19.7 “Jazzy Jaguar” Series
For four and a half years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
19.7, nicknamed “Jazzy Jaguar”, embodies an iteration of what should be considered an enjoyable user experience for firewalls in general: improved statistics and visibility of rules, reliable and consistent live logging, and alias utility improvements. Apart from the usual upgrades of third-party software to up-to-date releases, OPNsense now also offers built-in remote system logging through Syslog-ng, route-based IPsec, updated translations with Spanish as a brand new and already fully translated language, and newer Netmap code with VirtIO, VLAN child and vmxnet support.
Last but not least we would like to thank m.a.x. it for their sponsorship of the default gateway priority switching feature and their continued work of writing and maintaining plenty of community plugins. This time around, Maltrail, Netdata and WireGuard VPN have been freshly added to the mix.
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.7/
South America: http://mirror.upb.edu.co/opnsense/releases/19.7/
South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.7/
Full mirror list: https://opnsense.org/download/
19.7.10 (January 27, 2020)
As Thursday nears, the last preparations for 20.1 are underway. As a quick relief, here is the End-Of-Life release of the 19.7 series with a tiny number of updates.
Remember that when 20.1 is available it will take up to a day before we release the hotfix with the major upgrade path enabled. Please be patient, as we simply want to ensure that upgrades will not be a bumpy affair. :)
Here are the full patch notes:
firewall: fix a typo in CARP validation
firmware: revoke 19.1 fingerprint
ipsec: add configurable dpdaction (contributed by Marcel Menzel)
mvc: BaseListField ignoring empty selected field
plugins: os-haproxy 2.20 [1]
plugins: os-mail-backup 1.1 [2]
plugins: os-nrpe 1.0 (contributed by Michael Muenz)
plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
plugins: os-vnstat 1.2 [3]
plugins: zabbix4-proxy 1.2 [4]
ports: ca_root_nss 3.49.1
ports: curl 7.68.0 [5]
ports: isc-dhcp 4.4.2 [6]
ports: urllib3 1.27.7 [7]
A hotfix release was issued as 19.7.10_1:
firmware: enable upgrade path to 20.1
19.7.9 (January 09, 2020)
As 20.1 nears we will be making adjustments to the scope of the release with an announcement following shortly.
For now, this update brings you a GeoIP database configuration page for aliases, which is now required due to upstream database policy changes, and a number of prominent third-party software updates we are happy to see included.
Here are the full patch notes:
system: use 825 days as the default maximum certificate lifetime
system: hide leaking hostname on SSH password auth (contributed by sooslaca)
system: remove unused “lifetime” parameter from user manager page
firewall: new GeoIP settings page to allow continued use of upstream database [1]
firewall: log when alias could not resolve a hostname
firewall: translate pfInfo page tabs (contributed by Smart-Soft)
firmware: add mirror MARWAN (Moroccan Academic & Research Wide Area Network)
dhcp: replace killbyname() usage which should not have killed both services
dhcp: auto-replace windows DUID dashes (contributed by Team Rebellion)
mvc: PSR12 code style updates
plugins: os-acme-client 1.29 [2]
plugins: os-bind 1.12 [3]
plugins: os-dyndns must use dyndns_failover_interface() to translate gateway group
plugins: os-frr 1.14 [4]
plugins: os-maltrail 1.3 [5]
plugins: os-nginx 1.17 [6]
plugins: os-nut fixes validation and snmp-ups selection (contributed by Michael Muenz)
plugins: os-theme-cicada 1.24 (contributed by Team Rebellion)
plugins: os-zabbix4-proxy 1.1 [7]
ports: openssh 8.1p1 [8]
ports: openssl 1.0.2u [9]
ports: php 7.2.26 [10]
ports: phpseclib 2.0.23 [11]
ports: python 3.7.6 [12]
ports: strongswan 5.8.2 [13]
ports: sudo 1.8.30 [14]
ports: unbound 1.9.6 [15]
A hotfix release was issued as 19.7.9_1:
firewall: automatic business addition GeoIP feed
19.7.8 (December 18, 2019)
A number of updates, including security and reliability fixes, are inside. Of note are the new elliptic curve certificate creation support and better firmware health check and recovery methods.
