mirror of
https://github.com/opnsense/docs
synced 2024-10-30 21:20:20 +00:00
901 lines
54 KiB
ReStructuredText
901 lines
54 KiB
ReStructuredText
===========================================================================================
|
|
21.1 "Marvelous Meerkat" Series
|
|
===========================================================================================
|
|
|
|
|
|
|
|
For more than 6 years, OPNsense is driving innovation through modularising
|
|
and hardening the open source firewall, with simple and reliable firmware
|
|
upgrades, multi-language support, HardenedBSD security, fast adoption of
|
|
upstream software updates as well as clear and stable 2-Clause BSD licensing.
|
|
|
|
21.1, nicknamed "Marvelous Meerkat", is the relentless continuation of
|
|
open source dedication. The last 6 years were not always easy, but we
|
|
are happy to be where we are now and have the community to thank for it.
|
|
|
|
New and improved are the firewall rules and NAT categories, the traffic
|
|
graphs supporting IPv6 along with a visual refresh, intrusion detection
|
|
rule management by policies, an alias for MAC addresses and NAT over IPsec
|
|
with all phase 2 you could ever want. Last but not least, the serial image
|
|
now supports UEFI as well.
|
|
|
|
For those wondering, the WireGuard plugin has been available since 2019 and
|
|
receives continuous improvements by its maintainer and various users alike.
|
|
And that is unlikey to change in the future. ;)
|
|
|
|
As we continue to deprecate custom configuration inputs for a number of
|
|
reasons, Dnsmasq has been switched to a pluggable file-based approach `[1] <https://docs.opnsense.org/manual/dnsmasq.html>`__
|
|
with Unbound to follow in the upcoming 21.7 series.
|
|
|
|
Download links, an installation guide `[2] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
|
can be found below as well.
|
|
|
|
* Europe: https://opnsense.c0urier.net/releases/21.1/
|
|
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/21.1/
|
|
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/21.1/
|
|
* South America: https://mirror.venturasystems.tech/opnsense/releases/21.1/
|
|
* Australia: http://mirror.as24220.net/opnsense/releases/21.1/
|
|
* Full mirror list: https://opnsense.org/download/
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
21.1.9 (July 27, 2021)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
This is the end of life release for the 21.1 series with 21.7 being
|
|
released tomorrow. The upgrade path will be added later on said
|
|
release day as soon as we have confirmed that everything is fine.
|
|
|
|
See you on the other side. ;)
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: prevent excessive config writes on LDAP import
|
|
* system: do not split XMLRPC password into multiple pieces
|
|
* system: fix IPv4 /31 assignment address assignment in shell
|
|
* interfaces: clear PPPoE SLAAC addresses on linkdown
|
|
* firewall: add live log support for new filterlog format
|
|
* dhcp: fix processing domain search list on static IPv6
|
|
* openvpn: fix invalid rules generated by wizard (contributed by kulikov-a)
|
|
* openvpn: validate tunnel prefix to avoid OpenVPN 2.5 start errors (contributed by kulikov-a)
|
|
* mvc: catch all errors including syntax and class not found errors
|
|
* plugins: os-acme-client 2.6 `[1] <https://github.com/opnsense/plugins/blob/stable/21.1/security/acme-client/pkg-descr>`__
|
|
* plugins: os-freeradius 1.9.15 `[2] <https://github.com/opnsense/plugins/blob/stable/21.1/net/freeradius/pkg-descr>`__
|
|
* plugins: os-haproxy 3.4 `[3] <https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr>`__
|
|
* plugins: os-zabbix-agent 1.9 `[4] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix-agent/pkg-descr>`__
|
|
* ports: curl 7.78.0 `[5] <https://curl.se/changes.html#7_78_0>`__
|
|
* ports: filterlog adds CARP IPv6 support and moves label to previously reserved spot
|
|
* ports: nss 3.68 `[6] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_68.html>`__
|
|
* ports: php 7.4.21 `[7] <https://www.php.net/ChangeLog-7.php#7.4.21>`__
|
|
* ports: python 3.7.11 `[8] <https://docs.python.org/release/3.7.11/whatsnew/changelog.html>`__
|
|
* ports: syslog-ng 3.33.2 `[9] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.33.2>`__
|
|
|
|
A hotfix release was issued as 21.1.9_1:
|
|
|
|
* firmware: enable upgrade path to 21.7
|
|
* firmware: add "-q" option for in-place opnsense-bootstrap run
|
|
* firmware: fix grep call on FreeBSD 13 (contributed by Mariusz Zaborski)
|
|
* firmware: correct return code on type change in opnsense-update
|
|
* firmware: fix opnsense-code pull when ABI configuration is no longer there
|
|
* firmware: fix upgrade with multiple repositories enabled
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
21.1.8 (July 07, 2021)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
The code moves to PHP 7.4 as previously announced. Shipped alongside
|
|
are a few updates and fixes that still make sense for the 21.1 series.
|
|
|
|
We are happy to note our community contributions regarding the Norwegian
|
|
translation and Fetchmail plugin.
|
|
|
|
Later today, 21.7-RC1 is going to be released as well and you can
|
|
make the upgrade from the development release type where the bulk of
|
|
current improvements is being included.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: Norwegian translation (contributed by Stein-Aksel Basma)
|
|
* system: correctly enforce "Disable writing log files to the local disk" when circular logs are not used
|
|
* system: allow to edit gateway entries with non-conforming names
|
|
* system: add HA sync entry for live log templates
|
|
* system: lock config writes during HA merges
|
|
* interfaces: do not check for existing CARP interfaces midstream
|
|
* interfaces: refactor IP address removal on configure
|
|
* interfaces: remove non-tunnel restriction from address collection
|
|
* interfaces: set tunnel flag for IPv4 tunnel plus cleanups
|
|
* firewall: possibility to filter nat/rdr action in live log
|
|
* firewall: set label for obsolete rule in live log (contributed by kulikov-a)
|
|
* intrusion detection: fix alert reads from eve.json
|
|
* ui: prevent translation line breaks from breaking JS
|
|
* ui: switch firewall category icon for clarity
|
|
* plugins: os-etpro-telemetry 1.5 exclude stale data from telemetry upload
|
|
* plugins: os-fetchmail 1.0 (contributed by Michael Muenz)
|
|
* plugins: os-freeradius 1.9.14 `[1] <https://github.com/opnsense/plugins/blob/stable/21.1/net/freeradius/pkg-descr>`__
|
|
* plugins: os-maltrail 1.8 `[2] <https://github.com/opnsense/plugins/blob/stable/21.1/security/maltrail/pkg-descr>`__
|
|
* plugins: os-nginx Phalcon 4 fixes
|
|
* plugins: os-nut 1.8 `[3] <https://github.com/opnsense/plugins/blob/stable/21.1/sysutils/nut/pkg-descr>`__
|
|
* plugins: os-telegraf 1.11.0 `[4] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/telegraf/pkg-descr>`__
|
|
* plugins: os-tor Phalcon 4 fix
|
|
* plugins: os-zabbix5-proxy is now a plugin variant
|
|
* src: libcasper: fix descriptors numbers `[5] <FREEBSD:EN-21:19.libcasper>`__
|
|
* src: linux: prevent integer overflow in futex_requeue `[6] <FREEBSD:EN-21:22.linux_futex>`__
|
|
* ports: clog 1.0.2 fixes garbage header write on init
|
|
* ports: libxml 2.9.12 `[7] <http://www.xmlsoft.org/news.html>`__
|
|
* ports: nettle 3.7.3
|
|
* ports: nss 3.67 `[8] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_67.html>`__
|
|
* ports: openvpn 2.5.3 `[9] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.3>`__
