Hi everyone,

The OPNsense team is proud to announce the final availability of version
17.1, nicknamed "Eclectic Eagle".  This major release features FreeBSD 11.0,
the SSH remote installer, new languages Italian / Czech / Portuguese,
state-of-the-art HardenedBSD security features, PHP 7.0, new plugins for
FTP Proxy / Tinc VPN / Let's Encrypt, native PAM authentication against e.g.
2FA (TOTP), as well a rewritten Nano-style card images that adapt to media
size to name only a few.

We would like to encourage everyone to supervise this major upgrade
physically.  As such, it cannot be performed from the GUI.  Instead, go
to the root console menu, choose option 12 and type "17.1" at the prompt.
The process will download a full set of updates and reboot multiple times.
All operating system files and packages will be reinstalled as a consequence.
This process can also be remotely triggered via SSH.

For fresh installations images are provided with OpenSSL for 32 and 64 bit
Intel architectures.  The new SSH installer feature will be listening on the
LAN port 192.168.1.1, give out DHCP leases to clients and can connect using
the user "root" (console menu) or "installer" (the installer, of course) with
the default password "opnsense".  The respective checksums for the images can
be found below this announcement and the direct download links from our
capable mirror providers are as follows:

https://opnsense.c0urier.net/releases/17.1/ (Europe)
http://mirrors.nycbug.org/pub/opnsense/releases/17.1/ (US East Coast)
http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1/ (US West Coast)

https://opnsense.org/download/ (full mirror list)

Here is the list of major features that have been worked on since 16.7 was
released 6 months ago:

o cooperative firewall forwarding to allow traffic shaper/captive portal
  with multi-WAN
o install media now boots up with SSH for headless remote installation
o HardenedBSD ASLR and PIE compilation for most binaries
o HardenedBSD SEGVGUARD to prevent ASLR brute force attacks
o PHP 7.0 compatibility and general GUI speed improvements
o replaced the CSRF implementation in the non-MVC pages
o integrated authentication using PAM to allow e.g. 2FA (TOTP) over SSH
o system secondary console support with new EFI and Mute options
o Portuguese/Portugal as a release language (contributed by Carlos Meireles)
o Portuguese/Brazil as a release language (contributed by Thiago Basilio)
o Italian as a release language (contributed by Antonio Prado)
o Czech as a release language (contributed by Pavel Borecki)
o improved password security (contributed by OSnet)
o FTP proxy plugin (contributed by Frank Brendel)
o Let's Encrypt Plugin[1] (contributed by Frank Wall)
o Tinc VPN Plugin
o IPsec tunnel isolation mode for interoperability
o micro versioning/migrations for config items
o constraint support for config items
o rewritten Nano images with growfs(8) support
o authentication methods are now fully pluggable
o firewall rules are now fully pluggable
o FreeBSD 11.0 including additional reliability fixes

Minor changes made since 16.7.14/17.1.r1:

o system: always restore native /var layout on boot
o system: make vt/sc configurable
o web proxy: improve validation for SSL bump URL input
  (contributed by Fabian Franz)
o web proxy: add plugin-capable pre/post authentication directories
  (contributed by Evgeny Bevz)
o mvc: use empty string instead of "##Unlinked" in missing elements
  (contributed by Frank Wall)
o www: replace CSRF implementation of static PHP pages
o src: convert result of hash_packet6() into host byte order
o src: correctly initialise subrulenr in pflog
o ports: openssl 1.0.2k[2]
o ports: php 7.0.15[3]

Additionally, these migration caveats should be heeded before upgrading:

o The integrated authentication framework is now used as a system-wide
  default including login(1), su(1) and sudo(8).  This means that e.g. when
  2FA is enabled for the GUI it will be used for low-level password prompts
  as well and plain passwords are disabled by default.  If this behaviour is
  undesired, set the "Disable integrated authentication" option under System:
  Settings: Administration.
o Disabled Gateway entries are now always honoured instead of being set up
  as a default gateway.
o The console settings received a non-backwards compatible change.  If the
  VGA console is not working, simply reconfigure it from System: Settings:
  Administration as it was likely set to "Serial" due to a wrong GUI default.
o FreeBSD 11.0 switched to the vt(4) console driver, but we are keeping sc(4)
  as the default.  You can change this after installation by enabling the
  virtual terminal driver under System: Settings: Administration.
o EFI boots may not yield a console anymore, the setting for VGA is wrong
  now and should be switched to "EFI" under System: Settings: Administration.
o The access privileges for "Lobby: Login / Logout / Dashboard" and
  "Diagnostics: Backup / Restore" have been remapped internally and
  need to be reapplied when they have been assigned explicitly.
o The inherited 6rd kernel patches are not included in standard FreeBSD 11.0.
  The state of 6rd is possibly broken.  We ask for volunteers to pick up the
  work if 6rd is still a requirement, as we do not have access to such setups.
o Fundamental WiFi stack changes in FreeBSD 11.0 could still affect overall
  operability.  Please let us know about these right away.
o The following services moved to individual plugins and need to be reinstalled
  in order to be used: SNMP, Load Balancer, Wake on LAN, Universal Plug and
  Play, IGMP Proxy.  Their respective configurations will be preserved by the
  system even if these plugins are not installed.
o The Intel e1000 driver plugin has been removed due to an incompatibility
  with FreeBSD 11.0.  All previously known bugs of the FreeBSD 11.0 e1000
  driver have been fixed in OPNsense 17.1 and reported to FreeBSD.

We would love to hear your feedback!  As we want OPNsense the best it can
be for you, please do not hesitate to contact us through any of the known
channels:

o Twitter: https://twitter.com/opnsense
o Forum: https://forum.opnsense.org/
o GitHub: https://github.com/opnsense


Stay safe,
Ad, Franco, Jos and Shawn

--
[1] https://github.com/opnsense/plugins/pull/66
[2] https://www.openssl.org/news/secadv/20170126.txt
[3] https://php.net/ChangeLog-7.php#7.0.15

SHA256 (OPNsense-17.1-OpenSSL-cdrom-amd64.iso.bz2) = 6cbd83204366c366b603a36f5586424dd779d84c2b34f2e2ba3d66137d28fe97
SHA256 (OPNsense-17.1-OpenSSL-nano-amd64.img.bz2) = fc91680ad6933f4151afbd869b136d2d84348112dfd8f4837a1e8e0880aec1ec
SHA256 (OPNsense-17.1-OpenSSL-serial-amd64.img.bz2) = 4ba88dc98733e38ffc7681f862ad7197b866a4b7fffb858d64403d32b42fee3f
SHA256 (OPNsense-17.1-OpenSSL-vga-amd64.img.bz2) = de46b29fe8aa79bd9bab6d68c24b80759efd6ef59c235b296eb59adbe408d055
SHA256 (OPNsense-17.1-OpenSSL-cdrom-i386.iso.bz2) = 29ee7759e7834d9fc162623af0172899a3cd79e25c5205ee935c5131a51e8777
SHA256 (OPNsense-17.1-OpenSSL-nano-i386.img.bz2) = a89c3b15e3689693f8ed0610d4bc8a03ef779c7576b0a6bf5ae16b8080ac8c4c
SHA256 (OPNsense-17.1-OpenSSL-serial-i386.img.bz2) = 3314d0cdafa17900beda91a9a03a2325f164948f1e17421387532f4efdb9e9c4
SHA256 (OPNsense-17.1-OpenSSL-vga-i386.img.bz2) = 6a63746d021095fc72ca20303b46c4994dea85cafd9bdfca948fa17afb28f80e

MD5 (OPNsense-17.1-OpenSSL-cdrom-amd64.iso.bz2) = b39a8440377b6a2aae5832e3caea23d7
MD5 (OPNsense-17.1-OpenSSL-nano-amd64.img.bz2) = 583c7d4a4c4263d51e0fa153f8c021e4
MD5 (OPNsense-17.1-OpenSSL-serial-amd64.img.bz2) = d4da49aa8f4d24ab0dc8ed7f025b7b46
MD5 (OPNsense-17.1-OpenSSL-vga-amd64.img.bz2) = 5ea6b7771a35fbdd97abc99ca4da1b4c
MD5 (OPNsense-17.1-OpenSSL-cdrom-i386.iso.bz2) = c8b63d4018ab072f9a2370e1040381d8
MD5 (OPNsense-17.1-OpenSSL-nano-i386.img.bz2) = 3989eb61efcc7057166e64662d26714a
MD5 (OPNsense-17.1-OpenSSL-serial-i386.img.bz2) = 4ca5a146a050e46deffdac001e7b3f0d
MD5 (OPNsense-17.1-OpenSSL-vga-i386.img.bz2) = 888f3b23a381d93600596f86c0f94cd4
