16.1 “Crafty Coyote” Series
No, we would not say it was easy getting here, but booting into 16.1 for the first time sure is as relieving (and exciting) as it could get for our project growing beyond what we had ever imagined. It has been more than a year since OPNsense first came out. Back then it was FreeBSD 10.0. Not even two months after, 10.1 was introduced along with the opnsense-update utility. Today is the day for FreeBSD 10.2, the latest and greatest release currently available for broader driver support and stability improvements.
16.1 is nicknamed “Crafty Coyote” in honour of our beloved childhood TV sessions. It is the accumulation of 6 months of work, having had our focus on reengineering the captive portal, native intrusion prevention, plugin support, and transforming the reporting frontend into something more modern and flexible just to name a few [1]. Apart from the recently published security advisories (see patch notes below), we have included a quick navigation feature which can be activated by pressing (TAB) followed by search keywords and hitting (ENTER) to go to the desired page. Last but not least, a larger batch of improvements and fixes went into assorted sections of the GUI that certainly help to get your work done without ending up dazed and confused.
Speaking of clearing things up, there is more… While Ad, Franco and a couple of amazing external contributors have been busy writing and reviewing code, Jos worked in the shadows to bring to you a fully revised set of project documentation in the form of an online handbook [2]. More content will follow as we slow down development speed a bit in order to catch up. We will have to see how that works out. ;)
Another thing we have noticed is that translations are hard! We had planned to finish a translation for this iteration, but the sheer amount of work overwhelmed even the sizeable German translation team. The German translation is now 77% completed, with Japanese, Chinese and French chasing tails. If you want to help, drop us a line at project@opnsense.org for details on how to contribute.
All images have been pushed as well, although they may take a bit more time to reach a mirror near you. You can find the checksums attached at the end of this announcement.
https://opnsense.org/download/
16.1.20 (July 22, 2016)
We are pushing out 16.1.20 a little earlier than expected to fix a GUI regression that can affect users with IPv6. Sorry about that.
Since this is the last 16.1 series release, the firmware page offers an overview of migration hints for the 16.7 series. We are expecting to be right on schedule, namely July 28. Oh, and by the way, the next release will be called “Dancing Dolphin”.
Here are the full patch notes:
firmware: end-of-life announcement and preparation for 16.7 upgrade
services: fix a missing dependency for the DHCPv6 service probing
Stay safe, Your OPNsense team
16.1.19 (July 21, 2016)
It is time for a last full stable release before we offer our 16.1.20 end-of-life version, which then can be used to upgrade to the 16.7 series.
Most changes presented today were either long-running development additions for 16.7 or small reports that came up during the 16.7-RC testing period. Another prominent fix addresses an issue with sporadic premature captive portal authentication timeouts that one of our awesome forum members helped to debug.
Here are the full patch notes:
ports: suricata 3.0.2 [1], squid 3.5.20 [1], expat 2.2.0 [3], haproxy 1.6.7 [4], bind 9.10.4-P2 [5]
firewall: hide previously selected nested aliases from the autocompletion on alias edit
firewall: fix log view to properly render all of its html
firewall: fix link to IPv6 disable setting on rules screen
firewall: remove CARP restriction of matching interface subnet
interfaces: fix IPv6 subnet bits count on interface status
interfaces: traffic graphs now show more device types
gateways: prevent spurious dynamic default gateways from showing up
gateways: change the creation order of dynamic gateways to allow overriding their settings correctly
firmware: refine ignore of temporary error 500 in GUI during upgrades
firmware: default config has been adapted to set up new style dashboard entries during e.g. factory reset
firmware: validate source and destination entries in NPT
firmware: audited mirror list and disabled non-working entries
services: do not show disabled DHCPv6 server when prefix delegation is not used
services: do not run boot-up routines for proxy server and intrusion detection when disabled
services: fix router advertisements subnet bits save
intrusion detection: improved alert browsing with action filter
proxy server: ACL setup can now include manual pre and post hooks
wizard: fixed alignment of page titles and contents
captive portal: ignore incomplete MAC entries to avoid premature logout of active user
openvpn: fix display of selected CRL in server settings
16.1.18 (June 30, 2016)
Before we get on with the release candidate for 16.7, we are proudly presenting the latest and greatest stable addition to the 16.1 series.
No time to lose, enjoy the summer!
