StiffGuard® 19.1 Released

This is a security and reliability release: WAN DHCP will no longer trust
the server MTU given. Uncoordinated cross site scripting issues have been
fixed.  And the Python request library was patched due to CVE 2018-18074.

Here are the full patch notes:

o system: address XSS-prone escaping issues
o firewall: add port range validation to shaper inputs
o firewall: drop description validation constraints
o interfaces: DHCP override MTU option (contributed by Team Rebellion)
o interfaces: properly configure SIM PIN on custom modems
o reporting: prevent cleanup from deleting current data when future data exists
o ipsec: allow same local subnet if used in different phase 1 (contributed by Max Weller)
o openvpn: multiple client export fixes
o web proxy: add ESD files to Windows cache option (contributed by R-Adrian)
o plugins: os-acme-client 1.20
o plugins: os-dyndns fix for themed colours (contributed by Team Rebellion)
o plugins: os-etpro-telemetry 1.1 adds random delay to telemetry data send
o plugins: os-nginx 1.7
o plugins: os-rspamd reads DKIM keys via Redis (contributed by Garrod Alwood)
o plugins: os-theme-cicada 1.14 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.13 (contributed by Team Rebellion)
o ports: ca_root_nss 3.42.1
o ports: lighttpd 1.4.53
o ports: py-request 2.21.0

Stay safe,
Your StiffGuard team

StiffGuard® 18.1 Released

For more than 3 years now, StiffGuard® is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We humbly present to you the sum of another major iteration of the StiffGuard® firewall.  Over the second half of 2017 well over 500 changes have made it into this release, nicknamed “Groovy Gecko”.  Most notably, the firewall NAT rules have been reworked to be more flexible and usable via plugins, which is going to pave the way for subsequent API works on the core firewall functionality.  For more details please find the attached list of changes below.

The upgrade track from 17.7 will be available later today.  Please be patient. 

Meltdown and Spectre patches are currently being worked on in FreeBSD, but there is no reliable timeline.  We will keep you up to date through the usual channels as more news become available.  Hang in there!
These are the most prominent changes since version 17.7:

  • FreeBSD 11.1, PHP 7.1 and jQuery 3 migration
  • Realtek vendor NIC driver version 1.94
  • Portable NAT before IPsec support
  • Local group restriction feature in OpenVPN and IPsec
  • OpenVPN multi-remote support for clients
  • Strict interface binding for SSH and web GUI
  • Improved MVC tabs and general page layout
  • Shared forwarding now works on IPv6, in conjunction with “try-forwarding” and improved reply-to multi-WAN behaviour
  • Easy-to-use update cache support for Linux and Windows in web proxy
  • Intrusion detection alert improvements and plugin support for new rulesets (ET Pro, Snort VRT)
  • Revamped HAProxy plugin with introduction pages
  • Moved interface selection to menu and quick search for firewall rules, DHCP and wireless status
  • Alias backend rewrite for future extensibility
  • Plugin-capable firewall NAT rules
  • Migration of system routes UI and backend to MVC (also available via API)
  • Reverse DNS support for insight reporting (also available via API)
  • Fully rewritten firewall live log in MVC (also available via API)
  • New plugins: zerotier, mdns-repeater, collectd, telegraf, clamav, c-icap, tor, siproxd, web-proxy-sso, web-proxy-useracl, postfix, rspamd, redis, iperf, arp-scan, zabbix-proxy, frr, node_exporter

Here is the full list of changes against version 18.1:

  • system: recover static version of PHP configuration files during boot
  • system: show warning dialog when editing web GUI listening interfaces
  • system: allow dots in certificate details
  • system: remove workaround for new 32 bit mmap disallow default (see below)
  • firewall: fix port range forward expansion
  • firewall: move alias directory to persistent memory
  • firewall: fix alias resolve during boot
  • firewall: revert VIP gateway option for PPPoE interfaces
  • interfaces: fix header link in list widget
  • interfaces: defer IP renewal during boot
  • installer: full password recovery mode enables user and sets local authentication
  • installer: prevent MFS transition on install media after import
  • network time: use all our time servers and prefer the first
  • ui: revert menu positioning improvements
  • plugins: os-freeradius 1.5.1 adds LDAP search filter (contributed by Michael Muenz)
  • plugins: os-haproxy 2.4 (contributed by Frank Wall)
  • plugins: os-node_exporter 1.0 (contributed by David Harrigan)
  • plugins: os-postfix 1.0 (contributed by Michael Muenz)
  • plugins: os-rspamd 1.0 (contributed by Fabian Franz)
  • plugins: os-telegraf 1.2 adds graphite and graylog output (contributed by Michael Muenz)
  • src: do not protect VLAN PCP write with the sysctl
  • src: enable numbered user class ID option in dhclient
  • src: set hardening.pax.disallow_map32bit.status=1 by default
  • ports: ca_root_nss 3.35
  • ports: libressl 2.6.4
  • ports: php 7.1.13
  • ports: sudo 1.8.22
  • ports: unbound 1.6.8

