OPNsense 18.7.9

OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. OPNsense started as a fork of pfSense® and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of both m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project. OPNsense offers weekly security updates with small increments to react to newly emerging threats in a timely fashion. A fixed release cycle of 2 major releases each year offers businesses the opportunity to plan upgrades ahead. For each major release a roadmap is put in place to guide development and set out clear goals.

Tags: network, firewalls, security
License: BSDL-2
State: stable

Recent Releases

18.7.9 13 Dec 2018 07:45 minor feature: Here are the full patch notes:
o system: allow setting alternative names on CSR
o system: add link-local routes with correct scope
o system: fix LDAP import button for Firefox
o system: assorted cleanups in HTML and PHP code
o interfaces: add note about CGN addresses included in private range
o interfaces: fix checksum disable for IPv6 TX / RX flags
o interfaces: multiple type DUID support (contributed by Team Rebellion)
o interfaces: properly read and write dhcp6c DUID binary file
o interfaces: do not read VLAN capabilities from nonexistent interfaces
o interfaces: removal of PEAR.inc from IPv6 address library
o interfaces: assorted cleanups in HTML and PHP code
o firewall: only suffix subnet alias entry when a network is expected
o firewall: default alias protocol to both IPv4 and IPv6
o firewall: fix validation of outbound NAT destination alias
o firewall: fix performance regression in get_alias_description()
o firewall: repair defunct "no nat proto carp all" rule
o firewall: limit type to CARP when checking for VIP VHID reuse
o firewall: refactor subnet retrieval in VIP deletion
o firewall: display VHID for IP alias in overview
o firewall: DHCPv6 outgoing firewall rule changed to "from (self)" to fix static setups
o firewall: rearranged outbound NAT bottom symbol hints (contributed by Team Rebellion)
o firewall: ignore empty values in alias migration (contributed by Frank Wall)
o firewall: assorted cleanups in HTML and PHP code
o captive portal: work around service boot ordering issue
o captive portal: change "onestop" to "stop" in backend action
o dnsmasq: add DNSSEC option
o dnsmasq: assorted cleanups in HTML and PHP code
o dhcp: show lease count in page heading
o dhcp: refactor IPv6 subnet read
o dhcp: fix DDNS IPv6 algorithm use
o dhcp: assorted cleanups in HTML and PHP code
o firmware: opnsense-version can now handle kernel, base and plugin metadata
o firmware: when pkg needs to be updated do not prompt for base and kernel set
o firmware: use embedded obso

18.7.8 23 Nov 2018 06:17 minor feature: Here are the full patch notes:
o system: show the actual validation messages for NextCloud backup constraints
o system: LDAP import button primary colour and prevent default page submit
o system: add LDAP+TOTP authentication variant (2FA)
o system: avoid silent fatal error when LDAP OUs could not be retrieved
o system: avoid duplicated cookies on login page by not closing session
o system: allow to fully disable misc. reboot failsafe backups
o system: switch default argument for return_gateways_status()
o system: add "Synchronize config to backup" button to HA status page
o system: disable help text expand when backup fields have no help text
o system: sort user and group lists alphabetically
o interfaces: add CARP info to legacy_interfaces_details()
o interfaces: removal of find_interface_subnet() and find_interface_subnetv6()
o interfaces: introduce find_interface_network() and find_interface_networkv6()
o interfaces: refactor find_interface_ip() and find_interface_ipv6()
o interfaces: fix and use ipaddr6_ll return value in find_interface_ipv6_ll()
o firewall: extend outbound NAT address source and destination with networks
o firewall: fix save error when alias name contains an underscore
o firewall: do not set days or hours when update frequency is empty
o firewall: increase resolve() performance for aliases
o firmware: change packaging to be able to place files in the root directory
o reporting: fix possible division by zero in NetFlow aggregator
o dhcp: reorder arguments of function services_dhcpd_configure()
o dhcp: consolidate service probe of IPv6 and router advertisement daemons
o dhcp: fix clear hook on log file delete
o importer: make clear that /conf/config.xml is required for any import to take place
o monit: add quotes and timeout to custom program path (contributed by Frank Brendel)
o monit: add SSL options to mail server connection (contributed by Frank Brendel)
o network time: improve GPS status parsing
o openvpn: add remote address as route when s

18.7.7 08 Nov 2018 19:00 minor feature: Here are the full patch notes:
o system: CVE-2018-18958 prevent restore of configuration of read-only user (reported by brainrecursion)
o system: prevent related read-only user configuration manipulation for history and defaults pages
o system: prevent several creative ways to strip read-only privileges in the user and group manager
o system: allow wildcards in certificate subject alternative name
o system: avoid direct global access in routing setup
o system: do not offer root-only opnsense-shell to non-root users
o system: remove FreeBSD 10 password workaround
o interfaces: use pure jquery to avoid browser-specific behaviour
o interfaces: nonfunctional cleanups in backend and interface GUI configuration
o interfaces: clear the correct IPv6 state files on interface down
o interfaces: wait for PPPoE to fully exit on interface down
o firewall: fix port alias conversion under new API
o firewall: missing filter reload for port alias types
o firewall: missing "other" type in VIP network expand
o firewall: disabled alias should leave us with an empty one
o firewall: category for "United States" moves from Pacific to America
o firewall: resolve outbound NAT interface address in kernel
o dhcp: only map enabled interfaces in IPv4 leases
o dhcp: interface iteration code cleanups
o dhcp: do not hand out IPv6 system DNS servers when Unbound or Dnsmasq are used
o dhcp: IPv6 PD in manual DHCPv6 case (contributed by Team Rebellion)
o dhcp: correctly merge prefix for IPv6 static leases in manual DHCPv6 case (contributed by Raimar Sandner)
o firmware: add log file for package manager output
o monit: use theme override for widget CSS (contributed by Fabian Franz)
o ntp: internal cleanup of function argument order
o rc: improvements in service startup scripting
o rc: print date and time after successful boot
o unbound: disable redirect type until fixed
o web proxy: fix typo in description of upload caps (contributed by Juan Manuel Carrillo Moreno)
o shell: stop router adve

