Hello good folks of the Internet,

For more than 3 years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We humbly present to you the sum of another major iteration of the OPNsense firewall. Over the second half of 2017 well over 500 changes have made it into this first release candidate. Most notably, the firewall NAT rules have been reworked to be more flexible and usable via plugins, which is going to pave the way for subsequent API works on the core firewall functionality. For more details please find the attached list of changes below.

Meltdown and Spectre patches are currently being worked on in FreeBSD[1], but there is no reliable timeline. We will keep you up to date through the usual channels as more news becomes available. Hang in there!

Download links, an installation guide[2] and the checksums for the images can be found below as well.

Europe: https://opnsense.c0urier.net/releases/18.1/

US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/18.1/

US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/18.1/

South America: http://mirror.upb.edu.co/opnsense/releases/18.1/

South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/18.1/

Full mirror list: https://opnsense.org/download/

Here is the full list of changes against version 17.7.11:

system: disabled AHCI MSI to prevent early mount failures with removable media

system: use correct crypto library to gather GUI SSL ciphers

system: added "save and go back" button to user edit page

system: removed obsolete host name routing support

system: do not wrap action buttons in tunables page

system: fix CA serial number decrement on save

system: added net.link.bridge.pfil_local_phys to tunables (contributed by David Harrigan)

system: routing configuration was converted to MVC/API (contributed by Fabian Franz)

firewall: enables shared forwarding in default configuration

firewall: enables sticky connections in default configuration

firewall: normal and dynamic log viewers have been superseded by live view

firewall: fold NAT reflection type selection into simple checkbox

firewall: added option for sticky outbound NAT for WAN VIPs

firewall: rewrite of the alias backend code

firewall: backend code cleanup

firewall: NAT rules have been made pluggable

firewall: add indicator for negated fields in shaper grid view (contributed by Fabian Franz)

firewall: better NAT formatting in states dump page

interfaces: DHCPv6 VLAN priority setting (contributed by Team Rebellion)

interfaces: DHCPv6 no release setting (contributed by Team Rebellion)

interfaces: only reload DHCPv6 upon correct reason (contributed by Team Rebellion)

interfaces: static IPv6 configuration over IPv4 link (contributed by Team Rebellion)

interfaces: allow persistent saving and customising of the system IPv6 DUID (contributed by Team Rebellion)

interfaces: automatic backup and restore of the system IPv6 DUID

interfaces: deferred reload of plugins and VPN upon new interface IP request

interfaces: DNS lookup API for firewall live log and insight reporting

interfaces: make level of detail stick in packet capture

interfaces: auto-lock problematic interfaces upon assignment

reporting: do not mark multiple sub-tabs in health page as active

firmware: allow to change the package release type

firmware: add a package health audit

firmware: list installed plugins at the top of the list

firmware: visibility for base and kernel sets in packages listing

firmware: allow base and kernel set reinstall and locking

firmware: remove the discontinued hotfix backend support

firmware: allow dot in package name during package action

installer: swap partition opt-out during guided installation

installer: root password reset tool for existing installations

installer: restore IPv6 DUID on config import

installer: limit swap partition size to 8 GB (contributed by Frank Wall)

ipsec: removed obsolete dynamic host name support

ipsec: local group authentication setting

ipsec: removed the obsolete "IPsec XAUTH dialin" privilege

network time: OPNsense NTP pool is now available and used in default configuration

network time: fix for valid negative offset in health graph

network time: fix parsing of overly long lines

openvpn: backend code cleanup

openvpn: multiple wizard fixes

power: reboot poll dialog

web proxy: proper reload on cache setting toggle

web proxy: use PID file instead of daemon name for status probe

web gui: strict interface binding

web gui: removed login autocomplete toggle, now off by design

wizard: add Unbound to wizard and unset DNSSEC by default

ui: reworked service control look and feel

ui: folded tabs for firewall rules, DHCP / RA interfaces and wireless status into menu

ui: HTML compliance fixes button in link usage (contributed by NOYB)

ui: auto-position menu when item list does not fit the screen

ui: reworked sub-tab look and feel

ui: added menu cache

ui: unification of layout of MVC and static page headers

ui: migrated to jQuery 3

ui: eliminate 300 ms tap delay (contributed by NOYB)

mvc: added ACL cache

mvc: added code-based ACL extensions

mvc: reload syslog settings for plugins

mvc: allow input fields to render as read-only (contributed by David Harrigan)

mvc: proper target page redirect after login

mvc: added mutable service controller

mvc: added sub-tab layout partials

mvc: do not render empty toggle header

plugins: c-icap 1.4 with multiple UI improvements (contributed by Alexander Shursha)

plugins: clamav 1.4 with multiple UI improvements (contributed by Alexander Shursha)

plugins: dyndns 1.5 with button in link usage fix (contributed by NOYB)

plugins: freeradius 1.5.0 with basic LDAP support (contributed by Michael Muenz)

plugins: frr 1.0 (contributed by Fabian Franz and Michael Muenz)

plugins: haproxy 2.3 allows disabling the introduction pages (contributed by Frank Wall)

plugins: helloworld 1.4

plugins: igmp-proxy 1.3 with button in link usage fix (contributed by NOYB)

plugins: quagga 1.4.4 is end of life, please use FRR instead

plugins: tinc 1.3 with path MTU discovery

plugins: tor 1.4 adds contact info (contributed by Fabian Franz)

plugins: web-proxy-useracl 1.0 (contributed by Smart-Soft)

src: update Realtek driver to vendor version 1.94

src: update FreeBSD to 11.1-RELEASE-p6 with HardenedBSD additions

src: shared forwarding for IPv6 and try-forward support

ports: libressl 2.6.4[3]

The list of currently known issues with 18.1-RC1:

The firewall NAT rule generation rewrite is not yet fully verified.

The web GUI recovery is not yet fully implemented.

All images are provided with SHA-256 signatures, which can be verified against the distributed public key:

# openssl base64 -d -in image.bz2.sig -out /tmp/image.sig

# openssl dgst -sha256 -verify rsa.pub -signature /tmp/image.sig image.bz2
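The two commands above are the whole verification procedure; the following shell script is an added example (not part of the OPNsense announcement or project) that wraps them in a reusable function and exercises it end to end against a throwaway RSA key pair and a constructed sample file, so it runs offline. The key it generates, the file names under the temporary directory and the helper name verify_image are assumptions for the demo; against a real download you would pass the rsa.pub published in this announcement, the downloaded image.bz2.sig and the image.

```shell
#!/bin/sh
# Added example, not OPNsense code. Assumes a POSIX sh and an OpenSSL CLI
# providing genpkey, pkey, dgst and base64 (any modern OpenSSL/LibreSSL).

# verify_image PUBKEY SIG_B64 IMAGE
# Returns 0 when IMAGE matches the base64-encoded RSA/SHA-256 signature
# stored in SIG_B64, non-zero otherwise. Mirrors the announcement's steps.
verify_image() {
    pub="$1"; sig_b64="$2"; image="$3"
    raw_sig="$(mktemp)"
    # Step 1: the distributed .sig is base64 text; decode it to raw DER bytes.
    if ! openssl base64 -d -in "$sig_b64" -out "$raw_sig"; then
        rm -f "$raw_sig"
        return 1
    fi
    # Step 2: check the signature over the SHA-256 digest of the image.
    openssl dgst -sha256 -verify "$pub" -signature "$raw_sig" "$image" >/dev/null 2>&1
    rc=$?
    rm -f "$raw_sig"
    return $rc
}

# Self-contained demo: constructed key pair and constructed "image" (hypothetical paths).
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/rsa.key" 2>/dev/null
openssl pkey -in "$demo_dir/rsa.key" -pubout -out "$demo_dir/rsa.pub" 2>/dev/null

printf 'constructed sample image contents\n' > "$demo_dir/image.bz2"
# Produce the signature the same way a publisher would: sign, then base64-encode.
openssl dgst -sha256 -sign "$demo_dir/rsa.key" \
    -out "$demo_dir/image.sig.raw" "$demo_dir/image.bz2"
openssl base64 -in "$demo_dir/image.sig.raw" -out "$demo_dir/image.bz2.sig"

# A tampered copy: one extra byte is enough to change the SHA-256 digest.
cp "$demo_dir/image.bz2" "$demo_dir/image.tampered"
printf 'x' >> "$demo_dir/image.tampered"

if verify_image "$demo_dir/rsa.pub" "$demo_dir/image.bz2.sig" "$demo_dir/image.bz2"; then
    echo "genuine image: signature verified"
else
    echo "genuine image: verification FAILED (unexpected)"
fi
if verify_image "$demo_dir/rsa.pub" "$demo_dir/image.bz2.sig" "$demo_dir/image.tampered"; then
    echo "tampered image: verification passed (unexpected)"
else
    echo "tampered image: verification failed, as it should"
fi
```

verify_image deliberately relies on the exit status of openssl dgst rather than grepping for the "Verified OK" string, so it behaves the same in scripts regardless of OpenSSL's output wording; the .sig file must be decoded first because openssl dgst -verify expects the raw DER signature, not its base64 form.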

The public key for the 18.1 series is:

# -----BEGIN PUBLIC KEY-----

# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5kMyxEWUoyY3y8JLlOnz

# j2dE1QPYmWspn5Diqf1T6uSh0/HA8TwnRvI4m82dC2kgnafVB85zIS+rXQLiyJZI

# JEqmBS5f54kVcyJPVORe7NepJq372amAMTcpPwH4b0SS9ZETebAOyuHjdG/lCjKD

# yt5W5ZvaMiDMWLVuw1ZlTIxLgkRuCHsk66E1bdoiIMdZPoyk2Q9WQd3PynLRBVHC

# iT32cJ/NlHiLEALp0wcNr+FllmFQXahQ5R1uBcsE/IXa7Tg0QXlW7s5+d6NTwQ/d

# 7NVnfZzH8IiO0A/9O5jbBsD6HLmity5nMI+RBwFQ9OQoBNxl5aakkusizT6diMYb

# PG+zPZsWo/ADqsbg1U/MMLJXD8CDFjcerhIDrrWSIVlSmQKw97nMK/TdUsqnVl7N

# uDLl0RHe+N6ndmNGTQGg5HbrTmYKSEGBdS4xFtO60JCxubzfpvnkDnPCIJtxWukf

# TzhORJHj2vkGLDA5FocTSOY76lWUO4qJQBA2bB3GtGbCm/nM4TlHpL4Kbf10IUJk

# j1tRFi8gXNOhrdplFAR+lV/yy58/+ZOg61Yz7UvYG/A9rxGkyVmIjzB/4S6Wstye

# IA6vpfzHwHq82hMqafCSB2KJciuKVEgVO6DHLV03VLTPqkJVsCbWXHgNjK2fQCFX

# JeXNX68TcObIJzqbiegZYo8CAwEAAQ==

# -----END PUBLIC KEY-----

As always with our pre-releases, only OpenSSL is provided at this point, but it can be switched for LibreSSL as soon as the release is available. This release candidate does update directly into the 18.1 stable track and subsequent release candidates. Please let us know about your experience!

Stay safe,

Your OPNsense team

[1] https://lists.freebsd.org/pipermail/freebsd-security/2018-January/009719.html

[2] https://docs.opnsense.org/manual/install.html

[3] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.4-relnotes.txt