Here are the full patch notes:
system: properly run fsck on boot if needed
system: new Cron page and API now available for general use
system: QR codes are now generated locally in the browser (contributed by Fabian Franz)
system: harden serial config write against power failures
system: allow serial config to attach to all available ttys
system: added missing ACL entry for LDAP user import page
system: reworked log page layout and dependencies
firmware: detach / reattach support for upgrade page
firmware: mirror and flavour selection moved to respective page
interfaces: improvements for 4G devices (sponsored by OSNet.eu [1])
interfaces: debug mode and logging for rtsold in DHCPv6 mode
dhcp: separate pages for router advertisements and service control
dhcp: IPv6 server as a stand-alone process for service control
dhcp: fixed and improved writing of dynamic DNS configuration
ports: python 2.7.11_3 [2], unbound 1.5.9 [3], curl 7.49.1 [4], openssl 1.0.2_14 [5], sudo 1.8.17p1 [6], php 5.6.23 [7], pcre 8.39 [8], haproxy 1.6.6 [9]
src: tzdata updated to 2016e [10]
src: fix pf fragment timeout [11]
16.1.17 (June 15, 2016)
Today we offer complementary improvements and fixes to your swinging installation in the hopes that they will make your daily experience even better, rounded off with a pinch of SSL crypto updates.
In other news, we are getting ready for a first 16.7 release candidate after having finished the full work on the FreeBSD 10.3 base system including the addition of HardenedBSD’s ASLR. More on this next week.
Here is the change log for 16.1.17:
ports: isc-dhcp-server 4.3.4 [1], syslogd 10.3, libressl 2.3.6 [2], openssl 1.0.2_13 [3]
system: fix OTP QR code link to amend the first request
system: allow to override TRIM apply at boot time via /etc/fstab [4]
dashboard: fix OpenVPN test data display
dashboard: gateway widget style updated
interfaces: allow debug option for dhcp6 client
interfaces: allow to delete WAN as well
interfaces: properly restart the respective proxy ARP daemon
firewall: fixed HTML errors in NAT edit page
services: fixed unbound custom option handling
services: allow RA send behaviour to be configured
services: show correct dynamic DNS type when editing an existing entry
openvpn: bring back authentication method selector
openvpn: create interfaces at boot time and even when disabled
power: separate menu for power off and reboot functions
intrusion detection: allow to drop/reset log files
plugins: can now create local logging sockets for chroot environments
plugins: new HAProxy version 1.3 with assorted fixes (contributed by Frank Wall and Manus Freedom)
lang: major updates for Russian (contributed by Smart-Soft)
lang: assorted translation fixes (contributed by Fabian Franz)
lang: minor updates to Chinese, German and French
16.1.16 (June 06, 2016)
It has been a long journey for HardenedBSD and OPNsense, and finally the paths start to merge as the splendid and battle-proven ASLR implementation gets incorporated into the default installation! It is just the beginning as we will start to leverage the extra security by enabling position independent execution in 16.7 and merge more security-related features. We thank again the HardenedBSD team for their continued efforts on making this world a safer place.
In other news, there is a thoroughly revamped dashboard for you to enjoy and a handful of security fixes in FreeBSD and the ports ecosystem. LibreSSL has been updated to the latest production release and the BETA version is progressing nicely as we change our working mode from “rework all the things” to “polish all the things”. A release candidate is coming up soon.
Here are the patch notes for 16.1.16:
src: merged and enabled HardenedBSD’s ASLR implementation [1]
src: kernel stack disclosure in Linux compatibility layer [2]
src: kernel stack disclosure in 4.3BSD compatibility layer [3]
src: directory traversal in cpio [4]
ports: libressl 2.3.5 [5], phalcon 2.0.13 [6], dnsmasq 2.76 [7]
ports: apinger 0.7 [8], curl 7.49 [9], bind 9.10.4-p1 [10]
ports: php 5.6.22 [11], sqlite 3.13.0 [12], ntp 4.2.8p8 [13]
dashboard: movable widgets, multi-column support and improved look and feel
system: improved CSRF handling
system: allow far gateway support for non-subnet gateways
system: fix null routes add / delete
system: user/group privilege selection improvements
system: fix missing cron job for GUI lock / expire
firmware: adds opnsense-patch tool for simple upstream repo patch apply
dns resolver: fix AAAA record save
dns forwarder: add custom port option for domain overrides
firewall: for us bogons do not extend to private networks
firewall: fix schedule clone when in use
interfaces: remove explicit ath(4) long distance support
interfaces: removed SVG traffic graphs in favour of modern replacements
captive portal: allow to drop all expired vouchers
cron: fix parameter ignore
layout: “Stacked-to-horizontal” emulation for mobile view
layout: consistent tooltip button placement
layout: fix footer on small screen size
plugins: fix HAProxy X-Forwarded-For header option
And here is the change log for 16.7 BETA:
interfaces: interface-based plugin system used by OpenVPN and IPSec
interfaces: removed complex PPPoE reset handling by optional cron job
plugins: allow local socket in chroot’ed services
plugins: removed L2TP, PPTP and PPPoE servers from core
firmware: allow resume for update page
firmware: dump / restore package database on shutdown / boot
firewall: removed proxy NAT reflection mode
firewall: properly start/stop proxy ARP daemons
firewall: implement flexible scrub / normalisation config pages to zap hidden scrubbing code
