2
0
mirror of https://github.com/opnsense/docs synced 2024-11-09 01:10:33 +00:00
opensense-docs/source/releases/CE_15.1.rst
2021-11-23 17:08:11 +01:00

1354 lines
66 KiB
ReStructuredText

===========================================================================================
15.1 "Ascending Albatross" Series
===========================================================================================
The OPNsense core team is proud to announce that it has released its 15.1
version, nicknamed "Ascending Albatross", of the open source OPNsense
firewall software.
This is the first release by the OPNsense project. Download `[1] <http://opnsense.org/download/>`__ and try it now!
Be sure to visit the project website `[2] <http://www.opnsense.org/>`__ and learn more about us and the
project. The project wants to be a friendly place for users, developers and
partners.
We believe that an open source project should keep its sources and build tools
available for all. OPNsense uses the simple 2-clause BSD license.
Users benefit from the polished installer, rich feature set and modern user
interface. Developers are invited to check out our easy-to-use build tools.
Commercial Support assists in keeping networks fast and secure. The project
welcomes partners to be successful together.
OPNsense(r) is based on FreeBSD 10 and is a fork of pfSense(r) which in its
turn is a fork of m0n0wall(r).
The next major release is 15.7 and is to be released on July 1st 2015. Bug
fixes and security patches will be released when available.
We are looking forward to welcome you in the OPNsense community.
Because Open makes Sense!
The OPNsense core team
--------------------------------------------------------------------------
15.1.12 (June 17, 2015)
--------------------------------------------------------------------------
It's sad but true: 15.1.12 may very well be the last of its kind. 6 months
are almost over and 15.7 is around the corner with a number of changes e.g.
how we do version numbers, release engineering branches and upcoming versions
such as 16.1. As nothing is set in stone, we ask you to participate in the
discussion on the forums:
https://forum.opnsense.org/index.php?topic=705.0
The aftermath of the recent OpenSSL release(s) finally settled so now we are
shipping FreeBSD's security advisory along with the latest releases of
OpenSSL 1.0.2c and LibreSSL 2.2.0. Upgrading PHP 5.6.10 seemed like another
sensible thing to do.
The firmware update side of things received another minor batch of changes
and is now at a point we're satisfied with. Should you find anything odd
or unusual, please let us know.
Here is the full list of changes:
* src: fix OpenSSL multiple vulnerabilities `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:10.openssl.asc>`__
* src: update base system file(1) to 5.22 `[2] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:07.zfs.asc>`__
* src: improve reliability of ZFS `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:06.file.asc>`__
* src: updated to tzdata2015e `[4] <http://mm.icann.org/pipermail/tz-announce/2015-June/000032.html>`__
* ports: openssl 1.0.2c `[5] <https://www.openssl.org/news/openssl-1.0.2-notes.html>`__ , libressl 2.2.0 `[6] <http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.0-relnotes.txt>`__ , php 5.6.10 `[7] <https://php.net/ChangeLog-5.php#5.6.10>`__ ,
dnsmasq 2.73 `[8] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__ , smartmontools 6.4 `[9] <https://www.smartmontools.org/browser/tags/RELEASE_6_4/smartmontools/NEWS>`__
* syslogd: disable unmaintained and unused ZMQ patches
* opnsense-update: gained independent awareness of kernel and
base system version
* opnsense-update: improved the manual page to include all recent changes
* firmware: bring back /etc/shells support to avoid the unknown shell
warning on bootup
* firmware: always schedule next poll while upgrade is running to
accommodate for web server restart delay
* logs: fix DHCP reverse ordering and update layout
* wizard: remove false statement about using "dhcp" for LAN setup
* menu: order interfaces by name
* captive portal: fix database creation query by avoiding SQL injection
syntax that broke due to a recent upstream hardening of the database
adapter underneath
The images can be obtained via any of our mirrors, given a bit of delay
for them to pull in the latest images:
https://opnsense.org/download/
The checksums are:
.. code-block::
# SHA256 (OPNsense-15.1.12_OpenSSL-cdrom-amd64.iso.bz2) = 60664c127e0f35f7ca9150ca31ef56de89b217f34f45959957ddd279d8512007
# SHA256 (OPNsense-15.1.12_OpenSSL-nano-amd64.img.bz2) = 044b144fd892bebb1499a9788e37f43a92ffa2c175b07fc49ea24f3cb21032b7
# SHA256 (OPNsense-15.1.12_OpenSSL-serial-amd64.img.bz2) = 8b450c6aff84cc9bfb7bcae72a50975d965872415f12a04226ef6688c074a3ef
# SHA256 (OPNsense-15.1.12_OpenSSL-vga-amd64.img.bz2) = 6c0d7529ce77b387ab97fc6557987ac68256a2e5cb6e5993ba807be91a08cd45
# SHA256 (OPNsense-15.1.12_OpenSSL-cdrom-i386.iso.bz2) = 95a31bb2d854cb8370b58e95155fae34b824393e1add53a99349e7452e4c7313
# SHA256 (OPNsense-15.1.12_OpenSSL-nano-i386.img.bz2) = 9d86a0ecdf74b28b627672f19fd652c6792e884dda68effe680c495934926e6d
# SHA256 (OPNsense-15.1.12_OpenSSL-serial-i386.img.bz2) = a6b6460b9cb398993f9507c77644fc6ab13ad65786ed33c4bdd16a2d93d58606
# SHA256 (OPNsense-15.1.12_OpenSSL-vga-i386.img.bz2) = aecf58f9f77cf1f4f712bc8deb0ac987b0f060c7f4e9f7163d5767d1c2fbc105
.. code-block::
# MD5 (OPNsense-15.1.12_OpenSSL-cdrom-amd64.iso.bz2) = f7701aa70024bbab8395f808d9695eb0
# MD5 (OPNsense-15.1.12_OpenSSL-nano-amd64.img.bz2) = 2e32ea342755513f87b13db4900cd1b8
# MD5 (OPNsense-15.1.12_OpenSSL-serial-amd64.img.bz2) = 7722c2de2d06b56a32d32f49b28007d6
# MD5 (OPNsense-15.1.12_OpenSSL-vga-amd64.img.bz2) = d2ad9fc3bad8bff348d60f6a879122e6
# MD5 (OPNsense-15.1.12_OpenSSL-cdrom-i386.iso.bz2) = acefe5ce4cefe49e6c601db602af95b2
# MD5 (OPNsense-15.1.12_OpenSSL-nano-i386.img.bz2) = 5f2f3c2c76996284557b2e8e4f9cadf2
# MD5 (OPNsense-15.1.12_OpenSSL-serial-i386.img.bz2) = 6b0745526824badc05c53fee6c5b035c
# MD5 (OPNsense-15.1.12_OpenSSL-vga-i386.img.bz2) = f1c67cac62d621a289dfb8c7384a242f
--------------------------------------------------------------------------
15.1.11.4 (June 12, 2015)
--------------------------------------------------------------------------
Coincidentally, we scheduled 15.1.11.4 for today and have found ourselves in
the middle of an OpenSSL/LibreSSL update. FreeBSD has been really quick and
provided ports updates for both of them. OpenSSL base updates, however,
won't be shipped today. That isn't so bad, because we build all ports against
the newer version by default. The base update will follow next week.
There have been quite a few things happening apart from \*SSL, see the notes
and links to individual updates. Another round of stabilisation for the
firmware GUI will make upgrading a bit more consistent in the future. And,
ironically, if you encounter the update freezing up in the GUI, simply
refresh the page and look for new updates.
