OPNsense is an open source, easy-to-use and easy-to-build FreeBSD-based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. OPNsense started as a fork of pfSense® and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of both m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project. OPNsense offers weekly security updates with small increments to react to new emerging threats in a timely fashion. A fixed release cycle of 2 major releases each year offers businesses the opportunity to plan upgrades ahead. For each major release a roadmap is put in place to guide development and set out clear goals.

18.1.4 12 Mar 2018 07:20 minor feature: Here are the full patch notes:
o system: improved default route handling
o system: improved gateway switching
o system: cleanse username on LDAP import
o system: increase maximum size of firmware reports
o firewall: shaper backend refactor
o interfaces: improved reconfigure phase
o reporting: fix sporadic "non-numeric value encountered" error
o captive portal: add voucher expiry (contributed by Stephanowicz)
o intrusion detection: use latest ET Open rules for Suricata version 4
o intrusion detection: proper syslog with drops, requires log file reset
o intrusion detection: backend refactor
o plugins: os-frr 1.2 adds OSPF interface type (contributed by Marius Halden)
o plugins: os-haproxy 2.6 [1] (contributed by Frank Wall)
o ports: isc-dhcp 4.3.6P1 [2]
o ports: krb5 1.16 [3]
o ports: pkg 1.10.5
o ports: strongswan 5.6.2 [4]

18.1.3 05 Mar 2018 12:00 minor feature: Here are the full patch notes:
o system: account for variable headers in top output
o system: move gateway status into main pages
o system: slightly reorder routing configuration calls
o system: optimize reading of SSL crypto library version string (contributed by Alexander Shursha)
o system: rework LDAP authentication container selection
o interfaces: avoid interaction of overview details with menu items
o interfaces: allow "reject leases from" option in DHCP advanced settings
o firewall: set alias cron update interval to 1 minute
o firewall: align alias cron update with its background call
o firewall: URL IP alias type missing in selections
o firewall: fix defunct alias target in outbound NAT
o firewall: ignore alias case while searching
o firewall: move rule category filter to the top of the page
o firewall: show IPv6 ports in live log and fix details for TCP
o firewall: move general settings to AliasParser and fix Alias constructor to receive them
o firewall: if the name of the alias equals its content try to resolve
o dhcp: advertisement problem on PPPoE link without public IPv6 address (contributed by Team Rebellion)
o dhcp: UEFI 64 network boot using wrong arch type
o dhcp: validate maximum interface MTU
o dhcp: add validation for DUID fields
o ipsec: auto-route disable setting (contributed by Namezero)
o network time: inline NMEA checksum calculator (contributed by Fabian Franz)
o network time: fix stratum level write
o unbound: optimize outgoing-range differently
o unbound: local zone setting (contributed by NOYB)
o ui: fix cropped dropdown regression
o mvc: translate option values (contributed by Alexander Shursha)
o mvc: fix access to undefined property translator
o mvc: fix typo in getBase()
o mvc: improve phpdoc
o rc: protect console menu again, but keep shell invoke for rc.d subsystem
o rc: fix some typos (contributed by John Eismeier)
o rc: proper includes for plugin post-install hook
o rc: recover all known shells
o plugins: os-clamav 1.5 fixes log

18.1.2 08 Feb 2018 18:20 minor feature: Here are the full patch notes:
o system: avoid default route from disappearing when no manual gateways are set
o firewall: fix outbound NAT for OpenVPN interfaces
o interfaces: multiple overview page improvements (contributed by NOYB)
o firmware: revoke 17.7 update fingerprint
o console: check for root invoke in importer, installer and console menu
o intrusion detection: always show schedule tab
o intrusion detection: log first drop of a flow
o intrusion detection: add a log file viewer
o unbound: add num-queries-per-thread option values for 4096 and 8192
o ui: remove chrome=1 from X-UA-Compatible meta element (contributed by NOYB)
o ui: HTML compliance for attribute "type" on script element (contributed by NOYB)
o ui: HTML compliance for "navigation" "role" on nav element (contributed by NOYB)
o ui: checkbox and radio button label children tweaks (contributed by NOYB)
o ui: break help text on small screens
o ui: use pluggable locations for theme files
o ui: remove table-responsive padding on small screens
o ui: user-scalable viewport (contributed by NOYB)
o mvc: CRUD functions for mutable model controller (contributed by Fabian Franz)
o plugins: os-frr 1.0 with CRUD refactor (contributed by Fabian Franz)
o plugins: os-tor 1.5 with CRUD refactor (contributed by Fabian Franz)
o ports: phalcon 3.3.1
o ports: php 7.1.14

