Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - franco

Pages: [1] 2 3 ... 14

Announcements / OPNsense 18.7.9 released

« on: December 12, 2018, 03:40:40 pm »

Hello world!

To keep it snappy: enclosed are assorted updates and fixes, a new dnscrypt-proxy plugin as well as security updates from FreeBSD and third parties. Happy patchday!

Here are the full patch notes:

o system: allow setting alternative names on CSR
o system: add link-local routes with correct scope
o system: fix LDAP import button for Firefox
o system: assorted cleanups in HTML and PHP code
o interfaces: add note about CGN addresses included in private range
o interfaces: fix checksum disable for IPv6 TX / RX flags
o interfaces: multiple type DUID support (contributed by Team Rebellion)
o interfaces: properly read and write dhcp6c DUID binary file
o interfaces: do not read VLAN capabilities from nonexistent interfaces
o interfaces: removal of PEAR.inc from IPv6 address library
o interfaces: assorted cleanups in HTML and PHP code
o firewall: only suffix subnet alias entry when a network is expected
o firewall: default alias protocol to both IPv4 and IPv6
o firewall: fix validation of outbound NAT destination alias
o firewall: fix performance regression in get_alias_description()
o firewall: repair defunct "no nat proto carp all" rule
o firewall: limit type to CARP when checking for VIP VHID reuse
o firewall: refactor subnet retrieval in VIP deletion
o firewall: display VHID for IP alias in overview
o firewall: DHCPv6 outgoing firewall rule changed to "from (self)" to fix static setups
o firewall: rearranged outbound NAT bottom symbol hints (contributed by Team Rebellion)
o firewall: ignore empty values in alias migration (contributed by Frank Wall)
o firewall: assorted cleanups in HTML and PHP code
o captive portal: work around service boot ordering issue
o captive portal: change "onestop" to "stop" in backend action
o dnsmasq: add DNSSEC option
o dnsmasq: assorted cleanups in HTML and PHP code
o dhcp: show lease count in page heading
o dhcp: refactor IPv6 subnet read
o dhcp: fix DDNS IPv6 algorithm use
o dhcp: assorted cleanups in HTML and PHP code
o firmware: opnsense-version can now handle kernel, base and plugin metadata
o firmware: when pkg needs to be updated do not prompt for base and kernel set
o firmware: use embedded obsolete file list for removal on base set install
o intrusion detection: fix daily cron job, was actually monthly
o ipsec: assorted cleanups in HTML and PHP code
o openvpn: assorted cleanups in HTML and PHP code
o unbound: only use IPv6 when enabled and IPv4 is not preferred
o unbound: restart after VPN is up
o unbound: updated help text for verbosity level (contributed by Northguy)
o unbound: assorted cleanups in HTML and PHP code
o web proxy: move bump_step1 down (contributed by Michael Muenz)
o mvc: missing isset() in routes migration
o mvc: Phalcon 3.4.2 scope compatibility fix
o mvc: assorted fixes in PHPDoc
o mvc: fix advanced field bug in dialogs (contributed by Fabian Franz)
o mvc: SetIfConstraint (contributed by Fabian Franz)
o mvc: hidden input field (contributed by Fabian Franz)
o mvc: json-data access support (contributed by Fabian Franz)
o ui: remove markup from user indicator
o ui: sidebar fixes (contributed by Team Rebellion)
o plugins: os-acme-client 1.18 with GratisDNS and ACME DNS support (contributed by Frank Wall, ricobach, TuEye)
o plugins: os-bind 1.3 adds Google and Yahoo safe search (contributed by Michael Muenz)
o plugins: os-dnscrypt-proxy 1.0 (contributed by Michael Muenz)
o plugins: os-freeradius 1.8.3 makes use of certificates clearer (contributed by Michael Muenz)
o plugins: os-haproxy 2.12 HTTP/2 support, http-request before use_backend (contributed by Frank Wall, Mathias Aerts)
o plugins: os-net-snmp 1.3 mark device as L3 enabled via SysServices (contributed by Michael Muenz)
o plugins: os-nginx 1.5 with lots of new features[1] (contributed by Fabian Franz, Carlos Cesario, Julio Cesar Camargo, fzoske)
o plugins: os-nut 1.4 adds listen directive and more flexible arguments (contributed by Michael Muenz)
o plugins: os-postfix 1.7 adds address rewriting, sender/recipient BCC and domain masquerading (contributed by Michael Muenz)
o plugins: os-theme-cicada 1.11 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.8.1 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.10 (contributed by Team Rebellion)
o src: fix multiple vulnerabilities in NFS server code[2]
o src: fix ICMP buffer underwrite[3]
o src: timezone database information update[4]
o src: fix deferred kernel loading breaks loader password[5]
o src: fix insufficient bounds checking in bhyve(8) device model[6]
o ports: lighttpd 1.4.52[7]
o ports: sqlite 3.26.0[8]
o ports: perl 5.26.3[9]
o ports: php 7.1.25[10]
o ports: hostapd / wpa_supplicant 2.7[11]
o ports: unbound 1.8.2[12]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:13.nfs.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:13.icmp.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:14.tzdata.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:15.loader.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:14.bhyve.asc
[7] https://www.lighttpd.net/2018/11/28/1.4.52/
[8] https://www.sqlite.org/releaselog/3_26_0.html
[9] https://metacpan.org/pod/release/SHAY/perl-5.26.3/pod/perldelta.pod
[10] http://php.net/ChangeLog-7.php#7.1.25
[11] http://lists.infradead.org/pipermail/hostap/2018-December/039069.html
[12] https://nlnetlabs.nl/news/2018/Dec/04/unbound-1.8.2-released/

Announcements / OPNsense 18.7.8 released

« on: November 22, 2018, 03:03:58 pm »

Hi everyone,

This stable update finally brings you the promised LDAP+TOTP authentication, but also renewed language translations and several third party software updates for software such as OpenSSL, OpenSSH and Sudo. A reboot is not required, but recommended.

