Recent Releases
18.1.901 Jun 2018 14:29
minor feature:
Here is the full list of changes:
o firewall: advanced option to reset states on IPv4 change
o interfaces: rename wancfg to lancfg in tracking code
o interfaces: further simplifications for dhclient usage
o reporting: add logging to database repair stage
o reporting: Insight click event issue
o system: use uppercase gateway names for compatibility
o system: gateway alert script always returns true
o system: align static ACL check with MVC variant
o system: pluggable backup support
o system: configurable user landing pages
o system: safety belt for password policy check
o wizard: add missing element IDs to fix scripting issues
o firmware: parse and return to be removed packages for update summary
o firmware: release type change properly updates the repository and summary
o firmware: extended settings can now be registered via XML files
o firmware: return repository errors in greater detail (4 new error types)
o firmware: make returned backend JSON a bit more human-readable
o firmware: fix leak of base/kernel update info on package manager updates
o firmware: refactor package manager update summary parsing for speed
o firmware: add and use API for major upgrades
o dhcp: fix unwanted name-server write in v6
o dhcp: ldap-server does not exist in v6
o intrusion detection: update classification.config
o intrusion detection: optional fast log to syslog
o ipsec: set ignore_acquire_ts to allow ASA compatibility
o ipsec: add ike_name to syslog output
o openvpn: improve validation between TCP, TCP4, TCP6, UDP, UDP4 and UDP6
o console: manual pages for opnsense-importer and opnsense-installer
o console: let opnsense-installer set up an early runtime environment
o console: show firmware reboot hint prior to update when applicable
o console: longer timeout for opnsense-importer invoke on first boot
o console: proper return values for opnsense-importer in edge cases
o mvc: support multiple directories for detached UI development
o mvc: add AddressFamily option to NetworkField
o
18.1.822 May 2018 07:24
minor feature:
Here are the full patch notes:
o system: improve VLAN console assignment handling
o system: move backup crypto code to the only page using it
o system: improve validation for web GUI related settings
o system: split off monitor reload for upcoming dpinger integration
o system: default route handler skips an already active default route
o system: default route handler purges hint files only when switching to a newer route
o system: default gateway switching uses the standard default route handler
o system: properly add LDAP picker to ACL
o system: properly unset password expired message after password change
o interfaces: clear up use IPv4 connectivity and fix several typos
o interfaces: parse and report tunnel data
o interfaces: move dhclient-script to proper location
o interfaces: allow SLAAC to latch on to IPv4 link
o reporting: add destination address in Insight detail search
o dhcp: fix labels of services to align with menu
o dhcp: domain-search-list usage was removed in 2012
o ipsec: rewrite resolve_retry() for its only use case
o ipsec: improve RADIUS secret escaping (contributed by Rafael Cano)
o ipsec: fix missing disable of DH group setting
o router advertisements: correctly merge DNS server arrays
o router advertisements: fix DNSSL settings
o router advertisements: fix duplicated subnet statements
o openssh: also use static interface IP addresses to listen on explicitly
o unbound: allow wildcard host entry (contributed by Eugen Mayer)
o webgui: also use static interface IP addresses to listen on explicitly
o backend: improve escaping of passed parameters
o ui: correct heigh of the login title bar
o ui: unify the label printing of interfaces
o ui: refactor script match for help messages
o rc: ZFS boot awareness
o plugins: os-cache 1.0 is an optional web server cache for the GUI/API
o plugins: os-debug 1.3 now holds its own PHP settings
o plugins: os-nut 1.0 (contributed by Michael Muenz)
o plugins: os-snmp 1.3 improves handling of interface binding
o plugi
18.1.704 May 2018 05:48
minor feature:
Here are the full patch notes:
o system: validate pfsync peer as IPv4-only
o system: flip order of arguments for system_routing_configure()
o system: convert cron to mutable model controller
o system: convert routing to mutable model controller
o system: log table header cleanup
o system: more aggressive factory reset and shut down after completion
o system: remove duplicate addresses before binding web GUI and OpenSSH
o system: fix Framed-Route parsing for RADIUS authentication
