OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of franco »
  • Show Posts »
  • Topics
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Topics - franco

Pages: [1] 2 3 ... 15
1
Announcements / OPNsense 19.1.1 released
« on: February 05, 2019, 03:28:53 pm »
Hello,

This is a security and reliability release: WAN DHCP will no longer trust the server MTU given. Uncoordinated cross site scripting issues have been fixed. And the Python request library was patched due to CVE 2018-18074.

Here are the full patch notes:

o system: address XSS-prone escaping issues[1]
o firewall: add port range validation to shaper inputs
o firewall: drop description validation constraints
o interfaces: DHCP override MTU option (contributed by Team Rebellion)
o interfaces: properly configure SIM PIN on custom modems
o reporting: prevent cleanup from deleting current data when future data exists
o ipsec: allow same local subnet if used in different phase 1 (contributed by Max Weller)
o openvpn: multiple client export fixes
o web proxy: add ESD files to Windows cache option (contributed by R-Adrian)
o plugins: os-acme-client 1.20[2]
o plugins: os-dyndns fix for themed colours (contributed by Team Rebellion)
o plugins: os-etpro-telemetry 1.1 adds random delay to telemetry data send
o plugins: os-nginx 1.7[3]
o plugins: os-rspamd reads DKIM keys via Redis (contributed by Garrod Alwood)
o plugins: os-theme-cicada 1.14 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.13 (contributed by Team Rebellion)
o ports: ca_root_nss 3.42.1
o ports: lighttpd 1.4.53[4]
o ports: py-request 2.21.0[5]


Stay safe,
Your OPNsense team

--
[1] https://packetstormsecurity.com/files/151381/OPNsense-18.7-Cross-Site-Scripting.html
[2] https://github.com/opnsense/plugins/pull/1157
[3] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[4] https://www.lighttpd.net/2019/1/27/1.4.53/
[5] https://vuxml.freebsd.org/freebsd/50ad9a9a-1e28-11e9-98d7-0050562a4d7b.html

2
Announcements / OPNsense 19.1 released
« on: January 31, 2019, 05:40:12 pm »
Hi there,

For more than four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

The 19.1 release, nicknamed "Inspiring Iguana", consists of a total of 620 individual changes since 18.7 came out 6 months ago, spread out over 12 intermediate releases including the recent release candidates. That is the average of 2 stable releases per month, security updates and important bug fixes included! If we had to pick a few highlights it would be: The firewall alias API is finally in place. The migration to HardenedBSD 11.2 has been completed. 2FA now works with a remote LDAP / local TOTP combination. And the OpenVPN client export was rewritten for full API support as well.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/19.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
o Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 18.7:

o fully functional firewall alias API
o PIE firewall shaper support
o firewall NAT rule logging support
o 2FA via LDAP-TOTP combination
o WPAD / PAC and parent proxy support in the web proxy
o P12 certificate export with custom passwords
o Dpinger is now the default gateway monitor
o ET Pro Telemetry edition plugin[2]
o extended IPv6 DUID support
o Dnsmasq DNSSEC support
o OpenVPN client export API
o Realtek NIC driver version 1.95
o HardenedBSD 11.2, LibreSSL 2.7
o Unbound 1.8, Suricata 4.1
o Phalcon 3.4, Perl 5.28
o firmware health check extended to cover all OS files, HTTPS mirror default
o updates are browser cache-safe regarding CSS and JavaScript assets
o collapsible side bar menu in the default theme
o language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
o API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat and Dnscrypt-proxy plugins

Here are the full changes against version 19.1-RC2:

o ipsec: add firewall interface as soon as phase 1 is enabled
o ipsec: phase 1 selection GUI JavaScript compatibility fix
o monit: widget improvements and bug fix (contributed by Frank Brendel)
o ui: fix regression in single host or network subnet select in static pages
o plugins: os-frr 1.7 updates OSFP outbound rules (contributed by Fabian Franz)
o plugins: os-telegraf 1.7.4 fixes packet filter input
o plugins: os-theme-rebellion 1.8.2 adds image colour invert
o plugins: os-vnstat 1.1[3]
o plugins: os-zabbix-agent now uses Zabbix version 4.0
o src: revert mmc_calculate_clock() as HS200/HS400 support breaks legacy support
o src: update sqlite3-3.20.0 to sqlite3-3.26.0[4]
o src: import tzdata 2018h, 2018i[5]
o src: avoid unsynchronized updates to kn_status[6]
o ports: ca_root_nss 3.42
o ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion)
o ports: sudo patch to fix listpw=never[7]

Migration notes and minor incompatibilities to look out for:

o Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration. Apinger is no longer available.
o Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
o Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.
o Please read the FRR documentation with regard to the required system tunables[8].
o Bhyve UEFI boot may fail as a guest. The problem is being investigated.
o SNMP plugin has been superseded by Net-SNMP plugin.

The public key for the 19.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
-----END PUBLIC KEY-----


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://docs.opnsense.org/manual/etpro_telemetry.html
[3] https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:03.sqlite.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:04.tzdata.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:05.kqueue.asc
[7] https://bugzilla.sudo.ws/show_bug.cgi?id=869
[8] https://docs.opnsense.org/manual/dynamic_routing.html

SHA256 (OPNsense-19.1-OpenSSL-dvd-amd64.iso.bz2) = 0a9e02954da1ddd1f0b7673394bbf81cfa74a1d5378600a87d3a9e6a26d3104d
SHA256 (OPNsense-19.1-OpenSSL-nano-amd64.img.bz2) = 2c4b0056ca26053c8d5e4efe196e512af618bad4fa136ba0e2528083a6263528
SHA256 (OPNsense-19.1-OpenSSL-serial-amd64.img.bz2) = c71274cea2b910cd4b3454b4ad29f7f70503fcb52ffa5b7f65ea96a27ac9e10d
SHA256 (OPNsense-19.1-OpenSSL-vga-amd64.img.bz2) = 37164481a413716d8786676d30bb709f8b967e53a47a36d10118214304d14bb9

SHA256 (OPNsense-19.1-OpenSSL-dvd-i386.iso.bz2) = 17d0aadf671bc2d99b57f0371e4fadfca0e2e9c8d27d6545674a610fc1f59c7a
SHA256 (OPNsense-19.1-OpenSSL-nano-i386.img.bz2) = 0c4e7616c93f14f5988df84b9b620543cb23a89c1f91505527b6c999d2dc7889
SHA256 (OPNsense-19.1-OpenSSL-serial-i386.img.bz2) = 93306e5349c7448ad3fdc03d9349ebf98e4d7c677201dcbec111f917c72dca24
SHA256 (OPNsense-19.1-OpenSSL-vga-i386.img.bz2) = 03d21319a784f93a7940d35168a35d15005e6f4579ac5b1c7a6ff606beb062a6

3
Announcements / OPNsense 19.1-RC2 released
« on: January 23, 2019, 10:45:49 am »
Hi there,

Small online update issued to fix known and subsequently patched issues. If you use Insight and flowd_aggregate service refuses to start go to System: Firmware: Packages and reinstall the "flowd" package.

