Happy new year everyone,

We’re back, and we have a lot of neat changes and security updates for you. Most notably, the firewall pages received a lot of subtle tweaks to improve user experience. Secondly, the firmware pages gained the plugins management feature. And last but not least, the kernel and base upgrade gained better signature support[1] that ties right into FreeBSD’s pkg verification mechanism. How cool is that!

We’d like to use this opportunity to thank four of our regular contributors who’ve helped us to advance further than we could have dreamed. A big thank you to Manuel Faux, Fabian Franz, Frank Wall and Andreas Martin! And no, we do not make these up as we go. 😉

Here are the full patch notes:

  • ports: suricata 2.0.11[2], dhcp6 20080615_5[3], lighttpd 1.4.39[4]
  • ports: syslogd 10.2, mpd 5.8[5], ca_root_nss 3.21, dnsmasq 2.75_1[6]
  • ports: ntp 4.2.8p5[7], php 5.6.17[8], python 2.7.11_1[9]
  • ports: miniupnpd 1.9.20151212, openvpn 2.3.10[10]
  • opnsense-update: add opnsense-verify and opnsense-sign
  • opnsense-update: improve verification of signatures of kernel and base upgrades
  • menu: bring back dashboard entry due to popular demand
  • menu: fix interface listing error when its description is empty
  • menu: moved license file to lobby section for visibility
  • menu: order VPN services for icon adjustment (contributed by Fabian Franz)
  • menu: renamed “config manager” to “configuration” and “certificate manager” to “trust”
  • language: multiple translation improvements (contributed by Fabian Franz and Andreas Martin)
  • language: fix behaviour of numerous apply buttons when using a non-English translation
  • dashboard: don’t display widget headers when the actual widgets are no longer installed
  • backend: fix issue when configd target pattern cannot be found
  • carp: fix support for OpenVPN clients
  • system: remove the old FTP proxy implementation (use proxy server service instead)
  • system: pin down listbox size to unhide the search field
  • health: tidy up the layout by removing visual blockers and general bumpiness
  • access: fix setting of default values for new users
  • access: fix padding on user listing page
  • access: adjusted file type of API credentials to fix Chrome’s download blues (contributed by Fabian Franz)
  • configuration: fix replay of configuration backups
  • interfaces: fix redirect after applying an interface’s configuration
  • trust: properly set certificate digest algorithm in form after creation error
  • gateways: bring back display of descriptions (contributed by Frank Wall)
  • load balancer: bring back display of descriptions (contributed by Frank Wall)
  • ipsec: fix RSA authentication method check
  • ipsec: finally brought back lease display in widgets and status page
  • proxy: add configurable cache_mem setting
  • unbound: honour the “register DHCP leases in DNS” option (contributed by Manuel Faux)
  • unbound: reorder advanced features inclusion
  • dynamic dns: allow custom entries to set hostname to be used in e.g. OpenVPN exports
  • dynamic dns: updated cloudflare service binding
  • firewall: fix saving of zero values on virtual IP page
  • firewall: fix label for option source/invert in rules edit page (contributed by Frank Wall)
  • firewall: show warning banner on related pages when firewall is globally disabled (contributed by Manuel Faux)
  • firewall: add interface groups to firewall rules and port forwarding
  • firewall: add matching behaviour indicator for floating rules (contributed by Fabian Franz)
  • firewall: make quick matching behaviour the default for floating rules
  • firewall: fix spurious error when migrating alias from one interface to the next
  • firewall: sort alias listing for better overview
  • firewall: fix header alignment for schedule repeat section
  • firmware: added display of major announcements on the firmware page
  • firmware: added reinstall / (un)lock buttons for installed packages
  • firmware: added plugin listing to page with install / remove buttons
  • firmware: restructured the backend and improved its resilience
  • firmware: show the download size of the pending update in the update check response
  • firmware: added update verification signature for the upcoming 16.1 release series
  • captive portal (devel): fix text of two help messages (contributed by Fabian Franz)

Stay safe,
Your OPNsense team

[1] https://github.com/opnsense/update#opnsense-sign--opnsense-verify
[2] http://suricata-ids.org/2015/12/21/suricata-2-0-11-available/
[3] https://github.com/freebsd/freebsd-ports/commit/7f6883d1dd
[4] https://www.lighttpd.net/2016/1/2/1.4.39/
[5] http://mpd.sourceforge.net/doc5/mpd4.html#4
[6] https://reviews.freebsd.org/D4813
[7] http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
[8] http://www.php.net/ChangeLog-5.php#5.6.17
[9] https://bugs.python.org/issue20397
[10] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.10