TING version 1.2

1.2.5 (30 January 2018)

This TING release is based on OPNsense version 17.7.12.

New from the Smart-Soft team:

  • os-proxy-useracl plugin: binding of rules to an authentication server, ability to work with SMS portal groups

  • os-sms-portal plugin: compliance with the requirements of Russian Federation legislation, user groups, statistics and filtering on the web proxy

  • os-netpolice plugin: binding of rules to an authentication server, ability to work with SMS portal groups

  • os-security-scanner plugin: the OpenVAS scanner has been integrated

  • os-ndpi plugin: protocol recognition library updated to version 2.2

  • web proxy: localization of web proxy response templates

  • Russian translation updated

  • translation of plugin descriptions added

Changes in OPNsense 17.7.12:

  • system: use correct crypto library to gather GUI SSL ciphers

  • system: do not wrap action buttons in tunables page

  • system: fix CA serial number decrement on save

  • firmware: remove the discontinued hotfix backend support

  • firmware: allow dot in package name during package action

  • interfaces: make level of detail stick in packet capture

  • interfaces: auto-lock problematic interfaces upon assignment

  • firewall: make NAT reflection enable less ambiguous

  • firewall: fix NAT formatting in states dump page

  • network time: fix for valid negative offset in health graph

  • network time: OPNsense NTP pool is now available

  • network time: fix parsing of overly overlong lines

  • web proxy: use PID file instead of daemon name for status probe

  • wizard: add unbound to wizard and uncheck DNSSEC by default

  • ui: HTML compliance fixes button in link usage (contributed by NOYB)

  • mvc: added mutable service controller

  • mvc: added sub-tab layout partials

  • mvc: do not render empty toggle header

  • plugins: acme-client 1.13 [5]

  • plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)

  • plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)

  • plugins: tor 1.4 adds contact info (contributed by Fabian Franz)

  • plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)

  • ports: libressl 2.6.4 [6]

  • ports: php 7.1.13 [7]

1.2.4 (27 December 2017)

This TING release is based on OPNsense version 17.7.11. This update moves to PHP 7.1.

New from the Smart-Soft team:

  • os-proxy-ntlm plugin: NTLM authentication on the web proxy for those who cannot use Kerberos authentication

  • full support for Cyrillic domains in all subsystems

  • SNMP setting added to the web proxy

  • Russian translation updated

Changes in OPNsense 17.7.11:

  • system: numerical sort for «Use» and «MTU» columns in route diagnostics

  • system: gateway group edit tier selection issue with jQuery3

  • system: minor cleanups in the certificates backend

  • firewall: move anti-lockout rule to advanced settings

  • interfaces: minor cleanups in the backend

  • reporting: rework configuration handling on the settings page

  • dnsmasq: minor cleanups in the backend

  • firmware: strip the architecture from the base / kernel set version display

  • firmware: backend preparations for full base / kernel set lock and reinstall

  • firmware: increase crash report file limit to 2 MB

  • ipsec: minor cleanups in the backend

  • unbound: register DHCP domain name for interface if found

  • network time: show full remote address and fix page boxing on status page

  • network time: add advanced custom options

  • network time: fix leap second save

  • network time: minor cleanups in the backend

  • wizard: properly redirect on input errors in system wizard

  • mvc: ignore client-side anchors in breadcrumb generation

  • ui: do not use a CSRF input element ID

  • plugins: os-freeradius 1.4.1 fixes a warning in clients (contributed by Michael Muenz)

  • ports: libxml 2.4.7 [1]

  • ports: py-ipaddress 1.0.19

Changes in OPNsense 17.7.10:

  • system: allow user-based language setting through Lobby: Password

  • system: allow strict interface binding for OpenSSH

  • system: prepare for MVC-based routing pages

  • firewall: fix a PHP warning when no user rules are installed

  • firewall: add refresh button to table diagnostics page

  • captive portal: fix chroot regression since lighttpd web server update in 17.7.9

