17.1 “Eclectic Eagle” Series¶

The OPNsense team is proud to announce the final availability of version 17.1, nicknamed “Eclectic Eagle”. This major release features FreeBSD 11.0, the SSH remote installer, new languages Italian / Czech / Portuguese, state-of-the-art HardenedBSD security features, PHP 7.0, new plugins for FTP Proxy / Tinc VPN / Let’s Encrypt, native PAM authentication against e.g. 2FA (TOTP), as well a rewritten Nano-style card images that adapt to media size to name only a few.

We would like to encourage everyone to supervise this major upgrade physically. As such, it cannot be performed from the GUI. Instead, go to the root console menu, choose option 12 and type “17.1” at the prompt. The process will download a full set of updates and reboot multiple times. All operating system files and packages will be reinstalled as a consequence. This process can also be remotely triggered via SSH.

For fresh installations images are provided with OpenSSL for 32 and 64 bit Intel architectures. The new SSH installer feature will be listening on the LAN port 192.168.1.1, give out DHCP leases to clients and can connect using the user “root” (console menu) or “installer” (the installer, of course) with the default password “opnsense”. The respective checksums for the images can be found below this announcement and the direct download links from our capable mirror providers are as follows:

https://opnsense.c0urier.net/releases/17.1/ (Europe) http://mirrors.nycbug.org/pub/opnsense/releases/17.1/ (US East Coast) http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1/ (US West Coast)

https://opnsense.org/download/ (full mirror list)

17.1.11 (July 25, 2017)¶

An IPv6 problem has finally been fixed which could prevent reclaiming address leases during an interface reload, especially when OpenVPN was running. Thanks to everyone involved in tracking this down! Also, the last bits for the new GUI major upgrade feature are now in place. The 17.7 upgrade path will be unlocked on July 31, which will require installing one tiny final update.

Here are the full patch notes:

firmware: added major GUI upgrade code for upcoming 17.7 release
firmware: added major GUI cron upgrade parameter “ALLOW_RISKY_MAJOR_UPGRADE”
interfaces: dhcp6c can now properly reload without leaking its listening socket to e.g. OpenVPN
rc: allow to optionally prevent launch of configd via rc.conf variable
openvpn: normalise line endings of used certificates
openvpn: fix config handling in GUI pages for PHP 7.1
plugins: os-quagga 1.3.2 (contributed by Fabian Franz and Michael Muenz)
ports: perl 5.24.2 [1]
ports: strongswan 5.5.3 [2]

17.1.10 (July 18, 2017)¶

Quick update, nothing overly fancy this week. :)

Here are the full patch notes:

system: harden GUI by removing TLS_RSA_WITH_3DES_EDE_CBC_SHA
system: harden GUI by improving Secure Attribute cookie usage
system: harden GUI by using DH-4096 parameters
system: allow to reverse password / token order in TOTP authentication
system: add swap file option for SSD operation
interfaces: speed up GUI handling with configurations of more than 150 VLANs
interfaces: stop is_ipaddrv6() from accepting subnets
ipsec: IKEv2 can handle multiple phase 1 with the same IP
ipsec: list non-routed connections
unbound: removed obsolete so-rcvbuf optimisation code
net-mgmt/zabbix-agent: validation fix (contributed by Frank Wall)
net/quagga: version 1.3.1 (contributed by Frabian Franz and Michael Muenz)
layout: update to Font-Awesome 4.7
mvc: add setMultiple() to OptionField
ports: phalcon 3.2.1 [1]
ports: php 7.0.21 [2]
ports: php70-openssl CRL hotfix
ports: bind 9.11.1-P3 [3]
ports: unbound 1.6.4 [4]
ports: suricata 3.2.3 [5]

17.1.9 (July 04, 2017)¶

Quite the list of changes after a few weeks of a turbulent summer. This update addresses Stack Clash, OpenVPN, Bind and cURL security issues, see the reference links below.

17.7 is almost here, which means we have skipped over Alpha and Beta phase due to the fact that the base system is staying on FreeBSD 11.0. What you can expect is a Release Candidate within a week and a smooth transition.

Here are the full patch notes:

firewall: move gateway switching from system to firewall advanced settings
firewall: keep category selection when changing tabs
firewall: do not skip gateway switch parsing too early (contributed by Stephane Lesimple)
interfaces: show VLAN description during edit
firmware: opnsense-revert can now handle multiple packages at once
firmware: opnsense-patch can now handle permission changes from patches
dnsmasq: use canned –bogus-priv for no_private_reverse
dnsmasq: separate log file, ACL and menu entries
dynamic dns: fix update for IPv6 (contributed by Alexander Leisentritt)
dynamic dns: remove usage of CURLAUTH_ANY (contributed by Alexander Leisentritt)
intrusion detection: suppress “fast mode available” boot warning in PCAP mode
openvpn: plugin framework adaption
unbound: add local-zone typetransparent for PTR zone (contributed by Davide Gerhard)
unbound: separate log file, ACL and menu entries
wizard: remove HTML from description strings
mvc: group relation to something other than uuid if needed
mvc: rework “item in” for our Volt templates
lang: Czech to 100% translated (contributed by Pavel Borecki)
plugins: zabbix-agent 1.1 (contributed by Frank Wall)
plugins: haproxy 1.16 (contributed by Frank Wall)
plugins: acme-client 1.8 (contributed by Frank Wall)
plugins: tinc fix for switch mode (contributed by Johan Grip)
plugins: monit 1.3 (contributed by Frank Brendel)
src: support dhclient supersede statement for option 54 (contributed by Fabian Kurtz)
src: add Intel Atom Cherryview SOC HSUART support
src: add the ID for the Huawei ME909S LTE modem
src: HardenedBSD Stack Clash mitigations [1]
ports: sqlite 3.19.3 [2]
ports: openvpn 2.4.3 [3]
ports: sudo 1.8.20p2 [4]
ports: dnsmasq 2.77 [5]
ports: openldap 2.4.45 [6]
ports: php 7.0.20 [7]
ports: suricata 3.2.2 [8]
ports: squid 3.5.26 [9]
ports: ca_root_nss 3.31
ports: bind 9.11.1-P2 [10]
ports: unbound 1.6.3 [11]
ports: curl 7.54.1 [12]

17.1.8 (June 01, 2017)¶

It is with pleasure that we announce the availability of SafeStack in the OPNsense ports tree as our latest addition via our valued HardenendBSD friendship. While SafeStack is already deployed for the base operating system, it had not previously been applied to the ports tree.

