TING version 1.5
1.5.1 (11 February 2020)
This TING release is based on OPNsense version 19.7.10
This release includes the following changes from the Smart-Soft team:
Virus scanning of mail using Kaspersky antivirus.
Ability to scan proxy traffic and mail for viruses at the same time.
dnscrypt-proxy is enabled by default on new TING installations.
Hardware optimization for APU2 is enabled by default on new installations.
On APU2, a new BIOS firmware is installed during the update.
Fixed discovered bugs.
1.5.0 (9 September 2019)
This TING release is based on OPNsense version 19.7.3
This release includes the following changes from the Smart-Soft team:
Plugin providing a full-featured IP/MAC authentication mechanism for the proxy.
os-security-scanner plugin: GoLismero ported to Python 3.7.
Saving backups of the config.xml configuration file to Yandex.Disk.
Menu interface refresh when a plugin is installed.
Theme selection is now enabled.
Fixed discovered bugs.
Migration notes worth paying attention to:
Gateway health graphs may need a manual reset because of the migration from Apinger to Dpinger. Apinger is no longer available.
Intrusion detection GeoIP rules are deactivated automatically and must be migrated manually to a GeoIP firewall alias.
The quagga plugin has been replaced by the FRR plugin. The quagga binary package is retained for now.
Please refer to the FRR documentation regarding the required system reconfiguration [1]
Bhyve UEFI boot may fail when running as a guest. This issue is being investigated.
The SNMP plugin has been replaced by the Net-SNMP plugin.
The web proxy login privilege is no longer available. Access can instead be restricted with the group selector.
OpenVPN no longer supports listening on gateway groups. Use localhost in combination with port forwarding instead.
Below is the full list of changes in OPNsense versions 18.7.10 - 19.7.3.
Changes in OPNsense 19.7.3
system: try all backups for automatic revert when config.xml is damaged
system: do a system reset if all config.xml files are damaged
system: only show tunables reboot hint when applying tunables (contributed by Northguy)
system: use FQDN in system log remote messages
system: add defunct gateways to GUI in disabled state
interfaces: only allow VLAN parents that will work as VLAN parents
interfaces: optionally promote/demote CARP on service status
interfaces: CARP status page report with demotion level to avoid ambiguity
firewall: revert problematic 19.7.2 change «unhide automatic interface-based output rules»
firewall: restore automatic outbound NAT pre-19.7 behaviour which excludes gateways not configured and not dynamic
firewall: add logging toggle to rules overview (contributed by johnaheadley)
firewall: DHCPv6 relay would generate rules even if not enabled
firmware: only do single-repository fingerprint verify defaulting to our OPNsense repository
firmware: fix base and kernel package listing
intrusion detection: show change message after toggle or save
intrusion detection: rule download fix
monit: add parent devices to interface list (contributed by Frank Brendel)
monit: fix standard configuration migration (contributed by Frank Brendel)
reporting: skip illegal NetFlow records in flow parser
opendns: migrate update hook from DynDNS plugin to core to make it fully automatic
backend: fix exception message string handling in Python 3
backend: add help to pluginctl utility
backend: configctl event handler support
mvc: log API key when authentication failed
ui: more consistent HTML (contributed by gisforgirard)
ui: sidebar bug fix (contributed by Team Rebellion)
ui: fix initFormAdvancedUI() on initial load
plugins: os-acme-client 1.25 [2]
plugins: os-bind 1.7 [3]
plugins: os-dyndns 1.17 removes OpenDNS and fixes DyNS
plugins: os-haproxy 2.18 [4]
plugins: os-maltrail 1.1 [5]
plugins: os-nginx log rotation fix (contributed by Fabian Franz)
plugins: os-postfix 1.10 [6]
plugins: os-smart 2.1 fixes widget status and adds NVMe disk support (contributed by nhirokinet and ATL)
plugins: os-theme-cicada 1.19 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.19 (contributed by Team Rebellion)
plugins: os-wireguard 1.1 [7]
src: fix incorrect exception handling in libunwind [8]
src: fix multiple vulnerabilities in bzip2 [9]
src: fix ICMPv6 / MLDv2 out-of-bounds memory access [10]