  • interfaces: provide a link-local IPv6 when asking for addresses

  • intrusion detection: sync port-groups to default template

  • ipsec: upgrade vici lib to match strongSwan package

  • network time: fix a PHP warning during NMEA deselect

  • mvc: do not throw disabled errors in handler

  • plugins: os-dyndns 1.4_1 fixes issue with Namecheap error parsing

  • plugins: os-freeradius 1.4.0 adds log viewer and fixes users write (contributed by Michael Muenz)

  • plugins: os-quagga 1.4.3 adds OSPF firewall rule and spinners for save (contributed by Fabian Franz)

  • plugins: os-quagga 1.4.3_1 fixes service startup regression

  • plugins: os-rfc2136 1.1_1 fixes edit button in IE 11

  • src: OpenSSL multiple vulnerabilities [2] [3]

  • ports: hyperscan 4.6.0 [4]

  • ports: openssl 1.0.2n [5]

  • ports: suricata 4.0.3 [6]

Changes in OPNsense 17.7.9:

  • system: fix XSS with crafted certificates in certificate manager [7]

  • system: removed duplicated firmware privileges

  • system: fix resolving routes in diagnostics page

  • system: regenerated DH parameters

  • dhcp: support stateless DHCPv6

  • firmware: kernel and base set visibility and better API session handling

  • intrusion detection: improve download and install speed of et-open rules

  • intrusion detection: add TLS and HTTP logging in eve and alert log viewer

  • openvpn: allow remote network in peer to peer modes

  • web proxy: better service and API session handling

  • router advertisements: advertise on VIPs belonging to the same interface

  • configd: allow template overrides via optional target directory

  • mvc: prepare for user-based language setting (contributed by Alexander Shursha)

  • mvc: prepare for auto-generated page titles

  • mvc: tighten against frame-based attacks

  • mvc: correctly hide advanced option headers in forms (contributed by Evgeny Bevz)

  • ui: fix for deactivated storage in sticky «help all» toggle (contributed by Fabian Franz)

  • ui: make «advanced mode» sticky too

  • plugins: os-acme-client 1.12 [8]

  • plugins: os-arp-scan (contributed by Giuseppe De Marco)

  • plugins: os-clamav 1.3 (contributed by Alexander Shursha)

  • plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed by Kuo-Cheng Yeu)

  • plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)

  • plugins: os-haproxy 2.0 [9]

  • plugins: os-relayd 1.2 fixes «check send» directive

  • plugins: os-tor 1.3 (contributed by Fabian Franz)

  • plugins: os-zabbix-agent 1.2 fixes service status indicator

  • plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)

  • ports: ca_root_nss 3.34.1

  • ports: curl 7.57.0 [10]

  • ports: lighttpd 1.4.48 [11]

  • ports: php 7.1.12 [12]

  • ports: pkg 1.10.3 [13]

  • ports: py-Jinja2 2.10 [14]

A hotfix release was issued as 17.7.9_8:

  • system: correctly populate logging settings after clearing all logs

  • firewall: fix 2 PHP 7.1 warnings

  • ipsec: fix 2 PHP 7.1 warnings and one runtime error

  • interfaces: fix a PHP 7.1 warning

  • intrusion detection: add protocol display to alert dialog

  • plugins: os-haproxy 2.1 fixes HSTS usage [15]

Another hotfix release was issued as 17.7.9_9:

  • system: fix a PHP 7.1 runtime error in certificate generation

  • plugins: os-haproxy 2.2 fixes rules parameters [16]

Changes in OPNsense 17.7.8:

  • firewall: when CARP is disabled it should enable the «Block CARP traffic»

  • firewall: isAlias() should return false when an empty name is provided

  • firewall: support non-whitespace field separators for URL table alias (contributed by shonjir)

  • firewall: table plugin support (contributed by Evgeny Bevz)

