17.1 “Eclectic Eagle” Series

The OPNsense team is proud to announce the final availability of version 17.1, nicknamed “Eclectic Eagle”. This major release features FreeBSD 11.0, the SSH remote installer, new languages Italian / Czech / Portuguese, state-of-the-art HardenedBSD security features, PHP 7.0, new plugins for FTP Proxy / Tinc VPN / Let’s Encrypt, native PAM authentication against e.g. 2FA (TOTP), as well a rewritten Nano-style card images that adapt to media size to name only a few.

We would like to encourage everyone to supervise this major upgrade physically. As such, it cannot be performed from the GUI. Instead, go to the root console menu, choose option 12 and type “17.1” at the prompt. The process will download a full set of updates and reboot multiple times. All operating system files and packages will be reinstalled as a consequence. This process can also be remotely triggered via SSH.

For fresh installations images are provided with OpenSSL for 32 and 64 bit Intel architectures. The new SSH installer feature will be listening on the LAN port 192.168.1.1, give out DHCP leases to clients and can connect using the user “root” (console menu) or “installer” (the installer, of course) with the default password “opnsense”. The respective checksums for the images can be found below this announcement and the direct download links from our capable mirror providers are as follows:

https://opnsense.c0urier.net/releases/17.1/ (Europe) http://mirrors.nycbug.org/pub/opnsense/releases/17.1/ (US East Coast) http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1/ (US West Coast)

https://opnsense.org/download/ (full mirror list)

17.1.11 (July 25, 2017)

An IPv6 problem has finally been fixed which could prevent reclaiming address leases during an interface reload, especially when OpenVPN was running. Thanks to everyone involved in tracking this down! Also, the last bits for the new GUI major upgrade feature are now in place. The 17.7 upgrade path will be unlocked on July 31, which will require installing one tiny final update.

Here are the full patch notes:

  • firmware: added major GUI upgrade code for upcoming 17.7 release

  • firmware: added major GUI cron upgrade parameter “ALLOW_RISKY_MAJOR_UPGRADE”

  • interfaces: dhcp6c can now properly reload without leaking its listening socket to e.g. OpenVPN

  • rc: allow to optionally prevent launch of configd via rc.conf variable

  • openvpn: normalise line endings of used certificates

  • openvpn: fix config handling in GUI pages for PHP 7.1

  • plugins: os-quagga 1.3.2 (contributed by Fabian Franz and Michael Muenz)

  • ports: perl 5.24.2 [1]

  • ports: strongswan 5.5.3 [2]

17.1.10 (July 18, 2017)

Quick update, nothing overly fancy this week. :)

Here are the full patch notes:

  • system: harden GUI by removing TLS_RSA_WITH_3DES_EDE_CBC_SHA

  • system: harden GUI by improving Secure Attribute cookie usage

  • system: harden GUI by using DH-4096 parameters

  • system: allow to reverse password / token order in TOTP authentication

  • system: add swap file option for SSD operation

  • interfaces: speed up GUI handling with configurations of more than 150 VLANs

  • interfaces: stop is_ipaddrv6() from accepting subnets

  • ipsec: IKEv2 can handle multiple phase 1 with the same IP

  • ipsec: list non-routed connections

  • unbound: removed obsolete so-rcvbuf optimisation code

  • net-mgmt/zabbix-agent: validation fix (contributed by Frank Wall)

  • net/quagga: version 1.3.1 (contributed by Frabian Franz and Michael Muenz)

  • layout: update to Font-Awesome 4.7

  • mvc: add setMultiple() to OptionField

  • ports: phalcon 3.2.1 [1]

  • ports: php 7.0.21 [2]

  • ports: php70-openssl CRL hotfix

  • ports: bind 9.11.1-P3 [3]

  • ports: unbound 1.6.4 [4]

  • ports: suricata 3.2.3 [5]

17.1.9 (July 04, 2017)

Quite the list of changes after a few weeks of a turbulent summer. This update addresses Stack Clash, OpenVPN, Bind and cURL security issues, see the reference links below.

17.7 is almost here, which means we have skipped over Alpha and Beta phase due to the fact that the base system is staying on FreeBSD 11.0. What you can expect is a Release Candidate within a week and a smooth transition.

Here are the full patch notes:

  • firewall: move gateway switching from system to firewall advanced settings

  • firewall: keep category selection when changing tabs

  • firewall: do not skip gateway switch parsing too early (contributed by Stephane Lesimple)

  • interfaces: show VLAN description during edit

  • firmware: opnsense-revert can now handle multiple packages at once

  • firmware: opnsense-patch can now handle permission changes from patches

  • dnsmasq: use canned –bogus-priv for no_private_reverse

  • dnsmasq: separate log file, ACL and menu entries

  • dynamic dns: fix update for IPv6 (contributed by Alexander Leisentritt)

  • dynamic dns: remove usage of CURLAUTH_ANY (contributed by Alexander Leisentritt)

  • intrusion detection: suppress “fast mode available” boot warning in PCAP mode

  • openvpn: plugin framework adaption

  • unbound: add local-zone typetransparent for PTR zone (contributed by Davide Gerhard)

  • unbound: separate log file, ACL and menu entries

  • wizard: remove HTML from description strings

  • mvc: group relation to something other than uuid if needed

  • mvc: rework “item in” for our Volt templates

  • lang: Czech to 100% translated (contributed by Pavel Borecki)

  • plugins: zabbix-agent 1.1 (contributed by Frank Wall)

  • plugins: haproxy 1.16 (contributed by Frank Wall)

  • plugins: acme-client 1.8 (contributed by Frank Wall)

  • plugins: tinc fix for switch mode (contributed by Johan Grip)

  • plugins: monit 1.3 (contributed by Frank Brendel)

  • src: support dhclient supersede statement for option 54 (contributed by Fabian Kurtz)

  • src: add Intel Atom Cherryview SOC HSUART support

  • src: add the ID for the Huawei ME909S LTE modem

  • src: HardenedBSD Stack Clash mitigations [1]

  • ports: sqlite 3.19.3 [2]

  • ports: openvpn 2.4.3 [3]

  • ports: sudo 1.8.20p2 [4]

  • ports: dnsmasq 2.77 [5]

  • ports: openldap 2.4.45 [6]

  • ports: php 7.0.20 [7]

  • ports: suricata 3.2.2 [8]

  • ports: squid 3.5.26 [9]

  • ports: ca_root_nss 3.31

  • ports: bind 9.11.1-P2 [10]

  • ports: unbound 1.6.3 [11]

  • ports: curl 7.54.1 [12]

17.1.8 (June 01, 2017)

It is with pleasure that we announce the availability of SafeStack in the OPNsense ports tree as our latest addition via our valued HardenendBSD friendship. While SafeStack is already deployed for the base operating system, it had not previously been applied to the ports tree.

