Topics

1

Announcements / OPNsense 22.1.9 released

« on: June 23, 2022, 03:16:28 pm »

Howdy,

Today we are addressing kernel memory leaks that occur when
reading firewall rule information from the system.  It seems
that these leaks even slipped into the FreeBSD 13.1 release
so we are happy to see them fixed now.

22.7 is very much on track.  Our final target is getting ready
for the PHP 8 upgrade but the timing is unclear as we wait for
an official Phalcon 5 release version that supports it.

Other than that please enjoy the summer and hydrate responsibly.

Here are the full patch notes:

o system: improve gateway subnet validation to fix IPv6 edge cases
o system: dpinger support for IPv6 aliases
o system: support 1500000 baudrate selection for ARM
o system: non-functional cleanups for upcoming move to PHP 8
o interfaces: add unique constraint for tag+if on VLANs
o firewall: bring back missing toggle button in aliases
o firewall: exclude internal aliases on import
o firewall: fix alias removal
o captive portal: add missing validation message for empty interface selection
o dhcp: revert back to not adding an IP to static lease creation from leases page
o openvpn: add domain search option to servers and overrides
o unbound: disabling the first DNS override entry invalidates config
o unbound: make blocklist additions/removals dynamic to prevent a restart
o unbound: zero_ttl is no longer a valid statistic (contributed by David Mora)
o plugins: os-ddclient 1.7[1]
o plugins: os-debug 1.5 fixes deprecated xdebug syntax
o plugins: os-frr 1.29[2]
o plugins: os-nginx 1.28[3]
o plugins: os-wireguard 1.11[4]
o src: pf: fix memory leaks in nvlist usage
o src: pf: stop resolving hosts as dns that use ":" modifier
o src: e1000: Increase rx_buffer_size to 32b
o src: igc: Increase rx_buffer_size local variable to 32b
o src: assorted non-functional cleanups and typo corrections
o ports: krb5 1.20[5]
o ports: lighttpd 1.4.65[6]
o ports: nss 3.79[7]
o ports: openvpn 2.5.7[8]
o ports: php 7.4.30[9]
o ports: py-certifi 2022.5.18.1
o ports: sqlite3 3.38.5[10]
o ports: sudo 1.9.11p2[11]
o ports: unbound 1.16.0[12]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/22.1/dns/ddclient/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/22.1/net/frr/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/22.1/www/nginx/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/22.1/net/wireguard/pkg-descr
[5] https://web.mit.edu/kerberos/krb5-1.20/
[6] https://www.lighttpd.net/2022/6/7/1.4.65/
[7] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.79_release_notes
[8] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.7
[9] https://www.php.net/ChangeLog-7.php#7.4.30
[10] https://sqlite.org/releaselog/3_38_5.html
[11] https://www.sudo.ws/stable.html#1.9.11p2
[12] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-0

2

Announcements / OPNsense business edition 22.4.1 released

« on: June 07, 2022, 06:02:42 pm »

This business release is based on the OPNsense 22.1.7 community version
with additional reliability improvements.

Here are the full patch notes:

o system: set up all DNS system routes from system_resolvconf_generate()
o system: tunables without hierarchy are just "environment" variables
o system: use PHP random_bytes() builtin (contributed by oittaa)
o system: support cd9660 file system in opnsense-importer
o system: prevent gateway monitoring from entering a "filter reload" loop
o system: only restore missing or zero size ACL files
o reporting: add ACPI and ARM temperature support to health data
o reporting: do not rely on /var/run/booting test in system health backend code
o reporting: fix validation in NetFlow settings
o interfaces: interface_ppps_configure() remove boot-time side effect
o interfaces: DHCPv6 advanced has a different flag to disable NA
o interfaces: add technical interface ID display to assignments page
o firewall: make rule parsing more consistent as x:any and any:y are valid port options
o captive portal: simplify the voucher generation code (contributed by oittaa)
o dhcp: support supplying iPXE filename
o firmware: exclude revision matching from latest changelog version check
o firmware: list locked packages in health audit
o firmware: bypass cache with timestamp in "upgradestatus" call (contributed by gibwar)
o firmware: lowercase search in plugins/packages
o intrusion detection: fix log file ACL mismatch
o ipsec: squelch spurious errors on stderr for backend status action
o ipsec: mark non-sortable columns
o openvpn: change filetype of export to text/ovpn
o unbound: add custom forwarding and overrides MVC pages
o unbound: add missing alias description
o unbound: change overrides grid label when no results are returned
o unbound: domain override IP may contain port information
o unbound: fix ACL for overrides
o unbound: fix handling of wildcard aliases (contributed by devin122)
o unbound: fix overrides case sort order (contributed by NYOB)
o unbound: properly support "_msdcs" domain override prefix
o unbound: restore duplicate domain behaviour in overrides
o unbound: show combined hostname.domain description in new alias popup
o unbound: updated no coin list (contributed by Luis Nachtigall)
o unbound: disabling the first DNS override entry invalides config
o mvc: Phalcon 5 migration layer to reduce dependencies on Phalcon builtins
o mvc: add generic searchRecordsetBase() to match existing searchBase()
o mvc: safeguard multi_sort in searchRecordsetBase()
o mvc: fix two regressions and deprecate __items
o plugins: os-OPNBEcore 1.0.2 cleans up LDAP sync task
o plugins: os-OPNProxy 1.0.2 fixes newline issue in template
o plugins: os-OPNcentral 1.5[1]
o plugins: os-acme-client 3.10[2]
o plugins: os-bind 1.23[3]
o plugins: os-chrony 1.5[4]
o plugins: os-ddclient 1.5[5]
o plugins: os-dnscrypt-proxy 1.12[6]
o plugins: os-frr 1.28[7]
o plugins: os-relayd 2.7 adds listen address and port range to virtual servers
o plugins: os-zabbix-agent 1.12[8]
o plugins: os-zabbix-proxy 1.8[9]
o src: tcp: rewind erroneous RTO only while performing RTO retransmissions
o src: bnxt: Allow bnxt interfaces to use VLANs
o src: rc: use _pidcmd to determine pid for protect
o ports: curl 7.83.1[10]
o ports: expat 2.4.8[11]
o ports: libxml 2.9.13[12]
o ports: monit 5.32.0[13]
o ports: nss 3.78[14]
o ports: pcre2 10.40[15]
o ports: php 7.4.29[16]
o ports: phpseclib 2.0.37[17]
o ports: pkg 1.17.5[18]
o ports: python 3.8.13[19]
o ports: suricata 6.0.5[20]


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/vendor/deciso/opncentral.html?highlight=opncentral#multi-tenancy-using-host-groups
[2] https://github.com/opnsense/plugins/blob/stable/22.1/security/acme-client/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/22.1/dns/bind/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/22.1/net/chrony/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/22.1/dns/ddclient/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/22.1/dns/dnscrypt-proxy/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/22.1/net/frr/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/zabbix-agent/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/zabbix-proxy/pkg-descr
[10] https://curl.se/changes.html#7_83_1
[11] https://github.com/libexpat/libexpat/blob/R_2_4_8/expat/Changes
[12] http://www.xmlsoft.org/news.html
[13] https://mmonit.com/monit/changes/
[14] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.78_release_notes
[15] https://www.pcre.org/changelog.txt
[16] https://www.php.net/ChangeLog-7.php#7.4.29
[17] https://github.com/phpseclib/phpseclib/releases/tag/2.0.37
[18] https://github.com/freebsd/freebsd-ports/commit/18793d10585f
[19] https://docs.python.org/release/3.8.13/whatsnew/changelog.html
[20] https://forum.suricata.io/t/suricata-6-0-5-and-5-0-9-released/2415

3

22.1 Production Series / [CALL FOR TESTING] FreeBSD 13.1 / 22.7 operating system preview

« on: May 25, 2022, 08:53:28 pm »

Hi all,

Quick kudos to FreeBSD people for smooth managing of 13.1 this time around that also fits our release window nicely. The release notes can be found here:

https://www.freebsd.org/releases/13.1R/relnotes/

Since 22.1 is based on 13-STABLE some changes may already be included as documented therein. Yet the plan for 22.1 was to stay as close to 13.1 as possible so the next phase of the plan goes forward as we adopt the actual 13.1 code base for the upcoming 22.7 release series. We also managed to upstream a few small things so we can get rid of a bit of custom patching in our source code.

As such, the operating system between 22.1 and 22.7 is interchangeable so for anyone wondering about new features or driver changes there now is a public beta test to preview. The command to install is as follows:

# opnsense-update -bkzr 22.7.b
# opnsense-shell reboot

(reboot now or later, but must reboot to load the new OS)

For anyone looking to switch back the firmware upgrade will try to move you back to 22.1.x base/kernel sets unless you lock both packages from the firmware GUI page.

Note of care for kmod users (specifically Realtek and WireGuard within our immediate reach):

Your kernel module was built for an older FreeBSD version and may not work correctly or outright refuse to load upon reboot. Your only choice is to rebuild it from the correct source version or revert back to 22.1.x.

Feedback? Questions? Happy testing!


Cheers,
Franco

4

Announcements / OPNsense 22.1.8 released

« on: May 25, 2022, 11:17:04 am »

Good morning,

Small reliability update which also includes a rework for firewall alias
handling and preformance.

Later today we will also publish a call for testing for the upcoming 22.7
operating system base using FreeBSD 13.1.  It is going to be compatible
with this 22.1.x series and existing feedback about it is promising so far.