  • firewall: properly skip L2TP and PPTP interfaces in IPFW

  • firmware: add mirror courtesy of Ventura Systems, Columbia

  • firmware: crash report file size limit for upload

  • interfaces: prevent reconfigure of wireless device on rc.linkup

  • reporting: clear tooltip in health graphs

  • intrusion detection: prevent UI lockups by closing server sessions early

  • intrusion detection: add advanced payload log option

  • intrusion detection: improved alert inspection dialog

  • ipsec: add passthrough networks support

  • ipsec: add support for elliptical curve DH groups

  • router advertisements: fix DHCPv6 start in «unmanaged» mode

  • web proxy: add update cache support for Linux and Windows (contributed by Fabian Franz)

  • web proxy: add support UTF-8 domain names (contributed by Alexander Shursha)

  • web proxy: improved IPv6 alias support

  • ui: make «full help» state sticky in client session

  • lang: Japanese updates (contributed by Chie and Takeshi Taguchi)

  • lang: German updates (contributed by Fabian Franz)

  • lang: Russian updates (contributed by Smart-Soft)

  • lang: Czech updates (contributed by Pavel Borecki)

  • plugins: os-siproxd 1.2.1 with fix for RTP high port (contributed by mrpace2)

  • plugins: os-smart 1.2 now indicates if no devices have been found (contributed by Larry Meaney)

  • plugins: os-telegraf 1.1 adds network input setting (contributed by nycaleksey)

  • plugins: os-tor 1.2 adds hidden service onion service client support (contributed by Fabian Franz)

  • plugins: os-web-proxy-sso 2.1 makes Kerberos hostname configurable (contributed by Evgeny Bevz)

  • src: properly bzero kldstat structure to prevent information leak [17]

  • src: fix kernel data leak via ptrace(PT_LWPINFO) [18]

  • src: only refresh bsnmpd device table on a device add or remove event

  • src: unclog reply-to to avoid default route in shared forwarding

  • src: update timezone database information

  • ports: phalcon 3.2.4 [19]

  • ports: php 7.0.25 [20]

  • ports: sqlite 3.21.0 [21]

  • ports: openssl 1.0.2m [22]

  • ports: ca_root_nss 3.34

  • ports: sudo 1.8.21p2_1 [23]

1.2.3 (9 November 2017)

This TING release is based on OPNsense version 17.7.7. In this release OpenSSH is updated to version 7.6, and as a result SSH protocol version 1 and RSA keys shorter than 1024 bits are no longer supported. Take note of this before updating.

New from the Smart-Soft team:

  • os-netpolice plugin updated: selective enabling of site filtering by category for users and groups; added the ability to apply the filter to sites that did not fall into any of the categories [1]

  • os-c-icap plugin updated: added viewing of service and access logs

  • os-proxy-ntlm plugin added: NTLM authentication on the proxy

  • Russian translation updated

Changes in OPNsense 17.7.7:

  • firewall: GeoIP alias edit UX rework

  • reporting: increase database timeout to 60 seconds

  • firmware: base / kernel lock API

  • firmware: details dialog for plugins

  • firmware: assorted minor UI tweaks

  • dhcp: improve sorting of DHCP leases (contributed by Larry Meaney)

  • ipsec: add rightsourceip = %radius for eap-radius

  • ipsec: moved firewall rule generation to plugin code

  • web proxy: remove default value of visible_hostname

  • mvc: translate navigation tabs (contributed by Alexander Shursha)

  • mvc: prevent faulty child node removal in serializeToConfig()

  • plugins: os-freeradius 1.2.0 adds EAP-TLS support (contributed by Michael Muenz)

  • plugins: os-intrusion-detection-content-snort-vrt 1.0 (contributed by shonjir)

  • plugins: os-telegraf 1.0 for amd64 only (contributed by Michael Muenz)

  • plugins: os-tor 1.1 fixes VIP usage and initial setup

  • ports: curl 7.56.1 [2]

  • ports: openssh 7.6p1 [3]

  • ports: suricata 4.0.1 [4]

1.2.2 (26 October 2017)

This TING release is based on OPNsense version 17.7.6, which includes fixes that close the KRACK (Key Reinstallation Attacks) vulnerability in WPA2 in the hostapd and wpa_supplicant packages.

