19.7 “Jazzy Jaguar” Series

For four and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

19.7, nicknamed “Jazzy Jaguar”, embodies an iteration of what should be considered enjoyable user experience for firewalls in general: improved statistics and visibility of rules, reliable and consistent live logging and alias utility improvements. Apart from the usual upgrades of third party software to up-to-date releases, OPNsense now also offers built-in remote system logging through Syslog-ng, route-based IPsec, updated translations with Spanish as a brand new and already fully translated language and newer Netmap code with VirtIO, VLAN child and vmxnet support.

Last but not least we would like to thank m.a.x. it for their sponsorship of the default gateway priority switching feature and their continued work of writing and maintaining plenty of community plugins. This time around, Maltrail, Netdata and WireGuard VPN have been freshly added to the mix.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

19.7.10 (January 27, 2020)

As Thursday nears the last preparations for 20.1 are underway. As a quick relief here is the End-Of-Life release of the 19.7 series with a tiny number of updates.

Remember that when 20.1 is available it will take up to a day before we release the hotfix with the major upgrade path enabled. Please be patient as we simply want to ensure that upgrades will not be bumpy affair. :)

Here are the full patch notes:

  • firewall: fix a typo in CARP validation

  • firmware: revoke 19.1 fingerprint

  • ipsec: add configurable dpdaction (contributed by Marcel Menzel)

  • mvc: BaseListField ignoring empty selected field

  • plugins: os-haproxy 2.20 [1]

  • plugins: os-mail-backup 1.1 [2]

  • plugins: os-nrpe 1.0 (contributed by Michael Muenz)

  • plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)

  • plugins: os-vnstat 1.2 [3]

  • plugins: zabbix4-proxy 1.2 [4]

  • ports: ca_root_nss 3.49.1

  • ports: curl 7.68.0 [5]

  • ports: isc-dhcp 4.4.2 [6]

  • ports: urllib3 1.27.7 [7]

A hotfix release was issued as 19.7.10_1:

  • firmware: enable upgrade path to 20.1

19.7.9 (January 09, 2020)

As 20.1 nears we will be making adjustments to the scope of the release with an announcement following shortly.

For now, this update brings you a GeoIP database configuration page for aliases which is now required due to upstream database policy changes and a number of prominent third-party software updates we are happy to see included.

Here are the full patch notes:

  • system: use 825 days as the default maximum certificate lifetime

  • system: hide leaking hostname on SSH password auth (contributed by sooslaca)

  • system: remove unused “lifetime” parameter from user manager page

  • firewall: new GeoIP settings page to allow continued use of upstream database [1]

  • firewall: log when alias could not resolve a hostname

  • firewall: translate pfInfo page tabs (contributed by Smart-Soft)

  • firmware: add mirror MARWAN (Moroccan Academic & Research Wide Area Network)

  • dhcp: replace killbyname() usage which should not have killed both services

  • dhcp: auto-replace windows DUID dashes (contributed by Team Rebellion)

  • mvc: PSR12 code style updates

  • plugins: os-acme-client 1.29 [2]

  • plugins: os-bind 1.12 [3]

  • plugins: os-dyndns must use dyndns_failover_interface() to translate gateway group

  • plugins: os-frr 1.14 [4]

  • plugins: os-maltrail 1.3 [5]

  • plugins: os-nginx 1.17 [6]

  • plugins: os-nut fixes validation and snmp-ups selection (contributed by Michael Muenz)

  • plugins: os-theme-cicada 1.24 (contributed by Team Rebellion)

  • plugins: os-zabbix4-proxy 1.1 [7]

  • ports: openssh 8.1p1 [8]

  • ports: openssl 1.0.2u [9]

  • ports: php 7.2.26 [10]

  • ports: phpseclib 2.0.23 [11]

  • ports: python 3.7.6 [12]

  • ports: strongswan 5.8.2 [13]

  • ports: sudo 1.8.30 [14]

  • ports: unbound 1.9.6 [15]

A hotfix release was issued as 19.7.9_1:

  • firewall: automatic business addition GeoIP feed

19.7.8 (December 18, 2019)

A number of updates including security and reliability fixes inside. Of note is the new elliptic curve certificate creation support and better firmware health check and recovery methods.