All images are provided with SHA-256 signatures, which can be verified against the distributed public key:

# openssl base64 -d -in image.bz2.sig -out /tmp/image.sig
# openssl dgst -sha256 -verify -signature /tmp/image.sig image.bz2

The public key for the 18.1 series is:


Stay safe,
Your StiffGuard® team

StiffGuard® 17.1 Released

✓ More Secure   ✓ Better Language Support   ✓ More Features

Hi everyone,

The StiffGuard® team is proud to announce the final availability of version
17.1, nicknamed “Eclectic Eagle”. This major release features FreeBSD 11.0,
the SSH remote installer, new languages Italian / Czech / Portuguese,
state-of-the-art HardenedBSD security features, PHP 7.0, new plugins for
FTP Proxy / Tinc VPN / Let’s Encrypt, native PAM authentication against e.g.
2FA (TOTP), as well a rewritten Nano-style card images that adapt to media
size to name only a few.

We would like to encourage everyone to supervise this major upgrade
physically. As such, it cannot be performed from the GUI. Instead, go
to the root console menu, choose option 12 and type “17.1” at the prompt.
The process will download a full set of updates and reboot multiple.
All operating system files and packages will be reinstalled as a consequence.
This process can also be remotely triggered via SSH.

For fresh installations, images are provided with OpenSSL for 32 and 64 bit Intel architectures. The new SSH installer feature will be listening on the LAN port, give out DHCP leases to clients and can connect using the user “root” (console menu) or “installer” (the installer, of course) with the default password “opnsense”.

Major Features

Here is the list of major features that have been worked on since 16.7 was released 6 months ago:

  • cooperative firewall forwarding to allow traffic shaper/captive portal with multi-WAN
  • install media now boots up with SSH for headless remote installation
  • HardenedBSD ASLR and PIE compilation for most binaries
  • HardenedBSD SEGVGUARD to prevent ASLR brute force attacks
  • PHP 7.0 compatibility and general GUI speed improvements
  • replaced the CSRF implementation in the non-MVC pages
  • integrated authentication using PAM to allow e.g. 2FA (TOTP) over SSH
  • system secondary console support with new EFI and Mute options
  • Portuguese/Portugal as a release language (contributed by Carlos Meireles)
  • Portuguese/Brazil as a release language (contributed by Thiago Basilio)
  • Italian as a release language (contributed by Antonio Prado)
  • Czech as a release language (contributed by Pavel Borecki)
  • improved password security (contributed by OSnet)
  • FTP proxy plugin (contributed by Frank Brendel)
  • Let’s Encrypt Plugin (contributed by Frank Wall)
  • Tinc VPN Plugin
  • IPsec tunnel isolation mode for interoperability
  • micro versioning/migrations for config items
  • constraint support for config items
  • rewritten Nano images with growfs support
  • authentication methods are now fully plugable
  • firewall rules are now fully plugable
  • FreeBSD 11.0 including additional reliability fixes

Minor Changes

Minor changes made since 16.7.14/17.1.r1:

  • system: always restore native /var layout on boot
  • system: make vt/sc configurable
  • web proxy: improve validation for SSL bump URL input (contributed by Fabian Franz)
  • web proxy: add plugin-capable pre/post authentication directories (contributed by Evgeny Bevz)
  • mvc: use empty string instead of “##Unlinked” in missing elements (contributed by Frank Wall)
  • www: replace CSRF implementation of static PHP pages
  • src: convert result of hash_packet6() into host byte order
  • src: correctly initialise subrulenr in pflog
  • ports: openssl 1.0.2k[1]
  • ports: php 7.0.15[2]

Migration Considerations

Additionally, these migration caveats should be heeded before upgrading:

  • The integrated authentication framework is now used as a system-wide default including login, su and sudo. This means that e.g. 2FA will be used for low-level password prompts as well and plain passwords are disabled by default. If this behaviour is undesired, set the “Disable integrated authentication” option under System: Settings: Administration.
  • The console settings received a non-backwards compatible change. If the VGA console is not working, simply reconfigure it from System: Settings: Administration as it was likely set to “Serial” due to a wrong GUI default.
  • FreeBSD 11.0 switched to the vt(4) console driver, but we are keeping sc as the default. You can change this after installation by enabling the virtual terminal driver under System: Settings: Administration.
  • The access privileges for “Lobby: Login / Logout / Dashboard” and “Diagnostics: Backup / Restore” have been remapped internally and need to be reapplied when they have been assigned explicitly.
  • The inherited 6rd kernel patches are not included in standard FreeBSD 11.0. The state of 6rd is possibly broken. We ask for volunteers to pick up the work if 6rd is still a requirement, as we do not have access to such setups.
  • Fundamental WiFi stack changes in FreeBSD 11.0 could still affect overall operability. Please let us know about these right away.
  • The following services moved to individual plugins and need to be reinstalled in order to be used: SNMP, Load Balancer, Wake on LAN, Universal Plug and Play, IGMP Proxy. Their respective configurations will be preserved by the system even if these plugins are not installed.
  • The Intel e1000 driver plugin has been removed due to an incompatibility
  • with FreeBSD 11.0. All previously known bugs of the FreeBSD 11.0 e1000 driver have been fixed in StiffGuard® 17.1 and reported to FreeBSD.

