TING version 1.4
1.4.1 (15 July 2019)
This TING release is based on OPNsense version 18.7.10.
The Smart-Soft team contributed the following changes to this release:
Plugins os-cms-master, os-cms-node: separate licences for the plugins, saving of filters in proxy reports.
Plugin os-ndpi: selection of the interface to monitor, library updated to 2.8-stable.
Plugin os-gostvpn, which implements a VPN with encryption based on GOST algorithms.
Plugin os-hotwifi-portal: a Captive Portal plugin that integrates with the Hot Wi-Fi authentication service (authentication via social networks, SMS message, phone call, the Gosuslugi service, and other mechanisms).
Discovered bugs have been fixed.
Additionally, for the FSTEC version:
The local package repository is now present from the start.
The os-security-scanner plugin has been removed due to FSTEC certification restrictions.
The ClamAV antivirus has been removed due to FSTEC certification restrictions.
Below is the full list of OPNsense changes for versions 18.7.7 - 18.7.10.
Changes in OPNsense 18.7.10:
system: P12 certificate export now allows specifying a password
system: allow plain IPv6 for LDAP and RADIUS host
system: properly sort columns with size units in activity page
system: remove references to «automatic» in HA help texts
system: add option to only show temperature of one core in widget
system: speed up isArraySequential()
system: introduce configdp_run() variant
system: assorted code cleanups
interfaces: only show name servers offered by individual link in status page
interfaces: DUID-LL generator fix (contributed by Team Rebellion)
interfaces: show disabled and virtual interfaces in groups
interfaces: change wireless page interface iterators
interfaces: change LAGG page interface iterators
interfaces: remove unused get_dns_servers()
interfaces: assorted code cleanups
firewall: fix an exception error in alias config read
firewall: fix typo in outbound NAT destination help text
firewall: rename «Localhost» to «Loopback» for clarity in virtual IP pages
firewall: unify anti-lockout behaviour to match rules and GUI display
firewall: switch to tokenizer for shaper source and destination fields
firewall: fix alias utility issue when adding into empty alias
firewall: correct alias name limit to 31 characters
firewall: bring back auto-complete for nested aliases
firewall: NAT rules on reflection for port forwards only when address exists on interface
firewall: lower bogon download retry attempts to 3
firewall: schedule JS code update
captive portal: add setting to always send accounting requests
captive portal: assorted code cleanups
dhcp: DHCPv6 leases not always correctly displayed (contributed by Team Rebellion)
dhcp: override IPv6 PD range fix (contributed by Team Rebellion)
dhcp: switch subnet verification to new network interface retrieval
firmware: individual error messages during base and kernel installation
firmware: obsolete set usage has been removed, embedded into base set
firmware: always recalculate size returned in the GUI and use pkg-style units
firmware: migrate more scripting to opnsense-version
importer: make current zpool visible, but immune to import
installer: find all possible configs and include them for startup
intrusion detection: change default alert level to notice
openvpn: allow empty remote subnet in client
openvpn: use new network interface retrieval
openvpn: assorted code cleanups
unbound: always add global DNS servers in forwarding mode
unbound: restart when crashed even if request came from unassociated interface
wizard: sync bogon help text with interfaces GUI counterparts
wizard: hint at updates after completion
wizard: assorted code cleanups
mvc: harden setFormData()
plugins: os-api-backup 1.0 allows API access to config.xml (contributed by Fabian Franz)
plugins: os-bind 1.4 (contributed by Michael Muenz)
plugins: os-clamav fixes /var MFS permission mismatch
plugins: os-dnscrypt-proxy 1.1 allows manual server selection (contributed by Michael Muenz)
plugins: os-dyndns 1.1 fix for using apex domains with CloudFlare DDNS (contributed by Charles Ulrich)
plugins: os-frr 1.6 adds OSPF key ID and default route metric, BGP router ID, etc. (contributed by Michael Muenz and Fabian Franz)