We are almost at the point of a 20.1-BETA release with an isolated images for early bird testing as a special present at this time of year. Stay tuned. :)

Here are the full patch notes:

  • system: “Mark Gateway as Down” also means exclude from default gateway selection

  • system: fix PHP warning on gateways list due to wrong variable scope

  • system: support elliptic curve TLS certificate creation (contributed by johnaheadley)

  • system: remove unused current directory PHP include

  • system: fix XSS in backup page and static menu pages

  • firewall: use referential integrity check for model data

  • reporting: improve NetFlow error handling (contributed by Frank Brendel)

  • dhcp: always add dhcp6.domain-search and dhcp6.name-servers (contributed by maurice-w)

  • dhcp: fix range check for advanced router advertisement options (contributed by maurice-w)

  • dhcp: improve help texts for router advertisement modes (contributed by maurice-w)

  • dhcp: replace defunct IPv6 domain name option with domain search list option (contributed by maurice-w)

  • dhcp: fix storing advanced IPv6 options

  • firmware: add “copy to clipboard” button in update text box

  • firmware: use opnsense-revert in GUI reinstall package case

  • firmware: when storing installed plugin names remove their development counterparts

  • firmware: improved health check scope to include direct core package dependencies

  • openvpn: fix Firefox “nowrap” issue in client export page

  • backend: improve error handling while configd is either not active or not functional

  • mvc: route to default page when controller or action not found

  • mvc: field type refactor and unit tests

  • mvc: added opt-in referential integrity check for models

  • mvc: countless PSR12 style updates

  • mvc: add “NetMaskAllowed” option to validate on single addresses in NetworkField

  • plugins: os-bind 1.11 [1]

  • plugins: os-dyndns 1.18 adds Linode support (contributed by Andrew Gunnerson)

  • plugins: os-freeradius 1.9.5 [2]

  • plugins: os-frr 1.13 [3]

  • plugins: os-ftp-proxy style updates only

  • plugins: os-postfix 1.13 [4]

  • plugins: os-rspamd 1.9 [5]

  • plugins: os-theme-cicada 1.23 (contributed by Team Rebellion)

  • plugins: os-theme-tukan 1.22 (contributed by Team Rebellion)

  • ports: ca_root_nss 3.48

  • ports: krb5 1.17.1 [6]

  • ports: php 7.2.25 [7]

  • ports: suricata 4.1.6 [8]

  • ports: unbound 1.9.5 [9]

19.7.7 (November 21, 2019)

Lots of small improvements. Of note are Eve JSON payload syslog export now works for 4 kb payload blobs. The outdated Google API PHP client was replaced. LibreSSL is now at version 3.0.2. Plus another Intel SA advisory via FreeBSD.

Here are the full patch notes:

  • system: generate self-signed server certificate for web GUI by default

  • system: let net.local.dgram.maxdgram default to 8192 bytes

  • system: spawn Dpinger process in background to avoid hangs

  • system: switch backup to Google API PHP client v2

  • system: add interface groups to HA sync

  • interfaces: remove the “Directly send SOLICIT” option

  • firewall: fix issue with label parsing when “tag” keyword was involved

  • firewall: skip empty lines in rule statistics parsing

  • firmware: add /etc/remote to whitelist, NTP GPS uses it

  • reporting: empty NetFlow egress default passes validation

  • reporting: show dialog when RRD is disabled

  • dhcp: fix for domain-search option in DHCPv6 (contributed by maurice-w)

  • dnsmasq: fix storing settings when no settings exist yet

  • intrusion detection: lower payload-buffer-size to prevent syslog size limit

  • intrusion detection: fix issue with escaped file name during rules download

  • unbound: exit wrapper when process not running

  • web proxy: added check on SNI field checkbox (contributed by Northguy)

  • mvc: fix forceReload()

  • plugins: os-acme-client 1.28 [1]

  • plugins: os-bind 1.10 [2]

  • plugins: os-nginx 1.16 [3]

  • plugins: os-nut 1.6 [4]

  • plugins: os-postfix 1.12 [5]

  • src: fix machine check exception on page size change [6]

  • src: bump libc syslog line size to 8k

  • src: import tzdata 2019c [7]

  • ports: curl 7.67.0 [8]

  • ports: libressl 3.0.2 [9]

  • ports: openvpn 2.4.8 [10]

  • ports: perl 5.30.1 [11]

  • ports: phalcon 3.4.5 [12]

  • ports: sqlite 3.30.1 [13]

  • ports: squid 4.9 [14]

  • ports: syslog-ng 3.24.1 [15]

19.7.6 (November 01, 2019)

As we are experiencing the Suricata community first hand in Amsterdam we though to release this version a bit earlier than planned. Included is the latest Suricata 5.0.0 release in the development version. That means later this November we will releasing version 5 to the production version as we finish up tweaking the integration and maybe pick up 5.0.1 as it becomes available.

LDAP TLS connectivity is now integrated into the system trust store, which ensures that all required root and intermediate certificates will be seen by the connection setup when they have been added to the authorities section. The same is true for trusting self-signed certificates. On top of this, IPsec now supports public key authentication as contributed by Pascal Mathis.

