Версия TING 1.1

1.1.2 (28 июля 2017)

Этот релиз TING основан на OPNsense версии 17.1.11. Команда разработчиков TING произвела следующие доработки функциональности:

В анализатор трафика (L7 фильтрация) добавлен алгоритм агрессивного блокирования клиентов временным блокирующим фильтром при активных попытках использования запрещённых протоколов. В основном это касается блокирования торрентов.
В плагине URL-классификатора (os-netpolice) добавлена возможность локально редактировать категории (добавлять и удалять URL).
Исправлены обнаруженные ошибки.

В базовую систему со стороны OPNsense вошли следующие наработки:

Изменения в OPNsense 17.1.11:

firmware: added major GUI upgrade code for upcoming 17.7 release
firmware: added major GUI cron upgrade parameter «ALLOW_RISKY_MAJOR_UPGRADE»
interfaces: dhcp6c can now properly reload without leaking its listening socket to e.g. OpenVPN
rc: allow to optionally prevent launch of configd via rc.conf variable
openvpn: normalise line endings of used certificates
openvpn: fix config handling in GUI pages for PHP 7.1
plugins: os-quagga 1.3.2 (contributed by Fabian Franz and Michael Muenz)
ports: perl 5.24.2
ports: strongswan 5.5.3

Изменения в OPNsense 17.1.10:

system: harden GUI by removing TLS_RSA_WITH_3DES_EDE_CBC_SHA
system: harden GUI by improving Secure Attribute cookie usage
system: harden GUI by using DH-4096 parameters
system: allow to reverse password / token order in TOTP authentication
system: add swap file option for SSD operation
interfaces: speed up GUI handling with configurations of more than 150 VLANs
interfaces: stop is_ipaddrv6() from accepting subnets
ipsec: IKEv2 can handle multiple phase 1 with the same IP
ipsec: list non-routed connections
unbound: removed obsolete so-rcvbuf optimisation code
net-mgmt/zabbix-agent: validation fix (contributed by Frank Wall)
net/quagga: version 1.3.1 (contributed by Frabian Franz and Michael Muenz)
layout: update to Font-Awesome 4.7
mvc: add setMultiple() to OptionField
ports: phalcon 3.2.1
ports: php 7.0.21
ports: php70-openssl CRL hotfix
ports: bind 9.11.1-P3
ports: unbound 1.6.4
ports: suricata 3.2.3

1.1.1 (21 июля 2017)

Этот релиз TING основан на OPNsense версии 17.1.9. С нашей стороны функциональность была расширена следующим образом:

В анализаторе трафика (L7 фильтрация) была реализована возможность блокирования запрещённых приложений с помощью правил межсетевого экрана в динамическом режиме. Это значительно улучшило возможности блокировки нежелательного трафика. В основном это касается Skype и Telegram.
В плагине анализатора логов web-прокси добавлена возможность сохранять результаты выборки в CSV-файл. Также переработана структура БД и оптимизированы запросы формирования выборки.
Обновлён языковой пакет, доработан перевод на русский язык.
Оптимизирована работа сервиса сбора сетевой статистики по трафику.
Исправлены обнаруженные ошибки.

В базовую систему со стороны OPNsense вошли следующие наработки:

Изменения в OPNsense 17.1.9:

firewall: move gateway switching from system to firewall advanced settings
firewall: keep category selection when changing tabs
firewall: do not skip gateway switch parsing too early (contributed by Stephane Lesimple)
interfaces: show VLAN description during edit
firmware: opnsense-revert can now handle multiple packages at once
firmware: opnsense-patch can now handle permission changes from patches
dnsmasq: use canned –bogus-priv for no_private_reverse
dnsmasq: separate log file, ACL and menu entries
dynamic dns: fix update for IPv6 (contributed by Alexander Leisentritt)
dynamic dns: remove usage of CURLAUTH_ANY (contributed by Alexander Leisentritt)
intrusion detection: suppress «fast mode available» boot warning in PCAP mode
openvpn: plugin framework adaption
unbound: add local-zone typetransparent for PTR zone (contributed by Davide Gerhard)
unbound: separate log file, ACL and menu entries
wizard: remove HTML from description strings
mvc: group relation to something other than uuid if needed
mvc: rework «item in» for our Volt templates
lang: Czech to 100% translated (contributed by Pavel Borecki)
plugins: zabbix-agent 1.1 (contributed by Frank Wall)
plugins: haproxy 1.16 (contributed by Frank Wall)
plugins: acme-client 1.8 (contributed by Frank Wall)
plugins: tinc fix for switch mode (contributed by Johan Grip)
plugins: monit 1.3 (contributed by Frank Brendel)
src: support dhclient supersede statement for option 54 (contributed by Fabian Kurtz)
src: add Intel Atom Cherryview SOC HSUART support
src: add the ID for the Huawei ME909S LTE modem
src: HardenedBSD Stack Clash mitigations
ports: sqlite 3.19.3
ports: openvpn 2.4.3
ports: sudo 1.8.20p2
ports: dnsmasq 2.77
ports: openldap 2.4.45
ports: php 7.0.20
ports: suricata 3.2.2
ports: squid 3.5.26
ports: ca_root_nss 3.31
ports: bind 9.11.1-P2
ports: unbound 1.6.3
ports: curl 7.54.1

