Software-update: OPNsense 25.1

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars hebben OPNsense 25.1 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.

OPNsense 25.1 released

For an entire decade now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

25.1, nicknamed "Ultimate Unicorn", features numerous MVC/API conversions, improved security zones support and documentation, ZFS snapshot support, a new UI look with a light and dark theme, PHP 8.3, FreeBSD 14.2 plus much more.

Here are the full patch notes against version 24.7.12:

• system: migrate user, group and privilege management to MVC/API
• system: remove the "disable integrated authentication" feature
• system: add "Default groups" option to add standard groups when a LDAP/RADIUS user logs in
• system: remove the old manual LDAP importer
• system: migrate HA status page to MVC/API
• system: allow custom additions to sshd_config (contributed by Neil Greatorex)
• system: increase max-request-field-size for web GUI
• system: set tunable default for checksum offloading of the vtnet(4) driver to disabled (contributed by Patrick M. Hausen)
• system: add support for RFC 5549 routes and refactor static route creation code
• system: improve notification support to also allow persistent notifications and static banners
• system: add notifications for low disk space and OpenSSH file override use
• system: migrate tunables page to MVC/API
• system: switch to temperature sensor caching
• system: add certificate widget to track expiration dates and allow quick renewal
• system: remove deprecated "page-getserviceprovider", "page-dashboard-all" and "page-system-groupmanager-addprivs" privileges
• system: replace file_get_contents() with curl implementation in XMLRPC sync and add verifypeer option
• system: add item edit links to several dashboard widgets
• system: prioritize index page and prevent redirection to a /api page on login
• system: mute disk space status in case of live install media
• system: optimize system status collection
• interfaces: adhere to DAD during VIP recreation in rc.newwanipv6
• interfaces: remove non-functional features from bridges
• interfaces: remove PPP edit in interfaces settings
• interfaces: batched device type creation under "devices" submenu
• interfaces: move PPP and wireless logs to system log
• interfaces: remove "Use IPv4 connectivity" setting as it will be set by default
• firewall: use "skip lo0" instead of policing lo0 explicitly following OpenBSD best practice
• firewall: remove duplicate table definition and make sure bogonsv6 table always exists
• firewall: cleanup of CARP and IPv6 rules behaviour
• firewall: filter feature parity in automation rules
• firewall: offer multi-select on source and destination addresses
• firewall: add experimental inline shaper support to filter rules
• firewall: add missing columns on one-to-one NAT page
• firewall: fix unassociated rule creation
• firewall: fix anti-lockout and "allow access to DHCP failover" automatic rules
• firewall: add optional authorization for URL type aliases
• firewall: add "URL Table in JSON format (IPs)" alias type
• dnsmasq: update ICANN Trust Anchor (contributed by Loganaden Velvindron)
• firmware: fix "r" abbreviation vs. version_compare();
• installer: fixed missing prompt and help text in ZFS disk selection
• installer: warn on low RAM for ZFS as well
• installer: added a power off option
• intrusion detection: policy content dropdown missing data-container
• intrusion detection: cleanse metadata for brackets
• ipsec: add log search button in sessions
• ipsec: add banner message when using custom configuration files
• kea-dhcp: add "match-client-id" in subnet definitions
• lang: update available translations
• monit: wrap exec in double quotes to allow arguments
• monit: flag file overwrites when they exist
• network time: take IPv6 addresses into account
• network time: remove support for explicit VIP selection
• openvpn: add validation pertaining to auth-gen-token and reneg-sec combinations
• unbound: cleanup available blocklists and add hagezi blocklists
• unbound: fix root.hits permission on copy
• unbound: flag file overwrites when they exist
• backend: -m option is unused so remove its complication
• mvc: implement reusable grid template using form definitions
• mvc: add Default() method to reset a model to its factory defaults
• mvc: fix LegacyMapper when the mount point is not the XML root
• mvc: move explicit cast in BaseModel when calling field->setValue()
• mvc: fields should implement getCurrentValue() rather than __toString()
• mvc: fix value lookup in LinkAddressField
• mvc: memory preservation fix in BaseListField
• mvc: support lazy loading on alias models and use it in NetworkAliasField
• mvc: fix NetworkValidator for IPv4-mapped addresses with netmask
• ui: upgrade Font Awesome icons to version 6
• ui: push search/edit logic towards bootgrid implementation
• ui: improved links with automatic edit and/or search
• ui: rewritten default theme for a light look and new logo
• ui: added default theme variant with a dark look
• plugins: turning binary data into JSON may fail globally
• plugins: os-acme-client 4.8
• plugins: os-caddy 1.8.1
• plugins: os-cpu-microcode 1.1 removes unneeded late loading code
• plugins: os-haproxy 4.5
• pluginsL os-tailscale 1.2
• src: FreeBSD 14.2-RELEASE
• src: p9fs: add an implementation of the 9P filesystem
• ports: lighttpd 1.4.77
• ports: openvpn 2.6.13
• ports: php 8.3.15
• ports: radvd 2.20

Migration notes, known issues and limitations:

• The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. The integrated authentication via PAM has been the default for a long time so the option to disable it has been removed. The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option. The "page-system-groupmanager-addprivs" privilege was removed since the page does not exist anymore. A multi-purpose privilege editor has been added under the existing "page-system-usermanager-addprivs" instead.
• PPP devices can no longer be configured on the interface settings page. To edit the device settings use the native PPP device edit page instead.
• FreeBSD 14.2 comes with the stock pf(4) behaviour regarding ICMPv6 neighbour discovery state tracking which was avoided so far in 24.7.x.
• Let's Encrypt ends support for the OCSP Must Staple extension on 30.01.2025. Issuance requests will fail if this option is still enabled past this date.