SafeStack is an exploit mitigation developed by clang/llvm. It helps mitigate stack-based buffer overflows. SafeStack depends on Address Space Layout Randomization (ASLR) in order to be effective. OPNsense fulfils that dependency by including the HardenedBSD ASLR implementation, which follows the original PaX design. Without ASLR, SafeStack is ineffective as an attacker would know where the SafeStack lies in memory and could use that information to her advantage.

It is still rather quiet security-wise. Despite updating OpenSSL, it does not contain any security updates this time.

Here are the full patch notes:

  • system: tweak the HTTP_REFERER error message (contributed by Michael Muenz)

  • system: IPv6 SSL cipher selection fix (contributed by Alexander Graf)

  • system: only probe gateway monitor when it is running

  • system: move web GUI to plugin framework

  • system: improve ssh key newline write

  • system: allow up to 8 name servers

  • firewall: add CARP option “Disable preempt”

  • firewall: move CARP preempt to later boot stage

  • firewall: allow port ranges in the form of “80-100” in addition to “80:100”

  • interfaces: track6 edge case requires HUP for either reload or linkup

  • ipsec: fix widget count after strongSwan 5.5.2 update

  • intrusion detection: add advanced feature default-packet-size

  • firmware: new mirror for Dept. of CSE, Yuan Ze University, Taiwan [1]

  • rc: advertise live mode just above the login prompt

  • rc: improve the set IP menu option with far gateway selection, DHCP, DNS, track6, etc.

  • mvc: send forms as type-safe JSON data

  • mvc: correct multi-value sort in template helper

  • mvc: fix validation issue when storing a value for the first time

  • lang: minor updates for Chinese (contributed by Tianmo)

  • lang: Japanese 100% completed (contributed by Chie and Takeshi Taguchi)

  • plugins: quagga 1.2 with initial BGP support (contributed by Fabian Franz and Michael Muenz)

  • plugins: zabbix-agent 1.0 (contributed by Frank Wall)

  • plugins: haproxy 1.15 (contributed by Fabian Franz and Frank Wall)

  • ports: enabled SafeStack for applicable amd64 packages, ported over by HardenedBSD

  • ports: openssl 1.0.2l [2]

17.1.7 (May 18, 2017)

OpenVPN released version 2.4.2 and also 2.3.15 which come with two high profile fixes addressing CVE-2017-7479 and CVE-2017-7478. While we still aim for OpenVPN 2.4 adoption during the 17.1 series, we have deferred updating the release version from 2.3 to 2.4 at this point to be able to respond more quickly.

Here are the full patch notes:

  • system: fix gateway failover edge cases missed in 17.1.6

  • system: fix default route display in diagnostics page

  • system: consistent precision display in gateway monitoring loss and RTT

  • system: correctly restart cron via backend call

  • system: use the internal RC script name instead file name to load its variables

  • system: keep WAN DHCPv6 configuration option on console port reassign

  • system: unify the console yes/no prompts to indicate their default behaviour

  • system: separate row and unhide button for 2FA OTP QR code display

  • system: prevent stripping of migrated configuration during factory reset

  • firmware: opnsense-bootstrap bare-mode addition for installing repository metadata only

  • firmware: opnsense-bootstrap will never be deleted in case it is required for recovery

  • firmware: opnsense-revert now always properly reverts the core package

  • firmware: fix argument parsing in all update and development utilities

  • firewall: do not save range when end port is empty

  • firewall: do not automatically reload filter after alias delete

  • firewall: skip well-known ports for ranges

  • firewall: fetching bogon files should not use fetch internal auto-retry

  • interfaces: fix bug that prevented creation of IPv6 cache IP files (contributed by @theq89)

  • interfaces: defer reload of the filter on IPv6 renewal and keep it local

  • interfaces: avoid potential configure loops in IPv4 renewal

  • interfaces: improve diagnostic messages on boot

  • interfaces: correct usage of interface cache files and properly clear them during boot

  • ipsec: enable CA field for hybrid and mutual RSA Xauth

  • dynamic dns: fix prototype declaration (contributed by Evgeny Bevz)

  • dynamic dns: add support for STRATO

  • mvc: fix iteration over several config nodes to avoid “Node no longer exists” type warnings

  • plugins: quagga 1.1.1 fixes reload of BGPv4 tables and modal closing (contributed by Fabian Franz)

  • plugins: monit 1.1 fixes import sender address and validation (contributed by Frank Brendel)

  • src: removed duplicate unbound from FreeBSD base system

  • src: added locales to e.g. allow tmux to start up correctly

  • src: Xen migration enhancements [1]

  • src: allow TOS value zero and add extended DSCP support

  • ports: openvpn 2.3.15 [2]

  • ports: php 7.0.19 [3]

  • ports: squid 3.5.25 [4]

  • ports: sudo 1.8.20 [5]

17.1.6 (May 04, 2017)

Other than the usual bulk of improvements, the Quagga plugin gained BGP support and the Phalcon framework is now able to run smoothly on PHP 7.1, which we are targeting for 17.7. The next bit of planned work in the 17.1 series is switching OpenVPN to version 2.4. It can already be previewed in the development version.

Enjoy the security-silence this time around. :)

Here are the full patch notes:

  • system: proper autofill of imported CA fields

  • system: fix off by one and add validation for next serial in CA import

  • system: new global product info file and associated cleanups

  • system: prompt for new root password on console reset rather than using the factory default

  • system: remove PHP version specific code to automatically support newer versions such as PHP 7.1

  • system: raise PHP memory limit by 50%

  • firmware: show downgrades in update list as well

  • firmware: update pkg alongside other packages if it does not need an explicit upgrade

  • firmware: add plugin list to crash report if plugins are installed

  • interfaces: do not hide the save button when all interfaces have been assigned

  • firewall: support tag/tagged for manual outbound NAT

  • firewall: exclude IPv6 extension headers

  • firewall: disable filter association when no-rdr port forward option is selected

  • firewall: do not endlessly try to fetch bogons on systems with no connectivity

  • captive portal: fix autocomplete, autocapitalize and autocorrect (contributed by Johann Richard)