plugins: os-haproxy 2.13 (contributed by Frank Wall)
plugins: os-ntopng fixes HTTPS setup permission
plugins: os-openconnect 1.3.2 adds non-inter option, groups and client certificates, etc. (contributed by Diego Rivera and Michael Muenz)
plugins: os-postfix 1.8 (contributed by Michael Muenz)
plugins: os-upnp 1.3 allows up to 8 user permissions
src: bootpd buffer overflow
src: kernel panic under load on Intel «Skylake» CPU
src: ZFS vnode reclaim deadlock
ports: curl 7.63.0
ports: libxml 2.9.8
ports: phalcon 3.4.2
ports: suricata 4.1.2[11][12]
ports: unbound 1.8.3
system: fix adding new route when the list was previously empty
openvpn: flip client remote networks back to multiple
unbound: do not switch off IPv6 when prefer IPv4 is set as Unbound always prefers IPv4
Changes in OPNsense 18.7.9:
system: allow setting alternative names on CSR
system: add link-local routes with correct scope
system: fix LDAP import button for Firefox
system: assorted cleanups in HTML and PHP code
interfaces: add note about CGN addresses included in private range
interfaces: fix checksum disable for IPv6 TX / RX flags
interfaces: multiple type DUID support (contributed by Team Rebellion)
interfaces: properly read and write dhcp6c DUID binary file
interfaces: do not read VLAN capabilities from nonexistent interfaces
interfaces: removal of PEAR.inc from IPv6 address library
interfaces: assorted cleanups in HTML and PHP code
firewall: only suffix subnet alias entry when a network is expected
firewall: default alias protocol to both IPv4 and IPv6
firewall: fix validation of outbound NAT destination alias
firewall: fix performance regression in get_alias_description()
firewall: repair defunct «no nat proto carp all» rule
firewall: limit type to CARP when checking for VIP VHID reuse
firewall: refactor subnet retrieval in VIP deletion
firewall: display VHID for IP alias in overview
firewall: DHCPv6 outgoing firewall rule changed to «from (self)» to fix static setups
firewall: rearranged outbound NAT bottom symbol hints (contributed by Team Rebellion)
firewall: ignore empty values in alias migration (contributed by Frank Wall)
firewall: assorted cleanups in HTML and PHP code
captive portal: work around service boot ordering issue
captive portal: change «onestop» to «stop» in backend action
dnsmasq: add DNSSEC option
dnsmasq: assorted cleanups in HTML and PHP code
dhcp: show lease count in page heading
dhcp: refactor IPv6 subnet read
dhcp: fix DDNS IPv6 algorithm use
dhcp: assorted cleanups in HTML and PHP code
firmware: opnsense-version can now handle kernel, base and plugin metadata
firmware: when pkg needs to be updated do not prompt for base and kernel set
firmware: use embedded obsolete file list for removal on base set install
intrusion detection: fix daily cron job, was actually monthly
ipsec: assorted cleanups in HTML and PHP code
openvpn: assorted cleanups in HTML and PHP code
unbound: only use IPv6 when enabled and IPv4 is not preferred
unbound: restart after VPN is up
unbound: updated help text for verbosity level (contributed by Northguy)
unbound: assorted cleanups in HTML and PHP code
web proxy: move bump_step1 down (contributed by Michael Muenz)
mvc: missing isset() in routes migration
mvc: Phalcon 3.4.2 scope compatibility fix
mvc: assorted fixes in PHPDoc
mvc: fix advanced field bug in dialogs (contributed by Fabian Franz)
mvc: SetIfConstraint (contributed by Fabian Franz)
mvc: hidden input field (contributed by Fabian Franz)
mvc: json-data access support (contributed by Fabian Franz)
ui: remove markup from user indicator
ui: sidebar fixes (contributed by Team Rebellion)
plugins: os-acme-client 1.18 with GratisDNS and ACME DNS support (contributed by Frank Wall, ricobach, TuEye)
plugins: os-bind 1.3 adds Google and Yahoo safe search (contributed by Michael Muenz)
plugins: os-dnscrypt-proxy 1.0 (contributed by Michael Muenz)
plugins: os-freeradius 1.8.3 makes use of certificates clearer (contributed by Michael Muenz)
plugins: os-haproxy 2.12 HTTP/2 support, http-request before use_backend (contributed by Frank Wall, Mathias Aerts)
plugins: os-net-snmp 1.3 mark device as L3 enabled via SysServices (contributed by Michael Muenz)
plugins: os-nginx 1.5 with lots of new features (contributed by Fabian Franz, Carlos Cesario, Julio Cesar Camargo, fzoske)