Here is the full list of changes:
* notable ports updates: pcre 8.37_1 `[1] <https://github.com/freebsd/freebsd-ports/commit/030adcf1d>`__ , phalcon 2.0.2 `[2] <https://github.com/phalcon/cphalcon/releases>`__ ,
strongswan 5.3.2 `[3] <https://wiki.strongswan.org/projects/strongswan/wiki/Changelog53>`__ , sqlite 3.8.10.2 `[4] <https://sqlite.org/releaselog/3_8_10_2.html>`__
* more notable ports: openvpn 2.3.7 `[5] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.7>`__ , openssl 1.0.2b `[6] <http://marc.info/?l=openbsd-announce&m=143404058913441>`__ ,
libressl 2.1.7 `[7] <https://github.com/freebsd/freebsd-ports/commit/40365ab880101ee>`__ , pkg 1.5.4 `[8] <https://www.openssl.org/news/secadv_20150611.txt>`__
* opnsense-update: has gained the ability to do package updates as well
* core: removed unused ssh_tunnel_shell and 3gstats utilities, added sudo
to the default utilities
* captiveportal/traffic shaper: better fix for localhost skip
* traffic shaper: added ICMP, IGMP, ESP, AH and GRE protocols to
selectable protocols
* core: fixed a bug that prevented our API from working properly with
Phalcon 2.0.1 and above
* backend: added configctl command utility launcher and improved its
logging capabilities
* backend: worked around a performance degradation bug in Python 2.7
on FreeBSD
* gateways: monitoring via :code:`apinger` is now turned off by default for
all new gateways created (opt-out flipped to opt-in for privacy reasons)
* firmware: refactored firmware code to use opnsense-update's new capabilities
* firmware: fix parsing of packages to be upgraded in fringe cases
* firmware: fix overzealous caching of available package upgrades
* users: user with group admins now have :code:`wheel` group associated with them,
allowing them to use :code:`su` or :code:`sudo` (if configured)
* users: do not copy root's hidden files while creating a new user
home directory
--------------------------------------------------------------------------
15.1.11.3 (June 05, 2015)
--------------------------------------------------------------------------
A tiny batch of fixes comes bundled with today's 15.1.11.3 mainly to
increase stability during WiFi USB attach/detach. It is a work in
progress so please let us know how your experience changes.
Here are the full patch notes:
* config: improved the deletion of backups
* wifi: do not launch FreeBSD's rc scripts on 802.11 attach/detach
* ipfw: always forward traffic coming from localhost
* system: apply PSR2 coding style to GUI pages
* captive portal: apply PSR2 coding style to GUI pages
Stay safe,
Your OPNsense team
--------------------------------------------------------------------------
15.1.11.2 (June 03, 2015)
--------------------------------------------------------------------------
Today's update includes a shiny new rewrite of the traffic shaper
functionality for dummynet, another completed chapter in the ongoing
quest for standardisation towards FreeBSD. The other gem is the first
batch of translations for Simplified Chinese kindly provided by two of
our enthusiastic users from China. We ask for you to try both features
and let us know about limitations and issues through any of the usual
channels. We appreciate likes and don't-likes alike. :)
Security-wise, it has been rather quiet. Enjoy it while it lasts. Here
are the full patch notes:
* notable ports upgrades: pcre 8.37, pkg 1.5.3, ca_root_nss 3.19.1
* aliases: fix javascript error that prevented aliases from woking
* traffic shaper: rewrote the feature using standard components on top
of the new MVC framework/API (see Firewall: Traffic Shaper)
* system: enabled first few hundred translations of Simplified Chinese
to help the community to progress and review said translation
(see System: Settings: General)
* vpn: all GUI files underwent a thorough coding style refresh
* firmware: prevent spurious "Module already loaded" errors while
upgrading PHP packages
The packages for OpenSSL and LibreSSL are up and can be applied via the
GUI or console firmware upgrade.
Stay safe,
Your OPNsense team
--------------------------------------------------------------------------
15.1.11.1 (May 23, 2015)
--------------------------------------------------------------------------
Today it's time for 15.1.11.1 which includes two tweaks for the recent
Logjam vulnerability as well as the images for OPNsense on top of OpenSSL.
The reason for not providing LibreSSL images is that we are going to make
the flavour selectable via the GUI since pkgng does such a great job of
tracking and resolving all the provided and required dependencies.
* crypto: regenerate DH parameters for 1024, 2048 and 4096 bit
* crypto: tweak the web server config to harden against Logjam
Firmware upgrades for LibreSSL and OpenSSL are live. The OpenSSL images
can be found here:
https://opnsense.org/download/
The checksums are as follows:
.. code-block::
# SHA256 (OPNsense-15.1.11.1_OpenSSL-cdrom-amd64.iso.bz2) = 280f02a2da3ff9e9ad1f655a8661c845765493f36e1788b8c852af9886c50316
# SHA256 (OPNsense-15.1.11.1_OpenSSL-nano-amd64.img.bz2) = 2d14d881311ca8b188a41a2d57aee6e0bec66f55066f2844502d4ef17e64935e
# SHA256 (OPNsense-15.1.11.1_OpenSSL-serial-amd64.img.bz2) = e6e3c8c425dfebc33df9d66cc013616898963c72c52df6e0bed388126c2143a1
# SHA256 (OPNsense-15.1.11.1_OpenSSL-vga-amd64.img.bz2) = 64de0201f37cf75c3ba5084f06a1f545eb0a9c4e8248354b584a024322edf488
# SHA256 (OPNsense-15.1.11.1_OpenSSL-cdrom-i386.iso.bz2) = 18f1b40981d243173c524af208f8c4cf10a46d41f676d350baba477f07c2ff9e
# SHA256 (OPNsense-15.1.11.1_OpenSSL-nano-i386.img.bz2) = 2160335ab904fb0f82dc2629ea7c9116c36059928860169bb9eeac87038db5c7
# SHA256 (OPNsense-15.1.11.1_OpenSSL-serial-i386.img.bz2) = a2f7ce128a1ea3ab4942e7ff5accb2901110324d73c516b7bd1a7947b70697cf
# SHA256 (OPNsense-15.1.11.1_OpenSSL-vga-i386.img.bz2) = df112aca62de658518bc3f904336fb9024daf404741880e9bb7b93912a5b2af3
.. code-block::
# MD5 (OPNsense-15.1.11.1_OpenSSL-cdrom-amd64.iso.bz2) = edc4349b7f3b815302724e60c7ddc0cb
# MD5 (OPNsense-15.1.11.1_OpenSSL-nano-amd64.img.bz2) = 1f2cca409ba7e1ab91d6e937627ac275
# MD5 (OPNsense-15.1.11.1_OpenSSL-serial-amd64.img.bz2) = 3dcb482fa561fb46748d18fb07048553
# MD5 (OPNsense-15.1.11.1_OpenSSL-vga-amd64.img.bz2) = e56074166925c14b586dfff68c8d4494
# MD5 (OPNsense-15.1.11.1_OpenSSL-cdrom-i386.iso.bz2) = 3b1904072a4ea48aad6a70cde451cade
# MD5 (OPNsense-15.1.11.1_OpenSSL-nano-i386.img.bz2) = a040f331af20a5025d5cbcea1e57d348
# MD5 (OPNsense-15.1.11.1_OpenSSL-serial-i386.img.bz2) = 0a8f26ff6fab41c699ba03a9805ec6b5
# MD5 (OPNsense-15.1.11.1_OpenSSL-vga-i386.img.bz2) = cf7b4e86a0a856499ca843524d0824bc
Info on how to obtain LibreSSL-based images which are then easily upgraded
to 15.1.11.1 can be found here:
https://forum.opnsense.org/index.php?topic=78.0
Stay safe,
Your OPNsense team
--------------------------------------------------------------------------
15.1.11 (May 22, 2015)
--------------------------------------------------------------------------
As we are nearing the finish line for version 15.7 in July, we sat down on
a single table in the Netherlands this week to review the changes that we've
made over the past 5 months and we saw that only one road map `[1] <https://opnsense.org/about/road-map/>`__ item is
still open: the frequently requested IDS package! We've come a long way
since the initial 15.1 and have seen stability increase, functionality
expand and timely updates being sustained on an almost weekly basis.
Certainly achievements we want to keep whilst going forward.
The initial release of 15.1.11 has been postponed since Tuesday due to a
framework update we've had to exclude as well as polishing the new GUI
firmware feature to finally revive the base system update. If you are
updating from the GUI to this release, you will still have to run the
Console Firmware (Option 12) upgrade to bring your base system up to date
(FreeBSD 10.1-RELEASE-p10). This is the last time, we promise. A reboot
is mandatory.
