Topics - AdSchellevis

#1
Announcements / OPNsense 19.7-RC1 released
July 09, 2019, 10:35:11 AM
Hi there,

For four and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/19.7/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.7/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.7/
o South America: http://mirror.upb.edu.co/opnsense/releases/19.7/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.7/
o Full mirror list: https://opnsense.org/download/

Here are the full changes against version 19.1.10:

o system: new remote syslog setup via Syslog-ng
o system: gateway handling rewrite
o system: dpinger ported to plugin framework
o system: bring back PHP warning log level
o system: use authentication factory for user import
o interfaces: VLAN, bridge, LAGG, GRE, GIF setup refactor
o interfaces: improve load sequence to allow DHCPv6 on bridges
o interfaces: GIF, GRE, IPsec and OpenVPN will no longer accept IP configuration
o interfaces: speed up get_real_interface() by assuming interfaces exist
o interfaces: sort interface groups and require rules apply if necessary (contributed by Robin Schneider)
o interfaces: background PPPoE connect and disconnect
o interfaces: only IP-address allowed in PPP gateway (contributed by Smart-Soft)
o interfaces: simplified linking VIPs to interfaces
o interfaces: removed interface_has_gateway()
o interfaces: removed interface_has_gatewayv6()
o interfaces: removed get_failover_interface()
o interfaces: removed rc.kill_states
o firewall: ability to view automatic rules
o firewall: rule origin locator in live log and automatic rules listing
o firewall: show statistics for all active rules including automatic ones
o firewall: optional statistics for alias tables
o firewall: fix translation of shaper mask "none" value
o firewall: add ipv6-icmp type selection
o firewall: rule listing layout update
o reporting: new NetFlow reader in Python 3
o reporting: validate that NetFlow WAN interfaces are also added to listening interfaces
o dhcp: ported to plugin framework
o dhcp: added failover split to DHCPv4 (contributed by Wolfgang Pedot)
o dhcp: fix ddnsdomainprimary setting validation
o dhcp: added advanced options for router advertisements
o dhcp: removed rasend/ranosend checkbox
o dhcp: simplify DHCPv4 interface lookup on lease page
o dhcp: use AdvDefaultLifetime 0 when default route shall not be advertised
o firmware: support reading package repository and origin
o firmware: warn on third party package installation
o firmware: synchronise update checks to avoid "not responding" errors
o firmware: fix empty update list on release type change
o installer: support password reset in opnsense-importer
o intrusion detection: allow rule action bulk changes
o intrusion detection: minor usability improvements
o intrusion detection: support eve system log output
o openvpn: removed gateway group listening support
o openvpn: no longer restart servers on CARP events
o openvpn: reduced complexity in service handling
o web proxy: replace proxy login privilege "user-proxy-auth" with group selector
o backend: ported remaining scripts to Python 3
o backend: add helpers.glob() to enable template traversal
o backend: new "monitor" hook for rc.syshook
o mvc: do not add "none" in AuthGroupField if multiple select
o mvc: allow sorting JsonKeyValueStoreField by value
o ui: remember previous selected columns and row count on several MVC pages
o ui: apply alert reminders for several MVC pages
o ui: add failed callback to saveFormToEndpoint()
o ui: core theme color update
o ui: fix file size suffix (contributed by Fabian Franz)
o ui: add useRequestHandlerOnGet option
o ui: bootstrap 3.4.1[2]
o ports: squid 4.7[3]
o ports: syslog-ng 3.21.1[4]

Known issues and limitations:

o Filterlog spamming console due to new Syslog-ng integration. Temporary workaround is stopping filterlog via "pkill filterlog".
o OpenVPN no longer supports listening on gateway groups. Use localhost paired with port forwards instead.
o The web proxy login privilege is no longer available. Access may be restricted by a group selector instead.

The public key for the 19.7 series is:


Please let us know about your experience!


