21.7 “Noble Nightingale” Series¶
For more than 6 and a half years, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
21.7, nicknamed “Noble Nightingale”, is one of the largest iterations of code changes in our recent history. It will also be the last release on HardenedBSD 12.1. We are planning to start the work on FreeBSD 13 as soon as next week for the 22.1 series.
The installer was replaced to offer native ZFS installations and prevent glitches in virtual machines using UEFI. Firmware updates were partially redesigned and the UI layout consolidated between static and MVC pages. The live log now contains the actual rule ID to avoid mismatches after adjusting your ruleset and the firewall aliases now also support wildcard netmasks. For a complete list of changes see below.
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/21.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/21.7/
South America: https://mirror.venturasystems.tech/opnsense/releases/21.7/
Australia: http://mirror.as24220.net/opnsense/releases/21.7/
Full mirror list: https://opnsense.org/download/
21.7.8 (January 27, 2022)¶
To improve migration to the next version we are releasing this update back to back with 22.1. There is no immediate need to upgrade so plenty of time to read and prepare.
Suffice to say this will be the last update of the 21.7 series. Thank you and see you on the other side. :)
Here are the full patch notes:
system: remove spurious XML validation that cannot cope with attributes from backup restore
system: prevent syslog-ng from crashing after update due to “syslog-ng-ctl reload” use
reporting: fix display of total in/out traffic values
firewall: removed the $aliastable cache
firewall: correctly handle IPv6 NAT in states view
firewall: skip rule ID for NAT type log entries (contributed by kulikov-a)
firewall: support “no scrub” option in normalisation rules
network time: remove PID file use as it can be unreliable
intrusion detection: update to ET-Open to version 6
intrusion detection: prevent config migration from crashing
lang: update translations for Chinese, French, German, Italian, Japanese, Norwegian, Spanish, and Turkish
captive portal: prevent session removal crashing when no IP address was registered
firmware: offer 22.1 upgrade path when supported by mirror
mvc: add getInterfaceConfig endpoint to interface API (contributed by Paolo Asperti)
mvc: fix logging of configd errors (contributed by kulikov-a)
plugins: os-acme-client 3.8 [1]
plugins: os-frr 1.26 [2]
plugins: os-openconnect 1.4.2 [3]
plugins: os-postfix 1.21 [4]
plugins: os-telegraf 1.12.4 [5]
plugins: os-wireguard 1.10 [6]
src: axgbe: validate contents of gpio expander
src: incorrect XSAVE state size [7]
src: vPCI compatibility improvements with certain Hyper-V releases [8]
src: vt console buffer overflow [9]
ports: expat 2.4.2 [10]
ports: filterlog 0.6 [11]
ports: flock 2.37.2
ports: hostapd 2.10 [12]
ports: lighttpd 1.4.63 [13]
ports: nss 3.74 [14]
ports: openssl 1.1.1m [15]
ports: openvpn 2.5.5 [16]
ports: php 7.4.27 [17]
ports: sqlite 3.37.2 [18]
ports: syslog-ng 3.35.1 [19]
ports: unbound 1.14.0 [20]
ports: wpa_supplicant 2.10 [21]
21.7.7 (December 15, 2021)¶
End-of-the-year security and reliability update coming right up!
Due to inconclusive reports we are disabling the Netmap API version 14 support in Suricata to get a better understanding of the situation. The plan still is to keep it for the 22.1 upgrade and it has in fact been enabled on the development versions since September without any obvious issues.
The upgrade to 22.1-BETA3 is also included in the bundled development version.
Here are the full patch notes:
system: fix /etc/ssl/cert.pem permission on backend call
firewall: typo in direction for session diagnostics (contributed by kulikov-a)
firewall: fix address direction for states diagnostics (contributed by kulikov-a)
firmware: added generic configuration support via opnsense-update.conf
firmware: modify the launcher to support -r and -s options
firmware: fix upgrade prompt hint
firmware: simplify repo file flush
intrusion detection: update severity of ruleset download skipped log message (contributed by kulikov-a)
intrusion detection: update embedded classification.config
backend: configd profiler call fix
ui: prevent browser auto-fill for username/password (contributed by NOYB)
plugins: os-acme-client 3.6 [1]
plugins: os-fetchmail removed since fetchmail author does not permit LibreSSL on FreeBSD
plugins: os-firewall 1.1 adds “Do not NAT” option
plugins: os-haproxy 3.8 [2]
plugins: os-stunnel is now available for LibreSSL using an embedded OpenSSL build
src: axgbe: fix I2C timeouts by reissuing command on errors
src: axgbe: fix possbile link instabilities
src: axgbe: log GPIO signals on EEPROM read fails
ports: curl 7.80.0 [3]
ports: dnsmasq fixes multiple regressions
ports: nss 3.73 [4]
ports: php 7.4.26 [5]
ports: phpseclib 2.0.35 [6]
ports: suricata disables Netmap API version 14 introduced in 21.7.6
21.7.6 (November 25, 2021)¶
This smallish update introduces Suricata 5-based versions for Emerging Threats rulesets as well as shipping the latest Suricata 6.0.4 with an additional change for the Netmap API version 14. Please do let us know how that impacts your IPS performance numbers via the forum if you notice anything.
The upgrade to 22.1-BETA2 is also included in the bundled development version.