These are the changes in detail:

o firmware: fix invisible error in health check
o intrusion detection: avoid spurious migration error on factor reset
o monit: fix dashboard widget display and general settings save
o plugins: os-telegraf fixes checkbox for CPU time collect (contributed by chaispaquichui)
o ports: flowd Python bindings runtime fix


Stay safe,
Your OPNsense team

4
Announcements / OPNsense 19.1-RC1 released
« on: January 21, 2019, 02:46:08 pm »
Hi there,

For almost four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/19.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
o Full mirror list: https://opnsense.org/download/

Here are the full changes against version 18.7.10:

o system: console port assignment can now assign OPT without LAN
o system: anti-lockout will use OPT1 if LAN is not present
o system: allow creation of combined client/server SSL certificate
o system: gateway monitoring switches to Dpinger with Apinger removed
o system: detect unassigned gateways in static address setups
o system: more advanced gateway monitoring options for Dpinger (contributed by Team Rebellion)
o system: removal of the old notification system in favour of Monit
o system: only allow syslog remote binding to assigned interfaces
o system: disable IP aliases configured with VHID on temporary disable
o system: remove AHCI MSI disable workaround used in FreeBSD 11.1
o system: default gateway switching moves back to general settings
o system: beep sound notification setting moves to misc. settings
o system: limit log line length in log widget
o interfaces: change 6RD/6to4 interface prefix from internal name to physical device
o interfaces: prohibit tracking on 6RD with /64 upstream prefix
o interfaces: remove unneeded use of potentially clashing fe80::1:1 addresses for IPv6 tracking
o interfaces: clear an apparently faulty system DUID when no manual DUID is set
o interfaces: updated custom dhclient-script used for DHCPv4
o interfaces: VIP support for GRE devices
o interfaces: simplify find_interface_ip* functions
o interfaces: remove get_interface_subnet* functions
o interfaces: remove unused get_possible_listen_ips function
o interfaces: link status indicator on assignments page
o interfaces: unify interface removal code
o firewall: switch GeoIP database download to HTTPS
o firewall: find IP reference tool for aliases
o firewall: improve alias page responsiveness with large number of addresses
o firewall: show system errors when reloading aliases
o firewall: NAT port forward logging option and live view support
o firewall: optionally resolve all host names in live view
o firewall: not all states could be removed in diagnostics page
o firewall: clean up unused NAT rule association code
o reporting: improve handling of empty Insight datasets
o reporting: prepare for Python 3 conversion
o firmware: switch default mirror location to HTTPS
o firmware: health check for base and kernel files including version check
o firmware: support base and kernel file size in packages overview
o firmware: /var MFS compatibility on base installation when reboot is deferred
o firmware: command line core lock feature prevents package upgrades
o firmware: internally remember plugins installed or removed in the GUI
o firmware: show last known update log on page open
o firmware: show untrusted repository error in GUI
o firmware: separate chanelogs tab for clarity
o dhcp: refuse setup of instances that have no associated IP address
o dhcp: fix lease time local vs. UTC display in IPv6 leases
o installer: change communication from TCP to named pipes
o installer: fix sporadic segmentation faults in frontend code
o installer: allow config import from ZFS pools
o installer: allow password reset on ZFS pools
o installer: removed a number of unused modules
o ipsec: generate correct config for "Hybrid-RSA + XAuth" (contributed by Max Weller)
o ipsec: reworked strongswan.conf generation
o ipsec: use new interface subnet retrieval code
o monit: support declaring dependencies (contributed by Alexander Werner)
o monit: add Service/Test type relation (contributed by Frank Brendel)
o monit: add CARP status to standard services
o monit: add gateway alerts to standard services
o monit: backend rework to simplify the service
o intrusion detection: support base ruleset overlays and improve logging
o intrusion detection: GeoIP feature in user-defined rules has been removed
o intrusion detection: obey Content-Disposition header
o openvpn: client export rewrite, new export option for The Green Bow
o unbound: reworked slab calculation
o unbound: added statistics page
o unbound: only bind to interfaces or OpenVPN instances, always bind to loopback
o unbound: fix ACL subnet calculation for OpenVPN instances
o unbound: do not generate host entries for OpenVPN instances
o unbound: improve help text wording and general settings layout
o web proxy: parent proxy support (contributed by Michael Muenz)
o wizard: fix checkbox label styling
o mvc: converted reboot, halt and license page to MVC
o mvc: compared-to-field constraint (contributed by Fabian Franz)
o mvc: external clients which set Authorization header now receive raw JSON responses
o mvc: fix empty value check in grid (contributed by Smart-Soft)
o mvc: globally lock config when multiple items are deleted at once
o mvc: volt template JavaScript cleanups
o ui: updated bootstrap-select to version 1.13.3
o ui: collapsible sidebar support in default theme (contributed by Team Rebellion)
o plugins: os-acme-client 1.19[2]
o plugins: os-c-icap 1.7 adds template support (contributed by Michael Muenz)
o plugins: os-dmidecode 1.0 hardware information widget (contributed by Smart-Soft)
o plugins: os-dyndns 1.12 changes HE tunnel broker to newer API (contributed by Dusan Dragic)
o plugins: os-frr switches to FRR 5.0.2, please see below
o plugins: os-l2tp 1.8 interface now selects reachable server address
o plugins: os-pptp 1.8 interface now selects reachable server address
o plugins: os-openconnect 1.3.3[3]
o plugins: os-quagga removed, please use os-frr instead
o plugins: os-nginx 1.6[4]
o plugins: os-rspamd 1.4 allows to set manual spam scores and subject (contributed by Michael Muenz and Fabian Franz)
o plugins: os-snmp removed, please use os-net-snmp instead
o plugins: os-theme-cicada 1.13
o plugins: os-theme-tukan 1.12
o plugins: os-wol 2.1 fixes widget link (contributed by Fabian Franz)
o src: HardenedBSD 11.2-RELEASE-p7[5][6][7]
o src: fix missing transmit visibility for BPF-based listeners in native netmap mode
o src: limit the maximum number of fragments per packet in pf
o src: replace rwlock on PF_RULES_LOCK with rmlock in pf
o src: do not discard UDP6 traffic in Hyper-V adaptors
o src: fix state sync during initial bulk update in pfsync
o src: unbreak dhclient(8) option 26 processing
o src: import APU 1-3 LED kernel module
o ports: krb5 1.17[8]
o ports: php 7.1.26[9]
o ports: sudo 1.8.27[10]
o ports: perl 5.28.1[11]
o ports: suricata netmap forward-compatibility patch (contributed by Sunny Valley Networks)

Known issues and limitations:

o Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration.
o Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
o Monit general settings do not save. A patch exists[12] to remedy this problem: opnsense-patch a2899594
o Issue with IDS migration code creating a spurious crash report. Patch already done for the final 19.1.
o Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.
o Please read the FRR documentation with regard to the required system tunables[13].
o SNMP plugin has been superseded by Net-SNMP plugin.
o ZFS guided installation pending.

