18.1 “Groovy Gecko” Series

For more than three years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates, and clear and stable 2-Clause BSD licensing.

We humbly present to you the sum of another major iteration of the OPNsense firewall. Over the second half of 2017 well over 500 changes have made it into this release, nicknamed “Groovy Gecko”. Most notably, the firewall NAT rules have been reworked to be more flexible and usable via plugins, which is going to pave the way for subsequent API works on the core firewall functionality. For more details please find the attached list of changes below.

The upgrade track from 17.7 will be available later today. Please be patient. :)

Meltdown and Spectre patches are currently being worked on in FreeBSD [1], but there is no reliable timeline. We will keep you up to date through the usual channels as more news becomes available. Hang in there!

These are the most prominent changes since version 17.7:

  • FreeBSD 11.1, PHP 7.1 and jQuery 3 migration

  • Realtek vendor NIC driver version 1.94

  • Portable NAT before IPsec support

  • Local group restriction feature in OpenVPN and IPsec

  • OpenVPN multi-remote support for clients

  • Strict interface binding for SSH and web GUI

  • Improved MVC tabs and general page layout

  • Shared forwarding now works on IPv6, in conjunction with “try-forwarding” and improved reply-to multi-WAN behaviour

  • Easy-to-use update cache support for Linux and Windows in web proxy

  • Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)

  • Revamped HAProxy plugin with introduction pages

  • Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status

  • Alias backend rewrite for future extensibility

  • Plugin-capable firewall NAT rules

  • Migration of system routes UI and backend to MVC (also available via API)

  • Reverse DNS support for insight reporting (also available via API)

  • Fully rewritten firewall live log in MVC (also available via API)

  • New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, node_exporter

Download links, an installation guide [2] and the checksums for the images can be found below as well.

18.1.13 (July 24, 2018)

It is that time of the year again: this update is the last one in the 18.1 series and 18.7, nicknamed “Happy Hippo”, will be released next week!

The transition will be seamless when heeding the upgrade notes to be published with the 18.7 images on July 31. All 18.7-RC users will be able to upgrade right away. After a number of hours we will enable the upgrade path with a small hotfix to 18.1.13. This process may take up to 24 hours so please do not be alarmed about delays.

Here are the full patch notes:

  • system: restart syslog when interface bind addresses may have changed

  • system: remove unused action_disable setting in gateway monitoring

  • firmware: new mirror Dataroute (Dusseldorf, DE)

  • ntp: typo in SiRF selection

  • openvpn: translate validated field names

  • rc: unset rcvar before evaluation (contributed by Nicholas de Jong)

  • installer: give basic tip that GUI IP can be set in console after install (contributed by stilez)

  • plugins: os-theme-cicada 1.2 (contributed by Team Rebellion)

  • plugins: os-theme-rebellion 1.2 (contributed by Team Rebellion)

  • plugins: os-theme-tukan 1.1 (contributed by Team Rebellion)

  • ports: suricata 4.0.5 [1]

A hotfix release was issued as 18.1.13_1:

  • firmware: enable upgrade path to 18.7

18.1.12 (July 13, 2018)

This update ships a few minor bug fixes and several feature tweaks that were either wished for or contributed by the community. That is why we wholeheartedly love our community. <3

Here is the full list of changes:

  • system: improve local account expire cron job to also flush passwords and SSH keys

  • system: show fingerprint in certificate details (contributed by Robin Schneider)

  • system: fix Nextcloud file name format (contributed by Fabian Franz)

  • system: allow remote backup via cron command

  • interfaces: allow /0 to /32 in 6rd and align prefix length calculation with effective prefix used

  • firewall: do not trigger rules scheduling if scheduled rule is disabled

  • firewall: allow to select external aliases

  • firewall: ignore namelookup when no nameservers are configured

  • dashboard: remove tooltips from CPU widgets (contributed by Team Rebellion)

  • dashboard: add date to large CPU widget data

  • firmware: add Aalborg University mirror

  • intrusion detection: add missing classification category

  • ipsec: add mutual RSA and EAP-MSCHAPv2 support

  • wizard: make clear that “admin password” means “root password”

  • ui: when JQuery Bootgrid rowselect is enabled the click event is triggered twice

  • mvc: switch from the default $_GET["_url"] to $_SERVER["REQUEST_URI"] and let Phalcon handle the routing

  • mvc: dynamic urls regardless if you have a trailing slash or not (contributed by Max Orelus)

  • mvc: multiselect may allow empty option, no need to give blank item too

  • mvc: add support for application-specific field types

  • ui: top level menu item link pivots and security improvements (contributed by Max Orelus)

  • plugins: os-net-snmp 1.0 (contributed by Michael Muenz)

  • plugins: os-openconnect 1.1 (contributed by Michael Muenz)

  • plugins: os-web-proxy-sso UI fixes (contributed by Smart-Soft)

Stay safe, Your OPNsense team

18.1.11 (July 02, 2018)

A small update ships several improvements and preparations for the upcoming version 18.7. We are also bundling a patch for the lazy FPU state restore information disclosure.

Here are the full patch notes:

  • system: enforce full password policy check for local passwords including TOTP

  • system: add RFC 7919 DH parameter files for upcoming 18.7 feature

  • system: add 3072-bit RSA key length options to certificates (contributed by Justin Coffman)

  • system: move auto-cron jobs to plugin files

  • interfaces: refactor reload handling around interfaces_configure()

  • interfaces: allow private addresses in 6RD

  • interfaces: check existence of “status” (contributed by Tian Yunhao)

  • reporting: add NetFlow/Insight database force repair function

  • dhcp: update from ISC version 4.3 to 4.4

  • importer: allow ZFS import for upcoming 18.7 ZFS installer feature

  • importer: allow import from simple MSDOS USB drives

  • intrusion detection: add app detect rules (contributed by Michael Muenz)

  • rc: suppress message of service not enabled on NetFlow backup

  • rc: use exec in /etc/rc and /etc/rc.shutdown hooks

  • rc: rework rc.syshook facility to be driven by directories and not suffixes

  • unbound: remove defunct unbound_statistics() function

  • plugins: os-postfix 1.4 advanced force recipient check (contributed by Michael Muenz)

  • plugins: service start corrections for accompanying rc.syshook changes

  • src: incorrect TLB shootdown for Xen-based guests [1]

  • src: lazy FPU state restore information disclosure [2]

  • src: enable usage of locate(1) utility

  • ports: isc-dhcp 4.4.1 [3]

  • ports: php 7.1.19 [4]

  • ports: unbound 1.7.3 [5]

18.1.10 (June 21, 2018)

This update ships with the optional gateway monitoring tool dpinger and a new config backup option onto Nextcloud. SSL crypto libraries have been updated to address CVE-2018-0732 along with other updates to assorted third party software.

Here are the full patch notes:

  • system: provide default for user language

  • system: do not allow spaces in group names

  • system: dpinger gateway monitor option (contributed by Team Rebellion)

  • system: prepare for upcoming DH parameter regeneration feature

  • system: Nextcloud backup support (contributed by Fabian Franz)

  • system: userid 0 has trouble with %s in redirects, use %d instead

  • system: QR code quiet zone support [1]

  • system: add selectpicker style where previously missing

  • firmware: allow both origin.conf and OPNsense.conf to be used for repository setup

  • firmware: exclude password database files from base update as it breaks sudo

  • interfaces: clean up reload structure for single interfaces

  • interfaces: remove unused interface reload script

  • interfaces: simplify semantics of link_interface_to_track6()

  • interfaces: assorted cleanups in the code

  • firewall: add enable flag to shaper rules

  • firewall: improve parsing speed of firewall log

  • firewall: fix wrong alias reference in outbound rules

  • firewall: generate ipfw comments for debugging (contributed by Robin Schneider)

  • firewall: move color settings from schedules to theme (contributed by Fabian Franz)

  • intrusion detection: correct typo in CSS

  • openvpn: raise default DH parameter to 2048 bit

  • console: pass output of stop scripts to user during halt/reboot

  • console: clarify that installer is for installing when SSH is off also

  • rc: change NetFlow backup to only stop/start when needed

  • rc: backup and restore via XML files again

  • rc: slightly refactor halt/reboot/shutdown

  • rc: break out config stop script

  • rc: simplify configctl plumbing

  • ui: add country flags for upcoming changes in GeoIP handling

  • ui: trigger onChange event to support custom hooks in form post

  • ui: change multi-select default from tokenizer to selectpicker

  • ui: add support for custom separators in select items

  • plugins: test for template scripts before executing them

  • plugins: os-acme-client fixes password field usage

  • plugins: os-relayd 2.0 MVC rewrite (contributed by Frank Brendel)

  • plugins: os-smart 1.3 translation and UI fixes (contributed by Fabian Franz)

  • plugins: os-upnp daemon now uses CHECK_PORTINUSE and PF_FILTER_RULES port options

  • plugins: os-zerotier 1.3.2 translation and UI fixes (contributed by Smart-Soft)

  • ports: ca_root_nss 3.37.3

  • ports: libressl 2.6.5 [2]

  • ports: openssl patch for CVE-2018-0732 [3]

  • ports: phalcon 3.4.0 [4]

  • ports: sqlite 3.24.0 [5]

  • ports: strongswan 5.6.3 [6]

  • ports: unbound 1.7.2 [7]

18.1.9 (May 31, 2018)

This update brings a larger batch of firmware update improvements that are important for 18.7 and beyond, addressing the former lack of error handling, the speed of the check for updates, and the API capabilities for checking major upgrades.

Intrusion detection syslog behaviour changes slightly after a number of good discussions: syslog is now always on, while the former syslog option now steers whether fast log alert info is sent to syslog as well. This gives the best of both worlds and enables the syslog export that is now also available in the development version.

Last but not least we want to mention the work done on allowing detached UI development which is now included in the release. For more information check out the UI development tools [1] that have been released alongside.

There is more preparation underway for 18.7, but that information will have to wait as it is beyond the scope of this announcement. Feel free to check the milestone progress in the forums [2] regularly in the meantime.

Here is the full list of changes:

  • firewall: advanced option to reset states on IPv4 change

  • interfaces: rename $wancfg to $lancfg in tracking code

  • interfaces: further simplifications for dhclient usage

  • reporting: add logging to database repair stage

  • reporting: Insight click event issue

  • system: use uppercase gateway names for compatibility

  • system: gateway alert script always returns true

  • system: align static ACL check with MVC variant

  • system: pluggable backup support

  • system: configurable user landing pages

  • system: safety belt for password policy check

  • wizard: add missing element IDs to fix scripting issues

  • firmware: parse and return to be removed packages for update summary

  • firmware: release type change properly updates the repository and summary

  • firmware: extended settings can now be registered via XML files

  • firmware: return repository errors in greater detail (4 new error types)

  • firmware: make returned backend JSON a bit more human-readable

  • firmware: fix leak of base/kernel update info on package manager updates

  • firmware: refactor package manager update summary parsing for speed

  • firmware: add and use API for major upgrades

  • dhcp: fix unwanted name-server write in v6

  • dhcp: ldap-server does not exist in v6

  • intrusion detection: update classification.config

  • intrusion detection: optional fast log to syslog

  • ipsec: set ignore_acquire_ts to allow ASA compatibility

  • ipsec: add ike_name to syslog output

  • openvpn: improve validation between TCP, TCP4, TCP6, UDP, UDP4 and UDP6

  • console: manual pages for opnsense-importer and opnsense-installer

  • console: let opnsense-installer set up an early runtime environment

  • console: show firmware reboot hint prior to update when applicable

  • console: longer timeout for opnsense-importer invoke on first boot

  • console: proper return values for opnsense-importer in edge cases

  • mvc: support multiple directories for detached UI development

  • mvc: add AddressFamily option to NetworkField

  • mvc: non-functional menu node name tweaks

  • rc: action changes for “||” avoidance

  • ui: fix tokenizer selection when values and labels do not match

  • ui: serve 404 when page was not found

  • ui: add and use SVG logo support

  • ui: upgrade nvd3 to version 1.8.6

  • plugins: os-acme-client 1.15 [3] (contributed by Frank Wall and Omar Khalil)

  • plugins: os-freeradius 1.7.0 (contributed by Michael Muenz)

  • plugins: os-haproxy 2.7 [4] (contributed by Frank Wall)

  • plugins: os-postfix 1.3 (contributed by Michael Muenz)

  • plugins: os-siproxd 1.3 (contributed by Michael Muenz)

  • plugins: os-telegraf 1.4.0 (contributed by Michael Muenz)

  • plugins: os-theme-cicada 1.1 (contributed by Team Rebellion)

  • plugins: os-theme-rebellion 1.1 (contributed by Team Rebellion)

  • plugins: os-theme-tukan 1.0 (contributed by Team Rebellion)

  • ports: ca_root_nss 3.37.1

  • ports: curl 7.60.0 [5]

  • ports: pcre 8.42 [6]

  • ports: php 7.1.18 [7]

  • ports: pkg upstream fix for segfault on upgrade [8]

  • ports: unbound 1.7.1 [9]

18.1.8 (May 17, 2018)

This update to 18.1.8 contains several improvements, kernel security patches and third-party software updates.

Highlights include boot support on an otherwise installed ZFS. The default route handling was improved to minimise issues with unstable links. A NUT plugin is now available as well as a second optional theme.

Here are the full patch notes:

  • system: improve VLAN console assignment handling

  • system: move backup crypto code to the only page using it

  • system: improve validation for web GUI related settings

  • system: split off monitor reload for upcoming dpinger integration

  • system: default route handler skips an already active default route

  • system: default route handler purges hint files only when switching to a newer route

  • system: default gateway switching uses the standard default route handler

  • system: properly add LDAP picker to ACL

  • system: properly unset password expired message after password change

  • interfaces: clear up use IPv4 connectivity and fix several typos

  • interfaces: parse and report tunnel data

  • interfaces: move dhclient-script to proper location

  • interfaces: allow SLAAC to latch on to IPv4 link

  • reporting: add destination address in Insight detail search

  • dhcp: fix labels of services to align with menu

  • dhcp: domain-search-list usage was removed in 2012

  • ipsec: rewrite resolve_retry() for its only use case

  • ipsec: improve RADIUS secret escaping (contributed by Rafael Cano)

  • ipsec: fix missing disable of DH group setting

  • router advertisements: correctly merge DNS server arrays

  • router advertisements: fix DNSSL settings

  • router advertisements: fix duplicated subnet statements

  • openssh: also use static interface IP addresses to listen on explicitly

  • unbound: allow wildcard host entry (contributed by Eugen Mayer)

  • webgui: also use static interface IP addresses to listen on explicitly

  • backend: improve escaping of passed parameters

  • ui: correct height of the login title bar

  • ui: unify the label printing of interfaces

  • ui: refactor script match for help messages

  • rc: ZFS boot awareness

  • plugins: os-cache 1.0 is an optional web server cache for the GUI/API

  • plugins: os-debug 1.3 now holds its own PHP settings

  • plugins: os-nut 1.0 (contributed by Michael Muenz)

  • plugins: os-snmp 1.3 improves handling of interface binding

  • plugins: os-theme-cicada 1.0 (contributed by Rene via Team Rebellion)

  • src: mishandling of x86 debug exceptions [1]

  • src: multiple small kernel memory disclosures [2]

  • src: timezone database information updates [3]

  • ports: ca_root_nss 3.37

  • ports: krb5 1.16.1 [4]

  • ports: liblz4 1.8.2 [5]

  • ports: python 2.7.15 [6]

  • ports: sqlite 3.23.1 [7]

  • ports: sudo 1.8.23 [8]

18.1.7 (May 03, 2018)

It has been a while and judging by the extensive list of changes below one can easily see why. The impact footprint of this update, however, is relatively small. With this update we are also moving into the 18.7-BETA phase where avid users are invited to flip their release version from production to development in the firmware GUI settings.

Extensive work has been done for DHCPv6 connectivity by the wonderful folks of Team Rebellion, e.g. fixing the stale daemon issues that prevented connectivity after reconfiguration. OpenVPN was updated to version 2.4.6 and received a substantial server setup rejuvenation to allow out of the box IPv6 usage. LibreSSL received a bump in order to correctly speed up AES-NI, which had not been working since its update to version 2.6.

Users of the web proxy with IDNA domains must take note that the previous implementation was removed in favour of a less intrusive approach that does not require encoding and decoding domain names in the configuration. All domains are now stored verbatim and are only encoded during web proxy runtime setup. Formerly created and thus now wrongly encoded domains need to be deleted and added back. We are sorry for any inconvenience caused.

Here are the full patch notes:

  • system: validate pfsync peer as IPv4-only

  • system: flip order of arguments for system_routing_configure()

  • system: convert cron to mutable model controller

  • system: convert routing to mutable model controller

  • system: log table header cleanup

  • system: more aggressive factory reset and shut down after completion

  • system: remove duplicate addresses before binding web GUI and OpenSSH

  • system: fix Framed-Route parsing for RADIUS authentication

  • system: properly translate save message on user language change

  • interfaces: PPPoE link down script improvements

  • interfaces: emit prefix-interface for trackers in advanced DHCPv6 configurations

  • interfaces: DHCPv6 configuration creation breakout (contributed by Team Rebellion)

  • interfaces: SIGHUP reload for dhcp6c (contributed by Team Rebellion)

  • interfaces: wait for dhcp6c to be stopped by pending apply

  • interfaces: only reconfigure VLAN interface after edit when necessary

  • interfaces: create IPv4 and IPv6 tunnel gateways for GIF/GRE when the setup allows it

  • interfaces: remove unused $flush argument from various functions

  • interfaces: fixed creation of GIF/GRE tunnel with an outer IPv6 remote address (contributed by Christoph Engelbert)

  • interfaces: fixed router advertisement setup of former static but now tracking interface (contributed by Christoph Engelbert)

  • interfaces: remove obsolete address requirement for CARP VIPs

  • interfaces: back out get_dyndns_ip() IPv6 online detection and properly propagate a lookup error

  • interfaces: no more spurious redirection for dhclient invoke

  • firewall: remove a side effect from filter_delete_states_for_down_gateways()

  • firewall: adjust maximum table entries for error-free bogonsv6 usage

  • firewall: add buckets option to traffic shaper

  • firewall: update help text for port ranges (contributed by Michael Muenz)

  • power: power off modal to indicate that the GUI is no longer responsive

  • captive portal: add traffic data and IP address to RADIUS accounting messages (contributed by fvanroie)

  • captive portal: fix voucher table rendering issue seen in Firefox

  • intrusion detection: add destination IP to alert search (contributed by Jeffrey Gentes)

  • intrusion detection: add abuse.ch URLhaus rules

  • ipsec: keep road warrior rightsubnet to default as stated by the docs

  • ipsec: add missing phase 2 DH groups

  • openvpn: switch to interface “any” for IPv6-friendly defaults

  • openvpn: remove side-effects from configuration code

  • openvpn: let CIDR validation tell us that only one network is expected

  • openvpn: allow explicit selection of tcp4 and udp4

  • openvpn: wizard can now set IPv4/IPv6 tunnel, local and remote addresses

  • openvpn: improved automatic local port selection in wizard

  • openvpn: bigger wizard button on server list page

  • openvpn: allow IPv6-only tunnel setups

  • openvpn: assorted cleanups in the associated GUI pages

  • unbound: fix a faulty format string

  • web proxy: use error_directory translation as set by system language (contributed by Smart-Soft)

  • web proxy: add support for SNMP (contributed by Smart-Soft)

  • web proxy: rewrite the IDN support to only affect the template write

  • console: make tracking the default for LAN IPv6 during interface reconfiguration

  • console: reset VLANs as stated during port reconfiguration

  • mvc: track attached models of model relation fields

  • mvc: remove obsoleted “page-” prefix check for ACL

  • mvc: unit tests for DependConstraint

  • mvc: only use configdpRun() when needed

  • rc: generate and permanently save host ID

  • rc: always reload VPN after filter to allow for better default gateway switching

  • rc: reconfigure IPv4 and IPv6 only once after boot

  • rc: do not run plugin reconfigure if a system configuration is not present

  • ui: merge system activity and services diagnostics menu

  • ui: move defaults page from firmware to configuration section

  • ui: fix issue with typeahead selection in tokenizer

  • ui: order reporting menu naturally

  • lang: updates for Czech, French, German, Portuguese (Brazil)

  • plugins: os-acme-client 1.14 adds support for CloudDNS (contributed by Frank Wall)

  • plugins: os-freeradius 1.5.3_1 fixes form property auto-select

  • plugins: os-monit 1.7_1 merges setup code into migration framework

  • plugins: os-postfix 1.2 relax relay host validation (contributed by Michael Muenz)

  • plugins: os-rspamd 1.3 adds file for milter headers (contributed by Fabian Franz)

  • plugins: os-snmp 1.2 avoids usage of does_interface_exist()

  • plugins: os-web-proxy-useracl 1.1_1 reworks IDN support

  • plugins: os-zabbix-agent 1.3 adds working default values (contributed by Frank Wall)

  • ports: enable previously defunct AES-NI acceleration in LibreSSL 2.6

  • ports: switch from dhcp6 to our own lightweight dhcp6c [1]

  • ports: sudo upstream patch to correct a FreeBSD issue [2]

  • ports: openldap 2.4.46 [3]

  • ports: openssh 7.7p1 [4]

  • ports: openvpn 2.4.6 [5]

  • ports: perl 5.26.2 [6]

  • ports: php 7.1.17 [7]

  • ports: sqlite 3.23.0 [8]

A hotfix release was issued as 18.1.7_1:

  • mvc: fix regression in model relation load order [9]

18.1.6 (April 09, 2018)

With Meltdown and Spectre just behind us here comes another round of security advisories and assorted changes.

Three changes are worth mentioning: We are switching back to single-source automatic outbound NAT on the primary IP instead of using all additional VIPs on the interface, as was the case with OPNsense 17.7 and earlier. The hardware-assisted VLAN capability check was removed from the system, enabling e.g. Xen users to create VLANs. And the multi-WAN traffic shaping experience has been corrected for non-default interfaces within the scope of shared forwarding.

An image release based on this version is expected some time within the next week for completeness.

Here are the full patch notes:

  • system: reverse reload order for gateway switching on OpenVPN

  • system: implement password policies for local accounts

  • system: separate web GUI and configd log files

  • system: add syslog and login service visibility

  • system: show root as disabled in user manager if disabled

  • interfaces: no longer restrict VLAN driver capability

  • firewall: switch back to the pre-18.1 auto-outbound NAT behaviour

  • firewall: reload schedules 1 minute later

  • firewall: filter descriptions option does no longer exist

  • firewall: updated anti-lockout link (contributed by Michael Muenz)

  • firewall: fix help text in shaper masks (contributed by Michael Muenz)

  • firewall: add delay option to pipe in shaper (contributed by Michael Muenz)

  • reporting: add insight aggregator to service list

  • dashboard: large CPU usage widget (contributed by Team Rebellion)

  • dhcp: fix display of DUID in IPv6 leases

  • firmware: let opnsense-patch apply chmod even in partially failed patches

  • firmware: let opnsense-code fetch all remotes as well as prune them

  • intrusion detection: provide custom.yaml for user edits

  • web proxy: fix pid file pointer for service status probe

  • ui: help data-for attribute (contributed by NOYB)

  • ui: reversed zebra redraw on static page mobile forms

  • ui: cleanup for unused classes in static pages

  • mvc: add constraint type for dependent fields

  • plugins: merge rc.plugins_configure code into pluginctl

  • plugins: os-c-icap 1.5_1 service controller fix (contributed by Fabian Franz)

  • plugins: os-frr 1.3 adds BGP for IPv6 (contributed by Michael Muenz)

  • plugins: os-lcdproc-sdeclcd 1.0 release adds LCD usage to Lanner/Watchguard Firebox

  • plugins: os-monit 1.7 fixes compatibility with UI rework

  • plugins: os-rspamd 1.2 allows to specify bad file extensions (contributed by Fabian Franz and Michael Muenz)

  • plugins: os-shadowsocks 1.0 release (contributed by Michael Muenz)

  • plugins: os-theme-rebellion 1.0 release (contributed by Team Rebellion)

  • plugins: os-web-proxy-sso 2.2 adds XMLRPC sync (contributed by Smart-Soft)

  • plugins: os-web-proxy-useracl 1.1 adds XMLRPC sync (contributed by Smart-Soft)

  • plugins: os-zabbix-agent 1.2_1 fixes service controls

  • src: fix multi-WAN traffic shaper on non-default gateway interfaces

  • src: ipsec crash or denial of service [1]

  • src: vt console memory disclosure [2]

  • src: multiple minor kernel memory disclosures [3]

  • src: timezone database information update [4]

  • ports: dnsmasq 2.79 [5]

  • ports: openssl 1.0.2o [6]

  • ports: perl 5.26.1 [7]

  • ports: php 7.1.16 [8]

  • ports: squid 3.5.27 adds LDAP authentication

We are also happy to announce the immediate availability of the renewed OPNsense 18.1 images based on version 18.1.6. Apart from the numerous improvements since the initial release, the images contain three relevant fixes:

  • Fix Unbound DNS parameter underflow on systems with higher number of CPUs

  • Disable Health Reporting (RRD) by default on Nano images to reduce write cycles

  • Disable TRIM by default on Nano images to prevent corruptions of the file system

The full list of changes of the OPNsense 18.1 series can be reviewed using their original announcements:

Download links, an installation guide [9] and the checksums for the images can be found below as well.

All images are provided with SHA-256 signatures, which can be verified against the distributed public key:

# openssl base64 -d -in image.bz2.sig -out /tmp/image.sig
# openssl dgst -sha256 -verify rsa.pub -signature /tmp/image.sig image.bz2

The public key for the 18.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5kMyxEWUoyY3y8JLlOnz
j2dE1QPYmWspn5Diqf1T6uSh0/HA8TwnRvI4m82dC2kgnafVB85zIS+rXQLiyJZI
JEqmBS5f54kVcyJPVORe7NepJq372amAMTcpPwH4b0SS9ZETebAOyuHjdG/lCjKD
yt5W5ZvaMiDMWLVuw1ZlTIxLgkRuCHsk66E1bdoiIMdZPoyk2Q9WQd3PynLRBVHC
iT32cJ/NlHiLEALp0wcNr+FllmFQXahQ5R1uBcsE/IXa7Tg0QXlW7s5+d6NTwQ/d
7NVnfZzH8IiO0A/9O5jbBsD6HLmity5nMI+RBwFQ9OQoBNxl5aakkusizT6diMYb
PG+zPZsWo/ADqsbg1U/MMLJXD8CDFjcerhIDrrWSIVlSmQKw97nMK/TdUsqnVl7N
uDLl0RHe+N6ndmNGTQGg5HbrTmYKSEGBdS4xFtO60JCxubzfpvnkDnPCIJtxWukf
TzhORJHj2vkGLDA5FocTSOY76lWUO4qJQBA2bB3GtGbCm/nM4TlHpL4Kbf10IUJk
j1tRFi8gXNOhrdplFAR+lV/yy58/+ZOg61Yz7UvYG/A9rxGkyVmIjzB/4S6Wstye
IA6vpfzHwHq82hMqafCSB2KJciuKVEgVO6DHLV03VLTPqkJVsCbWXHgNjK2fQCFX
JeXNX68TcObIJzqbiegZYo8CAwEAAQ==
-----END PUBLIC KEY-----

SHA256 (OPNsense-18.1.6-OpenSSL-dvd-amd64.iso.bz2) = ee296edf026abd23b01d04c2aee7b9a0578ad4b3aa039e50eb40f720f13eac58
SHA256 (OPNsense-18.1.6-OpenSSL-nano-amd64.img.bz2) = 204e87a93b5bd0f7742e90bef8ae20bfd7c362a73ee29054a96356e9649572b3
SHA256 (OPNsense-18.1.6-OpenSSL-serial-amd64.img.bz2) = 063dc97b4177a932ba0bb243bec54b6b568ed84e515445b3eae7ba54f087478f
SHA256 (OPNsense-18.1.6-OpenSSL-vga-amd64.img.bz2) = 9be03dccce94705c35c476ea7ca0e2f42c70049ecc5c681a6dfe92b7f21d7c34
SHA256 (OPNsense-18.1.6-OpenSSL-dvd-i386.iso.bz2) = 06883a48295529bb7fae9fff4a77bbb95df9fcb08554f4c73aa3e0b894a4158b
SHA256 (OPNsense-18.1.6-OpenSSL-nano-i386.img.bz2) = ea87270fb5c83943c7cccae12ae9579f4f3a82489a901881cd4a786b7e09009d
SHA256 (OPNsense-18.1.6-OpenSSL-serial-i386.img.bz2) = 3ccbdf4fd31913afc93b0b51b4784df01d22ec03156659efe78d36ab2dcf222f
SHA256 (OPNsense-18.1.6-OpenSSL-vga-i386.img.bz2) = 252b16aae7592faf3d5912b5394124e494db7797ebeec7d6b7fae9a52ad28cd4
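The two openssl commands above are the whole verification procedure, but they are easy to get wrong in practice: the .sig file is base64 text and must be decoded first, the signature covers the compressed .bz2 archive (so verify before decompressing), and a matching checksum alone proves nothing if the checksum list came from the same place as a tampered image. The script below is an added example and is not part of the OPNsense announcement or the project's tooling. It wraps the published procedure in a function and exercises it end to end against a constructed fixture: a throwaway RSA key pair standing in for the 18.1 key, a fake "image" and a checksum list in the same "SHA256 (name) = hash" format as above. The file names image.bz2, image.bz2.sig, rsa.pub and SHA256SUMS are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not part of the OPNsense announcement: the image verification
# procedure run end to end against a constructed fixture (throwaway RSA key pair,
# fake image, checksum list) so it works offline. File names are assumptions.
set -eu

# verify_image IMAGE SIGFILE PUBKEY SUMSFILE
# Returns 0 only if the SHA-256 checksum matches the published list AND the
# detached signature verifies under PUBKEY. Both checks run on the compressed
# download, which is what the signature covers.
verify_image() {
    image="$1"; sig_b64="$2"; pubkey="$3"; sums="$4"

    # 1. Checksum against the "SHA256 (name) = hash" line for this file name.
    expected="$(awk -v f="$(basename "$image")" '$2 == ("(" f ")") { print $4 }' "$sums")"
    actual="$(openssl dgst -sha256 "$image" | awk '{ print $NF }')"
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "checksum mismatch or missing entry for $image" >&2
        return 1
    fi

    # 2. Signature: the .sig file is base64 text, decode it to raw bytes first,
    #    then verify the RSA signature over the SHA-256 digest of the image.
    rawsig="$(mktemp)"
    openssl base64 -d -in "$sig_b64" -out "$rawsig"
    if openssl dgst -sha256 -verify "$pubkey" -signature "$rawsig" "$image" >/dev/null 2>&1; then
        rm -f "$rawsig"
        return 0
    fi
    rm -f "$rawsig"
    echo "signature verification FAILED for $image" >&2
    return 1
}

# make_fixture: build a signed fake image in a fresh temp dir and print the dir.
# With a real download you use the vendor's published rsa.pub; signer.key exists
# here only so the example can produce a valid signature offline.
make_fixture() {
    dir="$(mktemp -d)"
    printf 'constructed stand-in for an image archive, not a real OPNsense image\n' > "$dir/image.bz2"
    openssl genrsa -out "$dir/signer.key" 2048 2>/dev/null
    openssl rsa -in "$dir/signer.key" -pubout -out "$dir/rsa.pub" 2>/dev/null
    openssl dgst -sha256 -sign "$dir/signer.key" -out "$dir/image.sig.raw" "$dir/image.bz2"
    openssl base64 -in "$dir/image.sig.raw" -out "$dir/image.bz2.sig"
    printf 'SHA256 (image.bz2) = %s\n' \
        "$(openssl dgst -sha256 "$dir/image.bz2" | awk '{ print $NF }')" > "$dir/SHA256SUMS"
    echo "$dir"
}

# Stand-alone demo (`sh verify.sh demo`): the pristine fixture passes; a tampered
# image is rejected even when the attacker also rewrites the checksum list,
# because the signature no longer verifies.
if [ "${1:-}" = "demo" ]; then
    d="$(make_fixture)"
    verify_image "$d/image.bz2" "$d/image.bz2.sig" "$d/rsa.pub" "$d/SHA256SUMS" && echo "pristine image: OK"
    printf 'x' >> "$d/image.bz2"
    printf 'SHA256 (image.bz2) = %s\n' "$(openssl dgst -sha256 "$d/image.bz2" | awk '{ print $NF }')" > "$d/SHA256SUMS"
    verify_image "$d/image.bz2" "$d/image.bz2.sig" "$d/rsa.pub" "$d/SHA256SUMS" || echo "tampered image: rejected"
    rm -rf "$d"
fi
```

The order of the two checks matters less than doing both: the checksum catches a corrupt download cheaply, while only the signature ties the file to the key holder, which is why the demo rewrites the checksum list after tampering and still expects a rejection.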

18.1.5 (March 21, 2018)

Today ships Meltdown and Spectre V2 mitigation for amd64, the latter only effective with the corresponding microcode update. However, combating speculative execution security issues remains an ongoing quest for the foreseeable future. To avoid surprises HardenedBSD has enabled Meltdown mitigation (PTI) by default even for AMD CPUs, which have not yet been found vulnerable. The performance impact is luckily minimal here, although the Spectre V2 mitigation (IBRS) can slow down CPUs with the respective microcode updates in place.

To opt out of one or both features, the following values can now be persistently set under System: Settings: Tunables:

  • Disable PTI via “vm.pmap.pti” to “0” and a reboot, and

  • Disable IBRS via “hw.ibrs_disable” to “1” with a simple “Apply”.

Here are the full patch notes:

  • system: optionally prefix Google Drive backups with host and domain name

  • system: also render tunables in loader.conf to obsolete loader.conf.local editing

  • interfaces: allow /127, /128 and /32 static IP address configurations everywhere

  • interfaces: improve logging and assorted cleanups (contributed by Team Rebellion)

  • interfaces: ignore dynamic linkup events for unassigned interfaces

  • interfaces: hide previously assigned interfaces from bridges

  • interfaces: allow all IPv6 prefixes from 48 to 64 for DHCPv6 mode

  • firewall: add VIP gateway option for PPPoE interfaces

  • firewall: add update interval option to log widget (contributed by NOYB)

  • firewall: respect mask in traffic shaper queue config (contributed by Michael Muenz)

  • firmware: fix opnsense-code for src.git and ABI probing

  • firmware: fix opnsense-patch file permission apply for plugins

  • intrusion detection: support request headers in ruleset metadata

  • openvpn: switch status to version 3 to avoid wrong parsing of commas

  • openvpn: parse all states to retrieve all relevant connection status info

  • captive portal: exclude “I” from simplified voucher character set for clarity

  • plugins: os-lldpd 1.1 adds interface selection (contributed by Michael Muenz)

  • plugins: os-monit 1.6 fixes file path validation (contributed by Frank Brendel)

  • plugins: os-postfix 1.1 adds smart host and SMTP authentication (contributed by Michael Muenz)

  • plugins: os-tinc 1.3 corrects host port usage (contributed by DasTestament)

  • plugins: os-tor 1.6 adds IPv6 and exit settings (contributed by Gijs Peskens)

  • ui: update tokenizer to 2.6, visual tweaks and blur-add

  • ui: buttons for services control in MVC (contributed by Smart-Soft)

  • src: reinitialize IP header length after checksum calculation [1]

  • src: fix IPsec validation and use-after-free [2]

  • src: update timezone database information [3]

  • src: update file(1) to new version with security update [4]

  • src: add mitigations for two classes of speculative execution vulnerabilities on amd64 [5]

  • ports: ca_root_nss 3.36

  • ports: curl 7.59.0 [6]

  • ports: igmpproxy 0.2.1 [7]

  • ports: lighttpd 1.4.49 [8]

  • ports: openvpn 2.4.5 [9]

  • ports: phalcon 3.3.2 [10]

  • ports: php 7.1.15 [11]

  • ports: strongswan 5.6.2 fix for public key authentication [12]

18.1.4 (March 09, 2018)

This small update swiftly follows 18.1.3 with security updates for DHCP and strongSwan and assorted fixes including multi-WAN failover cases.

Here are the full patch notes:

  • system: improved default route handling

  • system: improved gateway switching

  • system: cleanse username on LDAP import

  • system: increase maximum size of firmware reports

  • firewall: shaper backend refactor

  • interfaces: improved reconfigure phase

  • reporting: fix sporadic “non-numeric value encountered” error

  • captive portal: add voucher expiry (contributed by Stephanowicz)

  • intrusion detection: use latest ET Open rules for Suricata version 4

  • intrusion detection: proper syslog with drops, requires log file reset

  • intrusion detection: backend refactor

  • plugins: os-frr 1.2 adds OSPF interface type (contributed by Marius Halden)

  • plugins: os-haproxy 2.6 [1] (contributed by Frank Wall)

  • ports: isc-dhcp 4.3.6P1 [2]

  • ports: krb5 1.16 [3]

  • ports: pkg 1.10.5

  • ports: strongswan 5.6.2 [4]

18.1.3 (March 05, 2018)

Security updates for Squid, Suricata and NTP are now available, although more are pending, which points to a version 18.1.4 later this week. Also, a number of firewall section fixes have been included.

Here are the full patch notes:

  • system: account for variable headers in top output

  • system: move gateway status into main pages

  • system: slightly reorder routing configuration calls

  • system: optimize reading of SSL crypto library version string (contributed by Alexander Shursha)

  • system: rework LDAP authentication container selection

  • interfaces: avoid interaction of overview details with menu items

  • interfaces: allow “reject leases from” option in DHCP advanced settings

  • firewall: set alias cron update interval to 1 minute

  • firewall: align alias cron update with its background call

  • firewall: URL IP alias type missing in selections

  • firewall: fix defunct alias target in outbound NAT

  • firewall: ignore alias case while searching

  • firewall: move rule category filter to the top of the page

  • firewall: show IPv6 ports in live log and fix details for TCP

  • firewall: move general settings to AliasParser and fix Alias constructor to receive them

  • firewall: if the name of the alias equals its content try to resolve

  • dhcp: advertisement problem on PPPoE link without public IPv6 address (contributed by Team Rebellion)

  • dhcp: UEFI 64 network boot using wrong arch type

  • dhcp: validate maximum interface MTU

  • dhcp: add validation for DUID fields

  • ipsec: auto-route disable setting (contributed by Namezero)

  • network time: inline NMEA checksum calculator (contributed by Fabian Franz)

  • network time: fix stratum level write

  • unbound: optimize outgoing-range differently

  • unbound: local zone setting (contributed by NOYB)

  • ui: fix cropped dropdown regression

  • mvc: translate option values (contributed by Alexander Shursha)

  • mvc: fix access to undefined property translator

  • mvc: fix typo in getBase()

  • mvc: improve phpdoc

  • rc: protect console menu again, but keep shell invoke for rc.d subsystem

  • rc: fix some typos (contributed by John Eismeier)

  • rc: proper includes for plugin post-install hook

  • rc: recover all known shells

  • plugins: os-clamav 1.5 fixes log file parsing

  • plugins: os-frr 1.1 fixes service start on boot

  • plugins: os-haproxy 2.5 [1] with PROXY support and HAProxy 1.8 (contributed by Frank Wall)

  • plugins: os-monit 1.5 (contributed by Frank Brendel)

  • ports: mpd 5.8 [2]

  • ports: ntp 4.2.8p11 [3]

  • ports: squid 3.5.27 [4] [5]

  • ports: suricata 4.0.4 [6]

18.1.2 (February 08, 2018)

This update addresses an issue with OpenVPN client NAT since 18.1 and a default gateway disappearance during route reconfiguration. Assorted minor UI improvements have been made and both Phalcon and PHP are now on their latest version.

Here are the full patch notes:

  • system: avoid default route from disappearing when no manual gateways are set

  • firewall: fix outbound NAT for OpenVPN interfaces

  • interfaces: multiple overview page improvements (contributed by NOYB)

  • firmware: revoke 17.7 update fingerprint

  • console: check for root invoke in importer, installer and console menu

  • intrusion detection: always show schedule tab

  • intrusion detection: log first drop of a flow

  • intrusion detection: add a log file viewer

  • unbound: add num-queries-per-thread option values for 4096 and 8192

  • ui: remove chrome=1 from X-UA-Compatible meta element (contributed by NOYB)

  • ui: HTML compliance for attribute “type” on script element (contributed by NOYB)

  • ui: HTML compliance for “navigation” “role” on nav element (contributed by NOYB)

  • ui: checkbox and radio button label children tweaks (contributed by NOYB)

  • ui: break help text on small screens

  • ui: use pluggable locations for theme files

  • ui: remove table-responsive padding on small screens

  • ui: user-scalable viewport (contributed by NOYB)

  • mvc: CRUD functions for mutable model controller (contributed by Fabian Franz)

  • plugins: os-frr 1.0 with CRUD refactor (contributed by Fabian Franz)

  • plugins: os-tor 1.5 with CRUD refactor (contributed by Fabian Franz)

  • ports: phalcon 3.3.1

  • ports: php 7.1.14

A hotfix release was issued as 18.1.2_2:

  • console: do not yet check for root in console menu as it clashes with rc.d

  • mvc: fix a typo in the new CRUD getBase() call, currently unused

18.1.1 (February 02, 2018)

18.1.1 addresses issues in the previous release, while also updating the packages and plugins. Most notably, a Python library change had previously caused the intrusion detection rules fetch to fail, and we fixed GUI and backend behaviour for two special NAT cases.

Here are the full patch notes:

  • firewall: ignore target port alias in port forwards when it equals the destination

  • firewall: align outbound NAT address output to edit page

  • firewall: use first region for country in GeoIP category instead of last one

  • system: improve layout of gateway status labels (contributed by Fabian Franz)

  • system: improve order of group / user setup as “wheel” was not added correctly on save

  • dashboard: touch device improvements in widgets (contributed by NOYB)

  • opendns: always refresh the setting on save

  • openvpn: open links in a new tab (contributed by Fabian Franz)

  • ui: system-wide HTML compliance improvements (contributed by NOYB)

  • plugins: arp-scan 1.1 improves interface search (contributed by Giuseppe De Marco)

  • plugins: os-dyndns 1.6 fixes Route 53 IPv6 usage (contributed by theq86)

  • plugins: os-freeradius 1.5.2 clarifies certificate validation (contributed by Michael Muenz)

  • plugins: os-openconnect 1.0 (contributed by Michael Muenz)

  • plugins: os-rfc2136 1.2 improves widget load

  • plugins: os-telegraf 1.3.1 adds ping hosts and graphite validation fix (contributed by Michael Muenz)

  • plugins: os-rspamd 1.1 fixes typos (contributed by Fabian Franz)

  • plugins: os-zerotier 1.3.1 makes database persist on /var MFS (contributed by David Harrigan)

  • ports: curl 7.58.0 [1]

  • ports: py27-cryptography 2.1.4

18.1 (January 29, 2018)

For more than 3 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We humbly present to you the sum of another major iteration of the OPNsense firewall. Over the second half of 2017 well over 500 changes have made it into this release, nicknamed “Groovy Gecko”. Most notably, the firewall NAT rules have been reworked to be more flexible and usable via plugins, which is going to pave the way for subsequent API works on the core firewall functionality. For more details please find the attached list of changes below.

The upgrade track from 17.7 will be available later today. Please be patient. :)

Meltdown and Spectre patches are currently being worked on in FreeBSD [1], but there is no reliable timeline. We will keep you up to date through the usual channels as more news becomes available. Hang in there!

These are the most prominent changes since version 17.7:

  • FreeBSD 11.1, PHP 7.1 and jQuery 3 migration

  • Realtek vendor NIC driver version 1.94

  • Portable NAT before IPsec support

  • Local group restriction feature in OpenVPN and IPsec

  • OpenVPN multi-remote support for clients

  • Strict interface binding for SSH and web GUI

  • Improved MVC tabs and general page layout

  • Shared forwarding now works on IPv6, in conjunction with “try-forwarding” and improved reply-to multi-WAN behaviour

  • Easy-to-use update cache support for Linux and Windows in web proxy

  • Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)

  • Revamped HAProxy plugin with introduction pages

  • Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status

  • Alias backend rewrite for future extensibility

  • Plugin-capable firewall NAT rules

  • Migration of system routes UI and backend to MVC (also available via API)

  • Reverse DNS support for insight reporting (also available via API)

  • Fully rewritten firewall live log in MVC (also available via API)

  • New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, node_exporter

Download links, an installation guide [2] and the checksums for the images can be found below as well.

Here is the full list of changes against version 18.1-RC2:

  • system: recover static version of PHP configuration files during boot

  • system: show warning dialog when editing web GUI listening interfaces

  • system: allow dots in certificate details

  • system: remove workaround for new 32 bit mmap disallow default (see below)

  • firewall: fix port range forward expansion

  • firewall: move alias directory to persistent memory

  • firewall: fix alias resolve during boot

  • firewall: revert VIP gateway option for PPPoE interfaces

  • interfaces: fix header link in list widget

  • interfaces: defer IP renewal during boot

  • installer: full password recovery mode enables user and sets local authentication

  • installer: prevent MFS transition on install media after import

  • network time: use all our time servers and prefer the first

  • ui: revert menu positioning improvements

  • plugins: os-freeradius 1.5.1 adds LDAP search filter (contributed by Michael Muenz)

  • plugins: os-haproxy 2.4 [3] (contributed by Frank Wall)

  • plugins: os-node_exporter 1.0 (contributed by David Harrigan)

  • plugins: os-postfix 1.0 (contributed by Michael Muenz)

  • plugins: os-rspamd 1.0 (contributed by Fabian Franz)

  • plugins: os-telegraf 1.2 adds graphite and graylog output (contributed by Michael Muenz)

  • src: do not protect VLAN PCP write with the sysctl

  • src: enable numbered user class ID option in dhclient

  • src: set hardening.pax.disallow_map32bit.status=1 by default

  • ports: ca_root_nss 3.35

  • ports: libressl 2.6.4 [4]

  • ports: php 7.1.13 [5]

  • ports: sudo 1.8.22 [6]

  • ports: unbound 1.6.8 [7]

A hotfix release was issued as 18.1_1:

  • firewall: repair logic for ICMP fixup required by pfctl

All images are provided with SHA-256 signatures, which can be verified against the distributed public key:

# openssl base64 -d -in image.bz2.sig -out /tmp/image.sig
# openssl dgst -sha256 -verify rsa.pub -signature /tmp/image.sig image.bz2

The public key for the 18.1 series is:


18.1.r2 (January 15, 2018)

Long story short: we thank all early testers of 18.1-RC1! You guys have made it possible to push this online update of 18.1-RC2 sooner than anticipated.

Here are the full patch notes:

  • system: add workaround for new 32 bit mmap disallow default (requires reboot)

  • system: modify the boot sequence to improve initial IP assignment for PPPoE

  • system: support additional RADIUS attributes and show them in the authentication tester

  • system: only zap non-directories in /var/run on boot

  • system: remove mocked version string in high availability synchronisation

  • system: added mail facility remote logging

  • firewall: optional hash identifier for rules makes them easier to find in system file

  • firewall: support IPv4 + IPv6 selection for port forwards

  • firewall: add VIP gateway option for PPPoE interfaces

  • firewall: rename NPT to NPTv6 for clarity

  • firewall: race condition in creating alias directory

  • firewall: make NAT reflection enable less ambiguous

  • interfaces: fix “route change” usage in PPPoE name server setup

  • dhcp: properly route assigned IPv6 prefixes

  • firmware: new release type version is unknown when updates have never been checked

  • firmware: security audit previously said “upgrade done”

  • firmware: remove defunct mirrors

  • installer: allow to overwrite /boot even on read-only media

  • installer: restore DUID if found during early import

  • intrusion detection: fix backend scripts after refactor

  • openssh: tweak GUI display of greeting message

  • openssh: make not permitting root login explicit

  • openvpn: revert a change and fix deprecated option

  • web proxy: allow SSL nobump via CN

  • ui: HTML compliance fixes obsolete table attributes (contributed by NOYB)

  • ui: HTML compliance fixes attribute “type” on i-tag (contributed by NOYB)

  • ui: HTML compliance fixes attribute “for” on div-tag (contributed by NOYB)

  • ui: HTML compliance for license page and dashboard widgets (contributed by NOYB)

  • mvc: new validators for host names

  • plugins: pass update type on configure to avoid spurious syslog reloads

  • plugins: acme-client 1.13 [1] (contributed by Frank Wall)

  • plugins: c-icap 1.5 fixes startup race with clamav plugin

  • plugins: frr 1.0_1 fixes service probing

  • plugins: iperf 1.0 (contributed by Fabian Franz)

  • plugins: lldp 1.0 (contributed by Michael Muenz)

  • plugins: redis 1.0 (contributed by Fabian Franz)

The list of currently known issues with 18.1-RC2:

  • The firewall NAT rule generation rewrite is not yet fully verified.

  • The web GUI recovery is not yet fully implemented.

18.1.r1 (January 11, 2018)

For more than 3 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We humbly present to you the sum of another major iteration of the OPNsense firewall. Over the second half of 2017 well over 500 changes have made it into this first release candidate. Most notably, the firewall NAT rules have been reworked to be more flexible and usable via plugins, which is going to pave the way for subsequent API works on the core firewall functionality. For more details please find the attached list of changes below.

Meltdown and Spectre patches are currently being worked on in FreeBSD [1], but there is no reliable timeline. We will keep you up to date through the usual channels as more news becomes available. Hang in there!

Download links, an installation guide [2] and the checksums for the images can be found below as well.

Here is the full list of changes against version 17.7.11:

  • system: disabled AHCI MSI to prevent early mount failures with removable media

  • system: use correct crypto library to gather GUI SSL ciphers

  • system: added “save and go back” button to user edit page

  • system: removed obsolete host name routing support

  • system: do not wrap action buttons in tunables page

  • system: fix CA serial number decrement on save

  • system: added net.link.bridge.pfil_local_phys to tunables (contributed by David Harrigan)

  • system: routing configuration was converted to MVC/API (contributed by Fabian Franz)

  • firewall: enables shared forwarding in default configuration

  • firewall: enables sticky connections in default configuration

  • firewall: normal and dynamic log viewers have been superseded by live view

  • firewall: fold NAT reflection type selection into simple checkbox

  • firewall: added option for sticky outbound NAT for WAN VIPs

  • firewall: rewrite of the alias backend code

  • firewall: backend code cleanup

  • firewall: NAT rules have been made pluggable

  • firewall: add indicator for negated fields in shaper grid view (contributed by Fabian Franz)

  • firewall: better NAT formatting in states dump page

  • interfaces: DHCPv6 VLAN priority setting (contributed by Team Rebellion)

  • interfaces: DHCPv6 no release setting (contributed by Team Rebellion)

  • interfaces: only reload DHCPv6 upon correct reason (contributed by Team Rebellion)

  • interfaces: static IPv6 configuration over IPv4 link (contributed by Team Rebellion)

  • interfaces: allow persistent saving and customising of the system IPv6 DUID (contributed by Team Rebellion)

  • interfaces: automatic backup and restore of the system IPv6 DUID

  • interfaces: deferred reload of plugins and VPN upon new interface IP request

  • interfaces: DNS lookup API for firewall live log and insight reporting

  • interfaces: make level of detail stick in packet capture

  • interfaces: auto-lock problematic interfaces upon assignment

  • reporting: do not mark multiple sub-tabs in health page as active

  • firmware: allow to change the package release type

  • firmware: add a package health audit

  • firmware: list installed plugins at the top of the list

  • firmware: visibility for base and kernel sets in packages listing

  • firmware: allow base and kernel set reinstall and locking

  • firmware: remove the discontinued hotfix backend support

  • firmware: allow dot in package name during package action

  • installer: swap partition opt-out during guided installation

  • installer: root password reset tool for existing installations

  • installer: restore IPv6 DUID on config import

  • installer: limit swap partition size to 8 GB (contributed by Frank Wall)

  • ipsec: removed obsolete dynamic host name support

  • ipsec: local group authentication setting

  • ipsec: removed the obsolete “IPsec XAUTH dialin” privilege

  • network time: OPNsense NTP pool is now available and used in default configuration

  • network time: fix for valid negative offset in health graph

  • network time: fix parsing of overlong lines

  • openvpn: backend code cleanup

  • openvpn: multiple wizard fixes

  • power: reboot poll dialog

  • web proxy: proper reload on cache setting toggle

  • web proxy: use PID file instead of daemon name for status probe

  • web gui: strict interface binding

  • web gui: removed login autocomplete toggle, now off by design

  • wizard: add Unbound to wizard and unset DNSSEC by default

  • ui: reworked service control look and feel

  • ui: folded tabs for firewall rules, DHCP / RA interfaces and wireless status into menu

  • ui: HTML compliance fixes button in link usage (contributed by NOYB)

  • ui: auto-position menu when item list does not fit the screen

  • ui: reworked sub-tab look and feel

  • ui: added menu cache

  • ui: unification of layout of MVC and static page headers

  • ui: migrated to jQuery 3

  • ui: eliminate 300 ms tap delay (contributed by NOYB)

  • mvc: added ACL cache

  • mvc: added code-based ACL extensions

  • mvc: reload syslog settings for plugins

  • mvc: allow input fields to render as read-only (contributed by David Harrigan)

  • mvc: proper target page redirect after login

  • mvc: added mutable service controller

  • mvc: added sub-tab layout partials

  • mvc: do not render empty toggle header

  • plugins: c-icap 1.4 with multiple UI improvements (contributed by Alexander Shursha)

  • plugins: clamav 1.4 with multiple UI improvements (contributed by Alexander Shursha)

  • plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)

  • plugins: freeradius 1.5.0 with basic LDAP support (contributed by Michael Muenz)

  • plugins: frr 1.0 (contributed by Fabian Franz and Michael Muenz)

  • plugins: haproxy 2.3 allows disabling the introduction pages (contributed by Frank Wall)

  • plugins: helloworld 1.4

  • plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)

  • plugins: quagga 1.4.4 is end of life, please use FRR instead

  • plugins: tinc 1.3 with path MTU discovery

  • plugins: tor 1.4 adds contact info (contributed by Fabian Franz)

  • plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)

  • src: update Realtek driver to vendor version 1.94

  • src: update FreeBSD to 11.1-RELEASE-p6 with HardenedBSD additions

  • src: shared forwarding for IPv6 and try-forward support

  • ports: libressl 2.6.4 [3]

The list of currently known issues with 18.1-RC1:

  • The firewall NAT rule generation rewrite is not yet fully verified.

  • The web GUI recovery is not yet fully implemented.

All images are provided with SHA-256 signatures, which can be verified against the distributed public key:

# openssl base64 -d -in image.bz2.sig -out /tmp/image.sig
# openssl dgst -sha256 -verify rsa.pub -signature /tmp/image.sig image.bz2
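Both the 18.1 and the 18.1-RC1 notes give these two verification commands. The following added example (not the project's own code) wraps them in a script together with a check of the announcement-style SHA256 line, and shows that a modified image fails both; the key pair, the "image" and its signature are constructed on the spot so the script runs offline, and `sha256sum` is assumed to be available.

```shell
#!/bin/sh
# Added example, not part of the OPNsense release notes: run the two
# announcement commands against a self-made fixture and add the checksum
# comparison. Key pair, "image", signature and SHA256 line are constructed
# here so the script works offline; for a real download substitute the
# distributed rsa.pub, the downloaded image and its .sig, and the SHA256
# line from the announcement.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build stand-ins for the release artefacts (constructed, throw-away key).
make_fixture() {
    openssl genrsa -out "$WORK/rsa.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/rsa.key" -pubout -out "$WORK/rsa.pub" 2>/dev/null
    printf 'not a real firmware image\n' > "$WORK/image.bz2"
    # RSA signature over the SHA-256 digest, then base64 as shipped in .sig
    openssl dgst -sha256 -sign "$WORK/rsa.key" -out "$WORK/raw.sig" "$WORK/image.bz2"
    openssl base64 -in "$WORK/raw.sig" -out "$WORK/image.bz2.sig"
    # Announcement-style checksum line for the same file
    printf 'SHA256 (image.bz2) = %s\n' \
        "$(sha256sum "$WORK/image.bz2" | cut -d' ' -f1)" > "$WORK/CHECKSUMS"
}

# The announcement's two commands: decode the base64 signature, then verify
# it over the image with the public key. Returns 0 only if the signature is
# valid for exactly this file.
verify_signature() {
    pub=$1 sigfile=$2 image=$3
    openssl base64 -d -in "$sigfile" -out "$WORK/image.sig" &&
    openssl dgst -sha256 -verify "$pub" -signature "$WORK/image.sig" "$image" \
        >/dev/null 2>&1
}

# Cross-check the published SHA256 line against a local digest. The signature
# proves origin; the checksum additionally catches a truncated download.
verify_checksum() {
    checksums=$1 image=$2
    name=$(basename "$image")
    expected=$(sed -n "s/^SHA256 ($name) = //p" "$checksums")
    actual=$(sha256sum "$image" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Run both checks on the pristine fixture, then on a tampered copy: the
# tampered image must fail both. Returns 0 when every outcome is as expected.
demo() {
    make_fixture
    verify_signature "$WORK/rsa.pub" "$WORK/image.bz2.sig" "$WORK/image.bz2" || return 1
    verify_checksum "$WORK/CHECKSUMS" "$WORK/image.bz2" || return 1
    echo "pristine image: signature OK, checksum OK"
    printf 'x' >> "$WORK/image.bz2"   # simulate corruption or tampering
    if verify_signature "$WORK/rsa.pub" "$WORK/image.bz2.sig" "$WORK/image.bz2"; then return 1; fi
    if verify_checksum "$WORK/CHECKSUMS" "$WORK/image.bz2"; then return 1; fi
    echo "tampered image: signature and checksum both rejected"
}

demo
```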

The public key for the 18.1 series is:


As always with our pre-releases, only OpenSSL is provided at this point, but can be switched for LibreSSL as soon as the release is available. This release candidate does update directly into the 18.1 stable track and subsequent release candidates. Please let us know about your experience!