Here are the full patch notes:

o system: show the actual validation messages for NextCloud backup constraints
o system: LDAP import button primary colour and prevent default page submit
o system: add LDAP+TOTP authentication variant (2FA)
o system: avoid silent fatal error when LDAP OUs could not be retrieved
o system: avoid duplicated cookies on login page by not closing session
o system: allow to fully disable misc. reboot failsafe backups
o system: switch default argument for return_gateways_status()
o system: add "Synchronize config to backup" button to HA status page
o system: disable help text expand when backup fields have no help text
o system: sort user and group lists alphabetically
o interfaces: add CARP info to legacy_interfaces_details()
o interfaces: removal of find_interface_subnet() and find_interface_subnetv6()
o interfaces: introduce find_interface_network() and find_interface_networkv6()
o interfaces: refactor find_interface_ip() and find_interface_ipv6()
o interfaces: fix and use ipaddr6_ll return value in find_interface_ipv6_ll()
o firewall: extend outbound NAT address source and destination with networks
o firewall: fix save error when alias name contains an underscore
o firewall: do not set days or hours when update frequency is empty
o firewall: increase resolve() performance for aliases
o firmware: change packaging to be able to place files in the root directory
o reporting: fix possible division by zero in NetFlow aggregator
o dhcp: reorder arguments of function services_dhcpd_configure()
o dhcp: consolidate service probe of IPv6 and router advertisement daemons
o dhcp: fix clear hook on log file delete
o importer: make clear that /conf/config.xml is required for any import to take place
o monit: add quotes and timeout to custom program path (contributed by Frank Brendel)
o monit: add SSL options to mail server connection (contributed by Frank Brendel)
o network time: improve GPS status parsing
o openvpn: add remote address as route when set during linkup
o shell: interface banner now only shows enabled interfaces
o unbound: do not clear statistics when querying them
o lang: updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
o mvc: fix toggleBase returning 'failed' result when using $enabled
o mvc: fix PortField validation and make well-known ports optional
o mvc: fix checking empty string in grid view (contributed by Smart-Soft)
o rc: make it more obvious in /boot/loader.conf that system tunables work as well
o ui: sidebar performance optimisation (contributed by Team Rebellion)
o ui: vertically center current menu item on visible screen when height is too small
o plugins: os-haproxy 2.10[1][2][3] (contributed by Frank Wall)
o plugins: os-igmp-proxy forces reinstall due to missing core function
o plugins: os-ntopng 1.1 adds HTTPS support (contributed by Michael Muenz)
o plugins: os-nut fix for config file generation (contributed by Michael Muenz)
o plugins: os-postfix fixes typo (contributed by Michael Muenz)
o plugins: os-telegraf 1.7.2 adds validation messages to tags (contributed by Michael Muenz)
o plugins: os-theme-cicada 1.9 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.8 (contributed by Team Rebellion)
o plugins: os-upnp removes unused function
o plugins: os-zabbix-agent 1.4[4] (contributed by Frank Wall)
o ports: cyrus-sasl 2.1.27[5]
o ports: lighttpd 1.4.51[6]
o ports: openssh 7.9p1[7]
o ports: openssl 1.0.2q[8]
o ports: php 7.1.24[9]
o ports: pkg minor upstream fixes
o ports: sudo 1.8.26[10]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/960
[2] https://github.com/opnsense/plugins/pull/970
[3] https://github.com/opnsense/plugins/pull/1003
[4] https://github.com/opnsense/plugins/pull/998
[5] https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html
[6] https://www.lighttpd.net/2018/10/14/1.4.51/
[7] https://www.openssh.com/txt/release-7.9
[8] https://www.openssl.org/news/cl102.txt
[9] http://php.net/ChangeLog-7.php#7.1.24
[10] https://www.sudo.ws/stable.html#1.8.26

Announcements / OPNsense 18.7.7 released

« on: November 08, 2018, 04:26:49 pm »

Dear all,

Today we are addressing CVE-2018-18958 regarding an unenforced "deny config write" privilege. The issue was reported by brainrecursion this Monday and subsequently fixed along with several related issues. The "deny config write" privilege coupled with admin or user and group manager rights are affected combinations. It is an uncommon way to configure access as the "deny config write" privilege is commonly used for role-based access to non-system services, e.g. captive portals.

As we cannot be sure that no further issues of this sort exist please refrain from using the "deny config write" privilege or at least stop giving access to system services or full admin rights to these users or groups. In the midterm we will be looking for replacements of the current privilege for something that is more generic and robust in enforcement.

Additionally, the update to Suricata 4.0.6 addresses the SMTP crash vulnerability CVE-2018-18956. Since the update does not reboot without an operating system update please manually restart the intrusion detection service.

Here are the full patch notes:

o system: CVE-2018-18958 prevent restore of configuration of read-only user[1] (reported by brainrecursion)
o system: prevent related read-only user configuration manipulation for history and defaults pages
o system: prevent several creative ways to strip read-only privileges in the user and group manager
o system: allow wildcards in certificate subject alternative name
o system: avoid direct $global access in routing setup
o system: do not offer root-only opnsense-shell to non-root users
o system: remove FreeBSD 10 password workaround
o interfaces: use pure jquery to avoid browser-specific behaviour
o interfaces: nonfunctional cleanups in backend and interface GUI configuration
o interfaces: clear the correct files IPv6 state files on interface down
o interfaces: wait for PPPoE to fully exit on interface down
o firewall: fix port alias conversion under new API
o firewall: missing filter reload for port alias types
o firewall: missing "other" type in VIP network expand
o firewall: disabled alias should leave us with an empty one
o firewall: category for "United States" moves from Pacific to America
o firewall: resolve outbound NAT interface address in kernel
o dhcp: only map enabled interfaces in IPv4 leases
o dhcp: interface iteration code cleanups
o dhcp: do not hand out IPv6 system DNS servers when Unbound or Dnsmasq are used
o dhcp: IPv6 PD in manual DHCPv6 case (contributed by Team Rebellion)
o dhcp: correctly merge prefix for IPv6 static leases in manual DHCPv6 case (contributed by Raimar Sandner)
o firmware: add log file for package manager output
o monit: use theme override for widget CSS (contributed by Fabian Franz)
o ntp: internal cleanup of function argument order
o rc: improvements in service startup scripting
o rc: print date and time after successful boot
o unbound: disable redirect type until fixed
o web proxy: fix typo in description of upload caps (contributed by Juan Manuel Carrillo Moreno)
o shell: stop router advertisement daemon too on console port reassign
o mvc: remove errors in cron and monit API
o plugins: os-freeradius 1.8.2 (contributed by Michael Muenz and Reza Ebrahimi)
o plugins: os-nut 1.3 apcsmart and blazer_usb driver, reworked UI (contributed by Michael Muenz)
o plugins: os-telegraf 1.7.1 adds ZFS input (contributed by Michael Muenz)
o plugins: os-tinc now sets all defined subnets (contributed by QDaniel)
o plugins: os-theme-cicada 1.8 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.8 (contributed by Team Rebellion)
o plugins: os-smart 1.5 standard widget coloring (contributed by Fabian Franz)
o plugins: os-rspamd now uses scan_mime_parts (contributed by Michael Muenz)
o ports: curl 7.62.0[2]
o ports: krb5 1.16.2[3]
o ports: strongswan 5.7.1[4]
o ports: suricata 4.0.6[5]

