New Release Candidate

OPNsense 19.1-RC1 released

Hi there,

For almost four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/19.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
o Full mirror list: https://opnsense.org/download/

Here are the full changes against version 18.7.10:

o system: console port assignment can now assign OPT without LAN
o system: anti-lockout will use OPT1 if LAN is not present
o system: allow creation of combined client/server SSL certificate
o system: gateway monitoring switches to Dpinger with Apinger removed
o system: detect unassigned gateways in static address setups
o system: more advanced gateway monitoring options for Dpinger (contributed by Team Rebellion)
o system: removal of the old notification system in favour of Monit
o system: only allow syslog remote binding to assigned interfaces
o system: disable IP aliases configured with VHID on temporary disable
o system: remove AHCI MSI disable workaround used in FreeBSD 11.1
o system: default gateway switching moves back to general settings
o system: beep sound notification setting moves to misc. settings
o system: limit log line length in log widget
o interfaces: change 6RD/6to4 interface prefix from internal name to physical device
o interfaces: prohibit tracking on 6RD with /64 upstream prefix
o interfaces: remove unneeded use of potentially clashing fe80::1:1 addresses for IPv6 tracking
o interfaces: clear an apparently faulty system DUID when no manual DUID is set
o interfaces: updated custom dhclient-script used for DHCPv4
o interfaces: VIP support for GRE devices
o interfaces: simplify find_interface_ip* functions
o interfaces: remove get_interface_subnet* functions
o interfaces: remove unused get_possible_listen_ips function
o interfaces: link status indicator on assignments page
o interfaces: unify interface removal code
o firewall: switch GeoIP database download to HTTPS
o firewall: find IP reference tool for aliases
o firewall: improve alias page responsiveness with large number of addresses
o firewall: show system errors when reloading aliases
o firewall: NAT port forward logging option and live view support
o firewall: optionally resolve all host names in live view
o firewall: not all states could be removed in diagnostics page
o firewall: clean up unused NAT rule association code
o reporting: improve handling of empty Insight datasets
o reporting: prepare for Python 3 conversion
o firmware: switch default mirror location to HTTPS
o firmware: health check for base and kernel files including version check
o firmware: support base and kernel file size in packages overview
o firmware: /var MFS compatibility on base installation when reboot is deferred
o firmware: command line core lock feature prevents package upgrades
o firmware: internally remember plugins installed or removed in the GUI
o firmware: show last known update log on page open
o firmware: show untrusted repository error in GUI
o firmware: separate chanelogs tab for clarity
o dhcp: refuse setup of instances that have no associated IP address
o dhcp: fix lease time local vs. UTC display in IPv6 leases
o installer: change communication from TCP to named pipes
o installer: fix sporadic segmentation faults in frontend code
o installer: allow config import from ZFS pools
o installer: allow password reset on ZFS pools
o installer: removed a number of unused modules
o ipsec: generate correct config for "Hybrid-RSA + XAuth" (contributed by Max Weller)
o ipsec: reworked strongswan.conf generation
o ipsec: use new interface subnet retrieval code
o monit: support declaring dependencies (contributed by Alexander Werner)
o monit: add Service/Test type relation (contributed by Frank Brendel)
o monit: add CARP status to standard services
o monit: add gateway alerts to standard services
o monit: backend rework to simplify the service
o intrusion detection: support base ruleset overlays and improve logging
o intrusion detection: GeoIP feature in user-defined rules has been removed
o intrusion detection: obey Content-Disposition header
o openvpn: client export rewrite, new export option for The Green Bow
o unbound: reworked slab calculation
o unbound: added statistics page
o unbound: only bind to interfaces or OpenVPN instances, always bind to loopback
o unbound: fix ACL subnet calculation for OpenVPN instances
o unbound: do not generate host entries for OpenVPN instances
o unbound: improve help text wording and general settings layout
o web proxy: parent proxy support (contributed by Michael Muenz)
o wizard: fix checkbox label styling
o mvc: converted reboot, halt and license page to MVC
o mvc: compared-to-field constraint (contributed by Fabian Franz)
o mvc: external clients which set Authorization header now receive raw JSON responses
o mvc: fix empty value check in grid (contributed by Smart-Soft)
o mvc: globally lock config when multiple items are deleted at once
o mvc: volt template JavaScript cleanups
o ui: updated bootstrap-select to version 1.13.3
o ui: collapsible sidebar support in default theme (contributed by Team Rebellion)
o plugins: os-acme-client 1.19[2]
o plugins: os-c-icap 1.7 adds template support (contributed by Michael Muenz)
o plugins: os-dmidecode 1.0 hardware information widget (contributed by Smart-Soft)
o plugins: os-dyndns 1.12 changes HE tunnel broker to newer API (contributed by Dusan Dragic)
o plugins: os-frr switches to FRR 5.0.2, please see below
o plugins: os-l2tp 1.8 interface now selects reachable server address
o plugins: os-pptp 1.8 interface now selects reachable server address
o plugins: os-openconnect 1.3.3[3]
o plugins: os-quagga removed, please use os-frr instead
o plugins: os-nginx 1.6[4]
o plugins: os-rspamd 1.4 allows to set manual spam scores and subject (contributed by Michael Muenz and Fabian Franz)
o plugins: os-snmp removed, please use os-net-snmp instead
o plugins: os-theme-cicada 1.13
o plugins: os-theme-tukan 1.12
o plugins: os-wol 2.1 fixes widget link (contributed by Fabian Franz)
o src: HardenedBSD 11.2-RELEASE-p7[5][6][7]
o src: fix missing transmit visibility for BPF-based listeners in native netmap mode
o src: limit the maximum number of fragments per packet in pf
o src: replace rwlock on PF_RULES_LOCK with rmlock in pf
o src: do not discard UDP6 traffic in Hyper-V adaptors
o src: fix state sync during initial bulk update in pfsync
o src: unbreak dhclient(8) option 26 processing
o src: import APU 1-3 LED kernel module
o ports: krb5 1.17[8]
o ports: php 7.1.26[9]
o ports: sudo 1.8.27[10]
o ports: perl 5.28.1[11]
o ports: suricata netmap forward-compatibility patch (contributed by Sunny Valley Networks)

