New OPNsense Release

Dear all,

We are deliberately not waiting for OpenSSL to announce their new version today, as the round-trip time for incorporating patches and updates into FreeBSD, and possibly LibreSSL as well, would likely delay an update to next week. We will simply do a 16.7.5 next week too and let 16.7.4 stand on its own feet.

The prominent theme of this update is CARP. We have identified a number of issues with the way it was being set up and reverted the process back to what BSD standards recommend. We have a shiny new test lab to preview and scrutinise these changes in a larger environment. The tests were promising. Let us know what you think!

Another change is the introduction of the Intel Gigabit driver plugin, based on the stock driver code version 7.6.2, as multiple reports popped up regarding driver reliability. If you are having trouble with CARP or intrusion detection IPS mode on your em(4) driver, try installing the new plugin and reboot to activate it.

The full list of changes is as follows:

  • system: SSH-enabled installer and associated changes
  • system: deprecate DSA keys as per OpenSSH recommendation
  • system: reworked config import / export for consistency
  • system: reboot after config import is now selectable
  • system: fix improper escape of HTML entities in log file filter
  • system: handle legal boolean return result from searchUsers() (contributed by Evgeny Bevz)
  • system: add dynamic DNS update to cron
  • system: fix race in php.ini setup
  • system: always keep repository configurations on core package deinstall
  • system: properly trigger filter reload on HA peer
  • system: add ordering to rc.syshook scripting facility
  • system: add missing parameter for LDAPS authentication server
  • firewall: change CARP to operate using BSD standards to fix several edge cases and reported issues
  • firewall: fix validation of redirection in NAT
  • firewall: redirect target IP selection can now use aliases
  • firewall: simplify empty rules message in interface rules tabs
  • interfaces: do not attempt to fix the MAC address of a broken NIC
  • interfaces: adapt validation of PPP to not require idle timeout to be set
  • interfaces: add missing help toggle to settings page
  • services: DHCP lease pages show MAC manufacturers without Nmap install
  • services: improve cleanup of multiple captive portal zones
  • services: fix writing empty DNS resolver ACL
  • reporting: automatic database repair added
  • lang: translation improvements (contributed by Simon Brunet, Antonio Prado and Fabian Franz)
  • lang: updates for French, German, Italian and Spanish
  • plugins: add stock Intel e1000 driver version 7.6.2 as “os-intel-em” (requires a reboot)
  • plugins: lower early start priorities of VMware and Xen plugins
  • ports: haproxy 1.6.9[1], hyperscan 4.3.1[2], suricata 3.1.2[3], phalcon 3.0.1[4], samplicator 1.3.8rc1

Stay safe,
Your OPNsense team


[1] http://www.haproxy.org/download/1.6/src/CHANGELOG
[2] https://github.com/01org/hyperscan/blob/master/CHANGELOG.md
[3] https://suricata-ids.org/2016/09/07/suricata-3-1-2-released/
[4] https://github.com/phalcon/cphalcon/releases