OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: franco on August 03, 2016, 08:34:06 am

Title: 17.1 development milestones
Post by: franco on August 03, 2016, 08:34:06 am
Hi there,

Here is the (gradually growing) list of important changes we've done for the 17.1 series during its development cycle:

o OpenVPN client exporter windows binaries have been removed
o top GUI package is now marked "vital" to make sure it's not being uninstalled (new feature of pkg 1.8)
o authentication methods are now fully pluggable
o secondary console can now be specified individually in serial mode under System: Settings: Administration
o installer now boots up with SSH for headless remote installation
o Italian as a release language (contributed by Antonio Prado)
o individual MVC config models now have their own versioning/migration system
o config.xml import / export consistency rework
o phalcon MVC 3.0
o PAM authentication for far-reaching 2FA usage
o reverting CARP usage back to BSD standards
o IPsec tunnel isolation mode for interoperability (one tunnel per phase 2 entry)
o pluggable boot loader settings
o sanitisation of header redirects using url_safe()
o firmware updates can now perform major system upgrades (e.g. FreeBSD 10.3 to 11.0)
o FTP proxy plugin (contributed by Frank Brendel)
o all system branding moved to the core package
o Czech as a release language (contributed by Pavel Borecki)
o FreeBSD 11-RELEASE with ASLR and PIE additions from HardenedBSD
o first public test build of OPNsense on armv6
o firewall rules are now fully pluggable
o secure fetching of bogons files as a single set
o HardenedBSD's SEGVGUARD
o configuration model constraints
o Tinc VPN Plugin
o selectable domain override for DNS Forwarder/Resolver
o captive portal custom voucher quantity and validity
o rewritten Nano images with growfs support (3G)
o improved password security (blowfish+salt)
o Mute + EFI console support
o PHP 7.0 compatibility and general GUI speed improvements
o improved firmware update user experience with audits, changelogs, licenses, plugins
o exported several base features to plugins (os-snmp, os-igmp-proxy, os-wol, os-upnp, os-relayd)
o added translation for Portuguese/Portugal (contributed by Carlos Meireles)
o added translation for Portuguese/Brazil (contributed by Thiago Basilio)
o fixed link state interrupt stuck on e1000 82574 chipsets broken in FreeBSD 10.3 and up
o cooperative firewall forwarding rework to fix traffic shaper/captive portal + multi-wan
o fixed emulated IPS (netmap) mode broken in FreeBSD 11.0
o replaced the CSRF implementation in the non-MVC pages


Cheers,
Franco
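The "sanitisation of header redirects" item in the list above concerns a classic pair of problems: a user-supplied redirect target that can smuggle CR/LF into the Location header, or that sends the browser off-site. The following is an added Python example, not OPNsense's url_safe() and not a reproduction of its rules; it shows the checks a same-origin Location target needs (reject control characters, reject any scheme or authority including the `//host`, `///host` and `/\host` forms browsers resolve off-site, accept only an absolute local path) and falls back to a safe default otherwise. The fallback path and the sample targets are assumptions for illustration.

```python
"""Redirect-target sanitiser (added example; not OPNsense's url_safe())."""
from urllib.parse import urlsplit, urlunsplit

# Characters that must never reach a Location header: CR/LF split the header,
# NUL and TAB are stripped or mishandled by various parsers.
FORBIDDEN = "\r\n\0\t"


def safe_redirect_target(target, fallback="/index.php"):
    """Return a same-origin path+query that is safe to place in a Location header.

    Anything that could inject a header or send the browser off-site is
    replaced by `fallback`.  Only absolute local paths ("/page.php?x=1")
    are accepted; fragments are dropped.
    """
    if not isinstance(target, str):
        return fallback
    target = target.strip()          # browsers strip leading/trailing whitespace
    if not target or any(c in target for c in FORBIDDEN):
        return fallback
    # Browsers treat "\" like "/" in special-scheme URLs, so "/\evil" is "//evil".
    normalised = target.replace("\\", "/")
    # Two or more leading slashes are parsed as an authority by browsers
    # ("//evil", "///evil"), whatever urlsplit reports for them.
    if normalised.startswith("//"):
        return fallback
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:    # "http://evil", "javascript:...", "evil.com:80/x"
        return fallback
    if not parts.path.startswith("/"):  # relative paths are ambiguous; require absolute
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, ""))


def location_header(target, fallback="/index.php"):
    """Build the header tuple a framework would emit for the sanitised target."""
    return ("Location", safe_redirect_target(target, fallback))


if __name__ == "__main__":
    # Constructed sample targets: one legitimate, the rest attack shapes.
    for t in ["/firewall_rules.php?if=lan", "//evil.example/", "///evil.example",
              "/\\evil.example", "https://evil.example/", "javascript:alert(1)",
              "/index.php\r\nSet-Cookie: x=y", "relative.php"]:
        print(repr(t), "->", safe_redirect_target(t))
```

Percent-encoded CR/LF stays encoded inside a header value and does not split it, so only the raw characters are rejected here; the scheme/authority checks run on the backslash-normalised string because browser URL parsing, not Python's, decides where a redirect actually lands.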
Title: Re: 17.1 development milestones
Post by: franco on December 05, 2016, 08:08:19 pm
Lots of updates on this now. If there are questions please don't hesitate. :)


Cheers,
Franco
Title: Re: 17.1 development milestones
Post by: tillsense on December 06, 2016, 07:41:19 pm
...new feature of pkg 1.8 ???

cheers till
Title: Re: 17.1 development milestones
Post by: franco on December 06, 2016, 09:36:04 pm
Yeah... pkg 1.8 added the "vital" flag which can prevent accidental removal of the GUI package, which could happen either due to pkg resolver bugs during challenging LibreSSL/OpenSSL transitions, or due to manual errors during a package switch.

The "vital" flag is actually going to be used for FreeBSD's base pkg support where base and kernel components really should not be uninstalled under any circumstances. Base pkg was originally scheduled for 11.0, then rescheduled for 11.1, but maybe we won't see it before 12.0.

But long story short, it's a very useful feature in OPNsense already although one can't appreciate it because it will prevent bad things from happening in the first place. :)


Cheers,
Franco
Title: Re: 17.1 development milestones
Post by: nikkon on January 04, 2017, 07:10:41 am
any possibility to see pfblokerNG in this major release?
Title: Re: 17.1 development milestones
Post by: franco on January 04, 2017, 07:55:58 am
Not without the direct involvement of the author of the software. I don't think it is likely.
Title: Re: 17.1 development milestones
Post by: cg on January 06, 2017, 06:08:27 pm
"OpenVPN client exporter windows binaries have been removed" <- I'm sorry to read that, since I'd have some windows clients running, exporting ready-to-use packages for Windows would be nice.
Using that feature on an Astaro (now Sophos) ASG already.

Is there a special reason to remove it?
Title: Re: 17.1 development milestones
Post by: franco on January 06, 2017, 06:15:15 pm
Hi cg,

The way it was bundled/distributed by OpenVPN required regenerating binaries for every point release, split between different architectures at that. I hear 2.4 has reduced the binary pool.

This can be put back in using a more clever "grab binaries from remote using embedded hashes to confirm their authenticity", the former state wasn't maintainable from a "shipped by default" perspective, putting large binary blobs into our repositories. Not to mention that we do not have a dedicated maintainer for OpenVPN export.

The pressure to resolve this "impossible" state by removing the binaries was high so we did it for a consistent experience. Note that client files can still be exported.

I'm picking up OpenVPN 2.4 after 17.1 is out. Much of this is gentle but frequent user feedback and incentive to provide testing. :)


Hope that helps,
Franco
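The "grab binaries from remote using embedded hashes to confirm their authenticity" approach described above, as an added Python example that is not OPNsense code and does not describe an actual OPNsense feature: a manifest of pinned SHA-256 digests shipped with the package, a fetch that verifies the bytes before anything is written to disk, and an offline demo against constructed in-memory "remotes". The artefact name, the pinned digest (SHA-256 of the constructed bytes "abc") and the `http_fetcher` URL layout are assumptions for illustration.

```python
"""Hash-pinned remote fetch (added example; not OPNsense code)."""
import hashlib
import hmac
import os
import tempfile
import urllib.request

# Manifest shipped with the package: artefact name -> expected SHA-256 hex digest.
# Constructed for this example: the digest is SHA-256("abc") so the offline demo
# below can satisfy it; a real manifest pins the digest of the real binary.
PINNED_DIGESTS = {
    "client-installer.exe":
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def digest_matches(data, expected_hex):
    # Constant-time comparison; both sides are ASCII hex strings.
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def fetch_verified(name, fetch, dest_dir):
    """Fetch `name` with `fetch(name) -> bytes`, verify it against the pinned
    digest and only then write it to `dest_dir`; return the final path.

    Unknown names are refused (KeyError) and a digest mismatch raises
    ValueError before anything is written, so unverified bytes never land on disk.
    """
    expected = PINNED_DIGESTS[name]
    data = fetch(name)
    if not digest_matches(data, expected):
        raise ValueError(f"{name}: SHA-256 mismatch, refusing to install")
    final = os.path.join(dest_dir, name)
    fd, tmp = tempfile.mkstemp(dir=dest_dir)   # write-then-rename: no partial file at `final`
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, final)
    return final


def http_fetcher(base_url):
    """Fetcher for real use: GET base_url/<name> over HTTP(S)."""
    def fetch(name):
        with urllib.request.urlopen(f"{base_url}/{name}", timeout=30) as resp:
            return resp.read()
    return fetch


def demo():
    """Offline run against constructed in-memory 'remotes': one serving the
    expected bytes, one serving tampered bytes of the same length."""
    genuine = {"client-installer.exe": b"abc"}
    tampered = {"client-installer.exe": b"abd"}
    outcome = {}
    with tempfile.TemporaryDirectory() as d:
        path = fetch_verified("client-installer.exe", genuine.__getitem__, d)
        outcome["genuine"] = os.path.basename(path)
        try:
            fetch_verified("client-installer.exe", tampered.__getitem__, d)
            outcome["tampered"] = "accepted"
        except ValueError:
            outcome["tampered"] = "rejected"
        outcome["files_left"] = sorted(os.listdir(d))   # no temp file from the failed attempt
    return outcome


if __name__ == "__main__":
    print(demo())
```

A pinned digest proves only that the download matches what the manifest author saw; it defends against tampering in transit or on a mirror, not against a tampered manifest, so the manifest has to travel inside the package that the firmware update mechanism already verifies.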
Title: Re: 17.1 development milestones
Post by: cg on January 06, 2017, 06:24:45 pm
Thx, perfectly cleared up the reason and 'current state'.
I wish every support answer (in general) would be like that.

Regards
 - Christof
Title: Re: 17.1 development milestones
Post by: tillsense on January 07, 2017, 08:21:07 pm
Hi Franco,

when do you think you can publish the first rc installation packages (amd64)?

cheers till

-------------------------------------
OPNsense 17.1.b_97-amd64
FreeBSD 11.0-RELEASE-p6
OpenSSL 1.0.2j 26 Sep 2016
Title: Re: 17.1 development milestones
Post by: franco on January 08, 2017, 10:03:53 am
Hi Till,

There is one issue to track down for the following bug:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211219

Without it we cannot go forward with 17.1. Whether this is a requirement for 17.1-RC is still being evaluated.

My plan was 17.1-RC within the next two weeks.

I will likely update the experimental packages for both versions early next week to "make up for it".


Cheers,
Franco
Title: Re: 17.1 development milestones
Post by: snakeaj on January 25, 2017, 07:08:26 pm
Multi-WAN and Squid is still not working.

Both up and running, but no website reachable.

Ping on Google is OK.
nslookup works too.

But the web browser can't open a site.
Do I need another NAT rule for a multi-WAN Squid setup?
Title: Re: 17.1 development milestones
Post by: franco on January 25, 2017, 07:19:15 pm
You will need to post your current version and setup details. Multi-WAN and Squid is a broad subject. :)


Cheers,
Franco
Title: Re: 17.1 development milestones
Post by: Redyr on March 27, 2017, 01:35:55 am
Quote from: franco on January 04, 2017, 07:55:58 am
Not without the direct involvement of the author of the software. I don't think it is likely.

Hello Franco,

Users are banned for less; what do you think will happen with BBcan if J. finds out he helps OPNsense? So I don't think he will agree.

But besides that, maybe something like pfblockerNG can be created by OPNsense.

I'm interested because Suricata (or Snort) and pfblockerNG are the most used packages (IMHO) in that other project. These two I'm using myself too.
For Suricata I want to thank you that you keep it updated in comparison with that other project.
Title: Re: 17.1 development milestones
Post by: franco on March 27, 2017, 07:34:54 am
Hi Redyr,

I would hope he would help out, though I don't see any reason why that would happen. As long as something works, why fix it / rebuild it somewhere else. If anything, he should continue to provide top notch pfBlockerNG updates. :)

We did, however, implement similar functionality, but it's not as condensed as the original package. Aliases have received GeoIP support, it makes their use a bit more flexible. The web proxy received fine-grained remote blacklist support. Probably more, I don't remember all.

I believe there are simple knobs missing for "block bad reputation, block the top x things" etc. We need to identify and separate those to find a way for a streamlined integration. Taking a small requirement is often way quicker and easier and also more aligned with the code that we have now than trying to mimic all at once.

It's true that it's harder for someone expecting the same features to be presented in the same way, but also think of the larger body of new users who've never seen something like pfBlockerNG and naturally find the GeoIP blocking in the aliases. We should build the features for them too. :)


Cheers,
Franco