Software update: OPNsense 21.1.6

The OPNsense package is a firewall with extensive capabilities. It is based on the FreeBSD operating system and originated as a fork of m0n0wall and pfSense. It can be configured entirely through a web interface and supports, among other things, 2FA, OpenVPN, IPsec, CARP and captive portal. It can also perform packet filtering and includes a traffic shaper. The developers have released OPNsense 21.1.6 with the following announcement:

OPNsense 21.1.6 released

With a bit of delay we bring to you the usual mix of security and reliability updates. It is of note that the OpenVPN advisory tracked as CVE-2020-15078 does not affect the provided version 2.4.11, but the security audit will falsely flag it as vulnerable because the source of the audit is FreeBSD where OpenVPN was migrated to 2.5 series already.

Plans for upcoming 21.1.x versions include a swift Phalcon 4 migration as well as Python 3.8 and PHP 7.4 updates.

Here are the full patch notes:

  • system: add audit log target and move related syslog messages there
  • system: set HSTS max-age to 1 year (contributed by Maurice Walker)
  • system: fix restore copy in console recovery
  • interfaces: overhaul approach to clear states when WAN address changes
  • interfaces: add policy-based routing support for “dynamic” interface gateways
  • interfaces: return scoped link-local in get_configured_ip_addresses()
  • firewall: NPTv6 configuration clean-up (contributed by Maurice Walker)
  • firewall: remove redundant NPTv6 binat rule (contributed by Maurice Walker)
  • firewall: live log widget multiple interfaces and inspect feature (contributed by kulikov-a)
  • firewall: add live log filter templates feature (contributed by kulikov-a)
  • dhcp: compress expanded IPv6 lease addresses for clean match with system
  • dhcp: on the GUI pages avoid the use of dhcpd_dhcp_configure()
  • dnsmasq: use dhcpd_staticmap() for lease registration
  • firmware: opnsense-patch now also invalidates the menu cache
  • ipsec: add “keyingtries” phase 1 configuration option
  • ipsec: automatic outbound NAT rules missed mobile clients
  • ipsec: fix typo in autogenerated rules for virtual IP use
  • openvpn: fix wizard regression after certificate changes in 21.1.5
  • openvpn: remove now defunct OpenSSL engine support
  • unbound: clean blacklist domain input
  • unbound: match whole entry in blacklists (contributed by kulikov-a)
  • unbound: use dhcpd_staticmap() for lease registration
  • ui: upgrade chart.js to 2.9.4
  • ui: update chartjs plugin streaming to 1.9.0
  • ui: order interfaces in groups
  • ui: sidebar menu fix for long listings (contributed by Team Rebellion)
  • plugins: os-acme-client 2.5
  • plugins: os-chrony 1.3
  • plugins: os-dyndns 1.24
  • plugins: os-freeradius 1.9.12
  • plugins: os-haproxy 3.3
  • plugins: os-intrusion-detection-content-et-open 1.0.1 adds emerging-inappropriate ruleset
  • plugins: os-nginx expected MIME type fix (contributed by Kimotu Bates)
  • plugins: os-qemu-guest-agent 1.0 (contributed by Frank Wall)
  • plugins: os-relayd 2.5
  • plugins: os-telegraf 1.10.1
  • plugins: os-zabbix4-proxy 1.3
  • plugins: os-zabbix5-proxy 1.5
  • src: axgbe: check for IFCAP_VLAN_HWTAGGING when reading descriptor
  • src: axgbe: add 1000BASE-BX SFP support
  • src: race condition in aesni(4) encrypt-then-auth operations
  • ports: curl 7.76.1
  • ports: filterlog 0.4 adds label support to output if applicable
  • ports: libressl 3.3.3
  • ports: libxml2 fix for CVE-2021-3541
  • ports: nss 3.65
  • ports: openssh-portable 8.6p1
  • ports: openvpn 2.4.11
  • ports: php 7.3.28
  • ports: sqlite 3.35.5
  • ports: sudo 1.9.7
  • ports: syslog-ng 3.32.1

Version number: 21.1.6
Release status: Final
Operating systems: Linux, BSD
Website: OPNsense
License type: GPL