o system: properly translate save message on user language change
o interfaces: PPPoE link down script improvements
o interfaces: emit prefix-interface for trackers in advanced DHCPv6 configurations
o interfaces: DHCPv6 configuration creation breakout (contributed by Team Rebellion)
o interfaces: SIGHUP reload for dhcp6c (contributed by Team Rebellion)
o interfaces: wait for dhcp6c to be stopped by pending apply
o interfaces: only reconfigure VLAN interface after edit when necessary
o interfaces: create IPv4 and IPv6 tunnel gateways for GIF/GRE when the setup allows it
o interfaces: remove unused flush argument from various functions
o interfaces: fixed creation of GIF/GRE tunnel with an outer IPv6 remote address (contributed by Christoph Engelbert)
o interfaces: fixed router advertisement setup of former static but now tracking interface (contributed by Christoph Engelbert)
o interfaces: remove obsolete address requirement for CARP VIPs
o interfaces: back out get_dyndns_ip() IPv6 online detection and properly propagate a lookup error
o interfaces: no more spurious redirection for dhclient invoke
o firewall: remove a side effect from filter_delete_states_for_down_gateways()
o firewall: adjust maximum table entries for error-free bogonsv6 usage
o firewall: add buckets option to traffic shaper
o firewall: update help text for port ranges (contributed by Michael Muenz)
o power: power off modal to indicate that the GUI is no longer responsive
o captive portal: add traffic data and IP address
18.1.610 Apr 2018 07:14
minor feature:
Here are the full patch notes:
o system: reverse reload order for gateway switching on OpenVPN
o system: implement password policies for local accounts
o system: separate web GUI and configd log files
o system: add syslog and login service visibility
o system: show root as disabled in user manager if disabled
o interfaces: no longer restrict VLAN driver capability
o firewall: switch back to old NAT auto-outbound behaviour
o firewall: reload schedules 1 minute later
o firewall: filter descriptions option does no longer exist
o firewall: updated anti-lockout link (contributed by Michael Muenz)
o firewall: fix help text in shaper masks (contributed by Michael Muenz)
o firewall: add delay option to pipe in shaper (contributed by Michael Muenz)
o reporting: add insight aggregator to service list
o dashboard: large CPU usage widget (contributed by Team Rebellion)
o dhcp: fix display of DUID in IPv6 leases
o firmware: let opnsense-patch apply chmod even in partially failed patches
o firmware: let opnsense-code fetch all remotes as well as prune them
o intrusion detection: provide custom.yaml for user edits
o web proxy: fix pid file pointer for service status probe
o ui: help data-for attribute (contributed by NOYB)
o ui: reversed zebra redraw on static page mobile forms
o ui: cleanup for unused classes in static pages
o mvc: add constraint type for dependent fields
o plugins: merge rc.plugins_configure code into pluginctl
o plugins: os-c-icap 1.5_1 service controller fix (contributed by Fabian Franz)
o plugins: os-frr 1.3 adds BGP for IPv6 (contributed by Michael Muenz)
o plugins: os-lcdproc-sdeclcd 1.0 release adds LCD usage to Lanner/Watchguard Firebox
o plugins: os-monit 1.7 fixes compatibility with UI rework
o plugins: os-rspamd 1.2 allows to specify bad file extensions (contributed by Fabian Franz and Michael Muenz)
o plugins: os-shadowsocks 1.0 release (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.0 release (contributed by Team Rebellion)
o plugins:
18.1.522 Mar 2018 07:05
minor feature:
Here are the full patch notes:
o system: optional prefix Google Drive backups with host and domain name
o system: also render tunables in loader.conf to obsolete loader.conf.local editing
o interfaces: allow /127, /128 and /32 static IP address configurations everywhere
o interfaces: improve logging and assorted cleanups (contributed by Team Rebellion)
o interfaces: ignore dynamic linkup events for unassigned interfaces
o interfaces: hide previously assigned interfaces from bridges
o interfaces: allow all IPv6 prefixes from 48 to 64 for DHCPv6 mode
o firewall: add VIP gateway option for PPPoE interfaces
o firewall: add update interval option to log widget (contributed by NOYB)
o firewall: respect mask in traffic shaper queue config (contributed by Michael Muenz)
o firmware: fix opnsense-code for src.git and ABI probing
o firmware: fix opnsense-patch file permission apply for plugins
o intrusion detection: support request headers in ruleset metadata
o openvpn: switch status to version 3 to avoid wrong parsing of commas
