Topics

1

16.7 Legacy Series / Upgrading to 16.7, known issues and workarounds

« on: July 28, 2016, 11:16:33 am »

Hi All,

With the release of 16.7 we will use this forum post to keep you informed about issues that have been reported and fixes / workarounds.


[1] if IPS is not working, disable it temporarily or switch to IDS mode.
For intel cards there's a temporary fix available, we working on putting it into our standard release.
Please execute:

Code: [Select]

opnsense-update -khr 16.7-em
Then reboot, and after reboot enable IPS again.

[2] some people using imported configurations, experience missing interfaces in the firewall section.
This is caused by a different interpretation of the configuration data underneath it, a fix is simple.
* Save each missing interface configuration under Interfaces: [IF], apply and finally reboot


Stay safe,

Your OPNsense team

2

Announcements / OPNsense 16.1.16 released

« on: June 06, 2016, 04:16:38 pm »

Dear all,

It has been a long journey for HardenedBSD and OPNsense, and finally the paths start to merge as the splendid and battle-proven ASLR implementation gets incorporated into the default installation! It is just the beginning as we will start to leverage the extra security by enabling position independent execution in 16.7 and merge more security-related features. We thank again the HardenedBSD team for their continued efforts on making this world a safer place.

In other news, there is a thoroughly revamped dashboard for you to enjoy and a handful of security fixes in FreeBSD and the ports ecosystem. LibreSSL has been updated to the latest production release and the BETA version is progressing nicely as we change our working mode from "rework all the things" to "polish all the things". A release candidate is coming up soon.

Here are the patch notes for 16.1.16:

o src: merged and enabled HardenedBSD's ASLR implementation[1]
o src: kernel stack disclosure in Linux compatibility layer[2]
o src: kernel stack disclosure in 4.3BSD compatibility layer[3]
o src: directory traversal in cpio[4]
o ports: libressl 2.3.5[5], phalcon 2.0.13[6], dnsmasq 2.76[7]
o ports: apinger 0.7[8], curl 7.49[9], bind 9.10.4-p1[10]
o ports: php 5.6.22[11], sqlite 3.13[12], ntp 4.2.8p8[13]
o dashboard: movable widgets, multi-column support and improved look and feel
o system: improved CSRF handling
o system: allow far gateway support for non-subnet gateways
o system: fix null routes add / delete
o system: user/group privilege selection improvements
o system fix missing cron job for GUI lock / expire
o firmware: adds opnsense-patch tool for simple upstream repo patch apply
o dns resolver: fix AAAA record save
o dns forwarder: add custom port option for domain overrides
o firewall: for us bogons do not extend to private networks
o firewall: fix schedule clone when in use
o interfaces: remove explicit ath(4) long distance support
o interfaces: removed SVG traffic graphs in favour of modern replacements
o captive portal: allow to drop all expired vouchers
o cron: fix parameter ignore
o layout: "Stacked-to-horizontal" emulation for mobile view
o layout: consistent tooltip button placement
o layout: fix footer on small screen size
o plugins: fix HAProxy X-Forwarded-For header option

And here is the change log for 16.7 BETA:

o interfaces: interface-based plugin system used by OpenVPN and IPSec
o interfaces: removed complex PPPoE reset handling by optional cron job
o plugins: allow local socket in chroot'ed services
o plugins: removed L2TP, PPTP and PPPoE servers from core
o firmware: allow resume for update page
o firmware: dump / restore package database on shutdown / boot
o firewall: removed proxy NAT reflection mode
o firewall: properly start/stop proxy APR daemons
o firewall: implement flexible scrub / normalisation config pages to zap hidden scrubbing code
o firewall: removed "match" action from floating rules, no FreeBSD support
o firewall: removed negate rules that would magically prevent load-balancing VPN links
o system: migrated new cron handling to do privilege separation where possible
o system: better branding support for boot loader on package install / remove
o system: remove single forward GUI item for RFC 2893, can be set in NAT just as well
o router advertisements: allow to set mode and min / max intervals