We ship PHP 5.6.9 ahead of FreeBSD, removed numerous unused packages and
two more custom kernel patches bringing us down to 5 custom patches from
previously more than 40. We also have plans for further pruning, probably
running without custom patches when FreeBSD 10.2 hits the shelves,
metaphorically speaking.
We haven't forgotten the recent Logjam Attack `[2] <https://weakdh.org/>`__ , but wanted not to postpone
the current release any further. With that being said, 15.1.11.1 is coming
out tomorrow including wary tweaks related to Logjam.
Here is the full list of changes for 15.1.11:
* core: removed unused package dependencies b42-fwcutter, bwi-firmware-kmod, dmidecode, ifstated, pecl-ssh2
* core: switched back from bind-tools to the latest full bind 9.10 package due to various requests
* src: fix panic in pf(4) in conjunction with ALTQ `[3] <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200222>`__
* src: updated to FreeBSD 10.0-RELEASE-p10 `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:04.freebsd-update.asc>`__ `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:05.ufs.asc>`__
* src: reverted two more custom patches to align with FreeBSD
* ports: updated to ca_root_nss 3.19, sqlite 3.8.10.1, php 5.6.9 `[6] <https://php.net/ChangeLog-5.php#5.6.9>`__ , openssh 6.8p1_7 `[7] <http://www.openwall.com/lists/oss-security/2015/05/16/3>`__
* opnsense-update: exclude /etc/tty from the upgrade
* bsdinstaller: reworked the internals to align to modern port standards
* captive portal: switched rules generation to new template engine
* firmware: reimplement the GUI firmware update using MVC code
* menu: remove collapse/expand inconsistencies
* dashboard: fix disabled widgets dialog
* nat: fixed delete of multiple item
* nat: fix display of disabled rules
* queues: the legacy ALTQ traffic shaper is now found under "Firewall: Queues" to make room for the upcoming traffic shaper reimplementation based on IPFW/dummynet
* core: fix faulty read of /var/log/dmesg.boot
The live upgrades are up for both LibreSSL and OpenSSL. Images will follow
in a later announcement as the testing backlog has gotten larger with more
images and flavours. We are working on a Continuous Integration platform,
but for now we're still doing things manually.
--------------------------------------------------------------------------
15.1.10.2 (May 13, 2015)
--------------------------------------------------------------------------
We are happy to announce OPNsense 15.1.10.2 today following a rather
exciting firmware upgrade bug that prevented the release yesterday.
We are back to normal now thanks to the wonderful people of pkgng, and,
boy, do we have news to share.
First and foremost, it's time to reveal to all of you the Proxy Server
(based on squid) work we've done under the hood for a few months now.
The new MVC framework has been plugged seamlessly into the GUI and can
be inspected under "Services: Proxy Server". This is a sneak preview of
things to come and any help in testing and commenting on the feature is
going to be a huge help as we go forward.
The translation project has been kickstarted for Japanese `[1] <http://dotike.github.io/opnsense.core.ja_JP.UTF8/>`__ and Chinese,
although the translations are not yet available in the GUI due to their
incompleteness. We do, however, think this is a good opportunity to ask
for contributions to the translations and welcome efforts for other
languages as well.
Last but not least HardenedBSD's work `[2] <https://hardenedbsd.org/article/shawn-webb/2015-05-08/hardenedbsd-teams-opnsense>`__ to build OPNsense on top of their
code has been a quick success story and will eventually bring features like
ASLR into the project. The cooperation also sparked a number of build tools
improvements that will make maintaining the project easier in the future.
Changes also help to unify the OpenSSL/LibreSSL release handling so that
with this announcement you will be enjoying your timely LibreSSL firmware
upgrade. ;)
Here is the full list of changes:
* proxy: basic proxy features on top of our new and shiny MVC framework
under "Services: Proxy Server"
* proxy: smart tokens for item lists (copy/paste CSV list into them and
watch the magic happen)
* proxy: help on/off per item or full page
* proxy: hide advanced options and include sane defaults
* proxy: FTP proxy included with same ACL controls as HTTP
* proxy: simple authentication using built-in user database
* openvpn: added Tunnelblick's version of the OpenVPN XOR feature for
protocol obfuscation `[3] <https://code.google.com/p/tunnelblick/wiki/cOpenvpn_xorpatch>`__
* core: fixed config.xml section import regression
* core: stripped numerous dynamic strings from gettext() invokes
* ports: added FreeBSD's 10.1 ifinfo tool to probe for interface statistics
to replace legacy PHP module code
* ports: bsdinstaller 2.3 no longer uses cpdup utility, plus log collection
and SONAME fixes
* ports: updated to pkg 1.5.2, phalcon 2.0.0, dnsmasq 2.72_1 `[4] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3294>`__
* ports: Perl is now installed by default (5.18)
* development: OpenSSL and LibreSSL branches have been merged for a simpler
build experience and smaller release times
* development: the package sets are now always kept as a single archive that
can be reused and recompiled (even selectively)
* development: stable translation template file is available now `[5] <https://raw.githubusercontent.com/opnsense/core/master/src/share/locale/en_US/LC_MESSAGES/OPNsense.pot>`__
* development: kickstarted Japanese and Chinese translations
* development: language translation files are now automatically compiled
into the core package
* development: added a persistent build config file for setting the version,
crypto flavour and release version tag (if applicable)
The update is available via the firmware upgrade feature only.
--------------------------------------------------------------------------
15.1.10.1 (May 06, 2015)
--------------------------------------------------------------------------
Here comes a quick hotfix for a pressing VLAN regression we've been hearing
about today plus 3 more minor additions. These are the patch notes:
* interfaces: fix interface rename regression that prevented VLANs from
being set up
* firmware: clean up downloaded packages after installation
* logging: prevent spurious pgrep-related messages from being logged
* config: fix Google Drive backup accounting off-by-two
The update available via the GUI or console firmware upgrade. No restarts
necessary, except for those being affected by the VLAN regression. Let us
know whether this brings you back to normal.
Both LibreSSL and OpenSSL are available as of now!
Stay safe,
Your OPNsense team
--------------------------------------------------------------------------
15.1.10 (May 04, 2015)
--------------------------------------------------------------------------
The new release is finally here! Yet before we begin, we'd like to stress
this part: please read the notes enclosed; they are important for the future
of OPNsense.
We are now about two thirds into what is going to be 15.7. On this path,
we've always released cutting edge snapshot releases and 15.1.10 is no
different. However, what is different is the fact that this release marks
a larger departure from what is considered a mere fork: we are leaving
behind numerous kernel patches and two major features to better align with
FreeBSD's code base and to rebuild these features on more maintainable
fundament. In this case we're talking about the layer 7 shaper and
FAIRQ/CODEL support.
But we not only delete all the things. No, we have added NanoBSD images to
the release bundle. Reengineered the process to keep completely in sync with
the FreeBSD ports collection. Replaced the GUI menu and ACL with MVC-based
rewrites. We've switched on the fingerprint verification to finally enforce
the (previously introduced) package repository signing.
It's very likely that most of these additions and removals are not visible
from a usage perspective and we do believe that is a good thing. For some
these changes will spark criticism, but then again they are a chance to
better distinguish between projects and individual requirements. We believe
in choice. We believe in the choices we make for the benefit of our users.
And we intend to keep it that way for a long time. Talk to us and let us
know what we can achieve together. :)
Important notes on the live upgrade:
The recommended way to upgrade is the root shell menu option "12". The box
will require an immediate reboot. No further steps will be necessary.
The GUI firmware upgrade has never been perfect due to wanting to upgrade
itself through running the update. The GUI update is still safe to run, but
it will not let you know when it is finished. The update window will go
blank, which is your queue to refresh the page. The login window will
reappear. After login, the GUI update will already be finished. To wrap
up the full upgrade cycle, drop to the root shell and type:
.. code-block::
# opnsense-update && reboot
But then again, simply use the root shell menu option "12". It works
seamlessly via SSH, too.