Here are the full patch notes:

o system: only restore missing or zero size ACL files
o system: support plugin device reconfiguration in pluginctl utility
o system: prevent gateway monitoring from entering a "filter reload" loop
o system: use password_verify() in authenticators (contributed by oittaa)
o system: hide password from command line during config encryption
o interfaces: add technical interface ID display to assignments page
o firewall: various usability and visibility improvements for aliases
o firewall: performance improvement for large numbers of port type aliases
o firewall: simplify sort and add natural sorting in alias diagnostics
o captive portal: add extendedPreAuthData for MAC address retrieval during authentication
o dhcp: refactor IPv4 lease removal and purge static leases before starting service
o dhcp: allow custom configuration from directories
o firmware: bypass cache with timestamp in "upgradestatus" call (contributed by gibwar)
o firmware: lowercase search in plugins/packages
o intrusion detection: fix log file ACL mismatch
o ipsec: squelch spurious errors on stderr for backend status action
o unbound: add custom "destination address" as advanced option for blocklists
o mvc: distinct between HTTP errors 401 and 403 during authentication
o mvc: call microtime(true) only once during config save (contributed by csbyte)
o plugins: os-acme-client 3.11[1]
o plugins: os-nginx 1.27[2]
o plugins: os-postfix 1.22[3]
o src: tcp: rewind erroneous RTO only while performing RTO retransmissions
o src: bnxt: Allow bnxt interfaces to use VLANs
o src: rc: use _pidcmd to determine pid for protect
o ports: curl 7.83.1[4]
o ports: sqlite 3.38.2[5]
o ports: strongswan 5.9.6[6]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/22.1/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/22.1/www/nginx/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/22.1/mail/postfix/pkg-descr
[4] https://curl.se/changes.html#7_83_1
[5] https://sqlite.org/releaselog/3_38_2.html
[6] https://github.com/strongswan/strongswan/releases/tag/5.9.6

5

Announcements / OPNsense 22.1.7 released

« on: May 10, 2022, 02:45:09 pm »

Hi there,

This is a small maintenance release which fixes known vulnerabilities in
OpenSSL et al.  Note that we are preparing for upgrade of Phalcon 5 framework
and PHP 8.0 inclusion on our way to 22.7.

Here are the full patch notes:

o system: tunables without hierarchy are just "environment" variables
o system: use PHP random_bytes() builtin (contributed by oittaa)
o system: support cd9660 file system in opnsense-importer
o reporting: fix validation in NetFlow settings
o interfaces: interface_ppps_configure() remove boot-time side effect
o interfaces: include VIPS for primary IPv4 detection
o interfaces: DHCPv6 advanced has a different flag to disable NA
o firewall: add missing range validation to alias host type
o firewall: make rule parsing more consistent as x:any and any:y are valid port options
o captive portal: simplify the voucher generation code (contributed by oittaa)
o firmware: list locked packages in health audit
o ipsec: mark non-sortable columns
o openvpn: change filetype of export to text/ovpn
o unbound: updated no coin list (contributed by Luis Nachtigall)
o unbound: change overrides grid label when no results are returned
o unbound: restore duplicate domain behaviour in overrides
o mvc: safeguard multi_sort in searchRecordsetBase()
o mvc: prevent silent crashes in legacy XML attribute emulation
o mvc: Phalcon 5 migration layer to reduce dependencies on Phalcon builtins
o mvc: fix two regressions and deprecate __items
o plugins: os-acme-client 3.10[1]
o plugins: os-bind 1.23[2]
o plugins: os-dnscrypt-proxy 1.12[3]
o plugins: os-frr 1.28[4]
o plugins: os-relayd 2.7 adds listen address and port range to virtual servers
o plugins: os-zabbix-agent 1.12[5]
o plugins: os-zabbix-proxy 1.8[6]
o ports: curl 7.83.0[7]
o ports: nss 3.78[8]
o ports: openssl 1.1.1o[9]
o ports: pcre2 10.40[10]
o ports: php 7.4.29[11]
o ports: pkg 1.17.5[12]
o ports: suricata 6.0.5[13]


Stay safe,
Your OPNsense team
--

[1] https://github.com/opnsense/plugins/blob/stable/22.1/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/22.1/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/22.1/dns/dnscrypt-proxy/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/22.1/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/zabbix-agent/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/zabbix-proxy/pkg-descr
[7] https://curl.se/changes.html#7_83_0
[8] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.78_release_notes
[9] https://www.openssl.org/news/openssl-1.1.1-notes.html
[10] https://www.pcre.org/changelog.txt
[11] https://www.php.net/ChangeLog-7.php#7.4.29
[12] https://github.com/freebsd/freebsd-ports/commit/18793d10585f
[13] https://forum.suricata.io/t/suricata-6-0-5-and-5-0-9-released/2415

6

Announcements / OPNsense business edition 22.4 released

« on: April 26, 2022, 04:53:00 pm »

The OPNsense business edition successfully transitions to this 22.4 release
with a new API-capable VLAN interface including QinQ support, FreeBSD 13 and
many other improvements.  Please make sure to read the migration notes before
upgrading.

Download link is as follows.  An installation guide[1] and the checksums for
the images can be found below as well.

https://downloads.opnsense.com/

This business release is based on the OPNsense 22.1.4 community version
with additional reliability improvements.

Here are the full patch notes:

o system: improved visibility and flexibility of tunables
o system: move multiple sysctl manipulations to tunables framework to allow overriding them
o system: prevent more than one default route by default
o system: sync recovery utility contents with FreeBSD 13
o system: add severity to syslog output and allow to filter for it
o system: create latest.log links for easier log consumption
o system: added opnsense-log utility to inspect logs on the console
o system: removed circular logging support
o system: background all cron backend command invokes
o system: unified cron start between legacy and MVC components
o system: improve the fallback after failing to look up specific IPv4 address match for dpinger
o system: use correct IPv6 interface for dpinger gateway monitoring when using 6RD
o system: default net.inet6.ip6.intr_queue_maxlen to 1000 like its IPv4 counterpart
o system: default net.inet6.ip6.redirect to off like its IPv4 counterpart
o system: fix potential issues with "search" syntax in resolv.conf
o system: fix general settings PHP warnings that only appear when validation fails
o system: allow additional search domain (Pierre Fevre)
o system: make /var MFS work when /var directories are mount points, e.g. on ZFS
o system: optionally disconnect PPP interfaces when going into CARP backup mode
o system: fix new PPP CARP hook function call (contributed by Markus Reiter)
o system: separate core and thread count in information widget
o system: MSDOS file system awareness in information widget for new /boot/efi partition
o system: no longer display duplicated mounted partitions on the dashboard
o system: refactor GUI rebind protection and remove its os-dyndns/os-rfc2136 references
o system: allow to configure SSH setting PubkeyAcceptedAlgorithms (contributed by Manuel Faux)
o system: add backward compatibility for reading logs without severity by default (contributed by kulikov-a)
o system: fix typo causing PHP warning on IPv6 login (contributed by ppascher)
o system: add a sysctl cache to improve tuneable overview load time
o system: replace obsolete find_interface_network*() use in GUI
o system: allow severity levels in PHP log messages and mark authentication success messages as notice
o system: Intel QuickAssist Technology (QAT) crypto module selection and support multiple selection
o system: AESNI crypto module is a kernel-builtin since 22.1 and no longer needs to be selected to work
o system: enable library support of PCRE JIT included since 22.1.1
o system: limit rowCount in log viewer (contributed by kulikov-a)
o system: unify system tunables handling and tweak UX of the respective GUI page
o system: no longer default to hw.uart.console use in factory configuration
o system: remove console mute use from boot sequence
o system: fix return code on factory port assignment to prevent configuration loop
o system: remove "all" group handling code forgotten in 2015
o system: prefer configured IP address family use earlier on boot
o system: allow boot to perform generic UFS/ZFS grow using the /.probe.for.growfs marker file
o system: import ZFS pools before mounting ZFS datasets
o system: added the correct content-type for the dashboard plugins feed (contributed by Bo Frederiksen)
o system: obsolete plugins calling missing functions shall not produce fatal errors
o system: properly clear legacy files when clearing log files
o reporting: fill missing insight data with zeros
o reporting: use asynchronous DNS resolver for reverse lookups on traffic page
o interfaces: LAGG support in console port assignment (contributed by sarthurdev)
o interfaces: improve LAGG/VLAN assignments via console option
o interfaces: repair get_interface_list() for console use
o interfaces: aligned the name and use of special /tmp files for internal interface handling
o interfaces: correctly write nameserverv6 and searchdomainv6 information on dhcp6c lease acquire
o interfaces: make cache IP files exclusive to rc.newwan and rc.newwanv6 scripts to avoid missing IP changes
o interfaces: refactored linkup event handler to avoid unnecessary recursion in the code
o interfaces: removed opportunistic functions find_interface_ip(), find_interface_ipv6() and find_interface_ipv6_ll()
o interfaces: get_interface_ip() and get_interface_ipv6() now return a valid IP address if one was given to support VIP aliases
o interfaces: interfaces_addresses() can now map a configuration interface to returned addresses to track its origin
o interfaces: VIPs now support the "no bind" option to exclude them from automatic service use when configured
o interfaces: interfaces_primary_address() is now being used like its IPv6 equivalent throughout the code
o interfaces: interfaces_primary_address6() is now considering addresses from tracking interfaces when needed
o interfaces: interfaces_scoped_address6() is now being used throughout the code
o interfaces: "tentative" state now leads to the address being ignored during configuration like "deprecated"
o interfaces: removed unmaintained 3G statistics gathering for Huawei modems that could lock up other modems
o interfaces: reworked interface creation on boot up
o interfaces: spoof MAC now only applies to actual interface and not all of its VLAN siblings or parent
o interfaces: added permanent promiscuous mode setting
o interfaces: add the interface description via ifconfig to its respective device
o interfaces: stop special treatment of bridge interfaces on linkup
o interfaces: improve validations and fix defaults for bridges
o interfaces: allow bridges to attach to VXLAN on boot
o interfaces: background all interface reconfiguration script hooks
o interfaces: no longer allow and apply media configuration for non-parent devices
o interfaces: removed restriction from interfaces without configuration to not being able to hold VIPs
o interfaces: remove defunct link support for GRE
o interfaces: align GIF configuration with base system options
o interfaces: fix default handling for VIP nobind option
o interfaces: allow VIP nobind feature on CARP addresses
o interfaces: stop mpd5 daemon before starting
o interfaces: always show interface in GIF and GRE overview even on VIP use
o interfaces: fix GIF and GRE VIP use loading order in IP alias cases
o interfaces: remove device creation side effect from bridge, LAGG, GIF, GRE and VLAN GUI pages
o interfaces: replace obsolete find_interface_network*() use in GUI
o interfaces: assignments should take OpenVPN into account
o interfaces: only ever store nobind for ipalias/carp
o interfaces: align IPv4 address statistics read with IPv6
o interfaces: simplify device destroy code
o interfaces: avoid use legacy_get_interface_addresses() in MAC address read
o interfaces: remove unused opportunistic interface address functions
o interfaces: resolve device/interface interdependency on boot
o interfaces: do not update VIPs on dynamic address changes
o interfaces: remove unused reference and return value from interface_carp_configure()
o interfaces: remove unused reference from interface_ipalias_configure()
o interfaces: stop IPv6 from reacting to simple stop/detach/down events via rc.linkup
o interfaces: introduce ifctl helper for future use
o interfaces: loopback "lo0" exists for VIPs
o interfaces: only strip addresses on configured IP types
o interfaces: use new ifctl utility for DHCPv6 IP type and add manual page
o interfaces: adjust MTU configuration when parent also requires MTU changes
o interfaces: VLAN MVC conversion with API and QinQ support
o interfaces: cleanup surrounding LAGG function use
o interfaces: bring back strict reordering of VIPs during dynamic address acquire
o interfaces: hint at missing apply when trying to add a new interface in assignment page
o interfaces: VLAN UX changes include better tag and parent visibility and handling
o interfaces: improve VLAN parent selection for batch changes to allow for a single apply
o interfaces: do not assume exclusive use of router file in IPv6 PPPoE case
o interfaces: for symmetry with PPPoE do not reload WAN when address disappears
o firewall: properly kill all connections from and to a WAN IPv4 on an address change
o firewall: display interface descriptions on normalisation rules (contributed by vnxme)
o firewall: dynamic IPv6 host alias support (contributed by Team Rebellion)
o firewall: removed obsolete kill states option on gateway failure
o firewall: plain log default logging severity selection is now "informational"
o firewall: improve maximum shaper value validation and add Gbit/s support
o firewall: remove ruleset optimization support which did not work since rule labels are mandatory for live log
o firewall: encode rules names in aliases (contributed by kulikov-a)
o firewall: check state before selecting categories (contributed by kulikov-a)
o firewall: synchronise "disabled" flag on linked firewall rule of port forward
o firewall: local file corruption might prevent alias to be loaded
o firewall: default pass all loopback without state tracking
o firewall: exclude localhost stateless traffic from default logging (contributed by kulikov-a)
o firewall: using port type aliases the "enable" flag was ignored when not enabled
o firewall: add support for SYN cookies
o firewall: allow per-rule adaptive timeouts (contributed by kulikov-a)
o firewall: constrain default CARP allow rules to those defined in RFC 5798
o firewall: make sure that rule use of gateways (route-to) and reply-to are mutually exclusive
o firewall: tighten alias FQDN validation to avoid accepting mistypes such as "192.168.01.1"
o firewall: add missing range validation to alias host type
o firewall: fix sessions page ACL
o firewall: adjust default deny label to include mention of possible state violation
o captive portal: prevent cleansing password field
o dhcp: allow for ARM architectures in network boot options (contributed by Keith Cirkel)
o dhcp: allow router advertisements to use a specific link-local VIP alias
o dhcp: avoid use of find_interface_network() et al
o dhcp: change prefix watcher to work without circular logging now that it is gone
o dhcp: fix implode() call (contributed by Clement Moulin)
o dhcp: refactor the IPv4 and IPv6 configuration pages and add minimal subnet size requirement hints
o dhcp: replace obsolete find_interface_network*() use in GUI
o dhcp: rework router advertisement "static" mode flags to separate advanced options
o dhcp: stream-read log and leases files for "dhcpd update prefixes" action
o dhcp: added reload action for cron use
o dhcp: give a hint on why an interface was ignored in radvd
o dnsmasq: fix all-server overwriting strict-order configuration directive (contributed by Christian Tramnitz)
o dnsmasq: no-hosts option (contributed by agh1467)
o firmware: add URL return feature to changelog script
o firmware: add a "status_reboot" variable to API return data to make clear it belongs to the offered minor update or major upgrade
o firmware: add random delays to existing firmware cron jobs to avoid update server load spikes
o firmware: added an automatic cron job to fetch changelog daily to use it as a lightweight check for updates on the dashboard
o firmware: check repository and plugin state in health audit
o firmware: implement cross-ABI reinstall of all packages for future use
o firmware: improve the connectivity audit
o firmware: independently check for available upgrade sets
o firmware: opnsense-code: support "-z" snapshot mode
o firmware: opnsense-revert: support "-z" snapshot mode
o firmware: opnsense-update: exclude /boot/efi permission reset from base set extract
o firmware: opnsense-update: support version print for sets
o firmware: opnsense-version: support reading lock files operated by opnsense-update
o firmware: patch version / date header in consistently for backend scripts
o firmware: removed obsolete business repository fingerprints and added 22.4 fingerprint
o firmware: return product info for status endpoint even when no firmware check was done
o firmware: revoke the 21.10 fingerprint
o firmware: separate the "needs_reboot" and "upgrade_needs_reboot" check flags
o firmware: use opnsense-update for version info in update checks
o firmware: use isolated directory for database update check
o firmware: cross-version check was not using correct information
o firmware: cross-version update should indicate base/kernel reinstall
o firmware: exclude revision to match release during hotfixes
o installer: add EFI partition as a default mount point
o installer: fix installation of rc.conf keymap setting selected earlier during installation
o installer: improve disk and ZFS pool scan and display
o installer: increase EFI partition size to 260 MB
o intrusion detection: improve row count on alerts page
o ipsec: avoid use of find_interface_network() et al
o ipsec: clean up stale CA certificates on reconfigure
o ipsec: fix mobile property passing when creating a new phase 2 entry
o ipsec: fix mobile switch logic
o ipsec: migrated tunnel settings page to MVC
o ipsec: pass protocol when resolving via ipsec_resolve() (contributed by FloMeyer)
o ipsec: remove hashes and algorithms no longer supported by FreeBSD 13
o ipsec: rename "My Certificate Authority" to "Remote Certificate Authority" to avoid ambiguity
o ipsec: replace obsolete find_interface_network*() use in GUI
o ipsec: update security of default settings when creating new phase 1 and 2
o lang: demote Italian to development-only language due to lowered translation ratio
o monit: move logging to own target
o network time: add "iburst" option and stop using it by default (contributed by Patrick M. Hausen)
o network time: detach "limited" from "kod" option (contributed by Zsolt Zsiros)
o openvpn: avoid use of find_interface_network() et al
o openvpn: improve gateway detection in topology mode
o openvpn: kill by common name when kill by address does not work
o openvpn: stop removing name server-related files never written
o unbound: disable do-not-query-localhost on local address server use
o unbound: update DNS with hostname-only static entries (contributed by Gareth Owen)
o update: opnsense-bootstrap: -z snapshot mode
o update: opnsense-bootstrap: improved type detection
o update: opnsense-code: -r for repository removal
o update: opnsense-fetch: emit error message of failed download
o update: opnsense-update: handle kernel debug directory like /boot/kernel
o update: opnsense-update: removed "firmware-upgrade" file support
o update: opnsense-verify: synced shared code with FreeBSD 13
o web proxy: fix a typo in extended logging parser (contributed by kulikov-a)
o backend: consolidate configctl utility into one location and add manual page
o backend: unify use of configctl utility
o console: move console mite calls into port setting function
o images: removed deprecated os-dyndns plugin from default installation
o mvc: add BlankDesc to ModelRelationField (contributed by agh1467)
o mvc: add hint support for text fields (contributed by agh1467)
o mvc: emulation versioning empty nodes for the legacy configuration sections
o mvc: fix logging of configd errors
o mvc: overload __isset() magic method
o mvc: properly root the model mount point to avoid unrelated XML node name overlap
o mvc: refactor and extend HostnameField to add options to validate partial hostnames and root zones
o ui: add support for terabytes, and petabytes to format_bytes() (contributed by agh1467)
o ui: move storing jQuery Bootgrid settings in browser from core to bootgrid (contributed by Manuel Faux)
o ui: sidebar 2nd submenu view fix (contributed by Team Rebellion)
o ui: universal striping adjustment for MVC components (contributed by kulikov-a)
o ui: omit total entries display for log grids
o plugins: os-OPNProxy 1.0.1[2]
o plugins: os-bind 1.22[3]
o plugins: os-ddclient 1.4[4] as an eventual replacement for os-dyndns
o plugins: os-dnscrypt-proxy 1.11[5]
o plugins: os-dyndns adds local copy of get_dyndns_ip()
o plugins: os-dyndns menu compatibility with os-ddclient
o plugins: os-freeradius 1.9.19[6]
o plugins: os-frr 1.27[7]
o plugins: os-haproxy 3.10[8]
o plugins: os-mdns-repeater 1.1[9]
o plugins: os-nginx 1.26[10]
o plugins: os-rfc2136 adds local copy of get_dyndns_ip()
o plugins: os-rspamd 1.12[11]
o plugins: os-stunnel 1.0.4 fix connect format for IPv6 (contributed by Johnny S. Lee)
o plugins: os-theme-cicada 1.29
o plugins: os-theme-vicuna 1.41
o plugins: os-wol adds cron support for wake action (contributed by digitalshow)
o plugins: os-zabbix-agent 1.11[12]
o plugins: os-zabbix-proxy 1.7[13]
o src: FreeBSD 13-STABLE as of 4ee9fbcd853
o src: migrated to LUA boot loader (contributed by Kyle Evans)
o src: revert upstream permission change for /root directory
o src: fix kernel build creating wrong linkers.hint file
o src: carp: fix send error demotion recovery
o src: reworked shared forwarding
o src: pf: set_prio was not set after nvlist conversion
o src: if_vtnet: Restore the ability to set promisc mode
o src: hn: disable Hyper-V vSwitch RSC support
o src: stand: add EFI support for MMIO serial consoles
o src: apei: make sure event data fit into the buffer
o src: openssl: fix a bug in BN_mod_sqrt() that can cause it to loop forever[14]
o src: zfs: fix handling of errors from dmu_write_uio_dbuf()[15]
o src: debugnet: remove spurious message on boot
o src: pf(4) tables may fail to load[16]
o src: potential jail escape vulnerabilities in netmap[17]
o src: bhyve e82545 device emulation out-of-bounds write[18]
o src: mpr/mps/mpt driver ioctl heap out-of-bounds write[19]
o src: 802.11 heap buffer overflow[20]
o src: zlib compression out-of-bounds write[21]
o ports: ca_root_nss fix for faulty upstream file linking
o ports: curl 7.81.0[22]
o ports: dnspython 2.2.1[23]
o ports: dpinger 3.2[24]
o ports: expat 2.4.7[25]
o ports: krb5 1.19.3[26]
o ports: lighttpd 1.4.64[27]
o ports: monit 5.30.0[28]
o ports: nss 3.76[29]
o ports: openssh 8.9p1[30]
o ports: openssl 1.1.1n[31]
o ports: openvpn 2.5.6[32]
o ports: pcre / pcre2 enable JIT support
o ports: pecl-psr 1.2.0[33]
o ports: phalcon 4.1.3[34]
o ports: php 7.4.28[35]
o ports: phpseclib 2.0.36[36]
o ports: pkg fixes validation failures on HTTPS fetch in static binary[37]
o ports: sudo 1.9.10[38]
o ports: syslog-ng 3.36.1[39]
o ports: unbound 1.15.0[40]

