Recent Releases
19.7.205 Aug 2019 15:03
minor bugfix:
Here are the full patch notes:
o system: missing "" in legacy output via Syslog-ng
o system: fix writing gateway information for DNS servers
o system: allow gateway to work in DHCPv6 WAN when no router solicitation is available
o firewall: unhide automatic interface-based output rules
o firewall: unhide automatic non-interface-based floating rules
o firewall: lift length restriction in NAT rule description
o firewall: avoid newlines in rule descriptions
o firewall: only show usable addresses in NAT outbound rules
o interfaces: fix extended CARP output when parsing interface information
o interfaces: add more outputs to overview page to increase usefulness
o interfaces: use shared DHCP lease reader for ARP list
o captive portal: fix binary read issue in Python 3
o dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)
o firmware: handle file signature verify correctly with multiple fingerprint repositories
o firmware: Aivian mirror is no longer active
o firmware: Cloudfence mirror in Brazil added
o plugins: os-acme-client 1.24 1
o plugins: os-bind 1.6 (contributed by crazy-max)
o plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)
o plugins: os-grid_example 1.0 2
o plugins: os-helloworld Python 3 compatibility 3
o plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)
o plugins: os-sunnyvalley 1.0 4 5
o src: fix panic from Intel CPU vulnerability mitigation 6
o src: fix multiple telnet client vulnerabilities 7
o src: fix pts write-after-free 8
o src: fix kernel memory disclosure in freebsd32_ioctl 9
o src: fix reference count overflow in mqueuefs 10
o src: fix byhve out-of-bounds read in XHCI device 11
o src: fix file descriptor reference count leak 12
o ports: libevent 2.1.11 13
19.7.125 Jul 2019 14:36
minor bugfix:
Here are the full patch notes:
o system: do not create automatic copies of existing gateways
o system: do not translate empty tunables descriptions
o system: remove unwanted form action tags
o system: do not include Syslog-ng in rc.freebsd handler
o system: fix manual system log stop/start/restart
o system: scoped IPv6 " " could confuse mwexecf(), use plain mwexec() instead
o system: allow curl-based downloads to use both trusted and local authorities
o system: fix group privilege print and correctly redirect after edit
o system: use cached address list in referrer check
o system: fix Syslog-ng search stats
o firewall: HTML-escape dynamic entries to display aliases
o firewall: display correct IP version in automatic rules
o firewall: fix a warning while reading empty outbound rules configuration
o firewall: skip illegal log lines in live log
o interfaces: performance improvements for configurations with hundreds of interfaces
o reporting: performance improvements for Python 3 NetFlow aggregator rewrite
o dhcp: move advanced router advertisement options to correct config section
o ipsec: replace global array access with function to ensure side-effect free boot
o ipsec: change DPD action on start to "dpdaction = restart"
o ipsec: remove already default "dpdaction = none" if not set
o ipsec: use interface IP address in local ID when doing NAT before IPsec
o web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen
o plugins: os-acme-client 1.24 1
o plugins: os-bind 1.6 2
o plugins: os-dnscrypt-proxy 1.5 3
o plugins: os-frr now restricts characters BGP prefix-list and route-maps 4
o plugins: os-google-cloud-sdk 1.0 5
o ports: curl 7.65.3 6
o ports: monit 5.26.0 7
o ports: openssh 8.0p1 8
o ports: php 7.2.20 9
o ports: python 3.7.4 10
o ports: sqlite 3.29.0 11
o ports: squid 4.8 12
19.723 Jul 2019 05:20
major feature:
These are the most prominent changes since version 19.1:
o List automatic firewall rules
o Statistics for all firewall rules
o Alias JSON import / export
o Optional statistics for aliases
o Firewall rule locator for live log and automatic rules
o Rewritten gateway handling and switching
o Remote logging via Syslog-ng
o LDAP group sync support
o Support certificate signing requests
o Route-based IPsec support (VTI)
o XMLRPC sync support for alias, VHID, widgets
o Unbound host overrides alias support
o Web proxy and IPsec authentication using PAM
o Parent web proxy support
o Web proxy login privilege via group
o Improved reliability and utility of opnsense-patch
o Dpinger and DHCP servers ported to plugin framework
o Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
o Spanish as a new language
o Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin
o Netmap update for VirtIO, VLAN child and vmxnet support
o Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4
19.1.1005 Jul 2019 08:36
minor bugfix:
Here are the full patch notes:
o system: change certificate manager actions to POST
o system: fix account removal with missing "-g" option
o system: add dashboard widgets to XMLRPC sync
o firewall: fix live log rule label mismatch caused by optimisation
o firewall: fix alias import with alias references included
o firewall: change default sorting of aliases to names
o firmware: add homelab.no mirror (contributed by Thomas Jensen)
o intrusion detection: when toggling rules keep the current action
o intrusion detection: suppress mystery PHP 7.2+ warning in API
o intrusion detection: show SID in alert view
o web proxy: add cache reset button
o web proxy: correct syslog export
o plugins: os-dyndns 1.6 DigitalOcean support (contributed by Dune Heishman)
o plugins: os-etpro-telemetry Python 3 support
o plugins: os-frr 1.11 1
o plugins: os-nginx 1.14 2
o plugins: os-rspamd 1.7 3
o plugins: os-tinc Python 3 support
o ports: ca_root_nss 3.44.1
o ports: curl 7.65.1 4
o ports: libevent 2.1.10 5
o ports: libxml 2.9.9 6
o ports: libressl 2.9.2 7 8
o ports: phalcon 3.4.4 9
o ports: strongswan 5.8.0 10
o ports: unbound 1.9.2 11
19.1.911 Jun 2019 08:13
minor bugfix:
Here are the full patch notes:
o system: add LDAP group synchronisation feature
o system: allow an arbitrary group for sudo like ssh login
o system: stop using a lock around resolv.conf handling
o system: rename a number of service-related functions
o system: login not using cache-safe image yet
o system: add pluginctl -s support
o system: restyle config backup page
o system: fix log split view regression of 19.1.8
o interfaces: remove DHCPv6 on delete and clear config on IPsec assignment
o interfaces: small VIP restructure and IPv6 alias to IPv6 device
o interfaces: subtle changes in IPv6 and variable naming
o interfaces: add missing does_interface_exist() checks
o firewall: support multiple interfaces per NAT port forward rule
o captive portal: use "onestop" to stop service
o intrusion detection: missing header ID in alerts tab
o ipsec: remove remnants of gateway group interface selection
o ipsec: use indirect plugin calls in interface code
o openvpn: add live-search to longer lists in server page
o openvpn: support --cryptoapicert export (sponsored by m.a.x it)
o opnevpn: correctly check for translation in get_carp_interface_status()
o openvpn: use waitforpid() to properly wait for instanes to come up
o openvpn: translate GUI error values when returning them
o openvpn: revamp status page
o unbound: leases watcher file rotation issue
o web proxy: squid log in readable date format (contributed by nhirokinet)
o web proxy: fix non-local authentication regression of 19.1.7
o plugins: os-bind 1.5 1
o plugins: os-clamav 1.7 2
o plugins: os-dnscrypt-proxy 1.4 3
o plugins: os-dyndns clouldflare wildcard domain support
o plugins: os-nginx 1.13 4
o plugins: os-openconnect 1.4.0 5
o plugins: os-redis 1.1 6
o plugins: os-rspamd 1.6 7
o plugins: os-theme-cicada 1.18 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.18 (contributed by Team Rebellion)
o ports: curl 7.65.0 8
o ports: lighttpd 1.4.54 9
o ports: python 3.7.3 10
o ports: openssl 1.0.2s 11
o por
19.1.822 May 2019 08:29
minor bugfix:
Here are the full patch notes:
o system: address CVE-2019-11816 privilege escalation bugs 1 (reported by Arnaud Cordier)
o system: /etc/hosts generation without interface_has_gateway()
o system: show correct timestamp in config restore save message (contributed by nhirokinet)
o system: list the commands for the pluginctl utility when no argument is given
o system: introduce and use userIsAdmin() helper function instead of checking for 'page-all' privilege directly
o system: use absolute path in widget ACLs (reported by Netgate)
o system: RRD-related cleanups for less code exposure
o interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)
o interfaces: replace legacy_getall_interface_addresses() usage
o firewall: fix port validation in aliases with leading / trailing spaces
o firewall: fix outbound NAT translation display in overview page
o firewall: prevent CARP outgoing packets from using the configured gateway