Here are the full patch notes:
system: move logging remnants of Relayd/HAProxy to plugin code
system: support XMLRPC authentication using API keys
system: escape shell parameters in cron jobs
system: system log widget auto-refresh (contributed by kulikov-a)
interfaces: make is_linklocal() properly detect all link-local addresses (contributed by Per von Zweigbergk)
firewall: properly translate “any” port to upper or lower port bound
firewall: support any-to-X ranges for rules port input (contributed by kulikov-a)
firewall: drop policy based routing validation on interface rules
captive portal: missing tooltip in session window
captive portal: “connected since” malformed due to datetime already being converted
dhcp: add current IPv4 address to static lease creation (contributed by Taneli Leppa)
intrusion detection: switch to ET-Open Suricata 5 rulesets
intrusion detection: support multiple policy property in metadata
ipsec: inline only caller of get_configured_vips_list()
ipsec: avoid VTI device recreation when using hostnames
backend: add configctl “-d” and “-q” options for future use
plugins: os-acme-client 3.5 [1]
plugins: os-dyndns 1.27 [2]
plugins: os-etpro-telemetry 1.6 switches to Suricata 5 rulesets
plugins: os-frr 1.24 [3]
plugins: os-nginx 1.24 [4]
plugins: os-telegraf 1.12.3 [5]
plugins: os-wireguard 1.9 [6]
plugins: os-zabbix-agent 1.10 [7]
plugins: os-zabbix-proxy 1.6 [8]
ports: suricata 6.0.4 [9] with Netmap API version 14 enabled
21.7.5 (November 11, 2021)¶
FreeBSD security advisories and an issue with Intel-based ixgbe driver with “ifconfig -v” stalls keep this release rolling. Also note that OpenSSH was updated to version 8.8 which deprecates ssh-rsa usage which is mainly an issue for client access from the OPNsense system to the outside and can be amended as per the suggestions in the respective release notes.
And as promised the development version includes the upgrade path to the 22.1-BETA1 release. This will be an online-beta with a few iterations over the FreeBSD 13 stable branch and eventually move to FreeBSD 13.1 release as that becomes available.
Highlights for 22.1 already include:
Suricata Netmap version 14 support for multi-gigabit speed in IPS mode with RSS enabled
Separate VLAN MAC spoofing and permanent promiscuous mode setting
Tunable analytics provide automatic descriptions and type
IPsec tunnel overview ported to MVC with pagination
Proofpoint Emerging Threats rules for Suricata 5.0
Removed opportunistic interface address read functions
Console-based LAGG configuration support
Removed state killing on gateway failure feature
Improved firmware update capabilities
No-bind service awareness for virtual IPs
FreeBSD 13 stable branch
RFC 5424 and severity support in logs
Clog support has been removed
And more…
Please note that the beta version will always be available for upgrade when switching to the development version. At this point no stable packages are provided and this includes plugins. These will become available as the release candidate is released in early January 2022.
All feedback is welcome but keep in mind that there are still a number of moving parts ahead. Upgrade responsibly.
Here are the full patch notes for version 21.7.5:
system: remove support for obsolete “local” syslog socket plugin request
system: prevent setup wizard error in WAN-only configuration
system: properly extract keyid string (contributed by kulikov-a)
system: show all threads and correct WCPU in activity (contributed by kulikov-a)
system: fix display and sorting in activity (contributed by kulikov-a)
interfaces: remove obsolete link_interface_to_vlans() function
interfaces: inline legacy_interface_rename() function
interfaces: verbose output on test port (contributed by kulikov-a)
firewall: add live view templates page to respective ACL (contributed by kulikov-a)
firewall: replace pfInfo with statistics page
firewall: add rules to statistics page (contributed by kulikov-a)
firewall: remove defunct “block carp from self” CARP rule
dhcp: automatically set AdvRASrcAddress for link-local CARP address
dhcp: exclude link-local subnet router advertisements
firmware: remove unavailable Hostcentral mirror
firmware: opnsense-update: replace -A before -M and handle single directory -M independently
firmware: opnsense-verify: disable verification for repositories without signatures
firmware: opnsense-verify: let -l option properly discard duplicate repositories
firmware: opnsense-version: support -x effective ABI probing
ipsec: add sha256_96 flag (contributed by Patrick M. Hausen)
monit: add polltime to service settings (contributed by Frank Brendel)
ui: prevent event propagation to avoid click() events being forwarded
plugins: os-bind 1.19 [1]
plugins: os-dnscrypt-proxy 1.10 [2]
plugins: os-dyndns 1.26 [3]
plugins: os-freeradius 1.9.17 [4]
plugins: os-frr 1.23 [5]
plugins: os-haproxy 3.7 [6]
plugins: os-nut 1.8.1 [7]
plugins: os-openconnect 1.4.1 [8]
plugins: os-relayd 2.6 [9]
plugins: os-telegraf 1.12.2 [10]
plugins: os-vnstat 1.3 [11]
plugins: os-wireguard 1.8 [12]
src: axgbe: correctly enable RSS driver support by default
src: ixgbe: prevent subsequent I2C bus read timeouts
src: fix kernel panic in vmci driver initialization [13]
src: timezone database information update [14]
ports: lighttpd 1.4.61 [15]
ports: nss 3.72 [16]
ports: openssh 8.8p1 [17]
ports: pcre2 10.39 [18]
ports: php 7.4.25 [19]
ports: phpseclib 2.0.34 [20]
21.7.4 (October 27, 2021)¶
This update features three new major things: optional receive side scaling (RSS) support in the kernel, asynchronous DNS resolving for aliases and configuration support for advanced LAGG settings.