1.1.0 (28 июня 2017)

Этот релиз TING основан на OPNsense версии 17.1.8 и является переходом на обновлённую базовую систему. Основные изменения включают в себя переход на FreeBSD 11.0, новое ядро и базовая система, HardenedBSD опции безопасности в ядре и исполняемых файлах, PHP 7.0 и многое другое.

В базовую систему со стороны OPNsense вошли следующие наработки:

Изменения в OPNsense 17.1.8:

system: tweak the HTTP_REFERER error message (contributed by Michael Muenz)
system: IPv6 SSL cipher selection fix (contributed by Alexander Graf)
system: only probe gateway monitor when it is running
system: move web GUI to plugin framework
system: improve ssh key newline write
system: allow up to 8 name servers
firewall: add CARP option «Disable preempt»
firewall: move CARP preempt to later boot stage
firewall: allow port ranges in the form of «80-100» in addition to «80:100»
interfaces: track6 edge case requires HUP for either reload or linkup
ipsec: fix widget count after strongSwan 5.5.2 update
intrusion detection: add advanced feature default-packet-size
firmware: new mirror for Dept. of CSE, Yuan Ze University, Taiwan
rc: advertise live mode just above the login prompt
rc: improve the set IP menu option with far gateway selection, DHCP, DNS, track6, etc.
mvc: send forms as type-safe JSON data
mvc: correct multi-value sort in template helper
mvc: fix validation issue when storing a value for the first time
lang: minor updates for Chinese (contributed by Tianmo)
lang: Japanese 100% completed (contributed by Chie and Takeshi Taguchi)
plugins: quagga 1.2 with initial BGP support (contributed by Fabian Franz and Michael Muenz)
plugins: zabbix-agent 1.0 (contributed by Frank Wall)
plugins: haproxy 1.15 (contributed by Fabian Franz and Frank Wall)
ports: enabled SafeStack for applicable amd64 packages, ported over by HardenedBSD
ports: openssl 1.0.2l

Изменения в OPNsense 17.1.7:

system: fix gateway failover edge cases missed in 17.1.6
system: fix default route display in diagnostics page
system: consistent precision display in gateway monitoring loss and RTT
system: correctly restart cron via backend call
system: use the internal RC script name instead file name to load its variables
system: keep WAN DHCPv6 configuration option on console port reassign
system: unify the console yes/no prompts to indicate their default behaviour
system: separate row and unhide button for 2FA OTP QR code display
system: prevent stripping of migrated configuration during factory reset
firmware: opnsense-bootstrap bare-mode addition for installing repository metadata only
firmware: opnsense-bootstrap will never be deleted in case it is required for recovery
firmware: opnsense-revert now always properly reverts the core package
firmware: fix argument parsing in all update and development utilities
firewall: do not save range when end port is empty
firewall: do not automatically reload filter after alias delete
firewall: skip well-known ports for ranges
firewall: fetching bogon files should not use fetch internal auto-retry
interfaces: fix bug that prevented creation of IPv6 cache IP files (contributed by @theq89)
interfaces: defer reload of the filter on IPv6 renewal and keep it local
interfaces: avoid potential configure loops in IPv4 renewal
interfaces: improve diagnostic messages on boot
interfaces: correct usage of interface cache files and properly clear them during boot
ipsec: enable CA field for hybrid and mutual RSA Xauth
dynamic dns: fix prototype declaration (contributed by Evgeny Bevz)
dynamic dns: add support for STRATO
mvc: fix iteration over several config nodes to avoid «Node no longer exists» type warnings
plugins: quagga 1.1.1 fixes reload of BGPv4 tables and modal closing (contributed by Fabian Franz)
plugins: monit 1.1 fixes import sender address and validation (contributed by Frank Brendel)
src: removed duplicate unbound from FreeBSD base system
src: added locales to e.g. allow tmux to start up correctly
src: Xen migration enhancements
src: allow TOS value zero and add extended DSCP support
ports: openvpn 2.3.15
ports: php 7.0.19
ports: squid 3.5.25
ports: sudo 1.8.20

