OPNsense 19.7.2

OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. OPNsense started as a fork of pfSense® and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of both m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project. OPNsense offers weekly security updates in small increments to react to newly emerging threats in a timely fashion. A fixed release cycle of 2 major releases each year offers businesses the opportunity to plan upgrades ahead. For each major release a roadmap is put in place to guide development and set out clear goals.

Tags: network, firewalls, security
License: BSDL-2
State: stable

Recent Releases

19.7.2 (05 Aug 2019 15:03) minor bugfix: Here are the full patch notes:
o system: missing "" in legacy output via Syslog-ng
o system: fix writing gateway information for DNS servers
o system: allow gateway to work in DHCPv6 WAN when no router solicitation is available
o firewall: unhide automatic interface-based output rules
o firewall: unhide automatic non-interface-based floating rules
o firewall: lift length restriction in NAT rule description
o firewall: avoid newlines in rule descriptions
o firewall: only show usable addresses in NAT outbound rules
o interfaces: fix extended CARP output when parsing interface information
o interfaces: add more outputs to overview page to increase usefulness
o interfaces: use shared DHCP lease reader for ARP list
o captive portal: fix binary read issue in Python 3
o dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)
o firmware: handle file signature verify correctly with multiple fingerprint repositories
o firmware: Aivian mirror is no longer active
o firmware: Cloudfence mirror in Brazil added
o plugins: os-acme-client 1.24
o plugins: os-bind 1.6 (contributed by crazy-max)
o plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)
o plugins: os-grid_example 1.0
o plugins: os-helloworld Python 3 compatibility
o plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)
o plugins: os-sunnyvalley 1.0
o src: fix panic from Intel CPU vulnerability mitigation
o src: fix multiple telnet client vulnerabilities
o src: fix pts write-after-free
o src: fix kernel memory disclosure in freebsd32_ioctl
o src: fix reference count overflow in mqueuefs
o src: fix bhyve out-of-bounds read in XHCI device
o src: fix file descriptor reference count leak
o ports: libevent 2.1.11

19.7.1 (25 Jul 2019 14:36) minor bugfix: Here are the full patch notes:
o system: do not create automatic copies of existing gateways
o system: do not translate empty tunables descriptions
o system: remove unwanted form action tags
o system: do not include Syslog-ng in rc.freebsd handler
o system: fix manual system log stop/start/restart
o system: scoped IPv6 " " could confuse mwexecf(), use plain mwexec() instead
o system: allow curl-based downloads to use both trusted and local authorities
o system: fix group privilege print and correctly redirect after edit
o system: use cached address list in referrer check
o system: fix Syslog-ng search stats
o firewall: HTML-escape dynamic entries to display aliases
o firewall: display correct IP version in automatic rules
o firewall: fix a warning while reading empty outbound rules configuration
o firewall: skip illegal log lines in live log
o interfaces: performance improvements for configurations with hundreds of interfaces
o reporting: performance improvements for Python 3 NetFlow aggregator rewrite
o dhcp: move advanced router advertisement options to correct config section
o ipsec: replace global array access with function to ensure side-effect free boot
o ipsec: change DPD action on start to "dpdaction = restart"
o ipsec: remove already default "dpdaction = none" if not set
o ipsec: use interface IP address in local ID when doing NAT before IPsec
o web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen
o plugins: os-acme-client 1.24
o plugins: os-bind 1.6
o plugins: os-dnscrypt-proxy 1.5
o plugins: os-frr now restricts characters in BGP prefix-list and route-maps
o plugins: os-google-cloud-sdk 1.0
o ports: curl 7.65.3
o ports: monit 5.26.0
o ports: openssh 8.0p1
o ports: php 7.2.20
o ports: python 3.7.4
o ports: sqlite 3.29.0
o ports: squid 4.8

19.7 (23 Jul 2019 05:20) major feature: These are the most prominent changes since version 19.1:
o List automatic firewall rules
o Statistics for all firewall rules
o Alias JSON import / export
o Optional statistics for aliases
o Firewall rule locator for live log and automatic rules
o Rewritten gateway handling and switching
o Remote logging via Syslog-ng
o LDAP group sync support
o Support certificate signing requests
o Route-based IPsec support (VTI)
o XMLRPC sync support for alias, VHID, widgets
o Unbound host overrides alias support
o Web proxy and IPsec authentication using PAM
o Parent web proxy support
o Web proxy login privilege via group
o Improved reliability and utility of opnsense-patch
o Dpinger and DHCP servers ported to plugin framework
o Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
o Spanish as a new language
o Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin
o Netmap update for VirtIO, VLAN child and vmxnet support
o Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4

19.1.10 (05 Jul 2019 08:36) minor bugfix: Here are the full patch notes:
o system: change certificate manager actions to POST
o system: fix account removal with missing "-g" option
o system: add dashboard widgets to XMLRPC sync
o firewall: fix live log rule label mismatch caused by optimisation
o firewall: fix alias import with alias references included
o firewall: change default sorting of aliases to names
o firmware: add homelab.no mirror (contributed by Thomas Jensen)
o intrusion detection: when toggling rules keep the current action
o intrusion detection: suppress mystery PHP 7.2+ warning in API
o intrusion detection: show SID in alert view
o web proxy: add cache reset button
o web proxy: correct syslog export
o plugins: os-dyndns 1.6 DigitalOcean support (contributed by Dune Heishman)
o plugins: os-etpro-telemetry Python 3 support
o plugins: os-frr 1.11
o plugins: os-nginx 1.14
o plugins: os-rspamd 1.7
o plugins: os-tinc Python 3 support
o ports: ca_root_nss 3.44.1
o ports: curl 7.65.1
o ports: libevent 2.1.10
o ports: libxml 2.9.9
o ports: libressl 2.9.2
o ports: phalcon 3.4.4
o ports: strongswan 5.8.0
o ports: unbound 1.9.2

19.1.9 (11 Jun 2019 08:13) minor bugfix: Here are the full patch notes:
o system: add LDAP group synchronisation feature
o system: allow an arbitrary group for sudo like ssh login
o system: stop using a lock around resolv.conf handling
o system: rename a number of service-related functions
o system: login not using cache-safe image yet
o system: add pluginctl -s support
o system: restyle config backup page
o system: fix log split view regression of 19.1.8
o interfaces: remove DHCPv6 on delete and clear config on IPsec assignment
o interfaces: small VIP restructure and IPv6 alias to IPv6 device
o interfaces: subtle changes in IPv6 and variable naming
o interfaces: add missing does_interface_exist() checks
o firewall: support multiple interfaces per NAT port forward rule
o captive portal: use "onestop" to stop service
o intrusion detection: missing header ID in alerts tab
o ipsec: remove remnants of gateway group interface selection
o ipsec: use indirect plugin calls in interface code
o openvpn: add live-search to longer lists in server page
o openvpn: support --cryptoapicert export (sponsored by m.a.x it)
o openvpn: correctly check for translation in get_carp_interface_status()
o openvpn: use waitforpid() to properly wait for instances to come up
o openvpn: translate GUI error values when returning them
o openvpn: revamp status page
o unbound: leases watcher file rotation issue
o web proxy: squid log in readable date format (contributed by nhirokinet)
o web proxy: fix non-local authentication regression of 19.1.7
o plugins: os-bind 1.5
o plugins: os-clamav 1.7
o plugins: os-dnscrypt-proxy 1.4
o plugins: os-dyndns cloudflare wildcard domain support
o plugins: os-nginx 1.13
o plugins: os-openconnect 1.4.0
o plugins: os-redis 1.1
o plugins: os-rspamd 1.6
o plugins: os-theme-cicada 1.18 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.18 (contributed by Team Rebellion)
o ports: curl 7.65.0
o ports: lighttpd 1.4.54
o ports: python 3.7.3
o ports: openssl 1.0.2s
o por

19.1.8 (22 May 2019 08:29) minor bugfix: Here are the full patch notes:
o system: address CVE-2019-11816 privilege escalation bugs (reported by Arnaud Cordier)
o system: /etc/hosts generation without interface_has_gateway()
o system: show correct timestamp in config restore save message (contributed by nhirokinet)
o system: list the commands for the pluginctl utility when no argument is given
o system: introduce and use userIsAdmin() helper function instead of checking for 'page-all' privilege directly
o system: use absolute path in widget ACLs (reported by Netgate)
o system: RRD-related cleanups for less code exposure
o interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)
o interfaces: replace legacy_getall_interface_addresses() usage
o firewall: fix port validation in aliases with leading / trailing spaces
o firewall: fix outbound NAT translation display in overview page
o firewall: prevent CARP outgoing packets from using the configured gateway
o firewall: use CARP net.inet.carp.demotion to control current demotion in status page
o firewall: stop live log poller on error result
o dhcpd: change rule priority to 1 to avoid bogon clash
o dnsmasq: only admins may edit custom options field
o firmware: use insecure mode for base and kernel sets when package fingerprints are disabled
o firmware: add optional device support for base and kernel sets
o firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)
o ipsec: always reset rightallowany to default when writing configuration
o lang: say "hola" to Spanish as the newest available GUI language
o lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
o network time: only admins may edit custom options field
o openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure
o openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)
o openvpn: remove custom options field from wizard
o unbound: only admins may ed

19.1.7 (02 May 2019 13:37) minor bugfix: Here are the full patch notes:
o system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services)
o system: support for syncing alias and VHID to the slave
o system: cleanly rewrite CA root files and add local trusted CAs as well
o system: disable backup cron job when no backup is enabled
o system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri)
o system: migrate health graph scripts to Python 3.6
o interfaces: properly add and remove IPv6 trackers after interface apply
o interfaces: validate prefix ID of IPv6 trackers so that each ID is unique
o interfaces: display "0x" in prefix ID field so that it is clear that value is in hex
o interfaces: fix passing VLAN name in interface_virtual_create()
o interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters
o interfaces: allow link-local address on bridges via optional setting
o interfaces: PPP-related code cleanups
o firewall: prevent double-escaping of text in rules page
o firewall: handle IDNA encode failures in aliases
o firewall: alias import / export option
o captive portal: update to bootstrap 3.4.1
o captive portal: fix a race in directory creation and listClients()
o dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner)
o dhcp: merge static mac addresses with leases
o dhcp: prevent double-escaping of text in leases page
o firmware: add private log file for major upgrade package install step
o firmware: use a safer major upgrade package install mode
o firmware: retain /etc/motd on base updates
o ipsec: implemented wildcard includes (contributed by Mark Plomer)
o ipsec: only apply mobile PFS to mobile phase 2
o ipsec: restyle mobile settings a little
o ipsec: switch XAuth to PAM
o ipsec: partial fix for static routes on routed tunnels during boot
o network time: reload RRD since NTP has a setting for it
o web proxy: fix PAC weekday match labels

19.1.6 (12 Apr 2019 14:46) minor bugfix: Here are the full patch notes:
o system: let dashboard only accept its own POST requests
o system: remove obsolete symlink to opnsense-auth
o system: skip PHP E_WARNING log level until 19.7
o system: numerous PHP 7.2 warning fixes
o dhcp: DHCPD server check in relay only if interface is active
o dnsmasq: skip empty custom options
o intrusion prevention: do not drop flowbits:noalert rules
o unbound: add ACL entries for OpenVPN by default
o mvc: controller cleanups in firewall shaper, web proxy and captive portal
o plugins: numerous PHP 7.2 warning fixes
o plugins: os-freeradius 1.9.2 fixes LDAP group filter and EAP certificates write (contributed by Alexander Harm)
o plugins: os-nginx 1.11
o ports: php 7.2.17
o ports: py-certifi 2019.3.9

19.1.5 (08 Apr 2019 05:36) minor bugfix: These are the full patch notes:
o system: improve gateway status return when monitoring is off
o system: warn user about future deprecation of "user-config-readonly" privilege
o system: support certificate signing requests (contributed by nhirokinet)
o system: syslog does not need to do a background startup since it backgrounds itself
o system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz)
o system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri)
o interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys)
o interfaces: take all unknown arguments as real interfaces in interfaces_addresses()
o interfaces: optionally allow interfaces_addresses() to emit subnets instead of addresses
o interfaces: move mpd.script to new location (may require interface reconfigure)
o firewall: proper locking of aliases before config action on delete
o firewall: correctly set outbound NAT destination as network
o firewall: add support for DSCP in shaper (contributed by Michael Muenz)
o firewall: add support for IDN in aliases (contributed by Smart-Soft)
o captive portal: allow access to this host (contributed by Fredrik Ronnvall)
o firmware: fix parsing of packages in multi-repo env and revoked fingerprint message
o firmware: add University of Kent to the firmware mirrors
o ipsec: only use explicit reqid when using route-based interfaces
o ipsec: correctly set install policy option on newly created phase 1 entries
o ipsec: improve split DNS and INTERNAL_DNS_DOMAIN configuration
o ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin)
o ipsec: properly quote UNITY_BANNER for multi-line support
o ipsec: support for dynamic remote gateways
o monit: add migration/validation for service/test type dependency (contributed by Frank Brendel)
o monit: added missing "not on" label
o openvpn: support static-challenge formatted password
o openvpn: properly load custom config field in exporter
o openvpn:

19.1.4 (12 Mar 2019 11:44) minor bugfix: Here are the full patch notes:
o system: remove erroneously translated hostname example (contributed by nhirokinet)
o firewall: fix validation regression in outbound NAT introduced in 19.1.3
o firewall: mock labels for NAT rules in live log as pf does not offer label support
o interfaces: do not background LAGG ifconfig destroy
o installer: revert to use network connection to allow CTRL+C and resume
o ipsec: added Virtual Tunnel Interface (VTI) support
o unbound: fix nested statistics items read
o mvc: remove old Phalcon volt template workarounds from when scopes were broken
o mvc: fix bug in model relation field values merge
o plugins: os-zabbix4-proxy PSK directory fix (contributed by Michael Muenz)
o plugins: os-telegraf missed invoke of setup.sh
o plugins: os-frr adds validator to OSPF prefix lists (contributed by Michael Muenz)
o plugins: os-dmidecode 1.1 fixes data parsing (contributed by Smart-Soft)
o plugins: os-nginx 1.9
o src: do not pass pf(4) IPv6 fragments with malformed extension headers (reported by Synacktiv)
o src: revert upstream commit "protect the kernel text, data, and BSS" to fix certain UEFI boots
o ports: monit 5.25.3
o ports: ntp 4.2.8p13
o ports: php 7.1.27
o ports: suricata 4.1.3

19.1.3 (08 Mar 2019 10:01) minor bugfix: Here are the full patch notes:
o system: improve LDAPS mode and related authentication cleanups
o system: move enable checkbox to the top in remote logging settings
o system: allow reset of tunables to factory defaults
o system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1)
o firewall: allow explicitly setting source hash key in outbound NAT (Fredrik Ronnvall)
o interfaces: probe media before applying new settings
o interfaces: correctly compare MAC addresses
o dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner)
o firmware: move duty to return the correct set name / ID to opnsense-version
o firmware: finally revoke 18.7 fingerprint
o intrusion detection: minor template cleanups using helpers.empty()
o ipsec: peer identifier can now fall back to remote-gateway in manual SPD entries
o ipsec: allow easier override of colours in widget (contributed by Fabian Franz)
o monit: add validation for test type (contributed by Frank Brendel)
o openvpn: add auth-nocache option in exporter
o openvpn: validate certificate type for servers
o unbound: add host overrides alias support
o web proxy: add auth to parent proxy (contributed by Michael Muenz)
o backend: add helpers.empty() in configd
o mvc: simplify save / close / cancel button labels
o mvc: add sorting for field list types
o rc: move all template generation to early stage
o ui: improve escaping of displayed data in static pages
o ui: escape button values in static pages
o ui: avoid short PHP tags
o plugins: os-dnscrypt-proxy 1.3
o plugins: os-frr brings in missing area range code
o plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz)
o plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion)
o plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion)
o plugins: os-vnstat /var MFS fix
o plugins: os-zabbix4-proxy 1.0 (contributed by Michael Muenz)
o ports: openssl 1.

19.1.2 (07 Mar 2019 06:29) minor bugfix: Here are the full patch notes:
o system: move session files into their own directory (forces the current sessions to expire)
o system: add validation check for time period for Dpinger (contributed by Team Rebellion)
o system: hide "show certificate info" button of pending CSR (contributed by nhirokinet)
o system: move opnsense-auth to libexec, but keep a symlink in sbin directory
o system: escaping issue in gateway edit page
o system: fix ACL for halt and reboot pages
o firewall: fix alias entry replacement in utility page
o firewall: prevent new alias creation when adding an address
o firewall: capture "nat" traffic like we do for "rdr" in live log
o firewall: escaping issues in schedule edit page
o interfaces: push dhclient and dhcp6c log messages to system log
o interfaces: write all nameservers via dhclient-script in multi WAN scenarios
o interfaces: check for valid alias IP in dhclient-script
o interfaces: 6RD interface naming back to 18.7 to sidestep character limits on stacked setups
o interfaces: avoid reading empty interface configurations
o firmware: bootstrap rework for HTTPS repository URL
o firmware: patch cache and assorted improvements
o firmware: minor update utility cleanups
o firmware: remove compatibility stubs for pre-19.1 version reads
o firmware: show revoked package mirror error in GUI if applicable
o firmware: bump RageNetwork mirror to HTTPS
o firmware: be more careful about parsing version info
o dhcp: fix behaviour of determining primary/secondary (contributed by Fredrik Ronnvall)
o intrusion detection: set stream.inline: true as an IPS workaround for a Suricata 4.1 regression
o intrusion detection: support required rules/files in metadata package
o intrusion detection: less extensive logging
o ipsec: fix escaping issue in mobile page
o monit: fix address validation
o openvpn: obey verify-x509-name for remote access (user auth)
o openvpn: proper daemonize instead of background job
o openvpn: extract full CA chain for setup
o openvpn: m

19.1.1 (06 Feb 2019 07:21) minor bugfix: Here are the full patch notes:
o system: address XSS-prone escaping issues
o firewall: add port range validation to shaper inputs
o firewall: drop description validation constraints
o interfaces: DHCP override MTU option (contributed by Team Rebellion)
o interfaces: properly configure SIM PIN on custom modems
o reporting: prevent cleanup from deleting current data when future data exists
o ipsec: allow same local subnet if used in different phase 1 (contributed by Max Weller)
o openvpn: multiple client export fixes
o web proxy: add ESD files to Windows cache option (contributed by R-Adrian)
o plugins: os-acme-client 1.20
o plugins: os-dyndns fix for themed colours (contributed by Team Rebellion)
o plugins: os-etpro-telemetry 1.1 adds random delay to telemetry data send
o plugins: os-nginx 1.7
o plugins: os-rspamd reads DKIM keys via Redis (contributed by Garrod Alwood)
o plugins: os-theme-cicada 1.14 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.13 (contributed by Team Rebellion)
o ports: ca_root_nss 3.42.1
o ports: lighttpd 1.4.53
o ports: py-request 2.21.0

19.1 (04 Feb 2019 09:45) major feature: These are the most prominent changes since version 18.7:
o fully functional firewall alias API
o PIE firewall shaper support
o firewall NAT rule logging support
o 2FA via LDAP-TOTP combination
o WPAD / PAC and parent proxy support in the web proxy
o P12 certificate export with custom passwords
o Dpinger is now the default gateway monitor
o ET Pro Telemetry edition plugin
o extended IPv6 DUID support
o Dnsmasq DNSSEC support
o OpenVPN client export API
o Realtek NIC driver version 1.95
o HardenedBSD 11.2, LibreSSL 2.7
o Unbound 1.8, Suricata 4.1
o Phalcon 3.4, Perl 5.28
o firmware health check extended to cover all OS files, HTTPS mirror default
o updates are browser cache-safe regarding CSS and JavaScript assets
o collapsible side bar menu in the default theme
o language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
o API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat and Dnscrypt-proxy plugins

18.7.10 (08 Jan 2019 08:27) minor feature: Here are the full patch notes:
o system: P12 certificate export now allows to specify a password
o system: allow plain IPv6 for LDAP and RADIUS host
o system: properly sort columns with size units in activity page
o system: remove references to "automatic" in HA help texts
o system: add option to only show temperature of one core in widget
o system: speed up isArraySequential()
o system: introduce configdp_run() variant
o system: assorted code cleanups
o interfaces: only show name servers offered by individual link in status page
o interfaces: DUID-LL generator fix (contributed by Team Rebellion)
o interfaces: show disabled and virtual interfaces in groups
o interfaces: change wireless page interface iterators
o interfaces: change LAGG page interface iterators
o interfaces: remove unused get_dns_servers()
o interfaces: assorted code cleanups
o firewall: fix an exception error in alias config read
o firewall: fix typo in outbound NAT destination help text
o firewall: rename "Localhost" to "Loopback" for clarity in virtual IP pages
o firewall: unify anti-lockout behaviour to match rules and GUI display
o firewall: switch to tokenizer for shaper source and destination fields
o firewall: fix alias utility issue when adding into empty alias
o firewall: correct alias name limit to 31 characters
o firewall: bring back auto-complete for nested aliases
o firewall: NAT rules on reflection for port forwards only when address exists on interface
o firewall: lower bogon download retry attempts to 3
o firewall: schedule JS code update
o captive portal: add setting to always send accounting requests
o captive portal: assorted code cleanups
o dhcp: DHCPv6 leases not always correctly displayed (contributed by Team Rebellion)
o dhcp: override IPv6 PD range fix (contributed by Team Rebellion)
o dhcp: switch subnet verification to new network interface retrieval
o firmware: individual error messages during base and kernel installation
o firmware: obsolete set usage has been removed, e

18.7.9 (13 Dec 2018 07:45) minor feature: Here are the full patch notes:
o system: allow setting alternative names on CSR
o system: add link-local routes with correct scope
o system: fix LDAP import button for Firefox
o system: assorted cleanups in HTML and PHP code
o interfaces: add note about CGN addresses included in private range
o interfaces: fix checksum disable for IPv6 TX / RX flags
o interfaces: multiple type DUID support (contributed by Team Rebellion)
o interfaces: properly read and write dhcp6c DUID binary file
o interfaces: do not read VLAN capabilities from nonexistent interfaces
o interfaces: removal of PEAR.inc from IPv6 address library
o interfaces: assorted cleanups in HTML and PHP code
o firewall: only suffix subnet alias entry when a network is expected
o firewall: default alias protocol to both IPv4 and IPv6
o firewall: fix validation of outbound NAT destination alias
o firewall: fix performance regression in get_alias_description()
o firewall: repair defunct "no nat proto carp all" rule
o firewall: limit type to CARP when checking for VIP VHID reuse
o firewall: refactor subnet retrieval in VIP deletion
o firewall: display VHID for IP alias in overview
o firewall: DHCPv6 outgoing firewall rule changed to "from (self)" to fix static setups
o firewall: rearranged outbound NAT bottom symbol hints (contributed by Team Rebellion)
o firewall: ignore empty values in alias migration (contributed by Frank Wall)
o firewall: assorted cleanups in HTML and PHP code
o captive portal: work around service boot ordering issue
o captive portal: change "onestop" to "stop" in backend action
o dnsmasq: add DNSSEC option
o dnsmasq: assorted cleanups in HTML and PHP code
o dhcp: show lease count in page heading
o dhcp: refactor IPv6 subnet read
o dhcp: fix DDNS IPv6 algorithm use
o dhcp: assorted cleanups in HTML and PHP code
o firmware: opnsense-version can now handle kernel, base and plugin metadata
o firmware: when pkg needs to be updated do not prompt for base and kernel set
o firmware: use embedded obso

18.7.8 (23 Nov 2018 06:17) minor feature: Here are the full patch notes:
o system: show the actual validation messages for NextCloud backup constraints
o system: LDAP import button primary colour and prevent default page submit
o system: add LDAP+TOTP authentication variant (2FA)
o system: avoid silent fatal error when LDAP OUs could not be retrieved
o system: avoid duplicated cookies on login page by not closing session
o system: allow to fully disable misc. reboot failsafe backups
o system: switch default argument for return_gateways_status()
o system: add "Synchronize config to backup" button to HA status page
o system: disable help text expand when backup fields have no help text
o system: sort user and group lists alphabetically
o interfaces: add CARP info to legacy_interfaces_details()
o interfaces: removal of find_interface_subnet() and find_interface_subnetv6()
o interfaces: introduce find_interface_network() and find_interface_networkv6()
o interfaces: refactor find_interface_ip() and find_interface_ipv6()
o interfaces: fix and use ipaddr6_ll return value in find_interface_ipv6_ll()
o firewall: extend outbound NAT address source and destination with networks
o firewall: fix save error when alias name contains an underscore
o firewall: do not set days or hours when update frequency is empty
o firewall: increase resolve() performance for aliases
o firmware: change packaging to be able to place files in the root directory
o reporting: fix possible division by zero in NetFlow aggregator
o dhcp: reorder arguments of function services_dhcpd_configure()
o dhcp: consolidate service probe of IPv6 and router advertisement daemons
o dhcp: fix clear hook on log file delete
o importer: make clear that /conf/config.xml is required for any import to take place
o monit: add quotes and timeout to custom program path (contributed by Frank Brendel)
o monit: add SSL options to mail server connection (contributed by Frank Brendel)
o network time: improve GPS status parsing
o openvpn: add remote address as route when s

