Topics - franco

#361
Hello Rainer and everyone else with the same problem,

If the forum does not let you register, please send us an email to

project A_T opnsense D_O_T org

with an email address at which we can reach you and your desired forum name.

Unfortunately we cannot help if no sender address is configured in the email. :(


Regards
Franco
#362
Announcements / April 2016 vulnerability reports
April 16, 2016, 10:42:27 AM
Dear users and followers,

This is to inform you of several pfSense-related security advisories that have been made public yesterday that also apply/applied to OPNsense. We did not receive any forward notice on these and have worked since yesterday to make sure these are/were handled appropriately. All but one have been addressed in 2015 already, with the last one still being active in pfSense despite the communication. We'll fix the service vulnerability in time for 16.1.11. More info and a full timeline below.

Topic: Arbitrary Code Execution [1]
Category: pfSense Base System
Module: webgui
Public release date: 15th April 2016 [2]
Credits: Francesco Oddo - Security-Assessment.com

File status_rrd_graph_img.php removed in development branch in October 2015 [3]
Released with OPNsense 15.7.21 in December 2015 [4]

[1] https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc
[2] http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf
[3] https://github.com/opnsense/core/commit/df81ae81830
[4] https://github.com/opnsense/changelog/blob/master/doc/15.7.21

Topic: Multiple XSS and CSRF Vulnerabilities in the pfSense WebGUI [5]
Category: pfSense Base System
Module: webgui
Public release date: 15th April 2016 [2]
Credits: Francesco Oddo - Security-Assessment.com

"descr" XSS vulnerability in file system_gateway_groups_edit.php fixed in development branch in November 2015 [6]
Released with OPNsense 15.7.21 in December 2015 [7]

File firewall_shaper_vinterface.php removed in development branch in April 2015 [8]
File firewall_shaper_layer7.php removed in development branch in April 2015 [9]
Released with OPNsense 15.1.10 in May 2015 [10]

[5] https://www.pfsense.org/security/advisories/pfSense-SA-16_02.webgui.asc
[6] https://github.com/opnsense/core/commit/7edf57ada3
[7] https://github.com/opnsense/changelog/blob/master/doc/15.7.21
[8] https://github.com/opnsense/core/commit/cd1c36f7af530b
[9] https://github.com/opnsense/core/commit/1ad20825d4a
[10] https://github.com/opnsense/changelog/blob/master/doc/15.1.10

# Exploit Title: pfSense Firewall <= 2.2.6 Cross-Site Request Forgery [11]
# Exploit Author: Aatif Shahdad
# Version: 2.2.6 and below.
# Contact: https://twitter.com/61617469665f736

Despite the message that 2.3 was supposed to have been fixed, the exploit is still active in this version! [12]

OPNsense as of 16.1.10 is still vulnerable. A final patch was presented on April 17, 2016. [13]
Released in OPNsense 16.1.11 on April 18, 2016. [14]

A workaround involves logging out of the GUI when not required or using a secondary non-default browser for the sole purpose of interfacing with the GUI.

[11] https://cxsecurity.com/issue/WLB-2016040106
[12] https://twitter.com/61617469665f736/status/721006823705329665
[13] https://github.com/opnsense/core/commit/255dcd2f4
[14] https://github.com/opnsense/changelog/blob/master/doc/16.1.11


Stay safe, stay ahead. :)

Your OPNsense team
#363
Announcements / OPNsense 16.1.10 released
April 14, 2016, 01:17:26 PM
Hi everyone,

It has been quite an uneventful week. Suricata and Squid have been upgraded to their latest versions and you can find their individual change logs below. The next part of the Russian translation brings it to number one with a dreamy 83% completed. Otherwise only small fixes and improvements have been made and those will not even require a reboot.