Изменения в OPNsense 17.1.6:

system: proper autofill of imported CA fields
system: fix off by one and add validation for next serial in CA import
system: new global product info file and associated cleanups
system: prompt for new root password on console reset rather than using the factory default
system: remove PHP version specific code to automatically support newer versions such as PHP 7.1
system: raise PHP memory limit by 50%
firmware: show downgrades in update list as well
firmware: update pkg alongside other packages if it does not need an explicit upgrade
firmware: add plugin list to crash report if plugins are installed
interfaces: do not hide the save button when all interfaces have been assigned
firewall: support tag/tagged for manual outbound NAT
firewall: exclude IPv6 extension headers
firewall: disable filter association when no-rdr port forward option is selected
firewall: do not endlessly try to fetch bogons on systems with no connectivity
captive portal: fix autocomplete, autocapitalize and autocorrect (contributed by Johann Richard)
dhcp: fix static leases issue with loading settings into form
dhcp: add interface-mtu option
ipsec: move to plugin code framework
openvpn: fix possible start failure of servers using udp6 or tcp6
router advertisements: force restart of daemon to adapt to time zone change
unbound: statistics API (contributed by Fabian Franz)
web proxy: reorder pre-auth plugins and local auth settings (contributed by Evgeny Bevz)
mvc: set locale in APIControllerBase (contributed by Alexander Shursha)
mvc: dialog translations (contributed by Fabian Franz)
mvc: escape @ in menu entry to avoid error on mailto: url
plugins: igmp-proxy 1.1 renames internal service reload endpoint
plugins: quagga 1.1.0 adds BGP support and assorted fixes (contributed by Fabian Franz and Michael Muenz)
plugins: relayd 1.1 adds session timeout configuration (contributed by Frank Brendel)
plugins: snmp 1.1 renames internal service reload endpoint
ports: ca_root_nss 3.30.2
ports: phalcon 3.1.2
ports: unbound 1.6.2

Изменения в OPNsense 17.1.5:

system: show save message in correct language after language switch
firmware: remove obsoleted packages after a successful major update
firmware: flip the menu order of plugins and packages
firmware: switch to new embedded kernel/base set version
firewall: improve alias cleanup
firewall: new «select all» feature in firewall rules listings
firewall: add priority setting to advanced rules (contributed by djGrrr)
firewall: cleanup of gateway handling
firewall: cleanup of rule generation and fix for missing rules for group interface network (contributed by Ian Matyssik)
firewall: improve alias validation messages
dhcp: add route features to router advertisements
dhcp: add missing server pool loop counter
unbound: fix DHCP watcher using wrong timezone
unbound: improve DHCP watcher MAC address read
intrusion detection: use «auto» hostmode setting
web proxy: decode content when downloading ACL
web proxy: add all virtual IPs to listening configuration
web proxy: add extended file logging option
openssh: migrated to plugin framework code
openvpn: correctly export renegotiate time of zero
openvpn: reenable the XOR patch support
dynamic dns: multiple fixes and migrated to plugin framework code
rfc2136: multiple fixes and migrated to plugin framework code
rfc2136: separated code from dynamic DNS
rfc2136: added dashboard widget
lang: updates for Chinese, Czech, Japanese
lang: German translation hits 100% completed
plugins: gracefully deal with fatal parse errors in plugin code
plugins: acme-client 1.7 (contributed by Frank Wall)
plugins: haproxy 1.14 (contributed by Frank Wall)
plugins: monit 1.0 (contributed by Frank Brendel)
plugins: quagga 1.0.0 with OSPF and RIP support (contributed by Fabian Franz)
ports: pkg 1.10.1[1]
ports: sqlite 3.18.0
ports: curl 7.54
ports: openssh 7.5p1
ports: hyperscan 4.4.1
ports: dhcp6 20080615.2
ports: ca_root_nss 3.30.1
ports: bind 9.11.1
ports: strongswan 5.5.2
ports: php 7.0.18