18.7.6 29 Oct 2018 08:20 minor feature: Here are the full patch notes:
o firewall: resolve interface address ":0" for port forwarding in kernel
o firewall: list action corrections (contributed by Thomas Bandixen)
o firewall: add support for the PIE shaper (contributed by Michael Muenz)
o firewall: migrate to new alias API including a new failsafe
o firewall: repair log widget for plugin themes
o interfaces: do not remove CARP addresses on link-down
o interfaces: get pfsync MTU from actual CARP interface
o interfaces: add backend call returning all interface data
o interfaces: partially rewrite ping, port and traceroute tools
o interfaces: improve IPv6 merging in make_ipv6_64_address()
o interfaces: use correct IPv6 interface where appropriate
o interfaces: replace get_configured_interface_list() usage
o interfaces: small refactoring around interface up and down code
o system: cleanups in utility and config functions
o captive portal: added connect action in API (contributed by zvs44)
o firmware: move build-time version information to core version file
o firmware: rename backend script "audit" to "security" for clarity
o ipsec: bring back service widget lost back in 2016
o monit: change status page to support easier CSS styling
o unbound: set up a full chroot including local log socket
o unbound: replace custom msort() function with standard function
o unbound: use correct IPv4 or IPv6 interface for address lookups
o webgui: use interfaces_addresses() for interface binding
o mvc: show an error message on failed model migrations
o mvc: refactor __items access via iterateItems()
o mvc: accept style keyword on all input types
o mvc: improved menu API endpoint integration
o plugins: os-bind adds 4 new blacklist providers (contributed by Michael Muenz)
o plugins: os-dyndns validates custom updates solely for URL input
o plugins: os-nginx 1.3 correctly sets upstream headers (contributed by Fabian Franz)
o plugins: os-theme-cicada 1.6 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.7 (contributed

18.7.5 19 Oct 2018 06:51 minor feature:
o system: add (de)select all option in LDAP importer
o firewall: keep previous content for URL alias on fetch error
o firewall: make schedule icon reflect current schedule state (contributed by framer99)
o firewall: toggle and migration fix for upcoming alias API
o firewall: round-robin limitation is for host alias outbound NAT only
o firewall: resolve network addresses in kernel for static routes bypass option
o firewall: do not clean up visible records when limit was not reached
o firewall: do not hardcode live log pass / block colours
o firewall: add live log direction icons
o firmware: shorten shaper name and assorted cleanups
o firmware: fix upgrade compatibility with FreeBSD 11.2
o firmware: use opnsense-version where appropriate
o firmware: correctly translate GUI buttons (contributed by Smart-Soft)
o dnsmasq: use more robust approach to interface binding
o ipsec: more secure phase 1 default settings (contributed by Michael Muenz)
o ipsec: support for multiple phase 1 DH groups and hashes
o openvpn: option to match CSO against common_name or login (contributed by Fabio Prina)
o unbound: fix usage of the remote control backend calls
o unbound: remove faulty "DHCP" label hint for IPv6 link-local registration option
o web proxy: several corrections for PAC template
o backend: fix CPU hogging when reading on already disconnected streams
o mvc: speed up parsing very large config files
o mvc: add single select constraint
o mvc: add UUID field to the result of addBase (contributed by CJ)
o ui: sidebar UX improvements (contributed by Team Rebellion)
o ui: use single guillemets for previous/next page
o plugins: os-acme-client /var MFS awareness
o plugins: os-cicada 1.5 (contributed by Team Rebellion)
o plugins: os-collectd 1.2 makes hostname override optional (contributed by Michael Muenz)
o plugins: os-dyndns 1.10 adds CloudFlare IPv6 support (contributed by Charles Ulrich)
o plugins: os-net-snmp 1.2 adds write access for users (contributed by Michael Muenz)
o plugin

18.7.4 28 Sep 2018 05:40 minor feature: Here are the full patch notes:
o system: correctly unset DNS override allow setting when saving
o system: remove unused / default arguments from get_possible_listen_ips()
o system: note that HA disable preempt requires reboot (contributed by Michael Muenz)
o interfaces: add static IPv6 correctly when on top of PPPoE (contributed by Team Rebellion)
o interfaces: lower MTU via tracked IPv6 interface MTU
o interfaces: 6RD IPv4 prefix override is now prefix-only
o firewall: also show scheduler info in shaper status (contributed by Michael Muenz)
o firmware: introduce opnsense-version utility and fully template build metadata
o firmware: annotate HTTP(S) status in mirrors in descriptions
o firmware: avoid base upgrade error when /proc is mounted
o monit: change mail format field for alerts to text area (contributed by Frank Brendel)
o openssh: further tweak new interface bind approach introduced in 18.7.3
o openvpn: change abbreviated column title to "Bytes Received" (contributed by Andy Binder)
o web proxy: support WPAD / PAC (contributed by Fabian Franz)
o ui: minified sidebar improvements (contributed by Team Rebellion)
o ui: introduce cache_safe() to invalidate browser cache after updates
o plugins: os-dyndns wildcard support for Namecheap
o plugins: os-ntopng 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.2 allows "@" in username (contributed by Michael Muenz)
o plugins: os-relayd 2.3 fixes stuck scheduler value (contributed by Frank Brendel)
o plugins: os-snmp compatibility fixes for version detection and listen interface core changes
o plugins: os-theme-cicada 1.4 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.6 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.3 (contributed by Team Rebellion)
o plugins: os-tor 1.7 allows to enable directory page (contributed by Fabian Franz)
o plugins: os-upnp compatibility fixes for version detection core changes
o src: fix out-of-bounds read vulnerability in libarchive
o src: update

