Software-update: OPNsense 22.1.4

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor 2fa, openvpn, ipsec, carp en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars hebben OPNsense 22.1.4 uitgebracht met de volgende aankondiging:

OPNsense 22.1.4 released

QinQ support based on the FreeBSD 13 VLAN base functionality is finally here! To make the best use of it a MVC conversion of the GUI pages was carried out meaning these are now fully API-enabled as well. Two bugs in the previous GIF/GRE rework have also been reported and fixed.

Note while this does fix CVE-2022-0778 even for LibreSSL the security audit database by FreeBSD will falsely flag the 3.3.6 release as vulnerable when in fact it is not. Since build issues arise on LibreSSL 3.4 that involve plugin dependencies in all likelihood we will be refraining from updating to version 3.4 altogether and do not have much hope for the upcoming 3.5 either.

Here are the full patch notes:

• system: prefer configured IP address family use earlier on boot
• system: allow boot to perform generic UFS/ZFS grow using the /.probe.for.growfs marker file
• system: import ZFS pools before mounting ZFS datasets
• reporting: use asynchronous DNS resolver for reverse lookups on traffic page
• interfaces: loopback "lo0" exists for VIPs
• interfaces: only strip addresses on configured IP types
• interfaces: use new ifctl utility for DHCPv6 IP type and add manual page
• interfaces: adjust MTU configuration when parent also requires MTU changes
• interfaces: VLAN MVC conversion with API and QinQ support
• interfaces: cleanup surrounding LAGG function use
• firewall: constrain default CARP allow rules to those defined in RFC 5798
• firewall: make sure that rule use of gateways (route-to) and reply-to are mutually exclusive
• firewall: tighten alias FQDN validation to avoid accepting mistypes such as "192.168.01.1"
• firmware: revoke the 21.7 fingerprint
• intrusion detection: improve row count on alerts page
• backend: consolidate configctl utility into one location and add manual page
• plugins: os-ddclient 1.4
• plugins: os-theme-cicada 1.29
• plugins: os-theme-vicuna 1.41
• src: openssl: fix a bug in BN_mod_sqrt() that can cause it to loop forever
• src: zfs: fix handling of errors from dmu_write_uio_dbuf()
• src: debugnet: remove spurious message on boot
• ports: ca_root_nss fix for faulty upstream file linking
• ports: libressl 3.3.6
• ports: openssl 1.1.1n
• ports: openvpn 2.5.6