  • dhcp: fix static leases issue with loading settings into form

  • dhcp: add interface-mtu option

  • ipsec: move to plugin code framework

  • openvpn: fix possible start failure of servers using udp6 or tcp6

  • router advertisements: force restart of daemon to adapt to time zone change

  • unbound: statistics API (contributed by Fabian Franz)

  • web proxy: reorder pre-auth plugins and local auth settings (contributed by Evgeny Bevz)

  • mvc: set locale in APIControllerBase (contributed by Alexander Shursha)

  • mvc: dialog translations (contributed by Fabian Franz)

  • mvc: escape @ in menu entry to avoid error on mailto: url

  • plugins: igmp-proxy 1.1 renames internal service reload endpoint

  • plugins: quagga 1.1.0 adds BGP support and assorted fixes (contributed by Fabian Franz and Michael Muenz)

  • plugins: relayd 1.1 adds session timeout configuration (contributed by Frank Brendel)

  • plugins: snmp 1.1 renames internal service reload endpoint

  • ports: ca_root_nss 3.30.2

  • ports: phalcon 3.1.2 [1]

  • ports: unbound 1.6.2 [2]

17.1.5 (April 24, 2017)

After a brief timeout due to a super happy image release, 17.1.5 brings to you several longterm improvements for the firewall handling, dynamic DNS and several plugin updates, with Quagga and Monit as two brand new additions to the pool. As an especially longterm improvement, the German translation finally hit 100% completed thanks to the many contributors over the last two years.

We are currently working on extending SafeStack support to mission-critical third-party packages, testing the move to PHP 7.1 and finishing the associated roadmap for the upcoming 17.7 release. Stay tuned for more.

Here are the full patch notes:

  • system: show save message in correct language after language switch

  • firmware: remove obsoleted packages after a successful major update

  • firmware: flip the menu order of plugins and packages

  • firmware: switch to new embedded kernel/base set version

  • firewall: improve alias cleanup

  • firewall: new “select all” feature in firewall rules listings

  • firewall: add priority setting to advanced rules (contributed by djGrrr)

  • firewall: cleanup of gateway handling

  • firewall: cleanup of rule generation and fix for missing rules for group interface network (contributed by Ian Matyssik)

  • firewall: improve alias validation messages

  • dhcp: add route features to router advertisements

  • dhcp: add missing server pool loop counter

  • unbound: fix DHCP watcher using wrong timezone

  • unbound: improve DHCP watcher MAC address read

  • intrusion detection: use “auto” hostmode setting

  • web proxy: decode content when downloading ACL

  • web proxy: add all virtual IPs to listening configuration

  • web proxy: add extended file logging option

  • openssh: migrated to plugin framework code

  • openvpn: correctly export renegotiate time of zero

  • openvpn: reenable the XOR patch support

  • dynamic dns: multiple fixes and migrated to plugin framework code

  • rfc2136: multiple fixes and migrated to plugin framework code

  • rfc2136: separated code from dynamic DNS

  • rfc2136: added dashboard widget

  • lang: updates for Chinese, Czech, Japanese

  • lang: German translation hits 100% completed

  • plugins: gracefully deal with fatal parse errors in plugin code

  • plugins: acme-client 1.7 (contributed by Frank Wall)

  • plugins: haproxy 1.14 (contributed by Frank Wall)

  • plugins: monit 1.0 (contributed by Frank Brendel)

  • plugins: quagga 1.0.0 with OSPF and RIP support (contributed by Fabian Franz)

  • ports: pkg 1.10.1 [1] [2]

  • ports: sqlite 3.18.0 [3]

  • ports: curl 7.54 [4]

  • ports: openssh 7.5p1 [5]

  • ports: hyperscan 4.4.1 [6]

  • ports: dhcp6 20080615.2 [7]

  • ports: ca_root_nss 3.30.1

  • ports: bind 9.11.1 [8]

  • ports: strongswan 5.5.2 [9]

  • ports: php 7.0.18 [10]

17.1.4 (March 29, 2017)

The update finally addresses one of the larger issues with IPsec in 17.1 where traffic was not properly tracked by the packet filter and therefore causing spurious connection drops in TCP sessions. Another cool addition is the merge of the HardenedBSD SafeStack work to further harden our operating system application binaries.

Last but not least, the switch to the new virtual terminal driver is now fully functional and we intend to release new images based on 17.1.4 on Monday next week. Note this does not affect running installations.

Upgrading from a physical console may abort the firmware update due to an incompatible switch in the TTY settings. Simply log in again and restart the update to continue. Note this does not affect upgrades via GUI or SSH. Should problems arise, force a reinstall of the core package from the shell with the following command:

# opnsense-revert opnsense

Here are the full patch notes:

  • system: early installer switched for simpler config importer

  • system: no longer set shell privileges on password reset

  • system: avoid misinterpreting obsoleted options use_mfs_tmp_size and use_mfs_var_size

  • system: do not prompt for password on user edit

  • system: modernise console/tty settings

  • interfaces: always wait for dhclient exit

  • firewall: handle scheduled restarts via new plugin_cron() facility

  • traffic shaper: exclude IP address when using 3G/4G modems

  • dnsmasq: configure exclusively via plugin calls

  • ipsec: remove filtertunnel workaround in light of bundled kernel fix

  • ipsec: fix missing CA selection for mutual RSA

  • ipsec: require authentication header as first file

  • ipsec: include path consolidation

  • openvpn: allow tunnel network overrides to contain host addresses

  • openvpn: take client IP for topology subnet in CSC

  • openvpn: include patch consolidation

  • unbound: configure exclusively via plugin calls

  • web proxy: harden SSL ciphers (contributed by Fabian Franz)

  • mvc: fix multiple scoping issues in base volt templates

  • lang: updates for Chinese, Czech, French, German, Portuguese

  • plugins: Let’s Encrypt 1.4 [1] [2] (contributed by Felix Kling and Frank Wall)

  • plugins: HAproxy 1.13 [3] (contributed by Frank Wall)

  • src: tzdata version 2017b [4]

  • src: HardenedBSD SafeStack for base applications [5]

  • src: fix IPsec skip parameter handling in IPv4

  • src: discard 3072 bytes in arc4_stir() (contributed by Codarren Velvindron)

  • ports: ca_root_nss 3.30

  • ports: php 7.0.17 [6]

  • ports: libarchive 3.3.1

  • ports: ntp 4.2.8p10 [7]

We are also happy to announce the availability of the renewed OPNsense 17.1 images based on this version. Apart from the numerous improvements since the initial release, the images have been switched to use the virtual console driver vt(4) as a default to address boot issues. They also feature a new config importer and fix the serial console display of the installer.