plugins: os-nut 1.4 adds listen directive and more flexible arguments (contributed by Michael Muenz)
plugins: os-postfix 1.7 adds address rewriting, sender/recipient BCC and domain masquerading (contributed by Michael Muenz)
src: fix multiple vulnerabilities in NFS server code
src: fix ICMP buffer underwrite
src: timezone database information update
src: fix deferred kernel loading breaks loader password
src: fix insufficient bounds checking in bhyve(8) device model
ports: lighttpd 1.4.52
ports: sqlite 3.26.0
ports: perl 5.26.3
ports: php 7.1.25
ports: hostapd / wpa_supplicant 2.7
ports: unbound 1.8.2
Changes in OPNsense 18.7.8:
system: show the actual validation messages for NextCloud backup constraints
system: LDAP import button primary colour and prevent default page submit
system: add LDAP+TOTP authentication variant (2FA)
system: avoid silent fatal error when LDAP OUs could not be retrieved
system: avoid duplicated cookies on login page by not closing session
system: allow to fully disable misc. reboot failsafe backups
system: switch default argument for return_gateways_status()
system: add «Synchronize config to backup» button to HA status page
system: disable help text expand when backup fields have no help text
system: sort user and group lists alphabetically
interfaces: add CARP info to legacy_interfaces_details()
interfaces: removal of find_interface_subnet() and find_interface_subnetv6()
interfaces: introduce find_interface_network() and find_interface_networkv6()
interfaces: refactor find_interface_ip() and find_interface_ipv6()
interfaces: fix and use ipaddr6_ll return value in find_interface_ipv6_ll()
firewall: extend outbound NAT address source and destination with networks
firewall: fix save error when alias name contains an underscore
firewall: do not set days or hours when update frequency is empty
firewall: increase resolve() performance for aliases
firmware: change packaging to be able to place files in the root directory
reporting: fix possible division by zero in NetFlow aggregator
dhcp: reorder arguments of function services_dhcpd_configure()
dhcp: consolidate service probe of IPv6 and router advertisement daemons
dhcp: fix clear hook on log file delete
importer: make clear that /conf/config.xml is required for any import to take place
monit: add quotes and timeout to custom program path (contributed by Frank Brendel)
monit: add SSL options to mail server connection (contributed by Frank Brendel)
network time: improve GPS status parsing
openvpn: add remote address as route when set during linkup
shell: interface banner now only shows enabled interfaces
unbound: do not clear statistics when querying them
lang: updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
mvc: fix toggleBase returning failed result when using $enabled
mvc: fix PortField validation and make well-known ports optional
mvc: fix checking empty string in grid view (contributed by Smart-Soft)
rc: make it more obvious in /boot/loader.conf that system tunables work as well
ui: sidebar performance optimisation (contributed by Team Rebellion)
ui: vertically center current menu item on visible screen when height is too small
plugins: os-haproxy 2.10[27][28] (contributed by Frank Wall)
plugins: os-igmp-proxy forces reinstall due to missing core function
plugins: os-ntopng 1.1 adds HTTPS support (contributed by Michael Muenz)
plugins: os-nut fix for config file generation (contributed by Michael Muenz)
plugins: os-postfix fixes typo (contributed by Michael Muenz)
plugins: os-telegraf 1.7.2 adds validation messages to tags (contributed by Michael Muenz)
plugins: os-upnp removes unused function
plugins: os-zabbix-agent 1.4 (contributed by Frank Wall)
ports: cyrus-sasl 2.1.27
ports: lighttpd 1.4.51
ports: openssh 7.9p1
ports: openssl 1.0.2q
ports: php 7.1.24
ports: pkg minor upstream fixes
ports: sudo 1.8.26
1.4.0 (22 February 2019)
This TING release is based on OPNsense version 18.7.7.
The Smart-Soft team contributed the following changes to this release:
Plugins os-cms-master, os-cms-node: a centralized management system for multiple TING nodes.
Plugin os-ids-rules: ability to add custom rules.
Plugin os-proxy-useracl: multi-select for a rule's groups/users field.
