Hi guys,
Time for a quick update! We are still polishing our non-MVC GUI pages
to match the modern style of the MVC equivalents and fix a few minor
bugs along the way. In these matters, we ask for your participation in
critically reviewing the changes below in order to catch remaining
issues as
Dear friends and followers,
It pleases us to say that although we ship the latest OpenSSL 1.0.2g today,
we have had both SSLv2 and SSLv3 support disabled in our installation for a
long while, so older installations are also not affected by yesterday's
announcement. On a slightly related note,
Hi everyone,
How are you doing? We have been doing fine, trying new things, moving
on further... The progress for our upcoming version 16.7 now accumulates
to 3 full months. To that end we are making the transition from ALPHA to
BETA on the 16.7 development series. And since we have been
Good news everyone,
16.7-RC2 is here and brings major additions to amd64 architectures: Intel's
Hyperscan library to speed up Suricata rule matching and UEFI boot support!
It also brings language packs to their correct 16.7 state, with Japanese
already having been completed by the amazing Chie
Welcome everyone,
It is time for the next major iteration in open-source security! After
6 months and 20 minor releases we hereby declare the general availability
of OPNsense 16.7, nick-named "Dancing Dolphin". The highlights of this
major release include:
o Suricata 3.1.1 with Intel Hyperscan
Hi everyone,
Thanks again for the warm welcome of the 16.7 series! The feedback
has been overwhelming, quite positively so. It was partly addressed
in to be released code, shall be weaved into the upcoming roadmap or
will be further discussed in our forums. Every wee bit counts on our
way to
Hi all,
It is time for a last full stable release before we offer our
16.1.20 end-of-life version, which then can be used to upgrade
to the 16.7 series.
Most changes presented today were either long-running development
additions for 16.7 or small reports that came up during the 16.7-RC
testing
Hello there,
We are pushing out 16.1.20 a little earlier than expected to fix a
GUI regression that can affect users with IPv6. Sorry about that.
Since this is the last 16.1 series release, the firmware page offers
an overview of migration hints for the 16.7 series. We are expecting
to be
Hello everyone,
Before we get on with the release candidate for 16.7, we are proudly
presenting the latest and greatest stable addition to the 16.1 series.
No time to lose, enjoy the summer!
Here are the full patch notes:
o system: properly run fsck on boot if needed
o system: new Cron page
Hi all,
It has been 5 months since 16.1 came out. Since then, over 1500 commits
and 18 stable releases have continuously improved and enhanced the
project. Since then, thousands of new users have joined. And, since
then, our new documentation has been extended and tweaked with numerous
guides,
Hi all,
We are back for one last update of the 16.7 series with a small number
of fixes and security-related package updates. Do not forget that 17.1
is scheduled for next week: the update instructions will be delivered via
the usual firmware update path.
Until then, here are the full patch
Hi everyone,
The wish list for our kernel improvements has been emptied just a
week ago, which makes 17.1-RC1 look like the final 17.1 for all
intents and purposes and already includes the stable upgrade path.
Several features have been moved from the core to the plugins and
may need to be
Hi everyone,
We bring to your attention this update with a batch of enhancements
and the occasional bugfix intertwined. It is interesting to note that
the enhancements vs. bugfix ratio is as high as 5:1. :)
Brand new is the general availability of the Italian translation thanks
to the work of
Dear all,
We are deliberately skipping waiting for OpenSSL to announce their
new version today as the roundtrip time for incorporating patches
and updates into FreeBSD and maybe also LibreSSL will likely delay
an update to next week. We will simply do a 16.7.5 next week as
well and let 16.7.4
Hi everyone,
The release schedule is being stretched bit by bit to see how long we
can go without an update. Well, we did not want to wait any longer to
share with you the following bits... so here they are. ;)
FreeBSD incorporated several reliability fixes for Hyper-V and we had
to back out an
Hey everyone,
Now that we got the chance to ship not one, but two OpenSSL bumps at
the same time we barely missed the LibreSSL updates. That is life.
But we still have a few great things to offer this week.
First and foremost, users noted that the captive portal did not work
with the
Dear friends and followers,
With the best wishes for the holiday season attached we hereby humbly present
our 17.1-BETA images and thank everyone for their early input, valid questions
and generally keeping us on our toes throughout the past months. The next major
release features FreeBSD
Dear friends and followers,
The update finally addresses one of the larger issues with IPsec in
17.1 where traffic was not properly tracked by the packet filter and
therefore causing spurious connection drops in TCP sessions. Another
cool addition is the merge of the HardenedBSD SafeStack work
Hello, hello!
