Topics - franco

Announcements / OPNsense 17.1.1 released
« on: February 09, 2017, 11:00:34 am »
Hey there,

This week we are introducing a number of reliability fixes especially with regard to our move to FreeBSD 11.0 and PHP 7.0; most prominently a NAT fix for the shared filter forwarding and repairing the CRL generation. You will also find a few interesting IPsec additions. ;)

In case the shared forwarding is still giving you trouble on 17.1.1, run the following command to use the old behaviour and report back to us:

# sysctl net.pf.share_forward=0

Here are the full patch notes:

o system: LDAP picker CSRF error solved by introducing session-based security tokens
o system: fixed CRL generation inside PHP OpenSSL module
o system: fix a typo with Portuguese (Portugal) in language selector
o system: do not interpret passed values in wizard
o system: fix forum link in message of the day
o firewall: direction "any" was not respected in floating rules
o firewall: fix double encoding of NO NAT for NAT addresses (contributed by djGrrr)
o firewall: improve validation between IPv4 and IPv6 to prevent faulty rule generation
o firmware: opnsense-update utility now unlocks packages before performing major upgrades
o firmware: opnsense-revoke utility now retains the automatic flag
o firmware: revoked the 16.7 update fingerprints
o dhcp: change relay text to make it clear multiple servers are supported (contributed by GurliGebis)
o ipsec: add EAP-RADIUS support (contributed by GurliGebis)
o ipsec: set filtertunnel sysctl values to fix TCP teardown
o ipsec: fix hidden interface rules tab
o ipsec: add AES-GCM support
o openvpn: fixed CRL generation inside PHP OpenSSL module
o openvpn: do not escape advanced options on export
o openvpn: fix hidden interface rules tab
o mvc: multiple tab usage CSRF errors solved by introducing session-based security tokens
o mvc: fix HTTP status codes on CSRF errors
o mvc: soft-fail on missing classes in ModelRelationField (contributed by Frank Wall)
o plugins: os-acme-client 1.1[1] (contributed by Frank Wall)
o plugins: os-haproxy 1.12[2] (contributed by Frank Wall)
o src: pf(4) shared forwarding fix during NAT
o src: pf(4) sysctl switch to disable shared forwarding
o src: fix a panic with stf(4) interfaces
o src: unhide hard disks under Hyper-V
o ports: pkg 1.9.4[3][4]
o ports: pcre 8.40[5]
o ports: libressl 2.4.5[6]
o ports: libevent 2.1.8[7]
o ports: squid 3.5.24[8]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/71
[2] https://github.com/opnsense/plugins/pull/72
[3] https://github.com/freebsd/freebsd-ports/commit/9602cca88
[4] https://github.com/freebsd/freebsd-ports/commit/55c9964f3
[5] http://www.pcre.org/original/changelog.txt
[6] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.4.5-relnotes.txt
[7] https://raw.githubusercontent.com/libevent/libevent/release-2.1.8-stable/ChangeLog
[8] http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5.24-RELEASENOTES.html

17.1 Legacy Series / 17.1 Migration Notes and Help
« on: February 02, 2017, 11:01:25 pm »
Hi all,

We're putting together this thread with the initial migration notes and updates / workarounds for known problems.

Please keep in mind that changing from a major OS version to another that we do not maintain ourselves is challenging and has occasional surprises in the world of networking. We are in this just as much as you, so let's get through this together. :)

o The integrated authentication framework is now used as a system-wide default including login(1), su(1) and sudo(8).  This means that e.g. when 2FA is enabled for the GUI it will be used for low-level password prompts as well and plain passwords are disabled by default.  If this behaviour is undesired, set the "Disable integrated authentication" option under System: Settings: Administration.

o Disabled Gateway entries are now always honoured instead of being set up as a default gateway.

o The console settings received a non-backwards compatible change.  If the VGA console is not working, simply reconfigure it from System: Settings: Administration as it was likely set to "Serial" due to a wrong GUI default.

o FreeBSD 11.0 switched to the vt(4) console driver, but we are keeping sc(4) as the default.  You can change this after installation by enabling the virtual terminal driver under System: Settings: Administration.

o EFI boots may not yield a console anymore, the setting for VGA is wrong now and should be switched to "EFI" under System: Settings: Administration.

o The access privileges for "Lobby: Login / Logout / Dashboard" and "Diagnostics: Backup / Restore" have been remapped internally and need to be reapplied when they have been assigned explicitly.

o The inherited 6rd kernel patches are not included in standard FreeBSD 11.0. The state of 6rd is possibly broken.  We ask for volunteers to pick up the work if 6rd is still a requirement, as we do not have access to such setups.

o Fundamental WiFi stack changes in FreeBSD 11.0 could still affect overall operability.  Please let us know about these right away.

o The following services moved to individual plugins and need to be reinstalled in order to be used: SNMP, Load Balancer, Wake on LAN, Universal Plug and Play, IGMP Proxy.  Their respective configurations will be preserved by the system even if these plugins are not installed.

o The Intel e1000 driver plugin has been removed due to an incompatibility with FreeBSD 11.0.  All previously known bugs of the FreeBSD 11.0 e1000 driver have been fixed in OPNsense 17.1 and reported to FreeBSD.


Cheers,
Franco on behalf of the OPNsense team

Announcements / OPNsense 17.1 released
« on: January 31, 2017, 11:09:16 am »
Hi everyone,

The OPNsense team is proud to announce the final availability of version 17.1, nicknamed "Eclectic Eagle". This major release features FreeBSD 11.0, the SSH remote installer, new languages Italian / Czech / Portuguese, state-of-the-art HardenedBSD security features, PHP 7.0, new plugins for FTP Proxy / Tinc VPN / Let's Encrypt, native PAM authentication against e.g. 2FA (TOTP), as well as rewritten Nano-style card images that adapt to media size, to name only a few.

We would like to encourage everyone to supervise this major upgrade physically. As such, it cannot be performed from the GUI. Instead, go to the root console menu, choose option 12 and type "17.1" at the prompt. The process will download a full set of updates and reboot multiple times. All operating system files and packages will be reinstalled as a consequence. This process can also be remotely triggered via SSH.
 
For fresh installations, images are provided with OpenSSL for 32 and 64 bit Intel architectures. The new SSH installer feature will be listening on the LAN port 192.168.1.1 and give out DHCP leases to clients, who can connect using the user "root" (console menu) or "installer" (the installer, of course) with the default password "opnsense". The respective checksums for the images can be found below this announcement and the direct download links from our capable mirror providers are as follows:

https://opnsense.c0urier.net/releases/17.1/ (Europe)
http://mirrors.nycbug.org/pub/opnsense/releases/17.1/ (US East Coast)
http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1/ (US West Coast)

https://opnsense.org/download/ (full mirror list)

Here is the list of major features that have been worked on since 16.7 was released 6 months ago:

o cooperative firewall forwarding to allow traffic shaper/captive portal with multi-WAN
o install media now boots up with SSH for headless remote installation
o HardenedBSD ASLR and PIE compilation for most binaries
o HardenedBSD SEGVGUARD to prevent ASLR brute force attacks
o PHP 7.0 compatibility and general GUI speed improvements
o replaced the CSRF implementation in the non-MVC pages
o integrated authentication using PAM to allow e.g. 2FA (TOTP) over SSH
o system secondary console support with new EFI and Mute options
o Portuguese/Portugal as a release language (contributed by Carlos Meireles)
o Portuguese/Brazil as a release language (contributed by Thiago Basilio)
o Italian as a release language (contributed by Antonio Prado)
o Czech as a release language (contributed by Pavel Borecki)
o improved password security (contributed by OSnet)
o FTP proxy plugin (contributed by Frank Brendel)
o Let's Encrypt Plugin (contributed by Frank Wall)
o Tinc VPN Plugin
o IPsec tunnel isolation mode for interoperability
o micro versioning/migrations for config items
o constraint support for config items
o rewritten Nano images with growfs(8) support
o authentication methods are now fully pluggable
o firewall rules are now fully pluggable
o FreeBSD 11.0 including additional reliability fixes

Minor changes made since 16.7.14/17.1.r1:

o system: always restore native /var layout on boot
o system: make vt/sc configurable
o web proxy: improve validation for SSL bump URL input (contributed by Fabian Franz)
o web proxy: add plugin-capable pre/post authentication directories (contributed by Evgeny Bevz)
o mvc: use empty string instead of "##Unlinked" in missing elements (contributed by Frank Wall)
o www: replace CSRF implementation of static PHP pages
o src: convert result of hash_packet6() into host byte order
o src: correctly initialise subrulenr in pflog
o ports: openssl 1.0.2k[1]
o ports: php 7.0.15[2]

Additionally, these migration caveats should be heeded before upgrading:

o The integrated authentication framework is now used as a system-wide default including login(1), su(1) and sudo(8). This means that e.g. 2FA will be used for low-level password prompts as well and plain passwords are disabled by default. If this behaviour is undesired, set the "Disable integrated authentication" option under System: Settings: Administration.
o The console settings received a non-backwards compatible change. If the VGA console is not working, simply reconfigure it from System: Settings: Administration as it was likely set to "Serial" due to a wrong GUI default.
o FreeBSD 11.0 switched to the vt(4) console driver, but we are keeping sc(4) as the default. You can change this after installation by enabling the virtual terminal driver under System: Settings: Administration.
o The access privileges for "Lobby: Login / Logout / Dashboard" and "Diagnostics: Backup / Restore" have been remapped internally and need to be reapplied when they have been assigned explicitly.
o The inherited 6rd kernel patches are not included in standard FreeBSD 11.0. The state of 6rd is possibly broken. We ask for volunteers to pick up the work if 6rd is still a requirement, as we do not have access to such setups.
o Fundamental WiFi stack changes in FreeBSD 11.0 could still affect overall operability. Please let us know about these right away.
o The following services moved to individual plugins and need to be reinstalled in order to be used: SNMP, Load Balancer, Wake on LAN, Universal Plug and Play, IGMP Proxy. Their respective configurations will be preserved by the system even if these plugins are not installed.
o The Intel e1000 driver plugin has been removed due to an incompatibility with FreeBSD 11.0. All previously known bugs of the FreeBSD 11.0 e1000 driver have been fixed in OPNsense 17.1 and reported to FreeBSD.

We would love to hear your feedback! As we want OPNsense the best it can be for you, please do not hesitate to contact us through any of the known channels:

o Twitter: https://twitter.com/opnsense
o Forum: https://forum.opnsense.org/
o GitHub: https://github.com/opnsense
o IRC: Freenode #OPNsense


Stay safe,
Ad, Franco, Jos and Shawn

--
[1] https://www.openssl.org/news/secadv/20170126.txt
[2] http://php.net/ChangeLog-7.php#7.0.15

# SHA256 (OPNsense-17.1-OpenSSL-cdrom-amd64.iso.bz2) = 6cbd83204366c366b603a36f5586424dd779d84c2b34f2e2ba3d66137d28fe97
# SHA256 (OPNsense-17.1-OpenSSL-nano-amd64.img.bz2) = fc91680ad6933f4151afbd869b136d2d84348112dfd8f4837a1e8e0880aec1ec
# SHA256 (OPNsense-17.1-OpenSSL-serial-amd64.img.bz2) = 4ba88dc98733e38ffc7681f862ad7197b866a4b7fffb858d64403d32b42fee3f
# SHA256 (OPNsense-17.1-OpenSSL-vga-amd64.img.bz2) = de46b29fe8aa79bd9bab6d68c24b80759efd6ef59c235b296eb59adbe408d055
# SHA256 (OPNsense-17.1-OpenSSL-cdrom-i386.iso.bz2) = 29ee7759e7834d9fc162623af0172899a3cd79e25c5205ee935c5131a51e8777
# SHA256 (OPNsense-17.1-OpenSSL-nano-i386.img.bz2) = a89c3b15e3689693f8ed0610d4bc8a03ef779c7576b0a6bf5ae16b8080ac8c4c
# SHA256 (OPNsense-17.1-OpenSSL-serial-i386.img.bz2) = 3314d0cdafa17900beda91a9a03a2325f164948f1e17421387532f4efdb9e9c4
# SHA256 (OPNsense-17.1-OpenSSL-vga-i386.img.bz2) = 6a63746d021095fc72ca20303b46c4994dea85cafd9bdfca948fa17afb28f80e

# MD5 (OPNsense-17.1-OpenSSL-cdrom-amd64.iso.bz2) = b39a8440377b6a2aae5832e3caea23d7
# MD5 (OPNsense-17.1-OpenSSL-nano-amd64.img.bz2) = 583c7d4a4c4263d51e0fa153f8c021e4
# MD5 (OPNsense-17.1-OpenSSL-serial-amd64.img.bz2) = d4da49aa8f4d24ab0dc8ed7f025b7b46
# MD5 (OPNsense-17.1-OpenSSL-vga-amd64.img.bz2) = 5ea6b7771a35fbdd97abc99ca4da1b4c
# MD5 (OPNsense-17.1-OpenSSL-cdrom-i386.iso.bz2) = c8b63d4018ab072f9a2370e1040381d8
# MD5 (OPNsense-17.1-OpenSSL-nano-i386.img.bz2) = 3989eb61efcc7057166e64662d26714a
# MD5 (OPNsense-17.1-OpenSSL-serial-i386.img.bz2) = 4ca5a146a050e46deffdac001e7b3f0d
# MD5 (OPNsense-17.1-OpenSSL-vga-i386.img.bz2) = 888f3b23a381d93600596f86c0f94cd4
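As an added example (not part of franco's post and not OPNsense project code), the script below parses checksum lines in the format published above ("# SHA256 (file) = hex", "# MD5 (file) = hex") and verifies a downloaded image against them. It only accepts a SHA256 match as "ok" and reports an entry that carries an MD5 line alone as unverified, since MD5 is collision-prone. The filenames, image blobs and checksum block in the sample are constructed so the script runs offline; only the line format is taken from the announcement.

```python
"""Verify downloaded images against BSD-style checksum lines.

Added example, not OPNsense code. The "# ALGO (file) = hex" line format
matches the release announcements; all sample data below is constructed.
"""
import hashlib
import re

# "# SHA256 (name) = hex"; the leading "# " is optional so pasted lists work.
_LINE = re.compile(
    r"^#?\s*(?P<algo>SHA256|MD5)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)\s*$"
)


def parse_bsd_checksums(text):
    """Return {filename: {"sha256": hex, "md5": hex}} from announcement text.

    Non-checksum lines (prose, URLs) are skipped; a digest whose length does
    not fit its algorithm is rejected so a truncated copy/paste cannot pass.
    """
    out = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        algo = m.group("algo").lower()
        name = m.group("name").strip()
        hexdigest = m.group("hex").lower()
        want = hashlib.new(algo).digest_size * 2
        if len(hexdigest) != want:
            raise ValueError(f"{name}: {algo} digest has {len(hexdigest)} hex chars, expected {want}")
        out.setdefault(name, {})[algo] = hexdigest
    return out


def sha256_bytes(data):
    """SHA256 hex digest of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_path(path, chunk=1 << 20):
    """SHA256 hex digest of a file, streamed so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(name, actual_sha256, checksums):
    """Classify one download.

    'ok'       SHA256 published and matches
    'mismatch' SHA256 published and differs: do not install
    'md5-only' only MD5 published: treat as unverified, MD5 is collision-prone
    'missing'  no checksum line for this filename
    """
    entry = checksums.get(name)
    if not entry:
        return "missing"
    if "sha256" not in entry:
        return "md5-only"
    # Published digests are public values, so a plain comparison is fine here.
    return "ok" if actual_sha256.lower() == entry["sha256"] else "mismatch"


# Constructed sample: fake image blobs and a checksum block in the
# announcement's format. The first SHA256 is computed from GOOD so it
# matches; the second is deliberately wrong; the third file has MD5 only.
GOOD = b"constructed nano image payload " * 64
BAD = b"constructed tampered payload " * 64
SAMPLE_CHECKSUMS = f"""
Checksums (constructed sample, not real release data):

# SHA256 (example-nano-amd64.img.bz2) = {hashlib.sha256(GOOD).hexdigest()}
# SHA256 (example-vga-amd64.img.bz2) = {'0' * 64}
# MD5 (example-serial-amd64.img.bz2) = {hashlib.md5(BAD).hexdigest()}
"""


def report(downloads, checksum_text):
    """downloads: {filename: sha256_hex}. Returns {filename: verdict}."""
    checksums = parse_bsd_checksums(checksum_text)
    return {name: verify_image(name, digest, checksums) for name, digest in downloads.items()}


if __name__ == "__main__":
    verdicts = report(
        {
            "example-nano-amd64.img.bz2": sha256_bytes(GOOD),
            "example-vga-amd64.img.bz2": sha256_bytes(GOOD),
            "example-serial-amd64.img.bz2": sha256_bytes(BAD),
            "example-cdrom-amd64.iso.bz2": sha256_bytes(GOOD),
        },
        SAMPLE_CHECKSUMS,
    )
    for name, verdict in verdicts.items():
        print(f"{verdict:9} {name}")
```

For a real download, replace the in-memory blobs with `sha256_path("OPNsense-17.1-OpenSSL-nano-amd64.img.bz2")` and paste the announcement's checksum block into `checksum_text`; anything other than "ok" for an image means it should not be written to media.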

Announcements / OPNsense 16.7.14 released
« on: January 25, 2017, 03:11:14 pm »
Hi all,

We are back for one last update of the 16.7 series with a small number of fixes and security-related package updates. Do not forget that 17.1 is scheduled for next week: the update instructions will be delivered via the usual firmware update path.

Until then, here are the full patch notes:

o traffic shaper: order rules numerically by sequence number
o firmware: added opnsense-revert tool for release-based package revert
o captive portal: fix downloading files in Chrome
o insight: fix downloading files in Chrome
o mvc: consistently set locale (contributed by Alexander Shursha)
o mvc: do not deliver content twice on API calls
o python: downgraded to 2.7.12 in order to fix segmentation faults within insight reporting
o libressl: avoid possible side-channel leak of ECDSA private keys when signing[1]
o ports: bind 9.10.4-P5[2]
o ports: perl5 5.24.1[3]
o ports: sqlite3 3.16.2[4]
o ports: openssh-portable 7.4p1[5]
o ports: sudo 1.8.19p2[6]
o ports: lighttpd 1.4.45[7]
o ports: php56 5.6.30[8]


Stay safe,
Your OPNsense team

--
[1] https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig
[2] https://deepthought.isc.org/article/AA-01447/0/BIND-9.10.4-P5-Release-Notes.html
[3] http://search.cpan.org/dist/perl-5.24.1/pod/perldelta.pod
[4] https://sqlite.org/releaselog/3_16_2.html
[5] https://www.openssh.com/txt/release-7.4
[6] https://www.sudo.ws/stable.html#1.8.19p2
[7] https://www.lighttpd.net/2017/1/14/1.4.45/
[8] http://php.net/ChangeLog-5.php#5.6.30

Announcements / OPNsense 17.1-RC1 released
« on: January 20, 2017, 08:28:02 am »
Hi everyone,

The wish list for our kernel improvements was emptied just a week ago, which makes 17.1-RC1 look like the final 17.1 for all intents and purposes, and it already includes the stable upgrade path. Several features have been moved from the core to the plugins and may need to be reinstalled, namely Load Balancer, Wake on LAN, SNMP, IGMP Proxy and Universal Plug and Play. More details are listed below.

A special thank you goes to Carlos Meireles and Thiago Basilio, who brought to you Portuguese as a language choice (Portugal and Brazil, respectively). Awesome work!

Direct download links from our capable mirror providers (checksums below this announcement) are as follows:
   
https://opnsense.c0urier.net/releases/17.1.r1/ (Europe)
http://mirrors.nycbug.org/pub/opnsense/releases/17.1.r1/ (US East Coast)
http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1.r1/ (US West Coast)
   
https://opnsense.org/download/ (full mirror list)

If you have been running 17.1-BETA and want to switch to the stable upgrade path simply upgrade to 17.1-RC1 and run the following from the shell:

# opnsense-update -t opnsense

Here is the full list of changes since 17.1-BETA:

o core: default to integrated authentication (PAM) for su, login et al
o core: lock down UNIX accounts for active integrated authentication
o core: console option 11 now reloads all instead of only the web GUI
o core: removed unused translations from console features
o core: load AESNI by default
o core: remove restrictions to not run DNS resolver and forwarder in parallel
o core: use the sc console driver instead of vt
o core: consolidate anti-lockout behaviour
o core: optionally limit ciphers for web GUI
o core: move individual XMLRPC sync options to their respective services
o core: use rc.shutdown hook for graceful ACPI shutdown
o core: fix locale setting in MVC (contributed by Alexander Shursha)
o core: add translations to the wizard (contributed by Alexander Shursha)
o core: fix several crash reports
o core: use the ddb.conf that FreeBSD already provides
o core: configure ddb even if no dump device was found 
o core: move bogon rules to fix DHCPv6 WAN scenarios
o web proxy: allow to disable caching by zeroing cache_mem
o plugins: the os-intel-em driver has been removed
o plugins: configuration additions for os-tinc
o plugins: exported several base features to plugins (os-snmp, os-igmp-proxy, os-wol, os-upnp, os-relayd)
o lang: added Portuguese/Portugal (contributed by Carlos Meireles)
o lang: added Portuguese/Brazil (contributed by Thiago Basilio)
o src: wireless firmware now only available via kernel modules
o src: the EM_MULTIQUEUE kernel option has been removed
o src: HardenedBSD SEGVGUARD improvements
o src: HardenedBSD force -fPIC when building PIEs
o src: do not initialize the adapter on MTU change when ix status is down
o src: fix panic during lagg destruction with simultaneous status check
o src: restore link state probing for e1000 82574 chipsets
o src: IP cooperative forwarding rework, fixes IPv4 in pf
o src: avoid deadlocks during lagg configuration
o src: multiple fixes for netmap to repair emulation panics

Known issues in this version:

o The inherited 6rd kernel patches are not included in standard FreeBSD 11.0. The impact on 6rd setups is currently unknown.
o Fundamental WiFi stack changes in FreeBSD 11.0 could still affect operability.
o Insight and Health statistics import from the early installer may not work.
o Due to a Python 2.7.13 incompatibility the NetFlow connector may not work. A workaround is to revert to the Python 2.7.12 release. See the forum for details[1].
o The LibreSSL version will not be available until the final release.
o The console settings received a non-backwards compatible change. If the VGA console is not working, simply reconfigure it from System: Settings: Administration as it was likely set to Serial due to a wrong GUI default.

Any help in making 17.1 the best it could possibly be for its final release January 31 is highly appreciated.  Please do not hesitate to contact us through any of the known channels:
   
o Twitter: https://twitter.com/opnsense
o Forum: https://forum.opnsense.org/
o GitHub: https://github.com/opnsense
o IRC: Freenode #OPNsense


Stay safe,
Your OPNsense team

--
[1] https://forum.opnsense.org/index.php?topic=4235.0

# SHA256 (OPNsense-17.1.r1-OpenSSL-cdrom-amd64.iso.bz2) = 96bc814644c89128baa8afc7a4f057bd02b364ada4c33ac1d98129a0a2f2dd50
# SHA256 (OPNsense-17.1.r1-OpenSSL-nano-amd64.img.bz2) = c777f3adea1621253a846bbd78c82993801e40085d1c9cab03a71d01e5c6d0a8
# SHA256 (OPNsense-17.1.r1-OpenSSL-serial-amd64.img.bz2) = 0e87555296c58a51e905e4fac97ea6fac397d748b1369bab9f4c108d6adf9993
# SHA256 (OPNsense-17.1.r1-OpenSSL-vga-amd64.img.bz2) = 08af040390230bffc2ac6e4eceb884c390e0058a0b8027f003eeaf601b38b909
# SHA256 (OPNsense-17.1.r1-OpenSSL-cdrom-i386.iso.bz2) = 3ef78129e57414cd765cfbe903b747e6efa1222f799cc1d2e8331a68279a7c87
# SHA256 (OPNsense-17.1.r1-OpenSSL-nano-i386.img.bz2) = 6a8040bf3b8a9c2bc9bb49b214c6a7612dca5235fa0314b474524e2ccdf38caf
# SHA256 (OPNsense-17.1.r1-OpenSSL-serial-i386.img.bz2) = 442b774948ae14428a8c76489139644e49c935db61e32055508974fe76686fc0
# SHA256 (OPNsense-17.1.r1-OpenSSL-vga-i386.img.bz2) = 27149d372ded7d069aec3e5aeab7708e53bf3ca8166193480863ace768a333d5

# MD5 (OPNsense-17.1.r1-OpenSSL-cdrom-amd64.iso.bz2) = 680161da68fee3c03904970e7aa89c94
# MD5 (OPNsense-17.1.r1-OpenSSL-nano-amd64.img.bz2) = 989bc7056ebaf08ff3ba06a5b56b2488
# MD5 (OPNsense-17.1.r1-OpenSSL-serial-amd64.img.bz2) = 00d92a840c6180fb87d59b2f6728f10f
# MD5 (OPNsense-17.1.r1-OpenSSL-vga-amd64.img.bz2) = 1574e871a3d64147e1a904074a4ff4b2
# MD5 (OPNsense-17.1.r1-OpenSSL-cdrom-i386.iso.bz2) = 0e409d30009af857b23e67e97451cc81
# MD5 (OPNsense-17.1.r1-OpenSSL-nano-i386.img.bz2) = 051a1072559982fce88fb39ef78aca77
# MD5 (OPNsense-17.1.r1-OpenSSL-serial-i386.img.bz2) = c32106dc7070ae462200e15fa707e19c
# MD5 (OPNsense-17.1.r1-OpenSSL-vga-i386.img.bz2) = 5ec394d7c2b331390d92baec41e3aece

Documentation and Translation / Translation server downtime January 30 - 31
« on: January 14, 2017, 10:09:09 am »
Hi guys,

We need to take the translation server offline for our final template switch just before releasing 17.1.

These templates won't be updated for the next 4-5 months and some things came in last minute as well as a problem with the current template for Portuguese (pt_PT).

EDIT: Postponed the update window by a full week.


Cheers,
Franco

Announcements / OPNsense 16.7.13 released
« on: January 06, 2017, 09:52:22 am »
Hello everyone,

This update ships with the latest version of Squid, an enhanced version of the HAProxy plugin and other assorted reliability improvements.

As 17.1 inevitably approaches, we have set the release date to January 31. If all goes well, the upcoming 16.7.14 will be the EOL release for the 16.7 series.

Here are the full patch notes:

o system: extended sudo option to allow an additional no-password mode
o firmware: the package manager will now always delete modified package files
o firmware: allow major upgrades into other flavours from the command line
o firmware: do not overwrite /etc/rc.shutdown on base updates
o firewall: add a note that ports only apply to TCP and/or UDP (contributed by Andrew Berry)
o dns resolver: correctly handle empty DHCP lease sections
o dhcp: use regular expressions to optimize static lease reading (contributed by Senol Korkmaz)
o web proxy: fix subnet computation
o netflow: fix missing check for egress_only
o plugins: HAProxy 1.10 with HA sync, custom TCP checks, bugfixes (contributed by Frank Wall)
o ports: curl 7.52.1[1]
o ports: ca_root_nss 3.28
o ports: squid 3.5.23[2]
o ports: python 2.7.13[3]
o ports: perl 5.24.1-RC5[4]
o ports: lighttpd 1.4.44[5]
o ports: phalcon 3.0.3[6]
o ports: heimdal 7.1.0[7]


Stay safe and a happy new year,
Your OPNsense team

--
[1] https://curl.haxx.se/changes.html
[2] http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5.23-RELEASENOTES.html
[3] https://hg.python.org/cpython/raw-file/v2.7.13/Misc/NEWS
[4] http://search.cpan.org/~shay/perl-5.24.1-RC5/
[5] https://www.lighttpd.net/2016/12/24/1.4.44/
[6] https://github.com/phalcon/cphalcon/releases/tag/v3.0.3
[7] https://www.h5l.org/releases.html?show=7.1

17.1 Legacy Series / [CALL FOR TESTING] Cooperative IPv4 forwarding for IPFW/PF
« on: December 30, 2016, 06:05:02 pm »
Hi all,

As you know we've had multiple reports of the following problems:

1. Captive Portal and Multi-WAN (Policy Routing) do not work at the same time.

2. Traffic Shaping and Multi-WAN (Policy Routing) do not work at the same time.

This has possibly been the longest journey for us in terms of a bug report itself, where to fix it and how to bring it to FreeBSD eventually. One of the biggest issues was that the bug was the status quo of how IPFW and PF work together in FreeBSD for many years: mostly fine, but not fully supported. Since pfSense shifted this paradigm, circumventing the issue with patches not in FreeBSD, we got to the bottom and are putting the pieces back together now.

The technical details can be found in the following code review, which is only a start of what is actually needed to make sure the problem will be properly addressed in FreeBSD 12:

https://reviews.freebsd.org/D8877

The test kernel with a fixed IPv4 handling is available for OPNsense 17.1.b (amd64 only for now), easily installed by invoking the following from the command line:

# opnsense-update -kr 17.1.b-route
# /usr/local/etc/rc.reboot

With the help of you all and a little bit of luck this will make it into 17.1-RC to allow for a better 17.1 as promised quite a few months ago. :)


Thank you,
Franco

Announcements / OPNsense 16.7.12 released
« on: December 29, 2016, 02:11:26 pm »
Hi all,

This is a minor reliability update. We were investigating a possible OpenVPN regression and have therefore reverted an upstream patch. The results are currently inconclusive and we will be holding off on the newly released version 2.4 for OPNsense 17.1 for further testing.

Here are the full patch notes:

o system: improve cancel button behaviour
o system: change coupled /tmp+/var MFS to /var MFS
o system: load AESNI in the default configuration
o firmware: list all licenses of packages
o firewall: improve cancel button behaviour
o traffic shaper: don't error on apply when no configuration is set
o interfaces: don't allow VLAN delete when in use
o interfaces: improve cancel button behaviour
o interfaces: only parse lease sections for ARP entries
o interfaces: fix QinQ setup
o services: improve cancel button behaviour
o ipsec: add clone phase 2 option to ease duplication
o openvpn: force rewrite of Viscosity client export files
o dns resolver: remove unused EDNS support
o dns forwarder: allow to run on non-standard port when resolver is running
o lang: updates for Czech, German and Italian
o plugins: os-haproxy 1.8 (contributed by Frank Wall)
o plugins: compatibility fix for os-pptp, os-pppoe and os-l2tp
o ports: openvpn[1] (reverted topology subnet fix)
o ports: pkg (license viewer upstream fix)
o ports: sudo 1.8.19p1[2]
o ports: php 5.6.29[3]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/core/issues/1314
[2] https://www.sudo.ws/stable.html#1.8.18p1
[3] http://php.net/ChangeLog-5.php#5.6.29

Announcements / OPNsense 17.1-BETA images
« on: December 16, 2016, 01:39:50 pm »
Dear friends and followers,

With the best wishes for the holiday season attached we hereby humbly present our 17.1-BETA images and thank everyone for their early input, valid questions and generally keeping us on our toes throughout the past months. The next major release features FreeBSD 11.0, the SSH remote installer, new languages Italian and Czech, state-of-the-art HardenedBSD security features, PHP 7.0, native PAM authentication against e.g. 2FA (TOTP), as well as rewritten Nano-style card images that adapt to the media size, to name only a few.

These will be the only beta images. They are not suitable for production environments. Release candidate builds will start in January in order to provide production-ready images. Checksums can be found below this announcement. Direct download links from our capable mirror providers are as follows:

https://opnsense.c0urier.net/releases/17.1.b/ (Europe)
http://mirrors.nycbug.org/pub/opnsense/releases/17.1.b/ (US East Coast)
http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1.b/ (US West Coast)

https://opnsense.org/download/ (full mirror list)

Here is a list of hand-picked major features that were worked on since 16.7:

o system secondary console support with new EFI and Mute options
o installer now boots up with SSH for headless remote installation
o Italian as a release language (contributed by Antonio Prado)
o Czech as a release language (contributed by Pavel Borecki)
o HardenedBSD ASLR and PIE compilation for most binaries
o HardenedBSD SEGVGUARD to prevent ASLR brute force attacks
o PHP 7.0 compatibility and general GUI speed improvements
o improved password security (contributed by OSnet)
o FTP proxy plugin (contributed by Frank Brendel)
o PAM authentication module, e.g. 2FA on SSH
o IPsec tunnel isolation mode for interoperability
o Intel em(4) driver version 7.6.2 as a plugin
o micro versioning/migrations for config items
o constraint support for config items
o rewritten Nano images with growfs(8) support
o authentication methods are now fully pluggable
o firewall rules are now fully pluggable
o Tinc VPN Plugin
o FreeBSD 11.0

Known issues in this version:

o The inherited 6rd kernel patches are not included in standard FreeBSD 11.0. The impact on 6rd setups is currently unknown.
o The installer character set is not entirely correct due to the default console switch to vt(4).
o Fundamental WiFi stack changes in FreeBSD 11.0 may still affect overall operability.
o Insight and Health statistics import from the early installer do not work.
o The LibreSSL version will not be available until the final release.

Any help in making 17.1 the best it could possibly be for its final release at the end of January 2017 is highly appreciated. Please do not hesitate to contact us through any of the known channels:

o Twitter: https://twitter.com/opnsense
o Forum: https://forum.opnsense.org/
o GitHub: https://github.com/opnsense
o IRC: Freenode #OPNsense


Stay safe and merry,
Ad, Franco, Jos and Shawn

--

# SHA256 (OPNsense-17.1.b-OpenSSL-cdrom-amd64.iso.bz2) = 6ed4e335757f5f58e34f3f59984a06183612ed0cffd5a9238f85b1a156a56039
# SHA256 (OPNsense-17.1.b-OpenSSL-nano-amd64.img.bz2) = 70b89467d6dc9cadaa7c855764a8bb91f0fe118bba60074ab1d8f41362a7042a
# SHA256 (OPNsense-17.1.b-OpenSSL-serial-amd64.img.bz2) = affae7605fde77827e975597de5280db746f85c1ed38794ce647a6ad7c2f945d
# SHA256 (OPNsense-17.1.b-OpenSSL-vga-amd64.img.bz2) = 6f99cc3d0ef8d328eb43985b8d01cffe2e7f65e886015c65c84c062e33f15fbb
# SHA256 (OPNsense-17.1.b-OpenSSL-cdrom-i386.iso.bz2) = b799f8260ae1a55848c126d7be52c51e92ae3d11c0eaf347a506e7e59c92fd9c
# SHA256 (OPNsense-17.1.b-OpenSSL-nano-i386.img.bz2) = 86186e5b5af8be2818385497f8bdf5c3128c7864e502502676424193bcce9461
# SHA256 (OPNsense-17.1.b-OpenSSL-serial-i386.img.bz2) = 7b20afc07fc2ca45b6cee66c855d2576170a04684dae0cb65243a8abaa9be684
# SHA256 (OPNsense-17.1.b-OpenSSL-vga-i386.img.bz2) = 1fc58fade2e15a30afec82b3fff553344557e6903b69c2f48e20976373543d1e

# MD5 (OPNsense-17.1.b-OpenSSL-cdrom-amd64.iso.bz2) = 221b6b63642051518cd190b63775d5a5
# MD5 (OPNsense-17.1.b-OpenSSL-nano-amd64.img.bz2) = 67ff68890113bb2b4223a2336cfc5d01
# MD5 (OPNsense-17.1.b-OpenSSL-serial-amd64.img.bz2) = e757bef2fcb5e444cad8b7d8991314fe
# MD5 (OPNsense-17.1.b-OpenSSL-vga-amd64.img.bz2) = c2c56a542856fd0b84f299d7dd783b17
# MD5 (OPNsense-17.1.b-OpenSSL-cdrom-i386.iso.bz2) = c210c342a6d618e7c1ebcdefdf1e3f9d
# MD5 (OPNsense-17.1.b-OpenSSL-nano-i386.img.bz2) = 1c036f6707f9922c40748be44592462a
# MD5 (OPNsense-17.1.b-OpenSSL-serial-i386.img.bz2) = ff07d0d4f9e62a99896de8228ceba41b
# MD5 (OPNsense-17.1.b-OpenSSL-vga-i386.img.bz2) = 3f67a06ca99137d135d1fc9713912aff

Announcements / OPNsense 16.7.11 released
« on: December 14, 2016, 01:40:44 pm »
Hi all,

The builds for 17.1-BETA are rolling as we write this and we are mighty proud of having come so far! Almost two years ago we started with a simple vision and have been staying true to our goal of providing stable licensing, swift updates and modern features. But that story is not for today. :)

In the meantime, this 16.7.11 update receives newer versions of OpenVPN and Suricata, improved password hashing and two DNS forwarder fixes. Furthermore, the firmware feature received an extensive user experience boost, including, but not limited to, being able to read pending release notes.

Here is the full list of changes:

o system: improved password hashing[1] (contributed by OSNet)
o system: make sure vital kernel modules are always loaded
o system: added mute console support and improved tty reconfiguration
o system: revived "normal" power state config option for powerd (contributed by Tikimotel)
o system: removed description support for ACL entries
o system: brought back LDAP scope and authentication containers support
o system: separate class for ui/api routing
o firmware: pull update sets from ABI-specific directory
o firmware: multiple tweaks in opnsense-update workflow
o firmware: no longer track UUID in a crash report submission
o firmware: pkg-audit to view current FreeBSD vulnerability report
o firmware: changelog viewer with all older and newer releases
o firmware: more intelligent plugin handling, e.g. detecting orphaned plugins
o firmware: simplified update presentation and workflow
o firmware: license viewer for installed packages
o firewall: added alias selection to missing NAT elements
o openvpn: add reneg-sec option to client exports
o dnsmasq: fix 16.7.10 regression in host file handling
o web proxy: make backend config plugin-friendly
o plugins: fix a potential error in MPD5 plugins (contributed by Evgeny Bevz)
o src: fix possible login(1) argument injection in telnetd(8)[2]
o src: fix link_ntoa(3) buffer overflow in libc[3]
o src: fix possible escape from bhyve(8) virtual machine[4]
o src: fix extended descriptor regression with netmap(4) on em(4)
o src: fix use-after-free bugs in pfsync(4)
o src: tzdata updated to version 2016j
o ports: openvpn 2.3.14[5]
o ports: phalcon 3.0.2[6]
o ports: suricata 3.2[7]


Stay safe,
Your OPNsense team

--
[1] https://www.osnet.eu/en/content/tutoriels/passwords-opnsense
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:36.telnetd.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:37.libc.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:38.bhyve.asc
[5] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
[6] https://github.com/phalcon/cphalcon/releases/tag/v3.0.2
[7] https://suricata-ids.org/2016/12/01/suricata-3-2-available/

282
Documentation and Translation / [COMPLETED] Translation server downtime December 12 - 14
« on: December 11, 2016, 11:22:19 am »
Hi all,

We will be refreshing the translation templates in the next few days. For that reason the Pootle translation server will not be available to prevent a loss of translations during the transition period.

A big thanks to everyone who participates! It will be back in no time so the 17.1 translation effort can begin. :)


Cheers,
Franco

283
16.7 Legacy Series / [CALL FOR TESTING] Suricata 3.2
« on: December 03, 2016, 08:50:03 pm »
Hi all,

The new Suricata came out two days ago:

https://suricata-ids.org/2016/12/01/suricata-3-2-available/

For anyone who wants to help test, we have put up preview packages to be used on top of 16.7.10:

(for amd64)

# pkg add -f https://pkg.opnsense.org/snapshots/amd64/suricata-3.2.txz

(for i386)

# pkg add -f https://pkg.opnsense.org/snapshots/i386/suricata-3.2.txz

You can always reinstall the original Suricata package using

# pkg install -f suricata

Any comment, even if it's a simple "works for me on amd64", is of help!

I'm currently running it with Hyperscan on amd64 in IPS mode. Works fine so far. :)


Cheers,
Franco

284
Announcements / OPNsense 16.7.10 released
« on: December 01, 2016, 01:38:57 pm »
Dear friends and followers,

Another week, another update. We are addressing two regressions caught by our users and updating the ports to their latest versions, including NTP, Squid, and strongSwan. As always, thank you for your support!

This update also enables console upgrades for the development version into the upcoming 17.1-BETA, which will be published right after we finish the WiFi configuration and the last known trouble with PHP 7.0 in the GUI pages. Please make sure you understand the implications of upgrading to BETA. Release notes will be published along with it as soon as it is out.

Here are the full patch notes:

o system: revamped message of the day on console login
o system: validate passed arguments instead of $_POST or $_REQUEST
o system: merged VPN servers into get_possible_listen_ips()
o system: repair French translation for user manager (contributed by Valentin Deville)
o dashboard: do not arbitrarily split descriptions in services
o firewall: added maximum fragments setting
o dhcp: interface column for leases
o ipsec: properly configure syslog output
o dns forwarder: use plugin framework
o dns forwarder: improve DHCP registration option
o dns resolver: use plugin framework
o dns resolver: improve DHCP registration option
o universal plug and play: fix regression in rules anchor
o radvd: mark interface used in case of interface tracking
o radvd: do not inject local DNS server when there is no IP
o radvd: match service running metric with how it works
o captive portal: validate input of voucher validity and quantity
o captive portal: add error message on failed validation (contributed by Fabian Franz)
o netflow: added service control
o ntp: use plugin framework
o intrusion detection: rotate eve-log every 500 MB
o web proxy: add FTP support back
o web proxy: performance improvements on ACL parse
o web proxy: allow option to disable HTTPS verification
o web proxy: enable remote ACL by default when creating it
o plugins: allow Tinc to sync via XMLRPC
o lang: updates for Czech, French and German
o ports: pkg 1.9.3 upstream fetch patch[1]
o ports: sqlite 3.15.1[2]
o ports: strongswan 5.5.1[3]
o ports: ntp 4.2.8p9[4]
o ports: squid 3.5.22[5]
o ports: flock 2.29
o ports: syslogd 11.0


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/ports/commit/3249295dd
[2] https://sqlite.org/releaselog/3_15_1.html
[3] https://wiki.strongswan.org/versions/63
[4] https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable
[5] http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5.22-RELEASENOTES.html

285
Announcements / OPNsense 16.7.9 released
« on: November 22, 2016, 01:14:03 pm »
Hi all,

This week's update is a pure maintenance release in preparation for the upcoming 17.1-BETA. A reboot is not necessary.

Here are the full patch notes:
 
o system: prevent spurious error with LDAP authentication
o system: call-site support for plugins_configure()
o dashboard: firmware update check is now a direct link
o insight: use ISO date in details selection
o firewall: add a generic service reload button
o firewall: move deprecated disablevpnrules option to IPsec settings
o router advertisements: removed unused subnet settings
o router advertisements: improved CARP usability
o dhcp: static IPv6 entry domain support
o dns resolver: fixed private address range (contributed by Tikimotel)
o dns resolver: improved CARP usability with interface-automatic option
o dns resolver: straightened out reload behaviour
o dns forwarder: straightened out reload behaviour
o web proxy: renamed from "proxy server" to avoid confusion
o snmp: prepared move to plugins
o igmp proxy: prepared move to plugins
o load balancer: prepared move to plugins
o upnp: straightened out reload behaviour
o plugins: HAproxy "default certificate" parameter and advanced options (contributed by Frank Wall)
o plugins: fix a warning in L2TP, PPTP and PPPoE server configure
o mvc: allow menu to recognise "#" in URLs by ignoring it
o mvc: fix a spurious API error on unused view render
o mvc: added copy item command for GUI usage
o mvc: fix sorting on array field


Stay safe,
Your OPNsense team
