Recent Releases
18.1.610 Apr 2018 07:14
minor feature:
Here are the full patch notes:
o system: reverse reload order for gateway switching on OpenVPN
o system: implement password policies for local accounts
o system: separate web GUI and configd log files
o system: add syslog and login service visibility
o system: show root as disabled in user manager if disabled
o interfaces: no longer restrict VLAN driver capability
o firewall: switch back to old NAT auto-outbound behaviour
o firewall: reload schedules 1 minute later
o firewall: filter descriptions option does no longer exist
o firewall: updated anti-lockout link (contributed by Michael Muenz)
o firewall: fix help text in shaper masks (contributed by Michael Muenz)
o firewall: add delay option to pipe in shaper (contributed by Michael Muenz)
o reporting: add insight aggregator to service list
o dashboard: large CPU usage widget (contributed by Team Rebellion)
o dhcp: fix display of DUID in IPv6 leases
o firmware: let opnsense-patch apply chmod even in partially failed patches
o firmware: let opnsense-code fetch all remotes as well as prune them
o intrusion detection: provide custom.yaml for user edits
o web proxy: fix pid file pointer for service status probe
o ui: help data-for attribute (contributed by NOYB)
o ui: reversed zebra redraw on static page mobile forms
o ui: cleanup for unused classes in static pages
o mvc: add constraint type for dependent fields
o plugins: merge rc.plugins_configure code into pluginctl
o plugins: os-c-icap 1.5_1 service controller fix (contributed by Fabian Franz)
o plugins: os-frr 1.3 adds BGP for IPv6 (contributed by Michael Muenz)
o plugins: os-lcdproc-sdeclcd 1.0 release adds LCD usage to Lanner/Watchguard Firebox
o plugins: os-monit 1.7 fixes compatibility with UI rework
o plugins: os-rspamd 1.2 allows to specify bad file extensions (contributed by Fabian Franz and Michael Muenz)
o plugins: os-shadowsocks 1.0 release (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.0 release (contributed by Team Rebellion)
o plugins:
18.1.522 Mar 2018 07:05
minor feature:
Here are the full patch notes:
o system: optional prefix Google Drive backups with host and domain name
o system: also render tunables in loader.conf to obsolete loader.conf.local editing
o interfaces: allow /127, /128 and /32 static IP address configurations everywhere
o interfaces: improve logging and assorted cleanups (contributed by Team Rebellion)
o interfaces: ignore dynamic linkup events for unassigned interfaces
o interfaces: hide previously assigned interfaces from bridges
o interfaces: allow all IPv6 prefixes from 48 to 64 for DHCPv6 mode
o firewall: add VIP gateway option for PPPoE interfaces
o firewall: add update interval option to log widget (contributed by NOYB)
o firewall: respect mask in traffic shaper queue config (contributed by Michael Muenz)
o firmware: fix opnsense-code for src.git and ABI probing
o firmware: fix opnsense-patch file permission apply for plugins
o intrusion detection: support request headers in ruleset metadata
o openvpn: switch status to version 3 to avoid wrong parsing of commas
o openvpn: parse all states to retrieve all relevant connection status info
o captive portal: exclude "I" from simplified voucher character set for clarity
o plugins: os-lldpd 1.1 adds interface selection (contributed by Michael Muenz)
o plugins: os-monit 1.6 fixes file path validation (contributed by Frank Brendel)
o plugins: os-postfix 1.1 adds smart host and SMTP authentication (contributed by Michael Muenz)
o plugins: os-tinc 1.3 corrects host port usage (contributed by DasTestament)
o plugins: os-tor 1.6 adds IPv6 and exit settings (contributed by Gijs Peskens)
o ui: update tokenizer to 2.6, visual tweaks and blur-add
o ui: buttons for services control in MVC (contributed by Smart-Soft)
o src: reinitialize IP header length after checksum calculation 1
o src: fix IPsec validation and use-after-free 2
o src: update timezone database information 3
o src: update file(1) to new version with security update 4
o src: add mitigations for two classes
18.1.412 Mar 2018 07:20
minor feature:
Here are the full patch notes:
o system: improved default route handling
o system: improved gateway switching
