Recent Releases
18.7.913 Dec 2018 07:45
minor feature:
Here are the full patch notes:
o system: allow setting alternative names on CSR
o system: add link-local routes with correct scope
o system: fix LDAP import button for Firefox
o system: assorted cleanups in HTML and PHP code
o interfaces: add note about CGN addresses included in private range
o interfaces: fix checksum disable for IPv6 TX / RX flags
o interfaces: multiple type DUID support (contributed by Team Rebellion)
o interfaces: properly read and write dhcp6c DUID binary file
o interfaces: do not read VLAN capabilities from nonexistent interfaces
o interfaces: removal of PEAR.inc from IPv6 address library
o interfaces: assorted cleanups in HTML and PHP code
o firewall: only suffix subnet alias entry when a network is expected
o firewall: default alias protocol to both IPv4 and IPv6
o firewall: fix validation of outbound NAT destination alias
o firewall: fix performance regression in get_alias_description()
o firewall: repair defunct "no nat proto carp all" rule
o firewall: limit type to CARP when checking for VIP VHID reuse
o firewall: refactor subnet retrieval in VIP deletion
o firewall: display VHID for IP alias in overview
o firewall: DHCPv6 outgoing firewall rule changed to "from (self)" to fix static setups
o firewall: rearranged outbound NAT bottom symbol hints (contributed by Team Rebellion)
o firewall: ignore empty values in alias migration (contributed by Frank Wall)
o firewall: assorted cleanups in HTML and PHP code
o captive portal: work around service boot ordering issue
o captive portal: change "onestop" to "stop" in backend action
o dnsmasq: add DNSSEC option
o dnsmasq: assorted cleanups in HTML and PHP code
o dhcp: show lease count in page heading
o dhcp: refactor IPv6 subnet read
o dhcp: fix DDNS IPv6 algorithm use
o dhcp: assorted cleanups in HTML and PHP code
o firmware: opnsense-version can now handle kernel, base and plugin metadata
o firmware: when pkg needs to be updated do not prompt for base and kernel set
o firmware: use embedded obso
18.7.823 Nov 2018 06:17
minor feature:
Here are the full patch notes:
o system: show the actual validation messages for NextCloud backup constraints
o system: LDAP import button primary colour and prevent default page submit
o system: add LDAP+TOTP authentication variant (2FA)
o system: avoid silent fatal error when LDAP OUs could not be retrieved
o system: avoid duplicated cookies on login page by not closing session
o system: allow to fully disable misc. reboot failsafe backups
o system: switch default argument for return_gateways_status()
o system: add "Synchronize config to backup" button to HA status page
o system: disable help text expand when backup fields have no help text
o system: sort user and group lists alphabetically
o interfaces: add CARP info to legacy_interfaces_details()
o interfaces: removal of find_interface_subnet() and find_interface_subnetv6()
o interfaces: introduce find_interface_network() and find_interface_networkv6()
o interfaces: refactor find_interface_ip() and find_interface_ipv6()
o interfaces: fix and use ipaddr6_ll return value in find_interface_ipv6_ll()
o firewall: extend outbound NAT address source and destination with networks
o firewall: fix save error when alias name contains an underscore
o firewall: do not set days or hours when update frequency is empty
o firewall: increase resolve() performance for aliases
o firmware: change packaging to be able to place files in the root directory
o reporting: fix possible division by zero in NetFlow aggregator
o dhcp: reorder arguments of function services_dhcpd_configure()
o dhcp: consolidate service probe of IPv6 and router advertisement daemons
o dhcp: fix clear hook on log file delete
o importer: make clear that /conf/config.xml is required for any import to take place
o monit: add quotes and timeout to custom program path (contributed by Frank Brendel)
o monit: add SSL options to mail server connection (contributed by Frank Brendel)
o network time: improve GPS status parsing
o openvpn: add remote address as route when s
18.7.708 Nov 2018 19:00
minor feature:
Here are the full patch notes:
o system: CVE-2018-18958 prevent restore of configuration of read-only user 1 (reported by brainrecursion)
o system: prevent related read-only user configuration manipulation for history and defaults pages
o system: prevent several creative ways to strip read-only privileges in the user and group manager
o system: allow wildcards in certificate subject alternative name
o system: avoid direct global access in routing setup
o system: do not offer root-only opnsense-shell to non-root users
o system: remove FreeBSD 10 password workaround
o interfaces: use pure jquery to avoid browser-specific behaviour
o interfaces: nonfunctional cleanups in backend and interface GUI configuration
o interfaces: clear the correct files IPv6 state files on interface down
o interfaces: wait for PPPoE to fully exit on interface down
o firewall: fix port alias conversion under new API
o firewall: missing filter reload for port alias types
o firewall: missing "other" type in VIP network expand
o firewall: disabled alias should leave us with an empty one
o firewall: category for "United States" moves from Pacific to America
o firewall: resolve outbound NAT interface address in kernel
o dhcp: only map enabled interfaces in IPv4 leases
o dhcp: interface iteration code cleanups
o dhcp: do not hand out IPv6 system DNS servers when Unbound or Dnsmasq are used
o dhcp: IPv6 PD in manual DHCPv6 case (contributed by Team Rebellion)
o dhcp: correctly merge prefix for IPv6 static leases in manual DHCPv6 case (contributed by Raimar Sandner)
o firmware: add log file for package manager output
o monit: use theme override for widget CSS (contributed by Fabian Franz)
o ntp: internal cleanup of function argument order
o rc: improvements in service startup scripting
o rc: print date and time after successful boot
o unbound: disable redirect type until fixed
o web proxy: fix typo in description of upload caps (contributed by Juan Manuel Carrillo Moreno)