For more than two years now, OPNsense is driving innovation through modularising and hardening the code base, quick and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

Download links, an installation guide [8] and the checksums for the images can be found below.

# SHA256 (OPNsense-17.1.4-OpenSSL-cdrom-amd64.iso.bz2) = 911e4b343b0a7721a8c4f306ab0f84934a40d8829adb2fa808c4656a9a2ef7aa
# SHA256 (OPNsense-17.1.4-OpenSSL-nano-amd64.img.bz2) = ffedac68887b5c0dd619306058471e22c8f7f81c5eb14a566b788feb1d311b16
# SHA256 (OPNsense-17.1.4-OpenSSL-serial-amd64.img.bz2) = 53c270a8078f956dbc923962e82ea4bc9b95b7ed9f09f048fd7ad6c86d38c839
# SHA256 (OPNsense-17.1.4-OpenSSL-vga-amd64.img.bz2) = f9914405f6ca9f0947ccc63d1dac088ec778112ee3a431d4b44d4b400f991106
# SHA256 (OPNsense-17.1.4-OpenSSL-cdrom-i386.iso.bz2) = 23a60c0790848965df1b0596fcdea64fa14a67a8ed8ec9c93ca87b1bc3f6ce03
# SHA256 (OPNsense-17.1.4-OpenSSL-nano-i386.img.bz2) = 4ef91cc2f341dc39e356716f6b6d1e9dd646c9a3a30a7149978c79633639bb8f
# SHA256 (OPNsense-17.1.4-OpenSSL-serial-i386.img.bz2) = ead413845f83d4c112a7c7fbe79047effe78082d1530f1e5502d84d18f41dde0
# SHA256 (OPNsense-17.1.4-OpenSSL-vga-i386.img.bz2) = 8c928797fa21025cbb54df4274ba3d61eb37b3978ab5ae66f843fa8c75d829e8
# MD5 (OPNsense-17.1.4-OpenSSL-cdrom-amd64.iso.bz2) = 26a6110fad91b2b5105bbb1e9de2c299
# MD5 (OPNsense-17.1.4-OpenSSL-nano-amd64.img.bz2) = 7fd648124a6e9b6386174572aab237a8
# MD5 (OPNsense-17.1.4-OpenSSL-serial-amd64.img.bz2) = 34b3152ecde10e3869c4a3f0a0bb201d
# MD5 (OPNsense-17.1.4-OpenSSL-vga-amd64.img.bz2) = 6e1563a155a8715aa73e62be4cf0d542
# MD5 (OPNsense-17.1.4-OpenSSL-cdrom-i386.iso.bz2) = e2870d1b63cbca5aeead2b3148841e45
# MD5 (OPNsense-17.1.4-OpenSSL-nano-i386.img.bz2) = e7942c3af773f7a991d37b1a8391a60b
# MD5 (OPNsense-17.1.4-OpenSSL-serial-i386.img.bz2) = e6c3a6629a8c62d4a07d429f446f077a
# MD5 (OPNsense-17.1.4-OpenSSL-vga-i386.img.bz2) = 70cdb19b808b5b5ac522d02d8db911b9

17.1.3 (March 16, 2017)

A dozen bug fixes meet several dozen new features and enhancements, literally! This update is about making OPNsense more flexible with the tools that everybody knows: firewall management, DNS services and Let’s Encrypt.

This is also the stepping stone for providing new images based on 17.1 because the Hyper-V disk disappearance was now fixed upstream: a big thank you to Microsoft and FreeBSD for providing updates! The vt(4) console driver migration is still underway, as well as applying SafeStack for the amd64 architecture and chasing down an IPsec regression with FreeBSD 11.0. More on this next time, stay tuned.

Here is the full list of changes:

  • system: allow up to 32 characters in user and group names

  • system: mute cron job output to prevent spurious system mails

  • system: fix scrambled password option on user add

  • system: add captive portal session backup

  • system: fix CRL certificate count display

  • firmware: add mirror via Universidad Pontificia Bolivariana (Medellin, CO) [1]

  • firmware: add mirror via DMC Networks (Lincoln NE, US) [2]

  • firewall: add modulate state as an option for state tracking (contributed by Ian Matyssik)

  • firewall: add ruleset optimization option for better performance (contributed by Ian Matyssik)

  • firewall: improved the log widget (contributed by Fabian Franz)

  • firewall: port forwarding enhancements for tag, pool options and target subnet

  • firewall: allow virtual interfaces as interface group members and move to firewall section

  • firewall: allow port alias nesting

  • captive portal: improved ARP parsing

  • dyndns: support Google Domains (contributed by Alasley)

  • intrusion detection: improve ruleset selection indicators

  • openvpn: do not double-encode client auth credentials

  • openvpn: validate IPv4 CIDR more strictly to prevent startup error

  • openvpn: do not offer external CA for selection

  • rfc 2136: allow selection of record type (contributed by Elias Werberich)

  • unbound: option to not register IPv6 link-local addresses (contributed by Ian Matyssik)

  • unbound: do not explicitly register loopback when selected as listening interface

  • unbound: add serve-expired option

  • web proxy: update for non-transparent SSL bumping (contributed by Mikhail Morev)

  • web proxy: add notice to inform the user about the need to download new list

  • lang: Chinese updated to 100% completed (contributed by Tianmo)

  • lang: Portuguese (Portugal) updated to 100% completed (contributed by Carlos Meireles)

  • lang: updates for German, French and Dutch

  • mvc: add boolean type to tables (contributed by Frank Brendel)

  • mvc: handle backend execution error more gracefully

  • mvc: added test for existing API method

  • mvc: send booleans as strings, not integers in API forms

  • mvc: allow dynamic hiding of sections in forms via model

  • plugins: register group interface type for PPTP, L2TP and PPPoE

  • plugins: add lifetime expiry for Universal Plug and Play rules

  • plugins: Let’s Encrypt version 1.2 (contributed by Frank Wall) [3]

  • installer: do not configure console when /dev/ttyv0 is unavailable

  • installer: console settings now support vt(4) instead of syscons(4)

  • src: fix system hang when booting when PCI-express HotPlug is enabled [4]

  • src: fix NIS master updates are not pushed to NIS slave [5]

  • src: fix compatibility with Hyper-V/storage after KB3172614 or KB3179574 [6]

  • src: make makewhatis output reproducible [7]

  • src: fix multiple vulnerabilities of OpenSSL [8]

  • src: properly build i386 with netmap(4) device to fix IPS mode

  • src: tzdata updated to version 2017a [9]

  • ports: php 7.0.16 [10]

  • ports: phalcon 3.0.4 [11]

  • ports: ca_root_nss 3.29.3

  • ports: sqlite 3.17.0 [12]

  • ports: curl 7.53.1 [13]

  • ports: unbound 1.6.1 [14]

17.1.2 (February 22, 2017)

This update addresses a longstanding issue with the overall reliability of Realtek NICs by replacing the FreeBSD driver with its latest vendor driver equivalent. The results including inline intrusion prevention have been promising to say the least. We thank Realtek for its recent release of version 1.93 and our users for pursuing the unthinkable with us. :)

Speaking of intrusion prevention, Suricata and Hyperscan have been updated to their latest versions which will now prevent crashes with older 64 bit CPUs that do not have the SSSE3 instruction set.

