TING version 1.0
1.0.3 (15 June 2017)
This TING release is based on OPNsense version 16.7.14. It includes the following work from our team:
Web proxy: independent authentication through several authentication mechanisms.
Interactive checklist-style helper for configuring SSO on the proxy.
Proxy log analyzer: saved filter settings can now be stored and reloaded.
Proxy ACLs can now be bound to individual users, in the same way as they are bound to user groups.
Port forwarding: the associated firewall rule is now strictly linked to its NAT rule in the web interface.
HTTP antivirus proxy: output moved from the system log into a separate log file.
Security scanner plugin for scanning hosts on the local network for vulnerabilities.
FSTEC-certified version:
Data from the «Reports» -> «Health» section of the nodes is now displayed in the management center.
The base system includes the following changes from OPNsense:
Changes in OPNsense 16.7.14:
traffic shaper: order rules numerically by sequence number
firmware: added opnsense-revert tool for release-based package revert
captive portal: fix downloading files in Chrome
insight: fix downloading files in Chrome
mvc: consistently set locale (contributed by Alexander Shursha)
mvc: do not deliver content twice on API calls
python: downgraded to 2.7.12 in order to fix segmentation faults within insight reporting
libressl: avoid possible side-channel leak of ECDSA private keys when signing[1]
ports: bind 9.10.4-P5
ports: perl5 5.24.1
ports: sqlite3 3.16.2
ports: openssh-portable 7.4p1
ports: sudo 1.8.19p2
ports: lighttpd 1.4.45
ports: php56 5.6.30
Changes in OPNsense 16.7.13:
system: extended sudo option to allow an additional no-password mode
firmware: the package manager will now always delete modified package files
firmware: allow major upgrades into other flavours from the command line
firmware: do not overwrite /etc/rc.shutdown on base updates
firewall: add a note that ports only apply to TCP and/or UDP (contributed by Andrew Berry)
dns resolver: correctly handle empty DHCP lease sections
dhcp: use regular expressions to optimize static lease reading (contributed by Senol Korkmaz)
web proxy: fix subnet computation
netflow: fix missing check for egress_only
plugins: HAProxy 1.10 with HA sync, custom TCP checks, bugfixes (contributed by Frank Wall)
ports: curl 7.52.1
ports: ca_root_nss 3.28
ports: squid 3.5.23
ports: python 2.7.13
ports: perl 5.24.1-RC5
ports: lighttpd 1.4.44
ports: phalcon 3.0.3
ports: heimdal 7.1.0
Changes in OPNsense 16.7.12:
system: improve cancel button behaviour
system: change coupled /tmp+/var MFS to /var MFS
system: load AESNI in the default configuration
firmware: list all licenses of packages
firewall: improve cancel button behaviour
traffic shaper: do not error on apply when no configuration is set
interfaces: do not allow VLAN delete when in use
interfaces: improve cancel button behaviour
interfaces: only parse lease sections for ARP entries
interfaces: fix QinQ setup
services: improve cancel button behaviour
ipsec: add clone phase 2 option to ease duplication
openvpn: force rewrite of Viscosity client export files
dns resolver: remove unused EDNS support
dns forwarder: allow to run on non-standard port when resolver is running
lang: updates for Czech, German and Italian
plugins: os-haproxy 1.8 (contributed by Frank Wall)
plugins: compatibility fix for os-pptp, os-pppoe and os-l2tp
ports: openvpn (reverted topology subnet fix)
ports: pkg (license viewer upstream fix)
ports: sudo 1.8.19p1
ports: php 5.6.29
Changes in OPNsense 16.7.11:
system: improved password hashing (contributed by OSNet)
system: make sure vital kernel modules are always loaded
system: added mute console support and improved tty reconfiguration
system: revived «normal» power state config option for powerd (contributed by Tikimotel)
system: removed description support for ACL entries
system: brought back LDAP scope and authentication containers support
system: separate class for ui/api routing
firmware: pull update sets from ABI-specific directory
firmware: multiple tweaks in opnsense-update workflow
firmware: no longer track UUID in a crash report submission
firmware: pkg-audit to view current FreeBSD vulnerability report
firmware: changelog viewer with all older and newer releases
firmware: more intelligent plugin handling, e.g. detecting orphaned plugins
firmware: simplified update presentation and workflow
firmware: license viewer for installed packages
firewall: added alias selection to missing NAT elements
openvpn: add reneg-sec option to client exports
dnsmasq: fix 16.7.10 regression in host file handling
web proxy: make backend config plugin-friendly
plugins: fix a potential error in MPD5 plugins (contributed by Evgeny Bevz)
src: fix possible login(1) argument injection in telnetd(8)
src: fix link_ntoa(3) buffer overflow in libc
src: fix possible escape from bhyve(8) virtual machine
src: fix extended descriptor regression with netmap(4) on em(4)
src: fix use-after-free bugs in pfsync(4)
src: tzdata updated to version 2016j
ports: openvpn 2.3.14
ports: phalcon 3.0.2
ports: suricata 3.2
Changes in OPNsense 16.7.10:
system: revamped message of the day on console login
system: validate passed arguments instead of $_POST or $_REQUEST
system: merged VPN servers into get_possible_listen_ips()
system: repair French translation for user manager (contributed by Valentin Deville)
dashboard: do not arbitrarily split descriptions in services
firewall: added maximum fragments setting
dhcp: interface column for leases
ipsec: properly configure syslog output
dns forwarder: use plugin framework
dns forwarder: improve DHCP registration option
dns resolver: use plugin framework
dns resolver: improve DHCP registration option
universal plug and play: fix regression in rules anchor
radvd: mark interface used in case of interface tracking
radvd: do not inject local DNS server when there is no IP
radvd: match service running metric with how it works
captive portal: validate input of voucher validity and quantity
captive portal: add error message on failed validation (contributed by Fabian Franz)