18.7.3 19 Sep 2018 07:27 minor feature: Here are the full patch notes:
o system: gateways widget show/hide feature (contributed by Team Rebellion)
o system: select correct IPv6 default route when underlying IPv6 interface differs
o system: extended meta-matching for special characters in ACL patterns
o system: show last diff by default in configuration history page
o system: refactor password logic in user manager for clarity
o system: link-local listen IPv6 requires reading underlying IPv6 interface
o interfaces: avoid boot mismatch on several virtual plugin devices
o interfaces: list widget show/hide feature (contributed by Team Rebellion)
o interfaces: stats widget show/hide feature (contributed by Team Rebellion)
o interfaces: stop wireless software before bringing down the interfaces
o interfaces: fix selection issue for DHCPv6 PD "none" value
o interfaces: make "64" the page default for DHCPv6 PD
o interfaces: allow IPv4 address override in 6RD
o interfaces: fix 18.7.2 gateway read regression in 6RD
o interfaces: give each 6RD tracker a different IPv6 address
o dhcp: add DHCP Dynamic DNS key algorithm selection (contributed by Ingo Theiss)
o dhcp: correctly load DHCPv6 settings in manual tracking (contributed by Team Rebellion)
o dhcp: do not show lease actions if interface cannot be found
o dhcp: unhide DHCPv6 service when not using automatic PD
o dnsmasq: annotate that "all" is the recommended interface binding option
o importer: list all available ZFS pools (contributed by Smart-Soft)
o importer: do not try to unload ZFS on ZFS boot, sanely rejected anyway ;)
o importer: ZFS pools are now addressed as e.g. "zfs/zroot"
o importer: always loop until exit or successful import
o intrusion detection: source, destination, pass support in user rules (contributed by Michael Muenz)
o ipsec: change hash checkboxes in phase 2 to selectpicker
o openssh: change interface bind logic to only bind to currently available addresses
o openvpn: align status columns for client and P2P case (contributed by Andy Binde

18.7.2 07 Sep 2018 07:11 minor feature: Here are the full patch notes:
o system: select correct network interface in case of IPv6 gateway lookups
o system: tighten system wizard ACL and menu registration
o system: do not wrap first column of log viewer (contributed by Alexander Graf)
o firewall: return alias types to repair its outbound NAT rule edit
o firewall: hide NAT redirect target port when port is not applicable
o firewall: alias API is now live on the development version and will migrate your aliases to the new format
o interfaces: allow explicit MTU to reach the 6RD device
o interfaces: remove use of adv_dhcp6_prefix_interface_statement_sla_id (contributed by Team Rebellion)
o interfaces: fix for DHCPv6 not being restarted for tracked interfaces (contributed by Team Rebellion)
o interfaces: fix adding interfaces LAN bug of translated web GUI (contributed by Werner Fischer)
o interfaces: remove incorrect display of prefix ID in help text for tracking configuration
o interfaces: add groups to interface details output
o interfaces: remove unused code and other nonfunctional cleanups
o interfaces: use "x" in the list widget for no carrier
o interfaces: hide global IPv6 address in list widget if DHCPv6 is set to use only a prefix
o dhcp: remove unused inputs from static mapping page
o dhcp: treat EFI BC the same as EFI x86-64 (contributed by andi-makandra)
o ipsec: add automatic key exchange option
o openvpn: fix /32 host validation logic
o openvpn: clean up control sockets prior to startup
o openvpn: align user authentication to use common_name as username
o mvc: add iterateItems() method to base field type to simplify call flow
o mvc: fix configd asList helper (contributed by Fabian Franz)
o mvc: add configd XML attributes to template parser
o ui: allow version query to match on main.css probing
o ui: footer cleanups and static page repairs where boxing was not correct
o ui: no minified version for tokenize2
o ui: fix table headers in dialogs (contributed by Fabian Franz)
o plugins: os-bind 1.1 add

18.7.1 22 Aug 2018 08:28 minor feature: Here are the full patch notes:
o system: hide web server info from server tag
o system: fix group privileges edit menu hint
o system: add text area field to backup framework (contributed by Joao Vilaca)
o interfaces: use NIC preference for VLAN hardware filtering in default config
o interfaces: router advertisement and DHCPv6 configure fix (contributed by Team Rebellion)
o interfaces: fix PD when using DHCPv6 override on tracked interface
o firewall: toggle filter and NAT rules using checkboxes
o firewall: add state-policy if-bound option
o firewall: added logging for tracing internal rule generator
o firewall: fix ordering issue in port validation and disable
o firewall: fix disabled reject action icon display (contributed by framer99)
o captive portal: fix usage of vouchers and group with spaces in their names
o captive portal: hide web server info from server tag
o dnsmasq: fix listening behaviour on empty but set interface selection
o firmware: remove the 18.1 update fingerprint and pre-18.7 config file fallback
o firmware: do not show development version changelogs in releases
o intrusion detection: reworked rule selection
o ipsec: use selectpicker in mobile page
o ipsec: add Brainpool EC groups
o openvpn: do not remove client specific override files on disconnect
o openvpn: do not create v6 gateway if disabled
o shell: omit ":" from SSL fingerprint display
o unbound: fix menu access for overrides
o wizard: fix root password input
o backend: call shutdown before close in background daemon
o mvc: cause data from callback_ok to be passed through (contributed by Nicholas de Jong)
o mvc: minor glitch in getFormData(), we should ignore empty id fields
o mvc: do not offer internal interfaces in generic interface selector
o mvc: handle validations better by removing duplicate messages
o mvc: fix two glitches in new tokenize field handling
o mvc: add numeric field type
o rc: update php.ini include paths (contributed by Joao Vilaca)
o ui: fix spacing of containers in sta