o shell: stop router adve
18.7.629 Oct 2018 08:20
minor feature:
Here are the full patch notes:
o firewall: resolve interface address ":0" for port forwarding in kernel
o firewall: list action corrections (contributed by Thomas Bandixen)
o firewall: add support for the PIE shaper (contributed by Michael Muenz)
o firewall: migrate to new alias API including a new failsafe
o firewall: repair log widget for plugin themes
o interfaces: do not remove CARP addresses on link-down
o interfaces: get pfsync MTU from actual CARP interface
o interfaces: add backend call returning all interface data
o interfaces: partially rewrite ping, port and traceroute tools
o interfaces: improve IPv6 merging in make_ipv6_64_address()
o interfaces: use correct IPv6 interface where appropriate
o interfaces: replace get_configured_interface_list() usage
o interfaces: small refactoring around interface up and down code
o system: cleanups in utility and config functions
o captive portal: added connect action in API (contributed by zvs44)
o firmware: move build-time version information to core version file
o firmware: rename backend script "audit" to "security" for clarity
o ipsec: bring back service widget lost back in 2016
o monit: change status page to support easier CSS styling
o unbound: set up a full chroot including local log socket
o unbound: replace custom msort() function with standard function
o unbound: use correct IPv4 or IPv6 interface for address lookups
o webgui: use interfaces_addresses() for interface binding
o mvc: show an error message on failed model migrations
o mvc: refactor __items access via iterateItems()
o mvc: accept style keyword on all input types
o mvc: improved menu API endpoint integration
o plugins: os-bind adds 4 new blacklist providers (contributed by Michael Muenz)
o plugins: os-dyndns validates custom updates solely for URL input
o plugins: os-nginx 1.3 correctly sets upstream headers (contributed by Fabian Franz)
o plugins: os-theme-cicada 1.6 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.7 (contributed
18.7.519 Oct 2018 06:51
minor feature:
o system: add (de)select all option in LDAP importer
o firewall: keep previous content for URL alias on fetch error
o firewall: make schedule icon reflect current schedule state (contributed by framer99)
o firewall: toggle and migration fix for upcoming alias API
o firewall: round-robin limitation is for host alias outbound NAT only
o firewall: resolve network addresses in kernel for static routes bypass option
o firewall: do not clean up visible records when limit was not reached
o firewall: do not hardcode live log pass / block colours
o firewall: add live log direction icons
o firmware: shorten shaper name and assorted cleanups
o firmware: fix upgrade compatibility with FreeBSD 11.2
o firmware: use opnsense-version where appropriate
o firmware: correctly translate GUI buttons (contributed by Smart-Soft)
o dnsmasq: use more robust approach to interface binding
o ipsec: more secure phase 1 default settings (contributed by Michael Muenz)
o ipsec: support for multiple phase 1 DH groups and hashes
o openvpn: option to match CSO against common_name or login (contributed by Fabio Prina)
o unbound: fix usage of the remote control backend calls
o unbound: remove faulty "DHCP" label hint for IPv6 link-local registration option
o web proxy: several corrections for PAC template
o backend: fix CPU hogging when reading on already disconnected streams
o mvc: speed up parsing very large config files
o mvc: add single select constraint
o mvc: add UUID field to the result of addBase (contributed by CJ)
o ui: sidebar UX improvements (contributed by Team Rebellion)
o ui: use single guillemets for previous/next page
o plugins: os-acme-client /var MFS awareness
o plugins: os-cicada 1.5 (contributed by Team Rebellion)
o plugins: os-collectd 1.2 makes hostname override optional (contributed by Michael Muenz)
o plugins: os-dyndns 1.10 adds CloudFlare IPv6 support (contributed by Charles Ulrich)
o plugins: os-net-snmp 1.2 adds write access for users (contributed by Michael Muenz)
o plugin
18.7.428 Sep 2018 05:40
minor feature:
Here are the full patch notes:
o system: correctly unset DNS override allow setting when saving
o system: remove unused / default arguments from get_possible_listen_ips()
o system: note that HA disable preempt requires reboot (contributed by Michael Muenz)
o interfaces: add static IPv6 correctly when on top of PPPoE (contributed by Team Rebellion)
o interfaces: lower MTU via tracked IPv6 interface MTU
o interfaces: 6RD IPv4 prefix override is now prefix-only
o firewall: also show scheduler info in shaper status (contributed by Michael Muenz)
o firmware: introduce opnsense-version utility and fully template build metadata
o firmware: annotate HTTP(S) status in mirrors in descriptions
o firmware: avoid base upgrade error when /proc is mounted
o monit: change mail format field for alerts to text area (contributed by Frank Brendel)
o openssh: further tweak new interface bind approach introduced in 18.7.3
o openvpn: change abbreviated column title to "Bytes Received" (contributed by Andy Binder)
o web proxy: support WPAD / PAC (contributed by Fabian Franz)
o ui: minified sidebar improvements (contributed by Team Rebellion)
o ui: introduce cache_safe() to invalidate browser cache after updates
o plugins: os-dyndns wildcard support for Namecheap
o plugins: os-ntopng 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.2 allows "@" in username (contributed by Michael Muenz)
o plugins: os-relayd 2.3 fixes stuck scheduler value (contributed by Frank Brendel)
o plugins: os-snmp compatibility fixes for version detection and listen interface core changes
o plugins: os-theme-cidada 1.4 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.6 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.3 (contributed by Team Rebellion)
o plugins: os-tor 1.7 allows to enable directory page (contributed by Fabian Franz)
o plugins: os-upnp compatibility fixes for version detection core changes
o src: fix out-of-bounds read vulnerability in libarchive
