18.7 “Happy Hippo” Series¶

For 3 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

Another 6 months passed by ever so quickly! The main goal for 18.7, nicknamed “Happy Hippo”, is stability so we have not yet begun to adopt FreeBSD 11.2, but there are several of its Intel NIC driver updates included to bridge the gap until 19.1 comes out. The upgrade also includes a tremendous amount of IPv6 improvements including 6RD support as well as authentication and backup framework consolidation. Please also take note that QinQ is no longer included in this release.

These are the most prominent changes since version 18.1:

improved WAN DHCPv6 and SLAAC connectivity and tracking
functional IPv6 Rapid Deployment (6RD) support
improved default route handling and gateway switching
OpenVPN default setup improvements for IPv6 and RADIUS attribute support
Dpinger gateway monitoring integration
password policies for local authentication and coupled TOTP
Monit core integration to eventually replace the legacy notifications
OpenSSH access via group and shell selection instead of privilege
pluggable backup framework with new Nextcloud option
sytem tunables are now also used as loader tunables
unrestricted VLAN usage for e.g. Xen
QinQ interface removal
firmware GUI speedup, improved error parsing and console reboot hint
ZFS on root boot support (installer support is pending, but opnsense-bootstrap works)
ZFS and MSDOS config import support
ISC DHCP version moves from 4.3 to 4.4
RRDtool version moves from 1.2 to 1.7
rework rc.syshook facility to use drop-in directories instead of suffixes
backports of FreeBSD 11.2 Intel NIC drivers
stand-alone frontend UI development tools
language updates for Czech, French, German, Portuguese (Brazil)
UI header security and SSL cipher hardening
extensive UI cleanups and menu consolidation
new and rewritten plugins: os-cache, os-lcdproc-sdeclcd, os-net-snmp, os-nut, os-openconnect, os-relayd 2.0, os-shadowsocks, os-theme-cicada, os-theme-rebellion, os-theme-tukan, os-wol 2.0

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

Europe: https://opnsense.c0urier.net/releases/18.7/
US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/18.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/18.7/
South America: http://mirror.upb.edu.co/opnsense/releases/18.7/
South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/18.7/
Full mirror list: https://opnsense.org/download/

18.7.10 (January 07, 2019)¶

2019 means 19.1 is almost here. In the meantime accept this small incremental update with goodies such as Suricata 4.1, custom passwords for P12 certificate export as well as fresh fixes in the FreeBSD base.

A lot of cleanups went into this update to make sure there will be a smooth transition to 19.1-RC for you early birds. We expect RC1 in 1-2 weeks and the final 19.1 on January 31.

Here are the full patch notes:

system: P12 certificate export now allows to specify a password
system: allow plain IPv6 for LDAP and RADIUS host
system: properly sort columns with size units in activity page
system: remove references to “automatic” in HA help texts
system: add option to only show temperature of one core in widget
system: speed up isArraySequential()
system: introduce configdp_run() variant
system: assorted code cleanups
interfaces: only show name servers offered by individual link in status page
interfaces: DUID-LL generator fix (contributed by Team Rebellion)
interfaces: show disabled and virtual interfaces in groups
interfaces: change wireless page interface iterators
interfaces: change LAGG page interface iterators
interfaces: remove unused get_dns_servers()
interfaces: assorted code cleanups
firewall: fix an exception error in alias config read
firewall: fix typo in outbound NAT destination help text
firewall: rename “Localhost” to “Loopback” for clarity in virtual IP pages
firewall: unify anti-lockout behaviour to match rules and GUI display
firewall: switch to tokenizer for shaper source and destination fields
firewall: fix alias utility issue when adding into empty alias
firewall: correct alias name limit to 31 characters
firewall: bring back auto-complete for nested aliases
firewall: NAT rules on reflection for port forwards only when address exists on interface
firewall: lower bogon download retry attempts to 3
firewall: schedule JS code update
captive portal: add setting to always send accounting requests
captive portal: assorted code cleanups
dhcp: DHCPv6 leases not always correctly displayed (contributed by Team Rebellion)
dhcp: override IPv6 PD range fix (contributed by Team Rebellion)
dhcp: switch subnet verification to new network interface retrieval
firmware: individual error messages during base and kernel installation
firmware: obsolete set usage has been removed, embedded into base set
firmware: always recalculate size returned in the GUI and use pkg-style units
firmware: migrate more scripting to opnsense-version
firmware: remove defunct dataroute mirror
importer: make current zpool visible, but immune to import
installer: find all possible configs and include them for startup
intrusion detection: change default alert level to notice
openvpn: allow empty remote subnet in client
openvpn: use new network interface retrieval
openvpn: assorted code cleanups
unbound: always add global DNS servers in forwarding mode
unbound: restart when crashed even if request came from unassociated interface
wizard: sync bogon help text with interfaces GUI counterparts
wizard: hint at updates after completion
wizard: assorted code cleanups
mvc: harden setFormData()
plugins: os-api-backup 1.0 allows API access to config.xml (contributed by Fabian Franz)
plugins: os-bind 1.4 [1] (contributed by Michael Muenz)
plugins: os-clamav fixes /var MFS permission mismatch
plugins: os-dnscrypt-proxy 1.1 allows manual server selection (contributed by Michael Muenz)
plugins: os-dyndns 1.1 fix for using apex domains with CloudFlare DDNS (contributed by Charles Ulrich)
plugins: os-frr 1.6 adds OSPF key ID and default route metric, BGP router ID, etc. (contributed by Michael Muenz and Fabian Franz)
plugins: os-haproxy 2.13 [2] (contributed by Frank Wall)
plugins: os-ntopng fixes HTTPS setup permission
plugins: os-openconnect 1.3.2 adds non-inter option, groups and client certificates, etc. (contributed by Diego Rivera and Michael Muenz)
plugins: os-postfix 1.8 [3] (contributed by Michael Muenz)
plugins: os-theme-cicada 1.12 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.11 (contributed by Team Rebellion)
plugins: os-upnp 1.3 allows up to 8 user permissions
src: bootpd buffer overflow [4]
src: kernel panic under load on Intel “Skylake” CPU [5]
src: ZFS vnode reclaim deadlock [6]
ports: curl 7.63.0 [7]
ports: libressl 2.7.5 [8]
ports: libxml 2.9.8 [9]
ports: phalcon 3.4.2 [10]
ports: suricata 4.1.2 [11] [12] [13]
ports: syslogd 11.2
ports: unbound 1.8.3 [14]

A hotfix release was issued as 18.7.10_3:

system: fix adding new route when the list was previously empty
openvpn: flip client remote networks back to multiple
unbound: do not switch off IPv6 when prefer IPv4 is set as Unbound always prefers IPv4

A hotfix release was issued as 18.7.10_4:

firmware: enable upgrade path to 19.1

18.7.9 (December 12, 2018)¶

To keep it snappy: enclosed are assorted updates and fixes, a new dnscrypt-proxy plugin as well as security updates from FreeBSD and third parties. Happy patch day!

