Software update: OPNsense 23.1.2
OPNsense is a firewall package with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. The package can be configured entirely through a web interface and supports, among other things, 2FA, OpenVPN, IPsec, CARP and a captive portal. It can also perform packet filtering and includes a traffic shaper. The developers have released OPNsense 23.1.2, and this version is accompanied by the following release notes:
OPNsense 23.1.2 released

This is mainly a reliability update with fixes in assorted subsystems. Of note is the OpenVPN authentication framework rewrite in order to take advantage of the upcoming OpenVPN 2.6 deferred authentication feature and the fix for DHCP renew behaviour that was reported on 23.1.
The roadmap for 23.7 was published, but at this point mainly consists of MVC/API porting efforts for existing static pages. While the rewrite is not strictly necessary from a user perspective it will move us a lot closer to our mission goal to introduce privilege separation and to provide an API for all components.
Here are the full patch notes:

system: use singleton boot detection everywhere
system: protect against more stray scripts on boot
system: several shell_safe() conversions
system: when applying auto-far default route make sure the local address is not empty
system: refactor system_default_route() to prevent empty $gateway
system: create system_resolver_configure() and cron job support
system: add simple script and configd action to list current group membership (configctl auth list groups)
system: prevent alias reload in routing reconfiguration like we do in rc.syshook monitor reload
interfaces: protect against empty GIF host route
interfaces: fix parsing of device names with a dot in packet capture
interfaces: force newip calls through DHCP/PPP/OVPN on IPv4
interfaces: force newip calls through DHCP/PPP on IPv6
firewall: fix NAT dropdowns ignoring VIPs
firewall: fix validation of alias names such as "A_BC"
firewall: show all applicable floating rules when inspecting interface rules
firewall: prevent networks from being sent to DNS resolver in update_tables.py
reporting: make all status mapping colors configurable for themes in the Unbound DNS page
dnsmasq: add dns_forward_max, cache_size and local_ttl options to GUI (contributed by Dr. Uwe Meyer-Gruhl)
firmware: remove retired LibreSSL flavour handling and annotations
ipsec: reqid should not be provided on mobile sessions
ipsec: validate pool names on connections page
ipsec: allow "@" character in all other eap_id fields for new connections
ipsec: add connection data to XMLRPC sync
ipsec: "Dynamic gateway" (rightallowany) option should be translated to 0.0.0.0/0,::/0
network time: remove "disable monitor" to get rid of log warnings (contributed by Dr. Uwe Meyer-Gruhl)
openvpn: replace authentication handler to prepare for upcoming OpenVPN 2.6 with deferred authentication
openvpn: rename -cipher option to --data-ciphers-fallback and adjust GUI accordingly
unbound: fix typo in logger and create a pipe early in dnsbl_module.py (contributed by kulikov-a)
unbound: fix type cast to prevent unnecessary updateBlocklist action
unbound: add missing blocklist
ui: solve deprecation in PHP via html_safe() wrapper
wizard: unbound hardened DNSSEC setting moved
plugins: os-acme-client 3.16
plugins: os-crowdsec 1.0.2
plugins: os-rfc2136 1.8
plugins: os-theme-cicada 1.33 (contributed by Team Rebellion)
plugins: os-theme-tucan 1.26 (contributed by Team Rebellion)
plugins: os-theme-vicuna 1.44 (contributed by Team Rebellion)
src: fix multiple OpenSSL vulnerabilities
src: pfsync: support deferring IPv6 packets
src: pfsync: add missing bucket lock
src: pfsync: ensure 'error' is always initialised
ports: filterlog 0.7 fixes unknown TCP option print
ports: lighttpd 1.4.69
ports: monit 5.33.0
ports: nss 3.88.1
ports: openldap 2.6.4
ports: openssh 9.2p1
ports: php 8.1.16
ports: phalcon 5.2.1
ports: sqlite 3.41.0
ports: strongswan 5.9.10
ports: sudo 1.9.13p2
Source:
Tweakers.net