Here is the full list of changes:

o ports: suricata 3.0.1[1], squid 3.5.16[2]
o traffic shaper: added individual tabs to quick navigation
o traffic shaper: fix behaviour on pppoe devices
o openvpn: revive windows installer binaries
o firewall: validate alias url download
o system: improved config history and backup pages layout
o system: increased backup count default from 30 to 60
o system: moved several settings to different pages for better technology alignment
o system: /var /tmp MFS awareness for crash dumps added
o trust: add "IP security IKE intermediate" to server key usage
o firmware: moved reboot, halt and defaults pages to new home
o proxy: add redirection rule creation link for HTTPS proxy (contributed by Fabian Franz)
o pptp: prevent service from printing boot messages due to a stale entry in the default config.xml
o interfaces: show LAGG protocol in overview page
o languages: another large batch of Russian, now 83% complete (contributed by Smart-Soft Ltd.)
o languages: updated French, German and Japanese

Stay safe,
Your OPNsense team

--
[1] https://suricata-ids.org/2016/04/04/suricata-3-0-1-released/
[2] http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5.16-RELEASENOTES.html
#364
General Discussion / Oh noes, dat banner!!1
April 13, 2016, 03:43:15 PM
Hi guys,

Just felt like dropping a question here:

What do you think about the banner?

Maybe it's the end of the world, maybe it isn't. There should be more traction for OPNsense with regard to release engineering, feature rollout and overall shininess. Goals like a system-wide API, ASLR (and other HardenedBSD features) and eventually FreeBSD 11 migration. We wish to see all of this become reality. And we would like your support for the long run. :)


Cheers,
Franco
#365
Announcements / OPNsense 16.1.9 released
April 08, 2016, 01:23:00 PM
Hi guys,

We expect all of you are doing well? It has been a longer while since the last update so 16.1.9 has got a bit of everything to keep the spirits high. :)

There is tremendous progress in the translations. It just so happens that we now have a comprehensive Russian translation as well which is going to be completed in the upcoming weeks. Many thanks to Smart-Soft Ltd. for making this happen. The contender is Japanese through the work of Chie Taguchi, who did most of the translation that we have had for a year. It is going to be a close race to the finish line for both languages. Then again, the whole translation team is doing an amazing job.

As polarising as it may be, we have added HTTPS support in the proxy server. Another noteworthy item is StrongSwan 5.4.0, which helps to address IPSec status page hangs that some have observed with complex setups. We are looking for feedback for these items, please do write in.

Here are the full patch notes:

o src: tzdata updated to 2016c[1]
o src: prevent kernel panic on ipfw/dummynet module unload
o src: let ng_ether_attach() only attach to supported types to avoid kernel panics
o ports: curl 7.48.0[2], strongswan 5.4.0[3], pcre 8.38 (patched CVE-2016-1283)[4], php 5.6.20[5]
o languages: added Russian to the release, now 60% complete (contributed by Smart-Soft Ltd.)
o languages: updated Japanese, now 70% complete (contributed by Chie Taguchi)
o languages: updated German, now 81% complete
o languages: updated French, now 50% complete
o firewall: allow editing of up to 5000 aliases
o firewall: remove link to associated filter rule edit as edit is not allowed
o firewall: add port range check to aliases edit
o firewall: when alias URL SSL verification is off, do not verify the hostname either
o firewall: condense alias pages into a single view
o firewall: remember scrolling position to return to the previous position after edit
o firewall: alias import now supports type selection (network and host types)
o firmware: added German-based mirror (contributed by Alexander Lauster)
o system: load modules before setting tunables to support settings for modules
o system: fix boot issue that prevented SSH from starting up in some instances
o interface: do not show wireless parents on the assignment page as it cannot be assigned
o ipsec: individual collapse/expand for status page
o dhcp: allow backwards-compatibility with imported configs
o captive portal: fix missing busyTimeout on voucher database access
o openvpn: remember scrolling position to return to the previous position after edit
o proxy: HTTPS support added
o proxy: added ability to change the hostname and admin email (contributed by Frederic Lietart)
o proxy: avoid race condition on cache dir creation (contributed by Frederic Lietart)
o development: allow hiding of menu entries using the Visibility="delete" attribute


Stay safe,
Your OPNsense team

--
[1] http://mm.icann.org/pipermail/tz-announce/2016-March/000037.html
[2] https://curl.haxx.se/changes.html
[3] https://wiki.strongswan.org/projects/strongswan/wiki/Changelog54
[4] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1283
[5] http://php.net/ChangeLog-5.php#5.6.20
#366
Announcements / New images based on 16.1.8
March 31, 2016, 04:19:24 PM
Hello again,

The refreshed images for 16.1 (based on 16.1.8) have been pushed to the mirrors just now:

https://opnsense.org/download/

You can find the checksums attached at the end of this announcement.


Stay safe,
Your OPNsense team

#367
Hello everyone,

With the help of Shawn and Olivér from HardenedBSD we have finally incorporated the first piece of their wonderfully crafted improvements: Address Space Layout Randomization, or short ASLR. This change only affects the kernel and is now open for public testing.

Things to be aware of:

This is a call for testing that replaces the kernel. Use with care. The old kernel can still be booted from the early boot menu under option (5), selecting "kernel.old" and then continue the boot with option (1).

The kernel ABI changes, VMware and XEN plugins may not work at the moment. This problem can only be addressed once the kernel is in place and our packages use the new API. Manually compiled drivers may need to be recompiled against the current master of src.git.

The impact of the patch is minimal, the system will boot ok, continue to function normally and ASLR will be enabled as "opt-out", which means it will be on by default.

The next firmware upgrade will remove the test kernel and switch back to a vanilla version without ASLR. In those cases, the kernel needs to be reapplied.

To switch to the ASLR kernel:

# opnsense-update -kr 16.1.8-aslr && /usr/local/etc/rc.reboot

To switch back to the standard kernel:

# opnsense-update -k && /usr/local/etc/rc.reboot

I will ask Shawn to explain the impact of the patch a bit more as well as what it means for going forward.

On a more or less related note: consider me totally happy about this CFT :)


Have fun,
Franco
#368
16.7 Legacy Series / 16.7 development milestones
March 24, 2016, 02:49:32 PM
Hi everyone,

It's time to start the list of things we've done since 16.1 was released:

o SSL fingerprinting / blacklisting in the IDS/IPS
o Firewall rules category tags for easy filtering
o CPU temperature graph in system health
o Custom mirror support for firmware upgrades
o OpenVPN client-specific overrides can now be bound to selected servers
o Added RFC 4638 support (MTU > 1492 in PPPoE)
o NTP can now be disabled if required
o New category-based remote ACL support in proxy server
o ICAP configuration added to proxy server
o Pluggable service infrastructure
o Pluggable syslog infrastructure
o Finished a full sweep of visible GUI pages for improved look and feel
o HTTPS proxy support
o Russian translations 100% completed
o NetFlow export to multiple remote destinations
o NetFlow local reporting frontend
o PPTP, L2TP and PPPoE Servers ported to MPD5
o HAProxy plugin
o Traffic shaping with CoDel / FQ-CoDel
o Firewall alias geolocation support
o Cron GUI and API
o Japanese translations 100% completed
o Dashboard revamp with multi-column support, drag and drop and mini API
o RFC 6238 (TOTP) support for two-factor authentication
o HardenedBSD's ASLR implementation
o High availability page for remote service status and start/stop/restart
o API commands for remote reboot and power off
o Firmware page resume support and cron-based "nightly" updates
o opnsense-patch, the tremendously nifty patching tool
o Traffic graphs frontend has been replaced by a modern alternative
o PPTP, L2TP and PPPoE Servers are now individual plugins no longer found in the default installation
o Pluggable interface infrastructure
o New firewall page for custom scrubbing rules
o No more custom PHP modules
o FreeBSD 10.3
o UEFI/GPT boot media / install
o Suricata 3.1 with Hyperscan support


Cheers,
Franco
#369
Announcements / OPNsense 16.1.8 released
March 23, 2016, 03:30:31 PM
Hello there,

This quick 16.1.8 release is not a big update, but it means a lot. We have finished our full sweep of the GUI to update the look and feel of all pages and made the code ready for what is to come now: new features that are on our roadmap for 16.7. The first one will be the HTTPS proxy, but there is also NetFlow and improved statistics / reporting on the shortlist.

