Topics

1

Announcements / OPNsense 23.1.9 released

« on: May 31, 2023, 02:56:58 pm »

Hey,

A small update to improve stability with multiple delegated prefixes from
DHCPv6 connectivity as well as proper "no binding" handling in the DHCPv6
client itself.  Internally, the backend service has been refactored to allow
for future additions, but no visible functionality changes have been done.

Still pretty happy with the IPsec connections MVC pages introduced in 23.1 so
we would like to apply the same approach to OpenVPN for 23.7 and it is going
to land in the next development version most likely for a sneak preview.

Here are the full patch notes:

o system: fix MFC service page with ID-based reload like OpenVPN
o system: fix issue with route add command for far gateway static route (contributed by Daniel Mason)
o system: improve static routes error handling
o system: fix a typo and align "attribute" use in gateway edit page
o system: pluginctl: service mode can now batch-reload services when existing ID is omitted
o firewall: simplify rule edit layout slightly and fix unused element ID
o dhcp: remove ::/64 magic as it uses AdvRouterAddr yes
o interfaces: deal with RENEW and REBIND only reporting partial PDINFO
o ipsec: support the default selector ([dynamic]) when local_ts or remote_ts are left empty in connections
o backend: improved nested command support, reorganise action types, use ActionFactory to offer the requested type
o backend: add "getUtcTime" template helper function
o ports: curl 8.1.1[1]
o ports: dhcp6c 20230530
o ports: lighttpd 1.4.71[2]
o ports: openssh 9.3p1[3]
o ports: sqlite 3.42.0[4]
o ports: syslog-ng 4.2.0[5]


Stay Safe,
Your OPNsense team

--
[1] https://curl.se/changes.html#8_1_1
[2] https://www.lighttpd.net/2023/5/27/1.4.71/
[3] https://www.openssh.com/txt/release-9.3
[4] https://sqlite.org/releaselog/3_42_0.html
[5] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.2.0

2

Announcements / OPNsense 23.1.8 released

« on: May 25, 2023, 02:46:12 pm »

Hi there,

This update improves IPv6 connectivity, extends module support for the axgbe
network driver and fixes a panic with IPv6 refragmentation over policy-based
routes amongst others.

We are currently testing FreeBSD 13.2 for the upcoming OPNsense 23.7 and it
looks promising.  Watch out for roadmap updates over the next few weeks as
more MVC page conversions are being carried out.

Here are the full patch notes:

o system: calling return_down_gateways() depends on default gateway switch setting
o system: open new session if missing to prevent spurious CRSF errors in static pages
o system: add device hint to empty interface address message in case of mismatch during default route attempt
o system: add kernel messages to the general system log
o system: make sure routing log messages all use "ROUTING:" prefix
o system: print warning for duplicated gateway name
o system: prefix API key filename with FQDN of this host
o interfaces: deal with "prefixv6" as an array
o interfaces: improve address cleanup when handling VIP modifications
o interfaces: explicitly report current IP address during renewal avoidance
o interfaces: patch in appropriate rebind/renew DHCPv6 handling
o interfaces: for static "Use IPv4 connectivity" on PPPoE bring up IPv6 routes as well
o interfaces: ifctl: fix typo causing content to be printed while adding it
o interfaces: ifctl: avoid null route on fragile /64 prefix delegation
o interfaces: ifctl: do not flush name server routes
o firewall: add "set debug" and "set keepcounters" options to advanced options
o dhcp: provide run task "static_mapping" to avoid polluting unrelated plugins
o dnsmasq: use new run task "static_mapping" to collect static mappings from DHCP
o firmware: show support tiers in plugin list
o firmware: now that we have a full data model do not overdo cleanup during plugin registration
o intrusion detection: minor performance improvements when parsing metadata from rules
o openvpn: fix a warning by passing a desirable empty input containing a slash
o unbound: fix migration edge case in model version 1.0.3
o unbound: remove DNS blocklist start syshook causing an unnecessary download during bootup
o unbound: when called via GET during override creation encode using URLSearchParams()
o wizard: do not end up duplicating WAN_GW entry
o mvc: add CIDRToMask() to utilities
o mvc: prevent config restore when writer has flushed or partly written the file
o mvc: format BaseModel logger to avoid duplicate timestamps
o plugins: os-crowdsec 1.0.5[1]
o plugins: os-acme-client 3.17[2]
o src: axgbe: fix link issues for gigabit external SFP PHYs and 100/1000 fiber modules
o src: axgbe: apply RRC to miibus attached PHYs and add support for variable bitrate 25G SFP+ DACs
o src: axgbe: properly release resource in error case
o src: ifconfig: improve VLAN identifier parsing
o src: pfsync: hold b_mtx for callout_stop(pd_tmo)
o src: pf: remove pd_refs from pfsync
o src: pf: deal with KPI change bug on stable/13 by redirecting otherwise crashing traffic through ip6_output()
o ports: curl 8.1.0[3]
o ports: dhcp6c 20230523
o ports: lighttpd 1.4.70[4]
o ports: nss 3.89.1[5]
o ports: openvpn 2.6.4[6]
o ports: php 8.1.19[7]
o ports: suricata 6.0.12[8]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/23.1/security/crowdsec/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/23.1/security/acme-client/pkg-descr
[3] https://curl.se/changes.html#8_1_0
[4] https://www.lighttpd.net/2023/5/10/1.4.70/
[5] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_89_1.html
[6] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.4
[7] https://www.php.net/ChangeLog-8.php#8.1.19
[8] https://suricata.io/2023/05/09/suricata-6-0-12-released/

3

Announcements / OPNsense 23.1.7 released

« on: May 04, 2023, 01:58:56 pm »

Hi there,

Today we switch to OpenVPN 2.6 including deferred authentication which we
know some people have been waiting for.  The routing subsystem received a
refactor to integrate default gateway switching into the actual routing
code.

Suricata was finally updated to a newer release since the Netmap (IPS) stall
bug inside their code had been found and fixed while we were still using an
older code base that did not have the error.

Please also note that OpenVPN does no longer support the XOR feature due to
FreeBSD ports blocking these types of out-of-project contributions and OpenVPN
itself was never interested in supporting it natively.  We have been keeping
this alive since 2015, but several alternatives exist now that were not
available back then.

Here are the full patch notes:

o system: restructure routing to carry out default gateway switching and address family specific reconfig
o system: prevent PHP session garbage collection from running early (contributed by lin-xianming)
o system: finish simplifying plugins_run()
o firewall: add missing scrub rules in dependency check for alias use
o firewall: usability improvements and cleanups in scheduler pages (contributed by kuya1284)
o interfaces: ensure single PPP netgraph node has the proper name
o interfaces: reject invalid self-assignments in VLAN parent
o interfaces: migrate trace route page to MVC/API
o interfaces: migrate port probe page to MVC/API
o interfaces: remove indirection in PPP ports handling
o interfaces: exclude a few cases from PPPoEv6 negotiation
o reporting: fix incorrect interface index in NetFlow init (contributed by Nicolas Thumann)
o dhcp: restart radvd on config changes, otherwise keep SIGHUP
o dhcp: when cleaning up static leases do not remove entries where only a MAC address is set
o firmware: update size requirements for major upgrades from command line
o firmware: embed build metadata into package annotations for use in runtime remote queries
o firmware: fix execution of version queries when not possible
o firmware: revoke 22.7 fingerprint
o openvpn: fix two widget display issues
o openvpn: use CARP INIT state the same way as BACKUP state for client start/stop
o openvpn: enable deferred authentication (sponsored by m.a.x. it)
o unbound: minor improvements to handle "Dot" endpoints ambiguity
o web proxy: allow more signs for username and password (contributed by Bi0T1N)
o mvc: change Phalcon logging to omit type and date
o mvc: add strict option to NetworkField
o ui: prevent crashing out when endpoint does not return data for SimpleActionButton
o plugins: os-ddclient 1.13[1]
o plugins: os-stunnel fix for missing OpenSSL CRL functions
o plugins: os-smart fix for highlighting result (contributed by Justin Horton)
o ports: libxml 2.10.4[2]
o ports: openvpn 2.6.3[3]
o ports: sqlite 3.41.2[4]
o ports: suricata 6.0.11[5]
o ports: syslog-ng 4.1.1[6]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/23.1/dns/ddclient/pkg-descr
[2] http://www.xmlsoft.org/news.html
[3] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.3
[4] https://sqlite.org/releaselog/3_41_2.html
[5] https://suricata.io/2023/04/13/suricata-6-0-11-released/
[6] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.1.1

4

Announcements / OPNsense business edition 23.4 released

« on: April 25, 2023, 02:37:43 pm »

The OPNsense business edition transitions to this 23.4 release including
Unbound DNS statistics, PHP 8.1, assorted FreeBSD networking updates,
further MVC/API conversions, WireGuard kernel module plugin plus much more.