New from the Smart-Soft team:

  • os-sms-portal plugin: a Captive Portal plugin that implements SMS authentication on the portal; documentation at link [1]

  • os-ndpi plugin: reworked web interface, display of statistics on firewall blocks, firewall blocking settings, IP addresses to exclude from the rules, blocking using a table of IP addresses; documentation at link [2]

  • the os-havp plugin is being dropped from support; its functionality is replaced by the os-c-icap and os-clamav plugins, ICAP must be configured in the web proxy; more information at link [3]

  • os-c-icap and os-clamav plugins for antivirus scanning of web traffic: signature database freshness shown in the web interface, service logs displayed, improved service start-up mechanism, user name written to the ICAP log; documentation at link [4]

  • exclusions in the ICAP settings

  • logging subsystem: improved the procedure for applying a filter to a log, removed the limit on the maximum amount of information retrieved from a log

  • Russian translation updated

Changes in OPNsense 17.7.6:

  • interfaces: mitigate KRACK attacks by using patched hostapd and wpa_supplicant from ports

  • interfaces: added ARP flush to diagnostics page (contributed by Giuseppe De Marco)

  • firmware: opnsense-revert man page examples (contributed by Marco Woitschitzky)

  • firmware: opnsense-update provides locks for the kernel and base sets

  • firmware: opnsense-update provides remote size of kernel and base sets

  • firmware: new mirror in Switzerland via HiHo.ch (contributed by Fabian Abplanalp)

  • firmware: preparations for upcoming page and user-facing feature improvements

  • reporting: traffic mini-graphs switch places with their plain throughput values

  • reporting: return empty file when parameters are missing from insight data export

  • captive portal: improved column header texts in session view

  • ipsec: hide mode selection in phase 1 under IKEv2

  • openvpn: multi-remote support for clients

  • web proxy: allow plugin reload through pluginctl

  • ui: bootgrid tweaks (contributed by Fabian Franz)

  • ui: info command addition to bootgrid (contributed by David Harrigan)

  • rc: pluggable /var MFS support and micromanaging of boot tasks

  • configd: parameter handling rework

  • plugins: os-c-icap 1.3 adds server log view (contributed by Michael Muenz)

  • plugins: os-clamav 1.1 adds version info display and /var MFS support (contributed by Alexander Shursha)

  • plugins: os-freeradius 1.1 (contributed by Michael Muenz)

  • plugins: os-monit 1.4 M/Monit support and fixes (contributed by Frank Brendel)

  • plugins: os-siproxd 1.0 (contributed by Michael Muenz)

  • plugins: os-web-proxy-sso 2.0 (contributed by Smart-Soft)

  • plugins: os-zerotier 1.3 adds remote network info and local.conf setting (contributed by David Harrigan)

  • ports: curl 7.56.0

  • ports: hostapd 2.6_1

  • ports: phalcon 3.2.3

  • ports: unbound 1.6.7

  • ports: wpa_supplicant 2.6_2

Changes in OPNsense 17.7.5:

  • system: always return unique list of active DNS servers

  • system: remove obsolete fast forwarding sysctl usage

  • gateways: appropriate use of link local scope gateway targets

  • interfaces: start rtsold in directly send SOLICIT case as well

  • firewall: improve virtual IP VHID edit handling

  • firmware: prevent submit of empty crash reports

  • web proxy: fix ICAP username header usage (contributed by Alexander Shursha)

  • plugins: os-c-icap 1.2 local squid authentication (contributed by Alexander Shursha)

  • plugins: os-collectd 1.1 graphite post and prefix (contributed by Michael Muenz)

  • plugins: os-intrusion-detection-content-et-pro 1.0

  • plugins: os-quagga 1.4.2 OSPF router ID support (contributed by Fabian Franz)

  • ports: dnsmasq 2.78

  • ports: kerberos 1.15.2

  • ports: openvpn 2.4.4

  • ports: perl 5.24.3

  • ports: php 7.0.24

  • ports: python 2.7.14

Changes in OPNsense 17.7.4:

  • system: remove revoked certificates from list of certificates to revoke

  • firewall: add advanced setting to disable interface gateway rules

  • firewall: ignore gateway weight of zero

  • firewall: add reply-to specific gateway in pluggable rules

  • firewall: support anchor quick keyword in pluggable rules

  • intrusion detection: do not allow interface group in selection

  • openvpn: ns-cert-type becomes remote-cert-tls in client export

  • web proxy: ICAP exclude list (contributed by Alexander Shursha)

  • mvc: support value attribute for model option data

  • installer: UEFI partition size increased to 200 MB

  • installer: always error on password mismatch

  • plugins: os-acme-client 1.11 (contributed by Frank Wall)

  • plugins: os-c-icap 1.1 logging and virus scan settings (contributed by Michael Muenz)

  • plugins: os-tor 1.0 (contributed by Fabian Franz)

  • plugins: os-zerotier 1.2.0 allows local.conf settings (contributed by David Harrigan)

  • ports: libnghttp2 1.26

  • ports: unbound 1.6.6

  • ports: hyperscan 4.5.2

  • ports: py-openssl 17.3.0

  • ports: py-cryptography 2.03

Changes in OPNsense 17.7.3:

  • interfaces: IPv6 tracking now configures DNS to exclusively use local service or global settings

  • interfaces: fix provider selection for PPP

  • intrusion detection: fix changing the action of rules prefixed with «#alert»

  • ipsec: fix access to the shared key edit page

  • web proxy: adjust default URLs for ICAP (contributed by Fabian Franz)

  • plugins: os-dyndns 1.3 fixes Namecheap updates

  • plugins: os-quagga 1.4.1 adds logging (contributed by Fabian Franz)

  • ports: sudo 1.8.21p2 [22]

1.2.1 (18 September 2017)

This TING release is based on OPNsense version 17.7.2. In addition to the OPNsense work, this release includes an updated Russian translation package.

Changes in OPNsense 17.7.2:

  • system: make log file views adapt to log format to fix date display

  • system: removed m0n0wall/pfSense config migration code

  • reporting: traffic graph mini-graph additions (contributed by Jeffrey Gentes)

  • firewall: align NAT target port to destination port when creating a new entry

  • firewall: remove spurious filter reload page

  • firewall: wrong double-encode in schedule descriptions

  • firewall: naturally order settings menu

  • firmware: fix ALLOW_RISKY_MAJOR_UPGRADE cron job parameter

  • firmware: add new trusted fingerprint key for upcoming rotation

  • firmware: ABI auto-append on custom flavour entry without multiple directories

  • captive portal: small UX tweaks for dialogs and spacing

  • intrusion detection: selectable home networks as advanced option

  • intrusion detection: missing gzip decode on download

  • unbound: restart on new WAN IP if explicit interface matches

  • web proxy: log name now starts with a module name

  • rc: clear /var/run contents on bootup

  • ui: improved PHP 7.1 compatibility for static pages

  • ui: updated nvd3 to version 1.8.5-dev

  • ui: allow runtime bootgrid translation (contributed by Fabian Franz)

  • plugins: migrate plugin models on install

  • plugins: only restart configd once on reinstall

  • plugins: os-acme-client 1.10 (contributed by Frank Wall)

  • plugins: os-clamav 1.0 (contributed by Michael Muenz)

  • plugins: os-c-icap 1.0 (contributed by Michael Muenz)

  • plugins: os-dyndns fix for Cloudflare proxy status (contributed by sll552)

  • plugins: os-mdns-repeater 1.0 (contributed by Fabian Franz)

  • plugins: os-zerotier 1.1.0 (contributed by David Harrigan)

  • ports: mpd 5.8_2 [5]

  • ports: php 7.0.23

  • ports: sudo 1.8.21p1

Changes in OPNsense 17.7.1:

  • system: add email and comment field to users

  • system: do not set LC_ALL locale

  • firewall: fix floating rules default for quick parameter (contributed by Frank Wall)