Stay safe,
Your OPNsense team

--
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18958
[2] https://curl.haxx.se/changes.html
[3] https://web.mit.edu/kerberos/krb5-1.16/
[4] https://wiki.strongswan.org/versions/71
[5] https://suricata-ids.org/2018/11/06/suricata-4-0-6-available/

19.1 Development Series / 19.1-BETA images

« on: November 03, 2018, 05:29:34 pm »

Hi all,

As HardenedBSD has been awesomely delivering their version 11.2 for us and even fixing an issue on i386 while they don't actively support it, it's time to publish a beta test based on this work.

These images are assembled from the latest production release 18.7.6 and will update to 19.1 and later 18.7.x without problems. The key difference is the operating system switch from FreeBSD 11.1 to HardenedBSD 11.2.

BEGIN IMPORTANT NOTE

For this reason, the kernel and base package set are "locked" and MUST NOT be unlocked as this will reinstall the older operating system as OPNsense tries to get back to its latest known version on firmware upgrades. These locks will remove themselves on the final 19.1 transition and update correctly into subsequent 19.1.x.

END IMPORTANT NOTE

You can find a list of feature additions for the upcoming 19.1 here:

https://forum.opnsense.org/index.php?topic=10132.0

Additional features can be inspected in the development version, details here:

https://forum.opnsense.org/index.php?topic=8700.0

Last but not least, images for educational purposes have been published here:

https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/
https://pkg.opnsense.org/FreeBSD:11:i386/snapshots/

All feedback, comments, problem reports and even neutral "meh, works ok" are appreciated.

Thank you,
Franco on behalf of the OPNsense project

19.1 Development Series / 19.1 development milestones

« on: November 03, 2018, 01:47:24 pm »

Hi there,

Important milestones for us, partly shipped in 18.7.x:

* firewall alias API conversion
* collapsible side bar menu in the default theme
* arbitrary ZFS pool importer
* HardenedBSD 11.2
* LibreSSL 2.7
* Unbound 1.8
* Suricata 4.1
* Phalcon 3.4
* Perl 5.28
* Python 3.6 as an optional package for later 2.7 removal
* Realtek NIC driver version 1.95
* multiple DH groups and hash algorithms in IPsec phase 1
* redesigned interface binding for web GUI, Dnsmasq, Unbound, OpenSSH, Syslog export
* firmware health check extended to include kernel and base files
* firmware now embeds version and build information into core package
* firmware package mirror changes to HTTPS by default
* opnsense-version to read base, kernel, core and plugin info
* interface iteration function consolidation / simplification
* special interface address filter selectors moved to kernel-time resolving
* WPAD / PAC support in the web proxy
* updates are browser cache-safe regarding CSS and JavaScript assets
* MVC gained single-select constraint
* captive portan connect API action
* PIE shaper support
* 2FA via LDAP-TOTP combination
* OpenVPN client export API
* Dnsmasq DNSSEC support
* extended IPv6 DUID support
* language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
* RFC 3118 DHCP support (Orange FR et. al.)
* new plugins: os-bind, os-nginx, os-ntopng, os-vnstat, os-dnscrypt-proxy
* rewritten plugins: os-wol

Questions, thoughts? Don't hesitate to ask!

Cheers,
Franco

Announcements / OPNsense 18.7.6 released

« on: October 25, 2018, 03:31:30 pm »

Hello there,

We are back for new features, updates and reliability fixes. Noteworthy are the addition of the PIE shaper option and firewall alias API. Both Unbound and Dnsmasq have been updated to their latest version.

Here are the full patch notes:

o firewall: resolve interface address ":0" for port forwarding in kernel
o firewall: list action corrections (contributed by Thomas Bandixen)
o firewall: add support for the PIE shaper (contributed by Michael Muenz)
o firewall: migrate to new alias API including a new failsafe
o firewall: repair log widget for plugin themes
o interfaces: do not remove CARP addresses on link-down
o interfaces: get pfsync MTU from actual CARP interface
o interfaces: add backend call returning all interface data
o interfaces: partially rewrite ping, port and traceroute tools
o interfaces: improve IPv6 merging in make_ipv6_64_address()
o interfaces: use correct IPv6 interface where appropriate
o interfaces: replace get_configured_interface_list() usage
o interfaces: small refactoring around interface up and down code
o system: cleanups in utility and config functions
o captive portal: added connect action in API (contributed by zvs44)
o firmware: move build-time version information to core version file
o firmware: rename backend script "audit" to "security" for clarity
o ipsec: bring back service widget lost back in 2016
o monit: change status page to support easier CSS styling
o unbound: set up a full chroot including local log socket
o unbound: replace custom msort() function with standard function
o unbound: use correct IPv4 or IPv6 interface for address lookups
o webgui: use interfaces_addresses() for interface binding
o mvc: show an error message on failed model migrations
o mvc: refactor __items access via iterateItems()
o mvc: accept style keyword on all input types
o mvc: improved menu API endpoint integration
o plugins: os-bind adds 4 new blacklist providers (contributed by Michael Muenz)
o plugins: os-dyndns validates custom updates solely for URL input
o plugins: os-nginx 1.3 correctly sets upstream headers (contributed by Fabian Franz)
o plugins: os-theme-cicada 1.6 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.7 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.5 (contributed by Team Rebellion)
o plugins: os-zerotier reorders VPN menu entry (contributed by Michael Muenz)
o src: fix regression in IPv6 fragment reassembly[1]
o src: fix NULL pointer dereference in freebsd4_getfsstat[2]
o src: fix DoS in listen syscall over IPv6 socket[3]
o src: fix small kernel memory disclosures[4]
o ports: unbound 1.8.1[5]
o ports: dnsmasq 2.80[6]

