17.7 “Free Fox” Series

For more than two and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We are writing to you today to announce the final release of version 17.7, nicknamed “Free Fox”, which, over the course of the last 6 months, includes highlights such as SafeStack application hardening, the Realtek re(4) driver for better network stability, a Quagga plugin with broad routing protocol support and the Unbound resolver as the new default. Additionally, translations for Czech, Chinese, Japanese, Portuguese and German have been completed for the first time during this development cycle.

Focus in OPNsense has shifted to improving and streamlining its various systems and providing continuous updates, which amounts to over 300 individual changes made since 17.1 so far. The plugin infrastructure is growing as well thanks to our awesome contributors Frank Wall, Frank Brendel, Fabian Franz and Michael Muenz. And we, last but not least, have been working more closely than ever with HardenedBSD by unifying our ports infrastructure.

Download links, an installation guide [1] and the checksums for the images can be found below.

• Europe: https://opnsense.c0urier.net/releases/17.7/

• US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/17.7/

• US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.7/

• South America: http://mirror.upb.edu.co/opnsense/releases/17.7/

• South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/17.7/

• Full mirror list: https://opnsense.org/download/

17.7.12 (January 18, 2018)

As 18.1 is drawing near this stable update for the 17.7 series could be the last one. So whether there will be a hotfix to enable the update path or a full 17.7.13 remains to be seen, but we will keep you informed either way. The targeted release date for 18.1 is January 29.

For now we refrain from letting users upgrade directly to the release candidates, but suffice to say that with the development version accompanying this update it is possible from the console. And again thank you to all early adopters which have made the release candidates a thoroughly enjoyable experience.

Here are the full patch notes:

• system: use correct crypto library to gather GUI SSL ciphers

• system: do not wrap action buttons in tunables page

• system: fix CA serial number decrement on save

• firmware: remove the discontinued hotfix backend support

• firmware: allow dot in package name during package action

• firmware: remove defunct mirrors

• interfaces: make level of detail stick in packet capture

• interfaces: auto-lock problematic interfaces upon assignment

• firewall: make NAT reflection enable less ambiguous

• firewall: fix NAT formatting in states dump page

• network time: fix for valid negative offset in health graph

• network time: OPNsense NTP pool is now available

• network time: fix parsing of overly overlong lines

• web proxy: use PID file instead of daemon name for status probe

• wizard: add unbound to wizard and uncheck DNSSEC by default

• ui: HTML compliance fixes button in link usage (contributed by NOYB)

• mvc: added mutable service controller

• mvc: added sub-tab layout partials

• mvc: do not render empty toggle header

• plugins: acme-client 1.13 [1] (contributed by Frank Wall)

• plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)

• plugins: helloworld 1.4

• plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)

• plugins: tor 1.4 adds contact info (contributed by Fabian Franz)

• plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)

• ports: libressl 2.6.4 [2]

• ports: php 7.1.13 [3]

A hotfix release was issued as 17.7.12_1:

• firmware: warn about end of life and enable upgrade path to 18.1

17.7.11 (December 20, 2017)

A tiny update to round up the year. An amazing one it has been. We wish everyone happy holidays and see you again next year!

Here are the full patch notes:

• system: numerical sort for “Use” and “MTU” columns in route diagnostics

• system: gateway group edit tier selection issue with jQuery3

• system: minor cleanups in the certificates backend

• firewall: move anti-lockout rule to advanced settings

• interfaces: minor cleanups in the backend

• reporting: rework configuration handling on the settings page

• dnsmasq: minor cleanups in the backend

• firmware: strip the architecture from the base / kernel set version display

• firmware: backend preparations for full base / kernel set lock and reinstall

• firmware: increase crash report file limit to 2 MB

• ipsec: minor cleanups in the backend

• unbound: register DHCP domain name for interface if found

• network time: show full remote address and fix page boxing on status page

• network time: add advanced custom options

• network time: fix leap second save

• network time: minor cleanups in the backend

• wizard: properly redirect on input errors in system wizard

• mvc: ignore client-side anchors in breadcrumb generation

• ui: do not use a CSRF input element ID

• plugins: os-freeradius 1.4.1 fixes a warning in clients (contributed by Michael Muenz)

• ports: libxml 2.4.7 [1]

• ports: py-ipaddress 1.0.19

17.7.10 (December 14, 2017)

A regression sneaked into 17.7.9 that updated Lighttpd web server which made the captive portal incompatible with the newer version. We are also bundling OpenSSL updates for both the ports and source. Last but not least, Suricata and Hyperscan have been bumped to their latest versions.

Here are the full patch notes:

• system: allow user-based language setting through Lobby: Password

• system: allow strict interface binding for OpenSSH

• system: prepare for MVC-based routing pages

• firmware: prepare for production / development release type selection

• firewall: fix a PHP warning when no user rules are installed

• firewall: add refresh button to table diagnostics page

• captive portal: fix chroot regression since lighttpd web server update in 17.7.9

• interfaces: provide a link-local IPv6 when asking for addresses

• intrusion detection: sync port-groups to default template

• ipsec: upgrade vici lib to match strongSwan package

• network time: fix a PHP warning during NMEA deselect

• mvc: do not throw disabled errors in handler

• plugins: os-dyndns 1.4_1 fixes issue with Namecheap error parsing

• plugins: os-freeradius 1.4.0 adds log viewer and fixes users write (contributed by Michael Muenz)

• plugins: os-quagga 1.4.3 adds OSPF firewall rule and spinners for save (contributed by Fabian Franz)

• src: OpenSSL multiple vulnerabilities [1] [2]

• ports: hyperscan 4.6.0 [3]

• ports: openssl 1.0.2n [4]

• ports: suricata 4.0.3 [5]

Two plugin hotfixes have been additionally issued:

• plugins: os-quagga 1.4.3_1 fixes service startup regression

• plugins: os-rfc2136 1.1_1 fixes edit button in IE 11

17.7.9 (December 07, 2017)

Today a XSS vulnerability in the certificate manager is being fixed that is based on a crafted certificate being imported into the system. PHP was finally updated from 7.0 to 7.1 which should make things a bit faster. Last but not least, the HAProxy plugin by Frank Wall receives a major update for improved usability, several new features and two bug fixes.

