
OPNsense fully supports IPv6 for routing and firewall. However there are lots of
different options to utilize IPv6. Currently these scenario's are known to work:
different options to utilize IPv6. Currently these scenarios are known to work:
* Native IPv6 only
* Dual Stack IPv4 + IPv6

8
source/manual/multiwan.rst
View File

@ -1,7 +1,7 @@
=========
Multi WAN
=========
Multi WAN scenario's are commonly used for failover or load balancing, but combinations
Multi WAN scenarios are commonly used for failover or load balancing, but combinations
are also possible with OPNsense.
.. blockdiag::
@ -30,7 +30,7 @@ connectivity is fully restored so will the routing switch back to the primary IS
------------------
WAN Load Balancing
------------------
Load balancing can be used to split the load between two (or more) ISP's. This
Load balancing can be used to split the load between two (or more) ISPs. This
enhances the total available bandwidth and/or lowers the load on each ISP.
The principle is simple: Each WAN connection (gateway) gets a portion of the traffic.
@ -39,10 +39,10 @@ The traffic can be divided equally or weighted.
------------------------------
Combining Balancing & Failover
------------------------------
It is also possible to combine Load Balancing with Failover in such scenario's
It is also possible to combine Load Balancing with Failover in such scenarios
you will have 2 or more WAN connections for Balancing purposes and 1 or more for
Failover. OPNsense offers 5 tiers (Failover groups) each tier can hold multiple
ISP's/WAN gateways.
ISPs/WAN gateways.
-------------
Configuration

4
source/manual/netflow.rst
View File

@ -11,13 +11,13 @@ is very fast with little overhead compared to softflowd or pfflowd.
While many monitoring solutions such as Nagios, Cacti and vnstat only capture traffic
statistics, Netflow captures complete packet flows including source, destination
ip and port number.
IP and port number.
OPNsense offers full support for exporting Netflow data to external collectors as
well as a comprehensive Analyzer for on-the-box analysis and live monitoring.
OPNsense is the only open source solution with a built-in Netflow analyzer integrated
into it's Graphical User Interface.
into its Graphical User Interface.
------------------
Supported Versions

6
source/manual/opnsense_tools.rst
View File

@ -55,12 +55,12 @@ The latest update of OPNsense to version 18.1.5 did a minor jump for the IPSec p
From this moment your VPNs are unstable and only a restart helps.
To check if the update of the package is the reason you can easily revert the package
to it's previous state while running the latest OPNsense version itself
to its previous state while running the latest OPNsense version itself.
# opnsense-revert -r 18.1.4 strongswan
With this command you will on e.g. 18.1.5 while reverting the package strongswan to it's version it was in 18.1.4.
If you want to go back to the current release version just just
With this command you can, for example, run OPNsense 18.1.5 while using the 18.1.4 version of strongswan.
If you want to go back to the current release version just do
# opnsense-revert strongswan

7
source/manual/proxy.rst
View File

@ -66,7 +66,7 @@ category based web filter support. Main features include:
* Fetch from a remote URL
* Supports flat file list and category based compressed lists
* Automatically convert category based blacklists to squid ACL's
* Automatically convert category based blacklists to squid ACLs
* Keep up to date with the built-in scheduler
* Compatible with most popular blacklist
@ -75,13 +75,10 @@ Transparent Mode
----------------
The transparent mode means all request will be diverted to the proxy without any
configuration on your client. Transparent mode works very well with unsecured http
requests, however with secured (SSL) https connection the proxy will become a
requests, however with secured (SSL) HTTPS connection the proxy will become a
man-in-the-middle as the client will "talk" to the proxy and the proxy will encrypt
the traffic with its master key that the client is required to trust.
While we do not encourage the use of https in transparent mode, this feature is
scheduled for release in version 16.7.
.. Warning::
Using a transparent HTTPS proxy can be a dangerous practice and may not be
allowed by the services you use, for instance e-banking.

2
source/manual/shaping.rst
View File

@ -24,7 +24,7 @@ OPNsense traffic shaping is a reliable solution to limit bandwidth or prioritize
traffic and can be combined with other functions such as captive portal or high
availability (CARP).
Bandwidth limitations can be defined based upon the interface(s), ip source &
Bandwidth limitations can be defined based upon the interface(s), IP source &
destination, direction of traffic (in/out) and port numbers (application).
Available bandwidth can be shared evenly over all users, this allows for

2
source/relations/hardenedbsd.rst
View File

@ -43,4 +43,4 @@ HardenedBSD's core team consists of Oliver Pinter and Shawn Webb.
Cooperation with OPNsense
-------------------------
In May 2015, HardenedBSD announced their cooperation with OPNsense.
A HardenedBSD-flavored versions of OPNsense is available as of June 2015.
A HardenedBSD-flavored version of OPNsense is available as of June 2015.

6
source/relations/osi.rst
View File

@ -17,9 +17,9 @@ community-recognized body for reviewing and approving licenses as OSD-conformant
-----------------------
------------------
Relations OPNsense
------------------
--------------------
Relation to OPNsense
--------------------
OPNsense is licensed under an Open Source Initiative `approved license <http://opensource.org/licenses>`__. OPNsense
is and will be available with the simple 2-clause BSD license. We believe an
open source project should provide the sources and the tools to build it.

2
themes/opnsense/sass/_theme_rst.sass
View File

@ -288,7 +288,7 @@
// rST seems to want dds to be treated as the browser would, indented.
dd
margin: 0 0 $base-line-height / 2 $base-line-height
// This is what Sphinx spits out for it's autodocs. Depending upon what language the person is referencing
// This is what Sphinx spits out for its autodocs. Depending upon what language the person is referencing
// these things usually have a class of "method" or "class" or something similar, but really who knows.
// Sphinx doesn't give me a generic class on these, so unfortunately I have to apply it to the root dl.
// This makes me terribly unhappy and makes this code very nesty. Unfortunately I've seen hand-written docs