|
|
* ports: php 7.4.20 `[10] <https://www.php.net/ChangeLog-7.php#7.4.20>`__
|
|
* ports: phpseclib 2.0.32 `[11] <https://github.com/phpseclib/phpseclib/releases/tag/2.0.32>`__
|
|
* ports: sudo 1.9.7p1 `[12] <https://www.sudo.ws/stable.html#1.9.7p1>`__
|
|
* ports: suricata 5.0.7 `[13] <https://redmine.openinfosecfoundation.org/versions/166>`__
|
|
|
|
A hotfix release was issued as 21.1.8_1:
|
|
|
|
* system: fix PHP 7.4 deprecated warning in IPv6 library
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
21.1.7 (June 16, 2021)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
Today we move to Phalcon version 4 along with new FreeBSD security
|
|
advisories and fixes for firewall live log as well as new features
|
|
such as shell timeout and TLS remote syslog.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: add shell inactivity timeout feature for csh/tcsh
|
|
* system: add Syslog-ng TLS transport options
|
|
* system: remove unrelated service restarts from filter_configure_xmlrpc()
|
|
* system: rotate interface statistics widget (contributed by FingerlessGloves)
|
|
* system: delete previous route when changed
|
|
* system: make web GUI restart action usable in cron jobs (contributed by Frank Wall)
|
|
* interfaces: interface_configure() checks for enabled already
|
|
* interfaces: system match for primary address only works with compressed IPv6
|
|
* interfaces: disable legacy CSRF output buffering when downloading a packet capture
|
|
* interfaces: execute OpenVPN device creation earlier during boot
|
|
* firewall: change live log address/port group matcher to correctly flip logic
|
|
* firewall: explicit default for filter rule association in NAT port forwards
|
|
* firewall: prevent controls overlap in live log (contributed by kulikov-a)
|
|
* firewall: let live log use the newly provided rule log label instead of guessing it
|
|
* firewall: calculate wildcard netmasks in aliases
|
|
* captive portal: fix GUI drop session issue
|
|
* dhcp: support ignore-client-uids in DHCPv4 (contributed by Kacper Why)
|
|
* firmware: push automatic flags to firmware frontend
|
|
* firmware: show update pending hint in system widget
|
|
* firmware: allow manual development override on business subscription
|
|
* intrusion detection: add YAML tag to custom.yaml.sample
|
|
* openvpn: return "result" instead of "status" in export
|
|
* unbound: honour space as "domainsearchlist" separator
|
|
* lang: updated available translations
|
|
* mvc: migrated framework to Phalcon 4
|
|
* mvc: return UUID in ApiMutableModelControllerBase::validateAndSave() if applicable
|
|
* rc: unconditionally configure routing on rc.syshook start facility
|
|
* ui: change service restart icons to fa-repeat
|
|
* plugins: added variants support to share plugin code over different third-party software versions
|
|
* plugins: added NO_ABI marker to themes
|
|
* plugins: remove the use of $main_buttons in relevant code
|
|
* plugins: compatibility fixes with Phalcon 4
|
|
* plugins: os-nginx 1.23 `[1] <https://github.com/opnsense/plugins/blob/stable/21.1/www/nginx/pkg-descr>`__
|
|
* plugins: os-wireguard 1.7 `[2] <https://github.com/opnsense/plugins/blob/stable/21.1/net/wireguard/pkg-descr>`__
|
|
* plugins: os-zabbix4-proxy is now a plugin variant
|
|
* src: SMAP bypass `[3] <FREEBSD:FreeBSD-SA-21:11.smap>`__
|
|
* src: missing message validation in libradius `[4] <FREEBSD:FreeBSD-SA-21:12.libradius>`__ `[5] <FREEBSD:FreeBSD-EN-21:17.libradius>`__
|
|
* src: pms data corruption `[6] <FREEBSD:FreeBSD-EN-21:14.pms>`__
|
|
* ports: curl 7.77.0 `[7] <https://curl.se/changes.html#7_77_0>`__
|
|
* ports: isc-dhcp 4.4.2-P1 `[8] <https://downloads.isc.org/isc/dhcp/4.4.2-P1/dhcp-4.4.2-P1-RELNOTES>`__
|
|
* ports: nss 3.66 `[9] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_66.html>`__
|
|
* ports: openldap 2.4.59 `[10] <https://www.openldap.org/software/release/changes.html>`__
|
|
* ports: pcre2 10.37 `[11] <https://www.pcre.org/changelog.txt>`__
|
|
* ports: phalcon 4.1.2 `[12] <https://github.com/phalcon/cphalcon/releases/tag/v4.1.2>`__
|
|
* ports: py-certifi 2021.5.30
|
|
* ports: py-yaml 5.4.1
|
|
* ports: squid 4.15 `[13] <http://www.squid-cache.org/Versions/v4/squid-4.15-RELEASENOTES.html>`__
|
|
|
|
A hotfix release was issued as 21.1.7_1:
|
|
|
|
* mvc: rename 3 API actions to fix their compatibility with Phalcon 4
|
|
* plugins: os-freeradius 1.9.13 `[14] <https://github.com/opnsense/plugins/blob/stable/21.1/net/freeradius/pkg-descr>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
21.1.6 (May 27, 2021)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
With a bit of delay we bring to you the usual mix of security and
|
|
reliability updates. It is of note that the OpenVPN advisory tracked
|
|
as CVE-2020-15078 does not affect the provided version 2.4.11, but the
|
|
security audit will falsely flag it as vulnerable because the source
|
|
of the audit is FreeBSD where OpenVPN was migrated to 2.5 series already.
|
|
|
|
Plans for upcoming 21.1.x versions include a swift Phalcon 4 migration as
|
|
well as Python 3.8 and PHP 7.4 updates.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: add audit log target and move related syslog messages there
|
|
* system: set HSTS max-age to 1 year (contributed by Maurice Walker)
|
|
* system: fix restore copy in console recovery
|
|
* interfaces: revise approach to clear states when WAN address changes
|
|
* interfaces: add policy-based routing support for "dynamic" interface gateways
|
|
* interfaces: return scoped link-local in get_configured_ip_addresses()
|
|
* firewall: NPTv6 configuration clean-up (contributed by Maurice Walker)
|
|
* firewall: remove redundant NPTv6 binat rule (contributed by Maurice Walker)
|
|
* firewall: live log widget multiple interfaces and inspect feature (contributed by kulikov-a)
|
|
* firewall: add live log filter templates feature (contributed by kulikov-a)
|
|
* dhcp: compress expanded IPv6 lease addresses for clean match with system
|
|
* dhcp: on the GUI pages avoid the use of dhcpd_dhcp_configure()
|
|
* dnsmasq: use dhcpd_staticmap() for lease registration
|
|
* firmware: opnsense-patch now also invalidates the menu cache
|
|
* ipsec: add "keyingtries" phase 1 configuration option
|
|
* ipsec: automatic outbound NAT rules missed mobile clients
|
|
* ipsec: fix typo in autogenerated rules for virtual IP use
|
|
* openvpn: fix wizard regression after certificate changes in 21.1.5
|
|
* openvpn: remove now defunct OpenSSL engine support
|
|
* unbound: cleanse blacklist domain input
|
|
* unbound: match whole entry in blacklists (contributed by kulikov-a)
|
|
* unbound: use dhcpd_staticmap() for lease registration
|
|
* ui: upgrade chart.js to 2.9.4
|
|
* ui: update chartjs-plugin-streaming to 1.9.0
|
|
* ui: order interfaces in groups
|
|
* ui: sidebar menu fix for long listings (contributed by Team Rebellion)
|
|
* plugins: os-acme-client 2.5 `[1] <https://github.com/opnsense/plugins/blob/stable/21.1/security/acme-client/pkg-descr>`__
|
|
* plugins: os-chrony 1.3 `[2] <https://github.com/opnsense/plugins/blob/stable/21.1/net/chrony/pkg-descr>`__
|
|
* plugins: os-dyndns 1.24 `[3] <https://github.com/opnsense/plugins/blob/stable/21.1/dns/dyndns/pkg-descr>`__
|
|
* plugins: os-freeradius 1.9.12 `[4] <https://github.com/opnsense/plugins/blob/stable/21.1/net/freeradius/pkg-descr>`__
|
|
* plugins: os-haproxy 3.3 `[5] <https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr>`__
|
|