Here are the full patch notes:

system: allow setting alternative names on CSR
system: add link-local routes with correct scope
system: fix LDAP import button for Firefox
system: assorted cleanups in HTML and PHP code
interfaces: add note about CGN addresses included in private range
interfaces: fix checksum disable for IPv6 TX / RX flags
interfaces: multiple type DUID support (contributed by Team Rebellion)
interfaces: properly read and write dhcp6c DUID binary file
interfaces: do not read VLAN capabilities from nonexistent interfaces
interfaces: removal of PEAR.inc from IPv6 address library
interfaces: assorted cleanups in HTML and PHP code
firewall: only suffix subnet alias entry when a network is expected
firewall: default alias protocol to both IPv4 and IPv6
firewall: fix validation of outbound NAT destination alias
firewall: fix performance regression in get_alias_description()
firewall: repair defunct “no nat proto carp all” rule
firewall: limit type to CARP when checking for VIP VHID reuse
firewall: refactor subnet retrieval in VIP deletion
firewall: display VHID for IP alias in overview
firewall: DHCPv6 outgoing firewall rule changed to “from (self)” to fix static setups
firewall: rearranged outbound NAT bottom symbol hints (contributed by Team Rebellion)
firewall: ignore empty values in alias migration (contributed by Frank Wall)
firewall: assorted cleanups in HTML and PHP code
captive portal: work around service boot ordering issue
captive portal: change “onestop” to “stop” in backend action
dnsmasq: add DNSSEC option
dnsmasq: assorted cleanups in HTML and PHP code
dhcp: show lease count in page heading
dhcp: refactor IPv6 subnet read
dhcp: fix DDNS IPv6 algorithm use
dhcp: assorted cleanups in HTML and PHP code
firmware: opnsense-version can now handle kernel, base and plugin metadata
firmware: when pkg needs to be updated do not prompt for base and kernel set
firmware: use embedded obsolete file list for removal on base set install
intrusion detection: fix daily cron job, was actually monthly
ipsec: assorted cleanups in HTML and PHP code
openvpn: assorted cleanups in HTML and PHP code
unbound: only use IPv6 when enabled and IPv4 is not preferred
unbound: restart after VPN is up
unbound: updated help text for verbosity level (contributed by Northguy)
unbound: assorted cleanups in HTML and PHP code
web proxy: move bump_step1 down (contributed by Michael Muenz)
mvc: missing isset() in routes migration
mvc: Phalcon 3.4.2 scope compatibility fix
mvc: assorted fixes in PHPDoc
mvc: fix advanced field bug in dialogs (contributed by Fabian Franz)
mvc: SetIfConstraint (contributed by Fabian Franz)
mvc: hidden input field (contributed by Fabian Franz)
mvc: json-data access support (contributed by Fabian Franz)
ui: remove markup from user indicator
ui: sidebar fixes (contributed by Team Rebellion)
plugins: os-acme-client 1.18 with GratisDNS and ACME DNS support (contributed by Frank Wall, ricobach, TuEye)
plugins: os-bind 1.3 adds Google and Yahoo safe search (contributed by Michael Muenz)
plugins: os-dnscrypt-proxy 1.0 (contributed by Michael Muenz)
plugins: os-freeradius 1.8.3 makes use of certificates clearer (contributed by Michael Muenz)
plugins: os-haproxy 2.12 HTTP/2 support, http-request before use_backend (contributed by Frank Wall, Mathias Aerts)
plugins: os-net-snmp 1.3 mark device as L3 enabled via SysServices (contributed by Michael Muenz)
plugins: os-nginx 1.5 with lots of new features [1] (contributed by Fabian Franz, Carlos Cesario, Julio Cesar Camargo, fzoske)
plugins: os-nut 1.4 adds listen directive and more flexible arguments (contributed by Michael Muenz)
plugins: os-postfix 1.7 adds address rewriting, sender/recipient BCC and domain masquerading (contributed by Michael Muenz)
plugins: os-theme-cicada 1.11 (contributed by Team Rebellion)
plugins: os-theme-rebellion 1.8.1 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.10 (contributed by Team Rebellion)
src: fix multiple vulnerabilities in NFS server code [2]
src: fix ICMP buffer underwrite [3]
src: timezone database information update [4]
src: fix deferred kernel loading breaks loader password [5]
src: fix insufficient bounds checking in bhyve(8) device model [6]
ports: lighttpd 1.4.52 [7]
ports: sqlite 3.26.0 [8]
ports: perl 5.26.3 [9]
ports: php 7.1.25 [10]
ports: hostapd / wpa_supplicant 2.7 [11]
ports: unbound 1.8.2 [12]

18.7.8 (November 22, 2018)¶

This stable update finally brings you the promised LDAP+TOTP authentication, but also renewed language translations and several third party software updates for software such as OpenSSL, OpenSSH and Sudo. A reboot is not required, but recommended.

Here are the full patch notes:

system: show the actual validation messages for NextCloud backup constraints
system: LDAP import button primary colour and prevent default page submit
system: add LDAP+TOTP authentication variant (2FA)
system: avoid silent fatal error when LDAP OUs could not be retrieved
system: avoid duplicated cookies on login page by not closing session
system: allow to fully disable misc. reboot failsafe backups
system: switch default argument for return_gateways_status()
system: add “Synchronize config to backup” button to HA status page
system: disable help text expand when backup fields have no help text
system: sort user and group lists alphabetically
interfaces: add CARP info to legacy_interfaces_details()
interfaces: removal of find_interface_subnet() and find_interface_subnetv6()
interfaces: introduce find_interface_network() and find_interface_networkv6()
interfaces: refactor find_interface_ip() and find_interface_ipv6()
interfaces: fix and use ipaddr6_ll return value in find_interface_ipv6_ll()
firewall: extend outbound NAT address source and destination with networks
firewall: fix save error when alias name contains an underscore
firewall: do not set days or hours when update frequency is empty
firewall: increase resolve() performance for aliases
firmware: change packaging to be able to place files in the root directory
reporting: fix possible division by zero in NetFlow aggregator
dhcp: reorder arguments of function services_dhcpd_configure()
dhcp: consolidate service probe of IPv6 and router advertisement daemons
dhcp: fix clear hook on log file delete
importer: make clear that /conf/config.xml is required for any import to take place
monit: add quotes and timeout to custom program path (contributed by Frank Brendel)
monit: add SSL options to mail server connection (contributed by Frank Brendel)
network time: improve GPS status parsing
openvpn: add remote address as route when set during linkup
shell: interface banner now only shows enabled interfaces
unbound: do not clear statistics when querying them
lang: updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
mvc: fix toggleBase returning failed result when using $enabled
mvc: fix PortField validation and make well-known ports optional
mvc: fix checking empty string in grid view (contributed by Smart-Soft)
rc: make it more obvious in /boot/loader.conf that system tunables work as well
ui: sidebar performance optimisation (contributed by Team Rebellion)
ui: vertically center current menu item on visible screen when height is too small
plugins: os-haproxy 2.10 [1] [2] [3] (contributed by Frank Wall)
plugins: os-igmp-proxy forces reinstall due to missing core function
plugins: os-ntopng 1.1 adds HTTPS support (contributed by Michael Muenz)
plugins: os-nut fix for config file generation (contributed by Michael Muenz)
plugins: os-postfix fixes typo (contributed by Michael Muenz)
plugins: os-telegraf 1.7.2 adds validation messages to tags (contributed by Michael Muenz)
plugins: os-theme-cicada 1.9 (contributed by Team Rebellion)
plugins: os-upnp removes unused function
plugins: os-zabbix-agent 1.4 [4] (contributed by Frank Wall)
ports: cyrus-sasl 2.1.27 [5]
ports: lighttpd 1.4.51 [6]
ports: openssh 7.9p1 [7]
ports: openssl 1.0.2q [8]
ports: php 7.1.24 [9]
ports: pkg minor upstream fixes
ports: sudo 1.8.26 [10]

18.7.7 (November 08, 2018)¶

Today we are addressing CVE-2018-18958 regarding an unenforced “deny config write” privilege. The issue was reported by brainrecursion this Monday and subsequently fixed along with several related issues. The “deny config write” privilege coupled with admin or user and group manager rights are affected combinations. It is an uncommon way to configure access as the “deny config write” privilege is commonly used for role-based access to non-system services, e.g. captive portals.