Here are the full patch notes:

• system: fix XSS with crafted certificates in certificate manager [1]

• system: removed duplicated firmware privileges

• system: fix resolving routes in diagnostics page

• system: regenerated DH parameters

• dhcp: support stateless DHCPv6

• firmware: kernel and base set visibility and better API session handling

• intrusion detection: improve download and install speed of et-open rules

• intrusion detection: add TLS and HTTP logging in eve and alert log viewer

• openvpn: allow remote network in peer to peer modes

• web proxy: better service and API session handling

• router advertisements: advertise on VIPs belonging to the same interface

• configd: allow template overrides via optional target directory

• mvc: prepare for user-based language setting (contributed by Alexander Shursha)

• mvc: prepare for auto-generated page titles

• mvc: tighten against frame-based attacks

• mvc: correctly hide advanced option headers in forms (contributed by Evgeny Bevz)

• ui: fix for deactivated storage in sticky “help all” toggle (contributed by Fabian Franz)

• ui: make “advanced mode” sticky too

• plugins: os-acme-client 1.12 [2] (contributed by Frank Wall)

• plugins: os-arp-scan (contributed by Giuseppe De Marco)

• plugins: os-clamav 1.3 (contributed by Alexander Shursha)

• plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed by Kuo-Cheng Yeu)

• plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)

• plugins: os-haproxy 2.0 [3] (contributed by Frank Wall)

• plugins: os-relayd 1.2 fixes “check send” directive

• plugins: os-tor 1.3 (contributed by Fabian Franz)

• plugins: os-zabbix-agent 1.2 fixes service status indicator

• plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)

• ports: ca_root_nss 3.34.1

• ports: curl 7.57.0 [4]

• ports: lighttpd 1.4.48 [5]

• ports: php 7.1.12 [6]

• ports: pkg 1.10.3 [7]

• ports: py-Jinja2 2.10 [8]

• ports: syslogd 11.1

A hotfix release was issued as 17.7.9_8:

• system: correctly populate logging settings after clearing all logs

• firewall: fix 2 PHP 7.1 warnings

• ipsec: fix 2 PHP 7.1 warnings and one runtime error

• interfaces: fix a PHP 7.1 warning

• intrusion detection: add protocol display to alert dialog

• plugins: os-haproxy 2.1 fixes HSTS usage [9] (contributed by Frank Wall)

Another hotfix release was issued as 17.7.9_9:

• system: fix a PHP 7.1 runtime error in certificate generation

• plugins: os-haproxy 2.2 fixes rules parameters [10] (contributed by Frank Wall)

17.7.8 (November 22, 2017)

A shiny new update is available, addressing the recent security advisories from FreeBSD, OpenSSL, Sudo and a number of minor bugs.

To all our 18.1-BETA testers we say this: thank you! The results have been thoroughly positive. If you would like to participate as well, please take a closer look:

https://forum.opnsense.org/index.php?topic=6257.0

And here are the full patch notes:

• firewall: when CARP is disabled it should enable the “Block CARP traffic”

• firewall: isAlias() should return false when an empty name is provided

• firewall: support non-whitespace field separators for URL table alias (contributed by shonjir)

• firewall: table plugin support (contributed by Evgeny Bevz)

• firewall: properly skip L2TP and PPTP interfaces in IPFW

• firmware: add mirror courtesy of Ventura Systems, Columbia

• firmware: crash report file size limit for upload

• interfaces: prevent reconfigure of wireless device on rc.linkup

• reporting: clear tooltip in health graphs

• intrusion detection: prevent UI lockups by closing server sessions early

• intrusion detection: add advanced payload log option

• intrusion detection: improved alert inspection dialog

• ipsec: add passthrough networks support

• ipsec: add support for elliptical curve DH groups

• router advertisements: fix DHCPv6 start in “unmanaged” mode

• installer: limit swap partition size to 8 GB (contributed by Frank Wall)

• web proxy: add update cache support for Linux and Windows (contributed by Fabian Franz)

• web proxy: add support UTF-8 domain names (contributed by Alexander Shursha)

• web proxy: improved IPv6 alias support

• ui: make “full help” state sticky in client session

• lang: Japanese updates (contributed by Chie and Takeshi Taguchi)

• lang: German updates (contributed by Fabian Franz)

• lang: Russian updates (contributed by Smart-Soft)

• lang: Czech updates (contributed by Pavel Borecki)

• plugins: os-siproxd 1.2.1 with fix for RTP high port (contributed by mrpace2)

• plugins: os-smart 1.2 now indicates if no devices have been found (contributed by Larry Meaney)

• plugins: os-telegraf 1.1 adds network input setting (contributed by nycaleksey)

• plugins: os-tor 1.2 adds hidden service onion service client support (contributed by Fabian Franz)

• plugins: os-web-proxy 2.1 makes Kerberos hostname configurable (contributed by Evgeny Bevz)

• src: properly bzero kldstat structure to prevent information leak [1]

• src: fix kernel data leak via ptrace(PT_LWPINFO) [2]

• src: only refresh bsnmpd device table on a device add or remove event

• src: unclog reply-to to avoid default route in shared forwarding

• src: update timezone database information

• ports: phalcon 3.2.4 [3]

• ports: php 7.0.25 [4]

• ports: sqlite 3.21.0 [5]

• ports: openssl 1.0.2m [6]

• ports: ca_root_nss 3.34

• ports: sudo 1.8.21p2_1 [7]

17.7.7 (October 26, 2017)

OpenSSH is being updated to version 7.6, which means this change breaks compatibility with SSH protocol version 1 and refuses RSA keys smaller than 1024 bits. Ideally, none of this should matter in a security-aware deployment, but it is safer to double-check before the upgrade.

A new plugin for the Telegraf agent was released and we have reworked the GeoIP alias configuration to be less cumbersome. We would like to thank everyone for the steady stream of ideas and constructive discussion and ask for more!