Изменения в OPNsense 17.1.4:

system: early installer switched for simpler config importer
system: no longer set shell privileges on password reset
system: avoid misinterpreting obsoleted options use_mfs_tmp_size and use_mfs_var_size
system: do not prompt for password on user edit
system: modernise console/tty settings
interfaces: always wait for dhclient exit
firewall: handle scheduled restarts via new plugin_cron() facility
traffic shaper: exclude IP address when using 3G/4G modems
dnsmasq: configure exclusively via plugin calls
ipsec: remove filtertunnel workaround in light of bundled kernel fix
ipsec: fix missing CA selection for mutual RSA
ipsec: require authentication header as first file
ipsec: include path consolidation
openvpn: allow tunnel network overrides to contain host addresses
openvpn: take client IP for topology subnet in CSC
openvpn: include patch consolidation
unbound: configure exclusively via plugin calls
web proxy: harden SSL ciphers (contributed by Fabian Franz)
mvc: fix multiple scoping issues in base volt templates
lang: updates for Chinese, Czech, French, German, Portuguese
plugins: Let’s Encrypt 1.4[1] (contributed by Felix Kling and Frank Wall)
plugins: HAproxy 1.13 (contributed by Frank Wall)
src: tzdata version 2017b
src: HardenedBSD SafeStack for base applications
src: fix IPsec skip parameter handling in IPv4
src: discard 3072 bytes in arc4_stir() (contributed by Codarren Velvindron)
ports: ca_root_nss 3.30
ports: php 7.0.17
ports: libarchive 3.3.1
ports: ntp 4.2.8p10

Изменения в OPNsense 17.1.3:

system: allow up to 32 characters in user and group names
system: mute cron job output to prevent spurious system mails
system: fix scrambled password option on user add
system: add captive portal session backup
system: fix CRL certificate count display
firmware: add mirror via Universidad Pontificia Bolivariana (Medellin, CO)[1]
firmware: add mirror via DMC Networks (Lincoln NE, US)
firewall: add modulate state as an option for state tracking (contributed by Ian Matyssik)
firewall: add ruleset optimization option for better performance (contributed by Ian Matyssik)
firewall: improved the log widget (contributed by Fabian Franz)
firewall: port forwarding enhancements for tag, pool options and target subnet
firewall: allow virtual interfaces as interface group members and move to firewall section
firewall: allow port alias nesting
captive portal: improved ARP parsing
dyndns: support Google Domains (contributed by Alasley)
intrusion detection: improve ruleset selection indicators
openvpn: do not double-encode client auth credentials
openvpn: validate IPv4 CIDR more strictly to prevent startup error
openvpn: do not offer external CA for selection
rfc 2136: allow selection of record type (contributed by Elias Werberich)
unbound: option to not register IPv6 link-local addresses (contributed by Ian Matyssik)
unbound: do not explicitly register loopback when selected as listening interface
unbound: add serve-expired option
web proxy: update for non-transparent SSL bumping (contributed by Mikhail Morev)
web proxy: add notice to inform the user about the need to download new list
lang: Chinese updated to 100% completed (contributed by Tianmo)
lang: Portuguese (Portugal) updated to 100% completed (contributed by Carlos Meireles)
lang: updates for German, French and Dutch
mvc: add boolean type to tables (contributed by Frank Brendel)
mvc: handle backend execution error more gracefully
mvc: added test for existing API method
mvc: send booleans as strings, not integers in API forms
mvc: allow dynamic hiding of sections in forms via model
plugins: register group interface type for PPTP, L2TP and PPPoE
plugins: add lifetime expiry for Universal Plug and Play rules
plugins: Let’s Encrypt version 1.2 (contributed by Frank Wall)
installer: do not configure console when /dev/ttyv0 is unavailable
installer: console settings now support vt(4) instead of syscons(4)
src: fix system hang when booting when PCI-express HotPlug is enabled
src: fix NIS master updates are not pushed to NIS slave
src: fix compatibility with Hyper-V/storage after KB3172614 or KB3179574
src: make makewhatis output reproducible
src: fix multiple vulnerabilities of OpenSSL
src: properly build i386 with netmap(4) device to fix IPS mode
src: tzdata updated to version 2017a
ports: php 7.0.16
ports: phalcon 3.0.4
ports: ca_root_nss 3.29.3
ports: sqlite 3.17.0
ports: curl 7.53.1
ports: unbound 1.6.1