Known issues and limitations:

o Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration.
o Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
o Monit general settings do not save. A patch exists[12] to remedy this problem: opnsense-patch a2899594
o Issue with IDS migration code creating a spurious crash report. Patch already done for the final 19.1.
o Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.
o Please read the FRR documentation with regard to the required system tunables[13].
o SNMP plugin has been superseded by Net-SNMP plugin.
o ZFS guided installation pending.

The public key for the 19.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvkEFA2+DAhWXfucsgdvZ
8xxkuzNt0nYttTmbRtLVJRKREysOj3/nqBcFWtvLr3ooVhkbxVY7HPLEoicqFdG/
+m5lLR2kI7hnZ2mpkl+/NKSixJaZkqXi5cQCp8KUlE7oOu3d6O5ZtTg4g40Ms8Dp
bQw8oZo3NpBrQK3gEEEzNYgChkZwTrEZ1Y8v8+/3zggh44sqg4vA1j5g9jq3Ldms
3KnulBgettpHIapeAmbtCokaLaXxf4lgQxyUsy077aeNRptDpGG3D5ZQgtIjaYeE
h3u51PaVTL5OY/2uvcTnxR/ZrrHpppkIutUGzGJo9KK0gfrXLi31r9e+xtBJYBdC
FtdefujlV3Cfw1OFpUY/Y1p921xgHftNnrVDk+C9kl+FKf3qvFeyGCbd9V2k1JM2
uXHDwbsjZNPhbxbqtCoCDMbsUjBsfWyAOIoZfXOSmqJQt3jBUvwXKwLKncVh4Tvu
wxJGXNZXk/OCHVQYlx/uzwf5/ly/ApIwMKqr66E7mo0OVkPaME0uCCUJolugu9lI
tW8TJVZryBCQMQ4XhPZkcny22I2oRI5nCu7baRrFNJ8gB8UYUnrIPTIJIhrjrVOg
pFOxSb/tZAqtutFOE8F5+KwcgGlOBOKXPaNrdQ79X4kH7egChPrhm283rfW1oEG6
8rHzvP45S09L8o7OXUddo8UCAwEAAQ==
-----END PUBLIC KEY-----

Please let us know about your experience!

Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/pull/1134
[3] https://github.com/opnsense/plugins/blob/master/security/openconnect/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[5] https://hardenedbsd.org/content/easy-feature-comparison
[6] https://www.freebsd.org/releases/11.2R/relnotes.html
[7] https://www.freebsd.org/releases/11.2R/errata.html
[8] https://web.mit.edu/kerberos/krb5-1.17/
[9] http://php.net/ChangeLog-7.php#7.1.26
[10] https://www.sudo.ws/stable.html#1.8.27
[11] https://metacpan.org/changes/release/SHAY/perl-5.28.1
[12] https://github.com/opnsense/core/commit/a2899594
[13] https://docs.opnsense.org/manual/dynamic_routing.html

SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-amd64.iso.bz2) = 7c0c6cf529cb2f8aa9c29b3645b4ec1e218c292f722941ae9880b009c93e6364
SHA256 (OPNsense-19.1.r1-OpenSSL-nano-amd64.img.bz2) = b355355fc6d10475af2b1c22daa2fd5f5ab78bb375aaf8100a51f087d2447289
SHA256 (OPNsense-19.1.r1-OpenSSL-serial-amd64.img.bz2) = f4d40b1ece162aac97505f8ad1e16271126df11fb1a317a9f431ff4737fe5da8
SHA256 (OPNsense-19.1.r1-OpenSSL-vga-amd64.img.bz2) = f8c860a7e3eb9be61d33da92b021a0f337ad50e00a6ffc1cca793277f1890b63

SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-i386.iso.bz2) = c7b5ced64623416bd56e5337d5212c9af25292a48eb1bb298321e4bb79056c94
SHA256 (OPNsense-19.1.r1-OpenSSL-nano-i386.img.bz2) = 1313645407d810dd7a5dedf4978deaa7c14f4655dee679de572d7a9e853749c0
SHA256 (OPNsense-19.1.r1-OpenSSL-serial-i386.img.bz2) = f44203f5bb6e2dbfe5b524b37e9e53baab0665684cbc215bdc3015e11a79c2bd
SHA256 (OPNsense-19.1.r1-OpenSSL-vga-i386.img.bz2) = a6cfc14b9675563053d6e7733011c381f39e8fb2e10a8a64d60cc7de421ac2db