OPNsense 21.1

OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. OPNsense started as a fork of pfSense® and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of both m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project. OPNsense offers weekly security updates in small increments to react to newly emerging threats in a timely fashion. A fixed release cycle of 2 major releases each year offers businesses the opportunity to plan upgrades ahead. For each major release a roadmap is put in place to guide development and set out clear goals.

Tags: network, firewalls, security
License: BSDL-2
State: stable

Recent Releases

21.1 (28 Jan 2021 20:34) major feature: Here are the full patch notes against 20.7.8:
o system: use authentication factory for web GUI login
o system: allow case-insensitive matching for LDAP user authentication
o system: removed unused gateway API dashboard feed
o system: removed spurious comma from certificate subject print and unified underlying code
o system: harden web GUI defaults to TLS 1.2 minimum and strong ciphers
o system: generate a better self-signed certificate for web GUI default
o system: allow self-signed renew for web GUI default (using "configctl webgui restart renew")
o system: allow subdirectories in NextCloud backup (contributed by Lorenzo Milesi)
o system: first backup is same as current so ignore it on GUI and console
o system: optionally allow TOTP users to regenerate a token from the password page
o system: set hw.uart.console appropriately
o system: reconfigure routes on bootup
o system: relax gateway name validation
o system: ignore disabled gateways in dpinger services
o system: choose a better bind candidate for IPv4 in dpinger
o interfaces: defer IPv6 disable in interface code to ensure PPP interfaces do exist
o interfaces: no longer assume configuration-less interfaces can reach static setup code
o interfaces: fix PPP links not linking to their advanced configuration page
o interfaces: read deprecated flag, allow family spec in (-)alias calls
o interfaces: fix address removal in IPv6 CARP case
o interfaces: pick proper route for 6RD and 6to4 tunnels
o interfaces: support 6RD with single /64 prefix (contributed by Marcel Hofer)
o firewall: support category filters for firewall and NAT rules (sponsored by Modirum)
o firewall: add live log "host", "port" and "not" filters
o firewall: create an appropriate max-mss scrub rule for IPv6
o firewall: fix anti-spoof option for separate bridge interfaces
o firewall: display zeros and sort columns in pfTables (contributed by kulikov-a)
o firewall: relax schedule name validation
o reporting: prevent calling top talkers when no interfaces

20.7.8 (21 Jan 2021 14:31) minor bugfix: Here are the full patch notes:
o system: allow to recover from bad TLS certificate and/or bad settings in console interface assign
o system: display destination port number in firewall log widget (contributed by Team Rebellion)
o system: keep compatible TLS 1 defaults for web GUI on 20.7 series
o system: set default certificate lifetime to 397 days
o firewall: add type 128 to outgoing IPv6 RFC4890 requirements
o firewall: add manual refresh button to live log
o firewall: fix typo in ICMPv6 validation
o firewall: fix minor regression in maintaining target alias file
o firewall: fix all state value in pfTop (contributed by Lucas Held)
o firewall: remove duplicated destination field in live log
o firewall: add readonly actions to aliases permission (contributed by Manuel Faux)
o firewall: category selector missing caption
o reporting: add top talkers to revamped traffic graph page
o reporting: fix name resolution filter change in insight
o reporting: persist interface selection on traffic graph page
o captive portal: disable faulty TLS on HTTP since lighttpd 1.4.56
o dhcp: fix sorting of IPv6 static mappings (contributed by vnxme)
o dhcp: fix incorrect parsing of DUID (contributed by Matt Holgate)
o firmware: opnsense-code now updates the current directory if nothing was specified
o firmware: opnsense-code now uses flexible make.conf target from tools.git
o firmware: opnsense-update now supports snapshot access via -z option
o firmware: opnsense-update now fixes missing dependencies on the fly
o firmware: fix some issues with missing repository on server
o firmware: add version output and date to audit logs
o ipsec: display remote host in status overview (contributed by garlic17)
o opendns: add standalone mode
o openssh: honour MAX_LISTEN_SOCKS
o openvpn: set default certificate lifetime to 397 days in wizard
o unbound: generate all configuration files in service controller
o unbound: fix broken lines in large files (contributed by kulikov-a)
o web proxy: lock ACL dow

20.7.7 (21 Dec 2020 05:59) minor bugfix: Here are the full patch notes:
o reporting: fix traffic graph widget link issue
o system: simplify log format parsing
o interfaces: fix DUID LL description (contributed by Gabriel Mazzocato)
o unbound: fix dnsbl not reloading after update
o plugins: os-acme-client 2.2
o plugins: os-freeradius 1.9.9
o plugins: os-frr 1.20
o plugins: os-tinc 1.6 enables multiple addresses per host (contributed by ElNounch)
o plugins: os-wireguard 1.4
o ports: curl 7.74.0
o ports: dhcp6c ignores advertise messages with none of requested data and missed status codes
o ports: libressl 3.1.5
o ports: lighttpd 1.4.56
o ports: nss 3.60
o ports: openssl 1.1.1i
o ports: pcre2 10.36
o ports: sudo 1.9.4
o ports: sqlite 3.34.0
o ports: unbound 1.13.0

20.7.6 (16 Dec 2020 06:08) minor bugfix: Here are the full patch notes:
o system: no longer enforce alias names in gateways
o system: add "step into" icon on log lines when filtering
o system: add current CPU load progress bar (contributed by kulikov-a)
o firewall: allow larger selection in live log
o firewall: correctly select current IPv6 field in getInterfaceGateway()
o firewall: add validation for ipv6-icmp combined with inet
o reporting: traffic graph replacement using iftop
o openvpn: calculate first network address as gateway address when only ifconfig_local is given
o web proxy: throw startup error to user
o plugins: os-acme-client 2.1
o plugins: os-frr 1.19
o plugins: os-mail-backup not available due to unaddressed security concerns
o src: fix parsing of netmap legacy nmr->nr_ringid
o src: fix mutex double unlock bug in netmap
o src: minor misc netmap improvements
o src: improve netmap(4) and vale(4) man pages
o src: IPV6_PKTINFO support for v4-mapped IPv6 sockets
o src: zero-initialize variables in HBSD PaX SEGVGUARD
o src: fix execve/fexecve system call auditing
o src: fix uninitialized variable in ipfw
o src: fix race condition in callout CPU migration
o src: fix ICMPv6 use-after-free in error message handling
o src: fix multiple vulnerabilities in rtsold
o src: update timezone database information
o ports: krb5 1.18.3
o ports: nss 3.59
o ports: openldap 2.4.56
o ports: openssh 8.4p1
o ports: php 7.3.25
o ports: strongswan 5.9.1
o ports: suricata 5.0.5
o ports: syslog-ng 3.30.1

20.7.5 (26 Nov 2020 09:22) minor bugfix: Here are the full patch notes:
o system: syslog-ng related fixes during package management based restart
o system: change dpinger syslog message to reflect correct RTT and RTTd unit (contributed by fhloston)
o web proxy: add toggle for pinger service (contributed by nowyouseeit)
o web proxy: add missing X-Forwarded-For header option
o mvc: new Base64Field type
o mvc: new VirtualIPField type
o plugins: os-acme-client 2.0
o plugins: os-bind 1.14
o plugins: os-chrony 1.1
o ports: monit 5.27.1
o ports: php 7.3.24
o ports: pkg upstream fix for upgrade script hang
o ports: strongswan 5.9.0

20.7.4 (23 Oct 2020 06:40) minor bugfix: Here are the full patch notes:
o system: switch web GUI address selection to avoid server.bind in IPv6 first case
o system: fix defunct "use default" button on web GUI listen interfaces
o system: signal "auth user changed" when a user is modified via web GUI
o system: replace gateway widget and add proper API endpoint for it
o system: fix reading displayName attribute on LDAP search (contributed by ServiusHack)
o interfaces: change maximum MTU value to 65535 in accordance with RFC 791
o interfaces: update wireless device detection prefixes
o interfaces: lexical sort interface keys for assignments
o firewall: add support for network exclusions in network alias type
o firewall: add NAT information to pfInfo page (contributed by kulikov-a)
o firewall: associated NAT rules missed state keyword
o firewall: allow "or" conditions in live log
o firewall: use pfctl for alias IP check (contributed by kulikov-a)
o dnsmasq: regenerate resolv.conf on save
o dnsmasq: log queries option
o intrusion detection: ignore pkill exit status when performing update
o ipsec: add description to reconfigure action (contributed by Frank Wall)
o unbound: rebuild unbound blacklist download
o unbound: restructure reconfigure so that we always flush config
o backend: add new "config changed" event using syshook structure (sponsored by Modirum)
o mvc: add a few missing control widgets from log pages
o ui: upgrade moment.js to 2.27.0
o plugins: os-freeradius 1.9.8
o plugins: os-git-backup 1.0 (sponsored by Modirum)
o plugins: os-haproxy 2.25
o plugins: os-stunnel 1.0.2 adds service protocol selector (contributed by fhloston)
o src: extended netmap update and driver fixes
o src: netmap tun and lagg support (contributed by Sunny Valley Networks)
o src: update Realtek re driver to upstream version 1.96.04 (contributed by Laurent Dinclaux)
o ports: curl 7.73.0
o ports: libxml2 fixes for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977
o ports: nss 3.58
o ports: openssl 1.1.1h
o ports:

20.7.3 (25 Sep 2020 04:55) minor bugfix: Here are the full patch notes:
o system: use different shell gateway name to appease wizard
o system: simplify CARP hook
o interfaces: phase out netaddr.eui.ieee.OUI_REGISTRY_PATH usage
o firewall: add MAC type to top right filter selection
o firewall: fix two scrub rule parsing bugs
o firewall: omit group type interfaces in filter selection
o intrusion detection: re-create rule cache after rule deployment
o unbound: add "unbound-plus" section to XMLRPC sync
o dhcp: adding DDNS values of each additional pool to the ddns_zones array (contributed by Mathieu St-Pierre)
o dhcp: add static interface mode to router advertisements
o rc: fix ssh key permissions on MSDOS import
o rc: support service identifier in pluginctl -s mode
o plugins: os-bind download link changes (contributed by gap579137)
o plugins: os-chrony 1.0 (contributed by Michael Muenz)
o plugins: os-dnscrypt-proxy blocklist script fixes (contributed by Mark Keisler)
o plugins: os-frr 1.17
o plugins: os-postfix 1.17
o plugins: os-rspamd 1.10
o plugins: os-theme-cicada 1.25 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.23 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.1 (contributed by Team Rebellion)
o plugins: os-wireguard 1.3
o plugins: os-zabbix-agent 1.8
o src: fix FreeBSD Linux ABI kernel panic
o src: fix SCTP socket use-after-free
o src: fix dhclient heap overflow
o src: fix ure device driver susceptible to packet-in-packet attack
o src: fix bhyve privilege escalation via VMCS access
o src: fix bhyve SVM guest escape
o src: fix ftpd privilege escalation via ftpchroot
o src: set PAX_HARDENING_NOSHLIBRANDOM in the RTLD by default
o src: fix kernel panic while trying to read multicast stream
o ports: mpd 5.9
o ports: nss 3.57
o ports: php 7.3.22
o ports: pkg 1.15.6

20.7.2 (03 Sep 2020 07:40) minor bugfix: Here are the full patch notes:
o system: set REQUESTS_CA_BUNDLE in environments
o system: improve parsing for temperature sensors
o system: add "new-password" hint for Chrome on login form
o system: rename syslog services description and hide legacy mode when not enabled
o system: force syslog-ng restart after boot sequence
o system: properly read new style logging directories
o reporting: replace line endings when sending traceback to syslog in flowd_aggregate
o reporting: add traffic graph filter for private IPv4 networks (contributed by kcaj-burr)
o firewall: add MAC address alias type
o firewall: be more verbose when fetching alias remote content
o firewall: prevent pfctl error messages from being suppressed
o firewall: exclude all reserved pf.conf keywords from alias name
o firewall: bogons not loaded on initial load
o firewall: reset damaged bogons files on startup
o interfaces: add listen-queue-sizes in socket diagnostics
o firmware: properly report an unsigned repository
o firmware: revoke 20.1 fingerprint
o intrusion detection: rule cache parse error on invalid metadata
o intrusion detection: allow search for status enabled/disabled
o web proxy: correct template replacement during build time
o web proxy: bugfix in JSON access log
o unbound: updated project block lists links (contributed by gap579137)
o backend: add regex_replace template support
o plugins: os-acme-client 1.36
o plugins: os-dyndns 1.23 adds Gandi LiveDNS support (contributed by vizion8-dan)
o plugins: os-haproxy 2.24
o plugins: os-stunnel 1.0.1 includes performance tweaks
o plugins: os-telegraf 1.8.2
o plugins: os-tinc fixes cipher parsing on 20.7
o src: remove ACPI workaround for serial console on AMD EPYC
o src: Make pf.conf ':0' ignore link-local v6 addresses too
o src: default "show bad packets" tunable to off in e100 driver
o src: fix unsolicited promisc mode in e1000 driver
o src: add valectl to the system commands
o ports: ca_root_nss/nss 3.56
o ports: curl 7.72.0
o por