As we cannot be sure that no further issues of this sort exist please refrain from using the “deny config write” privilege or at least stop giving access to system services or full admin rights to these users or groups. In the midterm we will be looking for replacements of the current privilege for something that is more generic and robust in enforcement.

Additionally, the update to Suricata 4.0.6 addresses the SMTP crash vulnerability CVE-2018-18956. Since the update does not reboot without an operating system update please manually restart the intrusion detection service.

Here are the full patch notes:

system: CVE-2018-18958 prevent restore of configuration of read-only user [1] (reported by brainrecursion)
system: prevent related read-only user configuration manipulation for history and defaults pages
system: prevent several creative ways to strip read-only privileges in the user and group manager
system: allow wildcards in certificate subject alternative name
system: avoid direct $global access in routing setup
system: do not offer root-only opnsense-shell to non-root users
system: remove FreeBSD 10 password workaround
interfaces: use pure jquery to avoid browser-specific behaviour
interfaces: nonfunctional cleanups in backend and interface GUI configuration
interfaces: clear the correct files IPv6 state files on interface down
interfaces: wait for PPPoE to fully exit on interface down
firewall: fix port alias conversion under new API
firewall: missing filter reload for port alias types
firewall: missing “other” type in VIP network expand
firewall: disabled alias should leave us with an empty one
firewall: category for “United States” moves from Pacific to America
firewall: resolve outbound NAT interface address in kernel
dhcp: only map enabled interfaces in IPv4 leases
dhcp: interface iteration code cleanups
dhcp: do not hand out IPv6 system DNS servers when Unbound or Dnsmasq are used
dhcp: IPv6 PD in manual DHCPv6 case (contributed by Team Rebellion)
dhcp: correctly merge prefix for IPv6 static leases in manual DHCPv6 case (contributed by Raimar Sandner)
firmware: add log file for package manager output
monit: use theme override for widget CSS (contributed by Fabian Franz)
ntp: internal cleanup of function argument order
rc: improvements in service startup scripting
rc: print date and time after successful boot
unbound: disable redirect type until fixed
web proxy: fix typo in description of upload caps (contributed by Juan Manuel Carrillo Moreno)
shell: stop router advertisement daemon too on console port reassign
mvc: remove errors in cron and monit API
plugins: os-freeradius 1.8.2 (contributed by Michael Muenz and Reza Ebrahimi)
plugins: os-nut 1.3 apcsmart and blazer_usb driver, reworked UI (contributed by Michael Muenz)
plugins: os-telegraf 1.7.1 adds ZFS input (contributed by Michael Muenz)
plugins: os-tinc now sets all defined subnets (contributed by QDaniel)
plugins: os-theme-cicada 1.8 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.8 (contributed by Team Rebellion)
plugins: os-smart 1.5 standard widget coloring (contributed by Fabian Franz)
plugins: os-rspamd now uses scan_mime_parts (contributed by Michael Muenz)
ports: curl 7.62.0 [2]
ports: krb5 1.16.2 [3]
ports: strongswan 5.7.1 [4]
ports: suricata 4.0.6 [5]

18.7.6 (October 25, 2018)¶

We are back for new features, updates and reliability fixes. Noteworthy are the addition of the PIE shaper option and firewall alias API. Both Unbound and Dnsmasq have been updated to their latest version.

Here are the full patch notes:

firewall: resolve interface address “:0” for port forwarding in kernel
firewall: list action corrections (contributed by Thomas Bandixen)
firewall: add support for the PIE shaper (contributed by Michael Muenz)
firewall: migrate to new alias API including a new failsafe
firewall: repair log widget for plugin themes
interfaces: do not remove CARP addresses on link-down
interfaces: get pfsync MTU from actual CARP interface
interfaces: add backend call returning all interface data
interfaces: partially rewrite ping, port and traceroute tools
interfaces: improve IPv6 merging in make_ipv6_64_address()
interfaces: use correct IPv6 interface where appropriate
interfaces: replace get_configured_interface_list() usage
interfaces: small refactoring around interface up and down code
system: cleanups in utility and config functions
captive portal: added connect action in API (contributed by zvs44)
firmware: move build-time version information to core version file
firmware: rename backend script “audit” to “security” for clarity
ipsec: bring back service widget lost back in 2016
monit: change status page to support easier CSS styling
unbound: set up a full chroot including local log socket
unbound: replace custom msort() function with standard function
unbound: use correct IPv4 or IPv6 interface for address lookups
webgui: use interfaces_addresses() for interface binding
mvc: show an error message on failed model migrations
mvc: refactor __items access via iterateItems()
mvc: accept style keyword on all input types
mvc: improved menu API endpoint integration
plugins: os-bind adds 4 new blacklist providers (contributed by Michael Muenz)
plugins: os-dyndns validates custom updates solely for URL input
plugins: os-nginx 1.3 correctly sets upstream headers (contributed by Fabian Franz)
plugins: os-theme-cicada 1.6 (contributed by Team Rebellion)
plugins: os-theme-rebellion 1.7 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.5 (contributed by Team Rebellion)
plugins: os-zerotier reorders VPN menu entry (contributed by Michael Muenz)
src: fix regression in IPv6 fragment reassembly [1]
src: fix NULL pointer dereference in freebsd4_getfsstat [2]
src: fix DoS in listen syscall over IPv6 socket [3]
src: fix small kernel memory disclosures [4]
ports: unbound 1.8.1 [5]
ports: dnsmasq 2.80 [6]

18.7.5 (October 17, 2018)¶

While the HardenedBSD 11.2 adoption is almost finished behind the scenes, this release merely revolves around minor corrections and additions that make your life easier. We are also confident that 18.7.6 finally ships the firewall alias API.

Of worthy mention are also the IPsec phase 1 changes that allow multiple DH groups and hashes to be selected simultaneously to tackle interoperability between different mobile client requirements. Also check out the Nginx plugin which has again extended its utility belt to include limiting, permanent bans, caching and more.

