Software update: OPNsense 24.1
OPNsense is a feature-rich firewall distribution. It is based on the FreeBSD operating system and was originally forked from pfSense, which in turn derived from m0n0wall. It can be configured entirely through its web interface and supports, among other things, MFA, OpenVPN, IPsec, CARP and a captive portal. It also performs packet filtering and includes a traffic shaper. The developers have released OPNsense 24.1; the release notes for that version can be found below.
OPNsense 24.1 released
For more than 9 years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
24.1, nicknamed "Savvy Shark", features ports-based OpenSSL 3, Suricata 7, several MVC/API conversions, a new neighbor configuration feature for ARP/NDP, core inclusion of the os-firewall and os-wireguard plugins, CARP VHID tracking for OpenVPN and WireGuard, functional Kea DHCPv4 server with HA support plus much more.
Here are the full patch notes against 23.7.12:
o system: prevent activating shell for non-admins
o system: add OCSP trust extensions and improved authorities implementation
o system: migrate single gateway configuration to MVC/API
o system: use new backend streaming functionality in the log viewer
o system: limit file system /conf/config.xml and backups access to administrators
o system: migrate gateways model to match new class introduced in 23.7.x
o system: refactor get_single_sysctl()
o system: update cron model
o system: fix migration issue in new gateways model
o system: handle case insensitivity while reading groups
o system: shuffle authentication templates to the end of login configuration
o system: add "maxfilesize" option to enforce a log rotate when files exceed their limit
o reporting: print status message when Unbound DNS database was not found during firmware upgrade
o reporting: update NetFlow model
o interfaces: implement new neighbor configuration for ARP and NDP entries using MVC/API
o interfaces: refactor interface_bring_down() into interface_reset() and interface_suspend()
o interfaces: migrate the overview page to MVC/API
o interfaces: add optional local/remote port to VXLAN
o interfaces: remove unused code from native dhclient-script
o interfaces: do not flush states on clear event
o firewall: add automation category for filter rules and source NAT using MVC/API, formerly known as os-firewall plugin
o firewall: migrate NPTv6 page to MVC/API
o firewall: add a track interface selection to NPTv6 as an alternative to the automatic rule interface fallback when dealing with dynamic prefixes
o captive portal: fix integer validation in vouchers
o captive portal: update model
o dhcp: clean up duplicated domain-name-servers option
o dhcp: cleanup get_lease6 script and fix parsing issue
o dhcp: add Kea DHCPv4 server option with HA capabilities as an alternative to the end of life ISC DHCP
o dhcp: deduplicate records in Kea leases
o intrusion detection: show rule origin in rule adjustments grid
o ipsec: extend connection proposals tooltip to children and fix tooltip style issue
o lang: added traditional Chinese translation (contributed by Jason Cheng)
o monit: update model
o openvpn: allow optional OCSP checking per instance
o openvpn: emit device name upon creation
o openvpn: add workaround for net30/p2p smaller than /29 networks
o openvpn: add optional "route-metric" push option for server instances
o web proxy: integration moved to os-squid plugin
o wireguard: installed by default using the bundled FreeBSD 13.2 kernel module
o backend: constrain execution of user add/change/list actions to members of the wheel group
o backend: only parse stream results when configd socket could be opened
o backend: wait for all configd results and add it to the log message when detached
o mvc: remove legacy Phalcon migration glue
o mvc: add configdStream action to ApiControllerBase
o mvc: support array structures for better search functionality in ApiControllerBase
o mvc: scope xxxBase validations to the item in question in ApiMutableModelControllerBase
o mvc: remove Phalcon syslog implementation with a simple wrapper
o mvc: add a DescriptionField type
o mvc: add a MacAddressField type
o mvc: add IsDNSName to support DNS names as specified by RFC2181 in HostnameField
o ui: include meta tags for standalone/full-screen on Android and iOS (contributed by Shane Lord)
o ui: add double click event with grid dialog in tree view to show a row layout instead
o ui: auto-trim MVC input fields when being pasted
o ui: increase standard search delay from 250 ms to 1000 ms
o ui: make modal dialogs draggable
o ui: support key/value combinations for error messages in do_input_validation()
o plugins: os-acme-client 4.0
o plugins: os-api-backup was discontinued due to overlapping functionality in core
o plugins: os-firewall moved to core
o plugins: os-haproxy 4.2
o plugins: os-nrpe updated to NRPE 4.1.x
o plugins: os-postfix updated to Postfix 3.8.x
o plugins: os-squid 1.0 offers the removed web proxy core functionality
o plugins: os-wireguard moved to core
o plugins: os-wireguard-go was discontinued
o src: NFS client data corruption and kernel memory disclosure
o src: pf: merge extended support for SCTP and related stable changes
o src: e1000: merge assorted driver improvements for hardware capabilities
o src: bsdinstall: merge assorted stable changes
o src: tuntap: merge assorted stable changes
o src: wireguard: add experimental netmap support
o src: sys: Use mbufq_empty instead of comparing mbufq_len against 0
o src: e1000/igc: remove disconnected sysctl
o ports: libxml 2.11.6
o ports: openssl 3.0.12
o ports: php 8.2.15
o ports: py-duckdb 0.9.2
o ports: sqlite 3.45.0
o ports: suricata 7.0.2
Migration notes, known issues and limitations:

Audits and certifications require us to restrict system accounts for non-administrators (in particular accounts not in the wheel group). It will no longer be possible to use non-administrator accounts with shell access, and permissions on sensitive files have been tightened so they are no longer world-readable. This may cause custom tooling to stop working, but it can easily be fixed by giving the required accounts full administration rights.

ISC DHCP functionality is slowly being deprecated with the introduction of Kea as an alternative. The work to replace the tooling of ISC DHCP is ongoing, and feature sets will therefore likely differ for a long time.

The move to the FreeBSD ports version of OpenSSL 3.0 is included and may disrupt third party repository use until those have been fixed and rebuilt accordingly. Please note that we do not vet third party repositories and do not have control over them, so their response time may vary.

The Squid web proxy functionality moves to a plugin and will no longer be installed by default for new installations. However, if you have Squid enabled, the plugin will automatically be installed during the upgrade. There is no code difference in the implementation and integration of the plugin compared to the core version.
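The account hardening in the first migration note (shell access limited to administrators, /conf/config.xml and backups no longer world-readable) is the change most likely to break existing automation, so it is worth auditing a box before upgrading. The script below is an added example and is not OPNsense project code. It assumes "administrator" means membership of the wheel group, either as primary GID or in the group's member list; it reads passwd- and group-format files given as arguments (on a live firewall these would be /etc/passwd and /etc/group) and checks a file's mode bits rather than using test -r, which would always succeed for root. The account names and files it creates are constructed sample data so that it runs offline.

```shell
#!/bin/sh
# Added example (not part of OPNsense): pre-upgrade audit for the 24.1
# account hardening. Assumption: "administrator" means a member of the
# wheel group, either by primary GID or via the supplementary member list.

# Print login names that have a usable shell but no wheel membership.
# $1 = passwd-format file, $2 = group-format file
nonwheel_shell_users() {
    awk -F: -v grpfile="$2" '
        BEGIN {
            # collect the wheel GID and its explicit members
            while ((getline line < grpfile) > 0) {
                split(line, g, ":")
                if (g[1] == "wheel") {
                    wheelgid = g[3]
                    n = split(g[4], m, ",")
                    for (i = 1; i <= n; i++) wheel[m[i]] = 1
                }
            }
            close(grpfile)
        }
        # accounts without a usable login shell are unaffected by the change
        $7 ~ /(nologin|false)$/ { next }
        # wheel by primary GID or by explicit membership counts as admin
        $4 == wheelgid || ($1 in wheel) { next }
        { print $1 }
    ' "$1"
}

# Succeed (0) when "other" has no read bit on $1, fail (1) when it does.
# Reads the mode string from ls -l so it works on BSD and GNU userland.
not_world_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 1 ;;
        *)          return 0 ;;
    esac
}

# Constructed sample data standing in for /etc/passwd, /etc/group and
# /conf/config.xml; prints the temporary directory it created.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
admin:*:1000:0:Firewall admin:/home/admin:/bin/csh
backupbot:*:1001:1001:Config backup script:/home/backupbot:/bin/sh
monitor:*:1002:1002:Monitoring:/home/monitor:/usr/sbin/nologin
auditor:*:1003:1003:Log reader:/home/auditor:/bin/sh
EOF
    cat > "$dir/group" <<'EOF'
wheel:*:0:root,admin,auditor
backupbot:*:1001:
monitor:*:1002:
auditor:*:1003:
EOF
    printf '<opnsense/>\n' > "$dir/config.xml"
    chmod 644 "$dir/config.xml"   # world-readable, the pre-24.1 situation
    printf '%s\n' "$dir"
}

samples=$(make_samples)
echo "Accounts with a shell but no wheel membership (lose shell access in 24.1):"
nonwheel_shell_users "$samples/passwd" "$samples/group"
if not_world_readable "$samples/config.xml"; then
    echo "config.xml: not world-readable"
else
    echo "config.xml: world-readable; 24.1 restricts it to administrators"
fi
rm -rf "$samples"
```

On the sample data only backupbot is reported: root and admin have wheel as primary GID, auditor is listed as a wheel member, and monitor has no login shell. Run it against the real /etc/passwd, /etc/group and /conf/config.xml before upgrading. Before promoting every reported account to full administrator, as the migration note suggests, check whether the tooling needs a shell at all; a job that only pulls configuration backups can usually be moved to the HTTP API under a dedicated, least-privilege user instead.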
Source:
Tweakers.net