The public key for the 19.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
-----END PUBLIC KEY-----

Please let us know about your experience!


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/pull/1134
[3] https://github.com/opnsense/plugins/blob/master/security/openconnect/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[5] https://hardenedbsd.org/content/easy-feature-comparison
[6] https://www.freebsd.org/releases/11.2R/relnotes.html
[7] https://www.freebsd.org/releases/11.2R/errata.html
[8] https://web.mit.edu/kerberos/krb5-1.17/
[9] http://php.net/ChangeLog-7.php#7.1.26
[10] https://www.sudo.ws/stable.html#1.8.27
[11] https://metacpan.org/changes/release/SHAY/perl-5.28.1
[12] https://github.com/opnsense/core/commit/a2899594
[13] https://docs.opnsense.org/manual/dynamic_routing.html

SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-amd64.iso.bz2) = 7c0c6cf529cb2f8aa9c29b3645b4ec1e218c292f722941ae9880b009c93e6364
SHA256 (OPNsense-19.1.r1-OpenSSL-nano-amd64.img.bz2) = b355355fc6d10475af2b1c22daa2fd5f5ab78bb375aaf8100a51f087d2447289
SHA256 (OPNsense-19.1.r1-OpenSSL-serial-amd64.img.bz2) = f4d40b1ece162aac97505f8ad1e16271126df11fb1a317a9f431ff4737fe5da8
SHA256 (OPNsense-19.1.r1-OpenSSL-vga-amd64.img.bz2) = f8c860a7e3eb9be61d33da92b021a0f337ad50e00a6ffc1cca793277f1890b63

SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-i386.iso.bz2) = c7b5ced64623416bd56e5337d5212c9af25292a48eb1bb298321e4bb79056c94
SHA256 (OPNsense-19.1.r1-OpenSSL-nano-i386.img.bz2) = 1313645407d810dd7a5dedf4978deaa7c14f4655dee679de572d7a9e853749c0
SHA256 (OPNsense-19.1.r1-OpenSSL-serial-i386.img.bz2) = f44203f5bb6e2dbfe5b524b37e9e53baab0665684cbc215bdc3015e11a79c2bd
SHA256 (OPNsense-19.1.r1-OpenSSL-vga-i386.img.bz2) = a6cfc14b9675563053d6e7733011c381f39e8fb2e10a8a64d60cc7de421ac2db

5
Announcements / OPNsense 18.7.10 released
« on: January 07, 2019, 01:32:27 pm »
Happy new year everyone,

2019 means 19.1 is almost here. In the meantime accept this small incremental update with goodies such as Suricata 4.1, custom passwords for P12 certificate export as well as fresh fixes in the FreeBSD base.

A lot of cleanups went into this update to make sure there will be a smooth transition to 19.1-RC for you early birds. We expect RC1 in 1-2 weeks and the final 19.1 on January 31.

Here are the full patch notes:

o system: P12 certificate export now allows to specify a password
o system: allow plain IPv6 for LDAP and RADIUS host
o system: properly sort columns with size units in activity page
o system: remove references to "automatic" in HA help texts
o system: add option to only show temperature of one core in widget
o system: speed up isArraySequential()
o system: introduce configdp_run() variant
o system: assorted code cleanups
o interfaces: only show name servers offered by individual link in status page
o interfaces: DUID-LL generator fix (contributed by Team Rebellion)
o interfaces: show disabled and virtual interfaces in groups
o interfaces: change wireless page interface iterators
o interfaces: change LAGG page interface iterators
o interfaces: remove unused get_dns_servers()
o interfaces: assorted code cleanups
o firewall: fix an exception error in alias config read
o firewall: fix typo in outbound NAT destination help text
o firewall: rename "Localhost" to "Loopback" for clarity in virtual IP pages
o firewall: unify anti-lockout behaviour to match rules and GUI display
o firewall: switch to tokenizer for shaper source and destination fields
o firewall: fix alias utility issue when adding into empty alias
o firewall: correct alias name limit to 31 characters
o firewall: bring back auto-complete for nested aliases
o firewall: NAT rules on reflection for port forwards only when address exists on interface
o firewall: lower bogon download retry attempts to 3
o firewall: schedule JS code update
o captive portal: add setting to always send accounting requests
o captive portal: assorted code cleanups
o dhcp: DHCPv6 leases not always correctly displayed (contributed by Team Rebellion)
o dhcp: override IPv6 PD range fix (contributed by Team Rebellion)
o dhcp: switch subnet verification to new network interface retrieval
o firmware: individual error messages during base and kernel installation
o firmware: obsolete set usage has been removed, embedded into base set
o firmware: always recalculate size returned in the GUI and use pkg-style units
o firmware: migrate more scripting to opnsense-version
o firmware: remove defunct dataroute mirror
o importer: make current zpool visible, but immune to import
o installer: find all possible configs and include them for startup
o intrusion detection: change default alert level to notice
o openvpn: allow empty remote subnet in client
o openvpn: use new network interface retrieval
o openvpn:  assorted code cleanups
o unbound: always add global DNS servers in forwarding mode
o unbound: restart when crashed even if request came from unassociated interface
o wizard: sync bogon help text with interfaces GUI counterparts
o wizard: hint at updates after completion
o wizard: assorted code cleanups
o mvc: harden setFormData()
o plugins: os-api-backup 1.0 allows API access to config.xml (contributed by Fabian Franz)
o plugins: os-bind 1.4[1] (contributed by Michael Muenz)
o plugins: os-clamav fixes /var MFS permission mismatch
o plugins: os-dnscrypt-proxy 1.1 allows manual server selection (contributed by Michael Muenz)
o plugins: os-dyndns 1.1 fix for using apex domains with CloudFlare DDNS (contributed by Charles Ulrich)
o plugins: os-frr 1.6 adds OSPF key ID and default route metric, BGP router ID, etc. (contributed by Michael Muenz and Fabian Franz)
o plugins: os-haproxy 2.13[2] (contributed by Frank Wall)
o plugins: os-ntopng fixes HTTPS setup permission
o plugins: os-openconnect 1.3.2 adds non-inter option, groups and client certificates, etc. (contributed by Diego Rivera and Michael Muenz)
o plugins: os-postfix 1.8[3] (contributed by Michael Muenz)
o plugins: os-theme-cicada 1.12 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.11 (contributed by Team Rebellion)
o plugins: os-upnp 1.3 allows up to 8 user permissions
o src: bootpd buffer overflow[4]
o src: kernel panic under load on Intel "Skylake" CPU[5]
o src: ZFS vnode reclaim deadlock[6]
o ports: curl 7.63.0[7]
o ports: libressl 2.7.5[8]
o ports: libxml 2.9.8[9]
o ports: phalcon 3.4.2[10]
o ports: suricata 4.1.2[11][12][13]
o ports: syslogd 11.2
o ports: unbound 1.8.3[14]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[2] https://github.com/opnsense/plugins/pull/1090
[3] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:15.bootpd.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:17.vm.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:18.zfs.asc
[7] https://curl.haxx.se/mail/lib-2017-02/0109.html
[8] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.7.5-relnotes.txt
[9] https://mail.gnome.org/archives/xml/2018-March/msg00001.html
[10] https://github.com/phalcon/cphalcon/releases/tag/v3.4.2
[11] https://suricata-ids.org/2018/11/06/suricata-4-1-released/
[12] https://suricata-ids.org/2018/12/17/suricata-4-1-1-available/
[13] https://suricata-ids.org/2018/12/21/suricata-4-1-2-released/
[14] https://nlnetlabs.nl/projects/unbound/download/

