OPNsense 19.1 released

OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

The 19.1 release, nicknamed "Inspiring Iguana", consists of a total of 620 individual changes since 18.7 came out 6 months ago, spread out over 12 intermediate releases including the recent release candidates. That is an average of 2 stable releases per month, security updates and important bug fixes included! If we had to pick a few highlights, they would be: The firewall alias API is finally in place. The migration to HardenedBSD 11.2 has been completed. 2FA now works with a remote LDAP / local TOTP combination. And the OpenVPN client export was rewritten for full API support as well.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/19.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
o Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 18.7:

o fully functional firewall alias API
o PIE firewall shaper support
o firewall NAT rule logging support
o 2FA via LDAP-TOTP combination
o WPAD / PAC and parent proxy support in the web proxy
o P12 certificate export with custom passwords
o Dpinger is now the default gateway monitor
o ET Pro Telemetry edition plugin[2]
o extended IPv6 DUID support
o Dnsmasq DNSSEC support
o OpenVPN client export API
o Realtek NIC driver version 1.95
o HardenedBSD 11.2, LibreSSL 2.7
o Unbound 1.8, Suricata 4.1
o Phalcon 3.4, Perl 5.28
o firmware health check extended to cover all OS files, HTTPS mirror default
o updates are browser cache-safe regarding CSS and JavaScript assets
o collapsible side bar menu in the default theme
o language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
o API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat and Dnscrypt-proxy plugins

Here are the full changes against version 19.1-RC2:

o ipsec: add firewall interface as soon as phase 1 is enabled
o ipsec: phase 1 selection GUI JavaScript compatibility fix
o monit: widget improvements and bug fix (contributed by Frank Brendel)
o ui: fix regression in single host or network subnet select in static pages
o plugins: os-frr 1.7 updates OSPF outbound rules (contributed by Fabian Franz)
o plugins: os-telegraf 1.7.4 fixes packet filter input
o plugins: os-theme-rebellion 1.8.2 adds image colour invert
o plugins: os-vnstat 1.1[3]
o plugins: os-zabbix-agent now uses Zabbix version 4.0
o src: revert mmc_calculate_clock() as HS200/HS400 support breaks legacy support
o src: update sqlite3-3.20.0 to sqlite3-3.26.0[4]
o src: import tzdata 2018h, 2018i[5]
o src: avoid unsynchronized updates to kn_status[6]
o ports: ca_root_nss 3.42
o ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion)
o ports: sudo patch to fix listpw=never[7]

Migration notes and minor incompatibilities to look out for:

o Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration. Apinger is no longer available.
o Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
o Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.
o Please read the FRR documentation with regard to the required system tunables[8].
o Bhyve UEFI boot may fail as a guest. The problem is being investigated.
o SNMP plugin has been superseded by Net-SNMP plugin.