Please make sure to read the migration notes before upgrading.

Download link is as follows.  An installation guide[1] and the checksums for
the images can be found below as well.

https://downloads.opnsense.com/

This business release is based on the OPNsense 23.1.5 community version
with additional reliability improvements.

Here are the full patch notes:

o system: replaced log_error() use with log_msg() and adjusted logging levels accordingly
o system: introduced a service boot log
o system: simplify gateway monitoring setup code
o system: add option to skip gateway monitor host route
o system: populate /etc/hosts file with IPv6 addresses too
o system: simplify and guard host route creation
o system: merge system_staticroutes_configure() into system_routing_configure()
o system: do not yield process after calling shutdown command
o system: apply tunables during late boot in case a module was loaded depending on them to be set to a specific value
o system: show size of ZFS ARC (adaptive replacement cache) in system widget
o system: introduce support tier annotations for core and plugins[2]
o system: add cron tasks for scrubbing and trimming ZFS pools (contributed by Iain Henderson)
o system: fix 6rd/6to4 gateway interface detection (contributed by Frans J Elliott)
o system: incorrect link to CARP status page on dashboard widget
o system: replace single exec_command() with new shell_safe() wrapper
o system: fix assorted PHP 8.1 deprecation notes
o system: remove overreaching "Reconfigure a plugin facility" cron job and backend command that has no visible users
o system: use singleton boot detection everywhere
o system: protect against more stray scripts on boot
o system: several shell_safe() conversions
o system: when applying auto-far default route make sure the local address is not empty
o system: refactor system_default_route() to prevent empty $gateway
o system: create system_resolver_configure() and cron job support
o system: add simple script and configd action to list current group membership (configctl auth list groups)
o system: prevent alias reload in routing reconfiguration like we do in rc.syshook monitor reload
o system: address a number of web GUI startup problems
o system: service handling refactor, tweaks and improvements
o system: rework killbypid()/killbyname() behaviour
o system: use system_resolver_configure() everywhere
o system: timezone parsing issue for zones west of UTC using "-"
o system: migrate services page and widget to MVC/API
o system: move web GUI service definition to correct file
o system: add service_by_filter() service search extension
o system: pin down the auto-far gateway selection and routing log adjustments
o system: prevent applying tunables which are already set
o system: use data attribute to find existing rows in service widget to avoid special character issues (contributed by Alexander O'Mara)
o system: handle empty DNS server gateway (contributed by Nicolas Thumann)
o system: remove /31 subnet restriction in wizard
o reporting: add Unbound DNS statistics frontend including client drill-down
o reporting: make all status mapping colors configurable for themes in the Unbound DNS page
o reporting: simplify state collection for system-states.rrd
o reporting: translate invalid interface name characters for NetFlow/Netgraph use
o interfaces: heavy cleanup of the wireless device integration
o interfaces: use 802.1ad protocol for stacked VLAN parent (QinQ)
o interfaces: GIF and GRE now support subnet-based IPv6 configurations instead of always falling back to a point-to-point (/128) setup
o interfaces: GIF and GRE now disable IPv6 on IPv4 tunnels (contributed by Maurice Walker)
o interfaces: add isolated PPPoEv6 mode to selectively enable IPv6 CP negotiation and turn it off when no IPv6 mode is set
o interfaces: add support for SLAAC WAN interfaces without DHCPv6 (contributed by Maurice Walker)
o interfaces: register LAGG, PPP, VLAN and wireless devices as plugins
o interfaces: simplified get_real_interface() function
o interfaces: removed obsolete "defaultgw" files
o interfaces: simplified rc.linkup script
o interfaces: improve IP address cache behaviour in rc.newwanip(v6) scripts
o interfaces: converted virtual IPs to MVC/API
o interfaces: add MAC filtering to packet capture
o interfaces: convert ARP/NDP pages to server-side searchable variant
o interfaces: create null route for DHCPv6 delegated prefix
o interfaces: tighten the concept of hardware interfaces and pull supported plugin devices into assignments page automatically
o interfaces: make description field show for all types of VIP (contributed by FingerlessGloves)
o interfaces: protect against empty GIF host route
o interfaces: fix parsing of device names with a dot in packet capture
o interfaces: force newip calls through DHCP/PPP/OVPN on IPv4
o interfaces: force newip calls through DHCP/PPP on IPv6
o interfaces: fix an issue with a batch killbyname() in static ARP case
o interfaces: make sure output buffering is disabled when downloading a packet capture
o interfaces: lock gateway save button while the request is being processed
o interfaces: fix IP alias with VHID validation issue
o interfaces: allow to set PCP value on IPv4 DHCP traffic to address recent Orange FR changes
o firewall: remove deprecated "Dynamic state reset" mechanic
o firewall: invalidate port forward rule entry when no target is specified
o firewall: hide deprecated source OS rule setting under advanced
o firewall: add group option to prevent grouping in interfaces menu
o firewall: safeguard against missing name from the alias API call
o firewall: prevent possible infinite loop in alias parsing (contributed by kulikov-a)
o firewall: do not calculate local port range for alias (contributed by kulikov-a)
o firewall: update validation of alias names to be slightly more restrictive
o firewall: safeguard download_geolite() and log errors
o firewall: fix NAT dropdowns ignoring VIPs
o firewall: show all applicable floating rules when inspecting interface rules
o firewall: prevent networks from being sent to DNS resolver in update_tables.py
o firewall: fix mismatch of options in new automatic listing of floating rules in interface rules
o firewall: refactor alias update scripts
o firewall: fix progress bar default value (contributed by Nicolas Thumann)
o captive portal: enforce a database repair during operation if necessary
o captive portal: remove mod_evasion use which was discontinued by lighttpd
o dhcp: several plumbing improvements in service handling
o dhcp: add missing double quotes in hostname handling
o dnsmasq: add dns_forward_max, cache_size and local_ttl options to GUI (contributed by Dr. Uwe Meyer-Gruhl)
o dnsmasq: remove now unused host configuration and refactor
o firmware: move single-call function to reporter page
o firmware: responsiveness fix (contributed by kulikov-a)
o firmware: move settings handling to full-fledged model
o firmware: add advanced/help toggles, cancel button, subscription errors
o firmware: deal with subscription preset in factory reset
o intrusion detection: keep grid to prevent widgets being removed
o intrusion detection: reload grid after log drop (contributed by kulikov-a)
o intrusion detection: add verbose logging mode selector
o ipsec: disable charon.install_routes completely in case upstream would implement it for FreeBSD later on
o ipsec: move user PSK (pre-shared key) and static PSK items to new MVC/API implementation
o ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
o ipsec: add a new independent connections MVC/API component to manage IPsec in a layout matching swanctl.conf syntax more closely
o ipsec: rewrote lease status page in MVC/API
o ipsec: add configurable "unique" setting to phase 1
o ipsec: missing correct phase 1 to collect "Network List" option
o ipsec: missing a bracket for aggressive mode selection
o ipsec: mute a spurious boot warning
o ipsec: myid may be be optional
o ipsec: allow "@" character in eap_id fields for new connections
o ipsec: missing remapping pool UUID to name for new connections
o ipsec: change status column sizing and hide local/remote auth by default
o ipsec: fix username parsing in lease status
o ipsec: refactor widget to use new data format
o ipsec: migrate duplicated cron job
o ipsec: faulty unique constraint in pre-shared keys
o ipsec: fix eap_id placement for eap-mschapv2
o ipsec: reqid should not be provided on mobile sessions
o ipsec: validate pool names on connections page
o ipsec: add connection data to XMLRPC sync
o ipsec: "Dynamic gateway" (rightallowany) option should be translated to 0.0.0.0/0,::/0
o ipsec: "Allow any remote gateway to connect" should suffix all in order to connect to the other end
o ipsec: store proper log values in advanced settings
o ipsec: add a routing hook and execute it for all VTI devices during reconfiguration
o ipsec: replace status call with portable alternative
o monit: support start timeout setting (contributed by spoutin)
o monit: add permanent include statement for custom configuration files (contributed by codiflow)
o network time: remove "disable monitor" to get rid of log warnings (contributed by Dr. Uwe Meyer-Gruhl)
o openvpn: add unique daemon name to each instance
o openvpn: replace authentication handler to prepare for upcoming OpenVPN 2.6 with deferred authentication
o openvpn: rename -cipher option to --data-ciphers-fallback and adjust GUI accordingly
o openvpn: add ovpn_status.py script and configd action to fetch connected clients
o openvpn: reintroduce "cipher" keyword for older clients
o openvpn: fix client output for widget (contributed by kulikov-a)
o openvpn: migrate connection status page and widget to MVC/API
o openvpn: fix typo in widget missing virtual address display
o unbound: add statistics database backend
o unbound: add exact domain blocking
o unbound: simplify logger logic for required queries
o unbound: add SafeSearch option to blocklists
o unbound: match white/blocklist action exactly from reporting page
o unbound: always prioritize whitelists over blocklists
o unbound: various UX improvements in reporting page
o unbound: add serve-expired, log-servfail, log-local-actions and val-log-level advanced settings
o unbound: drop unnecessary index from reporting database and other optimizations to lower CPU usage
o unbound: add HTTPS record type to reporting
o unbound: remember reporting page logarithmic setting
o unbound: wait for pipe in logger (contributed by kulikov-a)
o unbound: fix typo in logger and create a pipe early in dnsbl_module.py (contributed by kulikov-a)
o unbound: fix type cast to prevent unnecessary updateBlocklist action
o unbound: add missing blocklist
o unbound: adhere to restart logic during hosts configure and wait for service to start
o unbound: add infra-keep-probing advanced option
o unbound: lowercase domain for case insensitive search in blocklists
o unbound: replace status call with portable alternative
o unbound: bring back missing advanced page ACL entry
o unbound: implement wildcard blocking and refactor DNSBL module
o unbound: account for CNAME redirection in DNSBL module
o unbound: prevent logging SERVFAIL twice in DNSBL module
o unbound: allow scripts to extend blocklist functionality
o unbound: translate empty values to empty strings in DNSBL module
o mvc: call plugins_interfaces() optionally on service reconfigure
o mvc: match UUID for multiple values (contributed by kulikov-a)
o mvc: convert setBase() to an upsert operation
o mvc: add TextField tests (contributed by agh1467)
o mvc: implement required getRealInterface() variant
o mvc: fix PHP warnings and dance around null/0.0.0 ambiguity in migration code
o mvc: add MaskPerItem toggle to allow regex validation per entry in CSVListField
o mvc: add strict option to NetworkField
o ui: assorted improvements in bootgrid and form controls
o ui: switch to pure JSON data in bootgrids
o ui: solve deprecation in PHP via html_safe() wrapper
o ui: add a fail() handler to disable action button spinner
o wizard: unbound hardened DNSSEC setting moved
o plugins: os-OPNBEcore 1.1
o plugins: os OPNcentral 1.0.6
o plugins: os-acme-client 3.16[3]
o plugins: os-api-backup 1.1[4]
o plugins: os-bind 1.25[5]
o plugins: os-crowdsec 1.0.2[6]
o plugins: os-ddclient 1.11[7]
o plugins: os-freeradius 1.9.22[8]
o plugins: os-frr 1.33[9]
o plugins: os-haproxy 4.1[10]
o plugins: os-openconnect 1.4.4[11]
o plugins: os-puppet-agent 1.1[12]
o plugins: os-qemu-guest-agent 1.2[13]
o plugins: os-rfc2136 1.8[14]
o plugins: os-sslh 1.0[15] (contributed by agh1467)
o plugins: os-theme-cicada 1.34 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.27 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.45 (contributed by Team Rebellion)
o plugins: os-upnp 1.5[16]
o plugins: os-wireguard switches to kernel module with a separate os-wireguard-go variant available for installation to keep the old behaviour
o src: assorted FreeBSD 13 stable fixes for e.g. bpf, bridge, bsdinstall ifconfig, iflib, ipfw, ipsec, lagg, netmap, pf, route and vlan components
o src: ipsec: clear pad bytes in PF_KEY messages
o src: fib_algo: set vnet when destroying algo instance
o src: if_ipsec: handle situations where there are no policy or SADB entry for if
o src: if_ipsec: protect against user supplying unknown address family
o src: if_me: use dedicated network privilege
o src: vxlan: add support for socket ioctls SIOC[SG]TUNFIB
o src: introduce and use the NET_EPOCH_DRAIN_CALLBACKS() macro
o src: iflib: Add null check to iflib_stop()
o src: pfctl: rule.label is a two-dimensional array
o src: pf: fix syncookies in conjunction with tcp fast port reuse
o src: pf: fix panic on deferred packets
o src: ipfw: Add missing 'va' code point name
o src: netmap: try to count packet drops in emulated mode
o src: netmap: fix a queue length check in the generic port rx path
o src: netmap: tell the compiler to avoid reloading ring indices
o src: pfsync: support deferring IPv6 packets
o src: pfsync: add missing bucket lock
o src: pfsync: ensure 'error' is always initialised
o src: pfsync: fix pfsync_undefer_state() locking
o src: pfsync: add missing unlock in pfsync_defer_tmo()
o src: epair: merged assorted fixes
o ports: curl 7.88.1[17]
o ports: dnsmasq 2.89[18]
o ports: dpinger 3.3[19]
o ports: filterlog 0.7 fixes unknown TCP option print
o ports: lighttpd 1.4.69[20]
o ports: monit 5.33.0[21]
o ports: nss 3.89[22]
o ports: openldap 2.6.4[23]
o ports: openssh 9.2p1[24]
o ports: openssl fix for CVE-2023-0464
o ports: phalcon 5.2.1[25]
o ports: php 8.1.17[26]
o ports: phpseclib 3.0.19[27]
o ports: py-vici 5.9.10
o ports: radvd fix for SIGHUP behaviour
o ports: sqlite 3.41.0[28]
o ports: squid 5.8[29]
o ports: strongswan 5.9.10[30]
o ports: sudo 1.9.13p3[31]