Изменения в OPNsense 17.1.2:

system: allow to issue reboots via cron
system: allow to change password for imported users
firmware: run autoremove on minor operations
firmware: plugin detection via configd
wizard: rework modelling and UX
interfaces: fix wlan probe to not yield an empty interface
interfaces: fix bug in subnet matching on tun interfaces on FreeBSD 11.0 (contributed by djGrrr)
interfaces: add VLAN Priority (PCP) setting to VLAN config (contributed by djGrrr)
firewall: shared forwarding is off by default, added advanced config option
captive portal: redirect using HTTP code 302
captive portal: add group enforcement
captive portal: fix transparent web proxy mode on FreeBSD 11.0
dhcp: do not link to WOL page if plugin is not installed (contributed by Frank Wall)
ipsec: add mobike switch, change leftsendcert to always, etc.
unbound: provide link local interface selection
lang: Chinese to 65% completed (contributed by Tianmo)
lang: Czech to 86% completed (contributed by Pavel Borecki)
lang: Portuguese (Brazil) to 100% completed (contributed by Thiago Basilio)
lang: Portuguese (Portugal) to 69% completed (contributed by Carlos Meireles)
lang: minor updates to French and German
src: net.pf.share_forward now off by default
src: HardenedBSD procfs hardening
src: HardenedBSD disable unprivileged process debugging
src: replace Realtek re(4) driver with vendor version 1.93
src: add AE3000 and AE6000 to supported run(4) devices
src: revert a crash candidate micro-optimisation in rwlock
plugins: introduce development plugin variants
plugins: os-tinc 1.2 with network mode selection
ports: switch to MIT Kerberos version 5 release 1.14.4
ports: open-vm-tools integrated authentication fix
ports: bind 9.11.0-P3
ports: unbound 1.6.0
ports: tinc 1.0.31
ports: suricata 3.2.1
ports: hyperscan 4.4.0
ports: ca_root_nss 3.29

Изменения в OPNsense 17.1.1:

system: LDAP picker CSRF error solved by introducing session-based security tokens
system: fixed CRL generation inside PHP OpenSSL module
system: fix a typo with Portuguese (Portugal) in language selector
system: do not interpret passed values in wizard
system: fix forum link in message of the day
firewall: direction «any» was not respected in floating rules
firewall: fix double encoding of NO NAT for NAT addresses (contributed by djGrrr)
firewall: improve validation between IPv4 and IPv6 to prevent faulty rule generation
firmware: opnsense-update utility now unlocks packages before performing major upgrades
firmware: opnsense-revert utility now retains the automatic flag
firmware: revoked the 16.7 update fingerprints
dhcp: change relay text to make it clear multiple servers are supported (contributed by GurliGebis)
ipsec: add EAP-RADIUS support (contributed by GurliGebis)
ipsec: set filtertunnel sysctl values to fix TCP teardown
ipsec: fix hidden interface rules tab
ipsec: add AES-GCM support
openvpn: fixed CRL generation inside PHP OpenSSL module
openvpn: do not escape advanced options on export
openvpn: fix hidden interface rules tab
mvc: multiple tab usage CSRF errors solved by introducing session-based security tokens
mvc: fix HTTP status codes on CSRF errors
mvc: soft-fail on missing classes in ModelRelationField (contributed by Frank Wall)
plugins: os-acme-client 1.1 (contributed by Frank Wall)
plugins: os-haproxy 1.12 (contributed by Frank Wall)
src: pf(4) shared forwarding fix during NAT
src: pf(4) sysctl switch to disable shared forwarding
src: fix a panic with stf(4) interfaces
src: unhide hard disks under Hyper-V
ports: pkg 1.9.4[3]
ports: pcre 8.40
ports: libressl 2.4.5
ports. libevent 2.1.8
ports: squid 3.5.24

Изменения в OPNsense 17.1:

cooperative firewall forwarding to allow traffic shaper/captive portal with multi-WAN
install media now boots up with SSH for headless remote installation
HardenedBSD ASLR and PIE compilation for most binaries
HardenedBSD SEGVGUARD to prevent ASLR brute force attacks
PHP 7.0 compatibility and general GUI speed improvements
replaced the CSRF implementation in the non-MVC pages
integrated authentication using PAM to allow e.g. 2FA (TOTP) over SSH
system secondary console support with new EFI and Mute options
Portuguese/Portugal as a release language (contributed by Carlos Meireles)
Portuguese/Brazil as a release language (contributed by Thiago Basilio)
Italian as a release language (contributed by Antonio Prado)
Czech as a release language (contributed by Pavel Borecki)
improved password security (contributed by OSnet)
FTP proxy plugin (contributed by Frank Brendel)
Let’s Encrypt Plugin (contributed by Frank Wall)
Tinc VPN Plugin
IPsec tunnel isolation mode for interoperability
micro versioning/migrations for config items
constraint support for config items
rewritten Nano images with growfs(8) support
authentication methods are now fully pluggable
firewall rules are now fully pluggable
FreeBSD 11.0 including additional reliability fixes