New OPNsense Release

OPNsense 16.1.16 New Dashboard


It has been a long journey for HardenedBSD and OPNsense, and finally the paths start to merge as the splendid and battle-proven ASLR implementation gets incorporated into the default installation! It is just the beginning, as we will start to leverage the extra security by enabling position-independent execution in 16.7 and merge more security-related features. We again thank the HardenedBSD team for their continued efforts in making this world a safer place.


In other news, there is a thoroughly revamped dashboard for you to enjoy and a handful of security fixes in FreeBSD and the ports ecosystem. LibreSSL has been updated to the latest production release and the BETA version is progressing nicely as we change our working mode from “rework all the things” to “polish all the things”. A release candidate is coming up soon.

Here are the patch notes for 16.1.16:

  • src: merged and enabled HardenedBSD’s ASLR implementation[1]
  • src: kernel stack disclosure in Linux compatibility layer[2]
  • src: kernel stack disclosure in 4.3BSD compatibility layer[3]
  • src: directory traversal in cpio[4]
  • ports: libressl 2.3.5[5], phalcon 2.0.13[6], dnsmasq 2.76[7]
  • ports: apinger 0.7[8], curl 7.49[9], bind 9.10.4-p1[10]
  • ports: php 5.6.22[11], sqlite 3.13[12], ntp 4.2.8p8[13]
  • dashboard: movable widgets, multi-column support and improved look and feel
  • system: improved CSRF handling
  • system: allow far gateway support for non-subnet gateways
  • system: fix null routes add / delete
  • system: user/group privilege selection improvements
  • system: fix missing cron job for GUI lock / expire
  • firmware: adds opnsense-patch tool for simple upstream repo patch apply
  • dns resolver: fix AAAA record save
  • dns forwarder: add custom port option for domain overrides
  • firewall: for us bogons do not extend to private networks
  • firewall: fix schedule clone when in use
  • interfaces: remove explicit ath(4) long distance support
  • interfaces: removed SVG traffic graphs in favour of modern replacements
  • captive portal: allow to drop all expired vouchers
  • cron: fix parameter ignore
  • layout: “Stacked-to-horizontal” emulation for mobile view
  • layout: consistent tooltip button placement
  • layout: fix footer on small screen size
  • plugins: fix HAProxy X-Forwarded-For header option

And here is the change log for 16.7 BETA:

  • interfaces: interface-based plugin system used by OpenVPN and IPSec
  • interfaces: removed complex PPPoE reset handling by optional cron job
  • plugins: allow local socket in chroot’ed services
  • plugins: removed L2TP, PPTP and PPPoE servers from core
  • firmware: allow resume for update page
  • firmware: dump / restore package database on shutdown / boot
  • firewall: removed proxy NAT reflection mode
  • firewall: properly start/stop proxy ARP daemons
  • firewall: implement flexible scrub / normalisation config pages to zap hidden scrubbing code
  • firewall: removed “match” action from floating rules, no FreeBSD support
  • firewall: removed negate rules that would magically prevent load-balancing VPN links
  • system: migrated new cron handling to do privilege separation where possible
  • system: better branding support for boot loader on package install / remove
  • system: remove single forward GUI item for RFC 2893, can be set in NAT just as well
  • router advertisements: allow to set mode and min / max intervals

Stay safe,
Your OPNsense team