Migration notes, known issues and limitations:

o StrongSwan IPsec configuration now uses the preferred swanctl.conf instead of the deprecated ipsec.conf which could lead to connectivity issues in ambiguous cases.
o The new IPsec connections pages and API create an independent set of connections following the design of swanctl.conf.  Legacy tunnel settings cannot be managed from the API and are not migrated.
o Rate limiting was removed from the captive portal which was set to 250 connections by the same IP to the captive portal itself.  This can be easily replaced by a manual firewall rule with advanced options set, e.g.  "Max established" set to 250 with destination "This Firewall".


The public key for the 23.4 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4J0k7cPtunUYiR4vbRof
AiNTnkkByaWpjTeKneR/CBAaImUxpED5EnFprwM0mm4BX3Vqkf1KYQtRSawNxeXz
NiPT5Ykv0Vus0tYafBzIPsOCdUz/gtuJmtjih0uNvFSdwDRNE42MpX2RFeTm652H
fNE5Rxv23liLYdm3RNDFcM7tJEMs+zr01Lrn3McDv4OUACl3YTwFKS1BJGkBqpDI
gX1HsJMz934zNItrLxj6B2tDIR4oGrqowzW+1owT4+a8EoaimY48RAb8AUWezAZu
tQcGQ0wuZ8qy2WClYvrogsmAEUpfv1Y0YcSfpdxopOx4KyE0KEzAooRF95iFLu94
PODk1oPTr0N9qXn7XsLkpaufk+EpNecZSvbqrj3IWMyCLEBO60YuFpcFFI6SVJBC
i5OG7JVQaE8hu4CY50tMOO0M54umM8lPIOW8AuIH2PlmQWJ4tPb7j8HHnV1cM1Sf
Ha/EAJQlKEEyj4hbzSb6aKATv++qvh4jwgADsTsDtbCrtxrcBV7i+iLUM7DdxrPZ
QnLELdJPjyFxtClzi4Tf1svrF5K6NGd/nJQ1pLSkM64dKPA0iTiMMzjQMHnN8++G
UdhRzswRZ/BtB8ha1ZRRvnEHe+tcEtsXFZZSTgcR60lXlZzPY/0h+xfbgOApYlqq
MIMJsdvZkuxYrGQ5eL2nk0UCAwEAAQ==
-----END PUBLIC KEY-----