firewall: removed “match” action from floating rules, no FreeBSD support
firewall: removed negate rules that would magically prevent load-balancing VPN links
system: migrated new cron handling to do privilege separation where possible
system: better branding support for boot loader on package install / remove
system: remove single forward GUI item for RFC 2893, can be set in NAT just as well
router advertisements: allow to set mode and min / max intervals
16.1.15 (May 25, 2016)
We are dropping in for a quick update bundling assorted fixes and general improvements throughout the code. Not much to add this week, see for yourselves…
Do not forget that ASLR is coming next week. :)
Here are the full patch notes for 16.1.15:
system: make authentication fallback configurable
system: settings cleanup and prettify
system: added explicit ETC timezone selection
high availability: add page for remote service control
high availability: properly enforce authentication
firmware: reboot and poweroff API actions
firmware: only kill GUI process, not captive portal
firmware: show errors in update window
firmware: keep polling for progress even when GUI restarts
backend: skip failing templates on bootup
trust: fix CA certificate count in overview
trust: allow key size up to 8192 bits
firewall: fix invalid NPT rule generation
firewall: speed up filter log pages
firewall: do not allow to change virtual IP mode after creation
firewall: moved settings page and rearranged settings accordingly
interfaces: unhook all but the last custom PHP module functions
interfaces: moved settings page and rearranged settings accordingly
dhcp: do not override RA settings after save
dns: resolver outgoing interface section moved to advanced as it will break setups with dynamic interfaces selected there
load balancer: sticky mode from firewall / system split off as separate setting
snmp: do not allow unicode in system location
intrusion detection: remove deprecated rbn-malvertisers.rules set
intrusion detection: add promiscuous mode / physical interface selection
overall: fix menu width on small size screens
overall: numerous translation fixes (contributed by Frederic Lietart)
overall: numerous translation fixes (contributed by Fabian Franz)
plugins: assorted bugfixes for HAProxy (contributed by Frank Wall)
mvc: fix translations by adding an escaping wrapper
And here are the patch notes for 16.7 BETA:
system: reworked the user / group manager privilege selection
firewall: IPv6 outbound NAT rework
interfaces: allow debug mode for DHCPv6 client
interfaces: remove ath(4) long distance helpers
dns: add custom port option for domain overrides
gateways/routes: fix for far gateway setups
overall: add stacked-to-horizontal feature for input forms
Stay safe, Your OPNsense team
16.1.14 (May 18, 2016)
It is time for something new. How about an update with your new NetFlow remote export. Or your local reporting frontend? Well, you can always use both if you like. Read all about it here:
https://docs.opnsense.org/manual/netflow.html
Furthermore, we have added the brand new AQM CoDel version 0.2.1 to the mix, yesterday’s FreeBSD security advisories, released the HAProxy plugin, bundled a full Japanese translation. And two-factor authentication support for our components? Yes, we also have that now. :)
There is also a refreshed website for our general viewing pleasure. Let us know what you think or what it is missing.
And now, here is the full change log for 16.1.14:
src: tzdata updated to 2014d [1]
src: dummynet AQM updated to 0.2.1 [2]
src: fix multiple OpenSSL vulnerabilities [3]
src: fix excessive latency in x86 IPI delivery [4]
src: fix memory leak in ZFS [5]
src: fix buffer overflow in keyboard driver [6]
src: fix incorrect argument handling in sendmsg [7]
ports: sqlite 3.12.2 [8], openvpn 2.3.11 [9], squid 3.5.19 [10]
plugins: HAProxy plugin version 1.0 (contributed by Frank Wall)
lang: Japanese 100% completed
lang: updates for French and German
interfaces: removed polling support
interfaces: allow subnet size of 31 bits
high availability: can now sync DNS resolver configuration
cron: reworked job registration
system: do not unload cryptodev to prevent panics when used by OpenVPN
system: user expiration date edit now has a fancy date picker
system: add RFC 6238 (TOTP) support for two-factor authentication
reporting: added local NetFlow reporting frontend [11]
reporting: added remote NetFlow exporter for multiple sources [12]
firewall: fixed schedule cloning
services: lower intervals for router advertisement messages
And this is the change log for 16.7 BETA:
firmware: assorted improvements for error reporting and smooth operation
firmware: partial fix for Nano update issues when RAM is too small
intrusion detection: promiscuous interface mode for better VLAN operation
gateways/routes: support for gateways outside of the interface subnet
routes: fixed null routes / blackholes
interfaces: SVG traffic graphs replaced by modern alternative
dashboard: finished the rework, ready for general testing
firewall: removed the need for custom kernel patches for schedules
lang: numerous improvements (contributed by Fabian Franz)
16.1.13 (May 04, 2016)
Ever so swiftly we are adopting the OpenSSL and LibreSSL updates and welcome the cooperation between both projects on this one. Way to go guys!
In other news, NTP and Bind were updated to their latest versions. The gateway monitoring tool Apinger can now properly handle NTP taking over time from time to time. Er, anyway, language packs will become pluggable in the long run and the MVC work for the HAProxy plugin is now completely bundled with the release. Plugin release is currently scheduled for 16.1.14.