* plugins: os-intrusion-detection-content-et-open 1.0.1 adds emerging-inappropriate ruleset
|
|
* plugins: os-nginx expected MIME type fix (contributed by Kimotu Bates)
|
|
* plugins: os-qemu-guest-agent 1.0 (contributed by Frank Wall)
|
|
* plugins: os-relayd 2.5 `[6] <https://github.com/opnsense/plugins/issues/2232>`__ (sponsored by Modirum)
|
|
* plugins: os-telegraf 1.10.1 `[7] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/telegraf/pkg-descr>`__
|
|
* plugins: os-zabbix4-proxy 1.3 `[8] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix4-proxy/pkg-descr>`__
|
|
* plugins: os-zabbix5-proxy 1.5 `[9] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix5-proxy/pkg-descr>`__
|
|
* src: axgbe: check for IFCAP_VLAN_HWTAGGING when reading descriptor
|
|
* src: axgbe: add 1000BASE-BX SFP support
|
|
* src: race condition in aesni(4) encrypt-then-auth operations `[10] <FREEBSD:FreeBSD-EN-21:11.aesni>`__
|
|
* ports: curl 7.76.1 `[11] <https://curl.se/changes.html#7_76_1>`__
|
|
* ports: expat 2.4.1
|
|
* ports: filterlog 0.4 adds label support to output if applicable
|
|
* ports: libressl 3.3.3 `[12] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.3-relnotes.txt>`__
|
|
* ports: libxml fix for CVE-2021-3541
|
|
* ports: nss 3.65 `[13] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_65.html>`__
|
|
* ports: openssh 8.6p1 `[14] <https://www.openssh.com/txt/release-8.6>`__
|
|
* ports: openvpn 2.4.11 `[15] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.11>`__
|
|
* ports: php 7.3.28 `[16] <https://www.php.net/ChangeLog-7.php#7.3.28>`__
|
|
* ports: sqlite 3.35.5 `[17] <https://sqlite.org/releaselog/3_35_5.html>`__
|
|
* ports: sudo 1.9.7 `[18] <https://www.sudo.ws/stable.html#1.9.7>`__
|
|
* ports: syslog-ng 3.32.1 `[19] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.32.1>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
21.1.5 (April 21, 2021)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
This is mainly a security and reliablility update. There are several FreeBSD
|
|
security advisories and updates for third party tools such as curl.
|
|
|
|
The historic bsdinstaller has been replaced by a scriptable alternative
|
|
based on the readily available bsdinstall bundled with the base system.
|
|
And, yes, this brings ZFS installer support into the upcoming 21.7 release.
|
|
|
|
On the development side the migration to Phalcon 4 framework is now underway
|
|
and brings improved UI/API responsiveness. One of the remaining road map
|
|
goals is the migration to PHP 7.4 which can be carried out after said
|
|
framework update is complete and released.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: return authentication errors for RADIUS also
|
|
* system: better logic for serial console options -h and -D
|
|
* system: reorder loader.conf settings to let tunables override all
|
|
* system: lighttpd include directory for configuration (contributed by Greelan)
|
|
* system: remove /dev/crypto GUI support
|
|
* system: add route address family return on dynamic gateway
|
|
* system: allow CPU temperature display in Fahrenheit in widget (contributed by Team Rebellion)
|
|
* system: performance enhancement for local_sync_accounts()
|
|
* system: move extensions out of a certificate DN (contributed by kulikov-a)
|
|
* interfaces: treat deprecated addresses as non-primary
|
|
* interfaces: improve guess_interface_from_ip() (contributed by vnxme)
|
|
* firewall: resolve IP addresses in kernel for force gateway rule
|
|
* firewall: use tables in the shaper to avoid breaking ipfw with too many addresses
|
|
* firewall: clarify help text for firewall rules traffic direction (contributed by Greelan)
|
|
* firewall: sticky filter-rule-association setting for none/pass on copied items
|
|
* firewall: copy and paste for alias content (contributed by kulikov-a)
|
|
* firewall: improve loopack visibility
|
|
* reporting: format 24 hour timestamps in traffic graphs and widget
|
|
* dhcp: add dhcpd_staticmap() and fix DHCPv6 leases page with it
|
|
* dhcp: add "none" option to gateway setting of static mappings
|
|
* firmware: fix bug with subscription read from mirror URL
|
|
* firmware: separate update error for "forbidden"
|
|
* firmware: update error if upstream core package is missing yet installed
|
|
* installer: migrate to scripted solution using bsdinstall
|
|
* ipsec: validation to prevent saving of route-based tunnels with "install policy" set
|
|
* unbound: prefer domain list over host file format (contributed by Gareth Owen)
|
|
* rc: attempt to create /tmp if it does not exist
|
|
* rc: add opensolaris module load for ZFS
|
|
* rc: reverse list on stop action
|
|
* ui: prevent autocomplete in the quick navigation
|
|
* plugins: os-bind 1.17 `[1] <https://github.com/opnsense/plugins/blob/stable/21.1/dns/bind/pkg-descr>`__
|
|
* plugins: os-chrony 1.2 `[2] <https://github.com/opnsense/plugins/blob/stable/21.1/net/chrony/pkg-descr>`__
|
|
* plugins: os-debug 1.4 changes debugging profile to new version
|
|
* plugins: os-freeradius 1.9.11 `[3] <https://github.com/opnsense/plugins/blob/stable/21.1/net/freeradius/pkg-descr>`__
|
|
* plugins: os-haproxy 3.2 `[4] <https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr>`__
|
|
* plugins: os-intrusion-detection-content-et-open 1.0
|
|
* plugins: os-maltrail 1.7 `[5] <https://github.com/opnsense/plugins/blob/stable/21.1/security/maltrail/pkg-descr>`__
|
|
* plugins: os-netdata 1.1 `[6] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/netdata/pkg-descr>`__
|
|
* plugins: os-nginx 1.22 `[7] <https://github.com/opnsense/plugins/blob/stable/21.1/www/nginx/pkg-descr>`__
|
|
* plugins: os-smart 2.2 JSON conversion (contributed by Arnav Singh)
|
|
* plugins: os-telegraf 1.10.0 `[8] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/telegraf/pkg-descr>`__
|
|
* plugins: os-theme-rebellion 1.8.7 (contributed by Team Rebellion)
|
|
* plugins: os-wireguard 1.6 `[9] <https://github.com/opnsense/plugins/blob/stable/21.1/net/wireguard/pkg-descr>`__
|
|
* plugins: os-zabbix5-proxy 1.4 `[10] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix5-proxy/pkg-descr>`__
|
|
* src: axgbe: enable receive all mode to bypass the MAC filter to avoid dropping CARP MAC addresses
|
|
* src: accept_filter: fix filter parameter handling `[11] <FREEBSD:FreeBSD-SA-21:09.accept_filter>`__
|
|
* src: vm_fault: shoot down multiply mapped COW source page mappings `[12] <FREEBSD:FreeBSD-SA-21:08.vm>`__
|
|
* src: mount: disallow mounting over a jail root `[13] <FREEBSD:FreeBSD-SA-21:10.jail_mount>`__
|
|
* src: em: add support for Intel I219 V10 device
|
|
* src: em: fix a null de-reference in em_free_pci_resources
|
|
* src: bsdinstall: switch to OPNsense branding
|
|
* ports: curl 7.76.0 `[14] <https://curl.se/changes.html#7_76_0>`__
|
|
* ports: dnsmasq 2.85 `[15] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
|
|
* ports: expat 2.3.0
|
|
* ports: hyperscan 5.4.0 `[16] <https://github.com/intel/hyperscan/releases/tag/v5.4.0>`__
|
|
* ports: monit 5.28.0 `[17] <https://mmonit.com/monit/changes/>`__
|
|
* ports: nettle 3.7.2
|
|
* ports: phpseclib 2.0.31 `[18] <https://github.com/phpseclib/phpseclib/releases/tag/2.0.31>`__
|
|
* ports: pkg 1.16.3
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
21.1.4 (March 30, 2021)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
The third party crypto libraries need patching so here we go! The number of
|
|
user contributions and interaction regarding stability fixes and improvements
|
|
from the OPNsense side seems to be picking up as well and that is great to see.