o openvpn: parse all states to retrieve all relevant connection status info
o captive portal: exclude "I" from simplified voucher character set for clarity
o plugins: os-lldpd 1.1 adds interface selection (contributed by Michael Muenz)
o plugins: os-monit 1.6 fixes file path validation (contributed by Frank Brendel)
o plugins: os-postfix 1.1 adds smart host and SMTP authentication (contributed by Michael Muenz)
o plugins: os-tinc 1.3 corrects host port usage (contributed by DasTestament)
o plugins: os-tor 1.6 adds IPv6 and exit settings (contributed by Gijs Peskens)
o ui: update tokenizer to 2.6, visual tweaks and blur-add
o ui: buttons for services control in MVC (contributed by Smart-Soft)
o src: reinitialize IP header length after checksum calculation 1
o src: fix IPsec validation and use-after-free 2
o src: update timezone database information 3
o src: update file(1) to new version with security update 4
o src: add mitigations for two classes
18.1.412 Mar 2018 07:20
minor feature:
Here are the full patch notes:
o system: improved default route handling
o system: improved gateway switching
o system: cleanse username on LDAP import
o system: increase maximum size of firmware reports
o firewall: shaper backend refactor
o interfaces: improved reconfigure phase
o reporting: fix sporadic "non-numeric value encountered" error
o captive portal: add voucher expiry (contributed by Stephanowicz)
o intrusion detection: use latest ET Open rules for Suricata version 4
o intrusion detection: proper syslog with drops, requires log file reset
o intrusion detection: backend refactor
o plugins: os-frr 1.2 adds OSPF interface type (contributed by Marius Halden)
o plugins: os-haproxy 2.6 1 (contributed by Frank Wall)
o ports: isc-dhcp 4.3.6P1 2
o ports: krb5 1.16 3
o ports: pkg 1.10.5
o ports: strongswan 5.6.2 4
18.1.305 Mar 2018 12:00
minor feature:
Here are the full patch notes:
o system: account for variable headers in top output
o system: move gateway status into main pages
o system: slightly reorder routing configuration calls
o system: optimize reading of SSL crypto library version string (contributed by Alexander Shursha)
o system: rework LDAP authentication container selection
o interfaces: avoid interaction of overview details with menu items
o interfaces: allow "reject leases from" option in DHCP advanced settings
o firewall: set alias cron update interval to 1 minute
o firewall: align alias cron update with its background call
o firewall: URL IP alias type missing in selections
o firewall: fix defunct alias target in outbound NAT
o firewall: ignore alias case while searching
o firewall: move rule category filter to the top of the page
o firewall: show IPv6 ports in live log and fix details for TCP
o firewall: move general settings to AliasParser and fix Alias constructor to receive them
o firewall: if the name of the alias equals its content try to resolve
o dhcp: advertisement problem on PPPoE link without public IPv6 address (contributed by Team Rebellion)
o dhcp: UEFI 64 network boot using wrong arch type
o dhcp: validate maximum interface MTU
o dhcp: add validation for DUID fields
o ipsec: auto-route disable setting (contributed by Namezero)
o network time: inline NMEA checksum calculator (contributed by Fabian Franz)
o network time: fix stratum level write
o unbound: optimize outgoing-range differently
o unbound: local zone setting (contributed by NOYB)
o ui: fix cropped dropdown regression
o mvc: translate option values (contributed by Alexander Shursha)
o mvc: fix access to undefined property translator
o mvc: fix typo in getBase()
o mvc: improve phpdoc
o rc: protect console menu again, but keep shell invoke for rc.d subsystem
o rc: fix some typos (contributed by John Eismeier)
o rc: proper includes for plugin post-install hook
o rc: recover all known shells
o plugins: os-clamav 1.5 fixes log
18.1.208 Feb 2018 18:20
minor feature:
Here are the full patch notes:
o system: avoid default route from disappearing when no manual gateways are set
o firewall: fix outbound NAT for OpenVPN interfaces
o interfaces: multiple overview page improvements (contributed by NOYB)
o firmware: revoke 17.7 update fingerprint
o console: check for root invoke in importer, installer and console menu
o intrusion detection: always show schedule tab
o intrusion detection: log first drop of a flow
o intrusion detection: add a log file viewer
o unbound: add num-queries-per-thread option values for 4096 and 8192
o ui: remove chrome=1 from X-UA-Compatible meta element (contributed by NOYB)
o ui: HTML compliance for attribute "type" on script element (contributed by NOYB)