For more than two and a half years now, OPNsense is driving innovation
through modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
Hi all,
Quick update, nothing overly fancy this week. :)
Here are the full patch notes:
o system: harden GUI by removing TLS_RSA_WITH_3DES_EDE_CBC_SHA
o system: harden GUI by improving Secure Attribute cookie usage
o system: harden GUI by using DH-4096 parameters
o system: allow to reverse
Hello, hello!
For more than two and a half years now, OPNsense is driving innovation
through modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
Hi all,
After a brief timeout due to a super happy image release, 17.1.5 brings to
you several longterm improvements for the firewall handling, dynamic DNS
and several plugin updates, with Quagga and Monit as two brand new additions
to the pool. As an especially longterm improvement, the German
Hi there,
OpenVPN released version 2.4.2 and also 2.3.15 which come with two high
profile fixes addressing CVE-2017-7479 and CVE-2017-7478. While we still
aim for OpenVPN 2.4 adoption during the 17.1 series, we have deferred
updating the release version from 2.3 to 2.4 at this point to be able
Hi there,
We have the tiniest update today just to keep things fresh and moving
forward. :)
Here are the full patch notes:
o interfaces: IPv6 tracking now configures DNS to exclusively use local
service or global settings
o interfaces: fix provider selection for PPP
o intrusion detection:
Hello,
This update includes a larger number of security-related updates in third
party software recently published. We do recommend a reboot to ensure
all services are restarted correctly.
Here are the full patch notes:
o system: always return unique list of active DNS servers
o system: remove
Hi all,
We are happy to announce the immediate availability of the renewed
OPNsense 17.7 images based on version 17.7.5. Apart from the
numerous improvements since the initial release, the images contain
an addition for single interfaces SSH installer scenarios as well
as an PPPoE multi-AP
Dear all,
Another week, another update. Most notably, the Tor plugin has been
officially released.
New images finally follow in 17.7.5 and we are happy to report that
the shared forwarding additions are already up and running on the
FreeBSD 11.1 kernel with two major improvements: IPv6 support
Hi all,
Today an XSS vulnerability in the certificate manager is being fixed
that is based on a crafted certificate being imported into the system.
PHP was finally updated from 7.0 to 7.1 which should make things a bit
faster. Last but not least, the HAProxy plugin by Frank Wall receives
a major
Dear all,
A tiny update to round up the year. An amazing one it has been.
We wish everyone happy holidays and see you again next year!
Here are the full patch notes:
o system: numerical sort for "Use" and "MTU" columns in route diagnostics
o system: gateway group edit tier selection issue with
Hi there,
This update to 18.1.8 contains several improvements, kernel security
patches and third-party software updates.
Highlights include boot support on an otherwise installed ZFS. The
default route handling was improved to minimise issues with unstable
links. A NUT plugin is now available
Good day to all,
This update is going forward with a larger batch of firmware update
improvements that are important for 18.7 and beyond, addressing the
former lack of error handling, check for update speed and API check
capabilities for major upgrades.
Intrusion detection syslog behaviour
Good morning,
This update ships with the optional gateway monitoring tool dpinger and a
new config backup option onto Nextcloud. SSL crypto libraries have been
updated to address CVE-2018-0732 along with other updates to assorted third
party software.
Here are the full patch notes:
o system:
Hello, hello, hello!
It has been a while and judging by the extensive list of changes below
one can easily see why. The impact footprint of this update, however,
is relatively small. With this update we are also moving into the
18.7-BETA phase where avid users are invited to flip their release
Dear all,
What a KRACKing week it has been! In order to move past the WPA2 attacks
we have updated hostapd and wpa_supplicant to their latest version 2.6
including the released security fixes. If you use wireless devices you
are advised to reboot to properly reload all wireless services.
In
Hi there,
OpenSSH is being updated to version 7.6, which means this change breaks
compatibility with SSH protocol version 1 and refuses RSA keys smaller
than 1024 bits. Ideally, none of this should matter in a security-aware
deployment, but it is safer to double-check before the upgrade.
A new
Hello there,
As 18.1 is drawing near this stable update for the 17.7 series could be
the last one. So whether there will be a hotfix to enable the update path
or a full 17.7.13 remains to be seen, but we will keep you informed either
way. The targeted release date for 18.1 is January 29.
For
Hello good folks of the Internet,
For more than 3 years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as
Hi everyone,
18.1.1 addresses issues in the previous release, while also updating
the packages and plugins. Most notably, a Python library change made
intrusion detection rules fetch fail previously and we fixed GUI and
backend behaviour for two special NAT cases.