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
[3] http://squid.mirror.colo-serv.net/archive/4/squid-4.0.7-RELEASENOTES.html
[4] https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.21.1

#2
19.7 Legacy Series / 19.7 development milestones
July 09, 2019, 08:53:13 AM
Hi there,

Some of the important milestones for us, which were partly shipped in 19.1.x:

o List automatic firewall rules
o Statistics for all firewall rules
o Alias JSON import / export
o Optional statistics for aliases
o Firewall live log and automatic rule locator
o Rewritten gateway handling and switching
o Remote logging via Syslog-ng
o LDAP group sync support
o Support certificate signing requests
o Route-based IPsec support (VTI)
o XMLRPC sync support for alias, VHID, widgets
o Unbound host overrides alias support
o Parent web proxy support
o Web proxy login privilege via group
o Improved reliability and utility of opnsense-patch
o Web proxy and IPsec authentication using PAM
o Dpinger and DHCP servers ported to plugin framework
o Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
o Spanish as a new language
o Netdata, WireGuard, Maltrail plugin
o Netmap update for VirtIO, VLAN child and vmxnet support
o Bootstrap 3.4
o LibreSSL 2.9
o Unbound 1.9
o PHP 7.2
o Python 3.7
o Squid 4


Questions, thoughts? Things we've missed?

Best regards,

Ad
#3
Hi All,

With the release of 16.7 we will use this forum post to keep you informed about issues that have been reported and fixes / workarounds.




[1] If IPS is not working, disable it temporarily or switch to IDS mode.
For Intel cards there's a temporary fix available; we are working on putting it into our standard release.
Please execute:

opnsense-update -khr 16.7-em

Then reboot, and after reboot enable IPS again.

[2] Some people using imported configurations experience missing interfaces in the firewall section.
This is caused by a different interpretation of the configuration data underneath it; the fix is simple.
* Save each missing interface configuration under Interfaces: [IF], apply and finally reboot




Stay safe,

Your OPNsense team
#4
Announcements / OPNsense 16.1.16 released
June 06, 2016, 04:16:38 PM
Dear all,

It has been a long journey for HardenedBSD and OPNsense, and finally the paths start to merge as the splendid and battle-proven ASLR implementation gets incorporated into the default installation! It is just the beginning as we will start to leverage the extra security by enabling position independent execution in 16.7 and merge more security-related features. We thank again the HardenedBSD team for their continued efforts on making this world a safer place.

In other news, there is a thoroughly revamped dashboard for you to enjoy and a handful of security fixes in FreeBSD and the ports ecosystem. LibreSSL has been updated to the latest production release and the BETA version is progressing nicely as we change our working mode from "rework all the things" to "polish all the things". A release candidate is coming up soon.

Here are the patch notes for 16.1.16:

o src: merged and enabled HardenedBSD's ASLR implementation[1]
o src: kernel stack disclosure in Linux compatibility layer[2]
o src: kernel stack disclosure in 4.3BSD compatibility layer[3]
o src: directory traversal in cpio[4]
o ports: libressl 2.3.5[5], phalcon 2.0.13[6], dnsmasq 2.76[7]
o ports: apinger 0.7[8], curl 7.49[9], bind 9.10.4-p1[10]
o ports: php 5.6.22[11], sqlite 3.13[12], ntp 4.2.8p8[13]
o dashboard: movable widgets, multi-column support and improved look and feel
o system: improved CSRF handling
o system: allow far gateway support for non-subnet gateways
o system: fix null routes add / delete
o system: user/group privilege selection improvements
o system: fix missing cron job for GUI lock / expire
o firmware: adds opnsense-patch tool for simple upstream repo patch apply
o dns resolver: fix AAAA record save
o dns forwarder: add custom port option for domain overrides
o firewall: for us bogons do not extend to private networks
o firewall: fix schedule clone when in use
o interfaces: remove explicit ath(4) long distance support
o interfaces: removed SVG traffic graphs in favour of modern replacements
o captive portal: allow to drop all expired vouchers
o cron: fix parameter ignore
o layout: "Stacked-to-horizontal" emulation for mobile view
o layout: consistent tooltip button placement
o layout: fix footer on small screen size
o plugins: fix HAProxy X-Forwarded-For header option