src: fix insufficient message length validation in bsnmp library [11]
src: fix insufficient validation of guest-supplied data (e1000 device) [12]
src: fix IPv6 remote denial of service [13]
src: fix kernel memory disclosure from /dev/midistat [14]
src: fix reference count overflow in mqueuefs [15]
ports: hostapd 2.9 [16]
ports: nghttp2 1.39.2 [17]
ports: openldap 2.4.48 [18]
ports: perl 5.30.0 [19]
ports: php 7.2.21 [20]
ports: py-openssl 19.0.0 [21]
ports: syslog-ng 3.22.1 [22]
ports: wpa_supplicant 2.9 [23]
Changes in OPNsense 19.7.2
system: missing «<PRI>» in legacy output via Syslog-ng
system: fix writing gateway information for DNS servers
system: allow gateway to work in DHCPv6 WAN when no router solicitation is available
firewall: unhide automatic interface-based output rules
firewall: unhide automatic non-interface-based floating rules
firewall: lift length restriction in NAT rule description
firewall: avoid newlines in rule descriptions
firewall: only show usable addresses in NAT outbound rules
interfaces: fix extended CARP output when parsing interface information
interfaces: add more outputs to overview page to increase usefulness
interfaces: use shared DHCP lease reader for ARP list
captive portal: fix binary read issue in Python 3
dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)
firmware: handle file signature verify correctly with multiple fingerprint repositories
firmware: Aivian mirror is no longer active
firmware: Cloudfence mirror in Brazil added
plugins: os-acme-client 1.24 [24]
plugins: os-bind 1.6 (contributed by crazy-max)
plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)
plugins: os-grid_example 1.0 [25]
plugins: os-helloworld Python 3 compatibility [26]
plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)
plugins: os-sunnyvalley 1.0 [27] [28]
src: fix panic from Intel CPU vulnerability mitigation [29]
src: fix multiple telnet client vulnerabilities [30]
src: fix pts write-after-free [31]
src: fix kernel memory disclosure in freebsd32_ioctl [32]
src: fix reference count overflow in mqueuefs [33]
src: fix bhyve out-of-bounds read in XHCI device [34]
src: fix file descriptor reference count leak [35]
ports: libevent 2.1.11 [36]
Changes in OPNsense 19.7.1
system: do not create automatic copies of existing gateways
system: do not translate empty tunables descriptions
system: remove unwanted form action tags
system: do not include Syslog-ng in rc.freebsd handler
system: fix manual system log stop/start/restart
system: scoped IPv6 «%» could confuse mwexecf(), use plain mwexec() instead
system: allow curl-based downloads to use both trusted and local authorities
system: fix group privilege print and correctly redirect after edit
system: use cached address list in referrer check
system: fix Syslog-ng search stats
firewall: HTML-escape dynamic entries to display aliases
firewall: display correct IP version in automatic rules
firewall: fix a warning while reading empty outbound rules configuration
firewall: skip illegal log lines in live log
interfaces: performance improvements for configurations with hundreds of interfaces
reporting: performance improvements for Python 3 NetFlow aggregator rewrite
dhcp: move advanced router advertisement options to correct config section
ipsec: replace global array access with function to ensure side-effect free boot
ipsec: change DPD action on start to «dpdaction = restart»
ipsec: remove already default «dpdaction = none» if not set
ipsec: use interface IP address in local ID when doing NAT before IPsec
web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen
plugins: os-acme-client 1.24 [37]
plugins: os-bind 1.6 [38]
plugins: os-dnscrypt-proxy 1.5 [39]
plugins: os-frr now restricts characters in BGP prefix-lists and route-maps [40]
plugins: os-google-cloud-sdk 1.0 [41]
ports: curl 7.65.3 [42]
ports: monit 5.26.0 [43]
ports: openssh 8.0p1 [44]
ports: php 7.2.20 [45]
ports: python 3.7.4 [46]
ports: sqlite 3.29.0 [47]
ports: squid 4.8 [48]
Changes in OPNsense 19.7
List automatic firewall rules
Statistics for all firewall rules
Alias JSON import / export
Optional statistics for aliases
Firewall rule locator for live log and automatic rules
Rewritten gateway handling and switching
Remote logging via Syslog-ng
LDAP group sync support
Support certificate signing requests
Route-based IPsec support (VTI)
XMLRPC sync support for alias, VHID, widgets