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/src/commit/e13c0d42ebbd4
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:20.linux.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:21.43bsd.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:22.libarchive.asc
[5] http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.5-relnotes.txt
[6] https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.13
[7] http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[8] https://github.com/opnsense/apinger/blob/master/NEWS
[9] https://curl.haxx.se/changes.html
[10] https://kb.isc.org/article/AA-01383/81/BIND-9.10.4-P1-Release-Notes.html
[11] http://php.net/ChangeLog-5.php#5.6.22
[12] http://www.sqlite.org/changes.html
[13] https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable

3

Announcements / OPNsense 16.1.15 released

« on: May 25, 2016, 03:57:05 pm »

Hi all,

We are dropping in for a quick update bundling assorted fixes and general improvements in all areas. Not much to add this week, see for yourselves...

Don't forget that ASLR is coming next week. 

Here are the full patch notes for 16.1.15:
 
o system: make authentication fallback configurable
o system: settings cleanup and prettify
o system: added explicit ETC timezone selection
o high availability: add page for remote service control
o high availability: properly enforce authentication
o firmware: reboot and poweroff API actions
o firmware: only kill GUI process, not captive portal
o firmware: show errors in update window
o firmware: keep polling for progress even when GUI restarts
o backend: skip failing templates on bootup
o trust: fix CA certificate count in overview
o trust: allow key size up to 8192 bits
o firewall: fix invalid NPT rule generation
o firewall: speed up filter log pages
o firewall: do not allow to change virtual IP mode after creation
o firewall: moved settings page and rearranged settings accordingly
o interfaces: unhook all but the last custom PHP module functions
o interfaces: moved settings page and rearranged settings accordingly
o dhcp: do not override RA settings after save
o dns: resolver outgoing interface section moved to advanced as it will break setups with dynamic interfaces selected there
o load balancer: sticky mode from firewall / system split off as separate setting
o snmp: do not allow unicode in system location
o intrusion detection: remove deprecated rbn-malvertisers.rules set
o intrusion detection: add promiscuous mode / physical interface selection
o overall: fix menu width on small size screens
o overall: numerous translation fixes (contributed by Frederic Lietart)
o overall: numerous translation fixes (contributed by Fabian Franz)
o plugins: assorted bugfixes for HAProxy (contributed by Frank Wall)
o mvc: fix translations by adding an escaping wrapper

And here are the patch notes for 16.7 BETA:

o system: reworked the user / group manager privilege selection
o firewall: IPv6 outbound NAT rework
o interfaces: allow debug mode for DHCPv6 client
o interfaces: remove ath(4) long distance helpers
o dns: add custom port option for domain overrides
o gateways/routes: fix for far gateway setups
o overall: add stacked-to-horizontal feature for input forms


Stay safe,
Your OPNsense team

4

Announcements / OPNsense 16.1.14 released

« on: May 18, 2016, 04:01:49 pm »

Hello there,

It is time for something new. How about an update with your new NetFlow remote export. Or your local reporting frontend? Well, you can always use both if you like. Read all about it here:

https://docs.opnsense.org/manual/netflow.html

Furthermore, we have added the brand new AQM CoDel v 0.2.1 to the mix, yesterday's FreeBSD security advisories, released the HAProxy plugin, bundled a full Japanese translation. And two-factor authentication for our components? Yes, we also have that now.