o ui: HTML compliance for "navigation" "role" on nav element (contributed by NOYB)
o ui: checkbox and radio button label children tweaks (contributed by NOYB)
o ui: break help text on small screens
o ui use pluggable locations for theme files
o ui: remove table-responsive padding on small screens
o ui: user-scalable viewport (contributed by NOYB)
o mvc: CRUD functions for mutable model controller (contributed by Fabian Franz)
o plugins: os-frr 1.0 with CRUD refactor (contributed by Fabian Franz)
o plugins: os-tor 1.5 with CRUD refactor (contributed by Fabian Franz)
o ports: phalcon 3.3.1
o ports: php 7.1.14
18.1.102 Feb 2018 18:19
minor feature:
Here are the full patch notes:
o firewall: ignore target port alias in port forwards when it equals the destination
o firewall: align outbound NAT address output to edit page
o firewall: use first region for country in GeoIP category instead of last one
o system: improve layout of gateway status labels (contributed by Fabian Franz)
o system: improve order of group / user setup as "wheel" was not added correctly on save
o dashboard: touch device improvements in widgets (contributed by NOYB)
o opendns: always refresh the setting on save
o openvpn: open links in a new tab (contributed by Fabian Franz)
o ui: system-wide HTML compliance improvements (contributed by NOYB)
o plugins: arp-scan 1.1 improves interface search (contributed by Giuseppe De Marco)
o plugins: os-dyndns 1.6 fixes Route 53 IPv6 usage (contributed by theq86)
o plugins: os-freebsd 1.5.2 clarifies certificate validation (contributed by Michael Muenz)
o plugins: os-openconnect 1.0 (contributed by Michael Muenz)
o plugins: os-rfc2136 1.2 improves widget load
o plugins: os-telegraf 1.3.1 adds ping hosts and graphite validation fix (contributed by Michael Muenz)
o plugins: os-rspamd 1.1 fixes typos (contributed by Fabian Franz)
o plugins: os-zerotier 1.3.1 makes database persist on /var MFS (contributed by David Harrigan)
o ports: curl 7.58.0 1
o ports: py27-cryptography 2.1.4
18.102 Feb 2018 18:18
minor feature:
These are the most prominent changes since version 17.7:
o FreeBSD 11.1, PHP 7.1 and jQuery 3 migration
o Realtek vendor NIC driver version 1.94
o Portable NAT before IPsec support
o Local group restriction feature in OpenVPN and IPsec
o OpenVPN multi-remote support for clients
o Strict interface binding for SSH and web GUI
o Improved MVC tabs and general page layout
o Shared forwarding now works on IPv6, in conjunction with "try-forwarding" and improved reply-to multi-WAN behaviour
o Easy-to-use update cache support for Linux and Windows in web proxy
o Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)
o Revamped HAProxy plugin with introduction pages
o Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status
o Alias backend rewrite for future extensibility
o Plugin-capable firewall NAT rules
o Migration of system routes UI and backend to MVC (also available via API)
o Reverse DNS support for insight reporting (also available via API)
o Fully rewritten firewall live log in MVC (also available via API)
o New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, node_exporter
17.7.1219 Jan 2018 06:18
minor feature:
Here are the full patch notes:
o system: use correct crypto library to gather GUI SSL ciphers
o system: do not wrap action buttons in tunables page
o system: fix CA serial number decrement on save
o firmware: remove the discontinued hotfix backend support
o firmware: allow dot in package name during package action
o firmware: remove defunct mirrors
o interfaces: make level of detail stick in packet capture
o interfaces: auto-lock problematic interfaces upon assignment
o firewall: make NAT reflection enable less ambiguous
o firewall: fix NAT formatting in states dump page
o network time: fix for valid negative offset in health graph
o network time: OPNsense NTP pool is now available
o network time: fix parsing of overly overlong lines
o web proxy: use PID file instead of daemon name for status probe
o wizard: add unbound to wizard and uncheck DNSSEC by default
o ui: HTML compliance fixes button in link usage (contributed by NOYB)
o mvc: added mutable service controller
o mvc: added sub-tab layout partials
o mvc: do not render empty toggle header
o plugins: acme-client 1.13 1 (contributed by Frank Wall)
o plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)
o plugins: helloworld 1.4
o plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)
o plugins: tor 1.4 adds contact info (contributed by Fabian Franz)
o plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)
o ports: libressl 2.6.4 2