20.7.1 (23 Aug 2020 05:58) minor bugfix: Here are the full patch notes:
o system: split log process name into separate column
o system: filter new style log directories accordingly
o system: add delay to improve syslog-ng startup
o system: properly switch login page to latest jQuery 3.5.1
o firewall: add select boxes for static filters in live log
o firmware: ignore mandoc.db files in health output as the system will regenerate them weekly
o firmware: bring back Chinese Aivian mirror
o firmware: remove defunct opn.sense.nz and RageNetwork mirrors
o web proxy: add JSON output following Elastic Common Schema (sponsored by Incenter Technology)
o backend: cap log messages to 4000 characters to prevent longer messages from vanishing
o plugins: os-acme-client 1.35
o plugins: os-frr 1.15
o plugins: os-postfix 1.15
o plugins: os-udpbroadcastrelay 1.0 (contributed by Team Rebellion)
o src: set the current VNET before calling netisr_dispatch() in ng_iface(4)
o src: assorted multicast group join/leave corrections
o src: fix vmx driver packet loss and degraded performance
o src: fix memory corruption in USB network device driver
o src: fix multiple vulnerabilities in sqlite3
o src: fix sendmsg(2) privilege escalation
o ports: perl 5.32.0
o ports: squid 4.12

20.7 (06 Aug 2020 11:29) major feature: Here are the full patch notes against version 20.7-RC1:
o system: syslog-ng RFC5424 on FreeBSD 12 needs flags(syslog-protocol)
o installer: welcome users as genuine 20.7 installer
o web proxy: do not try to force cachemanager access to use ICAP
o plugins: os-collectd 1.3
o plugins: os-zabbix5-proxy 1.3
o src: prevent netgraph page fault for LTE usage
o ports: dnsmasq 2.82
o ports: monit 5.27.0
o ports: nss 3.55
o ports: sudo 1.9.2

20.1.9 (24 Jul 2020 08:23) minor feature: Here are the full patch notes:
o system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
o firewall: validate if NAT destination contains a port
o firewall: prevent config_read_array() from adding an empty lo0
o network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
o network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
o mvc: LegacyLinkField not allowed to return null in __toString()
o plugins: os-collectd 1.3
o plugins: os-dyndns 1.22
o plugins: os-telegraf 1.8.1
o plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
o plugins: os-tinc fixes switch mode
o plugins: os-wireguard 1.2
o ports: ca_root_nss 3.54
o ports: curl 7.71.1
o ports: dnsmasq 2.82
o ports: monit 5.27.0
o ports: php 7.3.20
o ports: python 3.7.8
o ports: sqlite 3.32.3
o ports: syslog-ng 3.27.1

20.1.8 (03 Jul 2020 14:51) minor feature: Here are the full patch notes:
o system: simpler get_interface_ip() usage in IPv4 renewal
o system: allow HA sync of network time settings
o system: download all filtered items in log export
o system: add support for upstream LDAP accounts in Nextcloud backup (contributed by Fabian Franz)
o interfaces: fix stateless DHCPv6 for track6 interfaces (contributed by Maurice Walker)
o firewall: fix missing address filter error by moving NAT targets to runtime resolve
o firewall: prevent gateway protocol mismatch from breaking the ruleset
o firewall: work around categories typeahead issue with recent jQuery libraries
o firewall: improve alias help text (contributed by Team Rebellion)
o firewall: switch from single log filter to one per attribute
o intrusion detection: when enabling rules prefixed with '# ' consume the extra space (contributed by Tra5is)
o intrusion detection: less sensitive rule parsing
o intrusion detection: compress stats.log backups
o ipsec: valid IPSec Phase 2 hash config warning raises GUI alert (contributed by Brett Merrick)
o unbound: add DNS64 support (contributed by Maurice Walker)
o web proxy: fix wrong button label for Download ACLs (contributed by 90er)
o mvc: add sort_flags optional parameter support (contributed by NOYB)
o rc: add full PATH to rc.syshook invoke
o plugins: os-acme-client 1 2
o plugins: os-dnscrypt-proxy 1.8
o plugins: os-dyndns 1.21 improves Cloudflare support (contributed by Andreas Rupper)
o plugins: os-freeradius 1.9.7
o plugins: os-haproxy 2.23
o plugins: os-intrusion-detection-content-snort-vrt 1.1
o plugins: os-stunnel 1.0 (sponsored by Incenter Technology)
o plugins: os-tayga 1.1
o plugins: os-theme-rebellion 1.8.4
o ports: ca_root_nss 3.53
o ports: curl 7.71.0
o ports: hostapd / wpa_supplicant UPnP SUBSCRIBE advisory
o ports: krb5 1.18.2
o ports: ntp 4.2.8p15
o ports: pcre 8.44
o ports: perl 5.30.3
o ports: php 7.3.19
o ports: python CVE-2019-18348 and CVE-2020-8492
o port

20.1.7 (21 May 2020 05:07) minor feature: Here are the full patch notes:
o system: default net.inet.icmp.reply_from_interface to 1
o system: fix static gateway wizard handling
o firewall: allow outbound NAT source and destination port ranges
o interfaces: use interfaces_primary_address6() inside get_interface_ipv6()
o dhcp: add AdvLinkMTU to router advertisements settings (contributed by Ilteris Eroglu)
o unbound: prevent wildcard domains for the local system domain
o backend: suppress inconsequential IDNA warnings for aliases
o backend: add option to return a key value list for TLS ciphers
o mvc: reference constraint pointing validation results to the wrong field
o plugins: os-acme-client 1.32 adds Acmeproxy DNS support (contributed by Maarten den Braber)
o src: added Novatel Wireless MiFi 8800/8000 support (contributed by rootless4real)
o src: fix pf shared forwarding on non-existing interfaces
o src: patch in tty 3wire autologin support
o src: fix insufficient packet length validation in libalias
o src: fix memory disclosure vulnerability in libalias
o src: fix improper checking in SCTP-AUTH shared key update
o src: fix use after free in cryptodev module
o src: update to tzdata 2020a
o ports: ca_root_nss 3.52
o ports: curl 7.70.0
o ports: dhcp6c v20200512
o ports: hyperscan 5.2.1
o ports: openldap 2.4.50
o ports: pcre2 10.35
o ports: php 7.3.18

20.1.6 (01 May 2020 05:05) minor feature: Here are the full patch notes:
o system: add data length option to gateway monitor settings
o firewall: avoid greedy matching with live log parsing regression from 20.1.5
o firmware: detect runtime defaults when using "make upgrade" with core.git
o firmware: clean up packaging code and support ".link" file extension
o firmware: use CORE_FLAVOUR instead of FLAVOUR when using opnsense-bootstrap
o firmware: optionally allow reaching the master branch when using opnsense-bootstrap
o firmware: allow overriding CORE_ABI when using opnsense-bootstrap
o firmware: copy make.conf instead of linking when using opnsense-code
o firmware: always fetch tools.git when using opnsense-code
o rc: use "onifexists" for VGA TTY instead of "on"
o rc: missing ntpd user on 20.7 / 12.1
o plugins: os-unbound-plus DoT validation fix (contributed by Michael Muenz)
o src: fix ipfw invalid mbuf handling
o ports: libyaml 0.2.4
o ports: openssl 1.1.1g
o ports: py-yaml 5.3.1
o ports: radvd 2.18
o ports: sqlite 3.31.1
o ports: squid 4.11
o ports: suricata 4.1.8

20.1.5 (27 Apr 2020 06:50) minor feature: Here are the full patch notes:
o system: support configuration for SSH HostKeyAlgorithms, KexAlgorithms, Ciphers and MACs
o system: simplify validations in gateway monitor settings
o interfaces: mark VXLAN and loopback devices as configurable
o interfaces: validation typo caused failure to communicate unassignable targets
o interfaces: netstat tree view GUI and API
o interfaces: use libxo to extract ARP data
o firewall: checkbox selection ignores visibility setting
o firewall: add network group type to combine aliases cleanly
o firewall: IPv6 essential icmpv6 allow for ::
o firewall: new shaper statistics GUI and API
o firewall: support filter log messages with PID
o reporting: when flow times are not returned stick to receive timestamp
o openvpn: use multihome when selecting "any" interface with UDP
o unbound: create shared startup script for background task
o mvc: also store "" field value as initial state to prevent empty fields from being marked as changed
o mvc: firewall source NAT ranges support in plugins
o mvc: keep options in static set for PortField
o mvc: support interface targets without addresses
o mvc: add "migration_prefix" attribute to model
o mvc: catch ArgumentCountError
o mvc: skip empty gateway artefact
o plugins: os-acme-client 1.31
o plugins: os-firewall 1.0 API supplemental package
o plugins: os-haproxy 2.22
o plugins: os-unbound-plus 1.1
o plugins: os-wol 2.3 adds case insensitive matching in widget (contributed by Gauss23)
o ports: ca_root_nss 3.51.1
o ports: dnsmasq 2.81
o ports: krb5 1.18.1
o ports: openvpn 2.4.9
o ports: php 7.2.30
o ports: py-certifi 2020.4.5.1
o ports: strongswan 5.8.4

20.1.4 (09 Apr 2020 14:33) minor feature: Here are the full patch notes:
o system: add missing strtolower() in LDAP sync response
o system: fix /var/run/legacy_log socket creation race with Syslog-ng
o system: add info button to display privilege / ACL endpoints
o system: make IPsec tap tunables overwriteable
o firewall: floating means either all interfaces or more than one selected
o firewall: simplify group maintenance by only applying them on filter reload
o interfaces: use primary IPv6 and support VIP tracking
o interfaces: multiple changes in radvd.conf setup (contributed by maurice-w)
o dhcp: fix DDNS support in DHCPv6 (contributed by Wagner Sartori Junior)
o firmware: mirror opnsense.ieji.de renamed to opn.sense.nz
o openvpn: improve openvpn_port_used() logic
o unbound: minor cleanup in /api/unbound/diagnostics/stats endpoint
o unbound: remove 192.0.0.0/24 from rebinding prevention list (contributed by maurice-w)
o mvc: simplify reload of captive portal, cron, IDS, alias, loopback, VXLAN, web proxy, routes, syslog and shaper
o mvc: limit dropdown size to 10 if none specified
o mvc: support inheritance of the ArrayField type
o mvc: synchronize backup timestamps with revisions
o mvc: fixed width for timestamp column in logging
o mvc: init errorMessage to prevent crash reports
o shell: use interfaces_primary_address6() for correct IPv6 display
o shell: append a newline in pluginctl -g mode
o plugins: os-acme-client 1.30
o plugins: os-bind 1.13
o plugins: os-freeradius 1.9.6
o plugins: os-haproxy 2.21
o plugins: os-maltrail 1.5
o plugins: os-nginx 1.19
o plugins: os-nut 1.7
o plugins: os-postfix 1.14
o plugins: os-tayga 1.0 (contributed by Michael Muenz)
o plugins: os-telegraf 1.7.7
o plugins: os-unbound-plus 1.0 (contributed by Michael Muenz and Petr Kejval)
o lang: multiple updates to supported languages
o lang: new Turkish translation (contributed by Aydin Yakar)
o src: work around PCI devices which return all zeros for reads of existing MSI-X table VCTRL registers
o src: f

20.1.3 (19 Mar 2020 06:53) minor feature: Here are the full patch notes:
o system: match group CN case-insensitive
o system: added pluggable log format parsing facility
o system: update nsComment in OpenSSL config (contributed by vnxme)
o interfaces: fix missing default gateway switch on linkup event
o firewall: properly lock alias_util API (contributed by Cedric Deconinck)
o firewall: flush priority sections to /tmp/rules.debug
o firewall: do not escape internal URLs
o firmware: revoke 19.7 fingerprint
o ipsec: add virtual IPv6 pool for mobile clients (contributed by vnxme)
o ipsec: add MVC service control API
o monit: simplify Monit reload
o openvpn: properly swapped help texts regarding routes
o unbound: multiple fixes in DHCP watcher
o mvc: fix CountryField for static options
o mvc: extend PortField to support multiple items
o mvc: BaseListField plus PortField now use getValidationMessage() to bootstrap defaults
o mvc: add NetworkAliasField, ProtocolField and LegacyLinkField types
o mvc: apply PSR12 style as found on master
o ui: add jQuery plugin to support a simple service reload/action button
o ui: hook bootgrid javascript texts
o plugins: os-munin-node 1.0 (contributed by Michael Muenz)
o plugins: os-sunnyvalley 1.2 (contributed by Sunny Valley)
o plugins: os-wol: relax MAC address validation (contributed by Mikael Falkvidd)
o ports: ca_root_nss 3.51
o ports: ntp 4.2.8p14

20.1.2 (09 Mar 2020 09:15) minor feature: Here are the full patch notes:
o system: fix leap year issue in new log reader
o system: add valid from and to dates to user certs display
o system: drop unused services.inc and diag_logs_template.inc
o interfaces: make sure descriptions are properly cleansed
o interfaces: introduce interfaces_primary_address6()
o interfaces: validate interface input in packet capture
o firewall: immediately download GeoIP if not already found
o firewall: improve performance when working with large number of aliases
o firewall: fix visibility on internal CARP rules
o captive portal: fix expiry and validity for vouchers (contributed by xx4h)
o dhcp: fix DNS registration for DHCPv6 static mappings (contributed by maurice-w)
o dhcp: add icons next to online/offline lease status (contributed by Tyler Ham)
o ipsec: allow configuration of inactivity parameter (contributed by Marcel Menzel)
o unbound: minor changes while scanning ACL subnets
o web proxy: work around to skip passing additional auth properties
o backend: allow pluginctl to return config.xml values
o console: improve type checks in set address function
o rc: join CARP early startup scripts
o plugins: os-dnscrypt-proxy fix for setup.sh on reboot
o plugins: os-dyndns 1.20 fixes verify restrictions, GratisDNS and missing break for Linode (contributed by NOYB, Johan Pramming, Andrew Gunnerson)
o plugins: os-maltrail 1.4
o plugins: os-nrpe fix for setup.sh on reboot
o plugins: os-tinc 1.5 fixes bug in IPv6 support (contributed by vnxme)
o src: fix imprecise ordering of SSP canary initialization
o src: fix nmount invalid pointer dereference
o src: fix libfetch buffer overflow
o src: fix kernel stack data disclosure
o ports: ca_root_nss 3.50
o ports: php 7.2.28
o ports: squid 4.10
o ports: suricata 4.1.7
o ports: syslog-ng 3.25.1
o ports: unbound 1.10.0