A day after 16.1.7 was out last week, FreeBSD 10.2-RELEASE-p14 was announced. Of the four patches enclosed, the two Hyper-V patches we have already brought to OPNsense over a month ago; the OpenSSH patch does not apply since we only use the port and already had it up-to-date. That leaves us with only one patch that we are shipping now to complete the experience.

Attention to everyone using OpenVPN + cryptodev acceleration: the cryptodev module along with older crypto drivers has been removed from the kernel itself, which means that if you need to keep using it, go to System: Settings: Misc and reconfigure your crypto hardware including an enable of cryptodev usage.

New images based on 16.1.8 will be out early next week.

Here are the full patch notes:

o src: updated tzdata to version 2016b[1]
o src: fix incorrect argument validation in sysarch[2]
o src: fix pfi_table_update: cannot set new addresses
o src: added APU2 temperature sensor support
o ports: unbound 1.5.8[3], sudo 1.8.16[4], pcre 8.38[5]
o proxy: better matching for overlapping URLs
o universal plug and play: refactored pages for improved look and feel
o vpn: refactored L2TP and PPTP pages for improved look and feel
o openvpn: fix missed configure stage for Peer to Peer (TLS/SSL) mode
o system: reworked the behaviour of thermal and crypto modules
o firewall: tweaked a few rule indicator icons to improve clarity
o firewall: improved alias validation on edit
o interfaces: also add previous DHCP override fixes for IPv6
o language: updated French and German


Stay safe,
Your OPNsense team

--
[1] http://mm.icann.org/pipermail/tz-announce/2016-March/000036.html
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:15.sysarch.asc
[3] http://www.unbound.net/download.html
[4] https://www.sudo.ws/stable.html#1.8.16
[5] http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
#370
Hi everyone,

We've finally gotten around to give the old VPN section a thorough refresh, especially with regard to removing the long deprecated MPD4 daemon in favour of the latest MPD5. Some things have changed, like the listen IP now requires you to select a configured IP (either real or via the Virtual IP functionality).

The iteration is not 100% complete as we still have a bit of kernel rework ahead of us, but we're confident this will be finished in the upcoming weeks. The plan is to move the legacy VPNs away from the base installations in 16.7 so that they can be optionally installed as a plugin if needed. These ideas go back as far as 15.1, when the good m0n0wall folks sparked such ideas and we're finally in a project state where such plugin capability can be easily achieved. :)

The first development version that has these changes is 16.7.a_651 which ships with 16.1.8 and can be installed through the usual method described here:

https://forum.opnsense.org/index.php?topic=917.0


Thank you for testing and inevitable/invaluable feedback,

Franco
#371
Announcements / OPNsense 16.1.7 released
March 16, 2016, 02:35:25 PM
Hi guys,

Time for a quick update! We are still polishing our non-MVC GUI pages to match the modern style of the MVC equivalents and fix a few minor bugs along the way. In these matters, we ask for your participation in critically reviewing the changes below in order to catch remaining issues as soon as possible. We expect to finish our full code sweep next week. After that we'll shift focus to work on new features.

The upgrades from 15.7.25 to 16.1.x briefly stalled with 16.1.6 due to a dormant incompatibility in the FreeBSD package management tool after flipping from 10.1 to 10.2, so we went ahead and made it all better. More precaution in our own update tools will hopefully prevent such unwanted breakage in the future, but we understand that these things can slip through. :)

New images are on the way shortly after 16.1.8. We are also introducing the new "opnsense-stable" firmware path and some cool upgrade features for our brave testers. More explanations will follow soon.

Here are the full patch notes:

o ports: pecl-radius 1.3.0[1], bind 9.10.3-P4[2], bsnmp-ucd 0.4.2[3], openssh-portable 7.2p2[4], sqlite 3.11.1[5]
o captive portal: add session timeout to status info
o firewall: fix non-report of errors when filter reload errors couldn't be parsed
o pppoe server: make service control buttons work with multiple instances
o wake on lan: reworked pages for a polished look and feel
o load balancer: reworked pages for a polished look and feel
o dashboard: better colouring for widget status bars
o dns filter: reworked page for a polished look and feel
o dns rfc2136: reworked pages for a polished look and feel
o igmp proxy: reworked pages for a polished look and feel
o system: routes diagnostics page ported to MVC
o proxy: adjust category visibility as not all of them were shown before
o firmware: fix an overzealous upgrade run when the package tool only changes options
o firmware: fixed the binary upgrade patch from 15.7.x in FreeBSD's package tool
o network time: reworked pages for a polished look and feel
o system: removed NTP settings from general settings
o snmp: refactored page for a polished look and feel
o access: let only root access status.php as it leaks too much info
o development: remove the automount features
o development: added in-place package upgrades using the upstream repository
o development: addition of "opnsense-stable" package on our way to nightly builds
o development: opnsense-update can now install locally available base and kernel sets