o firewall: use CARP net.inet.carp.demotion to control current demotion in status page
o firewall: stop live log poller on error result
o dhcpd: change rule priority to 1 to avoid bogon clash
o dnsmasq: only admins may edit custom options field
o firmware: use insecure mode for base and kernel sets when package fingerprints are disabled
o firmware: add optional device support for base and kernel sets
o firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)
o ipsec: always reset rightallowany to default when writing configuration
o lang: say "hola" to Spanish as the newest available GUI language
o lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
o network time: only admins may edit custom options field
o openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure
o openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)
o openvpn: remove custom options field from wizard
o unbound: only admins may ed
19.1.702 May 2019 13:37
minor bugfix:
Here are the full patch notes:
o system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services)
o system: support for syncing alias and VHID to the slave
o system: cleanly rewrite CA root files and add local trusted CAs as well
o system: disable backup cron job when no backup is enabled
o system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri)
o system: migrate health graph scripts to Python 3.6
o interfaces: properly add and remove IPv6 trackers after interface apply
o interfaces: validate prefix ID of IPv6 trackers so that each ID is unique
o interfaces: display "0x" in prefix ID field so that it is clear that value is in hex
o interfaces: fix passing VLAN name in interface_virtual_create()
o interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters
o interfaces: allow link-local address on bridges via optional setting
o interfaces: PPP-related code cleanups
o firewall: prevent double-escaping of text in rules page
o firewall: handle IDNA encode failures in aliases
o firewall: alias import / export option
o captive portal: update to bootstrap 3.4.1
o captive portal: fix a race in directory creation and listClients()
o dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner)
o dhcp: merge static mac addresses with leases
o dhcp: prevent double-escaping of text in leases page
o firmware: add private log file for major upgrade package install step
o firmware: use a safer major upgrade package install mode
o firmware: retain /etc/motd on base updates
o ipsec: implemented wildcard includes (contributed by Mark Plomer)
o ipsec: only apply mobile PFS to mobile phase 2
o ipsec: restyle mobile settings a little
o ipsec: switch XAuth to PAM
o ipsec: partial fix for static routes on routed tunnels during boot
o network time: reload RRD since NTP has a setting for it
o web proxy: fix PAC weekday match labels
19.1.612 Apr 2019 14:46
minor bugfix:
Here are the full patch notes:
o system: let dashboard only accept its own POST requests
o system: remove obsolete symlink to opnsense-auth
o system: skip PHP E_WARNING log level until 19.7
o system: numerous PHP 7.2 warning fixes
o dhcp: DHCPD server check in relay only if interface is active
o dnsmasq: skip empty custom options
o intrusion prevention: do not drop flowbits:noalert rules
o unbound: add ACL entries for OpenVPN by default
o mvc: controller cleanups in firewall shaper, web proxy and captive portal
o plugins: numerous PHP 7.2 warning fixes
o plugins: os-freeradius 1.9.2 fixes LDAP group filter and EAP certificates write (contributed by Alexander Harm)
o plugins: os-nginx 1.11 1
o ports: php 7.2.17 2
o ports: py-certifi 2019.3.9 3
19.1.508 Apr 2019 05:36
minor bugfix:
These are the full patch notes:
o system: improve gateway status return when monitoring is off
o system: warn user about future deprecation of "user-config-readonly" privilege
o system: support certificate signing requests (contributed by nhirokinet)
o system: syslog does not need to do a background startup since it backgrounds itself
o system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz)
o system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri)
o interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys)
o interfaces: take all unknown arguments as real interfaces in interfaces_addresses()
o interfaces: optionally allow interfaces_addresses() to emit subnets instead of addresses
o interfaces: move mpd.script to new location (may require interface reconfigure)
o firewall: proper locking of aliases before config action on delete
o firewall: correctly set outbound NAT destination as network
o firewall: add support for DSCP in shaper (contributed by Michael Muenz)
o firewall: add support for IDN in aliases (contributed by Smart-Soft)
o captive portal: allow access to this host (contributed by Fredrik Ronnvall)
o firmware: fix parsing of packages in multi-repo env and revoked fingerprint message
o firmware: add University of Kent to the firmware mirrors
o ipsec: only use explicit reqid when using route-based interfaces
o ipsec: correctly set install policy option on newly created phase 1 entries
o ipsec: improve split DNS and INTERNAL_DNS_DOMAIN configuration
o ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin)
o ipsec: properly quote UNITY_BANNER for multi-line support
o ipsec: support for dynamic remote gateways
o monit: add migration/validation for service/test type dependency (contributed by Frank Brendel)
o monit: added missing "not on" label
o openvpn: support static-challenge formatted password
o openvpn: properly load custom config field in exporter
o openvpn:
19.1.412 Mar 2019 11:44
minor bugfix:
Here are the full patch notes:
Here are the full patch notes:
o system: remove erroneously translated hostname example (contributed by nhirokinet)
o firewall: fix validation regression in outbound NAT introduced in 19.1.3
o firewall: mock labels for NAT rules in live log as pf does not offer label support
o interfaces: do not background LAGG ifconfig destroy
o installer: revert to use network connection to allow CTRL+C and resume
o ipsec: added Virtual Tunnel Interface (VTI) support
o unbound: fix nested statistics items read
o mvc: remove old Phalcon volt template workarounds from when scopes were broken
o mvc: fix bug in model relation field values merge
o plugins: os-zabbix4-proxy PSK directory fix (contributed by Michael Muenz)
o plugins: os-telegraf missed invoke of setup.sh
o plugins: os-frr adds validator to OSPF prefix lists (contributed by Michael Muenz)
o plugins: os-dmidecode 1.1 fixes data parsing (contributed by Smart-Soft)
o plugins: os-nginx 1.9 1
o src: do not pass pf(4) IPv6 fragments with malformed extension headers (reported by Synacktiv)
o src: revert upstream commit "protect the kernel text, data, and BSS" to fix certain UEFI boots
o ports: monit 5.25.3 2
o ports: ntp 4.2.8p13 3
o ports: php 7.1.27 4
o ports: suricata 4.1.3 5
19.1.308 Mar 2019 10:01
minor bugfix:
Here are the full patch notes:
o system: improve LDAPS mode and related authentication cleanups
o system: move enable checkbox to the top in remote logging settings
o system: allow reset of tunables to to factory defaults
o system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1)
o firewall: allow explicitly setting source hash key in outbound NAT (Fredrik Ronnvall)
o interfaces: probe media before applying new settings
o interfaces: correctly compare MAC addresses
o dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner)
o firmware: move duty to return the correct set name / ID to opnsense-version
o firmware: finally revoke 18.7 fingerprint
o intrusion detection: minor template cleanups using helpers.empty()
o ipsec: peer identifier can now fall back to remote-gateway in manual SPD entries
o ipsec: allow easier override of colours in widget (contributed by Fabian Franz)
o monit: add validation for test type (contributed by Frank Brendel)
o openvpn: add auth-nocache option in exporter
o openvpn: validate certificate type for servers
o unbound: add host overrides alias support
o web proxy: add auth to parent proxy (contributed by Michael Muenz)
o backend: add helpers.empty() in configd
o mvc: simplify save / close / cancel button labels
o mvc: add sorting for field list types
o rc: move all template generation to early stage
o ui: improve escaping of displayed data in static pages
o ui: escape button values in static pages
o ui: avoid short PHP tags
o plugins: os-dnscrypt-proxy 1.3 1
o plugins: os-frr brings in missing area range code 2
o plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz)
o plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion)
o plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion)
o plugins: os-vnstat /var MFS fix 3
o plugins: os-zabbix4-proxy 1.0 (contributed by Michael Muenz)
o ports: openssl 1.