The 18.1-BETA call for testing will be out in the next 24 hours as well for all enthusiasts who want to test-drive the change from FreeBSD 11.0 to 11.1. It has been an unconventional development cycle and this time around there will be no images until 18.1-RC in late December or January.

And here are the full patch notes:

• firewall: GeoIP alias edit UX rework

• reporting: increase database timeout to 60 seconds

• firmware: add server in Frankfurt, DE courtesy of ieji.de

• firmware: base / kernel lock API

• firmware: details dialog for plugins

• firmware: assorted minor UI tweaks

• dhcp: improve sorting of DHCP leases (contributed by Larry Meaney)

• ipsec: add rightsourceip = %radius for eap-radius

• ipsec: moved firewall rule generation to plugin code

• web proxy: remove default value of visible_hostname

• mvc: translate navigation tabs (contributed by Alexander Shursha)

• mvc: prevent faulty child node removal in serializeToConfig()

• plugins: os-freeradius 1.2.0 adds EAP-TLS support (contributed by Michael Muenz)

• plugins: os-intrusion-detection-content-snort-vrt 1.0 (contributed by shonjir)

• plugins: os-telegraf 1.0 for amd64 only (contributed by Michael Muenz)

• plugins: os-tor 1.1 fixes VIP usage and initial setup

• ports: curl 7.56.1 [1]

• ports: openssh 7.6p1 [2]

• ports: suricata 4.0.1 [3]

A hotfix release was issued as 17.7.7_1:

• firewall: fix regression in host alias edit

• plugins: os-freeradius 1.2.1 with EAP fix (contributed by Michael Muenz)

17.7.6 (October 20, 2017)

What a KRACKing week it has been! In order to move past the WPA2 attacks we have updated hostapd and wpa_supplicant to their latest version 2.6 including the released security fixes. If you use wireless devices you are advised to reboot to properly reload all wireless services.

In more positive news, plugins for Web Proxy SSO support and Siproxd have been publicly released with this version. Additionally, multi-remote OpenVPN client configurations are now easily possible via the GUI. We also thank Fabian Abplanalp and HiHo.ch for providing a mirror in Switzerland.

Here are the full patch notes:

• interfaces: mitigate KRACK attacks [1] by using patched hostapd and wpa_supplicant from ports

• interfaces: added ARP flush to diagnostics page (contributed by Giuseppe De Marco)

• firmware: opnsense-revert man page examples (contributed by Marco Woitschitzky)

• firmware: opnsense-update provides locks for the kernel and base sets

• firmware: opnsense-update provides remote size of kernel and base sets

• firmware: new mirror in Switzerland via HiHo.ch (contributed by Fabian Abplanalp)

• firmware: preparations for upcoming page and user-facing feature improvements

• reporting: traffic mini-graphs switch places with their plain throughput values

• reporting: return empty file when parameters are missing from insight data export

• captive portal: improved column header texts in session view

• ipsec: hide mode selection in phase 1 under IKEv2

• openvpn: multi-remote support for clients

• web proxy: allow plugin reload through pluginctl

• ui: bootgrid tweaks (contributed by Fabian Franz)

• ui: info command addition to bootgrid (contributed by David Harrigan)

• rc: pluggable /var MFS support and micromanaging of boot tasks

• configd: parameter handling rework

• plugins: os-c-icap 1.3 adds server log view (contributed by Michael Muenz)

• plugins: os-clamav 1.1 adds version info display and /var MFS support (contributed by Alexander Shursha)

• plugins: os-freeradius 1.1 (contributed by Michael Muenz)

• plugins: os-monit 1.4 M/Monit support and fixes (contributed by Frank Brendel)

• plugins: os-siproxd 1.0 (contributed by Michael Muenz)

• plugins: os-web-proxy-sso 2.0 (contributed by Smart-Soft)

• plugins: os-zerotier 1.3 adds remote network info and local.conf setting (contributed by David Harrigan)

• ports: curl 7.56.0 [2]

• ports: hostapd 2.6_1 [3]

• ports: phalcon 3.2.3 [4]

• ports: unbound 1.6.7 [5]

• ports: wpa_supplicant 2.6_2 [3]

17.7.5 (October 05, 2017)

This update includes a larger number of security-related updates in third party software recently published. We do recommend a reboot to ensure all services are restarted correctly.

Here are the full patch notes:

• system: always return unique list of active DNS servers

• system: remove obsolete fast forwarding sysctl usage

• gateways: appropriate use of link local scope gateway targets

• interfaces: start rtsold in directly send SOLICIT case as well

• firewall: improve virtual IP VHID edit handling

• firmware: prevent submit of empty crash reports

• web proxy: fix ICAP username header usage (contributed by Alexander Shursha)

• plugins: os-c-icap 1.2 local squid authentication (contributed by Alexander Shursha)

• plugins: os-collectd 1.1 graphite post and prefix (contributed by Michael Muenz)

• plugins: os-intrusion-detection-content-et-pro 1.0

• plugins: os-quagga 1.4.2 OSPF router ID support (contributed by Fabian Franz)

• ports: dnsmasq 2.78 [1]

• ports: kerberos 1.15.2 [2]

• ports: openvpn 2.4.4 [3]

• ports: perl 5.24.3 [4]

• ports: php 7.0.24 [5]

• ports: python 2.7.14 [6]

We also are happy to announce the immediate availability of the renewed OPNsense 17.7 images based on version 17.7.5. Apart from the numerous improvements since the initial release, the images contain an addition for single interfaces SSH installer scenarios as well as an PPPoE multi-AP kernel patch. And due to popular demand the dynamic DNS plugin now comes preinstalled, something we missed in the original 17.7 plugin conversion process.