The full change log of 15.1.10 is as follows:
* kernel: cleaned up the custom legacy patches to move the underlying
FreeBSD back to more standard behaviour
* kernel: removed dysfunctional dummynet patches and traffic shaper / limiter
GUI feature (ETA for a replacement is 15.7)
* kernel: stripped FAIRQ and CODELQ disciplines as they are no longer
supported by FreeBSD
* kernel: isolated MPD (Multi-link PPP daemon) alteration patches
(will be dropped in a future release)
* kernel: fixed IPSec dropping connections in some scenarios
* images: a new NanoBSD-based image has been added to the release
bundle (directly written to SD or HD)
* notable ports updates: curl 7.42.1, ca_root_nss: 3.18.1
* installer: omit swap and add noatime to root partition in quick/easy
install when available space is under 30GB, fixed faulty exit on
importer cancel
* development: the ports tree is now kept fully in sync with FreeBSD
* development: improved the ports build script in terms of error reporting
and rebuilding speed
* development: simplified file system path handling in most files to make
the code easier to maintain
* development: fixed a bug that prevented extracting our packages on ZFS
* core: replaced most of the legacy PHP module usage with more portable
(and maintainable) scripting code
* dashboard: fixed the main link to always land on the dashboard to not
confuse a restricted ACL setup
* traffic shaper: layer 7 filter removed as the project has been abandoned
(ETA for a replacement is 16.1)
* system/settings: added an FTP proxy feature for clients trying to do
active transfers
* menu: replaced the old one with the new MVC equivalent plus assorted
improvements
* ACL: replaced the old one with the new MVC equivalent
* login: polished the login screen behaviour
* backend: don't try to send a signal to non-existing process
* user: can now change the password via "User: Change Password" from the menu
* firmware: enforce signed packages on upgrade for our mirrors
* rrd: fixed directory create-after-use
The images can be acquired from here:
https://opnsense.org/download/
Last but not least, checksums are:
.. code-block::
# SHA256 (OPNsense-15.1.10-cdrom-amd64.iso.bz2) = 27deac90b9e2e43fa71ff68c30b5fb28d3afcfb12483e01ff52ea40e8ca6f4a8
# SHA256 (OPNsense-15.1.10-nano-amd64.img.bz2) = e61007bd2a735cdc8301d90431b6bb23dc425dfe3d7cdae162b16bd6f0dfd4a3
# SHA256 (OPNsense-15.1.10-serial-amd64.img.bz2) = c7a412b1cc74331ebf13c8e95316c4c11ee56a331d7992a3bb27e80e0ce9a127
# SHA256 (OPNsense-15.1.10-vga-amd64.img.bz2) = 1d9449b6bc61904995189cf264ec9c071a7effb4c203579778c827262bb88654
# SHA256 (OPNsense-15.1.10-cdrom-i386.iso.bz2) = f6e7e4953cdb155490136134393892e92414e3a70baf419ba6c5319e58d45620
# SHA256 (OPNsense-15.1.10-nano-i386.img.bz2) = 4e85700f4c491529f8ec60da09283674f29bfdbede83e372a95fc3719f20a661
# SHA256 (OPNsense-15.1.10-serial-i386.img.bz2) = 786a5d831e37ac4d55618b5fc1ae0af1a5bfde52b048f185c5ce16f4f18821b9
# SHA256 (OPNsense-15.1.10-vga-i386.img.bz2) = 6cf6c88bfa910da402e96a883bef7766570b9500941d7c5549e050bc8d74818c
.. code-block::
# MD5 (OPNsense-15.1.10-cdrom-amd64.iso.bz2) = d6f9f4736c911157067b47b8e1793a0e
# MD5 (OPNsense-15.1.10-nano-amd64.img.bz2) = a4a6ed4a51cf501d5a27041f9255694a
# MD5 (OPNsense-15.1.10-serial-amd64.img.bz2) = 719665d9b5e9e8d48f88b8e2b6cf177b
# MD5 (OPNsense-15.1.10-vga-amd64.img.bz2) = 4f1f9a2d5fdc176e7516660ea34c6564
# MD5 (OPNsense-15.1.10-cdrom-i386.iso.bz2) = 7a7bbabc27d596b0da8874ca4e31714d
# MD5 (OPNsense-15.1.10-nano-i386.img.bz2) = a3a6d4d96217e6c86e430e9766971049
# MD5 (OPNsense-15.1.10-serial-i386.img.bz2) = 6d3a5c3dbe02d6012d50219aaab4b7c6
# MD5 (OPNsense-15.1.10-vga-i386.img.bz2) = 5ec2c602a8e3f31ad78c2f63c2d266b9
May the force be with you,
Your OPNsense team
--------------------------------------------------------------------------
15.1.9.2 (April 22, 2015)
--------------------------------------------------------------------------
Another week, another stable release. :) While we are busy working on
extensive kernel cleanups to bring OPNsense closer to FreeBSD, we decided
to ship a minor update today with a number of third-party software refreshes
and assorted fixes across the board before we make the leap to 15.1.10.
We'd like to mention the extensive translation groundwork being done by
Isaac Levy, which will enable others to start working on specific language
support now that there's an official English translation in the system. A
Japanese translation is being discussed already -- if you'd like to contribute
other language translations let us know through the usual channels. We'd be
more than happy to include them into a future release.
Here is the full change log of 15.1.9.2:
* captive portal: fixed rule generation on empty IP
* gui: print current user in upper right corner along with the hostname
* user manager: fixed empty password error when creating a new user
* high availability: don't trigger sync when not configured
* interfaces: added the hn(4) interfaces as ALTQ capable
* configuration: do not overwrite the default configuration on firmware
updates
* ipsec: fixed road warrior authentication
* openvpn: fixed client edit link
* ports: sqlite 3.8.9 `[1] <https://sqlite.org/releaselog/3_8_9.html>`__
* ports: strongswan fix for xauth (road warrior-related)
* ports: PHP 5.6.8 `[2] <https://php.net/ChangeLog-5.php#5.6.8>`__
* ports: pkg 1.5.1 `[3] <https://lists.freebsd.org/pipermail/freebsd-stable/2015-April/082234.html>`__
* development: kickstarted language support via English
translation (.pot file)
* development: further progress on the proxy feature/MVC framework
* development: improved the live mount to propagate the mounted version
into the dashboard
The update is not available via install media, but you can just as well
download 15.1.9 from a mirror and upgrade with a few simple clicks:
https://opnsense.org/download/
--------------------------------------------------------------------------
15.1.9.1 (April 16, 2015)
--------------------------------------------------------------------------
Today we present you a quiet stable update with a hand full of assorted
features, tweaks and bug fixes. Most notably, we've integrated DNS filtering
via OpenDNS and tested / reworked the IPSec reporting.
As far as we know there have been no security-related fixes of bundled
third-party software since 15.1.9.
Update through the GUI via "System: Firmware" or the root console option
"12) Upgrade from console". A reboot is not strictly required, but
recommended to trigger the automatic enable of soft updates and TRIM
(if applicable to your disk).
Here is the full change log of 15.1.9.1:
* firmware: show a warning on pending system updates that need to be executed
from the console
* system: "General Setup" and "Advanced" items have been merged into "Settings"
* system: "Certificate Manager" is now known as "Certificates", default tab
changed as well
* services: introduce OpenDNS-based DNS filtering
* services: fixed start button layout when service is offline
* ports: fixed StrongSwan SMP socket bind on FreeBSD
* ipsec: brought back tunnel status reporting
* ipsec: fixed "Do not install LAN SPD" setting
* user manager: fixed group permission and privilege read bugs
* wake on lan: fixed "Cannot create references to/from string offsets nor
overloaded objects" error
* openvpn: fixed server restart regression
* core: automatically enable TRIM on boot if available
The update is not available via install media, but you can just as well
download 15.1.9 from a mirror and upgrade with a few simple clicks:
https://opnsense.org/download/
Stay safe out there,
Your OPNsense team
--------------------------------------------------------------------------
15.1.9 (April 10, 2015)
--------------------------------------------------------------------------
Although we have already released 15.1.8.4 early this week, we're pushing out
15.1.9 for two important reasons: security updates, kernel panic fixes and
clean images as we've had a couple of things that needed addressing following
the configuration system rewrite in 15.1.8. That's three important reasons
really. ;)
The recommended upgrade method is the root console option 12 to properly
update both the packages and the base system to the latest available
releases. Please verify that the system information widget on the dashboard
presents you with the following and new version information (will show
"i386" as opposed to "amd64" if you use the 32 bit version):
.. code-block::
# OPNsense 15.1.9-amd64
# FreeBSD 10.1-RELEASE-p9
# OpenSSL 1.0.1m 19 Mar 2015
Alternatively, you can choose to boot a fresh install media and do a clean
config import followed by an immediate installation to retain your full setup.