We are almost at the point of a 20.1-BETA release with isolated images for early bird testing as a special present at this time of year. Stay tuned. :)
Here are the full patch notes:
system: “Mark Gateway as Down” also means exclude from default gateway selection
system: fix PHP warning on gateways list due to wrong variable scope
system: support elliptic curve TLS certificate creation (contributed by johnaheadley)
system: remove unused current directory PHP include
system: fix XSS in backup page and static menu pages
firewall: use referential integrity check for model data
reporting: improve NetFlow error handling (contributed by Frank Brendel)
dhcp: always add dhcp6.domain-search and dhcp6.name-servers (contributed by maurice-w)
dhcp: fix range check for advanced router advertisement options (contributed by maurice-w)
dhcp: improve help texts for router advertisement modes (contributed by maurice-w)
dhcp: replace defunct IPv6 domain name option with domain search list option (contributed by maurice-w)
dhcp: fix storing advanced IPv6 options
firmware: add “copy to clipboard” button in update text box
firmware: use opnsense-revert in GUI reinstall package case
firmware: when storing installed plugin names remove their development counterparts
firmware: improved health check scope to include direct core package dependencies
openvpn: fix Firefox “nowrap” issue in client export page
backend: improve error handling while configd is either not active or not functional
mvc: route to default page when controller or action not found
mvc: field type refactor and unit tests
mvc: added opt-in referential integrity check for models
mvc: countless PSR12 style updates
mvc: add “NetMaskAllowed” option to validate on single addresses in NetworkField
plugins: os-bind 1.11 [1]
plugins: os-dyndns 1.18 adds Linode support (contributed by Andrew Gunnerson)
plugins: os-freeradius 1.9.5 [2]
plugins: os-frr 1.13 [3]
plugins: os-ftp-proxy style updates only
plugins: os-postfix 1.13 [4]
plugins: os-rspamd 1.9 [5]
plugins: os-theme-cicada 1.23 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.22 (contributed by Team Rebellion)
ports: ca_root_nss 3.48
ports: krb5 1.17.1 [6]
ports: php 7.2.25 [7]
ports: suricata 4.1.6 [8]
ports: unbound 1.9.5 [9]
19.7.7 (November 21, 2019)
Lots of small improvements. Of note is that Eve JSON payload syslog export now works for 4 kb payload blobs. The outdated Google API PHP client was replaced. LibreSSL is now at version 3.0.2. Plus another Intel SA advisory via FreeBSD.
Here are the full patch notes:
system: generate self-signed server certificate for web GUI by default
system: let net.local.dgram.maxdgram default to 8192 bytes
system: spawn Dpinger process in background to avoid hangs
system: switch backup to Google API PHP client v2
system: add interface groups to HA sync
interfaces: remove the “Directly send SOLICIT” option
firewall: fix issue with label parsing when “tag” keyword was involved
firewall: skip empty lines in rule statistics parsing
firmware: add /etc/remote to whitelist, NTP GPS uses it
reporting: empty NetFlow egress default passes validation
reporting: show dialog when RRD is disabled
dhcp: fix for domain-search option in DHCPv6 (contributed by maurice-w)
dnsmasq: fix storing settings when no settings exist yet
intrusion detection: lower payload-buffer-size to prevent syslog size limit
intrusion detection: fix issue with escaped file name during rules download
unbound: exit wrapper when process not running
web proxy: added check on SNI field checkbox (contributed by Northguy)
mvc: fix forceReload()
plugins: os-acme-client 1.28 [1]
plugins: os-bind 1.10 [2]
plugins: os-nginx 1.16 [3]
plugins: os-nut 1.6 [4]
plugins: os-postfix 1.12 [5]
src: fix machine check exception on page size change [6]
src: bump libc syslog line size to 8k
src: import tzdata 2019c [7]
ports: curl 7.67.0 [8]
ports: libressl 3.0.2 [9]
ports: openvpn 2.4.8 [10]
ports: perl 5.30.1 [11]
ports: phalcon 3.4.5 [12]
ports: sqlite 3.30.1 [13]
ports: squid 4.9 [14]
ports: syslog-ng 3.24.1 [15]
19.7.6 (November 01, 2019)
As we are experiencing the Suricata community first hand in Amsterdam, we thought to release this version a bit earlier than planned. Included is the latest Suricata 5.0.0 release in the development version. That means later this November we will be releasing version 5 to the production version as we finish up tweaking the integration and maybe pick up 5.0.1 as it becomes available.