o src: update
18.7.319 Sep 2018 07:27
minor feature:
Here are the full patch notes:
o system: gateways widget show/hide feature (contributed by Team Rebellion)
o system: select correct IPv6 default route when underlying IPv6 interface differs
o system: extended meta-matching for special characters in ACL patterns
o system: show last diff by default in configuration history page
o system: refactor password logic in user manager for clarity
o system: link-local listen IPv6 requires reading underlying IPv6 interface
o interfaces: avoid boot mismatch on several virtual plugin devices
o interfaces: list widget show/hide feature (contributed by Team Rebellion)
o interfaces: stats widget show/hide feature (contributed by Team Rebellion)
o interfaces: stop wireless software before bringing down the interfaces
o interfaces: fix selection issue for DHCPv6 PD "none" value
o interfaces: make "64" the page default for DHCPv6 PD
o interfaces: allow IPv4 address override in 6RD
o interfaces: fix 18.7.2 gateway read regression in 6RD
o interfaces: give each 6RD tracker a different IPv6 address
o dhcp: add DHCP Dynamic DNS key algorithm selection (contributed by Ingo Theiss)
o dhcp: correctly load DHCPv6 settings in manual tracking (contributed by Team Rebellion)
o dhcp: do not show lease actions if interface cannot be found
o dhcp: unhide DHCPv6 service when not using automatic PD
o dnsmasq: annotate that "all" is the recommended interface binding option
o importer: list all available ZFS pools (contributed by Smart-Soft)
o importer: do not try to unload ZFS on ZFS boot, sanely rejected anyway ;)
o importer: ZFS pools are now addressed as e.g. "zfs/zroot"
o importer: always loop until exit or successful import
o intrusion detection: source, destination, pass support in user rules (contributed by Michael Muenz)
o ipsec: change hash checkboxes in phase 2 to selectpicker
o openssh: change interface bind logic to only bind to currently available addresses
o openvpn: align status columns for client and P2P case (contributed by Andy Binde
18.7.207 Sep 2018 07:11
minor feature:
Here are the full patch notes:
o system: select correct network interface in case of IPv6 gateway lookups
o system: tighten system wizard ACL and menu registration
o system: do not wrap first column of log viewer (contributed by Alexander Graf)
o firewall: return alias types to repair its outbound NAT rule edit
o firewall: hide NAT redirect target port when port is not applicable
o firewall: alias API is now live on the development version and will migrate your aliases to the new format
o interfaces: allow explicit MTU to reach the 6RD device
o interfaces: remove use of adv_dhcp6_prefix_interface_statement_sla_id (contributed by Team Rebellion)
o interfaces: fix for DHCPv6 not being restarted for tracked interfaces (contributed by Team Rebellion)
o interfaces: fix adding interfaces LAN bug of translated web GUI (contributed by Werner Fischer)
o interfaces: remove incorrect display of prefix ID in help text for tracking configuration
o interfaces: add groups to interface details output
o interfaces: remove unused code and other nonfunctional cleanups
o interfaces: use "x" in the list widget for no carrier
o interfaces: hide global IPv6 address in list widget if DHCPv6 is set to use only a prefix
o dhcp: remove unused inputs from static mapping page
o dhcp: treat EFI BC the same as EFI x86-64 (contributed by andi-makandra)
o ipsec: add automatic key exchange option
o openvpn: fix /32 host validation logic
o openvpn: clean up control sockets prior to startup
o openvpn: align user authentication to use common_name as username
o mvc: add iterateItems() method to base field type to simplify call flow
o mvc: fix configd asList helper (contributed by Fabian Franz)
o mvc: add configd XML attributes to template parser
o ui: allow version query to match on main.css probing
o ui: footer cleanups and static page repairs where boxing was not correct
o ui: no minified version for tokenize2
o ui: fix table headers in dialogs (contributed by Fabian Franz)
o plugins: os-bind 1.1 add
18.7.122 Aug 2018 08:28
minor feature:
Here are the full patch notes:
o system: hide web server info from server tag
o system: fix group privileges edit menu hint
o system: add text area field to backup framework (contributed by Joao Vilaca)
o interfaces: use NIC preference for VLAN hardware filtering in default config
o interfaces: router advertisement and DHCPv6 configure fix (contributed by Team Rebellion)
o interfaces: fix PD when using DHCPv6 override on tracked interface
o firewall: toggle filter and NAT rules using checkboxes
o firewall: add state-policy if-bound option
o firewall: added logging for tracing internal rule generator
o firewall: fix ordering issue in port validation and disable
o firewall: fix disabled reject action icon display (contributed by framer99)
o captive portal: fix usage of vouchers and group with spaces in their names
o captive portal: hide web server info from server tag
o dnsmasq: fix listening behaviour on empty but set interface selection
o firmware: remove the 18.1 update fingerprint and pre-18.7 config file fallback
o firmware: do not show development version changelogs in releases
o intrusion detection: reworked rule selection
o ipsec: use selectpicker in mobile page
o ipsec: add Brainpool EC groups
o openvpn: do not remove client specific override files on disconnect
o openvpn: do not create v6 gateway if disabled
o shell: omit ":" from SSL fingerprint display
o unbound: fix menu access for overrides
o wizard: fix root password input
o backend: call shutdown before close in background daemon
o mvc: cause data from callback_ok to be passed through (contributed by Nicholas de Jong)
o mvc: minor glich in getFormData() we should ignore empty id fields
o mvc: do not offer internal interfaces in generic interface selector
o mvc: handle validations better by removing duplicate messages
o mvc: fix two glitches in new tokenize field handling
o mvc: add numeric field type
o rc: update php.ini include paths (contributed by Joao Vilaca)