Stay safe,
Your OPNsense team

--
[1] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:09.ip.asc
[2] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:10.syscall.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:11.listen.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:12.mem.asc
[5] https://nlnetlabs.nl/projects/unbound/download/
[6] http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

Announcements / OPNsense 18.7.5 released

« on: October 17, 2018, 04:37:00 pm »

Hi folks,

While the HardenedBSD 11.2 adoption is almost finished behind the scenes, this release merely revolves around minor corrections and additions that make your life easier. We are also confident that 18.7.6 finally ships the firewall alias API.

Of worthy mention are also the IPsec phase 1 changes that allow multiple DH groups and hashes to be selected simultaneously to tackle interoperability between different mobile client requirements. Also check out the Nginx plugin which has again extended its utility belt to include limiting, permanent bans, caching and more.

Here are the full patch notes:

o system: add (de)select all option in LDAP importer
o firewall: keep previous content for URL alias on fetch error
o firewall: make schedule icon reflect current schedule state (contributed by framer99)
o firewall: toggle and migration fix for upcoming alias API
o firewall: round-robin limitation is for host alias outbound NAT only
o firewall: resolve network addresses in kernel for static routes bypass option
o firewall: do not clean up visible records when limit was not reached
o firewall: do not hardcode live log pass / block colours
o firewall: add live log direction icons
o firmware: shorten shaper name and assorted cleanups
o firmware: fix upgrade compatibility with FreeBSD 11.2
o firmware: use opnsense-version where appropriate
o firmware: correctly translate GUI buttons (contributed by Smart-Soft)
o dnsmasq: use more robust approach to interface binding
o ipsec: more secure phase 1 default settings (contributed by Michael Muenz)
o ipsec: support for multiple phase 1 DH groups and hashes
o openvpn: option to match CSO against common_name or login (contributed by Fabio Prina)
o unbound: fix usage of the remote control backend calls
o unbound: remove faulty "DHCP" label hint for IPv6 link-local registration option
o web proxy: several corrections for PAC template
o backend: fix CPU hogging when reading on already disconnected streams
o mvc: speed up parsing very large config files
o mvc: add single select constraint
o mvc: add UUID field to the result of addBase (contributed by CJ)
o ui: sidebar UX improvements (contributed by Team Rebellion)
o ui: use single guillemets for previous/next page
o plugins: os-acme-client /var MFS awareness
o plugins: os-cicada 1.5 (contributed by Team Rebellion)
o plugins: os-collectd 1.2 makes hostname override optional (contributed by Michael Muenz)
o plugins: os-dyndns 1.10 adds CloudFlare IPv6 support (contributed by Charles Ulrich)
o plugins: os-net-snmp 1.2 adds write access for users (contributed by Michael Muenz)
o plugins: os-nginx 1.2[1] (contributed by Fabian Franz)
o plugins: os-ntopng hides interface selection under advanced (contributed by Michael Muenz)
o plugins: os-openconnect allows uppercase usernames (contributed by Michael Muenz)
o plugins: os-postfix 1.6 adds port field (contributed by Michael Muenz)
o plugins: os-telegraf 1.7.0 adds global tags, HAProxy input, prometheus output, fixes logging (contributed by Michael Muenz)
o plugins: os-tukan 1.4 (contributed by Team Rebellion)
o plugins: os-vnstat 1.0 (contributed by Michael Muenz)
o plugins: os-zerotier fixes status table (contributed by Christoph Engelbert)
o ports: mpd5 upstream MTU fix[2]
o ports: PHP 7.1.23[3]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/commit/6776a5a17
[2] https://github.com/freebsd/freebsd-ports/commit/7d765cc2f
[3] http://php.net/ChangeLog-7.php#7.1.23

Announcements / OPNsense 18.7.4 released

« on: September 27, 2018, 04:02:41 pm »

Dear all,

This update reboots into the latest and greatest Realtek driver version 1.95. Also included is a web proxy implementation of the WPAD protocol. Furthermore LibreSSL was moved from version 2.6 to 2.7.

Originally planned was the release of the firewall alias API, but this will have to way a while longer. Thank you for your understanding and support!

Here are the full patch notes:

o system: correctly unset DNS override allow setting when saving
o system: remove unused / default arguments from get_possible_listen_ips()
o system: note that HA disable preempt requires reboot (contributed by Michael Muenz)
o interfaces: add static IPv6 correctly when on top of PPPoE (contributed by Team Rebellion)
o interfaces: lower MTU via tracked IPv6 interface MTU
o interfaces: 6RD IPv4 prefix override is now prefix-only
o firewall: also show scheduler info in shaper status (contributed by Michael Muenz)
o firmware: introduce opnsense-version utility and fully template build metadata
o firmware: annotate HTTP(S) status in mirrors in descriptions
o firmware: avoid base upgrade error when /proc is mounted
o monit: change mail format field for alerts to text area (contributed by Frank Brendel)
o openssh: further tweak new interface bind approach introduced in 18.7.3
o openvpn: change abbreviated column title to "Bytes Received" (contributed by Andy Binder)
o web proxy: support WPAD / PAC (contributed by Fabian Franz)
o ui: minified sidebar improvements (contributed by Team Rebellion)
o ui: introduce cache_safe() to invalidate browser cache after updates
o plugins: os-dyndns wildcard support for Namecheap
o plugins: os-ntopng 1.0 (contributed by Michael Muenz)
o plugins: os-openconnect 1.2 allows "@" in username (contributed by Michael Muenz)
o plugins: os-relayd 2.3 fixes stuck scheduler value (contributed by Frank Brendel)
o plugins: os-snmp compatibility fixes for version detection and listen interface core changes
o plugins: os-theme-cidada 1.4 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.6 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.3 (contributed by Team Rebellion)
o plugins: os-tor 1.7 allows to enable directory page (contributed by Fabian Franz)
o plugins: os-upnp compatibility fixes for version detection core changes
o src: fix out-of-bounds read vulnerability in libarchive
o src: update re(4) driver to upstream version 1.95
o ports: libressl 2.7.4[1]
o ports: php 7.1.22[2]
o ports: sqlite 3.25.1[3]
o ports: squid 3.5.28[4]