o system: cleanse username on LDAP import
o system: increase maximum size of firmware reports
o firewall: shaper backend refactor
o interfaces: improved reconfigure phase
o reporting: fix sporadic "non-numeric value encountered" error
o captive portal: add voucher expiry (contributed by Stephanowicz)
o intrusion detection: use latest ET Open rules for Suricata version 4
o intrusion detection: proper syslog with drops, requires log file reset
o intrusion detection: backend refactor
o plugins: os-frr 1.2 adds OSPF interface type (contributed by Marius Halden)
o plugins: os-haproxy 2.6 1 (contributed by Frank Wall)
o ports: isc-dhcp 4.3.6P1 2
o ports: krb5 1.16 3
o ports: pkg 1.10.5
o ports: strongswan 5.6.2 4
18.1.305 Mar 2018 12:00
minor feature:
Here are the full patch notes:
o system: account for variable headers in top output
o system: move gateway status into main pages
o system: slightly reorder routing configuration calls
o system: optimize reading of SSL crypto library version string (contributed by Alexander Shursha)
o system: rework LDAP authentication container selection
o interfaces: avoid interaction of overview details with menu items
o interfaces: allow "reject leases from" option in DHCP advanced settings
o firewall: set alias cron update interval to 1 minute
o firewall: align alias cron update with its background call
o firewall: URL IP alias type missing in selections
o firewall: fix defunct alias target in outbound NAT
o firewall: ignore alias case while searching
o firewall: move rule category filter to the top of the page
o firewall: show IPv6 ports in live log and fix details for TCP
o firewall: move general settings to AliasParser and fix Alias constructor to receive them
o firewall: if the name of the alias equals its content try to resolve
o dhcp: advertisement problem on PPPoE link without public IPv6 address (contributed by Team Rebellion)
o dhcp: UEFI 64 network boot using wrong arch type
o dhcp: validate maximum interface MTU
o dhcp: add validation for DUID fields
o ipsec: auto-route disable setting (contributed by Namezero)
o network time: inline NMEA checksum calculator (contributed by Fabian Franz)
o network time: fix stratum level write
o unbound: optimize outgoing-range differently
o unbound: local zone setting (contributed by NOYB)
o ui: fix cropped dropdown regression
o mvc: translate option values (contributed by Alexander Shursha)
o mvc: fix access to undefined property translator
o mvc: fix typo in getBase()
o mvc: improve phpdoc
o rc: protect console menu again, but keep shell invoke for rc.d subsystem
o rc: fix some typos (contributed by John Eismeier)
o rc: proper includes for plugin post-install hook
o rc: recover all known shells
o plugins: os-clamav 1.5 fixes log
18.1.208 Feb 2018 18:20
minor feature:
Here are the full patch notes:
o system: avoid default route from disappearing when no manual gateways are set
o firewall: fix outbound NAT for OpenVPN interfaces
o interfaces: multiple overview page improvements (contributed by NOYB)
o firmware: revoke 17.7 update fingerprint
o console: check for root invoke in importer, installer and console menu
o intrusion detection: always show schedule tab
o intrusion detection: log first drop of a flow
o intrusion detection: add a log file viewer
o unbound: add num-queries-per-thread option values for 4096 and 8192
o ui: remove chrome=1 from X-UA-Compatible meta element (contributed by NOYB)
o ui: HTML compliance for attribute "type" on script element (contributed by NOYB)
o ui: HTML compliance for "navigation" "role" on nav element (contributed by NOYB)
o ui: checkbox and radio button label children tweaks (contributed by NOYB)
o ui: break help text on small screens
o ui use pluggable locations for theme files
o ui: remove table-responsive padding on small screens
o ui: user-scalable viewport (contributed by NOYB)
o mvc: CRUD functions for mutable model controller (contributed by Fabian Franz)
o plugins: os-frr 1.0 with CRUD refactor (contributed by Fabian Franz)
o plugins: os-tor 1.5 with CRUD refactor (contributed by Fabian Franz)
o ports: phalcon 3.3.1
o ports: php 7.1.14
18.1.102 Feb 2018 18:19
minor feature:
Here are the full patch notes:
o firewall: ignore target port alias in port forwards when it equals the destination