o ui: fix spacing of containers in sta
18.701 Aug 2018 07:33
major feature:
These are the most prominent changes since version 18.1:
o improved WAN DHCPv6 and SLAAC connectivity and tracking
o functional IPv6 Rapid Deployment (6RD) support
o improved default route handling and gateway switching
o OpenVPN default setup improvements for IPv6 and RADIUS attribute support
o Dpinger gateway monitoring integration
o password policies for local authentication and coupled TOTP
o Monit core integration to eventually replace the legacy notifications
o OpenSSH access via group and shell selection instead of privilege
o pluggable backup framework with new Nextcloud option
o sytem tunables are now also used as loader tunables
o unrestricted VLAN usage for e.g. Xen
o QinQ interface removal
o firmware GUI speedup, improved error parsing and console reboot hint
o ZFS on root boot support (installer support is pending, but opnsense-bootstrap works)
o ZFS and MSDOS config import support
o ISC DHCP version moves from 4.3 to 4.4
o RRDtool version moves from 1.2 to 1.7
o rework rc.syshook facility to use drop-in directories instead of suffixes
o backports of FreeBSD 11.2 Intel NIC drivers
o stand-alone frontend UI development tools
o language updates for Czech, French, German, Portuguese (Brazil)
o UI header security and SSL cipher hardening
o extensive UI cleanups and menu consolidation
o new and rewritten plugins: os-cache, os-lcdproc-sdeclcd, os-net-snmp,
os-nut, os-openconnect, os-relayd 2.0, os-shadowsocks, os-theme-cicada,
os-theme-rebellion, os-theme-tukan, os-wol 2.0
18.1.1326 Jul 2018 14:40
minor feature:
Here are the full patch notes:
o system: restart syslog when interface bind addresses may have changed
o system: remove unused action_disable setting in gateway monitoring
o firmware: new mirror Dataroute (Dusseldorf, DE)
o ntp: typo in SiRF selection
o openvpn: translate validated field names
o rc: unset rcvar before evaluation (contributed by Nicholas de Jong)
o installer: give basic tip that GUI IP can be set in console after install (contributed by stilez)
o plugins: os-theme-cicada 1.2 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.2 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.1 (contributed by Team Rebellion)
o ports: suricata 4.0.5 1
18.1.1219 Jul 2018 05:50
minor feature:
Here is the full list of changes:
o system: improve local account expire cron job to also flush passwords and SSH keys
o system: show fingerprint in certificate details (contributed by Robin Schneider)
o system: fix NextCloud file name format (contributed by Fabian Franz)
o system: allow remote backup via cron command
o interfaces: allow /0 to /32 in 6rd and align prefix length calculation with effective prefix used
o firewall: do not trigger rules scheduling if scheduled rule is disabled
o firewall: allow to select external aliases
o firewall: ignore namelookup when no nameservers are configured
o dashboard: remove tooltips from CPU widgets (contributed by Team Rebellion)
o dashboard: add date to large CPU widget data
o firmware: add Aalborg University mirror
o intrusion detection: add missing classification category
o ipsec: add mutual RSA and EAP-MSCHAPv2 support
o wizard: make clear that "admin password" means "root password"
o ui: when JQuery Bootgrid rowselect is enabled the click event is triggered twice
o mvc: switch from the default _GET '_url' to _SERVER 'REQUEST_URI' and let Phalcon handle the routing
o mvc: dynamic urls regardless if you have a trailing slash or not (contributed by Max Orelus)
o mvc: multiselect may allow empty option, no need to give blank item too
o mvc: add support for application specific field types
o ui: top level menu item link pivots and security improvements (contributed by Max Orelus)
o plugins: os-net-snmp 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.1 (contributed by Michael Muenz)
o plugins: os-web-proxy-sso UI fixes (contributed by Smart-Soft)
18.1.1103 Jul 2018 08:29
minor feature:
Here are the full patch notes:
o system: enforce full password policy check for local passwords including TOTP
o system: add RFC 7919 DH parameter files for upcoming 18.7 feature
o system: add 3072-bit RSA key length options to certificates (contributed by Justin Coffman)
o system: move auto-cron jobs to plugin files
o interfaces: refactor reload handling around interfaces_configure()
o interfaces: allow private addresses in 6RD
o interfaces: check existence of "status" (contributed by Tian Yunhao)
o reporting: add NetFlow/Insight database force repair function
o dhcp: update from ISC version 4.3 to 4.4
o importer: allow ZFS import for upcoming 18.7 ZFS installer feature
o importer: allow import from simple MSDOS USB drives
o intrusion detection: add app detect rules (contributed by Michael Muenz)
o rc: suppress message of service not enabled on NetFlow backup
o rc: use exec in /etc/rc and /etc/rc.shutdown hooks
o rc: rework rc.syshook facility to be driven by directories and not suffixes
o unbound: remove defunct unbound_statistics() function
o plugins: os-postfix 1.4 advanced force recipient check (contributed by Michael Muenz)
o plugins: service start corrections for accompanying rc.syshook changes
o src: incorrect TLB shootdown for Xen-based guests 1
o src: lazy FPU state restore information disclosure 2
o src: enable usage of locate(1) utility
o ports: isc-dhcp 4.4.1 3
o ports: php 7.1.19 4
o ports: unbound 1.7.3 5
18.1.1026 Jun 2018 06:21
minor feature:
Here are the full patch notes:
o system: provide default for user language
o system: do not allow spaces in group names
o system: dpinger gateway monitor option (contributed by Team Rebellion)
o system: prepare for upcoming DH parameter regeneration feature
o system: Nextcloud backup support (contributed by Fabian Franz)
o system: userid 0 has trouble with s in redirects, use d instead
o system: QR code quiet zone support 1
o system: add selectpicker style where previously missing
o firmware: allow both origin.conf and OPNsense.conf to be used for repository setup
o firmware: exclude password database files from base update as it breaks sudo