  • firewall: support outbound NAT source invert

  • firewall: allow SSH installer anti-lockout on setups with only one interface

  • firewall: add back interface gateway pinning when the protocol is assigned

  • firewall: add optional VHID to support alias IP on CARP

  • firewall: use privilege separation to fetch diagnostic states

  • firmware: revoke 17.1 fingerprint

  • interfaces: better labels for DHCPv6 extended settings (contributed by Fabian Franz)

  • interfaces: fix display of validation error from gateway addition request

  • interfaces: do not write defunct advanced settings

  • interfaces: add ability to lock vital interfaces to prevent reboot network recovery

  • interfaces: split device create and rename ifconfig calls as a single call can be unstable

  • interfaces: probe VLAN hardware settings before changing

  • reporting: better insight database corruption detection and repair

  • captive portal: better login database corruption detection and repair

  • captive portal: fix startup after unclean shutdown

  • dhcp: fix string offset warnings in leases page (contributed by Elias Werberich)

  • intrusion detection: fix startup after config import if no remote files have been downloaded yet

  • ipsec: portable NAT before IPsec support

  • openvpn: fix Tunnelblick link on export page (contributed by Stefan Husch)

  • openvpn: fix connected timestamp and bytes up/down display

  • openvpn: write proxy auth file in shared key export

  • openvpn: minor display tweaks in widget and configuration pages

  • openvpn: local group restriction feature

  • update: rename bootstrap „-V“ argument to „-r“ for consistency

  • update: fix code bug for /etc/make.conf link rewrite on upgrade

  • update: support „-S“ argument to probe remote set size

  • update: support loading kernel debug sets via „-g“ option

  • mvc: add standard dialog helper (contributed by Frank Wall)

  • mvc: simplify language selection code (contributed by Alexander Shursha)

  • mvc: allow to run targeted model migration if requested

  • mvc: ensure backend-cached JSON data is valid

  • lang: small updates to Chinese and German

  • lang: Japanese back at 100% (contributed by Chie and Takeshi Taguchi)

  • plugins: several updates for PHP 7.1 compatibility

  • plugins: os-acme-client 1.9 (contributed by Frank Wall)

  • plugins: os-collectd 1.0 (contributed by Michael Muenz)

  • plugins: os-freeradius 1.0.1 (contributed by Michael Muenz)

  • plugins: os-dyndns 1.1 removes legacy notification support and adds regfish IPv4 and IPv6 as a provider

  • plugins: os-haproxy 1.17 adds hard stop feature to avoid shutdown stalls (contributed by Frank Wall)

  • plugins: os-rfc2136 1.2 removes legacy notification support

  • plugins: os-zerotier 1.0 (contributed by David Harrigan)

  • src: fix panic in PPPoE session lookup (contributed by Alex Dupre)

  • src: add new USB ID for Sierra LTE modem

  • src: fix VNET kernel panic with asynchronous I/O

  • ports: curl 7.55.1

  • ports: isc-dhcp 4.3.6

  • ports: libressl 2.5.5

  • ports: phalcon 3.2.2

  • ports: php 7.0.22

  • ports: sqlite 3.20.1

  • ports: strongswan 5.6.0

  • ports: suricata 4.0.0

  • ports: unbound 1.6.5

1.2.0 (5 September 2017)

This TING release is based on OPNsense version 17.7. The TING development team made the following functional improvements:

  • Added interactive console tools for the system administrator: trafshow and htop. They are installed by the os-console-tools plugin.

  • os-useracl plugin: configuration of rule priority (configurable order in which rules are applied).

  • os-squid-log proxy reporting plugin: added the "Chronological" report type, which shows requests in the order they arrived, without grouping.

  • Improved the Russian translation.

  • Fixed the bugs that were found.

The OPNsense base system has changed significantly with this release. For more than two and a half years OPNsense has been driving innovation in the open-source firewall through modularising functionality, simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates and clear licensing under the 2-Clause BSD License.

This version includes highlights such as SafeStack application hardening, the Realtek re driver for better hardware stability, the Quagga plugin with dynamic routing protocol support and the Unbound package as the new default resolver. In addition, translations into Czech, Chinese, Japanese, Portuguese and German were completed for the first time during this development cycle.