6
Announcements / OPNsense 18.7.9 released
« on: December 12, 2018, 03:40:40 pm »
Hello world!

To keep it snappy: enclosed are assorted updates and fixes, a new dnscrypt-proxy plugin as well as security updates from FreeBSD and third parties. Happy patchday!

Here are the full patch notes:

o system: allow setting alternative names on CSR
o system: add link-local routes with correct scope
o system: fix LDAP import button for Firefox
o system: assorted cleanups in HTML and PHP code
o interfaces: add note about CGN addresses included in private range
o interfaces: fix checksum disable for IPv6 TX / RX flags
o interfaces: multiple type DUID support (contributed by Team Rebellion)
o interfaces: properly read and write dhcp6c DUID binary file
o interfaces: do not read VLAN capabilities from nonexistent interfaces
o interfaces: removal of PEAR.inc from IPv6 address library
o interfaces: assorted cleanups in HTML and PHP code
o firewall: only suffix subnet alias entry when a network is expected
o firewall: default alias protocol to both IPv4 and IPv6
o firewall: fix validation of outbound NAT destination alias
o firewall: fix performance regression in get_alias_description()
o firewall: repair defunct "no nat proto carp all" rule
o firewall: limit type to CARP when checking for VIP VHID reuse
o firewall: refactor subnet retrieval in VIP deletion
o firewall: display VHID for IP alias in overview
o firewall: DHCPv6 outgoing firewall rule changed to "from (self)" to fix static setups
o firewall: rearranged outbound NAT bottom symbol hints (contributed by Team Rebellion)
o firewall: ignore empty values in alias migration (contributed by Frank Wall)
o firewall: assorted cleanups in HTML and PHP code
o captive portal: work around service boot ordering issue
o captive portal: change "onestop" to "stop" in backend action
o dnsmasq: add DNSSEC option
o dnsmasq: assorted cleanups in HTML and PHP code
o dhcp: show lease count in page heading
o dhcp: refactor IPv6 subnet read
o dhcp: fix DDNS IPv6 algorithm use
o dhcp: assorted cleanups in HTML and PHP code
o firmware: opnsense-version can now handle kernel, base and plugin metadata
o firmware: when pkg needs to be updated do not prompt for base and kernel set
o firmware: use embedded obsolete file list for removal on base set install
o intrusion detection: fix daily cron job, was actually monthly
o ipsec: assorted cleanups in HTML and PHP code
o openvpn: assorted cleanups in HTML and PHP code
o unbound: only use IPv6 when enabled and IPv4 is not preferred
o unbound: restart after VPN is up
o unbound: updated help text for verbosity level (contributed by Northguy)
o unbound: assorted cleanups in HTML and PHP code
o web proxy: move bump_step1 down (contributed by Michael Muenz)
o mvc: missing isset() in routes migration
o mvc: Phalcon 3.4.2 scope compatibility fix
o mvc: assorted fixes in PHPDoc
o mvc: fix advanced field bug in dialogs (contributed by Fabian Franz)
o mvc: SetIfConstraint (contributed by Fabian Franz)
o mvc: hidden input field (contributed by Fabian Franz)
o mvc: json-data access support (contributed by Fabian Franz)
o ui: remove markup from user indicator
o ui: sidebar fixes (contributed by Team Rebellion)
o plugins: os-acme-client 1.18 with GratisDNS and ACME DNS support (contributed by Frank Wall, ricobach, TuEye)
o plugins: os-bind 1.3 adds Google and Yahoo safe search (contributed by Michael Muenz)
o plugins: os-dnscrypt-proxy 1.0 (contributed by Michael Muenz)
o plugins: os-freeradius 1.8.3 makes use of certificates clearer (contributed by Michael Muenz)
o plugins: os-haproxy 2.12 HTTP/2 support, http-request before use_backend (contributed by Frank Wall, Mathias Aerts)
o plugins: os-net-snmp 1.3 mark device as L3 enabled via SysServices (contributed by Michael Muenz)
o plugins: os-nginx 1.5 with lots of new features[1] (contributed by Fabian Franz, Carlos Cesario, Julio Cesar Camargo, fzoske)
o plugins: os-nut 1.4 adds listen directive and more flexible arguments (contributed by Michael Muenz)
o plugins: os-postfix 1.7 adds address rewriting, sender/recipient BCC and domain masquerading (contributed by Michael Muenz)
o plugins: os-theme-cicada 1.11 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.8.1 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.10 (contributed by Team Rebellion)
o src: fix multiple vulnerabilities in NFS server code[2]
o src: fix ICMP buffer underwrite[3]
o src: timezone database information update[4]
o src: fix deferred kernel loading breaks loader password[5]
o src: fix insufficient bounds checking in bhyve(8) device model[6]
o ports: lighttpd 1.4.52[7]
o ports: sqlite 3.26.0[8]
o ports: perl 5.26.3[9]
o ports: php 7.1.25[10]
o ports: hostapd / wpa_supplicant 2.7[11]
o ports: unbound 1.8.2[12]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:13.nfs.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:13.icmp.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:14.tzdata.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:15.loader.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:14.bhyve.asc
[7] https://www.lighttpd.net/2018/11/28/1.4.52/
[8] https://www.sqlite.org/releaselog/3_26_0.html
[9] https://metacpan.org/pod/release/SHAY/perl-5.26.3/pod/perldelta.pod
[10] http://php.net/ChangeLog-7.php#7.1.25
[11] http://lists.infradead.org/pipermail/hostap/2018-December/039069.html
[12] https://nlnetlabs.nl/news/2018/Dec/04/unbound-1.8.2-released/