LDAP TLS connectivity is now integrated into the system trust store, which ensures that all required root and intermediate certificates will be seen by the connection setup when they have been added to the authorities section. The same is true for trusting self-signed certificates. On top of this, IPsec now supports public key authentication as contributed by Pascal Mathis.
Here are the full patch notes:
system: hook LDAP TLS support into system-wide trust file
system: fix dpinger custom parameters not being honoured
system: fix PHP core loop fail in tunables overview
system: only allow P12 export if password confirmation matches
interfaces: change PCAP download to binary file stream
firewall: store reference to outbound NAT address instead of literal address
firewall: add log message for scheduled firewall reload
firmware: tie pkg dependency to core
ipsec: allow EC keys for certificate-based secrets (contributed by Martin Strigl)
ipsec: add support for public key authentication (contributed by Pascal Mathis)
openvpn: server wizard existing CA use and server cert check (contributed by johnaheadley)
backend: add run mode to pluginctl using JSON-based output
ui: fix tokenizer reorder on multiple saves, second try
plugins: os-acme-client 1.27 [1]
plugins: os-bind 1.9 [2]
plugins: os-nginx 1.15 [3]
plugins: os-relayd 2.4 fixes protocol option migration (contributed by Frank Brendel)
plugins: os-theme-cicada 1.22 (contributed by Team Rebellion)
ports: ca_root_nss 3.47
ports: php 7.2.24 [4]
ports: python 3.7.5 [5]
ports: sudo 1.8.29 [6]
19.7.5 (October 11, 2019)
Lots of plugin and ports updates this time with a few minor improvements in all core areas.
Behind the scenes we are starting to migrate the base system to version 12.1, which is supposed to hit the next 20.1 release. Stay tuned for more info in the next month or so.
Here are the full patch notes:
system: show all swap partitions in system information widget
system: flatten services_get() in preparation for removal
system: pin Syslog-ng version to specific package name
system: fix LDAP/StartTLS with user import page
system: fix a PHP warning on authentication server page
system: replace most subprocess.call use
interfaces: fix devd handling of carp devices (contributed by stumbaumr)
firewall: improve firewall rules inline toggles
firewall: only allow TCP flags on TCP protocol
firewall: simplify help text for direction setting
firewall: make protocol log summary case insensitive
reporting: ignore malformed flow records
captive portal: fix type mismatch for timeout read
dhcp: add note for static lease limitation with lease registration (contributed by Northguy)
ipsec: add margintime and rekeyfuzz options
ipsec: clear $dpdline correctly if not set
ui: fix tokenizer reorder on multiple saves
plugins: os-acme-client 1.26 [1]
plugins: os-bind will reload bind on record change (contributed by blablup)
plugins: os-etpro-telemetry minor subprocess.call replacement
plugins: os-freeradius 1.9.4 [2]
plugins: os-frr 1.12 [3]
plugins: os-haproxy 2.19 [4]
plugins: os-maltrail 1.2 [5]
plugins: os-postfix 1.11 [6]
plugins: os-rspamd 1.8 [7]
plugins: os-sunnyvalley LibreSSL support (contributed by Sunny Valley Networks)
plugins: os-telegraf 1.7.6 [8]
plugins: os-theme-cicada 1.21 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.21 (contributed by Team Rebellion)
plugins: os-tinc minor subprocess.call replacement
plugins: os-tor 1.8 adds dormant mode disable option (contributed by Fabian Franz)
plugins: os-virtualbox 1.0 (contributed by andrewhotlab)
ports: expat 2.2.8 [10]
ports: ca_root_nss 3.46.1
ports: curl 7.66.0 [9]