Here are the full patch notes:
Dear friends and followers,
For 3 and a half years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
Hi everyone,
This is the first stable update and includes security updates for
several third party software and FreeBSD. A Bind plugin was released
with DNSBL support and the reported problems with the HAProxy plugin
have been sorted out thanks to enthusiastic reporters and testers.
Here are
What up!
So far so good. Here is another batch of changes for the upcoming 18.7
release from assorted areas. Also included is the latest Suricata 4.0.5.
We have bundled the firewall alias API progress under the hood, but
it looks like we will miss our initial 18.7 target. Sorry about that.
Dear all,
It is that time of the year again: this update is the last one in the
18.1 series and 18.7, nicknamed "Happy Hippo", will be released next week!
The transition will be seamless when heeding the upgrade notes to be
published with the 18.7 images on July 31. All 18.7-RC users will be
Dear friends and followers,
For 3 and a half years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
Hello all,
This small update swiftly follows 18.1.3 with security updates for DHCP and
strongSwan and assorted fixes including multi-WAN failover cases.
Here are the full patch notes:
o system: improved default route handling
o system: improved gateway switching
o system: cleanse username on
Howdy partners,
With Meltdown and Spectre just behind us here comes another round of
security advisories and assorted changes.
Three mentionable changes are included: We are switching back to
single-source NAT on the primary IP instead of using all additional
VIPs on the interface. The
Dear friends and followers,
For more than 3 years now, OPNsense is driving innovation through modularising
and hardening the code base, quick and reliable firmware upgrades,
multi-language support, fast adoption of upstream software updates as well
as clear and stable 2-Clause BSD licensing.
We
Hello there,
We are back for new features, updates and reliability fixes. Noteworthy
are the addition of the PIE shaper option and firewall alias API. Both
Unbound and Dnsmasq have been updated to their latest version.
Here are the full patch notes:
o firewall: resolve interface address ":0"
Hello world!
To keep it snappy: enclosed are assorted updates and fixes, a new
dnscrypt-proxy plugin as well as security updates from FreeBSD and
third parties. Happy patchday!
Here are the full patch notes:
o system: allow setting alternative names on CSR
o system: add link-local routes with
Dear friends and followers,
For more than four years now, OPNsense is driving innovation through
modularising and hardening the code base, quick and reliable firmware
upgrades, multi-language support, fast adoption of upstream software
updates as well as clear and stable 2-Clause BSD licensing.
Hello,
This is a security and reliability release: WAN DHCP will no longer trust
the server MTU given. Uncoordinated cross site scripting issues have been
fixed. And the Python request library was patched due to CVE-2018-18074.
Here are the full patch notes:
o system: address XSS-prone
Hi there,
This update brings a smaller number of fixes and improvements as well as
the latest PHP version update.
With a heavy heart we disable E_WARNING messages in the PHP error reporting.
It was implemented in 2015 to improve code quality and it did just that,
but with the latest PHP 7.2
Hi there,
Small 19.1 series update mainly focusing on LDAP group synchronisation
and assorted OpenVPN improvements. Two regressions of previous versions
have been fixed as well.
Here are the full patch notes:
o system: add LDAP group synchronisation feature
o system: allow an arbitrary group
Good day to you all,
This update addresses several privilege escalation issues in the access
control implementation and new memory disclosure issues in Intel CPUs.
We would like to thank Arnaud Cordier and Bill Marquette for the top-notch
reports and coordination.
Here are the full patch notes:
Hello, hello!
This update features a number of improvements such as link-local support
for bridges, HA sync consolidation, adding local CAs to the trusted SSL
certificates for most of the system download capabilities, plugin-based
PAM authentication rework for IPsec and the web proxy as well as
Hello,
Please enjoy this release with improved CARP utility and a number of
smaller fixes and updates for the operating system and third party tools.
You can now also toggle logging directly from the rule overview to make
debugging easier.
Here is the full list of changes:
o system: try all
A good day to you all,
A wee bit of updates for you... nothing overly exciting. On the other
hand, we have updated the roadmap page to include 20.1 if you want to
take a closer look[1]. More exciting for sure. :)
Here are the full patch notes:
o system: fix legacy remote logging with custom
Hi there,
This update ships the latest FreeBSD security advisories along with several
smaller improvements and fixes. Sunny Valley Networks is the first vendor
to introduce additional software to the plugin framework in the form of the
Sensei plugin.
Here are the full patch notes:
o system:
Hi there,
For four and a half years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
and stable
Hello from Suricon!
