OPNsense 18.1.8

OPNsense is an open source, easy-to-use and easy-to-build FreeBSD-based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and in many cases more. It brings the rich feature set of commercial offerings together with the benefits of open and verifiable sources. OPNsense started as a fork of pfSense® and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of both m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project. OPNsense offers weekly security updates in small increments to react to newly emerging threats in a timely fashion. A fixed release cycle of two major releases each year offers businesses the opportunity to plan upgrades ahead. For each major release a roadmap is put in place to guide development and set out clear goals.

Tags: network, firewalls, security
License: BSDL-2
State: stable

Recent Releases

18.1.8 (22 May 2018 07:24) minor feature: Here are the full patch notes:
o system: improve VLAN console assignment handling
o system: move backup crypto code to the only page using it
o system: improve validation for web GUI related settings
o system: split off monitor reload for upcoming dpinger integration
o system: default route handler skips an already active default route
o system: default route handler purges hint files only when switching to a newer route
o system: default gateway switching uses the standard default route handler
o system: properly add LDAP picker to ACL
o system: properly unset password expired message after password change
o interfaces: clear up use IPv4 connectivity and fix several typos
o interfaces: parse and report tunnel data
o interfaces: move dhclient-script to proper location
o interfaces: allow SLAAC to latch on to IPv4 link
o reporting: add destination address in Insight detail search
o dhcp: fix labels of services to align with menu
o dhcp: domain-search-list usage was removed in 2012
o ipsec: rewrite resolve_retry() for its only use case
o ipsec: improve RADIUS secret escaping (contributed by Rafael Cano)
o ipsec: fix missing disable of DH group setting
o router advertisements: correctly merge DNS server arrays
o router advertisements: fix DNSSL settings
o router advertisements: fix duplicated subnet statements
o openssh: also use static interface IP addresses to listen on explicitly
o unbound: allow wildcard host entry (contributed by Eugen Mayer)
o webgui: also use static interface IP addresses to listen on explicitly
o backend: improve escaping of passed parameters
o ui: correct height of the login title bar
o ui: unify the label printing of interfaces
o ui: refactor script match for help messages
o rc: ZFS boot awareness
o plugins: os-cache 1.0 is an optional web server cache for the GUI/API
o plugins: os-debug 1.3 now holds its own PHP settings
o plugins: os-nut 1.0 (contributed by Michael Muenz)
o plugins: os-snmp 1.3 improves handling of interface binding
o plugi
18.1.7 (04 May 2018 05:48) minor feature: Here are the full patch notes:
o system: validate pfsync peer as IPv4-only
o system: flip order of arguments for system_routing_configure()
o system: convert cron to mutable model controller
o system: convert routing to mutable model controller
o system: log table header cleanup
o system: more aggressive factory reset and shut down after completion
o system: remove duplicate addresses before binding web GUI and OpenSSH
o system: fix Framed-Route parsing for RADIUS authentication
o system: properly translate save message on user language change
o interfaces: PPPoE link down script improvements
o interfaces: emit prefix-interface for trackers in advanced DHCPv6 configurations
o interfaces: DHCPv6 configuration creation breakout (contributed by Team Rebellion)
o interfaces: SIGHUP reload for dhcp6c (contributed by Team Rebellion)
o interfaces: wait for dhcp6c to be stopped by pending apply
o interfaces: only reconfigure VLAN interface after edit when necessary
o interfaces: create IPv4 and IPv6 tunnel gateways for GIF/GRE when the setup allows it
o interfaces: remove unused flush argument from various functions
o interfaces: fixed creation of GIF/GRE tunnel with an outer IPv6 remote address (contributed by Christoph Engelbert)
o interfaces: fixed router advertisement setup of former static but now tracking interface (contributed by Christoph Engelbert)
o interfaces: remove obsolete address requirement for CARP VIPs
