Recent Releases
21.1 - 28 Jan 2021 20:34
major feature:
Here are the full patch notes against 20.7.8:
o system: use authentication factory for web GUI login
o system: allow case-insensitive matching for LDAP user authentication
o system: removed unused gateway API dashboard feed
o system: removed spurious comma from certificate subject print and unified underlying code
o system: harden web GUI defaults to TLS 1.2 minimum and strong ciphers
o system: generate a better self-signed certificate for web GUI default
o system: allow self-signed renew for web GUI default (using "configctl webgui restart renew")
o system: allow subdirectories in NextCloud backup (contributed by Lorenzo Milesi)
o system: first backup is same as current so ignore it on GUI and console
o system: optionally allow TOTP users to regenerate a token from the password page
o system: set hw.uart.console appropriately
o system: reconfigure routes on bootup
o system: relax gateway name validation
o system: ignore disabled gateways in dpinger services
o system: choose a better bind candidate for IPv4 in dpinger
o interfaces: defer IPv6 disable in interface code to ensure PPP interfaces do exist
o interfaces: no longer assume configuration-less interfaces can reach static setup code
o interfaces: fix PPP links not linking to its advanced configuration page
o interfaces: read deprecated flag, allow family spec in (-)alias calls
o interfaces: fix address removal in IPv6 CARP case
o interfaces: pick proper route for 6RD and 6to4 tunnels
o interfaces: support 6RD with single /64 prefix (contributed by Marcel Hofer)
o firewall: support category filters for firewall and NAT rules (sponsored by Modirum)
o firewall: add live log "host", "port" and "not" filters
o firewall: create an appropriate max-mss scrub rule for IPv6
o firewall: fix anti-spoof option for separate bridge interfaces
o firewall: display zeros and sort columns in pfTables (contributed by kulikov-a)
o firewall: relax schedule name validation
o reporting: prevent calling top talkers when no interfaces
20.7.8 - 21 Jan 2021 14:31
minor bugfix:
Here are the full patch notes:
o system: allow to recover from bad TLS certificate and/or bad settings in console interface assign
o system: display destination port number in firewall log widget (contributed by Team Rebellion)
o system: keep compatible TLS 1 defaults for web GUI on 20.7 series
o system: set default certificate lifetime to 397 days
o firewall: add type 128 to outgoing IPv6 RFC4890 requirements
o firewall: add manual refresh button to live log
o firewall: fix typo in ICMPv6 validation
o firewall: fix minor regression in maintaining target alias file
o firewall: fix all state value in pfTop (contributed by Lucas Held)
o firewall: remove duplicated destination field in live log
o firewall: add readonly actions to aliases permission (contributed by Manuel Faux)
o firewall: category selector missing caption
o reporting: add top talkers to revamped traffic graph page
o reporting: fix name resolution filter change in insight
o reporting: persist interface selection on traffic graph page
o captive portal: disable faulty TLS on HTTP since lighttpd 1.4.56
o dhcp: fix sorting of IPv6 static mappings (contributed by vnxme)
o dhcp: fix incorrect parsing of DUID (contributed by Matt Holgate)
o firmware: opnsense-code now updates the current directory if nothing was specified
o firmware: opnsense-code now uses flexible make.conf target from tools.git
o firmware: opnsense-update now supports snapshot access via -z option
o firmware: opnsense-update now fixes missing dependencies on the fly
o firmware: fix some issues with missing repository on server
o firmware: add version output and date to audit logs
o ipsec: display remote host in status overview (contributed by garlic17)
o opendns: add standalone mode
o openssh: honour MAX_LISTEN_SOCKS
o openvpn: set default certificate lifetime to 397 days in wizard
o unbound: generate all configuration files in service controller
o unbound: fix broken lines in large files (contributed by kulikov-a)
o web proxy: lock ACL dow
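The 21.1 entries above for the web GUI certificate (a better self-signed default, renewal through configctl) and the 20.7.8 entry that caps the default certificate lifetime at 397 days describe new defaults but give no way to check a running appliance against them. The following is an added example, not OPNsense code: given the dictionary Python's ssl.SSLSocket.getpeercert() returns for a server, it flags a lifetime beyond 397 days (or beyond the 825-day default maximum that 19.7.9 set), imminent expiry, a missing subjectAltName and a self-signed issuer. The certificate dictionaries are constructed for the example; the 30-day renewal warning is this example's policy, the other thresholds are the ones named in these notes.

```python
import ssl
import time

# Thresholds taken from the release notes above: 397 days is the default
# lifetime since 20.7.8, 825 days was the default maximum set in 19.7.9.
MAX_LIFETIME_DAYS = 397
LEGACY_MAX_LIFETIME_DAYS = 825
RENEW_WARNING_DAYS = 30  # example policy, not an OPNsense default


def _rdn_to_dict(rdns):
    """Flatten the nested tuples getpeercert() uses for subject/issuer."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def cert_lifetime_days(cert):
    """Validity period in days from the notBefore/notAfter strings."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def is_self_signed(cert):
    """A matching issuer and subject is the usual shape of a self-signed certificate."""
    return _rdn_to_dict(cert["issuer"]) == _rdn_to_dict(cert["subject"])


def audit_cert(cert, now=None):
    """Return a list of findings; an empty list means every check passed."""
    now = time.time() if now is None else now
    findings = []
    days = cert_lifetime_days(cert)
    if days > LEGACY_MAX_LIFETIME_DAYS:
        findings.append(f"lifetime {days:.0f}d exceeds even the old {LEGACY_MAX_LIFETIME_DAYS}d maximum")
    elif days > MAX_LIFETIME_DAYS:
        findings.append(f"lifetime {days:.0f}d exceeds the {MAX_LIFETIME_DAYS}d default")
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    if expiry < now:
        findings.append("expired")
    elif expiry - now < RENEW_WARNING_DAYS * 86400:
        findings.append(f"expires within {RENEW_WARNING_DAYS}d; renew it (e.g. configctl webgui restart renew)")
    if not cert.get("subjectAltName"):
        findings.append("no subjectAltName; hostname verification will fail")
    if is_self_signed(cert):
        findings.append("self-signed; clients must trust it explicitly")
    return findings


# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns; not real certificates.
GOOD_CERT = {
    "subject": ((("commonName", "OPNsense.localdomain"),),),
    "issuer": ((("commonName", "OPNsense.localdomain"),),),
    "notBefore": "Jan 28 20:34:00 2021 GMT",
    "notAfter": "Jan 28 20:34:00 2022 GMT",
    "subjectAltName": (("DNS", "OPNsense.localdomain"),),
}
THREE_YEAR_CERT = dict(GOOD_CERT, notAfter="Jan 28 20:34:00 2024 GMT", subjectAltName=())
NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2021 GMT")  # fixed clock for reproducible output

if __name__ == "__main__":
    for name, cert in (("good", GOOD_CERT), ("three-year", THREE_YEAR_CERT)):
        print(name, audit_cert(cert, NOW) or ["ok"])
```

To run this against a live appliance, replace the samples with a connection to the GUI port made through ssl.create_default_context() and pass the result of getpeercert() to audit_cert(). One caveat: getpeercert() only returns the dictionary when the peer certificate was validated, so a self-signed GUI certificate has to be added with load_verify_locations() first, otherwise the audit sees an empty dict.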
20.7.7 - 21 Dec 2020 05:59
minor bugfix:
Here are the full patch notes:
o reporting: fix traffic graph widget link issue
o system: simplify log format parsing
o interfaces: fix DUID LL description (contributed by Gabriel Mazzocato)
o unbound: fix dnsbl not reloading after update
o plugins: os-acme-client 2.2
o plugins: os-freeradius 1.9.9
o plugins: os-frr 1.20
o plugins: os-tinc 1.6 enables multiple addresses per host (contributed by ElNounch)
o plugins: os-wireguard 1.4
o ports: curl 7.74.0
o ports: dhcp6c ignores advertise messages with none of requested data and missed status codes
o ports: libressl 3.1.5
o ports: lighttpd 1.4.56
o ports: nss 3.60
o ports: openssl 1.1.1i
o ports: pcre2 10.36
o ports: sudo 1.9.4
o ports: sqlite 3.34.0
o ports: unbound 1.13.0
20.7.6 - 16 Dec 2020 06:08
minor bugfix:
Here are the full patch notes:
o system: no longer enforce alias names in gateways
o system: add "step into" icon on log lines when filtering
o system: add current CPU load progress bar (contributed by kulikov-a)
o firewall: allow larger selection in live log
o firewall: correctly select current IPv6 field in getInterfaceGateway()
o firewall: add validation for ipv6-icmp combined with inet
o reporting: traffic graph replacement using iftop
o openvpn: calculate first network address as gateway address when only ifconfig_local is given
o web proxy: throw startup error to user
o plugins: os-acme-client 2.1
o plugins: os-frr 1.19
o plugins: os-mail-backup not available due to unaddressed security concerns
o src: fix parsing of netmap legacy nmr->nr_ringid
o src: fix mutex double unlock bug in netmap
o src: minor misc netmap improvements
o src: improve netmap(4) and vale(4) man pages
o src: IPV6_PKTINFO support for v4-mapped IPv6 sockets
o src: zero-initialize variables in HBSD PaX SEGVGUARD
o src: fix execve/fexecve system call auditing
o src: fix uninitialized variable in ipfw
o src: fix race condition in callout CPU migration
o src: fix ICMPv6 use-after-free in error message handling
o src: fix multiple vulnerabilities in rtsold
o src: update timezone database information
o ports: krb5 1.18.3
o ports: nss 3.59
o ports: openldap 2.4.56
o ports: openssh 8.4p1
o ports: php 7.3.25
o ports: strongswan 5.9.1
o ports: suricata 5.0.5
o ports: syslog-ng 3.30.1
20.7.5 - 26 Nov 2020 09:22
minor bugfix:
Here are the full patch notes:
o system: syslog-ng related fixes during package management based restart
o system: change dpinger syslog message to reflect correct RTT and RTTd unit (contributed by fhloston)
o web proxy: add toggle for pinger service (contributed by nowyouseeit)
o web proxy: add missing X-Forwarded-For header option
o mvc: new Base64Field type
o mvc: new VirtualIPField type
o plugins: os-acme-client 2.0
o plugins: os-bind 1.14
o plugins: os-chrony 1.1
o ports: monit 5.27.1
o ports: php 7.3.24
o ports: pkg upstream fix for upgrade script hang
o ports: strongswan 5.9.0
20.7.4 - 23 Oct 2020 06:40
minor bugfix:
Here are the full patch notes:
o system: switch web GUI address selection to avoid server.bind in IPv6 first case
o system: fix defunct "use default" button on web GUI listen interfaces
o system: signal "auth user changed" when a user is modified via web GUI
o system: replace gateway widget and add proper API endpoint for it
o system: fix reading displayName attribute on LDAP search (contributed by ServiusHack)
o interfaces: change maximum MTU value to 65535 in accordance with RFC 791
o interfaces: update wireless device detection prefixes
o interfaces: lexical sort interface keys for assignments
o firewall: add support for network exclusions in network alias type
o firewall: add NAT information to pfInfo page (contributed by kulikov-a)
o firewall: associated NAT rules missed state keyword
o firewall: allow "or" conditions in live log
o firewall: use pfctl for alias IP check (contributed by kulikov-a)
o dnsmasq: regenerate resolv.conf on save
o dnsmasq: log queries option
o intrusion detection: ignore pkill exit status when performing update
o ipsec: add description to reconfigure action (contributed by Frank Wall)
o unbound: rebuild unbound blacklist download
o unbound: restructure reconfigure so that we always flush config
o backend: add new "config changed" event using syshook structure (sponsored by Modirum)
o mvc: add a few missing control widgets from log pages
o ui: upgrade moment.js to 2.27.0
o plugins: os-freeradius 1.9.8
o plugins: os-git-backup 1.0 (sponsored by Modirum)
o plugins: os-haproxy 2.25
o plugins: os-stunnel 1.0.2 adds service protocol selector (contributed by fhloston)
o src: extended netmap update and driver fixes
o src: netmap tun and lagg support (contributed by Sunny Valley Networks)
o src: update Realtek re driver to upstream version 1.96.04 (contributed by Laurent Dinclaux)
o ports: curl 7.73.0
o ports: libxml2 fixes for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977
o ports: nss 3.58
o ports: openssl 1.1.1h
o ports:
20.7.3 - 25 Sep 2020 04:55
minor bugfix:
Here are the full patch notes:
o system: use different shell gateway name to appease wizard
o system: simplify CARP hook
o interfaces: phase out netaddr.eui.ieee.OUI_REGISTRY_PATH usage
o firewall: add MAC type to top right filter selection
o firewall: fix two scrub rule parsing bugs
o firewall: omit group type interfaces in filter selection
o intrusion detection: re-create rule cache after rule deployment
o unbound: add "unbound-plus" section to XMLRPC sync
o dhcp: adding DDNS values of each additional pool to the ddns_zones array (contributed by Mathieu St-Pierre)
o dhcp: add static interface mode to router advertisements
o rc: fix ssh key permissions on MSDOS import
o rc: support service identifier in pluginctl -s mode
o plugins: os-bind download link changes (contributed by gap579137)
o plugins: os-chrony 1.0 (contributed by Michael Muenz)
o plugins: os-dnscrypt-proxy blocklist script fixes (contributed by Mark Keisler)
o plugins: os-frr 1.17
o plugins: os-postfix 1.17
o plugins: os-rspamd 1.10
o plugins: os-theme-cicada 1.25 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.23 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.1 (contributed by Team Rebellion)
o plugins: os-wireguard 1.3
o plugins: os-zabbix-agent 1.8
o src: fix FreeBSD Linux ABI kernel panic
o src: fix SCTP socket use-after-free
o src: fix dhclient heap overflow
o src: fix ure device driver susceptible to packet-in-packet attack
o src: fix bhyve privilege escalation via VMCS access
o src: fix bhyve SVM guest escape
o src: fix ftpd privilege escalation via ftpchroot
o src: set PAX_HARDENING_NOSHLIBRANDOM in the RTLD by default
o src: fix kernel panic while trying to read multicast stream
o ports: mpd 5.9
o ports: nss 3.57
o ports: php 7.3.22
o ports: pkg 1.15.6
20.7.2 - 03 Sep 2020 07:40
minor bugfix:
Here are the full patch notes:
o system: set REQUESTS_CA_BUNDLE in environments
o system: improve parsing for temperature sensors
o system: add "new-password" hint for Chrome on login form
o system: rename syslog services description and hide legacy mode when not enabled
o system: force syslog-ng restart after boot sequence
o system: properly read new style logging directories
o reporting: replace line endings when sending traceback to syslog in flowd_aggregate
o reporting: add traffic graph filter for private IPv4 networks (contributed by kcaj-burr)
o firewall: add MAC address alias type
o firewall: be more verbose when fetching alias remote content
o firewall: prevent pfctl error messages from being suppressed
o firewall: exclude all reserved pf.conf keywords from alias name
o firewall: bogons not loaded on initial load
o firewall: reset damaged bogons files on startup
o interfaces: add listen-queue-sizes in socket diagnostics
o firmware: properly report an unsigned repository
o firmware: revoke 20.1 fingerprint
o intrusion detection: rule cache parse error on invalid metadata
o intrusion detection: allow search for status enabled/disabled
o web proxy: correct template replacement during build time
o web proxy: bugfix in JSON access log
o unbound: updated project block lists links (contributed by gap579137)
o backend: add regex_replace template support
o plugins: os-acme-client 1.36
o plugins: os-dyndns 1.23 adds Gandi LiveDNS support (contributed by vizion8-dan)
o plugins: os-haproxy 2.24
o plugins: os-stunnel 1.0.1 includes performance tweaks
o plugins: os-telegraf 1.8.2
o plugins: os-tinc fixes cipher parsing on 20.7
o src: remove ACPI workaround for serial console on AMD EPYC
o src: Make pf.conf ':0' ignore link-local v6 addresses too
o src: default "show bad packets" tunable to off in e100 driver
o src: fix unsolicited promisc mode in e1000 driver
o src: add valectl to the system commands
o ports: ca_root_nss/nss 3.56
o ports: curl 7.72.0
o por
20.7.1 - 23 Aug 2020 05:58
minor bugfix:
Here are the full patch notes:
o system: split log process name into separate column
o system: filter new style log directories accordingly
o system: add delay to improve syslog-ng startup
o system: properly switch login page to latest jQuery 3.5.1
o firewall: add select boxes for static filters in live log
o firmware: ignore mandoc.db files in health output as the system will regenerate them weekly
o firmware: bring back Chinese Aivian mirror
o firmware: remove defunct opn.sense.nz and RageNetwork mirrors
o web proxy: add JSON output following Elastic Common Schema (sponsored by Incenter Technology)
o backend: cap log messages to 4000 characters to prevent longer messages from vanishing
o plugins: os-acme-client 1.35
o plugins: os-frr 1.15
o plugins: os-postfix 1.15
o plugins: os-udpbroadcastrelay 1.0 (contributed by Team Rebellion)
o src: set the current VNET before calling netisr_dispatch() in ng_iface(4)
o src: assorted multicast group join/leave corrections
o src: fix vmx driver packet loss and degraded performance
o src: fix memory corruption in USB network device driver
o src: fix multiple vulnerabilities in sqlite3
o src: fix sendmsg(2) privilege escalation
o ports: perl 5.32.0
o ports: squid 4.12
20.7 - 06 Aug 2020 11:29
major feature:
Here are the full patch notes against version 20.7-RC1:
o system: syslog-ng RFC5424 on FreeBSD 12 needs flags(syslog-protocol)
o installer: welcome users as genuine 20.7 installer
o web proxy: do not try to force cachemanager access to use ICAP
o plugins: os-collectd 1.3
o plugins: os-zabbix5-proxy 1.3
o src: prevent netgraph page fault for LTE usage
o ports: dnsmasq 2.82
o ports: monit 5.27.0
o ports: nss 3.55
o ports: sudo 1.9.2
20.1.9 - 24 Jul 2020 08:23
minor feature:
Here are the full patch notes:
o system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
o firewall: validate if NAT destination contains a port
o firewall: prevent config_read_array() from adding an empty lo0
o network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
o network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
o mvc: LegacyLinkField not allowed to return null in __toString()
o plugins: os-collectd 1.3
o plugins: os-dyndns 1.22
o plugins: os-telegraf 1.8.1
o plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
o plugins: os-tinc fixes switch mode
o plugins: os-wireguard 1.2
o ports: ca_root_nss 3.54
o ports: curl 7.71.1
o ports: dnsmasq 2.82
o ports: monit 5.27.0
o ports: php 7.3.20
o ports: python 3.7.8
o ports: sqlite 3.32.3
o ports: syslog-ng 3.27.1
20.1.8 - 03 Jul 2020 14:51
minor feature:
Here are the full patch notes:
o system: simpler get_interface_ip() usage in IPv4 renewal
o system: allow HA sync of network time settings
o system: download all filtered items in log export
o system: add support for upstream LDAP accounts in Nextcloud backup (contributed by Fabian Franz)
o interfaces: fix stateless DHCPv6 for track6 interfaces (contributed by Maurice Walker)
o firewall: fix missing address filter error by moving NAT targets to runtime resolve
o firewall: prevent gateway protocol mismatch from breaking the ruleset
o firewall: work around categories typeahead issue with recent jQuery libraries
o firewall: improve alias help text (contributed by Team Rebellion)
o firewall: switch from single log filter to one per attribute
o intrusion detection: when enabling rules prefixed with '# ' consume the extra space (contributed by Tra5is)
o intrusion detection: less sensitive rule parsing
o intrusion detection: compress stats.log backups
o ipsec: valid IPSec Phase 2 hash config warning raises GUI alert (contributed by Brett Merrick)
o unbound: add DNS64 support (contributed by Maurice Walker)
o web proxy: fix wrong button label for Download ACLs (contributed by 90er)
o mvc: add sort_flags optional parameter support (contributed by NOYB)
o rc: add full PATH to rc.syshook invoke
o plugins: os-acme-client 1 2
o plugins: os-dnscrypt-proxy 1.8
o plugins: os-dyndns 1.21 improves Cloudflare support (contributed by Andreas Rupper)
o plugins: os-freeradius 1.9.7
o plugins: os-haproxy 2.23
o plugins: os-intrusion-detection-content-snort-vrt 1.1
o plugins: os-stunnel 1.0 (sponsored by Incenter Technology)
o plugins: os-tayga 1.1
o plugins: os-theme-rebellion 1.8.4
o ports: ca_root_nss 3.53
o ports: curl 7.71.0
o ports: hostapd / wpa_supplicant UPnP SUBSCRIBE advisory
o ports: krb5 1.18.2
o ports: ntp 4.2.8p15
o ports: pcre 8.44
o ports: perl 5.30.3
o ports: php 7.3.19
o ports: python CVE-2019-18348 and CVE-2020-8492
o port
20.1.7 - 21 May 2020 05:07
minor feature:
Here are the full patch notes:
o system: default net.inet.icmp.reply_from_interface to 1
o system: fix static gateway wizard handling
o firewall: allow outbound NAT source and destination port ranges
o interfaces: use interfaces_primary_address6() inside get_interface_ipv6()
o dhcp: add AdvLinkMTU to router advertisements settings (contributed by Ilteris Eroglu)
o unbound: prevent wildcard domains for the local system domain
o backend: suppress inconsequential IDNA warnings for aliases
o backend: add option to return a key value list for TLS ciphers
o mvc: reference constraint pointing validation results to the wrong field
o plugins: os-acme-client 1.32 adds Acmeproxy DNS support (contributed by Maarten den Braber)
o src: added Novatel Wireless MiFi 8800/8000 support (contributed by rootless4real)
o src: fix pf shared forwarding on non-existing interfaces
o src: patch in tty 3wire autologin support
o src: fix insufficient packet length validation in libalias
o src: fix memory disclosure vulnerability in libalias
o src: fix improper checking in SCTP-AUTH shared key update
o src: fix use after free in cryptodev module
o src: update to tzdata 2020a
o ports: ca_root_nss 3.52
o ports: curl 7.70.0
o ports: dhcp6c v20200512
o ports: hyperscan 5.2.1
o ports: openldap 2.4.50
o ports: pcre2 10.35
o ports: php 7.3.18
20.1.6 - 01 May 2020 05:05
minor feature:
Here are the full patch notes:
o system: add data length option to gateway monitor settings
o firewall: avoid greedy matching with live log parsing regression from 20.1.5
o firmware: detect runtime defaults when using "make upgrade" with core.git
o firmware: clean up packaging code and support ".link" file extension
o firmware: use CORE_FLAVOUR instead of FLAVOUR when using opnsense-bootstrap
o firmware: optionally allow reaching the master branch when using opnsense-bootstrap
o firmware: allow overriding CORE_ABI when using opnsense-bootstrap
o firmware: copy make.conf instead of linking when using opnsense-code
o firmware: always fetch tools.git when using opnsense-code
o rc: use "onifexists" for VGA TTY instead of "on"
o rc: missing ntpd user on 20.7 / 12.1
o plugins: os-unbound-plus DoT validation fix (contributed by Michael Muenz)
o src: fix ipfw invalid mbuf handling
o ports: libyaml 0.2.4
o ports: openssl 1.1.1g
o ports: py-yaml 5.3.1
o ports: radvd 2.18
o ports: sqlite 3.31.1
o ports: squid 4.11
o ports: suricata 4.1.8
20.1.5 - 27 Apr 2020 06:50
minor feature:
Here are the full patch notes:
o system: support configuration for SSH HostKeyAlgorithms, KexAlgorithms, Ciphers and MACs
o system: simplify validations in gateway monitor settings
o interfaces: mark VXLAN and loopback devices as configurable
o interfaces: validation typo caused failure to communicate unassignable targets
o interfaces: netstat tree view GUI and API
o interfaces: use libxo to extract ARP data
o firewall: checkbox selection ignores visibility setting
o firewall: add network group type to combine aliases cleanly
o firewall: IPv6 essential icmpv6 allow for ::
o firewall: new shaper statistics GUI and API
o firewall: support filter log messages with PID
o reporting: when flow times are not returned stick to receive timestamp
o openvpn: use multihome when selecting "any" interface with UDP
o unbound: create shared startup script for background task
o mvc: also store "" field value as initial state to prevent empty fields as being marked as changed
o mvc: firewall source NAT ranges support in plugins
o mvc: keep options in static set for PortField
o mvc: support interface targets without addresses
o mvc: add "migration_prefix" attribute to model
o mvc: catch ArgumentCountError
o mvc: skip empty gateway artefact
o plugins: os-acme-client 1.31
o plugins: os-firewall 1.0 API supplemental package
o plugins: os-haproxy 2.22
o plugins: os-unbound-plus 1.1
o plugins: os-wol 2.3 adds case insensitive matching in widget (contributed by Gauss23)
o ports: ca_root_nss 3.51.1
o ports: dnsmasq 2.81
o ports: krb5 1.18.1
o ports: openvpn 2.4.9
o ports: php 7.2.30
o ports: py-certifi 2020.4.5.1
o ports: strongswan 5.8.4
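The 20.1.5 entry above adds configuration for SSH HostKeyAlgorithms, KexAlgorithms, Ciphers and MACs but says nothing about which values are safe to keep. The following is an added audit script, not part of OPNsense: it parses an sshd_config-style text (the format sshd itself reads; it is assumed here that the file OPNsense generates uses the same keywords), honours sshd's first-occurrence-wins rule and its +/-/^ list prefixes, and reports any algorithm from a deliberately conservative weak list (SHA-1 and MD5 MACs, RC4, 3DES and CBC ciphers, 1024-bit or SHA-1 key exchange, DSA and SHA-1-signed RSA host keys). The sample config is constructed for the example and the weak list is this example's policy, not OPNsense's.

```python
import re

# Example policy (this page's addition, not OPNsense's own list): algorithms built on
# SHA-1, MD5, RC4, 3DES, CBC mode or 1024-bit DH that a hardened sshd should not offer.
WEAK_ALGORITHMS = {
    "kexalgorithms": {
        "diffie-hellman-group1-sha1",
        "diffie-hellman-group14-sha1",
        "diffie-hellman-group-exchange-sha1",
    },
    "ciphers": {
        "3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
        "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    },
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"},
    "hostkeyalgorithms": {"ssh-dss", "ssh-rsa"},  # ssh-rsa signs with SHA-1; rsa-sha2-* is fine
}


def parse_sshd_config(text):
    """Map lowercased keyword -> value, keeping the FIRST occurrence as sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # sshd accepts 'Key value' and 'Key=value'
        if len(parts) != 2 or not parts[1]:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def offered_algorithms(value):
    """Expand sshd's list prefixes: '+' appends to and '^' prepends to the built-in
    defaults, '-' removes from them. The defaults are not known here, so only the
    names written in the file are returned, as (offered, removed)."""
    if not value:
        return set(), set()
    if value.startswith("-"):
        return set(), set(value[1:].split(","))
    if value[0] in "+^":
        value = value[1:]
    return set(value.split(",")), set()


def audit_sshd_config(text):
    """For each algorithm keyword: None if unset (built-in defaults apply),
    otherwise the sorted list of weak algorithms the file explicitly offers."""
    settings = parse_sshd_config(text)
    report = {}
    for key, weak in WEAK_ALGORITHMS.items():
        if key not in settings:
            report[key] = None
            continue
        offered, _removed = offered_algorithms(settings[key])
        report[key] = sorted(offered & weak)
    return report


# Constructed sample; not a file taken from an OPNsense system.
SAMPLE_SSHD_CONFIG = """\
Port 22
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
Ciphers +aes128-cbc,3des-cbc
MACs -hmac-md5,hmac-sha1
HostKeyAlgorithms ssh-ed25519,ssh-rsa
Ciphers chacha20-poly1305@openssh.com   # ignored: sshd keeps the first Ciphers line
"""

if __name__ == "__main__":
    for keyword, weak in audit_sshd_config(SAMPLE_SSHD_CONFIG).items():
        print(f"{keyword:18} {'defaults' if weak is None else weak or 'ok'}")
```

Two details matter in practice: a keyword that is unset falls back to the sshd version's built-in defaults, which the script cannot see and so reports as None rather than clean, and a "-" prefix only removes names from those defaults, so it never offers anything weak even when the names it lists are on the weak list. The first-line-wins rule is why the second Ciphers line in the sample changes nothing.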
20.1.4 - 09 Apr 2020 14:33
minor feature:
Here are the full patch notes:
o system: add missing strtolower() in LDAP sync response
o system: fix /var/run/legacy_log socket creation race with Syslog-ng
o system: add info button to display privilege / ACL endpoints
o system: make IPsec tap tunables overwriteable
o firewall: floating means either all interfaces or more than one selected
o firewall: simplify group maintenance by only applying them on filter reload
o interfaces: use primary IPv6 and support VIP tracking
o interfaces: multiple changes in radvd.conf setup (contributed by maurice-w)
o dhcp: fix DDNS support in DHCPv6 (contributed by Wagner Sartori Junior)
o firmware: mirror opnsense.ieji.de renamed to opn.sense.nz
o openvpn: improve openvpn_port_used() logic
o unbound: minor cleanup in /api/unbound/diagnostics/stats endpoint
o unbound: remove 192.0.0.0/24 from rebinding prevention list (contributed by maurice-w)
o mvc: simplify reload of captive portal, cron, IDS, alias, loopback, VXLAN, web proxy, routes, syslog and shaper
o mvc: limit dropdown size to 10 if none specified
o mvc: support inheritance of the ArrayField type
o mvc: synchronize backup timestamps with revisions
o mvc: fixed width for timestamp column in logging
o mvc: init errorMessage to prevent crash reports
o shell: use interfaces_primary_address6() for correct IPv6 display
o shell: append a newline in pluginctl -g mode
o plugins: os-acme-client 1.30
o plugins: os-bind 1.13
o plugins: os-freeradius 1.9.6
o plugins: os-haproxy 2.21
o plugins: os-maltrail 1.5
o plugins: os-nginx 1.19
o plugins: os-nut 1.7
o plugins: os-postfix 1.14
o plugins: os-tayga 1.0 (contributed by Michael Muenz)
o plugins: os-telegraf 1.7.7
o plugins: os-unbound-plus 1.0 (contributed by Michael Muenz and Petr Kejval)
o lang: multiple updates to supported languages
o lang: new Turkish translation (contributed by Aydin Yakar)
o src: work around PCI devices which return all zeros for reads of existing MSI-X table VCTRL registers
o src: f
20.1.3 - 19 Mar 2020 06:53
minor feature:
Here are the full patch notes:
o system: match group CN case-insensitive
o system: added pluggable log format parsing facility
o system: update nsComment in OpenSSL config (contributed by vnxme)
o interfaces: fix missing default gateway switch on linkup event
o firewall: properly lock alias_util API (contributed by Cedric Deconinck)
o firewall: flush priority sections to /tmp/rules.debug
o firewall: do not escape internal URLs
o firmware: revoke 19.7 fingerprint
o ipsec: add virtual IPv6 pool for mobile clients (contributed by vnxme)
o ipsec: add MVC service control API
o monit: simplify Monit reload
o openvpn: properly swapped help texts regarding routes
o unbound: multiple fixes in DHCP watcher
o mvc: fix CountryField for static options
o mvc: extend PortField to support multiple items
o mvc: BaseListField plus PortField now use getValidationMessage() to bootstrap defaults
o mvc: add NetworkAliasField, ProtocolField and LegacyLinkField types
o mvc: apply PSR12 style as found on master
o ui: add jQuery plugin to support a simple service reload/action button
o ui: hook bootgrid javascript texts
o plugins: os-munin-node 1.0 (contributed by Michael Muenz)
o plugins: os-sunnyvalley 1.2 (contributed by Sunny Valley Networks)
o plugins: os-wol: relax MAC address validation (contributed by Mikael Falkvidd)
o ports: ca_root_nss 3.51
o ports: ntp 4.2.8p14
20.1.2 - 09 Mar 2020 09:15
minor feature:
Here are the full patch notes:
o system: fix leap year issue in new log reader
o system: add valid from and to dates to user certs display
o system: drop unused services.inc and diag_logs_template.inc
o interfaces: make sure descriptions are properly cleansed
o interfaces: introduce interfaces_primary_address6()
o interfaces: validate interface input in packet capture
o firewall: immediately download GeoIP if not already found
o firewall: improve performance when working with large number of aliases
o firewall: fix visibility on internal CARP rules
o captive portal: fix expiry and validity for vouchers (contributed by xx4h)
o dhcp: fix DNS registration for DHCPv6 static mappings (contributed by maurice-w)
o dhcp: add icons next to online/offline lease status (contributed by Tyler Ham)
o ipsec: allow configuration of inactivity parameter (contributed by Marcel Menzel)
o unbound: minor changes while scanning ACL subnets
o web proxy: work around to skip passing additional auth properties
o backend: allow pluginctl to return config.xml values
o console: improve type checks in set address function
o rc: join CARP early startup scripts
o plugins: os-dnscrypt-proxy fix for setup.sh on reboot
o plugins: os-dyndns 1.20 fixes verify restrictions, GratisDNS and missing break for Linode (contributed by NOYB, Johan Pramming, Andrew Gunnerson)
o plugins: os-maltrail 1.4
o plugins: os-nrpe fix for setup.sh on reboot
o plugins: os-tinc 1.5 fixes bug in IPv6 support (contributed by vnxme)
o src: fix imprecise ordering of SSP canary initialization
o src: fix nmount invalid pointer dereference
o src: fix libfetch buffer overflow
o src: fix kernel stack data disclosure
o ports: ca_root_nss 3.50
o ports: php 7.2.28
o ports: squid 4.10
o ports: suricata 4.1.7
o ports: syslog-ng 3.25.1
o ports: unbound 1.10.0
20.1.1 - 20 Feb 2020 14:53
minor feature:
Here are the full patch notes:
o system: increase size of user SSH key input box
o system: fix faulty PPP log link in the menu
o system: fix a PHP warning on the general settings page
o interfaces: update maximum MTU for 10Gb NICs (contributed by Len White)
o firewall: fix rule statistics display for rules using tagging
o reporting: fix missing separator in NetFlow configuration
o firmware: add Quantum mirror in Hungary
o openvpn: fix ifconfig-ipv6-push format
o plugins: os-dnscrypt-proxy 1.7
o plugins: os-net-snmp 1.4
o plugins: os-nginx 1.18
o plugins: os-theme-vicuna 1.0 (contributed by Team Rebellion)
o ports: lighttpd 1.4.55
o ports: openldap 2.4.49
o ports: pkg libfetch security fix
o ports: sudo 1.8.31
20.1 - 31 Jan 2020 09:03
major feature:
These are the most prominent changes since version 19.7:
o Captive portal performance improvements
o IPsec public key authentication support
o Elliptic curve TLS certificate creation
o CARP service demotion hook
o VXLAN device support
o Loopback device support
o Extended firmware health audit checks
o Support direction and non-quick on interface rules
o Logging frontend migrated to MVC / API
o PSR 12 coding style
o Documentation for all core components
o Python 3.7 is now the default Python version
o LibreSSL 3.0 and OpenSSL 1.1.1
o Google Backup API 2.4
o jQuery 3.4.1
And here are the full patch notes against version 20.1-RC1:
o installer: welcome users as genuine 20.1 installer
o rc: revert growfs change since Nano does not grow anymore
o plugins: os-mail-backup 1.1
o plugins: os-nrpe 1.0 (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
o plugins: os-vnstat 1.2
o plugins: zabbix4-proxy 1.2
o ports: ca_root_nss 3.49.2
o ports: curl 7.68.0
o ports: isc-dhcp 4.4.2
o ports: php 7.2.27
o ports: urllib3 1.27.7
19.7.10 - 28 Jan 2020 10:01
minor bugfix:
Here are the full patch notes:
o firewall: fix a typo in CARP validation
o firmware: revoke 19.1 fingerprint
o ipsec: add configurable dpdaction (contributed by Marcel Menzel)
o mvc: BaseListField ignoring empty selected field
o plugins: os-haproxy 2.20
o plugins: os-mail-backup 1.1
o plugins: os-nrpe 1.0 (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
o plugins: os-vnstat 1.2
o plugins: zabbix4-proxy 1.2
o ports: ca_root_nss 3.49.1
o ports: curl 7.68.0
o ports: urllib3 1.27.7
o ports: isc-dhcp 4.4.2
19.7.9 - 10 Jan 2020 09:16
minor bugfix:
Here are the full patch notes:
o system: use 825 days as the default maximum certificate lifetime
o system: hide leaking hostname on SSH password auth (contributed by sooslaca)
o system: remove unused "lifetime" parameter from user manager page
o firewall: new GeoIP settings page to allow continued use of upstream database
o firewall: log when alias couldn't resolve a hostname
o firewall: translate pfInfo page tabs (contributed by Smart-Soft)
o firmware: add mirror MARWAN (Moroccan Academic Research Wide Area Network)
o dhcp: replace killbyname() usage which should not have killed both services
o dhcp: auto-replace windows DUID dashes (contributed by Team Rebellion)
o mvc: PSR12 code style updates
o plugins: os-acme-client 1.29
o plugins: os-bind 1.12
o plugins: os-dyndns must use dyndns_failover_interface() to translate gateway group
o plugins: os-frr 1.14
o plugins: os-maltrail 1.3
o plugins: os-nginx 1.17
o plugins: os-nut fixes validation and snmp-ups selection (contributed by Michael Muenz)
o plugins: os-theme-cicada 1.24 (contributed by Team Rebellion)
o plugins: os-zabbix4-proxy 1.1
o ports: openssh 8.1p1
o ports: openssl 1.0.2u
o ports: php 7.2.26
o ports: phpseclib 2.0.23
o ports: python 3.7.6
o ports: strongswan 5.8.2
o ports: sudo 1.8.30
o ports: unbound 1.9.6
19.7.8 - 19 Dec 2019 09:25
minor bugfix:
Here are the full patch notes:
o system: "Mark Gateway as Down" also means exclude from default gateway selection
o system: fix PHP warning on gateways list due to wrong variable scope
o system: support elliptic curve TLS certificate creation (contributed by johnaheadley)
o system: remove unused current directory PHP include
o system: fix XSS in backup page and static menu pages
o firewall: use referential integrity check for model data
o reporting: improve NetFlow error handling (contributed by Frank Brendel)
o dhcp: always add dhcp6.domain-search and dhcp6.name-servers (contributed by maurice-w)
o dhcp: fix range check for advanced router advertisement options (contributed by maurice-w)
o dhcp: improve help texts for router advertisement modes (contributed by maurice-w)
o dhcp: replace defunct IPv6 domain name option with domain search list option (contributed by maurice-w)
o dhcp: fix storing advanced IPv6 options
o firmware: add "copy to clipboard" button in update text box
o firmware: use opnsense-revert in GUI reinstall package case
o firmware: when storing installed plugin names remove their development counterparts
o firmware: improved health check scope to include direct core package dependencies
o openvpn: fix Firefox "nowrap" issue in client export page
o backend: improve error handling while configd is either not active or not functional
o mvc: route to default page when controller or action not found
o mvc: field type refactor and unit tests
o mvc: added opt-in referential integrity check for models
o mvc: countless PSR12 style updates
o mvc: add "NetMaskAllowed" option to validate on single addresses in NetworkField
o plugins: os-bind 1.11
o plugins: os-dyndns 1.18 adds Linode support (contributed by eAndrew Gunnerson)
o plugins: os-freeradius 1.9.5
o plugins: os-frr 1.13
o plugins: os-ftp-proxy style updates only
o plugins: os-postfix 1.13
o plugins: os-rspamd 1.9
o plugins: os-theme-cicada 1.23 (contributed by Team Rebellion)
o plugin
19.7.7 (22 Nov 2019 11:41)
minor bugfix:
Here are the full patch notes:
o system: generate self-signed server certificate for web GUI by default
o system: let net.local.dgram.maxdgram default to 8192 bytes
o system: spawn Dpinger process in background to avoid hangs
o system: switch backup to Google API PHP client v2
o system: add interface groups to HA sync
o interfaces: remove the "Directly send SOLICIT" option
o firewall: fix issue with label parsing when "tag" keyword was involved
o firewall: skip empty lines in rule statistics parsing
o firmware: add /etc/remote to whitelist, NTP GPS uses it
o reporting: empty NetFlow egress default passes validation
o reporting: show dialog when RRD is disabled
o dhcp: fix for domain-search option in DHCPv6 (contributed by maurice-w)
o dnsmasq: fix storing settings when no settings exist yet
o intrusion detection: lower payload-buffer-size to prevent syslog size limit
o intrusion detection: fix issue with escaped file name during rules download
o unbound: exit wrapper when process not running
o web proxy: added check on SNI field checkbox (contributed by Northguy)
o mvc: fix forceReload()
o plugins: os-acme-client 1.28
o plugins: os-bind 1.10
o plugins: os-nginx 1.16
o plugins: os-nut 1.6
o plugins: os-postfix 1.12
o src: fix machine check exception on page size change
o src: bump libc syslog line size to 8k
o src: import tzdata 2019c
o ports: curl 7.67.0
o ports: libressl 3.0.2
o ports: openvpn 2.4.8
o ports: perl 5.30.1
o ports: phalcon 3.4.5
o ports: sqlite 3.30.1
o ports: squid 4.9
o ports: syslog-ng 3.24.1
19.7.6 (19 Nov 2019 11:44)
minor bugfix:
Here are the full patch notes:
o system: hook LDAP TLS support into system-wide trust file
o system: fix dpinger custom parameters not being honoured
o system: fix PHP core loop fail in tunables overview
o system: only allow P12 export if password confirmation matches
o interfaces: change PCAP download to binary file stream
o firewall: store reference to outbound NAT address instead of literal address
o firewall: add log message for scheduled firewall reload
o firmware: tie pkg dependency to core
o ipsec: allow EC keys for certificate-based secrets (contributed by Martin Strigl)
o ipsec: add support for public key authentication (contributed by Pascal Mathis)
o openvpn: server wizard existing CA use and server cert check (contributed by johnaheadley)
o backend: add run mode to pluginctl using JSON-based output
o ui: fix tokenizer reorder on multiple saves, second try
o plugins: os-acme-client 1.27
o plugins: os-bind 1.9
o plugins: os-nginx 1.15
o plugins: os-relayd 2.4 fixes protocol option migration (contributed by Frank Brendel)
o plugins: os-theme-cicada 1.22 (contributed by Team Rebellion)
o ports: ca_root_nss 3.47
o ports: php 7.2.24
o ports: python 3.7.5
o ports: sudo 1.8.29
19.7.5 (14 Oct 2019 10:07)
minor bugfix:
Here are the full patch notes:
o system: show all swap partitions in system information widget
o system: flatten services_get() in preparation for removal
o system: pin Syslog-ng version to specific package name
o system: fix LDAP/StartTLS with user import page
o system: fix a PHP warning on authentication server page
o system: replace most subprocess.call use
o interfaces: fix devd handling of carp devices (contributed by stumbaumr)
o firewall: improve firewall rules inline toggles
o firewall: only allow TCP flags on TCP protocol
o firewall: simplify help text for direction setting
o firewall: make protocol log summary case insensitive
o reporting: ignore malformed flow records
o captive portal: fix type mismatch for timeout read
o dhcp: add note for static lease limitation with lease registration (contributed by Northguy)
o ipsec: add margintime and rekeyfuzz options
o ipsec: clear dpdline correctly if not set
o ui: fix tokenizer reorder on multiple saves
o plugins: os-acme-client 1.26
o plugins: os-bind will reload bind on record change (contributed by blablup)
o plugins: os-etpro-telemetry minor subprocess.call replacement
o plugins: os-freeradius 1.9.4
o plugins: os-frr 1.12
o plugins: os-haproxy 2.19
o plugins: os-theme-cicada 1.21 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.21 (contributed by Team Rebellion)
o plugins: os-maltrail 1.2
o plugins: os-postfix 1.11
o plugins: os-rspamd 1.8
o plugins: os-sunnyvalley LibreSSL support (contributed by Sunny Valley Networks)
o plugins: os-telegraf 1.7.6
o plugins: os-tinc minor subprocess.call replacement
o plugins: os-tor 1.8 adds dormant mode disable option (contributed by Fabian Franz)
o plugins: os-virtualbox 1.0 (contributed by andrewhotlab)
o ports: ca_root_nss 3.46.1
o ports: curl 7.66.0
o ports: expat 2.2.8
o ports: openssl 1.0.2t
o ports: php 7.2.23
o ports: pkg 1.12.0
o ports: strongswan 5.8.1
o ports: suricata 4.1.5
o ports: syslo
19.7.4 (12 Sep 2019 09:53)
minor bugfix:
Here are the full patch notes:
o system: fix legacy remote logging with custom port
o system: regenerate CA bundle when modifying trusted authorities
o system: fix translation order of tunables description
o system: fix CARP maintenance mode bootup
o firewall: missing daily refresh on GeoIP type
o firewall: fix fetch of GeoIP alias if its name is same as its country
o reporting: auto-load required kernel modules for NetFlow
o reporting: allow setting NetFlow active/inactive timeout (contributed by Frank Brendel)
o captive portal: optimise ipfw rule parsing
o firmware: Homelab.no has been superseded by TerraHost mirror (contributed by Thomas Jensen)
o unbound: support file-based custom includes
o unbound: set absolute path to root.hints (contributed by h-town)
o plugins: os-bind 1.8 (contributed by ErikJStaab)
o plugins: os-dnscrypt-proxy 1.6 (contributed by ErikJStaab)
o plugins: os-etpro-telemetry 1.4
o plugins: os-theme-cicada 1.20 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.20 (contributed by Team Rebellion)
o ports: ca_root_nss 3.46
o ports: ldns 1.7.1
o ports: pcre2 10.33
o ports: php 7.2.22
o ports: phpseclib 2.0.21
o ports: unbound 1.9.3
19.7.3 (28 Aug 2019 13:59)
minor bugfix:
Here is the full list of changes:
o system: try all backups for automatic revert when config.xml is damaged
o system: do a system reset if all config.xml files are damaged
o system: only show tunables reboot hint when applying tunables (contributed by Northguy)
o system: use FQDN in system log remote messages
o system: add defunct gateways to GUI in disabled state
o interfaces: only allow VLAN parents that will work as VLAN parents
o interfaces: optionally promote/demote CARP on service status
o interfaces: CARP status page report with demotion level to avoid ambiguity
o firewall: revert problematic 19.7.2 change "unhide automatic interface-based output rules"
o firewall: restore automatic outbound NAT pre-19.7 behaviour which excludes gateways not configured and not dynamic
o firewall: add logging toggle to rules overview (contributed by johnaheadley)
o firewall: DHCPv6 relay would generate rules even if not enabled
o firmware: only do single-repository fingerprint verify defaulting to our OPNsense repository
o firmware: fix base and kernel package listing
o intrusion detection: show change message after toggle or save
o intrusion detection: rule download fix
o monit: add parent devices to interface list (contributed by Frank Brendel)
o monit: fix standard configuration migration (contributed by Frank Brendel)
o reporting: skip illegal NetFlow records in flow parser
o opendns: migrate update hook from DynDNS plugin to core to make it fully automatic
o backend: fix exception message string handling in Python 3
o backend: add help to pluginctl utility
o backend: configctl event handler support
o mvc: log API key when authentication failed
o ui: more consistent HTML (contributed by gisforgirard)
o ui: sidebar bug fix (contributed by Team Rebellion)
o ui: fix initFormAdvancedUI() on initial load
o plugins: os-acme-client 1.25
o plugins: os-bind 1.7
o plugins: os-dyndns 1.17 removes OpenDNS and fixes DyNS
o plugins: os-haproxy 2.18
o plugins: os-maltrail 1.1
19.7.2 (05 Aug 2019 15:03)
minor bugfix:
Here are the full patch notes:
o system: missing "" in legacy output via Syslog-ng
o system: fix writing gateway information for DNS servers
o system: allow gateway to work in DHCPv6 WAN when no router solicitation is available
o firewall: unhide automatic interface-based output rules
o firewall: unhide automatic non-interface-based floating rules
o firewall: lift length restriction in NAT rule description
o firewall: avoid newlines in rule descriptions
o firewall: only show usable addresses in NAT outbound rules
o interfaces: fix extended CARP output when parsing interface information
o interfaces: add more outputs to overview page to increase usefulness
o interfaces: use shared DHCP lease reader for ARP list
o captive portal: fix binary read issue in Python 3
o dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)
o firmware: handle file signature verify correctly with multiple fingerprint repositories
o firmware: Aivian mirror is no longer active
o firmware: Cloudfence mirror in Brazil added
o plugins: os-acme-client 1.24
o plugins: os-bind 1.6 (contributed by crazy-max)
o plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)
o plugins: os-grid_example 1.0
o plugins: os-helloworld Python 3 compatibility
o plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)
o plugins: os-sunnyvalley 1.0
o src: fix panic from Intel CPU vulnerability mitigation
o src: fix multiple telnet client vulnerabilities
o src: fix pts write-after-free
o src: fix kernel memory disclosure in freebsd32_ioctl
o src: fix reference count overflow in mqueuefs
o src: fix bhyve out-of-bounds read in XHCI device
o src: fix file descriptor reference count leak
o ports: libevent 2.1.11
19.7.1 (25 Jul 2019 14:36)
minor bugfix:
Here are the full patch notes:
o system: do not create automatic copies of existing gateways
o system: do not translate empty tunables descriptions
o system: remove unwanted form action tags
o system: do not include Syslog-ng in rc.freebsd handler
o system: fix manual system log stop/start/restart
o system: scoped IPv6 " " could confuse mwexecf(), use plain mwexec() instead
o system: allow curl-based downloads to use both trusted and local authorities
o system: fix group privilege print and correctly redirect after edit
o system: use cached address list in referrer check
o system: fix Syslog-ng search stats
o firewall: HTML-escape dynamic entries to display aliases
o firewall: display correct IP version in automatic rules
o firewall: fix a warning while reading empty outbound rules configuration
o firewall: skip illegal log lines in live log
o interfaces: performance improvements for configurations with hundreds of interfaces
o reporting: performance improvements for Python 3 NetFlow aggregator rewrite
o dhcp: move advanced router advertisement options to correct config section
o ipsec: replace global array access with function to ensure side-effect free boot
o ipsec: change DPD action on start to "dpdaction = restart"
o ipsec: remove already default "dpdaction = none" if not set
o ipsec: use interface IP address in local ID when doing NAT before IPsec
o web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen
o plugins: os-acme-client 1.24
o plugins: os-bind 1.6
o plugins: os-dnscrypt-proxy 1.5
o plugins: os-frr now restricts characters in BGP prefix-lists and route-maps
o plugins: os-google-cloud-sdk 1.0
o ports: curl 7.65.3
o ports: monit 5.26.0
o ports: openssh 8.0p1
o ports: php 7.2.20
o ports: python 3.7.4
o ports: sqlite 3.29.0
o ports: squid 4.8
19.7 (23 Jul 2019 05:20)
major feature:
These are the most prominent changes since version 19.1:
o List automatic firewall rules
o Statistics for all firewall rules
o Alias JSON import / export
o Optional statistics for aliases
o Firewall rule locator for live log and automatic rules
o Rewritten gateway handling and switching
o Remote logging via Syslog-ng
o LDAP group sync support
o Support certificate signing requests
o Route-based IPsec support (VTI)
o XMLRPC sync support for alias, VHID, widgets
o Unbound host overrides alias support
o Web proxy and IPsec authentication using PAM
o Parent web proxy support
o Web proxy login privilege via group
o Improved reliability and utility of opnsense-patch
o Dpinger and DHCP servers ported to plugin framework
o Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
o Spanish as a new language
o Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin
o Netmap update for VirtIO, VLAN child and vmxnet support
o Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4
19.1.10 (05 Jul 2019 08:36)
minor bugfix:
Here are the full patch notes:
o system: change certificate manager actions to POST
o system: fix account removal with missing "-g" option
o system: add dashboard widgets to XMLRPC sync
o firewall: fix live log rule label mismatch caused by optimisation
o firewall: fix alias import with alias references included
o firewall: change default sorting of aliases to names
o firmware: add homelab.no mirror (contributed by Thomas Jensen)
o intrusion detection: when toggling rules keep the current action
o intrusion detection: suppress mystery PHP 7.2+ warning in API
o intrusion detection: show SID in alert view
o web proxy: add cache reset button
o web proxy: correct syslog export
o plugins: os-dyndns 1.6 DigitalOcean support (contributed by Dune Heishman)
o plugins: os-etpro-telemetry Python 3 support
o plugins: os-frr 1.11
o plugins: os-nginx 1.14
o plugins: os-rspamd 1.7
o plugins: os-tinc Python 3 support
o ports: ca_root_nss 3.44.1
o ports: curl 7.65.1
o ports: libevent 2.1.10
o ports: libxml 2.9.9
o ports: libressl 2.9.2
o ports: phalcon 3.4.4
o ports: strongswan 5.8.0
o ports: unbound 1.9.2
19.1.9 (11 Jun 2019 08:13)
minor bugfix:
Here are the full patch notes:
o system: add LDAP group synchronisation feature
o system: allow an arbitrary group for sudo like ssh login
o system: stop using a lock around resolv.conf handling
o system: rename a number of service-related functions
o system: login not using cache-safe image yet
o system: add pluginctl -s support
o system: restyle config backup page
o system: fix log split view regression of 19.1.8
o interfaces: remove DHCPv6 on delete and clear config on IPsec assignment
o interfaces: small VIP restructure and IPv6 alias to IPv6 device
o interfaces: subtle changes in IPv6 and variable naming
o interfaces: add missing does_interface_exist() checks
o firewall: support multiple interfaces per NAT port forward rule
o captive portal: use "onestop" to stop service
o intrusion detection: missing header ID in alerts tab
o ipsec: remove remnants of gateway group interface selection
o ipsec: use indirect plugin calls in interface code
o openvpn: add live-search to longer lists in server page
o openvpn: support --cryptoapicert export (sponsored by m.a.x it)
o openvpn: correctly check for translation in get_carp_interface_status()
o openvpn: use waitforpid() to properly wait for instances to come up
o openvpn: translate GUI error values when returning them
o openvpn: revamp status page
o unbound: leases watcher file rotation issue
o web proxy: squid log in readable date format (contributed by nhirokinet)
o web proxy: fix non-local authentication regression of 19.1.7
o plugins: os-bind 1.5
o plugins: os-clamav 1.7
o plugins: os-dnscrypt-proxy 1.4
o plugins: os-dyndns Cloudflare wildcard domain support
o plugins: os-nginx 1.13
o plugins: os-openconnect 1.4.0
o plugins: os-redis 1.1
o plugins: os-rspamd 1.6
o plugins: os-theme-cicada 1.18 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.18 (contributed by Team Rebellion)
o ports: curl 7.65.0
o ports: lighttpd 1.4.54
o ports: python 3.7.3
o ports: openssl 1.0.2s
o por
19.1.8 (22 May 2019 08:29)
minor bugfix:
Here are the full patch notes:
o system: address CVE-2019-11816 privilege escalation bugs (reported by Arnaud Cordier)
o system: /etc/hosts generation without interface_has_gateway()
o system: show correct timestamp in config restore save message (contributed by nhirokinet)
o system: list the commands for the pluginctl utility when no argument is given
o system: introduce and use userIsAdmin() helper function instead of checking for 'page-all' privilege directly
o system: use absolute path in widget ACLs (reported by Netgate)
o system: RRD-related cleanups for less code exposure
o interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)
o interfaces: replace legacy_getall_interface_addresses() usage
o firewall: fix port validation in aliases with leading / trailing spaces
o firewall: fix outbound NAT translation display in overview page
o firewall: prevent CARP outgoing packets from using the configured gateway
o firewall: use CARP net.inet.carp.demotion to control current demotion in status page
o firewall: stop live log poller on error result
o dhcpd: change rule priority to 1 to avoid bogon clash
o dnsmasq: only admins may edit custom options field
o firmware: use insecure mode for base and kernel sets when package fingerprints are disabled
o firmware: add optional device support for base and kernel sets
o firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)
o ipsec: always reset rightallowany to default when writing configuration
o lang: say "hola" to Spanish as the newest available GUI language
o lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
o network time: only admins may edit custom options field
o openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure
o openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)
o openvpn: remove custom options field from wizard
o unbound: only admins may ed
19.1.7 (02 May 2019 13:37)
minor bugfix:
Here are the full patch notes:
o system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services)
o system: support for syncing alias and VHID to the slave
o system: cleanly rewrite CA root files and add local trusted CAs as well
o system: disable backup cron job when no backup is enabled
o system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri)
o system: migrate health graph scripts to Python 3.6
o interfaces: properly add and remove IPv6 trackers after interface apply
o interfaces: validate prefix ID of IPv6 trackers so that each ID is unique
o interfaces: display "0x" in prefix ID field so that it is clear that value is in hex
o interfaces: fix passing VLAN name in interface_virtual_create()
o interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters
o interfaces: allow link-local address on bridges via optional setting
o interfaces: PPP-related code cleanups
o firewall: prevent double-escaping of text in rules page
o firewall: handle IDNA encode failures in aliases
o firewall: alias import / export option
o captive portal: update to bootstrap 3.4.1
o captive portal: fix a race in directory creation and listClients()
o dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner)
o dhcp: merge static mac addresses with leases
o dhcp: prevent double-escaping of text in leases page
o firmware: add private log file for major upgrade package install step
o firmware: use a safer major upgrade package install mode
o firmware: retain /etc/motd on base updates
o ipsec: implemented wildcard includes (contributed by Mark Plomer)
o ipsec: only apply mobile PFS to mobile phase 2
o ipsec: restyle mobile settings a little
o ipsec: switch XAuth to PAM
o ipsec: partial fix for static routes on routed tunnels during boot
o network time: reload RRD since NTP has a setting for it
o web proxy: fix PAC weekday match labels
19.1.6 (12 Apr 2019 14:46)
minor bugfix:
Here are the full patch notes:
o system: let dashboard only accept its own POST requests
o system: remove obsolete symlink to opnsense-auth
o system: skip PHP E_WARNING log level until 19.7
o system: numerous PHP 7.2 warning fixes
o dhcp: DHCPD server check in relay only if interface is active
o dnsmasq: skip empty custom options
o intrusion prevention: do not drop flowbits:noalert rules
o unbound: add ACL entries for OpenVPN by default
o mvc: controller cleanups in firewall shaper, web proxy and captive portal
o plugins: numerous PHP 7.2 warning fixes
o plugins: os-freeradius 1.9.2 fixes LDAP group filter and EAP certificates write (contributed by Alexander Harm)
o plugins: os-nginx 1.11
o ports: php 7.2.17
o ports: py-certifi 2019.3.9
19.1.5 (08 Apr 2019 05:36)
minor bugfix:
These are the full patch notes:
o system: improve gateway status return when monitoring is off
o system: warn user about future deprecation of "user-config-readonly" privilege
o system: support certificate signing requests (contributed by nhirokinet)
o system: syslog does not need to do a background startup since it backgrounds itself
o system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz)
o system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri)
o interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys)
o interfaces: take all unknown arguments as real interfaces in interfaces_addresses()
o interfaces: optionally allow interfaces_addresses() to emit subnets instead of addresses
o interfaces: move mpd.script to new location (may require interface reconfigure)
o firewall: proper locking of aliases before config action on delete
o firewall: correctly set outbound NAT destination as network
o firewall: add support for DSCP in shaper (contributed by Michael Muenz)
o firewall: add support for IDN in aliases (contributed by Smart-Soft)
o captive portal: allow access to this host (contributed by Fredrik Ronnvall)
o firmware: fix parsing of packages in multi-repo env and revoked fingerprint message
o firmware: add University of Kent to the firmware mirrors
o ipsec: only use explicit reqid when using route-based interfaces
o ipsec: correctly set install policy option on newly created phase 1 entries
o ipsec: improve split DNS and INTERNAL_DNS_DOMAIN configuration
o ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin)
o ipsec: properly quote UNITY_BANNER for multi-line support
o ipsec: support for dynamic remote gateways
o monit: add migration/validation for service/test type dependency (contributed by Frank Brendel)
o monit: added missing "not on" label
o openvpn: support static-challenge formatted password
o openvpn: properly load custom config field in exporter
o openvpn:
19.1.4 (12 Mar 2019 11:44)
minor bugfix:
Here are the full patch notes:
o system: remove erroneously translated hostname example (contributed by nhirokinet)
o firewall: fix validation regression in outbound NAT introduced in 19.1.3
o firewall: mock labels for NAT rules in live log as pf does not offer label support
o interfaces: do not background LAGG ifconfig destroy
o installer: revert to use network connection to allow CTRL+C and resume
o ipsec: added Virtual Tunnel Interface (VTI) support
o unbound: fix nested statistics items read
o mvc: remove old Phalcon volt template workarounds from when scopes were broken
o mvc: fix bug in model relation field values merge
o plugins: os-zabbix4-proxy PSK directory fix (contributed by Michael Muenz)
o plugins: os-telegraf missed invoke of setup.sh
o plugins: os-frr adds validator to OSPF prefix lists (contributed by Michael Muenz)
o plugins: os-dmidecode 1.1 fixes data parsing (contributed by Smart-Soft)
o plugins: os-nginx 1.9
o src: do not pass pf(4) IPv6 fragments with malformed extension headers (reported by Synacktiv)
o src: revert upstream commit "protect the kernel text, data, and BSS" to fix certain UEFI boots
o ports: monit 5.25.3
o ports: ntp 4.2.8p13
o ports: php 7.1.27
o ports: suricata 4.1.3
19.1.3 (08 Mar 2019 10:01)
minor bugfix:
Here are the full patch notes:
o system: improve LDAPS mode and related authentication cleanups
o system: move enable checkbox to the top in remote logging settings
o system: allow reset of tunables to factory defaults
o system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1)
o firewall: allow explicitly setting source hash key in outbound NAT (contributed by Fredrik Ronnvall)
o interfaces: probe media before applying new settings
o interfaces: correctly compare MAC addresses
o dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner)
o firmware: move duty to return the correct set name / ID to opnsense-version
o firmware: finally revoke 18.7 fingerprint
o intrusion detection: minor template cleanups using helpers.empty()
o ipsec: peer identifier can now fall back to remote-gateway in manual SPD entries
o ipsec: allow easier override of colours in widget (contributed by Fabian Franz)
o monit: add validation for test type (contributed by Frank Brendel)
o openvpn: add auth-nocache option in exporter
o openvpn: validate certificate type for servers
o unbound: add host overrides alias support
o web proxy: add auth to parent proxy (contributed by Michael Muenz)
o backend: add helpers.empty() in configd
o mvc: simplify save / close / cancel button labels
o mvc: add sorting for field list types
o rc: move all template generation to early stage
o ui: improve escaping of displayed data in static pages
o ui: escape button values in static pages
o ui: avoid short PHP tags
o plugins: os-dnscrypt-proxy 1.3
o plugins: os-frr brings in missing area range code
o plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz)
o plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion)
o plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion)
o plugins: os-vnstat /var MFS fix
o plugins: os-zabbix4-proxy 1.0 (contributed by Michael Muenz)
o ports: openssl 1.
19.1.2 (07 Mar 2019 06:29)
minor bugfix:
Here are the full patch notes:
o system: move session files into their own directory (forces the current sessions to expire)
o system: add validation check for time period for Dpinger (contributed by Team Rebellion)
o system: hide "show certificate info" button of pending CSR (contributed by nhirokinet)
o system: move opnsense-auth to libexec, but keep a symlink in sbin directory
o system: escaping issue in gateway edit page
o system: fix ACL for halt and reboot pages
o firewall: fix alias entry replacement in utility page
o firewall: prevent new alias creation when adding an address
o firewall: capture "nat" traffic like we do for "rdr" in live log
o firewall: escaping issues in schedule edit page
o interfaces: push dhclient and dhcp6c log messages to system log
o interfaces: write all nameservers via dhclient-script in multi WAN scenarios
o interfaces: check for valid alias IP in dhclient-script
o interfaces: 6RD interface naming back to 18.7 to sidestep character limits on stacked setups
o interfaces: avoid reading empty interface configurations
o firmware: bootstrap rework for HTTPS repository URL
o firmware: patch cache and assorted improvements
o firmware: minor update utility cleanups
o firmware: remove compatibility stubs for pre-19.1 version reads
o firmware: show revoked package mirror error in GUI if applicable
o firmware: bump RageNetwork mirror to HTTPS
o firmware: be more careful about parsing version info
o dhcp: fix behaviour of determining primary/secondary (contributed by Fredrik Ronnvall)
o intrusion detection: set stream.inline: true as an IPS workaround for a Suricata 4.1 regression
o intrusion detection: support required rules/files in metadata package
o intrusion detection: less extensive logging
o ipsec: fix escaping issue in mobile page
o monit: fix address validation
o openvpn: obey verify-x509-name for remote access (user auth)
o openvpn: proper daemonize instead of background job
o openvpn: extract full CA chain for setup
o openvpn: m
19.1.1 (06 Feb 2019 07:21)
minor bugfix:
Here are the full patch notes:
o system: address XSS-prone escaping issues
o firewall: add port range validation to shaper inputs
o firewall: drop description validation constraints
o interfaces: DHCP override MTU option (contributed by Team Rebellion)
o interfaces: properly configure SIM PIN on custom modems
o reporting: prevent cleanup from deleting current data when future data exists
o ipsec: allow same local subnet if used in different phase 1 (contributed by Max Weller)
o openvpn: multiple client export fixes
o web proxy: add ESD files to Windows cache option (contributed by R-Adrian)
o plugins: os-acme-client 1.20
o plugins: os-dyndns fix for themed colours (contributed by Team Rebellion)
o plugins: os-etpro-telemetry 1.1 adds random delay to telemetry data send
o plugins: os-nginx 1.7
o plugins: os-rspamd reads DKIM keys via Redis (contributed by Garrod Alwood)
o plugins: os-theme-cicada 1.14 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.13 (contributed by Team Rebellion)
o ports: ca_root_nss 3.42.1
o ports: lighttpd 1.4.53
o ports: py-requests 2.21.0
19.1 (04 Feb 2019 09:45)
major feature:
These are the most prominent changes since version 18.7:
o fully functional firewall alias API
o PIE firewall shaper support
o firewall NAT rule logging support
o 2FA via LDAP-TOTP combination
o WPAD / PAC and parent proxy support in the web proxy
o P12 certificate export with custom passwords
o Dpinger is now the default gateway monitor
o ET Pro Telemetry edition plugin
o extended IPv6 DUID support
o Dnsmasq DNSSEC support
o OpenVPN client export API
o Realtek NIC driver version 1.95
o HardenedBSD 11.2, LibreSSL 2.7
o Unbound 1.8, Suricata 4.1
o Phalcon 3.4, Perl 5.28
o firmware health check extended to cover all OS files, HTTPS mirror default
o updates are browser cache-safe regarding CSS and JavaScript assets
o collapsible side bar menu in the default theme
o language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
o API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat and Dnscrypt-proxy plugins
18.7.10 (08 Jan 2019 08:27)
minor feature:
Here are the full patch notes:
o system: P12 certificate export now allows specifying a password
o system: allow plain IPv6 for LDAP and RADIUS host
o system: properly sort columns with size units in activity page
o system: remove references to "automatic" in HA help texts
o system: add option to only show temperature of one core in widget
o system: speed up isArraySequential()
o system: introduce configdp_run() variant
o system: assorted code cleanups
o interfaces: only show name servers offered by individual link in status page
o interfaces: DUID-LL generator fix (contributed by Team Rebellion)
o interfaces: show disabled and virtual interfaces in groups
o interfaces: change wireless page interface iterators
o interfaces: change LAGG page interface iterators
o interfaces: remove unused get_dns_servers()
o interfaces: assorted code cleanups
o firewall: fix an exception error in alias config read
o firewall: fix typo in outbound NAT destination help text
o firewall: rename "Localhost" to "Loopback" for clarity in virtual IP pages
o firewall: unify anti-lockout behaviour to match rules and GUI display
o firewall: switch to tokenizer for shaper source and destination fields
o firewall: fix alias utility issue when adding into empty alias
o firewall: correct alias name limit to 31 characters
o firewall: bring back auto-complete for nested aliases
o firewall: NAT rules on reflection for port forwards only when address exists on interface
o firewall: lower bogon download retry attempts to 3
o firewall: schedule JS code update
o captive portal: add setting to always send accounting requests
o captive portal: assorted code cleanups
o dhcp: DHCPv6 leases not always correctly displayed (contributed by Team Rebellion)
o dhcp: override IPv6 PD range fix (contributed by Team Rebellion)
o dhcp: switch subnet verification to new network interface retrieval
o firmware: individual error messages during base and kernel installation
o firmware: obsolete set usage has been removed, e
18.7.9 (13 Dec 2018 07:45)
minor feature:
Here are the full patch notes:
o system: allow setting alternative names on CSR
o system: add link-local routes with correct scope
o system: fix LDAP import button for Firefox
o system: assorted cleanups in HTML and PHP code
o interfaces: add note about CGN addresses included in private range
o interfaces: fix checksum disable for IPv6 TX / RX flags
o interfaces: multiple type DUID support (contributed by Team Rebellion)
o interfaces: properly read and write dhcp6c DUID binary file
o interfaces: do not read VLAN capabilities from nonexistent interfaces
o interfaces: removal of PEAR.inc from IPv6 address library
o interfaces: assorted cleanups in HTML and PHP code
o firewall: only suffix subnet alias entry when a network is expected
o firewall: default alias protocol to both IPv4 and IPv6
o firewall: fix validation of outbound NAT destination alias
o firewall: fix performance regression in get_alias_description()
o firewall: repair defunct "no nat proto carp all" rule
o firewall: limit type to CARP when checking for VIP VHID reuse
o firewall: refactor subnet retrieval in VIP deletion
o firewall: display VHID for IP alias in overview
o firewall: DHCPv6 outgoing firewall rule changed to "from (self)" to fix static setups
o firewall: rearranged outbound NAT bottom symbol hints (contributed by Team Rebellion)
o firewall: ignore empty values in alias migration (contributed by Frank Wall)
o firewall: assorted cleanups in HTML and PHP code
o captive portal: work around service boot ordering issue
o captive portal: change "onestop" to "stop" in backend action
o dnsmasq: add DNSSEC option
o dnsmasq: assorted cleanups in HTML and PHP code
o dhcp: show lease count in page heading
o dhcp: refactor IPv6 subnet read
o dhcp: fix DDNS IPv6 algorithm use
o dhcp: assorted cleanups in HTML and PHP code
o firmware: opnsense-version can now handle kernel, base and plugin metadata
o firmware: when pkg needs to be updated do not prompt for base and kernel set
o firmware: use embedded obso
18.7.8 (23 Nov 2018 06:17)
minor feature:
Here are the full patch notes:
o system: show the actual validation messages for NextCloud backup constraints
o system: LDAP import button primary colour and prevent default page submit
o system: add LDAP+TOTP authentication variant (2FA)
o system: avoid silent fatal error when LDAP OUs could not be retrieved
o system: avoid duplicated cookies on login page by not closing session
o system: allow to fully disable misc. reboot failsafe backups
o system: switch default argument for return_gateways_status()
o system: add "Synchronize config to backup" button to HA status page
o system: disable help text expand when backup fields have no help text
o system: sort user and group lists alphabetically
o interfaces: add CARP info to legacy_interfaces_details()
o interfaces: removal of find_interface_subnet() and find_interface_subnetv6()
o interfaces: introduce find_interface_network() and find_interface_networkv6()
o interfaces: refactor find_interface_ip() and find_interface_ipv6()
o interfaces: fix and use ipaddr6_ll return value in find_interface_ipv6_ll()
o firewall: extend outbound NAT address source and destination with networks
o firewall: fix save error when alias name contains an underscore
o firewall: do not set days or hours when update frequency is empty
o firewall: increase resolve() performance for aliases
o firmware: change packaging to be able to place files in the root directory
o reporting: fix possible division by zero in NetFlow aggregator
o dhcp: reorder arguments of function services_dhcpd_configure()
o dhcp: consolidate service probe of IPv6 and router advertisement daemons
o dhcp: fix clear hook on log file delete
o importer: make clear that /conf/config.xml is required for any import to take place
o monit: add quotes and timeout to custom program path (contributed by Frank Brendel)
o monit: add SSL options to mail server connection (contributed by Frank Brendel)
o network time: improve GPS status parsing
o openvpn: add remote address as route when s
18.7.7 (08 Nov 2018 19:00)
minor feature:
Here are the full patch notes:
o system: CVE-2018-18958 prevent restore of configuration by read-only user (reported by brainrecursion)
o system: prevent related read-only user configuration manipulation for history and defaults pages
o system: prevent several creative ways to strip read-only privileges in the user and group manager
o system: allow wildcards in certificate subject alternative name
o system: avoid direct global access in routing setup
o system: do not offer root-only opnsense-shell to non-root users
o system: remove FreeBSD 10 password workaround
o interfaces: use pure jquery to avoid browser-specific behaviour
o interfaces: nonfunctional cleanups in backend and interface GUI configuration
o interfaces: clear the correct IPv6 state files on interface down
o interfaces: wait for PPPoE to fully exit on interface down
o firewall: fix port alias conversion under new API
o firewall: missing filter reload for port alias types
o firewall: missing "other" type in VIP network expand
o firewall: disabled alias should leave us with an empty one
o firewall: category for "United States" moves from Pacific to America
o firewall: resolve outbound NAT interface address in kernel
o dhcp: only map enabled interfaces in IPv4 leases
o dhcp: interface iteration code cleanups
o dhcp: do not hand out IPv6 system DNS servers when Unbound or Dnsmasq are used
o dhcp: IPv6 PD in manual DHCPv6 case (contributed by Team Rebellion)
o dhcp: correctly merge prefix for IPv6 static leases in manual DHCPv6 case (contributed by Raimar Sandner)
o firmware: add log file for package manager output
o monit: use theme override for widget CSS (contributed by Fabian Franz)
o ntp: internal cleanup of function argument order
o rc: improvements in service startup scripting
o rc: print date and time after successful boot
o unbound: disable redirect type until fixed
o web proxy: fix typo in description of upload caps (contributed by Juan Manuel Carrillo Moreno)
o shell: stop router adve
18.7.6 (29 Oct 2018 08:20)
minor feature:
Here are the full patch notes:
o firewall: resolve interface address ":0" for port forwarding in kernel
o firewall: list action corrections (contributed by Thomas Bandixen)
o firewall: add support for the PIE shaper (contributed by Michael Muenz)
o firewall: migrate to new alias API including a new failsafe
o firewall: repair log widget for plugin themes
o interfaces: do not remove CARP addresses on link-down
o interfaces: get pfsync MTU from actual CARP interface
o interfaces: add backend call returning all interface data
o interfaces: partially rewrite ping, port and traceroute tools
o interfaces: improve IPv6 merging in make_ipv6_64_address()
o interfaces: use correct IPv6 interface where appropriate
o interfaces: replace get_configured_interface_list() usage
o interfaces: small refactoring around interface up and down code
o system: cleanups in utility and config functions
o captive portal: added connect action in API (contributed by zvs44)
o firmware: move build-time version information to core version file
o firmware: rename backend script "audit" to "security" for clarity
o ipsec: bring back service widget lost back in 2016
o monit: change status page to support easier CSS styling
o unbound: set up a full chroot including local log socket
o unbound: replace custom msort() function with standard function
o unbound: use correct IPv4 or IPv6 interface for address lookups
o webgui: use interfaces_addresses() for interface binding
o mvc: show an error message on failed model migrations
o mvc: refactor __items access via iterateItems()
o mvc: accept style keyword on all input types
o mvc: improved menu API endpoint integration
o plugins: os-bind adds 4 new blacklist providers (contributed by Michael Muenz)
o plugins: os-dyndns validates custom updates solely for URL input
o plugins: os-nginx 1.3 correctly sets upstream headers (contributed by Fabian Franz)
o plugins: os-theme-cicada 1.6 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.7 (contributed
18.7.5 (19 Oct 2018 06:51)
minor feature:
o system: add (de)select all option in LDAP importer
o firewall: keep previous content for URL alias on fetch error
o firewall: make schedule icon reflect current schedule state (contributed by framer99)
o firewall: toggle and migration fix for upcoming alias API
o firewall: round-robin limitation is for host alias outbound NAT only
o firewall: resolve network addresses in kernel for static routes bypass option
o firewall: do not clean up visible records when limit was not reached
o firewall: do not hardcode live log pass / block colours
o firewall: add live log direction icons
o firmware: shorten shaper name and assorted cleanups
o firmware: fix upgrade compatibility with FreeBSD 11.2
o firmware: use opnsense-version where appropriate
o firmware: correctly translate GUI buttons (contributed by Smart-Soft)
o dnsmasq: use more robust approach to interface binding
o ipsec: more secure phase 1 default settings (contributed by Michael Muenz)
o ipsec: support for multiple phase 1 DH groups and hashes
o openvpn: option to match CSO against common_name or login (contributed by Fabio Prina)
o unbound: fix usage of the remote control backend calls
o unbound: remove faulty "DHCP" label hint for IPv6 link-local registration option
o web proxy: several corrections for PAC template
o backend: fix CPU hogging when reading on already disconnected streams
o mvc: speed up parsing very large config files
o mvc: add single select constraint
o mvc: add UUID field to the result of addBase (contributed by CJ)
o ui: sidebar UX improvements (contributed by Team Rebellion)
o ui: use single guillemets for previous/next page
o plugins: os-acme-client /var MFS awareness
o plugins: os-cicada 1.5 (contributed by Team Rebellion)
o plugins: os-collectd 1.2 makes hostname override optional (contributed by Michael Muenz)
o plugins: os-dyndns 1.10 adds CloudFlare IPv6 support (contributed by Charles Ulrich)
o plugins: os-net-snmp 1.2 adds write access for users (contributed by Michael Muenz)
o plugin
18.7.4 (28 Sep 2018 05:40)
minor feature:
Here are the full patch notes:
o system: correctly unset DNS override allow setting when saving
o system: remove unused / default arguments from get_possible_listen_ips()
o system: note that HA disable preempt requires reboot (contributed by Michael Muenz)
o interfaces: add static IPv6 correctly when on top of PPPoE (contributed by Team Rebellion)
o interfaces: lower MTU via tracked IPv6 interface MTU
o interfaces: 6RD IPv4 prefix override is now prefix-only
o firewall: also show scheduler info in shaper status (contributed by Michael Muenz)
o firmware: introduce opnsense-version utility and fully template build metadata
o firmware: annotate HTTP(S) status in mirrors in descriptions
o firmware: avoid base upgrade error when /proc is mounted
o monit: change mail format field for alerts to text area (contributed by Frank Brendel)
o openssh: further tweak new interface bind approach introduced in 18.7.3
o openvpn: change abbreviated column title to "Bytes Received" (contributed by Andy Binder)
o web proxy: support WPAD / PAC (contributed by Fabian Franz)
o ui: minified sidebar improvements (contributed by Team Rebellion)
o ui: introduce cache_safe() to invalidate browser cache after updates
o plugins: os-dyndns wildcard support for Namecheap
o plugins: os-ntopng 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.2 allows "@" in username (contributed by Michael Muenz)
o plugins: os-relayd 2.3 fixes stuck scheduler value (contributed by Frank Brendel)
o plugins: os-snmp compatibility fixes for version detection and listen interface core changes
o plugins: os-theme-cicada 1.4 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.6 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.3 (contributed by Team Rebellion)
o plugins: os-tor 1.7 allows to enable directory page (contributed by Fabian Franz)
o plugins: os-upnp compatibility fixes for version detection core changes
o src: fix out-of-bounds read vulnerability in libarchive
o src: update
18.7.3 (19 Sep 2018 07:27)
minor feature:
Here are the full patch notes:
o system: gateways widget show/hide feature (contributed by Team Rebellion)
o system: select correct IPv6 default route when underlying IPv6 interface differs
o system: extended meta-matching for special characters in ACL patterns
o system: show last diff by default in configuration history page
o system: refactor password logic in user manager for clarity
o system: link-local listen IPv6 requires reading underlying IPv6 interface
o interfaces: avoid boot mismatch on several virtual plugin devices
o interfaces: list widget show/hide feature (contributed by Team Rebellion)
o interfaces: stats widget show/hide feature (contributed by Team Rebellion)
o interfaces: stop wireless software before bringing down the interfaces
o interfaces: fix selection issue for DHCPv6 PD "none" value
o interfaces: make "64" the page default for DHCPv6 PD
o interfaces: allow IPv4 address override in 6RD
o interfaces: fix 18.7.2 gateway read regression in 6RD
o interfaces: give each 6RD tracker a different IPv6 address
o dhcp: add DHCP Dynamic DNS key algorithm selection (contributed by Ingo Theiss)
o dhcp: correctly load DHCPv6 settings in manual tracking (contributed by Team Rebellion)
o dhcp: do not show lease actions if interface cannot be found
o dhcp: unhide DHCPv6 service when not using automatic PD
o dnsmasq: annotate that "all" is the recommended interface binding option
o importer: list all available ZFS pools (contributed by Smart-Soft)
o importer: do not try to unload ZFS on ZFS boot, sanely rejected anyway ;)
o importer: ZFS pools are now addressed as e.g. "zfs/zroot"
o importer: always loop until exit or successful import
o intrusion detection: source, destination, pass support in user rules (contributed by Michael Muenz)
o ipsec: change hash checkboxes in phase 2 to selectpicker
o openssh: change interface bind logic to only bind to currently available addresses
o openvpn: align status columns for client and P2P case (contributed by Andy Binde
18.7.2 (07 Sep 2018 07:11)
minor feature:
Here are the full patch notes:
o system: select correct network interface in case of IPv6 gateway lookups
o system: tighten system wizard ACL and menu registration
o system: do not wrap first column of log viewer (contributed by Alexander Graf)
o firewall: return alias types to repair its outbound NAT rule edit
o firewall: hide NAT redirect target port when port is not applicable
o firewall: alias API is now live on the development version and will migrate your aliases to the new format
o interfaces: allow explicit MTU to reach the 6RD device
o interfaces: remove use of adv_dhcp6_prefix_interface_statement_sla_id (contributed by Team Rebellion)
o interfaces: fix for DHCPv6 not being restarted for tracked interfaces (contributed by Team Rebellion)
o interfaces: fix adding interfaces LAN bug of translated web GUI (contributed by Werner Fischer)
o interfaces: remove incorrect display of prefix ID in help text for tracking configuration
o interfaces: add groups to interface details output
o interfaces: remove unused code and other nonfunctional cleanups
o interfaces: use "x" in the list widget for no carrier
o interfaces: hide global IPv6 address in list widget if DHCPv6 is set to use only a prefix
o dhcp: remove unused inputs from static mapping page
o dhcp: treat EFI BC the same as EFI x86-64 (contributed by andi-makandra)
o ipsec: add automatic key exchange option
o openvpn: fix /32 host validation logic
o openvpn: clean up control sockets prior to startup
o openvpn: align user authentication to use common_name as username
o mvc: add iterateItems() method to base field type to simplify call flow
o mvc: fix configd asList helper (contributed by Fabian Franz)
o mvc: add configd XML attributes to template parser
o ui: allow version query to match on main.css probing
o ui: footer cleanups and static page repairs where boxing was not correct
o ui: no minified version for tokenize2
o ui: fix table headers in dialogs (contributed by Fabian Franz)
o plugins: os-bind 1.1 add
18.7.1 (22 Aug 2018 08:28)
minor feature:
Here are the full patch notes:
o system: hide web server info from server tag
o system: fix group privileges edit menu hint
o system: add text area field to backup framework (contributed by Joao Vilaca)
o interfaces: use NIC preference for VLAN hardware filtering in default config
o interfaces: router advertisement and DHCPv6 configure fix (contributed by Team Rebellion)
o interfaces: fix PD when using DHCPv6 override on tracked interface
o firewall: toggle filter and NAT rules using checkboxes
o firewall: add state-policy if-bound option
o firewall: added logging for tracing internal rule generator
o firewall: fix ordering issue in port validation and disable
o firewall: fix disabled reject action icon display (contributed by framer99)
o captive portal: fix usage of vouchers and group with spaces in their names
o captive portal: hide web server info from server tag
o dnsmasq: fix listening behaviour on empty but set interface selection
o firmware: remove the 18.1 update fingerprint and pre-18.7 config file fallback
o firmware: do not show development version changelogs in releases
o intrusion detection: reworked rule selection
o ipsec: use selectpicker in mobile page
o ipsec: add Brainpool EC groups
o openvpn: do not remove client specific override files on disconnect
o openvpn: do not create v6 gateway if disabled
o shell: omit ":" from SSL fingerprint display
o unbound: fix menu access for overrides
o wizard: fix root password input
o backend: call shutdown before close in background daemon
o mvc: cause data from callback_ok to be passed through (contributed by Nicholas de Jong)
o mvc: minor glitch in getFormData(): ignore empty id fields
o mvc: do not offer internal interfaces in generic interface selector
o mvc: handle validations better by removing duplicate messages
o mvc: fix two glitches in new tokenize field handling
o mvc: add numeric field type
o rc: update php.ini include paths (contributed by Joao Vilaca)
o ui: fix spacing of containers in sta
18.7 (01 Aug 2018 07:33)
major feature:
These are the most prominent changes since version 18.1:
o improved WAN DHCPv6 and SLAAC connectivity and tracking
o functional IPv6 Rapid Deployment (6RD) support
o improved default route handling and gateway switching
o OpenVPN default setup improvements for IPv6 and RADIUS attribute support
o Dpinger gateway monitoring integration
o password policies for local authentication and coupled TOTP
o Monit core integration to eventually replace the legacy notifications
o OpenSSH access via group and shell selection instead of privilege
o pluggable backup framework with new Nextcloud option
o system tunables are now also used as loader tunables
o unrestricted VLAN usage for e.g. Xen
o QinQ interface removal
o firmware GUI speedup, improved error parsing and console reboot hint
o ZFS on root boot support (installer support is pending, but opnsense-bootstrap works)
o ZFS and MSDOS config import support
o ISC DHCP version moves from 4.3 to 4.4
o RRDtool version moves from 1.2 to 1.7
o rework rc.syshook facility to use drop-in directories instead of suffixes
o backports of FreeBSD 11.2 Intel NIC drivers
o stand-alone frontend UI development tools
o language updates for Czech, French, German, Portuguese (Brazil)
o UI header security and SSL cipher hardening
o extensive UI cleanups and menu consolidation
o new and rewritten plugins: os-cache, os-lcdproc-sdeclcd, os-net-snmp, os-nut, os-openconnect, os-relayd 2.0, os-shadowsocks, os-theme-cicada, os-theme-rebellion, os-theme-tukan, os-wol 2.0
18.1.13 (26 Jul 2018 14:40)
minor feature:
Here are the full patch notes:
o system: restart syslog when interface bind addresses may have changed
o system: remove unused action_disable setting in gateway monitoring
o firmware: new mirror Dataroute (Dusseldorf, DE)
o ntp: typo in SiRF selection
o openvpn: translate validated field names
o rc: unset rcvar before evaluation (contributed by Nicholas de Jong)
o installer: give basic tip that GUI IP can be set in console after install (contributed by stilez)
o plugins: os-theme-cicada 1.2 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.2 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.1 (contributed by Team Rebellion)
o ports: suricata 4.0.5
18.1.12 (19 Jul 2018 05:50)
minor feature:
Here is the full list of changes:
o system: improve local account expire cron job to also flush passwords and SSH keys
o system: show fingerprint in certificate details (contributed by Robin Schneider)
o system: fix NextCloud file name format (contributed by Fabian Franz)
o system: allow remote backup via cron command
o interfaces: allow /0 to /32 in 6rd and align prefix length calculation with effective prefix used
o firewall: do not trigger rules scheduling if scheduled rule is disabled
o firewall: allow to select external aliases
o firewall: ignore namelookup when no nameservers are configured
o dashboard: remove tooltips from CPU widgets (contributed by Team Rebellion)
o dashboard: add date to large CPU widget data
o firmware: add Aalborg University mirror
o intrusion detection: add missing classification category
o ipsec: add mutual RSA and EAP-MSCHAPv2 support
o wizard: make clear that "admin password" means "root password"
o ui: when JQuery Bootgrid rowselect is enabled the click event is triggered twice
o mvc: switch from the default _GET '_url' to _SERVER 'REQUEST_URI' and let Phalcon handle the routing
o mvc: dynamic urls regardless if you have a trailing slash or not (contributed by Max Orelus)
o mvc: multiselect may allow empty option, no need to give blank item too
o mvc: add support for application specific field types
o ui: top level menu item link pivots and security improvements (contributed by Max Orelus)
o plugins: os-net-snmp 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.1 (contributed by Michael Muenz)
o plugins: os-web-proxy-sso UI fixes (contributed by Smart-Soft)
18.1.11 (03 Jul 2018 08:29)
minor feature:
Here are the full patch notes:
o system: enforce full password policy check for local passwords including TOTP
o system: add RFC 7919 DH parameter files for upcoming 18.7 feature
o system: add 3072-bit RSA key length options to certificates (contributed by Justin Coffman)
o system: move auto-cron jobs to plugin files
o interfaces: refactor reload handling around interfaces_configure()
o interfaces: allow private addresses in 6RD
o interfaces: check existence of "status" (contributed by Tian Yunhao)
o reporting: add NetFlow/Insight database force repair function
o dhcp: update from ISC version 4.3 to 4.4
o importer: allow ZFS import for upcoming 18.7 ZFS installer feature
o importer: allow import from simple MSDOS USB drives
o intrusion detection: add app detect rules (contributed by Michael Muenz)
o rc: suppress message of service not enabled on NetFlow backup
o rc: use exec in /etc/rc and /etc/rc.shutdown hooks
o rc: rework rc.syshook facility to be driven by directories and not suffixes
o unbound: remove defunct unbound_statistics() function
o plugins: os-postfix 1.4 advanced force recipient check (contributed by Michael Muenz)
o plugins: service start corrections for accompanying rc.syshook changes
o src: incorrect TLB shootdown for Xen-based guests
o src: lazy FPU state restore information disclosure
o src: enable usage of locate(1) utility
o ports: isc-dhcp 4.4.1
o ports: php 7.1.19
o ports: unbound 1.7.3
18.1.10 (26 Jun 2018 06:21)
minor feature:
Here are the full patch notes:
o system: provide default for user language
o system: do not allow spaces in group names
o system: dpinger gateway monitor option (contributed by Team Rebellion)
o system: prepare for upcoming DH parameter regeneration feature
o system: Nextcloud backup support (contributed by Fabian Franz)
o system: userid 0 has trouble with s in redirects, use d instead
o system: QR code quiet zone support
o system: add selectpicker style where previously missing
o firmware: allow both origin.conf and OPNsense.conf to be used for repository setup
o firmware: exclude password database files from base update as it breaks sudo
o interfaces: clean up reload structure for single interfaces
o interfaces: remove unused interface reload script
o interfaces: simplify semantics of link_interface_to_track6()
o interfaces: assorted cleanups in the code
o firewall: add enable flag to shaper rules
o firewall: improve parsing speed of firewall log
o firewall: fix wrong alias reference in outbound rules
o firewall: generate ipfw comments for debugging (contributed by Robin Schneider)
o firewall: move color settings from schedules to theme (contributed by Fabian Franz)
o intrusion detection: correct typo in CSS
o openvpn: raise default DH parameter to 2048 bit
o console: pass output of stop scripts to user during halt/reboot
o console: clarify that installer is for installing when SSH is off also
o rc: change NetFlow backup to only stop/start when needed
o rc: backup and restore via XML files again
o rc: slightly refactor halt/reboot/shutdown
o rc: break out config stop script
o rc: simplify configctl plumbing
o ui: add country flags for upcoming changes in GeoIP handling
o ui: trigger onChange event to support custom hooks in form post
o ui: change multi-select default from tokenizer to selectpicker
o ui: add support for custom separators in select items
o plugins: test for template scripts before executing them
o plugins: os-acme-client fixes password field
18.1.9 (01 Jun 2018 14:29)
minor feature:
Here is the full list of changes:
o firewall: advanced option to reset states on IPv4 change
o interfaces: rename wancfg to lancfg in tracking code
o interfaces: further simplifications for dhclient usage
o reporting: add logging to database repair stage
o reporting: Insight click event issue
o system: use uppercase gateway names for compatibility
o system: gateway alert script always returns true
o system: align static ACL check with MVC variant
o system: pluggable backup support
o system: configurable user landing pages
o system: safety belt for password policy check
o wizard: add missing element IDs to fix scripting issues
o firmware: parse and return to be removed packages for update summary
o firmware: release type change properly updates the repository and summary
o firmware: extended settings can now be registered via XML files
o firmware: return repository errors in greater detail (4 new error types)
o firmware: make returned backend JSON a bit more human-readable
o firmware: fix leak of base/kernel update info on package manager updates
o firmware: refactor package manager update summary parsing for speed
o firmware: add and use API for major upgrades
o dhcp: fix unwanted name-server write in v6
o dhcp: ldap-server does not exist in v6
o intrusion detection: update classification.config
o intrusion detection: optional fast log to syslog
o ipsec: set ignore_acquire_ts to allow ASA compatibility
o ipsec: add ike_name to syslog output
o openvpn: improve validation between TCP, TCP4, TCP6, UDP, UDP4 and UDP6
o console: manual pages for opnsense-importer and opnsense-installer
o console: let opnsense-installer set up an early runtime environment
o console: show firmware reboot hint prior to update when applicable
o console: longer timeout for opnsense-importer invoke on first boot
o console: proper return values for opnsense-importer in edge cases
o mvc: support multiple directories for detached UI development
o mvc: add AddressFamily option to NetworkField
o
18.1.8 (22 May 2018 07:24)
minor feature:
Here are the full patch notes:
o system: improve VLAN console assignment handling
o system: move backup crypto code to the only page using it
o system: improve validation for web GUI related settings
o system: split off monitor reload for upcoming dpinger integration
o system: default route handler skips an already active default route
o system: default route handler purges hint files only when switching to a newer route
o system: default gateway switching uses the standard default route handler
o system: properly add LDAP picker to ACL
o system: properly unset password expired message after password change
o interfaces: clear up use IPv4 connectivity and fix several typos
o interfaces: parse and report tunnel data
o interfaces: move dhclient-script to proper location
o interfaces: allow SLAAC to latch on to IPv4 link
o reporting: add destination address in Insight detail search
o dhcp: fix labels of services to align with menu
o dhcp: domain-search-list usage was removed in 2012
o ipsec: rewrite resolve_retry() for its only use case
o ipsec: improve RADIUS secret escaping (contributed by Rafael Cano)
o ipsec: fix missing disable of DH group setting
o router advertisements: correctly merge DNS server arrays
o router advertisements: fix DNSSL settings
o router advertisements: fix duplicated subnet statements
o openssh: also use static interface IP addresses to listen on explicitly
o unbound: allow wildcard host entry (contributed by Eugen Mayer)
o webgui: also use static interface IP addresses to listen on explicitly
o backend: improve escaping of passed parameters
o ui: correct height of the login title bar
o ui: unify the label printing of interfaces
o ui: refactor script match for help messages
o rc: ZFS boot awareness
o plugins: os-cache 1.0 is an optional web server cache for the GUI/API
o plugins: os-debug 1.3 now holds its own PHP settings
o plugins: os-nut 1.0 (contributed by Michael Muenz)
o plugins: os-snmp 1.3 improves handling of interface binding
o plugi
18.1.7 (04 May 2018 05:48)
minor feature:
Here are the full patch notes:
o system: validate pfsync peer as IPv4-only
o system: flip order of arguments for system_routing_configure()
o system: convert cron to mutable model controller
o system: convert routing to mutable model controller
o system: log table header cleanup
o system: more aggressive factory reset and shut down after completion
o system: remove duplicate addresses before binding web GUI and OpenSSH
o system: fix Framed-Route parsing for RADIUS authentication
o system: properly translate save message on user language change
o interfaces: PPPoE link down script improvements
o interfaces: emit prefix-interface for trackers in advanced DHCPv6 configurations
o interfaces: DHCPv6 configuration creation breakout (contributed by Team Rebellion)
o interfaces: SIGHUP reload for dhcp6c (contributed by Team Rebellion)
o interfaces: wait for dhcp6c to be stopped by pending apply
o interfaces: only reconfigure VLAN interface after edit when necessary
o interfaces: create IPv4 and IPv6 tunnel gateways for GIF/GRE when the setup allows it
o interfaces: remove unused flush argument from various functions
o interfaces: fixed creation of GIF/GRE tunnel with an outer IPv6 remote address (contributed by Christoph Engelbert)
o interfaces: fixed router advertisement setup of former static but now tracking interface (contributed by Christoph Engelbert)
o interfaces: remove obsolete address requirement for CARP VIPs
o interfaces: back out get_dyndns_ip() IPv6 online detection and properly propagate a lookup error
o interfaces: no more spurious redirection for dhclient invoke
o firewall: remove a side effect from filter_delete_states_for_down_gateways()
o firewall: adjust maximum table entries for error-free bogonsv6 usage
o firewall: add buckets option to traffic shaper
o firewall: update help text for port ranges (contributed by Michael Muenz)
o power: power off modal to indicate that the GUI is no longer responsive
o captive portal: add traffic data and IP address
18.1.6 (10 Apr 2018 07:14)
minor feature:
Here are the full patch notes:
o system: reverse reload order for gateway switching on OpenVPN
o system: implement password policies for local accounts
o system: separate web GUI and configd log files
o system: add syslog and login service visibility
o system: show root as disabled in user manager if disabled
o interfaces: no longer restrict VLAN driver capability
o firewall: switch back to old NAT auto-outbound behaviour
o firewall: reload schedules 1 minute later
o firewall: filter descriptions option no longer exists
o firewall: updated anti-lockout link (contributed by Michael Muenz)
o firewall: fix help text in shaper masks (contributed by Michael Muenz)
o firewall: add delay option to pipe in shaper (contributed by Michael Muenz)
o reporting: add insight aggregator to service list
o dashboard: large CPU usage widget (contributed by Team Rebellion)
o dhcp: fix display of DUID in IPv6 leases
o firmware: let opnsense-patch apply chmod even in partially failed patches
o firmware: let opnsense-code fetch all remotes as well as prune them
o intrusion detection: provide custom.yaml for user edits
o web proxy: fix pid file pointer for service status probe
o ui: help data-for attribute (contributed by NOYB)
o ui: reversed zebra redraw on static page mobile forms
o ui: cleanup for unused classes in static pages
o mvc: add constraint type for dependent fields
o plugins: merge rc.plugins_configure code into pluginctl
o plugins: os-c-icap 1.5_1 service controller fix (contributed by Fabian Franz)
o plugins: os-frr 1.3 adds BGP for IPv6 (contributed by Michael Muenz)
o plugins: os-lcdproc-sdeclcd 1.0 release adds LCD usage to Lanner/Watchguard Firebox
o plugins: os-monit 1.7 fixes compatibility with UI rework
o plugins: os-rspamd 1.2 allows specifying bad file extensions (contributed by Fabian Franz and Michael Muenz)
o plugins: os-shadowsocks 1.0 release (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.0 release (contributed by Team Rebellion)
o plugins:
18.1.5 (22 Mar 2018 07:05)
minor feature:
Here are the full patch notes:
o system: optional prefix Google Drive backups with host and domain name
o system: also render tunables in loader.conf to obsolete loader.conf.local editing
o interfaces: allow /127, /128 and /32 static IP address configurations everywhere
o interfaces: improve logging and assorted cleanups (contributed by Team Rebellion)
o interfaces: ignore dynamic linkup events for unassigned interfaces
o interfaces: hide previously assigned interfaces from bridges
o interfaces: allow all IPv6 prefixes from 48 to 64 for DHCPv6 mode
o firewall: add VIP gateway option for PPPoE interfaces
o firewall: add update interval option to log widget (contributed by NOYB)
o firewall: respect mask in traffic shaper queue config (contributed by Michael Muenz)
o firmware: fix opnsense-code for src.git and ABI probing
o firmware: fix opnsense-patch file permission apply for plugins
o intrusion detection: support request headers in ruleset metadata
o openvpn: switch status to version 3 to avoid wrong parsing of commas
o openvpn: parse all states to retrieve all relevant connection status info
o captive portal: exclude "I" from simplified voucher character set for clarity
o plugins: os-lldpd 1.1 adds interface selection (contributed by Michael Muenz)
o plugins: os-monit 1.6 fixes file path validation (contributed by Frank Brendel)
o plugins: os-postfix 1.1 adds smart host and SMTP authentication (contributed by Michael Muenz)
o plugins: os-tinc 1.3 corrects host port usage (contributed by DasTestament)
o plugins: os-tor 1.6 adds IPv6 and exit settings (contributed by Gijs Peskens)
o ui: update tokenizer to 2.6, visual tweaks and blur-add
o ui: buttons for services control in MVC (contributed by Smart-Soft)
o src: reinitialize IP header length after checksum calculation
o src: fix IPsec validation and use-after-free
o src: update timezone database information
o src: update file(1) to new version with security update
o src: add mitigations for two classes
18.1.4 (12 Mar 2018 07:20)
minor feature:
Here are the full patch notes:
o system: improved default route handling
o system: improved gateway switching
o system: cleanse username on LDAP import
o system: increase maximum size of firmware reports
o firewall: shaper backend refactor
o interfaces: improved reconfigure phase
o reporting: fix sporadic "non-numeric value encountered" error
o captive portal: add voucher expiry (contributed by Stephanowicz)
o intrusion detection: use latest ET Open rules for Suricata version 4
o intrusion detection: proper syslog with drops, requires log file reset
o intrusion detection: backend refactor
o plugins: os-frr 1.2 adds OSPF interface type (contributed by Marius Halden)
o plugins: os-haproxy 2.6 (contributed by Frank Wall)
o ports: isc-dhcp 4.3.6P1
o ports: krb5 1.16
o ports: pkg 1.10.5
o ports: strongswan 5.6.2
18.1.3 (05 Mar 2018 12:00)
minor feature:
Here are the full patch notes:
o system: account for variable headers in top output
o system: move gateway status into main pages
o system: slightly reorder routing configuration calls
o system: optimize reading of SSL crypto library version string (contributed by Alexander Shursha)
o system: rework LDAP authentication container selection
o interfaces: avoid interaction of overview details with menu items
o interfaces: allow "reject leases from" option in DHCP advanced settings
o firewall: set alias cron update interval to 1 minute
o firewall: align alias cron update with its background call
o firewall: URL IP alias type missing in selections
o firewall: fix defunct alias target in outbound NAT
o firewall: ignore alias case while searching
o firewall: move rule category filter to the top of the page
o firewall: show IPv6 ports in live log and fix details for TCP
o firewall: move general settings to AliasParser and fix Alias constructor to receive them
o firewall: if the name of the alias equals its content try to resolve
o dhcp: advertisement problem on PPPoE link without public IPv6 address (contributed by Team Rebellion)
o dhcp: UEFI 64 network boot using wrong arch type
o dhcp: validate maximum interface MTU
o dhcp: add validation for DUID fields
o ipsec: auto-route disable setting (contributed by Namezero)
o network time: inline NMEA checksum calculator (contributed by Fabian Franz)
o network time: fix stratum level write
o unbound: optimize outgoing-range differently
o unbound: local zone setting (contributed by NOYB)
o ui: fix cropped dropdown regression
o mvc: translate option values (contributed by Alexander Shursha)
o mvc: fix access to undefined property translator
o mvc: fix typo in getBase()
o mvc: improve phpdoc
o rc: protect console menu again, but keep shell invoke for rc.d subsystem
o rc: fix some typos (contributed by John Eismeier)
o rc: proper includes for plugin post-install hook
o rc: recover all known shells
o plugins: os-clamav 1.5 fixes log
18.1.2 (08 Feb 2018 18:20)
minor feature:
Here are the full patch notes:
o system: avoid default route from disappearing when no manual gateways are set
o firewall: fix outbound NAT for OpenVPN interfaces
o interfaces: multiple overview page improvements (contributed by NOYB)
o firmware: revoke 17.7 update fingerprint
o console: check for root invoke in importer, installer and console menu
o intrusion detection: always show schedule tab
o intrusion detection: log first drop of a flow
o intrusion detection: add a log file viewer
o unbound: add num-queries-per-thread option values for 4096 and 8192
o ui: remove chrome=1 from X-UA-Compatible meta element (contributed by NOYB)
o ui: HTML compliance for attribute "type" on script element (contributed by NOYB)
o ui: HTML compliance for "navigation" "role" on nav element (contributed by NOYB)
o ui: checkbox and radio button label children tweaks (contributed by NOYB)
o ui: break help text on small screens
o ui: use pluggable locations for theme files
o ui: remove table-responsive padding on small screens
o ui: user-scalable viewport (contributed by NOYB)
o mvc: CRUD functions for mutable model controller (contributed by Fabian Franz)
o plugins: os-frr 1.0 with CRUD refactor (contributed by Fabian Franz)
o plugins: os-tor 1.5 with CRUD refactor (contributed by Fabian Franz)
o ports: phalcon 3.3.1
o ports: php 7.1.14
18.1.1 (02 Feb 2018 18:19)
minor feature:
Here are the full patch notes:
o firewall: ignore target port alias in port forwards when it equals the destination
o firewall: align outbound NAT address output to edit page
o firewall: use first region for country in GeoIP category instead of last one
o system: improve layout of gateway status labels (contributed by Fabian Franz)
o system: improve order of group / user setup as "wheel" was not added correctly on save
o dashboard: touch device improvements in widgets (contributed by NOYB)
o opendns: always refresh the setting on save
o openvpn: open links in a new tab (contributed by Fabian Franz)
o ui: system-wide HTML compliance improvements (contributed by NOYB)
o plugins: arp-scan 1.1 improves interface search (contributed by Giuseppe De Marco)
o plugins: os-dyndns 1.6 fixes Route 53 IPv6 usage (contributed by theq86)
o plugins: os-freebsd 1.5.2 clarifies certificate validation (contributed by Michael Muenz)
o plugins: os-openconnect 1.0 (contributed by Michael Muenz)
o plugins: os-rfc2136 1.2 improves widget load
o plugins: os-telegraf 1.3.1 adds ping hosts and graphite validation fix (contributed by Michael Muenz)
o plugins: os-rspamd 1.1 fixes typos (contributed by Fabian Franz)
o plugins: os-zerotier 1.3.1 makes database persist on /var MFS (contributed by David Harrigan)
o ports: curl 7.58.0
o ports: py27-cryptography 2.1.4
18.1 (02 Feb 2018 18:18)
minor feature:
These are the most prominent changes since version 17.7:
o FreeBSD 11.1, PHP 7.1 and jQuery 3 migration
o Realtek vendor NIC driver version 1.94
o Portable NAT before IPsec support
o Local group restriction feature in OpenVPN and IPsec
o OpenVPN multi-remote support for clients
o Strict interface binding for SSH and web GUI
o Improved MVC tabs and general page layout
o Shared forwarding now works on IPv6, in conjunction with "try-forwarding" and improved reply-to multi-WAN behaviour
o Easy-to-use update cache support for Linux and Windows in web proxy
o Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)
o Revamped HAProxy plugin with introduction pages
o Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status
o Alias backend rewrite for future extensibility
o Plugin-capable firewall NAT rules
o Migration of system routes UI and backend to MVC (also available via API)
o Reverse DNS support for insight reporting (also available via API)
o Fully rewritten firewall live log in MVC (also available via API)
o New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, node_exporter
17.7.12 (19 Jan 2018 06:18)
minor feature:
Here are the full patch notes:
o system: use correct crypto library to gather GUI SSL ciphers
o system: do not wrap action buttons in tunables page
o system: fix CA serial number decrement on save
o firmware: remove the discontinued hotfix backend support
o firmware: allow dot in package name during package action
o firmware: remove defunct mirrors
o interfaces: make level of detail stick in packet capture
o interfaces: auto-lock problematic interfaces upon assignment
o firewall: make NAT reflection enable less ambiguous
o firewall: fix NAT formatting in states dump page
o network time: fix for valid negative offset in health graph
o network time: OPNsense NTP pool is now available
o network time: fix parsing of overly long lines
o web proxy: use PID file instead of daemon name for status probe
o wizard: add unbound to wizard and uncheck DNSSEC by default
o ui: HTML compliance fixes button in link usage (contributed by NOYB)
o mvc: added mutable service controller
o mvc: added sub-tab layout partials
o mvc: do not render empty toggle header
o plugins: acme-client 1.13 (contributed by Frank Wall)
o plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)
o plugins: helloworld 1.4
o plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)
o plugins: tor 1.4 adds contact info (contributed by Fabian Franz)
o plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)
o ports: libressl 2.6.4
o ports: php 7.1.13
17.7.11 (22 Dec 2017 10:12)
minor feature:
Here are the full patch notes:
o system: numerical sort for "Use" and "MTU" columns in route diagnostics
o system: gateway group edit tier selection issue with jQuery3
o system: minor cleanups in the certificates backend
o firewall: move anti-lockout rule to advanced settings
o interfaces: minor cleanups in the backend
o reporting: rework configuration handling on the settings page
o dnsmasq: minor cleanups in the backend
o firmware: strip the architecture from the base / kernel set version display
o firmware: backend preparations for full base / kernel set lock and reinstall
o firmware: increase crash report file limit to 2 MB
o ipsec: minor cleanups in the backend
o unbound: register DHCP domain name for interface if found
o network time: show full remote address and fix page boxing on status page
o network time: add advanced custom options
o network time: fix leap second save
o network time: minor cleanups in the backend
o wizard: properly redirect on input errors in system wizard
o mvc: ignore client-side anchors in breadcrumb generation
o ui: do not use a CSRF input element ID
o plugins: os-freeradius 1.4.1 fixes a warning in clients (contributed by Michael Muenz)
o ports: libxml 2.4.7
o ports: py-ipaddress 1.0.19
17.7.10 (18 Dec 2017 10:56)
minor feature:
Here are the full patch notes:
o system: allow user-based language setting through Lobby: Password
o system: allow strict interface binding for OpenSSH
o system: prepare for MVC-based routing pages
o firmware: prepare for production / development release type selection
o firewall: fix a PHP warning when no user rules are installed
o firewall: add refresh button to table diagnostics page
o captive portal: fix chroot regression since lighttpd web server update in 17.7.9
o interfaces: provide a link-local IPv6 when asking for addresses
o intrusion detection: sync port-groups to default template
o ipsec: upgrade vici lib to match strongSwan package
o network time: fix a PHP warning during NMEA deselect
o mvc: do not throw disabled errors in handler
o plugins: os-dyndns 1.4_1 fixes issue with Namecheap error parsing
o plugins: os-freeradius 1.4.0 adds log viewer and fixes users write (contributed by Michael Muenz)
o plugins: os-quagga 1.4.3 adds OSPF firewall rule and spinners for save (contributed by Fabian Franz)
o src: OpenSSL multiple vulnerabilities
o ports: hyperscan 4.6.0
o ports: openssl 1.0.2n
o ports: suricata 4.0.3
Two plugin hotfixes have been additionally issued:
o plugins: os-quagga 1.4.3_1 fixes service startup regression
o plugins: os-rfc2136 1.1_1 fixes edit button in IE 11
17.7.9 (07 Dec 2017 16:29)
minor feature:
Here are the full patch notes:
o system: fix XSS with crafted certificates in certificate manager
o system: removed duplicated firmware privileges
o system: fix resolving routes in diagnostics page
o system: regenerated DH parameters
o dhcp: support stateless DHCPv6
o firmware: kernel and base set visibility and better API session handling
o intrusion detection: improve download and install speed of et-open rules
o intrusion detection: add TLS and HTTP logging in eve and alert log viewer
o openvpn: allow remote network in peer to peer modes
o web proxy: better service and API session handling
o router advertisements: advertise on VIPs belonging to the same interface
o configd: allow template overrides via optional target directory
o mvc: prepare for user-based language setting (contributed by Alexander Shursha)
o mvc: prepare for auto-generated page titles
o mvc: tighten against frame-based attacks
o mvc: correctly hide advanced option headers in forms (contributed by Evgeny Bevz)
o ui: fix for deactivated storage in sticky "help all" toggle (contributed by Fabian Franz)
o ui: make "advanced mode" sticky too
o plugins: os-acme-client 1.12 (contributed by Frank Wall)
o plugins: os-arp-scan (contributed by Giuseppe De Marco)
o plugins: os-clamav 1.3 (contributed by Alexander Shursha)
o plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed by Kuo-Cheng Yeu)
o plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)
o plugins: os-haproxy 2.0 (contributed by Frank Wall)
o plugins: os-relayd 1.2 fixes "check send" directive
o plugins: os-tor 1.3 (contributed by Fabian Franz)
o plugins: os-zabbix-agent 1.2 fixes service status indicator
o plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)
o ports: ca_root_nss 3.34.1
o ports: curl 7.57.0
o ports: lighttpd 1.4.48
o ports: php 7.1.12
o ports: pkg 1.10.3
o ports: py-Jinja2 2.10
o ports: syslogd 11.1