19.1.207 Mar 2019 06:29
minor bugfix:
Here are the full patch notes:
o system: move session files into their own directory (forces the current sessions to expire)
o system: add validation check for time period for Dpinger (contributed by Team Rebellion)
o system: hide "show certificate info" button of pending CSR (contributed by nhirokinet)
o system: move opnsense-auth to libexec, but keep a symlink in sbin directory
o system: escaping issue in gateway edit page
o system: fix ACL for halt and reboot pages
o firewall: fix alias entry replacement in utility page
o firewall: prevent new alias creation when adding an address
o firewall: capture "nat" traffic like we do for "rdr" in live log
o firewall: escaping issues in schedule edit page
o interfaces: push dhclient and dhcp6c log messages to system log
o interfaces: write all nameservers via dhclient-script in multi WAN scenarios
o interfaces: check for valid alias IP in dhclient-script
o interfaces: 6RD interface naming back to 18.7 to sidestep character limits on stacked setups
o interfaces: avoid reading empty interface configurations
o firmware: bootstrap rework for HTTPS repository URL
o firmware: patch cache and assorted improvements
o firmware: minor update utility cleanups
o firmware: remove compatibility stubs for pre-19.1 version reads
o firmware: show revoked package mirror error in GUI if applicable
o firmware: bump RageNetwork mirror to HTTPS
o firmware: be more careful about parsing version info
o dhcp: fix behaviour of determining primary/secondary (contributed by Fredrik Ronnvall)
o intrusion detection: set stream.inline: true as an IPS workaround for a Suricata 4.1 regression 1
o intrusion detection: support required rules/files in metadata package
o intrusion detection: less extensive logging
o ipsec: fix escaping issue in mobile page
o monit: fix address validation
o openvpn: obey verify-x509-name for remote access (user auth)
o openvpn: proper daemonize instead of background job
o openvpn: extract full CA chain for setup
o openvpn: m
19.1.106 Feb 2019 07:21
minor bugfix:
Here are the full patch notes:
o system: address XSS-prone escaping issues 1
o firewall: add port range validation to shaper inputs
o firewall: drop description validation constraints
o interfaces: DHCP override MTU option (contributed by Team Rebellion)
o interfaces: properly configure SIM PIN on custom modems
o reporting: prevent cleanup from deleting current data when future data exists
o ipsec: allow same local subnet if used in different phase 1 (contributed by Max Weller)
o openvpn: multiple client export fixes
o web proxy: add ESD files to Windows cache option (contributed by R-Adrian)
o plugins: os-acme-client 1.20 2
o plugins: os-dyndns fix for themed colours (contributed by Team Rebellion)
o plugins: os-etpro-telemetry 1.1 adds random delay to telemetry data send
o plugins: os-nginx 1.7 3
o plugins: os-rspamd reads DKIM keys via Redis (contributed by Garrod Alwood)
o plugins: os-theme-cicada 1.14 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.13 (contributed by Team Rebellion)
o ports: ca_root_nss 3.42.1
o ports: lighttpd 1.4.53 4
o ports: py-request 2.21.0 5
19.104 Feb 2019 09:45
major feature:
These are the most prominent changes since version 18.7:
o fully functional firewall alias API
o PIE firewall shaper support
o firewall NAT rule logging support
o 2FA via LDAP-TOTP combination
o WPAD / PAC and parent proxy support in the web proxy
o P12 certificate export with custom passwords
o Dpinger is now the default gateway monitor
o ET Pro Telemetry edition plugin 2
o extended IPv6 DUID support
o Dnsmasq DNSSEC support
o OpenVPN client export API
o Realtek NIC driver version 1.95
o HardenedBSD 11.2, LibreSSL 2.7
o Unbound 1.8, Suricata 4.1
o Phalcon 3.4, Perl 5.28
o firmware health check extended to cover all OS files, HTTPS mirror default
o updates are browser cache-safe regarding CSS and JavaScript assets
o collapsible side bar menu in the default theme
o language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
o API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat and Dnscrypt-proxy plugins
18.7.1008 Jan 2019 08:27
minor feature:
Here are the full patch notes:
o system: P12 certificate export now allows to specify a password
o system: allow plain IPv6 for LDAP and RADIUS host
o system: properly sort columns with size units in activity page
o system: remove references to "automatic" in HA help texts
o system: add option to only show temperature of one core in widget
o system: speed up isArraySequential()
o system: introduce configdp_run() variant
o system: assorted code cleanups
o interfaces: only show name servers offered by individual link in status page
o interfaces: DUID-LL generator fix (contributed by Team Rebellion)
o interfaces: show disabled and virtual interfaces in groups
o interfaces: change wireless page interface iterators
o interfaces: change LAGG page interface iterators
o interfaces: remove unused get_dns_servers()
o interfaces: assorted code cleanups
o firewall: fix an exception error in alias config read
o firewall: fix typo in outbound NAT destination help text
o firewall: rename "Localhost" to "Loopback" for clarity in virtual IP pages
o firewall: unify anti-lockout behaviour to match rules and GUI display
o firewall: switch to tokenizer for shaper source and destination fields
o firewall: fix alias utility issue when adding into empty alias
o firewall: correct alias name limit to 31 characters
o firewall: bring back auto-complete for nested aliases
o firewall: NAT rules on reflection for port forwards only when address exists on interface
o firewall: lower bogon download retry attempts to 3
o firewall: schedule JS code update
o captive portal: add setting to always send accounting requests
o captive portal: assorted code cleanups
o dhcp: DHCPv6 leases not always correctly displayed (contributed by Team Rebellion)
o dhcp: override IPv6 PD range fix (contributed by Team Rebellion)
o dhcp: switch subnet verification to new network interface retrieval
o firmware: individual error messages during base and kernel installation
o firmware: obsolete set usage has been removed, e
18.7.913 Dec 2018 07:45
minor feature:
Here are the full patch notes:
o system: allow setting alternative names on CSR
o system: add link-local routes with correct scope
o system: fix LDAP import button for Firefox
o system: assorted cleanups in HTML and PHP code
o interfaces: add note about CGN addresses included in private range
o interfaces: fix checksum disable for IPv6 TX / RX flags
o interfaces: multiple type DUID support (contributed by Team Rebellion)
o interfaces: properly read and write dhcp6c DUID binary file
o interfaces: do not read VLAN capabilities from nonexistent interfaces
o interfaces: removal of PEAR.inc from IPv6 address library
o interfaces: assorted cleanups in HTML and PHP code
o firewall: only suffix subnet alias entry when a network is expected
o firewall: default alias protocol to both IPv4 and IPv6
o firewall: fix validation of outbound NAT destination alias
o firewall: fix performance regression in get_alias_description()
o firewall: repair defunct "no nat proto carp all" rule
o firewall: limit type to CARP when checking for VIP VHID reuse
o firewall: refactor subnet retrieval in VIP deletion
o firewall: display VHID for IP alias in overview
o firewall: DHCPv6 outgoing firewall rule changed to "from (self)" to fix static setups
o firewall: rearranged outbound NAT bottom symbol hints (contributed by Team Rebellion)
o firewall: ignore empty values in alias migration (contributed by Frank Wall)
o firewall: assorted cleanups in HTML and PHP code
o captive portal: work around service boot ordering issue
o captive portal: change "onestop" to "stop" in backend action
o dnsmasq: add DNSSEC option
o dnsmasq: assorted cleanups in HTML and PHP code
o dhcp: show lease count in page heading
o dhcp: refactor IPv6 subnet read
o dhcp: fix DDNS IPv6 algorithm use
o dhcp: assorted cleanups in HTML and PHP code
o firmware: opnsense-version can now handle kernel, base and plugin metadata
o firmware: when pkg needs to be updated do not prompt for base and kernel set
o firmware: use embedded obso
18.7.823 Nov 2018 06:17
minor feature:
Here are the full patch notes:
o system: show the actual validation messages for NextCloud backup constraints
o system: LDAP import button primary colour and prevent default page submit
o system: add LDAP+TOTP authentication variant (2FA)
o system: avoid silent fatal error when LDAP OUs could not be retrieved
o system: avoid duplicated cookies on login page by not closing session
o system: allow to fully disable misc. reboot failsafe backups
o system: switch default argument for return_gateways_status()
o system: add "Synchronize config to backup" button to HA status page
o system: disable help text expand when backup fields have no help text
o system: sort user and group lists alphabetically
o interfaces: add CARP info to legacy_interfaces_details()
o interfaces: removal of find_interface_subnet() and find_interface_subnetv6()
o interfaces: introduce find_interface_network() and find_interface_networkv6()
o interfaces: refactor find_interface_ip() and find_interface_ipv6()
o interfaces: fix and use ipaddr6_ll return value in find_interface_ipv6_ll()
o firewall: extend outbound NAT address source and destination with networks
o firewall: fix save error when alias name contains an underscore
o firewall: do not set days or hours when update frequency is empty
o firewall: increase resolve() performance for aliases
o firmware: change packaging to be able to place files in the root directory
o reporting: fix possible division by zero in NetFlow aggregator
o dhcp: reorder arguments of function services_dhcpd_configure()
o dhcp: consolidate service probe of IPv6 and router advertisement daemons
o dhcp: fix clear hook on log file delete
o importer: make clear that /conf/config.xml is required for any import to take place
o monit: add quotes and timeout to custom program path (contributed by Frank Brendel)
o monit: add SSL options to mail server connection (contributed by Frank Brendel)
o network time: improve GPS status parsing
o openvpn: add remote address as route when s
18.7.708 Nov 2018 19:00
minor feature:
Here are the full patch notes:
o system: CVE-2018-18958 prevent restore of configuration of read-only user 1 (reported by brainrecursion)
o system: prevent related read-only user configuration manipulation for history and defaults pages
o system: prevent several creative ways to strip read-only privileges in the user and group manager
o system: allow wildcards in certificate subject alternative name
o system: avoid direct global access in routing setup
o system: do not offer root-only opnsense-shell to non-root users
o system: remove FreeBSD 10 password workaround
o interfaces: use pure jquery to avoid browser-specific behaviour
o interfaces: nonfunctional cleanups in backend and interface GUI configuration
o interfaces: clear the correct files IPv6 state files on interface down
o interfaces: wait for PPPoE to fully exit on interface down
o firewall: fix port alias conversion under new API
o firewall: missing filter reload for port alias types
o firewall: missing "other" type in VIP network expand
o firewall: disabled alias should leave us with an empty one
o firewall: category for "United States" moves from Pacific to America
o firewall: resolve outbound NAT interface address in kernel
o dhcp: only map enabled interfaces in IPv4 leases
o dhcp: interface iteration code cleanups
o dhcp: do not hand out IPv6 system DNS servers when Unbound or Dnsmasq are used
o dhcp: IPv6 PD in manual DHCPv6 case (contributed by Team Rebellion)
o dhcp: correctly merge prefix for IPv6 static leases in manual DHCPv6 case (contributed by Raimar Sandner)
o firmware: add log file for package manager output
o monit: use theme override for widget CSS (contributed by Fabian Franz)
o ntp: internal cleanup of function argument order
o rc: improvements in service startup scripting
o rc: print date and time after successful boot
o unbound: disable redirect type until fixed
o web proxy: fix typo in description of upload caps (contributed by Juan Manuel Carrillo Moreno)
o shell: stop router adve
18.7.629 Oct 2018 08:20
minor feature:
Here are the full patch notes:
o firewall: resolve interface address ":0" for port forwarding in kernel
o firewall: list action corrections (contributed by Thomas Bandixen)
o firewall: add support for the PIE shaper (contributed by Michael Muenz)
o firewall: migrate to new alias API including a new failsafe
o firewall: repair log widget for plugin themes
o interfaces: do not remove CARP addresses on link-down
o interfaces: get pfsync MTU from actual CARP interface
o interfaces: add backend call returning all interface data
o interfaces: partially rewrite ping, port and traceroute tools
o interfaces: improve IPv6 merging in make_ipv6_64_address()
o interfaces: use correct IPv6 interface where appropriate
o interfaces: replace get_configured_interface_list() usage
o interfaces: small refactoring around interface up and down code
o system: cleanups in utility and config functions
o captive portal: added connect action in API (contributed by zvs44)
o firmware: move build-time version information to core version file
o firmware: rename backend script "audit" to "security" for clarity
o ipsec: bring back service widget lost back in 2016
o monit: change status page to support easier CSS styling
o unbound: set up a full chroot including local log socket
o unbound: replace custom msort() function with standard function
o unbound: use correct IPv4 or IPv6 interface for address lookups
o webgui: use interfaces_addresses() for interface binding
o mvc: show an error message on failed model migrations
o mvc: refactor __items access via iterateItems()
o mvc: accept style keyword on all input types
o mvc: improved menu API endpoint integration
o plugins: os-bind adds 4 new blacklist providers (contributed by Michael Muenz)
o plugins: os-dyndns validates custom updates solely for URL input
o plugins: os-nginx 1.3 correctly sets upstream headers (contributed by Fabian Franz)
o plugins: os-theme-cicada 1.6 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.7 (contributed
18.7.519 Oct 2018 06:51
minor feature:
o system: add (de)select all option in LDAP importer
o firewall: keep previous content for URL alias on fetch error
o firewall: make schedule icon reflect current schedule state (contributed by framer99)
o firewall: toggle and migration fix for upcoming alias API
o firewall: round-robin limitation is for host alias outbound NAT only
o firewall: resolve network addresses in kernel for static routes bypass option
o firewall: do not clean up visible records when limit was not reached
o firewall: do not hardcode live log pass / block colours
o firewall: add live log direction icons
o firmware: shorten shaper name and assorted cleanups
o firmware: fix upgrade compatibility with FreeBSD 11.2
o firmware: use opnsense-version where appropriate
o firmware: correctly translate GUI buttons (contributed by Smart-Soft)
o dnsmasq: use more robust approach to interface binding
o ipsec: more secure phase 1 default settings (contributed by Michael Muenz)
o ipsec: support for multiple phase 1 DH groups and hashes
o openvpn: option to match CSO against common_name or login (contributed by Fabio Prina)
o unbound: fix usage of the remote control backend calls
o unbound: remove faulty "DHCP" label hint for IPv6 link-local registration option
o web proxy: several corrections for PAC template
o backend: fix CPU hogging when reading on already disconnected streams
o mvc: speed up parsing very large config files
o mvc: add single select constraint
o mvc: add UUID field to the result of addBase (contributed by CJ)
o ui: sidebar UX improvements (contributed by Team Rebellion)
o ui: use single guillemets for previous/next page
o plugins: os-acme-client /var MFS awareness
o plugins: os-cicada 1.5 (contributed by Team Rebellion)
o plugins: os-collectd 1.2 makes hostname override optional (contributed by Michael Muenz)
o plugins: os-dyndns 1.10 adds CloudFlare IPv6 support (contributed by Charles Ulrich)
o plugins: os-net-snmp 1.2 adds write access for users (contributed by Michael Muenz)
o plugin
18.7.428 Sep 2018 05:40
minor feature:
Here are the full patch notes:
o system: correctly unset DNS override allow setting when saving
o system: remove unused / default arguments from get_possible_listen_ips()
o system: note that HA disable preempt requires reboot (contributed by Michael Muenz)
o interfaces: add static IPv6 correctly when on top of PPPoE (contributed by Team Rebellion)
o interfaces: lower MTU via tracked IPv6 interface MTU
o interfaces: 6RD IPv4 prefix override is now prefix-only
o firewall: also show scheduler info in shaper status (contributed by Michael Muenz)
o firmware: introduce opnsense-version utility and fully template build metadata
o firmware: annotate HTTP(S) status in mirrors in descriptions
o firmware: avoid base upgrade error when /proc is mounted
o monit: change mail format field for alerts to text area (contributed by Frank Brendel)
o openssh: further tweak new interface bind approach introduced in 18.7.3
o openvpn: change abbreviated column title to "Bytes Received" (contributed by Andy Binder)
o web proxy: support WPAD / PAC (contributed by Fabian Franz)
o ui: minified sidebar improvements (contributed by Team Rebellion)
o ui: introduce cache_safe() to invalidate browser cache after updates
o plugins: os-dyndns wildcard support for Namecheap
o plugins: os-ntopng 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.2 allows "@" in username (contributed by Michael Muenz)
o plugins: os-relayd 2.3 fixes stuck scheduler value (contributed by Frank Brendel)
o plugins: os-snmp compatibility fixes for version detection and listen interface core changes
o plugins: os-theme-cidada 1.4 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.6 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.3 (contributed by Team Rebellion)
o plugins: os-tor 1.7 allows to enable directory page (contributed by Fabian Franz)
o plugins: os-upnp compatibility fixes for version detection core changes