18.1.1 02 Feb 2018 18:19 minor feature: Here are the full patch notes:
o firewall: ignore target port alias in port forwards when it equals the destination
o firewall: align outbound NAT address output to edit page
o firewall: use first region for country in GeoIP category instead of last one
o system: improve layout of gateway status labels (contributed by Fabian Franz)
o system: improve order of group / user setup as "wheel" was not added correctly on save
o dashboard: touch device improvements in widgets (contributed by NOYB)
o opendns: always refresh the setting on save
o openvpn: open links in a new tab (contributed by Fabian Franz)
o ui: system-wide HTML compliance improvements (contributed by NOYB)
o plugins: arp-scan 1.1 improves interface search (contributed by Giuseppe De Marco)
o plugins: os-dyndns 1.6 fixes Route 53 IPv6 usage (contributed by theq86)
o plugins: os-freebsd 1.5.2 clarifies certificate validation (contributed by Michael Muenz)
o plugins: os-openconnect 1.0 (contributed by Michael Muenz)
o plugins: os-rfc2136 1.2 improves widget load
o plugins: os-telegraf 1.3.1 adds ping hosts and graphite validation fix (contributed by Michael Muenz)
o plugins: os-rspamd 1.1 fixes typos (contributed by Fabian Franz)
o plugins: os-zerotier 1.3.1 makes database persist on /var MFS (contributed by David Harrigan)
o ports: curl 7.58.0 [1]
o ports: py27-cryptography 2.1.4

18.1 02 Feb 2018 18:18 minor feature: These are the most prominent changes since version 17.7:
o FreeBSD 11.1, PHP 7.1 and jQuery 3 migration
o Realtek vendor NIC driver version 1.94
o Portable NAT before IPsec support
o Local group restriction feature in OpenVPN and IPsec
o OpenVPN multi-remote support for clients
o Strict interface binding for SSH and web GUI
o Improved MVC tabs and general page layout
o Shared forwarding now works on IPv6, in conjunction with "try-forwarding" and improved reply-to multi-WAN behaviour
o Easy-to-use update cache support for Linux and Windows in web proxy
o Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)
o Revamped HAProxy plugin with introduction pages
o Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status
o Alias backend rewrite for future extensibility
o Plugin-capable firewall NAT rules
o Migration of system routes UI and backend to MVC (also available via API)
o Reverse DNS support for insight reporting (also available via API)
o Fully rewritten firewall live log in MVC (also available via API)
o New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, node_exporter

17.7.12 19 Jan 2018 06:18 minor feature: Here are the full patch notes:
o system: use correct crypto library to gather GUI SSL ciphers
o system: do not wrap action buttons in tunables page
o system: fix CA serial number decrement on save
o firmware: remove the discontinued hotfix backend support
o firmware: allow dot in package name during package action
o firmware: remove defunct mirrors
o interfaces: make level of detail stick in packet capture
o interfaces: auto-lock problematic interfaces upon assignment
o firewall: make NAT reflection enable less ambiguous
o firewall: fix NAT formatting in states dump page
o network time: fix for valid negative offset in health graph
o network time: OPNsense NTP pool is now available
o network time: fix parsing of overly overlong lines
o web proxy: use PID file instead of daemon name for status probe
o wizard: add unbound to wizard and uncheck DNSSEC by default
o ui: HTML compliance fixes button in link usage (contributed by NOYB)
o mvc: added mutable service controller
o mvc: added sub-tab layout partials
o mvc: do not render empty toggle header
o plugins: acme-client 1.13 [1] (contributed by Frank Wall)
o plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)
o plugins: helloworld 1.4
o plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)
o plugins: tor 1.4 adds contact info (contributed by Fabian Franz)
o plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)
o ports: libressl 2.6.4 [2]
o ports: php 7.1.13 [3]