Unbound host overrides alias support
Web proxy and IPsec authentication using PAM
Parent web proxy support
Web proxy login privilege via group
Improved reliability and utility of opnsense-patch
Dpinger and DHCP servers ported to plugin framework
Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
Spanish as a new language
Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin
Netmap update for VirtIO, VLAN child and vmxnet support
Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4
Changes in OPNsense 19.1.10:
system: change certificate manager actions to POST
system: fix account removal with missing «-g» option
system: add dashboard widgets to XMLRPC sync
firewall: fix live log rule label mismatch caused by optimisation
firewall: fix alias import with alias references included
firewall: change default sorting of aliases to names
firmware: add homelab.no mirror (contributed by Thomas Jensen)
intrusion detection: when toggling rules keep the current action
intrusion detection: suppress mystery PHP 7.2+ warning in API
intrusion detection: show SID in alert view
web proxy: add cache reset button
web proxy: correct syslog export
plugins: os-dyndns 1.6 DigitalOcean support (contributed by Dune Heishman)
plugins: os-etpro-telemetry Python 3 support
plugins: os-frr 1.11 [49]
plugins: os-nginx 1.14 [50]
plugins: os-rspamd 1.7 [51]
plugins: os-tinc Python 3 support
ports: ca_root_nss 3.44.1
ports: curl 7.65.1 [52]
ports: libevent 2.1.10 [53]
ports: libxml 2.9.9 [54]
ports: libressl 2.9.2 [55] [56]
ports: phalcon 3.4.4 [57]
ports: strongswan 5.8.0 [58]
ports: unbound 1.9.2 [59]
Changes in OPNsense 19.1.9:
system: add LDAP group synchronisation feature
system: allow an arbitrary group for sudo like ssh login
system: stop using a lock around resolv.conf handling
system: rename a number of service-related functions
system: login not using cache-safe image yet
system: add pluginctl -s support
system: restyle config backup page
system: fix log split view regression of 19.1.8
interfaces: remove DHCPv6 on delete and clear config on IPsec assignment
interfaces: small VIP restructure and IPv6 alias to IPv6 device
interfaces: subtle changes in IPv6 and variable naming
interfaces: add missing does_interface_exist() checks
firewall: support multiple interfaces per NAT port forward rule
captive portal: use «onestop» to stop service
intrusion detection: missing header ID in alerts tab
ipsec: remove remnants of gateway group interface selection
ipsec: use indirect plugin calls in interface code
openvpn: add live-search to longer lists in server page
openvpn: support --cryptoapicert export (sponsored by m.a.x it)
openvpn: correctly check for translation in get_carp_interface_status()
openvpn: use waitforpid() to properly wait for instances to come up
openvpn: translate GUI error values when returning them
openvpn: revamp status page
unbound: leases watcher file rotation issue
web proxy: squid log in readable date format (contributed by nhirokinet)
web proxy: fix non-local authentication regression of 19.1.7
plugins: os-bind 1.5 [60]
plugins: os-clamav 1.7 [61]
plugins: os-dnscrypt-proxy 1.4 [62]
plugins: os-dyndns Cloudflare wildcard domain support
plugins: os-nginx 1.13 [63]
plugins: os-openconnect 1.4.0 [64]
plugins: os-redis 1.1 [65]
plugins: os-rspamd 1.6 [66]
plugins: os-theme-cicada 1.18 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.18 (contributed by Team Rebellion)
ports: curl 7.65.0 [67]
ports: lighttpd 1.4.54 [68]
ports: python 3.7.3 [69]
ports: openssl 1.0.2s [70]
ports: php 7.2.19 [71]
Changes in OPNsense 19.1.8:
system: address CVE-2019-11816 privilege escalation bugs [72]
system: /etc/hosts generation without interface_has_gateway()
system: show correct timestamp in config restore save message (contributed by nhirokinet)
system: list the commands for the pluginctl utility when no argument is given
system: introduce and use userIsAdmin() helper function instead of checking for „page-all“ privilege directly
system: use absolute path in widget ACLs (reported by Netgate)
system: RRD-related cleanups for less code exposure
interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)
interfaces: replace legacy_getall_interface_addresses() usage
firewall: fix port validation in aliases with leading / trailing spaces
firewall: fix outbound NAT translation display in overview page