For almost 3 years now, OPNsense is driving innovation through modularising and hardening the code base, quick and reliable firmware upgrades, multi- language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

The full list of changes of OPNsense 17.7 can be reviewed using their original announcements:

• 17.7: https://forum.opnsense.org/index.php?topic=5604.0

• 17.7.1: https://forum.opnsense.org/index.php?topic=5863.0

• 17.7.2: https://forum.opnsense.org/index.php?topic=5956.0

• 17.7.3: https://forum.opnsense.org/index.php?topic=5994.0

• 17.7.4: https://forum.opnsense.org/index.php?topic=6041.0

• 17.7.5: this document

We would also like to use this opportunity to remind everyone that OPNsense is and always will be free software. All of its source code and associated build tools can be found here:

https://github.com/opnsense

Download links, an installation guide, the full list of changes and the checksums for the images can be found below.

Download Locations

• Europe: https://opnsense.c0urier.net/releases/17.7/

• US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/17.7/

• US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.7/

• South America: http://mirror.upb.edu.co/opnsense/releases/17.7/

• South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/17.7/

• Full mirror list: https://opnsense.org/download/

All images are provided with SHA-256 signatures, which can be verified against the distributed public key:

# openssl base64 -d -in image.bz2.sig -out /tmp/image.sig
# openssl dgst -sha256 -verify rsa.pub -signature /tmp/image.sig image.bz2

The public key for version 17.7 is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4pnxN5WeJxgthgJzfHEh
# iLYO5g6MItkv0YdNKNEUdij+wcYpPKNlvpI11QLEMGBy5gQJPuD9dlJYZiafIPwc
# 9TYSAjuvmZMf7DPWK6xRouTOyvpxROH3ncAEqIGjONr9VrH3hZNcbp3gvbcS+AuH
# yo8Tfyka7xtaBZGVkVeXYLuobUishdWMSsmB06BcPzBYDK+suIVrg4Y0sPcm4ST2
# o3RN5UbDYE4NTdOoBbswdTK8gqH5O81gdsm5F0AVisuJ2lYbY/rx/Ya9axc85Yyg
# tU9RbLl0453X6sES0XtdZigkD20RQ0dLqL1deGVVtPKuK0n09jPRMdyncN03lg4+
# UxMycSXbnCajOjmajCtRFUfBBf+LcMdY1Pw+JbVYu//OApi14UBforjOoA+8fA30
# d5PnzAWChpAlyuprtxgvGJXvk6cN7cVVWimwNAP70p7fMsFkslXUlrs7xt42+HCB
# qRmGPiBkP5xdryKxZmpM7j9v7b6zp/9qH9ZeAuu/YY5cKNV4HEsyQ8fQVZE6CxTJ
# Q0mgRrMAFinAC8dEv7V1BPbc03qXzqzKSUqy11zi8eH09SKB/LHmgFMghqzZ9jlD
# tJdZTRdl8pd6PxRLXzXHLum0ziRQlRMxKXevHZyU57MpskkCzrZuxOFb+jOHJpeP
# 4Kda10Dp7ujPdFHg1TEqQb0CAwEAAQ==
# -----END PUBLIC KEY-----

# SHA256 (OPNsense-17.7.5-OpenSSL-dvd-amd64.iso.bz2) = 3fab5b7f4596dc0300e4b36fb5fe8647ebd42750e6e28f5c7f1424ee07c350ec
# SHA256 (OPNsense-17.7.5-OpenSSL-nano-amd64.img.bz2) = 2924ceec3f11206e866c6146112ae14d304cd5e18acb3803a923e04019651c1b
# SHA256 (OPNsense-17.7.5-OpenSSL-serial-amd64.img.bz2) = 7a85ae36b52d6f85239b7a936cefa5c53dddfa272b968e24bc6b61c77f4dfbce
# SHA256 (OPNsense-17.7.5-OpenSSL-vga-amd64.img.bz2) = 730dfaad385642902d00dc7361fea6c6c7e1c1861cb576d54df03f9d8d2e29c6
# SHA256 (OPNsense-17.7.5-OpenSSL-dvd-i386.iso.bz2) = bece516dd4e0fafbd4fee07b5559563a66abd542a8eff9f3e833bc320338028f
# SHA256 (OPNsense-17.7.5-OpenSSL-nano-i386.img.bz2) = 9ea24329650487dc08b7e846bec4b0e75ae965c1ba948d02a0857f1b4dfc989c
# SHA256 (OPNsense-17.7.5-OpenSSL-serial-i386.img.bz2) = e600c0c223778425ed990ae3f34d68cbb705c563d1c309190fedbcc97f45861e
# SHA256 (OPNsense-17.7.5-OpenSSL-vga-i386.img.bz2) = 0600eedd7842187ccfa1f97642959d10fe290d2db60d10687d0089627f574efe

# MD5 (OPNsense-17.7.5-OpenSSL-dvd-amd64.iso.bz2) = ac69d1963ee0a45e705f3f7044d84511
# MD5 (OPNsense-17.7.5-OpenSSL-nano-amd64.img.bz2) = e5f8f7a321e16d7d1af0d99a0b2b8a80
# MD5 (OPNsense-17.7.5-OpenSSL-serial-amd64.img.bz2) = c8512821190515e9cc3ab6f7e76369dc
# MD5 (OPNsense-17.7.5-OpenSSL-vga-amd64.img.bz2) = 811eeb34bfb853b3f3f2185c244c8051
# MD5 (OPNsense-17.7.5-OpenSSL-dvd-i386.iso.bz2) = bfed9e4446738797525a3c6f790c4507
# MD5 (OPNsense-17.7.5-OpenSSL-nano-i386.img.bz2) = a56def558397d6f20a9ada4ab5cd9848
# MD5 (OPNsense-17.7.5-OpenSSL-serial-i386.img.bz2) = 404dc9a7d5f84244428d1e82302a45f2
# MD5 (OPNsense-17.7.5-OpenSSL-vga-i386.img.bz2) = b3ea683a928324d3fd149c2580bdde57

17.7.4 (September 27, 2017)

Another week, another update. Most notably, the Tor plugin has been officially released.

New images finally follow in 17.7.5 and we are happy to report that the shared forwarding additions are already up and running on the FreeBSD 11.1 kernel with two major improvements: IPv6 support and tryforward compatibility! That means 18.1-BETA and an associated public call for testing are not too far out at this point.

