OPNsense 17.1.3

Mar 20, 2017

New OPNsense Release

OPNsense 17.1.3 released


Greetings,

A dozen bug fixes meet several dozen new features and enhancements, literally! This update is about making OPNsense more flexible with the tools that everybody knows: firewall management, DNS services and Let’s Encrypt.

This is also the stepping stone for providing new images based on 17.1 because the Hyper-V disk disappearance has now been fixed upstream: a big thank you to Microsoft and FreeBSD for providing updates! The vt(4) console driver migration is still underway, as is the work on applying SafeStack for the amd64 architecture and chasing down an IPsec regression with FreeBSD 11.0. More on this next time, stay tuned.

Here is the full list of changes:

  • system: allow up to 32 characters in user and group names
  • system: mute cron job output to prevent spurious system mails
  • system: fix scrambled password option on user
  • system: add captive portal session backup
  • system: fix CRL certificate count display
  • firmware: add mirror via Universidad Pontificia Bolivariana (Medellin, CO)[1]
  • firmware: add mirror via DMC Networks (Lincoln NE, US)[2]
  • firewall: add modulate state as an option for state tracking (contributed by Ian Matyssik)
  • firewall: add ruleset optimization option for better performance (contributed by Ian Matyssik)
  • firewall: improved the log widget (contributed by Fabian Franz)
  • firewall: port forwarding enhancements for tag, pool options and target subnet
  • firewall: allow virtual interfaces as interface group members and move to firewall section
  • firewall: allow port alias nesting
  • captive portal: improved ARP parsing
  • dyndns: support Google Domains (contributed by Alasley)
  • intrusion detection: improve ruleset selection indicators
  • openvpn: do not double-encode client auth credentials
  • openvpn: validate IPv4 CIDR more strictly to prevent startup error
  • openvpn: do not offer external CA for selection
  • rfc 2136: allow selection of record type (contributed by Elias Werberich)
  • unbound: option to not register IPv6 link-local addresses (contributed by Ian Matyssik)
  • unbound: do not explicitly register loopback when selected as listening interface
  • unbound: add serve-expired option
  • web proxy: update for non-transparent SSL bumping (contributed by Mikhail Morev)
  • web proxy: add notice to inform the user about the need to download new list
  • lang: Chinese updated to 100% completed (contributed by Tianmo)
  • lang: Portuguese (Portugal) updated to 100% completed (contributed by Carlos Meireles)
  • lang: updates for German, French and Dutch
  • mvc: add boolean type to tables (contributed by Frank Brendel)
  • mvc: handle backend execution error more gracefully
  • mvc: added test for existing API method
  • mvc: send booleans as strings, not integers in API forms
  • mvc: allow dynamic hiding of sections in forms via model
  • plugins: register group interface type for PPTP, L2TP and PPPoE
  • plugins: add lifetime expiry for Universal Plug and Play rules
  • plugins: Let’s Encrypt version 1.2 (contributed by Frank Wall)[3]
  • installer: do not configure console when /dev/ttyv0 is unavailable
  • installer: console settings now support vt(4) instead of syscons(4)
  • src: fix system hang when booting when PCI-express HotPlug is enabled[4]
  • src: fix NIS master updates are not pushed to NIS slave[5]
  • src: fix compatibility with Hyper-V/storage after KB3172614 or KB3179574[6]
  • src: make makewhatis output reproducible[7]
  • src: fix multiple vulnerabilities of OpenSSL[8]
  • src: properly build i386 with netmap(4) device to fix IPS mode
  • src: tzdata updated to version 2017a[9]
  • ports: php 7.0.16[10]
  • ports: phalcon 3.0.4[11]
  • ports: ca_root_nss 3.29.3
  • ports: sqlite 3.17.0[12]
  • ports: curl 7.53.1[13]
  • ports: unbound 1.6.1[14]

Stay safe,
Your OPNsense team


[1] https://www.upb.edu.co/
[2] http://dmcnet.net/
[3] https://github.com/opnsense/plugins/pull/76
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-17:01.pcie.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-17:02.yp.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-17:03.hyperv.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-EN-17:04.mandoc.asc
[8] https://www.freebsd.org/security/advisories/FreeBSD-SA-17:02.openssl.asc
[9] http://mm.icann.org/pipermail/tz-announce/2017-February/000045.html
[10] http://php.net/ChangeLog-7.php#7.0.16
[11] https://github.com/phalcon/cphalcon/releases/tag/v3.0.4
[12] https://www.sqlite.org/changes.html
[13] https://curl.haxx.se/changes.html
[14] http://www.unbound.net/download.html