Known issues and limitations:

o This release contains a new major operating system version and should be carried out with the necessary care.  Despite extended test coverage changes made by FreeBSD may still affect operation without our knowledge.  Except for ZFS boot environments rollbacks between major operating system versions are extremely fragile and a reinstall of an older version should be attempted in the worst case.  For more information please consult the FreeBSD 13.0 release notes[41].
o IPsec hash and cipher removals in FreeBSD 13 can affect existing setups as insecure cryptographic options have been removed upstream.  If you are using MD5, Blowfish, DES, 3DES, or CAST128 in your phase 2 please move to more secure settings prior to the upgrade.  Note that phase 1 settings are unaffected, but insecure settings should still be avoided.  For more information see the FreeBSD commit in question[42].
o The Realtek vendor driver is no longer bundled with the updated FreeBSD kernel.  If unsure whether FreeBSD 13 supports your Realtek NIC please install the os-realtek-re plugin prior to upgrading to retain operability of your NICs.
o MAC spoofing now only pertains to the configured interface and not the VLAN siblings or parent interface.  This can introduce unwanted configuration due to previous side effects in the code.  Make sure to assign and set the spoofed MAC for all interfaces that require a spoofed MAC or simply spoof the MAC on the parent and leave the VLAN sibling settings empty to let them follow the parent MAC automatically.  If in doubt the parent interface can be set into promiscuous mode now to allow for mixed MAC address use across VLANs too.
o Media and hardware offload settings are no longer shown for non-parent interfaces and need to be set individually on the parent interface to take effect.  This can introduce unwanted configuration due to previous side effects in the code.  If the parent interface was not previously assigned please assign it to reapply the required settings.
o NTPD defaults changed to exclude the "iburst" option by default.  "limited" setting was detached from "kod" option.  In both cases configuration adjustments can achieve previous behaviour if required.
o Rebind checks through os-dyndns or os-rfc2136 will no longer work due to the deprecation of both plugins.  Please add your rebind hosts manually or disable rebind protection prior to the upgrade.
o GRE link1 support has been removed and needs a static route to function now.
o Circular logging support has been removed.  No user interaction is required.

The public key for the 22.4 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1o1Bk31AcX5xsqgVAoWQ
1fTDznz22ojsK+qCkhW7MKSWlCyEZYEueUtq7hOt/gqttc3qT0WgHjhjI/WE2RQ4
53yfSw/2DDdt3v2WRoupaMzu2Px6I0A+dzo/DM0UWHHsjUaa1HnTvrC14W2vy9wY
rdotDpp6vSA3WoBmpz+6cpAOlOMTboJouaZy2gSAAcFUmnmP6KDE+lQEqudENTpr
wb/tIILTE3s6HMBrnmyTNz3Oyy77qH0Xq4mU0r+GS3If0LN+zIr3evt/hhS80otG
4WA2ifFeoZVUC//ArAqRiuOJKWvDe5455W1tOuoLkVKVwWMUd1YjaLq8/SRNtTVT
jRWO6znUHJa7LKtwY7SJvJ8bl8kR8QnrEBRLqT3IA+FcRH+8RaeCivPV7oS1tMiV
7hUmu4yXkiMU9c/RrUj7UGZfPKa6K1yP2p3pRvHwCpMclhlVdaiAGNQ8X1GmUAmg
3hsoay1ximpj0Yzs+ynDdT1WPkjx8+mDWI08qTuVX+KN3xiohzjxUyD6kBbw2N4z
EkKTu36KLxo+Hs2iHh4iPWV+EZ5pBn/BseUeHha+V76xM/fPU3H2htwF6/lAz3KH
J6cevsMenCaYBAqpUsQMBjxhDgMmpCcjiZRPijFpe5zsNSUD1NJ8QMpecBZCE6Vt
YHWiWxZTN13z4mPqA4uebakCAwEAAQ==
-----END PUBLIC KEY-----


Stay safe,
Your OPNsense team

--
SHA256 (OPNsense-business-22.4-OpenSSL-dvd-amd64.iso.bz2) = df1ccf00677249fcbe237244016cf5cd9e1a9c0cf998cfa45a579f51e0e97844
SHA256 (OPNsense-business-22.4-OpenSSL-nano-amd64.img.bz2) = 1e9532ff8efcb1c89b9c71f4a3ccf59233078eab64fbfcd06ba2838b5c1e9484
SHA256 (OPNsense-business-22.4-OpenSSL-serial-amd64.img.bz2) = dd4506d3c8a0ad7153153f862cfc88d6503554b1575fb7c4866036bcebde3a33
SHA256 (OPNsense-business-22.4-OpenSSL-vga-amd64.img.bz2) = 88065b0e7fa514867df8e4438626f25c7278b75af91842242aacf4c9ece21531

[1] https://docs.opnsense.org/manual/install.html
[2] https://docs.opnsense.org/vendor/deciso/opnproxy.html#authentication-options
[3] https://github.com/opnsense/plugins/blob/stable/22.1/dns/bind/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/22.1/dns/ddclient/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/22.1/dns/dnscrypt-proxy/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/22.1/net/freeradius/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/22.1/net/frr/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/22.1/net/haproxy/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/22.1/net/mdns-repeater/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/22.1/www/nginx/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/22.1/mail/rspamd/pkg-descr
[12] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/zabbix-agent/pkg-descr
[13] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/zabbix-proxy/pkg-descr
[14] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:03.openssl.asc
[15] https://www.freebsd.org/security/advisories/FreeBSD-EN-22:10.zfs.asc
[16] https://www.freebsd.org/security/advisories/FreeBSD-EN-22:15.pf.asc
[17] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:04.netmap.asc
[18] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:05.bhyve.asc
[19] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:06.ioctl.asc
[20] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:07.wifi_meshid.asc
[21] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:08.zlib.asc
[22] https://curl.se/changes.html#7_81_0
[23] https://dnspython.readthedocs.io/en/stable/whatsnew.html
[24] https://github.com/dennypage/dpinger/releases/tag/v3.2
[25] https://github.com/libexpat/libexpat/blob/R_2_4_7/expat/Changes
[26] https://web.mit.edu/kerberos/krb5-1.19/
[27] https://www.lighttpd.net/2022/1/19/1.4.64/
[28] https://mmonit.com/monit/changes/
[29] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.76_release_notes
[30] https://www.openssh.com/txt/release-8.9
[31] https://www.openssl.org/news/openssl-1.1.1-notes.html
[32] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.6
[33] https://pecl.php.net/package-changelog.php?package=psr&release=1.2.0
[34] https://github.com/phalcon/cphalcon/releases/tag/v4.1.3
[35] https://www.php.net/ChangeLog-7.php#7.4.28
[36] https://github.com/phpseclib/phpseclib/releases/tag/2.0.36
[37] https://cgit.freebsd.org/ports/commit/?id=08342c9812d
[38] https://www.sudo.ws/stable.html#1.9.10
[39] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.36.1
[40] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-15-0
[41] https://www.freebsd.org/releases/13.0R/relnotes/
[42] https://github.com/opnsense/src/commit/16aabb761c0a

7

Announcements / OPNsense 22.1.6 released

« on: April 13, 2022, 03:35:54 pm »

Hi,

Since the Unbound migration for overrides surfaced a number of issues
in the new code this is a follow-up release to ensure interoperability.
Thank you for the honest feedback, bug reports and code submissions.

