Software update: OPNsense 23.7
OPNsense is a firewall with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. The package can be configured entirely through a web interface and supports, among other things, 2FA, OpenVPN, IPsec, CARP and a captive portal. It can also apply packet filtering and includes a traffic shaper. With version number 23.7 the developers have released the semi-annual major update. The release notes for that release can be found below.
OPNsense 23.7 released
For more than 8 and a half years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
23.7, nicknamed "Restless Roadrunner", features numerous MVC/API conversions including the new OpenVPN "instances" configuration option, OpenVPN group alias support, deferred authentication for OpenVPN, FreeBSD 13.2, PHP 8.2 plus much more.
Here are the full patch notes against 23.1.11:
system: use parse_url() to validate if the provided login redirect string is actually parseable to prevent redirect
system: fix assorted PHP 8.2 deprecation notes
system: fix assorted permission-after-write problems
system: introduce a gateway watcher service and fix issue with unhandled "loss" trigger when "delay" is also reported
system: enabled web GUI compression (contributed by kulikov-a)
system: disable PHP deprecation notes due to Phalcon emitting such messages breaking the API responses
system: allow "." DNS search domain override
system: on boot let template generation wait for configd socket for up to 10 seconds
system: do not allow state modification on GET for power off and reboot actions
system: better validation and escaping for cron commands
system: better validation for logging user input
system: improve configuration import when interfaces or console settings do not match
system: name unknown tunables as "environment" as they could still be supported by e.g. the boot loader
system: sanitize $act parameter in trust pages
system: add severity filter in system log widget (contributed by kulikov-a)
system: mute openssl errors pushed to stderr
system: add opnsense-crypt utility to encrypt/decrypt a config.xml
system: call opnsense-crypt from opnsense-import to deal with encrypted imports
interfaces: extend/modify IPv6 primary address behaviour
interfaces: fix bug with reported number of flapping LAGG ports (contributed by Neil Greatorex)
interfaces: introduce a lock and DAD timer into newwanip for IPv6
interfaces: rewrite LAGG pages via MVC/API
interfaces: allow manual protocol selection for VLANs
interfaces: remove null_service toggle as empty service name in PPPoE works fine
interfaces: on forceful IPv6 reload do not lose the event handling
interfaces: allow primary address function to emit device used
firewall: move all automatic rules for interface connectivity to priority 1
firewall: rewrote group handling using MVC/API
firewall: clean up AliasField to use new getStaticChildren()
firewall: "kill states in selection" button was hidden when selecting only a rule for state search
firewall: cleanup port forward page and only show the associated filter rule for this entry
captive portal: safeguard template overlay distribution
dhcp: rewrote both IPv4 and IPv6 lease pages using MVC/API
dhcp: allow underscores in DNS names from DHCP leases in Dnsmasq and Unbound watchers (contributed by bugfixin)
dhcp: align router advertisements VIP code and exclude /128
dhcp: allow "." for DNSSL in router advertisements
dhcp: print interface identifier and underlying device in "found no suitable address" warnings
firmware: opnsense-version: remove obsolete "-f" option stub
firmware: properly escape crash reports shown
firmware: fix a faulty JSON construction during partial upgrade check
firmware: fetch bogons/changelogs from amd64 ABI only
ipsec: add missing config section for HA sync
ipsec: add RADIUS server selection for "Connections" when RADIUS is not defined in legacy tunnel configuration
ipsec: only write /var/db/ipsecpinghosts if not empty
ipsec: check IPsec config exists before use (contributed by agh1467)
ipsec: fix RSA key pair generation with size other than 2048
ipsec: deprecating tunnel configuration in favour of new connections GUI
ipsec: clean up SPDField and VTIField types to use new getStaticChildren()
ipsec: add passthrough networks when specified to prevent overlapping "connections" missing them
monit: fix alert script includes
openvpn: rewrote OpenVPN configuration as "Instances" using MVC/API available as a separate configuration option
openvpn: rewrote client specific overrides using MVC/API
unbound: rewrote general settings and ACL handling using MVC/API
unbound: add forward-tcp-upstream in advanced settings
unbound: move unbound-blocklists.conf to configuration location
unbound: add database import/export functions for when DuckDB version changes on upgrades
unbound: add cache-max-negative-ttl setting (contributed by hp197)
unbound: fix upgrade migration when database is not enabled
unbound: minor endpoint cleanups for DNS reporting page
wizard: restrict to validating only IPv4 addresses
backend: minor regression in deeper nested command structures in configd
mvc: fill missing keys when sorting in searchRecordsetBase()
mvc: properly support multi clause search phrases
mvc: allow legacy services to hook into ApiMutableServiceController
mvc: implement new Trust class usage in OpenVPN client export, captive portal and Syslog-ng
mvc: add generic static record definition for ArrayField
ui: introduce collapsible table headers for MVC forms
plugins: os-acme-client 3.18
plugins: os-bind 1.27
plugins: os-dnscrypt-proxy 1.14
plugins: os-dyndns removed due to unmaintained code base
plugins: os-frr 1.34
plugins: os-firewall 1.3 allows floating rules without interface set (contributed by Michael Muenz)
plugins: os-telegraf 1.12.8
plugins: os-zabbix62-agent removed due to Zabbix 6.2 EoL
plugins: os-zabbix62-proxy removed due to Zabbix 6.2 EoL
src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode
src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled
src: ipsec: add PMTUD support
src: FreeBSD 13.2-RELEASE
ports: krb 1.21.1
ports: nss 3.91
ports: phalcon 5.2.3
ports: php 8.2.8
ports: py-duckdb 0.8.1
ports: py-vici 5.9.11
ports: sudo 1.9.14p3
ports: suricata now enables Netmap V14 API
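An added illustration of the login-redirect check mentioned in the first "system" note; this is example code written for this page, not OPNsense's own implementation. It uses parse_url() to reject any redirect target that is unparseable or carries a scheme, host, user or port, so only a local path (with an optional query string) is ever redirected to; the function name and the sample inputs are constructed for the example.

```php
<?php
// Example only (not OPNsense code): accept a login "redirect" parameter only when
// it is a parseable, purely local path. Anything else falls back to a known page.
function safe_login_redirect(string $candidate, string $fallback = '/index.php'): string
{
    $parts = parse_url($candidate);
    // parse_url() returns false for strings it cannot parse at all (e.g. "http:///x")
    if ($parts === false) {
        return $fallback;
    }
    // a scheme, host, user, password or port means an absolute or external target
    foreach (['scheme', 'host', 'user', 'pass', 'port'] as $key) {
        if (isset($parts[$key])) {
            return $fallback;
        }
    }
    $path = $parts['path'] ?? '';
    // require exactly one leading slash and a conservative character set; this also
    // rejects "/\evil.example", which some browsers treat like a protocol-relative URL
    if (!preg_match('#^/(?![/\\\\])[A-Za-z0-9_./%-]*$#', $path)) {
        return $fallback;
    }
    $url = $path;
    if (isset($parts['query'])) {
        $url .= '?' . $parts['query'];
    }
    return $url; // the fragment, if any, is deliberately dropped
}

// constructed sample inputs with the result each should produce
$samples = [
    '/ui/dashboard'              => '/ui/dashboard',
    '/index.php?a=1'             => '/index.php?a=1',
    'https://evil.example/login' => '/index.php',
    '//evil.example/login'       => '/index.php',
    '/\\evil.example'            => '/index.php',
    'http:///broken'             => '/index.php',
    'javascript:alert(1)'        => '/index.php',
];
foreach ($samples as $in => $expected) {
    $out = safe_login_redirect($in);
    printf("%-28s -> %-16s %s\n", $in, $out, $out === $expected ? 'ok' : 'MISMATCH');
}
```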
Source: Tweakers.net