Plugin os-proxy-useracl: routing of users to different WAN interfaces.
Plugin os-proxy-sso: support for multiple domains simultaneously [1]
Plugin os-ndpi: library updated to version 2.6-stable.
Plugin os-squid-log-pg: PostgreSQL backend for storing proxy logs.
Plugin os-security-scanner: added selection of scanning plugins.
Captive portal: MAC address blacklist.
Point-to-Point interfaces: support for the MSChap, CCP negotiation, MPPC subprotocol, 40/56/128-bit MPPE encryption and MPPC stateless mode options.
Web proxy: ICAP bypass option.
The installer has been translated into Russian.
The console menu has been translated into Russian.
Documentation on configuring an SMTP gateway [2]
Discovered bugs have been fixed.
Migration notes worth paying attention to:
SSH access is now tied to the «wheel» group, which is automatically added to the «admins» group, of which «root» is a member. «root» is the only user that is assigned a shell by default, opnsense-shell, which launches the root console menu.
SSH access can also be granted to a selected group in the System: Administration menu for users who are not members of the «admins» group. However, in response to forum requests to pay more attention to shell access rights, only SCP will work. If you want to give a user interactive SSH access, you must change the «nologin» shell to a preinstalled shell according to that user's settings.
The HTTPS ciphers of the web GUI have been hardened. Please use up-to-date browser versions for access.
Fallback authentication methods for the GUI/system have been removed because multiple authentication servers can now be selected at the same time. Reassign your fallback authentication method as the primary one, or use several methods.
It was decided that, although WAN interfaces require a gateway to function normally, one does not necessarily have to be assigned in a single-WAN scenario, so as to avoid affecting the handling of WAN replies. For this purpose the «none» choice has been changed to «auto-detect», and this is now the recommended setting when multi-WAN is not used.
In preparation for the firewall alias API, the item descriptions have been removed in connection with support for the legacy urltable_ports and url_ports types.
In OpenVPN, the calculation of a /31 tunnel network has been changed to use the first and last address as addresses of the network, and there is no broadcast address. If this affects your setup, adjust your clients or re-export their configuration, which will contain the necessary changes. In addition, /32 tunnel networks are now prohibited.
Below is the full list of OPNsense changes for versions 18.1.13 - 18.7.7.
Changes in OPNsense 18.7.7:
system: CVE-2018-18958 prevent restore of configuration of read-only user [3]
system: prevent related read-only user configuration manipulation for history and defaults pages
system: prevent several creative ways to strip read-only privileges in the user and group manager
system: allow wildcards in certificate subject alternative name
system: avoid direct $global access in routing setup
system: do not offer root-only opnsense-shell to non-root users
system: remove FreeBSD 10 password workaround
interfaces: use pure jquery to avoid browser-specific behaviour
interfaces: nonfunctional cleanups in backend and interface GUI configuration
interfaces: clear the correct IPv6 state files on interface down
interfaces: wait for PPPoE to fully exit on interface down
firewall: fix port alias conversion under new API
firewall: missing filter reload for port alias types
firewall: missing «other» type in VIP network expand
firewall: disabled alias should leave us with an empty one
firewall: category for «United States» moves from Pacific to America
firewall: resolve outbound NAT interface address in kernel
dhcp: only map enabled interfaces in IPv4 leases
dhcp: interface iteration code cleanups
dhcp: do not hand out IPv6 system DNS servers when Unbound or Dnsmasq are used
dhcp: IPv6 PD in manual DHCPv6 case (contributed by Team Rebellion)
dhcp: correctly merge prefix for IPv6 static leases in manual DHCPv6 case (contributed by Raimar Sandner)
firmware: add log file for package manager output
monit: use theme override for widget CSS (contributed by Fabian Franz)
ntp: internal cleanup of function argument order