As always, back up your configuration to an external location prior to
upgrading.
LibreSSL images and updates are expected later today. Please watch out for
the announcement on Twitter, IRC, the forum or elsewhere. LibreSSL is still
an experimental release despite the fact we keep it up to date and mix
LibreSSL updates into the shared patch notes.
Here is the change log for 15.1.9:
* tools: install media live images now use the more flexible tmpfs(5)
* tools: cxgbe(4) is now compiled into the kernel
* ports: strongswan 5.3.0 `[1] <https://www.strongswan.org/blog/2015/03/30/strongswan-5.3.0-released.html>`__ , openssh 6.8p1 `[2] <http://www.openssh.com/txt/release-6.8>`__ , ntp 4.2.8p2 `[3] <http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities>`__
* src: reverted inconsistent carp(4) and pfsync(4) patches to retain standard FreeBSD behaviour
* src: fix multiple vulnerabilities of ntp `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:07.ntp.asc>`__
* src: fix denial of service with IPv6 router advertisements `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:09.ipv6.asc>`__
* core: console upgrade now also triggers the unused package removal
* core: fix regression that caused a faulty config.xml when applying limiter settings
* core: refactored the configd command structure for clarity
* core: fix for SMTP notifications that broke due to PHP 5.6's new default SSL behaviour
* core: thorough unused java script purge under the hood
* upnp: fix redeclaration error on main page shortcut click
* user manager: consolidated the labels of all privileges, especially OpenVPN
* development: opnsense-update can selectively upgrade base/kernel for testing
* development: new chunk of progress on the new proxy feature and MVC structure
The images can be found on a mirror of your choosing:
https://opnsense.org/download/
The checksums are:
.. code-block::
# SHA256 (OPNsense-15.1.9-cdrom-amd64.iso.bz2) = d159a791cbc373435f25c74f433cc6b419fd8d6df8940d854fec6cd07545acd4
# SHA256 (OPNsense-15.1.9-serial-amd64.img.bz2) = 0584fa5092c40af9f8523be527408af57eac2ca71c9522e8167f7ae7f08e0586
# SHA256 (OPNsense-15.1.9-vga-amd64.img.bz2) = ccd550b471aa6b13d9a8921aa9461d5eddedaeb9c375e97261ff4e54ebd881d2
# SHA256 (OPNsense-15.1.9-cdrom-i386.iso.bz2) = dd3816e0b9c166009de0bde47adce28472bcc639918de91813db4b0ad3bd863e
# SHA256 (OPNsense-15.1.9-serial-i386.img.bz2) = 6b39d3a3ede80f6996c589eeeb39b0777b3ae878f79101b85f9b7af3dad771d3
# SHA256 (OPNsense-15.1.9-vga-i386.img.bz2) = 56b401719811d233cfd476f49501c436e0f3f02422a1bbc711aa70c0a1a4e340
.. code-block::
# MD5 (OPNsense-15.1.9-cdrom-amd64.iso.bz2) = 82b9575e8070248d52b01baae9d31544
# MD5 (OPNsense-15.1.9-serial-amd64.img.bz2) = 3f516cfb088d13f747bc68a0725b955d
# MD5 (OPNsense-15.1.9-vga-amd64.img.bz2) = 14f035f45c89f5fd404881baac93528f
# MD5 (OPNsense-15.1.9-cdrom-i386.iso.bz2) = 09e724a1313f5ebbbfcbf61c62e0803d
# MD5 (OPNsense-15.1.9-serial-i386.img.bz2) = 736069fb503de87599b0f866a47fdb02
# MD5 (OPNsense-15.1.9-vga-i386.img.bz2) = c79f0c9fe2a0fcb4d8f4ff18146fe340
--------------------------------------------------------------------------
15.1.8.4 (April 07, 2015)
--------------------------------------------------------------------------
We hereby proudly announce our latest and greatest stable update 15.1.8.4.
This is almost completely GUI-oriented (frontend and backend) due to numerous
cleanups we've done in pursuit of the 15.1.8 release and its new config
subsystem. A huge thank you goes to everybody who submitted bugs over the
course of the last week.
The firmware upgrade is online-only, so either go through the GUI or the
console. A bit of bumpiness may be present in the GUI upgrade. After PHP
packages have been removed you can safely steer away from the page and
recheck for firmware updates to make sure the firmware has been upgraded
correctly.
Here is the full list of changes:
* core: removed numerous unused function from the code base
* core: fixed numerous :code:`Illegal string offset` warnings
* core: fixed numerous `Cannot create references to/from string offsets
nor overloaded objects' errors related to 15.1.8's config system switch
* captive portal: properly redirect to original page after entering a
valid voucher
* xmlrcp: replaced the whole legacy implementation due to issues with the
latest PHP version to unbreak the feature
* core: fixed an ancient background execution bug that prevented the spawned
process from fully detaching from its parent
* firmware: completely detached the firmware upgrade from the GUI to make
it more reliable and hide empty update tables
* dashboard: polish the version information print and also show
OpenSSL/LibreSSL version for better awareness
* xmlrpc: removed dangerous PHP and shell execution hooks
* core: removed the backwards compatibility code for base OpenSSL as we
don't want to use it anymore
* core: fixed unstable GUI and console factory reset
* system settings: finally flipped the SSH key only checkbox to properly
align with the underlying settings name of :code:`PasswordAuthentication`
* core: removed usage of numerous legacy PHP plugins in favour of more
portable approaches
* logs: captive portal logs now have the proper layout
* logs: fixed firewall log parsing to unhide log entries for IP protocols
that were not TCP/UDP/ICMP
* crash reporter: revamp the crash report layout and add appropriate feedback
messages (note that the send button isn't enabled but we'll get there)
* interfaces: fixed WAN PPPOE edit
* configd: do not emit an error on shutdown
* configd: gained a background execution feature
* development: added hooks for running custom rc scripts
* development: enable PHP warnings for core.git mount
If you do not possess a running installation, the images for 15.1.8 are
available through at least one of our shiny new our mirrors. Make sure
you upgrade to 15.8.1.4 as soon as you installed 15.1.8 to avoid all
unnecessary hiccups:
https://opnsense.org/download/
Stay safe,
Your OPNsense team
--------------------------------------------------------------------------
15.1.8.3 (March 30, 2015)
--------------------------------------------------------------------------
The new config system had a number of issues, but thanks to your help we've
ironed them out in the two days following the release. The trend continues
with this small stable update fixing the last batch of visible issues while
also pulling in PHP 5.6.7, which isn't currently available in FreeBSD ports.
Here is the full change log:
* ports: PHP was updated to 5.6.7 addressing CVE-2015-0231,
CVE-2015-2305, etc. `[1] <https://php.net/ChangeLog-5.php#5.6.7>`__
* captive portal: service now restarts correctly when triggered from the GUI
* ipsec: multiple config system replacement regression fixes
* dhcp: fixed the flushing of v6 settings while applying them
* user manager: fixed a bug that would remove groups
* firewall rules: prevent delete rule from deleting all rules
* core: ignore empty tags in configs generated by frontend code
* The update is available for both of the crypto flavours OpenSSL and
LibreSSL through the System/Firmware section of the GUI. If you are
upgrading from pre-15.1.7.1 don't forget to run "opnsense-update && reboot"
on a root shell to bring in the latest base fixes afterwards as well.