Here are the full patch notes:

system: add (de)select all option in LDAP importer
firewall: keep previous content for URL alias on fetch error
firewall: make schedule icon reflect current schedule state (contributed by framer99)
firewall: toggle and migration fix for upcoming alias API
firewall: round-robin limitation is for host alias outbound NAT only
firewall: resolve network addresses in kernel for static routes bypass option
firewall: do not clean up visible records when limit was not reached
firewall: do not hardcode live log pass / block colours
firewall: add live log direction icons
firmware: shorten shaper name and assorted cleanups
firmware: fix upgrade compatibility with FreeBSD 11.2
firmware: use opnsense-version where appropriate
firmware: correctly translate GUI buttons (contributed by Smart-Soft)
dnsmasq: use more robust approach to interface binding
ipsec: more secure phase 1 default settings (contributed by Michael Muenz)
ipsec: support for multiple phase 1 DH groups and hashes
openvpn: option to match CSO against common_name or login (contributed by Fabio Prina)
unbound: fix usage of the remote control backend calls
unbound: remove faulty “DHCP” label hint for IPv6 link-local registration option
web proxy: several corrections for PAC template
backend: fix CPU hogging when reading on already disconnected streams
mvc: speed up parsing very large config files
mvc: add single select constraint
mvc: add UUID field to the result of addBase (contributed by CJ)
ui: sidebar UX improvements (contributed by Team Rebellion)
ui: use single guillemets for previous/next page
plugins: os-acme-client /var MFS awareness
plugins: os-cicada 1.5 (contributed by Team Rebellion)
plugins: os-collectd 1.2 makes hostname override optional (contributed by Michael Muenz)
plugins: os-dyndns 1.10 adds CloudFlare IPv6 support (contributed by Charles Ulrich)
plugins: os-net-snmp 1.2 adds write access for users (contributed by Michael Muenz)
plugins: os-nginx 1.2 [1] (contributed by Fabian Franz)
plugins: os-ntopng hides interface selection under advanced (contributed by Michael Muenz)
plugins: os-openconnect allows uppercase usernames (contributed by Michael Muenz)
plugins: os-postfix 1.6 adds port field (contributed by Michael Muenz)
plugins: os-telegraf 1.7.0 adds global tags, HAProxy input, prometheus output, fixes logging (contributed by Michael Muenz)
plugins: os-tukan 1.4 (contributed by Team Rebellion)
plugins: os-vnstat 1.0 (contributed by Michael Muenz)
plugins: os-zerotier fixes status table (contributed by Christoph Engelbert)
ports: mpd5 upstream MTU fix [2]
ports: PHP 7.1.23 [3]

A hotfix release was issued as 18.7.5_1:

mvc: do not speed up parsing very large config files until fixed

18.7.4 (September 27, 2018)¶

This update reboots into the latest and greatest Realtek driver version 1.95. Also included is a web proxy implementation of the WPAD protocol. Furthermore LibreSSL was moved from version 2.6 to 2.7.

Originally planned was the release of the firewall alias API, but this will have to way a while longer. Thank you for your understanding and support!

Here are the full patch notes:

system: correctly unset DNS override allow setting when saving
system: remove unused / default arguments from get_possible_listen_ips()
system: note that HA disable preempt requires reboot (contributed by Michael Muenz)
interfaces: add static IPv6 correctly when on top of PPPoE (contributed by Team Rebellion)
interfaces: lower MTU via tracked IPv6 interface MTU
interfaces: 6RD IPv4 prefix override is now prefix-only
firewall: also show scheduler info in shaper status (contributed by Michael Muenz)
firmware: introduce opnsense-version utility and fully template build metadata
firmware: annotate HTTP(S) status in mirrors in descriptions
firmware: avoid base upgrade error when /proc is mounted
monit: change mail format field for alerts to text area (contributed by Frank Brendel)
openssh: further tweak new interface bind approach introduced in 18.7.3
openvpn: change abbreviated column title to “Bytes Received” (contributed by Andy Binder)
web proxy: support WPAD / PAC (contributed by Fabian Franz)
ui: minified sidebar improvements (contributed by Team Rebellion)
ui: introduce cache_safe() to invalidate browser cache after updates
plugins: os-dyndns wildcard support for Namecheap
plugins: os-ntopng 1.0 (contributed by Michael Muenz)
plugins: os-openconnect 1.2 allows “@” in username (contributed by Michael Muenz)
plugins: os-relayd 2.3 fixes stuck scheduler value (contributed by Frank Brendel)
plugins: os-snmp compatibility fixes for version detection and listen interface core changes
plugins: os-theme-cidada 1.4 (contributed by Team Rebellion)
plugins: os-theme-rebellion 1.6 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.3 (contributed by Team Rebellion)
plugins: os-tor 1.7 allows to enable directory page (contributed by Fabian Franz)
plugins: os-upnp compatibility fixes for version detection core changes
src: fix out-of-bounds read vulnerability in libarchive
src: update re(4) driver to upstream version 1.95
ports: libressl 2.7.4 [1]
ports: php 7.1.22 [2]
ports: sqlite 3.25.1 [3]
ports: squid 3.5.28 [4]

18.7.3 (September 18, 2018)¶

Long-term IPv6 efforts continue in the form of further 6RD feature comfort and a few edge-case fixes in IPv6 interface selection. Please note there is a reboot necessary due to a security advisory amendment and errata patch.

Progress was made on the importer that blocked further efforts in ZFS installation originally planned for 18.7. You can now list available ZFS pool and import from any of those if you so wish. Props to Smart-Soft for the contribution.

On the plugin side development for the upcoming WireGuard VPN, ntopng and vnStat plugins continues. Check the forum for further updates.

Here are the full patch notes:

system: gateways widget show/hide feature (contributed by Team Rebellion)
system: select correct IPv6 default route when underlying IPv6 interface differs
system: extended meta-matching for special characters in ACL patterns
system: show last diff by default in configuration history page
system: refactor password logic in user manager for clarity
system: link-local listen IPv6 requires reading underlying IPv6 interface
interfaces: avoid boot mismatch on several virtual plugin devices
interfaces: list widget show/hide feature (contributed by Team Rebellion)
interfaces: stats widget show/hide feature (contributed by Team Rebellion)
interfaces: stop wireless software before bringing down the interfaces
interfaces: fix selection issue for DHCPv6 PD “none” value
interfaces: make “64” the page default for DHCPv6 PD
interfaces: allow IPv4 address override in 6RD
interfaces: fix 18.7.2 gateway read regression in 6RD
interfaces: give each 6RD tracker a different IPv6 address
dhcp: add DHCP Dynamic DNS key algorithm selection (contributed by Ingo Theiss)
dhcp: correctly load DHCPv6 settings in manual tracking (contributed by Team Rebellion)
dhcp: do not show lease actions if interface cannot be found
dhcp: unhide DHCPv6 service when not using automatic PD
dnsmasq: annotate that “all” is the recommended interface binding option
importer: list all available ZFS pools (contributed by Smart-Soft)
importer: do not try to unload ZFS on ZFS boot, sanely rejected anyway ;)
importer: ZFS pools are now addressed as e.g. “zfs/zroot”
importer: always loop until exit or successful import
intrusion detection: source, destination, pass support in user rules (contributed by Michael Muenz)
ipsec: change hash checkboxes in phase 2 to selectpicker
openssh: change interface bind logic to only bind to currently available addresses
openvpn: align status columns for client and P2P case (contributed by Andy Binder)
shell: change banner and setaddr interface iteration
unbound: swap stub-zone for forward-zone in overrides (contributed by John Keates)
static: interface iteration conversions in system, firewall and interfaces pages
ui: fix firmware-product file access when using ui_devtools
plugins: os-bind 1.2 log file viewer and oversized list removal (contributed by Michael Muenz)
plugins: os-c-icap 1.6 (contributed by Michael Muenz)
plugins: os-dyndns 1.9 allow plus sign in username (contributed by Charles Ulrich)
plugins: os-haproxy 2.9 backend HTTP reuse option (contributed by andrewheberle)
plugins: os-net-snmp 1.1 IPv6 compatibility (contributed by MrXermon)
plugins: os-rfc2136 1.4 widget style tweaks
plugins: os-theme-rebellion 1.5 style update (contributed by Team Rebellion)
plugins: os-tinc 1.4 log facility fix
src: fix print of stf(4) interface information
src: fix regression in Lazy FPU remediation [1]
src: fix improper ELF header parsing [2]
ports: curl 7.61.1 [3]
ports: lighttpd 1.4.50 [4]
ports: sudo 1.8.25p1 [5]