o interfaces: clean up reload structure for single interfaces
o interfaces: remove unused interface reload script
o interfaces: simplify semantics of link_interface_to_track6()
o interfaces: assorted cleanups in the code
o firewall: add enable flag to shaper rules
o firewall: improve parsing speed of firewall log
o firewall: fix wrong alias reference in outbound rules
o firewall: generate ipfw comments for debugging (contributed by Robin Schneider)
o firewall: move color settings from schedules to theme (contributed by Fabian Franz)
o intrusion detection: correct typo in CSS
o openvpn: raise default DH parameter to 2048 bit
o console: pass output of stop scripts to user during halt/reboot
o console: clarify that installer is for installing when SSH is off also
o rc: change NetFlow backup to only stop/start when needed
o rc: backup and restore via XML files again
o rc: slightly refactor halt/reboot/shutdown
o rc: break out config stop script
o rc: simplify configctl plumbing
o ui: add country flags for upcoming changes in GeoIP handling
o ui: trigger onChange event to support custom hooks in form post
o ui: change multi-select default from tokenizer to selectpicker
o ui: add support for custom separators in select items
o plugins: test for template scripts before executing them
o plugins: os-acme-client fixes password field
18.1.901 Jun 2018 14:29
minor feature:
Here is the full list of changes:
o firewall: advanced option to reset states on IPv4 change
o interfaces: rename wancfg to lancfg in tracking code
o interfaces: further simplifications for dhclient usage
o reporting: add logging to database repair stage
o reporting: Insight click event issue
o system: use uppercase gateway names for compatibility
o system: gateway alert script always returns true
o system: align static ACL check with MVC variant
o system: pluggable backup support
o system: configurable user landing pages
o system: safety belt for password policy check
o wizard: add missing element IDs to fix scripting issues
o firmware: parse and return to be removed packages for update summary
o firmware: release type change properly updates the repository and summary
o firmware: extended settings can now be registered via XML files
o firmware: return repository errors in greater detail (4 new error types)
o firmware: make returned backend JSON a bit more human-readable
o firmware: fix leak of base/kernel update info on package manager updates
o firmware: refactor package manager update summary parsing for speed
o firmware: add and use API for major upgrades
o dhcp: fix unwanted name-server write in v6
o dhcp: ldap-server does not exist in v6
o intrusion detection: update classification.config
o intrusion detection: optional fast log to syslog
o ipsec: set ignore_acquire_ts to allow ASA compatibility
o ipsec: add ike_name to syslog output
o openvpn: improve validation between TCP, TCP4, TCP6, UDP, UDP4 and UDP6
o console: manual pages for opnsense-importer and opnsense-installer
o console: let opnsense-installer set up an early runtime environment
o console: show firmware reboot hint prior to update when applicable
o console: longer timeout for opnsense-importer invoke on first boot
o console: proper return values for opnsense-importer in edge cases
o mvc: support multiple directories for detached UI development
o mvc: add AddressFamily option to NetworkField
o
18.1.822 May 2018 07:24
minor feature:
Here are the full patch notes:
o system: improve VLAN console assignment handling
o system: move backup crypto code to the only page using it
o system: improve validation for web GUI related settings
o system: split off monitor reload for upcoming dpinger integration
o system: default route handler skips an already active default route
o system: default route handler purges hint files only when switching to a newer route
o system: default gateway switching uses the standard default route handler
o system: properly add LDAP picker to ACL
o system: properly unset password expired message after password change
o interfaces: clear up use IPv4 connectivity and fix several typos
o interfaces: parse and report tunnel data
o interfaces: move dhclient-script to proper location
o interfaces: allow SLAAC to latch on to IPv4 link
o reporting: add destination address in Insight detail search
o dhcp: fix labels of services to align with menu
o dhcp: domain-search-list usage was removed in 2012
o ipsec: rewrite resolve_retry() for its only use case
o ipsec: improve RADIUS secret escaping (contributed by Rafael Cano)
o ipsec: fix missing disable of DH group setting
o router advertisements: correctly merge DNS server arrays
o router advertisements: fix DNSSL settings
o router advertisements: fix duplicated subnet statements
o openssh: also use static interface IP addresses to listen on explicitly
o unbound: allow wildcard host entry (contributed by Eugen Mayer)
o webgui: also use static interface IP addresses to listen on explicitly
o backend: improve escaping of passed parameters
o ui: correct heigh of the login title bar
o ui: unify the label printing of interfaces
o ui: refactor script match for help messages
o rc: ZFS boot awareness
o plugins: os-cache 1.0 is an optional web server cache for the GUI/API
o plugins: os-debug 1.3 now holds its own PHP settings
o plugins: os-nut 1.0 (contributed by Michael Muenz)
o plugins: os-snmp 1.3 improves handling of interface binding
o plugi
18.1.704 May 2018 05:48
minor feature:
Here are the full patch notes:
o system: validate pfsync peer as IPv4-only
o system: flip order of arguments for system_routing_configure()
o system: convert cron to mutable model controller
o system: convert routing to mutable model controller
o system: log table header cleanup
o system: more aggressive factory reset and shut down after completion
o system: remove duplicate addresses before binding web GUI and OpenSSH
o system: fix Framed-Route parsing for RADIUS authentication
o system: properly translate save message on user language change
o interfaces: PPPoE link down script improvements
