Software-update: OPNsense 23.1.6

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor 2fa, openvpn, ipsec, carp en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars hebben OPNsense 23.1.6 uitgebracht en deze versie gaat vergezeld met de volgende aantekeningen:

OPNsense 23.1.6 released

Two major improvements being shipped today are standalone core DNS support for Bind and Dnscrypt-Proxy plugins as well as OpenVPN group firewall alias type. The latter makes it easier to manage distinct policies for connected VPN users. For more details please refer to the documentation listed below.

The other honorable mention is the netmap work we have been doing with Zenarmor and Klara on the FreeBSD kernel side which brings bridge device support as well as a considerable improvement to the emulated mode where several packet stalls and mbuf leaks have been identified and subsequently fixed. This should have an operational impact on Suricata (IPS mode) and Zenarmor. The state is much better now but please do not hesitate to contact us about issues that you might still be having with netmap-based packet flows as the topic is a rather complex one.

Orange FR users be aware that your ISP now requires strict VLAN PCP on all DHCPv4 requests so please do set 'Use VLAN priority' interface setting for both DHCPv4 and DHCPv6. The 'Option Modifiers' override for "vlan-pcp" in DHCPv4 can be removed and the documentation was updated accordingly.

Here are the full patch notes:

• system: register DNS service ports for unified use across core and plugins
• system: serialize deferred requests for web GUI restart
• system: relocate API messages to backend log target as they currently end up in captive portal logs
• system: remove /31 subnet restriction in wizard
• system: use data attribute to find existing rows in service widget to avoid special character issues (contributed by Alexander O'Mara)
• system: allow non-system group delete after faulty PHP 8 warning fix (contributed by kulikov-a)
• system: handle empty DNS server gateway (contributed by Nicolas Thumann)
• reporting: translate invalid interface name characters for NetFlow/Netgraph use
• reporting: sort interfaces by description in health graphs
• interfaces: ping diagnostic tool was rewritten using MVC/API
• interfaces: allow to set PCP value on IPv4 DHCP traffic to address recent Orange FR changes
• firewall: allow to create aliases for logged-in OpenVPN users
• firewall: leave out fractional seconds from timestamps in aliases
• firewall: fix progress bar default value (contributed by Nicolas Thumann)
• dhcp: fix too many addresses issue in radvd RDNSS setting
• dhcp: add missing double quotes in hostname handling
• firmware: remove flavouring support from update tools
• ipsec: pull data for dashboard widget exclusively from backend
• ipsec: move XAuth out of "IKE Extensions" block
• ipsec: add connection child as option for manual SPDs
• ipsec: another small GUI fix for basic log option in advanced settings
• openvpn: fix dashboard widget and add missing byte data to status call
• plugins: os-bind 1.26
• plugins: os-crowdsec 1.0.4
• plugins: os-ddclient 1.12
• plugins: os-dnscrypt-proxy 1.13
• plugins: os-nginx 1.32
• plugins: os-upnp now allows subnet mask 0 in rules (contributed by Reiko Asakura)
• src: bridge: add support for emulated netmap mode
• src: epair: also remove vlan metadata from mbufs
• src: ifconfig: fix configuring if_bridge with additional operating parameters
• src: netmap: fix queue stalls with generic interfaces
• src: netmap: assorted upstream stable patches
• src: sched_ule: assorted fixes to address issues on newer AMD platforms
• ports: curl 8.0.1
• ports: ifinfo now also prints interface index (contributed by Nicolas Thumann)
• ports: php 8.1.17