netflow: added service control
ntp: use plugin framework
intrusion detection: rotate eve-log every 500 MB
web proxy: add FTP support back to remote ACL fetch
web proxy: performance improvements on ACL parse
web proxy: allow option to disable HTTPS verification
web proxy: enable remote ACL by default when creating it
plugins: allow Tinc to sync via XMLRPC
lang: updates for Czech, French and German
ports: pkg 1.9.3 upstream fetch patch
ports: sqlite 3.15.1
ports: strongswan 5.5.1
ports: ntp 4.2.8p9
ports: squid 3.5.22
ports: flock 2.29
ports: syslogd 11.0
Changes in OPNsense 16.7.9:
system: prevent spurious error with LDAP authentication
system: call-site support for plugins_configure()
dashboard: firmware update check is now a direct link
insight: use ISO date in details selection
firewall: add a generic service reload button
firewall: move deprecated disablevpnrules option to IPsec settings
router advertisements: removed unused subnet settings
router advertisements: improved CARP usability
dhcp: static IPv6 entry domain support
dns resolver: fixed private address range (contributed by Tikimotel)
dns resolver: improved CARP usability with interface-automatic option
dns resolver: straightened out reload behaviour
dns forwarder: straightened out reload behaviour
web proxy: renamed from «proxy server» to avoid confusion
snmp: prepared move to plugins
igmp proxy: prepared move to plugins
load balancer: prepared move to plugins
upnp: straightened out reload behaviour
plugins: HAproxy «default certificate» parameter and advanced options (contributed by Frank Wall)
plugins: fix a warning in L2TP, PPTP and PPPoE server configure
mvc: allow menu to recognise «#» in URLs by ignoring it
mvc: fix a spurious API error on unused view render
mvc: added copy item command for GUI usage
mvc: fix sorting on array field
1.0.2 (1 February 2017)
This TING release is based on OPNsense version 16.7.8. It includes the following work from our team:
Logging subsystem migrated to syslog-ng. Logging settings refactored.
Added IP/MAC address binding for proxy users, which allows mixed authentication (for example, login/password + IP address). Plugin os-proxy-ipcheck.
Proxy SSO functionality split out into a separate plugin (os-proxy-sso).
Group ACLs for different authentication types (LDAP, Local). ACLs assigned to groups now apply regardless of the authentication type in use. This functionality is split out into a separate plugin, os-proxy-useracl.
Added the os-squid-log plugin and a proxy report. The report shows how requests were handled by the proxy and visit statistics per user and per domain.
The wizards have been translated into Russian.
In preparation for FSTEC certification:
CMS functionality implemented. The Central Management System provides centralized management of a distributed infrastructure of Traffic Inspector Next Generation network gateways.
Implemented alerting on checksum errors of Traffic Inspector Next Generation files.
The base system includes the following changes from OPNsense:
Changes in OPNsense 16.7.8:
system: trigger xmlrpc sync before service action
system: header redirection security through url_safe()
system: «work in progress» indicator for service controls
system: always restart apinger to fix configuration apply
system: use Etc/UTC when timezone was removed from tzdata
system: fix infinite console menu loop on tty close (contributed by Stephane Lesimple)
system: SSH launcher rework
firmware: only do console update reboot when update went ok
firmware: improved usefulness of several GUI status messages
firmware: allow inline use of opnsense-update -t
firmware: allow to resolve ABI using opnsense-verify -a
interfaces: set txcsum6 and rxcsum6 like their IPv4 counterparts
firewall: traffic shaper address lists and inversion support
firewall: revamped bogons download and verification
firewall: properly set NAT reflection helper for IPv6
firewall: allow pluggable rules anchors
captive portal: increase the database timeout to 30 seconds
captive portal: allow custom values for voucher validity and quantity
captive portal: fix spurious error on successful login
dynamic dns: fix race in page, reminiscent of previous widget correction
dynamic dns: log r53 errors to system log file
intrusion detection: fix ET open ruleset content
openvpn: missing p2p shared key settings for local subnets
universal plug and play: prepare for move into plugins
mvc: implemented model constraints and migrations
mvc: improved error reporting of API failures (contributed by Per von Zweigbergk)
mvc: add spinner for row toggle (contributed by Frank Brendel)
mvc: pluggable authentication framework
mvc: added update-only field type
plugins: first release of FTP Proxy (contributed by Frank Brendel)
plugins: first release of Tinc VPN
ports: pkg 1.9.3[2][3][4]
ports: bind 9.10.4P4
ports: curl 7.51.0
ports: libressl 2.4.4
ports: lighttpd 1.4.43
ports: openvpn 2.3.13
ports: pecl-radius 1.4.0b1
ports: php 5.6.28
ports: sudo 1.8.18p1
ports: suricata 3.1.3
Changes in OPNsense 16.7.7:
captive portal: add expire voucher option
intrusion detection: added support for compressed rule files
web proxy: basic auth support for remote ACLs
web proxy: fix ICAP config write for MIME-types (contributed by Fabian Franz)
ipsec: fix spacing and type for shared secrets on Windows 7+
ipsec: restart must only restart, not completely reconfigure
ipsec: correctly set 28673 option to «yes»
openvpn: reintroduce zip usage instead of 7z
interfaces: fix performance issues on status page
interfaces: fix ARP and NDP to show all entries
rc: revamp the handling of /boot/loader.conf to be fully pluggable
firmware: opnsense-update can now perform major FreeBSD updates
plugins: multiple fixes for HAProxy plugin (contributed by Frank Wall)
plugins: new PT research rule set intrusion detection plugin
lang: new language Czech at 54% completed (contributed by pavelb)
lang: updates for German and French
ports: libressl 2.4.3
ports: isc-dhcp 4.3.5
ports: php 5.6.27
ports: lighttpd 1.4.42
src: base system now uses position independent executables
src: tzdata updated to version 2016h