Here is the full change log for 16.1.13:
ports: ntp 4.2.8p7 [1], bind 9.10.4 [2], php 5.6.21 [3], libressl 2.2.7 [4], openssl 1.0.2h [5]
languages: newly packaged translations with latest updates
gateways: apinger monitoring quality is no longer affected by NTP operation
backend: lowered configd connection timeout for better response time when unavailable
backend: plugged numerous minor crash reports caused by configd
backup: reworked backup strategies for RRD and DHCP leases
interfaces: allow bridges with at least one member
rc: defer recover for packages to avoid database duplication
intrusion detection: added an eicar test ruleset
intrusion detection: fixed sort order of rulesets
captive portal: properly catch exception for accounting background job
firewall: annotate deprecated ICMP types in rule filter selection
firewall: direction arrows in rule overview now have different colours for easier distinction
gui: correct HTML escaping in MVC between client-side JavaScript and server-side API
gui: various improvements in MVC components required for upcoming HAProxy plugin
gui: enable tooltips in MVC base template
gui: set HTTP-only cookie
And here is what changed in 16.7 Beta:
dashboard: selectable multi-column count
dashboard: half-way through widget modernisation
dashboard: brought back drag and drop for widget reordering
dashboard: new pluggable API backend for widgets
languages: added first steps for Turkish
backend: removed legacy PHP module for interface information collection
gui: improve and streamline CSRF protection
netflow: fixed bug with reporting frontend in Safari
16.1.12 (April 27, 2016)
How are you doing? We have been doing fine, trying new things, moving on further… The progress for our upcoming version 16.7 now accumulates to 3 full months. To that end we are making the transition from ALPHA to BETA on the 16.7 development series. And since we have been asked to incorporate development change logs as well, look no further (well, look below).
Anyway, 16.1.12 brings a handful of anticipated additions like FreeBSD’s package manager version 1.7.2 and the ability to use CoDel / FQ-Codel in the traffic shaper. We have also started to move services to the plugin framework instead of having them in the base installation. And, maybe as a last point, initial work for fixing the trusty apinger utility for gateway monitoring has surfaced.
Here is the full change log for 16.1.12:
ports: pkg 1.7.2 [1] [2] [3], sqlite 3.12.1 [4], squid 3.5.17 [5]
firewall: skip anti-lockout WAN rule when only LAN is connected
firewall: clean up unused alias tables
firewall: improve alias usage validation
firewall: validate / transform url content before save
traffic shaper: add Codel / FQ-CoDel support [6]
firmware: changed “halt” to “power off”
firmware: advertise current product and os version in API
firmware: kernel and base fetch will now advertise download progress
interfaces: translation fixes (contributed by Fabian Franz)
system: fix RRD boot error for CPU temperature graph
gateways: code modernisation for the trusty apinger utility
ipsec: added service control to log page
captive portal: cleanse cert output before write
proxy: cleanse cert output before write
proxy: do not stop authenticating after an empty string
proxy: added log page to ACL
proxy: remove auth local database as default
smart: removed from base, can be installed as plugin “os-smart”
And this is the change log for 16.7 BETA:
netflow: finished exporter capable of sending NetFlow to multiple remote destinations
netflow: finished local reporting frontend on top of collected NetFlow data
interfaces: polling mode has been deprecated and will be phased out soon
vpn: L2TP, PPTP and PPPoE servers have been ported to use MPD5
vpn: legacy servers have been prepared to be moved from base install to plugins
cron: code preparations for opening up the MVC cron API
tests: added a unit test framework and several tests
backup: reworked the RRD and DHCP leases backup strategies
backup: added the ability to also backup local NetFlow data
plugins: added the HAProxy plugin (contributed by Frank Wall)
kernel: CoDel / FQ-CoDel AQM patch version 0.2
kernel: HardenedBSD’s ASLR
languages: translations have their own repository and package now
languages: updated Dutch, French, German, Japanese, Russian
languages: can now collect strings from all plugins
languages: first steps for Portuguese
16.1.11 (April 18, 2016)
We are skipping a bit ahead with 16.1.11 to address a CSRF vulnerability, which outlines the path we have been on since we started [1] and we will surely continue this security-aware trend.
In other news, this update includes native GeoIP alias support, captive portal voucher customisations requested by many and the last batch of Russian, effectively bringing it to 100% completed. Wow!
Here is the full change log:
services: fix CSRF vulnerability in status_services.php [2]
www: strengthen CSRF secret generation for legacy pages
dhcp: bring back usage of the authoritative directive
system: allow periodic backups of RRD and DHCP for non-MFS
openvpn: status page would not show the correct process status
captive portal: add option for less secure passwords, password and username length
firewall: add GeoIP aliases feature
languages: completed Russian translation (contributed by Smart-Soft)
languages: updated French
16.1.10 (April 14, 2016)
It has been a quite uneventful week. Suricata and Squid have been upgraded to their latest versions and you can find their individual change logs below. The next part of the Russian translation brings it to number one with a dreamy 83% completed. Otherwise only small fixes and improvements have been made and those will not even require a reboot.