ports: openssl 1.0.2t [11]
ports: php 7.2.23 [12]
ports: strongswan 5.8.1 [16]
ports: suricata 4.1.5 [17]
ports: syslog-ng 3.23.1 [18]
ports: unbound 1.9.4 [19]
A hotfix release was issued as 19.7.5_5:
ui: revert fix for tokenizer reorder on multiple saves for now
system: replace services_get() with plugins_services()
system: verbose print on “pluginctl -s” actions
19.7.4 (September 11, 2019)
A wee bit of updates for you… nothing overly exciting. On the other hand, we have updated the roadmap page to include 20.1 if you want to take a closer look [1]. More exciting for sure. :)
Here are the full patch notes:
system: fix legacy remote logging with custom port
system: regenerate CA bundle when modifying trusted authorities
system: fix translation order of tunables description
system: fix CARP maintenance mode bootup
firewall: missing daily refresh on GeoIP type
firewall: fix fetch of GeoIP alias if its name is same as its country
reporting: auto-load required kernel modules for NetFlow
reporting: allow setting NetFlow active/inactive timeout (contributed by Frank Brendel)
captive portal: optimise ipfw rule parsing
firmware: Homelab.no has been superseded by TerraHost mirror (contributed by Thomas Jensen)
unbound: support file-based custom includes
unbound: set absolute path to root.hints (contributed by h-town)
plugins: os-bind 1.8 [2] (contributed by ErikJStaab)
plugins: os-dnscrypt-proxy 1.6 [3] (contributed by ErikJStaab)
plugins: os-etpro-telemetry 1.4 [4]
plugins: os-theme-cicada 1.20 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.20 (contributed by Team Rebellion)
ports: ca_root_nss 3.46
ports: ldns 1.7.1 [5]
ports: pcre2 10.33 [6]
ports: php 7.2.22 [7]
ports: phpseclib 2.0.21 [8]
ports: unbound 1.9.3 [9]
A hotfix release was issued as 19.7.4_1:
captive portal: fix merge conflict in optimisation
19.7.3 (August 28, 2019)
Please enjoy this release with improved CARP utility and a number of smaller fixes and updates for the operating system and third party tools. You can now also toggle logging directly from the rule overview to make debugging easier.
Here is the full list of changes:
system: try all backups for automatic revert when config.xml is damaged
system: do a system reset if all config.xml files are damaged
system: only show tunables reboot hint when applying tunables (contributed by Northguy)
system: use FQDN in system log remote messages
system: add defunct gateways to GUI in disabled state
interfaces: only allow VLAN parents that will work as VLAN parents
interfaces: optionally promote/demote CARP on service status
interfaces: CARP status page report with demotion level to avoid ambiguity
firewall: revert problematic 19.7.2 change “unhide automatic interface-based output rules”
firewall: restore automatic outbound NAT pre-19.7 behaviour which excludes gateways not configured and not dynamic
firewall: add logging toggle to rules overview (contributed by johnaheadley)
firewall: DHCPv6 relay would generate rules even if not enabled
firmware: only do single-repository fingerprint verify defaulting to our OPNsense repository
firmware: fix base and kernel package listing
intrusion detection: show change message after toggle or save
intrusion detection: rule download fix
monit: add parent devices to interface list (contributed by Frank Brendel)
monit: fix standard configuration migration (contributed by Frank Brendel)
reporting: skip illegal NetFlow records in flow parser
opendns: migrate update hook from DynDNS plugin to core to make it fully automatic
backend: fix exception message string handling in Python 3
backend: add help to pluginctl utility