|
|
|
|
The development version includes an update of Suricata to version 6.0.2
|
|
in case any of you want to try it out. Also, improvements in the DHCP
|
|
static mapping can now deal with IPv6 prefix merge for such deployments
|
|
using Unbound and Dnsmasq host registration.
|
|
|
|
In the past 3 months we have also been working on a business edition relaunch
|
|
and now feel obligated to quickly present the results of these efforts:
|
|
|
|
The upcoming release of the business edition will be versioned as 21.4 in
|
|
order to decouple it from the community release cycle. To that end--and
|
|
to stay true to open source--we have published the release engineering core
|
|
branch for said business release `[1] <https://github.com/opnsense/core/commits/stable/21.4>`__ .
|
|
|
|
You will see more distinction between "community" and "business" in
|
|
communication, but the basic approach of a more conservative release
|
|
cycle in volume and timing for the business edition remains the same.
|
|
On top of this, the business edition also offers additional plugins,
|
|
e.g. for central management tasks.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: add assorted missing configuration sections for high availability sync
|
|
* system: restart web GUI with delay from services to prevent session disconnect
|
|
* system: improve error reporting in LDAP authentication (contributed by kulikov-a)
|
|
* system: changed USB serial option to use "on" instead of problematic "onifconsole"
|
|
* system: ignore garbled data in log lines
|
|
* system: fix single core activity display
|
|
* interfaces: immediately enable SLAAC during IPv6 initiation
|
|
* interfaces: fix a typo in the GIF setup code
|
|
* firewall: allow to select rules with no category set
|
|
* firewall: sort pfTable results before slice (contributed by kulikov-a)
|
|
* firewall: make categories work with numbers only (contributed kulikov-a)
|
|
* reporting: skip damaged NetFlow records
|
|
* dhcp: correct help text for IPv6 ranges (contributed by Team Rebellion)
|
|
* dhcp: remove obsolete subnet validation for static entries
|
|
* firmware: refine missing/invalid signature message during health check (contributed by Erik Inge Bolso)
|
|
* firmware: zap changelog remove description (contributed by Jacek Tomasiak)
|
|
* firmware: make status API endpoint synchronous when using POST
|
|
* openvpn: remove checks for NTP servers 3 and 4 (contributed by Christian Brueffer)
|
|
* unbound: Fix PTR records for DHCP endpoints (contributed by Gareth Owen)
|
|
* ui: use HTTPS everywhere (contributed by Robin Schneider)
|
|
* ui: bootgrid translation compatibility with Internet Explorer 11 (contributed by kulikov-a)
|
|
* plugins: add service annotations to supported plugins
|
|
* plugins: os-freeradius 1.9.10 `[2] <https://github.com/opnsense/plugins/blob/stable/21.1/net/freeradius/pkg-descr>`__
|
|
* plugins: os-haproxy 3.1 `[3] <https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr>`__
|
|
* plugins: os-stunnel 1.0.3 adds client mode (contributed by Nicola Bonavita)
|
|
* plugins: os-telegraf 1.9.0 `[4] <https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/telegraf/pkg-descr>`__
|
|
* plugins: os-theme-cicada 1.28 (contributed by Team Rebellion)
|
|
* plugins: os-theme-tukan 1.25 (contributed by Team Rebellion)
|
|
* plugins: os-theme-vicuna 1.4 (contributed by Team Rebellion)
|
|
* plugins: os-wireguard 1.5 `[5] <https://github.com/opnsense/plugins/blob/stable/21.1/net/wireguard/pkg-descr>`__
|
|
* plugins: os-wol 2.4 fixes dashboard widget (contributed by kulikov-a)
|
|
* src: fix multiple OpenSSL vulnerabilities `[6] <FREEBSD:FreeBSD-SA-21:07.openssl>`__
|
|
* ports: ca_root_nss / nss 3.63 `[7] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_63.html>`__
|
|
* ports: libressl 3.2.5 `[8] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt>`__
|
|
* ports: openldap 2.4.58 `[9] <https://www.openldap.org/software/release/changes.html>`__
|
|
* ports: openssh fix for double free in ssh-agent `[10] <https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/015_sshagent.patch.sig>`__
|
|
* ports: openssl 1.1.1k `[11] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
|
|
* ports: sudo 1.9.6p1 `[12] <https://www.sudo.ws/stable.html#1.9.6p1>`__
|
|
* ports: suricata 5.0.6 `[13] <https://suricata-ids.org/2021/03/02/suricata-6-0-2-and-5-0-6-released/>`__
|
|
* ports: syslog-ng 3.31.2 `[14] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.31.2>`__
|
|
* ports: wpa_supplicant p2p vulnerability `[15] <https://w1.fi/security/2021-1/wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt>`__
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
21.1.3 (March 10, 2021)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
Today we move ahead with the firmware UI and API rework as we are happy
|
|
with the new user experience. You will also notice the new plugin conflict
|
|
dialog which will report that plugins have been installed previously but
|
|
not registered in the configuration. This can be easily amended by reseting
|
|
the local conflicts, which essentially accepts the current plugin
|
|
configuration as the new default. This necessary change introduces API
|
|
incompatibilities with existing external tools.
