15.7 “Brave Badger” Series

While the summer is hot, we push forward to what now is 15.7 – nicknamed ‘Brave Badger’ – right in front of you. A lot of effort went into this project during the past 6 months, and we dare say it has been worth all of it. We would like to thank our followers and friends and feedback givers and forum lurkers and contributors and doubters and supporters that helped to make 15.7 what it is. We wouldn’t be here without any of you. Thank you.

In itself, 15.7 is a simple upgrade from 15.1.12 which we recommend to everyone. What changes is that development will move to a different branch so that from now on regressions are less likely and therefore stability will increase further. The provided images may also be the only ones for the next 6 months as we are confident in their longevity and the online upgrade path. We have also bumped the LibreSSL flavour to a production-ready state and encourage everyone to try it out. The installer’s import configuration tool coupled with a quick and easy installation can help you move from OpenSSL to LibreSSL and back seamlessly.

The biggest addition is the intrusion detection integration (suricata) as well as new local and remote blacklist options for the proxy server (squid). Security-wise, it has been rather quiet with only a few CVEs in third-party tools. Please see the full patch notes for details and references:

  • kernel: borrowed a dummynet / ipnat patch from m0n0wall to enable symmetric traffic shaping when NAT is involved

  • kernel: fix recurse lock panic for tmpfs in conjunction with unionfs

  • kernel: applied two stable patches that prevent squid from crashing [1]

  • kernel: retired ALTQ support

  • base: sendmail TLS/DH Interoperability Improvement [2]

  • base: improved iconv(3) UTF-7 support [3]

  • base: inconsistency between locale and rune locale states [4]

  • notable ports updates: phalcon 2.0.3 [5], curl 7.43.0_2 [6], openssh 6.8p1_8, python 2.7.10 [7], perl 5.20.2_5 [8], ntp 4.2.8p3 [9], libxml2 2.9.2_3 [10], openldap24-server 2.4.41 [11]

  • opnsense-update: will no longer try to reinstall the installed version after a fresh installation

  • bsdinstaller: bring back cpdup to error out on low memory installation (you need 1 GB of RAM, or work around installation using the nano image)

  • traffic shaper: removed legacy queues support in favour of the new traffic shaper functionality

  • traffic shaper: allow direct enable/disable toggle

  • proxy: fix the initial daemon start on bootup

  • proxy: added LAN as the default interface configuration

  • proxy: local and remote blacklists with regex support

  • intrusion detection: initial release of our IDS GUI based on suricata

  • gateways: monitoring mode gained IPv6 support

  • captive portal: fix idle timeout bug

  • captive portal: do not delete the wrong zone when having multiple configurations

  • captive portal: removed include files from exposed web directory

  • backend: always regenerate users and groups to avoid corruption after an unclean shutdown

  • backend: wait for configd socket to come up to address a startup race issue

  • backend: clean up configd socket on exit

  • backend: fixed regression that prevented user scripts from being started via /etc/rc.conf

  • gateways: only show apinger in services when monitoring is enabled for a gateway

  • languages: brought Simplified Chinese to 49% completed, German to 30% completed

  • universal plug and play: make page invoke static to remove exploitability of the legacy packages framework

  • crash reporter: finally enabled the send button and now provides human-readable feedback on whether the submission was complete

  • console: added non-interactive interface assignment for headless deployments

  • ssh: disable password authentication on factory reset to align with the standard configuration

  • diagnostics: avoid duplicated calls of gethostbyaddr() in NDP table view

  • users: prompt for old password on password change to prevent account hijacking

  • users: stripped the impossible scponly user privileges since said utility has never been part of our ecosystem

Images can be found on any of our mirrors, but they may take a few hours to sync. The checksums are attached at the end of this announcement for convenience.

https://opnsense.org/download/

15.7.25 (January 18, 2016)

This is good-bye. 6 months have passed and 15.7 has served us well. In only 10 days 16.1 will be out and it is looking shiny. Please study the end of life announcement on the firmware page before attempting to upgrade to the next version.

As such, we have incorporated fixes for all of the outstanding security issues of last week, mostly related to FreeBSD and OpenSSH. Patches for the GUI are light; all pending improvements go directly into the next major release.

Here are the full patch notes:

  • src: SCTP ICMPv6 error message vulnerability [1]

  • src: ntp panic threshold bypass vulnerability [2]

  • src: Linux compatibility layer incorrect futex handling [3]

  • src: Linux compatibility layer setgroups(2) system call vulnerability [4]

  • src: TCP MD5 signature denial of service [5]

  • src: Insecure default snmpd.config permissions [6]

  • src: OpenSSH client information leak [7]

  • src: Invalid TCP checksums with pf(4) [8]

  • src: YP/NIS client library critical bug [9]

  • ports: sqlite 3.10.0 [10], easy-rsa 3.0.1 [11], openssh-portable 7.1p2 [12]

  • traffic graphs: fix truncation of IP address to 14 characters

  • firmware: EOL announcement for 15.7 added, ready for upgrading to 16.1 on January 28

  • firmware: added mirror provided by RageNetwork (Munich, DE)

  • menu: fix navigation after editing IPsec mobile clients (contributed by Manuel Faux)

  • trust: properly reference CA in intermediate CAs (contributed by Manuel Faux)

15.7.24 (January 11, 2016)

We’re back, and we have a lot of neat changes and security updates for you. Most notably, the firewall pages received a lot of subtle tweaks to improve user experience. Secondly, the firmware pages gained the plugins management feature. And last but not least, the kernel and base upgrade gained better signature support [1] that ties right into FreeBSD’s pkg verification mechanism, how cool is that!

We’d like to use this opportunity to thank four of our regular contributors who’ve helped us to advance further than we could have dreamed. A big thank you to Manuel Faux, Fabian Franz, Frank Wall and Andreas Martin! And no, we do not make these up as we go. ;)

Here are the full patch notes:

  • ports: suricata 2.0.11 [2], dhcp6 20080615_5 [3], lighttpd 1.4.39 [4]

  • ports: syslogd 10.2, mpd 5.8 [5], ca_root_nss 3.21, dnsmasq 2.75_1 [6]

  • ports: ntp 4.2.8p5 [7], php 5.6.17 [8], python 2.7.11_1 [9]

  • ports: miniupnpd 1.9.20151212, openvpn 2.3.10 [10]

  • opnsense-update: add opnsense-verify and opnsense-sign

  • opnsense-update: improve verification of signatures of kernel and base upgrades

  • menu: bring back dashboard entry due to popular demand

  • menu: fix interface listing error when its description is empty

  • menu: moved license file to lobby section for visibility

  • menu: order VPN services for icon adjustment (contributed by Fabian Franz)

  • menu: renamed “config manager” to “configuration” and “certificate manager” to “trust”

  • language: multiple translation improvements (contributed by Fabian Franz and Andreas Martin)

  • language: fix behaviour of numerous apply buttons when using a non-English translation

  • dashboard: don’t display widget headers when the actual widgets are no longer installed

  • backend: fix issue when configd target pattern cannot be found

  • carp: fix support for OpenVPN clients

  • system: remove the old FTP proxy implementation (use proxy server service instead)

  • system: pin down listbox size to unhide the search field

  • health: tidy up the layout by removing visual blockers and general bumpiness

  • access: fix setting of default values for new users

  • access: fix padding on user listing page

  • access: adjusted file type of API credentials to fix Chrome’s download blues (contributed by Fabian Franz)

  • configuration: fix replay of configuration backups

  • interfaces: fix redirect after applying an interface’s configuration

  • trust: properly set certificate digest algorithm in form after creation error

  • gateways: bring back display of descriptions (contributed by Frank Wall)

  • load balancer: bring back display of descriptions (contributed by Frank Wall)

  • ipsec: fix RSA authentication method check

  • ipsec: finally brought back lease display in widgets and status page

  • proxy: add configurable cache_mem setting

  • unbound: honour the “register DHCP leases in DNS” option (contributed by Manuel Faux)

  • unbound: reorder advanced features inclusion

  • dynamic dns: allow custom entries to set hostname to be used in e.g. OpenVPN exports

  • dynamic dns: updated cloudflare service binding

  • firewall: fix saving of zero values on virtual IP page

  • firewall: fix label for option source/invert in rules edit page (contributed by Frank Wall)

  • firewall: show warning banner on related pages when firewall is globally disabled (contributed by Manuel Faux)

  • firewall: add interface groups to firewall rules and port forwarding

  • firewall: add matching behaviour indicator for floating rules (contributed by Fabian Franz)

  • firewall: make quick matching behaviour the default for floating rules

  • firewall: fix spurious error when migrating alias from one interface to the next

  • firewall: sort alias listing for better overview

  • firewall: fix header alignment for schedule repeat section

  • firmware: added display of major announcements on the firmware page

  • firmware: added reinstall / (un)lock buttons for installed packages

  • firmware: added plugin listing to page with install / remove buttons

  • firmware: restructured the backend and improved its resilience

  • firmware: show the download size of the pending update in the update check response

  • firmware: added update verification signature for the upcoming 16.1 release series

  • captive portal (devel): fix text of two help messages (contributed by Fabian Franz)

15.7.23 (December 23, 2015)

As the end of the year 2015 is nearing, we push one last update. And it’s been a hell of a year! This is actually the 49th official update we’re releasing, so that gives you an idea of how serious we were about “once a week”. The major upgrade 16.1 is around the corner as well, although major is a bit of a stretch: the main reasons for calling it 16.1 are the all-new captive portal and FreeBSD 10.2. But that’s not the point. Here it is…

We would like to thank everyone for their resounding support through good and bad times, for lively discussions, outside contributions and all the encouragement we’ve received. We’ve set a reasonable pace for progress within our project and we will certainly keep it up for 2016. That’s the least we can do for you. After all, we do like to think we’ve built a little family.

Here are the full patch notes:

  • ports: bind 9.10.3-P2 [1], python 2.7.11 [2], openvpn 2.3.9 [3]

  • traffic shaper: page is now properly translated (contributed by Fabian Franz)

  • system: all remaining pages in this section have been reworked for clarity

  • logs: split up the old VPN multi-log page into their respective parts (L2TP, PPTP, PPPoE)

  • logs: added filtering option to all logs that previously missed it

  • certificates: now supports different extensions (Key Usage, Subject Alternative Name) and usage types

  • dhcp: allow commas in advanced DHCP client options (contributed by Simon van der Linden)

  • firewall: add direction indication icon to floating rules

  • firewall: lock port numbers on protocols that are not TCP/UDP

  • firewall: fix apply button on outbound NAT page in translation mode

  • traffic shaper: add TCP ACK/non-ACK matching options

  • proxy: two fixes for non-local authentication

15.7.22 (December 09, 2015)

So here are OpenSSL 1.0.2e and LibreSSL 2.2.5, finally! 15.7.22 itself is only tweaks and minor fixes. We take it as a good sign that there were no “oh no what did you do to the menu” complaints in the past week. Nobody missed the RRD graphs either. You guys are really cool.

The root cause for the filter reload timeout reports that some of you encountered in 15.7.19 has finally been found. The function filter_generate_optcfg_array() could be called hundreds of times in a single filter reload while only providing static interface data to the callers that did not change over the runtime of the reload. At some point it must have gotten so slow that a caching mechanism was added around the function, which caused the function’s output to get stuck, causing the initial bug report. Now it’s as fast as ever and glitch-free.
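
The failure mode described above, modelled as an added example (it is not OPNsense code): the same rule set is reloaded with a per-rule collector, with a never-invalidated cache, and with one snapshot per reload. All names are hypothetical; `collect_interfaces()` stands in for the role the text gives to filter_generate_optcfg_array(), and the rule text is a simplified stand-in for real filter rules.

```python
"""Model of the filter reload caching bug (illustration only, hypothetical names)."""


class Firewall:
    def __init__(self, config):
        self.config = config        # live configuration: interface name -> address
        self.collect_calls = 0      # how often the expensive collector ran
        self._stuck_cache = None    # process-lifetime cache used by the buggy variant

    def collect_interfaces(self):
        """Expensive in a real system; its result is static during one reload."""
        self.collect_calls += 1
        return dict(self.config)

    @staticmethod
    def _render(rule, interfaces):
        action, iface, port = rule
        return f"{action} in on {iface} to {interfaces[iface]} port {port}"

    def reload_naive(self, rules):
        """Variant 1: every rule collects the interface data again (slow, correct)."""
        return [self._render(rule, self.collect_interfaces()) for rule in rules]

    def reload_stuck_cache(self, rules):
        """Variant 2: a cache that is never invalidated (fast, but output gets stuck)."""
        rendered = []
        for rule in rules:
            if self._stuck_cache is None:
                self._stuck_cache = self.collect_interfaces()
            rendered.append(self._render(rule, self._stuck_cache))
        return rendered

    def reload_snapshot(self, rules):
        """Variant 3: collect once per reload and pass the snapshot to all callers."""
        snapshot = self.collect_interfaces()
        return [self._render(rule, snapshot) for rule in rules]


def demo():
    """Reload twice with a LAN renumbering in between; report cost and freshness."""
    rules = [("pass", "lan", port) for port in range(200)]  # constructed rule set
    results = {}
    for name in ("reload_naive", "reload_stuck_cache", "reload_snapshot"):
        fw = Firewall({"lan": "192.168.1.1", "wan": "203.0.113.10"})  # constructed
        reload_rules = getattr(fw, name)
        reload_rules(rules)
        fw.config["lan"] = "10.0.0.1"   # configuration changes between reloads
        second = reload_rules(rules)
        results[name] = {
            "collect_calls": fw.collect_calls,
            # True when the second rule set reflects the new LAN address
            "fresh": "10.0.0.1" in second[0],
        }
    return results


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(variant, outcome)
```

The stuck-cache variant is the cheapest but keeps emitting rules for the old address after the change, which is the kind of stale output a firewall cannot afford; the snapshot variant costs one collection per reload and stays correct.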

Here are the full patch notes:

  • dhcp: show lease description in status pages if available (contributed by Frank Wall)

  • firewall: improve and align display of RFC 1918 and IANA rules (contributed by Manuel Faux)

  • firewall: fix hover cursor on the filter log page (contributed by Manuel Faux)

  • firewall: show implicit IPv6 block rule if enabled in system settings (contributed by Manuel Faux)

  • firewall: extend pfInfo to show active rules (contributed by Manuel Faux)

  • unbound: fix JS to enable/disable interface selector (contributed by Manuel Faux)

  • unbound: fix starting of unbound via service status page (contributed by Manuel Faux)

  • proxy server: allow authentication against all available authentication servers

  • universal plug and play: fix read/write on the settings page

  • interfaces: break device configuration pages out of interface assignment section

  • backend: optimise filter reload to not collect overall interface information more than once

  • backend: reapply the cache removal in light of the filter reload fixing

  • backend: trigger config daemon templates on bootup

  • backend: throw error when attempting to trigger a nonexistent template

  • ports: curl 7.46 [1]

  • ports: openssl 1.0.2e [2]

  • ports: libressl 2.2.5 [3]

  • ports: squid 3.5.12 [4]

  • ports: lighttpd 1.4.38 [5]

15.7.21 (December 04, 2015)

Back in September we started to work on the excessive GUI padding and dispersed menu structure in order to get to a slick and clean page layout. We’ve transformed tab navigation into submenu items, pulling similar items together into one single category, adding distinctive icons as a highlight and anchor point. We’ve come to like it so much that we can’t wait for 16.1 to merge it in, so here it is for everyone to enjoy. Work in this area will continue in tiny pieces as we go along. Send us feedback, let us know what we can push even further.

15.7.21 brings updates to some of the most important ports and RRD frontend pages have been completely removed. Unfortunately, we couldn’t squeeze in OpenSSL and LibreSSL at this point, but will follow up as soon as both of them are available.

Here are the full patch notes:

  • ports: phalcon 2.0.9 [1]

  • ports: php 5.6.16 [2]

  • ports: suricata 2.0.10 [3]

  • ports: openldap 2.4.43 [4]

  • ports: strongswan 5.3.5 [5]

  • menu: removed tab navigation in favour of submenu items

  • menu: removed the status and diagnostics from the top menu

  • menu: made the menu smaller and added distinctive icons

  • menu: order interfaces by their descriptive name

  • layout: removed several paddings and spurious borders

  • rrd: removed the graphing frontend to complete our switch to System Health

  • rrd: moved remaining settings to System: Settings: Logs / Reporting

  • logs: can now narrow search using individual keywords separated by whitespace

  • logs: added a raw firewall view as a default page instead of having a setting for it

  • logs: ppp log messages won’t show up in the system messages anymore

  • universal plug and play: reworked settings page for clarity

  • gateways/routes/users: reworked all pages for clarity

  • settings: reworked admin access and general section for clarity

  • settings: password authentication and permit root login settings changes did not trigger an immediate sshd restart

  • ipsec: remove use of reqid in config

  • ipsec: fix ESP/AH options on multiple phase2 entries

  • ipsec: fix algorithm selection in phase1 and phase2

  • ipsec: properly handle status error when ipsec is not enabled

  • ipsec: subnet selection can now extend beyond 24 bits

  • ipsec: make NAT type configurable for phase2 (contributed by Frank Wall)

  • layout: updated to jQuery Bootgrid v1.3.1

  • language: many translations added (contributed by Frederic Lietart and Fabian Franz)

  • config: improve the session handling to ensure a responsive GUI

  • ntp: gps settings now work with translations and properly reselect the configured device

15.7.20 (November 25, 2015)

Today we proudly present to you 15.7.20, which includes several improvements and fixes in all areas. Notable from a development perspective is the opnsense-bootstrap tool, which can install the latest OPNsense version on FreeBSD 10.1. Additionally, the development branch offers a sneak preview of Suricata in true IPS mode! Instructions on how to test it can be found in the forum [9].

Here are the full patch notes:

  • src: fix kqueue write events never fired for files greater than 2GB [1]

  • src: remove obsolete locking primitives IFA_LOCK() / IFA_UNLOCK()

  • src: enable netmap(4) driver support in the kernel

  • src: merge stf(4) driver modifications from pfSense [2]

  • ports: squid 5.3.11 [3]

  • ports: strongswan 5.3.4 [4]

  • ports: choparp 20150613 [5]

  • ports: libxml 2.9.3 [6]

  • ports: pkg 1.6.2 [7]

  • ports: opnsense-bootstrap, the infamous installer that works on stock FreeBSD [8]

  • intrusion detection: ignore json parse errors in eve log file

  • intrusion prevention (development): added Suricata 2.1beta4 in inline mode [9]

  • interfaces: reverted cache removal due to multiple speed regressions reports

  • backend: send timeouts with proper description to syslog

  • openvpn: fix auth server selection for translations

  • filter: make the status reload page provide better debug info

  • interfaces: fix mobile carrier selection on main interface edit page

  • interfaces: unify release/renew/connect/disconnect buttons in status page

  • dashboard: show cell mode for ppp if available

15.7.19 (November 13, 2015)

Time for the weekly update. :)

15.7.19 is a smaller maintenance release with a backend switch for IPsec reporting and a couple of minor fixes. With the help of the community, we’re also improving the consistency of the GUI translation with more commits already in the works.

Notable from a development version perspective are the API authentication and the revived voucher support for our new captive portal. This means two more roadmap items already finished for 16.1.

Here are the full patch notes:

  • ports: sudo 1.8.15 [1], sqlite 3.9.2 [2]

  • aliases: make url tables useable

  • interfaces: fix faulty GUI caching issues [3]

  • ipsec: obey force nat traversal

  • ipsec: switch status page and widget from deprecated SMP to VICI interface for reliable output

  • ipsec: fixed remote network input validation

  • status: show more raw ipfw info in the commands section

  • config: don’t use notices in early/low level code

  • languages: a large number of old and new strings is now being properly translated (with contributions from Franz Fabian and Frederic Lietart)

  • languages: translation strings no longer use obfuscated argument reordering by default

  • languages: updated German and French to a newer version from translate.opnsense.org

  • captive portal (development): added a new voucher implementation

  • api (development): added API key authentication mechanism [4]

15.7.18 (November 04, 2015)

It took a while to track down an NTP regression with FreeBSD that turned out to be a flaw in the kernel itself. That’s now fixed for all FreeBSD versions. Thanks everyone for helping out here again. :)

This update brings quite a few fixes, especially with regard to VMware and Xen virtualisation plugins. If you are in need of such plugins for seamless guest support the installation is quite painless:

# pkg install os-vmware
# pkg install os-xen

In case of VMware, the masterplan is that vmx network devices will be persistent after reboot so that such devices can be embedded into the config.xml. Let us know how that works for you guys. Needless to say, we’ll keep working on making plugins accessible through the GUI with our next major version that is 16.1.

We’ve also been working on ironing out further IPsec hiccups and adding more features to the captive portal in the development version. Oh, and this: fresh images based on 15.7.18 will be available a couple of days after this release.

Here are the full patch notes:

  • plugins: updated the VMware plugin to support early boot for persistent vmx(4) device access

  • plugins: added the Xen plugin for automatic guest support

  • openvpn: fix server not saving interface without IP

  • crash reporter: remember email for continuous feedback

  • crash reporter: Suhosin PHP module no longer triggers crash reports

  • crash reporter: fixed 10 assorted crash reports

  • languages: fix all apply button prompts for non-English translations

  • languages: updated German and French via https://translate.opnsense.org

  • backend: added simple plugin hooks for boot up, early boot up and shutdown

  • GUI: hooked up the authentication backend rewrite

  • dhcp: remove illegal ifconfig tag in custom dhclient script

  • virtual ips: make subnet selectable on ipalias

  • ipsec: flip ipv4/ipv6 subnet options in phase2

  • ipsec: fix issue when using both tunnels and roadwarrior

  • ipsec: listen to disabled ipsec nat entries

  • ipsec: do not overwrite settings for rekey/reauth

  • proxy: fix error on saving special URL characters

  • aliases: fix missing url table items

  • aliases: hide minus when not applicable

  • ntp: don’t trigger set_gps_default on page load

  • captive portal (development): clean rewrite of RADIUS authentication/accounting

  • captive portal (development): added a session overview feature to the new

  • captive portal (development): fixed template download file name in Google Chrome

  • src: Implement pubkey support for pkg(7) bootstrap [1]

  • src: rpcbind remote denial of service [2]

  • src: Applications exiting due to segmentation violation on a correct memory address [3]

  • src: tzdata updated to 2015g [4]

  • ports: ntp 4.2.8p4 [5]

  • ports: pkg 1.6.1 [6] [7]

  • ports: sqlite 3.9.1 [8]

  • ports: suricata 2.0.9 [9]

  • ports: php 5.6.15 [10]

15.7.17 (October 20, 2015)

So this is 15.7.17 with a couple of neat things under the hood: AES-NI is now supported by both LibreSSL and OpenSSL. Other than that only minor fixes went in along with the latest version bumps for cURL, Squid, Unbound and (of course) LibreSSL.

The development version has more things happening: we’ve reorganised the menu to get rid of the “Status” and “Diagnostics” section, updating layouts and minimising padding of the bootstrap theme. And that’s not all, because we’re also replacing the old captive portal! The new captive portal can already be tested and will receive more features as we near version 16.1. Let us know what you think.

Here are the full patch notes:

  • ports: both LibreSSL and OpenSSL now support AES-NI acceleration

  • ports: curl 7.45 [1], squid 3.5.10 [2], unbound 1.5.5 [3], libressl 2.2.4 [4]

  • layout: bumped font awesome to 4.4

  • dhcp: dhcpd leases did not always reload dhcpleases daemon

  • openvpn: fix Strict User/CN matching checkbox behaviour

  • ipsec: fix tunnel identification when using NAT

  • dns filter: add OpenDNS IPv6 servers

  • dns resolver: fix apply glitch that would blank the settings temporarily

  • log files: search is now case-insensitive

  • firmware: improved reboot detection feedback

  • crash reporter: improved wording as reports without contact info may be hard to fix

  • virtual ip: fix possible apply glitch with new VIP

  • synchronisation: do not error on target down, log it instead

  • languages: French is at 35% and German is at 65% complete now

  • development: the captive portal has been replaced with a newly implemented variant based on our MVC standards – if you still want to use the old one please use the release package instead (although any feedback for the new captive portal is greatly appreciated)

15.7.16 (October 10, 2015)

We’ve spent three great days in Nuremberg at it-sa, thanks to everybody who dropped by.

Originally we wanted to push out 15.7.16 earlier, but faced an interesting challenge with the latest FreeBSD package manager version update. To that end, we are probably going to release new images for 15.7.17 with the new package manager included just to make sure we can retain a clean and flat upgrade process even for the images. But fear not, online upgrades are still working as expected.

Speaking of releases and images, we’ve had recent feedback about what we call releases that do not necessarily offer images. We do this because in a weekly update cycle it is far too complicated to bundle verified images. The versioning scheme does not reflect this at the moment, but we’ve had similar intentions when we moved away from the old 15.1 scheme. Long story short, we will try to make this more clear in the future. The preferred method of installation is via the latest available image that should be upgraded immediately after installation.

Since the build tools are open, it’s not a particular problem to build a newer version yourself. If you require one that comes directly from us, just let us know so we can help with your specific use case. Last but not least, here are the full patch notes:

  • ports: phalcon 2.0.8 [1], php 5.6.14 [3]

  • unbound: improved DNS rebind protection

  • traffic shaper: improved description field validation

  • wizard: bring back missing files

  • captive portal: redirect after successful RADIUS login

  • health: fix reading of ntpd RRD data

  • config manager: fix revert and delete in translations

  • config daemon: don’t pass stderr on script output call

  • languages: German now 64% complete

15.7.15 (September 30, 2015)

We hope you guys are having a good week? Because if not we have a treat for you: the wait for System Health [1] is finally over and the best part is that it’ll just work with your previously collected RRD data. :) We kindly ask you to provide feedback via the usual channels in order to make it even better. There’s still a lot of time till 16.1 hits the shelves, so to speak.

This is a rather small maintenance release with a handful of fixes. The things that pop out are StrongSwan 5.3.3 [2] as well as the menu now being correctly translated when selecting a different language. And, BTW, behind the scenes we’re just now opening up our translation server that’ll make it even easier to contribute to language translations in the future.

Here are the full patch notes:

  • health: added feature to browse RRD data in a modern way

  • notable ports updates: strongswan 5.3.3

  • logs: added proxy server access log and updated the layout

  • users: fixed ldap import warning when no users could be found

  • dhcp6: fix IPv6 grabbing with PPPoE

  • openvpn: fix TLS auth enable behaviour in client settings

  • firewall: fix missing log option in save form

  • firewall: fix missing interface address in NAT page

  • firmware: sped up package queries and added package size column

  • wizard: multiple fixes and security improvements

  • menu: now properly translates into the selected language

  • traffic shaper: unload ipfw rules on disable

15.7.14 (September 22, 2015)

Originally, we wanted to make 15.7.14 as boring as possible, but now we are shipping our major firewall section rework on top of intricate configuration management fixes instead. We should also note that the former improved configuration imports from older systems. Be sure to let us know when you find any issues with these changes.

From the third-party and/or security side not much has happened recently. We are shipping the latest Bind and Squid, for details see the provided links. Here are the full patch notes:

  • config: do not set login auto-complete on factory reset

  • config: fix faulty timezone on factory reset

  • config: improve config migration path for legacy config imports

  • config: new home in system section for the config history and backups

  • config: improved the config history differential view

  • notable port upgrades: bind 9.10.3 [1], squid 3.5.9 [2]

  • firmware: added Supranet Communications mirror (Middleton, US)

  • firewall: reworked rules, schedules, virtual ip, nat and aliases pages

  • users: removed special handling of the “all” group

  • crash reporter: fixed 9 minor problem reports

  • wireless: only advertise supported modes of operation

  • system: fix theme selection for user-added themes

  • menu: fix expand on all interface edit pages

  • ntp: improve service status probing

  • diagnostics: fix authentication tester to work in conjunction with translations

  • languages: added French translation (33% complete)

  • languages: updated German translation (57% complete)

15.7.13 (September 15, 2015)

15.7.13 is a short GUI-only update since we’ve seen frequent validation errors in our crash reports. We’ve fixed that ahead of schedule and also push a larger under-the-hood preparation of the coming firewall section and menu rework while at it. Exciting stuff coming soon. :)

Here are the full patch notes:

  • diagnostics: added real backend code leading to upcoming privilege separation for pfInfo, pfTop, States and Tables pages

  • dynamic dns: introduce constant naming away from “DynDNS” or “DDNS”

  • gui: fix numerous typos spotted by our relentless translators

  • gui: fixed validation errors in new components

  • gui: removed partial shadow from active tab

  • ipsec: fixed missing redirect after apply

Stay safe, Your OPNsense team

15.7.12 (September 12, 2015)

The vacation time is over for most of us, and so we do roll on into what is going to be a busy autumn. As we haven’t had a release in 2 weeks a longer list of changes has accumulated. Most prominently, we have a security advisory for FreeBSD that may allow privilege escalation on amd64 architectures. More security-related updates are available for LibreSSL, Bind and PHP.

We’ve also been able to iron out the few IPsec configuration problems left related to the page rewrite thanks to relentless testing by Frank Wall and others. We appreciate any help in doing the same for the new Firewall pages we have staged in our development version [12] . Here is the full list of changes:

  • src: local privilege escalation in IRET handler [1]

  • src: disable ixgbe(4) flow-director support [2]

  • src: insufficient check of unsupported pkg(7) signature methods [3]

  • ports: libressl 2.2.3 [4] , bind 9.10.2P4 [5] , openldap24-client 2.4.42 [6]

  • ports: radvd 1.15 [7] , lighttpd 1.4.37 [8] , squid 3.5.8 [9]

  • ports: php 5.6.13 [10] , php-suhosin 0.9.38 [11]

  • dhcp: use reverse mask instead of reverse address in config

  • dns resolver: honour log verbosity toggle

  • ssh: remove ssh1 key from generating, it is no longer supported in openssh

  • filter: remove the unused snort2c table from generated rules

  • xmlrpc: properly regenerate /etc/hosts on sync

  • openvpn: fix TLS authentication option reset

  • ipsec: proper redirect after apply in mobile tab

  • ipsec: fix behaviour of enable rekey and enable reauth

  • ipsec: only suffix connection number with sequence with multiple entries

  • ipsec: fix diagnostics to be able to connect multi phase2 IKEv1 entries

  • ipsec: fix Call to undefined function filter_configure()

  • dashboard: traffic graph highlights are now branded in orange

  • theme: render dropdown boxes a bit better

  • theme: partial fix for wrapped tab display

  • crash reporter: fix spurious crash report after actual submission

  • crash reporter: assorted fixes for warnings and errors in the code

  • crash reporter: improve submit/dismiss button layout

15.7.11 (August 27, 2015)

As we’ve had a couple of pending issues that needed addressing before we push out new images, we’ve wrapped up 15.7.11 just now.

Here are the full patch notes:

  • dns resolver: switch unbound to use libevent to address “too many fds” log message

  • firmware: os-update package was renamed to opnsense-update so “os-” can be our plugin prefix

  • firewall: fix alias page not being available due to a dirty config.xml sample entry

  • ipsec: fix pages throwing warnings due to a dirty config.xml sample entry

  • ipsec: fix hash algorithm and protocol settings behaviour

  • openvpn: honour TLS authentication disable

  • themes: fix theme selection fallback not working in new components

  • diagnostics: unhide routing table headers


15.7.10 (August 25, 2015)

15.7.10 is here with a larger number of third party updates as well as a security advisory for FreeBSD. Otherwise it’s relatively silent as we are still busy reworking the firewall section pages like we did with OpenVPN and IPSec recently.

We’ve also bumped the crash reporter into the system section as a tool to generate custom reports, delivering the shortest possible path to get in touch with us regarding bugs or other quirks that do not automatically generate a report. We are totally happy with the way you guys have already embraced the reporter and wish to see even more usage of it. It has helped us to identify issues and ship fixes a lot quicker.

Here are the full patch notes:

  • src: Multiple integer overflows in expat (libbsdxml) XML parser [1]

  • src: bumped tzdata to 2015f [2]

  • ports: curl 7.44.0 [3] , ca_root_nss 3.20, openssh-portable 7.1p1_1 [4] , sqlite 3.8.11.1 [5] , phalcon 2.0.7 [6] , pcre 8.37_4 [7]

  • crash reporter: create custom reports on demand

  • certificates: ca generation issues with recent LibreSSL

  • dns resolver: switched to ports-based Unbound (1.5.4) as per FreeBSD handbook

  • menu: moved the crash reporter to system category for visibility

  • menu: added hot-plugging support for upcoming plugins

  • acl: added hot-plugging support for upcoming plugins

  • ipsec: fix faulty behaviour on configuration changes

  • console: switched halt and reboot numbering

  • languages: bring German to 51% completed

  • graphs: remove obsolete CPU graph pages

15.7.9 (August 19, 2015)

What’s up! We are about to release new images to put a stake in the ground following roughly 500 commits since 15.7 was released in early July. FreeBSD 10.2 is around the corner, which makes this all the more important. First tests look promising, but it’ll have to wait a few more weeks to hopefully get rid of more custom patches and thorough testing. We’ve also made progress with nano-style images to improve interoperability between different media types. Images are scheduled to be released shortly after 15.7.10 for said release.

With that in mind, 15.7.9 is a maintenance release which only addresses our code before we make a bigger leap forward. Focus has been to improve firmware upgrades and crash reporter, all OpenVPN and IPSec configuration pages and a fix for recent LibreSSL flavours not wanting to generate certificates.

These are the full patch notes:

  • firmware: functional rework of update fetch and install, show reboot needed in alert box

  • interfaces: fixed spurious truncated interface names from showing up in the assignments

  • intrusion detection: improved rule select/deselect behaviour and alert querying

  • firewall/rules: fix missing apply button when another language is being used

  • crash reporter: multiple fixes, layout and submission improvements

  • firewall/logs: can now filter using IP version

  • firewall/nat: add anti-lockout rule for redirection

  • certificates: fix generation for LibreSSL flavour

  • openvpn: allow advanced settings for all server types

  • openvpn: reworked all configuration pages (especially client export)

  • ipsec: reworked all configuration pages

Stay safe, Your OPNsense team

15.7.8 (August 12, 2015)

While we do hope everyone is enjoying their summer vacation we’re rolling out a larger update due to multiple issues with FreeBSD and third party programs. We also have a feature that our community has been yearning for: the transparent proxy!

This time around, we took extra care with our development version and let features simmer there until they are fully ready to be rolled out. We already have VPN configuration improvements and firmware upgrade eye candy staged in the current development package. Join our forum to find out more:

https://forum.opnsense.org/

Here are the full patch notes:

  • src: shell injection vulnerability in patch [1]

  • src: routed remote denial of service vulnerability [2]

  • ports: dnsmasq 2.75 [3] , squid 3.5.7 [4] , openvpn 2.3.8 [5]

  • ports: libressl 2.2.2 [6] , lighttpd 1.4.36 [7] , php 5.6.12 [8]

  • ports: pcre 8.37_3 [9] , pkg 1.5.6 [10] , expat 2.1.0_3 [11]

  • dns resolver: improve bootstrapping of root directory to ensure service startup

  • firmware: fix handling of sample mirror file

  • firmware: added a mirror for China

  • firewall: always provide a sample bogons file for IPv6

  • firewall: avoid blocking dhcpv6 on WAN via bogons

  • menu: added 3 direct links to subpages

  • crash reporter: weekly batch of PHP warnings purged from the codebase

  • logs: reworked the firewall log summary page (yum, pie charts)

  • intrusion detection: fix query for empty result

  • intrusion detection: fix validation on new entries

  • proxy: added transparent proxy knob

15.7.7 (August 05, 2015)

This week’s 15.7.7 is a subtle maintenance release to wrap up remaining issues that came in via crash reports since 15.7.6.

Furthermore, we are not aware of any security issues in third party software.

Here are the full patch notes:

  • interfaces: VLAN on top of LAGG now correctly overrides flags on the actual parent interfaces

  • system: added firmware crypto flavour and mirror selection to general settings

  • logs: add missing prototype.js to fix pie charts display (contributed by Chong Cheung)

  • languages: updated German (42% complete) and Japanese (80% complete)

  • crash reporter: fixed assorted minor coding errors/warnings

  • system: improved LDAP bindings and user import (including fixes by Christian Schonberg)

  • proxy: added option to ignore subnets from getting into the access log

  • proxy: fixed automatic startup on /var MFS

  • intrusion detection: fixed automatic startup on /var MFS

  • menu: fix collapse/expand for DHCP (contributed by Chong Cheung)

  • menu: added logout option to user menu

Stay safe, Your OPNsense team

15.7.6 (July 31, 2015)

This is 15.7.6 due to several security advisories for FreeBSD as well as OpenSSH and Bind problems. Reference links are provided for external issues as always. More crash reports came in for issues that date back as much as a few years, long before we started OPNsense. We are very happy for the chance to finally flush them out of the code base.

The update requires a reboot. Here are the full patch notes:

  • src: shell injection vulnerability in patch(1) [1]

  • src: resource exhaustion in TCP reassembly [2]

  • src: OpenSSH multiple vulnerabilities [3]

  • ports: phalcon 2.0.6 [4] , openssh 6.9p1 [5] , bind 9.10.2P3 [6] , dnsmasq 2.74 [7]

  • opnsense-update: can now replace mirror locations

  • crash reporter: fixed numerous remotely-submitted warnings and bugs

  • universal plug and play: fixed concurrent enable for UPnP and NAT-PMP (contributed by Chong Cheung)

  • intrusion detection: reload general settings after download

  • intrusion detection: revised rule and ruleset toggle

  • firmware: better upgrade reboot detection

  • proxy: fix service start when IPv6 was disabled via system settings

  • system: revised the VLAN acceleration disable option to properly unset the interface flags

15.7.5 (July 28, 2015)

First of all thanks to everyone who has been using the crash reporter in the last few days. It’s helped us tremendously in tracking down faulty code bits that were invisible prior to 15.7.4. In order to keep the reports fresh we’re hereby pushing out 15.7.5 a bit earlier than usual.

No third-party code will be updated; no reboot necessary. Here are the full patch notes:

  • menu: fixed expand/collapse behaviour on subpages

  • ipsec: fix a bug that prevented using a CARP address

  • crash reporter: 200 reports helped to identify and fix 23 unique issues

  • crash reporter: add dmesg.boot to files to be submitted

Stay safe, Your OPNsense team

15.7.4 (July 24, 2015)

Another week it is, this time with a rather exciting TCP state fix in the FreeBSD kernel. We’ve also taken the time to work through most of the code base to eradicate code warnings and now enable them by default in the crash reporter. We’re half-expecting another stable update early next week just to make sure your infrastructure keeps running as smoothly as possible.

Here are the full patch notes:

  • updated sudo 1.8.14p3 [1] , pcre 8.37_2 [2] , and FreeBSD 10.1-RELEASE-p15 [3]

  • firmware: fix upgrade when using opnsense-devel package

  • proxy: fix config write for multiple interfaces

  • crash reporter: raise PHP log level to warnings after an extensive cleanup

  • dashboard: made widgets translatable (contributed by Fabian Franz)

  • firewall logs: usability improvements (contributed by Fabian Franz)

  • languages: Simplified Chinese 64% complete

  • languages: German 40% complete

  • menu: fixed navigation for PPPoE edit

15.7.3 (July 17, 2015)

This is a quick 15.7.3 to address the recently released PHP 5.6.11 as well as small fixes and further firmware experience improvements. We’ve also taken the time to refine our version 16.1 road map items for you to review and discuss:

https://opnsense.org/about/road-map/

The full list of changes is as follows:

  • ports: php 5.6.11 [1] , pkg 1.5.5 [2] , ca_root_nss 3.19.2, phalcon 2.0.5 [3] , isc-dhcp42-server 4.2.8_1 [4]

  • backup: fix infinite reboot loop on interface mismatch

  • firmware: show locally installed packages

  • firmware: reboot dialog now responsively redirects when the system is back up

  • dashboard: upgrade link now directly launches into the firmware upgrade

  • dashboard: added a system log widget (contributed by Sascha Linke)

  • languages: merged German translation progress (contributed by Fabian Franz)

  • xmlrpc: fix sync of static routes

  • bogons: fix overwrite-on-upgrade bug

That’s all for now. Really.

15.7.2 (July 10, 2015)

It’s us. Again. Following the recent OpenSSL announcement of CVE-2015-1793 we are pushing out 15.7.2 earlier than expected. It is notable that FreeBSD 10.1 as well as LibreSSL are not affected. However, if you are running OPNsense with OpenSSL you should upgrade immediately. Services are not restarted automatically, so a reboot is advised but not mandatory. Please take a responsible course of action.

Here are the full patch notes:

  • notable ports updates: phalcon 2.0.4 [1] , libressl 2.2.1 [2] , openssl 1.0.2d [3]

  • opnsense-update: can now switch from/to LibreSSL/OpenSSL on the fly (needs root shell for now)

  • ssh: work around a shutdown bug that prevents other users from logging in (requires a reboot if used)

  • console: allow the root menu to run one-shot shell commands too

  • console: clean up the version advertisement in the banner

  • dashboard: colour hostap wifi as green when up

  • backup: do not redirect on interface mismatch, reboot right away instead

  • system: migrated /var and /tmp memory disks to tmpfs (requires a reboot if used)

  • proxy: fix the startup when used on a /var memory disk (requires a manual start after boot)

  • intrusion detection: fix the startup when used on a /var memory disk (requires a manual start after boot)

  • intrusion detection: enable the uricontent keyword for the ET ruleset

15.7.1 (July 08, 2015)

We hope you guys are doing well. We are certainly happy with our first production release out in the open. :) Now that that’s taken care of, we have the opportunity to introduce stable branches for 15.7.x, with this week’s 15.7.1 as the first of many.

Squid and Bind have CVE-related fixes. Otherwise, only minor fixes and improvements went into this release. If you are being affected by the DHCP server startup issue, reboots are necessary in order to fix the root cause. Please follow these steps:

  1. Upgrade to 15.7.1 using your preferred method.

  2. Disable RAM disks in “System: Settings: Misc.” and reboot.

  3. Enable RAM disks in “System: Settings: Misc.” and reboot.

  4. The DHCP server will now start up correctly.

Here is the full list of changes:

  • overall: introducing stable updates for 15.7.x

  • ports: bind910 9.10.2-P2 [1] , freetype2 2.6 [2] , squid 3.5.6 [3]

  • crash reporter: fixed the upload of additional files

  • system: always have a symlink available for /var/db/pkg

  • system: protect sshd against OOM kills

  • system: can now properly select time zones which have a sub-sub-category

  • intrusion detection: switch default interface to WAN

  • menu: added awareness for further routing tabs

  • login: switch off “autocapitalize” and “autocorrect” for username field

  • status: do not scale RRD graphs over 100% of their actual size

  • languages: minor tweaks for the German translation

15.7 (July 02, 2015)

While the summer is hot, we push forward to what now is 15.7 – nicknamed ‘Brave Badger’ – right in front of you. A lot of effort went into this project during the past 6 months, and we dare say it has been worth all of it. We would like to thank our followers and friends and feedback givers and forum lurkers and contributors and doubters and supporters that helped to make 15.7 what it is. We wouldn’t be here without any of you. Thank you.

In itself, 15.7 is a simple upgrade from 15.1.12 which we recommend to everyone. What changes is that development will move to a different branch so that from now on regressions are less likely and therefore stability will increase further. The provided images may also be the only ones for the next 6 months as we are confident in their longevity and the online upgrade path. We have also bumped the LibreSSL flavour to a production-ready state and encourage everyone to try it out. The installer’s import configuration tool coupled with a quick and easy installation can help you move from OpenSSL to LibreSSL and back seamlessly.

The biggest addition is the intrusion detection integration (suricata) as well as new local and remote blacklist options for the proxy server (squid). Security-wise, it has been rather quiet with only a few CVEs in third-party tools. Please see the full patch notes for details and references:

  • kernel: borrowed a dummynet / ipnat patch from m0n0wall to enable symmetric traffic shaping when NAT is involved

  • kernel: fix recurse lock panic for tmpfs in conjunction with unionfs

  • kernel: applied two stable patches that prevent squid from crashing [1]

  • kernel: retired ALTQ support

  • base: sendmail TLS/DH Interoperability Improvement [2]

  • base: improved iconv(3) UTF-7 support [3]

  • base: inconsistency between locale and rune locale states [4]

  • notable ports updates: phalcon 2.0.3 [5] , curl 7.43.0_2 [6] , openssh 6.8p1_8, python 2.7.10 [7] , perl 5.20.2_5 [8] , ntp 4.2.8p3 [9] , libxml2 2.9.2_3 [10] , openldap24-server 2.4.41 [11]

  • opnsense-update: will no longer try to reinstall the installed version after a fresh installation

  • bsdinstaller: bring back cpdup to error out on low memory installation (you need 1 GB of RAM, or work around installation using the nano image)

  • traffic shaper: removed legacy queues support in favour of the new traffic shaper functionality

  • traffic shaper: allow direct enable/disable toggle

  • proxy: fix the initial daemon start on bootup

  • proxy: added LAN as the default interface configuration

  • proxy: local and remote blacklists with regex support

  • intrusion detection: initial release of our IDS GUI based on suricata

  • gateways: monitoring mode gained IPv6 support

  • captive portal: fix idle timeout bug

  • captive portal: do not delete the wrong zone when having multiple configurations

  • captive portal: removed include files from exposed web directory

  • backend: always regenerate users and groups to avoid corruption after an unclean shutdown

  • backend: wait for configd socket to come up to address a startup race issue

  • backend: clean up configd socket on exit

  • backend: fixed regression that prevented user scripts from being started via /etc/rc.conf

  • gateways: only show apinger in services when monitoring is enabled for a gateway

  • languages: brought Simplified Chinese to 49% completed, German to 30% completed

  • universal plug and play: make page invoke static to remove exploitability of the legacy packages framework

  • crash reporter: finally enabled the send button and provided human-readable feedback whether the submission was complete

  • console: added non-interactive interface assignment for headless deployments

  • ssh: disable password authentication on factory reset to align with the standard configuration

  • diagnostics: avoid duplicated calls of gethostbyaddr() in NDP table view

  • users: prompt for old password on password change to prevent account hijacking

  • users: stripped the impossible scponly user privileges since said utility has never been part of our ecosystem

Images can be found on any of our mirrors, but they may take a few hours to sync. The checksums are attached at the end of this announcement for convenience.

https://opnsense.org/download/