rc: improvements in service startup scripting
rc: print date and time after successful boot
unbound: disable redirect type until fixed
web proxy: fix typo in description of upload caps (contributed by Juan Manuel Carrillo Moreno)
shell: stop router advertisement daemon too on console port reassign
mvc: remove errors in cron and monit API
plugins: os-freeradius 1.8.2 (contributed by Michael Muenz and Reza Ebrahimi)
plugins: os-nut 1.3 apcsmart and blazer_usb driver, reworked UI (contributed by Michael Muenz)
plugins: os-telegraf 1.7.1 adds ZFS input (contributed by Michael Muenz)
plugins: os-tinc now sets all defined subnets (contributed by QDaniel)
plugins: os-smart 1.5 standard widget coloring (contributed by Fabian Franz)
plugins: os-rspamd now uses scan_mime_parts (contributed by Michael Muenz)
ports: curl 7.62.0 [4]
ports: strongswan 5.7.1 [5]
ports: suricata 4.0.6 [6]
Changes in OPNsense 18.7.6:
firewall: resolve interface address «:0» for port forwarding in kernel
firewall: list action corrections (contributed by Thomas Bandixen)
firewall: add support for the PIE shaper (contributed by Michael Muenz)
firewall: migrate to new alias API including a new failsafe
firewall: repair log widget for plugin themes
interfaces: do not remove CARP addresses on link-down
interfaces: get pfsync MTU from actual CARP interface
interfaces: add backend call returning all interface data
interfaces: partially rewrite ping, port and traceroute tools
interfaces: improve IPv6 merging in make_ipv6_64_address()
interfaces: use correct IPv6 interface where appropriate
interfaces: replace get_configured_interface_list() usage
interfaces: small refactoring around interface up and down code
system: cleanups in utility and config functions
captive portal: added connect action in API (contributed by zvs44)
firmware: move build-time version information to core version file
firmware: rename backend script «audit» to «security» for clarity
ipsec: bring back service widget lost back in 2016
monit: change status page to support easier CSS styling
unbound: set up a full chroot including local log socket
unbound: replace custom msort() function with standard function
unbound: use correct IPv4 or IPv6 interface for address lookups
webgui: use interfaces_addresses() for interface binding
mvc: show an error message on failed model migrations
mvc: refactor __items access via iterateItems()
mvc: accept style keyword on all input types
mvc: improved menu API endpoint integration
plugins: os-bind adds 4 new blacklist providers (contributed by Michael Muenz)
plugins: os-dyndns validates custom updates solely for URL input
plugins: os-nginx 1.3 correctly sets upstream headers (contributed by Fabian Franz)
plugins: os-zerotier reorders VPN menu entry (contributed by Michael Muenz)
src: fix regression in IPv6 fragment reassembly [7]
src: fix NULL pointer dereference in freebsd4_getfsstat [8]
src: fix DoS in listen syscall over IPv6 socket [9]
src: fix small kernel memory disclosures [10]
ports: unbound 1.8.1 [11]
ports: dnsmasq 2.80 [12]
Changes in OPNsense 18.7.5:
system: add (de)select all option in LDAP importer
firewall: keep previous content for URL alias on fetch error
firewall: make schedule icon reflect current schedule state (contributed by framer99)
firewall: toggle and migration fix for upcoming alias API
firewall: round-robin limitation is for host alias outbound NAT only
firewall: resolve network addresses in kernel for static routes bypass option
firewall: do not clean up visible records when limit was not reached
firewall: do not hardcode live log pass / block colours
firewall: add live log direction icons
firmware: shorten shaper name and assorted cleanups
firmware: fix upgrade compatibility with FreeBSD 11.2
firmware: use opnsense-version where appropriate
firmware: correctly translate GUI buttons (contributed by Smart-Soft)
dnsmasq: use more robust approach to interface binding
ipsec: more secure phase 1 default settings (contributed by Michael Muenz)
ipsec: support for multiple phase 1 DH groups and hashes
openvpn: option to match CSO against common_name or login (contributed by Fabio Prina)
unbound: fix usage of the remote control backend calls
unbound: remove faulty «DHCP» label hint for IPv6 link-local registration option
web proxy: several corrections for PAC template