There is also a refreshed website for our general viewing pleasure. Let us know what you think or what it is missing.

https://opnsense.org/

And now, here is the full change log for 16.1.14:

o src: tzdata updated to 2014d[1]
o src: dummynet AQM updated to 0.2.1[2]
o src: fix multiple OpenSSL vulnerabilities[3]
o src: fix excessive latency in x86 IPI delivery[4]
o src: fix memory leak in ZFS[5]
o src: fix buffer overflow in keyboard driver[6]
o src: fix incorrect argument handling in sendmsg[7]
o ports: sqlite 3.12.2[8], openvpn 2.3.11[9], squid 3.5.19[10]
o plugins: HAProxy plugin version 1.0 (contributed by Frank Wall)
o lang: Japanese 100% completed
o lang: updates for French and German
o interfaces: removed polling support
o interfaces: allow subnet size of 31 bits
o high availability: can now sync DNS resolver configuration
o cron: reworked job registration
o system: do not unload cryptodev to prevent panics when used by OpenVPN
o system: user expiration date edit now has a fancy date picker
o system: add RFC 6238 (TOTP) support for two-factor authentication
o reporting: added local NetFlow reporting frontend[11]
o reporting: added remote NetFlow exporter for multiple sources[12]
o firewall: fixed schedule cloning
o services: lower intervals for router advertisement messages

And this is the change log for 16.7 BETA:

o firmware: assorted improvements for error reporting and smooth operation
o firmware: partial fix for Nano update issues when RAM is too small
o intrusion detection: promiscuous interface mode for better VLAN operation
o gateways/routes: support for far gateways outside of the interface subnet
o routes: fixed null routes / blackholes
o interfaces: SVG traffic graphs replaced by modern alternative
o dashboard: finished the rework, ready for general testing
o firewall: removed the need for custom kernel patches for schedules
o lang: numerous improvements (contributed by Fabian Franz)


Stay safe,
Your OPNsense team

--
[1] http://mm.icann.org/pipermail/tz-announce/2016-April/000038.html
[2] http://caia.swin.edu.au/freebsd/aqm/patches/ChangeLog-0.2.1.txt
[3] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:17.openssl.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-16:07.ipi.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-16:08.zfs.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:18.atkbd.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:19.sendmsg.asc
[8] http://www.sqlite.org/changes.html
[9] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11
[10] ftp://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5-ChangeLog.txt
[11] https://docs.opnsense.org/manual/how-tos/insight.html
[12] https://docs.opnsense.org/manual/how-tos/netflow_exporter.html

5

Announcements / OPNsense 16.1.13 released

« on: May 04, 2016, 02:09:11 pm »

Dear all,

Ever so swiftly we're adopting the OpenSSL and LibreSSL updates and welcome the cooperation between both projects on this one. Way to go guys!

In other news, NTP and Bind were updated to their latest versions. The gateway monitoring tool Apinger can now properly handle NTP taking over time from time to time. Er, anyway, language packs will become pluggable in the long run and the MVC work for the HAProxy plugin is now completely bundled with the release. Plugin release is currently scheduled for 16.1.14.

Here is the full change log for 16.1.13:

o ports: ntp 4.2.8p7[1], bind 9.10.4[2], php 5.6.21[3], libressl 2.2.7[4], openssl 1.0.2h[5]
o languages: newly packaged translations with latest updates
o gateways: apinger monitoring quality is no longer affected by NTP operation
o backend: lowered configd connection timeout for better response time when unavailable
o backend: plugged numerous minor crash reports caused by configd
o backup: reworked backup strategies for RRD and DHCP leases
o interfaces: allow bridges with at least one member
o rc: defer recover for packages to avoid database duplication
o intrusion detection: added an eicar test ruleset
o intrusion detection: fixed sort order of rulesets
o captive portal: properly catch exception for accounting background job
o firewall: annotate deprecated ICMP types in rule filter selection
o firewall: direction arrows in rule overview now have different colours for easier distinction
o gui: correct HTML escaping in MVC between client-side JavaScript and server-side API
o gui: various improvements in MVC components required for upcoming HAProxy plugin
o gui: enable tooltips in MVC base template
o gui: set HTTP-only cookie

And here is what changed in 16.7 Beta:

o dashboard: selectable multi-column count
o dashboard: half-way through widget modernisation
o dashboard: brought back drag and drop for widget reordering
o dashboard: new pluggable API backend for widgets
o languages: added first steps for Turkish
o backend: removed legacy PHP module for interface information collection
o gui: improve and streamline CSRF protection
o netflow: fixed bug with reporting frontend in Safari


