<p>Hi there,</p><p>For an entire decade now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.</p><p>25.1, nicknamed "Ultimate Unicorn", features numerous MVC/API conversions, improved security zones support and documentation, ZFS snapshot support, a new UI look with a light and dark theme, PHP 8.3, FreeBSD 14.2 plus much more.</p><p>Download links, an installation guide[<a target="_blank" href="https://docs.opnsense.org/manual/install.html">1</a>] and the checksums for the images can be found below as well.</p><p><ul><li>Europe: <a target="_blank" href="https://opnsense.c0urier.net/releases/25.1/">https://opnsense.c0urier.net/releases/25.1/</a></li><li>US East Coast: <a target="_blank" href="https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.1/">https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.1/</a></li><li>US West Coast: <a target="_blank" href="https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.1/">https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.1/</a></li><li>South America: <a target="_blank" href="http://mirror.ueb.edu.ec/opnsense/releases/25.1/">http://mirror.ueb.edu.ec/opnsense/releases/25.1/</a></li><li>East Asia: <a target="_blank" href="https://mirror.ntct.edu.tw/opnsense/releases/25.1/">https://mirror.ntct.edu.tw/opnsense/releases/25.1/</a></li><li>Full mirror list: <a target="_blank" href="https://opnsense.org/download/">https://opnsense.org/download/</a></li></ul></p><p>Here are the full patch notes against version 24.7.12:</p><p><ul><li>system: migrate user, group and privilege management to MVC/API</li><li>system: remove the "disable integrated authentication" feature</li><li>system: add "Default groups" option to add standard groups when a LDAP/RADIUS user logs in</li><li>system: remove the old manual LDAP
importer</li><li>system: migrate HA status page to MVC/API</li><li>system: allow custom additions to sshd_config (contributed by Neil Greatorex)</li><li>system: increase max-request-field-size for web GUI</li><li>system: set tunable default for checksum offloading of the vtnet(4) driver to disabled (contributed by Patrick M. Hausen)</li><li>system: add support for RFC 5549 routes and refactor static route creation code</li><li>system: improve notification support to also allow persistent notifications and static banners</li><li>system: add notifications for low disk space and OpenSSH file override use</li><li>system: migrate tunables page to MVC/API</li><li>system: switch to temperature sensor caching</li><li>system: add certificate widget to track expiration dates and allow quick renewal</li><li>system: remove deprecated "page-getserviceprovider", "page-dashboard-all" and "page-system-groupmanager-addprivs" privileges</li><li>system: replace file_get_contents() with curl implementation in XMLRPC sync and add verifypeer option</li><li>system: add item edit links to several dashboard widgets</li><li>system: prioritize index page and prevent redirection to a /api page on login</li><li>system: mute disk space status in case of live install media</li><li>system: optimize system status collection</li><li>interfaces: adhere to DAD during VIP recreation in rc.newwanipv6</li><li>interfaces: remove non-functional features from bridges</li><li>interfaces: remove PPP edit in interfaces settings</li><li>interfaces: batched device type creation under "Devices" submenu</li><li>interfaces: move PPP and wireless logs to system log</li><li>interfaces: remove "Use IPv4 connectivity" setting as it will be set by default</li><li>firewall: use "skip lo0" instead of policing lo0 explicitly following OpenBSD best practice</li><li>firewall: remove duplicate table definition and make sure bogonsv6 table always exists</li><li>firewall: cleanup of CARP and IPv6 rules 
behaviour</li><li>firewall: filter feature parity in automation rules</li><li>firewall: offer multi-select on source and destination addresses</li><li>firewall: add experimental inline shaper support to filter rules</li><li>firewall: add missing columns on one-to-one NAT page</li><li>firewall: fix unassociated rule creation</li><li>firewall: fix anti-lockout and "allow access to DHCP failover" automatic rules</li><li>firewall: add optional authorization for URL type aliases</li><li>firewall: add "URL Table in JSON format (IPs)" alias type</li><li>dnsmasq: update ICANN Trust Anchor (contributed by Loganaden Velvindron)</li><li>firmware: fix "r" abbreviation vs. version_compare();</li><li>installer: fixed missing prompt and help text in ZFS disk selection</li><li>installer: warn on low RAM for ZFS as well</li><li>installer: added a power off option</li><li>intrusion detection: policy content dropdown missing data-container</li><li>intrusion detection: cleanse metadata for brackets</li><li>ipsec: add log search button in sessions</li><li>ipsec: add banner message when using custom configuration files</li><li>kea-dhcp: add "match-client-id" in subnet definitions</li><li>lang: update available translations</li><li>monit: wrap exec in double quotes to allow arguments (contributed by Nikita Uvarov)</li><li>monit: flag file overwrites when they exist</li><li>network time: take IPv6 addresses into account</li><li>network time: remove support for explicit VIP selection</li><li>openvpn: add validation pertaining to auth-gen-token and reneg-sec combinations</li><li>unbound: cleanup available blocklists and add hagezi blocklists</li><li>unbound: fix root.hits permission on copy</li><li>unbound: flag file overwrites when they exist</li><li>backend: -m option is unused so remove its complication</li><li>mvc: implement reusable grid template using form definitions</li><li>mvc: add Default() method to reset a model to its factory defaults</li><li>mvc: fix LegacyMapper when the 
mount point is not the XML root</li><li>mvc: move explicit cast in BaseModel when calling field->setValue()</li><li>mvc: fields should implement getCurrentValue() rather than __toString()</li><li>mvc: fix value lookup in LinkAddressField</li><li>mvc: memory preservation fix in BaseListField</li><li>mvc: support lazy loading on alias models and use it in NetworkAliasField</li><li>mvc: fix NetworkValidator for IPv4-mapped addresses with netmask (contributed by John Fieber)</li><li>ui: upgrade Font Awesome icons to version 6</li><li>ui: push search/edit logic towards bootgrid implementation</li><li>ui: improved links with automatic edit and/or search</li><li>ui: rewritten default theme for a light look and new logo</li><li>ui: added default theme variant with a dark look</li><li>plugins: turning binary data into JSON may fail globally</li><li>plugins: os-acme-client 4.8[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/25.1/security/acme-client/pkg-descr">2</a>]</li><li>plugins: os-caddy 1.8.1[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr">3</a>]</li><li>plugins: os-cpu-microcode 1.1 removes unneeded late loading code</li><li>plugins: os-haproxy 4.5[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/25.1/net/haproxy/pkg-descr">4</a>]</li><li>plugins: os-tailscale 1.2[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/25.1/security/tailscale/pkg-descr">5</a>]</li><li>src: FreeBSD 14.2-RELEASE[<a target="_blank" href="https://www.freebsd.org/releases/14.2R/relnotes/">6</a>]</li><li>src: p9fs: add an implementation of the 9P filesystem</li><li>ports: lighttpd 1.4.77[<a target="_blank" href="https://www.lighttpd.net/2025/1/10/1.4.77/">7</a>]</li><li>ports: openvpn 2.6.13[<a target="_blank" href="https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.13">8</a>]</li><li>ports: php 8.3.15[<a target="_blank" 
href="https://www.php.net/ChangeLog-8.php#8.3.15">9</a>]</li><li>ports: radvd 2.20[<a target="_blank" href="https://radvd.litech.org/">10</a>]</li></ul></p><p>Migration notes, known issues and limitations:</p><p><ul><li>The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. The integrated authentication via PAM has been the default for a long time so the option to disable it has been removed. The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option. The "page-system-groupmanager-addprivs" privilege was removed since the page does not exist anymore. A multi-purpose privilege editor has been added under the existing "page-system-usermanager-addprivs" instead.</li><li>PPP devices can no longer be configured on the interface settings page. To edit the device settings use the native PPP device edit page instead.</li><li>FreeBSD 14.2 comes with the stock pf(4) behaviour regarding ICMPv6 neighbour discovery state tracking which was avoided so far in 24.7.x.</li><li>Let's Encrypt ends support for the OCSP Must Staple extension on 30.01.2025. 
Issuance requests will fail if this option is still enabled past this date.</li></ul></p><p>The public key for the 25.1 series is:</p><p><br>Stay safe,<br> Your OPNsense team</p><p><pre>SHA256 (OPNsense-25.1-dvd-amd64.iso.bz2) = 68efe0e5c20bd5fbe42918f000685ec10a1756126e37ca28f187b2ad7e5889ca
SHA256 (OPNsense-25.1-nano-amd64.img.bz2) = a51e4499df6394042ad804daa8e376c291e8475860343a0a44d93d8c8cf4636e
SHA256 (OPNsense-25.1-serial-amd64.img.bz2) = 57c05e935790f9b2b800a19374948284889988741cfbaf6fae7600f7a4451022
SHA256 (OPNsense-25.1-vga-amd64.img.bz2) = 89fcf5bdb1d2ea2ea6ba4cdc1268ea0a1e22b944330d7bee0711c8630cc905af</pre></p>