Stay Safe – StiffGuard® Team

StiffGuard® 16.1 Released

Welcome back!

No, we would not say it was easy getting here, but booting into 16.1 for the first time sure is as relieving (and exciting) as it could get for our project growing beyond what we had ever imagined. It has been more than a year since StiffGuard® first came out. Back then it was FreeBSD 10.0. Not even two months after, 10.1 was introduced along with the update utility. Today is the day for FreeBSD 10.2, the latest and greatest release currently available for broader driver support and stability improvements.

16.1 is nick-named “Crafty Coyote” in honour of our beloved childhood TV sessions. It is the accumulation of 6 months of work, having had our focus on reengineering the captive portal, native intrusion prevention, plugin support, and transforming the reporting frontend into something more modern and flexible just to name a few. Apart from the recently published security advisories (see patch notes below), we have included a quick navigation feature which can be activated by pressing (TAB) followed by search keywords and hitting (ENTER) to go to the desired page. Last but not least, a larger batch of improvements and fixes went into assorted sections of the GUI that certainly help to get your work done without ending up dazed and confused.

Speaking of clearing things up, there is more… While Ad, Franco and a couple of amazing external contributors have been busy writing and reviewing code, Jos worked in the shadows to bring to you a fully revised set of project documentation in the form of an online handbook. More content will follow as we slow down development speed a bit in order to catch up. We will have to see how that works out.

Another thing we have noticed is that translations are hard! We have planned to finish a translation for this iteration, but the sheer amount of work overwhelmed even the sizeable German translation team. The German translation is now at 77% percent completed with Japanese, Chinese and French chasing tails. If you want to help drop us a line at for details on how to contribute.

All images have been pushed as well, although may take a bit more time to reach a mirror near you. You can find the checksums attached at the end of this announcement.

Finally, here are the full patch notes:

  • src: FreeBSD 10.2-RELEASE-p11[4]
  • bootstrap: can now update from any available FreeBSD 10 release
  • ports: libarchive 3.1.2_6, Suricata 3.0, squid 3.5.13, bind 9.10.3P3[8], sqlite 3.10.2, ntp 4.2.8p6,
  • firewall: lock source / destination port settings when neither TCP nor UDP is selected
  • firewall: simplify the outbound page to hide unwanted items and zap complicated explanations (contributed by Manuel Faux)
  • firewall: do not leak floating rules into other interface tabs
  • firewall: add clear button to all log file types
  • firewall: hide NAT rules from normal rules screen
  • firewall: removed the unsupported dscp rule option
  • firewall: display alias descriptions as tooltips (contributed by Manuel Faux)
  • universal plug and play: switch to secure mode as the new default
  • unbound: add MX entries to host overrides (contributed by Manuel Faux)
  • gateways: always safe the monitor IP regardless of monitoring being on or off
  • gateways: properly add and remove routes for monitors on toggle
  • backend: fix harmless error message caused by a sample template
  • high availability: allow specification of a different port for synchronisation
  • high availability: special characters are now being properly preserved
  • high availability: added new captive portal and traffic shaper as sync options
  • high availability: reworked and pruned the client synchronisation
  • firmware: optional php extensions now peacefully coexist with preinstalled extensions
  • firmware: update plugin list on refresh to reveal available plugin list
  • intrusion detection: adds intrusion prevention mode for netmap(4) devices (must disable Hardware CRC manually)
  • captive portal: completely rewritten on top of our new components
  • proxy: hook up remote ACL settings to translation engine (contributed by Fabian Franz)
  • proxy: add support for compressed ACLs (.gz, .tar.gz, .tgz, .zip)
  • proxy: fix toggle for storage log
  • ipsec: improve display of tunnel overview
  • openvpn: provide full ca chain on client export (contributed by Manuel Faux)
  • openvpn: fix engine detection for LibreSSL
  • layout: all tooltips and icons of action buttons have been updated for proper look and feel (contributed by Manuel Faux)
  • layout: added the infamous quick navigation feature
  • layout: consolidated the display of the upper right corner (user@host.domain)
  • interfaces: reworked all the pages for proper look and feel
  • interfaces: ARP and NDP tables have been rewritten and now properly show vendor info
  • login: improved look and feel
  • dashboard: rss widget has been reworked and its library has been updated to a new version
  • config: recover last backup automatically on broken xml
  • menu: properly aligned submenu icons
  • system: removed XDebug package from the default installation

We thank all our contributors and users for their ongoing love and support.