20.1.1 (20 Feb 2020 14:53) minor feature: Here are the full patch notes:
o system: increase size of user SSH key input box
o system: fix faulty PPP log link in the menu
o system: fix a PHP warning on the general settings page
o interfaces: update maximum MTU for 10Gb NICs (contributed by Len White)
o firewall: fix rule statistics display for rules using tagging
o reporting: fix missing separator in NetFlow configuration
o firmware: add Quantum mirror in Hungary
o openvpn: fix ifconfig-ipv6-push format
o plugins: os-dnscrypt-proxy 1.7
o plugins: os-net-snmp 1.4
o plugins: os-nginx 1.18
o plugins: os-theme-vicuna 1.0 (contributed by Team Rebellion)
o ports: lighttpd 1.4.55
o ports: openldap 2.4.49
o ports: pkg libfetch security fix
o ports: sudo 1.8.31

20.1 (31 Jan 2020 09:03) major feature: These are the most prominent changes since version 19.7:
o Captive portal performance improvements
o IPsec public key authentication support
o Elliptic curve TLS certificate creation
o CARP service demotion hook
o VXLAN device support
o Loopback device support
o Extended firmware health audit checks
o Support direction and non-quick on interface rules
o Logging frontend migrated to MVC / API
o PSR 12 coding style
o Documentation for all core components
o Python 3.7 is now the default Python version
o LibreSSL 3.0 and OpenSSL 1.1.1
o Google Backup API 2.4
o jQuery 3.4.1
And here are the full patch notes against version 20.1-RC1:
o installer: welcome users as genuine 20.1 installer
o rc: revert growfs change since Nano does not grow anymore
o plugins: os-mail-backup 1.1
o plugins: os-nrpe 1.0 (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
o plugins: os-vnstat 1.2
o plugins: zabbix4-proxy 1.2
o ports: ca_root_nss 3.49.2
o ports: curl 7.68.0
o ports: isc-dhcp 4.4.2
o ports: php 7.2.27
o ports: urllib3 1.27.7

19.7.10 (28 Jan 2020 10:01) minor bugfix: Here are the full patch notes:
o firewall: fix a typo in CARP validation
o firmware: revoke 19.1 fingerprint
o ipsec: add configurable dpdaction (contributed by Marcel Menzel)
o mvc: BaseListField ignoring empty selected field
o plugins: os-haproxy 2.20
o plugins: os-mail-backup 1.1
o plugins: os-nrpe 1.0 (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
o plugins: os-vnstat 1.2
o plugins: zabbix4-proxy 1.2
o ports: ca_root_nss 3.49.1
o ports: curl 7.68.0
o ports: urllib3 1.27.7
o ports: isc-dhcp 4.4.2

19.7.9 (10 Jan 2020 09:16) minor bugfix: Here are the full patch notes:
o system: use 825 days as the default maximum certificate lifetime
o system: hide leaking hostname on SSH password auth (contributed by sooslaca)
o system: remove unused "lifetime" parameter from user manager page
o firewall: new GeoIP settings page to allow continued use of upstream database
o firewall: log when alias couldn't resolve a hostname
o firewall: translate pfInfo page tabs (contributed by Smart-Soft)
o firmware: add mirror MARWAN (Moroccan Academic Research Wide Area Network)
o dhcp: replace killbyname() usage which should not have killed both services
o dhcp: auto-replace windows DUID dashes (contributed by Team Rebellion)
o mvc: PSR12 code style updates
o plugins: os-acme-client 1.29
o plugins: os-bind 1.12
o plugins: os-dyndns must use dyndns_failover_interface() to translate gateway group
o plugins: os-frr 1.14
o plugins: os-maltrail 1.3
o plugins: os-nginx 1.17
o plugins: os-nut fixes validation and snmp-ups selection (contributed by Michael Muenz)
o plugins: os-theme-cicada 1.24 (contributed by Team Rebellion)
o plugins: os-zabbix4-proxy 1.1
o ports: openssh 8.1p1
o ports: openssl 1.0.2u
o ports: php 7.2.26
o ports: phpseclib 2.0.23
o ports: python 3.7.6
o ports: strongswan 5.8.2
o ports: sudo 1.8.30
o ports: unbound 1.9.6