backend: configctl event handler support
mvc: log API key when authentication failed
ui: more consistent HTML (contributed by gisforgirard)
ui: sidebar bug fix (contributed by Team Rebellion)
ui: fix initFormAdvancedUI() on initial load
plugins: os-acme-client 1.25 [1]
plugins: os-bind 1.7 [2]
plugins: os-dyndns 1.17 removes OpenDNS and fixes DyNS
plugins: os-haproxy 2.18 [3]
plugins: os-maltrail 1.1 [4]
plugins: os-nginx log rotation fix (contributed by Fabian Franz)
plugins: os-postfix 1.10 [5]
plugins: os-smart 2.1 fixes widget status and adds NVMe disk support (contributed by nhirokinet and ATL)
plugins: os-theme-cicada 1.19 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.19 (contributed by Team Rebellion)
plugins: os-wireguard 1.1 [6]
src: fix incorrect exception handling in libunwind [7]
src: fix multiple vulnerabilities in bzip2 [8]
src: fix ICMPv6 / MLDv2 out-of-bounds memory access [9]
src: fix insufficient message length validation in bsnmp library [10]
src: fix insufficient validation of guest-supplied data (e1000 device) [11]
src: fix IPv6 remote denial of service [12]
src: fix kernel memory disclosure from /dev/midistat [13]
src: fix reference count overflow in mqueuefs 32-bit compat [14]
ports: hostapd 2.9 [15]
ports: nghttp2 1.39.2 [16]
ports: openldap 2.4.48 [17]
ports: perl 5.30.0 [18]
ports: php 7.2.21 [19]
ports: py-openssl 19.0.0 [20]
ports: syslog-ng 3.22.1 [21]
ports: wpa_supplicant 2.9 [22]
19.7.2 (August 05, 2019)
This update ships the latest FreeBSD security advisories along with several smaller improvements and fixes. Sunny Valley Networks is the first vendor to introduce additional software to the plugin framework in the form of the Sensei plugin.
Here are the full patch notes:
system: missing “<PRI>” in legacy output via Syslog-ng
system: fix writing gateway information for DNS servers
system: allow gateway to work in DHCPv6 WAN when no router solicitation is available
firewall: unhide automatic interface-based output rules
firewall: unhide automatic non-interface-based floating rules
firewall: lift length restriction in NAT rule description
firewall: avoid newlines in rule descriptions
firewall: only show usable addresses in NAT outbound rules
interfaces: fix extended CARP output when parsing interface information
interfaces: add more outputs to overview page to increase usefulness
interfaces: use shared DHCP lease reader for ARP list
captive portal: fix binary read issue in Python 3
dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)
firmware: handle file signature verify correctly with multiple fingerprint repositories
firmware: Aivian mirror is no longer active
firmware: Cloudfence mirror in Brazil added
plugins: os-bind 1.6 (contributed by crazy-max)
plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)
plugins: os-grid_example 1.0 [1]
plugins: os-helloworld Python 3 compatibility [2]
plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)
src: fix panic from Intel CPU vulnerability mitigation [5]
src: fix multiple telnet client vulnerabilities [6]
src: fix pts write-after-free [7]
src: fix kernel memory disclosure in freebsd32_ioctl [8]
src: fix reference count overflow in mqueuefs [9]
src: fix bhyve out-of-bounds read in XHCI device [10]
src: fix file descriptor reference count leak [11]
ports: libevent 2.1.11 [12]
19.7.1 (July 25, 2019)
We do not wish to keep you from enjoying your summer time, but this is a recommended security update enriched with reliability fixes for the new 19.7 series. Of special note are performance improvements as well as a fix for a longstanding NAT before IPsec limitation.