And here is the change log for 16.7 BETA:

o interfaces: interface-based plugin system used by OpenVPN and IPSec
o interfaces: removed complex PPPoE reset handling by optional cron job
o plugins: allow local socket in chroot'ed services
o plugins: removed L2TP, PPTP and PPPoE servers from core
o firmware: allow resume for update page
o firmware: dump / restore package database on shutdown / boot
o firewall: removed proxy NAT reflection mode
o firewall: properly start/stop proxy ARP daemons
o firewall: implement flexible scrub / normalisation config pages to zap hidden scrubbing code
o firewall: removed "match" action from floating rules, no FreeBSD support
o firewall: removed negate rules that would magically prevent load-balancing VPN links
o system: migrated new cron handling to do privilege separation where possible
o system: better branding support for boot loader on package install / remove
o system: remove single forward GUI item for RFC 2893, can be set in NAT just as well
o router advertisements: allow to set mode and min / max intervals


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/src/commit/e13c0d42ebbd4
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:20.linux.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:21.43bsd.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:22.libarchive.asc
[5] http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.5-relnotes.txt
[6] https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.13
[7] http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[8] https://github.com/opnsense/apinger/blob/master/NEWS
[9] https://curl.haxx.se/changes.html
[10] https://kb.isc.org/article/AA-01383/81/BIND-9.10.4-P1-Release-Notes.html
[11] http://php.net/ChangeLog-5.php#5.6.22
[12] http://www.sqlite.org/changes.html
[13] https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable
#5
Announcements / OPNsense 16.1.15 released
May 25, 2016, 03:57:05 PM
Hi all,

We are dropping in for a quick update bundling assorted fixes and general improvements in all areas. Not much to add this week, see for yourselves...

Don't forget that ASLR is coming next week. :)

Here are the full patch notes for 16.1.15:

o system: make authentication fallback configurable
o system: settings cleanup and prettify
o system: added explicit ETC timezone selection
o high availability: add page for remote service control
o high availability: properly enforce authentication
o firmware: reboot and poweroff API actions
o firmware: only kill GUI process, not captive portal
o firmware: show errors in update window
o firmware: keep polling for progress even when GUI restarts
o backend: skip failing templates on bootup
o trust: fix CA certificate count in overview
o trust: allow key size up to 8192 bits
o firewall: fix invalid NPT rule generation
o firewall: speed up filter log pages
o firewall: do not allow to change virtual IP mode after creation
o firewall: moved settings page and rearranged settings accordingly
o interfaces: unhook all but the last custom PHP module functions
o interfaces: moved settings page and rearranged settings accordingly
o dhcp: do not override RA settings after save
o dns: resolver outgoing interface section moved to advanced as it will break setups with dynamic interfaces selected there
o load balancer: sticky mode from firewall / system split off as separate setting
o snmp: do not allow unicode in system location
o intrusion detection: remove deprecated rbn-malvertisers.rules set
o intrusion detection: add promiscuous mode / physical interface selection
o overall: fix menu width on small size screens
o overall: numerous translation fixes (contributed by Frederic Lietart)
o overall: numerous translation fixes (contributed by Fabian Franz)
o plugins: assorted bugfixes for HAProxy (contributed by Frank Wall)
o mvc: fix translations by adding an escaping wrapper

And here are the patch notes for 16.7 BETA:

o system: reworked the user / group manager privilege selection
o firewall: IPv6 outbound NAT rework
o interfaces: allow debug mode for DHCPv6 client
o interfaces: remove ath(4) long distance helpers
o dns: add custom port option for domain overrides
o gateways/routes: fix for far gateway setups
o overall: add stacked-to-horizontal feature for input forms


Stay safe,
Your OPNsense team
#6
Announcements / OPNsense 16.1.14 released
May 18, 2016, 04:01:49 PM
Hello there,

It is time for something new. How about an update with your new NetFlow remote export. Or your local reporting frontend? Well, you can always use both if you like. Read all about it here:

https://docs.opnsense.org/manual/netflow.html

Furthermore, we have added the brand new AQM CoDel v 0.2.1 to the mix, yesterday's FreeBSD security advisories, released the HAProxy plugin, bundled a full Japanese translation. And two-factor authentication for our components? Yes, we also have that now. :)