o src: fix out-of-bounds read vulnerability in libarchive
o src: update
18.7.319 Sep 2018 07:27
minor feature:
Here are the full patch notes:
o system: gateways widget show/hide feature (contributed by Team Rebellion)
o system: select correct IPv6 default route when underlying IPv6 interface differs
o system: extended meta-matching for special characters in ACL patterns
o system: show last diff by default in configuration history page
o system: refactor password logic in user manager for clarity
o system: link-local listen IPv6 requires reading underlying IPv6 interface
o interfaces: avoid boot mismatch on several virtual plugin devices
o interfaces: list widget show/hide feature (contributed by Team Rebellion)
o interfaces: stats widget show/hide feature (contributed by Team Rebellion)
o interfaces: stop wireless software before bringing down the interfaces
o interfaces: fix selection issue for DHCPv6 PD "none" value
o interfaces: make "64" the page default for DHCPv6 PD
o interfaces: allow IPv4 address override in 6RD
o interfaces: fix 18.7.2 gateway read regression in 6RD
o interfaces: give each 6RD tracker a different IPv6 address
o dhcp: add DHCP Dynamic DNS key algorithm selection (contributed by Ingo Theiss)
o dhcp: correctly load DHCPv6 settings in manual tracking (contributed by Team Rebellion)
o dhcp: do not show lease actions if interface cannot be found
o dhcp: unhide DHCPv6 service when not using automatic PD
o dnsmasq: annotate that "all" is the recommended interface binding option
o importer: list all available ZFS pools (contributed by Smart-Soft)
o importer: do not try to unload ZFS on ZFS boot, sanely rejected anyway ;)
o importer: ZFS pools are now addressed as e.g. "zfs/zroot"
o importer: always loop until exit or successful import
o intrusion detection: source, destination, pass support in user rules (contributed by Michael Muenz)
o ipsec: change hash checkboxes in phase 2 to selectpicker
o openssh: change interface bind logic to only bind to currently available addresses
o openvpn: align status columns for client and P2P case (contributed by Andy Binde
18.7.207 Sep 2018 07:11
minor feature:
Here are the full patch notes:
o system: select correct network interface in case of IPv6 gateway lookups
o system: tighten system wizard ACL and menu registration
o system: do not wrap first column of log viewer (contributed by Alexander Graf)
o firewall: return alias types to repair its outbound NAT rule edit
o firewall: hide NAT redirect target port when port is not applicable
o firewall: alias API is now live on the development version and will migrate your aliases to the new format
o interfaces: allow explicit MTU to reach the 6RD device
o interfaces: remove use of adv_dhcp6_prefix_interface_statement_sla_id (contributed by Team Rebellion)
o interfaces: fix for DHCPv6 not being restarted for tracked interfaces (contributed by Team Rebellion)
o interfaces: fix adding interfaces LAN bug of translated web GUI (contributed by Werner Fischer)
o interfaces: remove incorrect display of prefix ID in help text for tracking configuration
o interfaces: add groups to interface details output
o interfaces: remove unused code and other nonfunctional cleanups
o interfaces: use "x" in the list widget for no carrier
o interfaces: hide global IPv6 address in list widget if DHCPv6 is set to use only a prefix
o dhcp: remove unused inputs from static mapping page
o dhcp: treat EFI BC the same as EFI x86-64 (contributed by andi-makandra)
o ipsec: add automatic key exchange option
o openvpn: fix /32 host validation logic
o openvpn: clean up control sockets prior to startup
o openvpn: align user authentication to use common_name as username
o mvc: add iterateItems() method to base field type to simplify call flow
o mvc: fix configd asList helper (contributed by Fabian Franz)
o mvc: add configd XML attributes to template parser
o ui: allow version query to match on main.css probing
o ui: footer cleanups and static page repairs where boxing was not correct
o ui: no minified version for tokenize2
o ui: fix table headers in dialogs (contributed by Fabian Franz)
o plugins: os-bind 1.1 add
18.7.122 Aug 2018 08:28
minor feature:
Here are the full patch notes:
o system: hide web server info from server tag
o system: fix group privileges edit menu hint
o system: add text area field to backup framework (contributed by Joao Vilaca)
o interfaces: use NIC preference for VLAN hardware filtering in default config
o interfaces: router advertisement and DHCPv6 configure fix (contributed by Team Rebellion)
o interfaces: fix PD when using DHCPv6 override on tracked interface
o firewall: toggle filter and NAT rules using checkboxes
o firewall: add state-policy if-bound option
o firewall: added logging for tracing internal rule generator
o firewall: fix ordering issue in port validation and disable
o firewall: fix disabled reject action icon display (contributed by framer99)
o captive portal: fix usage of vouchers and group with spaces in their names
o captive portal: hide web server info from server tag
o dnsmasq: fix listening behaviour on empty but set interface selection
o firmware: remove the 18.1 update fingerprint and pre-18.7 config file fallback
o firmware: do not show development version changelogs in releases
o intrusion detection: reworked rule selection
o ipsec: use selectpicker in mobile page
o ipsec: add Brainpool EC groups
o openvpn: do not remove client specific override files on disconnect
o openvpn: do not create v6 gateway if disabled
o shell: omit ":" from SSL fingerprint display
o unbound: fix menu access for overrides
o wizard: fix root password input
o backend: call shutdown before close in background daemon
o mvc: cause data from callback_ok to be passed through (contributed by Nicholas de Jong)
o mvc: minor glich in getFormData() we should ignore empty id fields
o mvc: do not offer internal interfaces in generic interface selector
o mvc: handle validations better by removing duplicate messages
o mvc: fix two glitches in new tokenize field handling
o mvc: add numeric field type
o rc: update php.ini include paths (contributed by Joao Vilaca)
o ui: fix spacing of containers in sta
18.701 Aug 2018 07:33
major feature:
These are the most prominent changes since version 18.1:
o improved WAN DHCPv6 and SLAAC connectivity and tracking
o functional IPv6 Rapid Deployment (6RD) support
o improved default route handling and gateway switching
o OpenVPN default setup improvements for IPv6 and RADIUS attribute support
o Dpinger gateway monitoring integration
o password policies for local authentication and coupled TOTP
o Monit core integration to eventually replace the legacy notifications
o OpenSSH access via group and shell selection instead of privilege
o pluggable backup framework with new Nextcloud option
o sytem tunables are now also used as loader tunables
o unrestricted VLAN usage for e.g. Xen
o QinQ interface removal
o firmware GUI speedup, improved error parsing and console reboot hint
o ZFS on root boot support (installer support is pending, but opnsense-bootstrap works)
o ZFS and MSDOS config import support
o ISC DHCP version moves from 4.3 to 4.4
o RRDtool version moves from 1.2 to 1.7
o rework rc.syshook facility to use drop-in directories instead of suffixes
o backports of FreeBSD 11.2 Intel NIC drivers
o stand-alone frontend UI development tools
o language updates for Czech, French, German, Portuguese (Brazil)
o UI header security and SSL cipher hardening
o extensive UI cleanups and menu consolidation
o new and rewritten plugins: os-cache, os-lcdproc-sdeclcd, os-net-snmp,
os-nut, os-openconnect, os-relayd 2.0, os-shadowsocks, os-theme-cicada,
os-theme-rebellion, os-theme-tukan, os-wol 2.0
18.1.1326 Jul 2018 14:40
minor feature:
Here are the full patch notes:
o system: restart syslog when interface bind addresses may have changed
o system: remove unused action_disable setting in gateway monitoring
o firmware: new mirror Dataroute (Dusseldorf, DE)
o ntp: typo in SiRF selection
o openvpn: translate validated field names
o rc: unset rcvar before evaluation (contributed by Nicholas de Jong)
o installer: give basic tip that GUI IP can be set in console after install (contributed by stilez)
o plugins: os-theme-cicada 1.2 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.2 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.1 (contributed by Team Rebellion)
o ports: suricata 4.0.5 1
18.1.1219 Jul 2018 05:50
minor feature:
Here is the full list of changes:
o system: improve local account expire cron job to also flush passwords and SSH keys
o system: show fingerprint in certificate details (contributed by Robin Schneider)
o system: fix NextCloud file name format (contributed by Fabian Franz)
o system: allow remote backup via cron command
o interfaces: allow /0 to /32 in 6rd and align prefix length calculation with effective prefix used
o firewall: do not trigger rules scheduling if scheduled rule is disabled
o firewall: allow to select external aliases
o firewall: ignore namelookup when no nameservers are configured
o dashboard: remove tooltips from CPU widgets (contributed by Team Rebellion)
o dashboard: add date to large CPU widget data