o interfaces: emit prefix-interface for trackers in advanced DHCPv6 configurations
o interfaces: DHCPv6 configuration creation breakout (contributed by Team Rebellion)
o interfaces: SIGHUP reload for dhcp6c (contributed by Team Rebellion)
o interfaces: wait for dhcp6c to be stopped by pending apply
o interfaces: only reconfigure VLAN interface after edit when necessary
o interfaces: create IPv4 and IPv6 tunnel gateways for GIF/GRE when the setup allows it
o interfaces: remove unused flush argument from various functions
o interfaces: fixed creation of GIF/GRE tunnel with an outer IPv6 remote address (contributed by Christoph Engelbert)
o interfaces: fixed router advertisement setup of former static but now tracking interface (contributed by Christoph Engelbert)
o interfaces: remove obsolete address requirement for CARP VIPs
o interfaces: back out get_dyndns_ip() IPv6 online detection and properly propagate a lookup error
o interfaces: no more spurious redirection for dhclient invoke
o firewall: remove a side effect from filter_delete_states_for_down_gateways()
o firewall: adjust maximum table entries for error-free bogonsv6 usage
o firewall: add buckets option to traffic shaper
o firewall: update help text for port ranges (contributed by Michael Muenz)
o power: power off modal to indicate that the GUI is no longer responsive
o captive portal: add traffic data and IP address
18.1.610 Apr 2018 07:14
minor feature:
Here are the full patch notes:
o system: reverse reload order for gateway switching on OpenVPN
o system: implement password policies for local accounts
o system: separate web GUI and configd log files
o system: add syslog and login service visibility
o system: show root as disabled in user manager if disabled
o interfaces: no longer restrict VLAN driver capability
o firewall: switch back to old NAT auto-outbound behaviour
o firewall: reload schedules 1 minute later
o firewall: filter descriptions option does no longer exist
o firewall: updated anti-lockout link (contributed by Michael Muenz)
o firewall: fix help text in shaper masks (contributed by Michael Muenz)
o firewall: add delay option to pipe in shaper (contributed by Michael Muenz)
o reporting: add insight aggregator to service list
o dashboard: large CPU usage widget (contributed by Team Rebellion)
o dhcp: fix display of DUID in IPv6 leases
o firmware: let opnsense-patch apply chmod even in partially failed patches
o firmware: let opnsense-code fetch all remotes as well as prune them
o intrusion detection: provide custom.yaml for user edits
o web proxy: fix pid file pointer for service status probe
o ui: help data-for attribute (contributed by NOYB)
o ui: reversed zebra redraw on static page mobile forms
o ui: cleanup for unused classes in static pages
o mvc: add constraint type for dependent fields
o plugins: merge rc.plugins_configure code into pluginctl
o plugins: os-c-icap 1.5_1 service controller fix (contributed by Fabian Franz)
o plugins: os-frr 1.3 adds BGP for IPv6 (contributed by Michael Muenz)
o plugins: os-lcdproc-sdeclcd 1.0 release adds LCD usage to Lanner/Watchguard Firebox
o plugins: os-monit 1.7 fixes compatibility with UI rework
o plugins: os-rspamd 1.2 allows to specify bad file extensions (contributed by Fabian Franz and Michael Muenz)
o plugins: os-shadowsocks 1.0 release (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.0 release (contributed by Team Rebellion)
o plugins:
18.1.522 Mar 2018 07:05
minor feature:
Here are the full patch notes:
o system: optional prefix Google Drive backups with host and domain name
o system: also render tunables in loader.conf to obsolete loader.conf.local editing
o interfaces: allow /127, /128 and /32 static IP address configurations everywhere
o interfaces: improve logging and assorted cleanups (contributed by Team Rebellion)
o interfaces: ignore dynamic linkup events for unassigned interfaces
o interfaces: hide previously assigned interfaces from bridges
o interfaces: allow all IPv6 prefixes from 48 to 64 for DHCPv6 mode
o firewall: add VIP gateway option for PPPoE interfaces
o firewall: add update interval option to log widget (contributed by NOYB)
o firewall: respect mask in traffic shaper queue config (contributed by Michael Muenz)
o firmware: fix opnsense-code for src.git and ABI probing
o firmware: fix opnsense-patch file permission apply for plugins
o intrusion detection: support request headers in ruleset metadata
o openvpn: switch status to version 3 to avoid wrong parsing of commas
o openvpn: parse all states to retrieve all relevant connection status info
o captive portal: exclude "I" from simplified voucher character set for clarity
o plugins: os-lldpd 1.1 adds interface selection (contributed by Michael Muenz)
o plugins: os-monit 1.6 fixes file path validation (contributed by Frank Brendel)
o plugins: os-postfix 1.1 adds smart host and SMTP authentication (contributed by Michael Muenz)
o plugins: os-tinc 1.3 corrects host port usage (contributed by DasTestament)
o plugins: os-tor 1.6 adds IPv6 and exit settings (contributed by Gijs Peskens)
o ui: update tokenizer to 2.6, visual tweaks and blur-add
o ui: buttons for services control in MVC (contributed by Smart-Soft)
o src: reinitialize IP header length after checksum calculation 1
o src: fix IPsec validation and use-after-free 2
o src: update timezone database information 3
o src: update file(1) to new version with security update 4
o src: add mitigations for two classes
18.1.412 Mar 2018 07:20
minor feature:
Here are the full patch notes:
o system: improved default route handling
o system: improved gateway switching
o system: cleanse username on LDAP import
o system: increase maximum size of firmware reports
o firewall: shaper backend refactor
o interfaces: improved reconfigure phase
o reporting: fix sporadic "non-numeric value encountered" error
o captive portal: add voucher expiry (contributed by Stephanowicz)
o intrusion detection: use latest ET Open rules for Suricata version 4
o intrusion detection: proper syslog with drops, requires log file reset
o intrusion detection: backend refactor
o plugins: os-frr 1.2 adds OSPF interface type (contributed by Marius Halden)