Stay safe,
Your OPNsense team

--
[1] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.7.4-relnotes.txt
[2] http://php.net/ChangeLog-7.php#7.1.22
[3] https://www.sqlite.org/releaselog/3_25_1.html
[4] http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5.28-RELEASENOTES.html

Announcements / OPNsense 18.7.3 released

« on: September 18, 2018, 06:07:57 pm »

Hi there,

Long-term IPv6 efforts continue in the form of further 6RD feature comfort and a few edge-case fixes in IPv6 interface selection. Please note there is a reboot necessary due to a security advisory amendment and errata patch.

Progress was made on the importer that blocked further efforts in ZFS installation originally planned for 18.7. You can now list available ZFS pool and import from any of those if you so wish. Props to Smart-Soft for the contribution.

On the plugin side development for the upcoming WireGuard VPN, ntopng and vnStat plugins continues. Check the forum for further updates.

Here are the full patch notes:

o system: gateways widget show/hide feature (contributed by Team Rebellion)
o system: select correct IPv6 default route when underlying IPv6 interface differs
o system: extended meta-matching for special characters in ACL patterns
o system: show last diff by default in configuration history page
o system: refactor password logic in user manager for clarity
o system: link-local listen IPv6 requires reading underlying IPv6 interface
o interfaces: avoid boot mismatch on several virtual plugin devices
o interfaces: list widget show/hide feature (contributed by Team Rebellion)
o interfaces: stats widget show/hide feature (contributed by Team Rebellion)
o interfaces: stop wireless software before bringing down the interfaces
o interfaces: fix selection issue for DHCPv6 PD "none" value
o interfaces: make "64" the page default for DHCPv6 PD
o interfaces: allow IPv4 address override in 6RD
o interfaces: fix 18.7.2 gateway read regression in 6RD
o interfaces: give each 6RD tracker a different IPv6 address
o dhcp: add DHCP Dynamic DNS key algorithm selection (contributed by Ingo Theiss)
o dhcp: correctly load DHCPv6 settings in manual tracking (contributed by Team Rebellion)
o dhcp: do not show lease actions if interface cannot be found
o dhcp: unhide DHCPv6 service when not using automatic PD
o dnsmasq: annotate that "all" is the recommended interface binding option
o importer: list all available ZFS pools (contributed by Smart-Soft)
o importer: do not try to unload ZFS on ZFS boot, sanely rejected anyway

o importer: ZFS pools are now addressed as e.g. "zfs/zroot"
o importer: always loop until exit or successful import
o intrusion detection: source, destination, pass support in user rules (contributed by Michael Muenz)
o ipsec: change hash checkboxes in phase 2 to selectpicker
o openssh: change interface bind logic to only bind to currently available addresses
o openvpn: align status columns for client and P2P case (contributed by Andy Binder)
o shell: change banner and setaddr interface iteration
o unbound: swap stub-zone for forward-zone in overrides (contributed by John Keates)
o static: interface iteration conversions in system, firewall and interfaces pages
o ui: fix firmware-product file access when using ui_devtools
o plugins: os-bind 1.2 log file viewer and oversized list removal (contributed by Michael Muenz)
o plugins: os-c-icap 1.6 (contributed by Michael Muenz)
o plugins: os-dyndns 1.9 allow plus sign in username (contributed by Charles Ulrich)
o plugins: os-haproxy 2.9 backend HTTP reuse option (contributed by andrewheberle)
o plugins: os-net-snmp 1.1 IPv6 compatibility (contributed by MrXermon)
o plugins: os-rfc2136 1.4 widget style tweaks
o plugins: os-theme-rebellion 1.5 style update (contributed by Team Rebellion)
o plugins: os-tinc 1.4 log facility fix
o src: fix print of stf(4) interface information
o src: fix regression in Lazy FPU remediation[1]
o src: fix improper ELF header parsing[2]
o ports: curl 7.61.1[3]
o ports: lighttpd 1.4.50[4]
o ports: sudo 1.8.25p1[5]

Stay safe,
Your OPNsense team

--
[1] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:08.lazyfpu.asc
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:12.elf.asc
[3] https://curl.haxx.se/changes.html
[4] https://www.lighttpd.net/2018/8/13/1.4.50/
[5] https://www.sudo.ws/stable.html#1.8.25p1

General Discussion / Modern Gateway Monitoring

« on: September 13, 2018, 04:58:01 pm »

Hi everyone,

As you may have noticed Dpinger was added to help with the troubles that Apinger seems to have had over the years. Now that we have two monitoring tools there are a few questions for everybody using gateway monitoring that would help shape the direction of the feature set in the future.

1. Do you use (it for) Multi-WAN?
2. Do you use Apinger or Dpinger?
3. Would you prefer Dpinger to be the default in e.g. 19.1?
4. Would you prefer Apinger to be removed in e.g. 19.7?
5. And bonus question: What keeps you from using Dpinger? What do you miss about Apinger?

Here are my answers for my setups...