Stay safe,
Your OPNsense team

--
[1] http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
[2] https://ftp.isc.org/isc/bind/9.10.4/RELEASE-NOTES-bind-9.10.4.html
[3] http://php.net/ChangeLog-5.php#5.6.21
[4] http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.7-relnotes.txt
[5] https://mta.openssl.org/pipermail/openssl-announce/2016-May/000072.html

6

Announcements / OPNsense 16.1.11 released

« on: April 18, 2016, 01:50:35 pm »

Hi everyone,

We are skipping a bit ahead with 16.1.11 to address a CSRF vulnerability, which shows us the good path we have been on since we started[1] and we will surely continue this security-aware trend.

In other news, this update includes native GeoIP alias support, captive portal voucher customisations requested by many and the last batch of Russian, effectively bringing it to 100% completed. Wow!

Here is the full change log:

o services: fix CSRF vulnerability in status_services.php[2]
o www: strengthen CSRF secret generation for legacy pages
o dhcp: bring back usage of the authoritative directive
o system: allow periodic backups of RRD and DHCP for non-MFS
o captive portal: add option for less secure passwords, password and username length
o firewall: add GeoIP aliases feature
o openvpn: status page would not show the correct process status
o languages: completed Russian translation (contributed by Smart-Soft Ltd.)
o languages: updated French

Stay safe,
Your OPNsense team

--
[1] https://forum.opnsense.org/index.php?topic=2837.0
[2] https://cxsecurity.com/issue/WLB-2016040106

7

Announcements / OPNsense 16.1.6 released

« on: March 09, 2016, 02:04:55 pm »

Hi guys,

It is update time! This time around, DHCP and DNS have been freshened up thoroughly, removing both potential and real problems from the GUI and underneath. Additionally, the proxy server gained ICAP support and a category-based remote block list selection.

Our firmware mirror support has finally been extended so that it is now possible to pull all updates from a single mirror, which will very soon make it possible to run a local mirror for your internal installations. We are also shipping the original FreeBSD OpenSSL patch, although the security issues cannot not surface on OPNsense. We just like to be thorough.

Here are the full patch notes:

o src: Fix multiple vulnerabilities of OpenSSL[1]
o src: update tzdata to 2016a[2]
o ports: openssh-portable 7.2p1[3], isc-dhcp-43 4.3.3P1_1[4], php56 5.6.19[5], curl 7.41.1[6]
o firmware: mirror selection has been widened to include kernel/base upgrades
o firmware: bootstrap utility can now directly install e.g. the development version
o dhcp: all GUI pages have been reworked for a polished look and feel
o proxy: added category-based remote file support if compressed file contains multiple files
o proxy: added ICAP support (contributed by Fabian Franz)
o proxy: hook up the transparent FTP proxy
o proxy: add intercept on IPv6 for FTP and HTTP proxy options
o logging: syslog facilities, like services, are now fully pluggable
o vpn: stripped an invalid PPTP server configuration from the standard configuration
o vpn: converted to pluggable syslog, menu and ACL
o dyndns: all GUI pages have been reworked for a polished look and feel
o dyndns: widget now shows IPv6 entries too
o dns forwarder: all GUI pages have been reworked for a polished look and feel
o dns resolver: all GUI pages have been reworked for a polished look and feel
o dns resolver: rewrote the dhcp lease registration hooks
o dns resolver: allow parallel operation on non-standard port when dns forwarder is running as well
o firewall: hide outbound nat rule input for "interface address" option and toggle bitmask correctly
o interfaces: fix problem when VLAN tags weren't generated properly
o interfaces: improve interface capability reconfigure
o ipsec: fix service restart behaviour from GUI
o captive portal: add missing chain in certificate generation
o configd: improve recovery and reload behaviour
o load balancer: reordered menu entries for clarity
o ntp: reordered menu entries for clarity
o traffic shaper: fix mismatch for direction + dual interfaces setup
o languages: updated German and French