firewall: prevent CARP outgoing packets from using the configured gateway
firewall: use CARP net.inet.carp.demotion to control current demotion in status page
firewall: stop live log poller on error result
dhcpd: change rule priority to 1 to avoid bogon clash
dnsmasq: only admins may edit custom options field
firmware: use insecure mode for base and kernel sets when package fingerprints are disabled
firmware: add optional device support for base and kernel sets
firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)
ipsec: always reset rightallowany to default when writing configuration
lang: say «hola» to Spanish as the newest available GUI language
lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
network time: only admins may edit custom options field
openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure
openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)
openvpn: remove custom options field from wizard
unbound: only admins may edit custom options field
wizard: translate typehint as well
plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86)
plugins: os-nginx 1.12 [73]
plugins: os-theme-cicada 1.17 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.17 (contributed by Team Rebellion)
src: timezone database information update [74]
src: install(1) broken with partially matching relative paths [75]
src: microarchitectural Data Sampling (MDS) mitigation [76]
ports: ca_root_nss 3.44
ports: php 7.2.18 [77]
ports: sqlite 3.28.0 [78]
ports: strongswan custom XAuth generic patch removed
Changes in OPNsense 19.1.7:
system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services)
system: support for syncing alias and VHID to the slave
system: cleanly rewrite CA root files and add local trusted CAs as well
system: disable backup cron job when no backup is enabled
system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri)
system: migrate health graph scripts to Python 3.6
interfaces: properly add and remove IPv6 trackers after interface apply
interfaces: validate prefix ID of IPv6 trackers so that each ID is unique
interfaces: display «0x» in prefix ID field so that it is clear that value is in hex
interfaces: fix passing VLAN name in interface_virtual_create()
interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters
interfaces: allow link-local address on bridges via optional setting
interfaces: PPP-related code cleanups
firewall: prevent double-escaping of text in rules page
firewall: handle IDNA encode failures in aliases
firewall: alias import / export option
captive portal: update to bootstrap 3.4.1
captive portal: fix a race in directory creation and listClients()
dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner)
dhcp: merge static mac addresses with leases
dhcp: prevent double-escaping of text in leases page
firmware: add private log file for major upgrade package install step
firmware: use a safer major upgrade package install mode
firmware: retain /etc/motd on base updates
ipsec: implemented wildcard includes (contributed by Mark Plomer)
ipsec: only apply mobile PFS to mobile phase 2
ipsec: restyle mobile settings a little
ipsec: switch XAuth to PAM
ipsec: partial fix for static routes on routed tunnels during boot
network time: reload RRD since NTP has a setting for it
web proxy: fix PAC weekday match labels (contributed by Mohammed Sadiq)
web proxy: switch authentication to PAM
backend: treat non existing key as empty string in sortDictList()
mvc: pluggable PAM-based authentication framework
mvc: add filter closure to searchBase()
plugins: introduce plugins_run() for collecting structured data from plugins
plugins: os-clamav 1.6 [79]
plugins: os-dyndns 1.5 fixes CloudFlare zone ID lookup behaviour (contributed by George Johnson)
plugins: os-frr 1.10 [80]
plugins: os-netdata 1.0 (contributed by Michael Muenz)
plugins: os-nginx 1.11_2 fixes ACME support (contributed by Frank Wall)
plugins: os-rfc2136 1.5 removes unused gateway group related code
src: move invoking of callout_stop(&lle->lle_timer) into llentry_free()
src: ensure that IP addresses match in ICMP error packets in pf(4)
src: add bsdinstall utility for upcoming 19.7 installer replacement
ports: dhcp6c v20190419 fixes raw options segfaults (contributed by Franck78)
ports: hostapd / wpa_supplicant 2.8 [81]
ports: perl 5.28.2 [82]
ports: py-yaml 5.1 [83]
ports: suricata 4.1.4 [84]
ports: sqlite 3.27.2 [85]
