19.1 development milestones

Started by franco, November 03, 2018, 01:47:24 PM

November 03, 2018, 01:47:24 PM Last Edit: January 31, 2019, 12:40:44 PM by franco
Hi there,

Important milestones for us, partly shipped in 18.7.x:

* firewall alias API conversion
* collapsible side bar menu in the default theme
* arbitrary ZFS pool importer
* HardenedBSD 11.2
* LibreSSL 2.7
* Unbound 1.8
* Suricata 4.1
* Phalcon 3.4
* Perl 5.28
* Python 3.6 as an optional package for later 2.7 removal
* Realtek NIC driver version 1.95
* multiple DH groups and hash algorithms in IPsec phase 1
* redesigned interface binding for web GUI, Dnsmasq, Unbound, OpenSSH, Syslog export
* firmware health check extended to include kernel and base files
* firmware now embeds version and build information into core package
* firmware package mirror changes to HTTPS by default
* firmware obsolete base set removal, embedded into base set
* opnsense-version to read base, kernel, core and plugin info
* interface iteration function consolidation / simplification
* special interface address filter selectors moved to kernel-time resolving
* WPAD / PAC support in the web proxy
* updates are browser cache-safe regarding CSS and JavaScript assets
* MVC gained single-select, set-if-constraint and compared-to constraints
* captive portal connect API action
* PIE shaper support
* 2FA via LDAP-TOTP combination
* OpenVPN client export API
* Dnsmasq DNSSEC support
* extended IPv6 DUID support
* language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
* P12 certificate export with custom passwords
* Unified and improved anti-lockout behaviour
* web proxy parent proxy support
* Dpinger is now the default gateway monitor with Apinger being removed
* system notifications have been removed in favour of Monit service
* discontinued intrusion detection GeoIP support has been removed (use firewall aliases instead)
* Unbound statistics page
* console menu port configuration now allows skipping LAN and configuring additional OPT interfaces (anti-lockout moves to OPT1 in this case)
* GRE IP alias support
* firewall NAT rule log support
* new plugins: os-api-backup, os-bind, os-dmidecode, os-nginx, os-ntopng, os-vnstat, os-dnscrypt-proxy
* rewritten plugins: os-wol

Questions, thoughts? Don't hesitate to ask!


Cheers,
Franco

* nginx plugin
* ntopng plugin
* alias API

How about ad-blocking, is it on the 19.1 roadmap?

It's in Bind Plugin already and I'll add Dome stuff to a new dnscrypt-proxy. Unbound may follow, but no idea before 19.1

Quote from: miroco on November 03, 2018, 03:18:22 PM
How about ad-blocking, is it on the 19.1 roadmap?

That is already supported at multiple places (web proxy, bind plugin, ...). Somebody has started his own plugin but nothing happened since (https://github.com/opnsense/plugins/pull/808)

Updated the list with things already shipped in 18.7.1 - 18.7.6 and 19.1-BETA.

More pfblockerng features and better integrated by default.
Sensei as an official plugin
The ability to create allow block or temporary rules from a log entry
And something similar to SELKS in terms of reporting would be fantastic, maybe integrating it from plugins or creating something similar dedicated to opnsense
The ability to introduce a range of IPs like 192.168.1.25-192.168.1.12 in an alias
The ability to add more lines in a rule to introduce several IP ranges or port ranges
Alias creation should be something similar to pfsense, which is better in this area

Quote from: l0rdraiden on November 04, 2018, 10:01:59 AM
More pfblockerng features and better integrated by default.

Will never happen, pfblocker is also a plugin. The logic of pfblocker is not the philosophy of OPN. All plugins are modular and can be combined, this makes more sense than putting all in one plugin and doubling the work.
Also, 90% of the features are already possible, but not in one location, but this project is not here to be a replica of another :)

Quote from: l0rdraiden on November 04, 2018, 10:01:59 AM
Sensei as an official plugin

It's a commercial plugin and it's not stable (1.0). Let's wait what happens ..

Quote from: l0rdraiden on November 04, 2018, 10:01:59 AM
The ability to create allow block or temporary rules from a log entry

Good idea, feature requests only on github please.

Quote from: l0rdraiden on November 04, 2018, 10:01:59 AM
The ability to add more lines in a rule to introduce several IP ranges or port ranges

You can mix host and port aliases in one rule to fit all ..

Quote from: l0rdraiden on November 04, 2018, 10:01:59 AM
Alias creation should be something similar to pfsense, which is better in this area

In the long term it will all be done via API, so no need to put extra work for an interim solution.




I'm not sure if this thread is meant as a wishlist, it's more for reporting :)

Any idea if:

https://github.com/opnsense/core/issues/1494

Will be resolved in 19.1 still? I have in the past used that logging feature for debugging and for seeing who is connecting to various open ports on the firewall (outside of the individual service logs for each running service). Hopefully it'll get introduced soon?

Thanks for your continued work on opnsense!

Still the same boot problem... when reaching the mmc0 :
No compatible cards found on the device.


This is well supported in FreeBSD 11.2 so I guess there is a problem with the driver for mmc and supported devices compiled in the Kernel (probably).

Would it be possible to integrate pihole or something similar directly into opnsense? I'm running my pihole on a vm at the moment...

Quote from: SiD67 on November 07, 2018, 07:30:26 PM
Would it be possible to integrate pihole or something similar directly into opnsense? I'm running my pihole on a vm at the moment...


BIND plugin ...

I use stubby and getdns via FreeBSD ports.
Will I still be able to compile this via ports on 19.1?

Precompiled getdns package is provided since 18.7.7.

Building a proper plugin around it is pending. Until then, it could still break or revert its configuration on updates (like what happened with our Unbound bump).


Cheers,
Franco

Quote from: franco on November 08, 2018, 11:40:52 PM
Precompiled getdns package is provided since 18.7.7.

Building a proper plugin around it is pending. Until then, it could still break or revert its configuration on updates (like what happened with our Unbound bump).


Cheers,
Franco

ok thanks