18.7.7 (08 Nov 2018 19:00) minor feature: Here are the full patch notes:
o system: CVE-2018-18958 prevent restore of configuration of read-only user (reported by brainrecursion)
o system: prevent related read-only user configuration manipulation for history and defaults pages
o system: prevent several creative ways to strip read-only privileges in the user and group manager
o system: allow wildcards in certificate subject alternative name
o system: avoid direct global access in routing setup
o system: do not offer root-only opnsense-shell to non-root users
o system: remove FreeBSD 10 password workaround
o interfaces: use pure jquery to avoid browser-specific behaviour
o interfaces: nonfunctional cleanups in backend and interface GUI configuration
o interfaces: clear the correct IPv6 state files on interface down
o interfaces: wait for PPPoE to fully exit on interface down
o firewall: fix port alias conversion under new API
o firewall: missing filter reload for port alias types
o firewall: missing "other" type in VIP network expand
o firewall: disabled alias should leave us with an empty one
o firewall: category for "United States" moves from Pacific to America
o firewall: resolve outbound NAT interface address in kernel
o dhcp: only map enabled interfaces in IPv4 leases
o dhcp: interface iteration code cleanups
o dhcp: do not hand out IPv6 system DNS servers when Unbound or Dnsmasq are used
o dhcp: IPv6 PD in manual DHCPv6 case (contributed by Team Rebellion)
o dhcp: correctly merge prefix for IPv6 static leases in manual DHCPv6 case (contributed by Raimar Sandner)
o firmware: add log file for package manager output
o monit: use theme override for widget CSS (contributed by Fabian Franz)
o ntp: internal cleanup of function argument order
o rc: improvements in service startup scripting
o rc: print date and time after successful boot
o unbound: disable redirect type until fixed
o web proxy: fix typo in description of upload caps (contributed by Juan Manuel Carrillo Moreno)
o shell: stop router adve

18.7.6 (29 Oct 2018 08:20) minor feature: Here are the full patch notes:
o firewall: resolve interface address ":0" for port forwarding in kernel
o firewall: list action corrections (contributed by Thomas Bandixen)
o firewall: add support for the PIE shaper (contributed by Michael Muenz)
o firewall: migrate to new alias API including a new failsafe
o firewall: repair log widget for plugin themes
o interfaces: do not remove CARP addresses on link-down
o interfaces: get pfsync MTU from actual CARP interface
o interfaces: add backend call returning all interface data
o interfaces: partially rewrite ping, port and traceroute tools
o interfaces: improve IPv6 merging in make_ipv6_64_address()
o interfaces: use correct IPv6 interface where appropriate
o interfaces: replace get_configured_interface_list() usage
o interfaces: small refactoring around interface up and down code
o system: cleanups in utility and config functions
o captive portal: added connect action in API (contributed by zvs44)
o firmware: move build-time version information to core version file
o firmware: rename backend script "audit" to "security" for clarity
o ipsec: bring back service widget lost back in 2016
o monit: change status page to support easier CSS styling
o unbound: set up a full chroot including local log socket
o unbound: replace custom msort() function with standard function
o unbound: use correct IPv4 or IPv6 interface for address lookups
o webgui: use interfaces_addresses() for interface binding
o mvc: show an error message on failed model migrations
o mvc: refactor __items access via iterateItems()
o mvc: accept style keyword on all input types
o mvc: improved menu API endpoint integration
o plugins: os-bind adds 4 new blacklist providers (contributed by Michael Muenz)
o plugins: os-dyndns validates custom updates solely for URL input
o plugins: os-nginx 1.3 correctly sets upstream headers (contributed by Fabian Franz)
o plugins: os-theme-cicada 1.6 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.7 (contributed