Changes in OPNsense 19.1.6:
system: let dashboard only accept its own POST requests
system: remove obsolete symlink to opnsense-auth
system: skip PHP E_WARNING log level until 19.7
system: numerous PHP 7.2 warning fixes
dhcp: DHCPD server check in relay only if interface is active
dnsmasq: skip empty custom options
intrusion prevention: do not drop flowbits:noalert rules
unbound: add ACL entries for OpenVPN by default
mvc: controller cleanups in firewall shaper, web proxy and captive portal
plugins: numerous PHP 7.2 warning fixes
plugins: os-freeradius 1.9.2 fixes LDAP group filter and EAP certificates write (contributed by Alexander Harm)
plugins: os-nginx 1.11 [86]
ports: php 7.2.17 [87]
ports: py-certifi 2019.3.9 [88]
Changes in OPNsense 19.1.5:
system: improve gateway status return when monitoring is off
system: warn user about future deprecation of «user-config-readonly» privilege
system: support certificate signing requests (contributed by nhirokinet)
system: syslog does not need to do a background startup since it backgrounds itself
system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz)
system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri)
interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys)
interfaces: take all unknown arguments as real interfaces in interfaces_addresses()
interfaces: optionally allow interfaces_addresses() to emit subnets instead of addresses
interfaces: move mpd.script to new location (may require interface reconfigure)
firewall: proper locking of aliases before config action on delete
firewall: correctly set outbound NAT destination as network
firewall: add support for DSCP in shaper (contributed by Michael Muenz)
firewall: add support for IDN in aliases (contributed by Smart-Soft)
captive portal: allow access to this host (contributed by Fredrik Ronnvall)
firmware: fix parsing of packages in multi-repo env and revoked fingerprint message
firmware: add University of Kent to the firmware mirrors
ipsec: only use explicit reqid when using route-based interfaces
ipsec: correctly set install policy option on newly created phase 1 entries
ipsec: improve split DNS and INTERNAL_DNS_DOMAIN configuration
ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin)
ipsec: properly quote UNITY_BANNER for multi-line support
ipsec: support for dynamic remote gateways
monit: add migration/validation for service/test type dependency (contributed by Frank Brendel)
monit: added missing «not on» label
openvpn: support static-challenge formatted password
openvpn: properly load custom config field in exporter
openvpn: cleanups in listening address handling
web proxy: IP address not available when address set to none
web proxy: add sortable support for PAC proxy lists (contributed by Fabian Franz)
web proxy: add dash to allowed characters in description (contributed by Fabian Franz)
backend: python 2->3 iteritems() conversion in core templates
mvc: migrate config backup rotation to handle static and MVC pages (contributed by Smart-Soft)
mvc: controller cleanups in cron, intrusion detection, routes
mvc: obey «user-config-readonly» privilege in mutable controllers
mvc: support overlays in setBase() / addBase()
ui: remove jquery-bootgrid converters which are now included in the library
plugins: os-acme-client 1.23 [89] [90] [91]
plugins: os-dyndns 1.14 supports wildcards for Google Domains
plugins: os-etpro-telemetry 1.3 uses HOME_NET for anonymization
plugins: os-freeradius 19.1.0 [92]
plugins: os-frr 1.9 [93]
plugins: os-nginx 1.10 [94]
plugins: os-postfix 1.9 [95]
plugins: os-rspamd 1.5 [96]
plugins: os-telegraf 1.7.5 [97]
plugins: os-theme-cicada 1.15 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.14 (contributed by Team Rebellion)
plugins: os-zabbix-agent 1.5 [98]
ports: ca_root_nss 3.43
ports: curl 7.64.1
ports: libucl 0.8.1
ports: pcre 8.43
ports: php 7.2.16
ports: py-cryptography 2.6.1
ports: phpseclib 2.0.15
ports: python 2.7.16
ports: unbound 1.9.1
Changes in OPNsense 19.1.4
src: revert upstream commit «protect the kernel text, data, and BSS» to fix certain UEFI boots
installer: revert to use network connection to allow CTRL+C and resume
interfaces: 6RD interface naming 18.7 behaviour
interfaces: DHCP override MTU option
system: remove erroneously translated hostname example (contributed by nhirokinet)
firewall: fix validation regression in outbound NAT introduced in 19.1.3