|
|
|
|
The HAProxy plugin was updated to version 3.0. This release marks the
|
|
switch to the HAProxy 2.2 release series, which may result in incompatible
|
|
changes for some users. Many new features were also added, including the
|
|
possibility to update SSL certificates in runtime. These features should
|
|
be considered experimental. We encourage everyone to install this version
|
|
in a test environment before using it in production. As usual, please have
|
|
a look at the plugin changes `[1] <https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr>`__ and report bugs on GitHub.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: prevent duplicate dashboard traffic pollers mangling with the graphs
|
|
* system: added cron job "HA update and reconfigure backup"
|
|
* system: unify HA sync sections and remove legacy blocks
|
|
* system: adapt lighttpd ssl.privkey approach
|
|
* system: correctly remove routing entries directly connected to an interface
|
|
* interfaces: correct dhcp6c configuration issue on PPPoE link down (contributed by Team Rebellion)
|
|
* interfaces: better primary IPv6 address detection in diagnostic tools
|
|
* interfaces: handle disabled interfaces in overview
|
|
* interfaces: drop early return in PPPoE link down
|
|
* interfaces: remove unused global definitions
|
|
* firewall: typo in outbound alias use (contributed by kulikov-a)
|
|
* firewall: rules icon color after toggle fix (contributed by kulikov-a)
|
|
* reporting: prevent crash when NetFlow attributes are missing
|
|
* reporting: aggregate iftop results for traffic graphs
|
|
* firmware: opnsense-bootstrap shellcheck audit (contributed by Michael Adams)
|
|
* firmware: revamp the UI and API
|
|
* firmware: revoke old business key
|
|
* intrusion detection: add new Abuse.ch feed ThreatFox to detect indicators of compromise
|
|
* intrusion detection: make manual rule status boolean for policies (contributed by kulikov-a)
|
|
* ipsec: calculate netmask for provided tunnel addresses when using VTI
|
|
* ipsec: do not pin reqid in case of mobile connections
|
|
* openvpn: extend compression options (contributed by vnxme)
|
|
* unbound: handle DHCP client expiring and returning (contributed by Gareth Owen)
|
|
* ui: refactor bootgrid usage in ARP, NDP, captive portal session, system activity and routes
|
|
* ui: align layouts of select_multiple and dropdown types
|
|
* plugins: os-haproxy 3.0 `[1] <https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr>`__
|
|
* plugins: os-nginx 1.21 `[2] <https://github.com/opnsense/plugins/blob/stable/21.1/www/nginx/pkg-descr>`__
|
|
* plugins: os-node_exporter 1.1 `[3] <https://github.com/opnsense/plugins/blob/stable/21.1/sysutils/node_exporter/pkg-descr>`__
|
|
* src: jail: Handle a possible race between jail_remove(2) and fork(2) `[4] <FREEBSD:FreeBSD-SA-21:04.jail_remove>`__
|
|
* src: jail: Change both root and working directories in jail_attach(2) `[5] <FREEBSD:FreeBSD-SA-21:05.jail_chdir>`__
|
|
* src: x86: free microcode memory later `[6] <FREEBSD:FreeBSD-EN-21:06.microcode>`__
|
|
* src: xen-blkback: fix leak of grant maps on ring setup failure `[7] <FREEBSD:FreeBSD-SA-21:06.xen>`__
|
|
* src: rtsold: auto-probe point to point interfaces
|
|
* src: growfs: update check-hash when doing large filesystem expansions
|
|
* src: axgbe: change default parameters to prevent manual tunable settings
|
|
* src: arp: avoid segfaulting due to out-of-bounds memory access
|
|
* ports: cpdup 1.22 `[8] <https://github.com/DragonFlyBSD/cpdup/releases/tag/v1.22>`__
|
|
* ports: krb5 1.19.1 `[9] <https://web.mit.edu/kerberos/krb5-1.19/>`__
|
|
* ports: nss 3.62 `[10] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_62.html>`__
|
|
* ports: pkg now provides fallback for version mismatch on pkg-add
|
|
* ports: python 3.7.10 `[11] <https://docs.python.org/release/3.7.10/whatsnew/changelog.html>`__
|
|
* ports: syslog-ng 3.31.1 `[12] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.31.1>`__
|
|
|
|
A hotfix release was issued as 21.1.3_3:
|
|
|
|
* system: fix dashboard traffic widget load behaviour (contributed by kulikov-a)
|
|
* system: fix dashboard widget title regression
|
|
* firmware: fix compatibility regression with IE 11
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
21.1.2 (February 23, 2021)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
Please do enjoy this round of timely crypto library updates and
|
|
other reliability fixes.
|
|
|
|
Work has so far been focused on the firmware update process to ensure
|
|
its safety around edge cases and recovery methods for the worst case.
|
|
To that end 21.1.3 will likely receive the full revamp including API and
|
|
GUI changes for a swift transition after thorough testing of the changes
|
|
now available in the development package of this release.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: do not trim string fields in upstream XMLRPC library
|
|
* system: fix export API keys reload issue on Safari
|
|
* system: retain index after tunables sorting in 21.1.1
|
|
* system: fix firewall log widget update on small fixed number of entries
|
|
* system: replace traffic graphs in widget using chart.js
|
|
* system: make StartTLS work when retrieving LDAP authentication containers (contributed by Christian Brueffer)
|
|
* system: fix IPv6 route deletion on status page
|
|
* interfaces: work around slow manufacturer lookups in py-netaddr 0.8.0
|
|
* firewall: fix off-by-one error in alias utility listing
|
|
* firewall: fix live log matching with "or" and empty filter (contributed by kulikov-a)
|
|
* reporting: prevent NetFlow crash when interface number is missing
|
|
* firmware: opnsense-update -t option executes after -p making it possible to run them at once
|
|
* firmware: opnsense-update -t option now also uses recovery code introduced recently for -p
|
|
* firmware: opnsense-update -vR no longer emits "unknown" if no version was found
|
|
* firmware: opnsense-verify -l option lists enabled package repositories
|
|
* firmware: add crypto package to health check
|
|
* firmware: fix two JS tracker bugs
|
|
* firmware: assorted non-breaking changes for upcoming firmware revamp
|
|
* intrusion detection: prevent flowbits:noalert from being dropped
|
|
* intrusion detection: fix policies not matching categories
|
|
* ipsec: phase2 local/remote network check does not apply on VTI interfaces
|
|
* web proxy: fix ownership issue on template directory
|
|
* rc: opnsense-beep utility wrapper including manual page
|
|
* plugins: increase revision number for all plugins to force installation of metadata added in 21.1.1
|
|
* plugins: os-acme-client 2.4 `[1] <https://github.com/opnsense/plugins/blob/stable/21.1/security/acme-client/pkg-descr>`__
|
|
* plugins: os-postfix 1.18 `[2] <https://github.com/opnsense/plugins/blob/stable/21.1/mail/postfix/pkg-descr>`__
|
|
* plugins: os-rspamd 1.11 `[3] <https://github.com/opnsense/plugins/blob/stable/21.1/mail/rspamd/pkg-descr>`__
|
|
* plugins: os-theme-cicada 1.27 (contributed by Team Rebellion)
|
|
* plugins: os-theme-tukan 1.24 (contributed by Team Rebellion)
|
|
* plugins: os-theme-vicuna 1.3 (contributed by Team Rebellion)
|
|
* ports: curl 7.75.0 `[4] <https://curl.se/changes.html#7_75_0>`__
|
|
* ports: libressl 3.2.4 `[5] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.4-relnotes.txt>`__
|
|
* ports: openssl 1.1.1j `[6] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
|
|
* ports: php 7.3.27 `[7] <https://www.php.net/ChangeLog-7.php#7.3.27>`__
|
|
* ports: squid 4.14 `[8] <http://www.squid-cache.org/Versions/v4/squid-4.14-RELEASENOTES.html>`__
|
|
* ports: unbound 1.13.1 `[9] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-13-1>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
21.1.1 (February 09, 2021)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
The 21.1 series debut looks pretty good so far. Thanks again for your
|
|
input and comments!
