OPNsense 16.7.4 released

Franco Fichtner franco at opnsense.org
Thu Sep 22 10:11:23 CEST 2016

Dear all,

We are deliberately skipping waiting for OpenSSL to announce their
new version today as the roundtrip time for incorporating patches
and updates into FreeBSD and maybe also LibreSSL will likely delay
an update to next week.  We will simply do a 16.7.5 next week as
well and let 16.7.4 stand on its own feet.

The prominent theme of this update is CARP.  We have identified
a number of issues with the way it was being set up and reverted
the process back to what BSD standards recommend.  We have a shiny
new test lab to preview and scrutinise these changes in a larger
environment.  The tests were promising.  Let us know what you think!

Another thing is the introduction of the Intel Gigabit driver plugin
based on the stock driver code version 7.6.2 as multiple reports
popped up regarding driver reliability.  If you are having trouble
with CARP or intrusion detection IPS mode with your em(4) driver,
try installing the new plugin and reboot to activate.

The full list of changes is as follows:

o system: SSH-enabled installer and associated changes
o system: deprecate DSA keys as per OpenSSH recommendation
o system: reworked config import / export for consistency
o system: reboot after config import is now selectable
o system: fix improper escape of HTML entities in log file filter
o system: handle legal boolean return result from searchUsers()
  (contributed by Evgeny Bevz)
o system: add dynamic DNS update to cron
o system: fix race in php.ini setup
o system: always keep repository configurations on core package deinstall
o system: properly trigger filter reload on HA peer
o system: add ordering to rc.syshook scripting facility
o system: add missing parameter for LDAPS authentication server
o firewall: change CARP to operate using BSD standards to fix several
  edge cases and reported issues
o firewall: fix validation of redirection in NAT
o firewall: redirect target IP selection can now use aliases
o firewall: simplify empty rules message in interface rules tabs
o interfaces: do not attempt to fix the MAC address of a broken NIC
o interfaces: adapt validation of PPP to not require idle timeout to be set
o interfaces: add missing help toggle to settings page
o services: DHCP lease pages show MAC manufacturers without Nmap install
o services: improve cleanup of multiple captive portal zones
o services: fix writing empty DNS resolver ACL
o reporting: automatic database repair added
o lang: translation improvements (contributed by Simon Brunet,
  Antonio Prado and Fabian Franz)
o lang: updates for French, German, Italian and Spanish
o plugins: add stock Intel e1000 driver version 7.6.2 as "os-intel-em"
  (requires a reboot)
o plugins: lower early start priorities of VMware and Xen plugins
o ports: haproxy 1.6.9[1], hyperscan 4.3.1[2], suricata 3.1.2[3],
  phalcon 3.0.1[4], samplicator 1.3.8rc1

Stay safe,
Your OPNsense team

[1] http://www.haproxy.org/download/1.6/src/CHANGELOG
[2] https://github.com/01org/hyperscan/blob/master/CHANGELOG.md
[3] https://suricata-ids.org/2016/09/07/suricata-3-1-2-released/
[4] https://github.com/phalcon/cphalcon/releases