And here are the full patch notes:

• system: remove revoked certificates from list of certificates to revoke

• firewall: add advanced setting to disable interface gateway rules

• firewall: ignore gateway weight of zero

• firewall: add reply-to specific gateway in pluggable rules

• firewall: support anchor quick keyword in pluggable rules

• intrusion detection: do not allow interface group in selection

• openvpn: ns-cert-type becomes remote-cert-tls in client export

• web proxy: ICAP exclude list (contributed by Alexander Shursha)

• mvc: support value attribute for model option data

• installer: UEFI partition size increased to 200 MB

• installer: always error on password mismatch

• plugins: os-acme-client 1.11 [1] (contributed by Frank Wall)

• plugins: os-c-icap 1.1 logging and virus scan settings (contributed by Michael Muenz)

• plugins: os-tor 1.0 (contributed by Fabian Franz)

• plugins: os-zerotier 1.2.0 allows local.conf settings (contributed by David Harrigan)

• ports: libnghttp2 1.26 [2]

• ports: unbound 1.6.6 [3]

• ports: hyperscan 4.5.2 [4]

• ports: py-openssl 17.3.0 [5]

• ports: py-cryptography 2.03 [6]

17.7.3 (September 19, 2017)

We have the tiniest update today just to keep things fresh and moving forward. :)

Here are the full patch notes:

• interfaces: IPv6 tracking now configures DNS to exclusively use local service or global settings

• interfaces: fix provider selection for PPP

• intrusion detection: fix changing the action of rules prefixed with “#alert”

• ipsec: fix access to the shared key edit page

• web proxy: adjust default URLs for ICAP (contributed by Fabian Franz)

• plugins: os-dyndns 1.3 fixes Namecheap updates

• plugins: os-quagga 1.4.1 adds logging (contributed by Fabian Franz)

• ports: sudo 1.8.21p2 [1]

17.7.2 (September 13, 2017)

Today brings antivirus to your web proxy via plugins as promised in the last release announcement. Please note that we have updated the documentation on those subjects, something you will see with increasing frequency from now on.

Here are the full patch notes:

• system: make log file views adapt to log format to fix date display

• system: removed m0n0wall/pfSense config migration code

• reporting: traffic graph mini-graph additions (contributed by Jeffrey Gentes)

• firewall: align NAT target port to destination port when creating a new entry

• firewall: remove spurious filter reload page

• firewall: wrong double-encode in schedule descriptions

• firewall: naturally order settings menu

• firmware: fix ALLOW_RISKY_MAJOR_UPGRADE cron job parameter

• firmware: add new trusted fingerprint key for upcoming rotation

• firmware: ABI auto-append on custom flavour entry without multiple directories

• captive portal: small UX tweaks for dialogs and spacing

• intrusion detection: selectable home networks as advanced option

• intrusion detection: missing gzip decode on download

• unbound: restart on new WAN IP if explicit interface matches

• web proxy: log name now starts with a module name

• rc: clear /var/run contents on bootup

• ui: improved PHP 7.1 compatibility for static pages

• ui: updated nvd3 to version 1.8.5-dev

• ui: allow runtime bootgrid translation (contributed by Fabian Franz)

• plugins: migrate plugin models on install

• plugins: only restart configd once on reinstall

• plugins: os-acme-client 1.10 [1] (contributed by Frank Wall)

• plugins: os-clamav 1.0 [2] (contributed by Michael Muenz)

• plugins: os-c-icap 1.0 [3] (contributed by Michael Muenz)

• plugins: os-dyndns fix for Cloudflare proxy status (contributed by sll552)

• plugins: os-mdns-repeater [4] 1.0 (contributed by Fabian Franz)

• plugins: os-zerotier 1.1.0 (contributed by David Harrigan)

• ports: mpd 5.8_2 [5] [6]

• ports: php 7.0.23 [7]

• ports: sudo 1.8.21p1 [8]

17.7.1 (August 31, 2017)

Our first stable round of version 17.7 brings a number of improvements, fixes and software updates for third party services. Special attention goes to the major bump of LibreSSL from 2.4 to 2.5. NAT before IPsec is now also neatly integrated and there are new plugins for fast Collectd and Zerotier setup.

We would also like to use this opportunity to remind everyone that OPNsense is and always will be free software. All of its source code and associated build tools can be found here:

https://github.com/opnsense

Over the course of the coming weeks, we will be focusing on releasing the roadmap for version 18.1, ClamAV integration, PHP 7.1 and going back to a more frequent update schedule.

Here are the hotfixes issued with 17.7.1_2:

• system: ensure vital /var directories exist when not using /var MFS

• firewall: fix root-based cross-site scripting in pfInfo diagnostics

Here are the full patch notes of the initial 17.7.1:

• system: add email and comment field to users

• system: do not set LC_ALL locale

• firewall: fix floating rules default for quick parameter (contributed by Frank Wall)

• firewall: support outbound NAT source invert

• firewall: allow SSH installer anti-lockout on setups with only one interface

• firewall: add back interface gateway pinning when the protocol is assigned

• firewall: add optional VHID to support alias IP on CARP

• firewall: use privilege separation to fetch diagnostic states

• firmware: revoke 17.1 fingerprint

• interfaces: better labels for DHCPv6 extended settings (contributed by Fabian Franz)

• interfaces: fix display of validation error from gateway addition request

• interfaces: do not write defunct advanced settings

• interfaces: add ability to lock vital interfaces to prevent reboot network recovery

• interfaces: split device create and rename ifconfig calls as a single call can be unstable

• interfaces: probe VLAN hardware settings before changing

• reporting: better insight database corruption detection and repair

• captive portal: better login database corruption detection and repair

• captive portal: fix startup after unclean shutdown

• dhcp: fix string offset warnings in leases page (contributed by Elias Werberich)

• intrusion detection: fix startup after config import if no remote files have been downloaded yet

• ipsec: portable NAT before IPsec support [1]

• openvpn: fix Tunnelblick link on export page (contributed by Stefan Husch)