18.7.2 (September 06, 2018)¶

Lots of third party security updates, plugin updates and minor enhancements in overall system reliability.

In other news the firewall alias API has been finished in the development version. If you use the development version you cannot go back to the production version until the API has been released there as well, which is probably 18.7.3 so not too far away. We are happy about all reports of the new alias pages and API usability.

We will soon begin the migration work for FreeBSD 11.2 for 19.1, but please keep in mind that we will be issuing security advisories to 11.1 when they arise even beyond the original end of life policy.

Here are the full patch notes:

system: select correct network interface in case of IPv6 gateway lookups
system: tighten system wizard ACL and menu registration
system: do not wrap first column of log viewer (contributed by Alexander Graf)
firewall: return alias types to repair its outbound NAT rule edit
firewall: hide NAT redirect target port when port is not applicable
firewall: alias API is now live on the development version and will migrate your aliases to the new format
interfaces: allow explicit MTU to reach the 6RD device
interfaces: remove use of adv_dhcp6_prefix_interface_statement_sla_id (contributed by Team Rebellion)
interfaces: fix for DHCPv6 not being restarted for tracked interfaces (contributed by Team Rebellion)
interfaces: fix adding interfaces LAN bug of translated web GUI (contributed by Werner Fischer)
interfaces: remove incorrect display of prefix ID in help text for tracking configuration
interfaces: add groups to interface details output
interfaces: remove unused code and other nonfunctional cleanups
interfaces: use “x” in the list widget for no carrier
interfaces: hide global IPv6 address in list widget if DHCPv6 is set to use only a prefix
dhcp: remove unused inputs from static mapping page
dhcp: treat EFI BC the same as EFI x86-64 (contributed by andi-makandra)
ipsec: add automatic key exchange option
openvpn: fix /32 host validation logic
openvpn: clean up control sockets prior to startup
openvpn: align user authentication to use common_name as username
mvc: add iterateItems() method to base field type to simplify call flow
mvc: fix configd asList helper (contributed by Fabian Franz)
mvc: add configd XML attributes to template parser
ui: allow version query to match on main.css probing
ui: footer cleanups and static page repairs where boxing was not correct
ui: no minified version for tokenize2
ui: fix table headers in dialogs (contributed by Fabian Franz)
plugins: os-bind 1.1 adds 3 DNSBL providers (contributed by Michael Muenz)
plugins: os-freeradius 1.8.0 adds basic SQLite support (contributed by Michael Muenz)
plugins: os-haproxy 2.8 [1] (contributed by Frank Wall)
plugins: os-nginx 1.0 (contributed by Fabian Franz)
plugins: os-postfix 1.5 allow empty destination in transport (contributed by Michael Muenz)
plugins: os-telegraf 1.5.1 adds ElasticSearch output and disk ignore fix (contributed by Michael Muenz)
plugins: os-theme-rebellion 1.4 style fixes
src: L1 terminal fault (L1TF) kernel information disclosure [2]
src: resource exhaustion in IP fragment reassembly [3]
ports: ntp 4.2.8p12 [4]
ports: openssl 1.0.2p [5]
ports: phalcon 3.4.1 [6]
ports: php 7.1.21 [7]
ports: sudo 1.8.24 [8]
ports: wpa_supplicant security updates [9]

18.7.1 (August 14, 2018)¶

This is the first stable update and includes security updates for several third party software and FreeBSD. A Bind plugin was released with DNSBL support and the reported problems with the HAProxy plugin have been sorted out thanks to enthusiastic reporters and testers.

Here are the full patch notes:

system: hide web server info from server tag
system: fix group privileges edit menu hint
system: add text area field to backup framework (contributed by Joao Vilaca)
interfaces: use NIC preference for VLAN hardware filtering in default config
interfaces: router advertisement and DHCPv6 configure fix (contributed by Team Rebellion)
interfaces: fix PD when using DHCPv6 override on tracked interface
firewall: toggle filter and NAT rules using checkboxes
firewall: add state-policy if-bound option
firewall: added logging for tracing internal rule generator
firewall: fix ordering issue in port validation and disable
firewall: fix disabled reject action icon display (contributed by framer99)
captive portal: fix usage of vouchers and group with spaces in their names
captive portal: hide web server info from server tag
dnsmasq: fix listening behaviour on empty but set interface selection
firmware: remove the 18.1 update fingerprint and pre-18.7 config file fallback
firmware: do not show development version changelogs in releases
intrusion detection: reworked rule selection
ipsec: use selectpicker in mobile page
ipsec: add Brainpool EC groups
openvpn: do not remove client specific override files on disconnect
openvpn: do not create v6 gateway if disabled
shell: omit “:” from SSL fingerprint display
unbound: fix menu access for overrides
wizard: fix root password input
backend: call shutdown before close in background daemon
mvc: cause data from callback_ok to be passed through (contributed by Nicholas de Jong)
mvc: minor glich in getFormData() we should ignore empty id fields
mvc: do not offer internal interfaces in generic interface selector
mvc: handle validations better by removing duplicate messages
mvc: fix two glitches in new tokenize field handling
mvc: add numeric field type
rc: update php.ini include paths (contributed by Joao Vilaca)
ui: fix spacing of containers in static pages
ui: fix sidebar collapse in MVC pages for supported themes
ui: blank problem advanced button (contributed by Team Rebellion)
ui: store preference for sidebar toggle and remember the current setting on resize
plugins: os-acme-client 1.16 adds several DNS providers, ECC renewal fix and OSCP must staple (contributed by Omar Khalil)
plugins: os-bind 1.0 with blacklist (DNSBL) support (contributed by Michael Muenz)
plugins: os-smart 1.4 with style fixes (contributed by Fabian Franz)
plugins: os-wol 2.0 fixes ACL pattern and interface selection
plugins: os-theme-cicada 1.3 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.2 (contributed by Team Rebellion)
src: resource exhaustion in TCP reassembly [1]
ports: curl 7.61.0 [2]
ports: hyperscan 4.7.0 [3]
ports: mpd5 upstream fixes [4] [5]
ports: py-cryptography 2.3 [6]
ports: py-idna 2.7 [7]

A hotfix release was issued as 18.7.1_3:

system: fix policy check on empty password save
captive portal: fix duplicated server tag
openvpn: address P2P TLS /30 network client-connect validation quirk
plugins: os-acme-client 1.17 [1] (contributed by Frank Wall and Alexander Graf)

18.7 (July 31, 2018)¶

For 3 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

Another 6 months passed by ever so quickly! The main goal for 18.7, nicknamed “Happy Hippo”, is stability so we have not yet begun to adopt FreeBSD 11.2, but there are several of its Intel NIC driver updates included to bridge the gap until 19.1 comes out. The upgrade also includes a tremendous amount of IPv6 improvements including 6RD support as well as authentication and backup framework consolidation. Please also take note that QinQ is no longer included in this release.