Stay safe,
Your OPNsense team

--
SHA256 (OPNsense-business-23.4-dvd-amd64.iso.bz2) = 7136d0d78e643b59bbee8866f7aa1498325bd5513af30a9ace6005aeb1638707
SHA256 (OPNsense-business-23.4-nano-amd64.img.bz2) = 84b4a5ede947aae38273c4b57ddea2122764508e5309d3e1bbb816128097ce35
SHA256 (OPNsense-business-23.4-serial-amd64.img.bz2) = 9da2a93f6ad246c2f02655a1d5468755b1af6b500ff2e1846c0506c956c8f84b
SHA256 (OPNsense-business-23.4-vga-amd64.img.bz2) = 982a47835be03787f0a8d408aff0e117a3a5bccd810aa510808c4804abab66c4

[1] https://docs.opnsense.org/manual/install.html
[2] https://docs.opnsense.org/support.html
[3] https://github.com/opnsense/plugins/blob/stable/23.1/security/acme-client/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/23.1/sysutils/api-backup/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/23.1/dns/bind/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/23.1/security/crowdsec/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/23.1/dns/ddclient/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/23.1/net/freeradius/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/23.1/net/frr/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/23.1/security/openconnect/pkg-descr
[12] https://github.com/opnsense/plugins/blob/stable/23.1/sysutils/puppet-agent/pkg-descr
[13] https://github.com/opnsense/plugins/blob/stable/23.1/emulators/qemu-guest-agent/pkg-descr
[14] https://github.com/opnsense/plugins/blob/stable/23.1/dns/rfc2136/pkg-descr
[15] https://github.com/opnsense/plugins/blob/stable/23.1/net/sslh/pkg-descr
[16] https://github.com/opnsense/plugins/blob/stable/23.1/net/upnp/pkg-descr
[17] https://curl.se/changes.html#7_88_1
[18] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[19] https://github.com/dennypage/dpinger/releases/tag/v3.3
[20] https://www.lighttpd.net/2023/2/10/1.4.69/
[21] https://mmonit.com/monit/changes/
[22] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_89.html
[23] https://www.openldap.org/software/release/changes.html
[24] https://www.openssh.com/txt/release-9.2
[25] https://github.com/phalcon/cphalcon/releases/tag/v5.2.1
[26] https://www.php.net/ChangeLog-8.php#8.1.17
[27] https://github.com/phpseclib/phpseclib/releases/tag/3.0.19
[28] https://sqlite.org/releaselog/3_41_0.html
[29] http://www.squid-cache.org/Versions/v5/squid-5.8-RELEASENOTES.html
[30] https://github.com/strongswan/strongswan/releases/tag/5.9.10
[31] https://www.sudo.ws/stable.html#1.9.13p3

5

Announcements / OPNsense 23.1.6 released

« on: April 20, 2023, 11:59:05 am »

Howdy,

Two major improvements being shipped today are standalone core DNS
support for Bind and Dnscrypt-Proxy plugins as well as OpenVPN group
firewall alias type.  The latter makes it easier to manage distinct
policies for connected VPN users.  For more details please refer to
the documentation listed below.

The other honorable mention is the netmap work we have been doing
with Zenarmor and Klara on the FreeBSD kernel side which brings
bridge device support as well as a considerable improvement to the
emulated mode where several packet stalls and mbuf leaks have been
identified and subsequently fixed.  This should have an operational
impact on Suricata (IPS mode) and Zenarmor.  The state is much better
now but please do not hesitate to contact us about issues that you
might still be having with netmap-based packet flows as the topic is
a rather complex one.

Orange FR users be aware that your ISP now requires strict VLAN PCP
on all DHCPv4 requests so please do set 'Use VLAN priority' interface
setting for both DHCPv4 and DHCPv6.  The 'Option Modifiers' override
for "vlan-pcp" in DHCPv4 can be removed and the documentation was
updated accordingly.

Here are the full patch notes:

o system: register DNS service ports for unified use across core and plugins
o system: serialize deferred requests for web GUI restart
o system: relocate API messages to backend log target as they currently end up in captive portal logs
o system: remove /31 subnet restriction in wizard
o system: use data attribute to find existing rows in service widget to avoid special character issues (contributed by Alexander O'Mara)
o system: allow non-system group delete after faulty PHP 8 warning fix (contributed by kulikov-a)
o system: handle empty DNS server gateway (contributed by Nicolas Thumann)
o reporting: translate invalid interface name characters for NetFlow/Netgraph use
o reporting: sort interfaces by description in health graphs
o interfaces: ping diagnostic tool was rewritten using MVC/API
o interfaces: allow to set PCP value on IPv4 DHCP traffic to address recent Orange FR changes
o firewall: allow to create aliases for logged-in OpenVPN users[1]
o firewall: leave out fractional seconds from timestamps in aliases
o firewall: fix progress bar default value (contributed by Nicolas Thumann)
o dhcp: fix too many addresses issue in radvd RDNSS setting
o dhcp: add missing double quotes in hostname handling
o firmware: remove flavouring support from update tools
o ipsec: pull data for dashboard widget exclusively from backend
o ipsec: move XAuth out of "IKE Extensions" block
o ipsec: add connection child as option for manual SPDs
o ipsec: another small GUI fix for basic log option in advanced settings
o openvpn: fix dashboard widget and add missing byte data to status call
o plugins: os-bind 1.26[2]
o plugins: os-crowdsec 1.0.4[3]
o plugins: os-ddclient 1.12[4]
o plugins: os-dnscrypt-proxy 1.13[5]
o plugins: os-nginx 1.32[6]
o plugins: os-upnp now allows subnet mask 0 in rules (contributed by Reiko Asakura)
o src: bridge: add support for emulated netmap mode[7]
o src: epair: also remove vlan metadata from mbufs
o src: ifconfig: fix configuring if_bridge with additional operating parameters
o src: netmap: fix queue stalls with generic interfaces[8]
o src: netmap: assorted upstream stable patches
o src: sched_ule: assorted fixes to address issues on newer AMD platforms
o ports: curl 8.0.1[9]
o ports: ifinfo now also prints interface index (contributed by Nicolas Thumann)
o ports: php 8.1.18[10]


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/aliases.html#openvpn-group
[2] https://github.com/opnsense/plugins/blob/stable/23.1/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/23.1/security/crowdsec/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/23.1/dns/ddclient/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/23.1/dns/dnscrypt-proxy/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/23.1/www/nginx/pkg-descr
[7] https://github.com/opnsense/src/commit/eebd4b140f
[8] https://github.com/opnsense/src/commit/cc92d78fa5
[9] https://curl.se/changes.html#8_0_1
[10] https://www.php.net/ChangeLog-8.php#8.1.18

6

Announcements / OPNsense 23.1.5 released

« on: March 29, 2023, 02:06:22 pm »

Hi there,

This moves MVC/API migration a bit further and fixes the radvd restart
behaviour using SIGHUP which caused issues with the initial 23.1.4.
Unbound gained wildcard domain blocking and its backend was further
refactored and improved upon.

Here are the full patch notes:

o system: timezone parsing issue for zones west of UTC using "-"
o system: migrate services page and widget to MVC/API
o system: move web GUI service definition to correct file
o system: add service_by_filter() service search extension
o system: pin down the auto-far gateway selection and routing log adjustments
o system: prevent applying tunables which are already set
o firewall: refactor alias update scripts
o dhcp: bring back the SIGHUP handling of radvd due to fix upstream
o ipsec: replace status call with portable alternative
o network time: migrate service status to PID file
o openvpn: fix client output for widget (contributed by kulikov-a)
o openvpn: migrate connection status page and widget to MVC/API
o unbound: replace status call with portable alternative
o unbound: bring back missing advanced page ACL entry
o unbound: implement wildcard blocking and refactor DNSBL module
o unbound: account for CNAME redirection in DNSBL module
o unbound: prevent logging SERVFAIL twice in DNSBL module
o unbound: allow scripts to extend blocklist functionality
o mvc: add MaskPerItem toggle to allow regex validation per entry in CSVListField
o ui: add a fail() handler to disable action button spinner
o plugins: os-frr 1.33[1]
o src: pfsync: fix pfsync_undefer_state() locking
o src: pfsync: add missing unlock in pfsync_defer_tmo()
o src: epair: merged assorted fixes
o ports: openssl fix for CVE-2023-0464
o ports: radvd fix for SIGHUP behaviour


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/23.1/net/frr/pkg-descr

7

Announcements / OPNsense 23.1.4 released

« on: March 21, 2023, 01:43:09 pm »

Good news everyone,

Another stable update to fix a StrongSwan regression and two OpenVPN
incompatibilities introduced prior.  We have also improved the service
handling code in multiple areas, fixed issues like the VIP migration
problem with IP alias on a CARP VIP and improved/simplified the firmware
settings now that cryptography flavours no longer exist.