backend: fix CPU hogging when reading on already disconnected streams
mvc: speed up parsing very large config files
mvc: add single select constraint
mvc: add UUID field to the result of addBase (contributed by CJ)
ui: sidebar UX improvements (contributed by Team Rebellion)
ui: use single guillemets for previous/next page
plugins: os-acme-client /var MFS awareness
plugins: os-collectd 1.2 makes hostname override optional (contributed by Michael Muenz)
plugins: os-dyndns 1.10 adds CloudFlare IPv6 support (contributed by Charles Ulrich)
plugins: os-net-snmp 1.2 adds write access for users (contributed by Michael Muenz)
plugins: os-nginx 1.2 [13]
plugins: os-ntopng hides interface selection under advanced (contributed by Michael Muenz)
plugins: os-openconnect allows uppercase usernames (contributed by Michael Muenz)
plugins: os-postfix 1.6 adds port field (contributed by Michael Muenz)
plugins: os-telegraf 1.7.0 adds global tags, HAProxy input, prometheus output, fixes logging (contributed by Michael Muenz)
plugins: os-vnstat 1.0 (contributed by Michael Muenz)
plugins: os-zerotier fixes status table (contributed by Christoph Engelbert)
ports: mpd5 upstream MTU fix [14]
ports: PHP 7.1.23 [15]
mvc: do not speed up parsing very large config files until fixed
Changes in OPNsense 18.7.4:
system: correctly unset DNS override allow setting when saving
system: remove unused / default arguments from get_possible_listen_ips()
system: note that HA disable preempt requires reboot (contributed by Michael Muenz)
interfaces: add static IPv6 correctly when on top of PPPoE (contributed by Team Rebellion)
interfaces: lower MTU via tracked IPv6 interface MTU
interfaces: 6RD IPv4 prefix override is now prefix-only
firewall: also show scheduler info in shaper status (contributed by Michael Muenz)
firmware: introduce opnsense-version utility and fully template build metadata
firmware: annotate HTTP(S) status in mirrors in descriptions
firmware: avoid base upgrade error when /proc is mounted
monit: change mail format field for alerts to text area (contributed by Frank Brendel)
openssh: further tweak new interface bind approach introduced in 18.7.3
openvpn: change abbreviated column title to «Bytes Received» (contributed by Andy Binder)
web proxy: support WPAD / PAC (contributed by Fabian Franz)
ui: minified sidebar improvements (contributed by Team Rebellion)
ui: introduce cache_safe() to invalidate browser cache after updates
plugins: os-dyndns wildcard support for Namecheap
plugins: os-ntopng 1.0 (contributed by Michael Muenz)
plugins: os-openconnect 1.2 allows «@» in username (contributed by Michael Muenz)
plugins: os-relayd 2.3 fixes stuck scheduler value (contributed by Frank Brendel)
plugins: os-snmp compatibility fixes for version detection and listen interface core changes
plugins: os-tor 1.7 allows enabling the directory page (contributed by Fabian Franz)
plugins: os-upnp compatibility fixes for version detection core changes
src: fix out-of-bounds read vulnerability in libarchive
src: update re(4) driver to upstream version 1.95
ports: libressl 2.7.4 [16]
ports: php 7.1.22 [17]
ports: sqlite 3.25.1 [18]
Changes in OPNsense 18.7.3:
system: gateways widget show/hide feature (contributed by Team Rebellion)
system: select correct IPv6 default route when underlying IPv6 interface differs
system: extended meta-matching for special characters in ACL patterns
system: show last diff by default in configuration history page
system: refactor password logic in user manager for clarity
system: link-local listen IPv6 requires reading underlying IPv6 interface
interfaces: avoid boot mismatch on several virtual plugin devices
interfaces: list widget show/hide feature (contributed by Team Rebellion)
interfaces: stats widget show/hide feature (contributed by Team Rebellion)
interfaces: stop wireless software before bringing down the interfaces
interfaces: fix selection issue for DHCPv6 PD «none» value
interfaces: make «64» the page default for DHCPv6 PD
interfaces: allow IPv4 address override in 6RD
interfaces: fix 18.7.2 gateway read regression in 6RD
interfaces: give each 6RD tracker a different IPv6 address
dhcp: add DHCP Dynamic DNS key algorithm selection (contributed by Ingo Theiss)
dhcp: correctly load DHCPv6 settings in manual tracking (contributed by Team Rebellion)