Here are the full patch notes:

o system: obsolete plugins calling missing functions shall not produce fatal errors
o system: added the correct content-type for the dashboard plugins feed (contributed by Bo Frederiksen)
o reporting: do not rely on /var/run/booting test in system health backend code
o firewall: adjust default deny label to include mention of possible state violation
o firewall: fix sessions page ACL
o interfaces: bring back strict reordering of VIPs during dynamic address acquire
o dhcp: added reload action for cron use
o dhcp: support supplying iPXE filename
o firmware: use isolated directory for database update check
o firmware: cross-version check was not using correct information
o firmware: cross-version update should indicate base/kernel reinstall
o unbound: domain override IP may contain port information
o unbound: show combined hostname.domain description in new alias popup
o unbound: properly support "_msdcs" domain override prefix
o unbound: add missing alias description
o unbound: fix overrides case sort order (contributed by NYOB)
o unbound: fix ACL for overrides
o unbound: fix handling of wildcard aliases (contributed by devin122)
o mvc: add generic searchRecordsetBase() to match existing searchBase()
o ports: phpseclib 2.0.37[1]


Stay safe,
Your OPNsense team

--
[1] https://github.com/phpseclib/phpseclib/releases/tag/2.0.37

8

Announcements / OPNsense 22.1.5 released

« on: April 07, 2022, 02:42:44 pm »

Hi there,

Due to popular demand the user experience for the revamped VLAN handling
was improved in several areas.  Also incuded are a larger Unbound MVC
rework and DNS system route apply changes from one single spot.  Last but
not least the zlib vulnerability was fixed in FreeBSD amongst others.

Here are the full patch notes:

o system: set up all DNS system routes from system_resolvconf_generate()
o system: properly clear legacy files when clearing log files
o reporting: add ACPI and ARM temperature support to health data
o interfaces: do not assume exclusive use of router file in IPv6 PPPoE case
o interfaces: for symmetry with PPPoE do not reload WAN when address disappears
o interfaces: VLAN UX changes include better tag and parent visibility and handling
o interfaces: improve VLAN parent selection for batch changes to allow for a single apply
o interfaces: hint at missing apply when trying to add a new interface in assignment page
o captive portal: prevent cleansing password field
o dhcp: give a hint on why an interface was ignored in radvd
o firmware: exclude revision matching from latest changelog version check
o unbound: add custom forwarding and overrides MVC pages
o ui: omit total entries display for log grids
o plugins: os-acme-client 3.9[1]
o plugins: os-chrony 1.5[2]
o plugins: os-ddclient 1.5[3]
o src: pf(4) tables may fail to load[4]
o src: potential jail escape vulnerabilities in netmap[5]
o src: bhyve e82545 device emulation out-of-bounds write[6]
o src: mpr/mps/mpt driver ioctl heap out-of-bounds write[7]
o src: 802.11 heap buffer overflow[8]
o src: zlib compression out-of-bounds write[9]
o ports: curl 7.82.0[10]
o ports: expat 2.4.8[11]
o ports libxml 2.9.13[12]
o ports: monit 5.32.0[13]
o ports: nss 3.77[14]
o ports: python 3.8.13[15]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/22.1/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/22.1/net/chrony/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/22.1/dns/ddclient/pkg-descr
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-22:15.pf.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:04.netmap.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:05.bhyve.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:06.ioctl.asc
[8] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:07.wifi_meshid.asc
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:08.zlib.asc
[10] https://curl.se/changes.html#7_82_0
[11] https://github.com/libexpat/libexpat/blob/R_2_4_8/expat/Changes
[12] http://www.xmlsoft.org/news.html
[13] https://mmonit.com/monit/changes/
[14] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.77_release_notes
[15] https://docs.python.org/release/3.8.13/whatsnew/changelog.html

9

Announcements / OPNsense 22.1.4 released

« on: March 24, 2022, 02:09:33 pm »

Howdy-hello there,

QinQ support based on the FreeBSD 13 VLAN base functionality is finally
here!  To make the best use of it a MVC conversion of the GUI pages was
carried out meaning these are now fully API-enabled as well.  Two bugs
in the previous GIF/GRE rework have also been reported and fixed.

Note while this does fix CVE-2022-0778 even for LibreSSL the security
audit database by FreeBSD will falsely flag the 3.3.6 release as vulnerable
when in fact it is not.  Since build issues arise on LibreSSL 3.4 that involve
plugin dependencies in all likelihood we will be refraining from updating to
version 3.4 altogether and do not have much hope for the upcoming 3.5 either.

Here are the full patch notes:

o system: prefer configured IP address family use earlier on boot
o system: allow boot to perform generic UFS/ZFS grow using the /.probe.for.growfs marker file
o system: import ZFS pools before mounting ZFS datasets
o reporting: use asynchronous DNS resolver for reverse lookups on traffic page
o interfaces: loopback "lo0" exists for VIPs
o interfaces: only strip addresses on configured IP types
o interfaces: use new ifctl utility for DHCPv6 IP type and add manual page
o interfaces: adjust MTU configuration when parent also requires MTU changes
o interfaces: VLAN MVC conversion with API and QinQ support
o interfaces: cleanup surrounding LAGG function use
o firewall: constrain default CARP allow rules to those defined in RFC 5798
o firewall: make sure that rule use of gateways (route-to) and reply-to are mutually exclusive
o firewall: tighten alias FQDN validation to avoid accepting mistypes such as "192.168.01.1"
o firmware: revoke the 21.7 fingerprint
o intrusion detection: improve row count on alerts page
o backend: consolidate configctl utility into one location and add manual page
o plugins: os-ddclient 1.4[1]
o plugins: os-theme-cicada 1.29
o plugins: os-theme-vicuna 1.41
o src: openssl: fix a bug in BN_mod_sqrt() that can cause it to loop forever[2]
o src: zfs: fix handling of errors from dmu_write_uio_dbuf()[3]
o src: debugnet: remove spurious message on boot
o ports: ca_root_nss fix for faulty upstream file linking
o ports: libressl 3.3.6[4]
o ports: openssl 1.1.1n[5]
o ports: openvpn 2.5.6[6]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/22.1/dns/ddclient/pkg-descr
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:03.openssl.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-22:10.zfs.asc
[4] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.6-relnotes.txt
[5] https://www.openssl.org/news/openssl-1.1.1-notes.html
[6] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.6

10

Announcements / OPNsense 22.1.3 released

« on: March 17, 2022, 12:41:35 pm »

Hi all,

This update includes groundwork for interface handling improvements
making the boot more flexible in complex interface assignment scenarios
involving GIF, GRE and bridge devices.

Please note this update does not include the current OpenSSL security
advisory due to overlapping time schedules.  22.1.4 will include these
and will likely be released next week.

Here are the full patch notes:

o system: remove "all" group handling code forgotten in 2015
o interfaces: resolve device/interface interdependency on boot
o interfaces: do not update VIPs on dynamic address changes
o interfaces: remove unused reference and return value from interface_carp_configure()
o interfaces: remove unused reference from interface_ipalias_configure()
o interfaces: stop IPv6 from reacting to simple stop/detach/down events via rc.linkup
o interfaces: introduce ifctl helper for future use
o firewall: allow per-rule adaptive timeouts (contributed by kulikov-a)
o dhcp: stream-read log and leases files for "dhcpd update prefixes" action
o firmware: use opnsense-update for version info in update checks
o firmware: independently check for available upgrade sets
o firmware: separate the "needs_reboot" and "upgrade_needs_reboot" check flags
o firmware: add URL return feature to changelog script
o firmware: improve the connectivity audit
o ipsec: clean up stale CA certificates on reconfigure
o plugins: os-ddclient 1.3[1]
o plugins: os-freeradius templating generation fix
o ports: dnspython 2.2.1[2]
o ports: dpinger 3.2[3]
o ports: expat 2.4.7[4]
o ports: krb5 1.19.3[5]
o ports: nss 3.76[6]
o ports: openssh 8.9p1[7]
o ports: sudo 1.9.10[8]
o ports: syslog-ng 3.36.1[9]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/22.1/dns/ddclient/pkg-descr
[2] https://dnspython.readthedocs.io/en/stable/whatsnew.html
[3] https://github.com/dennypage/dpinger/releases/tag/v3.2
[4] https://github.com/libexpat/libexpat/blob/R_2_4_7/expat/Changes
[5] https://web.mit.edu/kerberos/krb5-1.19/
[6] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.76_release_notes
[7] https://www.openssh.com/txt/release-8.9
[8] https://www.sudo.ws/stable.html#1.9.10
[9] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.36.1

11

Announcements / OPNsense 22.1.2 released

« on: March 01, 2022, 02:12:34 pm »

Hello,

This release adds GUI support for Intel QuickAssist Technology (QAT) and
SYN cookies as per virtue of the FreeBSD 13 operating system.  The work
to modernise the interfaces subsystem and improve the new ddclient dynamic
DNS plugin are also progressing.

Due to signs of decay in the build infrastructure, license nitpicking
in FreeBSD ports and the upcoming OpenSSL 3 release (which will complicate
things most likely) we have decided to discontinue LibreSSL at the end of
this year meaning there will be no more LibreSSL flavour starting with
version 23.1.  Non-essential software will no longer be manually fixed and
provided as binary packages if broken by upstream from this point on.

Since 2015 we have been working on functional LibreSSL support with steady
means, but 7 years later and OpenSSL making an effort through numerous
ways we are sad to give up this alternative since we do not see LibreSSL
being used and properly integrated in software projects as often anymore.
It has been a slow but steady decline for the past 2 years that also has
to do with a LibreSSL release cycle tailored for OpenBSD in particular and
OpenSSL library integration quality, which is almost impossible to improve
upon in complex third-party software projects.  We simply cannot afford the
time for it any longer.

All users are able to update to the OpenSSL flavour without issues now or
at any later given point.