Here are the full patch notes:

o system: address a number of web GUI startup problems
o system: service handling refactor, tweaks and improvements
o system: rework killbypid()/killbyname() behaviour
o system: use system_resolver_configure() everywhere
o reporting: simplify state collection for system-states.rrd
o interfaces: fix an issue with a batch killbyname() in static ARP case
o interfaces: make sure output buffering is disabled when downloading a packet capture
o interfaces: lock gateway save button while the request is being processed
o interfaces: fix IP alias with VHID validation issue
o dhcp: several plumbing improvements in service handling
o dnsmasq: remove now unused host configuration and refactor
o firmware: responsiveness fix (contributed by kulikov-a)
o firmware: move settings handling to full-fledged model
o firmware: add advanced/help toggles, cancel button, subscription errors
o monit: add permanent include statement for custom configuration files (contributed by codiflow)
o openvpn: add ovpn_status.py script and configd action to fetch connected clients
o openvpn: reintroduce "cipher" keyword for older clients
o openvpn: add missing static-challenge parsing for auth framework introduced in 23.1.3
o unbound: adhere to restart logic during hosts configure and wait for service to start
o unbound: add infra-keep-probing advanced option
o unbound: lowercase domain for case insensitive search in blocklists
o mvc: fix PHP warnings and dance around null/0.0.0 ambiguity in migration code
o plugins: os-api-backup 1.1[1]
o plugins: os-theme-cicada 1.34 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.27 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.45 (contributed by Team Rebellion)
o ports: curl 7.88.1[2]
o ports: nss 3.89[3]
o ports: php 8.1.17[4]
o ports: py-vici 5.9.10
o ports: squid 5.8[5]
o ports: strongswan EAP-TLS upstream fix[6]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/23.1/sysutils/api-backup/pkg-descr
[2] https://curl.se/changes.html#7_88_1
[3] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_89.html
[4] https://www.php.net/ChangeLog-8.php#8.1.17
[5] http://www.squid-cache.org/Versions/v5/squid-5.8-RELEASENOTES.html
[6] https://github.com/opnsense/core/issues/6415

8

Announcements / OPNsense 23.1.3 released

« on: March 09, 2023, 10:53:46 pm »

Hello again,

This update was not planned as such, but an Sqlite compile change in FreeBSD
ports required a clean rebuild so instead of a hotfix we are shipping this tiny
stable update.

Here are the full patch notes:

o firewall: fix mismatch of options in new automatic listing of floating rules in interface rules
o ipsec: "Allow any remote gateway to connect" should suffix all in order to connect to the other end
o ipsec: store proper log values in advanced settings
o ipsec: add a routing hook and execute it for all VTI devices during reconfiguration
o ports: phpseclib 3.0.19[1]
o ports: sqlite backs out disabling DQS option which broke software on multiple ends
o ports: sudo 1.9.13p3[2]


Stay safe,
Your OPNsense team

--
[1] https://github.com/phpseclib/phpseclib/releases/tag/3.0.19
[2] https://www.sudo.ws/stable.html#1.9.13p3

9

Announcements / OPNsense 23.1.2 released

« on: March 07, 2023, 04:19:44 pm »

Hello,

This is mainly a reliability update with fixes in assorted subsystems.
Of note is the OpenVPN authentication framework rewrite in order to take
advantage of the upcoming OpenVPN 2.6 deferred authentication feature and
the fix for DHCP renew behaviour that was reported on 23.1.

The roadmap for 23.7 was published, but at this point mainly consists of
MVC/API porting efforts for existing static pages.  While the rewrite is
not strictly necessary from a user perspective it will move us a lot closer
to our mission goal to introduce privilege separation and to provide an API
for all components.

Here are the full patch notes:

o system: use singleton boot detection everywhere
o system: protect against more stray scripts on boot
o system: several shell_safe() conversions
o system: when applying auto-far default route make sure the local address is not empty
o system: refactor system_default_route() to prevent empty $gateway
o system: create system_resolver_configure() and cron job support
o system: add simple script and configd action to list current group membership (configctl auth list groups)
o system: prevent alias reload in routing reconfiguration like we do in rc.syshook monitor reload
o interfaces: protect against empty GIF host route
o interfaces: fix parsing of device names with a dot in packet capture
o interfaces: force newip calls through DHCP/PPP/OVPN on IPv4
o interfaces: force newip calls through DHCP/PPP on IPv6
o firewall: fix NAT dropdowns ignoring VIPs
o firewall: fix validation of alias names such as "A_BC"
o fIrewall: show all applicable floating rules when inspecting interface rules
o firewall: prevent networks from being sent to DNS resolver in update_tables.py
o reporting: make all status mapping colors configurable for themes in the Unbound DNS page
o dnsmasq: add dns_forward_max, cache_size and local_ttl options to GUI (contributed by Dr. Uwe Meyer-Gruhl)
o firmware: remove retired LibreSSL flavour handling and annotations
o ipsec: reqid should not be provided on mobile sessions
o ipsec: validate pool names on connections page
o ipsec: allow "@" character in all other eap_id fields for new connections
o ipsec: add connection data to XMLRPC sync
o ipsec: "Dynamic gateway" (rightallowany) option should be translated to 0.0.0.0/0,::/0
o network time: remove "disable monitor" to get rid of log warnings (contributed by Dr. Uwe Meyer-Gruhl)
o openvpn: replace authentication handler to prepare for upcoming OpenVPN 2.6 with deferred authentication
o openvpn: rename -cipher option to --data-ciphers-fallback and adjust GUI accordingly
o unbound: fix typo in logger and create a pipe early in dnsbl_module.py (contributed by kulikov-a)
o unbound: fix type cast to prevent unnecessary updateBlocklist action
o unbound: add missing blocklist
o ui: solve deprecation in PHP via html_safe() wrapper
o wizard: unbound hardened DNSSEC setting moved
o plugins: os-acme-client 3.16[1]
o plugins: os-crowdsec 1.0.2[2]
o plugins: os-rfc2136 1.8[3]
o plugins: os-theme-cicada 1.33 (contributed by Team Rebellion)
o plugins: os-theme-tucan 1.26 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.44 (contributed by Team Rebellion)
o src: fix multiple OpenSSL vulnerabilities[4]
o src: pfsync: support deferring IPv6 packets
o src: pfsync: add missing bucket lock
o src: pfsync: ensure 'error' is always initialised
o ports: filterlog 0.7 fixes unknown TCP option print
o ports: lighttpd 1.4.69[5]
o ports: monit 5.33.0[6]
o ports: nss 3.88.1[7]
o ports: openldap 2.6.4[8]
o ports: openssh 9.2p1[9]
o ports: php 8.1.16[10]
o ports: phalcon 5.2.1[11]
o ports: sqlite 3.41.0[12]
o ports: strongswan 5.9.10[13]
o ports: sudo 1.9.13p2[14]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/23.1/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/23.1/security/crowdsec/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/23.1/dns/rfc2136/pkg-descr
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-23:03.openssl.asc
[5] https://www.lighttpd.net/2023/2/10/1.4.69/
[6] https://mmonit.com/monit/changes/
[7] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_88_1.html
[8] https://www.openldap.org/software/release/changes.html
[9] https://www.openssh.com/txt/release-9.2
[10] https://www.php.net/ChangeLog-8.php#8.1.16
[11] https://github.com/phalcon/cphalcon/releases/tag/v5.2.1
[12] https://sqlite.org/releaselog/3_41_0.html
[13] https://github.com/strongswan/strongswan/releases/tag/5.9.10
[14] https://www.sudo.ws/stable.html#1.9.13p2

10

Announcements / OPNsense business edition 22.10.2 released

« on: February 20, 2023, 03:57:13 pm »

This business release is based on the OPNsense 22.7.11 community version
with additional reliability improvements.