src: revised dummynet patches for NAT, also includes IPv6 support
src: Fix bspatch heap overflow vulnerability
src: Fix multiple libarchive vulnerabilities
src: Fix virtual memory subsystem bugs
src: Fix incorrect argument validation in sysarch(2)
Changes in OPNsense 16.7.6:
system: add language selection to initial wizard
system: allow disabling the root user
firmware: new mirror in Serbia (contributed by FourDots)
firmware: assorted changes for upcoming major upgrade
interfaces: wait for DHCP6 client to properly exit
firewall: allow route-to to loopback gateways
openvpn: fix download of config file for iOS
ipsec: fix mobile / PSK regression of 16.7.5
intrusion detection: added syslog support
dns: improve forwarder interface listening generation
rc: silence backup warnings about stripped leading slashes
ports: libressl 2.3.8[2], bind 9.10.4-P3
ports: ca_root_nss 3.27.1[4], unbound 1.5.10
1.0.1 (3 October 2016)
Second TING release. This release is based on OPNsense version 16.7.5. Over the past year the OPNsense team has significantly extended and improved the base functionality of the OPNsense platform. In addition, the Smart-Soft team has updated the base system to OPNsense 16.7.5 and contributed the following developments:
Updated the nDPI traffic analyzer library to the latest version.
Web proxy SSO (transparent Active Directory authentication on the proxy via Kerberos).
Proxy blacklists/whitelists by AD group.
Ability to block Cyrillic URLs on the proxy.
Ability to connect to Microsoft VPN servers over PPTP and L2TP using CHAP and MS-CHAP authentication.
Preparation for the FSTEC certification process:
Subsystem for verifying checksums of system executables and configuration files.
Firewall configuration changes are now recorded in the system log.
The base system includes the following changes from OPNsense:
Changes in OPNsense 16.7.5:
captive portal: handle transparent proxy from within the zone configuration
openvpn: adapt to cipher output changes in OpenVPN 2.3.12
openvpn: improve plugin probing for virtual interface
openvpn: added missing IPv6 tunnel network to overrides
ipsec: human-readable format of authentication method in overview
ipsec: refine behaviour of enable/apply on main page
ipsec: deduplicate leftsubnet/rightsubnet for meshed IKEv2
ipsec: more elegant interface and service plugging
ipsec: added unmeshed «tunnel isolation» mode for IKEv2
ipsec: cleanup pass over backend code
ipsec: allow Camellia for IKEv2
ipsec: allow %any in phase 1
ipsec: allow EAP-MSCHAPV2
system: load if_bridge on boot to correctly set its sysctl values
system: do not explicitly call plugins_interfaces() anymore
services: DNS resolver translation fixes (contributed by Fabian Franz)
services: fix a race in the DynDNS widget display
ports: curl 7.50.3[1], sudo 1.8.18[2], php 5.6.26[3], openssl 1.0.2j[4]
src: Multiple OpenSSL vulnerabilities
src: updated tzdata to 2016f
Changes in OPNsense 16.7.4:
system: SSH-enabled installer and associated changes
system: deprecate DSA keys as per OpenSSH recommendation
system: reworked config import / export for consistency
system: reboot after config import is now selectable
system: fix improper escape of HTML entities in log file filter
system: handle legal boolean return result from searchUsers() (contributed by Evgeny Bevz)
system: add dynamic DNS update to cron
system: fix race in php.ini setup
system: always keep repository configurations on core package deinstall
system: properly trigger filter reload on HA peer
system: add ordering to rc.syshook scripting facility
system: add missing parameter for LDAPS authentication server
firewall: change CARP to operate using BSD standards to fix several edge cases and reported issues
firewall: fix validation of redirection in NAT
firewall: redirect target IP selection can now use aliases
firewall: simplify empty rules message in interface rules tabs
interfaces: do not attempt to fix the MAC address of a broken NIC
interfaces: adapt validation of PPP to not require idle timeout to be set
interfaces: add missing help toggle to settings page
services: DHCP lease pages show MAC manufacturers without Nmap install
services: improve cleanup of multiple captive portal zones
services: fix writing empty DNS resolver ACL
reporting: automatic database repair added
lang: translation improvements (contributed by Simon Brunet, Antonio Prado and Fabian Franz)
lang: updates for French, German, Italian and Spanish
plugins: add stock Intel e1000 driver version 7.6.2 as «os-intel-em» (requires a reboot)
plugins: lower early start priorities of VMware and Xen plugins
ports: haproxy 1.6.9[1], hyperscan 4.3.1[2], suricata 3.1.2, phalcon 3.0.1[4], samplicator 1.3.8rc1
Changes in OPNsense 16.7.3:
system: allow selection of secondary console
system: added EFI as a console option
system: fixed status display of tiered gateway groups
system: allow to configure sudo(8) usage for administrators
system: package manager can no longer uninstall the GUI package (marked as «vital»)
system: also beep on factory reset
system: added opnsense-code command line utility
interfaces: do not store packet captures in /root
interfaces: sort interface listings by name only
interfaces: do not prevent configuring an IP used by the PPTP and L2TP plugins
firewall: add normalisation options for source port and direction
firewall: improved parsing of alias input
firewall: fixed nesting of aliases with underscores in their names
openvpn: fix script mismatch on export page
openvpn: added reneg-sec option to server to allow persistent TOTP sessions
openvpn: added option to prevent usage of username-as-common-name
services: fix WOL widget link
services: aligned backend calls of DNS and DHCP
services: fix writing of DNS resolver host entries
services: simplify configuring of DNS resolver listening addresses
services: allow proxy to match against SSL URLs only (contributed by Fabio Mello)
lang: updated Source Sans Pro font to improve the Cyrillic experience
lang: Italian is now a release language (contributed by Antonio Prado)
lang: minor updates for Russian (contributed by Smart-Soft Ltd.)