o interfaces: back out get_dyndns_ip() IPv6 online detection and properly propagate a lookup error
o interfaces: no more spurious redirection for dhclient invoke
o firewall: remove a side effect from filter_delete_states_for_down_gateways()
o firewall: adjust maximum table entries for error-free bogonsv6 usage
o firewall: add buckets option to traffic shaper
o firewall: update help text for port ranges (contributed by Michael Muenz)
o power: power off modal to indicate that the GUI is no longer responsive
o captive portal: add traffic data and IP address
18.1.6 (10 Apr 2018 07:14) minor feature: Here are the full patch notes:
o system: reverse reload order for gateway switching on OpenVPN
o system: implement password policies for local accounts
o system: separate web GUI and configd log files
o system: add syslog and login service visibility
o system: show root as disabled in user manager if disabled
o interfaces: no longer restrict VLAN driver capability
o firewall: switch back to old NAT auto-outbound behaviour
o firewall: reload schedules 1 minute later
o firewall: filter descriptions option does no longer exist
o firewall: updated anti-lockout link (contributed by Michael Muenz)
o firewall: fix help text in shaper masks (contributed by Michael Muenz)
o firewall: add delay option to pipe in shaper (contributed by Michael Muenz)
o reporting: add insight aggregator to service list
o dashboard: large CPU usage widget (contributed by Team Rebellion)
o dhcp: fix display of DUID in IPv6 leases
o firmware: let opnsense-patch apply chmod even in partially failed patches
o firmware: let opnsense-code fetch all remotes as well as prune them
o intrusion detection: provide custom.yaml for user edits
o web proxy: fix pid file pointer for service status probe
o ui: help data-for attribute (contributed by NOYB)
o ui: reversed zebra redraw on static page mobile forms
o ui: cleanup for unused classes in static pages
o mvc: add constraint type for dependent fields
o plugins: merge rc.plugins_configure code into pluginctl
o plugins: os-c-icap 1.5_1 service controller fix (contributed by Fabian Franz)
o plugins: os-frr 1.3 adds BGP for IPv6 (contributed by Michael Muenz)
o plugins: os-lcdproc-sdeclcd 1.0 release adds LCD usage to Lanner/Watchguard Firebox
o plugins: os-monit 1.7 fixes compatibility with UI rework
o plugins: os-rspamd 1.2 allows to specify bad file extensions (contributed by Fabian Franz and Michael Muenz)
o plugins: os-shadowsocks 1.0 release (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.0 release (contributed by Team Rebellion)
o plugins:
18.1.5 (22 Mar 2018 07:05) minor feature: Here are the full patch notes:
o system: optional prefix Google Drive backups with host and domain name
o system: also render tunables in loader.conf to obsolete loader.conf.local editing
o interfaces: allow /127, /128 and /32 static IP address configurations everywhere
o interfaces: improve logging and assorted cleanups (contributed by Team Rebellion)
o interfaces: ignore dynamic linkup events for unassigned interfaces
o interfaces: hide previously assigned interfaces from bridges
o interfaces: allow all IPv6 prefixes from 48 to 64 for DHCPv6 mode
o firewall: add VIP gateway option for PPPoE interfaces
o firewall: add update interval option to log widget (contributed by NOYB)
o firewall: respect mask in traffic shaper queue config (contributed by Michael Muenz)
o firmware: fix opnsense-code for src.git and ABI probing
o firmware: fix opnsense-patch file permission apply for plugins
o intrusion detection: support request headers in ruleset metadata
o openvpn: switch status to version 3 to avoid wrong parsing of commas
o openvpn: parse all states to retrieve all relevant connection status info
o captive portal: exclude "I" from simplified voucher character set for clarity
o plugins: os-lldpd 1.1 adds interface selection (contributed by Michael Muenz)
o plugins: os-monit 1.6 fixes file path validation (contributed by Frank Brendel)
o plugins: os-postfix 1.1 adds smart host and SMTP authentication (contributed by Michael Muenz)
o plugins: os-tinc 1.3 corrects host port usage (contributed by DasTestament)
o plugins: os-tor 1.6 adds IPv6 and exit settings (contributed by Gijs Peskens)
o ui: update tokenizer to 2.6, visual tweaks and blur-add
o ui: buttons for services control in MVC (contributed by Smart-Soft)