• openvpn: fix connected timestamp and bytes up/down display

• openvpn: write proxy auth file in shared key export

• openvpn: minor display tweaks in widget and configuration pages

• openvpn: local group restriction feature

• update: rename bootstrap “-V” argument to “-r” for consistency

• update: fix code bug for /etc/make.conf link rewrite on upgrade

• update: support “-S” argument to probe remote set size

• update: support loading kernel debug sets via “-g” option

• mvc: add standard dialog helper (contributed by Frank Wall)

• mvc: simplify language selection code (contributed by Alexander Shursha)

• mvc: allow to run targeted model migration if requested

• mvc: ensure backend-cached JSON data is valid

• lang: small updates to Chinese and German

• lang: Japanese back at 100% (contributed by Chie and Takeshi Taguchi)

• plugins: several updates for PHP 7.1 compatibility

• plugins: os-acme-client 1.9 (contributed by Frank Wall)

• plugins: os-collectd 1.0 (contributed by Michael Muenz)

• plugins: os-freeradius 1.0.1 (contributed by Micheal Muenz)

• plugins: os-dyndns 1.2 removes legacy notification support and adds regfish IPv4 and IPv6 as a provider

• plugins: os-haproxy 1.17 adds hard stop feature to avoid shutdown stalls (contributed by Frank Wall)

• plugins: os-rfc2136 1.1 removes legacy notification support

• plugins: os-zerotier 1.0 (contributed by David Harrigan)

• src: fix panic in PPPoE session lookup (contributed by Alex Dupre)

• src: add new USB ID for Sierra LTE modem

• src: fix VNET kernel panic with asynchronous I/O [2]

• ports: curl 7.55.1 [3]

• ports: isc-dhcp 4.3.6 [4]

• ports: libressl 2.5.5 [5]

• ports: phalcon 3.2.2 [6]

• ports: php 7.0.22 [7]

• ports: sqlite 3.20.1 [8]

• ports: strongswan 5.6.0 [9]

• ports: suricata 4.0.0 [10]

• ports: unbound 1.6.5 [11]

17.7 (July 31, 2017)

For more than two and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We are writing to you today to announce the final release of version 17.7, nicknamed “Free Fox”, which, over the course of the last 6 months, includes highlights such as SafeStack application hardening, the Realtek re(4) driver for better network stability, a Quagga plugin with broad routing protocol support and the Unbound resolver as the new default. Additionally, translations for Czech, Chinese, Japanese, Portuguese and German have been completed for the first time during this development cycle.

Focus in OPNsense has shifted to improving and streamlining its various systems and providing continuous updates, which amounts to over 300 individual changes made since 17.1 so far. The plugin infrastructure is growing as well thanks to our awesome contributors Frank Wall, Frank Brendel, Fabian Franz and Michael Muenz. And we, last but not least, have been working more closely than ever with HardenedBSD by unifying our ports infrastructure.

Download links, an installation guide [1] and the checksums for the images can be found below.

• Europe: https://opnsense.c0urier.net/releases/17.7/

• US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/17.7/

• US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.7/

• South America: http://mirror.upb.edu.co/opnsense/releases/17.7/

• South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/17.7/

• Full mirror list: https://opnsense.org/download/

Here is the full list of changes against version 17.7-RC2:

• interfaces: dhcp6c can now properly reload without leaking its listening socket to e.g. OpenVPN

• interfaces: correctly write Host-Uniq string in PPPoE configuration (contributed by Paolo Velati)

• firmware: fix JavaScript typo in the GUI that would prevent an update with a pending reboot

• firmware: zap spurious newlines in end-of-life message

• rc: allow to optionally prevent launch of configd via rc.conf variable

• rc: print root file system when boot is completed

• lang: Chinese 91% completed (contributed by Tianmo)

• lang: Czech 94% completed (contributed by Pavel Borecki)

• lang: German 100% completed (contributed by Fabian Franz et al)

• lang: Japanese 92% completed (contributed by Chie and Takeshi Taguchi)

• lang: Russian 89% completed (contributed by Smart-Soft)

• plugins: os-freeradius 1.0.0 (contributed by Michael Muenz)

• plugins: os-quagga 1.3.2 (contributed by Fabian Franz and Michael Muenz)

• src: do not update the LAGG link layer address when destroying a LAGG clone

• src pull the next header as well to restore filtering on incoming IPsec NAT-T traffic

• ports: haproxy 1.7.8 [2]

• ports: strongswan 5.5.3 [3]

The list of currently known issues with 17.7:

• Users from 17.7-RC2 may have trouble upgrading via the GUI [4] . Run “opnsense-patch 246513c” from the command line to correct this problem.

• A regression in floating rules in 17.7 does not honour the non-quick setting [5] . Run “opnsense-patch f25d8b” from the command line to correct this problem.

• The dynamic DNS functionality was moved to the “os-dyndns” plugin. It must be reinstalled after the upgrade if needed. Its settings are kept.

• The RFC 2136 functionality was moved to the “os-rfc2136” plugin. It must be reinstalled after the upgrade if needed. Its settings are kept.

All images are provided with SHA-256 signatures, which can be verified against the distributed public key:

# openssl base64 -d -in image.bz2.sig -out /tmp/image.sig
# openssl dgst -sha256 -verify rsa.pub -signature /tmp/image.sig image.bz2