Here are the full patch notes:

o system: Intel QuickAssist Technology (QAT) crypto module selection and support multiple selection
o system: AESNI crypto module is a kernel-builtin since 22.1 and no longer needs to be selected to work
o system: enable library support of PCRE JIT included since 21.1.1
o system: limit rowCount in log viewer (contributed by kulikov-a)
o system: unify system tunables handling and tweak UX of the respective GUI page
o system: no longer default to hw.uart.console use in factory configuration
o system: remove console mute use from boot sequence
o reporting: fill missing insight data with zeros
o interfaces: assignments should take OpenVPN into account
o interfaces: only ever store nobind for ipalias/carp
o interfaces: align IPv4 address statistics read with IPv6
o interfaces: simplify device destroy code
o interfaces: avoid use legacy_get_interface_addresses() in MAC address read
o interfaces: remove unused opportunistic interface address functions
o firewall: exclude localhost stateless traffic from default logging (contributed by kulikov-a)
o firewall: using port type aliases the "enable" flag was ignored when not enabled
o firewall: add support for SYN cookies
o firmware: opnsense-code: support "-z" snapshot mode
o firmware: opnsense-revert: support "-z" snapshot mode
o firmware: opnsense-update: support version print for sets
o firmware: check repository and plugin state in health audit
o ipsec: pass protocol when resolving via ipsec_resolve() (contributed by FloMeyer)
o ipsec: fix mobile property passing when creating a new phase 2 entry
o ipsec: rename "My Certificate Authority" to "Remote Certificate Authority" to avoid ambiguity
o openvpn: avoid use of find_interface_network() et al
o openvpn: stop removing name server-related files never written
o openvpn: improve gateway detection in topology mode
o ipsec: avoid use of find_interface_network() et al
o dhcp: avoid use of find_interface_network() et al
o console: move console mite calls into port setting function
o ui: sidebar 2nd submenu view fix (contributed by Team Rebellion)
o mvc: refactor and extend HostnameField to add options to validate partial hostnames and root zones
o plugins: os-bind 1.22[1]
o plugins: os-ddclient 1.2[2]
o plugins: os-freeradius 1.9.19[3]
o plugins: os-stunnel 1.0.4 fix connect format for IPv6 (contributed by Johnny S. Lee)
o src: stand: add EFI support for MMIO serial consoles
o src: apei: make sure event data fit into the buffer
o ports: php 7.4.28[4]
o ports: unbound 1.15.0[5]


Stay safe especially in darker times,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/22.1/dns/bind/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/22.1/dns/ddclient/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/22.1/net/freeradius/pkg-descr
[4] https://www.php.net/ChangeLog-7.php#7.4.28
[5] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-15-0

12

Announcements / OPNsense 22.1.1 released

« on: February 16, 2022, 01:06:24 pm »

Good morning/afternoon/evening,

The first stable release brings in minor fixes from FreeBSD and instant
log file visibility for files without severity written which can happen
for individual plugins.

We have also gone ahead to restructure the interface code further to resolve
dependencies between configured devices and interfaces automatically and
the bundled development version is worth a try for everyone having issues
with GIF/GRE not coming up after boot.

Here are the full patch notes:

o system: changing interface gateway was ignored during route reconfiguration
o system: allow to configure SSH setting PubkeyAcceptedAlgorithms (contributed by Manuel Faux)
o system: add backward compatibility for reading logs without severity by default (contributed by kulikov-a)
o system: fix typo causing PHP warning on IPv6 login (contributed by ppascher)
o system: cron command drop down size was extending below screen
o system: add a sysctl cache to improve tuneable overview load time
o system: replace obsolete find_interface_network*() use in GUI
o system: allow severity levels in PHP log messages and mark authentication success messages as notice
o interfaces: fix default handling for VIP nobind option
o interfaces: allow VIP nobind feature on CARP addresses
o interfaces: stop mpd5 daemon before starting
o interfaces: always show interface in GIF and GRE overview even on VIP use
o interfaces: fix GIF and GRE VIP use loading order in IP alias cases
o interfaces: remove device creation side effect from bridge, LAGG, GIF, GRE and VLAN GUI pages
o interfaces: prevent DHCP from installing name servers when not allowed
o interfaces: get_interface_list() must exclude OpenVPN
o interfaces: replace obsolete find_interface_network*() use in GUI
o firewall: remove ruleset optimization support which did not work since rule labels are mandatory for live log
o firewall: exclude external alias for nesting
o firewall: encode rules names in aliases (contributed by kulikov-a)
o firewall: check state before selecting categories (contributed by kulikov-a)
o firewall: synchronise "disabled" flag on linked firewall rule of port forward
o firewall: local file corruption might prevent alias to be loaded
o firewall: default pass all loopback without state tracking
o dhcp: change prefix watcher to work without circular logging now that it is gone
o dhcp: replace obsolete find_interface_network*() use in GUI
o dhcp: fix implode() call (contributed by Clement Moulin)
o ipsec: replace obsolete find_interface_network*() use in GUI
o firmware: opnsense-version: support reading lock files operated by opnsense-update
o firmware: patch version / date header in consistently for backend scripts
o mvc: overload __isset() magic method
o plugins: os-bind 1.21[1]
o plugins: os-ddclient 1.1[2]
o plugins: os-dnscrypt-proxy 1.11[3]
o plugins: os-dyndns menu compatibility with os-ddclient
o plugins: os-frr 1.27[4]
o plugins: os-mdns-repeater 1.1[5]
o plugins: os-rspamd 1.12[6]
o plugins: os-zabbix-agent 1.11[7]
o src: pf: set_prio was not set after nvlist conversion
o src: if_vtnet: Restore the ability to set promisc mode
o src: hn: disable Hyper-V vSwitch RSC support
o ports: curl 7.81.0[8]
o ports: expat 2.4.4[9]
o ports: lighttpd 1.4.64[10]
o ports: monit 5.30.0[11]
o ports: nss 3.75[12]
o ports: pcre / pcre2 enable JIT support
o ports: phpseclib 2.0.36[13]
o ports: strongswan 5.9.5[14]
o ports: sudo 1.9.9[15]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/22.1/dns/bind/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/22.1/dns/ddclient/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/22.1/dns/dnscrypt-proxy/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/22.1/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/22.1/net/mdns-repeater/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/22.1/mail/rspamd/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/zabbix-agent/pkg-descr
[8] https://curl.se/changes.html#7_81_0
[9] https://github.com/libexpat/libexpat/blob/R_2_4_4/expat/Changes
[10] https://www.lighttpd.net/2022/1/19/1.4.64/
[11] https://mmonit.com/monit/changes/
[12] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.75_release_notes
[13] https://github.com/phpseclib/phpseclib/releases/tag/2.0.36
[14] https://github.com/strongswan/strongswan/releases/tag/5.9.5
[15] https://www.sudo.ws/stable.html#1.9.9

13

Announcements / OPNsense business edition 21.10.3 released

« on: February 10, 2022, 12:25:44 pm »

This business release is based on the OPNsense 21.7.8 community version
with additional reliability improvements.

Here are the full patch notes:

o system: remove spurious XML validation that cannot cope with attributes from backup restore
o system: prevent syslog-ng from crashing after update due to "syslog-ng-ctl reload" use
o system: changing interface gateway was ignored during route reconfiguration
o system: cron command drop down size was extending below screen
o reporting: fix display of total in/out traffic values
o firewall: removed the $aliastable cache
o firewall: correctly handle IPv6 NAT in states view
o firewall: skip rule ID for NAT type log entries (contributed by kulikov-a)
o firewall: support "no scrub" option in normalisation rules
o firewall: exclude external alias for nesting
o network time: remove PID file use as it can be unreliable
o intrusion detection: update to ET-Open to version 6
o intrusion detection: prevent config migration from crashing
o lang: update translations for Chinese, French, German, Italian, Japanese, Norwegian, Spanish, and Turkish
o captive portal: prevent session removal crashing when no IP address was registered
o mvc: add getInterfaceConfig endpoint to interface API (contributed by Paolo Asperti)
o mvc: fix logging of configd errors (contributed by kulikov-a)
o plugins: os-acme-client 3.8[1]
o plugins: os-frr 1.26[2]
o plugins: os-openconnect 1.4.2[3]
o plugins: os-postfix 1.21[4]
o plugins: os-telegraf 1.12.4[5]
o plugins: os-wireguard 1.10[6]
o src: axgbe: validate contents of gpio expander
o src: incorrect XSAVE state size[7]
o src: vPCI compatibility improvements with certain Hyper-V releases[8]
o src: vt console buffer overflow[9]
o ports: expat 2.4.2[10]
o ports: filterlog 0.6[11]
o ports: flock 2.37.2
o ports: hostapd 2.10[12]
o ports: lighttpd 1.4.63[13]
o ports: nss 3.74[14]
o ports: openssl 1.1.1m[15]
o ports: openvpn 2.5.5[16]
o ports: php 7.4.27[17]
o ports: sqlite 3.37.2[18]
o ports: strongswan 5.9.5[19]
o ports: syslog-ng 3.35.1[20]
o ports: unbound 1.14.0[21]
o ports: wpa_supplicant 2.10[22]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/21.7/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/21.7/net/frr/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/21.7/security/openconnect/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/21.7/mail/postfix/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/telegraf/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/21.7/net/wireguard/pkg-descr
[7] https://www.freebsd.org/security/advisories/FreeBSD-EN-22:02.xsave.asc
[8] https://www.freebsd.org/security/advisories/FreeBSD-EN-22:03.hyperv.asc
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:01.vt.asc
[10] https://github.com/libexpat/libexpat/blob/R_2_4_2/expat/Changes
[11] https://github.com/opnsense/ports/commit/2e27655d84
[12] https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
[13] https://www.lighttpd.net/2021/12/4/1.4.63/
[14] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.74_release_notes
[15] https://www.openssl.org/news/openssl-1.1.1-notes.html
[16] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.5
[17] https://www.php.net/ChangeLog-7.php#7.4.27
[18] https://sqlite.org/releaselog/3_37_2.html
[19] https://github.com/strongswan/strongswan/releases/tag/5.9.5
[20] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.35.1
[21] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-14-0
[22] https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

14

Announcements / OPNsense 21.7.8 released

« on: January 27, 2022, 03:36:08 pm »

Hello everyone,

To improve migration to the next version we are releasing this update
back to back with 22.1.  There is no immediate need to upgrade so plenty
of time to read and prepare.