RSS is disabled by default but may be switched on by adding a tunable “net.inet.rss.enabled” with value “1” and rebooting the system. While RSS can improve performance for certain hardware it should be used with care at this point and is not generally recommended yet! The Suricata version bundled with the development release offers the upcoming API bindings to take advantage of the RSS-based multithreading. Also please note that PPPoE cannot take advantage of RSS.
On the side we are almost ready for our 22.1-BETA preview with rolling releases for the development release type which is something new to look forward to also.
Here are the full patch notes:
system: prevent expired or intermediate CA certificates from being added to trust store by default
system: prevent XSS in LDAP attribute return in authentication tester (reported by Orange CERT-CC)
system: add product title to auth pages
system: fix log search ignoring first character
system: add xc0 entry video console entry if node exists
system: add automatic outbound NAT logging option
interfaces: let guess_interface_from_ip() find the best match on overlapping subnets (contributed by Jason Crowley)
interfaces: improve configurability with LAGG devices
firewall: fix non-sticky rule association in port forward
firewall: switch failover peer address acquire away from deprecated function
firewall: specify overload table on maximum new connections
firewall: add loaded item count and last update to aliases page
firewall: refactor getInterfaceGateway() to eliminate edge cases with IPsec route-to behaviour
firewall: allow alias to skip entry on EmptyLabel (contributed by James Golovich)
firewall: improve resolve performance by implementing asynchronous DNS lookups
dhcp: show static leases without IP address assignments in the lease pages
firmware: do not remove obsolete base files on major upgrades
firmware: support ABI hints in the file “firmware-upgrade”
firmware: opnsense-code utility now supports “-u” mode for automatic upgrade after fetch
firmware: opnsense-code utility fix for “-d” option (contributed by Patrick M. Hausen)
firmware: opnsense-update utility is now able to bootstrap its own configuration in “-d” mode
firmware: opnsense-update utility now supports “-ct package-name” check for type change
firmware: opnsense-update utility no longer assumes “-bkp” by default
firmware: opnsense-update utility adds separate clean option for obsolete base files
firmware: opnsense-update utility assorted cleanups
ipsec: add charon.max_ikev1_exchanges parameter
ipsec: add closeaction parameter (contributed by Patrick M. Hausen)
ipsec: rewrite netmask calculation for VTI tunnel setup
monit: add link event to alert settings (contributed by Frank Brendel)
openvpn: remove obsolete remnants of tun-ipv6
unbound: add Abuse.ch ThreatFox list
unbound: make so-reuseport conditional upon RSS status
backend: static parameters ignored when no dynamic ones exist
mvc: replace __toString() calls with string casts
plugins: os-acme-client 3.4 [1]
plugins: os-c-icap log file fix (contributed by Michael Muenz)
plugins: os-dyndns 1.25 [2]
plugins: os-haproxy 3.6 [3]
plugins: os-lldpd will now identify itself as Network Connectivity Device (contributed by Xeroxxx)
plugins: os-puppet-agent 1.0 [4]
plugins: os-qemu-guest-agent 1.1 [5]
plugins: os-theme-rebellion 1.8.8 (contributed by Team Rebellion)
src: include RSS kernel support defaulting to off
src: axgbe: properly multiplex on reading module signals
src: libnetmap: reset errno in nmreq_register_decode()
src: pf: remove side effect from nat logging patch
src: dummynet: fix mbuf tag allocation failure handling
src: aesni: avoid a potential out-of-bounds load in aes_encrypt_icm()
ports: curl 7.79.1 [6]
ports: dnspython 2.1.0 [7]
ports: jinja 3.0.1 [8]
ports: libressl 3.3.5 [9]
ports: lighttpd 1.4.60 [10]
ports: nss 3.71 [11]
ports: openvpn 2.5.4 [12]
ports: php 7.4.24 [13]
ports: strongswan 5.9.4 [14]
ports: sudo 1.9.8p2 [15]
21.7.3 (September 22, 2021)¶
This release finally brings in Suricata version 6 as well as OpenVPN tls-crypt support, automatic user creation on LDAP-based logins and more.
As a general note the Realtek vendor driver currently bundled with the base system will be moved to a plugin-based kernel module in version 22.1 and the original re(4) driver inside FreeBSD 13 will be restored. To ease migration and because the version maintained in FreeBSD ports actually offers additional fixes we have included the new plugin into this build.