|
|
|
|
We will be spending a lot of time this year improving and adapting the
|
|
code base. As a first glimpse, the changes of this stable update are a
|
|
mix of security and reliability updates coupled with preparations for the
|
|
update framework revamp we have planned for 21.7. The roadmap is still
|
|
not final, but will likely contain long-yearned-for features. Stay tuned.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* firewall: change order of shaper delay parameter to prevent parser errors
|
|
* firewall: fix multiple PHP warnings regarding category additions
|
|
* firewall: fix icon toggle for block and reject (contributed by ElJeffe)
|
|
* interfaces: unhide primary IPv6 in overview page
|
|
* interfaces: fix IPv6 misalignment in get_interfaces_info()
|
|
* reporting: fix sidebar menu collapse for NetFlow link (contributed by Maurice Walker)
|
|
* captive portal: validate that static IP address exists when writing the configuration
|
|
* firmware: add product status backend for upcoming firmware page redesign
|
|
* firmware: opnsense-code will now check out the default release branch
|
|
* firmware: opnsense-update adds "-R" option for major release selection
|
|
* firmware: opnsense-update will now update repositories if out of sync
|
|
* firmware: opnsense-update will attempt to recover from fatal pkg behaviour
|
|
* firmware: opnsense-update now correctly redirects stderr on major upgrades
|
|
* firmware: opnsense-update now retains vital flag on faulty release type transition
|
|
* intrusion detection: clean up rule based additions to prevent collisions with the new policies
|
|
* monit: minor bugfixes and UI changes (contributed by Manuel Faux)
|
|
* unbound: update documentation URL (contributed by xorbital)
|
|
* ui: format packet count with toLocaleString() in interface statistics widget (contributed by bleetsheep)
|
|
* ui: add compatibility for JS replaceAll() function
|
|
* rc: support reading JSON metadata from plugin version files
|
|
* plugins: provide JSON metadata in plugin version files
|
|
* plugins: os-dyndns GratisDNS apex domain fix (contributed by Fredrik Rambris)
|
|
* plugins: os-nginx upstream TLS verification fix (contributed by kulikov-a)
|
|
* plugins: os-theme-cicada 1.26 (contributed by Team Rebellion)
|
|
* plugins: os-theme-vicuna 1.2 (contributed by Team Rebellion)
|
|
* src: panic when destroying VNET and epair simultaneously `[1] <FREEBSD:FreeBSD-EN-21:03.vnet>`__
|
|
* src: uninitialized file system kernel stack leaks `[2] <FREEBSD:FreeBSD-SA-21:01.fsdisclosure>`__
|
|
* src: Xen guest-triggered out of memory `[3] <FREEBSD:FreeBSD-SA-21:02.xenoom>`__
|
|
* src: update timezone database information `[4] <FREEBSD:FreeBSD-EN-21:01.tzdata>`__
|
|
* ports: dnsmasq 2.84 `[5] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
|
|
* ports: lighttpd 1.4.59 `[6] <http://www.lighttpd.net/2021/2/2/1.4.59/>`__
|
|
* ports: krb5 1.19 `[7] <https://web.mit.edu/kerberos/krb5-1.19/>`__
|
|
* ports: monit 5.27.2 `[8] <https://mmonit.com/monit/changes/>`__
|
|
* ports: perl 5.32.1 `[9] <https://perldoc.perl.org/5.32.1/perldelta>`__
|
|
* ports: sqlite 3.34.1 `[10] <https://sqlite.org/releaselog/3_34_1.html>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
21.1 (January 28, 2021)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
For more than 6 years, OPNsense is driving innovation through modularising
|
|
and hardening the open source firewall, with simple and reliable firmware
|
|
upgrades, multi-language support, HardenedBSD security, fast adoption of
|
|
upstream software updates as well as clear and stable 2-Clause BSD licensing.
|
|
|
|
21.1, nicknamed "Marvelous Meerkat", is the relentless continuation of
|
|
open source dedication. The last 6 years were not always easy, but we
|
|
are happy to be where we are now and have the community to thank for it.
|
|
|
|
New and improved are the firewall rules and NAT categories, the traffic
|
|
graphs supporting IPv6 along with a visual refresh, intrusion detection
|
|
rule management by policies, an alias for MAC addresses and NAT over IPsec
|
|
with all phase 2 you could ever want. Last but not least, the serial image
|
|
now supports UEFI as well.
|
|
|
|
For those wondering, the WireGuard plugin has been available since 2019 and
|
|
receives continuous improvements by its maintainer and various users alike.
|
|
And that is unlikey to change in the future. ;)
|
|
|
|
As we continue to deprecate custom configuration inputs for a number of
|
|
reasons, Dnsmasq has been switched to a pluggable file-based approach `[1] <https://docs.opnsense.org/manual/dnsmasq.html>`__
|
|
with Unbound to follow in the upcoming 21.7 series.
|
|
|
|
Download links, an installation guide `[2] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
|
can be found below as well.
|
|
|
|
* Europe: https://opnsense.c0urier.net/releases/21.1/
|
|
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/21.1/
|
|
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/21.1/
|
|
* South America: https://mirror.venturasystems.tech/opnsense/releases/21.1/
|
|
* Australia: http://mirror.as24220.net/opnsense/releases/21.1/
|
|
* Full mirror list: https://opnsense.org/download/
|
|
|
|
Here are the full patch notes against 20.7.8:
|
|
|
|
* system: use authentication factory for web GUI login
|
|
* system: allow case-insensitive matching for LDAP user authentication
|
|
* system: removed unused gateway API dashboard feed
|
|
* system: removed spurious comma from certificate subject print and unified underlying code
|
|
* system: harden web GUI defaults to TLS 1.2 minimum and strong ciphers
|
|
* system: generate a better self-signed certificate for web GUI default
|
|
* system: allow self-signed renew for web GUI default (using "configctl webgui restart renew")
|
|
* system: allow subdirectories in NextCloud backup (contributed by Lorenzo Milesi)
|
|
* system: first backup is same as current so ignore it on GUI and console
|
|
* system: optionally allow TOTP users to regenerate a token from the password page
|
|
* system: set hw.uart.console appropriately
|
|
* system: reconfigure routes on bootup
|
|
* system: relax gateway name validation
|
|
* system: ignore disabled gateways in dpinger services
|
|
* system: choose a better bind candidate for IPv4 in dpinger
|
|
* interfaces: defer IPv6 disable in interface code to ensure PPP interfaces do exist
|
|
* interfaces: no longer assume configuration-less interfaces can reach static setup code
|
|
* interfaces: fix PPP links not linking to its advanced configuration page
|
|
* interfaces: read deprecated flag, allow family spec in (-)alias calls
|
|
* interfaces: fix address removal in IPv6 CARP case
|
|
* interfaces: pick proper route for 6RD and 6to4 tunnels
|
|
