OPNsense 17.1  “Eclectic Eagle” Released

? More Secure   ? Better Language Support   ? More Features

Hi everyone,

The OPNsense team is proud to announce the final availability of version
17.1, nicknamed “Eclectic Eagle”. This major release features FreeBSD 11.0,
the SSH remote installer, new languages Italian / Czech / Portuguese,
state-of-the-art HardenedBSD security features, PHP 7.0, new plugins for
FTP Proxy / Tinc VPN / Let’s Encrypt, native PAM authentication against e.g.
2FA (TOTP), as well a rewritten Nano-style card images that adapt to media
size to name only a few.

We would like to encourage everyone to supervise this major upgrade
physically. As such, it cannot be performed from the GUI. Instead, go
to the root console menu, choose option 12 and type “17.1” at the prompt.
The process will download a full set of updates and reboot multiple.
All operating system files and packages will be reinstalled as a consequence.
This process can also be remotely triggered via SSH.

For fresh installations, images are provided with OpenSSL for 32 and 64 bit Intel architectures. The new SSH installer feature will be listening on the LAN port 192.168.1.1, give out DHCP leases to clients and can connect using the user “root” (console menu) or “installer” (the installer, of course) with the default password “opnsense”.

Mirrors

The respective checksums for the images can be found below this announcement and the direct download links from our capable mirror providers are as follows:

Major Features

Here is the list of major features that have been worked on since 16.7 was released 6 months ago:

• cooperative firewall forwarding to allow traffic shaper/captive portal with multi-WAN
• install media now boots up with SSH for headless remote installation
• HardenedBSD ASLR and PIE compilation for most binaries
• HardenedBSD SEGVGUARD to prevent ASLR brute force attacks
• PHP 7.0 compatibility and general GUI speed improvements
• replaced the CSRF implementation in the non-MVC pages
• integrated authentication using PAM to allow e.g. 2FA (TOTP) over SSH
• system secondary console support with new EFI and Mute options
• Portuguese/Portugal as a release language (contributed by Carlos Meireles)
• Portuguese/Brazil as a release language (contributed by Thiago Basilio)
• Italian as a release language (contributed by Antonio Prado)
• Czech as a release language (contributed by Pavel Borecki)
• improved password security (contributed by OSnet)
• FTP proxy plugin (contributed by Frank Brendel)
• Let’s Encrypt Plugin (contributed by Frank Wall)
• Tinc VPN Plugin
• IPsec tunnel isolation mode for interoperability
• micro versioning/migrations for config items
• constraint support for config items
• rewritten Nano images with growfs(8) support
• authentication methods are now fully pluggable
• firewall rules are now fully pluggable
• FreeBSD 11.0 including additional reliability fixes

Minor Changes

Minor changes made since 16.7.14/17.1.r1:

• system: always restore native /var layout on boot
• system: make vt/sc configurable
• web proxy: improve validation for SSL bump URL input (contributed by Fabian Franz)
• web proxy: add plugin-capable pre/post authentication directories (contributed by Evgeny Bevz)
• mvc: use empty string instead of “##Unlinked” in missing elements (contributed by Frank Wall)
• www: replace CSRF implementation of static PHP pages
• src: convert result of hash_packet6() into host byte order
• src: correctly initialise subrulenr in pflog
• ports: openssl 1.0.2k[1]
• ports: php 7.0.15[2]

Migration Considerations

Additionally, these migration caveats should be heeded before upgrading:

• The integrated authentication framework is now used as a system-wide default including login(1), su(1) and sudo(8). This means that e.g. 2FA will be used for low-level password prompts as well and plain passwords are disabled by default. If this behaviour is undesired, set the “Disable integrated authentication” option under System: Settings: Administration.
• The console settings received a non-backwards compatible change. If the VGA console is not working, simply reconfigure it from System: Settings: Administration as it was likely set to “Serial” due to a wrong GUI default.
• FreeBSD 11.0 switched to the vt(4) console driver, but we are keeping sc(4) as the default. You can change this after installation by enabling the virtual terminal driver under System: Settings: Administration.
• The access privileges for “Lobby: Login / Logout / Dashboard” and “Diagnostics: Backup / Restore” have been remapped internally and need to be reapplied when they have been assigned explicitly.
• The inherited 6rd kernel patches are not included in standard FreeBSD 11.0. The state of 6rd is possibly broken. We ask for volunteers to pick up the work if 6rd is still a requirement, as we do not have access to such setups.
• Fundamental WiFi stack changes in FreeBSD 11.0 could still affect overall operability. Please let us know about these right away.
• The following services moved to individual plugins and need to be reinstalled in order to be used: SNMP, Load Balancer, Wake on LAN, Universal Plug and Play, IGMP Proxy. Their respective configurations will be preserved by the system even if these plugins are not installed.
• The Intel e1000 driver plugin has been removed due to an incompatibility
• with FreeBSD 11.0. All previously known bugs of the FreeBSD 11.0 e1000 driver have been fixed in OPNsense 17.1 and reported to FreeBSD.

We would love to hear your feedback! As we want OPNsense the best it can
be for you, please do not hesitate to contact us through any of the known
channels: