OPNsense 19.1-RC1 released – OPNsense, Your Next Open Source Firewall

For nearly four years now, OPNsense has been driving innovation by modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, quick adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe:
o US East Coast:
o US West Coast:
o South America:
o South-East Asia:
o Full mirror listing:

Here are the full changes against version 18.7.10:

o system: console port assignment can now assign OPT without LAN
o system: anti-lockout will use OPT1 if LAN is not present
o system: allow creation of combined client/server SSL certificates
o system: gateway monitoring switches to Dpinger with Apinger removed
o system: detect unassigned gateways in static address setups
o system: more advanced gateway monitoring options for Dpinger (contributed by Team Rebellion)
o system: removal of the old notification system in favour of Monit
o system: only allow syslog remote binding to assigned interfaces
o system: disable IP aliases configured with VHID on temporary disable
o system: remove AHCI MSI disable workaround used in FreeBSD 11.1
o system: default gateway switching moves back to general settings
o system: beep sound notification setting moves to misc. settings
o system: restrict log line length in log widget
o interfaces: change 6RD/6to4 interface prefix from internal name to physical device
o interfaces: prohibit monitoring on 6RD with /64 upstream prefix
o interfaces: remove unneeded use of potentially clashing fe80::1:1 addresses for IPv6 monitoring
o interfaces: clear an apparently faulty system DUID when no manual DUID is set
o interfaces: updated custom dhclient-script used for DHCPv4
o interfaces: VIP support for GRE devices
o interfaces: simplify find_interface_ip* functions
o interfaces: remove get_interface_subnet* functions
o interfaces: remove unused get_possible_listen_ips function
o interfaces: link status indicator on assignments page
o interfaces: unify interface removal code
o firewall: change GeoIP database download to HTTPS
o firewall: find IP reference tool for aliases
o firewall: improve alias page responsiveness with large number of addresses
o firewall: show system errors when reloading aliases
o firewall: NAT port forward logging option and live view support
o firewall: optionally resolve all host names in live view
o firewall: not all states could be removed in diagnostics page
o firewall: clean up unused NAT rule association code
o reporting: improve handling of empty Insight datasets
o reporting: prepare for Python 3 conversion
o firmware: change default mirror location to HTTPS
o firmware: health check for base and kernel files including version check
o firmware: support base and kernel file size in packages overview
o firmware: /var MFS compatibility on base installation when reboot is deferred
o firmware: command line core lock function prevents package upgrades
o firmware: internally remember plugins installed or removed in the GUI
o firmware: show last known update log on page open
o firmware: show untrusted repository error in GUI
o firmware: separate changelogs tab for clarity
o dhcp: refuse setup of instances that do not have any associated IP address
o dhcp: fix lease time local vs. UTC display in IPv6 leases
o installer: change communication from TCP to named pipes
o installer: fix sporadic segmentation faults in frontend code
o installer: allow config import from ZFS pools
o installer: allow password reset on ZFS pools
o installer: removed several unused modules
o ipsec: generate correct config for "Hybrid-RSA + XAuth" (contributed by Max Weller)
o ipsec: reworked strongswan.conf generation
o ipsec: use new interface subnet retrieval code
o monit: support declaring dependencies (contributed by Alexander Werner)
o monit: add Service/Test type relation (contributed by Frank Brendel)
o monit: add CARP status to default services
o monit: add gateway alerts to default services
o monit: backend rework to simplify the service
o intrusion detection: support base ruleset overlays and improve logging
o intrusion detection: GeoIP function in user-defined rules has been removed
o intrusion detection: obey Content-Disposition header
o openvpn: client export rewrite, new export option for The Green Bow
o unbound: reworked slab calculation
o unbound: added statistics page
o unbound: only bind to interfaces or OpenVPN instances, always bind to loopback
o unbound: fix ACL subnet calculation for OpenVPN instances
o unbound: do not generate host entries for OpenVPN instances
o unbound: improve help text wording and general settings layout
o web proxy: parent proxy support (contributed by Michael Muenz)
o wizard: fix checkbox label styling
o mvc: converted reboot, halt and license page to MVC
o mvc: compared-to-field constraint (contributed by Fabian Franz)
o mvc: external clients which set Authorization header now receive raw JSON responses
o mvc: fix empty value check in grid (contributed by Smart-Soft)
o mvc: globally lock config when multiple items are deleted at once
o mvc: volt template JavaScript cleanups
o ui: updated bootstrap-select to version 1.13.3
o ui: collapsible sidebar support in default theme (contributed by Team Rebellion)
o plugins: os-acme-client 1.19[2]
o plugins: os-c-icap 1.7 adds template support (contributed by Michael Muenz)
o plugins: os-dmidecode hardware info widget (contributed by Smart-Soft)
o plugins: os-dyndns 1.12 changes HE tunnel broker to newer API (contributed by Dusan Dragic)
o plugins: os-frr switches to FRR, please see below
o plugins: os-l2tp 1.8 interface now selects reachable server address
o plugins: os-pptp 1.8 interface now selects reachable server address
o plugins: os-openconnect 1.3.3[3]
o plugins: os-quagga removed, please use os-frr instead
o plugins: os-nginx 1.6[4]
o plugins: os-rspamd 1.4 allows setting manual spam scores and subject (contributed by Michael Muenz and Fabian Franz)
o plugins: os-snmp removed, please use os-net-snmp instead
o plugins: os-theme-cicada 1.13
o plugins: os-theme-tukan 1.12
o plugins: os-wol 2.1 fixes widget link (contributed by Fabian Franz)
o src: HardenedBSD 11.2-RELEASE-p7[5][6][7]
o src: fix missing transmit visibility for BPF-based listeners in native netmap mode
o src: limit the maximum number of fragments per packet in pf
o src: replace rwlock on PF_RULES_LOCK with rmlock in pf
o src: do not discard UDP6 traffic in Hyper-V adaptors
o src: fix state sync during initial bulk update in pfsync
o src: unbreak dhclient(8) option 26 processing
o src: import APU 1-3 LED kernel module
o ports: krb5 1.17[8]
o ports: php 7.1.26[9]
o ports: sudo 1.8.27[10]
o ports: perl 5.28.1[11]
o ports: suricata netmap forward-compatibility patch (contributed by Sunny Valley Networks)

Known issues and limitations:

o Gateway health graphs may need a manual reset because of the Apinger to Dpinger migration.
o Intrusion detection GeoIP rules are automatically deactivated and must be manually migrated to firewall alias GeoIP.
o Monit general settings do not save. A patch exists[12] to remedy this problem: opnsense-patch a2899594
o Issue with IDS migration code creating a spurious crash report. Patch already completed for the final 19.1.
o Quagga plugin has been superseded by FRR plugin. A binary quagga package has been preserved for the time being.
o Please read the FRR documentation with regard to the required system tunables[13].
o SNMP plugin has been superseded by Net-SNMP plugin.
o ZFS guided installation pending.

The public key for the 19.1 series is:

