Software update: OPNsense 25.1.5
The OPNsense package is a firewall with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. The package can be configured entirely through a web interface and supports, among other things, MFA, OpenVPN, IPsec, CARP and captive portal. It can also apply packet filtering and includes a traffic shaper. The developers behind OPNsense have released the fifth update for version 25.1, and the release notes for that release can be found below.
OPNsense 25.1.5 released

This release improves overall RADIUS support, moves the captive portal from IPFW to PF, creates visibility of external certificate sources in the system and offers a glimpse into the filter automation GUI revamp which could one day replace the remaining static firewall rules edit pages. Speaking of static pages: MVC/API conversions are almost 80% complete now and we would really like to continue that trend. Also brace for impact as we crash-land Dnsmasq DHCP support in a stable release within the next 90 days!
Here are the full patch notes:

- system: extend XMLRPC "nosync" support to keep backup items for new cases
- system: improved RADIUS RFC alignment and use Message Authenticator by default
- system: prevent recursion loop when CAs are cross-referencing each other
- system: fix URL hash in certificate link so redirection shows the correct menu path
- system: fix off by one error due to line ending at the end of a log file
- system: offer config directory to store locations for external certificates and support it in the certificates widget
- system: allow multiple manual DNS search domains
- system: fix gateway watcher backoff
- system: minor code cleanups in auth.inc
- reporting: move NetFlow backend single_pass to command line parameters for easier debugging
- reporting: use client time in traffic dashboard widget
- firewall: automation filter UI revamp
- firewall: fix presentation when alias name overlaps group name
- firewall: fix regression in alias table in JSON format
- firewall: move pipe and queue configuration to "dnctl" service
- firewall: replace update_params for argparse in filter log reader
- captive portal: migrate backend from IPFW to PF
- firmware: ignore dashboard check for updates link automation if user clicks check for updates too
- firmware: fix reboot flag handling due to changed BooleanField default in 25.1.4
- firmware: add cleanup audit script
- ipsec: move mobile clients charon attributes to "Advanced settings"
- ipsec: pre-shared key permission fix
- kea-dhcp: add missing ACL privileges
- kea-dhcp: allow manual configuration for advanced scenarios
- openvpn: add "Enable static challenge (OTP)" option in client export
- openvpn: display virtual IPv6 addresses for clients in dashboard widget (contributed by cs-1 and lucaspalomodevelop)
- router advertisements: fix list of source addresses on overlapping link-locals (contributed by Robin Müller)
- unbound: drop "exclude" phrase from plugin log entry
- unbound: add optional TTL field
- mvc: prefer ui/user_portal above system_usermanager_passwordmg.php in ACLs
- mvc: implement "ignore" field type in forms
- ui: include "all" instead of only "solid" and "brands" Font Awesome styles
- ui: ensure fields stay aligned relatively to another when headers are used in forms
- ui: add fetch_options() which can build grouped selectpickers
- ui: improve and extend Bootgrid behaviour
- plugins: os-caddy 1.8.5
- plugins: os-sftp-backup 1.1 adds hostname prefix and filedrop-only support (contributed by beposec)
- src: ifconfig: fix reporting optics on most 100g interfaces
- src: igc: fix attach for I226-K and LMVP devices
- src: inpcb: assorted changes for upcoming FIB support
- src: ipfw: fix dump_soptcodes() handler
- src: ixgbe: add support for 1000BASE-BX SFP modules
- src: ixgbe: fix mailbox ack handling
- src: netinet6: add the missing lock acquire to nd6_get_llentry
- src: netinet: fix getcred sysctl handlers to do nothing if no input is given
- src: netinet: if mb_unmapped_to_ext() failed, return directly
- src: netlink: fix getting route scope of interface IPv4 addresses
- src: ovpn: fix use-after-free of mbuf
- src: pf: improve pf_state_key_attach() error handling
- src: pf: only force state failure logging if logging was requested
- src: pfkey2: use correct value for a key length
- src: routing: do not allow PINNED routes to be overridden
- src: sctp: fix double unlock in case adding a remote address fails
- src: tcp: clear sendfile logging struct
- src: udp: do not recursively enter net epoch
- src: wg: remove overly-restrictive address family check
- ports: lighttpd 1.4.79
- ports: openvpn 2.6.14
- ports: phalcon 5.9.2
- ports: py-duckdb 1.2.2
Source:
Tweakers.net