Language updates have been plenty, with a new and very busy contributor for Chinese. Xie xie!

Furthermore, the shared forwarding between both packet filters introduced in OPNsense 17.1 has now been disabled by default and can be manually reenabled from the GUI on Firewall: Settings: Advanced.

Here are the full patch notes:

  • system: allow to issue reboots via cron

  • system: allow to change password for imported users

  • firmware: run autoremove on minor operations

  • firmware: plugin detection via configd

  • wizard: rework modelling and UX

  • interfaces: fix wlan probe to not yield an empty interface

  • interfaces: fix bug in subnet matching on tun interfaces on FreeBSD 11.0 (contributed by djGrrr)

  • interfaces: add VLAN Priority (PCP) setting to VLAN config (contributed by djGrrr)

  • firewall: shared forwarding is off by default, added advanced config option

  • captive portal: redirect using HTTP code 302

  • captive portal: add group enforcement

  • captive portal: fix transparent web proxy mode on FreeBSD 11.0

  • dhcp: do not link to WOL page if plugin is not installed (contributed by Frank Wall)

  • ipsec: add mobike switch, change leftsendcert to always, etc.

  • unbound: provide link local interface selection

  • lang: Chinese to 65% completed (contributed by Tianmo)

  • lang: Czech to 86% completed (contributed by Pavel Borecki)

  • lang: Portuguese (Brazil) to 100% completed (contributed by Thiago Basilio)

  • lang: Portuguese (Portugal) to 69% completed (contributed by Carlos Meireles)

  • lang: minor updates to French and German

  • src: net.pf.share_forward now off by default

  • src: HardenedBSD procfs hardening

  • src: HardenedBSD disable unprivileged process debugging

  • src: replace Realtek re(4) driver with vendor version 1.93

  • src: add AE3000 and AE6000 to supported run(4) devices

  • src: revert a crash candidate micro-optimisation in rwlock

  • plugins: introduce development plugin variants

  • plugins: os-tinc 1.2 with network mode selection

  • ports: switch to MIT Kerberos version 5 release 1.14.4

  • ports: open-vm-tools integrated authentication fix

  • ports: bind 9.11.0-P3 [1]

  • ports: unbound 1.6.0 [2]

  • ports: tinc 1.0.31 [3]

  • ports: suricata 3.2.1 [4]

  • ports: hyperscan 4.4.0 [5]

  • ports: ca_root_nss 3.29

17.1.1 (February 09, 2017)

This week we are introducing a number of reliability fixes especially with regard to our move to FreeBSD 11.0 and PHP 7.0; most prominently a NAT fix for the shared filter forwarding and repairing the CRL generation. You will also find a few interesting IPsec additions. ;)

In case the shared forwarding is still giving you trouble on 17.1.1, run the following command to use the old behaviour and report back to us:

# sysctl net.pf.share_forward=0

Here are the full patch notes:

  • system: LDAP picker CSRF error solved by introducing session-based security tokens

  • system: fixed CRL generation inside PHP OpenSSL module

  • system: fix a typo with Portuguese (Portugal) in language selector

  • system: do not interpret passed values in wizard

  • system: fix forum link in message of the day

  • firewall: direction “any” was not respected in floating rules

  • firewall: fix double encoding of NO NAT for NAT addresses (contributed by djGrrr)

  • firewall: improve validation between IPv4 and IPv6 to prevent faulty rule generation

  • firmware: opnsense-update utility now unlocks packages before performing major upgrades

  • firmware: opnsense-revert utility now retains the automatic flag

  • firmware: revoked the 16.7 update fingerprints

  • dhcp: change relay text to make it clear multiple servers are supported (contributed by GurliGebis)

  • ipsec: add EAP-RADIUS support (contributed by GurliGebis)

  • ipsec: set filtertunnel sysctl values to fix TCP teardown

  • ipsec: fix hidden interface rules tab

  • ipsec: add AES-GCM support

  • openvpn: fixed CRL generation inside PHP OpenSSL module

  • openvpn: do not escape advanced options on export

  • openvpn: fix hidden interface rules tab

  • mvc: multiple tab usage CSRF errors solved by introducing session-based security tokens

  • mvc: fix HTTP status codes on CSRF errors

  • mvc: soft-fail on missing classes in ModelRelationField (contributed by Frank Wall)

  • plugins: os-acme-client 1.1 [1] (contributed by Frank Wall)

  • plugins: os-haproxy 1.12 [2] (contributed by Frank Wall)

  • src: pf(4) shared forwarding fix during NAT

  • src: pf(4) sysctl switch to disable shared forwarding

  • src: fix a panic with stf(4) interfaces

  • src: unhide hard disks under Hyper-V

  • ports: pkg 1.9.4 [3] [4]

  • ports: pcre 8.40 [5]

  • ports: libressl 2.4.5 [6]

  • ports: libevent 2.1.8 [7]

  • ports: squid 3.5.24 [8]

17.1 (January 31, 2017)

The OPNsense team is proud to announce the final availability of version 17.1, nicknamed “Eclectic Eagle”. This major release features FreeBSD 11.0, the SSH remote installer, new languages Italian / Czech / Portuguese, state-of-the-art HardenedBSD security features, PHP 7.0, new plugins for FTP Proxy / Tinc VPN / Let’s Encrypt, native PAM authentication against e.g. 2FA (TOTP), as well a rewritten Nano-style card images that adapt to media size to name only a few.

We would like to encourage everyone to supervise this major upgrade physically. As such, it cannot be performed from the GUI. Instead, go to the root console menu, choose option 12 and type “17.1” at the prompt. The process will download a full set of updates and reboot multiple times. All operating system files and packages will be reinstalled as a consequence. This process can also be remotely triggered via SSH.