7
Announcements / OPNsense 18.7.8 released
« on: November 22, 2018, 03:03:58 pm »
Hi everyone,

This stable update finally brings you the promised LDAP+TOTP authentication, but also renewed language translations and several third party software updates for software such as OpenSSL, OpenSSH and Sudo. A reboot is not required, but recommended.

Here are the full patch notes:

o system: show the actual validation messages for NextCloud backup constraints
o system: LDAP import button primary colour and prevent default page submit
o system: add LDAP+TOTP authentication variant (2FA)
o system: avoid silent fatal error when LDAP OUs could not be retrieved
o system: avoid duplicated cookies on login page by not closing session
o system: allow to fully disable misc. reboot failsafe backups
o system: switch default argument for return_gateways_status()
o system: add "Synchronize config to backup" button to HA status page
o system: disable help text expand when backup fields have no help text
o system: sort user and group lists alphabetically
o interfaces: add CARP info to legacy_interfaces_details()
o interfaces: removal of find_interface_subnet() and find_interface_subnetv6()
o interfaces: introduce find_interface_network() and find_interface_networkv6()
o interfaces: refactor find_interface_ip() and find_interface_ipv6()
o interfaces: fix and use ipaddr6_ll return value in find_interface_ipv6_ll()
o firewall: extend outbound NAT address source and destination with networks
o firewall: fix save error when alias name contains an underscore
o firewall: do not set days or hours when update frequency is empty
o firewall: increase resolve() performance for aliases
o firmware: change packaging to be able to place files in the root directory
o reporting: fix possible division by zero in NetFlow aggregator
o dhcp: reorder arguments of function services_dhcpd_configure()
o dhcp: consolidate service probe of IPv6 and router advertisement daemons
o dhcp: fix clear hook on log file delete
o importer: make clear that /conf/config.xml is required for any import to take place
o monit: add quotes and timeout to custom program path (contributed by Frank Brendel)
o monit: add SSL options to mail server connection (contributed by Frank Brendel)
o network time: improve GPS status parsing
o openvpn: add remote address as route when set during linkup
o shell: interface banner now only shows enabled interfaces
o unbound: do not clear statistics when querying them
o lang: updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
o mvc: fix toggleBase returning 'failed' result when using $enabled
o mvc: fix PortField validation and make well-known ports optional
o mvc: fix checking empty string in grid view (contributed by Smart-Soft)
o rc: make it more obvious in /boot/loader.conf that system tunables work as well
o ui: sidebar performance optimisation (contributed by Team Rebellion)
o ui: vertically center current menu item on visible screen when height is too small
o plugins: os-haproxy 2.10[1][2][3] (contributed by Frank Wall)
o plugins: os-igmp-proxy forces reinstall due to missing core function
o plugins: os-ntopng 1.1 adds HTTPS support (contributed by Michael Muenz)
o plugins: os-nut fix for config file generation (contributed by Michael Muenz)
o plugins: os-postfix fixes typo (contributed by Michael Muenz)
o plugins: os-telegraf 1.7.2 adds validation messages to tags (contributed by Michael Muenz)
o plugins: os-theme-cicada 1.9 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.8 (contributed by Team Rebellion)
o plugins: os-upnp removes unused function
o plugins: os-zabbix-agent 1.4[4] (contributed by Frank Wall)
o ports: cyrus-sasl 2.1.27[5]
o ports: lighttpd 1.4.51[6]
o ports: openssh 7.9p1[7]
o ports: openssl 1.0.2q[8]
o ports: php 7.1.24[9]
o ports: pkg minor upstream fixes
o ports: sudo 1.8.26[10]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/960
[2] https://github.com/opnsense/plugins/pull/970
[3] https://github.com/opnsense/plugins/pull/1003
[4] https://github.com/opnsense/plugins/pull/998
[5] https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html
[6] https://www.lighttpd.net/2018/10/14/1.4.51/
[7] https://www.openssh.com/txt/release-7.9
[8] https://www.openssl.org/news/cl102.txt
[9] http://php.net/ChangeLog-7.php#7.1.24
[10] https://www.sudo.ws/stable.html#1.8.26

8
Announcements / OPNsense 18.7.7 released
« on: November 08, 2018, 04:26:49 pm »
Dear all,

Today we are addressing CVE-2018-18958 regarding an unenforced "deny config write" privilege. The issue was reported by brainrecursion this Monday and subsequently fixed along with several related issues. The "deny config write" privilege coupled with admin or user and group manager rights are affected combinations. It is an uncommon way to configure access as the "deny config write" privilege is commonly used for role-based access to non-system services, e.g. captive portals.

As we cannot be sure that no further issues of this sort exist please refrain from using the "deny config write" privilege or at least stop giving access to system services or full admin rights to these users or groups. In the midterm we will be looking for replacements of the current privilege for something that is more generic and robust in enforcement.

Additionally, the update to Suricata 4.0.6 addresses the SMTP crash vulnerability CVE-2018-18956. Since the update does not reboot without an operating system update please manually restart the intrusion detection service.

