The OPNsense package is a firewall with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. It can be configured entirely through a web interface and supports, among other things, MFA, OpenVPN, IPsec, CARP and captive portal. It can also perform packet filtering and includes a traffic shaper. The developers have released OPNsense 24.7.3, and the release notes for this version can be found below.
OPNsense 24.7.3 released
Today we are switching pf stateful tracking of ICMPv6 neighbour discoveries off in order to fix the previous instability with the FreeBSD security advisory first shipped in 24.7.1. We do this in order to provide the same reliable IPv6 functionality that was on all previous versions prior to 24.7.1 at the cost of resurfacing CVE-2024-6640 until a better solution has been devised. A link to the long and difficult upstream bug report is included below.
But that is not all. The GUI gains snapshot support on ZFS installations by implementing what is called "boot environments" which allows one to move seamlessly from one snapshot to another via reboot. This functionality can also be accessed from the boot loader menu option "8" for a quick recovery ensuring that at least one other snapshot was created to boot into. A very special thank you to Sheridan Computers for contributing this feature.
Here are the full patch notes:
- system: add snapshots (boot environments) support via MVC/API
- system: remove obsolete dashboard sync
- system: compact services widget on dashboard
- system: convert lock mode to edit mode on dashboard
- system: link certificates by subject on import
- system: unify how log search clauses work and add a search time constraint
- system: move to static imports for widget base classes on dashboard
- system: fix ACL check on dashboard restore and add safety check for save action
- system: change dashboard modify buttons to a bootstrap group (contributed by Jaka Prašnikar)
- interfaces: add "newwanip_map" event and deprecate old "newwanip" one
- interfaces: keep 24.7 backwards compatibility by allowing 6RD and 6to4 on PPP
- interfaces: add logging to PPP link scripts to check for overlap
- interfaces: return correct uppercase interface name in getArp()
- interfaces: fix issue with PPP port not being posted
- dhcrelay: start on "newwanip_map" event as well
- intrusion detection: update the default suricata.yaml (contributed by Jim McKibben)
- ipsec: move two logging settings to correct location misplaced in previous version
- ipsec: fix migration and regression during handling of "disablevpnrules" setting
- wireguard: support CARP VHID reuse on different interfaces
- mvc: when a hint is provided, also show them for selectpickers
- rc: fix banner HTTPS fingerprint
- plugins: os-ddclient 1.24
- plugins: os-theme-advanced 1.0 based on AdvancedTomato (contributed by Jaka Prašnikar)
- plugins: os-theme-cicada 1.38 (contributed by Team Rebellion)
- plugins: os-theme-vicuna 1.48 (contributed by Team Rebellion)
- plugins: os-upnp 1.6
- plugins: os-wol 2.5 adds widget for new dashboard (contributed by Michał Brzeziński)
- src: pf: fully annotated patch of disabling ND state tracking and issues for ICMPv6
- src: u3g: add SIERRA AC340U
- ports: dhcrelay 1.0 switches to official release numbering, but otherwise equal to 0.6
- ports: sqlite 3.46.1