1. No.
2. Dpinger
3. Yes.
4. 19.1.

5. I don't use any special settings.

Thanks,
Franco

18.7 Production Series / 16.1 and 16.7 update sets have been removed

« on: September 13, 2018, 02:09:13 pm »

Hi all,

We have 4 major releases out in the wild so we discontinue online update support for the 16.1 and 16.7 versions effective immediately.

If you are stuck on a 16.x system now please use an image to import your config and install a recent version, e.g.:

https://pkg.opnsense.org/releases/mirror/

Cheers,
Franco

Announcements / OPNsense 18.7.2 released

« on: September 06, 2018, 07:29:52 pm »

Good day folks,

Lots of third party security updates, plugin updates and minor enhancements in overall system reliability.

In other news the firewall alias API has been finished in the development version. If you use the development version you cannot go back to the production version until the API has been released there as well, which is probably 18.7.3 so not too far away. We are happy about all reports of the new alias pages and API usability.

We will soon begin the migration work for FreeBSD 11.2 for 19.1, but please keep in mind that we will be issuing security advisories to 11.1 when they arise even beyond the original end of life policy.

Here are the full patch notes:

o system: select correct network interface in case of IPv6 gateway lookups
o system: tighten system wizard ACL and menu registration
o system: do not wrap first column of log viewer (contributed by Alexander Graf)
o firewall: return alias types to repair its outbound NAT rule edit
o firewall: hide NAT redirect target port when port is not applicable
o firewall: alias API is now live on the development version and will migrate your aliases to the new format
o interfaces: allow explicit MTU to reach the 6RD device
o interfaces: remove use of adv_dhcp6_prefix_interface_statement_sla_id (contributed by Team Rebellion)
o interfaces: fix for DHCPv6 not being restarted for tracked interfaces (contributed by Team Rebellion)
o interfaces: fix adding interfaces LAN bug of translated web GUI (contributed by Werner Fischer)
o interfaces: remove incorrect display of prefix ID in help text for tracking configuration
o interfaces: add groups to interface details output
o interfaces: remove unused code and other nonfunctional cleanups
o interfaces: use "x" in the list widget for no carrier
o interfaces: hide global IPv6 address in list widget if DHCPv6 is set to use only a prefix
o dhcp: remove unused inputs from static mapping page
o dhcp: treat EFI BC the same as EFI x86-64 (contributed by andi-makandra)
o ipsec: add automatic key exchange option
o openvpn: fix /32 host validation logic
o openvpn: clean up control sockets prior to startup
o openvpn: align user authentication to use common_name as username
o mvc: add iterateItems() method to base field type to simplify call flow
o mvc: fix configd asList helper (contributed by Fabian Franz)
o mvc: add configd XML attributes to template parser
o ui: allow version query to match on main.css probing
o ui: footer cleanups and static page repairs where boxing was not correct
o ui: no minified version for tokenize2
o ui: fix table headers in dialogs (contributed by Fabian Franz)
o plugins: os-bind 1.1 adds 3 DNSBL providers (contributed by Michael Muenz)
o plugins: os-freeradius 1.8.0 adds basic SQLite support (contributed by Michael Muenz)
o plugins: os-haproxy 2.8[1] (contributed by Frank Wall)
o plugins: os-nginx 1.0 (contributed by Fabian Franz)
o plugins: os-postfix 1.5 allow empty destination in transport (contributed by Michael Muenz)
o plugins: os-telegraf 1.5.1 adds ElasticSearch output and disk ignore fix (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.4 style fixes
o src: L1 terminal fault (L1TF) kernel information disclosure[2]
o src: resource exhaustion in IP fragment reassembly[3]
o ports: ntp 4.2.8p12[4]
o ports: openssl 1.0.2p[5]
o ports: phalcon 3.4.1[6]
o ports: php 7.1.21[7]
o ports: sudo 1.8.24[8]
o ports: wpa_supplicant security updates[9]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/772
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:09.l1tf.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:10.ip.asc
[4] http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
[5] https://www.openssl.org/news/cl102.txt
[6] https://github.com/phalcon/cphalcon/releases/tag/v3.4.1
[7] http://php.net/ChangeLog-7.php#7.1.21
[8] https://www.sudo.ws/stable.html
[9] https://w1.fi/security/2018-1/

Announcements / OPNsense 18.7.1 released

« on: August 14, 2018, 01:44:42 pm »

Hi everyone,

This is the first stable update and includes security updates for several third party software and FreeBSD. A Bind plugin was released with DNSBL support and the reported problems with the HAProxy plugin have been sorted out thanks to enthusiastic reporters and testers.

Here are the full patch notes:

o system: hide web server info from server tag
o system: fix group privileges edit menu hint
o system: add text area field to backup framework (contributed by Joao Vilaca)
o interfaces: use NIC preference for VLAN hardware filtering in default config
o interfaces: router advertisement and DHCPv6 configure fix (contributed by Team Rebellion)
o interfaces: fix PD when using DHCPv6 override on tracked interface
o firewall: toggle filter and NAT rules using checkboxes
o firewall: add state-policy if-bound option
o firewall: added logging for tracing internal rule generator
o firewall: fix ordering issue in port validation and disable
o firewall: fix disabled reject action icon display (contributed by framer99)
o captive portal: fix usage of vouchers and group with spaces in their names
o captive portal: hide web server info from server tag
o dnsmasq: fix listening behaviour on empty but set interface selection
o firmware: remove the 18.1 update fingerprint and pre-18.7 config file fallback
o firmware: do not show development version changelogs in releases
o intrusion detection: reworked rule selection
o ipsec: use selectpicker in mobile page
o ipsec: add Brainpool EC groups
o openvpn: do not remove client specific override files on disconnect
o openvpn: do not create v6 gateway if disabled
o shell: omit ":" from SSL fingerprint display
o unbound: fix menu access for overrides
o wizard: fix root password input
o backend: call shutdown before close in background daemon
o mvc: cause data from callback_ok to be passed through (contributed by Nicholas de Jong)
o mvc: minor glich in getFormData() we should ignore empty id fields
o mvc: do not offer internal interfaces in generic interface selector
o mvc: handle validations better by removing duplicate messages
o mvc: fix two glitches in new tokenize field handling
o mvc: add numeric field type
o rc: update php.ini include paths (contributed by Joao Vilaca)
o ui: fix spacing of containers in static pages
o ui: fix sidebar collapse in MVC pages for supported themes
o ui: blank problem advanced button (contributed by Team Rebellion)
o ui: store preference for sidebar toggle and remember the current setting on resize
o plugins: os-acme-client 1.16 adds several DNS providers, ECC renewal fix and OSCP must staple (contributed by Omar Khalil)
o plugins: os-bind 1.0 with blacklist (DNSBL) support (contributed by Michael Muenz)
o plugins: os-smart 1.4 with style fixes (contributed by Fabian Franz)
o plugins: os-wol 2.0 fixes ACL pattern and interface selection
o plugins: os-theme-cicada 1.3 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.2 (contributed by Team Rebellion)
o src: resource exhaustion in TCP reassembly[1]
o ports: curl 7.61.0[2]
o ports: hyperscan 4.7.0[3]
o ports: mpd5 upstream fixes[4][5]
o ports: py-cryptography 2.3[6]
o ports: py-idna 2.7[7]