Here are the full patch notes:

o system: CVE-2018-18958 prevent restore of configuration of read-only user[1] (reported by brainrecursion)
o system: prevent related read-only user configuration manipulation for history and defaults pages
o system: prevent several creative ways to strip read-only privileges in the user and group manager
o system: allow wildcards in certificate subject alternative name
o system: avoid direct $global access in routing setup
o system: do not offer root-only opnsense-shell to non-root users
o system: remove FreeBSD 10 password workaround
o interfaces: use pure jquery to avoid browser-specific behaviour
o interfaces: nonfunctional cleanups in backend and interface GUI configuration
o interfaces: clear the correct files IPv6 state files on interface down
o interfaces: wait for PPPoE to fully exit on interface down
o firewall: fix port alias conversion under new API
o firewall: missing filter reload for port alias types
o firewall: missing "other" type in VIP network expand
o firewall: disabled alias should leave us with an empty one
o firewall: category for "United States" moves from Pacific to America
o firewall: resolve outbound NAT interface address in kernel
o dhcp: only map enabled interfaces in IPv4 leases
o dhcp: interface iteration code cleanups
o dhcp: do not hand out IPv6 system DNS servers when Unbound or Dnsmasq are used
o dhcp: IPv6 PD in manual DHCPv6 case (contributed by Team Rebellion)
o dhcp: correctly merge prefix for IPv6 static leases in manual DHCPv6 case (contributed by Raimar Sandner)
o firmware: add log file for package manager output
o monit: use theme override for widget CSS (contributed by Fabian Franz)
o ntp: internal cleanup of function argument order
o rc: improvements in service startup scripting
o rc: print date and time after successful boot
o unbound: disable redirect type until fixed
o web proxy: fix typo in description of upload caps (contributed by Juan Manuel Carrillo Moreno)
o shell: stop router advertisement daemon too on console port reassign
o mvc: remove errors in cron and monit API
o plugins: os-freeradius 1.8.2 (contributed by Michael Muenz and Reza Ebrahimi)
o plugins: os-nut 1.3 apcsmart and blazer_usb driver, reworked UI (contributed by Michael Muenz)
o plugins: os-telegraf 1.7.1 adds ZFS input (contributed by Michael Muenz)
o plugins: os-tinc now sets all defined subnets (contributed by QDaniel)
o plugins: os-theme-cicada 1.8 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.8 (contributed by Team Rebellion)
o plugins: os-smart 1.5 standard widget coloring (contributed by Fabian Franz)
o plugins: os-rspamd now uses scan_mime_parts (contributed by Michael Muenz)
o ports: curl 7.62.0[2]
o ports: krb5 1.16.2[3]
o ports: strongswan 5.7.1[4]
o ports: suricata 4.0.6[5]


Stay safe,
Your OPNsense team

--
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18958
[2] https://curl.haxx.se/changes.html
[3] https://web.mit.edu/kerberos/krb5-1.16/
[4] https://wiki.strongswan.org/versions/71
[5] https://suricata-ids.org/2018/11/06/suricata-4-0-6-available/

9
19.1 Production Series / 19.1-BETA images
« on: November 03, 2018, 05:29:34 pm »
Hi all,

As HardenedBSD has been awesomely delivering their version 11.2 for us and even fixing an issue on i386 while they don't actively support it, it's time to publish a beta test based on this work.

These images are assembled from the latest production release 18.7.6 and will update to 19.1 and later 18.7.x without problems. The key difference is the operating system switch from FreeBSD 11.1 to HardenedBSD 11.2.

BEGIN IMPORTANT NOTE

For this reason, the kernel and base package set are "locked" and MUST NOT be unlocked as this will reinstall the older operating system as OPNsense tries to get back to its latest known version on firmware upgrades. These locks will remove themselves on the final 19.1 transition and update correctly into subsequent 19.1.x.

END IMPORTANT NOTE

You can find a list of feature additions for the upcoming 19.1 here:

https://forum.opnsense.org/index.php?topic=10132.0

Additional features can be inspected in the development version, details here:

https://forum.opnsense.org/index.php?topic=8700.0

Last but not least, images for educational purposes have been published here:

https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/
https://pkg.opnsense.org/FreeBSD:11:i386/snapshots/

All feedback, comments, problem reports and even neutral "meh, works ok" are appreciated. :)


Thank you,
Franco on behalf of the OPNsense project

10
19.1 Production Series / 19.1 development milestones
« on: November 03, 2018, 01:47:24 pm »
Hi there,

Important milestones for us, partly shipped in 18.7.x:

* firewall alias API conversion
* collapsible side bar menu in the default theme
* arbitrary ZFS pool importer
* HardenedBSD 11.2
* LibreSSL 2.7
* Unbound 1.8
* Suricata 4.1
* Phalcon 3.4
* Perl 5.28
* Python 3.6 as an optional package for later 2.7 removal
* Realtek NIC driver version 1.95
* multiple DH groups and hash algorithms in IPsec phase 1
* redesigned interface binding for web GUI, Dnsmasq, Unbound, OpenSSH, Syslog export
* firmware health check extended to include kernel and base files
* firmware now embeds version and build information into core package
* firmware package mirror changes to HTTPS by default
* firmware obsolete base set removal, embedded into base set
* opnsense-version to read base, kernel, core and plugin info
* interface iteration function consolidation / simplification
* special interface address filter selectors moved to kernel-time resolving
* WPAD / PAC support in the web proxy
* updates are browser cache-safe regarding CSS and JavaScript assets
* MVC gained single-select, set-if-constraint and compared-to constraints
* captive portal connect API action
* PIE shaper support
* 2FA via LDAP-TOTP combination
* OpenVPN client export API
* Dnsmasq DNSSEC support
* extended IPv6 DUID support
* language updates for  Chinese, Czech, French, German, Japanese, Portuguese and Russian
* P12 certificate export with custom passwords
* Unified and improved anti-lockout behaviour
* web proxy parent proxy support
* Dpinger is now the default gateway monitor with Apinger being removed
* system notifications have been removed in favour of Monit service
* discontinued intrusion detection GeoIP support has been removed (use firewall aliases instead)
* Unbound statistics page
* console menu port configuration now allows to skip LAN and configure additional OPT interfaces (anti-lockout moves to OPT1 in this case)
* GRE IP alias support
* firewall NAT rule log support
* new plugins: os-api-backup, os-bind, os-dmidecode, os-nginx, os-ntopng, os-vnstat, os-dnscrypt-proxy
* rewritten plugins: os-wol

Questions, thoughts? Don't hesitate to ask!


Cheers,
Franco

11
Announcements / OPNsense 18.7.6 released
« on: October 25, 2018, 03:31:30 pm »
Hello there,

We are back for new features, updates and reliability fixes. Noteworthy are the addition of the PIE shaper option and firewall alias API. Both Unbound and Dnsmasq have been updated to their latest version.