18.7 01 Aug 2018 07:33 major feature: These are the most prominent changes since version 18.1:
o improved WAN DHCPv6 and SLAAC connectivity and tracking
o functional IPv6 Rapid Deployment (6RD) support
o improved default route handling and gateway switching
o OpenVPN default setup improvements for IPv6 and RADIUS attribute support
o Dpinger gateway monitoring integration
o password policies for local authentication and coupled TOTP
o Monit core integration to eventually replace the legacy notifications
o OpenSSH access via group and shell selection instead of privilege
o pluggable backup framework with new Nextcloud option
o system tunables are now also used as loader tunables
o unrestricted VLAN usage for e.g. Xen
o QinQ interface removal
o firmware GUI speedup, improved error parsing and console reboot hint
o ZFS on root boot support (installer support is pending, but opnsense-bootstrap works)
o ZFS and MSDOS config import support
o ISC DHCP version moves from 4.3 to 4.4
o RRDtool version moves from 1.2 to 1.7
o rework rc.syshook facility to use drop-in directories instead of suffixes
o backports of FreeBSD 11.2 Intel NIC drivers
o stand-alone frontend UI development tools
o language updates for Czech, French, German, Portuguese (Brazil)
o UI header security and SSL cipher hardening
o extensive UI cleanups and menu consolidation
o new and rewritten plugins: os-cache, os-lcdproc-sdeclcd, os-net-snmp, os-nut, os-openconnect, os-relayd 2.0, os-shadowsocks, os-theme-cicada, os-theme-rebellion, os-theme-tukan, os-wol 2.0

18.1.13 26 Jul 2018 14:40 minor feature: Here are the full patch notes:
o system: restart syslog when interface bind addresses may have changed
o system: remove unused action_disable setting in gateway monitoring
o firmware: new mirror Dataroute (Dusseldorf, DE)
o ntp: typo in SiRF selection
o openvpn: translate validated field names
o rc: unset rcvar before evaluation (contributed by Nicholas de Jong)
o installer: give basic tip that GUI IP can be set in console after install (contributed by stilez)
o plugins: os-theme-cicada 1.2 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.2 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.1 (contributed by Team Rebellion)
o ports: suricata 4.0.5

18.1.12 19 Jul 2018 05:50 minor feature: Here is the full list of changes:
o system: improve local account expire cron job to also flush passwords and SSH keys
o system: show fingerprint in certificate details (contributed by Robin Schneider)
o system: fix NextCloud file name format (contributed by Fabian Franz)
o system: allow remote backup via cron command
o interfaces: allow /0 to /32 in 6rd and align prefix length calculation with effective prefix used
o firewall: do not trigger rules scheduling if scheduled rule is disabled
o firewall: allow to select external aliases
o firewall: ignore namelookup when no nameservers are configured
o dashboard: remove tooltips from CPU widgets (contributed by Team Rebellion)
o dashboard: add date to large CPU widget data
o firmware: add Aalborg University mirror
o intrusion detection: add missing classification category
o ipsec: add mutual RSA and EAP-MSCHAPv2 support
o wizard: make clear that "admin password" means "root password"
o ui: when JQuery Bootgrid rowselect is enabled the click event is triggered twice
o mvc: switch from the default _GET '_url' to _SERVER 'REQUEST_URI' and let Phalcon handle the routing
o mvc: dynamic urls regardless if you have a trailing slash or not (contributed by Max Orelus)
o mvc: multiselect may allow empty option, no need to give blank item too
o mvc: add support for application specific field types
o ui: top level menu item link pivots and security improvements (contributed by Max Orelus)
o plugins: os-net-snmp 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.1 (contributed by Michael Muenz)
o plugins: os-web-proxy-sso UI fixes (contributed by Smart-Soft)

18.1.11 03 Jul 2018 08:29 minor feature: Here are the full patch notes:
o system: enforce full password policy check for local passwords including TOTP
o system: add RFC 7919 DH parameter files for upcoming 18.7 feature
o system: add 3072-bit RSA key length options to certificates (contributed by Justin Coffman)
o system: move auto-cron jobs to plugin files
o interfaces: refactor reload handling around interfaces_configure()
o interfaces: allow private addresses in 6RD
o interfaces: check existence of "status" (contributed by Tian Yunhao)
o reporting: add NetFlow/Insight database force repair function
o dhcp: update from ISC version 4.3 to 4.4
o importer: allow ZFS import for upcoming 18.7 ZFS installer feature
o importer: allow import from simple MSDOS USB drives
o intrusion detection: add app detect rules (contributed by Michael Muenz)
o rc: suppress message of service not enabled on NetFlow backup
o rc: use exec in /etc/rc and /etc/rc.shutdown hooks
o rc: rework rc.syshook facility to be driven by directories and not suffixes
o unbound: remove defunct unbound_statistics() function
o plugins: os-postfix 1.4 advanced force recipient check (contributed by Michael Muenz)
o plugins: service start corrections for accompanying rc.syshook changes
o src: incorrect TLB shootdown for Xen-based guests
o src: lazy FPU state restore information disclosure
o src: enable usage of locate(1) utility
o ports: isc-dhcp 4.4.1
o ports: php 7.1.19
o ports: unbound 1.7.3