o src: reinitialize IP header length after checksum calculation [1]
o src: fix IPsec validation and use-after-free [2]
o src: update timezone database information [3]
o src: update file(1) to new version with security update [4]
o src: add mitigations for two classes
18.1.4 (12 Mar 2018 07:20) minor feature: Here are the full patch notes:
o system: improved default route handling
o system: improved gateway switching
o system: cleanse username on LDAP import
o system: increase maximum size of firmware reports
o firewall: shaper backend refactor
o interfaces: improved reconfigure phase
o reporting: fix sporadic "non-numeric value encountered" error
o captive portal: add voucher expiry (contributed by Stephanowicz)
o intrusion detection: use latest ET Open rules for Suricata version 4
o intrusion detection: proper syslog with drops, requires log file reset
o intrusion detection: backend refactor
o plugins: os-frr 1.2 adds OSPF interface type (contributed by Marius Halden)
o plugins: os-haproxy 2.6 [1] (contributed by Frank Wall)
o ports: isc-dhcp 4.3.6P1 [2]
o ports: krb5 1.16 [3]
o ports: pkg 1.10.5
o ports: strongswan 5.6.2 [4]
18.1.3 (05 Mar 2018 12:00) minor feature: Here are the full patch notes:
o system: account for variable headers in top output
o system: move gateway status into main pages
o system: slightly reorder routing configuration calls
o system: optimize reading of SSL crypto library version string (contributed by Alexander Shursha)
o system: rework LDAP authentication container selection
o interfaces: avoid interaction of overview details with menu items
o interfaces: allow "reject leases from" option in DHCP advanced settings
o firewall: set alias cron update interval to 1 minute
o firewall: align alias cron update with its background call
o firewall: URL IP alias type missing in selections
o firewall: fix defunct alias target in outbound NAT
o firewall: ignore alias case while searching
o firewall: move rule category filter to the top of the page
o firewall: show IPv6 ports in live log and fix details for TCP
o firewall: move general settings to AliasParser and fix Alias constructor to receive them
o firewall: if the name of the alias equals its content try to resolve
o dhcp: advertisement problem on PPPoE link without public IPv6 address (contributed by Team Rebellion)
o dhcp: UEFI 64 network boot using wrong arch type
o dhcp: validate maximum interface MTU
o dhcp: add validation for DUID fields
o ipsec: auto-route disable setting (contributed by Namezero)
o network time: inline NMEA checksum calculator (contributed by Fabian Franz)
o network time: fix stratum level write
o unbound: optimize outgoing-range differently
o unbound: local zone setting (contributed by NOYB)
o ui: fix cropped dropdown regression
o mvc: translate option values (contributed by Alexander Shursha)
o mvc: fix access to undefined property translator
o mvc: fix typo in getBase()
o mvc: improve phpdoc
o rc: protect console menu again, but keep shell invoke for rc.d subsystem
o rc: fix some typos (contributed by John Eismeier)
o rc: proper includes for plugin post-install hook
o rc: recover all known shells
o plugins: os-clamav 1.5 fixes log
18.1.2 (08 Feb 2018 18:20) minor feature: Here are the full patch notes:
o system: avoid default route from disappearing when no manual gateways are set
o firewall: fix outbound NAT for OpenVPN interfaces
o interfaces: multiple overview page improvements (contributed by NOYB)
o firmware: revoke 17.7 update fingerprint
o console: check for root invoke in importer, installer and console menu
o intrusion detection: always show schedule tab
o intrusion detection: log first drop of a flow
o intrusion detection: add a log file viewer
o unbound: add num-queries-per-thread option values for 4096 and 8192
o ui: remove chrome=1 from X-UA-Compatible meta element (contributed by NOYB)
o ui: HTML compliance for attribute "type" on script element (contributed by NOYB)
o ui: HTML compliance for "navigation" "role" on nav element (contributed by NOYB)
o ui: checkbox and radio button label children tweaks (contributed by NOYB)
o ui: break help text on small screens
o ui: use pluggable locations for theme files
o ui: remove table-responsive padding on small screens
o ui: user-scalable viewport (contributed by NOYB)
o mvc: CRUD functions for mutable model controller (contributed by Fabian Franz)
o plugins: os-frr 1.0 with CRUD refactor (contributed by Fabian Franz)