lang: minor updates for German and French
ports: haproxy 1.6.8[1], php 5.6.25[2], sqlite 3.14.1
ports: openvpn 2.3.12[4], libxml 2.9.4
Changes in OPNsense 16.7.2:
src: revert fix ICMP translation in pf
src: better handle unknown options received from a DHCP server
src: avoid using spin locks for channel message locks
src: enable INQUIRY result check only on Windows 10 host systems
src: register time counter early enough for TSC freq calibration
src: disable incorrect callout in hv_storvsc(4)
src: better handle the GPADL setup failure in Hyper-V
src: fix SCSI INQUIRY checks and error handling
ports: lighttpd 1.4.41[9], strongswan 5.5.0[10], curl 7.50.1
ports: ca_root_nss 3.26, openssh 7.3p1
ports: enabled LDAP SASL bindings
system: remove source maps to prevent further Chrome breakage during API calls
system: switch to individual registration of PHP extensions
system: added OU field to CSR
interfaces: properly remove PPPoE server from list of firewall interfaces when deactivated
interfaces: extended logging for 4G modems
interfaces: correct download of large packet captures
interfaces: add lacp_fast_timeout flag support for LAGG
interfaces: fix clearing the DHCP config file when override file is gone
interfaces: improve dmesg probe on interface listing (contributed by Per von Zweigbergk)
firewall: double-check file availability after alias URL download
services: corrected DNS forwarder settings save in mobile layout
dashboard: fix gateway widget status text update
plugins: corrected firewall interface usage for multi-point VPNs
vpn: removed the stale OpenVPN windows installer binaries
vpn: default to IPsec main mode
lang: assorted translation fixes (contributed by Fabian Franz and Antonio Prado)
lang: translation updates for Chinese, French, German and Japanese
Changes in OPNsense 16.7.1:
system: default config now disables hardware offloading features
system: prevent carp demotion on sender and pfsync failures
firewall: removed obsolete reflection timeout value
firewall: added logging option for outbound NAT
firewall: fix interface address IPv6 outbound NAT
firewall: fix one-to-one copy feature
firewall: execute custom scrub rules before auto-generated rules
firmware: fixed race on base / kernel fetch
firmware: revoke the obsoleted 16.1 update fingerprint
interfaces: allow default route on multi-WAN PPPoE
interfaces: allow to set txpower for WiFi adapters
interfaces: allow backwards-compatible interface enable
vpn: fix faulty IPSec authenticator selection in phase 1
mvc: add missing CRL type in certificates cache
mvc: set robots meta to nofollow, noindex
mvc: always show logout button in menu
src: fix bspatch heap overflow vulnerability
src: fix ICMP translation in pf
src: revert extended descriptor format for em(4)
src: lower spurious log notice to debug in rtsold
plugins: os-haproxy 1.4 (contributed by Frank Wall)
ports: libressl 2.3.7
Changes in OPNsense 16.7:
installer: fix UI glitch with overlong disk name selections
installer: warn on low RAM as install phase can fail
ports: suricata 3.1.1[1], php 5.6.24
system: Etc/UTC is now the default time zone
system: prevent user from deleting itself
interfaces: register groups in the system immediately
firmware: add subscription option for private repositories
firmware: work around API POST problem on Chrome by deleting css source map pointer
firewall: allow cron to set arbitrary syslog times for alias updates
proxy: add syslog target for access_log
reporting: can now individually flush health reports
reporting: can now flush insight and NetFlow data
reporting: translate interface names on health page
reporting: shut down insight service on backup to prevent database corruption
lang: Russian is now 97% completed (contributed by Smart-Soft Ltd.)