Here are the full patch notes:
system: allow automatic user creation on LDAP-based logins
interfaces: add and use unified function is_interface_assigned() to prevent deleting assigned interfaces
interfaces: sync firewall groups after internal create/destroy operations
interfaces: add netstat tree search and improve page layout
interfaces: replace opportunistic diagnostics IP address lookups with more robust variants
firewall: clarify match/set priority in rules
firewall: improve alias description/preview
firewall: aliases maximum entries progress bar
dhcp: add shared dhcpd_leases() reader and use it in both lease pages
openvpn: use is_interface_assigned() to prevent deletion of assigned instances
openvpn: CARP status read cleanups (contributed by vnxme)
openvpn: tls-crypt support (contributed by vnxme)
openvpn: do not create empty router file
router advertisements: remove AdvRDNSSLifetime / AdvDNSSLLifetime bounds (contributed by Maurice Walker)
unbound: register DHCP leases with their matching IP range configured DHCP domain
plugins: os-acme-client 3.1 [1]
plugins: os-chrony 1.4 [2]
plugins: os-collectd 1.4 [3]
plugins: os-fetchmail 1.1 [4]
plugins: os-freeradius 1.9.16 [5]
plugins: os-realtek-re 1.0 adds Realtek vendor NIC driver module
plugins: os-telegraf 1.12.1 [6]
ports: dnsmasq 2.86 [7]
ports: filterlog 0.5 removes unused IPv6 options support
ports: nss 3.70 [8]
ports: pcre 8.45 [9]
ports: python 3.8.12 [10]
ports: sudo 1.9.8p1 [11]
ports: suricata 6.0.3 [12]
ports: syslog-ng 3.34.1 [13]
A hotfix release was issued as 21.7.3_1:
openvpn: properly save new tls-crypt configuation
A hotfix release was issued as 21.7.3_3:
openvpn: fix validation for /30 subnet in peer to peer mode (contributed by kulikov-a)
backend: catch broken pipe on event handler (contributed by kulikov-a)
plugins: os-acme-client 3.2 [1]
21.7.2 (September 07, 2021)¶
Today the following CVEs are being addressed:
CVE-2021-3711, CVE-2021-3712, CVE-2021-23840, CVE-2021-23841
Please note that the Let’s Encrypt client plugin is now called ACME client since acme.sh version 3 does support multiple providers.
Apart from the usual batch of fixes the work on RSS (receive side scaling) is progressing and groundwork has already made it to the kernel along with the libnetmap library for allowing better scaling in netmap mode along with it. At this point, however, RSS is not yet enabled and there is no impact on existing setups. That will likely change with one of the next stable versions in this series.
On the other hand, the work for FreeBSD 13 migration in 22.1 is ongoing as well to be able to test this rather sooner than later. In this iteration we will take the time to look at shared forwarding edge cases and have already upstreamed a number of patches that have been accumulated over the last couple of years to keep our code base light and tidy.
Here are the full patch notes:
system: default RSS widget feed to forum announcements
system: add missing ACL for Syslog targets page
system: fix unescaped source field used for password in backup plugins
system: reload FreeBSD services when reloading all services from console
interfaces: use -M option in rtsold invoke in preparation for 22.1
interfaces: correct indent in dhclient configuration
firewall: allow to specify port ranges for outgoing NAT (contributed by Nikolay Denev)
firewall: fix long comment preventing IPFW reload (contributed by Robin Schneider)
firewall: fix compare interfaces (contributed by Smart-Soft)
firmware: opnsense-patch can now patch installer and updater files
firmware: opnsense-update -c option now honours the -f option
firmware: opnsense-update improvements for mirror manipulation options
firmware: undo masking vulnerability URLs in FreeBSD due to UUID use
firmware: also check plugins sync for up to date core package
firmware: fix visibility issue on console when syncing plugins
firmware: replace php version_compare() call with pkg-version shell command
firmware: correctly announce major upgrade reboot in status return
firmware: do not fetch GeoIP database from business mirrors without a subscription
firmware: backend now supports reinstall like opnsense-bootstrap -q
intrusion detection: skip ruleset empty metadata (contributed by kulikov-a)
ipsec: fix a regression in rightsubnets for non-mobile phase 2
ipsec: fix a regression in VTI handling
ipsec: identity quoting for ASN1DN and FQDN types with “#” characters
ipsec: add auto type for identities
openvpn: fix client-config-dir regression
openvpn: check IPv4 tunnel prefix (contributed by kulikov-a)
openvpn: simplify CIDR validation and remove trim() usage
web proxy: adding additional memory cache options (contributed by Xeroxxx)
plugins: os-acme-client 3.0 [1]
plugins: os-haproxy 3.5 [2]
src: runtime RSS code preparations and assorted related upstream patches
src: axgbe: remove unneccesary packet length check
src: iflib: fix partial length accounting error in netmap mode
src: lib: add libnetmap and related patches
src: dhclient: skip_to_semi() consumes semicolon already
src: rtsold: slightly change address read
src: fix missing error handling in bhyve(8) device models [3]
src: fix remote code execution in ggatec(8) [4]
src: fix libfetch out of bounds read [5]
ports: ifinfo 13.0
ports: libressl 3.3.4 [8]
ports: nss 3.69 [9]
ports: monit 5.29.0 [10]
ports: mpd5 adds L2TP interoperability fix from upstream
ports: openssl 1.1.1l [11]
ports: php 7.4.23 [12]
ports: strongswan 5.9.3 [13]
ports: sudo 1.9.7p2 [14]
ports: unbound 1.13.2 [15]
A hotfix release was issued as 21.7.2_1:
firewall: remove reordering patch due to unintended behavioural changes
21.7.1 (August 04, 2021)¶
After some initial trouble with particular Intel network card instability and two installer shortcomings this brings the first round of stable updates, general improvements and even new features.
The OpenVPN integration required a few more changes for the 2.5 series and Unbound would stall when the new cache restore feature was caching an empty response.
Images have been reissued based on this version as well.