o plugins: os-haproxy 2.6 1 (contributed by Frank Wall)
o ports: isc-dhcp 4.3.6P1 2
o ports: krb5 1.16 3
o ports: pkg 1.10.5
o ports: strongswan 5.6.2 4
18.1.305 Mar 2018 12:00
minor feature:
Here are the full patch notes:
o system: account for variable headers in top output
o system: move gateway status into main pages
o system: slightly reorder routing configuration calls
o system: optimize reading of SSL crypto library version string (contributed by Alexander Shursha)
o system: rework LDAP authentication container selection
o interfaces: avoid interaction of overview details with menu items
o interfaces: allow "reject leases from" option in DHCP advanced settings
o firewall: set alias cron update interval to 1 minute
o firewall: align alias cron update with its background call
o firewall: URL IP alias type missing in selections
o firewall: fix defunct alias target in outbound NAT
o firewall: ignore alias case while searching
o firewall: move rule category filter to the top of the page
o firewall: show IPv6 ports in live log and fix details for TCP
o firewall: move general settings to AliasParser and fix Alias constructor to receive them
o firewall: if the name of the alias equals its content try to resolve
o dhcp: advertisement problem on PPPoE link without public IPv6 address (contributed by Team Rebellion)
o dhcp: UEFI 64 network boot using wrong arch type
o dhcp: validate maximum interface MTU
o dhcp: add validation for DUID fields
o ipsec: auto-route disable setting (contributed by Namezero)
o network time: inline NMEA checksum calculator (contributed by Fabian Franz)
o network time: fix stratum level write
o unbound: optimize outgoing-range differently
o unbound: local zone setting (contributed by NOYB)
o ui: fix cropped dropdown regression
o mvc: translate option values (contributed by Alexander Shursha)
o mvc: fix access to undefined property translator
o mvc: fix typo in getBase()
o mvc: improve phpdoc
o rc: protect console menu again, but keep shell invoke for rc.d subsystem
o rc: fix some typos (contributed by John Eismeier)
o rc: proper includes for plugin post-install hook
o rc: recover all known shells
o plugins: os-clamav 1.5 fixes log
18.1.208 Feb 2018 18:20
minor feature:
Here are the full patch notes:
o system: avoid default route from disappearing when no manual gateways are set
o firewall: fix outbound NAT for OpenVPN interfaces
o interfaces: multiple overview page improvements (contributed by NOYB)
o firmware: revoke 17.7 update fingerprint
o console: check for root invoke in importer, installer and console menu
o intrusion detection: always show schedule tab
o intrusion detection: log first drop of a flow
o intrusion detection: add a log file viewer
o unbound: add num-queries-per-thread option values for 4096 and 8192
o ui: remove chrome=1 from X-UA-Compatible meta element (contributed by NOYB)
o ui: HTML compliance for attribute "type" on script element (contributed by NOYB)
o ui: HTML compliance for "navigation" "role" on nav element (contributed by NOYB)
o ui: checkbox and radio button label children tweaks (contributed by NOYB)
o ui: break help text on small screens
o ui use pluggable locations for theme files
o ui: remove table-responsive padding on small screens
o ui: user-scalable viewport (contributed by NOYB)
o mvc: CRUD functions for mutable model controller (contributed by Fabian Franz)
o plugins: os-frr 1.0 with CRUD refactor (contributed by Fabian Franz)
o plugins: os-tor 1.5 with CRUD refactor (contributed by Fabian Franz)
o ports: phalcon 3.3.1
o ports: php 7.1.14
18.1.102 Feb 2018 18:19
minor feature:
Here are the full patch notes:
o firewall: ignore target port alias in port forwards when it equals the destination
o firewall: align outbound NAT address output to edit page
o firewall: use first region for country in GeoIP category instead of last one
o system: improve layout of gateway status labels (contributed by Fabian Franz)
o system: improve order of group / user setup as "wheel" was not added correctly on save
o dashboard: touch device improvements in widgets (contributed by NOYB)
o opendns: always refresh the setting on save
o openvpn: open links in a new tab (contributed by Fabian Franz)
o ui: system-wide HTML compliance improvements (contributed by NOYB)
o plugins: arp-scan 1.1 improves interface search (contributed by Giuseppe De Marco)
o plugins: os-dyndns 1.6 fixes Route 53 IPv6 usage (contributed by theq86)
o plugins: os-freebsd 1.5.2 clarifies certificate validation (contributed by Michael Muenz)
o plugins: os-openconnect 1.0 (contributed by Michael Muenz)
o plugins: os-rfc2136 1.2 improves widget load
o plugins: os-telegraf 1.3.1 adds ping hosts and graphite validation fix (contributed by Michael Muenz)
o plugins: os-rspamd 1.1 fixes typos (contributed by Fabian Franz)
o plugins: os-zerotier 1.3.1 makes database persist on /var MFS (contributed by David Harrigan)
o ports: curl 7.58.0 1
o ports: py27-cryptography 2.1.4
18.102 Feb 2018 18:18
minor feature:
These are the most prominent changes since version 17.7:
o FreeBSD 11.1, PHP 7.1 and jQuery 3 migration
o Realtek vendor NIC driver version 1.94
o Portable NAT before IPsec support
o Local group restriction feature in OpenVPN and IPsec
o OpenVPN multi-remote support for clients
o Strict interface binding for SSH and web GUI
o Improved MVC tabs and general page layout
o Shared forwarding now works on IPv6, in conjunction with "try-forwarding" and improved reply-to multi-WAN behaviour
o Easy-to-use update cache support for Linux and Windows in web proxy
o Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)
o Revamped HAProxy plugin with introduction pages
o Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status
o Alias backend rewrite for future extensibility
o Plugin-capable firewall NAT rules
o Migration of system routes UI and backend to MVC (also available via API)
o Reverse DNS support for insight reporting (also available via API)
o Fully rewritten firewall live log in MVC (also available via API)
o New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, node_exporter
