Current File : //backups/router/usr/local/opnsense/changelog/25.7.htm
<p>Hi there,</p><p>For over a decade now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.</p><p>25.7, nicknamed "Visionary Viper", features reusable and thoroughly revamped frontend code, an SFTP backup plugin, experimental privilege separation for the GUI, JSON container support for aliases, a new and improved firewall automation GUI, performance enhancements especially for numerous aliases being used at once, Dnsmasq DHCP support, Kea DHCPv6 support, Greek as a new language, FreeBSD 14.3 plus much more.</p><p>Download links, an installation guide[<a target="_blank" href="https://docs.opnsense.org/manual/install.html">1</a>] and the checksums for the images can be found below as well.</p><p><ul><li>Europe: <a target="_blank" href="https://opnsense.c0urier.net/releases/25.7/">https://opnsense.c0urier.net/releases/25.7/</a></li><li>US East Coast: <a target="_blank" href="https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.7/">https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.7/</a></li><li>US West Coast: <a target="_blank" href="https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.7/">https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.7/</a></li><li>South America: <a target="_blank" href="http://mirror.ueb.edu.ec/opnsense/releases/25.7/">http://mirror.ueb.edu.ec/opnsense/releases/25.7/</a></li><li>East Asia: <a target="_blank" href="https://mirror.ntct.edu.tw/opnsense/releases/25.7/">https://mirror.ntct.edu.tw/opnsense/releases/25.7/</a></li><li>Full mirror list: <a target="_blank" href="https://opnsense.org/download/">https://opnsense.org/download/</a></li></ul></p><p>Here are the full patch notes:</p><p><ul><li>system: the setup wizard was rewritten using MVC/API</li><li>system: change default DHCP use from ISC to Dnsmasq for factory reset and console port and address assignments</li><li>system: numerous permission, ownership and directory alignments for web GUI privilege separation</li><li>system: allow experimental feature to run web GUI privilege separated as "wwwonly" user</li><li>system: add a banner when trying to revert the privilege separated GUI back to root at run time</li><li>system: consistently use empty() checks on "blockbogons", "blockpriv", "dnsallowoverride" and "dnsallowoverride_exclude"</li><li>system: change default system domain to "internal" (contributed by Self-Hosting-Group)</li><li>system: add missing "kernel" application for remote logging</li><li>system: remove the "optional" notion of tunables known to the system</li><li>system: enable kernel timestamps by default</li><li>system: allow CSR to be downloaded from System/Trust/Certificates (contributed by Gavin Chappell)</li><li>reporting: removed the unused second argument in getSystemHealthAction()</li><li>reporting: renamed getRRDlistAction() to getRrdListAction()</li><li>interfaces: fix media settings write issue since 24.7 as it would not apply when "autoselect" result already matched</li><li>interfaces: removed defunct SLAAC tracking functionality (SLAAC on WAN still works fine)</li><li>interfaces: no longer fix improper WLAN clone naming at run time as it should be ensured by code for a long time now</li><li>interfaces: remove the functions get_configured_carp_interface_list() and get_configured_ip_aliases_list()</li><li>interfaces: add VIP grid formatter to hide row field content based on the set mode</li><li>interfaces: drop redundant updates in rtsold_resolvconf.sh (contributed by Andrew Baumann)</li><li>firewall: add expire option to external aliases to automatically cleanup tables via cron</li><li>firewall: removed the expiretable binary use in favour of the builtin pfctl</li><li>firewall: speed up alias functionality by using the new model caching</li><li>firewall: consolidated ipfw/dnctl scripting and fix edge case reloads</li><li>firewall: code cleanup and performance improvements for alias diagnostics page</li><li>firewall: fix AttributeError: DNAME object has no attribute address on DNS fetch for aliases</li><li>firewall: assorted UI updates for automation pages</li><li>captive portal: make room for additional authentication profiles</li><li>captive portal: API dispatcher is now privilege separated via "wwwonly" user and group</li><li>dnsmasq: add optional subnet mask to "dhcp-range" to satisfy DHCP relay requirements</li><li>dnsmasq: sync CSV export with ISC and Kea structure</li><li>dnsmasq: add CNAME configuration option to host overrides</li><li>dnsmasq: add ipset support</li><li>firmware: opnsense-version: build time package variable replacements can now be read at run time</li><li>firmware: hide community plugins by default and add a checkbox to unhide them on the same page</li><li>firmware: introduce a new support tier 4 for development and otherwise unknown plugins</li><li>firmware: disable the FreeBSD-kmods repository by default</li><li>firmware: sunset mirror dns-root.de (many thanks to Alexander Lauster for maintaining it for almost a decade!)