17.7.11 22 Dec 2017 10:12 minor feature: Here are the full patch notes:
o system: numerical sort for "Use" and "MTU" columns in route diagnostics
o system: gateway group edit tier selection issue with jQuery3
o system: minor cleanups in the certificates backend
o firewall: move anti-lockout rule to advanced settings
o interfaces: minor cleanups in the backend
o reporting: rework configuration handling on the settings page
o dnsmasq: minor cleanups in the backend
o firmware: strip the architecture from the base / kernel set version display
o firmware: backend preparations for full base / kernel set lock and reinstall
o firmware: increase crash report file limit to 2 MB
o ipsec: minor cleanups in the backend
o unbound: register DHCP domain name for interface if found
o network time: show full remote address and fix page boxing on status page
o network time: add advanced custom options
o network time: fix leap second save
o network time: minor cleanups in the backend
o wizard: properly redirect on input errors in system wizard
o mvc: ignore client-side anchors in breadcrumb generation
o ui: do not use a CSRF input element ID
o plugins: os-freeradius 1.4.1 fixes a warning in clients (contributed by Michael Muenz)
o ports: libxml 2.4.7 [1]
o ports: py-ipaddress 1.0.19

17.7.10 18 Dec 2017 10:56 minor feature: Here are the full patch notes:
o system: allow user-based language setting through Lobby: Password
o system: allow strict interface binding for OpenSSH
o system: prepare for MVC-based routing pages
o firmware: prepare for production / development release type selection
o firewall: fix a PHP warning when no user rules are installed
o firewall: add refresh button to table diagnostics page
o captive portal: fix chroot regression since lighttpd web server update in 17.7.9
o interfaces: provide a link-local IPv6 when asking for addresses
o intrusion detection: sync port-groups to default template
o ipsec: upgrade vici lib to match strongSwan package
o network time: fix a PHP warning during NMEA deselect
o mvc: do not throw disabled errors in handler
o plugins: os-dyndns 1.4_1 fixes issue with Namecheap error parsing
o plugins: os-freeradius 1.4.0 adds log viewer and fixes users write (contributed by Michael Muenz)
o plugins: os-quagga 1.4.3 adds OSPF firewall rule and spinners for save (contributed by Fabian Franz)
o src: OpenSSL multiple vulnerabilities [1] [2]
o ports: hyperscan 4.6.0 [3]
o ports: openssl 1.0.2n [4]
o ports: suricata 4.0.3 [5]
Two plugin hotfixes have been additionally issued:
o plugins: os-quagga 1.4.3_1 fixes service startup regression
o plugins: os-rfc2136 1.1_1 fixes edit button in IE 11

17.7.9 07 Dec 2017 16:29 minor feature: Here are the full patch notes:
o system: fix XSS with crafted certificates in certificate manager [1]
o system: removed duplicated firmware privileges
o system: fix resolving routes in diagnostics page
o system: regenerated DH parameters
o dhcp: support stateless DHCPv6
o firmware: kernel and base set visibility and better API session handling
o intrusion detection: improve download and install speed of et-open rules
o intrusion detection: add TLS and HTTP logging in eve and alert log viewer
o openvpn: allow remote network in peer to peer modes
o web proxy: better service and API session handling
o router advertisements: advertise on VIPs belonging to the same interface
o configd: allow template overrides via optional target directory
o mvc: prepare for user-based language setting (contributed by Alexander Shursha)
o mvc: prepare for auto-generated page titles
o mvc: tighten against frame-based attacks
o mvc: correctly hide advanced option headers in forms (contributed by Evgeny Bevz)
o ui: fix for deactivated storage in sticky "help all" toggle (contributed by Fabian Franz)
o ui: make "advanced mode" sticky too
o plugins: os-acme-client 1.12 [2] (contributed by Frank Wall)
o plugins: os-arp-scan (contributed by Giuseppe De Marco)
o plugins: os-clamav 1.3 (contributed by Alexander Shursha)
o plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed by Kuo-Cheng Yeu)
o plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)
o plugins: os-haproxy 2.0 [3] (contributed by Frank Wall)
o plugins: os-relayd 1.2 fixes "check send" directive
o plugins: os-tor 1.3 (contributed by Fabian Franz)
o plugins: os-zabbix-agent 1.2 fixes service status indicator
o plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)
o ports: ca_root_nss 3.34.1
o ports: curl 7.57.0 [4]
o ports: lighttpd 1.4.48 [5]
o ports: php 7.1.12 [6]
o ports: pkg 1.10.3 [7]
o ports: py-Jinja2 2.10 [8]
o ports: syslogd 11.1