firewall: mock labels for NAT rules in live log as pf does not offer label support
interfaces: do not background LAGG ifconfig destroy
ipsec: added Virtual Tunnel Interface (VTI) support
unbound: fix nested statistics items read
mvc: remove old Phalcon volt template workarounds from when scopes were broken
mvc: fix bug in model relation field values merge
plugins: os-zabbix4-proxy PSK directory fix (contributed by Michael Muenz)
plugins: os-telegraf missed invoke of setup.sh
plugins: os-frr adds validator to OSPF prefix lists (contributed by Michael Muenz)
plugins: os-dmidecode 1.1 fixes data parsing (contributed by Smart-Soft)
plugins: os-nginx 1.9 [99]
src: do not pass pf(4) IPv6 fragments with malformed extension headers (reported by Synacktiv)
ports: monit 5.25.3 [100]
ports: ntp 4.2.8p13 [101]
ports: php 7.1.27 [102]
ports: suricata 4.1.3 [103]
Changes in OPNsense 19.1.3
system: improve LDAPS mode and related authentication cleanups
system: move enable checkbox to the top in remote logging settings
system: allow reset of tunables to factory defaults
system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1)
firewall: allow explicitly setting source hash key in outbound NAT (Fredrik Ronnvall)
interfaces: probe media before applying new settings
interfaces: correctly compare MAC addresses
dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner)
firmware: move duty to return the correct set name / ID to opnsense-version
firmware: finally revoke 18.7 fingerprint
intrusion detection: minor template cleanups using helpers.empty()
ipsec: peer identifier can now fall back to remote-gateway in manual SPD entries
ipsec: allow easier override of colours in widget (contributed by Fabian Franz)
monit: add validation for test type (contributed by Frank Brendel)
openvpn: add auth-nocache option in exporter
openvpn: validate certificate type for servers
unbound: add host overrides alias support
web proxy: add auth to parent proxy (contributed by Michael Muenz)
backend: add helpers.empty() in configd
mvc: simplify save / close / cancel button labels
mvc: add sorting for field list types
rc: move all template generation to early stage
ui: improve escaping of displayed data in static pages
ui: escape button values in static pages
ui: avoid short PHP tags
plugins: os-dnscrypt-proxy 1.3 [104]
plugins: os-frr brings in missing area range code [105]
plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz)
plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion)
plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion)
plugins: os-vnstat /var MFS fix [106]
plugins: os-zabbix4-proxy 1.0 (contributed by Michael Muenz)
ports: openssl 1.0.2r [107]
ports: pam_opnsense 19.1.3 uses setuid for privilege separation
ports: phalcon 3.4.3 [108]
Changes in OPNsense 19.1.2
system: move session files into their own directory (forces the current sessions to expire)
system: add validation check for time period for Dpinger (contributed by Team Rebellion)
system: hide «show certificate info» button of pending CSR (contributed by nhirokinet)
system: move opnsense-auth to libexec, but keep a symlink in sbin directory
system: escaping issue in gateway edit page
system: fix ACL for halt and reboot pages
firewall: fix alias entry replacement in utility page
firewall: prevent new alias creation when adding an address
firewall: capture «nat» traffic like we do for «rdr» in live log
firewall: escaping issues in schedule edit page
interfaces: push dhclient and dhcp6c log messages to system log
interfaces: write all nameservers via dhclient-script in multi WAN scenarios
interfaces: check for valid alias IP in dhclient-script
interfaces: 6RD interface naming back to 18.7 to sidestep character limits on stacked setups
interfaces: avoid reading empty interface configurations
firmware: bootstrap rework for HTTPS repository URL
firmware: patch cache and assorted improvements
firmware: minor update utility cleanups
firmware: remove compatibility stubs for pre-19.1 version reads
firmware: show revoked package mirror error in GUI if applicable
firmware: bump RageNetwork mirror to HTTPS
firmware: be more careful about parsing version info
dhcp: fix behaviour of determining primary/secondary (contributed by Fredrik Ronnvall)
intrusion detection: set stream.inline: true as an IPS workaround for a Suricata 4.1 regression [109]
