OPNsense is a firewall package with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. The package can be configured entirely through a web interface and supports, among other things, 2FA, OpenVPN, IPsec, CARP and a captive portal. It can also apply packet filtering and includes a traffic shaper. The developers have released OPNsense 19.1.7 with the following announcement:

OPNsense 19.1.7 released

Hello, hello!

This update features a number of improvements such as link-local support for bridges, HA sync consolidation, adding local CAs to the trusted SSL certificates for most of the system download capabilities, plugin-based PAM authentication rework for IPsec and the web proxy as well as third party fixes for hostapd / wpa_supplicant 2.8 and Suricata 4.1.4.

Python 3 migration is also underway now, which requires pulling in both Python versions, which may be heavy on embedded Nano installs, but we cannot see another way for this tedious task, which will probably stretch into 19.7 to be fully carried out in 20.1.

And speaking of 20.1: This is the first of many reminders that 20.1 will discontinue the i386 (Intel 32 Bit) franchise as discussed a number of times within the community over the years. Our hope is that ARM64 will make a viable replacement. But that is for another time.

As you may have noticed the project has not been delivering releases every other week and there are a number of reasons for it:

Security-wise we have not had a lot of necessary third-party software updates. Feature-wise we are sitting on a number of improvements for the upcoming 19.7 series that will trickle into 19.1.x now, but that have also required larger preparations and testing in the meantime. On the community side of the spectrum, sponsored by our partner m.a.x. it, we have started to work on better default gateway switching, which led to an overall gateway integration rework and then quickly to interface handling restructuring, which in turn led to improving plugin capabilities of core services (OpenVPN, IPsec, Unbound, Dnsmasq, DHCPD, Dpinger). Looking at it now it has been the largest rework so far on code established many years ago and only occasionally patched. We hope this shows our dedication to the code base even when things are not always 100% bug free. If you feel like pitching in, now is a good time to try the development version and let us know how it performs.



Without further ado, here are the full patch notes:

system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services)
system: support for syncing alias and VHID to the slave
system: cleanly rewrite CA root files and add local trusted CAs as well
system: disable backup cron job when no backup is enabled
system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri)
system: migrate health graph scripts to Python 3.6
interfaces: properly add and remove IPv6 trackers after interface apply
interfaces: validate prefix ID of IPv6 trackers so that each ID is unique
interfaces: display "0x" in prefix ID field so that it is clear that the value is in hex
interfaces: fix passing VLAN name in interface_virtual_create()
interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters
interfaces: allow link-local address on bridges via optional setting
interfaces: PPP-related code cleanups
firewall: prevent double-escaping of text in rules page
firewall: handle IDNA encode failures in aliases
firewall: alias import / export option
captive portal: update to bootstrap 3.4.1
captive portal: fix a race in directory creation and listClients()
dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner)
dhcp: merge static MAC addresses with leases
dhcp: prevent double-escaping of text in leases page
firmware: add private log file for major upgrade package install step
firmware: use a safer major upgrade package install mode
firmware: retain /etc/motd on base updates
ipsec: implemented wildcard includes (contributed by Mark Plomer)
ipsec: only apply mobile PFS to mobile phase 2
ipsec: restyle mobile settings a little
ipsec: switch XAuth to PAM
ipsec: partial fix for static routes on routed tunnels during boot
network time: reload RRD since NTP has a setting for it
web proxy: fix PAC weekday match labels (contributed by Mohammed Sadiq)
web proxy: switch authentication to PAM
backend: treat non-existing key as empty string in sortDictList()
mvc: pluggable PAM-based authentication framework
mvc: add filter closure to searchBase()
plugins: introduce plugins_run() for collecting structured data from plugins
plugins: os-clamav 1.6
plugins: os-dyndns 1.5 fixes CloudFlare zone ID lookup behaviour (contributed by George Johnson)
plugins: os-frr 1.10
plugins: os-netdata 1.0 (contributed by Michael Muenz)
plugins: os-nginx 1.11_2 fixes ACME support (contributed by Frank Wall)
plugins: os-rfc2136 1.5 removes unused gateway group related code
src: move invoking of callout_stop(&lle->lle_timer) into llentry_free()
src: ensure that IP addresses match in ICMP error packets in pf(4)
src: add bsdinstall utility for upcoming 19.7 installer replacement
ports: dhcp6c v20190419 fixes raw options segfaults (contributed by Franck78)
ports: hostapd / wpa_supplicant 2.8
ports: perl 5.28.2
ports: py-yaml 5.1
ports: suricata 4.1.4
ports: sqlite 3.27.2

Stay safe,

Your OPNsense team