SafeStack is an exploit mitigation developed by clang/llvm. It helps mitigate stack-based buffer overflows. SafeStack depends on Address Space Layout Randomization (ASLR) in order to be effective. OPNsense fulfils that dependency by including the HardenedBSD ASLR implementation, which follows the original PaX design. Without ASLR, SafeStack is ineffective as an attacker would know where the SafeStack lies in memory and could use that information to her advantage.

It is still rather quiet security-wise. Despite updating OpenSSL, it does not contain any security updates this time.

Here are the full patch notes:

system: tweak the HTTP_REFERER error message (contributed by Michael Muenz)
system: IPv6 SSL cipher selection fix (contributed by Alexander Graf)
system: only probe gateway monitor when it is running
system: move web GUI to plugin framework
system: improve ssh key newline write
system: allow up to 8 name servers
firewall: add CARP option “Disable preempt”
firewall: move CARP preempt to later boot stage
firewall: allow port ranges in the form of “80-100” in addition to “80:100”
interfaces: track6 edge case requires HUP for either reload or linkup
ipsec: fix widget count after strongSwan 5.5.2 update
intrusion detection: add advanced feature default-packet-size
firmware: new mirror for Dept. of CSE, Yuan Ze University, Taiwan [1]
rc: advertise live mode just above the login prompt
rc: improve the set IP menu option with far gateway selection, DHCP, DNS, track6, etc.
mvc: send forms as type-safe JSON data
mvc: correct multi-value sort in template helper
mvc: fix validation issue when storing a value for the first time
lang: minor updates for Chinese (contributed by Tianmo)
lang: Japanese 100% completed (contributed by Chie and Takeshi Taguchi)
plugins: quagga 1.2 with initial BGP support (contributed by Fabian Franz and Michael Muenz)
plugins: zabbix-agent 1.0 (contributed by Frank Wall)
plugins: haproxy 1.15 (contributed by Fabian Franz and Frank Wall)
ports: enabled SafeStack for applicable amd64 packages, ported over by HardenedBSD
ports: openssl 1.0.2l [2]

17.1.7 (May 18, 2017)¶

OpenVPN released version 2.4.2 and also 2.3.15 which come with two high profile fixes addressing CVE-2017-7479 and CVE-2017-7478. While we still aim for OpenVPN 2.4 adoption during the 17.1 series, we have deferred updating the release version from 2.3 to 2.4 at this point to be able to respond more quickly.

Here are the full patch notes:

system: fix gateway failover edge cases missed in 17.1.6
system: fix default route display in diagnostics page
system: consistent precision display in gateway monitoring loss and RTT
system: correctly restart cron via backend call
system: use the internal RC script name instead file name to load its variables
system: keep WAN DHCPv6 configuration option on console port reassign
system: unify the console yes/no prompts to indicate their default behaviour
system: separate row and unhide button for 2FA OTP QR code display
system: prevent stripping of migrated configuration during factory reset
firmware: opnsense-bootstrap bare-mode addition for installing repository metadata only
firmware: opnsense-bootstrap will never be deleted in case it is required for recovery
firmware: opnsense-revert now always properly reverts the core package
firmware: fix argument parsing in all update and development utilities
firewall: do not save range when end port is empty
firewall: do not automatically reload filter after alias delete
firewall: skip well-known ports for ranges
firewall: fetching bogon files should not use fetch internal auto-retry
interfaces: fix bug that prevented creation of IPv6 cache IP files (contributed by theq89)
interfaces: defer reload of the filter on IPv6 renewal and keep it local
interfaces: avoid potential configure loops in IPv4 renewal
interfaces: improve diagnostic messages on boot
interfaces: correct usage of interface cache files and properly clear them during boot
ipsec: enable CA field for hybrid and mutual RSA Xauth
dynamic dns: fix prototype declaration (contributed by Evgeny Bevz)
dynamic dns: add support for STRATO
mvc: fix iteration over several config nodes to avoid “Node no longer exists” type warnings
plugins: quagga 1.1.1 fixes reload of BGPv4 tables and modal closing (contributed by Fabian Franz)
plugins: monit 1.1 fixes import sender address and validation (contributed by Frank Brendel)
src: removed duplicate unbound from FreeBSD base system
src: added locales to e.g. allow tmux to start up correctly
src: Xen migration enhancements [1]
src: allow TOS value zero and add extended DSCP support
ports: openvpn 2.3.15 [2]
ports: php 7.0.19 [3]
ports: squid 3.5.25 [4]
ports: sudo 1.8.20 [5]

17.1.6 (May 04, 2017)¶

Other than the usual bulk of improvements, the Quagga plugin gained BGP support and the Phalcon framework is now able to run smoothly on PHP 7.1, which we are targeting for 17.7. The next bit of planned work in the 17.1 series is switching OpenVPN to version 2.4. It can already be previewed in the development version.

Enjoy the security-silence this time around. :)

Here are the full patch notes:

system: proper autofill of imported CA fields
system: fix off by one and add validation for next serial in CA import
system: new global product info file and associated cleanups
system: prompt for new root password on console reset rather than using the factory default
system: remove PHP version specific code to automatically support newer versions such as PHP 7.1
system: raise PHP memory limit by 50%
firmware: show downgrades in update list as well
firmware: update pkg alongside other packages if it does not need an explicit upgrade
firmware: add plugin list to crash report if plugins are installed
interfaces: do not hide the save button when all interfaces have been assigned
firewall: support tag/tagged for manual outbound NAT
firewall: exclude IPv6 extension headers
firewall: disable filter association when no-rdr port forward option is selected
firewall: do not endlessly try to fetch bogons on systems with no connectivity
captive portal: fix autocomplete, autocapitalize and autocorrect (contributed by Johann Richard)
dhcp: fix static leases issue with loading settings into form
dhcp: add interface-mtu option
ipsec: move to plugin code framework
openvpn: fix possible start failure of servers using udp6 or tcp6
router advertisements: force restart of daemon to adapt to time zone change
unbound: statistics API (contributed by Fabian Franz)
web proxy: reorder pre-auth plugins and local auth settings (contributed by Evgeny Bevz)
mvc: set locale in APIControllerBase (contributed by Alexander Shursha)
mvc: dialog translations (contributed by Fabian Franz)
mvc: escape @ in menu entry to avoid error on mailto: url
plugins: igmp-proxy 1.1 renames internal service reload endpoint
plugins: quagga 1.1.0 adds BGP support and assorted fixes (contributed by Fabian Franz and Michael Muenz)
plugins: relayd 1.1 adds session timeout configuration (contributed by Frank Brendel)
plugins: snmp 1.1 renames internal service reload endpoint
ports: ca_root_nss 3.30.2
ports: phalcon 3.1.2 [1]
ports: unbound 1.6.2 [2]