18.1.10 26 Jun 2018 06:21 minor feature: Here are the full patch notes:
o system: provide default for user language
o system: do not allow spaces in group names
o system: dpinger gateway monitor option (contributed by Team Rebellion)
o system: prepare for upcoming DH parameter regeneration feature
o system: Nextcloud backup support (contributed by Fabian Franz)
o system: userid 0 has trouble with s in redirects, use d instead
o system: QR code quiet zone support
o system: add selectpicker style where previously missing
o firmware: allow both origin.conf and OPNsense.conf to be used for repository setup
o firmware: exclude password database files from base update as it breaks sudo
o interfaces: clean up reload structure for single interfaces
o interfaces: remove unused interface reload script
o interfaces: simplify semantics of link_interface_to_track6()
o interfaces: assorted cleanups in the code
o firewall: add enable flag to shaper rules
o firewall: improve parsing speed of firewall log
o firewall: fix wrong alias reference in outbound rules
o firewall: generate ipfw comments for debugging (contributed by Robin Schneider)
o firewall: move color settings from schedules to theme (contributed by Fabian Franz)
o intrusion detection: correct typo in CSS
o openvpn: raise default DH parameter to 2048 bit
o console: pass output of stop scripts to user during halt/reboot
o console: clarify that installer is for installing when SSH is off also
o rc: change NetFlow backup to only stop/start when needed
o rc: backup and restore via XML files again
o rc: slightly refactor halt/reboot/shutdown
o rc: break out config stop script
o rc: simplify configctl plumbing
o ui: add country flags for upcoming changes in GeoIP handling
o ui: trigger onChange event to support custom hooks in form post
o ui: change multi-select default from tokenizer to selectpicker
o ui: add support for custom separators in select items
o plugins: test for template scripts before executing them
o plugins: os-acme-client fixes password field

18.1.9 01 Jun 2018 14:29 minor feature: Here is the full list of changes:
o firewall: advanced option to reset states on IPv4 change
o interfaces: rename wancfg to lancfg in tracking code
o interfaces: further simplifications for dhclient usage
o reporting: add logging to database repair stage
o reporting: Insight click event issue
o system: use uppercase gateway names for compatibility
o system: gateway alert script always returns true
o system: align static ACL check with MVC variant
o system: pluggable backup support
o system: configurable user landing pages
o system: safety belt for password policy check
o wizard: add missing element IDs to fix scripting issues
o firmware: parse and return to be removed packages for update summary
o firmware: release type change properly updates the repository and summary
o firmware: extended settings can now be registered via XML files
o firmware: return repository errors in greater detail (4 new error types)
o firmware: make returned backend JSON a bit more human-readable
o firmware: fix leak of base/kernel update info on package manager updates
o firmware: refactor package manager update summary parsing for speed
o firmware: add and use API for major upgrades
o dhcp: fix unwanted name-server write in v6
o dhcp: ldap-server does not exist in v6
o intrusion detection: update classification.config
o intrusion detection: optional fast log to syslog
o ipsec: set ignore_acquire_ts to allow ASA compatibility
o ipsec: add ike_name to syslog output
o openvpn: improve validation between TCP, TCP4, TCP6, UDP, UDP4 and UDP6
o console: manual pages for opnsense-importer and opnsense-installer
o console: let opnsense-installer set up an early runtime environment
o console: show firmware reboot hint prior to update when applicable
o console: longer timeout for opnsense-importer invoke on first boot
o console: proper return values for opnsense-importer in edge cases
o mvc: support multiple directories for detached UI development
o mvc: add AddressFamily option to NetworkField

18.1.8 22 May 2018 07:24 minor feature: Here are the full patch notes:
o system: improve VLAN console assignment handling
o system: move backup crypto code to the only page using it
o system: improve validation for web GUI related settings
o system: split off monitor reload for upcoming dpinger integration
o system: default route handler skips an already active default route
o system: default route handler purges hint files only when switching to a newer route
o system: default gateway switching uses the standard default route handler
o system: properly add LDAP picker to ACL
o system: properly unset password expired message after password change
o interfaces: clear up use IPv4 connectivity and fix several typos
o interfaces: parse and report tunnel data
o interfaces: move dhclient-script to proper location
o interfaces: allow SLAAC to latch on to IPv4 link
o reporting: add destination address in Insight detail search
o dhcp: fix labels of services to align with menu
o dhcp: domain-search-list usage was removed in 2012
o ipsec: rewrite resolve_retry() for its only use case
o ipsec: improve RADIUS secret escaping (contributed by Rafael Cano)
o ipsec: fix missing disable of DH group setting
o router advertisements: correctly merge DNS server arrays
o router advertisements: fix DNSSL settings
o router advertisements: fix duplicated subnet statements
o openssh: also use static interface IP addresses to listen on explicitly
o unbound: allow wildcard host entry (contributed by Eugen Mayer)
o webgui: also use static interface IP addresses to listen on explicitly
o backend: improve escaping of passed parameters
o ui: correct height of the login title bar
o ui: unify the label printing of interfaces
o ui: refactor script match for help messages
o rc: ZFS boot awareness
o plugins: os-cache 1.0 is an optional web server cache for the GUI/API
o plugins: os-debug 1.3 now holds its own PHP settings
o plugins: os-nut 1.0 (contributed by Michael Muenz)
o plugins: os-snmp 1.3 improves handling of interface binding
o plugi

18.1.7 04 May 2018 05:48 minor feature: Here are the full patch notes:
o system: validate pfsync peer as IPv4-only
o system: flip order of arguments for system_routing_configure()
o system: convert cron to mutable model controller
o system: convert routing to mutable model controller
o system: log table header cleanup
o system: more aggressive factory reset and shut down after completion
o system: remove duplicate addresses before binding web GUI and OpenSSH
o system: fix Framed-Route parsing for RADIUS authentication
o system: properly translate save message on user language change
o interfaces: PPPoE link down script improvements
o interfaces: emit prefix-interface for trackers in advanced DHCPv6 configurations
o interfaces: DHCPv6 configuration creation breakout (contributed by Team Rebellion)
o interfaces: SIGHUP reload for dhcp6c (contributed by Team Rebellion)
o interfaces: wait for dhcp6c to be stopped by pending apply
o interfaces: only reconfigure VLAN interface after edit when necessary
o interfaces: create IPv4 and IPv6 tunnel gateways for GIF/GRE when the setup allows it
o interfaces: remove unused flush argument from various functions
o interfaces: fixed creation of GIF/GRE tunnel with an outer IPv6 remote address (contributed by Christoph Engelbert)
o interfaces: fixed router advertisement setup of former static but now tracking interface (contributed by Christoph Engelbert)
o interfaces: remove obsolete address requirement for CARP VIPs
o interfaces: back out get_dyndns_ip() IPv6 online detection and properly propagate a lookup error
o interfaces: no more spurious redirection for dhclient invoke
o firewall: remove a side effect from filter_delete_states_for_down_gateways()
o firewall: adjust maximum table entries for error-free bogonsv6 usage
o firewall: add buckets option to traffic shaper
o firewall: update help text for port ranges (contributed by Michael Muenz)
o power: power off modal to indicate that the GUI is no longer responsive
o captive portal: add traffic data and IP address