These are the most prominent changes since version 18.1:

improved WAN DHCPv6 and SLAAC connectivity and tracking
functional IPv6 Rapid Deployment (6RD) support
improved default route handling and gateway switching
OpenVPN default setup improvements for IPv6 and RADIUS attribute support
Dpinger gateway monitoring integration
password policies for local authentication and coupled TOTP
Monit core integration to eventually replace the legacy notifications
OpenSSH access via group and shell selection instead of privilege
pluggable backup framework with new Nextcloud option
sytem tunables are now also used as loader tunables
unrestricted VLAN usage for e.g. Xen
QinQ interface removal
firmware GUI speedup, improved error parsing and console reboot hint
ZFS on root boot support (installer support is pending, but opnsense-bootstrap works)
ZFS and MSDOS config import support
ISC DHCP version moves from 4.3 to 4.4
RRDtool version moves from 1.2 to 1.7
rework rc.syshook facility to use drop-in directories instead of suffixes
backports of FreeBSD 11.2 Intel NIC drivers
stand-alone frontend UI development tools
language updates for Czech, French, German, Portuguese (Brazil)
UI header security and SSL cipher hardening
extensive UI cleanups and menu consolidation
new and rewritten plugins: os-cache, os-lcdproc-sdeclcd, os-net-snmp, os-nut, os-openconnect, os-relayd 2.0, os-shadowsocks, os-theme-cicada, os-theme-rebellion, os-theme-tukan, os-wol 2.0

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

Europe: https://opnsense.c0urier.net/releases/18.7/
US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/18.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/18.7/
South America: http://mirror.upb.edu.co/opnsense/releases/18.7/
South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/18.7/
Full mirror list: https://opnsense.org/download/

Here are the full changes against version 18.7-RC2:

system: clarify help for preventing local nameserver usage in general settings
system: deal with ACL trailing slash wildcards due to its removal from menu links
system: allow LDAP user import even when multiple authentications servers are set
system: merge duplicated encrypt() and decrypt() config backup implementations
system: extend encrypt() and decrypt() with optional header, footer and attribute usage
system: optional encryption of Nextcloud backup through user-specified password (contributed by Fabian Franz)
interfaces: do not yield IPv6 tunnel addresses via legacy_getall_interface_addresses()
firewall: rules alias preview on hover when no description was provided
firewall: transitional code for upcoming alias API usage
firewall: remove alias types urltable_ports and url_ports
firewall: revert only binding to first interface address due to ambiguity in IPv6 local-link setups
dnsmasq: unconditionally listen on loopback device but avoid binding more than 127.0.0.1 in IPv4
installer: properly accept cancel on guided install
installer: removed unused mail log feature
ipsec: remove validation to support for IPv6 over IPv4 tunnel and vice versa
web proxy: more elaborate fix of IDNA encode with leading dots
mvc: always use std_bootgrid_reload() for bootgrid reloads
ui: sidebar menu support for optional themes (contributed by Team Rebellion)
plugins: os-dyndns 1.8 fixes Eurodns support
plugins: os-theme-rebellion 1.3 (contributed by Team Rebellion)
plugins: os-relayd 2.2 (contributed by Frank Brendel)
plugins: os-siproxd 1.3 (contributed by Michael Muenz)
ports: dhcp6c v20180720 with fix for raw support (contributed by Team Rebellion)
ports: php 7.1.20 [2]

Migration notes and minor incomatibilities to look out for:

SSH access is now bound to the “wheel” group which is automatically added to “admins” group, which “root” is a member of. “root” is the only user that has a default shell, namely opnsense-shell, which is the root console menu.
SSH access can be set for an arbitrary group as well under System: Administration for non-members of “admins” group. However, in both cases only SCP works due to a request in the forum to be more proactive regarding yielding of shell access rights. If you want a user to gain true SSH access you need to change their shell from “nologin” to an installed shell in their respective settings.
Web GUI HTTPS ciphers have been hardened. To gain access please use a recent browser.
The authentication fallback for the GUI/system has been removed in favour of selecting multiple authentication servers at once. Reassign your fallback as a primary authentication method or now use more than two methods.
It has been found that although WAN interfaces require gateways to function, they do not necessarily have to be assigned in single-WAN scenarios to avoid interfering with WAN reply behaviour. The “none” selection was therefore changed to “auto-detect” to reflect this and now is the recommended setting unless multi-WAN is used.
In preparation for the firewall alias API the per-item descriptions have been removed along with support for the deprecated types urltable_ports and url_ports.
OpenVPN /31 tunnel network calculation changed to use the first and last address as network address and broadcast address do not exist. If you are affected, adjust your clients or export their configuration again which includes the configuration fix. Additionally, /32 tunnel networks are now prohibited.

All images are provided with SHA-256 signatures, which can be verified against the distributed public key:

# openssl base64 -d -in image.bz2.sig -out /tmp/image.sig
# openssl dgst -sha256 -verify rsa.pub -signature /tmp/image.sig image.bz2

The public key for the 18.7 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvkEFA2+DAhWXfucsgdvZ
# 8xxkuzNt0nYttTmbRtLVJRKREysOj3/nqBcFWtvLr3ooVhkbxVY7HPLEoicqFdG/
# +m5lLR2kI7hnZ2mpkl+/NKSixJaZkqXi5cQCp8KUlE7oOu3d6O5ZtTg4g40Ms8Dp
# bQw8oZo3NpBrQK3gEEEzNYgChkZwTrEZ1Y8v8+/3zggh44sqg4vA1j5g9jq3Ldms
# 3KnulBgettpHIapeAmbtCokaLaXxf4lgQxyUsy077aeNRptDpGG3D5ZQgtIjaYeE
# h3u51PaVTL5OY/2uvcTnxR/ZrrHpppkIutUGzGJo9KK0gfrXLi31r9e+xtBJYBdC
# FtdefujlV3Cfw1OFpUY/Y1p921xgHftNnrVDk+C9kl+FKf3qvFeyGCbd9V2k1JM2
# uXHDwbsjZNPhbxbqtCoCDMbsUjBsfWyAOIoZfXOSmqJQt3jBUvwXKwLKncVh4Tvu
# wxJGXNZXk/OCHVQYlx/uzwf5/ly/ApIwMKqr66E7mo0OVkPaME0uCCUJolugu9lI
# tW8TJVZryBCQMQ4XhPZkcny22I2oRI5nCu7baRrFNJ8gB8UYUnrIPTIJIhrjrVOg
# pFOxSb/tZAqtutFOE8F5+KwcgGlOBOKXPaNrdQ79X4kH7egChPrhm283rfW1oEG6
# 8rHzvP45S09L8o7OXUddo8UCAwEAAQ==
# -----END PUBLIC KEY-----