Here are the full patch notes:

  • system: hook LDAP TLS support into system-wide trust file

  • system: fix dpinger custom parameters not being honoured

  • system: fix PHP core loop fail in tunables overview

  • system: only allow P12 export if password confirmation matches

  • interfaces: change PCAP download to binary file stream

  • firewall: store reference to outbound NAT address instead of literal address

  • firewall: add log message for scheduled firewall reload

  • firmware: tie pkg dependency to core

  • ipsec: allow EC keys for certificate-based secrets (contributed by Martin Strigl)

  • ipsec: add support for public key authentication (contributed by Pascal Mathis)

  • openvpn: server wizard existing CA use and server cert check (contributed by johnaheadley)

  • backend: add run mode to pluginctl using JSON-based output

  • ui: fix tokenizer reorder on multiple saves, second try

  • plugins: os-acme-client 1.27 [1]

  • plugins: os-bind 1.9 [2]

  • plugins: os-nginx 1.15 [3]

  • plugins: os-relayd 2.4 fixes protocol option migration (contributed by Frank Brendel)

  • plugins: os-theme-cicada 1.22 (contributed by Team Rebellion)

  • ports: ca_root_nss 3.47

  • ports: php 7.2.24 [4]

  • ports: python 3.7.5 [5]

  • ports: sudo 1.8.29 [6]

19.7.5 (October 11, 2019)

Lots of plugin and ports updates this time with a few minor improvements in all core areas.

Behind the scenes we are starting to migrate the base system to version 12.1 which is supposed to hit the next 20.1 release. Stay tuned for more infos in the next month or so.

Here are the full patch notes:

  • system: show all swap partitions in system information widget

  • system: flatten services_get() in preparation for removal

  • system: pin Syslog-ng version to specific package name

  • system: fix LDAP/StartTLS with user import page

  • system: fix a PHP warning on authentication server page

  • system: replace most subprocess.call use

  • interfaces: fix devd handling of carp devices (contributed by stumbaumr)

  • firewall: improve firewall rules inline toggles

  • firewall: only allow TCP flags on TCP protocol

  • firewall: simplify help text for direction setting

  • firewall: make protocol log summary case insensitive

  • reporting: ignore malformed flow records

  • captive portal: fix type mismatch for timeout read

  • dhcp: add note for static lease limitation with lease registration (contributed by Northguy)

  • ipsec: add margintime and rekeyfuzz options

  • ipsec: clear $dpdline correctly if not set

  • ui: fix tokenizer reorder on multiple saves

  • plugins: os-acme-client 1.26 [1]

  • plugins: os-bind will reload bind on record change (contributed by blablup)

  • plugins: os-etpro-telemetry minor subprocess.call replacement

  • plugins: os-freeradius 1.9.4 [2]

  • plugins: os-frr 1.12 [3]

  • plugins: os-haproxy 2.19 [4]

  • plugins: os-mailtrail 1.2 [5]

  • plugins: os-postfix 1.11 [6]

  • plugins: os-rspamd 1.8 [7]

  • plugins: os-sunnyvalley LibreSSL support (contributed by Sunny Valley Networks)

  • plugins: os-telegraf 1.7.6 [8]

  • plugins: os-theme-cicada 1.21 (contributed by Team Rebellion)

  • plugins: os-theme-tukan 1.21 (contributed by Team Rebellion)

  • plugins: os-tinc minor subprocess.call replacement

  • plugins: os-tor 1.8 adds dormant mode disable option (contributed by Fabian Franz)

  • plugins: os-virtualbox 1.0 (contributed by andrewhotlab)

  • ports: expat 2.2.8 [10]

  • ports: ca_root_nss 3.46.1

  • ports: curl 7.66.0 [9]

  • ports: openssl 1.0.2t [11]

  • ports: php 7.2.23 [12]

  • ports: pkg 1.12.0 [13] [14] [15]

  • ports: strongswan 5.8.1 [16]

  • ports: suricata 4.1.5 [17]

  • ports: syslog-ng 3.23.1 [18]

  • ports: unbound 1.9.4 [19]

A hotfix release was issued as 19.7.5_5:

  • ui: revert fix for tokenizer reorder on multiple saves for now

  • system: replace services_get() with plugins_services()

  • system: verbose print on “pluginctl -s” actions

19.7.4 (September 11, 2019)

A wee bit of updates for you… nothing overly exciting. On the other hand, we have updated the roadmap page to include 20.1 if you want to take a closer look [1] . More exciting for sure. :)

Here are the full patch notes:

  • system: fix legacy remote logging with custom port

  • system: regenerate CA bundle when modifying trusted authorities

  • system: fix translation order of tunables description

  • system: fix CARP maintenance mode bootup

  • firewall: missing daily refresh on GeoIP type

  • firewall: fix fetch of GeoIP alias if its name is same as its country

  • reporting: auto-load required kernel modules for NetFlow

  • reporting: allow setting NetFlow active/inactive timeout (contributed by Frank Brendel)