18.1.6  10 Apr 2018 07:14  minor feature: Here are the full patch notes:
o system: reverse reload order for gateway switching on OpenVPN
o system: implement password policies for local accounts
o system: separate web GUI and configd log files
o system: add syslog and login service visibility
o system: show root as disabled in user manager if disabled
o interfaces: no longer restrict VLAN driver capability
o firewall: switch back to old NAT auto-outbound behaviour
o firewall: reload schedules 1 minute later
o firewall: filter descriptions option no longer exists
o firewall: updated anti-lockout link (contributed by Michael Muenz)
o firewall: fix help text in shaper masks (contributed by Michael Muenz)
o firewall: add delay option to pipe in shaper (contributed by Michael Muenz)
o reporting: add insight aggregator to service list
o dashboard: large CPU usage widget (contributed by Team Rebellion)
o dhcp: fix display of DUID in IPv6 leases
o firmware: let opnsense-patch apply chmod even in partially failed patches
o firmware: let opnsense-code fetch all remotes as well as prune them
o intrusion detection: provide custom.yaml for user edits
o web proxy: fix pid file pointer for service status probe
o ui: help data-for attribute (contributed by NOYB)
o ui: reversed zebra redraw on static page mobile forms
o ui: cleanup for unused classes in static pages
o mvc: add constraint type for dependent fields
o plugins: merge rc.plugins_configure code into pluginctl
o plugins: os-c-icap 1.5_1 service controller fix (contributed by Fabian Franz)
o plugins: os-frr 1.3 adds BGP for IPv6 (contributed by Michael Muenz)
o plugins: os-lcdproc-sdeclcd 1.0 release adds LCD usage to Lanner/Watchguard Firebox
o plugins: os-monit 1.7 fixes compatibility with UI rework
o plugins: os-rspamd 1.2 allows specifying bad file extensions (contributed by Fabian Franz and Michael Muenz)
o plugins: os-shadowsocks 1.0 release (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.0 release (contributed by Team Rebellion)
o plugins:
18.1.5  22 Mar 2018 07:05  minor feature: Here are the full patch notes:
o system: optional prefix Google Drive backups with host and domain name
o system: also render tunables in loader.conf to obsolete loader.conf.local editing
o interfaces: allow /127, /128 and /32 static IP address configurations everywhere
o interfaces: improve logging and assorted cleanups (contributed by Team Rebellion)
o interfaces: ignore dynamic linkup events for unassigned interfaces
o interfaces: hide previously assigned interfaces from bridges
o interfaces: allow all IPv6 prefixes from 48 to 64 for DHCPv6 mode
o firewall: add VIP gateway option for PPPoE interfaces
o firewall: add update interval option to log widget (contributed by NOYB)
o firewall: respect mask in traffic shaper queue config (contributed by Michael Muenz)
o firmware: fix opnsense-code for src.git and ABI probing
o firmware: fix opnsense-patch file permission apply for plugins
o intrusion detection: support request headers in ruleset metadata
o openvpn: switch status to version 3 to avoid wrong parsing of commas
o openvpn: parse all states to retrieve all relevant connection status info
o captive portal: exclude "I" from simplified voucher character set for clarity
o plugins: os-lldpd 1.1 adds interface selection (contributed by Michael Muenz)
o plugins: os-monit 1.6 fixes file path validation (contributed by Frank Brendel)
o plugins: os-postfix 1.1 adds smart host and SMTP authentication (contributed by Michael Muenz)
o plugins: os-tinc 1.3 corrects host port usage (contributed by DasTestament)
o plugins: os-tor 1.6 adds IPv6 and exit settings (contributed by Gijs Peskens)
o ui: update tokenizer to 2.6, visual tweaks and blur-add
o ui: buttons for services control in MVC (contributed by Smart-Soft)
o src: reinitialize IP header length after checksum calculation [1]
o src: fix IPsec validation and use-after-free [2]
o src: update timezone database information [3]
o src: update file(1) to new version with security update [4]
o src: add mitigations for two classes
18.1.4  12 Mar 2018 07:20  minor feature: Here are the full patch notes:
o system: improved default route handling
o system: improved gateway switching
o system: cleanse username on LDAP import
o system: increase maximum size of firmware reports
o firewall: shaper backend refactor
o interfaces: improved reconfigure phase
o reporting: fix sporadic "non-numeric value encountered" error
o captive portal: add voucher expiry (contributed by Stephanowicz)
o intrusion detection: use latest ET Open rules for Suricata version 4
o intrusion detection: proper syslog with drops, requires log file reset
o intrusion detection: backend refactor
o plugins: os-frr 1.2 adds OSPF interface type (contributed by Marius Halden)
o plugins: os-haproxy 2.6 [1] (contributed by Frank Wall)
o ports: isc-dhcp 4.3.6P1 [2]
o ports: krb5 1.16 [3]
o ports: pkg 1.10.5
o ports: strongswan 5.6.2 [4]
18.1.3  05 Mar 2018 12:00  minor feature: Here are the full patch notes:
o system: account for variable headers in top output
o system: move gateway status into main pages
o system: slightly reorder routing configuration calls
o system: optimize reading of SSL crypto library version string (contributed by Alexander Shursha)
o system: rework LDAP authentication container selection
o interfaces: avoid interaction of overview details with menu items
o interfaces: allow "reject leases from" option in DHCP advanced settings
o firewall: set alias cron update interval to 1 minute
o firewall: align alias cron update with its background call
o firewall: URL IP alias type missing in selections