* interfaces: support 6RD with single /64 prefix (contributed by Marcel Hofer)
|
|
* firewall: support category filters for firewall and NAT rules `[3] <https://github.com/opnsense/core/issues/4587>`__ (sponsored by Modirum)
|
|
* firewall: add live log "host", "port" and "not" filters
|
|
* firewall: create an appropriate max-mss scrub rule for IPv6
|
|
* firewall: fix anti-spoof option for separate bridge interfaces
|
|
* firewall: display zeros and sort columns in pfTables (contributed by kulikov-a)
|
|
* firewall: relax schedule name validation
|
|
* reporting: prevent calling top talkers when no interfaces are selected
|
|
* reporting: cleanup deselected interface rows in top talkers
|
|
* dhcp: hostname validation now includes domain
|
|
* dhcp: use same logic as menu figuring out if DHCPv6 page is reachable from leases
|
|
* dhcp: correct DHCPv6 custom options unsigned integer field (contributed by Team Rebellion)
|
|
* dhcp: added toggle for disabling RDNSS in router advertisements (contributed by Team Rebellion)
|
|
* dhcp: removed the need for a static IPv4 being outside of the pool (contributed by Gauss23)
|
|
* dhcp: add min-secs option for each subnet (contributed by vnxme)
|
|
* dnsmasq: remove advanced configuration in favour of plugin directory
|
|
* dnsmasq: use domain override for static hosts
|
|
* firmware: disable autoscroll if client position differs
|
|
* firmware: remove spurious \*.pkgsave files and offload post install bits to rc.syshook
|
|
* firmware: repair display of removed packages during release type transition
|
|
* firmware: add ability to run audits from the console
|
|
* firmware: show repository in package and plugin overviews
|
|
* intrusion detection: replace file-based policy changes with detailed filters
|
|
* ipsec: NAT with multiple phase 2 `[4] <https://github.com/opnsense/core/issues/4460>`__ (sponsored by m.a.x. it)
|
|
* ipsec: prevent VTI interface to hit spurious 32768 limit
|
|
* ipsec: allow mixed IPv4/IPv6 for VTI
|
|
* openvpn: added toggle for block-outside-dns (contributed by Julio Camargo)
|
|
* openvpn: hide "openvpn_add_dhcpopts" fields when not parsed via the backend
|
|
* unbound: allow /0 in ACL network
|
|
* unbound: default to SO_REUSEPORT
|
|
* web proxy: add GSuite and YouTube filtering (contributed by Julio Camargo)
|
|
* mvc: do not discard valid application/json content type headers
|
|
* mvc: make sure isArraySequential() is only true on array input
|
|
* mvc: speed up processing time when over 2000 users are selected in a group
|
|
* mvc: add locking in JsonKeyValueStoreField type
|
|
* mvc: change LOG_LOCAL4 to LOG_LOCAL2 in base model
|
|
* images: use UFS2 as the default for nano, serial and vga
|
|
* images: support UEFI boot in serial image
|
|
* ui: add tooltips for service control widget
|
|
* ui: move sidebar stage from session to local storage
|
|
* ui: upgrade Tokenize2 to v1.3.3
|
|
* plugins: os-acme-client 2.3 `[5] <https://github.com/opnsense/plugins/blob/stable/21.1/security/acme-client/pkg-descr>`__
|
|
* plugins: os-bind 1.16 `[6] <https://github.com/opnsense/plugins/blob/stable/21.1/dns/bind/pkg-descr>`__
|
|
* plugins: os-frr 1.21 `[7] <https://github.com/opnsense/plugins/blob/stable/21.1/net/frr/pkg-descr>`__
|
|
* plugins: os-maltrail 1.6 `[8] <https://github.com/opnsense/plugins/blob/stable/21.1/security/maltrail/pkg-descr>`__ (contributed by jkellerer)
|
|
* plugins: os-smart adds cron jobs for useful actions (contributed by Jacek Tomasiak)
|
|
* plugins: os-telegraf 1.8.3 adds ping6 ability (contributed by DasSkelett)
|
|
* src: fix AES-CCM requests with an AAD size smaller than a single block
|
|
* src: introduce HARDEN_KLD to ensure DTrace functionality
|
|
* src: refine pf_route\* behaviour in PF_DUPTO case for shared forwarding
|
|
* src: assorted upstream fixes for ipfw, iflib, multicast processing and pf
|
|
* src: netmap tun(4) support adds pseudo addresses to ethernet header emulation (contributed by Sunny Valley Networks)
|
|
* src: add a manual page for axp(4) / AMD 10G Ethernet driver
|
|
* src: fix traffic graph not showing bandwidth when IPS is enabled
|
|
* ports: dnsmasq 2.83 `[9] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
|
|
* ports: igmpproxy 0.3 `[10] <https://github.com/pali/igmpproxy/releases/tag/0.3>`__
|
|
* ports: nss 3.61 `[11] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_61.html>`__
|
|
* ports: openldap 2.4.57 `[12] <https://www.openldap.org/software/release/changes.html>`__
|
|
* ports: py-netaddr 0.8.0 `[13] <https://pypi.org/project/netaddr/0.8.0/>`__
|
|
* ports: sudo 1.9.5p2 `[14] <https://www.sudo.ws/stable.html#1.9.5p2>`__
|
|
|
|
The public key for the 21.1 series is:
|
|
|
|
.. code-block::
|
|
|
|
# -----BEGIN PUBLIC KEY-----
|
|
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtiv4C8TPBnVAxUS+xW3W
|
|
# uYhAOuLCZPA6F22Qatit4PVHI7AzfLbGjCQFZqjO+HRPVCmeiyggQWE4ZBOQrhbq
|
|
# Em/NqmnDVos2rdGfEvp5miY4fstebtHI9CPv26QswgO7bsoJuCUoSmtGTbgNXyaF
|
|
# ueNYTSXNEpWu35tQS830NCLW5Y6elfK99gxmNChlGdlz0wchaSA+myR6xH+TUw8L
|
|
# D+87Tny/R2guC9Q0XnsKpKeOMxkNh0X3H0GsmcWmyV0rGAiMh6GuJXIN/yhNMkaD
|
|
# wuHomqxd1OAyGLz9BjDNRKZ+b+y0iVpEx3qsDWlradtf8sUKZHJ96lf0jCRhEPvl
|
|
# v1+QkAOzsauWBr3UtFbkKfHONpuwb5XVNgAJzFIRrnGhmWRXD7liiShOP4O+KBP1
|
|
# Dzxs/X0plXgX2hOgzMbtgCMj4M1sV5HhKUrwiyqBpoe5nESJVrQ/DxETwEZIFoHy
|
|
# hwQxd/DDp7uJmZlCkveuZeUAo7pfTUVchDpe2GB54bHEhIn3OES93PURMQtQxB12
|
|
# mubV52vcfvzLnbv5FL5lMK/cgl64ip2bRu1jcB3wsKrKcGyUbtYJQDnHpowWrs5h
|
|
# RdMHSfLyaC8ROMKhZmJTe141wr5p8d+NmgjlDblnNmUJ0jHVJeP0+RO/OcY/o3Zt
|
|
# 2MxL1Yp2cUu2l1HEmyrCsIcCAwEAAQ==
|
|
# -----END PUBLIC KEY-----
|
|
|
|
|
|
|
|
.. code-block::
|
|
|
|
# SHA256 (OPNsense-21.1-OpenSSL-dvd-amd64.iso.bz2) = 936301cb53c7c3474171a076594bb00a29827b4aa1c9aa8dac7519e447f7ec81
|
|
# SHA256 (OPNsense-21.1-OpenSSL-nano-amd64.img.bz2) = e5116c5037f4b4bbc68708e8f14ce023508ccf585164b778d6c158f170ea202f
|
|
# SHA256 (OPNsense-21.1-OpenSSL-serial-amd64.img.bz2) = 472c8568d8c4a54743b3a2b1bc720e83c04cc2c63d68df1376c207f25b98ae20
|
|
# SHA256 (OPNsense-21.1-OpenSSL-vga-amd64.img.bz2) = 44a930151472954626c237a1255712e6e7c542d7ac3c5317a74618d08ce36bbf
|
|
|
|
--------------------------------------------------------------------------
|
|
21.1.r1 (January 13, 2021)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
For more than 6 years, OPNsense is driving innovation through modularising
|
|
and hardening the open source firewall, with simple and reliable firmware
|
|
upgrades, multi-language support, HardenedBSD security, fast adoption of
|
|
upstream software updates as well as clear and stable 2-Clause BSD licensing.
|
|
|
|
We thank all of you for helping test, shape and contribute to the project!
|
|
We know it would not be the same without you. <3
|
|
|
|
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
|
can be found below as well.
