OPNsense neues Release 18.7

OPNsense 18.1 “Groovy Gecko” ist End of Life und wurde durch OPNsense 18.7 “Happy Hippo” abgelöst. Die neue Version erscheint nach ca. 3.5 Jahren nach dem ersten Release.

Damit diese Version installiert werden kann, muss sie über die WebGUI, SSH oder per Installer freigeschaltet werden. Zuvor solltest du unbedingt die Release Notes mit den Änderungen und Anpassungen lesen.

OPNSense 18.7 Release Notes

• improved WAN DHCPv6 and SLAAC connectivity and tracking
• functional IPv6 Rapid Deployment (6RD) support
• improved default route handling and gateway switching
• OpenVPN default setup improvements for IPv6 and RADIUS attribute support
• Dpinger gateway monitoring integration
• password policies for local authentication and coupled TOTP
• Monit core integration to eventually replace the legacy notifications
• OpenSSH access via group and shell selection instead of privilege
• pluggable backup framework with new Nextcloud option
• sytem tunables are now also used as loader tunables
• unrestricted VLAN usage for e.g. Xen
• QinQ interface removal
• firmware GUI speedup, improved error parsing and console reboot hint
• ZFS on root boot support (installer support is pending, but opnsense-bootstrap works)
• ZFS and MSDOS config import support
• ISC DHCP version moves from 4.3 to 4.4
• RRDtool version moves from 1.2 to 1.7
• rework rc.syshook facility to use drop-in directories instead of suffixes
• backports of FreeBSD 11.2 Intel NIC drivers
• stand-alone frontend UI development tools
• language updates for Czech, French, German, Portuguese (Brazil)
• UI header security and SSL cipher hardening
• extensive UI cleanups and menu consolidation
• new and rewritten plugins: os-cache, os-lcdproc-sdeclcd, os-net-snmp,
  os-nut, os-openconnect, os-relayd 2.0, os-shadowsocks, os-theme-cicada,
  os-theme-rebellion, os-theme-tukan, os-wol 2.0

Migration notes and minor incomatibilities to look out for:

• SSH access is now bound to the “wheel” group which is automatically
  added to “admins” group, which “root” is a member of. “root” is the
  only user that has a default shell, namely opnsense-shell, which is the
  root console menu.
• SSH access can be set for an arbitrary group as well under System:
  Administration for non-members of “admins” group. However, in both
  cases only SCP works due to a request in the forum to be more proactive
  regarding yielding of shell access rights. If you want a user to gain
  true SSH access you need to change their shell from “nologin” to an
  installed shell in their respective settings.
• Web GUI HTTPS ciphers have been hardened. To gain access please use a
  recent browser.
• The authentication fallback for the GUI/system has been removed in
  favour of selecting multiple authentication servers at once. Reassign
  your fallback as a primary authentication method or now use more than
  two methods.
• It has been found that although WAN interfaces require gateways to
  function, they do not necessarily have to be assigned in single-WAN
  scenarios to avoid interfering with WAN reply behaviour. The “none”
  selection was therefore changed to “auto-detect” to reflect this and
  now is the recommended setting unless multi-WAN is used.
• In preparation for the firewall alias API the per-item descriptions have
  been removed along with support for the deprecated types urltable_ports
  and url_ports.
• OpenVPN /31 tunnel network calculation changed to use the first and last
  address as network address and broadcast address do not exist. If you
  are affected, adjust your clients or export their configuration again
  which includes the configuration fix. Additionally, /32 tunnel networks
  are now prohibited.

All images are provided with SHA-256 signatures, which can be verified
against the distributed public key:

# openssl base64 -d -in image.bz2.sig -out /tmp/image.sig
# openssl dgst -sha256 -verify rsa.pub -signature /tmp/image.sig image.bz2

The public key for the 18.7 series is:

—–BEGIN PUBLIC KEY—–
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvkEFA2+DAhWXfucsgdvZ
8xxkuzNt0nYttTmbRtLVJRKREysOj3/nqBcFWtvLr3ooVhkbxVY7HPLEoicqFdG/
+m5lLR2kI7hnZ2mpkl+/NKSixJaZkqXi5cQCp8KUlE7oOu3d6O5ZtTg4g40Ms8Dp
bQw8oZo3NpBrQK3gEEEzNYgChkZwTrEZ1Y8v8+/3zggh44sqg4vA1j5g9jq3Ldms
3KnulBgettpHIapeAmbtCokaLaXxf4lgQxyUsy077aeNRptDpGG3D5ZQgtIjaYeE
h3u51PaVTL5OY/2uvcTnxR/ZrrHpppkIutUGzGJo9KK0gfrXLi31r9e+xtBJYBdC
FtdefujlV3Cfw1OFpUY/Y1p921xgHftNnrVDk+C9kl+FKf3qvFeyGCbd9V2k1JM2
uXHDwbsjZNPhbxbqtCoCDMbsUjBsfWyAOIoZfXOSmqJQt3jBUvwXKwLKncVh4Tvu
wxJGXNZXk/OCHVQYlx/uzwf5/ly/ApIwMKqr66E7mo0OVkPaME0uCCUJolugu9lI
tW8TJVZryBCQMQ4XhPZkcny22I2oRI5nCu7baRrFNJ8gB8UYUnrIPTIJIhrjrVOg
pFOxSb/tZAqtutFOE8F5+KwcgGlOBOKXPaNrdQ79X4kH7egChPrhm283rfW1oEG6
8rHzvP45S09L8o7OXUddo8UCAwEAAQ==
—–END PUBLIC KEY—–

Quelle: https://opnsense.org/opnsense-18-7-released/

JARVIS

Interessiert in verschiedenste IT Themen, schreibe ich in diesem Blog über Software, Hardware, Smart Home, Games und vieles mehr. Ich berichte z.B. über die Installation und Konfiguration von Software als auch von Problemen mit dieser. News sind ebenso spannend, sodass ich auch über Updates, Releases und Neuigkeiten aus der IT berichte. Letztendlich nutze ich Taste-of-IT als eigene Dokumentation und Anlaufstelle bei wiederkehrenden Themen. Ich hoffe ich kann dich ebenso informieren und bei Problemen eine schnelle Lösung anbieten. Wer meinen Aufwand unterstützen möchte, kann gerne eine Tasse oder Pod Kaffe per PayPal spenden – vielen Dank.