</li><li>intrusion detection: add an override banner for custom.yaml use</li><li>intrusion detection: add JA4 support (contributed by Maxime Thiebaut)</li><li>isc-dhcp: show tracking IPv6 interfaces when automatically enabled and offer an explicit disable</li><li>isc-dhcp: hide IPv4 menu items when Dnsmasq DHCP is enabled to improve out of the box experience</li><li>isc-dhcp: add static mapping CSV export</li><li>kea-dhcp: add DNS field to Kea DHCP4 reservations (contributed by Gtt1229)</li><li>lang: add Greek as a new language (contributed by sopex)</li><li>lang: make more strings translate-able (contributed by Tobias Degen)</li><li>openvpn: the server wizard functionality has been permanently removed as it required the old wizard implementation</li><li>openvpn: "keepalive_timeout" must be at least twice the interval value validation</li><li>wireguard: add diagnostics and log file ACL</li><li>backend: trigger boot template reload without using configd</li><li>mvc: introduce generic model caching to improve operational performance</li><li>mvc: field types quality of life improvements with new getValues() and isEqual() functions</li><li>mvc: filed types deprecated getCurrentValue() in favour of getValue() and removed isEmptyString()</li><li>mvc: new BaseSetField() as a parent class for several other field types and numerous new and improved unit tests</li><li>mvc: support chown/chgrp in File and FileObject classes</li><li>mvc: use getNodeContent() to gather grid data</li><li>mvc: allow PortOptional=Y for IPPortField</li><li>mvc: remove SelectOptions support for CSVListField</li><li>ui: switch from Bootgrid to Tabulator for MVC grid rendering</li><li>ui: numerous switches to shared base_bootgrid_table and base_apply_button use</li><li>ui: flatten nested containers for grid inclusion</li><li>ui: use snake_case for all API URLs and adjust ACLs accordingly</li><li>ui: add standard HTML color input support</li><li>ui: move tooltip load event to single-fire mode</li><li>ui: add checkmark to SimpleActionButton as additional indicator</li><li>ui: improve menu icons/text spacing (contributed by sopex)</li><li>plugins: replace variables in package scripts by default</li><li>plugins: os-acme-client 4.10[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/25.7/security/acme-client/pkg-descr">2</a>]</li><li>plugins: os-bind 1.34[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/25.7/dns/bind/pkg-descr">3</a>]</li><li>plugins: os-crowdsec 1.0.11[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/25.7/security/crowdsec/pkg-descr">4</a>]</li><li>plugins: os-frr 1.45[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr">5</a>]</li><li>plugins: os-gdrive-backup 1.0 for Google Drive backup support</li><li>plugins: os-grid_example 1.1 updates best practice on grid development</li><li>plugins: os-openvpn-legacy 1.0 for legacy OpenVPN components support</li><li>plugins: os-puppet-agent 1.2[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/25.7/sysutils/puppet-agent/pkg-descr">6</a>]</li><li>plugins: os-strongswan-legacy 1.0 for legacy IPsec components support</li><li>src: FreeBSD 14.3-RELEASE-p1 plus assorted stable/14 networking commits[<a target="_blank" href="https://www.freebsd.org/releases/14.3R/relnotes/">7</a>]</li></ul></p><p>Migration notes, known issues and limitations:</p><p><ul><li>Deprecated Google Drive backups due to upstream policy changes and moved to plugins for existing users.</li><li>API URLs registered in the default ACLs have been switched from "camelCase" to "snake_case".</li><li>API grid return values now offer "%field" for a value description when available. "field" will now always be the literal value from the configuration. The API previously returned a display value for some field types, but not all.</li><li>Reverted tunables "hw.ibrs_disable" and "vm.pmap.pti" to FreeBSD defaults. If you want these set differently, then add them with an explicit value.</li><li>While the mirror dns-root.de has been removed it will not be stripped from a running configuration and may keep working for a while longer. To ensure updates, however, please choose a different mirror at your own convenience.</li><li>Moved OpenVPN legacy to plugins as a first step to deprecation.</li><li>Moved IPsec legacy to plugins as a first step to deprecation.</li></ul></p><p>The public key for the 25.7 series is:</p><p><pre>-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn9lXekbm5KcktbiWpmQf
drRC8LmAOTV9Cbdd3em6iDFFcw8vmRS7Rbo2/exxYiPCqEPxxPtUsW+g/a6fqPJp
pof5D1EHWqzPfkjRQV6ipQjm+ocJGkfbeHsp5I77L+w7om5TbPYBkOjg+iMd442d
VYxgqXmMZy+6v78ofVM+wyba0GkRymFt0qf5k5uk3Auztcfanc2Ymsc+PDdjGHQd
c9H8T0T6To8Z0xrbEXzY00IqSRkLto9Cl+xEmEAz/AiEu2WtEadOqSpDy9dsJfQg
HpBQVlGQdphj5zmkqG6JSL1Uw+02OeIXOfFWRtqgW7vMyU0IbER3hLpvh6BlsqNJ
LCPfD7F/dzDPU5LniDRRb4MrTlVpJk2h8pk7GbmJCqAyWJJZ6n3a+InPtUfl9gP5
T0d15N7myh8RLssP+TIy8hiBHtc/yK89dUahGei1xDuh0HdytRLLLWVXqgWwgXhd
9it8l8AJ/D2BtuyExpJOWx3sYvmhJiPN8phCaR2G2E+QRA2X5nHGyUw5jYpKI8Om
Q2khz1PBYcA/T5lKhM3HRFCu2HZsPKT5CEevZfUuPDXIqwx+LMFs6qqbzbGrdn1F
H6ZSlG0BWuokeyjhN2mB0Fr6kdLobmfVgZHUS7KOwcI9BdftSDbEk8kMxrQlwugh
4I1hTrAycMERbjeUKg1plx8CAwEAAQ==
-----END PUBLIC KEY-----</pre></p><p><br>Stay safe and keep believing,<br> Your OPNsense team</p><p><pre>SHA256 (OPNsense-25.7-dvd-amd64.iso.bz2) = fa4b30df3f5fd7a2b1a1b2bdfaecfe02337ee42f77e2d0ae8a60753ea7eb153e
SHA256 (OPNsense-25.7-nano-amd64.img.bz2) = f58f57da42a2a6d445b6e04780572d6e2d6d9ceaff8a9e5f7bbefd0fedeaa3c0
SHA256 (OPNsense-25.7-serial-amd64.img.bz2) = 889d81fa738d472b996008c35718278e2076d19b7bbc108f2dc04353e01766fd
SHA256 (OPNsense-25.7-vga-amd64.img.bz2) = 705e112e3c0566e6e568605173a8353a51d48074d48facf5c5831d2a0f7fb175</pre></p>
Mini Shell