Software-update: OPNsense 19.1

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor 2fa, openvpn, ipsec, carp en captive portal. Daarnaast kan het packet filtering toepassen en beschikt het over een traffic shaper. De ontwikkelaars hebben OPNsense 19.1 uitgebracht met de volgende aankondiging:

OPNsense 19.1 released

Hi there,

For more than four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

The 19.1 release, nicknamed "Inspiring Iguana", consists of a total of 620 individual changes since 18.7 came out 6 months ago, spread out over12 intermediate releases including the recent release candidates. That is the average of 2 stable releases per month, security updates and important bug fixes included! If we had to pick a few highlights it would be: The firewall alias API is finally in place. The migration to HardenedBSD 11.2 has been completed. 2FA now works with a remote LDAP / local TOTP combination. And the OpenVPN client export was rewritten for full API support as well.

These are the most prominent changes since version 18.7:

• fully functional firewall alias API
• PIE firewall shaper support
• firewall NAT rule logging support
• 2FA via LDAP-TOTP combination
• WPAD / PAC and parent proxy support in the web proxy
• P12 certificate export with custom passwords
• Dpinger is now the default gateway monitor
• ET Pro Telemetry edition plugin
• extended IPv6 DUID support
• Dnsmasq DNSSEC support
• OpenVPN client export API
• Realtek NIC driver version 1.95
• HardenedBSD 11.2, LibreSSL 2.7
• Unbound 1.8, Suricata 4.1
• Phalcon 3.4, Perl 5.28
• firmware health check extended to cover all OS files, HTTPS mirror default
• updates are browser cache-safe regarding CSS and JavaScript assets
• collapsible side bar menu in the default theme
• language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
• new plugins for API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat, Dnscrypt-proxy

Here are the full changes against version 19.1-RC2:

• ipsec: add firewall interface as soon as phase 1 is enabled
• ipsec: phase 1 selection GUI JavaScript compatibility fix
• monit: widget improvements and bug fix (contributed by Frank Brendel)
• ui: fix regression in single host or network subnet select in static pages
• plugins: os-frr 1.7 updates OSPF outbound rules (contributed by Fabian Franz)
• plugins: os-telegraf 1.7.4 fixes packet filter input
• plugins: os-theme-rebellion 1.8.2 adds image colour invert
• plugins: os-vnstat 1.1
• plugins: os-zabbix-agent now uses Zabbix version 4.0
• src: revert mmc_calculate_clock() as HS200/HS400 support breaks legacy support
• src: update sqlite3-3.20.0 to sqlite3-3.26.0
• src: import tzdata 2018h, 2018i
• src: avoid unsynchronized updates to kn_status
• ports: ca_root_nss 3.42
• ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion)
• ports: sudo patch to fix listpw=never

Migration notes and minor incompatibilities to look out for:

• Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration. Apinger is no longer available.
• Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
• Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.
• Please read the FRR documentation with regard to the required system tunables.
• Bhyve UEFI boot may fail as a guest. The problem is being investigated.
• SNMP plugin has been superseded by Net-SNMP plugin.

Stay safe,
Your OPNsense team