Here are the full patch notes:
system: do not create automatic copies of existing gateways
system: do not translate empty tunables descriptions
system: remove unwanted form action tags
system: do not include Syslog-ng in rc.freebsd handler
system: fix manual system log stop/start/restart
system: scoped IPv6 “%” could confuse mwexecf(), use plain mwexec() instead
system: allow curl-based downloads to use both trusted and local authorities
system: fix group privilege print and correctly redirect after edit
system: use cached address list in referrer check
system: fix Syslog-ng search stats
firewall: HTML-escape dynamic entries to display aliases
firewall: display correct IP version in automatic rules
firewall: fix a warning while reading empty outbound rules configuration
firewall: skip illegal log lines in live log
interfaces: performance improvements for configurations with hundreds of interfaces
reporting: performance improvements for Python 3 NetFlow aggregator rewrite
dhcp: move advanced router advertisement options to correct config section
ipsec: replace global array access with function to ensure side-effect free boot
ipsec: change DPD action on start to “dpdaction = restart”
ipsec: remove already default “dpdaction = none” if not set
ipsec: use interface IP address in local ID when doing NAT before IPsec
web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen
plugins: os-acme-client 1.24 [1]
plugins: os-bind 1.6 [2]
plugins: os-dnscrypt-proxy 1.5 [3]
plugins: os-frr now restricts characters in BGP prefix-list and route-maps [4]
plugins: os-google-cloud-sdk 1.0 [5]
ports: curl 7.65.3 [6]
ports: monit 5.26.0 [7]
ports: openssh 8.0p1 [8]
ports: php 7.2.20 [9]
ports: python 3.7.4 [10]
ports: sqlite 3.29.0 [11]
ports: squid 4.8 [12]
19.7 (July 17, 2019)
These are the most prominent changes since version 19.1:
List automatic firewall rules
Statistics for all firewall rules
Alias JSON import / export
Optional statistics for aliases
Firewall rule locator for live log and automatic rules
Rewritten gateway handling and switching
Remote logging via Syslog-ng
LDAP group sync support
Support certificate signing requests
Route-based IPsec support (VTI)
XMLRPC sync support for alias, VHID, widgets
Unbound host overrides alias support
Web proxy and IPsec authentication using PAM
Parent web proxy support
Web proxy login privilege via group
Improved reliability and utility of opnsense-patch
Dpinger and DHCP servers ported to plugin framework
Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
Spanish as a new language
Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin
Netmap update for VirtIO, VLAN child and vmxnet support
Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4
And here are the full changes against version 19.7-RC1:
system: lower automatic gateway priority for tunnel interfaces
system: only show enabled interfaces on gateway edit
system: speed up console banner interface print
interfaces: typo in default WAN selection for packet capture
interfaces: support multiple interfaces for packet capture
interfaces: fix ambiguity in get_parent_interface()
firewall: restart filterlog with every filter reload
firmware: add update syshook
ipsec: phase2 IP type selector using the wrong class
reporting: fix Insight bug not processing top port and address statistics
ui: window_highlight_table_option() fix for Safari
wizard: improve logo contrast in welcome message
plugins: os-frr redistribute configuration fix (contributed by Cedric Vanet)
plugins: os-intrusion-detection-content-et-pro 1.0.1 now uses suricata-4.0 rulesets
plugins: os-mail-backup 1.0 (contributed by Joao Vilaca)
plugins: os-maltrail 1.0 (contributed by Michael Muenz)
plugins: os-smart 2.0 MVC conversion (contributed by Smart-Soft)
plugins: os-tinc chroot setup with resolv.conf
plugins: os-wireguard 1.0 (contributed by Michael Muenz)
plugins: os-wol 2.2 fixes byte conversion
src: bump netmap ring size, still too small in FreeBSD
src: add FCC6_FCCA regulatory domain to ath_hal(4)
src: restore IPV6_NEXTHOP option support
src: fix privilege escalation in cd(4) driver [4]
src: fix kernel stack disclosure in UFS/FFS [5]
src: fix iconv buffer overflow [6]
src: import tzdata 2019b
ports: ca_root_nss 3.45
ports: filterlog 0.3 will not print to console and lowercase IPv6 protocol output
ports: postfix update is now non-interactive to prevent stalls
ports: rrdtool 1.7.2 [7]
Known issues and limitations:
Web proxy squid update from version 3 to 4 breaks the cache database. To repair go to “Services: Web Proxy: Administration” tab “Support” and click “Reset”.