Here are the full patch notes:

o interfaces: fix VLAN missing a config lock on delete
o firewall: do not switch gateway on bootup
o intrusion detection: properly reset metadata response when no metadata is found
o unbound: missing global so that cache is never flushed when requested
o mvc: cleanse $record input in searchRecordsetBase() before usage
o src: fix multiple OpenSSL vulnerabilities[1]
o src: geli: split the initalization of HMAC[2]
o src: fix ena driver crash after reset in 7th gen AWS instance types[3]
o src: fix sdhci broken write-protect settings[4]
o src: import tzdata 2022g[5]
o src: x86: ignore stepping for APL30 errata
o ports: openssl 1.1.1t[6]


Stay safe,
Your OPNsense team

--
[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-23:03.openssl.asc
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-23:01.geli.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-23:03.ena.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-23:02.sdhci.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-23:01.tzdata.asc
[6] https://www.openssl.org/news/openssl-1.1.1-notes.html

11

Announcements / OPNsense 23.1.1 released

« on: February 15, 2023, 12:41:57 pm »

Hello,

Apart from security updates for operating system and third party software
this mainly fixes issues with the initial 23.1 release.  IPsec and Unbound
components in particular receive a number of improvements being the more
prominent areas of work for this series.  Unbound also gained a SafeSearch
option and the new reporting database CPU usage should be much lower and
easier to use.

Overall we are happy with how the major release turned out and look forward
to further fixes in e.g. Netmap framework including Suricata changes for
multi-threading support which has been in the works for a long time.  OpenVPN
2.6 update and related changes are also pending at the moment.

The roadmap for 23.7 will be published soon and will again include a number
of MVC/API conversions for static components.  Statistics do indicate that we
are over 60% done with converting the code base to a modern framework as
compared to early 2015 which is now already over 8 years ago!

Here are the full patch notes:

o system: replace single exec_command() with new shell_safe() wrapper
o system: fix assorted PHP 8.2 deprecation notes
o system: remove overreaching "Reconfigure a plugin facility" cron job and backend command that has no visible users
o interfaces: fix VLAN rename after protocol addition in 23.1
o interfaces: fix VLAN missing a config lock on delete
o interfaces: make description field show for all types of VIP (contributed by FingerlessGloves)
o interfaces: allow VHID reuse as it was before 23.1
o firewall: prevent possible infinite loop in alias parsing (contributed by kulikov-a)
o firewall: do not calculate local port range for alias (contributed by kulikov-a)
o firewall: update validation of alias names to be slightly more restrictive
o firewall: safeguard download_geolite() and log errors
o firewall: do not switch gateway on bootup
o captive portal: enforce a database repair during operation if necessary
o firmware: move single-call function reporter page
o intrusion detection: properly reset metadata response when no metadata is found
o ipsec: allow "@" character in eap_id fields for new connections
o ipsec: missing remapping pool UUID to name for new connections
o ipsec: change status column sizing and hide local/remote auth by default
o ipsec: fix username parsing in lease status
o ipsec: refactor widget to use new data format
o ipsec: migrate duplicated cron job
o ipsec: faulty unique constraint in pre-shared keys
o ipsec: fix eap_id placement for eap-mschapv2
o unbound: simplify logger logic for required queries
o unbound: add SafeSearch option to blocklists
o unbound: match white/blocklist action exactly from reporting page
o unbound: always prioritize whitelists over blocklists
o unbound: various UX improvements in reporting page
o unbound: add serve-expired, log-servfail, log-local-actions and val-log-level advanced settings
o unbound: drop unnecessary index from reporting database and other optimizations to lower CPU usage
o unbound: add HTTPS record type to reporting
o unbound: remember reporting page logarithmic setting
o unbound: missing global so that cache is never flushed when requested
o mvc: cleanse $record input in searchRecordsetBase() before usage
o plugins: os-haproxy 4.1[1]
o plugins: os-openconnect 1.4.4[2]
o plugins: os-qemu-guest-agent 1.2[3]
o plugins: os-tayga fixes MVC interface registration
o plugins: os-wireguard fixes MVC interface registration
o src: geli: split the initalization of HMAC[4]
o src: fix ena driver crash after reset in 7th gen AWS instance types[5]
o src: fix sdhci broken write-protect settings[6]
o src: import tzdata 2022g[7]
o src: ipsec: clear pad bytes in PF_KEY messages
o src: fib_algo: set vnet when destroying algo instance
o src: if_ipsec: handle situations where there are no policy or SADB entry for if
o src: if_ipsec: protect against user supplying unknown address family
o src: if_me: use dedicated network privilege
o src: vxlan: add support for socket ioctls SIOC[SG]TUNFIB
o src: introduce and use the NET_EPOCH_DRAIN_CALLBACKS() macro
o src: iflib: Add null check to iflib_stop()
o src: x86: ignore stepping for APL30 errata
o src: pfctl: rule.label is a two-dimensional array
o src: pf: fix syncookies in conjunction with tcp fast port reuse
o src: pf: fix panic on deferred packets
o src: ipfw: Add missing 'va' code point name
o src: netmap: try to count packet drops in emulated mode
o src: netmap: fix a queue length check in the generic port rx path
o src: netmap: tell the compiler to avoid reloading ring indices
o ports: remove GnuTLS workarounds from ports previously required for LibreSSL
o ports: dnsmasq 2.89[8]
o ports: dpinger 3.3[9]
o ports: lighttpd 1.4.68[10]
o ports: openssh-portable 9.1p1[11]
o ports: openssl 1.1.1t[12]
o ports: php 8.1.15[13]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/23.1/security/openconnect/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/23.1/emulators/qemu-guest-agent/pkg-descr
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-23:01.geli.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-23:03.ena.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-23:02.sdhci.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-EN-23:01.tzdata.asc
[8] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[9] https://github.com/dennypage/dpinger/releases/tag/v3.3
[10] https://www.lighttpd.net/2023/1/3/1.4.68/
[11] https://www.openssh.com/txt/release-9.1
[12] https://www.openssl.org/news/openssl-1.1.1-notes.html
[13] https://www.php.net/ChangeLog-8.php#8.1.15

12

Announcements / OPNsense business edition 22.10.1 released

« on: February 01, 2023, 04:43:48 pm »

This business release is based on the OPNsense 22.7.11 community version
with additional reliability improvements.

Here are the full patch notes:

o system: fix getOID() call for phpseclib 3 while processing CSR
o system: avoid error on installer user creation
o system: show booting banner on dashboard
o system: add statistics tree view containing vmstat memory characteristics
o system: explicitly reopen main log file in case another log file was used and closed
o system: tweak log_msg() to prepare log level adjustments migration away from log_error()
o system: enforce config reload to fetch group membership in authentication tester
o system: separate interface type icon from name column in interface widget
o system: change system log default to "Notice"
o system: UX tweaks on activity page
o system: revised backend daemon startup delay
o system: drop empty plugins_run() result
o system: fix internal CRL check (contributed by kulikov-a)
o system: add group (class) sync and user creation for RADIUS authentication
o system: show and search ACL endpoints in privilege selector
o system: replace a number of log_error() calls with log_msg() equivalent
o system: improve SSH lockout behaviour
o system: fix a few minor Coverity Scan reports in PHP and Python[1]
o interfaces: show attached interface for VLAN device in overview
o interfaces: packet capture MVC/API replacement
o interfaces: fix ARP table name resolve backend issue (contributed by soif)
o interfaces: migrate main clearing of interface data to ifctl
o interfaces: fix display of special HTML characters in packet capture
o interfaces: retain existing PPP settings on saving interface settings
o interfaces: delete the correct lock of PPP device
o interfaces: fix variable use in interface_proxyarp_configure()
o interfaces: use get_interface_list() to identify hardware devices
o interfaces: fix single ACL use for MVC/API interface pages
o firewall: off-by-one in regex for target port range parse
o firewall: support Maxmind unclassified "EU" as selectable country
o firewall: fix possible race condition when changing limit in live log
o firewall: fix sorting bug in aliases list
o firewall: allow the use of "dynamic" interface types in shaper, e.g. IPsec devices
o firewall: wrap user rule registration in new function filter_core_rules_user()
o firewall: simplify rule lookup by using filter_core_rules_user()
o firewall: allow external dynamic address in NPT
o firewall: remove extended VIP expansion from NAT rules
o firewall: fix live view hostname lookup may result in HTTP 431 error
o firewall: add category selection to aliases
o firewall: sates page performance improvements and better address parsing in search
o firewall: reuse "hostid" on filter reload events
o firewall: show automated "port 0" rule as actual port "0" on PHP 8
o reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics
o reporting: bail DNS resolve in traffic graphs when resolver is not configured
o captive portal: for static MAC assignments make sure that the IP address actually changed before updating it
o dnsmasq: remove expired root trust anchor (contributed by Johnny S. Lee)
o firmware: always fetch the signature file to avoid signature issues after upgrades
o firmware: use effective ABI in changelog fetch
o firmware: ignore automatic business plugin and license hint
o ipsec: missing return in controller
o ipsec: remove side effect host route removal from Phase 1 page
o ipsec: allow to search all phase 2 entries via API call
o ipsec: default log should be set to "basic" but PHP 8 disagreed
o openvpn: use ifctl in link up/down scripts
o openvpn: remove unused "pool_enable" attribute
o unbound: move the removal of pluggable files above the configuration check
o unbound: remove 127/8 from private-address block when rebind protection is enabled
o unbound: make the default private-address items configurable via the advanced page
o unbound: fix possible error while opening DoT page
o unbound: do not stop on potential errors in start script
o unbound: rework DNSBL implementation to Python module
o unbound: fix blocklist use with DNS64 mode (contributed by kulikov-a)
o unbound: change working directory before checking configuration
o unbound: introduce blocklist module changes for upcoming 23.1
o unbound: fix log message blocklist item count (contributed by kulikov-a)
o unbound: also change working dir for unbound-checkconf in start script (contributed by kulikov-a)
o unbound: fix missing query_reply property leading to an AttributeError
o unbound: safeguard retrieval of blocklist shortcode
o web proxy: fix broken "Google GSuite restricted" option
o backend: wait 1 second for configd socket to become available
o backend: clean up scripts/systemheath location
o backend: moved log format definitions to new location for core and several plugins
o mvc: when multiple validation messages are returned wrap each message in a div tag
o mvc: translate a base field error
o mvc: change default sorting to case-insensitive
o mvc: move JavaScript and CSS imports to base controller
o mvc: make sure HostnameField with ZoneRootAllowed accepts "@." prefix
o mvc: fix IntegerField minimum value (contributed by xbb)
o rc: remove obsolete NAME_var_script and NAME_var_mfs support
o ui: unicode content for tokenizer (contributed by kulikov-a)
o plugins: migrate all plugins to NAME_setup script use
o plugins: $verbose argument in plugins_run() is spurious
o plugins: os-acme-client 3.15[2]
o plugins: os-apcupsd 1.1[3]
o plugins: os-clamav 1.8[4]
o plugins: os-ddclient IPv6 parsing fix[5]
o plugins: os-freeradius is no longer available for LibreSSL to allow updates of FreeRADIUS software
o plugins: os-frr 1.31[6]
o plugins: os-haproxy 3.12[7]
o plugins: os-maltrail 1.10[8]
o plugins: os-nginx 1.31[9]
o plugins: os-openconnect 1.4.3[10]
o plugins: os-rfc2136 1.7 fixes key format issue with latest bind-tools update
o plugins: os-stunnel fixes missing include in certificate script
o plugins: os-telegraf 1.12.7[11]
o plugins: os-theme-cicada 1.31 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.43 (contributed by Team Rebellion)
o plugins: os-tor 1.9 enables hardware acceleration (contributed by haarp)
o plugins: os-wireguard 1.13[12]
o ports: curl 7.87.0[13]
o ports: dnsmasq 2.88[14]
o ports: expat 2.5.0[15]
o ports: krb5 1.20.1[16]
o ports: libxml 2.10.3[17]
o ports: nss 3.87[18]
o ports: openssl 1.1.1s[19]
o ports: openvpn 2.5.8[20]
o ports: pcre 10.42[21]
o ports: phalcon 5.1.4[22]
o ports: php 8.0.27[23]
o ports: phpseclib 3.0.18[24]
o ports: python 3.9.16[25]
o ports: sqlite 3.40.1[26]
o ports: strongswan 5.9.9[27]
o ports: suricata 6.0.9[28]
o ports: unbound 1.17.1[29]


Stay safe,
Your OPNsense team

--
[1] https://scan.coverity.com/projects/opnsense-core
[2] https://github.com/opnsense/plugins/blob/stable/22.7/security/acme-client/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/22.7/sysutils/apcupsd/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/22.7/security/clamav/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/22.7/dns/ddclient/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/22.7/net/frr/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/22.7/net/haproxy/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/22.7/security/maltrail/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/22.7/www/nginx/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/22.7/security/openconnect/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/22.7/net-mgmt/telegraf/pkg-descr
[12] https://github.com/opnsense/plugins/blob/stable/22.7/net/wireguard/pkg-descr
[13] https://curl.se/changes.html#7_87_0
[14] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[15] https://github.com/libexpat/libexpat/blob/R_2_5_0/expat/Changes
[16] https://web.mit.edu/kerberos/krb5-1.20/
[17] http://www.xmlsoft.org/news.html
[18] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html
[19] https://www.openssl.org/news/openssl-1.1.1-notes.html
[20] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.8
[21] https://www.pcre.org/changelog.txt
[22] https://github.com/phalcon/cphalcon/releases/tag/v5.1.4
[23] https://www.php.net/ChangeLog-8.php#8.0.27
[24] https://github.com/phpseclib/phpseclib/releases/tag/3.0.18
[25] https://docs.python.org/release/3.9.16/whatsnew/changelog.html
[26] https://sqlite.org/releaselog/3_40_1.html
[27] https://github.com/strongswan/strongswan/releases/tag/5.9.9
[28] https://suricata.io/2022/11/29/suricata-6-0-9-released/
[29] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1

13

23.1 Production Series / [CALL FOR TESTING] Netmap generic mode queue stall fixes

« on: January 27, 2023, 11:38:45 am »

Hi!

Zenarmor and OPNsense have been working with Klara to bring netmap improvements to FreeBSD, some of which have already landed in the development branch for upcoming FreeBSD 14.

One of the goals in the project was to find and remove bugs from netmap. One of those bugs has been network traffic becoming unresponsive on generic mode, which means the driver itself doesn't support netmap, but can be made to interact with netmap wrapping around it...

It's easy to spot these on your system, e.g.:

# dmesg | grep generic_netmap_register
442.167865 [ 320] generic_netmap_register   Emulated adapter for gif1 activated

If you see log messages here then you might be affected and perhaps saw the behaviour before: suricata/zenarmor needs to be restarted in order to continue packet flow.

The change in question is: https://github.com/opnsense/src/commit/0c47d02eefec

And the kernel can be installed on 23.1 easily:

# opnsense-update -zkr 23.1.2-netmap
# opnsense-shell reboot

We would hope some of you could try this one out and see if problems disappear (or perhaps cause another dropout as we've solved internally already with an earlier version of the patch).

The patch does have implications on reliability in generic mode (which was always and will always be less reliable than native netmap mode), but we will explain these at a later time.


Cheers,
Franco

14

Announcements / OPNsense 23.1 released

« on: January 26, 2023, 02:03:55 pm »

Hi there,

For more than 8 years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.

23.1, nicknamed "Quintessential Quail", features Unbound DNS statistics with
a blocklist rewrite in Python, improved WAN SLAAC operability, firewall
alias BGP ASN type support, PHP 8.1, assorted FreeBSD networking updates,
MVC/API pages for packet capture/virtual IPs/IPsec connection management,
IPsec configuration file migration to swanctl.conf, new sslh plugin, ddclient
custom backend support (including Azure), WireGuard kernel module plugin
variant as the new default plus much more.