  • captive portal: optimise ipfw rule parsing

  • firmware: Homelab.no has been superseded by TerraHost mirror (contributed by Thomas Jensen)

  • unbound: support file-based custom includes

  • unbound: set absolute path to root.hints (contributed by h-town)

  • plugins: os-bind 1.8 [2] (contributed by ErikJStaab)

  • plugins: os-dnscrypt-proxy 1.6 [3] (contributed by ErikJStaab)

  • plugins: os-etpro-telemetry 1.4 [4]

  • plugins: os-theme-cicada 1.20 (contributed by Team Rebellion)

  • plugins: os-theme-tukan 1.20 (contributed by Team Rebellion)

  • ports: ca_root_nss 3.46

  • ports: ldns 1.7.1 [5]

  • ports: pcre2 10.33 [6]

  • ports: php 7.2.22 [7]

  • ports: phpseclib 2.0.21 [8]

  • ports: unbound 1.9.3 [9]

A hotfix release was issued as 19.7.4_1:

  • captive portal: fix merge conflict in optimisation

19.7.3 (August 28, 2019)

Please enjoy this release with improved CARP utility and a number of smaller fixes and updates for the operating system and third party tools. You can now also toggle logging directly from the rule overview to make debugging easier.

Here is the full list of changes:

  • system: try all backups for automatic revert when config.xml is damaged

  • system: do a system reset if all config.xml files are damaged

  • system: only show tunables reboot hint when applying tunables (contributed by Northguy)

  • system: use FQDN in system log remote messages

  • system: add defunct gateways to GUI in disabled state

  • interfaces: only allow VLAN parents that will work as VLAN parents

  • interfaces: optionally promote/demote CARP on service status

  • interfaces: CARP status page report with demotion level to avoid ambiguity

  • firewall: revert problematic 19.7.2 change “unhide automatic interface-based output rules”

  • firewall: restore automatic outbound NAT pre-19.7 behaviour which excludes gateways not configured and not dynamic

  • firewall: add logging toggle to rules overview (contributed by johnaheadley)

  • firewall: DHCPv6 relay would generate rules even if not enabled

  • firmware: only do single-repository fingerprint verify defaulting to our OPNsense repository

  • firmware: fix base and kernel package listing

  • intrusion detection: show change message after toggle or save

  • intrusion detection: rule download fix

  • monit: add parent devices to interface list (contributed by Frank Brendel)

  • monit: fix standard configuration migration (contributed by Frank Brendel)

  • reporting: skip illegal NetFlow records in flow parser

  • opendns: migrate update hook from DynDNS plugin to core to make it fully automatic

  • backend: fix exception message string handling in Python 3

  • backend: add help to pluginctl utility

  • backend: configctl event handler support

  • mvc: log API key when authentication failed

  • ui: more consistent HTML (contributed by gisforgirard)

  • ui: sidebar bug fix (contributed by Team Rebellion)

  • ui: fix initFormAdvancedUI() on initial load

  • plugins: os-acme-client 1.25 [1]

  • plugins: os-bind 1.7 [2]

  • plugins: os-dyndns 1.17 removes OpenDNS and fixes DyNS

  • plugins: os-haproxy 2.18 [3]

  • plugins: os-maltrail 1.1 [4]

  • plugins: os-nginx log rotation fix (contributed by Fabian Franz)

  • plugins: os-postfix 1.10 [5]

  • plugins: os-smart 2.1 fixes widget status and adds NVMe disk support (contributed by nhirokinet and ATL)

  • plugins: os-theme-cicada 1.19 (contributed by Team Rebellion)

  • plugins: os-theme-tukan 1.19 (contributed by Team Rebellion)

  • plugins: os-wireguard 1.1 [6]

  • src: fix incorrect exception handling in libunwind [7]

  • src: fix multiple vulnerabilities in bzip2 [8]

  • src: fix ICMPv6 / MLDv2 out-of-bounds memory access [9]

  • src: fix insufficient message length validation in bsnmp library [10]

  • src: fix insufficient validation of guest-supplied data (e1000 device) [11]

  • src: fix IPv6 remote denial of service [12]

  • src: fix kernel memory disclosure from /dev/midistat [13]

  • src: fix reference count overflow in mqueuefs 32-bit compat [14]

  • ports: hostapd 2.9 [15]

  • ports: nghttp2 1.39.2 [16]

  • ports: openldap 2.4.48 [17]

  • ports: perl 5.30.0 [18]

  • ports: php 7.2.21 [19]

  • ports: py-openssl 19.0.0 [20]

  • ports: syslog-ng 3.22.1 [21]

  • ports: wpa_supplicant 2.9 [22]

19.7.2 (August 05, 2019)

This update ships the latest FreeBSD security advisories along with several smaller improvements and fixes. Sunny Valley Networks is the first vendor to introduce additional software to the plugin framework in the form of the Sensei plugin.