For fresh installations images are provided with OpenSSL for 32 and 64 bit Intel architectures. The new SSH installer feature will be listening on the LAN port 192.168.1.1, give out DHCP leases to clients and can connect using the user “root” (console menu) or “installer” (the installer, of course) with the default password “opnsense”. The respective checksums for the images can be found below this announcement and the direct download links from our capable mirror providers are as follows:

https://opnsense.c0urier.net/releases/17.1/ (Europe) http://mirrors.nycbug.org/pub/opnsense/releases/17.1/ (US East Coast) http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1/ (US West Coast)

https://opnsense.org/download/ (full mirror list)

Here is the list of major features that have been worked on since 16.7 was released 6 months ago:

  • cooperative firewall forwarding to allow traffic shaper/captive portal with multi-WAN

  • install media now boots up with SSH for headless remote installation

  • HardenedBSD ASLR and PIE compilation for most binaries

  • HardenedBSD SEGVGUARD to prevent ASLR brute force attacks

  • PHP 7.0 compatibility and general GUI speed improvements

  • replaced the CSRF implementation in the non-MVC pages

  • integrated authentication using PAM to allow e.g. 2FA (TOTP) over SSH

  • system secondary console support with new EFI and Mute options

  • Portuguese/Portugal as a release language (contributed by Carlos Meireles)

  • Portuguese/Brazil as a release language (contributed by Thiago Basilio)

  • Italian as a release language (contributed by Antonio Prado)

  • Czech as a release language (contributed by Pavel Borecki)

  • improved password security (contributed by OSnet)

  • FTP proxy plugin (contributed by Frank Brendel)

  • Let’s Encrypt Plugin [1] (contributed by Frank Wall)

  • Tinc VPN Plugin

  • IPsec tunnel isolation mode for interoperability

  • micro versioning/migrations for config items

  • constraint support for config items

  • rewritten Nano images with growfs(8) support

  • authentication methods are now fully pluggable

  • firewall rules are now fully pluggable

  • FreeBSD 11.0 including additional reliability fixes

Minor changes made since 16.7.14/17.1.r1:

  • system: always restore native /var layout on boot

  • system: make vt/sc configurable

  • web proxy: improve validation for SSL bump URL input (contributed by Fabian Franz)

  • web proxy: add plugin-capable pre/post authentication directories (contributed by Evgeny Bevz)

  • mvc: use empty string instead of “##Unlinked” in missing elements (contributed by Frank Wall)

  • www: replace CSRF implementation of static PHP pages

  • src: convert result of hash_packet6() into host byte order

  • src: correctly initialise subrulenr in pflog

  • ports: openssl 1.0.2k [2]

  • ports: php 7.0.15 [3]

Additionally, these migration caveats should be heeded before upgrading:

  • The integrated authentication framework is now used as a system-wide default including login(1), su(1) and sudo(8). This means that e.g. when 2FA is enabled for the GUI it will be used for low-level password prompts as well and plain passwords are disabled by default. If this behaviour is undesired, set the “Disable integrated authentication” option under System: Settings: Administration.

  • Disabled Gateway entries are now always honoured instead of being set up as a default gateway.

  • The console settings received a non-backwards compatible change. If the VGA console is not working, simply reconfigure it from System: Settings: Administration as it was likely set to “Serial” due to a wrong GUI default.

  • FreeBSD 11.0 switched to the vt(4) console driver, but we are keeping sc(4) as the default. You can change this after installation by enabling the virtual terminal driver under System: Settings: Administration.

  • EFI boots may not yield a console anymore, the setting for VGA is wrong now and should be switched to “EFI” under System: Settings: Administration.

  • The access privileges for “Lobby: Login / Logout / Dashboard” and “Diagnostics: Backup / Restore” have been remapped internally and need to be reapplied when they have been assigned explicitly.

  • The inherited 6rd kernel patches are not included in standard FreeBSD 11.0. The state of 6rd is possibly broken. We ask for volunteers to pick up the work if 6rd is still a requirement, as we do not have access to such setups.

  • Fundamental WiFi stack changes in FreeBSD 11.0 could still affect overall operability. Please let us know about these right away.

  • The following services moved to individual plugins and need to be reinstalled in order to be used: SNMP, Load Balancer, Wake on LAN, Universal Plug and Play, IGMP Proxy. Their respective configurations will be preserved by the system even if these plugins are not installed.

  • The Intel e1000 driver plugin has been removed due to an incompatibility with FreeBSD 11.0. All previously known bugs of the FreeBSD 11.0 e1000 driver have been fixed in OPNsense 17.1 and reported to FreeBSD.

We would love to hear your feedback! As we want OPNsense the best it can be for you, please do not hesitate to contact us through any of the known channels:

# SHA256 (OPNsense-17.1-OpenSSL-cdrom-amd64.iso.bz2) = 6cbd83204366c366b603a36f5586424dd779d84c2b34f2e2ba3d66137d28fe97
# SHA256 (OPNsense-17.1-OpenSSL-nano-amd64.img.bz2) = fc91680ad6933f4151afbd869b136d2d84348112dfd8f4837a1e8e0880aec1ec
# SHA256 (OPNsense-17.1-OpenSSL-serial-amd64.img.bz2) = 4ba88dc98733e38ffc7681f862ad7197b866a4b7fffb858d64403d32b42fee3f
# SHA256 (OPNsense-17.1-OpenSSL-vga-amd64.img.bz2) = de46b29fe8aa79bd9bab6d68c24b80759efd6ef59c235b296eb59adbe408d055
# SHA256 (OPNsense-17.1-OpenSSL-cdrom-i386.iso.bz2) = 29ee7759e7834d9fc162623af0172899a3cd79e25c5205ee935c5131a51e8777
# SHA256 (OPNsense-17.1-OpenSSL-nano-i386.img.bz2) = a89c3b15e3689693f8ed0610d4bc8a03ef779c7576b0a6bf5ae16b8080ac8c4c
# SHA256 (OPNsense-17.1-OpenSSL-serial-i386.img.bz2) = 3314d0cdafa17900beda91a9a03a2325f164948f1e17421387532f4efdb9e9c4
# SHA256 (OPNsense-17.1-OpenSSL-vga-i386.img.bz2) = 6a63746d021095fc72ca20303b46c4994dea85cafd9bdfca948fa17afb28f80e
# MD5 (OPNsense-17.1-OpenSSL-cdrom-amd64.iso.bz2) = b39a8440377b6a2aae5832e3caea23d7
# MD5 (OPNsense-17.1-OpenSSL-nano-amd64.img.bz2) = 583c7d4a4c4263d51e0fa153f8c021e4
# MD5 (OPNsense-17.1-OpenSSL-serial-amd64.img.bz2) = d4da49aa8f4d24ab0dc8ed7f025b7b46
# MD5 (OPNsense-17.1-OpenSSL-vga-amd64.img.bz2) = 5ea6b7771a35fbdd97abc99ca4da1b4c
# MD5 (OPNsense-17.1-OpenSSL-cdrom-i386.iso.bz2) = c8b63d4018ab072f9a2370e1040381d8
# MD5 (OPNsense-17.1-OpenSSL-nano-i386.img.bz2) = 3989eb61efcc7057166e64662d26714a
# MD5 (OPNsense-17.1-OpenSSL-serial-i386.img.bz2) = 4ca5a146a050e46deffdac001e7b3f0d
# MD5 (OPNsense-17.1-OpenSSL-vga-i386.img.bz2) = 888f3b23a381d93600596f86c0f94cd4