dhcp: do not show lease actions if interface cannot be found
dhcp: unhide DHCPv6 service when not using automatic PD
dnsmasq: annotate that «all» is the recommended interface binding option
importer: list all available ZFS pools (contributed by Smart-Soft)
importer: do not try to unload ZFS on ZFS boot, sanely rejected anyway ;)
importer: ZFS pools are now addressed as e.g. «zfs/zroot»
importer: always loop until exit or successful import
intrusion detection: source, destination, pass support in user rules (contributed by Michael Muenz)
ipsec: change hash checkboxes in phase 2 to selectpicker
openssh: change interface bind logic to only bind to currently available addresses
openvpn: align status columns for client and P2P case (contributed by Andy Binder)
shell: change banner and setaddr interface iteration
unbound: swap stub-zone for forward-zone in overrides (contributed by John Keates)
static: interface iteration conversions in system, firewall and interfaces pages
ui: fix firmware-product file access when using ui_devtools
plugins: os-bind 1.2 log file viewer and oversized list removal (contributed by Michael Muenz)
plugins: os-c-icap 1.6 (contributed by Michael Muenz)
plugins: os-dyndns 1.9 allow plus sign in username (contributed by Charles Ulrich)
plugins: os-haproxy 2.9 backend HTTP reuse option (contributed by andrewheberle)
plugins: os-net-snmp 1.1 IPv6 compatibility (contributed by MrXermon)
plugins: os-rfc2136 1.4 widget style tweaks
plugins: os-tinc 1.4 log facility fix
src: fix print of stf(4) interface information
src: fix regression in Lazy FPU remediation [19]
src: fix improper ELF header parsing [20]
ports: curl 7.61.1 [21]
ports: lighttpd 1.4.50 [22]
ports: sudo 1.8.25p1 [23]
Changes in OPNsense 18.7.2:
system: select correct network interface in case of IPv6 gateway lookups
system: tighten system wizard ACL and menu registration
system: do not wrap first column of log viewer (contributed by Alexander Graf)
firewall: return alias types to repair its outbound NAT rule edit
firewall: hide NAT redirect target port when port is not applicable
firewall: alias API is now live on the development version and will migrate your aliases to the new format
interfaces: allow explicit MTU to reach the 6RD device
interfaces: remove use of adv_dhcp6_prefix_interface_statement_sla_id (contributed by Team Rebellion)
interfaces: fix for DHCPv6 not being restarted for tracked interfaces (contributed by Team Rebellion)
interfaces: fix adding interfaces LAN bug of translated web GUI (contributed by Werner Fischer)
interfaces: remove incorrect display of prefix ID in help text for tracking configuration
interfaces: add groups to interface details output
interfaces: remove unused code and other nonfunctional cleanups
interfaces: use «x» in the list widget for no carrier
interfaces: hide global IPv6 address in list widget if DHCPv6 is set to use only a prefix
dhcp: remove unused inputs from static mapping page
dhcp: treat EFI BC the same as EFI x86-64 (contributed by andi-makandra)
ipsec: add automatic key exchange option
openvpn: fix /32 host validation logic
openvpn: clean up control sockets prior to startup
openvpn: align user authentication to use common_name as username
mvc: add iterateItems() method to base field type to simplify call flow
mvc: fix configd asList helper (contributed by Fabian Franz)
mvc: add configd XML attributes to template parser
ui: allow version query to match on main.css probing
ui: footer cleanups and static page repairs where boxing was not correct
ui: no minified version for tokenize2
ui: fix table headers in dialogs (contributed by Fabian Franz)
plugins: os-bind 1.1 adds 3 DNSBL providers (contributed by Michael Muenz)
plugins: os-freeradius 1.8.0 adds basic SQLite support (contributed by Michael Muenz)
plugins: os-haproxy 2.8 [24]
plugins: os-nginx 1.0 (contributed by Fabian Franz)
plugins: os-postfix 1.5 allow empty destination in transport (contributed by Michael Muenz)
plugins: os-telegraf 1.5.1 adds ElasticSearch output and disk ignore fix (contributed by Michael Muenz)
src: L1 terminal fault (L1TF) kernel information disclosure [25]
src: resource exhaustion in IP fragment reassembly [26]
ports: ntp 4.2.8p12 [27]
ports: openssl 1.0.2p [28]
ports: phalcon 3.4.1 [29]
ports: php 7.1.21 [30]