18.7.5 - 19 Oct 2018 06:51 - minor feature:
o system: add (de)select all option in LDAP importer
o firewall: keep previous content for URL alias on fetch error
o firewall: make schedule icon reflect current schedule state (contributed by framer99)
o firewall: toggle and migration fix for upcoming alias API
o firewall: round-robin limitation is for host alias outbound NAT only
o firewall: resolve network addresses in kernel for static routes bypass option
o firewall: do not clean up visible records when limit was not reached
o firewall: do not hardcode live log pass / block colours
o firewall: add live log direction icons
o firmware: shorten shaper name and assorted cleanups
o firmware: fix upgrade compatibility with FreeBSD 11.2
o firmware: use opnsense-version where appropriate
o firmware: correctly translate GUI buttons (contributed by Smart-Soft)
o dnsmasq: use more robust approach to interface binding
o ipsec: more secure phase 1 default settings (contributed by Michael Muenz)
o ipsec: support for multiple phase 1 DH groups and hashes
o openvpn: option to match CSO against common_name or login (contributed by Fabio Prina)
o unbound: fix usage of the remote control backend calls
o unbound: remove faulty "DHCP" label hint for IPv6 link-local registration option
o web proxy: several corrections for PAC template
o backend: fix CPU hogging when reading on already disconnected streams
o mvc: speed up parsing very large config files
o mvc: add single select constraint
o mvc: add UUID field to the result of addBase (contributed by CJ)
o ui: sidebar UX improvements (contributed by Team Rebellion)
o ui: use single guillemets for previous/next page
o plugins: os-acme-client /var MFS awareness
o plugins: os-cicada 1.5 (contributed by Team Rebellion)
o plugins: os-collectd 1.2 makes hostname override optional (contributed by Michael Muenz)
o plugins: os-dyndns 1.10 adds CloudFlare IPv6 support (contributed by Charles Ulrich)
o plugins: os-net-snmp 1.2 adds write access for users (contributed by Michael Muenz)
o plugin
18.7.4 - 28 Sep 2018 05:40 - minor feature: Here are the full patch notes:
o system: correctly unset DNS override allow setting when saving
o system: remove unused / default arguments from get_possible_listen_ips()
o system: note that HA disable preempt requires reboot (contributed by Michael Muenz)
o interfaces: add static IPv6 correctly when on top of PPPoE (contributed by Team Rebellion)
o interfaces: lower MTU via tracked IPv6 interface MTU
o interfaces: 6RD IPv4 prefix override is now prefix-only
o firewall: also show scheduler info in shaper status (contributed by Michael Muenz)
o firmware: introduce opnsense-version utility and fully template build metadata
o firmware: annotate HTTP(S) status in mirrors in descriptions
o firmware: avoid base upgrade error when /proc is mounted
o monit: change mail format field for alerts to text area (contributed by Frank Brendel)
o openssh: further tweak new interface bind approach introduced in 18.7.3
o openvpn: change abbreviated column title to "Bytes Received" (contributed by Andy Binder)
o web proxy: support WPAD / PAC (contributed by Fabian Franz)
o ui: minified sidebar improvements (contributed by Team Rebellion)
o ui: introduce cache_safe() to invalidate browser cache after updates
o plugins: os-dyndns wildcard support for Namecheap
o plugins: os-ntopng 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.2 allows "@" in username (contributed by Michael Muenz)
o plugins: os-relayd 2.3 fixes stuck scheduler value (contributed by Frank Brendel)
o plugins: os-snmp compatibility fixes for version detection and listen interface core changes
o plugins: os-theme-cicada 1.4 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.6 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.3 (contributed by Team Rebellion)
o plugins: os-tor 1.7 allows to enable directory page (contributed by Fabian Franz)
o plugins: os-upnp compatibility fixes for version detection core changes
o src: fix out-of-bounds read vulnerability in libarchive
o src: update
18.7.3 - 19 Sep 2018 07:27 - minor feature: Here are the full patch notes:
o system: gateways widget show/hide feature (contributed by Team Rebellion)
o system: select correct IPv6 default route when underlying IPv6 interface differs
o system: extended meta-matching for special characters in ACL patterns
o system: show last diff by default in configuration history page
o system: refactor password logic in user manager for clarity
o system: link-local listen IPv6 requires reading underlying IPv6 interface
o interfaces: avoid boot mismatch on several virtual plugin devices
o interfaces: list widget show/hide feature (contributed by Team Rebellion)
o interfaces: stats widget show/hide feature (contributed by Team Rebellion)
o interfaces: stop wireless software before bringing down the interfaces
o interfaces: fix selection issue for DHCPv6 PD "none" value
o interfaces: make "64" the page default for DHCPv6 PD
o interfaces: allow IPv4 address override in 6RD
o interfaces: fix 18.7.2 gateway read regression in 6RD
o interfaces: give each 6RD tracker a different IPv6 address
o dhcp: add DHCP Dynamic DNS key algorithm selection (contributed by Ingo Theiss)
o dhcp: correctly load DHCPv6 settings in manual tracking (contributed by Team Rebellion)
o dhcp: do not show lease actions if interface cannot be found
o dhcp: unhide DHCPv6 service when not using automatic PD
o dnsmasq: annotate that "all" is the recommended interface binding option
o importer: list all available ZFS pools (contributed by Smart-Soft)
o importer: do not try to unload ZFS on ZFS boot, sanely rejected anyway ;)
o importer: ZFS pools are now addressed as e.g. "zfs/zroot"
o importer: always loop until exit or successful import
o intrusion detection: source, destination, pass support in user rules (contributed by Michael Muenz)
o ipsec: change hash checkboxes in phase 2 to selectpicker
o openssh: change interface bind logic to only bind to currently available addresses
o openvpn: align status columns for client and P2P case (contributed by Andy Binde
18.7.2 - 07 Sep 2018 07:11 - minor feature: Here are the full patch notes:
o system: select correct network interface in case of IPv6 gateway lookups
o system: tighten system wizard ACL and menu registration
o system: do not wrap first column of log viewer (contributed by Alexander Graf)
o firewall: return alias types to repair its outbound NAT rule edit
o firewall: hide NAT redirect target port when port is not applicable
o firewall: alias API is now live on the development version and will migrate your aliases to the new format
o interfaces: allow explicit MTU to reach the 6RD device
o interfaces: remove use of adv_dhcp6_prefix_interface_statement_sla_id (contributed by Team Rebellion)
o interfaces: fix for DHCPv6 not being restarted for tracked interfaces (contributed by Team Rebellion)
o interfaces: fix adding interfaces LAN bug of translated web GUI (contributed by Werner Fischer)
o interfaces: remove incorrect display of prefix ID in help text for tracking configuration
o interfaces: add groups to interface details output
o interfaces: remove unused code and other nonfunctional cleanups
o interfaces: use "x" in the list widget for no carrier
o interfaces: hide global IPv6 address in list widget if DHCPv6 is set to use only a prefix
o dhcp: remove unused inputs from static mapping page
o dhcp: treat EFI BC the same as EFI x86-64 (contributed by andi-makandra)
o ipsec: add automatic key exchange option
o openvpn: fix /32 host validation logic
o openvpn: clean up control sockets prior to startup
o openvpn: align user authentication to use common_name as username
o mvc: add iterateItems() method to base field type to simplify call flow
o mvc: fix configd asList helper (contributed by Fabian Franz)
o mvc: add configd XML attributes to template parser
o ui: allow version query to match on main.css probing
o ui: footer cleanups and static page repairs where boxing was not correct
o ui: no minified version for tokenize2
o ui: fix table headers in dialogs (contributed by Fabian Franz)
o plugins: os-bind 1.1 add
18.7.1 - 22 Aug 2018 08:28 - minor feature: Here are the full patch notes:
o system: hide web server info from server tag
o system: fix group privileges edit menu hint
o system: add text area field to backup framework (contributed by Joao Vilaca)
o interfaces: use NIC preference for VLAN hardware filtering in default config
o interfaces: router advertisement and DHCPv6 configure fix (contributed by Team Rebellion)
o interfaces: fix PD when using DHCPv6 override on tracked interface
o firewall: toggle filter and NAT rules using checkboxes
o firewall: add state-policy if-bound option
o firewall: added logging for tracing internal rule generator
o firewall: fix ordering issue in port validation and disable
o firewall: fix disabled reject action icon display (contributed by framer99)
o captive portal: fix usage of vouchers and group with spaces in their names
o captive portal: hide web server info from server tag
o dnsmasq: fix listening behaviour on empty but set interface selection
o firmware: remove the 18.1 update fingerprint and pre-18.7 config file fallback
o firmware: do not show development version changelogs in releases
o intrusion detection: reworked rule selection
o ipsec: use selectpicker in mobile page
o ipsec: add Brainpool EC groups
o openvpn: do not remove client specific override files on disconnect
o openvpn: do not create v6 gateway if disabled
o shell: omit ":" from SSL fingerprint display
o unbound: fix menu access for overrides
o wizard: fix root password input
o backend: call shutdown before close in background daemon
o mvc: cause data from callback_ok to be passed through (contributed by Nicholas de Jong)
o mvc: minor glitch in getFormData(), we should ignore empty id fields
o mvc: do not offer internal interfaces in generic interface selector
o mvc: handle validations better by removing duplicate messages
o mvc: fix two glitches in new tokenize field handling
o mvc: add numeric field type
o rc: update php.ini include paths (contributed by Joao Vilaca)