o firewall: align outbound NAT address output to edit page
o firewall: use first region for country in GeoIP category instead of last one
o system: improve layout of gateway status labels (contributed by Fabian Franz)
o system: improve order of group / user setup as "wheel" was not added correctly on save
o dashboard: touch device improvements in widgets (contributed by NOYB)
o opendns: always refresh the setting on save
o openvpn: open links in a new tab (contributed by Fabian Franz)
o ui: system-wide HTML compliance improvements (contributed by NOYB)
o plugins: arp-scan 1.1 improves interface search (contributed by Giuseppe De Marco)
o plugins: os-dyndns 1.6 fixes Route 53 IPv6 usage (contributed by theq86)
o plugins: os-freebsd 1.5.2 clarifies certificate validation (contributed by Michael Muenz)
o plugins: os-openconnect 1.0 (contributed by Michael Muenz)
o plugins: os-rfc2136 1.2 improves widget load
o plugins: os-telegraf 1.3.1 adds ping hosts and graphite validation fix (contributed by Michael Muenz)
o plugins: os-rspamd 1.1 fixes typos (contributed by Fabian Franz)
o plugins: os-zerotier 1.3.1 makes database persist on /var MFS (contributed by David Harrigan)
o ports: curl 7.58.0 1
o ports: py27-cryptography 2.1.4
18.102 Feb 2018 18:18
minor feature:
These are the most prominent changes since version 17.7:
o FreeBSD 11.1, PHP 7.1 and jQuery 3 migration
o Realtek vendor NIC driver version 1.94
o Portable NAT before IPsec support
o Local group restriction feature in OpenVPN and IPsec
o OpenVPN multi-remote support for clients
o Strict interface binding for SSH and web GUI
o Improved MVC tabs and general page layout
o Shared forwarding now works on IPv6, in conjunction with "try-forwarding" and improved reply-to multi-WAN behaviour
o Easy-to-use update cache support for Linux and Windows in web proxy
o Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)
o Revamped HAProxy plugin with introduction pages
o Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status
o Alias backend rewrite for future extensibility
o Plugin-capable firewall NAT rules
o Migration of system routes UI and backend to MVC (also available via API)
o Reverse DNS support for insight reporting (also available via API)
o Fully rewritten firewall live log in MVC (also available via API)
o New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, node_exporter
17.7.1219 Jan 2018 06:18
minor feature:
Here are the full patch notes:
o system: use correct crypto library to gather GUI SSL ciphers
o system: do not wrap action buttons in tunables page
o system: fix CA serial number decrement on save
o firmware: remove the discontinued hotfix backend support
o firmware: allow dot in package name during package action
o firmware: remove defunct mirrors
o interfaces: make level of detail stick in packet capture
o interfaces: auto-lock problematic interfaces upon assignment
o firewall: make NAT reflection enable less ambiguous
o firewall: fix NAT formatting in states dump page
o network time: fix for valid negative offset in health graph
o network time: OPNsense NTP pool is now available
o network time: fix parsing of overly overlong lines
o web proxy: use PID file instead of daemon name for status probe
o wizard: add unbound to wizard and uncheck DNSSEC by default
o ui: HTML compliance fixes button in link usage (contributed by NOYB)
o mvc: added mutable service controller
o mvc: added sub-tab layout partials
o mvc: do not render empty toggle header
o plugins: acme-client 1.13 1 (contributed by Frank Wall)
o plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)
o plugins: helloworld 1.4
o plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)
o plugins: tor 1.4 adds contact info (contributed by Fabian Franz)
o plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)
o ports: libressl 2.6.4 2
o ports: php 7.1.13 3
17.7.1122 Dec 2017 10:12
minor feature:
Here are the full patch notes:
o system: numerical sort for "Use" and "MTU" columns in route diagnostics
o system: gateway group edit tier selection issue with jQuery3
o system: minor cleanups in the certificates backend
o firewall: move anti-lockout rule to advanced settings
o interfaces: minor cleanups in the backend