17.1.5 (April 24, 2017)¶

After a brief timeout due to a super happy image release, 17.1.5 brings to you several longterm improvements for the firewall handling, dynamic DNS and several plugin updates, with Quagga and Monit as two brand new additions to the pool. As an especially longterm improvement, the German translation finally hit 100% completed thanks to the many contributors over the last two years.

We are currently working on extending SafeStack support to mission-critical third-party packages, testing the move to PHP 7.1 and finishing the associated roadmap for the upcoming 17.7 release. Stay tuned for more.

Here are the full patch notes:

system: show save message in correct language after language switch
firmware: remove obsoleted packages after a successful major update
firmware: flip the menu order of plugins and packages
firmware: switch to new embedded kernel/base set version
firewall: improve alias cleanup
firewall: new “select all” feature in firewall rules listings
firewall: add priority setting to advanced rules (contributed by djGrrr)
firewall: cleanup of gateway handling
firewall: cleanup of rule generation and fix for missing rules for group interface network (contributed by Ian Matyssik)
firewall: improve alias validation messages
dhcp: add route features to router advertisements
dhcp: add missing server pool loop counter
unbound: fix DHCP watcher using wrong timezone
unbound: improve DHCP watcher MAC address read
intrusion detection: use “auto” hostmode setting
web proxy: decode content when downloading ACL
web proxy: add all virtual IPs to listening configuration
web proxy: add extended file logging option
openssh: migrated to plugin framework code
openvpn: correctly export renegotiate time of zero
openvpn: reenable the XOR patch support
dynamic dns: multiple fixes and migrated to plugin framework code
rfc2136: multiple fixes and migrated to plugin framework code
rfc2136: separated code from dynamic DNS
rfc2136: added dashboard widget
lang: updates for Chinese, Czech, Japanese
lang: German translation hits 100% completed
plugins: gracefully deal with fatal parse errors in plugin code
plugins: acme-client 1.7 (contributed by Frank Wall)
plugins: haproxy 1.14 (contributed by Frank Wall)
plugins: monit 1.0 (contributed by Frank Brendel)
plugins: quagga 1.0.0 with OSPF and RIP support (contributed by Fabian Franz)
ports: pkg 1.10.1 [1] [2]
ports: sqlite 3.18.0 [3]
ports: curl 7.54 [4]
ports: openssh 7.5p1 [5]
ports: hyperscan 4.4.1 [6]
ports: dhcp6 20080615.2 [7]
ports: ca_root_nss 3.30.1
ports: bind 9.11.1 [8]
ports: strongswan 5.5.2 [9]
ports: php 7.0.18 [10]

17.1.4 (March 29, 2017)¶

The update finally addresses one of the larger issues with IPsec in 17.1 where traffic was not properly tracked by the packet filter and therefore causing spurious connection drops in TCP sessions. Another cool addition is the merge of the HardenedBSD SafeStack work to further harden our operating system application binaries.

Last but not least, the switch to the new virtual terminal driver is now fully functional and we intend to release new images based on 17.1.4 on Monday next week. Note this does not affect running installations.

Upgrading from a physical console may abort the firmware update due to an incompatible switch in the TTY settings. Simply log in again and restart the update to continue. Note this does not affect upgrades via GUI or SSH. Should problems arise, force a reinstall of the core package from the shell with the following command:

# opnsense-revert opnsense

Here are the full patch notes:

system: early installer switched for simpler config importer
system: no longer set shell privileges on password reset
system: avoid misinterpreting obsoleted options use_mfs_tmp_size and use_mfs_var_size
system: do not prompt for password on user edit
system: modernise console/tty settings
interfaces: always wait for dhclient exit
firewall: handle scheduled restarts via new plugin_cron() facility
traffic shaper: exclude IP address when using 3G/4G modems
dnsmasq: configure exclusively via plugin calls
ipsec: remove filtertunnel workaround in light of bundled kernel fix
ipsec: fix missing CA selection for mutual RSA
ipsec: require authentication header as first file
ipsec: include path consolidation
openvpn: allow tunnel network overrides to contain host addresses
openvpn: take client IP for topology subnet in CSC
openvpn: include patch consolidation
unbound: configure exclusively via plugin calls
web proxy: harden SSL ciphers (contributed by Fabian Franz)
mvc: fix multiple scoping issues in base volt templates
lang: updates for Chinese, Czech, French, German, Portuguese
plugins: Let’s Encrypt 1.4 [1] [2] (contributed by Felix Kling and Frank Wall)
plugins: HAproxy 1.13 [3] (contributed by Frank Wall)
src: tzdata version 2017b [4]
src: HardenedBSD SafeStack for base applications [5]
src: fix IPsec skip parameter handling in IPv4
src: discard 3072 bytes in arc4_stir() (contributed by Codarren Velvindron)
ports: ca_root_nss 3.30
ports: php 7.0.17 [6]
ports: libarchive 3.3.1
ports: ntp 4.2.8p10 [7]

We are also happy to announce the availability of the renewed OPNsense 17.1 images based on this version. Apart from the numerous improvements since the initial release, the images have been switched to use the virtual console driver vt(4) as a default to address boot issues. They also feature a new config importer and fix the serial console display of the installer.

For more than two years now, OPNsense is driving innovation through modularising and hardening the code base, quick and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

Download links, an installation guide [8] and the checksums for the images can be found below.