lang: minor updates in all other languages
Changes in OPNsense 16.1.20:
ports: suricata 3.0.2[1], squid 3.5.20[1], expat 2.2.0, haproxy 1.6.7[4], bind 9.10.4-P2[5]
firewall: hide previously selected nested aliases from the autocompletion on alias edit
firewall: fix log view to properly render all of its html
firewall: fix link to IPv6 disable setting on rules screen
firewall: remove CARP restriction of matching interface subnet
interfaces: fix IPv6 subnet bits count on interface status
interfaces: traffic graphs now show more device types
gateways: prevent spurious dynamic default gateways from showing up
gateways: change the creation order of dynamic gateways to allow overriding their settings correctly
firmware: refine ignore of temporary error 500 in GUI during upgrades
firmware: default config has been adapted to set up new style dashboard entries during e.g. factory reset
firmware: validate source and destination entries in NPT
firmware: audited mirror list and disabled non-working entries
services: do not show disabled DHCPv6 server when prefix delegation is not used
services: do not run boot-up routines for proxy server and intrusion detection when disabled
services: fix router advertisements subnet bits save
intrusion detection: improved alert browsing with action filter
proxy server: ACL setup can now include manual pre and post hooks
wizard: fixed alignment of page titles and contents
captive portal: ignore incomplete MAC entries to avoid premature logout of active user
openvpn: fix display of selected CRL in server settings
Changes in OPNsense 16.1.19:
Changes in OPNsense 16.1.18:
system: properly run fsck on boot if needed
system: new Cron page and API now available for general use
system: QR codes are now generated locally in the browser (contributed by Fabian Franz)
system: harden serial config write against power failures
system: allow serial config to attach to all available ttys
system: added missing ACL entry for LDAP user import page
system: reworked log page layout and dependencies
firmware: detach / reattach support for upgrade page
firmware: mirror and flavour selection moved to respective page
interfaces: improvements for 4G devices (sponsored by OSNet.eu)
interfaces: debug mode and logging for rtsold in DHCPv6 mode
dhcp: separate pages for router advertisements and service control
dhcp: IPv6 server as a stand-alone process for service control
dhcp: fixed and improved writing of dynamic DNS configuration
ports: python 2.7.11_3[2], unbound 1.5.9[3], curl 7.49.1, openssl 1.0.2_14[5], sudo 1.8.17p1[6], php 5.6.23[7], pcre 8.39[8], haproxy 1.6.6[9]
src: tzdata updated to 2016e
src: fix pf fragment timeout
Changes in OPNsense 16.1.17:
ports: isc-dhcp-server 4.3.4[1], syslogd 10.3, libressl 2.3.6, openssl 1.0.2_13[3]
system: fix OTP QR code link to amend the first request
system: allow to override TRIM apply at boot time via /etc/fstab
dashboard: fix OpenVPN test data display
dashboard: gateway widget style updated
interfaces: allow debug option for dhcp6 client
interfaces: allow to delete WAN as well
interfaces: properly restart the respective proxy ARP daemon
firewall: fixed HTML errors in NAT edit page
services: fixed unbound custom option handling
services: allow RA send behaviour to be configured
services: show correct dynamic DNS type when editing an existing entry
openvpn: bring back authentication method selector
openvpn: create interfaces at boot time and even when disabled
power: separate menu for power off and reboot functions
intrusion detection: allow to drop/reset log files
plugins: can now create local logging sockets for chroot environments
plugins: new HAProxy version 1.3 with assorted fixes (contributed by Frank Wall and Manus Freedom)
lang: major updates for Russian (contributed by Smart-Soft Ltd.)
lang: assorted translation fixes (contributed by Fabian Franz)
lang: minor updates to Chinese, German and French
Changes in OPNsense 16.1.16:
src: merged and enabled HardenedBSD’s ASLR implementation
src: kernel stack disclosure in Linux compatibility layer
src: kernel stack disclosure in 4.3BSD compatibility layer
src: directory traversal in cpio
ports: libressl 2.3.5[5], phalcon 2.0.13[6], dnsmasq 2.76
ports: apinger 0.7[8], curl 7.49[9], bind 9.10.4-p1
ports: php 5.6.22[11], sqlite 3.13[12], ntp 4.2.8p8
dashboard: movable widgets, multi-column support and improved look and feel
system: improved CSRF handling
system: allow far gateway support for non-subnet gateways
system: fix null routes add / delete
system: user/group privilege selection improvements
system: fix missing cron job for GUI lock / expire
firmware: adds opnsense-patch tool for simple upstream repo patch apply
dns resolver: fix AAAA record save
dns forwarder: add custom port option for domain overrides
firewall: for us bogons do not extend to private networks
firewall: fix schedule clone when in use
interfaces: remove explicit ath(4) long distance support
interfaces: removed SVG traffic graphs in favour of modern replacements
captive portal: allow to drop all expired vouchers
cron: fix parameter ignore
layout: «Stacked-to-horizontal» emulation for mobile view
layout: consistent tooltip button placement
layout: fix footer on small screen size
plugins: fix HAProxy X-Forwarded-For header option
Changes in OPNsense 16.1.15:
system: make authentication fallback configurable
system: settings cleanup and prettify
system: added explicit ETC timezone selection
high availability: add page for remote service control
high availability: properly enforce authentication
firmware: reboot and poweroff API actions
firmware: only kill GUI process, not captive portal
firmware: show errors in update window
firmware: keep polling for progress even when GUI restarts
backend: skip failing templates on bootup
trust: fix CA certificate count in overview
trust: allow key size up to 8192 bits
firewall: fix invalid NPT rule generation
firewall: speed up filter log pages
firewall: do not allow to change virtual IP mode after creation