17.1.r1 (January 20, 2017)

The wish list for our kernel improvements has been emptied just a week ago, which makes 17.1-RC1 look like the final 17.1 for all intents and purposes and already includes the stable upgrade path. Several features have been moved from the core to the plugins and may need to be reinstalled, namely Load Balancer, Wake on LAN, SNMP, IGMP Proxy and Universal Plug and Play. More details are listed below.

A special thank you goes to Carlos Meireles and Thiago Basilio, who brought to you Portuguese as a language choice (Portugal and Brazil, respectively). Awesome work!

Direct download links from our capable mirror providers (checksums below this announcement) are as follows:

https://opnsense.c0urier.net/releases/17.1.r1/ (Europe) http://mirrors.nycbug.org/pub/opnsense/releases/17.1.r1/ (US East Coast) http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1.r1/ (US West Coast)

https://opnsense.org/download/ (full mirror list)

If you have been running 17.1-BETA and want to switch to the stable upgrade path simply upgrade to 17.1-RC1 and run the following from the shell:

# # opnsense-update -t opnsense

Here is the full list of changes since 17.1-BETA:

  • core: default to integrated authentication (PAM) for su, login et al

  • core: lock down UNIX accounts for active integrated authentication

  • core: console option 11 now reloads all instead of only the web GUI

  • core: removed unused translations from console features

  • core: load AESNI by default

  • core: remove restrictions to not run DNS resolver and forwarder in parallel

  • core: use the sc console driver instead of vt

  • core: consolidate anti-lockout behaviour

  • core: optionally limit ciphers for web GUI

  • core: move individual XMLRPC sync options to their respective services

  • core: use rc.shutdown hook for graceful ACPI shutdown

  • core: fix locale setting in MVC (contributed by Alexander Shursha)

  • core: add translations to the wizard (contributed by Alexander Shursha)

  • core: fix several crash reports

  • core: use the ddb.conf that FreeBSD already provides

  • core: configure ddb even if no dump device was found

  • core: move bogon rules to fix DHCPv6 WAN scenarios

  • web proxy: allow to disable caching by zeroing cache_mem

  • plugins: the os-intel-em driver has been removed

  • plugins: configuration additions for os-tinc

  • plugins: exported several base features to plugins (os-snmp, os-igmp-proxy, os-wol, os-upnp, os-relayd)

  • lang: added Portuguese/Portugal (contributed by Carlos Meireles)

  • lang: added Portuguese/Brazil (contributed by Thiago Basilio)

  • src: wireless firmware now only available via kernel modules

  • src: the EM_MULTIQUEUE kernel option has been removed

  • src: HardenedBSD SEGVGUARD improvements

  • src: HardenedBSD force -fPIC when building PIEs

  • src: do not initialize the adapter on MTU change when ix status is down

  • src fix panic during lagg destruction with simultaneous status check

  • src: restore link state probing for e1000 82574 chipsets

  • src: IP cooperative forwarding rework, fixes IPv4 in pf

  • src: avoid deadlocks during lagg configuration

  • src: multiple fixes for netmap to repair emulation panics

Known issues in this version:

  • The inherited 6rd kernel patches are not included in standard FreeBSD 11.0. The impact on 6rd setups is currently unknown.

  • Fundamental WiFi stack changes in FreeBDS 11.0 could still affect operability.

  • Insight and Health statistics import from the early installer may not work.

  • Due to a Python 2.7.13 incompatibility the NetFlow connector may not work. A workaround is to revert to the Python 2.7.12 release. See the forum for details [1] .

  • The LibreSSL version will not be available until the final release.

  • The console settings received a non-backwards compatible change. If the VGA console is not working, simply reconfigure it from System: Settings: Administration as it was likely set to Serial due to a wrong GUI default.

Any help in making 17.1 the best it could possibly be for its final release January 31 is highly appreciated. Please do not hesitate to contact us through any of the known channels:

# SHA256 (OPNsense-17.1.r1-OpenSSL-cdrom-amd64.iso.bz2) = 96bc814644c89128baa8afc7a4f057bd02b364ada4c33ac1d98129a0a2f2dd50
# SHA256 (OPNsense-17.1.r1-OpenSSL-nano-amd64.img.bz2) = c777f3adea1621253a846bbd78c82993801e40085d1c9cab03a71d01e5c6d0a8
# SHA256 (OPNsense-17.1.r1-OpenSSL-serial-amd64.img.bz2) = 0e87555296c58a51e905e4fac97ea6fac397d748b1369bab9f4c108d6adf9993
# SHA256 (OPNsense-17.1.r1-OpenSSL-vga-amd64.img.bz2) = 08af040390230bffc2ac6e4eceb884c390e0058a0b8027f003eeaf601b38b909
# SHA256 (OPNsense-17.1.r1-OpenSSL-cdrom-i386.iso.bz2) = 3ef78129e57414cd765cfbe903b747e6efa1222f799cc1d2e8331a68279a7c87
# SHA256 (OPNsense-17.1.r1-OpenSSL-nano-i386.img.bz2) = 6a8040bf3b8a9c2bc9bb49b214c6a7612dca5235fa0314b474524e2ccdf38caf
# SHA256 (OPNsense-17.1.r1-OpenSSL-serial-i386.img.bz2) = 442b774948ae14428a8c76489139644e49c935db61e32055508974fe76686fc0
# SHA256 (OPNsense-17.1.r1-OpenSSL-vga-i386.img.bz2) = 27149d372ded7d069aec3e5aeab7708e53bf3ca8166193480863ace768a333d5
# MD5 (OPNsense-17.1.r1-OpenSSL-cdrom-amd64.iso.bz2) = 680161da68fee3c03904970e7aa89c94
# MD5 (OPNsense-17.1.r1-OpenSSL-nano-amd64.img.bz2) = 989bc7056ebaf08ff3ba06a5b56b2488
# MD5 (OPNsense-17.1.r1-OpenSSL-serial-amd64.img.bz2) = 00d92a840c6180fb87d59b2f6728f10f
# MD5 (OPNsense-17.1.r1-OpenSSL-vga-amd64.img.bz2) = 1574e871a3d64147e1a904074a4ff4b2
# MD5 (OPNsense-17.1.r1-OpenSSL-cdrom-i386.iso.bz2) = 0e409d30009af857b23e67e97451cc81
# MD5 (OPNsense-17.1.r1-OpenSSL-nano-i386.img.bz2) = 051a1072559982fce88fb39ef78aca77
# MD5 (OPNsense-17.1.r1-OpenSSL-serial-i386.img.bz2) = c32106dc7070ae462200e15fa707e19c
# MD5 (OPNsense-17.1.r1-OpenSSL-vga-i386.img.bz2) = 5ec394d7c2b331390d92baec41e3aece