Europe: https://opnsense.c0urier.net/releases/17.1.4/
US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/17.1.4/
US West Coast: http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1.4/
Full mirror list: https://opnsense.org/download/

# SHA256 (OPNsense-17.1.4-OpenSSL-cdrom-amd64.iso.bz2) = 911e4b343b0a7721a8c4f306ab0f84934a40d8829adb2fa808c4656a9a2ef7aa
# SHA256 (OPNsense-17.1.4-OpenSSL-nano-amd64.img.bz2) = ffedac68887b5c0dd619306058471e22c8f7f81c5eb14a566b788feb1d311b16
# SHA256 (OPNsense-17.1.4-OpenSSL-serial-amd64.img.bz2) = 53c270a8078f956dbc923962e82ea4bc9b95b7ed9f09f048fd7ad6c86d38c839
# SHA256 (OPNsense-17.1.4-OpenSSL-vga-amd64.img.bz2) = f9914405f6ca9f0947ccc63d1dac088ec778112ee3a431d4b44d4b400f991106
# SHA256 (OPNsense-17.1.4-OpenSSL-cdrom-i386.iso.bz2) = 23a60c0790848965df1b0596fcdea64fa14a67a8ed8ec9c93ca87b1bc3f6ce03
# SHA256 (OPNsense-17.1.4-OpenSSL-nano-i386.img.bz2) = 4ef91cc2f341dc39e356716f6b6d1e9dd646c9a3a30a7149978c79633639bb8f
# SHA256 (OPNsense-17.1.4-OpenSSL-serial-i386.img.bz2) = ead413845f83d4c112a7c7fbe79047effe78082d1530f1e5502d84d18f41dde0
# SHA256 (OPNsense-17.1.4-OpenSSL-vga-i386.img.bz2) = 8c928797fa21025cbb54df4274ba3d61eb37b3978ab5ae66f843fa8c75d829e8

# MD5 (OPNsense-17.1.4-OpenSSL-cdrom-amd64.iso.bz2) = 26a6110fad91b2b5105bbb1e9de2c299
# MD5 (OPNsense-17.1.4-OpenSSL-nano-amd64.img.bz2) = 7fd648124a6e9b6386174572aab237a8
# MD5 (OPNsense-17.1.4-OpenSSL-serial-amd64.img.bz2) = 34b3152ecde10e3869c4a3f0a0bb201d
# MD5 (OPNsense-17.1.4-OpenSSL-vga-amd64.img.bz2) = 6e1563a155a8715aa73e62be4cf0d542
# MD5 (OPNsense-17.1.4-OpenSSL-cdrom-i386.iso.bz2) = e2870d1b63cbca5aeead2b3148841e45
# MD5 (OPNsense-17.1.4-OpenSSL-nano-i386.img.bz2) = e7942c3af773f7a991d37b1a8391a60b
# MD5 (OPNsense-17.1.4-OpenSSL-serial-i386.img.bz2) = e6c3a6629a8c62d4a07d429f446f077a
# MD5 (OPNsense-17.1.4-OpenSSL-vga-i386.img.bz2) = 70cdb19b808b5b5ac522d02d8db911b9

17.1.3 (March 16, 2017)¶

A dozen bug fixes meet several dozen new features and enhancements, literally! This update is about making OPNsense more flexible with the tools that everybody knows: firewall management, DNS services and Let’s Encrypt.

This is also the stepping stone for providing new images based on 17.1 because the Hyper-V disk disappearance was now fixed upstream: a big thank you to Microsoft and FreeBSD for providing updates! The vt(4) console driver migration is still underway, as well as applying SafeStack for the amd64 architecture and chasing down an IPsec regression with FreeBSD 11.0. More on this next time, stay tuned.

Here is the full list of changes:

system: allow up to 32 characters in user and group names
system: mute cron job output to prevent spurious system mails
system: fix scrambled password option on user add
system: add captive portal session backup
system: fix CRL certificate count display
firmware: add mirror via Universidad Pontificia Bolivariana (Medellin, CO) [1]
firmware: add mirror via DMC Networks (Lincoln NE, US) [2]
firewall: add modulate state as an option for state tracking (contributed by Ian Matyssik)
firewall: add ruleset optimization option for better performance (contributed by Ian Matyssik)
firewall: improved the log widget (contributed by Fabian Franz)
firewall: port forwarding enhancements for tag, pool options and target subnet
firewall: allow virtual interfaces as interface group members and move to firewall section
firewall: allow port alias nesting
captive portal: improved ARP parsing
dyndns: support Google Domains (contributed by Alasley)
intrusion detection: improve ruleset selection indicators
openvpn: do not double-encode client auth credentials
openvpn: validate IPv4 CIDR more strictly to prevent startup error
openvpn: do not offer external CA for selection
rfc 2136: allow selection of record type (contributed by Elias Werberich)
unbound: option to not register IPv6 link-local addresses (contributed by Ian Matyssik)
unbound: do not explicitly register loopback when selected as listening interface
unbound: add serve-expired option
web proxy: update for non-transparent SSL bumping (contributed by Mikhail Morev)
web proxy: add notice to inform the user about the need to download new list
lang: Chinese updated to 100% completed (contributed by Tianmo)
lang: Portuguese (Portugal) updated to 100% completed (contributed by Carlos Meireles)
lang: updates for German, French and Dutch
mvc: add boolean type to tables (contributed by Frank Brendel)
mvc: handle backend execution error more gracefully
mvc: added test for existing API method
mvc: send booleans as strings, not integers in API forms
mvc: allow dynamic hiding of sections in forms via model
plugins: register group interface type for PPTP, L2TP and PPPoE
plugins: add lifetime expiry for Universal Plug and Play rules
plugins: Let’s Encrypt version 1.2 (contributed by Frank Wall) [3]
installer: do not configure console when /dev/ttyv0 is unavailable
installer: console settings now support vt(4) instead of syscons(4)
src: fix system hang when booting when PCI-express HotPlug is enabled [4]
src: fix NIS master updates are not pushed to NIS slave [5]
src: fix compatibility with Hyper-V/storage after KB3172614 or KB3179574 [6]
src: make makewhatis output reproducible [7]
src: fix multiple vulnerabilities of OpenSSL [8]
src: properly build i386 with netmap(4) device to fix IPS mode
src: tzdata updated to version 2017a [9]
ports: php 7.0.16 [10]
ports: phalcon 3.0.4 [11]
ports: ca_root_nss 3.29.3
ports: sqlite 3.17.0 [12]
ports: curl 7.53.1 [13]
ports: unbound 1.6.1 [14]

17.1.2 (February 22, 2017)¶

This update addresses a longstanding issue with the overall reliability of Realtek NICs by replacing the FreeBSD driver with its latest vendor driver equivalent. The results including inline intrusion prevention have been promising to say the least. We thank Realtek for its recent release of version 1.93 and our users for pursuing the unthinkable with us. :)

Speaking of intrusion prevention, Suricata and Hyperscan have been updated to their latest versions which will now prevent crashes with older 64 bit CPUs that do not have the SSSE3 instruction set.