There is also a refreshed website for our general viewing pleasure. Let us know what you think or what it is missing.

https://opnsense.org/

And now, here is the full change log for 16.1.14:

o src: tzdata updated to 2014d[1]
o src: dummynet AQM updated to 0.2.1[2]
o src: fix multiple OpenSSL vulnerabilities[3]
o src: fix excessive latency in x86 IPI delivery[4]
o src: fix memory leak in ZFS[5]
o src: fix buffer overflow in keyboard driver[6]
o src: fix incorrect argument handling in sendmsg[7]
o ports: sqlite 3.12.2[8], openvpn 2.3.11[9], squid 3.5.19[10]
o plugins: HAProxy plugin version 1.0 (contributed by Frank Wall)
o lang: Japanese 100% completed
o lang: updates for French and German
o interfaces: removed polling support
o interfaces: allow subnet size of 31 bits
o high availability: can now sync DNS resolver configuration
o cron: reworked job registration
o system: do not unload cryptodev to prevent panics when used by OpenVPN
o system: user expiration date edit now has a fancy date picker
o system: add RFC 6238 (TOTP) support for two-factor authentication
o reporting: added local NetFlow reporting frontend[11]
o reporting: added remote NetFlow exporter for multiple sources[12]
o firewall: fixed schedule cloning
o services: lower intervals for router advertisement messages

And this is the change log for 16.7 BETA:

o firmware: assorted improvements for error reporting and smooth operation
o firmware: partial fix for Nano update issues when RAM is too small
o intrusion detection: promiscuous interface mode for better VLAN operation
o gateways/routes: support for far gateways outside of the interface subnet
o routes: fixed null routes / blackholes
o interfaces: SVG traffic graphs replaced by modern alternative
o dashboard: finished the rework, ready for general testing
o firewall: removed the need for custom kernel patches for schedules
o lang: numerous improvements (contributed by Fabian Franz)


Stay safe,
Your OPNsense team

--
[1] http://mm.icann.org/pipermail/tz-announce/2016-April/000038.html
[2] http://caia.swin.edu.au/freebsd/aqm/patches/ChangeLog-0.2.1.txt
[3] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:17.openssl.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-16:07.ipi.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-16:08.zfs.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:18.atkbd.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:19.sendmsg.asc
[8] http://www.sqlite.org/changes.html
[9] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11
[10] ftp://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5-ChangeLog.txt
[11] https://docs.opnsense.org/manual/how-tos/insight.html
[12] https://docs.opnsense.org/manual/how-tos/netflow_exporter.html
#7
Announcements / OPNsense 16.1.13 released
May 04, 2016, 02:09:11 PM
Dear all,

Ever so swiftly we're adopting the OpenSSL and LibreSSL updates and welcome the cooperation between both projects on this one. Way to go guys!

In other news, NTP and Bind were updated to their latest versions. The gateway monitoring tool Apinger can now properly handle NTP taking over time from time to time. Er, anyway, language packs will become pluggable in the long run and the MVC work for the HAProxy plugin is now completely bundled with the release. Plugin release is currently scheduled for 16.1.14.

Here is the full change log for 16.1.13:

o ports: ntp 4.2.8p7[1], bind 9.10.4[2], php 5.6.21[3], libressl 2.2.7[4], openssl 1.0.2h[5]
o languages: newly packaged translations with latest updates
o gateways: apinger monitoring quality is no longer affected by NTP operation
o backend: lowered configd connection timeout for better response time when unavailable
o backend: plugged numerous minor crash reports caused by configd
o backup: reworked backup strategies for RRD and DHCP leases
o interfaces: allow bridges with at least one member
o rc: defer recover for packages to avoid database duplication
o intrusion detection: added an eicar test ruleset
o intrusion detection: fixed sort order of rulesets
o captive portal: properly catch exception for accounting background job
o firewall: annotate deprecated ICMP types in rule filter selection
o firewall: direction arrows in rule overview now have different colours for easier distinction
o gui: correct HTML escaping in MVC between client-side JavaScript and server-side API
o gui: various improvements in MVC components required for upcoming HAProxy plugin
o gui: enable tooltips in MVC base template
o gui: set HTTP-only cookie