o ui: fix spacing of containers in sta
18.7 - 01 Aug 2018 07:33 - major feature: These are the most prominent changes since version 18.1:
o improved WAN DHCPv6 and SLAAC connectivity and tracking
o functional IPv6 Rapid Deployment (6RD) support
o improved default route handling and gateway switching
o OpenVPN default setup improvements for IPv6 and RADIUS attribute support
o Dpinger gateway monitoring integration
o password policies for local authentication and coupled TOTP
o Monit core integration to eventually replace the legacy notifications
o OpenSSH access via group and shell selection instead of privilege
o pluggable backup framework with new Nextcloud option
o system tunables are now also used as loader tunables
o unrestricted VLAN usage for e.g. Xen
o QinQ interface removal
o firmware GUI speedup, improved error parsing and console reboot hint
o ZFS on root boot support (installer support is pending, but opnsense-bootstrap works)
o ZFS and MSDOS config import support
o ISC DHCP version moves from 4.3 to 4.4
o RRDtool version moves from 1.2 to 1.7
o rework rc.syshook facility to use drop-in directories instead of suffixes
o backports of FreeBSD 11.2 Intel NIC drivers
o stand-alone frontend UI development tools
o language updates for Czech, French, German, Portuguese (Brazil)
o UI header security and SSL cipher hardening
o extensive UI cleanups and menu consolidation
o new and rewritten plugins: os-cache, os-lcdproc-sdeclcd, os-net-snmp, os-nut, os-openconnect, os-relayd 2.0, os-shadowsocks, os-theme-cicada, os-theme-rebellion, os-theme-tukan, os-wol 2.0
18.1.13 - 26 Jul 2018 14:40 - minor feature: Here are the full patch notes:
o system: restart syslog when interface bind addresses may have changed
o system: remove unused action_disable setting in gateway monitoring
o firmware: new mirror Dataroute (Dusseldorf, DE)
o ntp: typo in SiRF selection
o openvpn: translate validated field names
o rc: unset rcvar before evaluation (contributed by Nicholas de Jong)
o installer: give basic tip that GUI IP can be set in console after install (contributed by stilez)
o plugins: os-theme-cicada 1.2 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.2 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.1 (contributed by Team Rebellion)
o ports: suricata 4.0.5 1
18.1.12 - 19 Jul 2018 05:50 - minor feature: Here is the full list of changes:
o system: improve local account expire cron job to also flush passwords and SSH keys
o system: show fingerprint in certificate details (contributed by Robin Schneider)
o system: fix NextCloud file name format (contributed by Fabian Franz)
o system: allow remote backup via cron command
o interfaces: allow /0 to /32 in 6rd and align prefix length calculation with effective prefix used
o firewall: do not trigger rules scheduling if scheduled rule is disabled
o firewall: allow to select external aliases
o firewall: ignore namelookup when no nameservers are configured
o dashboard: remove tooltips from CPU widgets (contributed by Team Rebellion)
o dashboard: add date to large CPU widget data
o firmware: add Aalborg University mirror
o intrusion detection: add missing classification category
o ipsec: add mutual RSA and EAP-MSCHAPv2 support
o wizard: make clear that "admin password" means "root password"
o ui: when JQuery Bootgrid rowselect is enabled the click event is triggered twice
o mvc: switch from the default _GET '_url' to _SERVER 'REQUEST_URI' and let Phalcon handle the routing
o mvc: dynamic urls regardless if you have a trailing slash or not (contributed by Max Orelus)
o mvc: multiselect may allow empty option, no need to give blank item too
o mvc: add support for application specific field types
o ui: top level menu item link pivots and security improvements (contributed by Max Orelus)
o plugins: os-net-snmp 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.1 (contributed by Michael Muenz)
o plugins: os-web-proxy-sso UI fixes (contributed by Smart-Soft)
18.1.11 - 03 Jul 2018 08:29 - minor feature: Here are the full patch notes:
o system: enforce full password policy check for local passwords including TOTP
o system: add RFC 7919 DH parameter files for upcoming 18.7 feature
o system: add 3072-bit RSA key length options to certificates (contributed by Justin Coffman)
o system: move auto-cron jobs to plugin files
o interfaces: refactor reload handling around interfaces_configure()
o interfaces: allow private addresses in 6RD
o interfaces: check existence of "status" (contributed by Tian Yunhao)
o reporting: add NetFlow/Insight database force repair function
o dhcp: update from ISC version 4.3 to 4.4
o importer: allow ZFS import for upcoming 18.7 ZFS installer feature
o importer: allow import from simple MSDOS USB drives
o intrusion detection: add app detect rules (contributed by Michael Muenz)
o rc: suppress message of service not enabled on NetFlow backup
o rc: use exec in /etc/rc and /etc/rc.shutdown hooks
o rc: rework rc.syshook facility to be driven by directories and not suffixes
o unbound: remove defunct unbound_statistics() function
o plugins: os-postfix 1.4 advanced force recipient check (contributed by Michael Muenz)
o plugins: service start corrections for accompanying rc.syshook changes
o src: incorrect TLB shootdown for Xen-based guests 1
o src: lazy FPU state restore information disclosure 2
o src: enable usage of locate(1) utility
o ports: isc-dhcp 4.4.1 3
o ports: php 7.1.19 4
o ports: unbound 1.7.3 5
18.1.10 - 26 Jun 2018 06:21 - minor feature: Here are the full patch notes:
o system: provide default for user language
o system: do not allow spaces in group names
o system: dpinger gateway monitor option (contributed by Team Rebellion)
o system: prepare for upcoming DH parameter regeneration feature
o system: Nextcloud backup support (contributed by Fabian Franz)
o system: userid 0 has trouble with %s in redirects, use %d instead
o system: QR code quiet zone support 1
o system: add selectpicker style where previously missing
o firmware: allow both origin.conf and OPNsense.conf to be used for repository setup
o firmware: exclude password database files from base update as it breaks sudo
o interfaces: clean up reload structure for single interfaces
o interfaces: remove unused interface reload script
o interfaces: simplify semantics of link_interface_to_track6()
o interfaces: assorted cleanups in the code
o firewall: add enable flag to shaper rules
o firewall: improve parsing speed of firewall log
o firewall: fix wrong alias reference in outbound rules
o firewall: generate ipfw comments for debugging (contributed by Robin Schneider)
o firewall: move color settings from schedules to theme (contributed by Fabian Franz)
o intrusion detection: correct typo in CSS
o openvpn: raise default DH parameter to 2048 bit
o console: pass output of stop scripts to user during halt/reboot
o console: clarify that installer is for installing when SSH is off also
o rc: change NetFlow backup to only stop/start when needed
o rc: backup and restore via XML files again
o rc: slightly refactor halt/reboot/shutdown
o rc: break out config stop script
o rc: simplify configctl plumbing
o ui: add country flags for upcoming changes in GeoIP handling
o ui: trigger onChange event to support custom hooks in form post
o ui: change multi-select default from tokenizer to selectpicker
o ui: add support for custom separators in select items
o plugins: test for template scripts before executing them
o plugins: os-acme-client fixes password field
18.1.9 - 01 Jun 2018 14:29 - minor feature: Here is the full list of changes:
o firewall: advanced option to reset states on IPv4 change
o interfaces: rename wancfg to lancfg in tracking code
o interfaces: further simplifications for dhclient usage
o reporting: add logging to database repair stage
o reporting: Insight click event issue
o system: use uppercase gateway names for compatibility
o system: gateway alert script always returns true
o system: align static ACL check with MVC variant
o system: pluggable backup support
o system: configurable user landing pages
o system: safety belt for password policy check
o wizard: add missing element IDs to fix scripting issues
o firmware: parse and return to be removed packages for update summary
o firmware: release type change properly updates the repository and summary
o firmware: extended settings can now be registered via XML files
o firmware: return repository errors in greater detail (4 new error types)
o firmware: make returned backend JSON a bit more human-readable
o firmware: fix leak of base/kernel update info on package manager updates
o firmware: refactor package manager update summary parsing for speed
o firmware: add and use API for major upgrades
o dhcp: fix unwanted name-server write in v6
o dhcp: ldap-server does not exist in v6
o intrusion detection: update classification.config
o intrusion detection: optional fast log to syslog
o ipsec: set ignore_acquire_ts to allow ASA compatibility
o ipsec: add ike_name to syslog output
o openvpn: improve validation between TCP, TCP4, TCP6, UDP, UDP4 and UDP6
o console: manual pages for opnsense-importer and opnsense-installer
o console: let opnsense-installer set up an early runtime environment
o console: show firmware reboot hint prior to update when applicable
o console: longer timeout for opnsense-importer invoke on first boot
o console: proper return values for opnsense-importer in edge cases
o mvc: support multiple directories for detached UI development
o mvc: add AddressFamily option to NetworkField
18.1.8 - 22 May 2018 07:24 - minor feature: Here are the full patch notes:
o system: improve VLAN console assignment handling
o system: move backup crypto code to the only page using it
o system: improve validation for web GUI related settings
o system: split off monitor reload for upcoming dpinger integration
o system: default route handler skips an already active default route
o system: default route handler purges hint files only when switching to a newer route
o system: default gateway switching uses the standard default route handler
o system: properly add LDAP picker to ACL
o system: properly unset password expired message after password change