Language updates have been plenty, with a new and very busy contributor for Chinese. Xie xie!

Furthermore, the shared forwarding between both packet filters introduced in OPNsense 17.1 has now been disabled by default and can be manually reenabled from the GUI on Firewall: Settings: Advanced.

Here are the full patch notes:

system: allow to issue reboots via cron
system: allow to change password for imported users
firmware: run autoremove on minor operations
firmware: plugin detection via configd
wizard: rework modelling and UX
interfaces: fix wlan probe to not yield an empty interface
interfaces: fix bug in subnet matching on tun interfaces on FreeBSD 11.0 (contributed by djGrrr)
interfaces: add VLAN Priority (PCP) setting to VLAN config (contributed by djGrrr)
firewall: shared forwarding is off by default, added advanced config option
captive portal: redirect using HTTP code 302
captive portal: add group enforcement
captive portal: fix transparent web proxy mode on FreeBSD 11.0
dhcp: do not link to WOL page if plugin is not installed (contributed by Frank Wall)
ipsec: add mobike switch, change leftsendcert to always, etc.
unbound: provide link local interface selection
lang: Chinese to 65% completed (contributed by Tianmo)
lang: Czech to 86% completed (contributed by Pavel Borecki)
lang: Portuguese (Brazil) to 100% completed (contributed by Thiago Basilio)
lang: Portuguese (Portugal) to 69% completed (contributed by Carlos Meireles)
lang: minor updates to French and German
src: net.pf.share_forward now off by default
src: HardenedBSD procfs hardening
src: HardenedBSD disable unprivileged process debugging
src: replace Realtek re(4) driver with vendor version 1.93
src: add AE3000 and AE6000 to supported run(4) devices
src: revert a crash candidate micro-optimisation in rwlock
plugins: introduce development plugin variants
plugins: os-tinc 1.2 with network mode selection
ports: switch to MIT Kerberos version 5 release 1.14.4
ports: open-vm-tools integrated authentication fix
ports: bind 9.11.0-P3 [1]
ports: unbound 1.6.0 [2]
ports: tinc 1.0.31 [3]
ports: suricata 3.2.1 [4]
ports: hyperscan 4.4.0 [5]
ports: ca_root_nss 3.29

17.1.1 (February 09, 2017)¶

This week we are introducing a number of reliability fixes especially with regard to our move to FreeBSD 11.0 and PHP 7.0; most prominently a NAT fix for the shared filter forwarding and repairing the CRL generation. You will also find a few interesting IPsec additions. ;)

In case the shared forwarding is still giving you trouble on 17.1.1, run the following command to use the old behaviour and report back to us:

# sysctl net.pf.share_forward=0

Here are the full patch notes:

system: LDAP picker CSRF error solved by introducing session-based security tokens
system: fixed CRL generation inside PHP OpenSSL module
system: fix a typo with Portuguese (Portugal) in language selector
system: do not interpret passed values in wizard
system: fix forum link in message of the day
firewall: direction “any” was not respected in floating rules
firewall: fix double encoding of NO NAT for NAT addresses (contributed by djGrrr)
firewall: improve validation between IPv4 and IPv6 to prevent faulty rule generation
firmware: opnsense-update utility now unlocks packages before performing major upgrades
firmware: opnsense-revert utility now retains the automatic flag
firmware: revoked the 16.7 update fingerprints
dhcp: change relay text to make it clear multiple servers are supported (contributed by GurliGebis)
ipsec: add EAP-RADIUS support (contributed by GurliGebis)
ipsec: set filtertunnel sysctl values to fix TCP teardown
ipsec: fix hidden interface rules tab
ipsec: add AES-GCM support
openvpn: fixed CRL generation inside PHP OpenSSL module
openvpn: do not escape advanced options on export
openvpn: fix hidden interface rules tab
mvc: multiple tab usage CSRF errors solved by introducing session-based security tokens
mvc: fix HTTP status codes on CSRF errors
mvc: soft-fail on missing classes in ModelRelationField (contributed by Frank Wall)
plugins: os-acme-client 1.1 [1] (contributed by Frank Wall)
plugins: os-haproxy 1.12 [2] (contributed by Frank Wall)
src: pf(4) shared forwarding fix during NAT
src: pf(4) sysctl switch to disable shared forwarding
src: fix a panic with stf(4) interfaces
src: unhide hard disks under Hyper-V
ports: pkg 1.9.4 [3] [4]
ports: pcre 8.40 [5]
ports: libressl 2.4.5 [6]
ports: libevent 2.1.8 [7]
ports: squid 3.5.24 [8]

17.1 (January 31, 2017)¶

The OPNsense team is proud to announce the final availability of version 17.1, nicknamed “Eclectic Eagle”. This major release features FreeBSD 11.0, the SSH remote installer, new languages Italian / Czech / Portuguese, state-of-the-art HardenedBSD security features, PHP 7.0, new plugins for FTP Proxy / Tinc VPN / Let’s Encrypt, native PAM authentication against e.g. 2FA (TOTP), as well a rewritten Nano-style card images that adapt to media size to name only a few.

We would like to encourage everyone to supervise this major upgrade physically. As such, it cannot be performed from the GUI. Instead, go to the root console menu, choose option 12 and type “17.1” at the prompt. The process will download a full set of updates and reboot multiple times. All operating system files and packages will be reinstalled as a consequence. This process can also be remotely triggered via SSH.