Here are the full patch notes:
system: relax server certificate check for web GUI validation
system: use ifinfo counters instead of pfctl in interface widget
interfaces: packet capture quick select for all interfaces
firewall: make sure net.pf.request_maxcount and table-entries are always aligned
firewall: only set state options on rules when state is being tracked
firmware: fix opnsense-code pull when ABI configuration is no longer there
firmware: fix upgrade with multiple repositories enabled
firmware: sync plugins in console update
firmware: revoke 21.1 fingerprint
installer: fix possible hang when scanning for disks
installer: fix multiple disk selection
openvpn: fix genkey format on 2.5
openvpn: improve the cipher parsing
openvpn: untie server-ipv6 from server directive
openvpn: return empty list when /api/openvpn/export/accounts/ is called without parameters
unbound: reject invalid cache data
unbound: automatically add “do-not-query-localhost: no” on DoT when needed
unbound: support insecure-domain directive
mvc: bring back bind_textdomain_codeset() to fix possible faulty page rendering
ui: fix regression in subnet selector
plugins: os-bind 1.18 [1]
plugins: os-dnscrypt-proxy 1.9 [2]
plugins: os-postfix 1.20 [3]
plugins: os-telegraf 1.12.0 [4]
src: revert upstream commit “e1000: Rework em_msi_link interrupt filter”
ports: switched to FreeBSD ports tree
ports: filterlog print “0” instead of “(null)” label
ports: krb5 1.19.2 [5]
ports: php 7.4.22 [6]
# SHA256 (OPNsense-21.7.1-OpenSSL-dvd-amd64.iso.bz2) = d9062d76a944792577d32cdb35dd9eb9cec3d3ed756e3cfaa0bf25506c72a67b
# SHA256 (OPNsense-21.7.1-OpenSSL-nano-amd64.img.bz2) = 106b483993f252e27dfd5064f57b2800e68274cf036445a97308107144e601f9
# SHA256 (OPNsense-21.7.1-OpenSSL-serial-amd64.img.bz2) = 04abcd825dacbecda3eff90c8d086527b49b5d61c284442ef5d5bdd89b625004
# SHA256 (OPNsense-21.7.1-OpenSSL-vga-amd64.img.bz2) = 44068ee9369bc12a0226ee2e1f13a1409038953ee829e0de97abe359affbde0d
21.7 (July 28, 2021)¶
For more than 6 and a half years, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
21.7, nicknamed “Noble Nightingale”, is one of the largest iterations of code changes in our recent history. It will also be the last release on HardenedBSD 12.1. We are planning to start the work on FreeBSD 13 as soon as next week for the 22.1 series.
The installer was replaced to offer native ZFS installations and prevent glitches in virtual machines using UEFI. Firmware updates were partially redesigned and the UI layout consolidated between static and MVC pages. The live log now contains the actual rule ID to avoid mismatches after adjusting your ruleset and the firewall aliases now also support wildcard netmasks. For a complete list of changes see below.
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/21.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/21.7/
South America: https://mirror.venturasystems.tech/opnsense/releases/21.7/
Australia: http://mirror.as24220.net/opnsense/releases/21.7/
Full mirror list: https://opnsense.org/download/
Here are the full patch notes:
system: Norwegian translation (contributed by Stein-Aksel Basma)
system: correctly enforce “Disable writing log files to the local disk” when circular logs are not used
system: allow to edit gateway entries with non-conforming names
system: add HA sync entry for live log templates
system: lock config writes during HA merges
system: raised PHP memory limit to 1G
system: raised encryption standard for encrypted config.xml export
system: removed NextCloud backup from core functionality
system: allow more characters in the certificate/authority organization fields (contributed by Jan De Luyck)
system: default gateway failure state killing is now disabled by default
system: circular logs are now disabled by default
system: removed unused traffic API dashboard feed
system: prevent use of client certificates in web GUI
system: hide far gateway option for IPv6
system: isvalidpid() is not required for a single killbypid()
system: fix PHP 7.4 deprecated warning in IPv6 library
system: do not split XMLRPC password into multiple pieces
system: enable group sync for LDAP servers that do not return memberOf (contributed by rdd2)
system: prevent excessive config writes on LDAP import
system: allow cron-based restarts of all “restart” action providers
interfaces: improve GRE/GIF configuration handling and dynamic reload behaviour
interfaces: remove duplicated handling of PPP IPv6 interface detection
interfaces: refactored address removal into interfaces_addresses_flush()
interfaces: flush IPv6 addresses on the correct IPv6 interface when it differs from the IPv4 interface
interfaces: do not check for existing CARP interfaces midstream
interfaces: remove non-tunnel restriction from address collection
interfaces: set tunnel flag for IPv4 tunnel plus cleanups
interfaces: allow interface-based overrides of hardware checksum settings
interfaces: refactor DNS lookup and add PTR to output (contributed by Maurice Walker)
interfaces: deprecate SLAAC addresses on linkdown