Here are the full patch notes:

o firewall: resolve interface address ":0" for port forwarding in kernel
o firewall: list action corrections (contributed by Thomas Bandixen)
o firewall: add support for the PIE shaper (contributed by Michael Muenz)
o firewall: migrate to new alias API including a new failsafe
o firewall: repair log widget for plugin themes
o interfaces: do not remove CARP addresses on link-down
o interfaces: get pfsync MTU from actual CARP interface
o interfaces: add backend call returning all interface data
o interfaces: partially rewrite ping, port and traceroute tools
o interfaces: improve IPv6 merging in make_ipv6_64_address()
o interfaces: use correct IPv6 interface where appropriate
o interfaces: replace get_configured_interface_list() usage
o interfaces: small refactoring around interface up and down code
o system: cleanups in utility and config functions
o captive portal: added connect action in API (contributed by zvs44)
o firmware: move build-time version information to core version file
o firmware: rename backend script "audit" to "security" for clarity
o ipsec: bring back service widget lost back in 2016
o monit: change status page to support easier CSS styling
o unbound: set up a full chroot including local log socket
o unbound: replace custom msort() function with standard function
o unbound: use correct IPv4 or IPv6 interface for address lookups
o webgui: use interfaces_addresses() for interface binding
o mvc: show an error message on failed model migrations
o mvc: refactor __items access via iterateItems()
o mvc: accept style keyword on all input types
o mvc: improved menu API endpoint integration
o plugins: os-bind adds 4 new blacklist providers (contributed by Michael Muenz)
o plugins: os-dyndns validates custom updates solely for URL input
o plugins: os-nginx 1.3 correctly sets upstream headers (contributed by Fabian Franz)
o plugins: os-theme-cicada 1.6 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.7 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.5 (contributed by Team Rebellion)
o plugins: os-zerotier reorders VPN menu entry (contributed by Michael Muenz)
o src: fix regression in IPv6 fragment reassembly[1]
o src: fix NULL pointer dereference in freebsd4_getfsstat[2]
o src: fix DoS in listen syscall over IPv6 socket[3]
o src: fix small kernel memory disclosures[4]
o ports: unbound 1.8.1[5]
o ports: dnsmasq 2.80[6]


Stay safe,
Your OPNsense team

--
[1] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:09.ip.asc
[2] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:10.syscall.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:11.listen.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:12.mem.asc
[5] https://nlnetlabs.nl/projects/unbound/download/
[6] http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

12
Announcements / OPNsense 18.7.5 released
« on: October 17, 2018, 04:37:00 pm »
Hi folks,

While the HardenedBSD 11.2 adoption is almost finished behind the scenes, this release merely revolves around minor corrections and additions that make your life easier. We are also confident that 18.7.6 finally ships the firewall alias API.

Of worthy mention are also the IPsec phase 1 changes that allow multiple DH groups and hashes to be selected simultaneously to tackle interoperability between different mobile client requirements. Also check out the Nginx plugin which has again extended its utility belt to include limiting, permanent bans, caching and more.

Here are the full patch notes:

o system: add (de)select all option in LDAP importer
o firewall: keep previous content for URL alias on fetch error
o firewall: make schedule icon reflect current schedule state (contributed by framer99)
o firewall: toggle and migration fix for upcoming alias API
o firewall: round-robin limitation is for host alias outbound NAT only
o firewall: resolve network addresses in kernel for static routes bypass option
o firewall: do not clean up visible records when limit was not reached
o firewall: do not hardcode live log pass / block colours
o firewall: add live log direction icons
o firmware: shorten shaper name and assorted cleanups
o firmware: fix upgrade compatibility with FreeBSD 11.2
o firmware: use opnsense-version where appropriate
o firmware: correctly translate GUI buttons (contributed by Smart-Soft)
o dnsmasq: use more robust approach to interface binding
o ipsec: more secure phase 1 default settings (contributed by Michael Muenz)
o ipsec: support for multiple phase 1 DH groups and hashes
o openvpn: option to match CSO against common_name or login (contributed by Fabio Prina)
o unbound: fix usage of the remote control backend calls
o unbound: remove faulty "DHCP" label hint for IPv6 link-local registration option
o web proxy: several corrections for PAC template
o backend: fix CPU hogging when reading on already disconnected streams
o mvc: speed up parsing very large config files
o mvc: add single select constraint
o mvc: add UUID field to the result of addBase (contributed by CJ)
o ui: sidebar UX improvements (contributed by Team Rebellion)
o ui: use single guillemets for previous/next page
o plugins: os-acme-client /var MFS awareness
o plugins: os-cicada 1.5 (contributed by Team Rebellion)
o plugins: os-collectd 1.2 makes hostname override optional (contributed by Michael Muenz)
o plugins: os-dyndns 1.10 adds CloudFlare IPv6 support (contributed by Charles Ulrich)
o plugins: os-net-snmp 1.2 adds write access for users (contributed by Michael Muenz)
o plugins: os-nginx 1.2[1] (contributed by Fabian Franz)
o plugins: os-ntopng hides interface selection under advanced (contributed by Michael Muenz)
o plugins: os-openconnect allows uppercase usernames (contributed by Michael Muenz)
o plugins: os-postfix 1.6 adds port field (contributed by Michael Muenz)
o plugins: os-telegraf 1.7.0 adds global tags, HAProxy input, prometheus output, fixes logging (contributed by Michael Muenz)
o plugins: os-tukan 1.4 (contributed by Team Rebellion)
o plugins: os-vnstat 1.0 (contributed by Michael Muenz)
o plugins: os-zerotier fixes status table (contributed by Christoph Engelbert)
o ports: mpd5 upstream MTU fix[2]
o ports: PHP 7.1.23[3]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/commit/6776a5a17
[2] https://github.com/freebsd/freebsd-ports/commit/7d765cc2f
[3] http://php.net/ChangeLog-7.php#7.1.23

13
Announcements / OPNsense 18.7.4 released
« on: September 27, 2018, 04:02:41 pm »
Dear all,

This update reboots into the latest and greatest Realtek driver version 1.95. Also included is a web proxy implementation of the WPAD protocol. Furthermore LibreSSL was moved from version 2.6 to 2.7.

Originally planned was the release of the firewall alias API, but this will have to way a while longer. Thank you for your understanding and support!