19.7.8 - 19 Dec 2019 09:25 - minor bugfix: Here are the full patch notes: o system: "Mark Gateway as Down" also means exclude from default gateway selection o system: fix PHP warning on gateways list due to wrong variable scope o system: support elliptic curve TLS certificate creation (contributed by johnaheadley) o system: remove unused current directory PHP include o system: fix XSS in backup page and static menu pages o firewall: use referential integrity check for model data o reporting: improve NetFlow error handling (contributed by Frank Brendel) o dhcp: always add dhcp6.domain-search and dhcp6.name-servers (contributed by maurice-w) o dhcp: fix range check for advanced router advertisement options (contributed by maurice-w) o dhcp: improve help texts for router advertisement modes (contributed by maurice-w) o dhcp: replace defunct IPv6 domain name option with domain search list option (contributed by maurice-w) o dhcp: fix storing advanced IPv6 options o firmware: add "copy to clipboard" button in update text box o firmware: use opnsense-revert in GUI reinstall package case o firmware: when storing installed plugin names remove their development counterparts o firmware: improved health check scope to include direct core package dependencies o openvpn: fix Firefox "nowrap" issue in client export page o backend: improve error handling while configd is either not active or not functional o mvc: route to default page when controller or action not found o mvc: field type refactor and unit tests o mvc: added opt-in referential integrity check for models o mvc: countless PSR12 style updates o mvc: add "NetMaskAllowed" option to validate on single addresses in NetworkField o plugins: os-bind 1.11 o plugins: os-dyndns 1.18 adds Linode support (contributed by eAndrew Gunnerson) o plugins: os-freeradius 1.9.5 o plugins: os-frr 1.13 o plugins: os-ftp-proxy style updates only o plugins: os-postfix 1.13 o plugins: os-rspamd 1.9 o plugins: os-theme-cicada 1.23 (contributed by Team Rebellion) o plugin
19.7.7 - 22 Nov 2019 11:41 - minor bugfix: Here are the full patch notes: o system: generate self-signed server certificate for web GUI by default o system: let net.local.dgram.maxdgram default to 8192 bytes o system: spawn Dpinger process in background to avoid hangs o system: switch backup to Google API PHP client v2 o system: add interface groups to HA sync o interfaces: remove the "Directly send SOLICIT" option o firewall: fix issue with label parsing when "tag" keyword was involved o firewall: skip empty lines in rule statistics parsing o firmware: add /etc/remote to whitelist, NTP GPS uses it o reporting: empty NetFlow egress default passes validation o reporting: show dialog when RRD is disabled o dhcp: fix for domain-search option in DHCPv6 (contributed by maurice-w) o dnsmasq: fix storing settings when no settings exist yet o intrusion detection: lower payload-buffer-size to prevent syslog size limit o intrusion detection: fix issue with escaped file name during rules download o unbound: exit wrapper when process not running o web proxy: added check on SNI field checkbox (contributed by Northguy) o mvc: fix forceReload() o plugins: os-acme-client 1.28 o plugins: os-bind 1.10 o plugins: os-nginx 1.16 o plugins: os-nut 1.6 o plugins: os-postfix 1.12 o src: fix machine check exception on page size change o src: bump libc syslog line size to 8k o src: import tzdata 2019c o ports: curl 7.67.0 o ports: libressl 3.0.2 o ports: openvpn 2.4.8 o ports: perl 5.30.1 o ports: phalcon 3.4.5 o ports: sqlite 3.30.1 o ports: squid 4.9 o ports: syslog-ng 3.24.1
19.7.6 - 19 Nov 2019 11:44 - minor bugfix: Here are the full patch notes: o system: hook LDAP TLS support into system-wide trust file o system: fix dpinger custom parameters not being honoured o system: fix PHP core loop fail in tunables overview o system: only allow P12 export if password confirmation matches o interfaces: change PCAP download to binary file stream o firewall: store reference to outbound NAT address instead of literal address o firewall: add log message for scheduled firewall reload o firmware: tie pkg dependency to core o ipsec: allow EC keys for certificate-based secrets (contributed by Martin Strigl) o ipsec: add support for public key authentication (contributed by Pascal Mathis) o openvpn: server wizard existing CA use and server cert check (contributed by johnaheadley) o backend: add run mode to pluginctl using JSON-based output o ui: fix tokenizer reorder on multiple saves, second try o plugins: os-acme-client 1.27 o plugins: os-bind 1.9 o plugins: os-nginx 1.15 o plugins: os-relayd 2.4 fixes protocol option migration (contributed by Frank Brendel) o plugins: os-theme-cicada 1.22 (contributed by Team Rebellion) o ports: ca_root_nss 3.47 o ports: php 7.2.24 o ports: python 3.7.5 o ports: sudo 1.8.29
19.7.5 - 14 Oct 2019 10:07 - minor bugfix: Here are the full patch notes: o system: show all swap partitions in system information widget o system: flatten services_get() in preparation for removal o system: pin Syslog-ng version to specific package name o system: fix LDAP/StartTLS with user import page o system: fix a PHP warning on authentication server page o system: replace most subprocess.call use o interfaces: fix devd handling of carp devices (contributed by stumbaumr) o firewall: improve firewall rules inline toggles o firewall: only allow TCP flags on TCP protocol o firewall: simplify help text for direction setting o firewall: make protocol log summary case insensitive o reporting: ignore malformed flow records o captive portal: fix type mismatch for timeout read o dhcp: add note for static lease limitation with lease registration (contributed by Northguy) o ipsec: add margintime and rekeyfuzz options o ipsec: clear dpdline correctly if not set o ui: fix tokenizer reorder on multiple saves o plugins: os-acme-client 1.26 o plugins: os-bind will reload bind on record change (contributed by blablup) o plugins: os-etpro-telemetry minor subprocess.call replacement o plugins: os-freeradius 1.9.4 o plugins: os-frr 1.12 o plugins: os-haproxy 2.19 o plugins: os-theme-cicada 1.21 (contributed by Team Rebellion) o plugins: os-theme-tukan 1.21 (contributed by Team Rebellion) o plugins: os-mailtrail 1.2 o plugins: os-postfix 1.11 o plugins: os-rspamd 1.8 o plugins: os-sunnyvalley LibreSSL support (contributed by Sunny Valley Networks) o plugins: os-telegraf 1.7.6 o plugins: os-tinc minor subprocess.call replacement o plugins: os-tor 1.8 adds dormant mode disable option (contributed by Fabian Franz) o plugins: os-virtualbox 1.0 (contributed by andrewhotlab) o ports: ca_root_nss 3.46.1 o ports: curl 7.66.0 o ports: expat 2.2.8 o ports: openssl 1.0.2t o ports: php 7.2.23 o ports: pkg 1.12.0 o ports: strongswan 5.8.1 o ports: suricata 4.1.5 o ports: syslo
19.7.4 - 12 Sep 2019 09:53 - minor bugfix: Here are the full patch notes: o system: fix legacy remote logging with custom port o system: regenerate CA bundle when modifying trusted authorities o system: fix translation order of tunables description o system: fix CARP maintenance mode bootup o firewall: missing daily refresh on GeoIP type o firewall: fix fetch of GeoIP alias if its name is same as its country o reporting: auto-load required kernel modules for NetFlow o reporting: allow setting NetFlow active/inactive timeout (contributed by Frank Brendel) o captive portal: optimise ipfw rule parsing o firmware: Homelab.no has been superseded by TerraHost mirror (contributed by Thomas Jensen) o unbound: support file-based custom includes o unbound: set absolute path to root.hints (contributed by h-town) o plugins: os-bind 1.8 (contributed by ErikJStaab) o plugins: os-dnscrypt-proxy 1.6 (contributed by ErikJStaab) o plugins: os-etpro-telemetry 1.4 o plugins: os-theme-cicada 1.20 (contributed by Team Rebellion) o plugins: os-theme-tukan 1.20 (contributed by Team Rebellion) o ports: ca_root_nss 3.46 o ports: ldns 1.7.1 o ports: pcre2 10.33 o ports: php 7.2.22 o ports: phpseclib 2.0.21 o ports: unbound 1.9.3
19.7.3 - 28 Aug 2019 13:59 - minor bugfix: Here is the full list of changes: o system: try all backups for automatic revert when config.xml is damaged o system: do a system reset if all config.xml files are damaged o system: only show tunables reboot hint when applying tunables (contributed by Northguy) o system: use FQDN in system log remote messages o system: add defunct gateways to GUI in disabled state o interfaces: only allow VLAN parents that will work as VLAN parents o interfaces: optionally promote/demote CARP on service status o interfaces: CARP status page report with demotion level to avoid ambiguity o firewall: revert problematic 19.7.2 change "unhide automatic interface-based output rules" o firewall: restore automatic outbound NAT pre-19.7 behaviour which excludes gateways not configured and not dynamic o firewall: add logging toggle to rules overview (contributed by johnaheadley) o firewall: DHCPv6 relay would generate rules even if not enabled o firmware: only do single-repository fingerprint verify defaulting to our OPNsense repository o firmware: fix base and kernel package listing o intrusion detection: show change message after toggle or save o intrusion detection: rule download fix o monit: add parent devices to interface list (contributed by Frank Brendel) o monit: fix standard configuration migration (contributed by Frank Brendel) o reporting: skip illegal NetFlow records in flow parser o opendns: migrate update hook from DynDNS plugin to core to make it fully automatic o backend: fix exception message string handling in Python 3 o backend: add help to pluginctl utility o backend: configctl event handler support o mvc: log API key when authentication failed o ui: more consistent HTML (contributed by gisforgirard) o ui: sidebar bug fix (contributed by Team Rebellion) o ui: fix initFormAdvancedUI() on initial load o plugins: os-acme-client 1.25 o plugins: os-bind 1.7 o plugins: os-dyndns 1.17 removes OpenDNS and fixes DyNS o plugins: os-haproxy 2.18 o plugins: os-maltrail 1.1
19.7.2 - 05 Aug 2019 15:03 - minor bugfix: Here are the full patch notes: o system: missing "" in legacy output via Syslog-ng o system: fix writing gateway information for DNS servers o system: allow gateway to work in DHCPv6 WAN when no router solicitation is available o firewall: unhide automatic interface-based output rules o firewall: unhide automatic non-interface-based floating rules o firewall: lift length restriction in NAT rule description o firewall: avoid newlines in rule descriptions o firewall: only show usable addresses in NAT outbound rules o interfaces: fix extended CARP output when parsing interface information o interfaces: add more outputs to overview page to increase usefulness o interfaces: use shared DHCP lease reader for ARP list o captive portal: fix binary read issue in Python 3 o dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe) o firmware: handle file signature verify correctly with multiple fingerprint repositories o firmware: Aivian mirror is no longer active o firmware: Cloudfence mirror in Brazil added o plugins: os-acme-client 1.24 o plugins: os-bind 1.6 (contributed by crazy-max) o plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max) o plugins: os-grid_example 1.0 o plugins: os-helloworld Python 3 compatibility o plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz) o plugins: os-sunnyvalley 1.0 o src: fix panic from Intel CPU vulnerability mitigation o src: fix multiple telnet client vulnerabilities o src: fix pts write-after-free o src: fix kernel memory disclosure in freebsd32_ioctl o src: fix reference count overflow in mqueuefs o src: fix bhyve out-of-bounds read in XHCI device o src: fix file descriptor reference count leak o ports: libevent 2.1.11
19.7.1 - 25 Jul 2019 14:36 - minor bugfix: Here are the full patch notes: o system: do not create automatic copies of existing gateways o system: do not translate empty tunables descriptions o system: remove unwanted form action tags o system: do not include Syslog-ng in rc.freebsd handler o system: fix manual system log stop/start/restart o system: scoped IPv6 " " could confuse mwexecf(), use plain mwexec() instead o system: allow curl-based downloads to use both trusted and local authorities o system: fix group privilege print and correctly redirect after edit o system: use cached address list in referrer check o system: fix Syslog-ng search stats o firewall: HTML-escape dynamic entries to display aliases o firewall: display correct IP version in automatic rules o firewall: fix a warning while reading empty outbound rules configuration o firewall: skip illegal log lines in live log o interfaces: performance improvements for configurations with hundreds of interfaces o reporting: performance improvements for Python 3 NetFlow aggregator rewrite o dhcp: move advanced router advertisement options to correct config section o ipsec: replace global array access with function to ensure side-effect free boot o ipsec: change DPD action on start to "dpdaction = restart" o ipsec: remove already default "dpdaction = none" if not set o ipsec: use interface IP address in local ID when doing NAT before IPsec o web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen o plugins: os-acme-client 1.24 o plugins: os-bind 1.6 o plugins: os-dnscrypt-proxy 1.5 o plugins: os-frr now restricts characters BGP prefix-list and route-maps o plugins: os-google-cloud-sdk 1.0 o ports: curl 7.65.3 o ports: monit 5.26.0 o ports: openssh 8.0p1 o ports: php 7.2.20 o ports: python 3.7.4 o ports: sqlite 3.29.0 o ports: squid 4.8
19.7 - 23 Jul 2019 05:20 - major feature: These are the most prominent changes since version 19.1: o List automatic firewall rules o Statistics for all firewall rules o Alias JSON import / export o Optional statistics for aliases o Firewall rule locator for live log and automatic rules o Rewritten gateway handling and switching o Remote logging via Syslog-ng o LDAP group sync support o Support certificate signing requests o Route-based IPsec support (VTI) o XMLRPC sync support for alias, VHID, widgets o Unbound host overrides alias support o Web proxy and IPsec authentication using PAM o Parent web proxy support o Web proxy login privilege via group o Improved reliability and utility of opnsense-patch o Dpinger and DHCP servers ported to plugin framework o Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese o Spanish as a new language o Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin o Netmap update for VirtIO, VLAN child and vmxnet support o Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4
19.1.10 - 05 Jul 2019 08:36 - minor bugfix: Here are the full patch notes: o system: change certificate manager actions to POST o system: fix account removal with missing "-g" option o system: add dashboard widgets to XMLRPC sync o firewall: fix live log rule label mismatch caused by optimisation o firewall: fix alias import with alias references included o firewall: change default sorting of aliases to names o firmware: add homelab.no mirror (contributed by Thomas Jensen) o intrusion detection: when toggling rules keep the current action o intrusion detection: suppress mystery PHP 7.2+ warning in API o intrusion detection: show SID in alert view o web proxy: add cache reset button o web proxy: correct syslog export o plugins: os-dyndns 1.6 DigitalOcean support (contributed by Dune Heishman) o plugins: os-etpro-telemetry Python 3 support o plugins: os-frr 1.11 o plugins: os-nginx 1.14 o plugins: os-rspamd 1.7 o plugins: os-tinc Python 3 support o ports: ca_root_nss 3.44.1 o ports: curl 7.65.1 o ports: libevent 2.1.10 o ports: libxml 2.9.9 o ports: libressl 2.9.2 o ports: phalcon 3.4.4 o ports: strongswan 5.8.0 o ports: unbound 1.9.2
19.1.9 - 11 Jun 2019 08:13 - minor bugfix: Here are the full patch notes: o system: add LDAP group synchronisation feature o system: allow an arbitrary group for sudo like ssh login o system: stop using a lock around resolv.conf handling o system: rename a number of service-related functions o system: login not using cache-safe image yet o system: add pluginctl -s support o system: restyle config backup page o system: fix log split view regression of 19.1.8 o interfaces: remove DHCPv6 on delete and clear config on IPsec assignment o interfaces: small VIP restructure and IPv6 alias to IPv6 device o interfaces: subtle changes in IPv6 and variable naming o interfaces: add missing does_interface_exist() checks o firewall: support multiple interfaces per NAT port forward rule o captive portal: use "onestop" to stop service o intrusion detection: missing header ID in alerts tab o ipsec: remove remnants of gateway group interface selection o ipsec: use indirect plugin calls in interface code o openvpn: add live-search to longer lists in server page o openvpn: support --cryptoapicert export (sponsored by m.a.x it) o openvpn: correctly check for translation in get_carp_interface_status() o openvpn: use waitforpid() to properly wait for instances to come up o openvpn: translate GUI error values when returning them o openvpn: revamp status page o unbound: leases watcher file rotation issue o web proxy: squid log in readable date format (contributed by nhirokinet) o web proxy: fix non-local authentication regression of 19.1.7 o plugins: os-bind 1.5 o plugins: os-clamav 1.7 o plugins: os-dnscrypt-proxy 1.4 o plugins: os-dyndns cloudflare wildcard domain support o plugins: os-nginx 1.13 o plugins: os-openconnect 1.4.0 o plugins: os-redis 1.1 o plugins: os-rspamd 1.6 o plugins: os-theme-cicada 1.18 (contributed by Team Rebellion) o plugins: os-theme-tukan 1.18 (contributed by Team Rebellion) o ports: curl 7.65.0 o ports: lighttpd 1.4.54 o ports: python 3.7.3 o ports: openssl 1.0.2s o por
19.1.8 - 22 May 2019 08:29 - minor bugfix: Here are the full patch notes: o system: address CVE-2019-11816 privilege escalation bugs (reported by Arnaud Cordier) o system: /etc/hosts generation without interface_has_gateway() o system: show correct timestamp in config restore save message (contributed by nhirokinet) o system: list the commands for the pluginctl utility when no argument is given o system: introduce and use userIsAdmin() helper function instead of checking for 'page-all' privilege directly o system: use absolute path in widget ACLs (reported by Netgate) o system: RRD-related cleanups for less code exposure o interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion) o interfaces: replace legacy_getall_interface_addresses() usage o firewall: fix port validation in aliases with leading / trailing spaces o firewall: fix outbound NAT translation display in overview page o firewall: prevent CARP outgoing packets from using the configured gateway o firewall: use CARP net.inet.carp.demotion to control current demotion in status page o firewall: stop live log poller on error result o dhcpd: change rule priority to 1 to avoid bogon clash o dnsmasq: only admins may edit custom options field o firmware: use insecure mode for base and kernel sets when package fingerprints are disabled o firmware: add optional device support for base and kernel sets o firmware: add Hostcentral mirror (HTTP, Melbourne, Australia) o ipsec: always reset rightallowany to default when writing configuration o lang: say "hola" to Spanish as the newest available GUI language o lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese o network time: only admins may edit custom options field o openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure o openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette) o openvpn: remove custom options field from wizard o unbound: only admins may ed
19.1.7 - 02 May 2019 13:37 - minor bugfix: Here are the full patch notes: o system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services) o system: support for syncing alias and VHID to the slave o system: cleanly rewrite CA root files and add local trusted CAs as well o system: disable backup cron job when no backup is enabled o system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri) o system: migrate health graph scripts to Python 3.6 o interfaces: properly add and remove IPv6 trackers after interface apply o interfaces: validate prefix ID of IPv6 trackers so that each ID is unique o interfaces: display "0x" in prefix ID field so that it is clear that value is in hex o interfaces: fix passing VLAN name in interface_virtual_create() o interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters o interfaces: allow link-local address on bridges via optional setting o interfaces: PPP-related code cleanups o firewall: prevent double-escaping of text in rules page o firewall: handle IDNA encode failures in aliases o firewall: alias import / export option o captive portal: update to bootstrap 3.4.1 o captive portal: fix a race in directory creation and listClients() o dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner) o dhcp: merge static mac addresses with leases o dhcp: prevent double-escaping of text in leases page o firmware: add private log file for major upgrade package install step o firmware: use a safer major upgrade package install mode o firmware: retain /etc/motd on base updates o ipsec: implemented wildcard includes (contributed by Mark Plomer) o ipsec: only apply mobile PFS to mobile phase 2 o ipsec: restyle mobile settings a little o ipsec: switch XAuth to PAM o ipsec: partial fix for static routes on routed tunnels during boot o network time: reload RRD since NTP has a setting for it o web proxy: fix PAC weekday match labels
19.1.6 - 12 Apr 2019 14:46 - minor bugfix: Here are the full patch notes: o system: let dashboard only accept its own POST requests o system: remove obsolete symlink to opnsense-auth o system: skip PHP E_WARNING log level until 19.7 o system: numerous PHP 7.2 warning fixes o dhcp: DHCPD server check in relay only if interface is active o dnsmasq: skip empty custom options o intrusion prevention: do not drop flowbits:noalert rules o unbound: add ACL entries for OpenVPN by default o mvc: controller cleanups in firewall shaper, web proxy and captive portal o plugins: numerous PHP 7.2 warning fixes o plugins: os-freeradius 1.9.2 fixes LDAP group filter and EAP certificates write (contributed by Alexander Harm) o plugins: os-nginx 1.11 o ports: php 7.2.17 o ports: py-certifi 2019.3.9
19.1.5 - 08 Apr 2019 05:36 - minor bugfix: These are the full patch notes: o system: improve gateway status return when monitoring is off o system: warn user about future deprecation of "user-config-readonly" privilege o system: support certificate signing requests (contributed by nhirokinet) o system: syslog does not need to do a background startup since it backgrounds itself o system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz) o system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri) o interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys) o interfaces: take all unknown arguments as real interfaces in interfaces_addresses() o interfaces: optionally allow interfaces_addresses() to emit subnets instead of addresses o interfaces: move mpd.script to new location (may require interface reconfigure) o firewall: proper locking of aliases before config action on delete o firewall: correctly set outbound NAT destination as network o firewall: add support for DSCP in shaper (contributed by Michael Muenz) o firewall: add support for IDN in aliases (contributed by Smart-Soft) o captive portal: allow access to this host (contributed by Fredrik Ronnvall) o firmware: fix parsing of packages in multi-repo env and revoked fingerprint message o firmware: add University of Kent to the firmware mirrors o ipsec: only use explicit reqid when using route-based interfaces o ipsec: correctly set install policy option on newly created phase 1 entries o ipsec: improve split DNS and INTERNAL_DNS_DOMAIN configuration o ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin) o ipsec: properly quote UNITY_BANNER for multi-line support o ipsec: support for dynamic remote gateways o monit: add migration/validation for service/test type dependency (contributed by Frank Brendel) o monit: added missing "not on" label o openvpn: support static-challenge formatted password o openvpn: properly load custom config field in exporter o openvpn:
19.1.4 - 12 Mar 2019 11:44 - minor bugfix: Here are the full patch notes: o system: remove erroneously translated hostname example (contributed by nhirokinet) o firewall: fix validation regression in outbound NAT introduced in 19.1.3 o firewall: mock labels for NAT rules in live log as pf does not offer label support o interfaces: do not background LAGG ifconfig destroy o installer: revert to use network connection to allow CTRL+C and resume o ipsec: added Virtual Tunnel Interface (VTI) support o unbound: fix nested statistics items read o mvc: remove old Phalcon volt template workarounds from when scopes were broken o mvc: fix bug in model relation field values merge o plugins: os-zabbix4-proxy PSK directory fix (contributed by Michael Muenz) o plugins: os-telegraf missed invoke of setup.sh o plugins: os-frr adds validator to OSPF prefix lists (contributed by Michael Muenz) o plugins: os-dmidecode 1.1 fixes data parsing (contributed by Smart-Soft) o plugins: os-nginx 1.9 o src: do not pass pf(4) IPv6 fragments with malformed extension headers (reported by Synacktiv) o src: revert upstream commit "protect the kernel text, data, and BSS" to fix certain UEFI boots o ports: monit 5.25.3 o ports: ntp 4.2.8p13 o ports: php 7.1.27 o ports: suricata 4.1.3
19.1.3 - 08 Mar 2019 10:01 - minor bugfix: Here are the full patch notes: o system: improve LDAPS mode and related authentication cleanups o system: move enable checkbox to the top in remote logging settings o system: allow reset of tunables to factory defaults o system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1) o firewall: allow explicitly setting source hash key in outbound NAT (Fredrik Ronnvall) o interfaces: probe media before applying new settings o interfaces: correctly compare MAC addresses o dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner) o firmware: move duty to return the correct set name / ID to opnsense-version o firmware: finally revoke 18.7 fingerprint o intrusion detection: minor template cleanups using helpers.empty() o ipsec: peer identifier can now fall back to remote-gateway in manual SPD entries o ipsec: allow easier override of colours in widget (contributed by Fabian Franz) o monit: add validation for test type (contributed by Frank Brendel) o openvpn: add auth-nocache option in exporter o openvpn: validate certificate type for servers o unbound: add host overrides alias support o web proxy: add auth to parent proxy (contributed by Michael Muenz) o backend: add helpers.empty() in configd o mvc: simplify save / close / cancel button labels o mvc: add sorting for field list types o rc: move all template generation to early stage o ui: improve escaping of displayed data in static pages o ui: escape button values in static pages o ui: avoid short PHP tags o plugins: os-dnscrypt-proxy 1.3 o plugins: os-frr brings in missing area range code o plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz) o plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion) o plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion) o plugins: os-vnstat /var MFS fix o plugins: os-zabbix4-proxy 1.0 (contributed by Michael Muenz) o ports: openssl 1.
19.1.2 - 07 Mar 2019 06:29 - minor bugfix: Here are the full patch notes: o system: move session files into their own directory (forces the current sessions to expire) o system: add validation check for time period for Dpinger (contributed by Team Rebellion) o system: hide "show certificate info" button of pending CSR (contributed by nhirokinet) o system: move opnsense-auth to libexec, but keep a symlink in sbin directory o system: escaping issue in gateway edit page o system: fix ACL for halt and reboot pages o firewall: fix alias entry replacement in utility page o firewall: prevent new alias creation when adding an address o firewall: capture "nat" traffic like we do for "rdr" in live log o firewall: escaping issues in schedule edit page o interfaces: push dhclient and dhcp6c log messages to system log o interfaces: write all nameservers via dhclient-script in multi WAN scenarios o interfaces: check for valid alias IP in dhclient-script o interfaces: 6RD interface naming back to 18.7 to sidestep character limits on stacked setups o interfaces: avoid reading empty interface configurations o firmware: bootstrap rework for HTTPS repository URL o firmware: patch cache and assorted improvements o firmware: minor update utility cleanups o firmware: remove compatibility stubs for pre-19.1 version reads o firmware: show revoked package mirror error in GUI if applicable o firmware: bump RageNetwork mirror to HTTPS o firmware: be more careful about parsing version info o dhcp: fix behaviour of determining primary/secondary (contributed by Fredrik Ronnvall) o intrusion detection: set stream.inline: true as an IPS workaround for a Suricata 4.1 regression o intrusion detection: support required rules/files in metadata package o intrusion detection: less extensive logging o ipsec: fix escaping issue in mobile page o monit: fix address validation o openvpn: obey verify-x509-name for remote access (user auth) o openvpn: proper daemonize instead of background job o openvpn: extract full CA chain for setup o openvpn: m
19.1.1 - 06 Feb 2019 07:21 - minor bugfix: Here are the full patch notes: o system: address XSS-prone escaping issues o firewall: add port range validation to shaper inputs o firewall: drop description validation constraints o interfaces: DHCP override MTU option (contributed by Team Rebellion) o interfaces: properly configure SIM PIN on custom modems o reporting: prevent cleanup from deleting current data when future data exists o ipsec: allow same local subnet if used in different phase 1 (contributed by Max Weller) o openvpn: multiple client export fixes o web proxy: add ESD files to Windows cache option (contributed by R-Adrian) o plugins: os-acme-client 1.20 o plugins: os-dyndns fix for themed colours (contributed by Team Rebellion) o plugins: os-etpro-telemetry 1.1 adds random delay to telemetry data send o plugins: os-nginx 1.7 o plugins: os-rspamd reads DKIM keys via Redis (contributed by Garrod Alwood) o plugins: os-theme-cicada 1.14 (contributed by Team Rebellion) o plugins: os-theme-tukan 1.13 (contributed by Team Rebellion) o ports: ca_root_nss 3.42.1 o ports: lighttpd 1.4.53 o ports: py-request 2.21.0
19.1 - 04 Feb 2019 09:45 - major feature: These are the most prominent changes since version 18.7: o fully functional firewall alias API o PIE firewall shaper support o firewall NAT rule logging support o 2FA via LDAP-TOTP combination o WPAD / PAC and parent proxy support in the web proxy o P12 certificate export with custom passwords o Dpinger is now the default gateway monitor o ET Pro Telemetry edition plugin o extended IPv6 DUID support o Dnsmasq DNSSEC support o OpenVPN client export API o Realtek NIC driver version 1.95 o HardenedBSD 11.2, LibreSSL 2.7 o Unbound 1.8, Suricata 4.1 o Phalcon 3.4, Perl 5.28 o firmware health check extended to cover all OS files, HTTPS mirror default o updates are browser cache-safe regarding CSS and JavaScript assets o collapsible side bar menu in the default theme o language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian o API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat and Dnscrypt-proxy plugins
18.7.10 08 Jan 2019 08:27 minor feature: Here are the full patch notes:
o system: P12 certificate export now allows to specify a password
o system: allow plain IPv6 for LDAP and RADIUS host
o system: properly sort columns with size units in activity page
o system: remove references to "automatic" in HA help texts
o system: add option to only show temperature of one core in widget
o system: speed up isArraySequential()
o system: introduce configdp_run() variant
o system: assorted code cleanups
o interfaces: only show name servers offered by individual link in status page
o interfaces: DUID-LL generator fix (contributed by Team Rebellion)
o interfaces: show disabled and virtual interfaces in groups
o interfaces: change wireless page interface iterators
o interfaces: change LAGG page interface iterators
o interfaces: remove unused get_dns_servers()
o interfaces: assorted code cleanups
o firewall: fix an exception error in alias config read
o firewall: fix typo in outbound NAT destination help text
o firewall: rename "Localhost" to "Loopback" for clarity in virtual IP pages
o firewall: unify anti-lockout behaviour to match rules and GUI display
o firewall: switch to tokenizer for shaper source and destination fields
o firewall: fix alias utility issue when adding into empty alias
o firewall: correct alias name limit to 31 characters
o firewall: bring back auto-complete for nested aliases
o firewall: NAT rules on reflection for port forwards only when address exists on interface
o firewall: lower bogon download retry attempts to 3
o firewall: schedule JS code update
o captive portal: add setting to always send accounting requests
o captive portal: assorted code cleanups
o dhcp: DHCPv6 leases not always correctly displayed (contributed by Team Rebellion)
o dhcp: override IPv6 PD range fix (contributed by Team Rebellion)
o dhcp: switch subnet verification to new network interface retrieval
o firmware: individual error messages during base and kernel installation
o firmware: obsolete set usage has been removed, e
18.7.9 13 Dec 2018 07:45 minor feature: Here are the full patch notes:
o system: allow setting alternative names on CSR
o system: add link-local routes with correct scope
o system: fix LDAP import button for Firefox
o system: assorted cleanups in HTML and PHP code
o interfaces: add note about CGN addresses included in private range
o interfaces: fix checksum disable for IPv6 TX / RX flags
o interfaces: multiple type DUID support (contributed by Team Rebellion)
o interfaces: properly read and write dhcp6c DUID binary file
o interfaces: do not read VLAN capabilities from nonexistent interfaces
o interfaces: removal of PEAR.inc from IPv6 address library
o interfaces: assorted cleanups in HTML and PHP code
o firewall: only suffix subnet alias entry when a network is expected
o firewall: default alias protocol to both IPv4 and IPv6
o firewall: fix validation of outbound NAT destination alias
o firewall: fix performance regression in get_alias_description()
o firewall: repair defunct "no nat proto carp all" rule
o firewall: limit type to CARP when checking for VIP VHID reuse
o firewall: refactor subnet retrieval in VIP deletion
o firewall: display VHID for IP alias in overview
o firewall: DHCPv6 outgoing firewall rule changed to "from (self)" to fix static setups
o firewall: rearranged outbound NAT bottom symbol hints (contributed by Team Rebellion)
o firewall: ignore empty values in alias migration (contributed by Frank Wall)
o firewall: assorted cleanups in HTML and PHP code
o captive portal: work around service boot ordering issue
o captive portal: change "onestop" to "stop" in backend action
o dnsmasq: add DNSSEC option
o dnsmasq: assorted cleanups in HTML and PHP code
o dhcp: show lease count in page heading
o dhcp: refactor IPv6 subnet read
o dhcp: fix DDNS IPv6 algorithm use
o dhcp: assorted cleanups in HTML and PHP code
o firmware: opnsense-version can now handle kernel, base and plugin metadata
o firmware: when pkg needs to be updated do not prompt for base and kernel set
o firmware: use embedded obso
18.7.8 23 Nov 2018 06:17 minor feature: Here are the full patch notes:
o system: show the actual validation messages for NextCloud backup constraints
o system: LDAP import button primary colour and prevent default page submit
o system: add LDAP+TOTP authentication variant (2FA)
o system: avoid silent fatal error when LDAP OUs could not be retrieved
o system: avoid duplicated cookies on login page by not closing session
o system: allow to fully disable misc. reboot failsafe backups
o system: switch default argument for return_gateways_status()
o system: add "Synchronize config to backup" button to HA status page
o system: disable help text expand when backup fields have no help text
o system: sort user and group lists alphabetically
o interfaces: add CARP info to legacy_interfaces_details()
o interfaces: removal of find_interface_subnet() and find_interface_subnetv6()
o interfaces: introduce find_interface_network() and find_interface_networkv6()
o interfaces: refactor find_interface_ip() and find_interface_ipv6()
o interfaces: fix and use ipaddr6_ll return value in find_interface_ipv6_ll()
o firewall: extend outbound NAT address source and destination with networks
o firewall: fix save error when alias name contains an underscore
o firewall: do not set days or hours when update frequency is empty
o firewall: increase resolve() performance for aliases
o firmware: change packaging to be able to place files in the root directory
o reporting: fix possible division by zero in NetFlow aggregator
o dhcp: reorder arguments of function services_dhcpd_configure()
o dhcp: consolidate service probe of IPv6 and router advertisement daemons
o dhcp: fix clear hook on log file delete
o importer: make clear that /conf/config.xml is required for any import to take place
o monit: add quotes and timeout to custom program path (contributed by Frank Brendel)
o monit: add SSL options to mail server connection (contributed by Frank Brendel)
o network time: improve GPS status parsing
o openvpn: add remote address as route when s
18.7.7 08 Nov 2018 19:00 minor feature: Here are the full patch notes:
o system: CVE-2018-18958 prevent restore of configuration of read-only user (reported by brainrecursion)
o system: prevent related read-only user configuration manipulation for history and defaults pages
o system: prevent several creative ways to strip read-only privileges in the user and group manager
o system: allow wildcards in certificate subject alternative name
o system: avoid direct global access in routing setup
o system: do not offer root-only opnsense-shell to non-root users
o system: remove FreeBSD 10 password workaround
o interfaces: use pure jquery to avoid browser-specific behaviour
o interfaces: nonfunctional cleanups in backend and interface GUI configuration
o interfaces: clear the correct IPv6 state files on interface down
o interfaces: wait for PPPoE to fully exit on interface down
o firewall: fix port alias conversion under new API
o firewall: missing filter reload for port alias types
o firewall: missing "other" type in VIP network expand
o firewall: disabled alias should leave us with an empty one
o firewall: category for "United States" moves from Pacific to America
o firewall: resolve outbound NAT interface address in kernel
o dhcp: only map enabled interfaces in IPv4 leases
o dhcp: interface iteration code cleanups
o dhcp: do not hand out IPv6 system DNS servers when Unbound or Dnsmasq are used
o dhcp: IPv6 PD in manual DHCPv6 case (contributed by Team Rebellion)
o dhcp: correctly merge prefix for IPv6 static leases in manual DHCPv6 case (contributed by Raimar Sandner)
o firmware: add log file for package manager output
o monit: use theme override for widget CSS (contributed by Fabian Franz)
o ntp: internal cleanup of function argument order
o rc: improvements in service startup scripting
o rc: print date and time after successful boot
o unbound: disable redirect type until fixed
o web proxy: fix typo in description of upload caps (contributed by Juan Manuel Carrillo Moreno)
o shell: stop router adve
18.7.6 29 Oct 2018 08:20 minor feature: Here are the full patch notes:
o firewall: resolve interface address ":0" for port forwarding in kernel
o firewall: list action corrections (contributed by Thomas Bandixen)
o firewall: add support for the PIE shaper (contributed by Michael Muenz)
o firewall: migrate to new alias API including a new failsafe
o firewall: repair log widget for plugin themes
o interfaces: do not remove CARP addresses on link-down
o interfaces: get pfsync MTU from actual CARP interface
o interfaces: add backend call returning all interface data
o interfaces: partially rewrite ping, port and traceroute tools
o interfaces: improve IPv6 merging in make_ipv6_64_address()
o interfaces: use correct IPv6 interface where appropriate
o interfaces: replace get_configured_interface_list() usage
o interfaces: small refactoring around interface up and down code
o system: cleanups in utility and config functions
o captive portal: added connect action in API (contributed by zvs44)
o firmware: move build-time version information to core version file
o firmware: rename backend script "audit" to "security" for clarity
o ipsec: bring back service widget lost back in 2016
o monit: change status page to support easier CSS styling
o unbound: set up a full chroot including local log socket
o unbound: replace custom msort() function with standard function
o unbound: use correct IPv4 or IPv6 interface for address lookups
o webgui: use interfaces_addresses() for interface binding
o mvc: show an error message on failed model migrations
o mvc: refactor __items access via iterateItems()
o mvc: accept style keyword on all input types
o mvc: improved menu API endpoint integration
o plugins: os-bind adds 4 new blacklist providers (contributed by Michael Muenz)
o plugins: os-dyndns validates custom updates solely for URL input
o plugins: os-nginx 1.3 correctly sets upstream headers (contributed by Fabian Franz)
o plugins: os-theme-cicada 1.6 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.7 (contributed
18.7.5 19 Oct 2018 06:51 minor feature:
o system: add (de)select all option in LDAP importer
o firewall: keep previous content for URL alias on fetch error
o firewall: make schedule icon reflect current schedule state (contributed by framer99)
o firewall: toggle and migration fix for upcoming alias API
o firewall: round-robin limitation is for host alias outbound NAT only
o firewall: resolve network addresses in kernel for static routes bypass option
o firewall: do not clean up visible records when limit was not reached
o firewall: do not hardcode live log pass / block colours
o firewall: add live log direction icons
o firmware: shorten shaper name and assorted cleanups
o firmware: fix upgrade compatibility with FreeBSD 11.2
o firmware: use opnsense-version where appropriate
o firmware: correctly translate GUI buttons (contributed by Smart-Soft)
o dnsmasq: use more robust approach to interface binding
o ipsec: more secure phase 1 default settings (contributed by Michael Muenz)
o ipsec: support for multiple phase 1 DH groups and hashes
o openvpn: option to match CSO against common_name or login (contributed by Fabio Prina)
o unbound: fix usage of the remote control backend calls
o unbound: remove faulty "DHCP" label hint for IPv6 link-local registration option
o web proxy: several corrections for PAC template
o backend: fix CPU hogging when reading on already disconnected streams
o mvc: speed up parsing very large config files
o mvc: add single select constraint
o mvc: add UUID field to the result of addBase (contributed by CJ)
o ui: sidebar UX improvements (contributed by Team Rebellion)
o ui: use single guillemets for previous/next page
o plugins: os-acme-client /var MFS awareness
o plugins: os-cicada 1.5 (contributed by Team Rebellion)
o plugins: os-collectd 1.2 makes hostname override optional (contributed by Michael Muenz)
o plugins: os-dyndns 1.10 adds CloudFlare IPv6 support (contributed by Charles Ulrich)
o plugins: os-net-snmp 1.2 adds write access for users (contributed by Michael Muenz)
o plugin
18.7.4 28 Sep 2018 05:40 minor feature: Here are the full patch notes:
o system: correctly unset DNS override allow setting when saving
o system: remove unused / default arguments from get_possible_listen_ips()
o system: note that HA disable preempt requires reboot (contributed by Michael Muenz)
o interfaces: add static IPv6 correctly when on top of PPPoE (contributed by Team Rebellion)
o interfaces: lower MTU via tracked IPv6 interface MTU
o interfaces: 6RD IPv4 prefix override is now prefix-only
o firewall: also show scheduler info in shaper status (contributed by Michael Muenz)
o firmware: introduce opnsense-version utility and fully template build metadata
o firmware: annotate HTTP(S) status in mirrors in descriptions
o firmware: avoid base upgrade error when /proc is mounted
o monit: change mail format field for alerts to text area (contributed by Frank Brendel)
o openssh: further tweak new interface bind approach introduced in 18.7.3
o openvpn: change abbreviated column title to "Bytes Received" (contributed by Andy Binder)
o web proxy: support WPAD / PAC (contributed by Fabian Franz)
o ui: minified sidebar improvements (contributed by Team Rebellion)
o ui: introduce cache_safe() to invalidate browser cache after updates
o plugins: os-dyndns wildcard support for Namecheap
o plugins: os-ntopng 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.2 allows "@" in username (contributed by Michael Muenz)
o plugins: os-relayd 2.3 fixes stuck scheduler value (contributed by Frank Brendel)
o plugins: os-snmp compatibility fixes for version detection and listen interface core changes
o plugins: os-theme-cicada 1.4 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.6 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.3 (contributed by Team Rebellion)
o plugins: os-tor 1.7 allows to enable directory page (contributed by Fabian Franz)
o plugins: os-upnp compatibility fixes for version detection core changes
o src: fix out-of-bounds read vulnerability in libarchive
o src: update
18.7.3 19 Sep 2018 07:27 minor feature: Here are the full patch notes:
o system: gateways widget show/hide feature (contributed by Team Rebellion)
o system: select correct IPv6 default route when underlying IPv6 interface differs
o system: extended meta-matching for special characters in ACL patterns
o system: show last diff by default in configuration history page
o system: refactor password logic in user manager for clarity
o system: link-local listen IPv6 requires reading underlying IPv6 interface
o interfaces: avoid boot mismatch on several virtual plugin devices
o interfaces: list widget show/hide feature (contributed by Team Rebellion)
o interfaces: stats widget show/hide feature (contributed by Team Rebellion)
o interfaces: stop wireless software before bringing down the interfaces
o interfaces: fix selection issue for DHCPv6 PD "none" value
o interfaces: make "64" the page default for DHCPv6 PD
o interfaces: allow IPv4 address override in 6RD
o interfaces: fix 18.7.2 gateway read regression in 6RD
o interfaces: give each 6RD tracker a different IPv6 address
o dhcp: add DHCP Dynamic DNS key algorithm selection (contributed by Ingo Theiss)
o dhcp: correctly load DHCPv6 settings in manual tracking (contributed by Team Rebellion)
o dhcp: do not show lease actions if interface cannot be found
o dhcp: unhide DHCPv6 service when not using automatic PD
o dnsmasq: annotate that "all" is the recommended interface binding option
o importer: list all available ZFS pools (contributed by Smart-Soft)
o importer: do not try to unload ZFS on ZFS boot, sanely rejected anyway ;)
o importer: ZFS pools are now addressed as e.g. "zfs/zroot"
o importer: always loop until exit or successful import
o intrusion detection: source, destination, pass support in user rules (contributed by Michael Muenz)
o ipsec: change hash checkboxes in phase 2 to selectpicker
o openssh: change interface bind logic to only bind to currently available addresses
o openvpn: align status columns for client and P2P case (contributed by Andy Binde
18.7.2 07 Sep 2018 07:11 minor feature: Here are the full patch notes:
o system: select correct network interface in case of IPv6 gateway lookups
o system: tighten system wizard ACL and menu registration
o system: do not wrap first column of log viewer (contributed by Alexander Graf)
o firewall: return alias types to repair its outbound NAT rule edit
o firewall: hide NAT redirect target port when port is not applicable
o firewall: alias API is now live on the development version and will migrate your aliases to the new format
o interfaces: allow explicit MTU to reach the 6RD device
o interfaces: remove use of adv_dhcp6_prefix_interface_statement_sla_id (contributed by Team Rebellion)
o interfaces: fix for DHCPv6 not being restarted for tracked interfaces (contributed by Team Rebellion)
o interfaces: fix adding interfaces LAN bug of translated web GUI (contributed by Werner Fischer)
o interfaces: remove incorrect display of prefix ID in help text for tracking configuration
o interfaces: add groups to interface details output
o interfaces: remove unused code and other nonfunctional cleanups
o interfaces: use "x" in the list widget for no carrier
o interfaces: hide global IPv6 address in list widget if DHCPv6 is set to use only a prefix
o dhcp: remove unused inputs from static mapping page
o dhcp: treat EFI BC the same as EFI x86-64 (contributed by andi-makandra)
o ipsec: add automatic key exchange option
o openvpn: fix /32 host validation logic
o openvpn: clean up control sockets prior to startup
o openvpn: align user authentication to use common_name as username
o mvc: add iterateItems() method to base field type to simplify call flow
o mvc: fix configd asList helper (contributed by Fabian Franz)
o mvc: add configd XML attributes to template parser
o ui: allow version query to match on main.css probing
o ui: footer cleanups and static page repairs where boxing was not correct
o ui: no minified version for tokenize2
o ui: fix table headers in dialogs (contributed by Fabian Franz)
o plugins: os-bind 1.1 add
18.7.1 22 Aug 2018 08:28 minor feature: Here are the full patch notes:
o system: hide web server info from server tag
o system: fix group privileges edit menu hint
o system: add text area field to backup framework (contributed by Joao Vilaca)
o interfaces: use NIC preference for VLAN hardware filtering in default config
o interfaces: router advertisement and DHCPv6 configure fix (contributed by Team Rebellion)
o interfaces: fix PD when using DHCPv6 override on tracked interface
o firewall: toggle filter and NAT rules using checkboxes
o firewall: add state-policy if-bound option
o firewall: added logging for tracing internal rule generator
o firewall: fix ordering issue in port validation and disable
o firewall: fix disabled reject action icon display (contributed by framer99)
o captive portal: fix usage of vouchers and group with spaces in their names
o captive portal: hide web server info from server tag
o dnsmasq: fix listening behaviour on empty but set interface selection
o firmware: remove the 18.1 update fingerprint and pre-18.7 config file fallback
o firmware: do not show development version changelogs in releases
o intrusion detection: reworked rule selection
o ipsec: use selectpicker in mobile page
o ipsec: add Brainpool EC groups
o openvpn: do not remove client specific override files on disconnect
o openvpn: do not create v6 gateway if disabled
o shell: omit ":" from SSL fingerprint display
o unbound: fix menu access for overrides
o wizard: fix root password input
o backend: call shutdown before close in background daemon
o mvc: cause data from callback_ok to be passed through (contributed by Nicholas de Jong)
o mvc: minor glitch in getFormData(), we should ignore empty id fields
o mvc: do not offer internal interfaces in generic interface selector
o mvc: handle validations better by removing duplicate messages
o mvc: fix two glitches in new tokenize field handling
o mvc: add numeric field type
o rc: update php.ini include paths (contributed by Joao Vilaca)
o ui: fix spacing of containers in sta
18.7 01 Aug 2018 07:33 major feature: These are the most prominent changes since version 18.1:
o improved WAN DHCPv6 and SLAAC connectivity and tracking
o functional IPv6 Rapid Deployment (6RD) support
o improved default route handling and gateway switching
o OpenVPN default setup improvements for IPv6 and RADIUS attribute support
o Dpinger gateway monitoring integration
o password policies for local authentication and coupled TOTP
o Monit core integration to eventually replace the legacy notifications
o OpenSSH access via group and shell selection instead of privilege
o pluggable backup framework with new Nextcloud option
o system tunables are now also used as loader tunables
o unrestricted VLAN usage for e.g. Xen
o QinQ interface removal
o firmware GUI speedup, improved error parsing and console reboot hint
o ZFS on root boot support (installer support is pending, but opnsense-bootstrap works)
o ZFS and MSDOS config import support
o ISC DHCP version moves from 4.3 to 4.4
o RRDtool version moves from 1.2 to 1.7
o rework rc.syshook facility to use drop-in directories instead of suffixes
o backports of FreeBSD 11.2 Intel NIC drivers
o stand-alone frontend UI development tools
o language updates for Czech, French, German, Portuguese (Brazil)
o UI header security and SSL cipher hardening
o extensive UI cleanups and menu consolidation
o new and rewritten plugins: os-cache, os-lcdproc-sdeclcd, os-net-snmp, os-nut, os-openconnect, os-relayd 2.0, os-shadowsocks, os-theme-cicada, os-theme-rebellion, os-theme-tukan, os-wol 2.0
18.1.13 26 Jul 2018 14:40 minor feature: Here are the full patch notes:
o system: restart syslog when interface bind addresses may have changed
o system: remove unused action_disable setting in gateway monitoring
o firmware: new mirror Dataroute (Dusseldorf, DE)
o ntp: typo in SiRF selection
o openvpn: translate validated field names
o rc: unset rcvar before evaluation (contributed by Nicholas de Jong)
o installer: give basic tip that GUI IP can be set in console after install (contributed by stilez)
o plugins: os-theme-cicada 1.2 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.2 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.1 (contributed by Team Rebellion)
o ports: suricata 4.0.5
18.1.12 19 Jul 2018 05:50 minor feature: Here is the full list of changes:
o system: improve local account expire cron job to also flush passwords and SSH keys
o system: show fingerprint in certificate details (contributed by Robin Schneider)
o system: fix NextCloud file name format (contributed by Fabian Franz)
o system: allow remote backup via cron command
o interfaces: allow /0 to /32 in 6rd and align prefix length calculation with effective prefix used
o firewall: do not trigger rules scheduling if scheduled rule is disabled
o firewall: allow to select external aliases
o firewall: ignore namelookup when no nameservers are configured
o dashboard: remove tooltips from CPU widgets (contributed by Team Rebellion)
o dashboard: add date to large CPU widget data
o firmware: add Aalborg University mirror
o intrusion detection: add missing classification category
o ipsec: add mutual RSA and EAP-MSCHAPv2 support
o wizard: make clear that "admin password" means "root password"
o ui: when JQuery Bootgrid rowselect is enabled the click event is triggered twice
o mvc: switch from the default _GET '_url' to _SERVER 'REQUEST_URI' and let Phalcon handle the routing
o mvc: dynamic urls regardless if you have a trailing slash or not (contributed by Max Orelus)
o mvc: multiselect may allow empty option, no need to give blank item too
o mvc: add support for application specific field types
o ui: top level menu item link pivots and security improvements (contributed by Max Orelus)
o plugins: os-net-snmp 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.1 (contributed by Michael Muenz)
o plugins: os-web-proxy-sso UI fixes (contributed by Smart-Soft)
18.1.11 03 Jul 2018 08:29 minor feature: Here are the full patch notes:
o system: enforce full password policy check for local passwords including TOTP
o system: add RFC 7919 DH parameter files for upcoming 18.7 feature
o system: add 3072-bit RSA key length options to certificates (contributed by Justin Coffman)
o system: move auto-cron jobs to plugin files
o interfaces: refactor reload handling around interfaces_configure()
o interfaces: allow private addresses in 6RD
o interfaces: check existence of "status" (contributed by Tian Yunhao)
o reporting: add NetFlow/Insight database force repair function
o dhcp: update from ISC version 4.3 to 4.4
o importer: allow ZFS import for upcoming 18.7 ZFS installer feature
o importer: allow import from simple MSDOS USB drives
o intrusion detection: add app detect rules (contributed by Michael Muenz)
o rc: suppress message of service not enabled on NetFlow backup
o rc: use exec in /etc/rc and /etc/rc.shutdown hooks
o rc: rework rc.syshook facility to be driven by directories and not suffixes
o unbound: remove defunct unbound_statistics() function
o plugins: os-postfix 1.4 advanced force recipient check (contributed by Michael Muenz)
o plugins: service start corrections for accompanying rc.syshook changes
o src: incorrect TLB shootdown for Xen-based guests
o src: lazy FPU state restore information disclosure
o src: enable usage of locate(1) utility
o ports: isc-dhcp 4.4.1
o ports: php 7.1.19
o ports: unbound 1.7.3
18.1.10 26 Jun 2018 06:21 minor feature: Here are the full patch notes:
o system: provide default for user language
o system: do not allow spaces in group names
o system: dpinger gateway monitor option (contributed by Team Rebellion)
o system: prepare for upcoming DH parameter regeneration feature
o system: Nextcloud backup support (contributed by Fabian Franz)
o system: userid 0 has trouble with %s in redirects, use %d instead
o system: QR code quiet zone support
o system: add selectpicker style where previously missing
o firmware: allow both origin.conf and OPNsense.conf to be used for repository setup
o firmware: exclude password database files from base update as it breaks sudo
o interfaces: clean up reload structure for single interfaces
o interfaces: remove unused interface reload script
o interfaces: simplify semantics of link_interface_to_track6()
o interfaces: assorted cleanups in the code
o firewall: add enable flag to shaper rules
o firewall: improve parsing speed of firewall log
o firewall: fix wrong alias reference in outbound rules
o firewall: generate ipfw comments for debugging (contributed by Robin Schneider)
o firewall: move color settings from schedules to theme (contributed by Fabian Franz)
o intrusion detection: correct typo in CSS
o openvpn: raise default DH parameter to 2048 bit
o console: pass output of stop scripts to user during halt/reboot
o console: clarify that installer is for installing when SSH is off also
o rc: change NetFlow backup to only stop/start when needed
o rc: backup and restore via XML files again
o rc: slightly refactor halt/reboot/shutdown
o rc: break out config stop script
o rc: simplify configctl plumbing
o ui: add country flags for upcoming changes in GeoIP handling
o ui: trigger onChange event to support custom hooks in form post
o ui: change multi-select default from tokenizer to selectpicker
o ui: add support for custom separators in select items
o plugins: test for template scripts before executing them
o plugins: os-acme-client fixes password field
18.1.9 01 Jun 2018 14:29 minor feature: Here is the full list of changes:
o firewall: advanced option to reset states on IPv4 change
o interfaces: rename wancfg to lancfg in tracking code
o interfaces: further simplifications for dhclient usage
o reporting: add logging to database repair stage
o reporting: Insight click event issue
o system: use uppercase gateway names for compatibility
o system: gateway alert script always returns true
o system: align static ACL check with MVC variant
o system: pluggable backup support
o system: configurable user landing pages
o system: safety belt for password policy check
o wizard: add missing element IDs to fix scripting issues
o firmware: parse and return to be removed packages for update summary
o firmware: release type change properly updates the repository and summary
o firmware: extended settings can now be registered via XML files
o firmware: return repository errors in greater detail (4 new error types)
o firmware: make returned backend JSON a bit more human-readable
o firmware: fix leak of base/kernel update info on package manager updates
o firmware: refactor package manager update summary parsing for speed
o firmware: add and use API for major upgrades
o dhcp: fix unwanted name-server write in v6
o dhcp: ldap-server does not exist in v6
o intrusion detection: update classification.config
o intrusion detection: optional fast log to syslog
o ipsec: set ignore_acquire_ts to allow ASA compatibility
o ipsec: add ike_name to syslog output
o openvpn: improve validation between TCP, TCP4, TCP6, UDP, UDP4 and UDP6
o console: manual pages for opnsense-importer and opnsense-installer
o console: let opnsense-installer set up an early runtime environment
o console: show firmware reboot hint prior to update when applicable
o console: longer timeout for opnsense-importer invoke on first boot
o console: proper return values for opnsense-importer in edge cases
o mvc: support multiple directories for detached UI development
o mvc: add AddressFamily option to NetworkField
18.1.8 22 May 2018 07:24 minor feature: Here are the full patch notes:
o system: improve VLAN console assignment handling
o system: move backup crypto code to the only page using it
o system: improve validation for web GUI related settings
o system: split off monitor reload for upcoming dpinger integration
o system: default route handler skips an already active default route
o system: default route handler purges hint files only when switching to a newer route
o system: default gateway switching uses the standard default route handler
o system: properly add LDAP picker to ACL
o system: properly unset password expired message after password change
o interfaces: clear up use IPv4 connectivity and fix several typos
o interfaces: parse and report tunnel data
o interfaces: move dhclient-script to proper location
o interfaces: allow SLAAC to latch on to IPv4 link
o reporting: add destination address in Insight detail search
o dhcp: fix labels of services to align with menu
o dhcp: domain-search-list usage was removed in 2012
o ipsec: rewrite resolve_retry() for its only use case
o ipsec: improve RADIUS secret escaping (contributed by Rafael Cano)
o ipsec: fix missing disable of DH group setting
o router advertisements: correctly merge DNS server arrays
o router advertisements: fix DNSSL settings
o router advertisements: fix duplicated subnet statements
o openssh: also use static interface IP addresses to listen on explicitly
o unbound: allow wildcard host entry (contributed by Eugen Mayer)
o webgui: also use static interface IP addresses to listen on explicitly
o backend: improve escaping of passed parameters
o ui: correct height of the login title bar
o ui: unify the label printing of interfaces
o ui: refactor script match for help messages
o rc: ZFS boot awareness
o plugins: os-cache 1.0 is an optional web server cache for the GUI/API
o plugins: os-debug 1.3 now holds its own PHP settings
o plugins: os-nut 1.0 (contributed by Michael Muenz)
o plugins: os-snmp 1.3 improves handling of interface binding
o plugi
18.1.7 04 May 2018 05:48 minor feature: Here are the full patch notes:
o system: validate pfsync peer as IPv4-only
o system: flip order of arguments for system_routing_configure()
o system: convert cron to mutable model controller
o system: convert routing to mutable model controller
o system: log table header cleanup
o system: more aggressive factory reset and shut down after completion
o system: remove duplicate addresses before binding web GUI and OpenSSH
o system: fix Framed-Route parsing for RADIUS authentication
o system: properly translate save message on user language change
o interfaces: PPPoE link down script improvements
o interfaces: emit prefix-interface for trackers in advanced DHCPv6 configurations
o interfaces: DHCPv6 configuration creation breakout (contributed by Team Rebellion)
o interfaces: SIGHUP reload for dhcp6c (contributed by Team Rebellion)
o interfaces: wait for dhcp6c to be stopped by pending apply
o interfaces: only reconfigure VLAN interface after edit when necessary
o interfaces: create IPv4 and IPv6 tunnel gateways for GIF/GRE when the setup allows it
o interfaces: remove unused flush argument from various functions
o interfaces: fixed creation of GIF/GRE tunnel with an outer IPv6 remote address (contributed by Christoph Engelbert)
o interfaces: fixed router advertisement setup of former static but now tracking interface (contributed by Christoph Engelbert)
o interfaces: remove obsolete address requirement for CARP VIPs
o interfaces: back out get_dyndns_ip() IPv6 online detection and properly propagate a lookup error
o interfaces: no more spurious redirection for dhclient invoke
o firewall: remove a side effect from filter_delete_states_for_down_gateways()
o firewall: adjust maximum table entries for error-free bogonsv6 usage
o firewall: add buckets option to traffic shaper
o firewall: update help text for port ranges (contributed by Michael Muenz)
o power: power off modal to indicate that the GUI is no longer responsive
o captive portal: add traffic data and IP address
18.1.6 10 Apr 2018 07:14 minor feature: Here are the full patch notes:
o system: reverse reload order for gateway switching on OpenVPN
o system: implement password policies for local accounts
o system: separate web GUI and configd log files
o system: add syslog and login service visibility
o system: show root as disabled in user manager if disabled
o interfaces: no longer restrict VLAN driver capability
o firewall: switch back to old NAT auto-outbound behaviour
o firewall: reload schedules 1 minute later
o firewall: filter descriptions option no longer exists
o firewall: updated anti-lockout link (contributed by Michael Muenz)
o firewall: fix help text in shaper masks (contributed by Michael Muenz)
o firewall: add delay option to pipe in shaper (contributed by Michael Muenz)
o reporting: add insight aggregator to service list
o dashboard: large CPU usage widget (contributed by Team Rebellion)
o dhcp: fix display of DUID in IPv6 leases
o firmware: let opnsense-patch apply chmod even in partially failed patches
o firmware: let opnsense-code fetch all remotes as well as prune them
o intrusion detection: provide custom.yaml for user edits
o web proxy: fix pid file pointer for service status probe
o ui: help data-for attribute (contributed by NOYB)
o ui: reversed zebra redraw on static page mobile forms
o ui: cleanup for unused classes in static pages
o mvc: add constraint type for dependent fields
o plugins: merge rc.plugins_configure code into pluginctl
o plugins: os-c-icap 1.5_1 service controller fix (contributed by Fabian Franz)
o plugins: os-frr 1.3 adds BGP for IPv6 (contributed by Michael Muenz)
o plugins: os-lcdproc-sdeclcd 1.0 release adds LCD usage to Lanner/Watchguard Firebox
o plugins: os-monit 1.7 fixes compatibility with UI rework
o plugins: os-rspamd 1.2 allows specifying bad file extensions (contributed by Fabian Franz and Michael Muenz)
o plugins: os-shadowsocks 1.0 release (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.0 release (contributed by Team Rebellion)
o plugins:

18.1.5 22 Mar 2018 07:05 minor feature: Here are the full patch notes:
o system: optional prefix Google Drive backups with host and domain name
o system: also render tunables in loader.conf to obsolete loader.conf.local editing
o interfaces: allow /127, /128 and /32 static IP address configurations everywhere
o interfaces: improve logging and assorted cleanups (contributed by Team Rebellion)
o interfaces: ignore dynamic linkup events for unassigned interfaces
o interfaces: hide previously assigned interfaces from bridges
o interfaces: allow all IPv6 prefixes from 48 to 64 for DHCPv6 mode
o firewall: add VIP gateway option for PPPoE interfaces
o firewall: add update interval option to log widget (contributed by NOYB)
o firewall: respect mask in traffic shaper queue config (contributed by Michael Muenz)
o firmware: fix opnsense-code for src.git and ABI probing
o firmware: fix opnsense-patch file permission apply for plugins
o intrusion detection: support request headers in ruleset metadata
o openvpn: switch status to version 3 to avoid wrong parsing of commas
o openvpn: parse all states to retrieve all relevant connection status info
o captive portal: exclude "I" from simplified voucher character set for clarity
o plugins: os-lldpd 1.1 adds interface selection (contributed by Michael Muenz)
o plugins: os-monit 1.6 fixes file path validation (contributed by Frank Brendel)
o plugins: os-postfix 1.1 adds smart host and SMTP authentication (contributed by Michael Muenz)
o plugins: os-tinc 1.3 corrects host port usage (contributed by DasTestament)
o plugins: os-tor 1.6 adds IPv6 and exit settings (contributed by Gijs Peskens)
o ui: update tokenizer to 2.6, visual tweaks and blur-add
o ui: buttons for services control in MVC (contributed by Smart-Soft)
o src: reinitialize IP header length after checksum calculation
o src: fix IPsec validation and use-after-free
o src: update timezone database information
o src: update file(1) to new version with security update
o src: add mitigations for two classes