Suffice to say this will be the last update of the 21.7 series.  Thank
you and see you on the other side. 

Here are the full patch notes:

o system: remove spurious XML validation that cannot cope with attributes from backup restore
o system: prevent syslog-ng from crashing after update due to "syslog-ng-ctl reload" use
o reporting: fix display of total in/out traffic values
o firewall: removed the $aliastable cache
o firewall: correctly handle IPv6 NAT in states view
o firewall: skip rule ID for NAT type log entries (contributed by kulikov-a)
o firewall: support "no scrub" option in normalisation rules
o network time: remove PID file use as it can be unreliable
o intrusion detection: update to ET-Open to version 6
o intrusion detection: prevent config migration from crashing
o lang: update translations for Chinese, French, German, Italian, Japanese, Norwegian, Spanish, and Turkish
o captive portal: prevent session removal crashing when no IP address was registered
o firmware: offer 22.1 upgrade path when supported by mirror
o mvc: add getInterfaceConfig endpoint to interface API (contributed by Paolo Asperti)
o mvc: fix logging of configd errors (contributed by kulikov-a)
o plugins: os-acme-client 3.8[1]
o plugins: os-frr 1.26[2]
o plugins: os-openconnect 1.4.2[3]
o plugins: os-postfix 1.21[4]
o plugins: os-telegraf 1.12.4[5]
o plugins: os-wireguard 1.10[6]
o src: axgbe: validate contents of gpio expander
o src: incorrect XSAVE state size[7]
o src: vPCI compatibility improvements with certain Hyper-V releases[8]
o src: vt console buffer overflow[9]
o ports: expat 2.4.2[10]
o ports: filterlog 0.6[11]
o ports: flock 2.37.2
o ports: hostapd 2.10[12]
o ports: lighttpd 1.4.63[13]
o ports: nss 3.74[14]
o ports: openssl 1.1.1m[15]
o ports: openvpn 2.5.5[16]
o ports: php 7.4.27[17]
o ports: sqlite 3.37.2[18]
o ports: syslog-ng 3.35.1[19]
o ports: unbound 1.14.0[20]
o ports: wpa_supplicant 2.10[21]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/21.7/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/21.7/net/frr/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/21.7/security/openconnect/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/21.7/mail/postfix/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/telegraf/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/21.7/net/wireguard/pkg-descr
[7] https://www.freebsd.org/security/advisories/FreeBSD-EN-22:02.xsave.asc
[8] https://www.freebsd.org/security/advisories/FreeBSD-EN-22:03.hyperv.asc
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:01.vt.asc
[10] https://github.com/libexpat/libexpat/blob/R_2_4_2/expat/Changes
[11] https://github.com/opnsense/ports/commit/2e27655d84
[12] https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
[13] https://www.lighttpd.net/2021/12/4/1.4.63/
[14] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.74_release_notes
[15] https://www.openssl.org/news/openssl-1.1.1-notes.html
[16] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.5
[17] https://www.php.net/ChangeLog-7.php#7.4.27
[18] https://sqlite.org/releaselog/3_37_2.html
[19] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.35.1
[20] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-14-0
[21] https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

15

Announcements / OPNsense 22.1 released

« on: January 27, 2022, 11:10:21 am »

Hi there,

For more than 7 years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.

22.1, nicknamed "Observant Owl", features the upgrade to FreeBSD 13,
switch to logging supporting RFC 5424 with severity filtering, improved
tunable sysctl value integration, faster boot sequence and interface
initiation and dynamic IPv6 host alias support amongst others.

On the flip side major operating system changes bear risk for regression
and feature removal, e.g. no longer supporting insecure cryptography in
the kernel for IPsec and switching the Realtek vendor driver back to its
FreeBSD counterpart which does not yet support the newer 2.5G models.
Circular logging support has also been removed.  Make sure to read the
known issues and limitations below before attempting to upgrade.

Download links, an installation guide[1] and the checksums for the images
can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/22.1/
o US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/22.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/22.1/
o South America: http://mirror.ueb.edu.ec/opnsense/releases/22.1/
o East Asia: https://mirror.ntct.edu.tw/opnsense/releases/22.1/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against version 21.7.7:

o system: improved visibility and flexibility of tunables
o system: move multiple sysctl manipulations to tunables framework to allow overriding them
o system: prevent more than one default route by default
o system: sync recovery utility contents with FreeBSD 13
o system: prevent syslog-ng from crashing after update due to "syslog-ng-ctl reload" use
o system: add severity to syslog output and allow to filter for it
o system: create latest.log links for easier log consumption
o system: added opnsense-log utility to inspect logs on the console
o system: removed circular logging support
o system: background all cron backend command invokes
o system: unified cron start between legacy and MVC components
o system: improve the fallback after failing to look up specific IPv4 address match for dpinger
o system: use correct IPv6 interface for dpinger gateway monitoring when using 6RD
o system: default net.inet6.ip6.intr_queue_maxlen to 1000 like its IPv4 counterpart
o system: default net.inet6.ip6.redirect to off like its IPv4 counterpart
o system: fix potential issues with "search" syntax in resolv.conf
o system: fix general settings PHP warnings that only appear when validation fails
o system: allow additional search domain (Pierre Fevre)
o system: make /var MFS work when /var directories are mount points, e.g. on ZFS
o system: optionally disconnect PPP interfaces when going into CARP backup mode
o system: fix new PPP CARP hook function call (contributed by Markus Reiter)
o system: separate core and thread count in information widget
o system: MSDOS file system awareness in information widget for new /boot/efi partition
o system: no longer display duplicated mounted partitions on the dashboard
o system: remove spurious XML validation that cannot cope with attributes from backup restore
o system: refactor GUI rebind protection and remove its os-dyndns/os-rfc2136 references
o reporting: fix display of total in/out traffic values
o interfaces: LAGG support in console port assignment (contributed by sarthurdev)
o interfaces: improve LAGG/VLAN assignments via console option
o interfaces: repair get_interface_list() for console use
o interfaces: aligned the name and use of special /tmp files for internal interface handling
o interfaces: correctly write nameserverv6 and searchdomainv6 information on dhcp6c lease acquire
o interfaces: make cache IP files exclusive to rc.newwan and rc.newwanv6 scripts to avoid missing IP changes
o interfaces: refactored linkup event handler to avoid unnecessary recursion in the code
o interfaces: removed opportunistic functions find_interface_ip(), find_interface_ipv6() and find_interface_ipv6_ll()
o interfaces: get_interface_ip() and get_interface_ipv6() now return a valid IP address if one was given to support VIP aliases
o interfaces: interfaces_addresses() can now map a configuration interface to returned addresses to track its origin
o interfaces: VIPs now support the "no bind" option to exclude them from automatic service use when configured
o interfaces: interfaces_primary_address() is now being used like its IPv6 equivalent throughout the code
o interfaces: interfaces_primary_address6() is now considering addresses from tracking interfaces when needed
o interfaces: interfaces_scoped_address6() is now being used throughout the code
o interfaces: "tentative" state now leads to the address being ignored during configuration like "deprecated"
o interfaces: removed unmaintained 3G statistics gathering for Huawei modems that could lock up other modems
o interfaces: reworked interface creation on boot up
o interfaces: spoof MAC now only applies to actual interface and not all of its VLAN siblings or parent
o interfaces: added permanent promiscuous mode setting
o interfaces: add the interface description via ifconfig to its respective device
o interfaces: stop special treatment of bridge interfaces on linkup
o interfaces: improve validations and fix defaults for bridges
o interfaces: allow bridges to attach to VXLAN on boot
o interfaces: background all interface reconfiguration script hooks
o interfaces: no longer allow and apply media configuration for non-parent devices
o interfaces: removed restriction from interfaces without configuration to not being able to hold VIPs
o interfaces: remove defunct link support for GRE
o interfaces: align GIF configuration with base system options
o firewall: properly kill all connections from and to a WAN IPv4 on an address change
o firewall: skip rule ID for NAT type log entries (contributed by kulikov-a)
o firewall: display interface descriptions on normalisation rules (contributed by vnxme)
o firewall: dynamic IPv6 host alias support (contributed by Team Rebellion)
o firewall: removed obsolete kill states option on gateway failure
o firewall: removed the $aliastable cache
o firewall: support "no scrub" option in normalisation rules
o firewall: correctly handle IPv6 NAT in states view
o firewall: plain log default logging severity selection is now "informational"
o firewall: improve maximum shaper value validation and add Gbit/s support
o captive portal: prevent session removal crashing when no IP address was registered
o dhcp: allow for ARM architectures in network boot options (contributed by Keith Cirkel)
o dhcp: allow router advertisements to use a specific link-local VIP alias
o dhcp: refactor the IPv4 and IPv6 configuration pages and add minimal subnet size requirement hints
o dhcp: rework router advertisement "static" mode flags to separate advanced options
o dnsmasq: fix all-server overwriting strict-order configuration directive (contributed by Christian Tramnitz)
o dnsmasq: no-hosts option (contributed by agh1467)
o firmware: add a "status_reboot" variable to API return data to make clear it belongs to the offered minor update or major upgrade
o firmware: add random delays to existing firmware cron jobs to avoid update server load spikes
o firmware: added an automatic cron job to fetch changelog daily to use it as a lightweight check for updates on the dashboard
o firmware: implement cross-ABI reinstall of all packages for future use
o firmware: opnsense-update: exclude /boot/efi permission reset from base set extract
o firmware: removed obsolete business repository fingerprints and added 22.1 fingerprint
o firmware: return product info for status endpoint even when no firmware check was done
o installer: fix installation of rc.conf keymap setting selected earlier during installation
o installer: add EFI partition as a default mount point
o installer: increase EFI partition size to 260 MB
o installer: improve disk and ZFS pool scan and display
o intrusion detection: prevent config migration from crashing
o intrusion detection: update to ET-Open to version 6
o ipsec: update security of default settings when creating new phase 1 and 2
o ipsec: remove hashes and algorithms no longer supported by FreeBSD 13
o ipsec: migrated tunnel settings page to MVC
o lang: update translations for Chinese, French, German, Italian, Japanese, Norwegian, Spanish, and Turkish
o lang: demote Italian to development-only language due to lowered translation ratio
o monit: move logging to own target
o network time: add "iburst" option and stop using it by default (contributed by Patrick M. Hausen)
o network time: detach "limited" from "kod" option (contributed by Zsolt Zsiros)
o network time: remove PID file use as it can be unreliable
o openvpn: kill by common name when kill by address does not work
o unbound: disable do-not-query-localhost on local address server use
o unbound: update DNS with hostname-only static entries (contributed by Gareth Owen)
o update: opnsense-bootstrap: -z snapshot mode
o update: opnsense-bootstrap: improved type detection
o update: opnsense-code: -r for repository removal
o update: opnsense-fetch: emit error message of failed download
o update: opnsense-update: handle kernel debug directory like /boot/kernel
o update: opnsense-update: removed "firmware-upgrade" file support
o update: opnsense-verify: synced shared code with FreeBSD 13
o backend: unify use of configctl utility
o images: removed deprecated os-dyndns plugin from default installation
o mvc: fix logging of configd errors
o mvc: Add BlankDesc to ModelRelationField (contributed by agh1467)
o mvc: emulation versioning empty nodes for the legacy configuration sections
o mvc: add getInterfaceConfig endpoint to interface API (contributed by Paolo Asperti)
o mvc: add hint support for text fields (contributed by agh1467)
o ui: add support for terabytes, and petabytes to format_bytes() (contributed by agh1467)
o ui: universal striping adjustment for MVC components (contributed by kulikov-a)
o ui: move storing jQuery Bootgrid settings in browser from core to bootgrid (contributed by Manuel Faux)
o src: FreeBSD 13-STABLE as of 4ee9fbcd853
o src: migrated to LUA boot loader (contributed by Kyle Evans)
o src: revert upstream permission change for /root directory
o src: fix kernel build creating wrong linkers.hint file
o src: carp: fix send error demotion recovery
o src: ixgbe: prevent subsequent I2C bus read timeouts
o src: reworked shared forwarding
o plugins: os-acme-client 3.8[2]
o plugins: os-bind 1.20[3]
o plugins: os-ddclient 1.0 as an eventual replacement for os-dyndns
o plugins: os-dyndns adds local copy of get_dyndns_ip()
o plugins: os-freeradius 1.9.18[4]
o plugins: os-frr 1.26[5]
o plugins: os-haproxy 3.10[6]
o plugins: os-nginx 1.26[7]
o plugins: os-openconnect 1.4.2[8]
o plugins: os-postfix 1.21[9]
o plugins: os-rfc2136 adds local copy of get_dyndns_ip()
o plugins: os-telegraf 1.12.4[10]
o plugins: os-wireguard 1.10[11]
o plugins: os-wol adds cron support for wake action (contributed by digitalshow)
o plugins: os-zabbix-proxy 1.7[12]
o ports: expat 2.4.2[13]
o ports: filterlog 0.6[14]
o ports: flock 2.37.2
o ports: hostapd 2.10[15]
o ports: lighttpd 1.4.63[16]
o ports: nss 3.74[17]
o ports: openssl 1.1.1m[18]
o ports: openvpn 2.5.5[19]
o ports: pecl-psr 1.2.0[20]
o ports: phalcon 4.1.3[21]
o ports: php 7.4.27[22]
o ports: pkg fixes validation failures on HTTPS fetch in static binary[23]
o ports: sqlite 3.37.2[24]
o ports: syslog-ng 3.35.1[25]
o ports: unbound 1.14.0[26]
o ports: wpa_supplicant 2.10[27]