intrusion detection: support required rules/files in metadata package
intrusion detection: less extensive logging
ipsec: fix escaping issue in mobile page
monit: fix address validation
openvpn: obey verify-x509-name for remote access (user auth)
openvpn: proper daemonize instead of background job
openvpn: extract full CA chain for setup
openvpn: missing «port» in protocol export
mvc: fix port validation on whitespace input
mvc: fix compare constraint (contributed by Fabian Franz)
mvc: fix read-only access on config.xml during locked runs
mvc: prevent UserException from being pushed to PHP error log
ui: legacy browsers accommodation (contributed by NOYB)
ui: update to Tokenize2 1.3 plus additional escaping patches
ui: add support for Tokenize2 sortable tag
ui: hardening of gettext() invokes in HTML tags
ui: fix setFormData() HTML decode
plugins: os-bind safe search google domain updates (contributed by Michael Muenz)
plugins: os-dnscrypt-proxy 1.2 [110]
plugins: os-dyndns 1.13 IPv6 device lookup fix
plugins: os-etpro-telemetry 1.2 reduces telemetry data collection
plugins: os-frr 1.8 adds route summarization via area range (contributed by Michael Muenz)
plugins: os-haproxy 2.15 [111] [112]
plugins: os-nginx 1.8 [113]
plugins: os-ntopng 1.2 [114]
src: clear callee-preserved registers on amd64 syscall exit [115]
ports: cpdup 1.20
ports: curl 7.64.0 [116]
ports: libressl 2.8.3 [117]
ports: openvpn 2.4.7 [118]
ports: pam_opnsense manual page addition
ports: sqlite 3.27.1 [119]
ports: squid forgery check avoidance [120]
ports: strongswan 5.7.2 [121]
ports: unbound 1.9.0 [122]
Changes in OPNsense 19.1.1
system: address XSS-prone escaping issues [123]
firewall: add port range validation to shaper inputs
firewall: drop description validation constraints
interfaces: DHCP override MTU option (contributed by Team Rebellion)
interfaces: properly configure SIM PIN on custom modems
reporting: prevent cleanup from deleting current data when future data exists
ipsec: allow same local subnet if used in different phase 1 (contributed by Max Weller)
openvpn: multiple client export fixes
web proxy: add ESD files to Windows cache option (contributed by R-Adrian)
plugins: os-acme-client 1.20 [124]
plugins: os-dyndns fix for themed colours (contributed by Team Rebellion)
plugins: os-etpro-telemetry 1.1 adds random delay to telemetry data send
plugins: os-nginx 1.7 [125]
plugins: os-rspamd reads DKIM keys via Redis (contributed by Garrod Alwood)
plugins: os-theme-cicada 1.14 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.13 (contributed by Team Rebellion)
ports: ca_root_nss 3.42.1
ports: lighttpd 1.4.53 [126]
ports: py-requests 2.21.0 [127]
Changes in OPNsense 19.1
fully functional firewall alias API
PIE firewall shaper support
firewall NAT rule logging support
2FA via LDAP-TOTP combination
WPAD / PAC and parent proxy support in the web proxy
P12 certificate export with custom passwords
Dpinger is now the default gateway monitor
ET Pro Telemetry edition plugin [128]
extended IPv6 DUID support
Dnsmasq DNSSEC support
OpenVPN client export API
Realtek NIC driver version 1.95
HardenedBSD 11.2, LibreSSL 2.7
Unbound 1.8, Suricata 4.1
Phalcon 3.4, Perl 5.28
firmware health check extended to cover all OS files, HTTPS mirror default
updates are browser cache-safe regarding CSS and JavaScript assets
collapsible side bar menu in the default theme
language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat and Dnscrypt-proxy plugins
ipsec: add firewall interface as soon as phase 1 is enabled
ipsec: phase 1 selection GUI JavaScript compatibility fix
monit: widget improvements and bug fix (contributed by Frank Brendel)
ui: fix regression in single host or network subnet select in static pages
plugins: os-frr 1.7 updates OSPF outbound rules (contributed by Fabian Franz)
plugins: os-telegraf 1.7.4 fixes packet filter input
plugins: os-theme-rebellion 1.8.2 adds image colour invert
plugins: os-vnstat 1.1 [129]
plugins: os-zabbix-agent now uses Zabbix version 4.0
src: revert mmc_calculate_clock() as HS200/HS400 support breaks legacy support
src: update sqlite3-3.20.0 to sqlite3-3.26.0 [130]
src: import tzdata 2018h, 2018i [131]
src: avoid unsynchronized updates to kn_status [132]
ports: ca_root_nss 3.42
ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion)
ports: sudo patch to fix listpw=never [133]