firewall: moved settings page and rearranged settings accordingly
interfaces: unhook all but the last custom PHP module functions
interfaces: moved settings page and rearranged settings accordingly
dhcp: do not override RA settings after save
dns: resolver outgoing interface section moved to advanced as it will break setups with dynamic interfaces selected there
load balancer: sticky mode from firewall / system split off as separate setting
snmp: do not allow unicode in system location
intrusion detection: remove deprecated rbn-malvertisers.rules set
intrusion detection: add promiscuous mode / physical interface selection
overall: fix menu width on small size screens
overall: numerous translation fixes (contributed by Frederic Lietart)
overall: numerous translation fixes (contributed by Fabian Franz)
plugins: assorted bugfixes for HAProxy (contributed by Frank Wall)
mvc: fix translations by adding an escaping wrapper
Changes in OPNsense 16.1.14:
src: tzdata updated to 2014d
src: dummynet AQM updated to 0.2.1
src: fix multiple OpenSSL vulnerabilities
src: fix excessive latency in x86 IPI delivery
src: fix memory leak in ZFS
src: fix buffer overflow in keyboard driver
src: fix incorrect argument handling in sendmsg
ports: sqlite 3.12.2[8], openvpn 2.3.11[9], squid 3.5.19
plugins: HAProxy plugin version 1.0 (contributed by Frank Wall)
lang: Japanese 100% completed
lang: updates for French and German
interfaces: removed polling support
interfaces: allow subnet size of 31 bits
high availability: can now sync DNS resolver configuration
cron: reworked job registration
system: do not unload cryptodev to prevent panics when used by OpenVPN
system: user expiration date edit now has a fancy date picker
system: add RFC 6238 (TOTP) support for two-factor authentication
reporting: added local NetFlow reporting frontend
reporting: added remote NetFlow exporter for multiple sources
firewall: fixed schedule cloning
services: lower intervals for router advertisement messages
Changes in OPNsense 16.1.13:
ports: ntp 4.2.8p7[1], bind 9.10.4[2], php 5.6.21, libressl 2.2.7[4], openssl 1.0.2h[5]
languages: newly packaged translations with latest updates
gateways: apinger monitoring quality is no longer affected by NTP operation
backend: lowered configd connection timeout for better response time when unavailable
backend: plugged numerous minor crash reports caused by configd
backup: reworked backup strategies for RRD and DHCP leases
interfaces: allow bridges with at least one member
rc: defer recover for packages to avoid database duplication
intrusion detection: added an eicar test ruleset
intrusion detection: fixed sort order of rulesets
captive portal: properly catch exception for accounting background job
firewall: annotate deprecated ICMP types in rule filter selection
firewall: direction arrows in rule overview now have different colours for easier distinction
gui: correct HTML escaping in MVC between client-side JavaScript and server-side API
gui: various improvements in MVC components required for upcoming HAProxy plugin
gui: enable tooltips in MVC base template
gui: set HTTP-only cookie
Changes in OPNsense 16.1.12:
ports: pkg 1.7.2[1][2][3], sqlite 3.12.1[4], squid 3.5.17
firewall: skip anti-lockout WAN rule when only LAN is connected
firewall: clean up unused alias tables
firewall: improve alias usage validation
firewall: validate / transform url content before save
traffic shaper: add Codel / FQ-CoDel support
firmware: changed «halt» to «power off»
firmware: advertise current product and os version in API
firmware: kernel and base fetch will now advertise download progress
interfaces: translation fixes (contributed by Fabian Franz)
system: fix RRD boot error for CPU temperature graph
gateways: code modernisation for the trusty apinger utility
ipsec: added service control to log page
captive portal: cleanse cert output before write
proxy: cleanse cert output before write
proxy: do not stop authenticating after an empty string
proxy: added log page to ACL
proxy: remove auth local database as default
smart: removed from base, can be installed as plugin «os-smart»
Changes in OPNsense 16.1.11:
services: fix CSRF vulnerability in status_services.php
www: strengthen CSRF secret generation for legacy pages
dhcp: bring back usage of the authoritative directive
system: allow periodic backups of RRD and DHCP for non-MFS
openvpn: status page would not show the correct process status
captive portal: add option for less secure passwords, password and username length
firewall: add GeoIP aliases feature
languages: completed Russian translation (contributed by Smart-Soft Ltd.)
languages: updated French
Changes in OPNsense 16.1.10:
ports: suricata 3.0.1[1], squid 3.5.16
traffic shaper: added individual tabs to quick navigation
traffic shaper: fix behaviour on pppoe devices
openvpn: revive windows installer binaries
firewall: validate alias url download
system: improved config history and backup pages layout
system: increased backup count default from 30 to 60
system: moved several settings to different pages for better technology alignment
system: /var /tmp MFS awareness for crash dumps added
trust: add «IP security IKE intermediate» to server key usage
firmware: moved reboot, halt and defaults pages to new home
proxy: add redirection rule creation link for HTTPS proxy (contributed by Fabian Franz)
pptp: prevent service from printing boot messages due to a stale entry in the default config.xml
interfaces: show LAGG protocol in overview page
languages: another large batch of Russian, now 83% complete (contributed by Smart-Soft Ltd.)
languages: updated French, German and Japanese
Changes in OPNsense 16.1.9:
src: tzdata updated to 2016c
src: prevent kernel panic on ipfw/dummynet module unload
src: let ng_ether_attach() only attach to supported types to avoid kernel panics
ports: curl 7.48.0[2], strongswan 5.4.0, pcre 8.38 (patched CVE-2016-1283)[4], php 5.6.20[5]
languages: added Russian to the release, now 60% complete (contributed by Smart-Soft Ltd.)