18.1.4 12 Mar 2018 07:20 minor feature: Here are the full patch notes:
o system: improved default route handling
o system: improved gateway switching
o system: cleanse username on LDAP import
o system: increase maximum size of firmware reports
o firewall: shaper backend refactor
o interfaces: improved reconfigure phase
o reporting: fix sporadic "non-numeric value encountered" error
o captive portal: add voucher expiry (contributed by Stephanowicz)
o intrusion detection: use latest ET Open rules for Suricata version 4
o intrusion detection: proper syslog with drops, requires log file reset
o intrusion detection: backend refactor
o plugins: os-frr 1.2 adds OSPF interface type (contributed by Marius Halden)
o plugins: os-haproxy 2.6 (contributed by Frank Wall)
o ports: isc-dhcp 4.3.6P1
o ports: krb5 1.16
o ports: pkg 1.10.5
o ports: strongswan 5.6.2

18.1.3 05 Mar 2018 12:00 minor feature: Here are the full patch notes:
o system: account for variable headers in top output
o system: move gateway status into main pages
o system: slightly reorder routing configuration calls
o system: optimize reading of SSL crypto library version string (contributed by Alexander Shursha)
o system: rework LDAP authentication container selection
o interfaces: avoid interaction of overview details with menu items
o interfaces: allow "reject leases from" option in DHCP advanced settings
o firewall: set alias cron update interval to 1 minute
o firewall: align alias cron update with its background call
o firewall: URL IP alias type missing in selections
o firewall: fix defunct alias target in outbound NAT
o firewall: ignore alias case while searching
o firewall: move rule category filter to the top of the page
o firewall: show IPv6 ports in live log and fix details for TCP
o firewall: move general settings to AliasParser and fix Alias constructor to receive them
o firewall: if the name of the alias equals its content try to resolve
o dhcp: advertisement problem on PPPoE link without public IPv6 address (contributed by Team Rebellion)
o dhcp: UEFI 64 network boot using wrong arch type
o dhcp: validate maximum interface MTU
o dhcp: add validation for DUID fields
o ipsec: auto-route disable setting (contributed by Namezero)
o network time: inline NMEA checksum calculator (contributed by Fabian Franz)
o network time: fix stratum level write
o unbound: optimize outgoing-range differently
o unbound: local zone setting (contributed by NOYB)
o ui: fix cropped dropdown regression
o mvc: translate option values (contributed by Alexander Shursha)
o mvc: fix access to undefined property translator
o mvc: fix typo in getBase()
o mvc: improve phpdoc
o rc: protect console menu again, but keep shell invoke for rc.d subsystem
o rc: fix some typos (contributed by John Eismeier)
o rc: proper includes for plugin post-install hook
o rc: recover all known shells
o plugins: os-clamav 1.5 fixes log