Stay safe,
Your OPNsense team

--
[1] https://pecl.php.net/package-changelog.php?package=radius
[2] https://kb.isc.org/article/AA-01363/81/BIND-9.10.3-P4-Release-Notes.html
[3] https://github.com/trociny/bsnmp-ucd/blob/master/CHANGELOG
[4] http://www.openssh.com/txt/release-7.2p2
[5] https://www.sqlite.org/releaselog/3_11_1.html
#372
Announcements / OPNsense 16.1.5 released
March 02, 2016, 07:28:43 PM
Dear friends and followers,

It pleases us to say that although we ship the latest OpenSSL 1.0.2g today, we have had both SSLv2 and SSLv3 support disabled in our installation for a long while, so older installations are also not affected by yesterday's announcement. On a slightly related note, LibreSSL was not affected at all.

With that out of the way, we also happily let you know that we are shipping RFC 4638 support with this stable release. We also push a fix for an upstream bug in Unbound and update Squid to the latest version... again. ;)

We have also announced the roadmap for 16.7. Take a look at our upcoming milestones:

https://opnsense.org/about/road-map/

And now, here are the full patch notes:

o ports: squid 3.5.15[1], unbound 1.5.7 hotfix[2], pkg 1.6.4 hotfix[3], openssl 1.0.2g[4]
o services: infrastructure rework for plugin additions
o openvpn: added copy/move to client-specific overrides
o openvpn: allow binding client-specific overrides to specific server(s)
o openvpn: service on/off toggle via overview pages
o openvpn: fix problem with service status display
o openvpn: when services are disabled, make sure a reconfigure will always stop the associated process
o vpn: transform PPTP, L2TP and PPPoE servers to plugin addition to be removed from base install for 16.7
o vpn: add proper service probing for PPTP, L2TP and PPPoE servers
o interfaces: added RFC 4638 support (MTU > 1492 in PPPoE)
o ntp: disable when no servers are set
o language: updates for Chinese, French and German


Stay safe,
Your OPNsense team
--
[1] http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5.15-RELEASENOTES.html
[2] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=729
[3] https://github.com/freebsd/pkg/issues/1394
[4] https://www.openssl.org/news/secadv/20160301.txt
#373
Hi everyone,

This may be of interest to some of you, the first version of the SQM support in FreeBSD has been announced/released:

https://lists.freebsd.org/pipermail/freebsd-ipfw/2016-February/006026.html

There is a patch for FreeBSD 10.x so we took the liberty of building a test kernel for amd64 if anyone wants to try the command line setup. Instructions can be found in the feature ticket on GitHub:

https://github.com/opnsense/core/issues/505


Cheers,
Franco
#374
Hi everyone,

All DHCP pages and their respective configuration generation code have been reworked. If you can, please give the development version a try to see if your configs are still working as expected or whether there are any GUI areas that still need attention.

Furthermore, DNS Forwarder (dnsmasq) and Resolver (unbound) pages have been reworked and numerous bugs in conjunction with DHCP lease registration have been fixed. From our tests, static and dynamic leases are now pushed to both services correctly.

These changes are on opnsense-devel version 16.7.a_419.

See this guide on how to switch your running system to the development version:

https://forum.opnsense.org/index.php?topic=917.0


Thanks,
Franco
#375
Announcements / OPNsense 16.1.4 released
February 24, 2016, 01:01:44 PM
Hello there,

We pop in for a short stable update, namely 16.1.4. Squid has been updated to 3.5.14 and received a GUI entry for maximum_object_size to define since the default has been reported as a wee bit too small.