Download links, an installation guide[1] and the checksums for the images
can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/23.1/
o US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.1/
o South America: http://mirror.ueb.edu.ec/opnsense/releases/23.1/
o East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.1/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 22.7.11:

o system: replaced log_error() use with log_msg() and adjusted logging levels accordingly
o system: introduced a service boot log
o system: the LibreSSL flavour has been discontinued
o system: simplify gateway monitoring setup code
o system: add option to skip gateway monitor host route
o system: populate /etc/hosts file with IPv6 addresses too
o system: simplify and guard host route creation
o system: merge system_staticroutes_configure() into system_routing_configure()
o system: do not yield process after calling shutdown command
o system: apply tunables during late boot in case a module was loaded depending on them to be set to a specific value
o system: show size of ZFS ARC (adaptive replacement cache) in system widget
o system: introduce support tier annotations for core and plugins[2]
o system: add cron tasks for scrubbing and trimming ZFS pools (contributed by Iain Henderson)
o system: fix 6rd/6to4 gateway interface detection (contributed by Frans J Elliott)
o reporting: add Unbound DNS statistics frontend including client drill-down
o interfaces: heavy cleanup of the wireless device integration
o interfaces: use 802.1ad protocol for stacked VLAN parent (QinQ)
o interfaces: GIF and GRE now support subnet-based IPv6 configurations instead of always falling back to a point-to-point (/128) setup
o interfaces: GIF and GRE now disable IPv6 on IPv4 tunnels (contributed by Maurice Walker)
o interfaces: add isolated PPPoEv6 mode to selectively enable IPv6 CP negotiation and turn it off when no IPv6 mode is set
o interfaces: add support for SLAAC WAN interfaces without DHCPv6 (contributed by Maurice Walker)
o interfaces: register LAGG, PPP, VLAN and wireless devices as plugins
o interfaces: simplified get_real_interface() function
o interfaces: removed obsolete "defaultgw" files
o interfaces: simplified rc.linkup script
o interfaces: improve IP address cache behaviour in rc.newwanip(v6) scripts
o interfaces: converted virtual IPs to MVC/API
o interfaces: add MAC filtering to packet capture
o interfaces: convert ARP/NDP pages to server-side searchable variant
o interfaces: create null route for DHCPv6 delegated prefix
o interfaces: tighten the concept of hardware interfaces and pull supported plugin devices into assignments page automatically
o firewall: remove deprecated "Dynamic state reset" mechanic
o firewall: invalidate port forward rule entry when no target is specified
o firewall: hide deprecated source OS rule setting under advanced
o firewall: add group option to prevent grouping in interfaces menu
o firewall: safeguard against missing name from the alias API call
o intrusion detection: keep grid to prevent widgets being removed
o intrusion detection: reload grid after log drop (contributed by kulikov-a)
o intrusion detection: add verbose logging mode selector
o ipsec: disable charon.install_routes completely in case upstream would implement it for FreeBSD later on
o ipsec: move user PSK (pre-shared key) and static PSK items to new MVC/API implementation
o ipsec: migrate existing configuration from ipsec.conf to swanctl.conf
o ipsec: add a new independent connections MVC/API component to manage IPsec in a layout matching swanctl.conf syntax more closely
o ipsec: rewrote lease status page in MVC/API
o ipsec: add configurable "unique" setting to phase 1
o ipsec: missing correct phase 1 to collect "Network List" option
o monit: support start timeout setting (contributed by spoutin)
o openvpn: add unique daemon name to each instance
o unbound: add statistics database backend
o unbound: add exact domain blocking
o mvc: call plugins_interfaces() optionally on service reconfigure
o mvc: match UUID for multiple values (contributed by kulikov-a)
o mvc: convert setBase() to an upsert operation
o mvc: change default sorting to case-insensitive
o mvc: add TextField tests (contributed by agh1467)
o mvc: implement required getRealInterface() variant
o ui: assorted improvements in bootgrid and form controls
o ui: switch to pure JSON data in bootgrids
o plugins: os-bind 1.25[3]
o plugins: os-ddclient 1.11[4]
o plugins: os-dyndns end of life note moves to 23.7
o plugins: os-freeradius 1.9.22[5]
o plugins: os-frr 1.32[6]
o plugins: os-haproxy 4.0[7]
o plugins: os-puppet-agent 1.1[8]
o plugins: os-sslh 1.0[9] (contributed by agh1467)
o plugins: os-theme-cicada 1.32 (contributed by Team Rebellion)
o plugins: os-upnp 1.5[10]
o plugins: os-wireguard switches to kernel module with a separate os-wireguard-go variant available for installation to keep the old behaviour
o src: assorted FreeBSD 13 stable fixes for e.g. bpf, bridge, bsdinstall ifconfig, iflib, ipfw, ipsec, lagg, netmap, pf, route and vlan components
o ports: php 8.1.14[11]
o ports: sudo 1.9.12p2[12]

Migration notes, known issues and limitations:

o LibreSSL flavour has been discontinued.  Switch to OpenSSL flavour to proceed with the upgrade.
o StrongSwan IPsec configuration now uses the preferred swanctl.conf instead of the deprecated ipsec.conf which could lead to connectivity issues in ambiguous cases.  Subtle bugs cannot be ruled out as well so please raise an issue on GitHub to be able to investigate each case.
o The new IPsec connections pages and API create an independent set of connections following the design of swanctl.conf.  Legacy tunnel settings cannot be managed from the API and are not migrated.

The public key for the 23.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4J0k7cPtunUYiR4vbRof
AiNTnkkByaWpjTeKneR/CBAaImUxpED5EnFprwM0mm4BX3Vqkf1KYQtRSawNxeXz
NiPT5Ykv0Vus0tYafBzIPsOCdUz/gtuJmtjih0uNvFSdwDRNE42MpX2RFeTm652H
fNE5Rxv23liLYdm3RNDFcM7tJEMs+zr01Lrn3McDv4OUACl3YTwFKS1BJGkBqpDI
gX1HsJMz934zNItrLxj6B2tDIR4oGrqowzW+1owT4+a8EoaimY48RAb8AUWezAZu
tQcGQ0wuZ8qy2WClYvrogsmAEUpfv1Y0YcSfpdxopOx4KyE0KEzAooRF95iFLu94
PODk1oPTr0N9qXn7XsLkpaufk+EpNecZSvbqrj3IWMyCLEBO60YuFpcFFI6SVJBC
i5OG7JVQaE8hu4CY50tMOO0M54umM8lPIOW8AuIH2PlmQWJ4tPb7j8HHnV1cM1Sf
Ha/EAJQlKEEyj4hbzSb6aKATv++qvh4jwgADsTsDtbCrtxrcBV7i+iLUM7DdxrPZ
QnLELdJPjyFxtClzi4Tf1svrF5K6NGd/nJQ1pLSkM64dKPA0iTiMMzjQMHnN8++G
UdhRzswRZ/BtB8ha1ZRRvnEHe+tcEtsXFZZSTgcR60lXlZzPY/0h+xfbgOApYlqq
MIMJsdvZkuxYrGQ5eL2nk0UCAwEAAQ==
-----END PUBLIC KEY-----


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://docs.opnsense.org/support.html
[3] https://github.com/opnsense/plugins/blob/stable/23.1/dns/bind/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/23.1/dns/ddclient/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/23.1/net/freeradius/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/23.1/net/frr/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/23.1/sysutils/puppet-agent/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/23.1/net/sslh/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/23.1/net/upnp/pkg-descr
[11] https://www.php.net/ChangeLog-8.php#8.1.14
[12] https://www.sudo.ws/stable.html#1.9.12p2

SHA256 (OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2) = f25c10113ef1ea13c031fc6102f8e6caf73a7296b12bcc287670026cab29c7c7
SHA256 (OPNsense-23.1-OpenSSL-nano-amd64.img.bz2) = 74ec824288adde409074f6855cb0110b860d0b28c33fbd6a30f12473a5e97d54
SHA256 (OPNsense-23.1-OpenSSL-serial-amd64.img.bz2) = 2b0ea23de4d09eed952f074e561d55b06b5d323bf9d68a2eae34c3118c304318
SHA256 (OPNsense-23.1-OpenSSL-vga-amd64.img.bz2) = 13b9f31651aa165862965566238eaecf66563a3b037fb7f8912a6d0440170bdb

15

Announcements / OPNsense 23.1-RC2 released

« on: January 19, 2023, 12:27:58 pm »

Hi!

Only a small number of fixes and the usual third party updates.

Still on track for January 26.  See you then...

Here are the full patch notes:

o system: introduce support tier annotations for core and plugins
o system: add cron tasks for scrubbing and trimming ZFS pools (contributed by Iain Henderson)
o system: fix 6rd/6to4 gateway interface detection (contributed by Frans J Elliott)
o interfaces: further simplify get_real_interface()
o interfaces: correct PPPoEv6 device lookup
o reporting: add Unbound DNS drill-down for client graph
o mvc: implement required getRealInterface() variant
o plugins: os-haproxy 4.0[1]
o ports: curl 7.87.0[2]
o ports: nss 3.87[3]
o ports: pcre 10.42[4]
o ports: phalcon 5.1.4[5]
o ports: php 8.1.14[6]
o ports: strongswan 5.9.9[7]
o ports: unbound 1.17.1[8]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr
[2] https://curl.se/changes.html#7_87_0
[3] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html
[4] https://www.pcre.org/changelog.txt
[5] https://github.com/phalcon/cphalcon/releases/tag/v5.1.4
[6] https://www.php.net/ChangeLog-8.php#8.1.14
[7] https://github.com/strongswan/strongswan/releases/tag/5.9.9
[8] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1