ports: sudo 1.8.24 [31]
ports: wpa_supplicant security updates [32]
Changes in OPNsense 18.7.1:
system: hide web server info from server tag
system: fix group privileges edit menu hint
system: add text area field to backup framework (contributed by Joao Vilaca)
interfaces: use NIC preference for VLAN hardware filtering in default config
interfaces: router advertisement and DHCPv6 configure fix (contributed by Team Rebellion)
interfaces: fix PD when using DHCPv6 override on tracked interface
firewall: toggle filter and NAT rules using checkboxes
firewall: add state-policy if-bound option
firewall: added logging for tracing internal rule generator
firewall: fix ordering issue in port validation and disable
firewall: fix disabled reject action icon display (contributed by framer99)
captive portal: fix usage of vouchers and group with spaces in their names
captive portal: hide web server info from server tag
dnsmasq: fix listening behaviour on empty but set interface selection
firmware: remove the 18.1 update fingerprint and pre-18.7 config file fallback
firmware: do not show development version changelogs in releases
intrusion detection: reworked rule selection
ipsec: use selectpicker in mobile page
ipsec: add Brainpool EC groups
openvpn: do not remove client specific override files on disconnect
openvpn: do not create v6 gateway if disabled
shell: omit «:» from SSL fingerprint display
unbound: fix menu access for overrides
wizard: fix root password input
backend: call shutdown before close in background daemon
mvc: cause data from callback_ok to be passed through (contributed by Nicholas de Jong)
mvc: minor glitch in getFormData(), we should ignore empty id fields
mvc: do not offer internal interfaces in generic interface selector
mvc: handle validations better by removing duplicate messages
mvc: fix two glitches in new tokenize field handling
mvc: add numeric field type
rc: update php.ini include paths (contributed by Joao Vilaca)
ui: fix spacing of containers in static pages
ui: fix sidebar collapse in MVC pages for supported themes
ui: blank problem advanced button (contributed by Team Rebellion)
ui: store preference for sidebar toggle and remember the current setting on resize
plugins: os-acme-client 1.16 adds several DNS providers, ECC renewal fix and OCSP must staple (contributed by Omar Khalil)
plugins: os-bind 1.0 with blacklist (DNSBL) support (contributed by Michael Muenz)
plugins: os-smart 1.4 with style fixes (contributed by Fabian Franz)
plugins: os-wol 2.0 fixes ACL pattern and interface selection
src: resource exhaustion in TCP reassembly [33]
ports: curl 7.61.0 [34]
ports: hyperscan 4.7.0 [35]
ports: mpd5 upstream fixes[36] [37]
ports: py-cryptography 2.3 [38]
ports: py-idna 2.7 [39]
system: fix policy check on empty password save
captive portal: fix duplicated server tag
openvpn: address P2P TLS /30 network client-connect validation quirk
plugins: os-acme-client 1.17 [40]
Changes in OPNsense 18.7:
improved WAN DHCPv6 and SLAAC connectivity and tracking
functional IPv6 Rapid Deployment (6RD) support
improved default route handling and gateway switching
OpenVPN default setup improvements for IPv6 and RADIUS attribute support
Dpinger gateway monitoring integration
password policies for local authentication and coupled TOTP
Monit core integration to eventually replace the legacy notifications
OpenSSH access via group and shell selection instead of privilege
pluggable backup framework with new Nextcloud option
system tunables are now also used as loader tunables
unrestricted VLAN usage for e.g. Xen
QinQ interface removal
firmware GUI speedup, improved error parsing and console reboot hint
ZFS on root boot support (installer support is pending, but opnsense-bootstrap works)
ZFS and MSDOS config import support
ISC DHCP version moves from 4.3 to 4.4
RRDtool version moves from 1.2 to 1.7
rework rc.syshook facility to use drop-in directories instead of suffixes
backports of FreeBSD 11.2 Intel NIC drivers
stand-alone frontend UI development tools
language updates for Czech, French, German, Portuguese (Brazil)
UI header security and SSL cipher hardening
extensive UI cleanups and menu consolidation
new and rewritten plugins: os-cache, os-lcdproc-sdeclcd, os-net-snmp, os-nut, os-openconnect, os-relayd 2.0, os-shadowsocks, os-wol 2.0