Software update: OPNsense 24.7.1
The OPNsense package is a firewall with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. The package can be configured entirely through a web interface and supports, among other things, MFA, OpenVPN, IPsec, CARP and captive portal. In addition, it can apply packet filtering and includes a traffic shaper. The developers have released OPNsense 24.7.1, and the release notes for that version can be found below.
OPNsense 24.7.1 released

This release includes a batch of dashboard changes due to the reliable feedback we have received from you all so far. There will be more dashboard changes in the future mostly relating to UX and sane default behaviour so just know we are aware. A few smaller regressions due to the Phalcon module replacement efforts have been fixed as well. IPv6 behaviour has been adjusted for SLAAC and the web GUI.
Last but not least we found and fixed a number of issues with FreeBSD 14.1 and are including its security advisories from yesterday while at it. MVC/API conversions are already being carried out in the development version and it seems that PPP-related connectivity will get a bigger makeover too. The roadmap for 25.1 will be discussed and likely published later this month.
Here are the full patch notes:

- system: guard destroy on traffic widget
- system: adjust address display in interfaces widget
- system: fix display of multiple sources in thermal sensor widget
- system: add load average back to system info widget
- system: remove dots from traffic widget graphs
- system: add publication date to announcement widget
- system: fix monit widget status code handling
- system: allow and persist vertical resize in widgets
- system: improve formatting of byte values in widgets
- system: update OpenVPN widget server status color
- system: add aggregated traffic information about connected children in IPsec widget
- system: remove animated transition from row hover for table widgets
- system: improve the styling of the widget lock button
- system: apply locked state to newly added widgets as well
- system: account for removal of rows in non-rotated widget tables with top headers
- system: use "importmap" to force cache safe imports of base classes for widgets
- system: allow custom fonts in the widgets with gauges (contributed by Jaka Prasnika)
- system: add monitor IP to gateway API result (contributed by Herman Bonnes)
- system: better define "in use" flag and safety guards in certificates section
- system: export p12 resulted in mangled binary blob in certificates section
- system: when using debug kernels prevent them from triggering unrelated panics on assertions
- system: switch Twitter to Reddit URL in message of the day
- system: fix API exception on empty CA selection
- system: skip tentative IPv6 addresses for binding in the web GUI (contributed by tionu)
- interfaces: avoid deprecating SLAAC address for now
- firewall: show inspect button on "xs" size screen
- firewall: fix parsing port alias names in /etc/services
- captive portal: fix client disconnect (contributed by Vivek Panchal)
- firmware: revoke old fingerprints
- ipsec: add aggregated traffic totals to phase 1 view
- kea-dhcp: ignore invalid hostnames in static mappings to prevent DNS services crashes
- openvpn: use new trust model to link users by common_name in exporter
- openvpn: DCO mode only supports UDP on FreeBSD
- openvpn: add "float" option to instances (contributed by Christian Kohlstedde)
- backend: patch -6 address support into pluginctl
- mvc: fix API endpoint sending data without giving the Response object the chance to flush its headers
- plugins: os-acme-client 4.5
- plugins: os-apcupsd 1.2
- plugins: os-caddy 1.6.2
- plugins: os-ddclient 1.23
- plugins: os-theme-rebellion 1.9.1 fixes more compatibility issues with new dashboard (contributed by Team Rebellion)
- src: pf incorrectly matches different ICMPv6 states in the state table
- src: ktrace(2) fails to detach when executing a setuid binary
- src: NFS client accepts file names containing path separators
- src: xen/netfront: Decouple XENNET tags from mbuf lifetimes
- src: dummynet: fix fq_pie traffic stall
- src: mcast: fix leaked igmp packets on multicast cleanup
- src: wg: change dhost to something other than a broadcast address (contributed by Sunny Valley Networks)
- ports: curl 8.9.1
- ports: dhcrelay 0.6
- ports: kea 2.6.1
- ports: nss 3.102
- ports: php 8.2.22
- ports: rrdtool 1.9.0
- ports: syslog-ng 4.8.0
Source:
Tweakers.net