17.1.b (December 16, 2016)

With the best wishes for the holiday season attached we hereby humbly present our 17.1-BETA images and thank everyone for their early input, valid questions and generally keeping us on our toes throughout the past months. The next major release features FreeBSD 11.0, the SSH remote installer, new languages Italian and Czech, state-of-the-art HardenedBSD security features, PHP 7.0, native PAM authentication against e.g. 2FA (TOTP), as well a rewritten Nano-style card images that adapt to the media size to name only a few.

These will be the only beta images. They are not suitable for production environments. Release candidate builds will start in January in order to provide production-ready images. Checksums can be found below this announcement. Direct download links from our capable mirror providers are as follows:

https://opnsense.c0urier.net/releases/17.1.b/ (Europe) http://mirrors.nycbug.org/pub/opnsense/releases/17.1.b/ (US East Coast) http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1.b/ (US West Coast)

https://opnsense.org/download/ (full mirror list)

Here is a list of hand-picked major features that were worked on since 16.7:

  • system secondary console support with new EFI and Mute options

  • installer now boots up with SSH for headless remote installation

  • Italian as a release language (contributed by Antonio Prado)

  • Czech as a release language (contributed by Pavel Borecki)

  • HardenedBSD ASLR and PIE compilation for most binaries

  • HardenedBSD SEGVGUARD to prevent ASLR brute force attacks

  • PHP 7.0 compatibility and general GUI speed improvements

  • improved password security (contributed by OSnet)

  • FTP proxy plugin (contributed by Frank Brendel)

  • PAM authentication module, e.g. 2FA on SSH

  • IPsec tunnel isolation mode for interoperability

  • Intel em(4) driver version 7.6.2 as a plugin

  • micro versioning/migrations for config items

  • constraint support for config items

  • rewritten Nano images with growfs(8) support

  • authentication methods are now fully pluggable

  • firewall rules are now fully pluggable

  • Tinc VPN Plugin

  • FreeBSD 11.0

Known issues in this version:

  • The inherited 6rd kernel patches are not included in standard FreeBSD 11.0. The impact on 6rd setups is currently unknown.

  • The installer character set is not entirely correct due to the default console switch to vt(4).

  • Fundamental WiFi stack changes in FreeBDS 11.0 may still affect overall operability.

  • Insight and Health statistics import from the early installer do not work.

  • The LibreSSL version will not be available until the final release.

Any help in making 17.1 the best it could possibly be for its final release at the end of January 2017 is highly appreciated. Please do not hesitate to contact us through any of the known channels:

# SHA256 (OPNsense-17.1.b-OpenSSL-cdrom-amd64.iso.bz2) = 6ed4e335757f5f58e34f3f59984a06183612ed0cffd5a9238f85b1a156a56039
# SHA256 (OPNsense-17.1.b-OpenSSL-nano-amd64.img.bz2) = 70b89467d6dc9cadaa7c855764a8bb91f0fe118bba60074ab1d8f41362a7042a
# SHA256 (OPNsense-17.1.b-OpenSSL-serial-amd64.img.bz2) = affae7605fde77827e975597de5280db746f85c1ed38794ce647a6ad7c2f945d
# SHA256 (OPNsense-17.1.b-OpenSSL-vga-amd64.img.bz2) = 6f99cc3d0ef8d328eb43985b8d01cffe2e7f65e886015c65c84c062e33f15fbb
# SHA256 (OPNsense-17.1.b-OpenSSL-cdrom-i386.iso.bz2) = b799f8260ae1a55848c126d7be52c51e92ae3d11c0eaf347a506e7e59c92fd9c
# SHA256 (OPNsense-17.1.b-OpenSSL-nano-i386.img.bz2) = 86186e5b5af8be2818385497f8bdf5c3128c7864e502502676424193bcce9461
# SHA256 (OPNsense-17.1.b-OpenSSL-serial-i386.img.bz2) = 7b20afc07fc2ca45b6cee66c855d2576170a04684dae0cb65243a8abaa9be684
# SHA256 (OPNsense-17.1.b-OpenSSL-vga-i386.img.bz2) = 1fc58fade2e15a30afec82b3fff553344557e6903b69c2f48e20976373543d1e
# MD5 (OPNsense-17.1.b-OpenSSL-cdrom-amd64.iso.bz2) = 221b6b63642051518cd190b63775d5a5
# MD5 (OPNsense-17.1.b-OpenSSL-nano-amd64.img.bz2) = 67ff68890113bb2b4223a2336cfc5d01
# MD5 (OPNsense-17.1.b-OpenSSL-serial-amd64.img.bz2) = e757bef2fcb5e444cad8b7d8991314fe
# MD5 (OPNsense-17.1.b-OpenSSL-vga-amd64.img.bz2) = c2c56a542856fd0b84f299d7dd783b17
# MD5 (OPNsense-17.1.b-OpenSSL-cdrom-i386.iso.bz2) = c210c342a6d618e7c1ebcdefdf1e3f9d
# MD5 (OPNsense-17.1.b-OpenSSL-nano-i386.img.bz2) = 1c036f6707f9922c40748be44592462a
# MD5 (OPNsense-17.1.b-OpenSSL-serial-i386.img.bz2) = ff07d0d4f9e62a99896de8228ceba41b
# MD5 (OPNsense-17.1.b-OpenSSL-vga-i386.img.bz2) = 3f67a06ca99137d135d1fc9713912aff