Here is the full list of changes:
traffic shaper: added individual tabs to quick navigation
traffic shaper: fix behaviour on pppoe devices
openvpn: revive windows installer binaries
firewall: validate alias url download
system: improved config history and backup pages layout
system: increased backup count default from 30 to 60
system: moved several settings to different pages for better technology alignment
system: /var /tmp MFS awareness for crash dumps added
trust: add “IP security IKE intermediate” to server key usage
firmware: moved reboot, halt and defaults pages to new home
proxy: add redirection rule creation link for HTTPS proxy (contributed by Fabian Franz)
pptp: prevent service from printing boot messages due to a stale entry in the default config.xml
interfaces: show LAGG protocol in overview page
languages: another large batch of Russian, now 83% complete (contributed by Smart-Soft)
languages: updated French, German and Japanese
16.1.9 (April 08, 2016)
We expect all of you are doing well? It has been a longer while since the last update so 16.1.9 has got a bit of everything to keep the spirits high. :)
There is tremendous progress in the translations. It just so happens that we now have a comprehensive Russian translation as well which is going to be completed in the upcoming weeks. Many thanks to Smart-Soft for making this happen. The contender is Japanese through the work of Chie Taguchi, who did most of the translation that we have had for a year. It is going to be a close race to the finish line for both languages. Then again, the whole translation team is doing an amazing job.
As polarising as it may be, we have added HTTPS support in the proxy server. Another noteworthy item is StrongSwan 5.4.0, which helps to address IPSec status page hangs that some have observed with complex setups. We are looking for feedback for these items, please do write in.
Here are the full patch notes:
src: tzdata updated to 2016c [1]
src: prevent kernel panic on ipfw/dummynet module unload
src: let ng_ether_attach() only attach to supported types to avoid kernel panics
ports: curl 7.48.0 [2], strongswan 5.4.0 [3], pcre 8.38 (patched CVE-2016-1283) [4], php 5.6.20 [5]
languages: added Russian to the release, now 60% complete (contributed by Smart-Soft)
languages: updated Japanese, now 70% complete (contributed by Chie Taguchi)
languages: updated German, now 81% complete
languages: updated French, now 50% complete
firewall: allow editing of up to 5000 aliases
firewall: remove link to associated filter rule edit as edit is not allowed
firewall: add port range check to aliases edit
firewall: when alias URL SSL verification is off, do not verify the hostname either
firewall: condense alias pages into a single view
firewall: remember scrolling position to return to the previous position after edit
firewall: alias import now supports type selection (network and host types)
firmware: added German-based mirror (contributed by Alexander Lauster)
system: load modules before setting tunables to support settings for modules
system: fix boot issue that prevented SSH from starting up in some instances
interface: do not show wireless parents on the assignment page as they cannot be assigned
ipsec: individual collapse/expand for status page
dhcp: allow backwards-compatibility with imported configs
captive portal: fix missing busyTimeout on voucher database access
openvpn: remember scrolling position to return to the previous position after edit
proxy: HTTPS support added
proxy: added ability to change the hostname and admin email (contributed by Frederic Lietart)
proxy: avoid race condition on cache dir creation (contributed by Frederic Lietart)
development: allow hiding of menu entries using the Visibility="delete" attribute
16.1.8 (May 23, 2016)
This quick 16.1.8 is not a big update, but it means a lot. We have finished our full sweep of the GUI to update the look and feel of all pages and made the code ready for what is to come now: new features that are on our roadmap for 16.7. The first one will be the HTTPS proxy, but there is also NetFlow and improved statistics / reporting on the shortlist.
A day after 16.1.7 was out last week, FreeBSD 10.2-RELEASE-p14 was announced. Of the four patches enclosed, the two Hyper-V patches we have already brought to OPNsense over a month ago, the OpenSSH patch does not apply since we only use the port and already had it up-to-date. That leaves us with only one patch that we are shipping now to complete the experience.
Attention to everyone using OpenVPN + cryptodev acceleration: the cryptodev module along with older crypto drivers has been removed from the kernel itself, which means that if you need to keep using it, go to System: Settings: Misc and reconfigure your crypto hardware including an enable of cryptodev usage.
