diff --git a/release_notes.rst b/release_notes.rst index 79e67876..1a88b5df 100644 --- a/release_notes.rst +++ b/release_notes.rst 
@@ -7,6 +7,63 @@ NethSecurity releases changelogs. - List of `known bugs `_ - Discussions around `possible bugs `_ +Major changes on 2025-10-xx +=========================== + +From this release, NethSecurity image will use a progressive version scheme not based on OpenWrt versioning. + +Image version: `8.7` + +.. rubric:: New Features + +- OpenWrt 24.10.3: the image has been rebased on OpenWrt which includes several package updates and security fixes. see `upstream changelog `_ +- my.nethesis.it: the resources tab now shows the product card with hardware details for nethsecurity 8 devices, restoring parity with nethsecurity 7 +- Refactoring build system: build system refactor makes switching targets and openwrt versions easier, improves package override and hash consistency, decouples image releases from openwrt, and resolves prior limitations after verification +- Flood firewall protection: syn flood protection default disabled to align with safer practices, with enhanced dos blocking via customizable traffic limits in threat shield ip (banip) and clearer ui/documentation with standardized labels +- Threat shield dns allowlist: a local url allowlist has been added to threat shield dns ui, letting users permit specific websites without manual file edits, taking precedence over blocklist +- Port forwards and firewall rules: system entries are now marked as "automated"; keeping system rules visible but non-editable for transparency without clutter +- Zones: when creating a guest or DMZ zones now UI pre-fills most common settings to simplify setup and avoid misconfigurations +- Backup: + - Allow download of unencrypted backup even with passphrase set: ui now allows downloading unencrypted backups when a passphrase is set and subscription is active, simplifying backup management + - Add password confirmation field and ui improvements for backup passphrase management: passphrase management ui adds a confirmation field, a status badge indicating passphrase presence, and 
a dedicated removal modal to prevent mistakes and improve clarity +- Threat shield DNS: added domain allowlist to easily permit specific domains without manual edits +- IPsec: now supports selecting dh groups 19, 20 and 21 for ike and esp, aligning with modern security standards +- Threat shield IP: firewalls with active subscriptions automatically whitelist nethesis enterprise ips when threat shield ip is enabled, ensuring uninterrupted access to core services +- Controller: + - enable remote support login with nethsupport: support agents can sign in to the controller with a temporary support code, without user credentials or 2fa, with access auto-revoked when support ends + - added unit-group based access control, ip-based access restrictions, centralized configuration with encrypted sensitive data, performance optimizations, and ui refinements for scale + - units now report to controllers over a secure vpn using new registration parameters, restricting access to vpn-connected units while maintaining fallback compatibility + - a description field syncs between unit and controller, is editable in configuration, and appears in the units table for easier identification + - ns-plug adds an mtu connectivity test and a configurable persistent mtu setting, improving diagnostics and avoiding manual fixes after vpn reconnections + +.. 
rubric:: Bug Fixes + +- Interfaces: qosify and mwan3 configurations now update correctly when a wan interface is removed, preventing stale settings and status inconsistencies +- DNS: manual dns settings now override dhcp/pppoe-provided servers, ensuring predictable resolution and preventing unintended use of wan dns +- DPI: dpi rules now effectively block ICMP traffic via automatic conntrack labels, this fix also solves a startup segfault and improves behavior under bursts +- Port forward: kenabling or disabling rules via the kebab menu now works when a domain set is used in "limit access to" +- Reverse proxy: certificate usage indicators now display correct statuses +- OpenVPN tunnels: lzo compression option is now saved correctly, allowing openvpn tunnels to start as expected +- Port forward: ip validation now correctly rejects invalid destination addresses when a destination port is specified +- Controller: fixed a controller bug where 2fa could be enabled on cancel, ensuring activation only after completing setup with a valid otp +- DHCP: now DHCP server correctly serves only one DHCP response per request when multiple dnsmasq servers are configured + +.. rubric:: Migration of High Availability from Beta 1 + +Installations where the HA feature were enabled, must be reconfigured after the update. +Before proceeding with the update, please connect to the server via SSH on the LAN interface and +execute the following command to reset the HA configuration: + +.. code:: + + rm -f /etc/keepalived/keys/id_rsa* /etc/conntrackd/conntrackd.conf + /etc/init.d/conntrackd stop; /etc/init.d/conntrackd disable + /etc/init.d/keepalived stop; /etc/init.d/keepalived disable + echo "config globals 'globals'" > /etc/config/keepalived + reload_config + +Beware that this will remove the current HA configuration and stop the WAN interfaces. +After the update, configure the WAN interface normally and reconfigure the :ref:`High availability `. 
Major changes on 2025-06-30 =========================== @@ -16,7 +73,7 @@ Image version: `8-24.10.0-ns.1.6.0` .. rubric:: New Features - High Availability: added support for two-node clusters in backup mode. automatic failover within seconds. configured via command line. -- Flashstarto ProPLus: added support for multi-profile configurations, dynamic blocklists, and improved dns client management. +- Flashstart ProPLus: added support for multi-profile configurations, dynamic blocklists, and improved dns client management. - Security wizard: assists with initial security setup (password, ssh, and ui). appears after login if not yet completed and can be skipped. - Automatic persistent storage for logs: free disk space is auto-assigned to logs by default, preventing log loss during reboot. admins can change the destination. - Threat Shield: blocked ip management from the ui: added interface to view, search, and unblock ips. ipv4 and ipv6 blocklists manageable from the ui.
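Review bot: the Threat Shield DNS allowlist appears twice in the New Features list of the 2025-10-xx hunk ("Threat shield dns allowlist: a local url allowlist has been added to threat shield dns ui ..." and, after the Backup items, "Threat shield DNS: added domain allowlist to easily permit specific domains without manual edits"); keep one entry. In the same hunk, the heading still carries the "2025-10-xx" placeholder and must get the real date before merge, "Port forward: kenabling or disabling rules via the kebab menu" should read "enabling or disabling", and "NethSecurity image will use a progressive version scheme" should read "the NethSecurity image". The Flood firewall protection entry reads as self-contradictory ("syn flood protection default disabled to align with safer practices"): state why disabling it is the safer default, for instance that DoS limiting now happens through the customizable traffic limits in Threat Shield IP (banIP) mentioned in the same sentence, otherwise readers will take it as a regression. Two entries relax a protection and should say so explicitly: "Allow download of unencrypted backup even with passphrase set" should note that the downloaded archive contains the configuration, credentials included, in cleartext, and "enable remote support login with nethsupport" should say who generates the temporary support code and who can revoke it, since the entry itself advertises that it bypasses user credentials and 2FA. In the HA migration block, "Installations where the HA feature were enabled, must be reconfigured" should read "Installations where the HA feature was enabled must be reconfigured", and "Beware that this will remove the current HA configuration and stop the WAN interfaces" should explain why stopping keepalived/conntrackd and resetting /etc/config/keepalived takes the WAN down (I presume the WAN address is managed by keepalived), since an operator reading this over SSH on the LAN needs to know they will lose upstream connectivity. Finally, the `upstream changelog `_ and :ref:`High availability ` targets are empty as shown here; confirm the link and label resolve in the rendered docs.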
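Review bot: the "Flashstarto ProPLus" fix in the 2025-06-30 hunk corrects only the first word; "ProPLus" still has a stray capital L and, if the product is Flashstart ProPlus, should be corrected in the same one-line change rather than a follow-up commit.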