Stay safe,
Your OPNsense team

--
[1] https://github.com/freebsd/freebsd/commit/7d8d4cb5
[2] http://mm.icann.org/pipermail/tz-announce/2016-January/000035.html
[3] http://www.openssh.com/txt/release-7.2
[4] https://www.isc.org/blogs/isc-dhcp-4-3-0-is-live/
[5] http://php.net/ChangeLog-5.php#5.6.19
[6] https://curl.haxx.se/changes.html

8

Announcements / OPNsense 16.1.3 released

« on: February 17, 2016, 06:33:55 pm »

Good news everyone,

It is time for a smaller update to 16.1.3. There is another fix for our Hyper-V users, the health section finally received its CPU temperature graph and a few ports have been updated to their latest version. Nothing of particular interest happened, no issues with glibc from our side today.

A number of assorted issues have been flushed from the code thanks to good use of the crash reporter. A special thank you goes to those of you who submit email addresses and a brief description along with the report. For us it is tremendously useful to get as many details as possible and to verify that our fixed work reliably in a particular use cases before shipping them.

Enough with the announcing already, here are the full patch notes:

o src: hyperv/kvp: wake up the daemon if it is sleeping due to poll()[1]
o src: Use correct src/dst ports when removing states in pf[2]
o src: finish the boot loader branding by adding a shiny logo
o ports: unbound 1.5.7[3], openldap 2.4.44[4], ca_root_nss 3.22, php 5.7.18[5], phalcon 2.0.10[6], pkg 1.6.4[7][8]
o interfaces: collapsible overview for each interface
o shaper: fix issue with model when not able to save an old config
o health: added pages to ACL for configurable user access
o health: record system CPU temperature in additional graph
o firmware: add UK-based mirror (contributed by Will Jones)
o access: force a visible and non-critical page on non-access redirect
o access: make sure "/" is handled like "/index.php"
o configuration: add a number of previously missing config sections for selection on restore/backup
o firewall: bring back alias nesting
o dhcp: add missing DNS resolver awareness
o dhcp: fix multiple minor crash reports
o radvd: add missing DNS resolver awareness
o captive portal: ensure MAC address is saved in lowercase and improve validation
o captive portal: fix unicode issue in template generation
o captive portal: correct syslog redirection regression
o crash reporter: limit log size upload to 1MB
o cron: fix validation of hour value
o intrusion detection: show origin link of rule sets in details
o services: add background daemon to known services for easy reload
o services: add captive portal to known services for easy reload
o services: improve redirect on service reload in diagnostics page


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/core/issues/748
[2] https://github.com/opnsense/src/pull/9
[3] http://www.unbound.net/download.html
[4] http://www.openldap.org/software/release/changes.html
[5] http://php.net/ChangeLog-5.php#5.6.18
[6] https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.10
[7] https://github.com/freebsd/freebsd-ports/commit/364bf01c846
[8] https://github.com/freebsd/freebsd-ports/commit/69fe3e55ff5

9

Development and Code Review / HelloWorld module / application

« on: September 02, 2015, 02:35:25 pm »

I've just created a wiki page on how to build modules using the OPNsense framework including building of pkgng plugins.

For anyone who is interested, you can find it here:

https://wiki.opnsense.org/index.php/Develop:Creating_the_hello_world_module

10

Forum Rules / Forum Rules

« on: January 02, 2015, 11:18:03 am »

The rules for the forum are essentially the same as for the mailing list:

    before you post a question:
        search the forum and mailing list archives – spend at least 5 minutes searching!
        read the FAQ

    if a thread already exists for the topic that you wish to discuss, use it – don't start a new one!
        use the forum search to find similar threads

    make sure you choose the proper board for your topic
    when posting , give all details that could be relevant to your problem (configuration, log messages, etc.)
    treat other forum members as you wish to be treated
        stay polite


Posts in the non-international section should be in English.