Here are the full patch notes:

  • system: missing “<PRI>” in legacy output via Syslog-ng

  • system: fix writing gateway information for DNS servers

  • system: allow gateway to work in DHCPv6 WAN when no router solicitation is available

  • firewall: unhide automatic interface-based output rules

  • firewall: unhide automatic non-interface-based floating rules

  • firewall: lift length restriction in NAT rule description

  • firewall: avoid newlines in rule descriptions

  • firewall: only show usable addresses in NAT outbound rules

  • interfaces: fix extended CARP output when parsing interface information

  • interfaces: add more outputs to overview page to increase usefulness

  • interfaces: use shared DHCP lease reader for ARP list

  • captive portal: fix binary read issue in Python 3

  • dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)

  • firmware: handle file signature verify correctly with multiple fingerprint repositories

  • firmware: Aivian mirror is no longer active

  • firmware: Cloudfence mirror in Brazil added

  • plugins: os-bind 1.6 (contributed by crazy-max)

  • plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)

  • plugins: os-grid_example 1.0 [1]

  • plugins: os-helloworld Python 3 compatibility [2]

  • plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)

  • plugins: os-sunnyvalley 1.0 [3] [4]

  • src: fix panic from Intel CPU vulnerability mitigation [5]

  • src: fix multiple telnet client vulnerabilities [6]

  • src: fix pts write-after-free [7]

  • src: fix kernel memory disclosure in freebsd32_ioctl [8]

  • src: fix reference count overflow in mqueuefs [9]

  • src: fix byhve out-of-bounds read in XHCI device [10]

  • src: fix file descriptor reference count leak [11]

  • ports: libevent 2.1.11 [12]

19.7.1 (July 25, 2019)

We do not wish to keep you from enjoying your summer time, but this is a recommended security update enriched with reliability fixes for the new 19.7 series. Of special note are performance improvements as well as a fix for a longstanding NAT before IPsec limitation.

Here are the full patch notes:

  • system: do not create automatic copies of existing gateways

  • system: do not translate empty tunables descriptions

  • system: remove unwanted form action tags

  • system: do not include Syslog-ng in rc.freebsd handler

  • system: fix manual system log stop/start/restart

  • system: scoped IPv6 “%” could confuse mwexecf(), use plain mwexec() instead

  • system: allow curl-based downloads to use both trusted and local authorities

  • system: fix group privilege print and correctly redirect after edit

  • system: use cached address list in referrer check

  • system: fix Syslog-ng search stats

  • firewall: HTML-escape dynamic entries to display aliases

  • firewall: display correct IP version in automatic rules

  • firewall: fix a warning while reading empty outbound rules configuration

  • firewall: skip illegal log lines in live log

  • interfaces: performance improvements for configurations with hundreds of interfaces

  • reporting: performance improvements for Python 3 NetFlow aggregator rewrite

  • dhcp: move advanced router advertisement options to correct config section

  • ipsec: replace global array access with function to ensure side-effect free boot

  • ipsec: change DPD action on start to “dpdaction = restart”

  • ipsec: remove already default “dpdaction = none” if not set

  • ipsec: use interface IP address in local ID when doing NAT before IPsec

  • web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen

  • plugins: os-acme-client 1.24 [1]

  • plugins: os-bind 1.6 [2]

  • plugins: os-dnscrypt-proxy 1.5 [3]

  • plugins: os-frr now restricts characters BGP prefix-list and route-maps [4]

  • plugins: os-google-cloud-sdk 1.0 [5]

  • ports: curl 7.65.3 [6]

  • ports: monit 5.26.0 [7]

  • ports: openssh 8.0p1 [8]

  • ports: php 7.2.20 [9]

  • ports: python 3.7.4 [10]

  • ports: sqlite 3.29.0 [11]

  • ports: squid 4.8 [12]

19.7 (July 17, 2019)

For four and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

19.7, nicknamed “Jazzy Jaguar”, embodies an iteration of what should be considered enjoyable user experience for firewalls in general: improved statistics and visibility of rules, reliable and consistent live logging and alias utility improvements. Apart from the usual upgrades of third party software to up-to-date releases, OPNsense now also offers built-in remote system logging through Syslog-ng, route-based IPsec, updated translations with Spanish as a brand new and already fully translated language and newer Netmap code with VirtIO, VLAN child and vmxnet support.