The public key for version 17.7 is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4pnxN5WeJxgthgJzfHEh
# iLYO5g6MItkv0YdNKNEUdij+wcYpPKNlvpI11QLEMGBy5gQJPuD9dlJYZiafIPwc
# 9TYSAjuvmZMf7DPWK6xRouTOyvpxROH3ncAEqIGjONr9VrH3hZNcbp3gvbcS+AuH
# yo8Tfyka7xtaBZGVkVeXYLuobUishdWMSsmB06BcPzBYDK+suIVrg4Y0sPcm4ST2
# o3RN5UbDYE4NTdOoBbswdTK8gqH5O81gdsm5F0AVisuJ2lYbY/rx/Ya9axc85Yyg
# tU9RbLl0453X6sES0XtdZigkD20RQ0dLqL1deGVVtPKuK0n09jPRMdyncN03lg4+
# UxMycSXbnCajOjmajCtRFUfBBf+LcMdY1Pw+JbVYu//OApi14UBforjOoA+8fA30
# d5PnzAWChpAlyuprtxgvGJXvk6cN7cVVWimwNAP70p7fMsFkslXUlrs7xt42+HCB
# qRmGPiBkP5xdryKxZmpM7j9v7b6zp/9qH9ZeAuu/YY5cKNV4HEsyQ8fQVZE6CxTJ
# Q0mgRrMAFinAC8dEv7V1BPbc03qXzqzKSUqy11zi8eH09SKB/LHmgFMghqzZ9jlD
# tJdZTRdl8pd6PxRLXzXHLum0ziRQlRMxKXevHZyU57MpskkCzrZuxOFb+jOHJpeP
# 4Kda10Dp7ujPdFHg1TEqQb0CAwEAAQ==
# -----END PUBLIC KEY-----

# SHA256 (OPNsense-17.7-OpenSSL-dvd-amd64.iso.bz2) = 4169765919a01bd9a6313e7ff896976342bf13803e4c4979272f192c83a98ae6
# SHA256 (OPNsense-17.7-OpenSSL-nano-amd64.img.bz2) = 0eee04cbb084536bfa51e3cb6032e61d57ed904b01e5d2590b981ff16f1498b9
# SHA256 (OPNsense-17.7-OpenSSL-serial-amd64.img.bz2) = bc8b529accab5609aafaac04504cae48cbb69eb2320b72eadb9c3a1f1b0d4832
# SHA256 (OPNsense-17.7-OpenSSL-vga-amd64.img.bz2) = ade47234f81738138e05cdc2c2137515006da9bde7dba74df91d4503b96abca1
# SHA256 (OPNsense-17.7-OpenSSL-dvd-i386.iso.bz2) = df725d845014333b05f3a96cb8cbbb48dc5d712db72f7de94d5ac94fb17bcf89
# SHA256 (OPNsense-17.7-OpenSSL-nano-i386.img.bz2) = cde4440c15b0aee668353b6e6a394a0b98171a655574d2495933eb8e14181794
# SHA256 (OPNsense-17.7-OpenSSL-serial-i386.img.bz2) = 4aa1547dd50e23aa794925b997694631f713fc6a7325968faef67a4fbf7a11e3
# SHA256 (OPNsense-17.7-OpenSSL-vga-i386.img.bz2) = a9af8114d30adf391668c60d1a003c8c4a58aa6d73d461c2260131b824175ec6

# MD5 (OPNsense-17.7-OpenSSL-dvd-amd64.iso.bz2) = ec6fa7916fd41a5e09bcbbcadfe20941
# MD5 (OPNsense-17.7-OpenSSL-nano-amd64.img.bz2) = edded194ec7482bc8f55930c84f8021d
# MD5 (OPNsense-17.7-OpenSSL-serial-amd64.img.bz2) = 2a8953c1acaee9a56cd9c9cea710ef19
# MD5 (OPNsense-17.7-OpenSSL-vga-amd64.img.bz2) = 46d7c2446b9c8f79683d8067b97cc86e
# MD5 (OPNsense-17.7-OpenSSL-dvd-i386.iso.bz2) = 39f862a95ed2edb39ec9aa1d7db5c521
# MD5 (OPNsense-17.7-OpenSSL-nano-i386.img.bz2) = b11917992d6ca36f1d6e6c5265231cd7
# MD5 (OPNsense-17.7-OpenSSL-serial-i386.img.bz2) = e8549d9b882e67612221b7c0fef5814a
# MD5 (OPNsense-17.7-OpenSSL-vga-i386.img.bz2) = 143f0f352c7e697dc9ad42b0af641058

17.7.r2 (July 21, 2017)

For more than two and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We are writing to you today to announce the second release candidate for version 17.7, which, over the course of the last 5 months, includes highlights such as SafeStack application hardening, the Realtek re(4) driver for network stability, a Quagga plugin with broad routing protocol support and the Unbound resolver as the new default. Additionally, translations for Czech, Chinese, Japanese, Portuguese and German have been completed during this iteration.

Focus in OPNsense has shifted to improving and streamlining its various systems and providing continuous updates, which amounts to over 300 individual changes made since 17.1 so far. The plugin infrastructure is growing as well thanks to our awesome contributors Frank Wall, Frank Brendel, Fabian Franz and Michael Muenz. And we, last but not least, have been working more closely than ever with HardenedBSD by unifying our ports infrastructure. Although this is only the beginning, let us not skip ahead.

Here is the full list of changes against version 17.7-RC1:

• system: harden GUI by removing TLS_RSA_WITH_3DES_EDE_CBC_SHA

• system: harden GUI by improving Secure Attribute cookie usage

• system: harden GUI by using DH-4096 parameters

• system: regenerate Diffie-Hellman parameters

• system: allow to reverse password / token order in TOTP authentication

• system: added major GUI firmware upgrade code

• interfaces: fix WLAN device clone creation

• interfaces: improve LAGG MTU handling and reconfigure

• interfaces: Host-Uniq configuration option for PPPoE connections

• ipsec: IKEv2 can handle multiple phase 1 with the same IP

• installer: request password change after installation

• installer: now properly advertises itself as version 17.7

• rc: batch-run bootup command before starting services

• openvpn: normalise line endings like web GUI does

• openvpn: fix config read/write on PHP 7.1

• mvc: squelch a PHP notice on an undefined element in forms (contributed by Evgeny Bevz)

• lang: update Chinese, Czech, German, Japanese

• plugins: enable stable plugins for 17.7

• plugins: os-dyndns 1.1 fixes menu entry visibility

• plugins: os-quagga 1.3.2 (contributed by Fabian Franz and Michael Muenz)

• ports: php 7.0.21 [1]

• ports: perl 5.24.2 [2]

• ports: suricata 3.2.3 [3]

• ports: unbound 1.6.4 [4]

The list of currently known issues with 17.7-RC2:

• LAGG device destroy may cause a kernel panic. A fix is scheduled for 17.7.