Here are the full patch notes:

o system: correctly unset DNS override allow setting when saving
o system: remove unused / default arguments from get_possible_listen_ips()
o system: note that HA disable preempt requires reboot (contributed by Michael Muenz)
o interfaces: add static IPv6 correctly when on top of PPPoE (contributed by Team Rebellion)
o interfaces: lower MTU via tracked IPv6 interface MTU
o interfaces: 6RD IPv4 prefix override is now prefix-only
o firewall: also show scheduler info in shaper status (contributed by Michael Muenz)
o firmware: introduce opnsense-version utility and fully template build metadata
o firmware: annotate HTTP(S) status in mirrors in descriptions
o firmware: avoid base upgrade error when /proc is mounted
o monit: change mail format field for alerts to text area (contributed by Frank Brendel)
o openssh: further tweak new interface bind approach introduced in 18.7.3
o openvpn: change abbreviated column title to "Bytes Received" (contributed by Andy Binder)
o web proxy: support WPAD / PAC (contributed by Fabian Franz)
o ui: minified sidebar improvements (contributed by Team Rebellion)
o ui: introduce cache_safe() to invalidate browser cache after updates
o plugins: os-dyndns wildcard support for Namecheap
o plugins: os-ntopng 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.2 allows "@" in username (contributed by Michael Muenz)
o plugins: os-relayd 2.3 fixes stuck scheduler value (contributed by Frank Brendel)
o plugins: os-snmp compatibility fixes for version detection and listen interface core changes
o plugins: os-theme-cidada 1.4 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.6 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.3 (contributed by Team Rebellion)
o plugins: os-tor 1.7 allows to enable directory page (contributed by Fabian Franz)
o plugins: os-upnp compatibility fixes for version detection core changes
o src: fix out-of-bounds read vulnerability in libarchive
o src: update re(4) driver to upstream version 1.95
o ports: libressl 2.7.4[1]
o ports: php 7.1.22[2]
o ports: sqlite 3.25.1[3]
o ports: squid 3.5.28[4]


Stay safe,
Your OPNsense team

--
[1] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.7.4-relnotes.txt
[2] http://php.net/ChangeLog-7.php#7.1.22
[3] https://www.sqlite.org/releaselog/3_25_1.html
[4] http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5.28-RELEASENOTES.html

14
Announcements / OPNsense 18.7.3 released
« on: September 18, 2018, 06:07:57 pm »
Hi there,

Long-term IPv6 efforts continue in the form of further 6RD feature comfort and a few edge-case fixes in IPv6 interface selection. Please note there is a reboot necessary due to a security advisory amendment and errata patch.

Progress was made on the importer that blocked further efforts in ZFS installation originally planned for 18.7. You can now list available ZFS pool and import from any of those if you so wish. Props to Smart-Soft for the contribution.

On the plugin side development for the upcoming WireGuard VPN, ntopng and vnStat plugins continues. Check the forum for further updates.

Here are the full patch notes:

o system: gateways widget show/hide feature (contributed by Team Rebellion)
o system: select correct IPv6 default route when underlying IPv6 interface differs
o system: extended meta-matching for special characters in ACL patterns
o system: show last diff by default in configuration history page
o system: refactor password logic in user manager for clarity
o system: link-local listen IPv6 requires reading underlying IPv6 interface
o interfaces: avoid boot mismatch on several virtual plugin devices
o interfaces: list widget show/hide feature (contributed by Team Rebellion)
o interfaces: stats widget show/hide feature (contributed by Team Rebellion)
o interfaces: stop wireless software before bringing down the interfaces
o interfaces: fix selection issue for DHCPv6 PD "none" value
o interfaces: make "64" the page default for DHCPv6 PD
o interfaces: allow IPv4 address override in 6RD
o interfaces: fix 18.7.2 gateway read regression in 6RD
o interfaces: give each 6RD tracker a different IPv6 address
o dhcp: add DHCP Dynamic DNS key algorithm selection (contributed by Ingo Theiss)
o dhcp: correctly load DHCPv6 settings in manual tracking (contributed by Team Rebellion)
o dhcp: do not show lease actions if interface cannot be found
o dhcp: unhide DHCPv6 service when not using automatic PD
o dnsmasq: annotate that "all" is the recommended interface binding option
o importer: list all available ZFS pools (contributed by Smart-Soft)
o importer: do not try to unload ZFS on ZFS boot, sanely rejected anyway ;)
o importer: ZFS pools are now addressed as e.g. "zfs/zroot"
o importer: always loop until exit or successful import
o intrusion detection: source, destination, pass support in user rules (contributed by Michael Muenz)
o ipsec: change hash checkboxes in phase 2 to selectpicker
o openssh: change interface bind logic to only bind to currently available addresses
o openvpn: align status columns for client and P2P case (contributed by Andy Binder)
o shell: change banner and setaddr interface iteration
o unbound: swap stub-zone for forward-zone in overrides (contributed by John Keates)
o static: interface iteration conversions in system, firewall and interfaces pages
o ui: fix firmware-product file access when using ui_devtools
o plugins: os-bind 1.2 log file viewer and oversized list removal (contributed by Michael Muenz)
o plugins: os-c-icap 1.6 (contributed by Michael Muenz)
o plugins: os-dyndns 1.9 allow plus sign in username (contributed by Charles Ulrich)
o plugins: os-haproxy 2.9 backend HTTP reuse option (contributed by andrewheberle)
o plugins: os-net-snmp 1.1 IPv6 compatibility (contributed by MrXermon)
o plugins: os-rfc2136 1.4 widget style tweaks
o plugins: os-theme-rebellion 1.5 style update (contributed by Team Rebellion)
o plugins: os-tinc 1.4 log facility fix
o src: fix print of stf(4) interface information
o src: fix regression in Lazy FPU remediation[1]
o src: fix improper ELF header parsing[2]
o ports: curl 7.61.1[3]
o ports: lighttpd 1.4.50[4]
o ports: sudo 1.8.25p1[5]


Stay safe,
Your OPNsense team

--
[1] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:08.lazyfpu.asc
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:12.elf.asc
[3] https://curl.haxx.se/changes.html
[4] https://www.lighttpd.net/2018/8/13/1.4.50/
[5] https://www.sudo.ws/stable.html#1.8.25p1

15
General Discussion / Modern Gateway Monitoring
« on: September 13, 2018, 04:58:01 pm »
Hi everyone,

As you may have noticed Dpinger was added to help with the troubles that Apinger seems to have had over the years. Now that we have two monitoring tools there are a few questions for everybody using gateway monitoring that would help shape the direction of the feature set in the future.

1. Do you use (it for) Multi-WAN?
2. Do you use Apinger or Dpinger?
3. Would you prefer Dpinger to be the default in e.g. 19.1?
4. Would you prefer Apinger to be removed in e.g. 19.7?
5. And bonus question: What keeps you from using Dpinger? What do you miss about Apinger?

Here are my answers for my setups...

1. No.
2. Dpinger
3. Yes.
4. 19.1. :P
5. I don't use any special settings.


Thanks,
Franco

Pages: [1] 2 3 ... 15
OPNsense is an OSS project © Deciso B.V. 2015 - 2019 All rights reserved
  • SMF 2.0.15 | SMF © 2017, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2