o plugins: os-tor 1.5 with CRUD refactor (contributed by Fabian Franz)
o ports: phalcon 3.3.1
o ports: php 7.1.14
18.1.1 (02 Feb 2018 18:19) minor feature: Here are the full patch notes:
o firewall: ignore target port alias in port forwards when it equals the destination
o firewall: align outbound NAT address output to edit page
o firewall: use first region for country in GeoIP category instead of last one
o system: improve layout of gateway status labels (contributed by Fabian Franz)
o system: improve order of group / user setup as "wheel" was not added correctly on save
o dashboard: touch device improvements in widgets (contributed by NOYB)
o opendns: always refresh the setting on save
o openvpn: open links in a new tab (contributed by Fabian Franz)
o ui: system-wide HTML compliance improvements (contributed by NOYB)
o plugins: arp-scan 1.1 improves interface search (contributed by Giuseppe De Marco)
o plugins: os-dyndns 1.6 fixes Route 53 IPv6 usage (contributed by theq86)
o plugins: os-freebsd 1.5.2 clarifies certificate validation (contributed by Michael Muenz)
o plugins: os-openconnect 1.0 (contributed by Michael Muenz)
o plugins: os-rfc2136 1.2 improves widget load
o plugins: os-telegraf 1.3.1 adds ping hosts and graphite validation fix (contributed by Michael Muenz)
o plugins: os-rspamd 1.1 fixes typos (contributed by Fabian Franz)
o plugins: os-zerotier 1.3.1 makes database persist on /var MFS (contributed by David Harrigan)
o ports: curl 7.58.0 [1]
o ports: py27-cryptography 2.1.4
18.1 (02 Feb 2018 18:18) minor feature: These are the most prominent changes since version 17.7:
o FreeBSD 11.1, PHP 7.1 and jQuery 3 migration
o Realtek vendor NIC driver version 1.94
o Portable NAT before IPsec support
o Local group restriction feature in OpenVPN and IPsec
o OpenVPN multi-remote support for clients
o Strict interface binding for SSH and web GUI
o Improved MVC tabs and general page layout
o Shared forwarding now works on IPv6, in conjunction with "try-forwarding" and improved reply-to multi-WAN behaviour
o Easy-to-use update cache support for Linux and Windows in web proxy
o Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)
o Revamped HAProxy plugin with introduction pages
o Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status
o Alias backend rewrite for future extensibility
o Plugin-capable firewall NAT rules
o Migration of system routes UI and backend to MVC (also available via API)
o Reverse DNS support for insight reporting (also available via API)
o Fully rewritten firewall live log in MVC (also available via API)
o New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, node_exporter
17.7.12 (19 Jan 2018 06:18) minor feature: Here are the full patch notes:
o system: use correct crypto library to gather GUI SSL ciphers
o system: do not wrap action buttons in tunables page
o system: fix CA serial number decrement on save
o firmware: remove the discontinued hotfix backend support
o firmware: allow dot in package name during package action
o firmware: remove defunct mirrors
o interfaces: make level of detail stick in packet capture
o interfaces: auto-lock problematic interfaces upon assignment
o firewall: make NAT reflection enable less ambiguous
o firewall: fix NAT formatting in states dump page
o network time: fix for valid negative offset in health graph
o network time: OPNsense NTP pool is now available
o network time: fix parsing of overly long lines
o web proxy: use PID file instead of daemon name for status probe
o wizard: add unbound to wizard and uncheck DNSSEC by default
o ui: HTML compliance fixes button in link usage (contributed by NOYB)
o mvc: added mutable service controller
o mvc: added sub-tab layout partials
o mvc: do not render empty toggle header
o plugins: acme-client 1.13 [1] (contributed by Frank Wall)
o plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)
o plugins: helloworld 1.4
o plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)
o plugins: tor 1.4 adds contact info (contributed by Fabian Franz)
o plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)
o ports: libressl 2.6.4 [2]
o ports: php 7.1.13 [3]
17.7.11 (22 Dec 2017 10:12) minor feature: Here are the full patch notes:
o system: numerical sort for "Use" and "MTU" columns in route diagnostics
o system: gateway group edit tier selection issue with jQuery3