firewall: set label for obsolete rule in live log (contributed by kulikov-a)
firewall: MVC rewrite of the states diagnostics pages under “States”
firewall: MVC rewrite of the pfTop diagnostics pages under “Sessions”
firewall: renamed “pfTables” diagnostics to “Aliases”
firewall: add quick link to states counter from firewall rule inspection
firewall: add manual reply-to configuration to rules
firewall: delete related rules when an interface group is removed
firewall: rename source/destination networks when group name changes
firewall: possibility to filter nat/rdr action in live log
firewall: use permanent promiscuous mode for pflog0
firewall: add live log support for new filterlog format
dhcp: remove ::/0 route from router advertisements (contributed by Maurice Walker)
dhcp: always deprecate prefixes in automatic router advertisements
dhcp: fix table header sorting in lease pages (contributed by vnxme)
dhcp: lock access to settings pages when interface is not suitable for running a DHCP server
dhcp: assorted improvements surrounding dhcpd_staticmap() for real world operation
firmware: introduced connectivity check
firmware: confirm plugin removal dialog
firmware: static template for firmware upgrade message
firmware: add version/date header into check script as well
firmware: mask subscription in GUI output
firmware: add “-q” option for in-place opnsense-bootstrap run
firmware: fix grep call on FreeBSD 13 (contributed by Mariusz Zaborski)
firmware: correct return code on type change in opnsense-update
installer: assorted wording improvements
intrusion detection: fix alert reads from eve.json
ipsec: adhere to system defaults for route-to and reply-to when creating automatic VPN rules
ipsec: switched to explicit type selection for identities
network time: added NTPD client mode
openvpn: offer the ability to export a user without a certificate
openvpn: increase consistency between export types
openvpn: fix invalid rules generated by wizard (contributed by kulikov-a)
unbound: fix domain overrides for private address reverse lookup zones (contributed by Maurice Walker)
unbound: add “unbound check” backend action
unbound: allow to retain cache on service reload
unbound: fix /var MFS dilemma for DNSBL after boot
unbound: remove deprecated custom options setting
unbound: switch model to integrate full DNS over TLS support
unbound: add qname-minimisation-strict option
unbound: renamed “blacklist” to “blocklist” for clarity
console: throw error when opnsense-importer encounters an encrypted config.xml
mvc: allow to unset attribute via setAttributeValue()
mvc: catch all errors including syntax and class not found errors
mvc: reduce differentials in config.xml when saving models
rc: opnsense-beep melody database directory
shell: fix IPv4 /31 assignment
ui: improved JS hook_ipv4v6() to jump to /64 on IPv6 and back to /32 on IPv4
ui: inject default tooltips into bootgrid formatters
ui: prevent translation line breaks from breaking JS
ui: removed $main_buttons magic handler
ui: switch firewall category icon for clarity
ui: work on unification of add buttons by minifying them and adding primary color markup
plugins: os-acme-client 2.6 [2]
plugins: os-etpro-telemetry 1.5 exclude stale data from telemetry upload
plugins: os-fetchmail 1.0 (contributed by Michael Muenz)
plugins: os-freeradius 1.9.15 [3]
plugins: os-frr 1.22 [4]
plugins: os-haproxy 3.4 [5]
plugins: os-maltrail 1.8 [6]
plugins: os-net-snmp 1.5 [7]
plugins: os-nextcloud-backup 1.0
plugins: os-nut 1.8 [8]
plugins: os-postfix 1.9 [9]
plugins: os-radsecproxy 1.0 (contributed by Tobias Boehnert)
plugins: os-telegraf 1.11.0 [10]
plugins: os-tftp 1.0 (contributed by Michael Muenz)
plugins: os-zabbix-agent 1.9 [11]
src: dhclient support for VLAN 0 decapsulation
src: FreeBSD updates for the pf(4) and iflib(4) subsystems
src: FreeBSD updates for Intel e1000, ixgbe and ixl drivers
src: compatibility shim for upcoming rtsold “-M” command line option
src: separately log NAT and firewall rules in pf(4)
src: libcasper: fix descriptors numbers [12]
src: linux: prevent integer overflow in futex_requeue [13]
src: axgbe: make sure driver works on V1000 platform and remove unnecessary reset
ports: drop hardening options to ease migration to FreeBSD ports tree
ports: clog 1.0.2 fixes garbage header write on init
ports: curl 7.78.0 [14]
ports: filterlog adds CARP IPv6 support and moves label to previously reserved spot
ports: libxml 2.9.12 [15]
ports: nettle 3.7.3
ports: nss 3.68 [16]
ports: openvpn 2.5.3 [17]
ports: php 7.4.21 [18]
ports: phpseclib 2.0.32 [19]
ports: python 3.8.10 [20]
ports: sudo 1.9.7p1 [21]
ports: suricata 5.0.7 [22]
ports: syslog-ng 3.33.2 [23]
Known issues and limitations:
NextCloud backup feature moved from core to plugins. Please reinstall if needed.
IPsec identities are now set using their explicit type. See StrongSwan documentation [24] for the old automatic defaults.
Unbound custom options setting has been discontinued. Local override directory /usr/local/etc/unbound.opnsense.d exists.