|
|
|
|
* Europe: https://opnsense.c0urier.net/releases/21.1/
|
|
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/21.1/
|
|
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/21.1/
|
|
* South America: https://mirror.venturasystems.tech/opnsense/releases/21.1/
|
|
* Australia: http://mirror.as24220.net/opnsense/releases/21.1/
|
|
* Full mirror list: https://opnsense.org/download/
|
|
|
|
Here are the full patch notes against 20.7.7_1:
|
|
|
|
* system: use authentication factory for web GUI login
|
|
* system: allow case-insensitive matching for LDAP user authentication
|
|
* system: removed unused gateway API dashboard feed
|
|
* system: removed spurious comma from certificate subject print and unified underlying code
|
|
* system: harden web GUI defaults to TLS 1.2 minimum and strong ciphers
|
|
* system: generate a better self-signed certificate for web GUI default
|
|
* system: allow self-signed renew for web GUI default (using "configctl webgui restart renew")
|
|
* system: allow subdirectories in NextCloud backup (contributed by Lorenzo Milesi)
|
|
* system: optionally allow TOTP users to regenerate a token from the password page
|
|
* system: set default certificate lifetime to 397 days
|
|
* system: relax gateway name validation
|
|
* system: display destination port number in firewall log widget (contributed by Team Rebellion)
|
|
* system: allow to recover from bad TLS certificate and/or bad settings in console interface assign
|
|
* interfaces: defer IPv6 disable in interface code to ensure PPP interfaces do exist
|
|
* interfaces: no longer assume configuration-less interfaces can reach static setup code
|
|
* interfaces: fix PPP links not linking to linked advanced configuration
|
|
* firewall: add live log "host", "port" and "not" filters
|
|
* firewall: add manual refresh button to live log
|
|
* firewall: create an appropriate max-mss scrub rule for IPv6
|
|
* firewall: fix anti-spoof option for separate bridge interfaces
|
|
* firewall: relax schedule name validation
|
|
* firewall: fix typo in ICMPv6 validation
|
|
* firewall: add type 128 to outgoing IPv6 RFC4890 requirements
|
|
* firewall: fix minor regression in maintaining target alias file
|
|
* firewall: category selector missing caption
|
|
* firewall: fix all state value in pfTop (contributed by Lucas Held)
|
|
* firewall: remove duplicated destination field in live log
|
|
* firewall: add read-only actions to aliases permission (contributed by Manuel Faux)
|
|
* reporting: add top talkers to revamped traffic graphs page
|
|
* dhcp: hostname validation now includes domain
|
|
* dhcp: correct DHCPv6 custom options unsigned integer field (contributed by Team Rebellion)
|
|
* dhcp: removed the need for a static IPv4 being outside of the pool (contributed by Gauss23)
|
|
* dhcp: add min-secs option for each subnet (contributed by vnxme)
|
|
* dhcp: fix sorting of IPv6 static mappings (contributed by vnxme)
|
|
* dnsmasq: remove advanced configuration in favour of plugin directory
|
|
* dnsmasq: use domain override for static hosts
|
|
* firmware: opnsense-code now updates the current directory if nothing was specified
|
|
* firmware: opnsense-code now uses flexible make.conf target from tools.git
|
|
* firmware: opnsense-update now supports snapshot access via -z option
|
|
* firmware: opnsense-update now fixes missing dependencies on the fly
|
|
* firmware: repair display of removed packages during release type transition
|
|
* firmware: fix some issues with missing repository on server
|
|
* firmware: add version output and date to audit logs
|
|
* intrusion detection: replace file-based policy changes with detailed filters
|
|
* ipsec: NAT with multiple phase 2 (sponsored by m.a.x. it)
|
|
* ipsec: prevent VTI interface to hit spurious 32768 limit
|
|
* ipsec: allow mixed IPv4/IPv6 for VTI
|
|
* ipsec: display remote host in status overview (contributed by garlic17)
|
|
* openssh: honour MAX_LISTEN_SOCKS to prevent startup failure
|
|
* openvpn: added toggle for block-outside-dns (contributed by Julio Camargo)
|
|
* openvpn: hide "openvpn_add_dhcpopts" fields when not parsed via the backend
|
|
* openvpn: set default certificate lifetime to 397 days in wizard
|
|
* unbound: default to SO_REUSEPORT
|
|
* web proxy: add GSuite and YouTube filtering (contributed by Julio Camargo)
|
|
* web proxy: lock ACL download to prevent duplicate execution
|
|
* mvc: make sure isArraySequential() is only true on array input
|
|
* mvc: speed up processing time when over 2000 users are selected in a group
|
|
* mvc: allow underscore in filter string (contributed by kulikov-a)
|
|
* images: use UFS2 as the default for nano, serial and vga
|
|
* images: support UEFI boot in serial image
|
|
* ui: add tooltips for service control widget
|
|
* ui: move sidebar stage from session to local storage
|
|
* plugins: os-bind 1.15 `[2] <https://github.com/opnsense/plugins/blob/stable/21.1/dns/bind/pkg-descr>`__
|
|
* plugins: os-frr 1.21 `[3] <https://github.com/opnsense/plugins/blob/stable/21.1/net/frr/pkg-descr>`__
|
|
* src: fix OpenSSL NULL pointer de-reference `[4] <FREEBSD:FreeBSD-SA-20:33.openssl>`__
|
|
* src: fix AES-CCM requests with an AAD size smaller than a single block
|
|
* src: introduce HARDEN_KLD to ensure DTrace functionality
|
|
* src: fix partial scrub of multicast packages
|
|
* src: refine pf_route\* behaviour in PF_DUPTO case for shared forwarding
|
|
* src: assorted upstream fixes for ipfw, iflib, multicast processing and pf
|
|
* ports: libressl 3.2.3 `[5] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.2-relnotes.txt>`__ `[6] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.3-relnotes.txt>`__
|
|
* ports: nss 3.60.1
|
|
* ports: pkg fix for shell keyword by opening root file descriptor
|
|
* ports: radvd 2.19 `[7] <https://radvd.litech.org/CHANGES.txt>`__
|
|
* ports: sudo 1.9.4p2 `[8] <https://www.sudo.ws/stable.html#1.9.4p2>`__
|
|
|
|
Known issues and limitations:
|
|
|
|
* Installer currently advertises 20.7
|
|
|
|
The public key for the 21.1 series is:
|
|
|
|
.. code-block::
|
|
|
|
# -----BEGIN PUBLIC KEY-----
|
|
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtiv4C8TPBnVAxUS+xW3W
|
|
# uYhAOuLCZPA6F22Qatit4PVHI7AzfLbGjCQFZqjO+HRPVCmeiyggQWE4ZBOQrhbq
|
|
# Em/NqmnDVos2rdGfEvp5miY4fstebtHI9CPv26QswgO7bsoJuCUoSmtGTbgNXyaF
|
|
# ueNYTSXNEpWu35tQS830NCLW5Y6elfK99gxmNChlGdlz0wchaSA+myR6xH+TUw8L
|
|
# D+87Tny/R2guC9Q0XnsKpKeOMxkNh0X3H0GsmcWmyV0rGAiMh6GuJXIN/yhNMkaD
|
|
# wuHomqxd1OAyGLz9BjDNRKZ+b+y0iVpEx3qsDWlradtf8sUKZHJ96lf0jCRhEPvl
|
|
# v1+QkAOzsauWBr3UtFbkKfHONpuwb5XVNgAJzFIRrnGhmWRXD7liiShOP4O+KBP1
|
|
# Dzxs/X0plXgX2hOgzMbtgCMj4M1sV5HhKUrwiyqBpoe5nESJVrQ/DxETwEZIFoHy
|
|
# hwQxd/DDp7uJmZlCkveuZeUAo7pfTUVchDpe2GB54bHEhIn3OES93PURMQtQxB12
|
|
# mubV52vcfvzLnbv5FL5lMK/cgl64ip2bRu1jcB3wsKrKcGyUbtYJQDnHpowWrs5h
|
|
# RdMHSfLyaC8ROMKhZmJTe141wr5p8d+NmgjlDblnNmUJ0jHVJeP0+RO/OcY/o3Zt
|
|
# 2MxL1Yp2cUu2l1HEmyrCsIcCAwEAAQ==
|
|
# -----END PUBLIC KEY-----
|
|
|
|
Please let us know about your experience!
|
|
|
|
|
|
|
|
.. code-block::
|
|
|
|
# SHA256 (OPNsense-21.1.r1-OpenSSL-dvd-amd64.iso.bz2) = c6cfdd88227bb58c94634dca01e9108647a83278a4549291a4b772094342c81a
|
|
# SHA256 (OPNsense-21.1.r1-OpenSSL-nano-amd64.img.bz2) = a60c3cb077b56202d3b02637054607f6180121b7da9faaf870f73a814dcfc2c7
|
|
# SHA256 (OPNsense-21.1.r1-OpenSSL-serial-amd64.img.bz2) = cba8578d7acbb323fd1fa6fe93d648c5d227010e1169ccbdf1111980d73fa447
|
|
# SHA256 (OPNsense-21.1.r1-OpenSSL-vga-amd64.img.bz2) = 1fce48c99e5c46d92fca7a00805873154832357c7de71f5035a01ca8047041dc
|