A hotfix release was issued as 18.7.1_3:

o system: fix policy check on empty password save
o captive portal: fix duplicated server tag
o openvpn: address P2P TLS /30 network client-connect validation quirk

Stay safe,
Your OPNsense team

--
[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:08.tcp.asc
[2] https://curl.haxx.se/changes.html
[3] https://github.com/intel/hyperscan/releases/tag/v4.7.0
[4] https://github.com/freebsd/freebsd-ports/commit/67bbe6317
[5] https://github.com/freebsd/freebsd-ports/commit/052b84f3ec
[6] https://cryptography.io/en/latest/changelog/#v2-3
[7] https://github.com/kjd/idna/releases/tag/v2.7

Announcements / OPNsense 18.7 released

« on: July 31, 2018, 02:11:28 pm »

Dear friends and followers,

For 3 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

Another 6 months passed by ever so quickly! The main goal for 18.7, nicknamed "Happy Hippo", is stability so we have not yet begun to adopt FreeBSD 11.2, but there are several of its Intel NIC driver updates included to bridge the gap until 19.1 comes out. The upgrade also includes a tremendous amount of IPv6 improvements including 6RD support as well as authentication and backup framework consolidation. Please also take note that QinQ is no longer included in this release.

These are the most prominent changes since version 18.1:

o improved WAN DHCPv6 and SLAAC connectivity and tracking
o functional IPv6 Rapid Deployment (6RD) support
o improved default route handling and gateway switching
o OpenVPN default setup improvements for IPv6 and RADIUS attribute support
o Dpinger gateway monitoring integration
o password policies for local authentication and coupled TOTP
o Monit core integration to eventually replace the legacy notifications
o OpenSSH access via group and shell selection instead of privilege
o pluggable backup framework with new Nextcloud option
o sytem tunables are now also used as loader tunables
o unrestricted VLAN usage for e.g. Xen
o QinQ interface removal
o firmware GUI speedup, improved error parsing and console reboot hint
o ZFS on root boot support (installer support is pending, but opnsense-bootstrap works)
o ZFS and MSDOS config import support
o ISC DHCP version moves from 4.3 to 4.4
o RRDtool version moves from 1.2 to 1.7
o rework rc.syshook facility to use drop-in directories instead of suffixes
o backports of FreeBSD 11.2 Intel NIC drivers
o stand-alone frontend UI development tools
o language updates for Czech, French, German, Portuguese (Brazil)
o UI header security and SSL cipher hardening
o extensive UI cleanups and menu consolidation
o new and rewritten plugins: os-cache, os-lcdproc-sdeclcd, os-net-snmp,
os-nut, os-openconnect, os-relayd 2.0, os-shadowsocks, os-theme-cicada,
os-theme-rebellion, os-theme-tukan, os-wol 2.0

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/18.7/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/18.7/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/18.7/
o South America: http://mirror.upb.edu.co/opnsense/releases/18.7/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/18.7/
o Full mirror list: https://opnsense.org/download/

Here are the full changes against version 18.7-RC2:

o system: clarify help for preventing local nameserver usage in general settings
o system: deal with ACL trailing slash wildcards due to its removal from menu links
o system: allow LDAP user import even when multiple authentications servers are set
o system: merge duplicated encrypt() and decrypt() config backup implementations
o system: extend encrypt() and decrypt() with optional header, footer and attribute usage
o system: optional encryption of Nextcloud backup through user-specified password (contributed by Fabian Franz)
o interfaces: do not yield IPv6 tunnel addresses via legacy_getall_interface_addresses()
o firewall: rules alias preview on hover when no description was provided
o firewall: transitional code for upcoming alias API usage
o firewall: remove alias types urltable_ports and url_ports
o firewall: revert only binding to first interface address due to ambiguity in IPv6 local-link setups
o dnsmasq: unconditionally listen on loopback device but avoid binding more than 127.0.0.1 in IPv4
o installer: properly accept cancel on guided install
o installer: removed unused mail log feature
o ipsec: remove validation to support for IPv6 over IPv4 tunnel and vice versa
o web proxy: more elaborate fix of IDNA encode with leading dots
o mvc: always use std_bootgrid_reload() for bootgrid reloads
o ui: sidebar menu support for optional themes (contributed by Team Rebellion)
o plugins: os-dyndns 1.8 fixes Eurodns support
o plugins: os-theme-rebellion 1.3 (contributed by Team Rebellion)
o plugins: os-relayd 2.2 (contributed by Frank Brendel)
o plugins: os-siproxd 1.3 (contributed by Michael Muenz)
o ports: dhcp6c v20180720 with fix for raw support (contributed by Team Rebellion)
o ports: php 7.1.20[2]