Web proxy login privilege is no longer available. Access may be restricted by a group selector instead.
Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates.
OpenVPN no longer supports listening on gateway groups. Use localhost paired with port forwards instead.
The public key for the 19.7 series is:
19.7.r1 (July 09, 2019)
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.
Here are the full changes against version 19.1.10:
system: new remote syslog setup via Syslog-ng
system: gateway handling rewrite
system: default gateway switching priority control (sponsored by m.a.x. it [2])
system: dpinger ported to plugin framework
system: bring back PHP warning log level
system: use authentication factory for user import
interfaces: VLAN, bridge, LAGG, GRE, GIF setup refactor
interfaces: improve load sequence to allow DHCPv6 on bridges
interfaces: GIF, GRE, IPsec and OpenVPN will no longer accept IP configuration
interfaces: speed up get_real_interface() by assuming interfaces exist
interfaces: sort interface groups and require rules apply if necessary (contributed by Robin Schneider)
interfaces: background PPPoE connect and disconnect
interfaces: only IP-address allowed in PPP gateway (contributed by Smart-Soft)
interfaces: simplified linking VIPs to interfaces
interfaces: removed interface_has_gateway()
interfaces: removed interface_has_gatewayv6()
interfaces: removed get_failover_interface()
interfaces: removed rc.kill_states
firewall: ability to view automatic rules
firewall: rule origin locator in live log and automatic rules listing
firewall: show statistics for all active rules including automatic ones
firewall: optional statistics for alias tables
firewall: fix translation of shaper mask “none” value
firewall: add ipv6-icmp type selection
firewall: rule listing layout update
reporting: new NetFlow reader in Python 3
reporting: validate that NetFlow WAN interfaces are also added to listening interfaces
dhcp: ported to plugin framework
dhcp: added failover split to DHCPv4 (contributed by Wolfgang Pedot)
dhcp: fix ddnsdomainprimary setting validation
dhcp: added advanced options for router advertisements
dhcp: removed rasend/ranosend checkbox
dhcp: simplify DHCPv4 interface lookup on lease page
dhcp: use AdvDefaultLifetime 0 when default route shall not be advertised
firmware: support reading package repository and origin
firmware: warn on third party package installation
firmware: synchronise update checks to avoid “not responding” errors
firmware: fix empty update list on release type change
images: nano image now supports future-proof number of inodes
installer: support password reset in opnsense-importer
intrusion detection: allow rule action bulk changes
intrusion detection: minor usability improvements
intrusion detection: support eve system log output
openvpn: removed gateway group listening support
openvpn: no longer restart servers on CARP events
openvpn: reduced complexity in service handling
web proxy: replace proxy login privilege “user-proxy-auth” with group selector
backend: ported remaining scripts to Python 3
backend: add helpers.glob() to enable template traversal
backend: new “monitor” hook for rc.syshook
mvc: do not add “none” in AuthGroupField if multiple select
mvc: allow sorting JsonKeyValueStoreField by value
ui: remember previous selected columns and row count on several MVC pages
ui: apply alert reminders for several MVC pages
ui: add failed callback to saveFormToEndpoint()
ui: core theme color update
ui: fix file size suffix (contributed by Fabian Franz)
ui: add useRequestHandlerOnGet option
ui: bootstrap 3.4.1 [3]
src: netmap VirtIO, VLAN child and vmxnet support
src: fix races in tun(4)/tap(4) drivers
ports: squid 4.7 [4]
ports: syslog-ng 3.21.1 [5]
Known issues and limitations:
Filterlog spamming console due to new Syslog-ng integration. Temporary workaround is stopping filterlog via “pkill filterlog”.
OpenVPN no longer supports listening on gateway groups. Use localhost paired with port forwards instead.
The web proxy login privilege is no longer available. Access may be restricted by a group selector instead.
Web proxy squid update from version 3 to 4 breaks the cache database. To repair go to “Services: Web Proxy: Administration” tab “Support” and click “Reset”.
Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates.
The public key for the 19.7 series is:
Please let us know about your experience!