Software-update: OPNsense 24.7.5

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars hebben OPNsense 24.7.5 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.

OPNsense 24.7.5 released

This release removes significant processing overhead from larger setups due to being able to coalesce parallel configuration requests for the same component instead of iterating over the list of selected interfaces one by one. A number of third party software updates and FreeBSD security advisories are included as well.

This update also disables NUMA by default which can bring a boost in network throughput on affected systems. And of course we are still working on dashboard improvements so now the treasured picture widget is back with a better integration approach. Also take note that the NTP default changes to "restrict noquery" so that the system cannot externally be queried for revealing system internals anymore unless explicitly allowed.

Here are the full patch notes:

• system: update default dashboard layout and include the services widget
• system: render header for failed active widgets to allow identification and removal
• system: add ability for widget referral links
• system: cleaned up ACL definitions and use thereof
• system: add a picture widget
• system: default to vm.numa.disabled=1
• system: handle log lines with no timestamp (contributed by Iain MacDonnell)
• system: use interface maps in system_routing_configure() and dpinger_configure_do()
• system: when only selecting TLS1.3 ciphers make sure to only allow 1.3 as well in web GUI
• system: move web GUI restart to newwanip_map / plugins_argument_map() use
• interfaces: move compatible event listeners to newwanip_map
• interfaces: decouple PPP configure/reset from IPv4/IPv6 modes
• interfaces: move legacy RFC2136 invoke to plugin hook
• interfaces: add "spoofmac" device option and enforce it
• interfaces: prevent CARP VIP removal when VHID group is in use by IP aliases
• interfaces: routing configuration on changed interfaces only during apply
• firmware: opnsense-update: support unescaped mirror input (contributed by Michael Gmelin)
• firmware: opnsense-verify: show repository priority while listing active repositories
• ipsec: convert to vpn_map event invoke and plugins_argument_map() use
• monit: fix undefined function error in CARP script
• network time: enable "restrict noquery" by default (contributed by doktornotor)
• openssh: port to plugins_argument_map()
• openvpn: validate "Auth Token Lifetime" to require a non-zero renegotiate time in instances
• openvpn: convert to vpn_map event invoke and plugins_argument_map() use
• wireguard: convert to vpn_map event invoke
• ui: refine cookie policies and make them explicit
• plugins: add plugins_argument_map() helper
• plugins: os-caddy 1.7.1
• src: bhyve: improve input validation in pci_xhci
• src: libnv: correct the calculation of the size of the structure
• src: ifnet: Remove if_getamcount()
• src: ifnet: Add handling for toggling IFF_ALLMULTI in ifhwioctl()
• src: ifconfig: Add an allmulti verb
• src: date: include old and new time in audit log
• src: bpf: Add IfAPI analogue for bpf_peers_present()
• src: pf: use AF_INET6 when comparing IPv6 addresses
• src: if_ovpn: ensure it is safe to modify the mbuf
• src: if_ovpn: declare our dependency on the crypto module
• ports: curl 8.10.0
• ports: dhcp6c 20240919 reintroduced fixed arc4random() usage
• ports: expat 2.6.3
• ports: libpfctl 0.13
• ports: libxml 2.11.9
• ports: nss 3.104
• ports: python 3.11.10
• ports: sudo 1.9.16