For fresh installations images are provided with OpenSSL for 32 and 64 bit Intel architectures. The new SSH installer feature will be listening on the LAN port 192.168.1.1, give out DHCP leases to clients and can connect using the user “root” (console menu) or “installer” (the installer, of course) with the default password “opnsense”. The respective checksums for the images can be found below this announcement and the direct download links from our capable mirror providers are as follows:

https://opnsense.c0urier.net/releases/17.1/ (Europe) http://mirrors.nycbug.org/pub/opnsense/releases/17.1/ (US East Coast) http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1/ (US West Coast)

https://opnsense.org/download/ (full mirror list)

Here is the list of major features that have been worked on since 16.7 was released 6 months ago:

cooperative firewall forwarding to allow traffic shaper/captive portal with multi-WAN
install media now boots up with SSH for headless remote installation
HardenedBSD ASLR and PIE compilation for most binaries
HardenedBSD SEGVGUARD to prevent ASLR brute force attacks
PHP 7.0 compatibility and general GUI speed improvements
replaced the CSRF implementation in the non-MVC pages
integrated authentication using PAM to allow e.g. 2FA (TOTP) over SSH
system secondary console support with new EFI and Mute options
Portuguese/Portugal as a release language (contributed by Carlos Meireles)
Portuguese/Brazil as a release language (contributed by Thiago Basilio)
Italian as a release language (contributed by Antonio Prado)
Czech as a release language (contributed by Pavel Borecki)
improved password security (contributed by OSnet)
FTP proxy plugin (contributed by Frank Brendel)
Let’s Encrypt Plugin [1] (contributed by Frank Wall)
Tinc VPN Plugin
IPsec tunnel isolation mode for interoperability
micro versioning/migrations for config items
constraint support for config items
rewritten Nano images with growfs(8) support
authentication methods are now fully pluggable
firewall rules are now fully pluggable
FreeBSD 11.0 including additional reliability fixes

Minor changes made since 16.7.14/17.1.r1:

system: always restore native /var layout on boot
system: make vt/sc configurable
web proxy: improve validation for SSL bump URL input (contributed by Fabian Franz)
web proxy: add plugin-capable pre/post authentication directories (contributed by Evgeny Bevz)
mvc: use empty string instead of “##Unlinked” in missing elements (contributed by Frank Wall)
www: replace CSRF implementation of static PHP pages
src: convert result of hash_packet6() into host byte order
src: correctly initialise subrulenr in pflog
ports: openssl 1.0.2k [2]
ports: php 7.0.15 [3]

Additionally, these migration caveats should be heeded before upgrading:

The integrated authentication framework is now used as a system-wide default including login(1), su(1) and sudo(8). This means that e.g. when 2FA is enabled for the GUI it will be used for low-level password prompts as well and plain passwords are disabled by default. If this behaviour is undesired, set the “Disable integrated authentication” option under System: Settings: Administration.
Disabled Gateway entries are now always honoured instead of being set up as a default gateway.
The console settings received a non-backwards compatible change. If the VGA console is not working, simply reconfigure it from System: Settings: Administration as it was likely set to “Serial” due to a wrong GUI default.
FreeBSD 11.0 switched to the vt(4) console driver, but we are keeping sc(4) as the default. You can change this after installation by enabling the virtual terminal driver under System: Settings: Administration.
EFI boots may not yield a console anymore, the setting for VGA is wrong now and should be switched to “EFI” under System: Settings: Administration.
The access privileges for “Lobby: Login / Logout / Dashboard” and “Diagnostics: Backup / Restore” have been remapped internally and need to be reapplied when they have been assigned explicitly.
The inherited 6rd kernel patches are not included in standard FreeBSD 11.0. The state of 6rd is possibly broken. We ask for volunteers to pick up the work if 6rd is still a requirement, as we do not have access to such setups.
Fundamental WiFi stack changes in FreeBSD 11.0 could still affect overall operability. Please let us know about these right away.
The following services moved to individual plugins and need to be reinstalled in order to be used: SNMP, Load Balancer, Wake on LAN, Universal Plug and Play, IGMP Proxy. Their respective configurations will be preserved by the system even if these plugins are not installed.
The Intel e1000 driver plugin has been removed due to an incompatibility with FreeBSD 11.0. All previously known bugs of the FreeBSD 11.0 e1000 driver have been fixed in OPNsense 17.1 and reported to FreeBSD.

We would love to hear your feedback! As we want OPNsense the best it can be for you, please do not hesitate to contact us through any of the known channels:

# SHA256 (OPNsense-17.1-OpenSSL-cdrom-amd64.iso.bz2) = 6cbd83204366c366b603a36f5586424dd779d84c2b34f2e2ba3d66137d28fe97
# SHA256 (OPNsense-17.1-OpenSSL-nano-amd64.img.bz2) = fc91680ad6933f4151afbd869b136d2d84348112dfd8f4837a1e8e0880aec1ec
# SHA256 (OPNsense-17.1-OpenSSL-serial-amd64.img.bz2) = 4ba88dc98733e38ffc7681f862ad7197b866a4b7fffb858d64403d32b42fee3f
# SHA256 (OPNsense-17.1-OpenSSL-vga-amd64.img.bz2) = de46b29fe8aa79bd9bab6d68c24b80759efd6ef59c235b296eb59adbe408d055
# SHA256 (OPNsense-17.1-OpenSSL-cdrom-i386.iso.bz2) = 29ee7759e7834d9fc162623af0172899a3cd79e25c5205ee935c5131a51e8777
# SHA256 (OPNsense-17.1-OpenSSL-nano-i386.img.bz2) = a89c3b15e3689693f8ed0610d4bc8a03ef779c7576b0a6bf5ae16b8080ac8c4c
# SHA256 (OPNsense-17.1-OpenSSL-serial-i386.img.bz2) = 3314d0cdafa17900beda91a9a03a2325f164948f1e17421387532f4efdb9e9c4
# SHA256 (OPNsense-17.1-OpenSSL-vga-i386.img.bz2) = 6a63746d021095fc72ca20303b46c4994dea85cafd9bdfca948fa17afb28f80e