Installations of 15.1.7.1 and higher can use the console firmware upgrade
option 12 to run an adaptive update cycle (depending on how much needs to
be updated the system may reboot).
As always, please back up your config and let us know if you run into any
trouble. :)
https://opnsense.org/support-overview/mailing-list
https://twitter.com/opnsense
https://github.com/opnsense
https://forum.opnsense.org
--------------------------------------------------------------------------
15.1.8.2 (March 25, 2015)
--------------------------------------------------------------------------
After an extended low profile period we are back in business with the latest
and greatest 15.1.8. You'll notice that we have incorporated the recent
OpenSSL security advisories along with a larger number of fixes and cleanups.
But there's more. We have pushed the bulk load of our new configuration
handling code which is intended to bridge the gap between the old and the
new front-end code. And since we don't like to stop there just yet, we've
also added support for backing up your configs on your private Google Drive.
We encourage our users running 15.1.7.1 or later to try the root console menu
option "12" for a fully automatic system upgrade. Otherwise, it's either
installing from scratch using install media and the installer's config import
feature, or running the GUI firmware update and dropping to a root shell to
run :code:`opnsense-update && reboot` to fully benefit from the base system
security updates. Please let us know about your upgrade experience. We are
still adding and tweaking code to complement and simplify the upgrade process.
Users of the install media are encouraged to update their firmware via the GUI
from 15.1.8 to 15.1.8.2 as soon as possible due to a few important config
system hotfixes.
Here is the full list of changes:
* src: applied FreeBSD-SA-15:06.openssl `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:06.openssl.asc>`__
* src: updated to tzdata2015b `[2] <http://mm.icann.org/pipermail/tz-announce/2015-March/000029.html>`__
* src: add missing max-packets parsing for pf(4)
* src: OPNsense branding for boot loader
* bsdinstaller: speed up SD card writes using async mode and assorted cleanups
* opnsense-update: don't trigger a spurious update after a fresh install when
invoked for the first time
* notable port updates: isc-dhcp42 4.2.8, libressl 2.1.6 (hopefully builds
will be available on Friday), openssl 1.0.1m, ca_root_nss 3.18
* core: removed obsolete conf_mount_ro() and conf_mount_rw() usage
* core: removed platform awareness with a more appropriate probe for install
media
* core: removed all remnants of the old firmware update code
* core: completely rewrote the config.xml handling to unify old and new GUI
components
* core: added support for config backup to Google Drive `[3] <https://wiki.opnsense.org/index.php/Manual:Backup_to_Google_Drive>`__
* core: fixed a few config handling issues with the new system via 15.1.8.1
* core: fixed missing aliases in new config system via 15.1.8.2
* core: removed php-fpm remnants that would e.g. prevent automatic IP
assignment in DHCP mode via 15.1.8.2
* packages: removed the legacy package system
* upnp: transformed the preinstalled package into a standard feature
* openvpn: added the client export package as a standard feature
* dyndns: minor follow-ups for Duck DNS support
* firewall log: fix bug that would prevent the filter from working correctly
* ntp: added numerous config form tweaks and fixed daemon startup
* igmpproxy: fixed daemon startup
* dns: properly regenerate hosts file on reload
* ssh: fix sshd reload on save in system admin access page
* src: avoid invoke of FreeBSD's rc system on halt and reboot
* dhcp: improve compatibility with IPv6 deployments
The install media images can be found here:
https://sourceforge.net/projects/opnsense/files/15.1.8/
The checksums are:
.. code-block::
# SHA256 (OPNsense-15.1.8-cdrom-amd64.iso.bz2) = c8cb295cd711f880e6406ab8d84c84a31cdc678c40e4d3be4c3fe9546614bdcc
# SHA256 (OPNsense-15.1.8-serial-amd64.img.bz2) = 1d51a7d229a145eb92517211a96d9c9bcb0e3585c21931406463368349129997
# SHA256 (OPNsense-15.1.8-vga-amd64.img.bz2) = 9a9777af215e66dfa4032d2052f320234c32809816094c1a58d2ebe5c81bdd1a
# SHA256 (OPNsense-15.1.8-cdrom-i386.iso.bz2) = e1d1b11ac23a043ab0bdff2a923a8a920814f72e79b852f39e66f185963f8cc4
# SHA256 (OPNsense-15.1.8-serial-i386.img.bz2) = fe078471b8409a2102f216252db4f59580853a0182c33d39d4b2c676a1f9e3b7
# SHA256 (OPNsense-15.1.8-vga-i386.img.bz2) = df7ca44649f7283df774acddc2df7e06961d80033e959cde01ebce664bf6f488
.. code-block::
# MD5 (OPNsense-15.1.8-cdrom-amd64.iso.bz2) = 79eff753cdb749dacb9e106a1781ce64
# MD5 (OPNsense-15.1.8-serial-amd64.img.bz2) = 8e643edf6d6cee72535bd8913cf4176e
# MD5 (OPNsense-15.1.8-vga-amd64.img.bz2) = c20fee3989a786e12ba0ec3f0e565660
# MD5 (OPNsense-15.1.8-cdrom-i386.iso.bz2) = 8b8459017333d654c8b1a7f246a4e250
# MD5 (OPNsense-15.1.8-serial-i386.img.bz2) = 6f2e9656a02f32cebf18c9b31b5439f2
# MD5 (OPNsense-15.1.8-vga-i386.img.bz2) = 4cbbebe46142d1e954c76383340f61e6
--------------------------------------------------------------------------
15.1.7.2 (March 13, 2015)
--------------------------------------------------------------------------
This week has been really quiet just like last week so we give you another
tiny stable update in the style of "click-click-click-done". Most notably,
we've tracked down two issues with the package database being unavailable,
resulting in "no updates available" situations. Thanks again to everyone
who helped to debug and test this with us!
We are not aware of any security issues at this point. Our LibreSSL efforts
continue with 15.1.7.2-LibreSSL later today and it seems to be an extended
work in progress as we uncover just how deep OpenSSL is tied into the FreeBSD
ecosystem. Needless to say it shouldn't be this way, but we're getting there
step by step.
For everybody running 15.1.7.1 that might be a good opportunity to try the
root console menu option 12 to update in one single go (including available
base updates). It can also be invoked via SSH if you are into that sort of
headless/remote workflow.
Here is the full list of changes:
* bsdinstaller: fixed the package database wipe on custom install
* bsdinstaller: install progress bar is now more responsive with regard to
individual directories in /usr
* firmware: removed obsoleted upgrade code and tools following our
pkgng/opnsense-update approach
* miniupnpd: now properly links to the OpenSSL/LibreSSL port
* ipmitool: now properly links to the OpenSSL/LibreSSL port
* core: extensive cleanups for PHP shebang usage, wiped numerous unused
scripts and unreachable web pages, removed PBI remnants, removed 'tmp_path'
softcoding to improve readability and git-grep(1) experience, removed stale
debug statement that were only marginally useful while bumping the
statements to default that indicate real errors
* console: fixed halt script permissions and switched to synchronous mode
* sysctl: added net.inet6.ip6.rfc6204w3 to improve the DHCPv6 experience
* nat: remove target IP hardcoding in automatic rules (props to pfSense for
pointing that out to us)
* rc: fixed missing package database when using the MFS option for /var
* configd: added a standard rc.d script for easy daemon control
* mvc: a lot of new code to support general infrastructure for upcoming
porting of features, e.g. proxy feature
* help: adjusted links in the help menu to use HTTPS and improved targeting
If you are new to OPNsense, the 15.1.7 images can be found here and are easily
updated through the GUI after installation:
https://sourceforge.net/projects/opnsense/files/15.1.7/
Stay safe,
The OPNsense team
--------------------------------------------------------------------------
15.1.7.1 (March 07, 2015)
--------------------------------------------------------------------------
As things mature and confidence grows we are trying something new today: a
lightweight and online-only stable update that addresses numerous GUI bugs
uncovered by our users. We hope to continue this trend and thus keep asking
for all kinds of feedback through the usual communication channels. Let's
build a better OPNsense together.