o interfaces: clear up use IPv4 connectivity and fix several typos
o interfaces: parse and report tunnel data
o interfaces: move dhclient-script to proper location
o interfaces: allow SLAAC to latch on to IPv4 link
o reporting: add destination address in Insight detail search
o dhcp: fix labels of services to align with menu
o dhcp: domain-search-list usage was removed in 2012
o ipsec: rewrite resolve_retry() for its only use case
o ipsec: improve RADIUS secret escaping (contributed by Rafael Cano)
o ipsec: fix missing disable of DH group setting
o router advertisements: correctly merge DNS server arrays
o router advertisements: fix DNSSL settings
o router advertisements: fix duplicated subnet statements
o openssh: also use static interface IP addresses to listen on explicitly
o unbound: allow wildcard host entry (contributed by Eugen Mayer)
o webgui: also use static interface IP addresses to listen on explicitly
o backend: improve escaping of passed parameters
o ui: correct height of the login title bar
o ui: unify the label printing of interfaces
o ui: refactor script match for help messages
o rc: ZFS boot awareness
o plugins: os-cache 1.0 is an optional web server cache for the GUI/API
o plugins: os-debug 1.3 now holds its own PHP settings
o plugins: os-nut 1.0 (contributed by Michael Muenz)
o plugins: os-snmp 1.3 improves handling of interface binding
o plugi
18.1.7 - 04 May 2018 05:48 - minor feature: Here are the full patch notes:
o system: validate pfsync peer as IPv4-only
o system: flip order of arguments for system_routing_configure()
o system: convert cron to mutable model controller
o system: convert routing to mutable model controller
o system: log table header cleanup
o system: more aggressive factory reset and shut down after completion
o system: remove duplicate addresses before binding web GUI and OpenSSH
o system: fix Framed-Route parsing for RADIUS authentication
o system: properly translate save message on user language change
o interfaces: PPPoE link down script improvements
o interfaces: emit prefix-interface for trackers in advanced DHCPv6 configurations
o interfaces: DHCPv6 configuration creation breakout (contributed by Team Rebellion)
o interfaces: SIGHUP reload for dhcp6c (contributed by Team Rebellion)
o interfaces: wait for dhcp6c to be stopped by pending apply
o interfaces: only reconfigure VLAN interface after edit when necessary
o interfaces: create IPv4 and IPv6 tunnel gateways for GIF/GRE when the setup allows it
o interfaces: remove unused flush argument from various functions
o interfaces: fixed creation of GIF/GRE tunnel with an outer IPv6 remote address (contributed by Christoph Engelbert)
o interfaces: fixed router advertisement setup of former static but now tracking interface (contributed by Christoph Engelbert)
o interfaces: remove obsolete address requirement for CARP VIPs
o interfaces: back out get_dyndns_ip() IPv6 online detection and properly propagate a lookup error
o interfaces: no more spurious redirection for dhclient invoke
o firewall: remove a side effect from filter_delete_states_for_down_gateways()
o firewall: adjust maximum table entries for error-free bogonsv6 usage
o firewall: add buckets option to traffic shaper
o firewall: update help text for port ranges (contributed by Michael Muenz)
o power: power off modal to indicate that the GUI is no longer responsive
o captive portal: add traffic data and IP address
18.1.6 - 10 Apr 2018 07:14 - minor feature: Here are the full patch notes:
o system: reverse reload order for gateway switching on OpenVPN
o system: implement password policies for local accounts
o system: separate web GUI and configd log files
o system: add syslog and login service visibility
o system: show root as disabled in user manager if disabled
o interfaces: no longer restrict VLAN driver capability
o firewall: switch back to old NAT auto-outbound behaviour
o firewall: reload schedules 1 minute later
o firewall: filter descriptions option no longer exists
o firewall: updated anti-lockout link (contributed by Michael Muenz)
o firewall: fix help text in shaper masks (contributed by Michael Muenz)
o firewall: add delay option to pipe in shaper (contributed by Michael Muenz)
o reporting: add insight aggregator to service list
o dashboard: large CPU usage widget (contributed by Team Rebellion)
o dhcp: fix display of DUID in IPv6 leases
o firmware: let opnsense-patch apply chmod even in partially failed patches
o firmware: let opnsense-code fetch all remotes as well as prune them
o intrusion detection: provide custom.yaml for user edits
o web proxy: fix pid file pointer for service status probe
o ui: help data-for attribute (contributed by NOYB)
o ui: reversed zebra redraw on static page mobile forms
o ui: cleanup for unused classes in static pages
o mvc: add constraint type for dependent fields
o plugins: merge rc.plugins_configure code into pluginctl
o plugins: os-c-icap 1.5_1 service controller fix (contributed by Fabian Franz)
o plugins: os-frr 1.3 adds BGP for IPv6 (contributed by Michael Muenz)
o plugins: os-lcdproc-sdeclcd 1.0 release adds LCD usage to Lanner/Watchguard Firebox
o plugins: os-monit 1.7 fixes compatibility with UI rework
o plugins: os-rspamd 1.2 allows to specify bad file extensions (contributed by Fabian Franz and Michael Muenz)
o plugins: os-shadowsocks 1.0 release (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.0 release (contributed by Team Rebellion)
o plugins:
18.1.5 - 22 Mar 2018 07:05 - minor feature: Here are the full patch notes:
o system: optional prefix Google Drive backups with host and domain name
o system: also render tunables in loader.conf to obsolete loader.conf.local editing
o interfaces: allow /127, /128 and /32 static IP address configurations everywhere
o interfaces: improve logging and assorted cleanups (contributed by Team Rebellion)
o interfaces: ignore dynamic linkup events for unassigned interfaces
o interfaces: hide previously assigned interfaces from bridges
o interfaces: allow all IPv6 prefixes from 48 to 64 for DHCPv6 mode
o firewall: add VIP gateway option for PPPoE interfaces
o firewall: add update interval option to log widget (contributed by NOYB)
o firewall: respect mask in traffic shaper queue config (contributed by Michael Muenz)
o firmware: fix opnsense-code for src.git and ABI probing
o firmware: fix opnsense-patch file permission apply for plugins
o intrusion detection: support request headers in ruleset metadata
o openvpn: switch status to version 3 to avoid wrong parsing of commas
o openvpn: parse all states to retrieve all relevant connection status info
o captive portal: exclude "I" from simplified voucher character set for clarity
o plugins: os-lldpd 1.1 adds interface selection (contributed by Michael Muenz)
o plugins: os-monit 1.6 fixes file path validation (contributed by Frank Brendel)
o plugins: os-postfix 1.1 adds smart host and SMTP authentication (contributed by Michael Muenz)
o plugins: os-tinc 1.3 corrects host port usage (contributed by DasTestament)
o plugins: os-tor 1.6 adds IPv6 and exit settings (contributed by Gijs Peskens)
o ui: update tokenizer to 2.6, visual tweaks and blur-add
o ui: buttons for services control in MVC (contributed by Smart-Soft)
o src: reinitialize IP header length after checksum calculation 1
o src: fix IPsec validation and use-after-free 2
o src: update timezone database information 3
o src: update file(1) to new version with security update 4
o src: add mitigations for two classes
18.1.4 - 12 Mar 2018 07:20 - minor feature: Here are the full patch notes:
o system: improved default route handling
o system: improved gateway switching
o system: cleanse username on LDAP import
o system: increase maximum size of firmware reports
o firewall: shaper backend refactor
o interfaces: improved reconfigure phase
o reporting: fix sporadic "non-numeric value encountered" error
o captive portal: add voucher expiry (contributed by Stephanowicz)
o intrusion detection: use latest ET Open rules for Suricata version 4
o intrusion detection: proper syslog with drops, requires log file reset
o intrusion detection: backend refactor
o plugins: os-frr 1.2 adds OSPF interface type (contributed by Marius Halden)
o plugins: os-haproxy 2.6 1 (contributed by Frank Wall)
o ports: isc-dhcp 4.3.6P1 2
o ports: krb5 1.16 3
o ports: pkg 1.10.5
o ports: strongswan 5.6.2 4
18.1.3 - 05 Mar 2018 12:00 - minor feature: Here are the full patch notes:
o system: account for variable headers in top output
o system: move gateway status into main pages
o system: slightly reorder routing configuration calls
o system: optimize reading of SSL crypto library version string (contributed by Alexander Shursha)
o system: rework LDAP authentication container selection
o interfaces: avoid interaction of overview details with menu items
o interfaces: allow "reject leases from" option in DHCP advanced settings
o firewall: set alias cron update interval to 1 minute
o firewall: align alias cron update with its background call
o firewall: URL IP alias type missing in selections
o firewall: fix defunct alias target in outbound NAT
o firewall: ignore alias case while searching
o firewall: move rule category filter to the top of the page
o firewall: show IPv6 ports in live log and fix details for TCP
o firewall: move general settings to AliasParser and fix Alias constructor to receive them
o firewall: if the name of the alias equals its content try to resolve
o dhcp: advertisement problem on PPPoE link without public IPv6 address (contributed by Team Rebellion)
o dhcp: UEFI 64 network boot using wrong arch type
o dhcp: validate maximum interface MTU
o dhcp: add validation for DUID fields
o ipsec: auto-route disable setting (contributed by Namezero)
o network time: inline NMEA checksum calculator (contributed by Fabian Franz)
o network time: fix stratum level write
o unbound: optimize outgoing-range differently
o unbound: local zone setting (contributed by NOYB)
o ui: fix cropped dropdown regression
o mvc: translate option values (contributed by Alexander Shursha)
o mvc: fix access to undefined property translator
o mvc: fix typo in getBase()
o mvc: improve phpdoc