o firmware: add Aalborg University mirror
o intrusion detection: add missing classification category
o ipsec: add mutual RSA and EAP-MSCHAPv2 support
o wizard: make clear that "admin password" means "root password"
o ui: when JQuery Bootgrid rowselect is enabled the click event is triggered twice
o mvc: switch from the default _GET '_url' to _SERVER 'REQUEST_URI' and let Phalcon handle the routing
o mvc: dynamic urls regardless if you have a trailing slash or not (contributed by Max Orelus)
o mvc: multiselect may allow empty option, no need to give blank item too
o mvc: add support for application specific field types
o ui: top level menu item link pivots and security improvements (contributed by Max Orelus)
o plugins: os-net-snmp 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.1 (contributed by Michael Muenz)
o plugins: os-web-proxy-sso UI fixes (contributed by Smart-Soft)
18.1.1103 Jul 2018 08:29
minor feature:
Here are the full patch notes:
o system: enforce full password policy check for local passwords including TOTP
o system: add RFC 7919 DH parameter files for upcoming 18.7 feature
o system: add 3072-bit RSA key length options to certificates (contributed by Justin Coffman)
o system: move auto-cron jobs to plugin files
o interfaces: refactor reload handling around interfaces_configure()
o interfaces: allow private addresses in 6RD
o interfaces: check existence of "status" (contributed by Tian Yunhao)
o reporting: add NetFlow/Insight database force repair function
o dhcp: update from ISC version 4.3 to 4.4
o importer: allow ZFS import for upcoming 18.7 ZFS installer feature
o importer: allow import from simple MSDOS USB drives
o intrusion detection: add app detect rules (contributed by Michael Muenz)
o rc: suppress message of service not enabled on NetFlow backup
o rc: use exec in /etc/rc and /etc/rc.shutdown hooks
o rc: rework rc.syshook facility to be driven by directories and not suffixes
o unbound: remove defunct unbound_statistics() function
o plugins: os-postfix 1.4 advanced force recipient check (contributed by Michael Muenz)
o plugins: service start corrections for accompanying rc.syshook changes
o src: incorrect TLB shootdown for Xen-based guests 1
o src: lazy FPU state restore information disclosure 2
o src: enable usage of locate(1) utility
o ports: isc-dhcp 4.4.1 3
o ports: php 7.1.19 4
o ports: unbound 1.7.3 5
18.1.1026 Jun 2018 06:21
minor feature:
Here are the full patch notes:
o system: provide default for user language
o system: do not allow spaces in group names
o system: dpinger gateway monitor option (contributed by Team Rebellion)
o system: prepare for upcoming DH parameter regeneration feature
o system: Nextcloud backup support (contributed by Fabian Franz)
o system: userid 0 has trouble with s in redirects, use d instead
o system: QR code quiet zone support 1
o system: add selectpicker style where previously missing
o firmware: allow both origin.conf and OPNsense.conf to be used for repository setup
o firmware: exclude password database files from base update as it breaks sudo
o interfaces: clean up reload structure for single interfaces
o interfaces: remove unused interface reload script
o interfaces: simplify semantics of link_interface_to_track6()
o interfaces: assorted cleanups in the code
o firewall: add enable flag to shaper rules
o firewall: improve parsing speed of firewall log
o firewall: fix wrong alias reference in outbound rules
o firewall: generate ipfw comments for debugging (contributed by Robin Schneider)
o firewall: move color settings from schedules to theme (contributed by Fabian Franz)
o intrusion detection: correct typo in CSS
o openvpn: raise default DH parameter to 2048 bit
o console: pass output of stop scripts to user during halt/reboot
o console: clarify that installer is for installing when SSH is off also
o rc: change NetFlow backup to only stop/start when needed
o rc: backup and restore via XML files again
o rc: slightly refactor halt/reboot/shutdown
o rc: break out config stop script
o rc: simplify configctl plumbing
o ui: add country flags for upcoming changes in GeoIP handling
o ui: trigger onChange event to support custom hooks in form post
o ui: change multi-select default from tokenizer to selectpicker
o ui: add support for custom separators in select items
o plugins: test for template scripts before executing them
o plugins: os-acme-client fixes password field
18.1.901 Jun 2018 14:29
minor feature:
Here is the full list of changes:
o firewall: advanced option to reset states on IPv4 change
o interfaces: rename wancfg to lancfg in tracking code
o interfaces: further simplifications for dhclient usage
o reporting: add logging to database repair stage
o reporting: Insight click event issue
o system: use uppercase gateway names for compatibility
o system: gateway alert script always returns true
o system: align static ACL check with MVC variant
o system: pluggable backup support
o system: configurable user landing pages
o system: safety belt for password policy check
o wizard: add missing element IDs to fix scripting issues
o firmware: parse and return to be removed packages for update summary
o firmware: release type change properly updates the repository and summary
o firmware: extended settings can now be registered via XML files
o firmware: return repository errors in greater detail (4 new error types)
o firmware: make returned backend JSON a bit more human-readable
o firmware: fix leak of base/kernel update info on package manager updates
o firmware: refactor package manager update summary parsing for speed
o firmware: add and use API for major upgrades
o dhcp: fix unwanted name-server write in v6
o dhcp: ldap-server does not exist in v6
o intrusion detection: update classification.config
o intrusion detection: optional fast log to syslog
o ipsec: set ignore_acquire_ts to allow ASA compatibility
o ipsec: add ike_name to syslog output
o openvpn: improve validation between TCP, TCP4, TCP6, UDP, UDP4 and UDP6
o console: manual pages for opnsense-importer and opnsense-installer
o console: let opnsense-installer set up an early runtime environment
o console: show firmware reboot hint prior to update when applicable
o console: longer timeout for opnsense-importer invoke on first boot
o console: proper return values for opnsense-importer in edge cases
o mvc: support multiple directories for detached UI development
o mvc: add AddressFamily option to NetworkField
o
18.1.822 May 2018 07:24
minor feature:
Here are the full patch notes:
o system: improve VLAN console assignment handling
o system: move backup crypto code to the only page using it
o system: improve validation for web GUI related settings
o system: split off monitor reload for upcoming dpinger integration
o system: default route handler skips an already active default route
o system: default route handler purges hint files only when switching to a newer route
o system: default gateway switching uses the standard default route handler
o system: properly add LDAP picker to ACL
o system: properly unset password expired message after password change
o interfaces: clear up use IPv4 connectivity and fix several typos
o interfaces: parse and report tunnel data
o interfaces: move dhclient-script to proper location
o interfaces: allow SLAAC to latch on to IPv4 link
o reporting: add destination address in Insight detail search
o dhcp: fix labels of services to align with menu
o dhcp: domain-search-list usage was removed in 2012
o ipsec: rewrite resolve_retry() for its only use case
o ipsec: improve RADIUS secret escaping (contributed by Rafael Cano)
o ipsec: fix missing disable of DH group setting
o router advertisements: correctly merge DNS server arrays
o router advertisements: fix DNSSL settings
o router advertisements: fix duplicated subnet statements
o openssh: also use static interface IP addresses to listen on explicitly
o unbound: allow wildcard host entry (contributed by Eugen Mayer)
o webgui: also use static interface IP addresses to listen on explicitly
o backend: improve escaping of passed parameters
o ui: correct heigh of the login title bar
o ui: unify the label printing of interfaces
o ui: refactor script match for help messages
o rc: ZFS boot awareness
o plugins: os-cache 1.0 is an optional web server cache for the GUI/API
o plugins: os-debug 1.3 now holds its own PHP settings
o plugins: os-nut 1.0 (contributed by Michael Muenz)
o plugins: os-snmp 1.3 improves handling of interface binding
o plugi
18.1.704 May 2018 05:48
minor feature:
Here are the full patch notes:
o system: validate pfsync peer as IPv4-only
o system: flip order of arguments for system_routing_configure()
o system: convert cron to mutable model controller
o system: convert routing to mutable model controller
o system: log table header cleanup
o system: more aggressive factory reset and shut down after completion
o system: remove duplicate addresses before binding web GUI and OpenSSH
o system: fix Framed-Route parsing for RADIUS authentication
o system: properly translate save message on user language change
o interfaces: PPPoE link down script improvements