As we are experiencing the Suricata community first hand in Amsterdam
we thought to release this version a bit earlier than planned. Included
is the latest Suricata 5.0.0 release in the development version. That
means later this November we will be releasing version 5 to the
Hi there,
Lots of small improvements. Of note are Eve JSON payload syslog export now
works for 4 kb payload blobs. The outdated Google API PHP client was replaced.
LibreSSL is now at version 3.0.2. Plus another Intel SA advisory via FreeBSD.
Here are the full patch notes:
o system: generate
Hello friends and followers,
Lots of plugin and ports updates this time with a few minor improvements
in all core areas.
Behind the scenes we are starting to migrate the base system to version
12.1 which is supposed to hit the next 20.1 release. Stay tuned for more
infos in the next month or
Ho ho ho,
A number of updates including security and reliability fixes inside. Of
note is the new elliptic curve certificate creation support and better
firmware health check and recovery methods.
We are almost at the point of a 20.1-BETA release with an isolated images
for early bird testing
Hi there,
For over 5 years now, OPNsense is driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD
Hey hey,
As Thursday nears the last preparations for 20.1 are underway. As a quick
relief here is the End-Of-Life release of the 19.7 series with a tiny number
of updates.
Remember that when 20.1 is available it will take up to a day before we
release the hotfix with the major upgrade path
Hi again,
As 20.1 nears we will be making adjustments to the scope of the release
with an announcement following shortly.
For now, this update brings you a GeoIP database configuration page for
aliases which is now required due to upstream database policy changes and
a number of prominent
Hello everyone,
It almost looks like business as usual. But we all know it is not.
We will get through this together.
Here are the full patch notes:
o system: add missing strtolower() in LDAP sync response
o system: fix /var/run/legacy_log socket creation race with Syslog-ng
o system: add info
Hi all,
Quick update as planned. Here are the full patch notes:
o system: add data length option to gateway monitor settings
o firewall: avoid greedy matching with live log parsing regression from 20.1.5
o firmware: detect runtime defaults when using "make upgrade" with core.git
o firmware:
Hi there,
Today ships the first release version of the supplemental firewall rule
API via plugin, a new firewall shaper statistics GUI and API and the usual
number of improvements and third party updates.
Note that this version does not ship OpenSSL 1.1.1g as at this point our
release decision
Hi all,
Quick reliability release for all of you out there doing the impossible
providing VPN for road warriors and what not. Keep it up! :)
Here are the full patch notes:
o system: match group CN case-insensitive
o system: added pluggable log format parsing facility
o system: update nsComment
Hi there,
Today we move to PHP 7.3 in order to be able to complete testing for the
20.7-BETA online upgrades. Also included is a patch for the packet filter
kernel code which could crash with shared forwarding when interfaces
disappeared due to use after free in the default network stack path.
Dear all,
While we are still looking closer at netmap/iflib performance on 12.1 we
are rolling out a kernel with Intel em/igb updates that should avoid bad
packet counts in the default installation. Syslog-ng received a workaround
for the diagnosed startup issue and alias now supports MAC
Hi there,
For five and a half years, OPNsense is driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable
Dear all,
Small update here with security advisories, multicast fixes and logging
reliability patches amongst others.
Overall, the jump to HardenedBSD 12.1 is looking promising from our end.
From the reported issues we still have more logging quirks to investigate
and especially Netmap support
A good day everyone!
Sorry about the delay while we chased a race condition in the updates back
to an issue with the latest FreeBSD package manager updates. For now we
reverted to our current version but all relevant third party packages have
been updated as updates became available over the
Hi there,
For five and a half years, OPNsense is driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable
Dear all,
This update brings the usual mix of reliability fixes, plugin and third party
software updates: FreeBSD, HardenedBSD, PHP, OpenSSH, StrongSwan, Suricata and
Syslog-ng amongst others.
Please note that Let's Encrypt users need to reissue their certificates
manually after upgrading to
Howdy,
Important security updates inside. Also: happy holidays!
Here are the full patch notes:
o reporting: fix traffic graph widget link issue
o system: simplify log format parsing
o interfaces: fix DUID LL description (contributed by Gabriel Mazzocato)
o unbound: fix dnsbl not reloading
What's up!
We return briefly for a small patch set and plan to pin the 20.1 upgrade
path to this particular version to avoid unnecessary stepping stones. We
wish you all a healthy Friday. And of course: patch responsibly!
Here are the full patch notes:
o system: syslog-ng related fixes during
Good evening everyone,
This release finally wraps up the recent Netmap kernel changes and tests.
The Realtek vendor driver was updated as well as third party software cURL,
libxml2, OpenSSL, PHP, Suricata, Syslog-ng and Unbound just to name a couple
of them.
We would like to thank Sunny Valley
79 matches