Migration notes and minor incomatibilities to look out for:

o SSH access is now bound to the "wheel" group which is automatically added to "admins" group, which "root" is a member of. "root" is the only user that has a default shell, namely opnsense-shell, which is the root console menu.
o SSH access can be set for an arbitrary group as well under System: Administration for non-members of "admins" group. However, in both cases only SCP works due to a request in the forum to be more proactive regarding yielding of shell access rights. If you want a user to gain true SSH access you need to change their shell from "nologin" to an installed shell in their respective settings.
o Web GUI HTTPS ciphers have been hardened. To gain access please use a recent browser.
o The authentication fallback for the GUI/system has been removed in favour of selecting multiple authentication servers at once. Reassign your fallback as a primary authentication method or now use more than two methods.
o It has been found that although WAN interfaces require gateways to function, they do not necessarily have to be assigned in single-WAN scenarios to avoid interfering with WAN reply behaviour. The "none" selection was therefore changed to "auto-detect" to reflect this and now is the recommended setting unless multi-WAN is used.
o In preparation for the firewall alias API the per-item descriptions have been removed along with support for the deprecated types urltable_ports and url_ports.
o OpenVPN /31 tunnel network calculation changed to use the first and last address as network address and broadcast address do not exist. If you are affected, adjust your clients or export their configuration again which includes the configuration fix. Additionally, /32 tunnel networks are now prohibited.

All images are provided with SHA-256 signatures, which can be verified against the distributed public key:

# openssl base64 -d -in image.bz2.sig -out /tmp/image.sig
# openssl dgst -sha256 -verify rsa.pub -signature /tmp/image.sig image.bz2

The public key for the 18.7 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvkEFA2+DAhWXfucsgdvZ
8xxkuzNt0nYttTmbRtLVJRKREysOj3/nqBcFWtvLr3ooVhkbxVY7HPLEoicqFdG/
+m5lLR2kI7hnZ2mpkl+/NKSixJaZkqXi5cQCp8KUlE7oOu3d6O5ZtTg4g40Ms8Dp
bQw8oZo3NpBrQK3gEEEzNYgChkZwTrEZ1Y8v8+/3zggh44sqg4vA1j5g9jq3Ldms
3KnulBgettpHIapeAmbtCokaLaXxf4lgQxyUsy077aeNRptDpGG3D5ZQgtIjaYeE
h3u51PaVTL5OY/2uvcTnxR/ZrrHpppkIutUGzGJo9KK0gfrXLi31r9e+xtBJYBdC
FtdefujlV3Cfw1OFpUY/Y1p921xgHftNnrVDk+C9kl+FKf3qvFeyGCbd9V2k1JM2
uXHDwbsjZNPhbxbqtCoCDMbsUjBsfWyAOIoZfXOSmqJQt3jBUvwXKwLKncVh4Tvu
wxJGXNZXk/OCHVQYlx/uzwf5/ly/ApIwMKqr66E7mo0OVkPaME0uCCUJolugu9lI
tW8TJVZryBCQMQ4XhPZkcny22I2oRI5nCu7baRrFNJ8gB8UYUnrIPTIJIhrjrVOg
pFOxSb/tZAqtutFOE8F5+KwcgGlOBOKXPaNrdQ79X4kH7egChPrhm283rfW1oEG6
8rHzvP45S09L8o7OXUddo8UCAwEAAQ==
-----END PUBLIC KEY-----

Stay safe and happy,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] http://php.net/ChangeLog-7.php#7.1.20

# SHA256 (OPNsense-18.7-OpenSSL-dvd-amd64.iso.bz2) = 6b3528f8dea8de5c96de5547636fd51c40382c245b30eb215608acbd04fb7e91
# SHA256 (OPNsense-18.7-OpenSSL-nano-amd64.img.bz2) = cb0272f0bd945ea8070d9a40af2cd47a3b68e9bd389395b285bb9ab4128d1f00
# SHA256 (OPNsense-18.7-OpenSSL-serial-amd64.img.bz2) = a4556080532d22e9ab296e2c6e163b3d65d5fe54a642253e1c01a22721afa850
# SHA256 (OPNsense-18.7-OpenSSL-vga-amd64.img.bz2) = 4408840fba4177d44503968fce44d8ca7180003728660fd9c0a2e6920346008c

# SHA256 (OPNsense-18.7-OpenSSL-dvd-i386.iso.bz2) = 8ea49dcb512365a1e92e94fb38f1b4a85463ffacfb98c055e84e6340a6321ecf
# SHA256 (OPNsense-18.7-OpenSSL-nano-i386.img.bz2) = bdd753a63367944452d2d5d1e73e4aa9f3d607012d10c4274420d23867a4fbad
# SHA256 (OPNsense-18.7-OpenSSL-serial-i386.img.bz2) = f74f5fd1c24cc54002fa9b99a0c10b4402b3f748a315ff302126acb154cd2633
# SHA256 (OPNsense-18.7-OpenSSL-vga-i386.img.bz2) = 52208b57f9e89d235411df33faac71b8d9872d50947ff4c0dca6f552424a4d95

Announcements / OPNsense 18.1.13 released

« on: July 24, 2018, 05:58:03 pm »

Dear all,

It is that time of the year again: this update is the last one in the 18.1 series and 18.7, nicknamed "Happy Hippo", will be released next week!

The transition will be seamless when heeding the upgrade notes to be published with the 18.7 images on July 31. All 18.7-RC users will be able to upgrade right away. After a number of hours we will enable the upgrade path with a small hotfix to 18.1.13. This process may take up to 24 hours so please do not be alarmed about delays.

Here are the full patch notes:

o system: restart syslog when interface bind addresses may have changed
o system: remove unused action_disable setting in gateway monitoring
o firmware: new mirror Dataroute (Dusseldorf, DE)
o ntp: typo in SiRF selection
o openvpn: translate validated field names
o rc: unset rcvar before evaluation (contributed by Nicholas de Jong)
o installer: give basic tip that GUI IP can be set in console after install (contributed by stilez)
o plugins: os-theme-cicada 1.2 (contributed by Team Rebellion)
o plugins: os-theme-rebellion 1.2 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.1 (contributed by Team Rebellion)
o ports: suricata 4.0.5[1]

Stay safe,
Your OPNsense team

--
[1] https://suricata-ids.org/2018/07/18/suricata-4-0-5-available/

Pages: [1] 2 3 ... 14