Software update: OPNsense 24.7.6
The OPNsense package is a firewall with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. It can be configured entirely through a web interface and supports, among other things, MFA, OpenVPN, IPsec, CARP and captive portal. It can also perform packet filtering and includes a traffic shaper. The developers have released OPNsense 24.7.6; the release notes for this version can be found below.
OPNsense 24.7.6 released
A few security and reliability issues this week. Most notably Suricata and Unbound. The dashboard rework seems to be concluded now as the ACL behaviour was now aligned and should match the user expectation on the "Lobby" section privileges. Note not all widgets have separate ACLs as it aims to provide a minimal safe selection of system widgets associated with the access to the dashboard page in general. We will, however, continue to improve the dashboard further while we also tackle other interesting areas for 25.1. That being said have a look at the new roadmap we published recently.
You may notice the increased activity on the trust store side due to our LINCE certification efforts. Valuable feedback and code changes have come from this process that will also find their way into other related projects in the near future.
Here are the full patch notes:
- system: do not render non-reachable dashboard widget links
- system: handle picture deletion via hidden input on general settings page
- system: straighten out API ACL entries for several components
- system: remove unreachable "page-getstats" ACL entry
- system: adjust "page-system-login-logout" ACL entry to be used as a minimal dashboard privilege
- system: deprecate the "page-dashboard-all" ACL entry as it will be removed in 25.1
- system: add descriptions on CA and certificate downloads file names
- system: show user icon when certificate is not otherwise used (in case CN matches any of our registered users)
- system: add proper validation when certificates are being imported via CSR
- system: add missing CRL changed event when CRLs are saved in the GUI
- system: add a trust settings page and move existing trust settings there as well
- system: optionally fetch and store CRLs attached to trusted authorities
- system: improve and extend certctl.py script doing the trust store rehashing
- system: enforce CRL behaviour for existing revocations in the trust store when doing remove syslog sending over TLS
- interfaces: simplify and clarify pfsync reconfiguration hooks
- interfaces: non-functional refactors in PPP configuration
- interfaces: send IPv6 solicit immediately on WAN interfaces
- firewall: add gateway groups to the list of gateways in automation rules
- src: pf: revert part of 39282ef3 to properly log the drop due to state limits
- src: pflog: pass the action to pflog directly
- src: various check removals for malloc(M_WAITOK) driver calls
- src: libpfctl: ensure we return useful error codes
- src: x86/ucode: add support for early loading of CPU ucode on AMD
- src: libfetch: improve optional CRL verification
- src: fetch: fix "--crl" option not working
- dhcrelay: refactor for plugins_argument_map() use
- firmware: opnsense-verify now lists repository priorities
- ipsec: add "make_before_break" option to settings
- firmware: opnsense-verify now also lists repository priorities
- kea-dhcp: add configurable "max-unacked-clients" parameter and change its default to 2
- kea-dhcp: add missing constraint on IP address for reservations
- openvpn: register OpenVPN group immediately when setting up instances
- openvpn: push "data-ciphers-fallback" in client export when configured to align with legacy setup
- unbound: port to newwanip_map / plugins_interface_map()
- ui: remove bold text from tab headers for consistency
- plugins: os-acme-client 4.6
- plugins: os-caddy 1.7.2
- plugins: os-frr 1.41
- plugins: os-smart 2.3 adds new dashboard widget (contributed by Francisco Dimattia)
- ports: curl 8.10.1
- ports: crowdsec fix for stuck service handling
- ports: dhcp6c 20241008 properly handle NoAddrAvail status code
- ports: monit 5.34.1
- ports: php 8.2.24
- ports: dnspython 2.7.0
- ports: py-duckdb 1.1.1
- ports: suricata 7.0.7
- ports: unbound 1.21.1
Source:
Tweakers.net