In other news, the final roadmap for 16.7 will be unveiled later this week after much internal discussion. Our main goals are to finish a full code audit, further alignment with FreeBSD and a few tiny surprises. :)

Here are the full patch notes:

o ports: squid 3.5.14[1]
o dhcp: fix menu expand with IPv6 configuration
o captive portal: fix database timeout lock message
o interfaces: fix expand/collapse on status page for Edge
o proxy: add maximum_object_size setting for squid
o load balancer: improve filter reload to prevent traffic lockout (contributed by Frank Wall)
o layout: fix searchable dropdown truncation with IE
o firewall: fix action buttons on alias edit
o menu: updated help menu entries


Stay safe,
Your OPNsense team

--
[1] http://www.squid-cache.org/Versions/v3/3.5/changesets/SQUID_3_5_14.html
#376
Hi guys,

The latest development version finally offers GUI support for RFC 4638, we appreciate any help in testing this so it can be merged into 16.1.4 or 16.1.5 for general availability.

The feature ticket is here: https://github.com/opnsense/core/issues/572

The RFC for the avid reader can be found here: https://tools.ietf.org/html/rfc4638


Cheers,
Franco
#377
Announcements / OPNsense 16.1.2 released
February 05, 2016, 01:39:42 PM
Hi guys,

It is time for a swift update for our dear Hyper-V users. There is a packet forwarding regression in FreeBSD 10.2 that has not been added as errata yet so we had to pin it down with the help of three brave testers. If you happen to want to run Hyper-V without going through the issue, install from an older 15.7 image and upgrade directly to avoid the bad version.

To improve upon Suricata 3.0 and the SSL fingerprint lists we are now enabling users to add user-defined rules for adding and enforcing their own fingerprints. But wait, that is not all. On top of that the IP geolocation feature was added as well while at it. :)

Otherwise, only smaller bugs have been addressed to make 16.1 look even shinier. The FreeBSD security advisory for OpenSSL got integrated too, but is not of much concern since we consistently use the ports version for our components. The important fixes have been shipped with 16.1.1 back on Monday.

Here are the full patch notes:

o src: OpenSSL SSLv2 ciphersuite downgrade vulnerability[1]
o src: Fix packet forwarding in Hyper-V netvsc driver[2]
o src: Honour disabled pf(4) log flag on dropped packets with IP options[3]
o ports: curl 7.47.0[4], nettle 3.2[5]
o wizard: fix certificate generation for OpenVPN
o firewall: fix interface selection on post issues in floating rules
o firewall: make category filter multi-select for maximum convenience
o firewall: do not hide gateways from the gateway selection
o firewall: added null routes to the gateway selection
o firewall: rather than hiding associated nat rules, remove their edit and clone buttons so they can still be deleted manually
o dns resolver: fix $numprocs setting in config according to manual
o dns resolver: do not render illegal output for empty IPv6 addresses
o dhcp: applying static mappings with DNS resolver enabled no longer seems stuck in apply step
o search: resize box on focus and also propagate proxy server tabs
o system: fix inversion bug of the default pass logging setting
o captive portal: properly log messages to associated log file
o intrusion detection: can now add user rules based on SSL fingerprints and IP geolocation


Stay safe,
Your OPNsense team

--
[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:11.openssl.asc
[2] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203630
[3] https://reviews.freebsd.org/D3222
[4] https://curl.haxx.se/changes.html
[5] https://fossies.org/diffs/nettle/3.1.1_vs_3.2/ChangeLog-diff.html
#378
Announcements / OPNsense 16.1.1 released
February 02, 2016, 09:05:17 AM
Hi guys,

Today we are following up on the OpenSSL advisories. LibreSSL wasn't affected (surprise, surprise), but received a tiny fix to sync up with the deprecation of the high-severity SSL_OP_SINGLE_DH_USE option of its sibling.

In other news we are adding a few minor fixes along with all-new SSL-centric rulesets for the intrusion prevention courtesy of abuse.ch[3]. Protect your assets, they are worth it!