OPNsense's focus has shifted to improving and optimising its various systems and to providing continuous updates, which amounts to more than 300 individual changes made since version 17.1. The plugin infrastructure has been expanded thanks to developers Frank Wall, Frank Brendel, Fabian Franz and Michael Muenz. Last but not least, a great deal of work was done with HardenedBSD.

Below is the full list of OPNsense changes, version by version.

Changes in OPNsense 17.7:

  • interfaces: dhcp6c can now properly reload without leaking its listening socket to e.g. OpenVPN

  • interfaces: correctly write Host-Uniq string in PPPoE configuration (contributed by Paolo Velati)

  • firmware: fix JavaScript typo in the GUI that would prevent an update with a pending reboot

  • firmware: zap spurious newlines in end-of-life message

  • rc: allow to optionally prevent launch of configd via rc.conf variable

  • rc: print root file system when boot is completed

  • lang: Chinese 91% completed (contributed by Tianmo)

  • lang: Czech 94% completed (contributed by Pavel Borecki)

  • lang: German 100% completed (contributed by Fabian Franz et al)

  • lang: Japanese 92% completed (contributed by Chie and Takeshi Taguchi)

  • lang: Russian 89% completed (contributed by SmartSoft)

  • plugins: os-freeradius 1.0.0 (contributed by Michael Muenz)

  • plugins: os-quagga 1.3.2 (contributed by Fabian Franz and Michael Muenz)

  • src: do not update the LAGG link layer address when destroying a LAGG clone

  • src: pull the next header as well to restore filtering on incoming IPsec NAT-T traffic

  • ports: haproxy 1.7.8

  • ports: strongswan 5.5.3

Changes in OPNsense 17.7.r2:

  • system: harden GUI by removing TLS_RSA_WITH_3DES_EDE_CBC_SHA

  • system: harden GUI by improving Secure Attribute cookie usage

  • system: harden GUI by using DH-4096 parameters

  • system: regenerate Diffie-Hellman parameters

  • system: allow to reverse password / token order in TOTP authentication

  • system: added major GUI firmware upgrade code

  • interfaces: fix WLAN device clone creation

  • interfaces: improve LAGG MTU handling and reconfigure

  • interfaces: Host-Uniq configuration option for PPPoE connections

  • ipsec: IKEv2 can handle multiple phase 1 with the same IP

  • installer: request password change after installation

  • installer: now properly advertises itself as version 17.7

  • rc: batch-run bootup command before starting services

  • openvpn: normalise line endings like web GUI does

  • openvpn: fix config read/write on PHP 7.1

  • mvc: squelch a PHP notice on an undefined element in forms (contributed by Evgeny Bevz)

  • lang: update Chinese, Czech, German, Japanese

  • plugins: enable stable plugins for 17.7

  • plugins: os-dyndns 1.1 fixes menu entry visibility

  • plugins: os-quagga 1.3.2 (contributed by Fabian Franz and Michael Muenz)

  • ports: php 7.0.21

  • ports: perl 5.24.2

  • ports: suricata 3.2.3

  • ports: unbound 1.6.4

Changes in OPNsense 17.7.r1:

  • system: added swap file option for SSD deployments

  • system: bring back crash reports for all types of kernel crashes

  • system: LDAP server StartTLS connection mode (contributed by Eugen Mayer)

  • system: prevent anonymous binds to AD by rejecting empty passwords

  • console: rewrote the backup restore to fix a possible licensing issue

  • interfaces: instead of renaming new interfaces create them with the target name

  • interfaces: the IP renewal was redesigned to prevent spurious reloads

  • firewall: gateway code refactored

  • firewall: rule generation code refactored

  • dynamic dns: removed from core, installable as plugin

  • rfc 2136: removed from core, installable as plugin

  • ipsec: removed stale BINAT configuration items

  • proxy: hardened the SSL configuration (contributed by Fabian Franz)

  • src: netgraph/pppoe: user-supplied Host-Uniq tag and PADM messages