Last but not least we would like to thank m.a.x. it for their sponsorship of the default gateway priority switching feature and their continued work of writing and maintaining plenty of community plugins. This time around, Maltrail, Netdata and WireGuard VPN have been freshly added to the mix.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

These are the most prominent changes since version 19.1:

  • List automatic firewall rules

  • Statistics for all firewall rules

  • Alias JSON import / export

  • Optional statistics for aliases

  • Firewall rule locator for live log and automatic rules

  • Rewritten gateway handling and switching

  • Remote logging via Syslog-ng

  • LDAP group sync support

  • Support certificate signing requests

  • Route-based IPsec support (VTI)

  • XMLRPC sync support for alias, VHID, widgets

  • Unbound host overrides alias support

  • Web proxy and IPsec authentication using PAM

  • Parent web proxy support

  • Web proxy login privilege via group

  • Improved reliability and utility of opnsense-patch

  • Dpinger and DHCP servers ported to plugin framework

  • Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese

  • Spanish as a new language

  • Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin

  • Netmap update for VirtIO, VLAN child and vmxnet support

  • Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4

And here are the full changes against version 19.7-RC1:

  • system: lower automatic gateway priority for tunnel interfaces

  • system: only show enabled interfaces on gateway edit

  • system: speed up console banner interface print

  • interfaces: typo in default WAN selection for packet capture

  • interfaces: support multiple interfaces for packet capture

  • interfaces: fix ambiguity in get_parent_interface()

  • firewall: restart filterlog with every filter reload

  • firmware: add update syshook

  • ipsec: phase2 IP type selector using the wrong class

  • reporting: fix Insight bug not processing top port and address statistics

  • ui: window_highlight_table_option() fix for Safari

  • wizard: improve logo contrast in welcome message

  • plugins: os-frr redistribute configuration fix (contributed by Cedric Vanet)

  • plugins: os-intrusion-detection-content-et-pro 1.0.1 now uses suricata-4.0 rulesets

  • plugins: os-haproxy 2.17 [2] [3]

  • plugins: os-mail-backup 1.0 (contributed by Joao Vilaca)

  • plugins: os-maltrail 1.0 (contributed by Michael Muenz)

  • plugins os-smart 2.0 MVC conversion (contributed by Smart-Soft)

  • plugins: os-tinc chroot setup with resolv.conf

  • plugins: os-wireguard 1.0 (contributed by Michael Muenz)

  • plugins: os-wol 2.2 fixes byte conversion

  • src: bump netmap ring size, still too small in FreeBSD

  • src: add FCC6_FCCA regulatory domain to ath_hal(4)

  • src: restore IPV6_NEXTHOP option support

  • src: fix privilege escalation in cd(4) driver [4]

  • src: fix kernel stack disclosure in UFS/FFS [5]

  • src: fix iconv buffer overflow [6]

  • src: import tzdata 2019b

  • ports: ca_root_nss 3.45

  • ports: filterlog 0.3 will not print to console and lowercase IPv6 protocol output

  • ports: postfix update is now non-interactive to prevent stalls

  • ports: rrdtool 1.7.2 [7]

Known issues and limitations:

  • Web proxy squid update from version 3 to 4 breaks the cache database. To repair go to “Services: Web Proxy: Administration” tab “Support” and click “Reset”.

  • Web proxy login privilege is no longer available. Access may be restricted by a group selector instead.

  • Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates.

  • OpenVPN no longer supports listening on gateway groups. Use localhost paired with port forwards instead.