And here is what changed in 16.7 Beta:

o dashboard: selectable multi-column count
o dashboard: half-way through widget modernisation
o dashboard: brought back drag and drop for widget reordering
o dashboard: new pluggable API backend for widgets
o languages: added first steps for Turkish
o backend: removed legacy PHP module for interface information collection
o gui: improve and streamline CSRF protection
o netflow: fixed bug with reporting frontend in Safari


Stay safe,
Your OPNsense team

--
[1] http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
[2] https://ftp.isc.org/isc/bind/9.10.4/RELEASE-NOTES-bind-9.10.4.html
[3] http://php.net/ChangeLog-5.php#5.6.21
[4] http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.7-relnotes.txt
[5] https://mta.openssl.org/pipermail/openssl-announce/2016-May/000072.html
#8
Announcements / OPNsense 16.1.11 released
April 18, 2016, 01:50:35 PM
Hi everyone,

We are skipping a bit ahead with 16.1.11 to address a CSRF vulnerability, which shows us the good path we have been on since we started[1] and we will surely continue this security-aware trend.

In other news, this update includes native GeoIP alias support, captive portal voucher customisations requested by many and the last batch of Russian, effectively bringing it to 100% completed. Wow!

Here is the full change log:

o services: fix CSRF vulnerability in status_services.php[2]
o www: strengthen CSRF secret generation for legacy pages
o dhcp: bring back usage of the authoritative directive
o system: allow periodic backups of RRD and DHCP for non-MFS
o captive portal: add option for less secure passwords, password and username length
o firewall: add GeoIP aliases feature
o openvpn: status page would not show the correct process status
o languages: completed Russian translation (contributed by Smart-Soft Ltd.)
o languages: updated French

Stay safe,
Your OPNsense team

--
[1] https://forum.opnsense.org/index.php?topic=2837.0
[2] https://cxsecurity.com/issue/WLB-2016040106
#9
Announcements / OPNsense 16.1.6 released
March 09, 2016, 02:04:55 PM
Hi guys,

It is update time! This time around, DHCP and DNS have been freshened up thoroughly, removing both potential and real problems from the GUI and underneath. Additionally, the proxy server gained ICAP support and a category-based remote block list selection.

Our firmware mirror support has finally been extended so that it is now possible to pull all updates from a single mirror, which will very soon make it possible to run a local mirror for your internal installations. We are also shipping the original FreeBSD OpenSSL patch, although the security issues cannot not surface on OPNsense. We just like to be thorough.

Here are the full patch notes:

o src: Fix multiple vulnerabilities of OpenSSL[1]
o src: update tzdata to 2016a[2]
o ports: openssh-portable 7.2p1[3], isc-dhcp-43 4.3.3P1_1[4], php56 5.6.19[5], curl 7.41.1[6]
o firmware: mirror selection has been widened to include kernel/base upgrades
o firmware: bootstrap utility can now directly install e.g. the development version
o dhcp: all GUI pages have been reworked for a polished look and feel
o proxy: added category-based remote file support if compressed file contains multiple files
o proxy: added ICAP support (contributed by Fabian Franz)
o proxy: hook up the transparent FTP proxy
o proxy: add intercept on IPv6 for FTP and HTTP proxy options
o logging: syslog facilities, like services, are now fully pluggable
o vpn: stripped an invalid PPTP server configuration from the standard configuration
o vpn: converted to pluggable syslog, menu and ACL
o dyndns: all GUI pages have been reworked for a polished look and feel
o dyndns: widget now shows IPv6 entries too
o dns forwarder: all GUI pages have been reworked for a polished look and feel
o dns resolver: all GUI pages have been reworked for a polished look and feel
o dns resolver: rewrote the dhcp lease registration hooks
o dns resolver: allow parallel operation on non-standard port when dns forwarder is running as well
o firewall: hide outbound nat rule input for "interface address" option and toggle bitmask correctly
o interfaces: fix problem when VLAN tags weren't generated properly
o interfaces: improve interface capability reconfigure
o ipsec: fix service restart behaviour from GUI
o captive portal: add missing chain in certificate generation
o configd: improve recovery and reload behaviour
o load balancer: reordered menu entries for clarity
o ntp: reordered menu entries for clarity
o traffic shaper: fix mismatch for direction + dual interfaces setup
o languages: updated German and French