17.7.1219 Jan 2018 06:18
minor feature:
Here are the full patch notes:
o system: use correct crypto library to gather GUI SSL ciphers
o system: do not wrap action buttons in tunables page
o system: fix CA serial number decrement on save
o firmware: remove the discontinued hotfix backend support
o firmware: allow dot in package name during package action
o firmware: remove defunct mirrors
o interfaces: make level of detail stick in packet capture
o interfaces: auto-lock problematic interfaces upon assignment
o firewall: make NAT reflection enable less ambiguous
o firewall: fix NAT formatting in states dump page
o network time: fix for valid negative offset in health graph
o network time: OPNsense NTP pool is now available
o network time: fix parsing of overly overlong lines
o web proxy: use PID file instead of daemon name for status probe
o wizard: add unbound to wizard and uncheck DNSSEC by default
o ui: HTML compliance fixes button in link usage (contributed by NOYB)
o mvc: added mutable service controller
o mvc: added sub-tab layout partials
o mvc: do not render empty toggle header
o plugins: acme-client 1.13 1 (contributed by Frank Wall)
o plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)
o plugins: helloworld 1.4
o plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)
o plugins: tor 1.4 adds contact info (contributed by Fabian Franz)
o plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)
o ports: libressl 2.6.4 2
o ports: php 7.1.13 3
17.7.1122 Dec 2017 10:12
minor feature:
Here are the full patch notes:
o system: numerical sort for "Use" and "MTU" columns in route diagnostics
o system: gateway group edit tier selection issue with jQuery3
o system: minor cleanups in the certificates backend
o firewall: move anti-lockout rule to advanced settings
o interfaces: minor cleanups in the backend
o reporting: rework configuration handling on the settings page
o dnsmasq: minor cleanups in the backend
o firmware: strip the architecture from the base / kernel set version display
o firmware: backend preparations for full base / kernel set lock and reinstall
o firmware: increase crash report file limit to 2 MB
o ipsec: minor cleanups in the backend
o unbound: register DHCP domain name for interface if found
o network time: show full remote address and fix page boxing on status page
o network time: add advanced custom options
o network time: fix leap second save
o network time: minor cleanups in the backend
o wizard: properly redirect on input errors in system wizard
o mvc: ignore client-side anchors in breadcrumb generation
o ui: do not use a CSRF input element ID
o plugins: os-freeradius 1.4.1 fixes a warning in clients (contributed by Michael Muenz)
o ports: libxml 2.4.7 1
o ports: py-ipaddress 1.0.19
17.7.1018 Dec 2017 10:56
minor feature:
Here are the full patch notes:
o system: allow user-based language setting through Lobby: Password
o system: allow strict interface binding for OpenSSH
o system: prepare for MVC-based routing pages
o firmware: prepare for production / development release type selection
o firewall: fix a PHP warning when no user rules are installed
o firewall: add refresh button to table diagnostics page
o captive portal: fix chroot regression since lighttpd web server update in 17.7.9
o interfaces: provide a link-local IPv6 when asking for addresses
o intrusion detection: sync port-groups to default template
o ipsec: upgrade vici lib to match strongSwan package
o network time: fix a PHP warning during NMEA deselect
o mvc: do not throw disabled errors in handler
o plugins: os-dyndns 1.4_1 fixes issue with Namecheap error parsing
o plugins: os-freeradius 1.4.0 adds log viewer and fixes users write (contributed by Michael Muenz)
o plugins: os-quagga 1.4.3 adds OSPF firewall rule and spinners for save (contributed by Fabian Franz)
o src: OpenSSL multiple vulnerabilities 1 2
o ports: hyperscan 4.6.0 3
o ports: openssl 1.0.2n 4
o ports: suricata 4.0.3 5
Two plugin hotfixes have been additionally issued:
o plugins: os-quagga 1.4.3_1 fixes service startup regression
o plugins: os-rfc2136 1.1_1 fixes edit button in IE 11
17.7.907 Dec 2017 16:29
minor feature:
Here are the full patch notes:
o system: fix XSS with crafted certificates in certificate manager 1
o system: removed duplicated firmware privileges
o system: fix resolving routes in diagnostics page
o system: regenerated DH parameters
o dhcp: support stateless DHCPv6
o firmware: kernel and base set visibility and better API session handling
o intrusion detection: improve download and install speed of et-open rules
o intrusion detection: add TLS and HTTP logging in eve and alert log viewer
o openvpn: allow remote network in peer to peer modes
o web proxy: better service and API session handling
o router advertisements: advertise on VIPs belonging to the same interface
o configd: allow template overrides via optional target directory
o mvc: prepare for use-based language setting (contributed by Alexander Shursha)
o mvc: prepare for auto-generated page titles
o mvc: tighten against frame-based attacks
o mvc: correctly hide advanced option headers in forms (contributed by Evgeny Bevz)
o ui: fix for deactivated storage in sticky "help all" toggle (contributed by Fabian Franz)
o ui: make "advanced mode" sticky too
o plugins: os-acme-client 1.12 2 (contributed by Frank Wall)
o plugins: os-arp-scan (contributed by Giuseppe De Marco)
o plugins: os-clamav 1.3 (contributed by Alexander Shursha)
o plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed by Kuo-Cheng Yeu)
o plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)
o plugins: os-haproxy 2.0 3 (contributed by Frank Wall)
o plugins: os-relayd 1.2 fixes "check send" directive
o plugins: os-tor 1.3 (contributed by Fabian Franz)
o plugins: os-zabbix-agent 1.2 fixes service status indicator
o plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)
o ports: ca_root_nss 3.34.1
o ports: curl 7.57.0 4
o ports: lighttpd 1.4.48 5
o ports: php 7.1.12 6
o ports: pkg 1.10.3 7
o ports: py-Jinja2 2.10 8
o ports: syslogd 11.1
Homepage
Download