Software update: OPNsense 25.7.10
The OPNsense package is a firewall with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. The package can be configured entirely through a web interface and supports, among other things, MFA, OpenVPN, IPsec, CARP and a captive portal. It can also perform packet filtering and includes a traffic shaper. The developers behind OPNsense have released the tenth update for version 25.7; the release notes for that release can be found below.
OPNsense 25.7.10 released
This update is released mainly due to the fact that FreeBSD-SA-25:12.rtsold has impact on WAN-facing DHCPv6 connectivity being used, but also offers a mid-size batch of improvements like CARP VHID awareness for DHCRelay and a thorough cleanup and improvement pass over the Suricata integration we have been discussing during Suricon in November.
Of special note is that the captive portal accounting moves back to ipfw(4) from pf(4) because in larger deployments accounting rules are much faster this way and the use case of Ethernet-less captive portals such as on top of WireGuard now work properly again. The hook for pluggable pf(4) "ether" rules remains for now but will be removed in 26.1 as we do not intend to advocate its use.
Also, Python has reported security issues of which a DoS in http.client could potentially affect existing installations given that an HTTP server sends a malicious response which "can consume a large amount of memory and CPU time and cause swapping". Python has not released an update for version 3.11 at this point in time.
Here are the full patch notes:
system: clean up and normalise the sample config.xml
system: replace "realif" variables with "device" in gateway code
system: replace exec() in live banner SSH probe
interfaces: scan pltime/vltime in "ifconfig -L" mode
firewall: live log: allow column modifications and combine hostname columns
firewall: live log: add bigger table size options and simplify table update
firewall: minor simplification in filter sync script
reporting: health: add CPU temperature y-axis label (contributed by NOYB)
dhcrelay: add CARP VHID tracking option to relays
dhcrelay: use the new mwexecf() $format support
firmware: opnsense-update: remove architecture pinning for -X option
captive portal: re-introduce ipfw for accounting purposes only
dnsmasq: add DHCP logging flags to influence log verbosity
intrusion detection: refactor query scripts and deprecate params.py
intrusion detection: increase maintainability of suricata.yaml file
intrusion detection: add support for /usr/local/etc/suricata/conf.d directory
intrusion detection: clean up views and controllers
openvpn: openvpn: add AES-256-CBC cipher for legacy compat (contributed by Fabian Franz)
openvpn: add support for verify-x509-name option (contributed by laozhoubuluo)
openvpn: replace exec() in MVC code
unbound: deprecate Blocklist.site blocklists (contributed by Drumba08)
unbound: clean up blocklists update marker and size file handling
mvc: ApiMutableModelControllerBase: add invalidateModel() method
mvc: Config: use is_int()/array_key_first() in toArray() and fromArray()
mvc: Config: mvc: use LIBXML_NOBLANKS when loading config files
mvc: FilterBaseController: move shared automation rule logic here
mvc: get translated services description from API (contributed by Tobias Degen)
mvc: BaseField: provide asInt() method
rc: bootstrap /var/lib/php/tests for upcoming test case use
plugins: os-ndp-proxy-go 1.2
plugins: os-theme-rebellion 1.9.4 (contributed by Team Rebellion)
src: e1000: do not enable ASPM L1 without L0s
src: e1000: bump 82574/82583 PBA to 32K
src: if_ovpn: use IFT_TUNNEL
src: ifconfig: bring back -L for netlink
src: igb: fix VLAN support on VFs
src: irdma: fix potential memory leak on qhash cqp operation
src: ix: add support for debug dump for E610 adapters
src: netmap: fix error handling in nm_os_extmem_create()
src: pf: reading rules with a read lock on ioctl
src: pf: relax sctp v_tag verification
src: pf: handle divert packets
src: pfsync: fix incorrect unlock during destroy
src: rtsold: remote code execution via ND6 router advertisements
ports: dpinger 3.4
ports: libucl 0.9.3
ports: nss 3.119.1
ports: phpseclib 3.0.48
Source: Tweakers.net