Without fuzz, here are the full patch notes:

o ports: libressl 2.2.6[1], openssl 1.0.2f[2]
o intrusion prevention: add SSL fingerprint blacklist and other abuse lists (courtesy of abuse.ch[3])
o captive portal: limit the max vouchers per call
o captive portal: change voucher download filename to match group name
o captive portal: strip bad characters from group name
o captive portal: fix multiple voucher generation
o firewall: add rule categorisation tag field
o search: tweak padding to align with right visual border
o console: fix halt script to show product name again
o firmware: revoked the old 15.7 update fingerprint
o interfaces: fix VLAN edit page to show the correct page name
o squid: fix authentication script permission regression
o dashboard: remove non-authoritative hardware crypto probing
o system: do not accept an authentication server with an empty name
o system: added hint that device polling setting needs reboot (contributed by Olivier Paroz)
o system: assorted translation fixes (contributed by Fabian Franz)
o logging: unhide IGMP packets from firewall log view (contributed by Isaac Levy)


Stay safe,
Your OPNsense team

--
[1] http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.6-relnotes.txt
[2] https://www.openssl.org/news/secadv/20160128.txt
[3] https://www.abuse.ch/
#379
Announcements / OPNsense 16.1 released
January 28, 2016, 04:07:00 PM
Welcome back!

No, we would not say it was easy getting here, but booting into 16.1 for the first time sure is as relieving (and exciting) as it could get for our project growing beyond what we had ever imagined. It has been more than a year since OPNsense first came out. Back then it was FreeBSD 10.0. Not even two months after, 10.1 was introduced along with the opnsense-update utility. Today is the day for FreeBSD 10.2, the latest and greatest release currently available for broader driver support and stability improvements.

16.1 is nick-named "Crafty Coyote" in honour of our beloved childhood TV sessions. It is the accumulation of 6 months of work, having had our focus on reengineering the captive portal, native intrusion prevention, plugin support, and transforming the reporting frontend into something more modern and flexible just to name a few[1]. Apart from the recently published security advisories (see patch notes below), we have included a quick navigation feature which can be activated by pressing (TAB) followed by search keywords and hitting (ENTER) to go to the desired page. Last but not least, a larger batch of improvements and fixes went into assorted sections of the GUI that certainly help to get your work done without ending up dazed and confused.

Speaking of clearing things up, there is more... While Ad, Franco and a couple of amazing external contributors have been busy writing and reviewing code, Jos worked in the shadows to bring to you a fully revised set of project documentation in the form of an online handbook[2]. More content will follow as we slow down development speed a bit in order to catch up. We will have to see how that works out. ;)

Another thing we have noticed is that translations are hard! We have planned to finish a translation for this iteration, but the sheer amount of work overwhelmed even the sizeable German translation team. The German translation is now at 77% completed with Japanese, Chinese and French chasing tails. If you want to help drop us a line at project@opnsense.org for details on how to contribute.

All images have been pushed as well, although it may take a bit more time to reach a mirror near you. You can find the checksums attached at the end of this announcement.

https://opnsense.org/download/

Finally, here are the full patch notes:

o src: FreeBSD 10.2-RELEASE-p11[4]
o bootstrap: can now update from any available FreeBSD 10 release
o ports: libarchive 3.1.2_6[5], Suricata 3.0[6], squid 3.5.13[7], bind 9.10.3P3[8], sqlite 3.10.2[9], ntp 4.2.8p6[10]
o firewall: lock source / destination port settings when neither TCP nor UDP is selected
o firewall: simplify the outbound page to hide unwanted items and zap complicated explanations (contributed by Manuel Faux)
o firewall: do not leak floating rules into other interface tabs
o firewall: add clear button to all log file types
o firewall: hide NAT rules from normal rules screen
o firewall: removed the unsupported dscp rule option
o firewall: display alias descriptions as tooltips (contributed by Manuel Faux)
o universal plug and play: switch to secure mode as the new default
o unbound: add MX entries to host overrides (contributed by Manuel Faux)
o gateways: always save the monitor IP regardless of monitoring being on or off
o gateways: properly add and remove routes for monitors on toggle
o backend: fix harmless error message caused by a sample template
o high availability: allow specification of a different port for synchronisation
o high availability: special characters are now being properly preserved
o high availability: added new captive portal and traffic shaper as sync options
o high availability: reworked and pruned the client synchronisation
o firmware: optional php extensions now peacefully coexist with preinstalled extensions
o firmware: update plugin list on refresh to reveal available plugin list
o intrusion detection: adds intrusion prevention mode for netmap(4) devices (must disable Hardware CRC manually)
o captive portal: completely rewritten on top of our new components
o proxy: hook up remote ACL settings to translation engine (contributed by Fabian Franz)
o proxy: add support for compressed ACLs (.gz, .tar.gz, .tgz, .zip)
o proxy: fix toggle for storage log
o ipsec: improve display of tunnel overview
o openvpn: provide full ca chain on client export (contributed by Manuel Faux)
o openvpn: fix engine detection for LibreSSL
o layout: all tooltips and icons of action buttons have been updated for proper look and feel (contributed by Manuel Faux)
o layout: added the infamous quick navigation feature
o layout: consolidated the display of the upper right corner (user@host.domain)
o interfaces: reworked all the pages for proper look and feel
o interfaces: ARP and NDP tables have been rewritten and now properly show vendor info
o login: improved look and feel
o dashboard: rss widget has been reworked and its library has been updated to a new version
o config: recover last backup automatically on broken xml
o menu: properly aligned submenu icons
o system: removed XDebug package from the default installation

We thank all our contributors and users for their ongoing love and support. <3


Cheers,
Ad, Franco and Jos

--
[1] https://opnsense.org/about/road-map/
[2] https://docs.opnsense.org/
[3] https://pkg.opnsense.org/releases/mirror/README
[4] https://www.freebsd.org/releases/10.2R/announce.html
[5] https://vuxml.freebsd.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html
[6] http://suricata-ids.org/2016/01/27/suricata-3-0-available/
[7] http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5.13-RELEASENOTES.html
[8] https://kb.isc.org/article/AA-01346/81/BIND-9.10.3-P3-Release-Notes.html
[9] http://www.sqlite.org/changes.html
[10] http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

#380
Good day everyone,

TLDR: While the stable release is being maintained, each stable release also bundles a development version which can be accessed from the GUI using System: Firmware: Settings: Release type "Development". We encourage everyone who can spare a helping hand to review the development release with us to produce better community releases.

We're trying something new for 17.1 with regard to the ongoing 17.1 development period during what is also known as the 16.1 production period (February 2016 - July 2016).

While the release version will continue with the known versioning scheme 16.1.x, the development version is made up of three different phases prior to becoming 17.1 (and 17.1.x after that):

Alpha (17.1.a): The first phase of development, which is carried out in the first 3 months of our development cycle. In this phase, larger reworks are carried out that may need a few weeks to stabilise and may not be suited for production environments just yet. A typical change would be a FreeBSD version switch or rework of a crucial subsystem like the configuration management backend (config.xml) or 16.1's captive portal switch. Basically anything that may remove or replace original code without backwards compatibility. We focus on achieving a seamless binary upgrade path, but do not provide official images.

Beta (17.1.b): The second phase of our development cycle, which may or may not be the middle two months depending on the alpha phase. In this phase, we look for wider testing and stabilisation. Bigger feature additions are still being done in this phase depending on roadmap progress and scope, but removals are kept to a minimum. Beta images may be provided publicly, by no means intended to be complete or flawless. This helps us to gather feedback early on topics that include installation or hardware compatibility.

Release Candidate (17.1.r): The third and last phase of our development cycle, which is carried out in the last month prior to the real release. In this phase, only small reworks and bugfixes are allowed. The translations are being frozen to enable translators to prepare the final release. Several image sets are provided in this phase. Everyone is encouraged to preview and/or run the next version in a production environment to make the actual release transition as smooth as humanly possible.

We are aware that this is nothing new and don't want anyone to think that. In fact, we're using this generally accepted system to provide more transparency for the upcoming version. Also note that these phases are meant as general guidelines and may be subject to change over time.

Questions? Just ask. :)


Cheers,
Franco