The public key for the 21.7 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1Cc2Mw+t6NAgU5Ts8feU
# +vJSn4N8Ex1afuZ/tyXnRwxQ7w0+Hr0Bs8Ygy2X67KQi/7pi5FQ/hIJyEnf5Tm/7
# 7sS6O6XPvu2fg7UN1RBi5VgFJh4vajwhVGUg+EpuMNIgZw7AkWNlULvQSLBHOX7S
# FAthJQQ957OU2RARQA+LVT3wyiLpEhQp0S9h/YAO1tITQKlsPjlU4+0Iv58JZuAG
# lek+FaZyBLqCUF4ItLxGjqO3L4cx5iy3yD7qIOR3dN7tncdEYxQweut8cA80hFUe
# Wy8DgPUKVZRRZnVWSZp9QXzoo9ACLebAv6DOzN17DrVdO0iH6iYr6s/7tDoxtN0G
# +r6huk0tTKQ0UJX7O9l5GAQe+HWFH1WxTU37Pb79BbxXW+9LCUtAZ35HKLmIaQyb
# 6t3Jr0FTX+LtJBMUpWtYIAYjQIH2dlBGbwFRbljsibbSTsi/E+1WW3ob1r5O5fML
# b734CktIXm3HFvQ0qZ4DyIQDZS0J8zoVO2wHjlh9MsxCJdDvDXe6Dbj/Y93SBXVr
# Az8T8YrEwjK0fPt8dB1p+Ue49eYXPs5lJPmB5iaiXlp1VTqUwH2Lm3BZG5bUKded
# zOjHavmTeTXuSKWEYh/UP7mLGeY1FQF0o7VHJfdiJLt/4s2ybM9DNUssjSDBqBRV
# CPvKwujGiI0N2BPJHP21g1ECAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-21.7-OpenSSL-dvd-amd64.iso.bz2) = 34f9b5dee78cb4ded515393bd17c248d5a06b5cbc7c3cca9a58a919dc5e0fd65
# SHA256 (OPNsense-21.7-OpenSSL-nano-amd64.img.bz2) = e29ddb1749798d3f4403e44c9ee259a00826814a9cb71e0918fc3a6cb75df7db
# SHA256 (OPNsense-21.7-OpenSSL-serial-amd64.img.bz2) = b79e8f3b2dcdc1b13ff27d4aec435662a4f8b11201dff22c538cb2fd11c655f8
# SHA256 (OPNsense-21.7-OpenSSL-vga-amd64.img.bz2) = 03333348f3dbd42445986221cebaf753ebe5e4549d02dbb870f651b6399327d8
21.7.r2 (July 14, 2021)¶
For more than 6 and a half years, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3
Here are the full patch notes:
system: prevent use of client certificates in web GUI
system: hide far gateway option for IPv6
system: isvalidpid() is not required for a single killbypid()
system: fix PHP 7.4 deprecated warning in IPv6 library
system: do not split XMLRPC password into multiple pieces
system: enable group sync for LDAP servers that do not return memberOf (contributed by rdd2)
interfaces: deprecate SLAAC addresses on linkdown
firewall: possibility to filter nat/rdr action in live log
firewall: use permanent promiscuous mode for pflog0
dhcp: assorted improvements surrounding dhcpd_staticmap() for real world operation
firmware: static template for firmware upgrade message
installer: assorted wording improvements
shell: fix IPv4 /31 assignment
unbound: add “unbound check” backend action
unbound: allow to retain cache on service reload
unbound: fix /var MFS dilemma for DNSBL after boot
unbound: remove deprecated custom options setting
rc: opnsense-beep melody database directory
plugins: os-acme-client 2.6 [1]
plugins: os-freeradius 1.9.15 [2]
plugins: os-haproxy 3.4 [3]
plugins: os-nextcloud-backup 1.0
plugins: os-nginx Phalcon 4 fixes
plugins: os-radsecproxy 1.0 (contributed by Tobias Boehnert)
plugins: os-tor Phalcon 4 fix
plugins: os-zabbix-agent 1.9 [4]
src: separately log NAT and firewall rules in pf(4)
src: libcasper: fix descriptors numbers [5]
src: linux: prevent integer overflow in futex_requeue [6]
ports: clog 1.0.2 fixes garbage header write on init
ports: php 7.4.21 [7]
ports: suricata 5.0.7 [8]
Known issues and limitations:
NextCloud backup feature moved from core to plugins. Please reinstall if needed.
IPsec identities are now set using their explicit type. See StrongSwan documentation [9] for the old automatic defaults.
Unbound custom options setting has been discontinued. Local override directory /usr/local/etc/unbound.opnsense.d exists.
Please let us know about your experience!
21.7.r1 (July 07, 2021)¶
For more than 6 and a half years, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/21.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/21.7/
South America: https://mirror.venturasystems.tech/opnsense/releases/21.7/
Australia: http://mirror.as24220.net/opnsense/releases/21.7/
Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 21.1.7:
system: Norwegian translation (contributed by Stein-Aksel Basma)
system: correctly enforce “Disable writing log files to the local disk” when circular logs are not used
system: allow to edit gateway entries with non-conforming names
system: add HA sync entry for live log templates
system: lock config writes during HA merges
system: raised PHP memory limit to 1G
system: raised encryption standard for encrypted config.xml export
system: removed NextCloud backup from core functionality
system: allow more characters in the certificate/authority organization fields (contributed by Jan De Luyck)
system: default gateway failure state killing is now disabled by default
system: circular logs are now disabled by default
system: removed unused traffic API dashboard feed
interfaces: improve GRE/GIF configuration handling and dynamic reload behaviour
interfaces: remove duplicated handling of PPP IPv6 interface detection
interfaces: refactored address removal into interfaces_addresses_flush()
interfaces: flush IPv6 addresses on the correct IPv6 interface when it differs from the IPv4 interface