Stay safe,
Your OPNsense team

--
[1] https://github.com/freebsd/freebsd/commit/7d8d4cb5
[2] http://mm.icann.org/pipermail/tz-announce/2016-January/000035.html
[3] http://www.openssh.com/txt/release-7.2
[4] https://www.isc.org/blogs/isc-dhcp-4-3-0-is-live/
[5] http://php.net/ChangeLog-5.php#5.6.19
[6] https://curl.haxx.se/changes.html
#10
Announcements / OPNsense 16.1.3 released
February 17, 2016, 06:33:55 PM
Good news everyone,

It is time for a smaller update to 16.1.3. There is another fix for our Hyper-V users, the health section finally received its CPU temperature graph and a few ports have been updated to their latest version. Nothing of particular interest happened, no issues with glibc from our side today. :)

A number of assorted issues have been flushed from the code thanks to good use of the crash reporter. A special thank you goes to those of you who submit email addresses and a brief description along with the report. For us it is tremendously useful to get as many details as possible and to verify that our fixes work reliably in particular use cases before shipping them.

Enough with the announcing already, here are the full patch notes:

o src: hyperv/kvp: wake up the daemon if it is sleeping due to poll()[1]
o src: Use correct src/dst ports when removing states in pf[2]
o src: finish the boot loader branding by adding a shiny logo
o ports: unbound 1.5.7[3], openldap 2.4.44[4], ca_root_nss 3.22, php 5.7.18[5], phalcon 2.0.10[6], pkg 1.6.4[7][8]
o interfaces: collapsible overview for each interface
o shaper: fix issue with model when not able to save an old config
o health: added pages to ACL for configurable user access
o health: record system CPU temperature in additional graph
o firmware: add UK-based mirror (contributed by Will Jones)
o access: force a visible and non-critical page on non-access redirect
o access: make sure "/" is handled like "/index.php"
o configuration: add a number of previously missing config sections for selection on restore/backup
o firewall: bring back alias nesting
o dhcp: add missing DNS resolver awareness
o dhcp: fix multiple minor crash reports
o radvd: add missing DNS resolver awareness
o captive portal: ensure MAC address is saved in lowercase and improve validation
o captive portal: fix unicode issue in template generation
o captive portal: correct syslog redirection regression
o crash reporter: limit log size upload to 1MB
o cron: fix validation of hour value
o intrusion detection: show origin link of rule sets in details
o services: add background daemon to known services for easy reload
o services: add captive portal to known services for easy reload
o services: improve redirect on service reload in diagnostics page


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/core/issues/748
[2] https://github.com/opnsense/src/pull/9
[3] http://www.unbound.net/download.html
[4] http://www.openldap.org/software/release/changes.html
[5] http://php.net/ChangeLog-5.php#5.6.18
[6] https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.10
[7] https://github.com/freebsd/freebsd-ports/commit/364bf01c846
[8] https://github.com/freebsd/freebsd-ports/commit/69fe3e55ff5
#11
I've just created a wiki page on how to build modules using the OPNsense framework including building of pkgng plugins.

For anyone who is interested, you can find it here:

https://docs.opnsense.org/development/examples/helloworld.html

#12
Forum Rules / Forum Rules
January 02, 2015, 11:18:03 AM
The rules for the forum are essentially the same as for the mailing list:
    before you post a question:
        search the forum and mailing list archives – spend at least 5 minutes searching!
        read the FAQ

    if a thread already exists for the topic that you wish to discuss, use it – don't start a new one!
        use the forum search to find similar threads

    make sure you choose the proper board for your topic
    when posting, give all details that could be relevant to your problem (configuration, log messages, etc.)
    treat other forum members as you wish to be treated
        stay polite

    In case the issue or question is resolved, we kindly ask the author to mark his thread with "[SOLVED]" so other
    people have insights into the status of the request or issue.

Posts in the non-international section should be in English.