Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars hebben OPNsense 24.1.2 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.
OPNsense 24.1.2 releasedIt is time to move back to Suricata version 7 after identifying the relevant default option changes in order to keep IPS/Netmap happy when running it. Kea also received a number of tweaks and updates as well as our VPN service integrations. Last but not least this includes FreeBSD 13.2-p10 and the recent DNS denial of service attack mitigation.
Here are the full patch notes:
- system: accept colon character in log queries
- system: add issuer and logo to OTP link
- system: fix gateway migration issue causing individual items to be skipped
- reporting: update traffic graph colors to be contrast and consistent (contributed by brotherla)
- interfaces: fix strpos() deprecation null haystack
- interfaces: add missing ACL entries for ARP/NDP tables
- interfaces: fix VXLAN validation
- firewall: change default traffic normalization behavior and choose "in" as standard direction for manual rules
- firewall: make select width more consistent on alias diagnostics table selection
- dhcp: set RemoveAdvOnExit to off in CARP mode for router advertisements
- dhcp: make sure the register DNS leases options reflect that this is only supported for ISC DHCP
- dhcp: make option_data_autocollect option more explicit in Kea
- dhcp: gather missing Kea leases another way since the logs are unreliable
- dhcp: add address constraint to Kea reservations
- dhcp: add unique constraint for MAC address + subnet in Kea
- dhcp: add domain-name to client configuration in Kea
- dhcp: loosen constraints for TFTP boot in Kea
- intrusion detection: adjust for default behaviour changes in Suricata 7
- ipsec: improve enable button placement on connections page
- ipsec: show EAP-RADIUS settings only when legacy tunnels are being used
- ipsec: allow % to support %any in ID for connections
- openvpn: when "cert_depth" is left empty it should ignore the value
- openvpn: data-ciphers-fallback should be a single option
- openvpn: fix support for /30 p2p/net30 instances
- openvpn: add "various_push_flags" field for simple boolean server push options in connections
- unbound: prevent os.write() on None when another thread closed the pipe in Python module
- wireguard: key constraints should only apply on peers and not instances
- wireguard: peer uniqueness should depend on pubkey + endpoint
- wireguard: skip attached instance address routes
- wireguard: remove duplicate ID columns
- mvc: fix Phalcon 5.4 and up
- src: jail: fix information leak
- src: bhyveload: use a dirfd to support -h
- src: EVFILT_SIGNAL: do not use target process pointer on detach
- src: setusercontext(): apply personal settings only on matching effective UID
- src: re: generate an address if there is none in the EEPROM
- src: wg: detect loops in netmap mode
- src: wg: detach bpf upon destroy as well
- src: wg: fix access to noise_local->l_has_identity and l_private
- src: wg: fix erroneous calculation in calculate_padding() for p_mtu == 0
- plugins: os-acme-client 4.1
- plugins: os-ddclient 1.21
- plugins: os-dnscrypt-proxy 1.15
- ports: dnsmasq 2.90
- ports: openvpn 2.6.9
- ports: phalcon 5.6.1
- ports: radvd adds upstream patch for RemoveAdvOnExit option
- ports: suricata 7.0.3
- ports: unbound 1.19.1