The refreshed images for 16.1 (based on 16.1.8) have been pushed to the mirrors. You can find the checksums attached at the end of this announcement.
https://opnsense.org/download/
Here are the full patch notes:
src: updated tzdata to version 2016b [1]
src: fix incorrect argument validation in sysarch [2]
src: fix pfi_table_update: cannot set new addresses
src: added APU2 temperature sensor support
proxy: better matching for overlapping URLs
universal plug and play: refactored pages for improved look and feel
vpn: refactored L2TP and PPTP pages for improved look and feel
openvpn: fix missed configure stage for Peer to Peer (TLS/SSL) mode
system: reworked the behaviour of thermal and crypto modules
firewall: tweaked a few rule indicator icons to improve clarity
firewall: improved alias validation on edit
interfaces: also add previous DHCP override fixes for IPv6
language: updated French and German
16.1.7 (March 16, 2016)
Time for a quick update! We are still polishing our non-MVC GUI pages to match the modern style of the MVC equivalents and fix a few minor bugs along the way. In these matters, we ask for your participation in critically reviewing the changes below in order to catch remaining issues as soon as possible. We expect to finish our full code sweep next week. After that we will shift focus to work on new features.
The upgrades from 15.7.25 to 16.1.x briefly stalled with 16.1.6 due to a dormant incompatibility in the FreeBSD package management tool after flipping from 10.1 to 10.2, so we went ahead and made it all better. More precaution in our own update tools will hopefully prevent such unwanted breakage in the future, but we understand that these things can slip through. :)
New images are on the way shortly after 16.1.8. We are also introducing the new “opnsense-stable” firmware path and some cool upgrade features for our brave testers. More explanations will follow soon.
Here are the full patch notes:
ports: pecl-radius 1.3.0 [1], bind 9.10.3-P4 [2], bsnmp-ucd 0.4.2 [3], openssh 7.2p2 [4], sqlite 3.11.1 [5]
captive portal: add session timeout to status info
firewall: fix non-report of errors when filter reload errors could not be parsed
pppoe server: make service control buttons work with multiple instances
wake on lan: reworked pages for a polished look and feel
load balancer: reworked pages for a polished look and feel
dashboard: better colouring for widget status bars
dns filter: reworked page for a polished look and feel
dns rfc2136: reworked pages for a polished look and feel
igmp proxy: reworked pages for a polished look and feel
system: routes diagnostics page ported to MVC
proxy: adjust category visibility as not all of them were shown before
firmware: fix an overzealous upgrade run when the package tool only changes options
firmware: fixed the binary upgrade patch from 15.7.x in FreeBSD’s package tool
network time: reworked pages for a polished look and feel
system: removed NTP settings from general settings
snmp: refactored page for a polished look and feel
access: let only root access status.php as it leaks too much info
development: remove the automount features
development: added in-place package upgrades using the upstream repository
development: addition of “opnsense-stable” package on our way to nightly builds
development: opnsense-update can now install locally available base and kernel sets
16.1.6 (March 09, 2016)
It is update time! This time around, DHCP and DNS have been freshened up thoroughly, removing both potential and real problems from the GUI and underneath. Additionally, the proxy server gained ICAP support and a category-based remote block list selection.
Our firmware mirror support has finally been extended so that it is now possible to pull all updates from a single mirror, which will very soon make it possible to run a local mirror for your internal installations. We are also shipping the original FreeBSD OpenSSL patch, although the security issues cannot surface on OPNsense. We just like to be thorough.
Here are the full patch notes:
src: Fix multiple vulnerabilities of OpenSSL [1]
src: update tzdata to 2016a [2]
ports: openssh 7.2p1 [3], isc-dhcp-43 4.3.3P1_1 [4], php 5.6.19 [5], curl 7.41.1 [6]
firmware: mirror selection has been widened to include kernel/base upgrades
firmware: bootstrap utility can now directly install e.g. the development version
dhcp: all GUI pages have been reworked for a polished look and feel
proxy: added category-based remote file support if compressed file contains multiple files
proxy: added ICAP support (contributed by Fabian Franz)
proxy: hook up the transparent FTP proxy
proxy: add intercept on IPv6 for FTP and HTTP proxy options
logging: syslog facilities, like services, are now fully pluggable
vpn: stripped an invalid PPTP server configuration from the standard configuration
vpn: converted to pluggable syslog, menu and ACL
dyndns: all GUI pages have been reworked for a polished look and feel
dyndns: widget now shows IPv6 entries too
dns forwarder: all GUI pages have been reworked for a polished look and feel
dns resolver: all GUI pages have been reworked for a polished look and feel
dns resolver: rewrote the dhcp lease registration hooks
dns resolver: allow parallel operation on non-standard port when dns forwarder is running as well
firewall: hide outbound nat rule input for “interface address” option and toggle bitmask correctly
interfaces: fix problem when VLAN tags weren’t generated properly
interfaces: improve interface capability reconfigure
ipsec: fix service restart behaviour from GUI
captive portal: add missing chain in certificate generation
configd: improve recovery and reload behaviour
load balancer: reordered menu entries for clarity
ntp: reordered menu entries for clarity
traffic shaper: fix mismatch for direction + dual interfaces setup
languages: updated German and French
16.1.5 (March 02, 2016)
It pleases us to say that although we ship the latest OpenSSL 1.0.2g today, we have had both SSLv2 and SSLv3 support disabled in our installation for a long while, so older installations are also not affected by yesterday’s announcement. On a slightly related note, LibreSSL was not affected at all.