o interfaces: emit prefix-interface for trackers in advanced DHCPv6 configurations
o interfaces: DHCPv6 configuration creation breakout (contributed by Team Rebellion)
o interfaces: SIGHUP reload for dhcp6c (contributed by Team Rebellion)
o interfaces: wait for dhcp6c to be stopped by pending apply
o interfaces: only reconfigure VLAN interface after edit when necessary
o interfaces: create IPv4 and IPv6 tunnel gateways for GIF/GRE when the setup allows it
o interfaces: remove unused flush argument from various functions
o interfaces: fixed creation of GIF/GRE tunnel with an outer IPv6 remote address (contributed by Christoph Engelbert)
o interfaces: fixed router advertisement setup of former static but now tracking interface (contributed by Christoph Engelbert)
o interfaces: remove obsolete address requirement for CARP VIPs
o interfaces: back out get_dyndns_ip() IPv6 online detection and properly propagate a lookup error
o interfaces: no more spurious redirection for dhclient invoke
o firewall: remove a side effect from filter_delete_states_for_down_gateways()
o firewall: adjust maximum table entries for error-free bogonsv6 usage
o firewall: add buckets option to traffic shaper
o firewall: update help text for port ranges (contributed by Michael Muenz)
o power: power off modal to indicate that the GUI is no longer responsive
o captive portal: add traffic data and IP address
18.1.610 Apr 2018 07:14
minor feature:
Here are the full patch notes:
o system: reverse reload order for gateway switching on OpenVPN
o system: implement password policies for local accounts
o system: separate web GUI and configd log files
o system: add syslog and login service visibility
o system: show root as disabled in user manager if disabled
o interfaces: no longer restrict VLAN driver capability
o firewall: switch back to old NAT auto-outbound behaviour
o firewall: reload schedules 1 minute later
o firewall: filter descriptions option does no longer exist
o firewall: updated anti-lockout link (contributed by Michael Muenz)
o firewall: fix help text in shaper masks (contributed by Michael Muenz)
o firewall: add delay option to pipe in shaper (contributed by Michael Muenz)
o reporting: add insight aggregator to service list
o dashboard: large CPU usage widget (contributed by Team Rebellion)
o dhcp: fix display of DUID in IPv6 leases
o firmware: let opnsense-patch apply chmod even in partially failed patches
o firmware: let opnsense-code fetch all remotes as well as prune them
o intrusion detection: provide custom.yaml for user edits
o web proxy: fix pid file pointer for service status probe
o ui: help data-for attribute (contributed by NOYB)
o ui: reversed zebra redraw on static page mobile forms
o ui: cleanup for unused classes in static pages
o mvc: add constraint type for dependent fields
o plugins: merge rc.plugins_configure code into pluginctl
o plugins: os-c-icap 1.5_1 service controller fix (contributed by Fabian Franz)
o plugins: os-frr 1.3 adds BGP for IPv6 (contributed by Michael Muenz)
o plugins: os-lcdproc-sdeclcd 1.0 release adds LCD usage to Lanner/Watchguard Firebox
o plugins: os-monit 1.7 fixes compatibility with UI rework
o plugins: os-rspamd 1.2 allows to specify bad file extensions (contributed by Fabian Franz and Michael Muenz)
o plugins: os-shadowsocks 1.0 release (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.0 release (contributed by Team Rebellion)
o plugins:
18.1.522 Mar 2018 07:05
minor feature:
Here are the full patch notes:
o system: optional prefix Google Drive backups with host and domain name
o system: also render tunables in loader.conf to obsolete loader.conf.local editing
o interfaces: allow /127, /128 and /32 static IP address configurations everywhere
o interfaces: improve logging and assorted cleanups (contributed by Team Rebellion)
o interfaces: ignore dynamic linkup events for unassigned interfaces
o interfaces: hide previously assigned interfaces from bridges
o interfaces: allow all IPv6 prefixes from 48 to 64 for DHCPv6 mode
o firewall: add VIP gateway option for PPPoE interfaces
o firewall: add update interval option to log widget (contributed by NOYB)
o firewall: respect mask in traffic shaper queue config (contributed by Michael Muenz)
o firmware: fix opnsense-code for src.git and ABI probing
o firmware: fix opnsense-patch file permission apply for plugins
o intrusion detection: support request headers in ruleset metadata
o openvpn: switch status to version 3 to avoid wrong parsing of commas
o openvpn: parse all states to retrieve all relevant connection status info
o captive portal: exclude "I" from simplified voucher character set for clarity
o plugins: os-lldpd 1.1 adds interface selection (contributed by Michael Muenz)
o plugins: os-monit 1.6 fixes file path validation (contributed by Frank Brendel)
o plugins: os-postfix 1.1 adds smart host and SMTP authentication (contributed by Michael Muenz)
o plugins: os-tinc 1.3 corrects host port usage (contributed by DasTestament)
o plugins: os-tor 1.6 adds IPv6 and exit settings (contributed by Gijs Peskens)
o ui: update tokenizer to 2.6, visual tweaks and blur-add
o ui: buttons for services control in MVC (contributed by Smart-Soft)
o src: reinitialize IP header length after checksum calculation 1
o src: fix IPsec validation and use-after-free 2
o src: update timezone database information 3
o src: update file(1) to new version with security update 4
o src: add mitigations for two classes
18.1.412 Mar 2018 07:20
minor feature:
Here are the full patch notes:
o system: improved default route handling
o system: improved gateway switching
o system: cleanse username on LDAP import
o system: increase maximum size of firmware reports
o firewall: shaper backend refactor
o interfaces: improved reconfigure phase
o reporting: fix sporadic "non-numeric value encountered" error
o captive portal: add voucher expiry (contributed by Stephanowicz)
o intrusion detection: use latest ET Open rules for Suricata version 4
o intrusion detection: proper syslog with drops, requires log file reset
o intrusion detection: backend refactor
o plugins: os-frr 1.2 adds OSPF interface type (contributed by Marius Halden)
o plugins: os-haproxy 2.6 1 (contributed by Frank Wall)
o ports: isc-dhcp 4.3.6P1 2
o ports: krb5 1.16 3
o ports: pkg 1.10.5
o ports: strongswan 5.6.2 4
18.1.305 Mar 2018 12:00
minor feature:
Here are the full patch notes:
o system: account for variable headers in top output
o system: move gateway status into main pages
o system: slightly reorder routing configuration calls
o system: optimize reading of SSL crypto library version string (contributed by Alexander Shursha)
o system: rework LDAP authentication container selection
o interfaces: avoid interaction of overview details with menu items
o interfaces: allow "reject leases from" option in DHCP advanced settings
o firewall: set alias cron update interval to 1 minute
o firewall: align alias cron update with its background call
o firewall: URL IP alias type missing in selections
o firewall: fix defunct alias target in outbound NAT
o firewall: ignore alias case while searching
o firewall: move rule category filter to the top of the page
o firewall: show IPv6 ports in live log and fix details for TCP
o firewall: move general settings to AliasParser and fix Alias constructor to receive them
o firewall: if the name of the alias equals its content try to resolve
o dhcp: advertisement problem on PPPoE link without public IPv6 address (contributed by Team Rebellion)
o dhcp: UEFI 64 network boot using wrong arch type
o dhcp: validate maximum interface MTU
o dhcp: add validation for DUID fields
o ipsec: auto-route disable setting (contributed by Namezero)
o network time: inline NMEA checksum calculator (contributed by Fabian Franz)
o network time: fix stratum level write
o unbound: optimize outgoing-range differently
o unbound: local zone setting (contributed by NOYB)
o ui: fix cropped dropdown regression
o mvc: translate option values (contributed by Alexander Shursha)
o mvc: fix access to undefined property translator
o mvc: fix typo in getBase()
o mvc: improve phpdoc
o rc: protect console menu again, but keep shell invoke for rc.d subsystem
o rc: fix some typos (contributed by John Eismeier)
o rc: proper includes for plugin post-install hook
o rc: recover all known shells
o plugins: os-clamav 1.5 fixes log
18.1.208 Feb 2018 18:20
minor feature:
Here are the full patch notes:
o system: avoid default route from disappearing when no manual gateways are set
o firewall: fix outbound NAT for OpenVPN interfaces
o interfaces: multiple overview page improvements (contributed by NOYB)
o firmware: revoke 17.7 update fingerprint
o console: check for root invoke in importer, installer and console menu
o intrusion detection: always show schedule tab
o intrusion detection: log first drop of a flow
o intrusion detection: add a log file viewer
o unbound: add num-queries-per-thread option values for 4096 and 8192
o ui: remove chrome=1 from X-UA-Compatible meta element (contributed by NOYB)
o ui: HTML compliance for attribute "type" on script element (contributed by NOYB)
o ui: HTML compliance for "navigation" "role" on nav element (contributed by NOYB)