# MD5 (OPNsense-17.1-OpenSSL-cdrom-amd64.iso.bz2) = b39a8440377b6a2aae5832e3caea23d7
# MD5 (OPNsense-17.1-OpenSSL-nano-amd64.img.bz2) = 583c7d4a4c4263d51e0fa153f8c021e4
# MD5 (OPNsense-17.1-OpenSSL-serial-amd64.img.bz2) = d4da49aa8f4d24ab0dc8ed7f025b7b46
# MD5 (OPNsense-17.1-OpenSSL-vga-amd64.img.bz2) = 5ea6b7771a35fbdd97abc99ca4da1b4c
# MD5 (OPNsense-17.1-OpenSSL-cdrom-i386.iso.bz2) = c8b63d4018ab072f9a2370e1040381d8
# MD5 (OPNsense-17.1-OpenSSL-nano-i386.img.bz2) = 3989eb61efcc7057166e64662d26714a
# MD5 (OPNsense-17.1-OpenSSL-serial-i386.img.bz2) = 4ca5a146a050e46deffdac001e7b3f0d
# MD5 (OPNsense-17.1-OpenSSL-vga-i386.img.bz2) = 888f3b23a381d93600596f86c0f94cd4

17.1.r1 (January 20, 2017)¶

The wish list for our kernel improvements has been emptied just a week ago, which makes 17.1-RC1 look like the final 17.1 for all intents and purposes and already includes the stable upgrade path. Several features have been moved from the core to the plugins and may need to be reinstalled, namely Load Balancer, Wake on LAN, SNMP, IGMP Proxy and Universal Plug and Play. More details are listed below.

A special thank you goes to Carlos Meireles and Thiago Basilio, who brought to you Portuguese as a language choice (Portugal and Brazil, respectively). Awesome work!

Direct download links from our capable mirror providers (checksums below this announcement) are as follows:

https://opnsense.c0urier.net/releases/17.1.r1/ (Europe) http://mirrors.nycbug.org/pub/opnsense/releases/17.1.r1/ (US East Coast) http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1.r1/ (US West Coast)

https://opnsense.org/download/ (full mirror list)

If you have been running 17.1-BETA and want to switch to the stable upgrade path simply upgrade to 17.1-RC1 and run the following from the shell:

# # opnsense-update -t opnsense

Here is the full list of changes since 17.1-BETA:

core: default to integrated authentication (PAM) for su, login et al
core: lock down UNIX accounts for active integrated authentication
core: console option 11 now reloads all instead of only the web GUI
core: removed unused translations from console features
core: load AESNI by default
core: remove restrictions to not run DNS resolver and forwarder in parallel
core: use the sc console driver instead of vt
core: consolidate anti-lockout behaviour
core: optionally limit ciphers for web GUI
core: move individual XMLRPC sync options to their respective services
core: use rc.shutdown hook for graceful ACPI shutdown
core: fix locale setting in MVC (contributed by Alexander Shursha)
core: add translations to the wizard (contributed by Alexander Shursha)
core: fix several crash reports
core: use the ddb.conf that FreeBSD already provides
core: configure ddb even if no dump device was found
core: move bogon rules to fix DHCPv6 WAN scenarios
web proxy: allow to disable caching by zeroing cache_mem
plugins: the os-intel-em driver has been removed
plugins: configuration additions for os-tinc
plugins: exported several base features to plugins (os-snmp, os-igmp-proxy, os-wol, os-upnp, os-relayd)
lang: added Portuguese/Portugal (contributed by Carlos Meireles)
lang: added Portuguese/Brazil (contributed by Thiago Basilio)
src: wireless firmware now only available via kernel modules
src: the EM_MULTIQUEUE kernel option has been removed
src: HardenedBSD SEGVGUARD improvements
src: HardenedBSD force -fPIC when building PIEs
src: do not initialize the adapter on MTU change when ix status is down
src fix panic during lagg destruction with simultaneous status check
src: restore link state probing for e1000 82574 chipsets
src: IP cooperative forwarding rework, fixes IPv4 in pf
src: avoid deadlocks during lagg configuration
src: multiple fixes for netmap to repair emulation panics

Known issues in this version:

The inherited 6rd kernel patches are not included in standard FreeBSD 11.0. The impact on 6rd setups is currently unknown.
Fundamental WiFi stack changes in FreeBDS 11.0 could still affect operability.
Insight and Health statistics import from the early installer may not work.
Due to a Python 2.7.13 incompatibility the NetFlow connector may not work. A workaround is to revert to the Python 2.7.12 release. See the forum for details [1] .
The LibreSSL version will not be available until the final release.
The console settings received a non-backwards compatible change. If the VGA console is not working, simply reconfigure it from System: Settings: Administration as it was likely set to Serial due to a wrong GUI default.

Any help in making 17.1 the best it could possibly be for its final release January 31 is highly appreciated. Please do not hesitate to contact us through any of the known channels:

# SHA256 (OPNsense-17.1.r1-OpenSSL-cdrom-amd64.iso.bz2) = 96bc814644c89128baa8afc7a4f057bd02b364ada4c33ac1d98129a0a2f2dd50
# SHA256 (OPNsense-17.1.r1-OpenSSL-nano-amd64.img.bz2) = c777f3adea1621253a846bbd78c82993801e40085d1c9cab03a71d01e5c6d0a8
# SHA256 (OPNsense-17.1.r1-OpenSSL-serial-amd64.img.bz2) = 0e87555296c58a51e905e4fac97ea6fac397d748b1369bab9f4c108d6adf9993
# SHA256 (OPNsense-17.1.r1-OpenSSL-vga-amd64.img.bz2) = 08af040390230bffc2ac6e4eceb884c390e0058a0b8027f003eeaf601b38b909
# SHA256 (OPNsense-17.1.r1-OpenSSL-cdrom-i386.iso.bz2) = 3ef78129e57414cd765cfbe903b747e6efa1222f799cc1d2e8331a68279a7c87
# SHA256 (OPNsense-17.1.r1-OpenSSL-nano-i386.img.bz2) = 6a8040bf3b8a9c2bc9bb49b214c6a7612dca5235fa0314b474524e2ccdf38caf
# SHA256 (OPNsense-17.1.r1-OpenSSL-serial-i386.img.bz2) = 442b774948ae14428a8c76489139644e49c935db61e32055508974fe76686fc0
# SHA256 (OPNsense-17.1.r1-OpenSSL-vga-i386.img.bz2) = 27149d372ded7d069aec3e5aeab7708e53bf3ca8166193480863ace768a333d5