o reporting: rework configuration handling on the settings page
o dnsmasq: minor cleanups in the backend
o firmware: strip the architecture from the base / kernel set version display
o firmware: backend preparations for full base / kernel set lock and reinstall
o firmware: increase crash report file limit to 2 MB
o ipsec: minor cleanups in the backend
o unbound: register DHCP domain name for interface if found
o network time: show full remote address and fix page boxing on status page
o network time: add advanced custom options
o network time: fix leap second save
o network time: minor cleanups in the backend
o wizard: properly redirect on input errors in system wizard
o mvc: ignore client-side anchors in breadcrumb generation
o ui: do not use a CSRF input element ID
o plugins: os-freeradius 1.4.1 fixes a warning in clients (contributed by Michael Muenz)
o ports: libxml 2.4.7 1
o ports: py-ipaddress 1.0.19
17.7.1018 Dec 2017 10:56
minor feature:
Here are the full patch notes:
o system: allow user-based language setting through Lobby: Password
o system: allow strict interface binding for OpenSSH
o system: prepare for MVC-based routing pages
o firmware: prepare for production / development release type selection
o firewall: fix a PHP warning when no user rules are installed
o firewall: add refresh button to table diagnostics page
o captive portal: fix chroot regression since lighttpd web server update in 17.7.9
o interfaces: provide a link-local IPv6 when asking for addresses
o intrusion detection: sync port-groups to default template
o ipsec: upgrade vici lib to match strongSwan package
o network time: fix a PHP warning during NMEA deselect
o mvc: do not throw disabled errors in handler
o plugins: os-dyndns 1.4_1 fixes issue with Namecheap error parsing
o plugins: os-freeradius 1.4.0 adds log viewer and fixes users write (contributed by Michael Muenz)
o plugins: os-quagga 1.4.3 adds OSPF firewall rule and spinners for save (contributed by Fabian Franz)
o src: OpenSSL multiple vulnerabilities 1 2
o ports: hyperscan 4.6.0 3
o ports: openssl 1.0.2n 4
o ports: suricata 4.0.3 5
Two plugin hotfixes have been additionally issued:
o plugins: os-quagga 1.4.3_1 fixes service startup regression
o plugins: os-rfc2136 1.1_1 fixes edit button in IE 11
17.7.907 Dec 2017 16:29
minor feature:
Here are the full patch notes:
o system: fix XSS with crafted certificates in certificate manager 1
o system: removed duplicated firmware privileges
o system: fix resolving routes in diagnostics page
o system: regenerated DH parameters
o dhcp: support stateless DHCPv6
o firmware: kernel and base set visibility and better API session handling
o intrusion detection: improve download and install speed of et-open rules
o intrusion detection: add TLS and HTTP logging in eve and alert log viewer
o openvpn: allow remote network in peer to peer modes
o web proxy: better service and API session handling
o router advertisements: advertise on VIPs belonging to the same interface
o configd: allow template overrides via optional target directory
o mvc: prepare for use-based language setting (contributed by Alexander Shursha)
o mvc: prepare for auto-generated page titles
o mvc: tighten against frame-based attacks
o mvc: correctly hide advanced option headers in forms (contributed by Evgeny Bevz)
o ui: fix for deactivated storage in sticky "help all" toggle (contributed by Fabian Franz)
o ui: make "advanced mode" sticky too
o plugins: os-acme-client 1.12 2 (contributed by Frank Wall)
o plugins: os-arp-scan (contributed by Giuseppe De Marco)
o plugins: os-clamav 1.3 (contributed by Alexander Shursha)
o plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed by Kuo-Cheng Yeu)
o plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)
o plugins: os-haproxy 2.0 3 (contributed by Frank Wall)
o plugins: os-relayd 1.2 fixes "check send" directive
o plugins: os-tor 1.3 (contributed by Fabian Franz)
o plugins: os-zabbix-agent 1.2 fixes service status indicator
o plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)
o ports: ca_root_nss 3.34.1
o ports: curl 7.57.0 4
o ports: lighttpd 1.4.48 5
o ports: php 7.1.12 6
o ports: pkg 1.10.3 7
o ports: py-Jinja2 2.10 8
o ports: syslogd 11.1
Homepage
Download