• IPsec inbound packet filtering does not work under NAT-T. A fix is scheduled for 17.7.

• PPPoE Host-Uniq is still in the test phase and may not be fully operational.

• Configuration handling of static PHP is not always compatible with PHP 7.1 at this point. We are downgrading to 7.0 for the release of 17.7 to ensure integrity.

Users of 17.7-RC1 can upgrade to RC2 via the usual online updates. Images are not provided with this particular release. As always with our pre- releases, only OpenSSL is provided at this point, but can be switched for LibreSSL as soon as the release is available. This release candidate does update directly into the 17.7 stable track and subsequent release candidates. Please let us know about your experience!

17.7.r1 (July 14, 2017)

For more than two and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We are writing to you today to announce the first release candidate for version 17.7, which, over the course of the last 5 months, includes highlights such as SafeStack application hardening, the Realtek re(4) driver for network stability, a Quagga plugin with broad routing protocol support and the Unbound resolver as the new default. Additionally, translations for Czech, Chinese, Japanese, Portuguese and German have been completed during this iteration.

Focus in OPNsense has shifted to improving and streamlining its various systems and providing continuous updates, which amounts to over 300 individual changes made since 17.1 so far. The plugin infrastructure is growing as well thanks to our awesome contributors Frank Wall, Frank Brendel, Fabian Franz and Michael Muenz. And we, last but not least, have been working more closely than ever with HardenedBSD by unifying our ports infrastructure. Although this is only the beginning, let us not skip ahead.

Download links, an installation guide [1] and the checksums for the images can be found below.

• Europe: https://opnsense.c0urier.net/releases/17.7.r1/

• US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/17.7.r1/

• US West Coast: http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.7.r1/

• Full mirror list: https://opnsense.org/download/

Here is the full (and surprisingly sparse) list of changes against version 17.1.9:

• system: added swap file option for SSD deployments

• system: bring back crash reports for all types of kernel crashes

• system: LDAP server StartTLS connection mode (contributed by Eugen Mayer)

• system: prevent anonymous binds to AD by rejecting empty passwords

• console: rewrote the backup restore to fix a possible licensing issue

• interfaces: instead of renaming new interfaces create them with the target name

• interfaces: the IP renewal was redesigned to prevent spurious reloads

• firewall: gateway code refactored

• firewall: rule generation code refactored

• dynamic dns: removed from core, installable as plugin

• rfc 2136: removed from core, installable as plugin

• ipsec: removed stale BINAT configuration items

• proxy: hardened the SSL configuration (contributed by Fabian Franz)

• src: netgraph/pppoe: user-supplied Host-Uniq tag and PADM messages

The list of currently known issues with 17.7-RC1:

• WLAN devices cannot be created. A patch exists [2] to remedy this problem.

• LAGG device destroy may cause a kernel panic. A patch currently in testing.

• The installer identifies itself as 17.1.

As always with our pre-releases, only OpenSSL is provided at this point, but can be switched for LibreSSL as soon as the release is available. This release candidate does update directly into the 17.7 stable track and subsequent release candidates. Please let us know about your experience!

# SHA256 (OPNsense-17.7.r1-OpenSSL-dvd-amd64.iso.bz2) = 7455ff527a5e7ed1eac6db650fd4ddbd0a3257d2a270489fd85e273c83786d95
# SHA256 (OPNsense-17.7.r1-OpenSSL-nano-amd64.img.bz2) = 8c7e23f3dadc22bd03e174cc768c171207d4a0d95f32273d7a4baaf2fa678b57
# SHA256 (OPNsense-17.7.r1-OpenSSL-serial-amd64.img.bz2) = 597ca2fd3dfc7031785a35f5b23092633dee5ee1e385870ec977f364204035ed
# SHA256 (OPNsense-17.7.r1-OpenSSL-vga-amd64.img.bz2) = ebaa162d7184286e8b1a03976e0c6bb7220dff7e2fda9d709a2e32334bdf7100
# SHA256 (OPNsense-17.7.r1-OpenSSL-dvd-i386.iso.bz2) = 79affa59a6b7319278964890779e97ce6c89f3441bccaf783610b29c708198d8
# SHA256 (OPNsense-17.7.r1-OpenSSL-nano-i386.img.bz2) = 36476da5610a90ac5e110d0a87a26356477b5ce1e17e551c06be09d3c23e35ae
# SHA256 (OPNsense-17.7.r1-OpenSSL-serial-i386.img.bz2) = 514d2fef9efd081d2294cb961478ea85b7527e7f71091f91beed329c7ba36b5c
# SHA256 (OPNsense-17.7.r1-OpenSSL-vga-i386.img.bz2) = 6dc5bc2264767722c722b3d5f7b116e943e41374612256b94c32c4f6bbd05a5d

# MD5 (OPNsense-17.7.r1-OpenSSL-dvd-amd64.iso.bz2) = f5ec6d052c59ac785b7c631e8f24cb4a
# MD5 (OPNsense-17.7.r1-OpenSSL-nano-amd64.img.bz2) = 986754b73391f8a6e063842bbdd0ce4b
# MD5 (OPNsense-17.7.r1-OpenSSL-serial-amd64.img.bz2) = 8fa9c85c2bff1339f131d572c667b84d
# MD5 (OPNsense-17.7.r1-OpenSSL-vga-amd64.img.bz2) = 2427efe4140f634086cbaa71da7aec03
# MD5 (OPNsense-17.7.r1-OpenSSL-dvd-i386.iso.bz2) = 23f1f152a40d352809796046053972c9
# MD5 (OPNsense-17.7.r1-OpenSSL-nano-i386.img.bz2) = 02f1cdb6a64f598b809045c262e21b58
# MD5 (OPNsense-17.7.r1-OpenSSL-serial-i386.img.bz2) = 4c330c7dc7d8728bc061e4ba2399490c
# MD5 (OPNsense-17.7.r1-OpenSSL-vga-i386.img.bz2) = 0e5aa3f9117371e6c2acf93b29b25c79