# MD5 (OPNsense-17.1.r1-OpenSSL-cdrom-amd64.iso.bz2) = 680161da68fee3c03904970e7aa89c94
# MD5 (OPNsense-17.1.r1-OpenSSL-nano-amd64.img.bz2) = 989bc7056ebaf08ff3ba06a5b56b2488
# MD5 (OPNsense-17.1.r1-OpenSSL-serial-amd64.img.bz2) = 00d92a840c6180fb87d59b2f6728f10f
# MD5 (OPNsense-17.1.r1-OpenSSL-vga-amd64.img.bz2) = 1574e871a3d64147e1a904074a4ff4b2
# MD5 (OPNsense-17.1.r1-OpenSSL-cdrom-i386.iso.bz2) = 0e409d30009af857b23e67e97451cc81
# MD5 (OPNsense-17.1.r1-OpenSSL-nano-i386.img.bz2) = 051a1072559982fce88fb39ef78aca77
# MD5 (OPNsense-17.1.r1-OpenSSL-serial-i386.img.bz2) = c32106dc7070ae462200e15fa707e19c
# MD5 (OPNsense-17.1.r1-OpenSSL-vga-i386.img.bz2) = 5ec394d7c2b331390d92baec41e3aece

17.1.b (December 16, 2016)¶

With the best wishes for the holiday season attached we hereby humbly present our 17.1-BETA images and thank everyone for their early input, valid questions and generally keeping us on our toes throughout the past months. The next major release features FreeBSD 11.0, the SSH remote installer, new languages Italian and Czech, state-of-the-art HardenedBSD security features, PHP 7.0, native PAM authentication against e.g. 2FA (TOTP), as well a rewritten Nano-style card images that adapt to the media size to name only a few.

These will be the only beta images. They are not suitable for production environments. Release candidate builds will start in January in order to provide production-ready images. Checksums can be found below this announcement. Direct download links from our capable mirror providers are as follows:

https://opnsense.c0urier.net/releases/17.1.b/ (Europe) http://mirrors.nycbug.org/pub/opnsense/releases/17.1.b/ (US East Coast) http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1.b/ (US West Coast)

https://opnsense.org/download/ (full mirror list)

Here is a list of hand-picked major features that were worked on since 16.7:

system secondary console support with new EFI and Mute options
installer now boots up with SSH for headless remote installation
Italian as a release language (contributed by Antonio Prado)
Czech as a release language (contributed by Pavel Borecki)
HardenedBSD ASLR and PIE compilation for most binaries
HardenedBSD SEGVGUARD to prevent ASLR brute force attacks
PHP 7.0 compatibility and general GUI speed improvements
improved password security (contributed by OSnet)
FTP proxy plugin (contributed by Frank Brendel)
PAM authentication module, e.g. 2FA on SSH
IPsec tunnel isolation mode for interoperability
Intel em(4) driver version 7.6.2 as a plugin
micro versioning/migrations for config items
constraint support for config items
rewritten Nano images with growfs(8) support
authentication methods are now fully pluggable
firewall rules are now fully pluggable
Tinc VPN Plugin
FreeBSD 11.0

Known issues in this version:

The inherited 6rd kernel patches are not included in standard FreeBSD 11.0. The impact on 6rd setups is currently unknown.
The installer character set is not entirely correct due to the default console switch to vt(4).
Fundamental WiFi stack changes in FreeBDS 11.0 may still affect overall operability.
Insight and Health statistics import from the early installer do not work.
The LibreSSL version will not be available until the final release.

Any help in making 17.1 the best it could possibly be for its final release at the end of January 2017 is highly appreciated. Please do not hesitate to contact us through any of the known channels:

# SHA256 (OPNsense-17.1.b-OpenSSL-cdrom-amd64.iso.bz2) = 6ed4e335757f5f58e34f3f59984a06183612ed0cffd5a9238f85b1a156a56039
# SHA256 (OPNsense-17.1.b-OpenSSL-nano-amd64.img.bz2) = 70b89467d6dc9cadaa7c855764a8bb91f0fe118bba60074ab1d8f41362a7042a
# SHA256 (OPNsense-17.1.b-OpenSSL-serial-amd64.img.bz2) = affae7605fde77827e975597de5280db746f85c1ed38794ce647a6ad7c2f945d
# SHA256 (OPNsense-17.1.b-OpenSSL-vga-amd64.img.bz2) = 6f99cc3d0ef8d328eb43985b8d01cffe2e7f65e886015c65c84c062e33f15fbb
# SHA256 (OPNsense-17.1.b-OpenSSL-cdrom-i386.iso.bz2) = b799f8260ae1a55848c126d7be52c51e92ae3d11c0eaf347a506e7e59c92fd9c
# SHA256 (OPNsense-17.1.b-OpenSSL-nano-i386.img.bz2) = 86186e5b5af8be2818385497f8bdf5c3128c7864e502502676424193bcce9461
# SHA256 (OPNsense-17.1.b-OpenSSL-serial-i386.img.bz2) = 7b20afc07fc2ca45b6cee66c855d2576170a04684dae0cb65243a8abaa9be684
# SHA256 (OPNsense-17.1.b-OpenSSL-vga-i386.img.bz2) = 1fc58fade2e15a30afec82b3fff553344557e6903b69c2f48e20976373543d1e

# MD5 (OPNsense-17.1.b-OpenSSL-cdrom-amd64.iso.bz2) = 221b6b63642051518cd190b63775d5a5
# MD5 (OPNsense-17.1.b-OpenSSL-nano-amd64.img.bz2) = 67ff68890113bb2b4223a2336cfc5d01
# MD5 (OPNsense-17.1.b-OpenSSL-serial-amd64.img.bz2) = e757bef2fcb5e444cad8b7d8991314fe
# MD5 (OPNsense-17.1.b-OpenSSL-vga-amd64.img.bz2) = c2c56a542856fd0b84f299d7dd783b17
# MD5 (OPNsense-17.1.b-OpenSSL-cdrom-i386.iso.bz2) = c210c342a6d618e7c1ebcdefdf1e3f9d
# MD5 (OPNsense-17.1.b-OpenSSL-nano-i386.img.bz2) = 1c036f6707f9922c40748be44592462a
# MD5 (OPNsense-17.1.b-OpenSSL-serial-i386.img.bz2) = ff07d0d4f9e62a99896de8228ceba41b
# MD5 (OPNsense-17.1.b-OpenSSL-vga-i386.img.bz2) = 3f67a06ca99137d135d1fc9713912aff