o firewall: fix defunct alias target in outbound NAT
o firewall: ignore alias case while searching
o firewall: move rule category filter to the top of the page
o firewall: show IPv6 ports in live log and fix details for TCP
o firewall: move general settings to AliasParser and fix Alias constructor to receive them
o firewall: if the name of the alias equals its content try to resolve
o dhcp: advertisement problem on PPPoE link without public IPv6 address (contributed by Team Rebellion)
o dhcp: UEFI 64 network boot using wrong arch type
o dhcp: validate maximum interface MTU
o dhcp: add validation for DUID fields
o ipsec: auto-route disable setting (contributed by Namezero)
o network time: inline NMEA checksum calculator (contributed by Fabian Franz)
o network time: fix stratum level write
o unbound: optimize outgoing-range differently
o unbound: local zone setting (contributed by NOYB)
o ui: fix cropped dropdown regression
o mvc: translate option values (contributed by Alexander Shursha)
o mvc: fix access to undefined property translator
o mvc: fix typo in getBase()
o mvc: improve phpdoc
o rc: protect console menu again, but keep shell invoke for rc.d subsystem
o rc: fix some typos (contributed by John Eismeier)
o rc: proper includes for plugin post-install hook
o rc: recover all known shells
o plugins: os-clamav 1.5 fixes log
18.1.2  08 Feb 2018 18:20  minor feature: Here are the full patch notes:
o system: avoid default route from disappearing when no manual gateways are set
o firewall: fix outbound NAT for OpenVPN interfaces
o interfaces: multiple overview page improvements (contributed by NOYB)
o firmware: revoke 17.7 update fingerprint
o console: check for root invoke in importer, installer and console menu
o intrusion detection: always show schedule tab
o intrusion detection: log first drop of a flow
o intrusion detection: add a log file viewer
o unbound: add num-queries-per-thread option values for 4096 and 8192
o ui: remove chrome=1 from X-UA-Compatible meta element (contributed by NOYB)
o ui: HTML compliance for attribute "type" on script element (contributed by NOYB)
o ui: HTML compliance for "navigation" "role" on nav element (contributed by NOYB)
o ui: checkbox and radio button label children tweaks (contributed by NOYB)
o ui: break help text on small screens
o ui: use pluggable locations for theme files
o ui: remove table-responsive padding on small screens
o ui: user-scalable viewport (contributed by NOYB)
o mvc: CRUD functions for mutable model controller (contributed by Fabian Franz)
o plugins: os-frr 1.0 with CRUD refactor (contributed by Fabian Franz)
o plugins: os-tor 1.5 with CRUD refactor (contributed by Fabian Franz)
o ports: phalcon 3.3.1
o ports: php 7.1.14
18.1.1  02 Feb 2018 18:19  minor feature: Here are the full patch notes:
o firewall: ignore target port alias in port forwards when it equals the destination
o firewall: align outbound NAT address output to edit page
o firewall: use first region for country in GeoIP category instead of last one
o system: improve layout of gateway status labels (contributed by Fabian Franz)
o system: improve order of group / user setup as "wheel" was not added correctly on save
o dashboard: touch device improvements in widgets (contributed by NOYB)
o opendns: always refresh the setting on save
o openvpn: open links in a new tab (contributed by Fabian Franz)
o ui: system-wide HTML compliance improvements (contributed by NOYB)
o plugins: arp-scan 1.1 improves interface search (contributed by Giuseppe De Marco)
o plugins: os-dyndns 1.6 fixes Route 53 IPv6 usage (contributed by theq86)
o plugins: os-freebsd 1.5.2 clarifies certificate validation (contributed by Michael Muenz)
o plugins: os-openconnect 1.0 (contributed by Michael Muenz)
o plugins: os-rfc2136 1.2 improves widget load
o plugins: os-telegraf 1.3.1 adds ping hosts and graphite validation fix (contributed by Michael Muenz)
o plugins: os-rspamd 1.1 fixes typos (contributed by Fabian Franz)
o plugins: os-zerotier 1.3.1 makes database persist on /var MFS (contributed by David Harrigan)
o ports: curl 7.58.0 [1]
o ports: py27-cryptography 2.1.4
18.1  02 Feb 2018 18:18  minor feature: These are the most prominent changes since version 17.7:
o FreeBSD 11.1, PHP 7.1 and jQuery 3 migration
o Realtek vendor NIC driver version 1.94
o Portable NAT before IPsec support
o Local group restriction feature in OpenVPN and IPsec
o OpenVPN multi-remote support for clients
o Strict interface binding for SSH and web GUI
o Improved MVC tabs and general page layout
o Shared forwarding now works on IPv6, in conjunction with "try-forwarding" and improved reply-to multi-WAN behaviour
o Easy-to-use update cache support for Linux and Windows in web proxy
o Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)
o Revamped HAProxy plugin with introduction pages
o Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status
o Alias backend rewrite for future extensibility
o Plugin-capable firewall NAT rules
o Migration of system routes UI and backend to MVC (also available via API)
o Reverse DNS support for insight reporting (also available via API)
o Fully rewritten firewall live log in MVC (also available via API)
o New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, node_exporter
17.7.12  19 Jan 2018 06:18  minor feature: Here are the full patch notes:
o system: use correct crypto library to gather GUI SSL ciphers
o system: do not wrap action buttons in tunables page
o system: fix CA serial number decrement on save
o firmware: remove the discontinued hotfix backend support
o firmware: allow dot in package name during package action
o firmware: remove defunct mirrors
o interfaces: make level of detail stick in packet capture
