New OPNsense Release

Ladies and gentlemen!

Today we present to you the latest stable iteration of the 16.7 series focusing on improved reliability and security in all areas and major feature upgrades.

The big news this week is the inclusion of two new fully-featured plugins for Tinc VPN and FTP proxying, the latter being kindly sponsored by EURO-LOG AG[1]. Together with the community we are continuing the trend towards a comprehensive plugins environment based on top of our distinctive MVC GUI framework, with more plugins already in direct development.

Speaking of which, the MVC framework received fine-grained versioning and constraint support as well as completely revamped API error handling and plugin-compatible authentication handling.

Last but not least, enclosed within are third-party software updates, most importantly the latest versions of LibreSSL, Bind, Sudo, OpenVPN, Suricata, PHP and Curl.

A reboot is not strictly necessary, but recommended.

Here are the full patch notes:

  • system: trigger xmlrpc sync before service action
  • system: header redirection security through url_safe()
  • system: “work in progress” indicator for service controls
  • system: always restart apinger to fix configuration apply
  • system: use Etc/UTC when timezone was removed from tzdata
  • system: fix infinite console menu loop on tty close (contributed by Stephane Lesimple)
  • system: SSH launcher rework
  • firmware: only do console update reboot when update went ok
  • firmware: improved usefulness of several GUI status messages
  • firmware: allow inline use of opnsense-update -t
  • firmware: allow to resolve ABI using opnsense-verify -a
  • interfaces: set txcsum6 and rxcsum6 like their IPv4 counterparts
  • firewall: traffic shaper address lists and inversion support
  • firewall: revamped bogons download and verification
  • firewall: properly set NAT reflection helper for IPv6
  • firewall: allow pluggable rules anchors
  • captive portal: increase the database timeout to 30 seconds
  • captive portal: allow custom values for voucher validity and quantity
  • captive portal: fix spurious error on successful login
  • dynamic dns: fix race in page, reminiscent of previous widget correction
  • dynamic dns: log r53 errors to system log file
  • intrusion detection: fix ET open ruleset content
  • openvpn: missing p2p shared key settings for local subnets
  • universal plug and play: prepare for move into plugins
  • mvc: implemented model constraints and migrations
  • mvc: improved error reporting of API failures (contributed by Per von Zweigbergk)
  • mvc: add spinner for row toggle (contributed by Frank Brendel)
  • mvc: pluggable authentication framework
  • mvc: added update-only field type
  • plugins: first release of FTP Proxy (contributed by Frank Brendel)
  • plugins: first release of Tinc VPN
  • ports: pkg 1.9.3[2][3][4][5]
  • ports: bind 9.10.4P4[6]
  • ports: curl 7.51.0[7]
  • ports: libressl 2.4.4[8]
  • ports: lighttpd 1.4.43[9]
  • ports: openvpn 2.3.13[10]
  • ports: pecl-radius 1.4.0b1[11]
  • ports: php 5.6.28[12]
  • ports: sudo 1.8.18p1[13]
  • ports: suricata 3.1.3[14]

Stay safe,
Your OPNsense team