mirror of https://github.com/opnsense/docs
Merge branch 'master' into sensei-doc-updates
commit
8ef1ed4da9
@ -0,0 +1,16 @@
Stunnel
~~~~~~~

.. csv-table:: Service (ServicesController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40

"``POST``","stunnel","services","addItem",""
"``POST``","stunnel","services","delItem","$uuid"
"``GET``","stunnel","services","get",""
"``GET``","stunnel","services","getItem","$uuid=null"
"``*``","stunnel","services","searchItem",""
"``POST``","stunnel","services","setItem","$uuid"
"``POST``","stunnel","services","toggleItem","$uuid,$enabled=null"

"``<<uses>>``", "", "", "", "*model* `Stunnel.xml <https://github.com/opnsense/plugins/blob/master/security/stunnel/src/opnsense/mvc/app/models/OPNsense/Stunnel/Stunnel.xml>`__"
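Review bot: `getItem` is documented with `$uuid=null` while `setItem`, `delItem` and `toggleItem` take a required `$uuid`; a short note on what `getItem` returns when the uuid is omitted (the blank item used by the add dialog, presumably) would make the table self-explanatory. Also, `toggleItem` lists `$uuid,$enabled=null` without the space after the comma that parameter lists elsewhere in this documentation use; align the formatting.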
@ -0,0 +1,26 @@
Udpbroadcastrelay
~~~~~~~~~~~~~~~~~

.. csv-table:: Service (ServiceController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40

"``POST``","udpbroadcastrelay","service","config",""
"``POST``","udpbroadcastrelay","service","reload",""
"``POST``","udpbroadcastrelay","service","restart","$uuid"
"``POST``","udpbroadcastrelay","service","start","$uuid"
"``POST``","udpbroadcastrelay","service","status","$uuid"
"``POST``","udpbroadcastrelay","service","stop","$uuid"

"``<<uses>>``", "", "", "", "*model* `UDPBroadcastRelay.xml <https://github.com/opnsense/plugins/blob/master/net/udpbroadcastrelay/src/opnsense/mvc/app/models/OPNsense/UDPBroadcastRelay/UDPBroadcastRelay.xml>`__"

.. csv-table:: Resources (SettingsController.php)
:header: "Method", "Module", "Controller", "Command", "Parameters"
:widths: 4, 15, 15, 30, 40

"``POST``","udpbroadcastrelay","settings","addRelay",""
"``POST``","udpbroadcastrelay","settings","delRelay","$uuid"
"``GET``","udpbroadcastrelay","settings","getRelay","$uuid=null"
"``GET``","udpbroadcastrelay","settings","searchRelay",""
"``POST``","udpbroadcastrelay","settings","setRelay","$uuid"
"``POST``","udpbroadcastrelay","settings","toggleRelay","$uuid"
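Review bot: the second table caption, `Resources (SettingsController.php)`, breaks the pattern of the first table in this hunk and of the Stunnel table above (`Service (ServicesController.php)`), where the caption names the controller's role; `Settings (SettingsController.php)` would read consistently. `searchRelay` is also listed as `GET` while the Stunnel `searchItem` is listed as `*`; if both search endpoints accept any method, use `*` in both tables, otherwise the difference deserves a word so readers do not assume a copy error.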
@ -0,0 +1,132 @@
==============================
View construction (and tools)
==============================

Although most of our code base is being processed server side, some things just require interaction on the
clients machine for a fluent user experience.

In this chapter we will try to explain some of the components we use when designing pages and how pages are usually constructed.

--------------------------
Layout
--------------------------

To ease reading of volt templates, we recommend using a fixed layout when creating templates.
The base of our rendered page always contains the standard `layout <https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/views/layouts/default.volt>`__
which is hooked via our standard frontend controller.

Below you will find the sections and their order, which we will describe briefly.

.. code-block:: html

{#
{1} Copyright notice
#}
<script>
$( document ).ready(function() {
{2} UI code
});
</script>
{3} page html
{{ partial("layout_partials/base_dialog",...)}} {4} dialog forms (see getForm())


#. The copyright block, 2 clause BSD with the authors on top
#. Javascript code which belongs to this page
#. HTML code, usually starts with some :code:`<div>` containers and uses standard Bootstrap 3 layouting
#. When forms are used, these are placed last, these will be generated to the client as standard html code


----------------------------
ajaxCall
----------------------------

:code:`ajaxCall(url, sendData, callback)` is a wrapper around jQuery's :code:`$.ajax` call preset to a :code:`POST` type
request and wrapping the sendData into a json object.
The :code:`callback` function will be called with the data and status received from the endpoint.



.. code-block:: javascript
:name: ajaxCall
:caption: example usage

ajaxCall('/api/monit/status/get/xml', {}, function(data, status) {
console.log(data)
});


----------------------------
ajaxGet
----------------------------

:code:`ajaxGet(url,sendData,callback)` is also a wrapper around jQuery's :code:`$.ajax` call, but for a :code:`GET` type
request.

.. code-block:: javascript
:name: ajaxGet
:caption: example usage

ajaxGet('/api/diagnostics/interface/getInterfaceNames', {}, function(data, status) {
console.log(data);
});


----------------------------
mapDataToFormUI
----------------------------

The :code:`mapDataToFormUI(data_get_map, server_params)` can be used to map data retrieved from a controller to a
form in the browser.

This function accepts two parameters, data_get_map contains a mapping between form id's and server endpoints, server_params
is optional and can be used to set option in the :code:`GET` type request.

When the endpoint is successfully called it should return a json type structure containing the path to the item, as an
example using :code:`data_get_map = {'myform': '/api/path/to/formdata'};`:


.. code-block:: json

{
"netflow": {
"capture": {
"interfaces": {
"lan": {
"value": "LAN",
"selected": 1
},
"wan": {
"value": "WAN",
"selected": 0
}
},
},
"collect": {
"enable": "1"
}
}
}

Which maps to the fields in this simplified structure (usually rendered via our volt templates):

.. code-block:: html

<form id="myform">
<select multiple="multiple" id="netflow.capture.interfaces">
</select>
<input type="checkbox" id="netflow.collect.enable">
</form>


The function returns a :code:`$.Deferred()` which will be resolved when all endpoints are called.

----------------------------
saveFormToEndpoint
----------------------------

:code:`saveFormToEndpoint(url, formid, callback_ok, disable_dialog, callback_fail)` is the opposite of :code:`mapDataToFormUI()`
and retrieves the data from the form and sends it to the configured (url) endpoint as json structure.

The response data looks similar to the example data in mapDataToFormUI, but more condensed since selections will
be returned as single (separated) values, such as :code:`lan,wan` if both options where set.
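Review bot: the JSON sample under mapDataToFormUI is not valid JSON: the `},` that closes `"interfaces"` is followed directly by the `},` that closes `"capture"`, which leaves a trailing comma. Drop the comma on the `"interfaces"` close. Smaller points in the prose: `clients machine` should be `client's machine`, `form id's` should be `form ids`, `set option in the GET type request` should be `set options in`, and `if both options where set` should be `were set`. The `ajaxCall` example also omits the semicolon after `console.log(data)` that the `ajaxGet` example has.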
@ -0,0 +1,144 @@
====================================================
Traceability of configuration changes using Git
====================================================

When seeking a solution to keep full traceability of configuration changes made by (various) users on your firewall,
the git-backup plugin might be a useful addition to your setup.

In order to use this feature, one has to install the git-backup plugin first (in :menuselection:`System->Firmware->Plugins` search for os-git-backup).

.. Warning:

Since backups using git are stored unecrypted and contain sensitive data, we generally advise not to use public cloud
providers to store this data. Only use this option if you can guarantee the security of your git backup server.

--------------------------
Concept
--------------------------

Since git backup is a little bit different than the standard backup options available, we will explain briefly how it works using
the diagram below.

.. blockdiag::
:scale: 100%

blockdiag {
default_fontsize = 9;
node_width = 200;
node_height = 80;
default_group_color = "#def7ff";
config_changed [shape = box, label="Event:\nconfig changed"];
syslog_ng [shape = beginpoint, label="syslog-ng\nevent handler"];
configd [shape = endpoint, label="configd\nlistener"];
git_action [shape = box, label = "git add+commit\nchanged config.xml"];

config_changed -> syslog_ng;
syslog_ng -> configd [label = "loosely coupled"];
configd -> git_action;

group {
orientation = portrait
syslog_ng;
configd;
}
}

When :code:`config.xml` changes happen due to user or api interaction, an event is triggered to which handlers can subscribe
(using :doc:`syshook </development/backend/autorun>`).
Our git-backup plugin subscribes to these events in order to add the received backups and commits these with
information extracted from the received xml file. To prevent the system to lock during backups,
we choose this loosely coupled method. Events which are yet unprocessed are being left in the (existing) backup directory.

.. Note::

Events are processed from the moment the initial backup is configured, when disabling backups, the (local) changelog itself
remains active.

On periodic intervals (the standard ones from the backup scheduler), the collected commits are pushed to the configured
upstream repository. The regular backup procedure (which is also being triggered using the test button in the user interface)
is responsible for initialising the empty local repository and configuring the upstream target.

.. Note::

One can always change the upstream target, as long as the newly configured one is either "bare" (empty) or containing the
exact same content (/change history) as the one used on this firewall.

--------------------------
Initial setup
--------------------------

The configuration part of this plugin is quite basic and offers two types of transport modes, https using a username and
password combination or ssh using public key infrastructure.

=====================================================================================================================

==================================== ===============================================================================
Enable Enable backup to the upstream target
URL Target location, which defined transport protocol,
options as ssh://server/project.git or https://server/project.git are allowed here.
Branch The branch to push your commits to on the configured url
SSH private key When using ssh, make sure to add a private key here
User Name Username, when using gitlab and ssh, the default is :code:`git` here
(most of these providers use a single user and identify the user by it's key)
password When using https authentication, choose a password here.
==================================== ===============================================================================

Make sure to push to a "bare" upstream repository, when pressing "Setup/Test Git" the initial commits should be send to
your git server.


--------------------------
Conflict resolution
--------------------------

From the user interface no conflict resolution is offered, you need to configure an upstream repository and stick
to it for the lifetime of the firewall. When for some reason a backup needs to be restored and one would like to
stick to the same git repository, manual conflict resolution might be an option. Support on these scenario's is
not offered.

The repository is available on the OPNsense machine in the following directory :code:`/conf/backup/git`.


.. Note::

Conflict resolution can complicate the solution a lot (merging, fast-forward, ....), for this reason we will not
accept feature requests trying to push to existing (used) repositories.


--------------------------
Error handling
--------------------------

When errors occur these will be written to the normal system logging, search for :code:`git-backup` in the general
system logging (:menuselection:`System -> Log Files -> General`).

Some standard errors might be returned via the test button, which should provide a clear direction, known ones are:

* **authentication failure** -> username/password combination is not valid or the provided ssh key doesn't match the expected one
* **ssh hostkey changed** -> it looks like a man-in-the-middle attack is happening, if that's not the case and the remote identification
changed for valid reasons, manual intervention is required (remove the offensive key from :code:`/root/.ssh/known_hosts`)
* **git out of sync** -> unable to synchronize, see "Conflict resolution" for additional info.


--------------------------
Cleanup
--------------------------

The repository is saved locally on the firewall in :code:`/conf/backup/git`, if for some reason one would like to remove the
collected history and start over from scratch, one can safetly remove this directory.

Login using a (ssh) console and remove the git directory in that case (:code:`rm -rf /conf/backup/git`)


.. Note::

As long as the plugin is installed and /conf/backup/git contains a git repository, the changes will be captured
(also without an upstream). One could use this knowledge as well to keep a local (only) repository by creating
a repository without assigning an upstream and leave the backup option disabled.

.. Tip::

The firewall contains a local backup of the most recent changes (configured in :menuselection:`System -> Configuration -> History`)
which the config changed event handler uses to feed to the consumers. If after a cleanup one would like to flush
the collected changes again to the upstream provider, the :code:`/conf/event_config_changed.json` could be removed
to "forget" about the already handled config events (in which case all backups will be signaled again to all config syshook handlers)
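Review bot: `.. Warning:` with a single colon is not a directive, so the warning that git backups are stored unencrypted (the most important sentence on this page) will be treated as an RST comment and vanish from the built docs; it needs `.. Warning::` like the `.. Note::` blocks below it. The settings table is also preceded by a stray line of `=` signs above its real top border, which will break table parsing. In the `ssh hostkey changed` bullet, it is worth saying that the new host key fingerprint should be confirmed with the server operator before the `known_hosts` entry is deleted, since deleting it blindly is exactly what a man-in-the-middle needs. Wording: `unecrypted` -> `unencrypted`, `it's key` -> `its key`, `should be send` -> `should be sent`, `scenario's` -> `scenarios`, `safetly` -> `safely`, `To prevent the system to lock` -> `from locking`, `offensive key` -> `offending key`.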
Binary file not shown.
After Width: | Height: | Size: 14 KiB |
Binary file not shown.
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 14 KiB |
@ -0,0 +1,111 @@
==================
Tayga NAT64 how-to
==================

------------
Introduction
------------
IPv6-only networks are less complex to plan, configure, maintain and troubleshoot than dual-stack networks. But many services on the Internet
are still IPv4-only. NAT64 preserves access to these services by performing IPv6-to-IPv4 translation. The NAT64 implementation currently
available for OPNsense is the Tayga plugin.

.. Note::
This how-to focuses on providing IPv6-only LANs with access to IPv4-only services. However, this is not the only use case for NAT64.

-------------
Prerequisites
-------------
OPNsense should be configured with working dual-stack Internet access and at least one IPv6-only LAN.

--------------------------------
Installing and configuring Tayga
--------------------------------
Go to :menuselection:`System --> Firmware --> Plugins` and install the `os-tayga` plugin. Then go to :menuselection:`Services --> Tayga`.

Tick `Enable` and configure all prefixes and addresses:

:IPv6 Prefix:
The IPv6 prefix which Tayga uses to translate IPv4 addresses. You can use the default well-known prefix 64:ff9b::/96 or an unused /96 from
your site's GUA prefix.

.. Warning::
When using the well-known prefix 64:ff9b::/96, Tayga will prohibit IPv6 hosts from contacting IPv4 hosts that have private (RFC1918)
addresses. This is not relevant when using NAT64 for accessing IPv4 services on the Internet. However, if access to local services with
private IPv4 addresses is required, a GUA /96 prefix must be used.

.. Note::
While technically possible, using a ULA prefix for NAT64 is not recommended. This can cause issues with certain hosts, especially those
which support 464XLAT.

:IPv4 Pool:
The virtual IPv4 addresses which Tayga maps to LAN IPv6 addresses. Can be left to its default value unless this overlaps with existing
subnets in your network. Must be sufficiently large to fit all devices in your IPv6-only LAN(s).

Tayga is a hop in the path, so it needs its own IP addresses for ICMP:

:IPv4 Address:
Will show up in traceroutes from the IPv4 side to the IPv6 side. Can be left to its default value unless you changed the `IPv4 Pool`.
Should be located in the `IPv4 Pool` subnet.

:IPv6 Address:
Will show up in traceroutes from the IPv6 side to the IPv4 side. Should be left empty in most cases. It will then get automatically
created by Tayga.

.. Note::
Unless manually configured, Tayga generates its `IPv6 Address` by mapping its `IPv4 Address` into its `IPv6 Prefix`. For example, if
the default `IPv6 Prefix` 64:ff9b::/96 and `IPv4 Address` 192.168.255.1 are being used, Tayga's `IPv6 Address` will be
64:ff9b::192.168.255.1 (64:ff9b::c0a8:ff01).

Tayga behaves like an external device connected to OPNsense via a point-to-point interface. This interface requires IP addresses for ICMP:

:IPv4 NAT64 Interface Address:
Can be left to its default value unless this conflicts with your network. Must not be located in the `IPv4 Pool` subnet. For simplicity,
you may reuse an address of another OPNsense interface.

:IPv6 NAT64 Interface Address:
Must not be located in the `IPv6 Prefix` subnet. For simplicity, you may reuse an address of another OPNsense interface.

.. Warning::
The default value must not be used since 2001:db8::/32 is a documentation-only prefix.

Save. Tayga should now be running.

---------------------
Adding firewall rules
---------------------
Tayga uses a tunnel interface for packet exchange with the system. Rules are required to prevent the firewall from blocking these packets.
Additionally, an outbound NAT rule is required for IPv4 Internet access.

Go to :menuselection:`Firewall --> Rules --> Tayga`, add a new rule, set the `TCP/IP Version` to `IPv4+IPv6`, leave all other settings to
their default values and save.

.. Note::
If you just enabled Tayga and can't find :menuselection:`Firewall --> Rules --> Tayga`, go to :menuselection:`Interfaces --> Assignments`,
click `Save` and reload the page.

Go to :menuselection:`Firewall --> Settings --> Normalization`, add a new rule, set the `Interface` to `Tayga`, leave all other settings to
their default values and save.

.. Note::
This rule is required for proper handling of fragmented packets.

Go to :menuselection:`Firewall --> NAT --> Outbound`, add a new rule, set `Source address` to `Single host or network`, enter your Tayga
`IPv4 Pool`, leave all other settings to their default values and save.

Apply the firewall changes. NAT64 should now be fully operational.

-----------------
Configuring DNS64
-----------------
In most scenarios, NAT64 also requires DNS64. If you use OPNsense's :doc:`/manual/unbound` DNS resolver, DNS64 can be enabled by going to
:menuselection:`Services --> Unbound DNS --> General` and ticking `Enable DNS64 Support`. If you don't use the default 64:ff9b::/96 prefix,
you also have to enter your /96 prefix there.

.. Note::
You may also use any other DNS64 capable DNS server. If you use the default 64:ff9b::/96 prefix, using a service like `Google's Public
DNS64 <https://developers.google.com/speed/public-dns/docs/dns64>` is possible, too.

-------
Testing
-------
You can use a service like https://internet.nl/connection/ to verify that devices in your IPv6-only LAN have IPv6 and IP4 Internet access.
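Review bot: the link in the DNS64 note, `` `Google's Public DNS64 <https://developers.google.com/speed/public-dns/docs/dns64>` ``, is missing the trailing `__`, so it renders as interpreted text rather than a hyperlink (the other links in this change use the `` `text <url>`__ `` form). In the Testing section `IP4` should read `IPv4`. Minor: `left to its default value` and `leave all other settings to their default values` read better as `at` (several occurrences), and the rule that opens the Tayga interface with `TCP/IP Version` set to `IPv4+IPv6` and everything else at defaults is a pass-all rule, which deserves one sentence saying so, since readers of a firewall how-to will want to know what they are allowing.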
Binary file not shown.
After Width: | Height: | Size: 48 KiB |
@ -0,0 +1,318 @@
|
||||
===========================================================================================
|
||||
20.7 "Legendary Lion" Series
|
||||
===========================================================================================
|
||||
|
||||
|
||||
|
||||
For five and a half years, OPNsense is driving innovation through modularising
|
||||
and hardening the open source firewall, with simple and reliable firmware
|
||||
upgrades, multi-language support, HardenedBSD security, fast adoption of
|
||||
upstream software updates as well as clear and stable 2-Clause BSD licensing.
|
||||
|
||||
20.7, nicknamed "Legendary Lion", is a major operating system jump forward on
|
||||
a sustainable firewall experience. This release adds DHCPv6 multi-WAN, custom
|
||||
error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view,
|
||||
basic firewall API support (via plugin) and extended live log filtering amongst
|
||||
others.
|
||||
|
||||
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
||||
can be found below as well.
|
||||
|
||||
* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
|
||||
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
|
||||
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
|
||||
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
|
||||
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
|
||||
* Full mirror list: https://opnsense.org/download/
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
20.7.2 (September 02, 2020)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
While we are still looking closer at netmap/iflib performance on 12.1 we
|
||||
are rolling out a kernel with Intel em/igb updates that should avoid bad
|
||||
packet counts in the default installation. Syslog-ng received a workaround
|
||||
for the diagnosed startup issue and alias now supports MAC address content
|
||||
similar to how host content works.
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* system: set REQUESTS_CA_BUNDLE in environments
|
||||
* system: improve parsing for temperature sensors
|
||||
* system: add "new-password" hint for Chrome on login form
|
||||
* system: rename syslog services description and hide legacy mode when not enabled
|
||||
* system: force syslog-ng restart after boot sequence
|
||||
* system: properly read new style logging directories
|
||||
* reporting: replace line endings when sending traceback to syslog in flowd_aggregate
|
||||
* reporting: dd traffic graph filter for private IPv4 networks (contributed by kcaj-burr)
|
||||
* firewall: add MAC address alias type
|
||||
* firewall: be more verbose when fetching alias remote content
|
||||
* firewall: prevent pfctl error messages from being suppressed
|
||||
* firewall: exclude all reserved pf.conf keywords from alias name
|
||||
* firewall: bogons not loaded on initial load
|
||||
* firewall: reset damaged bogons files on startup
|
||||
* interfaces: add listen-queue-sizes in socket diagnostics
|
||||
* firmware: properly report an unsigned repository
|
||||
* firmware: revoke 20.1 fingerprint
|
||||
* intrusion detection: rule cache parse error on invalid metadata
|
||||
* intrusion detection: allow search for status enabled/disabled
|
||||
* web proxy: correct template replacement during build time
|
||||
* web proxy: bugfix in JSON access log
|
||||
* unbound: updated project block lists links (contributed by gap579137)
|
||||
* backend: add regex_replace template support
|
||||
* plugins: os-acme-client 1.36 `[1] <https://github.com/opnsense/plugins/pull/1974>`__
|
||||
* plugins: os-dyndns 1.23 adds Gandi LiveDNS support (contributed by vizion8-dan)
|
||||
* plugins: os-haproxy 2.24 `[2] <https://github.com/opnsense/plugins/blob/master/net/haproxy/pkg-descr>`__
|
||||
* plugins: os-stunnel 1.0.1 includes performance tweaks
|
||||
* plugins: os-telegraf 1.8.2 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
|
||||
* plugins: os-tinc fixes cipher parsing on 20.7
|
||||
* src: remove ACPI workaround for serial console on AMD EPYC
|
||||
* src: Make pf.conf ':0' ignore link-local v6 addresses too
|
||||
* src: default "show bad packets" tunable to off in e100 driver
|
||||
* src: fix unsolicited promisc mode in e1000 driver
|
||||
* src: add valectl to the system commands
|
||||
* ports: ca_root_nss/nss 3.56 `[4] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.56_release_notes>`__
|
||||
* ports: curl 7.72.0 `[5] <https://curl.haxx.se/changes.html#7_72_0>`__
|
||||
* ports: libressl 3.1.4 `[6] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.4-relnotes.txt>`__
|
||||
* ports: openldap 2.4.51 `[7] <https://www.openldap.org/software/release/changes.html>`__
|
||||
* ports: php 7.3.21 `[8] <https://www.php.net/ChangeLog-7.php#7.3.21>`__
|
||||
* ports: python 3.7.9 `[9] <https://www.python.org/downloads/release/python-379/>`__
|
||||
* ports: sqlite 3.33.0 `[10] <https://sqlite.org/changes.html>`__
|
||||
* ports: squid 4.13 `[11] <http://www.squid-cache.org/Versions/v4/squid-4.13-RELEASENOTES.html>`__
|
||||
* ports: syslog-ng dlsym() workaround
|
||||
* ports: unbound 1.11.0 `[12] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-11-0>`__
|
||||
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
20.7.1 (August 13, 2020)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
Small update here with security advisories, multicast fixes and logging
|
||||
reliability patches amongst others.
|
||||
|
||||
Overall, the jump to HardenedBSD 12.1 is looking promising from our end.
|
||||
From the reported issues we still have more logging quirks to investigate
|
||||
and especially Netmap support (used in IPS and Sensei) is lacking in some
|
||||
areas that were previously working. Patches are being worked on already
|
||||
so we shall get there soon enough. Stay tuned.
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* system: split log process name into separate column
|
||||
* system: filter new style log directories accordingly
|
||||
* system: add delay to improve syslog-ng startup
|
||||
* system: properly switch login page to latest jQuery 3.5.1
|
||||
* firewall: add select boxes for static filters in live log
|
||||
* firmware: ignore mandoc.db files in health output as the system will regenerate them weekly
|
||||
* firmware: bring back Chinese Aivian mirror
|
||||
* firmware: remove defunct opn.sense.nz and RageNetwork mirrors
|
||||
* web proxy: add JSON output following Elastic Common Schema (sponsored by Incenter Technology)
|
||||
* backend: cap log messages to 4000 characters to prevent longer messages from vanishing
|
||||
* plugins: os-acme-client 1.35 `[1] <https://github.com/opnsense/plugins/pull/1950>`__
|
||||
* plugins: os-frr 1.15 `[2] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
|
||||
* plugins: os-postfix 1.15 `[3] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
|
||||
* plugins: os-udpbroadcastrelay 1.0 (contributed by Team Rebellion)
|
||||
* src: set the current VNET before calling netisr_dispatch() in ng_iface(4)
|
||||
* src: assorted multicast group join/leave corrections
|
||||
* src: fix vmx driver packet loss and degraded performance `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:16.vmx.asc>`__
|
||||
* src: fix memory corruption in USB network device driver `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:21.usb_net.asc>`__
|
||||
* src: fix multiple vulnerabilities in sqlite3 `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:22.sqlite.asc>`__
|
||||
* src: fix sendmsg(2) privilege escalation `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:23.sendmsg.asc>`__
|
||||
* ports: perl 5.32.0 `[8] <https://metacpan.org/changes/release/XSAWYERX/perl-5.32.0>`__
|
||||
* ports: squid 4.12 `[9] <http://www.squid-cache.org/Versions/v4/squid-4.12-RELEASENOTES.html>`__
|
||||
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
20.7 (July 30, 2020)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
For five and a half years, OPNsense is driving innovation through modularising
|
||||
and hardening the open source firewall, with simple and reliable firmware
|
||||
upgrades, multi-language support, HardenedBSD security, fast adoption of
|
||||
upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.7, nicknamed "Legendary Lion", is a major operating system jump forward on
a sustainable firewall experience. This release adds DHCPv6 multi-WAN, custom
error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view,
basic firewall API support (via plugin) and extended live log filtering amongst
others.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
* Full mirror list: https://opnsense.org/download/

Here are the full patch notes against version 20.7-RC1:

* system: syslog-ng RFC5424 on FreeBSD 12 needs flags(syslog-protocol)
* installer: welcome users as genuine 20.7 installer
* web proxy: do not try to force cachemanager access to use ICAP
* plugins: os-collectd 1.3 `[2] <https://github.com/opnsense/plugins/blob/master/net-mgmt/collectd/pkg-descr>`__
* plugins: os-zabbix5-proxy 1.3 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix5-proxy/pkg-descr>`__
* src: prevent netgraph page fault for LTE usage
* ports: dnsmasq 2.82 `[4] <http://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
* ports: monit 5.27.0 `[5] <https://mmonit.com/monit/changes/>`__
* ports: nss 3.55 `[6] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes>`__
* ports: sudo 1.9.2 `[7] <https://www.sudo.ws/stable.html#1.9.2>`__

Known issues and limitations:

* legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp are no longer available
* i386 architecture builds are no longer available

The public key for the 20.7 series is:

.. code-block::

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft
# 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3
# HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr
# E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c
# inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3
# DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo
# jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG
# iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ
# bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG
# bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp
# E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza
# SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ==
# -----END PUBLIC KEY-----



.. code-block::

# SHA256 (OPNsense-20.7-OpenSSL-dvd-amd64.iso.bz2) = 580070a3a0533418d58eaeb78122f804f2df7081c929288e1dccee34c4bf763a
# SHA256 (OPNsense-20.7-OpenSSL-nano-amd64.img.bz2) = 6deb370c2a64fa6c60b7f59a4afb31b2dd28b812f5fcd59eaa6d458938d45630
# SHA256 (OPNsense-20.7-OpenSSL-serial-amd64.img.bz2) = 1276cddd5f7b89aa54fc4a1517cb0686efe94f672627243c5b34d93340441d60
# SHA256 (OPNsense-20.7-OpenSSL-vga-amd64.img.bz2) = 72cbffe3bba4884586c8ded8dbca4cf30fb34a094602e5f681efde2deea595c6

--------------------------------------------------------------------------
20.7.r1 (July 21, 2020)
--------------------------------------------------------------------------


For five and a half years, OPNsense is driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project!
We know it would not be the same without you. <3

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
* Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 20.1.8_1:

* system: allow to optionally disable legacy logging (clog)
* system: do not allow login redirects to visit external pages
* system: add new "auth user changed" config event and hook it into LDAP updatePolicies()
* system: adapt to 3wire serial console setting
* system: figure out which sysctls are writeable before attempting to write them
* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
* system: disable PCRE JIT in PHP config
* system: clean up start / stop beep handler
* interfaces: improved VLAN handling and defaults for more stable netmap use on 12.1
* interfaces: support DHCPv6 multi-WAN (contributed by Team Rebellion)
* interfaces: show delegated prefix in overview (contributed by Team Rebellion)
* interfaces: DHCPv4 no-release and debug options moved to global interface settings
* interfaces: automatically register loopback device lo0
* firewall: handle new net.pf.request_maxcount system limit accordingly
* firewall: properly evaluate and execute gateway monitoring kill states feature
* firewall: add the iplen option to shaper rules (contributed by Maxfield Allison)
* firewall: show partial alias content in tooltip
* firewall: translated static log overview page to MVC
* firewall: aliases now show internal aliases
* firewall: validate if NAT destination contains a port
* firewall: prevent config_read_array() from adding an empty lo0
* firmware: added fingerprint for 20.7 series
* firmware: hint at missing plugins and request to install or dismiss
* intrusion detection: extend rule search with metadata and show results on rule info
* intrusion detection: updated pattern options (contributed by @Xeroxxx)
* intrusion detection: synchronize suricata.yaml with default template
* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
* unbound: integrate functionality formerly known as "unbound-plus" plugin (contributed by Michael Muenz)
* web proxy: support for custom error pages (sponsored by Incenter Technology)
* web proxy: add connect_timeout (contributed by Michael Muenz)
* web proxy: allow PURGE on cache (contributed by @sazb)
* web proxy: add missing IPv6 listener
* mvc: add "S" option for AllowDynamic in InterfaceField type
* mvc: LegacyLinkField not allowed to return null in __toString()
* backend: add safeguard for illegal configd settings leading to overrides on the same command leaf
* backend: emove undocumented and unused alias support
* mvc: support virtual nodes in model instances
* rc: implement inline variables for skip and defer service start
* ui: unify edit dialog and add onBeforeRenderDialog event deferrable
* ui: use firewall groups to group interfaces menu accordingly
* ui: moved virtual IP menu entry to interfaces
* ui: jQuery 3.5.1
* plugins: os-dyndns 1.22 `[2] <https://github.com/opnsense/plugins/pull/1654>`__
* plugins: os-intrusion-detection-content-et-pro 1.0.2 switches to Suricata 5 rules
* plugins: os-telegraf 1.8.1 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
* plugins: os-tinc fixes switch mode `[4] <https://github.com/opnsense/plugins/pull/1733>`__
* plugins: os-wireguard 1.2 `[5] <https://github.com/opnsense/plugins/pull/1865>`__
* src: HardenedBSD 12.1-p7
* ports: ca_root_nss 3.54
* ports: curl 7.71.1 `[6] <https://curl.haxx.se/changes.html>`__
* ports: php 7.3.20 `[7] <https://www.php.net/ChangeLog-7.php#7.3.20>`__
* ports: python 3.7.8 `[8] <https://www.python.org/downloads/release/python-378/>`__
* ports: sqlite 3.32.3 `[9] <https://www.sqlite.org/changes.html>`__
* ports: suricata 5.0.3 `[10] <https://suricata-ids.org/2020/04/28/suricata-5-0-3-released/>`__

Known issues and limitations:

* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp will no longer be available
* i386 architecture builds will no longer be available
* Installer still advertises 20.1

The public key for the 20.7 series is:

.. code-block::

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft
# 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3
# HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr
# E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c
# inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3
# DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo
# jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG
# iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ
# bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG
# bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp
# E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza
# SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ==
# -----END PUBLIC KEY-----

Please let us know about your experience!



.. code-block::

# SHA256 (OPNsense-20.7.r1-OpenSSL-dvd-amd64.iso.bz2) = d54dca6390497d45b831f68f352fccf84881aac78a360247965e5c9b36fbfded
# SHA256 (OPNsense-20.7.r1-OpenSSL-nano-amd64.img.bz2) = f78d51d53bf663df2d49a3724812893d8c55234ab8d4a9232663fa581496edbe
# SHA256 (OPNsense-20.7.r1-OpenSSL-serial-amd64.img.bz2) = 984f8c9d63598f061cc8995245dea73703532c1bb688ac87cdb1e510fb53b80e
# SHA256 (OPNsense-20.7.r1-OpenSSL-vga-amd64.img.bz2) = 711811e0a7d37d323a060c52590daa9f024e77c6da627530c6596367a09b412d
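Review bot: typo in the 20.7.r1 patch notes, `* backend: emove undocumented and unused alias support` should read `* backend: remove undocumented and unused alias support`. In the same hunk, `For five and a half years, OPNsense is driving innovation` wants the present perfect, `has been driving innovation`, since the elapsed time is the point of the sentence.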
@ -0,0 +1,33 @@
====================================
Network
====================================


---------------------------------
netmap (IPS, Sensei, ...)
---------------------------------

Netmap is a technology which enables fast packet processing while minimizing overhead, there are however some pittfals
which may turn your network interface unreachable.

Before using this technology, always make sure you have access via another interface (or console) to your firewall
in case connectivity is dropped.

In order for netmap to function properly it is imperative that all sorts of driver / hardware acceleration is disabled
(:menuselection:`Interfaces -> Settings`), this include :code:`VLAN Hardware Filtering` as well (which wasn't disabled pre 20.7).

Some drivers have may have additional tunables, which enable hardware acceleration, make sure to disable them as well
(.e.g intel ixl has :code:`hw.ixl.enable_head_writeback`, which we disable by default)

Below you will find a list of tunables which are know to be (partial) incompatible with netmap.

=========================================== =================================================================================
Tunable Description
=========================================== =================================================================================
hw.ixl.enable_head_writeback Intel :code:`ixl(4)` tunable for increased tx performance,
OPNsense standard value is disabled.

net.bpf.zerocopy_enable Use zero-copy for :code:`bpf(4)` for faster processing, when not set (the default)
packets will not be seen by bpf, which influences the traffic graphs for example.

=========================================== =================================================================================
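Review bot: the table is introduced as tunables `know to be (partial) incompatible with netmap`, but the `net.bpf.zerocopy_enable` row never says which value is the safe one; the `hw.ixl.enable_head_writeback` row does (`OPNsense standard value is disabled.`), so give the bpf row the same treatment and state explicitly whether the tunable must stay unset for netmap to work, and what the reader gives up (the traffic graphs) by leaving it that way. Spelling and grammar in the same hunk: `pittfals` -> `pitfalls`, `this include` -> `this includes`, `Some drivers have may have` -> `Some drivers may have`, `(.e.g intel ixl` -> `(e.g. Intel ixl`, and `know to be (partial) incompatible` -> `known to be (partially) incompatible`.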