interfaces: do not check for existing CARP interfaces midstream
interfaces: remove non-tunnel restriction from address collection
interfaces: set tunnel flag for IPv4 tunnel plus cleanups
interfaces: allow interface-based overrides of hardware checksum settings
interfaces: refactor DNS lookup and add PTR to output (contributed by Maurice Walker)
firewall: set label for obsolete rule in live log (contributed by kulikov-a)
firewall: MVC rewrite of the states diagnostics pages under “States”
firewall: renamed “pfTables” diagnostics to “Aliases”
firewall: add quick link to states counter from firewall rule inspection
firewall: add manual reply-to configuration to rules
firewall: delete related rules when an interface group is removed
firewall: rename source/destination networks when group name changes
dhcp: remove ::/0 route from router advertisements (contributed by Maurice Walker)
dhcp: always deprecate prefixes in automatic router advertisements
dhcp: fix table header sorting in lease pages (contributed by vnxme)
dhcp: lock access to settings pages when interface is not suitable for running a DHCP server
firmware: introduced connectivity check
firmware: confirm plugin removal dialog
intrusion detection: fix alert reads from eve.json
ipsec: adhere to system defaults for route-to and reply-to when creating automatic VPN rules
ipsec: switched to explicit type selection for identities
network time: added NTPD client mode
openvpn: offer the ability to export a user without a certificate
openvpn: increase consistency between export types
unbound: fix domain overrides for private address reverse lookup zones (contributed by Maurice Walker)
console: throw error when opnsense-importer encounters an encrypted config.xml
mvc: reduce differentials in config.xml when saving models
ui: work on unification of add buttons by minifying them and adding primary color markup
ui: prevent translation line breaks from breaking JS
ui: switch firewall category icon for clarity
ui: inject default tooltips into bootgrid formatters
ui: removed $main_buttons magic handler
ui: improved JS hook_ipv4v6() to jump to /64 on IPv6 and back to /32 on IPv4
plugins: os-etpro-telemetry 1.5 exclude stale data from telemetry upload
plugins: os-fetchmail 1.0 (contributed by Michael Muenz)
plugins: os-freeradius 1.9.14 [2]
plugins: os-maltrail 1.8 [3]
plugins: os-nut 1.8 [4]
plugins: os-telegraf 1.11.0 [5]
plugins: os-zabbix5-proxy is now a plugin variant
plugins: os-postfix 1.9
plugins: os-net-snmp 1.5
plugins: os-frr 1.22
src: dhclient support for VLAN 0 decapsulation
src: FreeBSD updates for the pf(4) and iflib(4) subsystems
src: FreeBSD updates for Intel e1000, ixgbe and ixl drivers
src: compatibility shim for upcoming rtsold “-M” command line option
ports: drop hardening options to ease migration to FreeBSD ports tree
ports: libxml 2.9.12 [6]
ports: nettle 3.7.3
ports: nss 3.67 [7]
ports: openvpn 2.5.3 [8]
ports: php 7.4.20 [9]
ports: phpseclib 2.0.32 [10]
ports: python 3.8.10 [11]
ports: sudo 1.9.7p1 [12]
Known issues and limitations:
NextCloud backup plugin removed from core, but not yet available as stable plugin via GUI. Install manually from console as follows: pkg install os-nextcloud-backup-devel
IPsec identities are now set using their explicit type. See StrongSwan documentation [13] for the old automatic defaults.
CLOG creating garbage logs when used. Fix scheduled for 21.7-RC2.
Unbound advanced configuration not yet replaced.
The public key for the 21.7 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1Cc2Mw+t6NAgU5Ts8feU
# +vJSn4N8Ex1afuZ/tyXnRwxQ7w0+Hr0Bs8Ygy2X67KQi/7pi5FQ/hIJyEnf5Tm/7
# 7sS6O6XPvu2fg7UN1RBi5VgFJh4vajwhVGUg+EpuMNIgZw7AkWNlULvQSLBHOX7S
# FAthJQQ957OU2RARQA+LVT3wyiLpEhQp0S9h/YAO1tITQKlsPjlU4+0Iv58JZuAG
# lek+FaZyBLqCUF4ItLxGjqO3L4cx5iy3yD7qIOR3dN7tncdEYxQweut8cA80hFUe
# Wy8DgPUKVZRRZnVWSZp9QXzoo9ACLebAv6DOzN17DrVdO0iH6iYr6s/7tDoxtN0G
# +r6huk0tTKQ0UJX7O9l5GAQe+HWFH1WxTU37Pb79BbxXW+9LCUtAZ35HKLmIaQyb
# 6t3Jr0FTX+LtJBMUpWtYIAYjQIH2dlBGbwFRbljsibbSTsi/E+1WW3ob1r5O5fML
# b734CktIXm3HFvQ0qZ4DyIQDZS0J8zoVO2wHjlh9MsxCJdDvDXe6Dbj/Y93SBXVr
# Az8T8YrEwjK0fPt8dB1p+Ue49eYXPs5lJPmB5iaiXlp1VTqUwH2Lm3BZG5bUKded
# zOjHavmTeTXuSKWEYh/UP7mLGeY1FQF0o7VHJfdiJLt/4s2ybM9DNUssjSDBqBRV
# CPvKwujGiI0N2BPJHP21g1ECAwEAAQ==
# -----END PUBLIC KEY-----
Please let us know about your experience!
# SHA256 (OPNsense-21.7.r1-OpenSSL-dvd-amd64.iso.bz2) = e1a9cd3296352a99f8a5ac7c7edd5f7161361fde4688115186292bed91252a1Gc
# SHA256 (OPNsense-21.7.r1-OpenSSL-nano-amd64.img.bz2) = 94478b919bca3850f3afd213b15df6ad08904ac505e3ecc3d979b9cd33276afc
# SHA256 (OPNsense-21.7.r1-OpenSSL-serial-amd64.img.bz2) = a72ef31a6e97644db8091cb9fa5cd7c785671da88c587ebbe417ac2fcb180202
# SHA256 (OPNsense-21.7.r1-OpenSSL-vga-amd64.img.bz2) = bc7f9a3b36cf4b52b630ee5ff28b31044db4aabfdcb73f54177307d6fc5623ba