o interfaces: auto-lock problematic interfaces upon assignment
o firewall: make NAT reflection enable less ambiguous
o firewall: fix NAT formatting in states dump page
o network time: fix for valid negative offset in health graph
o network time: OPNsense NTP pool is now available
o network time: fix parsing of overly long lines
o web proxy: use PID file instead of daemon name for status probe
o wizard: add unbound to wizard and uncheck DNSSEC by default
o ui: HTML compliance fixes button in link usage (contributed by NOYB)
o mvc: added mutable service controller
o mvc: added sub-tab layout partials
o mvc: do not render empty toggle header
o plugins: acme-client 1.13 [1] (contributed by Frank Wall)
o plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)
o plugins: helloworld 1.4
o plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)
o plugins: tor 1.4 adds contact info (contributed by Fabian Franz)
o plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)
o ports: libressl 2.6.4 [2]
o ports: php 7.1.13 [3]
17.7.11  22 Dec 2017 10:12  minor feature: Here are the full patch notes:
o system: numerical sort for "Use" and "MTU" columns in route diagnostics
o system: gateway group edit tier selection issue with jQuery3
o system: minor cleanups in the certificates backend
o firewall: move anti-lockout rule to advanced settings
o interfaces: minor cleanups in the backend
o reporting: rework configuration handling on the settings page
o dnsmasq: minor cleanups in the backend
o firmware: strip the architecture from the base / kernel set version display
o firmware: backend preparations for full base / kernel set lock and reinstall
o firmware: increase crash report file limit to 2 MB
o ipsec: minor cleanups in the backend
o unbound: register DHCP domain name for interface if found
o network time: show full remote address and fix page boxing on status page
o network time: add advanced custom options
o network time: fix leap second save
o network time: minor cleanups in the backend
o wizard: properly redirect on input errors in system wizard
o mvc: ignore client-side anchors in breadcrumb generation
o ui: do not use a CSRF input element ID
o plugins: os-freeradius 1.4.1 fixes a warning in clients (contributed by Michael Muenz)
o ports: libxml 2.4.7 [1]
o ports: py-ipaddress 1.0.19
17.7.10  18 Dec 2017 10:56  minor feature: Here are the full patch notes:
o system: allow user-based language setting through Lobby: Password
o system: allow strict interface binding for OpenSSH
o system: prepare for MVC-based routing pages
o firmware: prepare for production / development release type selection
o firewall: fix a PHP warning when no user rules are installed
o firewall: add refresh button to table diagnostics page
o captive portal: fix chroot regression since lighttpd web server update in 17.7.9
o interfaces: provide a link-local IPv6 when asking for addresses
o intrusion detection: sync port-groups to default template
o ipsec: upgrade vici lib to match strongSwan package
o network time: fix a PHP warning during NMEA deselect
o mvc: do not throw disabled errors in handler
o plugins: os-dyndns 1.4_1 fixes issue with Namecheap error parsing
o plugins: os-freeradius 1.4.0 adds log viewer and fixes users write (contributed by Michael Muenz)
o plugins: os-quagga 1.4.3 adds OSPF firewall rule and spinners for save (contributed by Fabian Franz)
o src: OpenSSL multiple vulnerabilities [1] [2]
o ports: hyperscan 4.6.0 [3]
o ports: openssl 1.0.2n [4]
o ports: suricata 4.0.3 [5]
Two plugin hotfixes have been additionally issued:
o plugins: os-quagga 1.4.3_1 fixes service startup regression
o plugins: os-rfc2136 1.1_1 fixes edit button in IE 11
17.7.9  07 Dec 2017 16:29  minor feature: Here are the full patch notes:
o system: fix XSS with crafted certificates in certificate manager [1]
o system: removed duplicated firmware privileges
o system: fix resolving routes in diagnostics page
o system: regenerated DH parameters
o dhcp: support stateless DHCPv6
o firmware: kernel and base set visibility and better API session handling
o intrusion detection: improve download and install speed of et-open rules
o intrusion detection: add TLS and HTTP logging in eve and alert log viewer
o openvpn: allow remote network in peer to peer modes
o web proxy: better service and API session handling
o router advertisements: advertise on VIPs belonging to the same interface
o configd: allow template overrides via optional target directory
o mvc: prepare for user-based language setting (contributed by Alexander Shursha)
o mvc: prepare for auto-generated page titles
o mvc: tighten against frame-based attacks
o mvc: correctly hide advanced option headers in forms (contributed by Evgeny Bevz)
o ui: fix for deactivated storage in sticky "help all" toggle (contributed by Fabian Franz)
o ui: make "advanced mode" sticky too
o plugins: os-acme-client 1.12 [2] (contributed by Frank Wall)
o plugins: os-arp-scan (contributed by Giuseppe De Marco)
o plugins: os-clamav 1.3 (contributed by Alexander Shursha)
o plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed by Kuo-Cheng Yeu)
o plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)
o plugins: os-haproxy 2.0 [3] (contributed by Frank Wall)
o plugins: os-relayd 1.2 fixes "check send" directive
o plugins: os-tor 1.3 (contributed by Fabian Franz)
o plugins: os-zabbix-agent 1.2 fixes service status indicator
o plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)
o ports: ca_root_nss 3.34.1
o ports: curl 7.57.0 [4]
o ports: lighttpd 1.4.48 [5]
o ports: php 7.1.12 [6]
o ports: pkg 1.10.3 [7]
o ports: py-Jinja2 2.10 [8]
o ports: syslogd 11.1