Hi there,
For more than 6 and a half years, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3
Download links, an installation guide[1] and the checksums for the images can be found below as well.
Here are the full patch notes against 21.1.7:
- system: Norwegian translation (contributed by Stein-Aksel Basma)
- system: correctly enforce "Disable writing log files to the local disk" when circular logs are not used
- system: allow editing gateway entries with non-conforming names
- system: add HA sync entry for live log templates
- system: lock config writes during HA merges
- system: raised PHP memory limit to 1G
- system: raised encryption standard for encrypted config.xml export
- system: removed NextCloud backup from core functionality
- system: allow more characters in the certificate/authority organization fields (contributed by Jan De Luyck)
- system: default gateway failure state killing is now disabled by default
- system: circular logs are now disabled by default
- system: removed unused traffic API dashboard feed
- interfaces: improve GRE/GIF configuration handling and dynamic reload behaviour
- interfaces: remove duplicated handling of PPP IPv6 interface detection
- interfaces: refactored address removal into interfaces_addresses_flush()
- interfaces: flush IPv6 addresses on the correct IPv6 interface when it differs from the IPv4 interface
- interfaces: do not check for existing CARP interfaces midstream
- interfaces: remove non-tunnel restriction from address collection
- interfaces: set tunnel flag for IPv4 tunnel plus cleanups
- interfaces: allow interface-based overrides of hardware checksum settings
- interfaces: refactor DNS lookup and add PTR to output (contributed by Maurice Walker)
- firewall: set label for obsolete rule in live log (contributed by kulikov-a)
- firewall: MVC rewrite of the states diagnostics pages under "States"
- firewall: renamed "pfTables" diagnostics to "Aliases"
- firewall: add quick link to states counter from firewall rule inspection
- firewall: add manual reply-to configuration to rules
- firewall: delete related rules when an interface group is removed
- firewall: rename source/destination networks when group name changes
- dhcp: remove ::/0 route from router advertisements (contributed by Maurice Walker)
- dhcp: always deprecate prefixes in automatic router advertisements
- dhcp: fix table header sorting in lease pages (contributed by vnxme)
- dhcp: lock access to settings pages when interface is not suitable for running a DHCP server
- firmware: introduced connectivity check
- firmware: confirm plugin removal dialog
- intrusion detection: fix alert reads from eve.json
- ipsec: adhere to system defaults for route-to and reply-to when creating automatic VPN rules
- ipsec: switched to explicit type selection for identities
- network time: added NTPD client mode
- openvpn: offer the ability to export a user without a certificate
- openvpn: increase consistency between export types
- unbound: fix domain overrides for private address reverse lookup zones (contributed by Maurice Walker)
- console: throw error when opnsense-importer encounters an encrypted config.xml
- mvc: reduce differentials in config.xml when saving models
- ui: work on unification of add buttons by minifying them and adding primary color markup
- ui: prevent translation line breaks from breaking JS
- ui: switch firewall category icon for clarity
- ui: inject default tooltips into bootgrid formatters
- ui: removed $main_buttons magic handler
- ui: improved JS hook_ipv4v6() to jump to /64 on IPv6 and back to /32 on IPv4
- plugins: os-etpro-telemetry 1.5 exclude stale data from telemetry upload
- plugins: os-fetchmail 1.0 (contributed by Michael Muenz)
- plugins: os-freeradius 1.9.14[2]
- plugins: os-maltrail 1.8[3]
- plugins: os-nut 1.8[4]
- plugins: os-telegraf 1.11.0[5]
- plugins: os-zabbix5-proxy is now a plugin variant
- plugins: os-postfix 1.9
- plugins: os-net-snmp 1.5
- plugins: os-frr 1.22
- src: dhclient support for VLAN 0 decapsulation
- src: FreeBSD updates for the pf(4) and iflib(4) subsystems
- src: FreeBSD updates for Intel e1000, ixgbe and ixl drivers
- src: compatibility shim for upcoming rtsold "-M" command line option
- ports: drop hardening options to ease migration to FreeBSD ports tree
- ports: libxml 2.9.12[6]
- ports: nettle 3.7.3
- ports: nss 3.67[7]
- ports: openvpn 2.5.3[8]
- ports: php 7.4.20[9]
- ports: phpseclib 2.0.32[10]
- ports: python 3.8.10[11]
- ports: sudo 1.9.7p1[12]
Known issues and limitations:
- NextCloud backup plugin removed from core, but not yet available as stable plugin via GUI. Install manually from console as follows: pkg install os-nextcloud-backup-devel
- IPsec identities are now set using their explicit type. See StrongSwan documentation[13] for the old automatic defaults.
- CLOG creating garbage logs when used. Fix scheduled for 21.7-RC2.
- Unbound advanced configuration not yet replaced.
The public key for the 21.7 series is:
Please let us know about your experience!
Stay safe,
Your OPNsense team
SHA256 (OPNsense-21.7.r1-OpenSSL-dvd-amd64.iso.bz2) = e1a9cd3296352a99f8a5ac7c7edd5f7161361fde4688115186292bed91252a1Gc
SHA256 (OPNsense-21.7.r1-OpenSSL-nano-amd64.img.bz2) = 94478b919bca3850f3afd213b15df6ad08904ac505e3ecc3d979b9cd33276afc
SHA256 (OPNsense-21.7.r1-OpenSSL-serial-amd64.img.bz2) = a72ef31a6e97644db8091cb9fa5cd7c785671da88c587ebbe417ac2fcb180202
SHA256 (OPNsense-21.7.r1-OpenSSL-vga-amd64.img.bz2) = bc7f9a3b36cf4b52b630ee5ff28b31044db4aabfdcb73f54177307d6fc5623ba
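
A check for downloaded images against BSD-style `SHA256 (file) = digest` lines like those above, as an added example that is not part of the original announcement or OPNsense's own tooling. The file name, image contents and damaged entry inside `demo()` are constructed, and digests are expected in lowercase hex.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# BSD-style digest line as in the list above: SHA256 (filename) = <64 hex chars>
# The name may not contain path separators or parentheses.
LINE_RE = re.compile(r"^SHA256 \((?P<name>[^()/\\]+)\) = (?P<digest>\S+)$")
HEX64_RE = re.compile(r"^[0-9a-f]{64}$")

def parse_checksums(text):
    """Return ({filename: digest}, [rejected lines]); malformed digests are rejected."""
    good, rejected = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = LINE_RE.match(line)
        if m and HEX64_RE.match(m["digest"]):
            good[m["name"]] = m["digest"]
        else:
            rejected.append(line)
    return good, rejected

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large images are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, checksums):
    """Return 'ok', 'mismatch', or 'unlisted' for a downloaded file."""
    expected = checksums.get(Path(path).name)
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "example-image.img.bz2"          # constructed file
        img.write_bytes(b"constructed sample image contents\n")
        listing = (f"SHA256 ({img.name}) = {sha256_file(img)}\n"
                   "SHA256 (damaged-entry.iso.bz2) = " + "a" * 63 + "Gc\n")
        sums, rejected = parse_checksums(listing)
        before = verify(img, sums)
        img.write_bytes(b"modified after the listing was made\n")
        return before, verify(img, sums), rejected

if __name__ == "__main__":
    print(demo())
```

Applied to the list above, `parse_checksums` rejects the dvd entry because its digest as reproduced here contains a non-hexadecimal character, so that value has to be taken from the original listing.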