With that out of the way, we also happily let you know that we are shipping RFC 4638 support with this stable release. We also push a fix for an upstream bug in Unbound and update Squid to the latest version… again. ;)
We have also announced the roadmap for 16.7. Take a look at our upcoming milestones:
https://opnsense.org/about/road-map/
And now, here are the full patch notes:
ports: squid 3.5.15 [1], unbound 1.5.7 hotfix [2], pkg 1.6.4 hotfix [3], openssl 1.0.2g [4]
services: infrastructure rework for plugin additions
openvpn: added copy/move to client-specific overrides
openvpn: allow binding client-specific overrides to specific server(s)
openvpn: service on/off toggle via overview pages
openvpn: fix problem with service status display
openvpn: when services are disabled, make sure a reconfigure will always stop the associated process
vpn: transform PPTP, L2TP and PPPoE servers to plugin addition to be removed from base install for 16.7
vpn: add proper service probing for PPTP, L2TP and PPPoE servers
interfaces: added RFC 4638 support (MTU > 1492 in PPPoE)
ntp: disable when no servers are set
language: updates for Chinese, French and German
16.1.4 (February 24, 2016)
We pop in for a short stable update, namely 16.1.4. Squid has been updated to 3.5.14 and received a GUI entry for maximum_object_size to define since the default has been reported as a wee bit too small.
In other news, the final roadmap for 16.7 will be unveiled later this week after much internal discussion. Our main goals are to finish a full code audit, further alignment with FreeBSD and a few tiny surprises. Stay tuned for those. :)
Here are the full patch notes:
ports: squid 3.5.14 [1]
dhcp: fix menu expand with IPv6 configuration
captive portal: fix database timeout lock message
interfaces: fix expand/collapse on status page for Edge
proxy: add maximum_object_size setting for squid
load balancer: improve filter reload to prevent traffic lockout (contributed by Frank Wall)
layout: fix searchable dropdown truncation with IE
firewall: fix action buttons on alias edit
menu: updated help menu entries
16.1.3 (February 17, 2016)
It is time for a smaller update to 16.1.3. There is another fix for our Hyper-V users, the health section finally received its CPU temperature graph and a few ports have been updated to their latest version. Nothing of particular interest happened, no issues with glibc from our side today. :)
A number of assorted issues have been flushed from the code thanks to good use of the crash reporter. A special thank you goes to those of you who submit email addresses and a brief description along with the report. For us it is tremendously useful to get as many details as possible and to verify that our fixes work reliably in particular use cases before shipping them.
Enough with the announcing already, here are the full patch notes:
src: hyperv/kvp: wake up the daemon if it is sleeping due to poll() [1]
src: Use correct src/dst ports when removing states in pf [2]
src: finish the boot loader branding by adding a shiny logo
ports: unbound 1.5.7 [3], openldap 2.4.44 [4], ca_root_nss 3.22, php 5.7.18 [5], phalcon 2.0.10 [6], pkg 1.6.4 [7] [8]
interfaces: collapsible overview for each interface
shaper: fix issue with model when not able to save an old config
health: added pages to ACL for configurable user access
health: record system CPU temperature in additional graph
firmware: add UK-based mirror (contributed by Will Jones)
access: force a visible and non-critical page on non-access redirect
access: make sure “/” is handled like “/index.php”
configuration: add a number of previously missing config sections for selection on restore/backup
firewall: bring back alias nesting
dhcp: add missing DNS resolver awareness
dhcp: fix multiple minor crash reports
radvd: add missing DNS resolver awareness
captive portal: ensure MAC address is saved in lowercase and improve validation
captive portal: fix unicode issue in template generation
captive portal: correct syslog redirection regression
crash reporter: limit log size upload to 1MB
cron: fix validation of hour value
intrusion detection: show origin link of rule sets in details
services: add background daemon to known services for easy reload
services: add captive portal to known services for easy reload
services: improve redirect on service reload in diagnostics page
16.1.2 (February 05, 2016)
It is time for a swift update for our dear Hyper-V users. There is a packet forwarding regression in FreeBSD 10.2 that has not been added as errata yet, so we had to pin it down with the help of three brave testers. If you happen to want to run Hyper-V without going through the issue, install from an older 15.7 image and upgrade directly to avoid the bad version.
To improve upon Suricata 3.0 and the SSL fingerprint lists, we are now enabling users to add user-defined rules for adding and enforcing their own fingerprints. But wait, that is not all. On top of that, the IP geolocation feature was added while we were at it. :)
Otherwise, only smaller bugs have been addressed to make 16.1 look even shinier. The FreeBSD security advisory for OpenSSL got integrated too, but is not of much concern since we consistently use the ports version for our components. The important fixes have been shipped with version 16.1.1 back on Monday.