languages: updated Japanese, now 70% complete (contributed by Chie Taguchi)
languages: updated German, now 81% complete
languages: updated French, now 50% complete
firewall: allow editing of up to 5000 aliases
firewall: remove link to associated filter rule edit as edit is not allowed
firewall: add port range check to aliases edit
firewall: when alias URL SSL verification is off, do not verify the hostname either
firewall: condense alias pages into a single view
firewall: remember scrolling position to return to the previous position after edit
firewall: alias import now supports type selection (network and host types)
firmware: added German-based mirror (contributed by Alexander Lauster)
system: load modules before setting tunables to support settings for modules
system: fix boot issue that prevented SSH from starting up in some instances
interface: do not show wireless parents on the assignment page as it cannot be assigned
ipsec: individual collapse/expand for status page
dhcp: allow backwards-compatibility with imported configs
captive portal: fix missing busyTimeout on voucher database access
openvpn: remember scrolling position to return to the previous position after edit
proxy: HTTPS support added
proxy: added ability to change the hostname and admin email (contributed by Frederic Lietart)
proxy: avoid race condition on cache dir creation (contributed by Frederic Lietart)
development: allow hiding of menu entries using the Visibility=«delete» attribute
Changes in OPNsense 16.1.8:
src: updated tzdata to version 2016b
src: fix incorrect argument validation in sysarch
src: fix pfi_table_update: cannot set new addresses
src: added APU2 temperature sensor support
ports: unbound 1.5.8[3], sudo 1.8.16[4], pcre 8.38
proxy: better matching for overlapping URLs
universal plug and play: refactored pages for improved look and feel
vpn: refactored L2TP and PPTP pages for improved look and feel
openvpn: fix missed configure stage for Peer to Peer (TLS/SSL) mode
system: reworked the behaviour of thermal and crypto modules
firewall: tweaked a few rule indicator icons to improve clarity
firewall: improved alias validation on edit
interfaces: also add previous DHCP override fixes for IPv6
language: updated French and German
Changes in OPNsense 16.1.7:
ports: pecl-radius 1.3.0[1], bind 9.10.3-P4[2], bsnmp-ucd 0.4.2, openssh-portable 7.2p2[4], sqlite 3.11.1[5]
captive portal: add session timeout to status info
firewall: fix non-report of errors when filter reload errors could not be parsed
pppoe server: make service control buttons work with multiple instances
wake on lan: reworked pages for a polished look and feel
load balancer: reworked pages for a polished look and feel
dashboard: better colouring for widget status bars
dns filter: reworked page for a polished look and feel
dns rfc2136: reworked pages for a polished look and feel
igmp proxy: reworked pages for a polished look and feel
system: routes diagnostics page ported to MVC
proxy: adjust category visibility as not all of them were shown before
firmware: fix an overzealous upgrade run when the package tool only changes options
firmware: fixed the binary upgrade path from 15.7.x in FreeBSD’s package tool
network time: reworked pages for a polished look and feel
system: removed NTP settings from general settings
snmp: refactored page for a polished look and feel
access: let only root access status.php as it leaks too much info
development: remove the automount features
development: added in-place package upgrades using the upstream repository
development: addition of «opnsense-stable» package on our way to nightly builds
development: opnsense-update can now install locally available base and kernel sets
Changes in OPNsense 16.1.6:
src: Fix multiple vulnerabilities of OpenSSL
src: update tzdata to 2016a
ports: openssh-portable 7.2p1[3], isc-dhcp-43 4.3.3P1_1, php56 5.6.19[5], curl 7.41.1[6]
firmware: mirror selection has been widened to include kernel/base upgrades
firmware: bootstrap utility can now directly install e.g. the development version
dhcp: all GUI pages have been reworked for a polished look and feel
proxy: added category-based remote file support if compressed file contains multiple files
proxy: added ICAP support (contributed by Fabian Franz)
proxy: hook up the transparent FTP proxy
proxy: add intercept on IPv6 for FTP and HTTP proxy options
logging: syslog facilities, like services, are now fully pluggable
vpn: stripped an invalid PPTP server configuration from the standard configuration
vpn: converted to pluggable syslog, menu and ACL
dyndns: all GUI pages have been reworked for a polished look and feel
dyndns: widget now shows IPv6 entries too
dns forwarder: all GUI pages have been reworked for a polished look and feel
dns resolver: all GUI pages have been reworked for a polished look and feel
dns resolver: rewrote the dhcp lease registration hooks
dns resolver: allow parallel operation on non-standard port when dns forwarder is running as well
firewall: hide outbound nat rule input for «interface address» option and toggle bitmask correctly
interfaces: fix problem when VLAN tags weren’t generated properly
interfaces: improve interface capability reconfigure
ipsec: fix service restart behaviour from GUI
captive portal: add missing chain in certificate generation
configd: improve recovery and reload behaviour
load balancer: reordered menu entries for clarity
ntp: reordered menu entries for clarity
traffic shaper: fix mismatch for direction + dual interfaces setup
languages: updated German and French
Changes in OPNsense 16.1.5:
ports: squid 3.5.15[1], unbound 1.5.7 hotfix[2], pkg 1.6.4 hotfix, openssl 1.0.2g[4]
services: infrastructure rework for plugin additions
openvpn: added copy/move to client-specific overrides
openvpn: allow binding client-specific overrides to specific server(s)
openvpn: service on/off toggle via overview pages
openvpn: fix problem with service status display
openvpn: when services are disabled, make sure a reconfigure will always stop the associated process
vpn: transform PPTP, L2TP and PPPoE servers to plugin addition to be removed from base install for 16.7
vpn: add proper service probing for PPTP, L2TP and PPPoE servers
interfaces: added RFC 4638 support (MTU > 1492 in PPPoE)
ntp: disable when no servers are set
language: updates for Chinese, French and German
Changes in OPNsense 16.1.4:
ports: squid 3.5.14
dhcp: fix menu expand with IPv6 configuration
captive portal: fix database timeout lock message
interfaces: fix expand/collapse on status page for Edge
proxy: add maximum_object_size setting for squid
load balancer: improve filter reload to prevent traffic lockout (contributed by Frank Wall)
layout: fix searchable dropdown truncation with IE
firewall: fix action buttons on alias edit
menu: updated help menu entries
Changes in OPNsense 16.1.3:
src: hyperv/kvp: wake up the daemon if it is sleeping due to poll()
src: Use correct src/dst ports when removing states in pf
src: finish the boot loader branding by adding a shiny logo
ports: unbound 1.5.7[3], openldap 2.4.44, ca_root_nss 3.22, php 5.7.18[5], phalcon 2.0.10[6], pkg 1.6.4[7][8]
interfaces: collapsible overview for each interface
shaper: fix issue with model when not able to save an old config
health: added pages to ACL for configurable user access
health: record system CPU temperature in additional graph
firmware: add UK-based mirror (contributed by Will Jones)
access: force a visible and non-critical page on non-access redirect
access: make sure «/» is handled like «/index.php»
configuration: add a number of previously missing config sections for selection on restore/backup
firewall: bring back alias nesting
dhcp: add missing DNS resolver awareness
dhcp: fix multiple minor crash reports
radvd: add missing DNS resolver awareness
captive portal: ensure MAC address is saved in lowercase and improve validation
captive portal: fix unicode issue in template generation
captive portal: correct syslog redirection regression
crash reporter: limit log size upload to 1MB
cron: fix validation of hour value
intrusion detection: show origin link of rule sets in details
services: add background daemon to known services for easy reload
services: add captive portal to known services for easy reload
services: improve redirect on service reload in diagnostics page
Changes in OPNsense 16.1.2:
src: OpenSSL SSLv2 ciphersuite downgrade vulnerability
src: Fix packet forwarding in Hyper-V netvsc driver
src: Honour disabled pf(4) log flag on dropped packets with IP options
ports: curl 7.47.0[4], nettle 3.2
wizard: fix certificate generation for OpenVPN
firewall: fix interface selection on post issues in floating rules
firewall: make category filter multi-select for maximum convenience
firewall: do not hide gateways from the gateway selection
firewall: added null routes to the gateway selection
firewall: rather than hiding associated nat rules, remove their edit and clone buttons so they can still be deleted manually
dns resolver: fix $numprocs setting in config according to manual
dns resolver: do not render illegal output for empty IPv6 addresses
dhcp: applying static mappings with DNS resolver enabled no longer seems stuck in apply step
search: resize box on focus and also propagate proxy server tabs
system: fix inversion bug of the default pass logging setting
captive portal: properly log messages to associated log file
intrusion detection: can now add user rules based on SSL fingerprints and IP geolocation
Changes in OPNsense 16.1.1:
ports: libressl 2.2.6[1], openssl 1.0.2f
intrusion prevention: add SSL fingerprint blacklist and other abuse lists (courtesy of abuse.ch[3])
captive portal: limit the max vouchers per call
captive portal: change voucher download filename to match group name
captive portal: strip bad characters from group name
captive portal: fix multiple voucher generation
firewall: add rule categorisation tag field
search: tweak padding to align with right visual border
console: fix halt script to show product name again
firmware: revoked the old 15.7 update fingerprint
interfaces: fix VLAN edit page to show the correct page name
squid: fix authentication script permission regression
dashboard: remove non-authoritative hardware crypto probing
system: do not accept an authentication server with an empty name
system: added hint that device polling setting needs reboot (contributed by Olivier Paroz)
system: assorted translation fixes (contributed by Fabian Franz)
logging: unhide IGMP packets from firewall log view (contributed by Isaac Levy)
Changes in OPNsense 16.1:
src: FreeBSD 10.2-RELEASE-p11
bootstrap: can now update from any available FreeBSD 10 release
ports: libarchive 3.1.2_6[5], Suricata 3.0[6], squid 3.5.13, bind 9.10.3P3[8], sqlite 3.10.2[9], ntp 4.2.8p6[10]
firewall: lock source / destination port settings when neither TCP nor UDP is selected
firewall: simplify the outbound page to hide unwanted items and zap complicated explanations (contributed by Manuel Faux)
firewall: do not leak floating rules into other interface tabs
firewall: add clear button to all log file types
firewall: hide NAT rules from normal rules screen
firewall: removed the unsupported dscp rule option
firewall: display alias descriptions as tooltips (contributed by Manuel Faux)
universal plug and play: switch to secure mode as the new default
unbound: add MX entries to host overrides (contributed by Manuel Faux)
gateways: always save the monitor IP regardless of monitoring being on or off
gateways: properly add and remove routes for monitors on toggle
backend: fix harmless error message caused by a sample template
high availability: allow specification of a different port for synchronisation
high availability: special characters are now being properly preserved
high availability: added new captive portal and traffic shaper as sync options
high availability: reworked and pruned the client synchronisation
firmware: optional php extensions now peacefully coexist with preinstalled extensions
firmware: update plugin list on refresh to reveal available plugin list
intrusion detection: adds intrusion prevention mode for netmap(4) devices (must disable Hardware CRC manually)
captive portal: completely rewritten on top of our new components
proxy: hook up remote ACL settings to translation engine (contributed by Fabian Franz)
proxy: add support for compressed ACLs (.gz, .tar.gz, .tgz, .zip)
proxy: fix toggle for storage log
ipsec: improve display of tunnel overview
openvpn: provide full ca chain on client export (contributed by Manuel Faux)
openvpn: fix engine detection for LibreSSL
layout: all tooltips and icons of action buttons have been updated for proper look and feel (contributed by Manuel Faux)
layout: added the infamous quick navigation feature
layout: consolidated the display of the upper right corner as «user@host.domain»
interfaces: reworked all the pages for proper look and feel
interfaces: ARP and NDP tables have been rewritten and now properly show vendor info
login: improved look and feel
dashboard: rss widget has been reworked and its library has been updated to a new version
config: recover last backup automatically on broken xml
menu: properly aligned submenu icons
system: removed XDebug package from the default installation
1.0.0 (14 October 2015)
The first TING release, based on OPNsense version 15.7. This release includes the following features:
Simplified interface
Russian localisation
Simplified initial setup
Automatic generation of keys and certificates for the web interface and OpenVPN at system start
Application-level traffic analyser (os-ndpi plugin)
HTTP antivirus proxy (os-havp plugin) + ClamAV antivirus package