The public key for the 19.7 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv2syLqN/IMuADI42aTXx
# HRbX3YljURN1dhhjYoqOc/7uZKVc7UJk79q49x8VZmC0edhHiNKfrhj5g3htsPgu
# N/eFsc1MZv+J2rfSF7L5NV3D5dU9nuBc75wb9SRIXm7XiiiuInMNRBlJsiFeiuJm
# oaE/zqgr75m+cc7sdNQnQQk9+APr4LdksX0bllRmxfhLjDKgiSVe+Yq9kje/JHyf
# je5i3MI9WT80o46IZc/oN4q9RG7n6gaIFBVckCwCKsnNZlDCvb1Sr0tdKs58fswj
# fxMvouMBf+Jk/0dOEZnoIFYb436H2CUfabiPX3Vm4r3MU4dr5m41WlCH/984cBKy
# QSM8h4nSAs/naj5c5YDe4qmwUBxwPIvJPVC/vuWLusyg1gYbloj3EIc1uv2YCkKw
# 0ra7Hocln3+7Jf2Yn/yn6yaCNdoJY2Blvo84giuklDqdBIKggDHSxGrLKDBshSR3
# hapkFRoR7BhnoT14E8DMgD23g9tcwce1AJJ6mZ/DraBx5l11P1ZXLqnyCpvOt5oV
# HmMZ9/Xu0naPUC8IxVSNew8j3liPbc5oKV0kQ/TRQTevOBLJ8QA7Y5YdPu0cS4qw
# Jq3fGnsRt/0+i1Vs7q51KJLNECHyhWm6zYAfST22ohTUgo2ByoM8r0aRslmiG6JS
# +ancHD4lnnHRd+4ybevUft0CAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2) = e022217d367abaf4fd1360f83e4664d28b3f37932dfe720974b9d7dc33bf50f7
# SHA256 (OPNsense-19.7-OpenSSL-nano-amd64.img.bz2) = 6fffefa0b09daea397e83f67bf730392125b720043c455597c05d3d80c2baa29
# SHA256 (OPNsense-19.7-OpenSSL-serial-amd64.img.bz2) = 98854d5a0a03850273aa2ebdd7e7b095dfec6a1e6b57341817bb5f5ffab2ca7b
# SHA256 (OPNsense-19.7-OpenSSL-vga-amd64.img.bz2) = 523e924586e431ccd421bb85ba1245ce4c8f3a6141b59623f5083d3e36bac592
# SHA256 (OPNsense-19.7-OpenSSL-dvd-i386.iso.bz2) = 64c4e58966ab373a0aa6a544b020a39c5b86ecb79cb2988ac1f74b382c7d4765
# SHA256 (OPNsense-19.7-OpenSSL-nano-i386.img.bz2) = 3fa6af965f5996a718982617b5a13199747d237a669867b1ffecc951c3ebe455
# SHA256 (OPNsense-19.7-OpenSSL-serial-i386.img.bz2) = f0c76142f83b4988defa3fddc7a4cf2d930cbb0aee623d7b064462e25e146297
# SHA256 (OPNsense-19.7-OpenSSL-vga-i386.img.bz2) = b425882604886a395730abeaa6a26b8805647609712f61c342cee29f58160006

19.7.r1 (July 09, 2019)

For four and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

Here are the full changes against version 19.1.10:

  • system: new remote syslog setup via Syslog-ng

  • system: gateway handling rewrite

  • system: default gateway switching priority control (sponsored by m.a.x. it [2] )

  • system: dpinger ported to plugin framework

  • system: bring back PHP warning log level

  • system: use authentication factory for user import

  • interfaces: VLAN, bridge, LAGG, GRE, GIF setup refactor

  • interfaces: improve load sequence to allow DHCPv6 on bridges

  • interfaces: GIF, GRE, IPsec and OpenVPN will no longer accept IP configuration

  • interfaces: speed up get_real_interface() by assuming interfaces exist

  • interfaces: sort interface groups and require rules apply if necessary (contributed by Robin Schneider)

  • interfaces: background PPPoE connect and disconnect

  • interfaces: only IP-address allowed in PPP gateway (contributed by Smart-Soft)

  • interfaces: simplified linking VIPs to interfaces

  • interfaces: removed interface_has_gateway()

  • interfaces: removed interface_has_gatewayv6()

  • interfaces: removed get_failover_interface()

  • interfaces: removed rc.kill_states

  • firewall: ability to view automatic rules

  • firewall: rule origin locator in live log and automatic rules listing

  • firewall: show statistics for all active rules including automatic ones

  • firewall: optional statistics for alias tables

  • firewall: fix translation of shaper mask “none” value

  • firewall: add ipv6-icmp type selection

  • firewall: rule listing layout update

  • reporting: new NetFlow reader in Python 3

  • reporting: validate that NetFlow WAN interfaces are also added to listening interfaces

  • dhcp: ported to plugin framework

  • dhcp: added failover split to DHCPv4 (contributed by Wolfgang Pedot)

  • dhcp: fix ddnsdomainprimary setting validation

  • dhcp: added advanced options for router advertisements

  • dhcp: removed remove rasend/ranosend checkbox

  • dhcp: simplify DHCPv4 interface lookup on lease page

  • dhcp: use AdvDefaultLifetime 0 when default route shall not be advertised

  • firmware: support reading package repository and origin

  • firmware: warn on third party package installation

  • firmware: synchronise update checks to avoid “not responding” errors

  • firmware: fix empty update list on release type change

  • images: nano image now supports future-proof number of inodes

  • installer: support password reset in opnsense-importer

  • intrusion detection: allow rule action bulk changes

  • intrusion detection: minor usability improvements

  • intrusion detection: support eve system log output

  • openvpn: removed gateway group listening support

  • openvpn: no longer restart servers on CARP events

  • openvpn: reduced complexity in service handling

  • web proxy: replace proxy login privilege “user-proxy-auth” with group selector

  • backend: ported remaining scripts to Python 3

  • backend: add helpers.glob() to enable template traversal

  • backend: new “monitor” hook for rc.syshook

  • mvc: do not add “none” in AuthGroupField if multiple select

  • mvc: allow sorting JsonKeyValueStoreField by value

  • ui: remember previous selected columns and row count on several MVC pages

  • ui: apply alert reminders for several MVC pages

  • ui: add failed callback to saveFormToEndpoint()