Here are the full patch notes:
src: OpenSSL SSLv2 ciphersuite downgrade vulnerability [1]
src: Fix packet forwarding in Hyper-V netvsc driver [2]
src: Honour disabled pf(4) log flag on dropped packets with IP options [3]
wizard: fix certificate generation for OpenVPN
firewall: fix interface selection on post issues in floating rules
firewall: make category filter multi-select for maximum convenience
firewall: do not hide gateways from the gateway selection
firewall: added null routes to the gateway selection
firewall: rather than hiding associated nat rules, remove their edit and clone buttons so they can still be deleted manually
dns resolver: fix $numprocs setting in config according to manual
dns resolver: do not render illegal output for empty IPv6 addresses
dhcp: applying static mappings with DNS resolver enabled no longer seems stuck in apply step
search: resize box on focus and also propagate proxy server tabs
system: fix inversion bug of the default pass logging setting
captive portal: properly log messages to associated log file
intrusion detection: can now add user rules based on SSL fingerprints and IP geolocation
16.1.1 (February 02, 2016)
Today we are following up on the OpenSSL advisories. LibreSSL was not affected (surprise, surprise), but received a tiny fix to sync up with the deprecation of the high-severity SSL_OP_SINGLE_DH_USE option of its sibling.
In other news, we are shipping a few minor fixes along with all-new SSL-centric rulesets for the intrusion prevention courtesy of abuse.ch [3]. Protect your assets, they are worth it!
Without fuzz, here are the full patch notes:
intrusion prevention: add SSL fingerprint blacklist and other abuse lists (courtesy of abuse.ch [3])
captive portal: limit the max vouchers per call
captive portal: change voucher download filename to match group name
captive portal: strip bad characters from group name
captive portal: fix multiple voucher generation
firewall: add rule categorisation tag field
search: tweak padding to align with right visual border
console: fix halt script to show product name again
firmware: revoked the old 15.7 update fingerprint
interfaces: fix VLAN edit page to show the correct page name
squid: fix authentication script permission regression
dashboard: remove non-authoritative hardware crypto probing
system: do not accept an authentication server with an empty name
system: added hint that device polling setting needs reboot (contributed by Olivier Paroz)
system: assorted translation fixes (contributed by Fabian Franz)
logging: unhide IGMP packets from firewall log view (contributed by Isaac Levy)
16.1 (January 28, 2016)
All images have been pushed as well, although they may take a bit more time to reach a mirror near you. You can find the checksums attached at the end of this announcement.
https://opnsense.org/download/
Finally, here are the full patch notes:
src: FreeBSD 10.2-RELEASE-p11 [4]
bootstrap: can now update from any available FreeBSD 10 release
ports: libarchive 3.1.2_6 [5], Suricata 3.0 [6], squid 3.5.13 [7], bind 9.10.3P3 [8], sqlite 3.10.2 [9], ntp 4.2.8p6 [10]
firewall: lock source / destination port settings when neither TCP nor UDP is selected
firewall: simplify the outbound page to hide unwanted items and zap complicated explanations (contributed by Manuel Faux)
firewall: do not leak floating rules into other interface tabs
firewall: add clear button to all log file types
firewall: hide NAT rules from normal rules screen
firewall: removed the unsupported dscp rule option
firewall: display alias descriptions as tooltips (contributed by Manuel Faux)
universal plug and play: switch to secure mode as the new default
unbound: add MX entries to host overrides (contributed by Manuel Faux)
gateways: always save the monitor IP regardless of monitoring being on or off
gateways: properly add and remove routes for monitors on toggle
backend: fix harmless error message caused by a sample template
high availability: allow specification of a different port for synchronisation
high availability: special characters are now being properly preserved
high availability: added new captive portal and traffic shaper as sync options
high availability: reworked and pruned the client synchronisation
firmware: optional php extensions now peacefully coexist with preinstalled extensions
firmware: update plugin list on refresh to reveal available plugin list
intrusion detection: adds intrusion prevention mode for netmap(4) devices (must disable Hardware CRC manually)
captive portal: completely rewritten on top of our new components
proxy: hook up remote ACL settings to translation engine (contributed by Fabian Franz)
proxy: add support for compressed ACLs (.gz, .tar.gz, .tgz, .zip)
proxy: fix toggle for storage log
ipsec: improve display of tunnel overview
openvpn: provide full ca chain on client export (contributed by Manuel Faux)
openvpn: fix engine detection for LibreSSL
layout: all tooltips and icons of action buttons have been updated for proper look and feel (contributed by Manuel Faux)
layout: added the infamous quick navigation feature
layout: consolidated the display of the upper right corner as “user@host.domain”
interfaces: reworked all the pages for proper look and feel
interfaces: ARP and NDP tables have been rewritten and now properly show vendor info
login: improved look and feel
dashboard: rss widget has been reworked and its library has been updated to a new version
config: recover last backup automatically on broken xml
menu: properly aligned submenu icons
system: removed XDebug package from the default installation
We thank all our contributors and users for their ongoing love and support. <3