Software-update: OPNsense 23.1.7

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor 2fa, openvpn, ipsec, carp en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars hebben OPNsense 23.1.7 uitgebracht en deze versie gaat vergezeld met de volgende aantekeningen:

OPNsense 23.1.7 released

Today we switch to OpenVPN 2.6 including deferred authentication which we know some people have been waiting for. The routing subsystem received a refactor to integrate default gateway switching into the actual routing code.

Suricata was finally updated to a newer release since the Netmap (IPS) stall bug inside their code had been found and fixed while we were still using an older code base that did not have the error.

Please also note that OpenVPN does no longer support the XOR feature due to FreeBSD ports blocking these types of out-of-project contributions and OpenVPN itself was never interested in supporting it natively. We have been keeping this alive since 2015, but several alternatives exist now that were not available back then.

Here are the full patch notes:

• system: restructure routing to carry out default gateway switching and address family specific reconfig
• system: prevent PHP session garbage collection from running early (contributed by lin-xianming)
• system: finish simplifying plugins_run()
• firewall: add missing scrub rules in dependency check for alias use
• firewall: usability improvements and cleanups in scheduler pages (contributed by kuya1284)
• interfaces: ensure single PPP netgraph node has the proper name
• interfaces: reject invalid self-assignments in VLAN parent
• interfaces: migrate trace route page to MVC/API
• interfaces: migrate port probe page to MVC/API
• interfaces: remove indirection in PPP ports handling
• interfaces: exclude a few cases from PPPoEv6 negotiation
• reporting: fix incorrect interface index in NetFlow init (contributed by Nicolas Thumann)
• dhcp: restart radvd on config changes, otherwise keep SIGHUP
• dhcp: when cleaning up static leases do not remove entries where only a MAC address is set
• firmware: update size requirements for major upgrades from command line
• firmware: embed build metadata into package annotations for use in runtime remote queries
• firmware: fix execution of version queries when not possible
• firmware: revoke 22.7 fingerprint
• openvpn: fix two widget display issues
• openvpn: use CARP INIT state the same way as BACKUP state for client start/stop
• openvpn: enable deferred authentication (sponsored by m.a.x. it)
• unbound: minor improvements to handle "Dot" endpoints ambiguity
• web proxy: allow more signs for username and password (contributed by Bi0T1N)
• mvc: change Phalcon logging to omit type and date
• mvc: add strict option to NetworkField
• ui: prevent crashing out when endpoint does not return data for SimpleActionButton
• plugins: os-ddclient 1.13
• plugins: os-stunnel fix for missing OpenSSL CRL functions
• plugins: os-smart fix for highlighting result (contributed by Justin Horton)
• ports: libxml 2.10.4
• ports: openvpn 2.6.3
• ports: sqlite 3.41.2
• ports: suricata 6.0.11
• ports: syslog-ng 4.1.1