  • ui: core theme color update

  • ui: fix file size suffix (contributed by Fabian Franz)

  • ui: add useRequestHandlerOnGet option

  • ui: bootstrap 3.4.1 [3]

  • src: netmap VirtIO, VLAN child and vmxnet support

  • src: fix races in tun(4)/tap(4) drivers

  • ports: squid 4.7 [4]

  • ports: syslog-ng 3.21.1 [5]

Known issues and limitations:

  • Filterlog spamming console due to new Syslog-ng integration. Temporary workaround is stopping filterlog via “pkill filterlog”.

  • OpenVPN no longer supports listening on gateway groups. Use localhost paired with port forwards instead.

  • The web proxy login privilege is no longer available. Access may be restricted by a group selector instead.

  • Web proxy squid update from version 3 to 4 breaks the cache database. To repair go to “Services: Web Proxy: Administration” tab “Support” and click “Reset”.

  • Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates.

The public key for the 19.7 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv2syLqN/IMuADI42aTXx
# HRbX3YljURN1dhhjYoqOc/7uZKVc7UJk79q49x8VZmC0edhHiNKfrhj5g3htsPgu
# N/eFsc1MZv+J2rfSF7L5NV3D5dU9nuBc75wb9SRIXm7XiiiuInMNRBlJsiFeiuJm
# oaE/zqgr75m+cc7sdNQnQQk9+APr4LdksX0bllRmxfhLjDKgiSVe+Yq9kje/JHyf
# je5i3MI9WT80o46IZc/oN4q9RG7n6gaIFBVckCwCKsnNZlDCvb1Sr0tdKs58fswj
# fxMvouMBf+Jk/0dOEZnoIFYb436H2CUfabiPX3Vm4r3MU4dr5m41WlCH/984cBKy
# QSM8h4nSAs/naj5c5YDe4qmwUBxwPIvJPVC/vuWLusyg1gYbloj3EIc1uv2YCkKw
# 0ra7Hocln3+7Jf2Yn/yn6yaCNdoJY2Blvo84giuklDqdBIKggDHSxGrLKDBshSR3
# hapkFRoR7BhnoT14E8DMgD23g9tcwce1AJJ6mZ/DraBx5l11P1ZXLqnyCpvOt5oV
# HmMZ9/Xu0naPUC8IxVSNew8j3liPbc5oKV0kQ/TRQTevOBLJ8QA7Y5YdPu0cS4qw
# Jq3fGnsRt/0+i1Vs7q51KJLNECHyhWm6zYAfST22ohTUgo2ByoM8r0aRslmiG6JS
# +ancHD4lnnHRd+4ybevUft0CAwEAAQ==
# -----END PUBLIC KEY-----

Please let us know about your experience!

# SHA256 (OPNsense-19.7.r1-OpenSSL-dvd-amd64.iso.bz2) = 5014dba896a425d15fbedcb44f2deec7fb5aee6a1b7c95833b819f8d352de6a1
# SHA256 (OPNsense-19.7.r1-OpenSSL-nano-amd64.img.bz2) = b9d6ccbfdcb88f813a6494efb13647d1715500551c7dc51f632766b19189c6bc
# SHA256 (OPNsense-19.7.r1-OpenSSL-serial-amd64.img.bz2) = 86050bffa626247cfe0374d28994a52f9e10490b20a81539f5d2784676280c17
# SHA256 (OPNsense-19.7.r1-OpenSSL-vga-amd64.img.bz2) = 3a7ae31f6429e519060a717b6248d13620a1e5caba43f44afaf4a7dd4e6634e6
# SHA256 (OPNsense-19.7.r1-OpenSSL-dvd-i386.iso.bz2) = 4c0e54982d92279e7273c74cac183290e89219f75b4c1f55a42bad0331bdf321
# SHA256 (OPNsense-19.7.r1-OpenSSL-nano-i386.img.bz2) = 5db5dfc0bfb15a593dae689b58e65d556e935c326741729ad37507a952a51426
# SHA256 (OPNsense-19.7.r1-OpenSSL-serial-i386.img.bz2) = a20422c81c62c79264aec2cf83cb8734e2e0c954881200e6bc46d372f2432cf9
# SHA256 (OPNsense-19.7.r1-OpenSSL-vga-i386.img.bz2) = f6ba92f987c024697e6599b72d905ac9a4fdcfe61c71e3f060dccf1efccd6d82