There are no security issues we are aware of. The LibreSSL version will
likely be available tomorrow.
Here are the full patch notes:
* bsdinstaller: work towards embedded installations, e.g. Quick/Easy disk
selection
* opnsense-update: added command line switches and a manual page for
usability's sake
* opnsense-update: will now remember that the base system is up to date
* ports: updated to LibreSSL 2.1.4 (for our experimental LibreSSL flavour only)
* directory layout: collapsed the /conf -> /cf/conf magic into a simple /conf
directory (needs a reboot to take effect)
* certificates: consistently lowered the default lifetime to 1 year
* captive portal: fixed an issue that prevented traffic forwarding in some
cases
* nat: do not resolve aliases on display to stay consistent with rules page
* console menu: rebuilt the firmware upgrade option 12 to work on top of our
new pkgng/opnsense-update system
* crash reporter: can now be found under Diagnostics and was extended to show
all parsing errors. The send button is currently disabled but feel free to
copy+paste the messages to push them through the usual channels.
* rc: fixed numerous parse errors in files previously missed by the regression
test
* rc: DHCP lease and RRD graph persistency after reboot, halt and config
import (reinstall)
* upnp: the shortcuts menu has been reintroduced
* login: redirect after login now brings up the previously selected page
* dynamic dns: fixed validation for custom entries that do not require a
hostname
* dynamic dns: added support for Duck DNS
* firewall log widget: fixed multiple bugs and updated style
* pptp: brought back missing PHP includes
* core: removed thousands of lines of unused code, style consolidation and
path unwinding
* core: multiple image to glyphicon conversions
* development: moved pkgng config files out of the src/ directory to avoid
tainting the system on core.git live mount
* development: steady progress on the first MVC framework implementation of
the upcoming proxy support
If you are new to the show, you want to grab the latest image from Sourceforge
and apply this update afterwards using the firmware update in the GUI:
https://sourceforge.net/projects/opnsense/
Stay safe,
The OPNsense team
--------------------------------------------------------------------------
15.1.7 (February 28, 2015)
--------------------------------------------------------------------------
We are saddened by the news of Leonard Nimoy passing away. He has been an
inspiration for many of us ever since Star Trek first flickered over the TV
screens and all the years thereafter. What a strange world we'd live in if
it weren't for him? Thank you, Leonard, 15.1.7 is being released in your
honour.
As we move forward, we've found that 15.1.6.1's new tool opnsense-update
works really well for everybody and thus we are very happy with the new
live upgrade path. To show you that we are super serious we are shipping
the latest FreeBSD 10.1 release engineering and security advisories and
encourage you to try it out. We also have numerous tweaks with regard to
tightening security in Bind, OpenSSL, StrongSwan, OpenSSH as well as needed
GUI fixes thanks to the steady stream of incoming reports. If you encounter
an issue or even a slight hiccup, please let us know through any of the
available channels.
The images can be found here:
https://sourceforge.net/projects/opnsense/files/15.1.7/
How to upgrade:
Always backup your config. Do not try to go from the LibreSSL snapshot to
OpenSSL. The parallel LibreSSL snapshot will be out by tomorrow.
Do a clean install using the desired install media. You can always import
the old configuration from the installer if you already have an older
installation.
Alternatively and experimentally, upgrade using the firmware update, then
drop to a root shell and issue the following commands.
.. code-block::
# opnsense-update && reboot
At this point, using any of the two methods, you should be on OPNsense
15.1.7-78bdb9aef FreeBSD 10.1-RELEASE-p6.
This is the official change log:
* Fix integer overflow in IGMP protocol `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:04.igmp.asc>`__
* Fix vt(4) crash with improper ioctl parameters `[2] <https://security.freebsd.org/advisories/FreeBSD-EN-15:01.vt.asc>`__
* Updated base system OpenSSL to 1.0.1l `[3] <https://security.freebsd.org/advisories/FreeBSD-EN-15:02.openssl.asc>`__
* Fix freebsd-update libraries update ordering issue `[4] <https://security.freebsd.org/advisories/FreeBSD-EN-15:03.freebsd-update.asc>`__
* Disabled OpenSSH's High Performance SSH/SCP and None-Cipher extensions to
follow up on several security-related discussions.
* Switched from a heavy Bind installation to a lightweight one to reduce
attack surface.
* Removed and replaced the legacy :code:`check_reload_status` daemon with a
Python-based rewrite.
* Fixed the auto-login console lockout regression introduced in 15.1.6.1.
* Fixed a problem associated with OpenVPN not being able to read passwords
from files.
* Notable ports upgrades: bind-tools 9.10.2, strongswan 5.2.2_1, curl 7.41
plus our LibreSSL fixes for mpd4/mpd5/libpdel.
* Removed PHP-FPM remnants from IPv6 and OpenVPN scripts.
* Fixed several OpenSSL invokes to use the latest port version as opposed
to the base version.
* Improved memory/disc/swap usage on the dashboard.
* Properly set DNS Resolver Advanced defaults.
* Fixed append of custom Unbound scrips.
* Modified the root menu shell to pass through to a real shell when arguments
are given.
* Zapped the spurious "Array" prefix in user-defined aliases.
* Moved the bogons files fetch location to a local mirror.
* The core.git development boot hook has been improved to properly include
/usr/local/etc/rc changes.
* All of our packages are now annotated as coming from our mirror as well as
additional safeguards potentially allowing you to use additional FreeBSD
packages on top of OPNsense.
--------------------------------------------------------------------------
15.1.6.1 (February 21, 2015)
--------------------------------------------------------------------------
QUICK UPDATE: A regression sneaked into the release that renders the console
unusable when "System: Advanced: Admin Access: Console menu protection" is
being disabled. As far as we can see, this does not effect anything but the
console login so you should be able to log back in and recheck the option to
get it back (even though you will have to type the username/password).
What an intense week. The m0n0wall EoL announcement `[1] <http://m0n0.ch/wall/end_announcement.php>`__ leaves us with a long
TODO list that goes as far as realigning the project, especially in terms of
lowering hardware requirements. We're slowly getting there, but it has only
been a week for us compared to m0n0wall's 12 year track record. We ask for a
little more time and for you to keep discussing challenges and opportunities
through the available communication channels.
Speaking of track records, today we bring you 15.1.6.1, the extra one meaning
we've caught 3 issues during the release process tests and had to essentially
redo the whole thing. No idea if we keep this numbering trick or not, consider
it a little experiment.
The highlights (TL;DR): We now run FreeBSD 10.1 with lots of driver updates
and security patches on top, addressed two CVEs, introduce our base upgrade
tool opnsense-update, new naming scheme for install images and IKEv1 for IPsec.
Acquiring the release:
https://sourceforge.net/projects/opnsense/files/15.1.6.1/
Explaining the naming scheme:
* cdrom: ISO installer image with live system capabilities running in
VGA-only mode
* vga: USB installer image with live system capabilities running in
VGA-only mode
* serial: USB installer image with live system capabilities running in
serial console (115200) mode with secondary VGA support (no kernel
messages there though)
Explaining (experimental) base upgrades:
The preferred method for upgrades is still booting install media, importing
the config through the installer and reinstalling as it is a clean fallback.
Nevertheless, we've pushed a new tool that can be invoked manually on the
command line after the firmware upgrade to 15.1.6.1 has been completed.
To upgrade the base system, as root type
.. code-block::
# opnsense-update
# reboot
The immediate reboot is mandatory, but you are in charge. Again, this is
still experimental, so please report any bugs or strange behaviour running
an older release that has been upgraded in this way. If all hell breaks
loose, the config can still be recovered using the preferred upgrade method
even when the system is broken during the upgrade. And you should always
keep a backup of your config somewhere else...