# SHA256 (OPNsense-18.7-OpenSSL-dvd-amd64.iso.bz2) = 6b3528f8dea8de5c96de5547636fd51c40382c245b30eb215608acbd04fb7e91
# SHA256 (OPNsense-18.7-OpenSSL-nano-amd64.img.bz2) = cb0272f0bd945ea8070d9a40af2cd47a3b68e9bd389395b285bb9ab4128d1f00
# SHA256 (OPNsense-18.7-OpenSSL-serial-amd64.img.bz2) = a4556080532d22e9ab296e2c6e163b3d65d5fe54a642253e1c01a22721afa850
# SHA256 (OPNsense-18.7-OpenSSL-vga-amd64.img.bz2) = 4408840fba4177d44503968fce44d8ca7180003728660fd9c0a2e6920346008c

# SHA256 (OPNsense-18.7-OpenSSL-dvd-i386.iso.bz2) = 8ea49dcb512365a1e92e94fb38f1b4a85463ffacfb98c055e84e6340a6321ecf
# SHA256 (OPNsense-18.7-OpenSSL-nano-i386.img.bz2) = bdd753a63367944452d2d5d1e73e4aa9f3d607012d10c4274420d23867a4fbad
# SHA256 (OPNsense-18.7-OpenSSL-serial-i386.img.bz2) = f74f5fd1c24cc54002fa9b99a0c10b4402b3f748a315ff302126acb154cd2633
# SHA256 (OPNsense-18.7-OpenSSL-vga-i386.img.bz2) = 52208b57f9e89d235411df33faac71b8d9872d50947ff4c0dca6f552424a4d95

18.7.r2 (July 19, 2018)¶

So far so good. Here is another batch of changes for the upcoming 18.7 release from assorted areas. Also included is the latest Suricata 4.0.5.

We have bundled the firewall alias API progress under the hood, but it looks like we will miss our initial 18.7 target. Sorry about that. Though it should be worth the wait. :)

Here is the full list of changes against version 18.7-RC1:

system: show fingerprint in certificate details (contributed by Robin Schneider)
system: fix Nextcloud file name format (contributed by Fabian Franz)
system: allow remote backup via cron command
system: clarify interface labels for NetFlow generator
system: restart syslog when interface bind addresses may have changed
system: do not use forced down gateways for default gateway switching
system: allow USB-based serial ports
interfaces: allow /0 to /32 in 6rd and align prefix length calculation with effective prefix used
interfaces: 6rd validation and avoid listing on assignment page
firewall: remove virtual IP network address restrictions for IPv6
firewall: ignore namelookup when no nameservers are configured
firewall: drop detail description field in preparation for alias API
firewall: do not emit reflection rules for the wrong address family
firewall: properly handle 6rd / 6to4 tunnel device in rule generation
firewall: allow to select external aliases
dashboard: add a 6 widget columns option
firmware: slightly improve remote probing of kernel and base set
firmware: hide upgrade banner when update is done
installer: give basic tip that GUI IP can be set in console (contributed by stilez)
intrusion detection: clean up previously installed rules
ipsec: add mutual RSA and EAP-MSCHAPv2 support
monit: fix UI issues (contributed by Frank Brendel)
ntp: typo in SiRF selection
openvpn: change IP calculation of /31 tunnel networks (contributed by Daniil Baturin)
openvpn: move generation of client connect / disconnect directives to server mode block
openvpn: properly translate several validation messages
openvpn: disable use of /32 tunnel networks
shell: show SSH and HTTPS fingerprints in banner (contributed by Robin Schneider)
shell: reset DHCPv6 configuration during port reconfigure
shell: clarify install media login message (contributed by stilez)
shell: move banner display to top
unbound: add latest root hints to standard configuration
web proxy: allow to not use request or response URL in ICAP
mvc: multiselect may allow empty option, no need to give blank item too
plugins: os-frr 1.4 cleans up redistribute options (contributed by ShaRose)
plugins: os-zabbix-proxy 1.1 adds PSK-based encryption (contributed by fzoske)
plugins: os-theme-cicada 1.2 (contributed by Team Rebellion)
plugins: os-theme-rebellion 1.2 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.1 (contributed by Team Rebellion)
plugins: os-openconnect 1.1 (contributed by Michael Muenz)
plugins: os-net-snmp 1.0 fix for listening field (contributed by Michael Muenz)
plugins: os-haproxy 2.7 restores multiselect where needed (contributed by Frank Wall)
plugins: os-web-proxy-sso 2.2 UI fixes (contributed by Smart-Soft)
ports: dhcp6c now supports raw option send and receive (contributed by Team Rebellion and Christoph Engelbert)
ports: suricata 4.0.5 [1]

As always with our pre-releases, only OpenSSL is provided at this point, but can be switched for LibreSSL as soon as the release is available. This release candidate does update directly into the 18.7 stable track and subsequent release candidates. Please let us know about your experience!

18.7.r1 (July 11, 2018)¶

For 3 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

Another 6 months passed by ever so quickly! The main goal for 18.7 is stability so we have not yet begun to adopt FreeBSD 11.2, but there are several Intel NIC driver updates included to bridge the gap until 19.1 comes out. The upgrade also includes a tremendous amount of IPv6 improvements and authentication framework consolidation. Please also take note that QinQ is no longer included in this release.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

Europe: https://opnsense.c0urier.net/releases/18.7/
US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/18.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/18.7/
South America: http://mirror.upb.edu.co/opnsense/releases/18.7/
South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/18.7/
Full mirror list: https://opnsense.org/download/

Here are the full changes against version 18.1.11:

system: improve local account expire cron job to also flush passwords and SSH keys
system: do not account-lock root user to avoid meddling with cron
system: only write authorized SSH keys for login-capable users
system: Diffie-Helman parameter selection: auto, cron-based, RFC 7919
system: avoid use of expired nsCertType attribute in certificate purpose test (contributed by Justin Coffman)
system: steer SSH shell access via group to separate system-wide admins from SCP-only users
system: web GUI cipher hardening and optional HSTS use
system: administration settings now include session timeout and authentication server selection
system: remove authentication fallback in favour of allowing to select multiple servers at once
system: local password policies are now found via local database server edit
system: removed spurious LDAP user test page
system: allow to select a shell per user
system: unlimited sessions are no longer allowed
system: remote syslog support for intrusion detection
system: allow full validation on gateways added via interfaces configuration page
system: use red color on all administrator users and superuser groups in access lists
system: removed average tooltip indication from both CPU usage graphs on dashboard (contributed by Team Rebellion)
system: large CPU usage widget now shows the time and date for each data point
interfaces: allow tracking mode for SLAAC (ISP 018.net.il)
interfaces: rework IPv6 interface detection logic on PPP links
interfaces: optionally allow manual router advertisements and DHCPv6 for tracking (contributed by Team Rebellion)
interfaces: merged CARP BACKUP / MASTER handlers into rc.syshook
interfaces: optionally offer multi-wan and far gateway options for static interface configuration when adding a new gateway
interfaces: allow full interface reload cycle in overview page instead of split release/renew
interfaces: removed QinQ functionality
firewall: improved feedback and reading of filter reload errors
firewall: do not trigger rules scheduling if scheduled rule is disabled
firewall: do not automatically port-forward attached VIPs of an interface
dhcp: remove legacy wake on lan support from leases page
dnsmasq: listen on all interface addresses for selected interfaces
firmware: dedicated error for when package manager keeps running in background
firmware: new mirror Aalborg University (Aalborg, DK)
firmware: new mirror Dataroute (Dusseldorf, DE)
importer: keep asking for a partition if the selected partition is not supported by the importer
installer: use opnsense-importer on configuration import to avoid code duplication
installer: password recovery option only works for 18.7 onwards
installer: simplify GEOM mirror setup questions and resulting mirror name
intrusion detection: add support for rule version checks
ipsec: support mutual RSA with EAP-MSCHAPv2
monit: former plugin imported into core and brand new dashboard widget (contributed by Frank Brendel)
openvpn: client-specific overrides rework to support RADIUS attributes Framed-IP-Address, Framed-IP-Address, Framed-Route
openvpn: destroy device nodes when deleting servers or clients
unbound: create ACL entries for all interface addresses of selected interfaces
unbound: support ACL modes deny_non_local and refuse_non_local (contributed by DJFelix)
wizard: added a dedicated Diffie-Helman parameter selector
mvc: dynamic urls regardless if you have a trailing slash or not (contributed by Max Orelus)
mvc: switch from the default $_GET[“_url”] to $_SERVER[“REQUEST_URI”] and let Phalcon handle the routing
mvc: add support for application-specific field types
mvc: IDNA encode fails when input starts with a dot
rc: unset rcvar before evaluation (contributed by Nicholas de Jong)
rc: redesigned rc.initial as opnsense-shell utility with command line support and improved RC system interoperability
ui: top level menu item link pivots and security improvements (contributed by Max Orelus)
ui: assorted style updates and minor fixes in static pages to improve overall visual representation
ui: content security policy hardening (contributed by Fabian Franz)
ui: switch remaining use of Glyphicons to Font-Awesome in static pages
ui: when JQuery Bootgrid rowselect is enabled the click event is triggered twice
ui: order menu alphabetically in a number of places
ui: replaced JQuery Tokenize with Tokenize2
plugins: os-net-snmp 1.0 supports use of Net-SNMP (contributed by Michael Muenz)
plugins: os-wol 2.0.d is a MVC rewrite of the wake on LAN plugin (contributed by Fabian Franz)
src: keep the CARP data structure when an address is not being removed
src merge pfSense stf(4) / 6RD additions not in FreeBSD

The list of currently known issues with 18.7-RC1:

Boot may fail on Intel Denverton attached storage
6RD prefix calculation is not always correct
Monit UI glitch in multi-select fields
Apollo Lake errata patch pending
ZFS installer support is missing

All images are provided with SHA-256 signatures, which can be verified against the distributed public key:

# openssl base64 -d -in image.bz2.sig -out /tmp/image.sig
# openssl dgst -sha256 -verify rsa.pub -signature /tmp/image.sig image.bz2

The public key for the 18.7 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvkEFA2+DAhWXfucsgdvZ
# 8xxkuzNt0nYttTmbRtLVJRKREysOj3/nqBcFWtvLr3ooVhkbxVY7HPLEoicqFdG/
# +m5lLR2kI7hnZ2mpkl+/NKSixJaZkqXi5cQCp8KUlE7oOu3d6O5ZtTg4g40Ms8Dp
# bQw8oZo3NpBrQK3gEEEzNYgChkZwTrEZ1Y8v8+/3zggh44sqg4vA1j5g9jq3Ldms
# 3KnulBgettpHIapeAmbtCokaLaXxf4lgQxyUsy077aeNRptDpGG3D5ZQgtIjaYeE
# h3u51PaVTL5OY/2uvcTnxR/ZrrHpppkIutUGzGJo9KK0gfrXLi31r9e+xtBJYBdC
# FtdefujlV3Cfw1OFpUY/Y1p921xgHftNnrVDk+C9kl+FKf3qvFeyGCbd9V2k1JM2
# uXHDwbsjZNPhbxbqtCoCDMbsUjBsfWyAOIoZfXOSmqJQt3jBUvwXKwLKncVh4Tvu
# wxJGXNZXk/OCHVQYlx/uzwf5/ly/ApIwMKqr66E7mo0OVkPaME0uCCUJolugu9lI
# tW8TJVZryBCQMQ4XhPZkcny22I2oRI5nCu7baRrFNJ8gB8UYUnrIPTIJIhrjrVOg
# pFOxSb/tZAqtutFOE8F5+KwcgGlOBOKXPaNrdQ79X4kH7egChPrhm283rfW1oEG6
# 8rHzvP45S09L8o7OXUddo8UCAwEAAQ==
# -----END PUBLIC KEY-----

As always with our pre-releases, only OpenSSL is provided at this point, but can be switched for LibreSSL as soon as the release is available. This release candidate does update directly into the 18.7 stable track and subsequent release candidates. Please let us know about your experience!

# SHA256 (OPNsense-18.7.r1-OpenSSL-dvd-amd64.iso.bz2) = c5ca07eefde68d16d0fc060fd2fa0be12d77752d5376b5483103c8d1901975ca
# SHA256 (OPNsense-18.7.r1-OpenSSL-nano-amd64.img.bz2) = c2252d379c10936f98ed02044dc61eda13b8b3ffe08c0e9e7f0a70a462fcb005
# SHA256 (OPNsense-18.7.r1-OpenSSL-serial-amd64.img.bz2) = f48a065e8e6d0ed8f38737d46d991df4c231ef5ce60f022eb2252a41e55842fe
# SHA256 (OPNsense-18.7.r1-OpenSSL-vga-amd64.img.bz2) = 4d6237590df8cb918fff580f7cf6fed08a9b1fbd224061870bf7e4cf4e394c18

# SHA256 (OPNsense-18.7.r1-OpenSSL-dvd-i386.iso.bz2) = 3fc4405619763cdcf08620a029a1d5270271b2e796af7e4b8869995e28ad4f68
# SHA256 (OPNsense-18.7.r1-OpenSSL-nano-i386.img.bz2) = 1efc4695be64cfee87603cea77d6e89b8b09c33fa1a491d15f0b652234c1f21a
# SHA256 (OPNsense-18.7.r1-OpenSSL-serial-i386.img.bz2) = f010ca0d33addeb94f436a551a61418f95fde9bd7511c88b75a7131ca65b162f
# SHA256 (OPNsense-18.7.r1-OpenSSL-vga-i386.img.bz2) = aba557b88ae27ecd5d301fa32f3910a7e5499491b8263e21a722976c0da714fc