o ui: checkbox and radio button label children tweaks (contributed by NOYB)
o ui: break help text on small screens
o ui use pluggable locations for theme files
o ui: remove table-responsive padding on small screens
o ui: user-scalable viewport (contributed by NOYB)
o mvc: CRUD functions for mutable model controller (contributed by Fabian Franz)
o plugins: os-frr 1.0 with CRUD refactor (contributed by Fabian Franz)
o plugins: os-tor 1.5 with CRUD refactor (contributed by Fabian Franz)
o ports: phalcon 3.3.1
o ports: php 7.1.14
18.1.102 Feb 2018 18:19
minor feature:
Here are the full patch notes:
o firewall: ignore target port alias in port forwards when it equals the destination
o firewall: align outbound NAT address output to edit page
o firewall: use first region for country in GeoIP category instead of last one
o system: improve layout of gateway status labels (contributed by Fabian Franz)
o system: improve order of group / user setup as "wheel" was not added correctly on save
o dashboard: touch device improvements in widgets (contributed by NOYB)
o opendns: always refresh the setting on save
o openvpn: open links in a new tab (contributed by Fabian Franz)
o ui: system-wide HTML compliance improvements (contributed by NOYB)
o plugins: arp-scan 1.1 improves interface search (contributed by Giuseppe De Marco)
o plugins: os-dyndns 1.6 fixes Route 53 IPv6 usage (contributed by theq86)
o plugins: os-freebsd 1.5.2 clarifies certificate validation (contributed by Michael Muenz)
o plugins: os-openconnect 1.0 (contributed by Michael Muenz)
o plugins: os-rfc2136 1.2 improves widget load
o plugins: os-telegraf 1.3.1 adds ping hosts and graphite validation fix (contributed by Michael Muenz)
o plugins: os-rspamd 1.1 fixes typos (contributed by Fabian Franz)
o plugins: os-zerotier 1.3.1 makes database persist on /var MFS (contributed by David Harrigan)
o ports: curl 7.58.0 1
o ports: py27-cryptography 2.1.4
18.102 Feb 2018 18:18
minor feature:
These are the most prominent changes since version 17.7:
o FreeBSD 11.1, PHP 7.1 and jQuery 3 migration
o Realtek vendor NIC driver version 1.94
o Portable NAT before IPsec support
o Local group restriction feature in OpenVPN and IPsec
o OpenVPN multi-remote support for clients
o Strict interface binding for SSH and web GUI
o Improved MVC tabs and general page layout
o Shared forwarding now works on IPv6, in conjunction with "try-forwarding" and improved reply-to multi-WAN behaviour
o Easy-to-use update cache support for Linux and Windows in web proxy
o Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)
o Revamped HAProxy plugin with introduction pages
o Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status
o Alias backend rewrite for future extensibility
o Plugin-capable firewall NAT rules
o Migration of system routes UI and backend to MVC (also available via API)
o Reverse DNS support for insight reporting (also available via API)
o Fully rewritten firewall live log in MVC (also available via API)
o New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, node_exporter
17.7.1219 Jan 2018 06:18
minor feature:
Here are the full patch notes:
o system: use correct crypto library to gather GUI SSL ciphers
o system: do not wrap action buttons in tunables page
o system: fix CA serial number decrement on save
o firmware: remove the discontinued hotfix backend support
o firmware: allow dot in package name during package action
o firmware: remove defunct mirrors
o interfaces: make level of detail stick in packet capture
o interfaces: auto-lock problematic interfaces upon assignment
o firewall: make NAT reflection enable less ambiguous
o firewall: fix NAT formatting in states dump page
o network time: fix for valid negative offset in health graph
o network time: OPNsense NTP pool is now available
o network time: fix parsing of overly overlong lines
o web proxy: use PID file instead of daemon name for status probe
o wizard: add unbound to wizard and uncheck DNSSEC by default
o ui: HTML compliance fixes button in link usage (contributed by NOYB)
o mvc: added mutable service controller
o mvc: added sub-tab layout partials
o mvc: do not render empty toggle header
o plugins: acme-client 1.13 1 (contributed by Frank Wall)
o plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)
o plugins: helloworld 1.4
o plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)
o plugins: tor 1.4 adds contact info (contributed by Fabian Franz)
o plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)
o ports: libressl 2.6.4 2
o ports: php 7.1.13 3
17.7.1122 Dec 2017 10:12
minor feature:
Here are the full patch notes:
o system: numerical sort for "Use" and "MTU" columns in route diagnostics
o system: gateway group edit tier selection issue with jQuery3
o system: minor cleanups in the certificates backend
o firewall: move anti-lockout rule to advanced settings
o interfaces: minor cleanups in the backend
o reporting: rework configuration handling on the settings page
o dnsmasq: minor cleanups in the backend
o firmware: strip the architecture from the base / kernel set version display
o firmware: backend preparations for full base / kernel set lock and reinstall
o firmware: increase crash report file limit to 2 MB
o ipsec: minor cleanups in the backend
o unbound: register DHCP domain name for interface if found
o network time: show full remote address and fix page boxing on status page
o network time: add advanced custom options
o network time: fix leap second save
o network time: minor cleanups in the backend
o wizard: properly redirect on input errors in system wizard
o mvc: ignore client-side anchors in breadcrumb generation
o ui: do not use a CSRF input element ID
o plugins: os-freeradius 1.4.1 fixes a warning in clients (contributed by Michael Muenz)
o ports: libxml 2.4.7 1
o ports: py-ipaddress 1.0.19
17.7.1018 Dec 2017 10:56
minor feature:
Here are the full patch notes:
o system: allow user-based language setting through Lobby: Password
o system: allow strict interface binding for OpenSSH
o system: prepare for MVC-based routing pages
o firmware: prepare for production / development release type selection
o firewall: fix a PHP warning when no user rules are installed
o firewall: add refresh button to table diagnostics page
o captive portal: fix chroot regression since lighttpd web server update in 17.7.9
o interfaces: provide a link-local IPv6 when asking for addresses
o intrusion detection: sync port-groups to default template
o ipsec: upgrade vici lib to match strongSwan package
o network time: fix a PHP warning during NMEA deselect
o mvc: do not throw disabled errors in handler
o plugins: os-dyndns 1.4_1 fixes issue with Namecheap error parsing
o plugins: os-freeradius 1.4.0 adds log viewer and fixes users write (contributed by Michael Muenz)
o plugins: os-quagga 1.4.3 adds OSPF firewall rule and spinners for save (contributed by Fabian Franz)
o src: OpenSSL multiple vulnerabilities 1 2
o ports: hyperscan 4.6.0 3
o ports: openssl 1.0.2n 4
o ports: suricata 4.0.3 5
Two plugin hotfixes have been additionally issued:
o plugins: os-quagga 1.4.3_1 fixes service startup regression
o plugins: os-rfc2136 1.1_1 fixes edit button in IE 11
17.7.907 Dec 2017 16:29
minor feature:
Here are the full patch notes:
o system: fix XSS with crafted certificates in certificate manager 1
o system: removed duplicated firmware privileges
o system: fix resolving routes in diagnostics page
o system: regenerated DH parameters
o dhcp: support stateless DHCPv6
o firmware: kernel and base set visibility and better API session handling
o intrusion detection: improve download and install speed of et-open rules
o intrusion detection: add TLS and HTTP logging in eve and alert log viewer
o openvpn: allow remote network in peer to peer modes
o web proxy: better service and API session handling
o router advertisements: advertise on VIPs belonging to the same interface
o configd: allow template overrides via optional target directory
o mvc: prepare for use-based language setting (contributed by Alexander Shursha)
o mvc: prepare for auto-generated page titles
o mvc: tighten against frame-based attacks
o mvc: correctly hide advanced option headers in forms (contributed by Evgeny Bevz)
o ui: fix for deactivated storage in sticky "help all" toggle (contributed by Fabian Franz)
o ui: make "advanced mode" sticky too
o plugins: os-acme-client 1.12 2 (contributed by Frank Wall)
o plugins: os-arp-scan (contributed by Giuseppe De Marco)
o plugins: os-clamav 1.3 (contributed by Alexander Shursha)
o plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed by Kuo-Cheng Yeu)
o plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)
o plugins: os-haproxy 2.0 3 (contributed by Frank Wall)
o plugins: os-relayd 1.2 fixes "check send" directive
o plugins: os-tor 1.3 (contributed by Fabian Franz)
o plugins: os-zabbix-agent 1.2 fixes service status indicator
o plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)
o ports: ca_root_nss 3.34.1
o ports: curl 7.57.0 4
o ports: lighttpd 1.4.48 5
o ports: php 7.1.12 6
o ports: pkg 1.10.3 7
o ports: py-Jinja2 2.10 8
o ports: syslogd 11.1
Homepage
Download