New OPNsense Release

OPNsense Business Edition 22.10 released

The OPNsense business edition transitions to this 22.10 release including
the upgrade to FreeBSD 13.1, PHP 8.0, Phalcon 5, MVC/API conversions for IPsec,
Unbound and notifications, firewall alias support for BGP ASN, new APCUPSD and
CrowdSec plugins plus much more.

Please make sure to read the migration notes before upgrading.

Download link is as follows.  An installation guide[1] and the checksums for
the images can be found below as well.

https://downloads.opnsense.com/

This business release is based on the OPNsense 22.7.6 community version
with additional reliability improvements.

Here are the full patch notes:

o system: changed certificate revocation to use the phpseclib library
o system: performance improvement for set_single_sysctl()
o system: restart syslog fully and only once after all services have been started
o system: new setting for deployment mode to control PHP error flow
o system: /tmp MFS now uses a maximum of 50% of RAM by default and can be adjusted
o system: /var MFS becomes /var/log MFS and uses a maximum of 50% of RAM by default and can be adjusted
o system: previous special /var MFS content is now permanently stored under /var to ensure full operability
o system: protect syslog-ng against out of memory kills
o system: add filter to system log widget (contributed by kulikov-a)
o system: disable RRD and NetFlow shutdown backups by default
o system: render interfaces in convert_config()
o system: move remote backup script to proper file system location
o system: Net_IPv6::compress() should not compress "::" to ""
o system: remove last bits of circular logging (CLOG) support
o system: removed legacy Diffie-Hellman parameter handling
o system: IXR_Library using incorrect constructor format for PHP 8
o system: fix regression in config backup due to timestamp key rename
o system: fix assorted warnings generated by PHP 8
o system: do not reload Unbound/Dnsmasq hosts configuration by default
o system: use proper CRL id-ce-cRLReasons extension keyword 'unspecified'
o system: remove dead code from login form
o system: replace static notices system with a shared one based on MVC/API code
o system: use new _setup script feature where setup.sh exists
o system: PHP 8 issue when ldap_get_entries() returns false
o system: wrong variable in scope addition on manual DNS server via link-local gateway
o system: "passwordarea" support for sensitive backup values
o system: migrate CRL handling to phpseclib 3
o system: run monitor reload inside system_routing_configure()
o system: fix IPv6 link-local HTTP_REFERER check (contributed by Maurice Walker)
o system: fix assorted PHP 8 warnings in the codebase
o system: extend nameservers script return for debugging purposes, i.e. "configctl system list nameservers debug"
o system: lighttpd obsoletion of server listing directive, disabled by default
o system: decode stored CRL data before display (contributed by kulikov-a)
o system: work around phpseclib 3 flagging RSA-PSS as an invalid key algorithm
o system: check for existing X509 class before doing CRL update
o system: enforce RFC 8446 by requiring TLS_AES_128_GCM_SHA256 for TLS 1.3
o system: consider CRL end dates after 2050 as "lifetime" in GeneralizedTime format
o system: revert the default CRL hashing back to what it was in phpseclib 2
o system: match TLS cipher suites and commands in web GUI settings (contributed by kulikov-a)
o system: improve error message of CRL validation failure (contributed by kulikov-a)
o system: fix phpseclib 3 use for CSR parsing on certificates page
o system: add the default "-c" option to backend pluginctl invokes for consistency
o system: rework console port assignment regarding wireless handling
o system: remove stray installer account from fresh 22.7 installations
o system: only use withPadding() for RSA based public keys in CRL code
o system: remove unnecessary crl_update() calls in CRL code
o system: extend pool options support in gateway groups
o system: move get_searchdomains() to ifctl use and allow FQDN
o system: add replacement hook for rc.resolv_conf_generate script
o system: replace "dns reload" backend call with portable alternative
o system: remove obsolete rc.resolv_conf_generate script
o system: bring back the buttons action in OpenVPN dashboard widget (contributed by kulikov-a)
o system: assorted cleanups for IXR library used for XMLRPC
o system: catch errors in RSS dashboard widget
o system: stop reading product info from global $g variable in system information dashboard widget
o system: structurally improve boot sequence with regard to hosts/resolv.conf generation
o system: add keyUsage extension and follow RFC on basicConstraints in CA config (contributed by kulikov-a)
o system: fix inconsistent is_crl_internal() implementation
o system: make sure we always generate a CRL when saved
o system: sandbox code handling CRL manipulation in the CRL manager page
o system: wrap global product information handling into a singleton
o system: move get_nameservers() to ifctl use
o reporting: traffic graph polling interval selection and UX tweaks
o interfaces: refactored LAGG, wireless and static ARP handling
o interfaces: provide automatic startup of Loopback, IPsec, OpenVPN, VXLAN devices
o interfaces: removed the side effect reliance on /var/run/booting file
o interfaces: add dynamic reload of required devices
o interfaces: add WPA enterprise configuration for infrastructure mode (contributed by Manuel Faux)
o interfaces: auto-detect far gateway requirement for default route
o interfaces: switch to MVC/API variant for DNS lookup page
o interfaces: refactor DHCP and PPPoE scripts to use ifctl exclusively
o interfaces: prevent the removal of default routes in dhclient-script
o interfaces: fix inconsistencies in wireless handling
o interfaces: fix unable to bring up multiple loopback (contributed by Johnny S. Lee)
o interfaces: fix unable to bring up multiple VXLAN
o interfaces: check if int before passing to convert_seconds_to_hms()
o interfaces: disable IPv6 inside 4in6 and 4in4 GIF tunnels (contributed by Maurice Walker)
o interfaces: ping diagnostics tool must explicitly set IP version (contributed by Maurice Walker)
o interfaces: remove other inconsistencies regarding ping utility changes in FreeBSD 13
o interfaces: correct regex validation for dhcp6c expire statement (contributed by Josh Soref)
o interfaces: fix issues with PPP uptime display in PHP 8
o interfaces: add iwlwifi(4) to wireless devices
o interfaces: hide nonexistent MAC info on wireless edit page
o interfaces: stop DHCP from calling rc.newwanip when no changes are being done
o interfaces: bring routes back unconditionally after reconfiguring 6to4/6rd IPv6 connectivity
o interfaces: GIF/GRE IPv6 default remote network size selection is now "128" instead of "64"
o interfaces: fix wireless clone assignment regression in 22.7.1
o interfaces: update ifctl utility to latest version
o interfaces: update link-local matching pattern
o interfaces: PPP is an exception, only created after interface configuration
o interfaces: only remove known primary addresses in interface_bring_down()
o interfaces: improve shell banner address return in prefix-only IPv6 case
o interfaces: improve problematic <wireless/> node handling
o interfaces: DHCP does not signal RELEASE
o interfaces: web GUI locale sorts files differently when invoking ifctl
o interfaces: improve legacy_interface_listget()
o interfaces: only parse actual options in legacy_interfaces_details(), not nd6 options
o interfaces: configure all hardware features for present devices
o interfaces: bring up IPv6 device manually since SLAAC will not do that automatically
o interfaces: merge DHCPv4 / DHCPv6 buttons on overview page (contributed by Maurice Walker)
o interfaces: add support for requesting DNS info via stateless DHCPv6 (contributed by Maurice Walker)
o interfaces: migrate wireless creation to legacy_interface_listget()
o interfaces: port 6RD/6to4 to ifctl use
o interfaces: optionally use reverse DNS resolution for ARP table hostnames (contributed by soif)
o interfaces: allow user-configurable VLAN device names with certain restrictions[2]
o interfaces: small cleanup on get_real_interface()
o firewall: improved port alias performance
o firewall: obsoleted notices inside the synchronization code
o firewall: support logging in NPT rules
o firewall: append missing link-local to inet6 :network selector
o firewall: move inspect action into its own async API action to prevent long page loads
o firewall: performance improvement for reading live log
o firewall: add general firewall log for alias and filter system log messages
o firewall: do not emit link-local address on IPv6 network outbound NAT
o firewall: add BGP ASN type to aliases[3]
o firewall: implement a router file read fallback for new ifctl :slaac suffix
o firewall: stick-address only in effect with pool option and multiple routers
o firewall: remove dead pptpd server code
o firewall: support TOS/DSCP matching in firewall rules
o firewall: add os-firewall alias paths in getAliasSource() to prevent removal when being used
o firewall: get lockout interface from get_primary_interface_from_list()
o firewall: fix PHP 8 error in port forwarding page
o firewall: fix PHP 8 error in aliases (contributed by kulikov-a)
o firewall: parse pftop internal data conversion (contributed by kulikov-a)
o firewall: simplify port forward rule logic for delete and toggle and make sure to toggle firewall rule as well
o firewall: various performance and usability improvements in live log
o firewall: extend all firewall rules with a UUID to align with MVC code upon edit
o captive portal: lighttpd deprecation of legacy SSL options, disabled by default
o dhcp: no longer automatically add a link-local address to bridges if IPv6 service is running on it
o dhcp: allow running relay service on bridges
o dhcp: clean up IPv6 prefixes script
o dhcp: include ddns-hostname and other cleanups (contributed by Sascha Buxhofer)
o dhcp: remove duplicated ddnsupdate static mapping switch
o dhcp: remove print_content_box() use
o dhcp: switch to shell-based DHCPv6 lease watcher
o dhcp: rewrite prefix merge for dynamic IPv6 tracking to support bitwise selection
o dhcp: do not advertise DNS domain when DNS router advertisements are disabled (contributed by Patrick M. Hausen)
o dhcp: extend search list pull from DHCPv6 in router advertisements DNS option
o dhcp: improve UI for disabling DNS part of router advertisements (contributed by Patrick M. Hausen)
o dhcp: pushed wrong server to zone definition on local DNS selection
o dhcp: allow rapid-commit message exchange in IPv6 server (contributed by Maurice Walker)
o dnsmasq: switch to a Python-based DHCP lease watcher
o dnsmasq: restart during "newwanip" event
o firmware: console script can now show changelog using "less" before update
o firmware: disable crash reporter in development deployment mode
o firmware: limit changelog-based update check on dashboard to release version
o firmware: provide an upgrade log audit
o firmware: opnsense-patch: only remove ".sh" suffix for installer and update repos
o firmware: opnsense-update: only set packages marker after successful upgrade
o firmware: opnsense-bootstrap: set correct packages marker
o firmware: revoke 22.1 fingerprint
o firmware: major upgrade "pkgs" set was still unknown to plugin sync
o firmware: opnsense-update: return subscription key via -K if it exists
o firmware: display license validity when applicable in business edition
o firmware: remove faulty changelog to force a clean refetch
o intrusion detection: fix enable rule button and present active detail overwrite if present
o intrusion detection: missing OPNsense categories
o ipsec: add "IPv4+6" protocol for mobile phase 1 entries (contributed by vnxme)
o ipsec: mobile property boolean duplication in phase 2
o ipsec: remember phase 1 setting for next action
o ipsec: switch to MVC/API variants of SPD, SAD and connection pages
o ipsec: small UX tweaks in status page
o ipsec: fixed widget link (contributed by Patrik Kernstock)
o ipsec: allow to set rightca in mobile phase 1 with EAP-TLS
o ipsec: fix multiple phase 2 IP addresses on the same interface (contributed by Wagner Sartori Junior)
o ipsec: ACL fix for sessions users
o openvpn: pinned Diffie-Hellman parameter to RFC 7919 4096 bit key
o unbound: do not start DHCP watcher immediately after daemonizing Unbound itself
o unbound: improve FQDN handling when address is moving in DHCP watcher
o unbound: prevent DNS rebinding check and DNSSEC validation on explicit forwarded domains
o unbound: restrict creation of PTR records for both the system domain and host overrides
o unbound: add AAAA-only mode (contributed by Maurice Walker)
o unbound: account for hostname during PTR creation
o unbound: maintain a consistent dnsbl cache state
o unbound: reduce blocklist read timeout (contributed by kulikov-a)
o unbound: support setting type value for DNS over TLS/Query Forwarding API (contributed by kulikov-a)
o unbound: convert advanced settings to MVC/API
o web proxy: update pattern to zst for the Arch packages (contributed by gacekjk)
o console: store UUID for VLAN device
o lang: bring back Italian and update all languages to latest available translations
o lang: fix reported issues with Italian and French translations
o lang: fix syntax errors in French translation (contributed by kulikov-a)
o mvc: bugfix search and sort issues for searchRecordsetBase()
o mvc: add support for non-persistent (memory) models
o mvc: throw when no mount found in model (contributed by agh1467)
o mvc: store configuration changes only when actual changes exist
o mvc: remove stray error_reporting(E_ALL) calls
o mvc: remove "clear all", "copy" and "paste" options when only a single entry is allowed
o mvc: fix typo in searchRecordsetBase()
o mvc: prevent UserExceptions from ending up in the crash reporter
o ui: removed Internet Explorer support
o ui: bootstrap-select ignored header height
o ui: merge option objects instead of replacing them in bootgrid (contributed by agh1467)
o ui: correct required API for command-info in bootgrid (contributed by agh1467)
o ui: add catch undefined TypeError in SimpleActionButton (contributed by agh1467)
o ui: fix assorted typos in the code base (contributed by Josh Soref)
o ui: handle HTTP 500 error gracefully in MVC pages
o ui: fix type cast issue in Bootgrid
o plugins: os-acme-client 3.13[4]
o plugins: os-apcupsd 1.0[5] (contributed by David Berry, Dan Lundqvist and Nicola Pellegrini)
o plugins: os-bind 1.24[6]
o plugins: os-boot-delay is no longer available[7]
o plugins: os-crowdsec 1.0.1[8]
o plugins: os-ddclient 1.9[9]
o plugins: os-freeradius 1.9.21[10]
o plugins: os-frr 1.30[11]
o plugins: os-git-backup fixes git binary variable use and hides SSH keys by default
o plugins: os-haproxy fixes deprecation notes in PHP 8 (contributed by Gavin Chappell)
o plugins: os-haproxy 3.11[12]
o plugins: os-maltrail 1.9[13]
o plugins: os-munin-node 1.1[14]
o plugins: os-netdata 1.2[15]
o plugins: os-nginx 1.30[16]
o plugins: os-postfix disables GSSAPI for the time being[17]
o plugins: os-tayga 1.2[18]
o plugins: os-web-proxy-useracl is no longer available, no updates since 2017
o plugins: os-wireguard 1.12[19]
o plugins: os-zabbix-agent 1.13[20]
o plugins: os-zabbix-proxy 1.9[21]
o src: axgbe: also validate configuration register in GPIO expander
o src: pf: ensure that pfiio_name is always nul terminated
o src: pf: make sure that pfi_update_status() always zeros counters
o src: igc: change default duplex setting
o src: lib9p: remove potential buffer overwrite in l9p_puqids()[22]
o src: vm_fault: shoot down shared mappings in vm_fault_copy_entry()[23]
o src: elf_note_prpsinfo: handle more failures from proc_getargv()[24]
o src: pam_exec: fix segfault when authtok is null[25]
o src: kevent: fix an off-by-one in filt_timerexpire_l()[26]
o src: cam: keep periph_links when restoring CCB in camperiphdone()[27]
o src: pfctl: fix FOM_ICMP/POM_STICKYADDRESS clash
o src: restrict default /root permissions to 750
o src: rc: add ${name}_setup script support
o src: zlib: fix a bug when getting a gzip header extra field with inflate()[28]
o src: tzdata: import tzdata 2022b and 2022c[29]
o src: FreeBSD 13.1-RELEASE[30]
o src: ifconfig: print interface name on SIOCIFCREATE2 error
o src: igc: do not start in promiscuous mode by default
o src: tcp: correctly compute the retransmit length for all 64-bit platforms
o src: tcp: fix cwnd restricted SACK retransmission loop
o src: tcp: fix computation of offset
o src: tcp: send ACKs when requested
o ports: curl 7.85.0[31]
o ports: dnsmasq 2.87[32]
o ports: expat 2.4.9[33]
o ports: isc-dhcp 4.4.3P1[34]
o ports: ldns 1.8.3[35]
o ports: liblz4 1.9.4
o ports: libxml 2.10.2[36]
o ports: lighttpd 1.4.67[37]
o ports: nss 3.83[38]
o ports: phalcon 5.0.3[39]
o ports: php 8.0.24[40]
o ports: phpseclib 3.0.16[41]
o ports: python 3.9.15[42]
o ports: rrdtool 1.8.0[43]
o ports: sqlite 3.39.3[44]
o ports: squid 5.7[45]
o ports: strongswan 5.9.8[46]
o ports: sudo 1.9.12p1[47]
o ports: suricata 6.0.8[48]
o ports: syslog-ng 3.38.1[49]
o ports: unbound 1.16.3[50]

Known issues and limitations:

o The DH parameter is no longer available in OpenVPN server configuration and now fixed to the RFC 7919 4096 bit key.  The only downside may be lower performance on older machines.
o The infamous /var MFS feature was reduced to the /var/log scope in order to avoid future issues with plugins requiring persistent storage under /var.  In practice people who used /var MFS had no benefit from it with software that required persistent storage under /var to operate in the first place.  Periodic configuration file writes to /var are negligible on SSD-based systems.
o The os-dyndns plugin is still available because ddclient has not published a non-development release since os-ddclient was started.  Availability thereof might change later in 22.7.x.
o The console firmware update will now display text-based changelogs for the update to be installed if available.  Use the arrow keys to scroll the changelog and type "q" to resume the update process.
o The manual DHCPv6 tracking mode now requires a proper prefix range given like its counterpart with a static address.  If a previous prefix ID type input is detected only setting the lower 64 bits of an IPv6 address, a warning is emitted and the ID is treated as the upper 64 bits of an IPv6 address instead.  If your DHCPv6 server does not start please properly fix the given range.
o Empty CRLs (System: Trust: Revocation) created prior to this version were not stored correctly.  This leads to non-working OpenVPN servers when these CRLs are used starting with this version.  To fix this prior to upgrading remove the empty CRL from OpenVPN, or add a dummy certificate to it to populate the CRL properly, or add and remove a random existing certificate to correct the empty CRL.
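A pre-upgrade check for the empty-CRL issue above, added here as an example and not OPNsense project code: it scans a config.xml backup for internal CRLs that revoke nothing and lists the OpenVPN servers referencing them.  The element names it relies on (<crl> with <refid>, <descr>, <method> and <cert> children, and <crlref> inside <openvpn><openvpn-server>) are assumptions about the backup layout, not something the release notes state, and the sample backup is constructed.

```python
"""Find empty internal CRLs in an OPNsense config.xml backup and the
OpenVPN servers that reference them (see the known issue above).

Assumed layout (not taken from the release notes): <crl> entries under the
root with <refid>, <descr>, <method> and zero or more <cert> children;
OpenVPN servers under <openvpn><openvpn-server> referencing a CRL via
<crlref>.
"""
import xml.etree.ElementTree as ET

# Constructed sample backup: one populated CRL, one empty CRL, two servers.
SAMPLE_CONFIG = """<opnsense>
  <crl>
    <refid>crl-populated</refid>
    <descr>vpn-crl</descr>
    <method>internal</method>
    <cert><refid>cert-revoked-1</refid></cert>
  </crl>
  <crl>
    <refid>crl-empty</refid>
    <descr>empty-crl</descr>
    <method>internal</method>
  </crl>
  <openvpn>
    <openvpn-server>
      <vpnid>1</vpnid>
      <description>Road warriors</description>
      <crlref>crl-empty</crlref>
    </openvpn-server>
    <openvpn-server>
      <vpnid>2</vpnid>
      <description>Site to site</description>
      <crlref>crl-populated</crlref>
    </openvpn-server>
  </openvpn>
</opnsense>
"""

def text(node, tag, default=""):
    """Text of a direct child element, or default when absent/empty."""
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else default

def find_empty_crls(config_xml):
    """Return {refid: descr} for internal CRLs that list no revoked certificate."""
    root = ET.fromstring(config_xml)
    empty = {}
    for crl in root.findall("crl"):
        # Imported (external) CRLs carry their revocations as PEM text, not
        # as <cert> children, so only internally managed CRLs are checked.
        if text(crl, "method") == "internal" and crl.find("cert") is None:
            empty[text(crl, "refid")] = text(crl, "descr")
    return empty

def affected_openvpn_servers(config_xml):
    """List (vpnid, description, crl descr) for servers using an empty CRL."""
    root = ET.fromstring(config_xml)
    empty = find_empty_crls(config_xml)
    hits = []
    for srv in root.findall("openvpn/openvpn-server"):
        ref = text(srv, "crlref")
        if ref in empty:
            hits.append((text(srv, "vpnid"), text(srv, "description"), empty[ref]))
    return hits

if __name__ == "__main__":
    for vpnid, descr, crl in affected_openvpn_servers(SAMPLE_CONFIG):
        print(f"server {vpnid} ({descr}) uses empty CRL '{crl}': fix before upgrading")
```

Run it against a backup taken from System: Configuration: Backups by replacing SAMPLE_CONFIG with the file contents; any server it lists should have its CRL populated or detached before upgrading.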

The public key for the 22.10 series is:


Stay safe,
Your OPNsense team

[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/core/issues/6038
[3] https://docs.opnsense.org/manual/aliases.html#bgp-asn
[4] https://github.com/opnsense/plugins/blob/stable/22.7/security/acme-client/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/22.7/sysutils/apcupsd/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/22.7/dns/bind/pkg-descr
[7] https://github.com/opnsense/plugins/blob/b31bcb92106/sysutils/boot-delay/Makefile#L6
[8] https://github.com/opnsense/plugins/blob/stable/22.7/security/crowdsec/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/22.7/dns/ddclient/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/22.7/net/freeradius/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/22.7/net/frr/pkg-descr
[12] https://github.com/opnsense/plugins/blob/stable/22.7/net/haproxy/pkg-descr
[13] https://github.com/opnsense/plugins/blob/stable/22.7/security/maltrail/pkg-descr
[14] https://github.com/opnsense/plugins/blob/stable/22.7/sysutils/munin-node/pkg-descr
[15] https://github.com/opnsense/plugins/blob/stable/22.7/net-mgmt/netdata/pkg-descr
[16] https://github.com/opnsense/plugins/blob/stable/22.7/www/nginx/pkg-descr
[17] https://github.com/opnsense/plugins/blob/stable/22.7/mail/postfix/pkg-descr
[18] https://github.com/opnsense/plugins/blob/stable/22.7/net/tayga/pkg-descr
[19] https://github.com/opnsense/plugins/blob/stable/22.7/net/wireguard/pkg-descr
[20] https://github.com/opnsense/plugins/blob/stable/22.7/net-mgmt/zabbix-agent/pkg-descr
[21] https://github.com/opnsense/plugins/blob/stable/22.7/net-mgmt/zabbix-proxy/pkg-descr
[22] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:12.lib9p.asc
[23] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:11.vm.asc
[24] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:09.elf.asc
[25] https://www.freebsd.org/security/advisories/FreeBSD-EN-22:19.pam_exec.asc
[26] https://www.freebsd.org/security/advisories/FreeBSD-EN-22:16.kqueue.asc
[27] https://www.freebsd.org/security/advisories/FreeBSD-EN-22:17.cam.asc
[28] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:13.zlib.asc
[29] https://www.freebsd.org/security/advisories/FreeBSD-EN-22:20.tzdata.asc
[30] https://www.freebsd.org/releases/13.1R/relnotes/
[31] https://curl.se/changes.html#7_85_0
[32] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[33] https://github.com/libexpat/libexpat/blob/R_2_4_9/expat/Changes
[34] https://downloads.isc.org/isc/dhcp/4.4.3-P1/dhcp-4.4.3-P1-RELNOTES
[35] https://raw.githubusercontent.com/NLnetLabs/ldns/1.8.3/Changelog
[36] http://www.xmlsoft.org/news.html
[37] https://www.lighttpd.net/2022/9/17/1.4.67/
[38] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_83.html
[39] https://github.com/phalcon/cphalcon/releases/tag/v5.0.3
[40] https://www.php.net/ChangeLog-8.php#8.0.24
[41] https://github.com/phpseclib/phpseclib/releases/tag/3.0.16
[42] https://docs.python.org/release/3.9.15/whatsnew/changelog.html
[43] https://github.com/oetiker/rrdtool-1.x/blob/master/CHANGES
[44] https://sqlite.org/releaselog/3_39_3.html
[45] http://www.squid-cache.org/Versions/v5/squid-5.7-RELEASENOTES.html
[46] https://github.com/strongswan/strongswan/releases/tag/5.9.8
[47] https://www.sudo.ws/stable.html#1.9.12p1
[48] https://suricata.io/2022/09/27/suricata-6-0-7-released/
[49] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.38.1
[50] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-3