o ports: php 7.1.13 3
17.7.1122 Dec 2017 10:12
minor feature:
Here are the full patch notes:
o system: numerical sort for "Use" and "MTU" columns in route diagnostics
o system: gateway group edit tier selection issue with jQuery3
o system: minor cleanups in the certificates backend
o firewall: move anti-lockout rule to advanced settings
o interfaces: minor cleanups in the backend
o reporting: rework configuration handling on the settings page
o dnsmasq: minor cleanups in the backend
o firmware: strip the architecture from the base / kernel set version display
o firmware: backend preparations for full base / kernel set lock and reinstall
o firmware: increase crash report file limit to 2 MB
o ipsec: minor cleanups in the backend
o unbound: register DHCP domain name for interface if found
o network time: show full remote address and fix page boxing on status page
o network time: add advanced custom options
o network time: fix leap second save
o network time: minor cleanups in the backend
o wizard: properly redirect on input errors in system wizard
o mvc: ignore client-side anchors in breadcrumb generation
o ui: do not use a CSRF input element ID
o plugins: os-freeradius 1.4.1 fixes a warning in clients (contributed by Michael Muenz)
o ports: libxml 2.4.7 1
o ports: py-ipaddress 1.0.19
17.7.1018 Dec 2017 10:56
minor feature:
Here are the full patch notes:
o system: allow user-based language setting through Lobby: Password
o system: allow strict interface binding for OpenSSH
o system: prepare for MVC-based routing pages
o firmware: prepare for production / development release type selection
o firewall: fix a PHP warning when no user rules are installed
o firewall: add refresh button to table diagnostics page
o captive portal: fix chroot regression since lighttpd web server update in 17.7.9
o interfaces: provide a link-local IPv6 when asking for addresses
o intrusion detection: sync port-groups to default template
o ipsec: upgrade vici lib to match strongSwan package
o network time: fix a PHP warning during NMEA deselect
o mvc: do not throw disabled errors in handler
o plugins: os-dyndns 1.4_1 fixes issue with Namecheap error parsing
o plugins: os-freeradius 1.4.0 adds log viewer and fixes users write (contributed by Michael Muenz)
o plugins: os-quagga 1.4.3 adds OSPF firewall rule and spinners for save (contributed by Fabian Franz)
o src: OpenSSL multiple vulnerabilities 1 2
o ports: hyperscan 4.6.0 3
o ports: openssl 1.0.2n 4
o ports: suricata 4.0.3 5
Two plugin hotfixes have been additionally issued:
o plugins: os-quagga 1.4.3_1 fixes service startup regression
o plugins: os-rfc2136 1.1_1 fixes edit button in IE 11
17.7.907 Dec 2017 16:29
minor feature:
Here are the full patch notes:
o system: fix XSS with crafted certificates in certificate manager 1
o system: removed duplicated firmware privileges
o system: fix resolving routes in diagnostics page
o system: regenerated DH parameters
o dhcp: support stateless DHCPv6
o firmware: kernel and base set visibility and better API session handling
o intrusion detection: improve download and install speed of et-open rules
o intrusion detection: add TLS and HTTP logging in eve and alert log viewer
o openvpn: allow remote network in peer to peer modes
o web proxy: better service and API session handling
o router advertisements: advertise on VIPs belonging to the same interface
o configd: allow template overrides via optional target directory
o mvc: prepare for use-based language setting (contributed by Alexander Shursha)
o mvc: prepare for auto-generated page titles
o mvc: tighten against frame-based attacks
o mvc: correctly hide advanced option headers in forms (contributed by Evgeny Bevz)
o ui: fix for deactivated storage in sticky "help all" toggle (contributed by Fabian Franz)
o ui: make "advanced mode" sticky too
o plugins: os-acme-client 1.12 2 (contributed by Frank Wall)
o plugins: os-arp-scan (contributed by Giuseppe De Marco)
o plugins: os-clamav 1.3 (contributed by Alexander Shursha)
o plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed by Kuo-Cheng Yeu)
o plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)
o plugins: os-haproxy 2.0 3 (contributed by Frank Wall)
o plugins: os-relayd 1.2 fixes "check send" directive
o plugins: os-tor 1.3 (contributed by Fabian Franz)
o plugins: os-zabbix-agent 1.2 fixes service status indicator
o plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)
o ports: ca_root_nss 3.34.1
o ports: curl 7.57.0 4
o ports: lighttpd 1.4.48 5
o ports: php 7.1.12 6
o ports: pkg 1.10.3 7
o ports: py-Jinja2 2.10 8
o ports: syslogd 11.1
Homepage
Download