18.1.2 08 Feb 2018 18:20 minor feature: Here are the full patch notes:
o system: avoid default route from disappearing when no manual gateways are set
o firewall: fix outbound NAT for OpenVPN interfaces
o interfaces: multiple overview page improvements (contributed by NOYB)
o firmware: revoke 17.7 update fingerprint
o console: check for root invoke in importer, installer and console menu
o intrusion detection: always show schedule tab
o intrusion detection: log first drop of a flow
o intrusion detection: add a log file viewer
o unbound: add num-queries-per-thread option values for 4096 and 8192
o ui: remove chrome=1 from X-UA-Compatible meta element (contributed by NOYB)
o ui: HTML compliance for attribute "type" on script element (contributed by NOYB)
o ui: HTML compliance for "navigation" "role" on nav element (contributed by NOYB)
o ui: checkbox and radio button label children tweaks (contributed by NOYB)
o ui: break help text on small screens
o ui: use pluggable locations for theme files
o ui: remove table-responsive padding on small screens
o ui: user-scalable viewport (contributed by NOYB)
o mvc: CRUD functions for mutable model controller (contributed by Fabian Franz)
o plugins: os-frr 1.0 with CRUD refactor (contributed by Fabian Franz)
o plugins: os-tor 1.5 with CRUD refactor (contributed by Fabian Franz)
o ports: phalcon 3.3.1
o ports: php 7.1.14

18.1.1 02 Feb 2018 18:19 minor feature: Here are the full patch notes:
o firewall: ignore target port alias in port forwards when it equals the destination
o firewall: align outbound NAT address output to edit page
o firewall: use first region for country in GeoIP category instead of last one
o system: improve layout of gateway status labels (contributed by Fabian Franz)
o system: improve order of group / user setup as "wheel" was not added correctly on save
o dashboard: touch device improvements in widgets (contributed by NOYB)
o opendns: always refresh the setting on save
o openvpn: open links in a new tab (contributed by Fabian Franz)
o ui: system-wide HTML compliance improvements (contributed by NOYB)
o plugins: arp-scan 1.1 improves interface search (contributed by Giuseppe De Marco)
o plugins: os-dyndns 1.6 fixes Route 53 IPv6 usage (contributed by theq86)
o plugins: os-freebsd 1.5.2 clarifies certificate validation (contributed by Michael Muenz)
o plugins: os-openconnect 1.0 (contributed by Michael Muenz)
o plugins: os-rfc2136 1.2 improves widget load
o plugins: os-telegraf 1.3.1 adds ping hosts and graphite validation fix (contributed by Michael Muenz)
o plugins: os-rspamd 1.1 fixes typos (contributed by Fabian Franz)
o plugins: os-zerotier 1.3.1 makes database persist on /var MFS (contributed by David Harrigan)
o ports: curl 7.58.0
o ports: py27-cryptography 2.1.4

18.1 02 Feb 2018 18:18 minor feature: These are the most prominent changes since version 17.7:
o FreeBSD 11.1, PHP 7.1 and jQuery 3 migration
o Realtek vendor NIC driver version 1.94
o Portable NAT before IPsec support
o Local group restriction feature in OpenVPN and IPsec
o OpenVPN multi-remote support for clients
o Strict interface binding for SSH and web GUI
o Improved MVC tabs and general page layout
o Shared forwarding now works on IPv6, in conjunction with "try-forwarding" and improved reply-to multi-WAN behaviour
o Easy-to-use update cache support for Linux and Windows in web proxy
o Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)
o Revamped HAProxy plugin with introduction pages
o Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status
o Alias backend rewrite for future extensibility
o Plugin-capable firewall NAT rules
o Migration of system routes UI and backend to MVC (also available via API)
o Reverse DNS support for insight reporting (also available via API)
o Fully rewritten firewall live log in MVC (also available via API)
o New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, node_exporter

17.7.12 19 Jan 2018 06:18 minor feature: Here are the full patch notes:
o system: use correct crypto library to gather GUI SSL ciphers
o system: do not wrap action buttons in tunables page
o system: fix CA serial number decrement on save
o firmware: remove the discontinued hotfix backend support
o firmware: allow dot in package name during package action
o firmware: remove defunct mirrors
o interfaces: make level of detail stick in packet capture
o interfaces: auto-lock problematic interfaces upon assignment
o firewall: make NAT reflection enable less ambiguous
o firewall: fix NAT formatting in states dump page
o network time: fix for valid negative offset in health graph
o network time: OPNsense NTP pool is now available
o network time: fix parsing of overly long lines
o web proxy: use PID file instead of daemon name for status probe
o wizard: add unbound to wizard and uncheck DNSSEC by default
o ui: HTML compliance fixes button in link usage (contributed by NOYB)
o mvc: added mutable service controller
o mvc: added sub-tab layout partials
o mvc: do not render empty toggle header
o plugins: acme-client 1.13 (contributed by Frank Wall)
o plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)
o plugins: helloworld 1.4
o plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)
o plugins: tor 1.4 adds contact info (contributed by Fabian Franz)
o plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)
o ports: libressl 2.6.4
o ports: php 7.1.13

17.7.11 22 Dec 2017 10:12 minor feature: Here are the full patch notes:
o system: numerical sort for "Use" and "MTU" columns in route diagnostics
o system: gateway group edit tier selection issue with jQuery3
o system: minor cleanups in the certificates backend
o firewall: move anti-lockout rule to advanced settings
o interfaces: minor cleanups in the backend
o reporting: rework configuration handling on the settings page
o dnsmasq: minor cleanups in the backend
o firmware: strip the architecture from the base / kernel set version display
o firmware: backend preparations for full base / kernel set lock and reinstall
o firmware: increase crash report file limit to 2 MB
o ipsec: minor cleanups in the backend
o unbound: register DHCP domain name for interface if found
o network time: show full remote address and fix page boxing on status page
o network time: add advanced custom options
o network time: fix leap second save
o network time: minor cleanups in the backend
o wizard: properly redirect on input errors in system wizard
o mvc: ignore client-side anchors in breadcrumb generation
o ui: do not use a CSRF input element ID
o plugins: os-freeradius 1.4.1 fixes a warning in clients (contributed by Michael Muenz)
o ports: libxml 2.4.7
o ports: py-ipaddress 1.0.19

17.7.10 18 Dec 2017 10:56 minor feature: Here are the full patch notes:
o system: allow user-based language setting through Lobby: Password
o system: allow strict interface binding for OpenSSH
o system: prepare for MVC-based routing pages
o firmware: prepare for production / development release type selection
o firewall: fix a PHP warning when no user rules are installed
o firewall: add refresh button to table diagnostics page
o captive portal: fix chroot regression since lighttpd web server update in 17.7.9
o interfaces: provide a link-local IPv6 when asking for addresses
o intrusion detection: sync port-groups to default template
o ipsec: upgrade vici lib to match strongSwan package
o network time: fix a PHP warning during NMEA deselect
o mvc: do not throw disabled errors in handler
o plugins: os-dyndns 1.4_1 fixes issue with Namecheap error parsing
o plugins: os-freeradius 1.4.0 adds log viewer and fixes users write (contributed by Michael Muenz)
o plugins: os-quagga 1.4.3 adds OSPF firewall rule and spinners for save (contributed by Fabian Franz)
o src: OpenSSL multiple vulnerabilities
o ports: hyperscan 4.6.0
o ports: openssl 1.0.2n
o ports: suricata 4.0.3
Two plugin hotfixes have been additionally issued:
o plugins: os-quagga 1.4.3_1 fixes service startup regression
o plugins: os-rfc2136 1.1_1 fixes edit button in IE 11

17.7.9 07 Dec 2017 16:29 minor feature: Here are the full patch notes:
o system: fix XSS with crafted certificates in certificate manager
o system: removed duplicated firmware privileges
o system: fix resolving routes in diagnostics page
o system: regenerated DH parameters
o dhcp: support stateless DHCPv6
o firmware: kernel and base set visibility and better API session handling
o intrusion detection: improve download and install speed of et-open rules
o intrusion detection: add TLS and HTTP logging in eve and alert log viewer
o openvpn: allow remote network in peer to peer modes
o web proxy: better service and API session handling
o router advertisements: advertise on VIPs belonging to the same interface
o configd: allow template overrides via optional target directory
o mvc: prepare for user-based language setting (contributed by Alexander Shursha)
o mvc: prepare for auto-generated page titles
o mvc: tighten against frame-based attacks
o mvc: correctly hide advanced option headers in forms (contributed by Evgeny Bevz)
o ui: fix for deactivated storage in sticky "help all" toggle (contributed by Fabian Franz)
o ui: make "advanced mode" sticky too
o plugins: os-acme-client 1.12 (contributed by Frank Wall)
o plugins: os-arp-scan (contributed by Giuseppe De Marco)
o plugins: os-clamav 1.3 (contributed by Alexander Shursha)
o plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed by Kuo-Cheng Yeu)
o plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)
o plugins: os-haproxy 2.0 (contributed by Frank Wall)
o plugins: os-relayd 1.2 fixes "check send" directive
o plugins: os-tor 1.3 (contributed by Fabian Franz)
o plugins: os-zabbix-agent 1.2 fixes service status indicator
o plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)
o ports: ca_root_nss 3.34.1
o ports: curl 7.57.0
o ports: lighttpd 1.4.48
o ports: php 7.1.12
o ports: pkg 1.10.3
o ports: py-Jinja2 2.10
o ports: syslogd 11.1