Known issues and limitations:

o This release contains a new major operating system version and should be carried out with the necessary care.  Despite extended test coverage changes made by FreeBSD may still affect operation without our knowledge.  Except for ZFS boot environments rollbacks between major operating system versions are extremely fragile and a reinstall of an older version should be attempted in the worst case.  For more information please consult the FreeBSD 13.0 release notes[28].

o IPsec hash and cipher removals in FreeBSD 13 can affect existing setups as insecure cryptographic options have been removed upstream.  If you are using MD5, Blowfish, DES, 3DES, or CAST128 in your phase 2 please move to more secure settings prior to the upgrade.  Note that phase 1 settings are unaffected, but insecure settings should still be avoided.  For more information see the FreeBSD commit in question[29].

o The Realtek vendor driver is no longer bundled with the updated FreeBSD kernel.  If unsure whether FreeBSD 13 supports your Realtek NIC please install the os-realtek-re plugin prior to upgrading to retain operability of your NICs.

o MAC spoofing now only pertains to the configured interface and not the VLAN siblings or parent interface.  This can introduce unwanted configuration due to previous side effects in the code.  Make sure to assign and set the spoofed MAC for all interfaces that require a spoofed MAC or simply spoof the MAC on the parent and leave the VLAN sibling settings empty to let them follow the parent MAC automatically.  If in doubt the parent interface can be set into promiscuous mode now to allow for mixed MAC address use across VLANs too.

o Media and hardware offload settings are no longer shown for non-parent interfaces and need to be set individually on the parent interface to take effect.  This can introduce unwanted configuration due to previous side effects in the code.  If the parent interface was not previously assigned please assign it to reapply the required settings.

o NTPD defaults changed to exclude the "iburst" option by default.  "limited" setting was detached from "kod" option.  In both cases configuration adjustments can achieve previous behaviour if required.

o Rebind checks through os-dyndns or os-rfc2136 will no longer work due to the deprecation of both plugins.  Please add your rebind hosts manually or disable rebind protection prior to the upgrade.

o GRE link1 support has been removed and needs a static route to function now.

o Circular logging support has been removed.  No user interaction is required.

The public key for the 22.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1o1Bk31AcX5xsqgVAoWQ
1fTDznz22ojsK+qCkhW7MKSWlCyEZYEueUtq7hOt/gqttc3qT0WgHjhjI/WE2RQ4
53yfSw/2DDdt3v2WRoupaMzu2Px6I0A+dzo/DM0UWHHsjUaa1HnTvrC14W2vy9wY
rdotDpp6vSA3WoBmpz+6cpAOlOMTboJouaZy2gSAAcFUmnmP6KDE+lQEqudENTpr
wb/tIILTE3s6HMBrnmyTNz3Oyy77qH0Xq4mU0r+GS3If0LN+zIr3evt/hhS80otG
4WA2ifFeoZVUC//ArAqRiuOJKWvDe5455W1tOuoLkVKVwWMUd1YjaLq8/SRNtTVT
jRWO6znUHJa7LKtwY7SJvJ8bl8kR8QnrEBRLqT3IA+FcRH+8RaeCivPV7oS1tMiV
7hUmu4yXkiMU9c/RrUj7UGZfPKa6K1yP2p3pRvHwCpMclhlVdaiAGNQ8X1GmUAmg
3hsoay1ximpj0Yzs+ynDdT1WPkjx8+mDWI08qTuVX+KN3xiohzjxUyD6kBbw2N4z
EkKTu36KLxo+Hs2iHh4iPWV+EZ5pBn/BseUeHha+V76xM/fPU3H2htwF6/lAz3KH
J6cevsMenCaYBAqpUsQMBjxhDgMmpCcjiZRPijFpe5zsNSUD1NJ8QMpecBZCE6Vt
YHWiWxZTN13z4mPqA4uebakCAwEAAQ==
-----END PUBLIC KEY-----


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/blob/stable/22.1/security/acme-client/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/22.1/dns/bind/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/22.1/net/freeradius/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/22.1/net/frr/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/22.1/net/haproxy/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/22.1/www/nginx/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/22.1/security/openconnect/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/22.1/mail/postfix/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/telegraf/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/22.1/net/wireguard/pkg-descr
[12] https://github.com/opnsense/plugins/blob/stable/22.1/net-mgmt/zabbix-proxy/pkg-descr
[13] https://github.com/libexpat/libexpat/blob/R_2_4_2/expat/Changes
[14] https://github.com/opnsense/ports/commit/2e27655d84
[15] https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
[16] https://www.lighttpd.net/2021/12/4/1.4.63/
[17] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.74_release_notes
[18] https://www.openssl.org/news/openssl-1.1.1-notes.html
[19] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.5
[20] https://pecl.php.net/package-changelog.php?package=psr&release=1.2.0
[21] https://github.com/phalcon/cphalcon/releases/tag/v4.1.3
[22] https://www.php.net/ChangeLog-7.php#7.4.27
[23] https://cgit.freebsd.org/ports/commit/?id=08342c9812d
[24] https://sqlite.org/releaselog/3_37_2.html
[25] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.35.1
[26] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-14-0
[27] https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
[28] https://www.freebsd.org/releases/13.0R/relnotes/
[29] https://github.com/opnsense/src/commit/16aabb761c0a

SHA256 (OPNsense-22.1-OpenSSL-dvd-amd64.iso.bz2) = 72146dd3a8e57774ad12dbaa503c19111e5f1c43db63a32ad2dab6b3ea6f12f1
SHA256 (OPNsense-22.1-OpenSSL-nano-amd64.img.bz2) = ec3b3c5fafc39e9d67c500a31d6c0be99566a130a158a2ae60904e6a6854bf1f
SHA256 (OPNsense-22.1-OpenSSL-serial-amd64.img.bz2) = 418e4abc233a89c11e296f7e510e2074242dc2a285a042592171d45b257c4857
SHA256 (OPNsense-22.1-OpenSSL-vga-amd64.img.bz2) = f791e9024888f5f668175a78cbbcd9eb96b36ba523f38d00cad9dd4d64243b4f