Change Log 15.1.6:
* Migrated FreeBSD 10.1-RELEASE-p5 plus required custom patches
* Two additional kernel security fixes (thanks to Oliver Pinter/HardenedBSD)
* New naming scheme for installer images: cdrom, serial, vga
* New opnsense-update tool for base system upgrades
* Notable port updates: pkg 1.4.12, bind 9.9.6-P2 `[2] <https://kb.isc.org/article/AA-01235>`__ (CVE-2015-1349),
php 5.6.6 `[3] <https://php.net/ChangeLog-5.php#5.6.6>`__ (CVE-2015-0273), syslogd 10.1
* Fixed wizard default settings and reload/redirect
* DNS forwarder now properly reloads on host overrides updates
* IPFW ruleset reload fix after start/restart of captive portal
* Page contents upload and MIME type for svg images fix in captive portal
* IPsec/Strongswan now supports IKEv1
* Basic plumbing for the MVC framework has been completed
* Fix Copy my MAC address in DHCP service editor
* Removed IPv6 fcgi-fpm leftovers
* Assorted fixes regarding menus, page titles and links
Change Log 15.1.6.1:
* Don't clobber user and group settings when running opnsense-update.
Caused e.g. dhcpd to refuse operation.
* Fix a regression that would prevent e.g. sshd from starting.
* Install opnsense-update by default.
--------------------------------------------------------------------------
15.1.5 (February 10, 2015)
--------------------------------------------------------------------------
We shifted the release back a couple of days to discuss current progress and
the feedback we've gotten and directly review the release process -- it seems
to be "clean enough". ;)
We've updated the bug trackers, added a couple of wiki pages and related
articles with more on roadmap refinement on the way in a day or two. Thank
you for all the responses and kind mentions.
This is a typical maintenance release with ports stable updates and various
core fixes. On the other hand, we are putting a new MVC-based framework in
place to slowly replace the current front end scripting (yep, this is a
request for comments). Here is the full list of changes:
* Removed a spurious user-agent check to restore mobile device support.
* Fixed pop-up window handling for LDAP configuration.
* Fixed several minor GUI bugs in firewall rules and system pages.
* Grab the correct OpenSSL from the system for encrypting/decrypting the
configuration files.
* Message of the day now shows the correct system version.
* Fixed sorting and button for deleting selected rules in NAT pages.
* Notable ports updates: pkg 1.4.10, gettext 0.19.4, libzmq 4.0.5,
ntp 4.2.8p1, ca_root_nss 3.17.4, libsodium 1.0.2
* Groundwork on the MVC-based GUI replacement including examples. This does
not affect the current GUI.
All upgrade methods are viable. The images can be found here:
https://sourceforge.net/projects/opnsense/files/15.1.5/
Upgrade responsibly (swiftly that is),
The OPNsense team
--------------------------------------------------------------------------
15.1.4 (January 31, 2015)
--------------------------------------------------------------------------
So this has been January: an interview on BSDnow, amd64 and i386 images,
+150 followers on Twitter, +3000 downloads and five releases. Yes, five.
We proudly announce our next stable cut: It has been quite calm on the ports
side of things, but there have been many commits in the core adding up to an
incentive to upgrade as soon as possible. And, yes, there are patches
addressing CVEs in FreeBSD. Here is the change log:
* FreeBSD-SA-15:02.kmem `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:02.kmem.asc>`__ (CVE-2014-8612)
* FreeBSD-SA-15:03.sctp `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:03.sctp.asc>`__ (CVE-2014-8613)
* time zone data updated to 2015a `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:03.sctp.asc>`__
* sshd now uses the correct OpenSSH version
* fixed SSL certificate generation issue
* interfaces, unbound, certificates and NAT GUI fixes
* captive portal voucher key regeneration and OpenSSL usage fixed
The images can be found here:
https://sourceforge.net/projects/opnsense/files/15.1.4/
The advised upgrade method is to boot from install media, recover your
device configuration using the import configuration option, then do a
quick/easy install (or a custom one if you did that previously).
Please note that the current firmware upgrade does \*not\* update the kernel and
base system to fix the FreeBSD security advisories. We are actively working on
a solution which also includes discussing using pkgng as the system for such
tasks in the future.
--------------------------------------------------------------------------
15.1.3 (January 24, 2015)
--------------------------------------------------------------------------
This week we took PHP's stable update `[1] <https://php.net/ChangeLog-5.php#5.6.5>`__ as a subtle hint to release another
stable cut. Here are the most prominent changes:
* notable package upgrades: php 5.6.5 and friends, pkg 1.4.7
* added a dropdown searchbox for interfaces in rules screen
* fixed the missing theme issue when importing older configurations
* fixed a bug with the user manager
* firmware upgrades stabilisation pass
* various bootstrap enhancements
Firmware upgrade via the GUI is feasible, images can be found here as well:
https://sourceforge.net/projects/opnsense/files/
We are actively looking for feedback of your upgrade experiences.
--------------------------------------------------------------------------
15.1.2 (January 18, 2015)
--------------------------------------------------------------------------
Some of you have been wondering; now wonder no more: the next stable release
is here. From the changelog:
* firmware upgrade experience improvements
* FreeBSD SA-15:01 with multiple OpenSSL fixes
* OpenSSL from ports now brings you the latest and greatest 1.0.1l
* pkg 1.4.6 hot off the press
The images can be found here: https://sourceforge.net/projects/opnsense/files/
This is mostly motivated by the latest OpenSSL issues, although I must say we
work on giving LibreSSL a chance soon and make a final decision about the
library that we are going to stick to from 15.7 on. Any help here is
appreciated. :)
Recommended ways of upgrade:
Upgrade via the GUI, make sure you restart the box so that no service will
run on vulnerable binaries. The base OpenSSL will \*not\* be updated at this
point, so if you don't fully trust the port just yet try the second method.
Or:
Take your favourite image, boot up the device or VM with the new install
image. In the installer, choose "Import Configuration" and if all is well,
continue with the Easy/Quick install. This way makes sure all of the base
system is replaced.
--------------------------------------------------------------------------
15.1.1 (January 12, 2015)
--------------------------------------------------------------------------
First of all we are grateful for the successful launch of OPNsense. Thank
you all for the enthusiastic reactions and support! We appreciate your
feedback and if you want to help out with testing, coding or documentation
you are invited to do so. Let's make OPNsense the best open source firewall
together.
To fix some bugs we release the OPNsense version 15.1.1 as an intermediate
patch release. Here is the full changelog:
* i386 images added
* added architecture awareness to the build system
* ports updated: pkg 1.4.4, strongswan 5.2.2, libssh2 1.4.3_5,2,
libffi 3.2.1, libevent2 2.0.22, freetype2 2.5.5, curl 7.40.0,
bind99 9.9.6P1_3
* Added template engine for new features
* Several bug fixes and enhancements `[2] <https://github.com/opnsense/core/issues>`__ (#6, #7, #8, #9, #17, #19, #20, #21,
#22, #23)
Download `[1] <http://opnsense.org/download/>`__ and use it now!
Because Open makes Sense!
--------------------------------------------------------------------------
15.1 (January 02, 2015)
--------------------------------------------------------------------------
The OPNsense core team is proud to announce that it has released its 15.1
version, nicknamed "Ascending Albatross", of the open source OPNsense
firewall software.
This is the first release by the OPNsense project. Download `[1] <http://opnsense.org/download/>`__ and try it now!
Be sure to visit the project website `[2] <http://www.opnsense.org/>`__ and learn more about us and the
project. The project wants to be a friendly place for users, developers and
partners.
We believe that an open source project should keep its sources and build tools
available for all. OPNsense uses the simple 2-clause BSD license.
Users benefit from the polished installer, rich feature set and modern user
interface. Developers are invited to check out our easy-to-use build tools.
Commercial Support assists in keeping networks fast and secure. The project
welcomes partners to be successful together.
OPNsense(r) is based on FreeBSD 10 and is a fork of pfSense(r) which in its
turn is a fork of m0n0wall(r).
The next major release is 15.7 and is to be released on July 1st 2015. Bug
fixes and security patches will be released when available.
We are looking forward to welcome you in the OPNsense community.
Because Open makes Sense!