o rc: protect console menu again, but keep shell invoke for rc.d subsystem
o rc: fix some typos (contributed by John Eismeier)
o rc: proper includes for plugin post-install hook
o rc: recover all known shells
o plugins: os-clamav 1.5 fixes log
18.1.2 - 08 Feb 2018 18:20 - minor feature: Here are the full patch notes:
o system: avoid default route from disappearing when no manual gateways are set
o firewall: fix outbound NAT for OpenVPN interfaces
o interfaces: multiple overview page improvements (contributed by NOYB)
o firmware: revoke 17.7 update fingerprint
o console: check for root invoke in importer, installer and console menu
o intrusion detection: always show schedule tab
o intrusion detection: log first drop of a flow
o intrusion detection: add a log file viewer
o unbound: add num-queries-per-thread option values for 4096 and 8192
o ui: remove chrome=1 from X-UA-Compatible meta element (contributed by NOYB)
o ui: HTML compliance for attribute "type" on script element (contributed by NOYB)
o ui: HTML compliance for "navigation" "role" on nav element (contributed by NOYB)
o ui: checkbox and radio button label children tweaks (contributed by NOYB)
o ui: break help text on small screens
o ui: use pluggable locations for theme files
o ui: remove table-responsive padding on small screens
o ui: user-scalable viewport (contributed by NOYB)
o mvc: CRUD functions for mutable model controller (contributed by Fabian Franz)
o plugins: os-frr 1.0 with CRUD refactor (contributed by Fabian Franz)
o plugins: os-tor 1.5 with CRUD refactor (contributed by Fabian Franz)
o ports: phalcon 3.3.1
o ports: php 7.1.14
18.1.1  02 Feb 2018 18:19  minor feature: Here are the full patch notes:
o firewall: ignore target port alias in port forwards when it equals the destination
o firewall: align outbound NAT address output to edit page
o firewall: use first region for country in GeoIP category instead of last one
o system: improve layout of gateway status labels (contributed by Fabian Franz)
o system: improve order of group / user setup as "wheel" was not added correctly on save
o dashboard: touch device improvements in widgets (contributed by NOYB)
o opendns: always refresh the setting on save
o openvpn: open links in a new tab (contributed by Fabian Franz)
o ui: system-wide HTML compliance improvements (contributed by NOYB)
o plugins: arp-scan 1.1 improves interface search (contributed by Giuseppe De Marco)
o plugins: os-dyndns 1.6 fixes Route 53 IPv6 usage (contributed by theq86)
o plugins: os-freebsd 1.5.2 clarifies certificate validation (contributed by Michael Muenz)
o plugins: os-openconnect 1.0 (contributed by Michael Muenz)
o plugins: os-rfc2136 1.2 improves widget load
o plugins: os-telegraf 1.3.1 adds ping hosts and graphite validation fix (contributed by Michael Muenz)
o plugins: os-rspamd 1.1 fixes typos (contributed by Fabian Franz)
o plugins: os-zerotier 1.3.1 makes database persist on /var MFS (contributed by David Harrigan)
o ports: curl 7.58.0
o ports: py27-cryptography 2.1.4
18.1  02 Feb 2018 18:18  minor feature: These are the most prominent changes since version 17.7:
o FreeBSD 11.1, PHP 7.1 and jQuery 3 migration
o Realtek vendor NIC driver version 1.94
o Portable NAT before IPsec support
o Local group restriction feature in OpenVPN and IPsec
o OpenVPN multi-remote support for clients
o Strict interface binding for SSH and web GUI
o Improved MVC tabs and general page layout
o Shared forwarding now works on IPv6, in conjunction with "try-forwarding" and improved reply-to multi-WAN behaviour
o Easy-to-use update cache support for Linux and Windows in web proxy
o Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)
o Revamped HAProxy plugin with introduction pages
o Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status
o Alias backend rewrite for future extensibility
o Plugin-capable firewall NAT rules
o Migration of system routes UI and backend to MVC (also available via API)
o Reverse DNS support for insight reporting (also available via API)
o Fully rewritten firewall live log in MVC (also available via API)
o New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, node_exporter
17.7.12  19 Jan 2018 06:18  minor feature: Here are the full patch notes:
o system: use correct crypto library to gather GUI SSL ciphers
o system: do not wrap action buttons in tunables page
o system: fix CA serial number decrement on save
o firmware: remove the discontinued hotfix backend support
o firmware: allow dot in package name during package action
o firmware: remove defunct mirrors
o interfaces: make level of detail stick in packet capture
o interfaces: auto-lock problematic interfaces upon assignment
o firewall: make NAT reflection enable less ambiguous
o firewall: fix NAT formatting in states dump page
o network time: fix for valid negative offset in health graph
o network time: OPNsense NTP pool is now available
o network time: fix parsing of overly long lines
o web proxy: use PID file instead of daemon name for status probe
o wizard: add unbound to wizard and uncheck DNSSEC by default
o ui: HTML compliance fixes button in link usage (contributed by NOYB)
o mvc: added mutable service controller
o mvc: added sub-tab layout partials
o mvc: do not render empty toggle header
o plugins: acme-client 1.13 (contributed by Frank Wall)
o plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)
o plugins: helloworld 1.4
o plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)
o plugins: tor 1.4 adds contact info (contributed by Fabian Franz)
o plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)
o ports: libressl 2.6.4
o ports: php 7.1.13
17.7.11  22 Dec 2017 10:12  minor feature: Here are the full patch notes:
o system: numerical sort for "Use" and "MTU" columns in route diagnostics
o system: gateway group edit tier selection issue with jQuery3
o system: minor cleanups in the certificates backend
o firewall: move anti-lockout rule to advanced settings
o interfaces: minor cleanups in the backend
o reporting: rework configuration handling on the settings page
o dnsmasq: minor cleanups in the backend
o firmware: strip the architecture from the base / kernel set version display
o firmware: backend preparations for full base / kernel set lock and reinstall
o firmware: increase crash report file limit to 2 MB
o ipsec: minor cleanups in the backend
o unbound: register DHCP domain name for interface if found
o network time: show full remote address and fix page boxing on status page
o network time: add advanced custom options
o network time: fix leap second save
o network time: minor cleanups in the backend
o wizard: properly redirect on input errors in system wizard
o mvc: ignore client-side anchors in breadcrumb generation
o ui: do not use a CSRF input element ID
o plugins: os-freeradius 1.4.1 fixes a warning in clients (contributed by Michael Muenz)
o ports: libxml 2.4.7
o ports: py-ipaddress 1.0.19
17.7.10  18 Dec 2017 10:56  minor feature: Here are the full patch notes:
o system: allow user-based language setting through Lobby: Password
o system: allow strict interface binding for OpenSSH
o system: prepare for MVC-based routing pages
o firmware: prepare for production / development release type selection
o firewall: fix a PHP warning when no user rules are installed
o firewall: add refresh button to table diagnostics page
o captive portal: fix chroot regression since lighttpd web server update in 17.7.9
o interfaces: provide a link-local IPv6 when asking for addresses
o intrusion detection: sync port-groups to default template
o ipsec: upgrade vici lib to match strongSwan package
o network time: fix a PHP warning during NMEA deselect
o mvc: do not throw disabled errors in handler
o plugins: os-dyndns 1.4_1 fixes issue with Namecheap error parsing
o plugins: os-freeradius 1.4.0 adds log viewer and fixes users write (contributed by Michael Muenz)
o plugins: os-quagga 1.4.3 adds OSPF firewall rule and spinners for save (contributed by Fabian Franz)
o src: OpenSSL multiple vulnerabilities
o ports: hyperscan 4.6.0
o ports: openssl 1.0.2n
o ports: suricata 4.0.3
Two plugin hotfixes have been additionally issued:
o plugins: os-quagga 1.4.3_1 fixes service startup regression
o plugins: os-rfc2136 1.1_1 fixes edit button in IE 11
17.7.9  07 Dec 2017 16:29  minor feature: Here are the full patch notes:
o system: fix XSS with crafted certificates in certificate manager
o system: removed duplicated firmware privileges
o system: fix resolving routes in diagnostics page
o system: regenerated DH parameters
o dhcp: support stateless DHCPv6
o firmware: kernel and base set visibility and better API session handling
o intrusion detection: improve download and install speed of et-open rules
o intrusion detection: add TLS and HTTP logging in eve and alert log viewer
o openvpn: allow remote network in peer to peer modes
o web proxy: better service and API session handling
o router advertisements: advertise on VIPs belonging to the same interface
o configd: allow template overrides via optional target directory
o mvc: prepare for user-based language setting (contributed by Alexander Shursha)
o mvc: prepare for auto-generated page titles
o mvc: tighten against frame-based attacks
o mvc: correctly hide advanced option headers in forms (contributed by Evgeny Bevz)
o ui: fix for deactivated storage in sticky "help all" toggle (contributed by Fabian Franz)
o ui: make "advanced mode" sticky too
o plugins: os-acme-client 1.12 (contributed by Frank Wall)
o plugins: os-arp-scan (contributed by Giuseppe De Marco)
o plugins: os-clamav 1.3 (contributed by Alexander Shursha)
o plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed by Kuo-Cheng Yeu)
o plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)
o plugins: os-haproxy 2.0 (contributed by Frank Wall)
o plugins: os-relayd 1.2 fixes "check send" directive
o plugins: os-tor 1.3 (contributed by Fabian Franz)
o plugins: os-zabbix-agent 1.2 fixes service status indicator
o plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)
o ports: ca_root_nss 3.34.1
o ports: curl 7.57.0
o ports: lighttpd 1.4.48
o ports: php 7.1.12
o ports: pkg 1.10.3
o ports: py-Jinja2 2.10
o ports: syslogd 11.1