o system: minor cleanups in the certificates backend
o firewall: move anti-lockout rule to advanced settings
o interfaces: minor cleanups in the backend
o reporting: rework configuration handling on the settings page
o dnsmasq: minor cleanups in the backend
o firmware: strip the architecture from the base / kernel set version display
o firmware: backend preparations for full base / kernel set lock and reinstall
o firmware: increase crash report file limit to 2 MB
o ipsec: minor cleanups in the backend
o unbound: register DHCP domain name for interface if found
o network time: show full remote address and fix page boxing on status page
o network time: add advanced custom options
o network time: fix leap second save
o network time: minor cleanups in the backend
o wizard: properly redirect on input errors in system wizard
o mvc: ignore client-side anchors in breadcrumb generation
o ui: do not use a CSRF input element ID
o plugins: os-freeradius 1.4.1 fixes a warning in clients (contributed by Michael Muenz)
o ports: libxml 2.4.7 [1]
o ports: py-ipaddress 1.0.19
17.7.10 (18 Dec 2017 10:56) minor feature: Here are the full patch notes:
o system: allow user-based language setting through Lobby: Password
o system: allow strict interface binding for OpenSSH
o system: prepare for MVC-based routing pages
o firmware: prepare for production / development release type selection
o firewall: fix a PHP warning when no user rules are installed
o firewall: add refresh button to table diagnostics page
o captive portal: fix chroot regression since lighttpd web server update in 17.7.9
o interfaces: provide a link-local IPv6 when asking for addresses
o intrusion detection: sync port-groups to default template
o ipsec: upgrade vici lib to match strongSwan package
o network time: fix a PHP warning during NMEA deselect
o mvc: do not throw disabled errors in handler
o plugins: os-dyndns 1.4_1 fixes issue with Namecheap error parsing
o plugins: os-freeradius 1.4.0 adds log viewer and fixes users write (contributed by Michael Muenz)
o plugins: os-quagga 1.4.3 adds OSPF firewall rule and spinners for save (contributed by Fabian Franz)
o src: OpenSSL multiple vulnerabilities [1] [2]
o ports: hyperscan 4.6.0 [3]
o ports: openssl 1.0.2n [4]
o ports: suricata 4.0.3 [5]
Two plugin hotfixes have been additionally issued:
o plugins: os-quagga 1.4.3_1 fixes service startup regression
o plugins: os-rfc2136 1.1_1 fixes edit button in IE 11
17.7.9 (07 Dec 2017 16:29) minor feature: Here are the full patch notes:
o system: fix XSS with crafted certificates in certificate manager [1]
o system: removed duplicated firmware privileges
o system: fix resolving routes in diagnostics page
o system: regenerated DH parameters
o dhcp: support stateless DHCPv6
o firmware: kernel and base set visibility and better API session handling
o intrusion detection: improve download and install speed of et-open rules
o intrusion detection: add TLS and HTTP logging in eve and alert log viewer
o openvpn: allow remote network in peer to peer modes
o web proxy: better service and API session handling
o router advertisements: advertise on VIPs belonging to the same interface
o configd: allow template overrides via optional target directory
o mvc: prepare for user-based language setting (contributed by Alexander Shursha)
o mvc: prepare for auto-generated page titles
o mvc: tighten against frame-based attacks
o mvc: correctly hide advanced option headers in forms (contributed by Evgeny Bevz)
o ui: fix for deactivated storage in sticky "help all" toggle (contributed by Fabian Franz)
o ui: make "advanced mode" sticky too
o plugins: os-acme-client 1.12 [2] (contributed by Frank Wall)
o plugins: os-arp-scan (contributed by Giuseppe De Marco)
o plugins: os-clamav 1.3 (contributed by Alexander Shursha)
o plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed by Kuo-Cheng Yeu)
o plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)
o plugins: os-haproxy 2.0 [3] (contributed by Frank Wall)
o plugins: os-relayd 1.2 fixes "check send" directive
o plugins: os-tor 1.3 (contributed by Fabian Franz)
o plugins: os-zabbix-agent 1.2 fixes service status indicator
o plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)
o ports: ca_root_nss 3.34.1
o ports: curl 7.57.0 [4]
o ports: lighttpd 1.4.48 [5]
o ports: php 7.1.12 [6]
o ports: pkg 1.10.3 [7]
o ports: py-Jinja2 2.10 [8]
o ports: syslogd 11.1