Software-update: OPNsense 25.1.4

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars achter OPNsense hebben de vierde update voor versie 25.1 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.

OPNsense 25.1.4 released

This update offers support for "jq" syntax in JSON-based URL table aliases, new OpenVPN instance features and the mandatory batch of stability improvements in numerous parts of the GUI and backend.

Upcoming in 25.1.5 are better RADIUS integration and enabling message authentication. We are also replacing the captive portal implementation by moving from ipfw(4) to pf(4). Last but not least the firewall automation filter rules GUI received a generous revamp for a far better UX than before. You can preview these changes by switching to the development release type and let us know about any remaining bug that you may encounter.

Here are the full patch notes:

• system: add "Kill states when down" option to gatways
• system: stop pushing "nextuid" and "nextgid" during XMLRPC
• system: migrate tunables to implicit defaults
• system: secure access to sysctl configuration node
• system: fix RADIUS error check
• system: add "pwd_changed_at" field previously missing in user model
• system: rewire system_usermanager_passwordmg.php to /ui/user_portal for cooperation with the next business edition
• system: default "net.inet.carp.senderr_demotion_factor" tunable to "0"
• system: opnsense-beep: serialize access to /dev/speaker (contributed by Leonid Evdokimov)
• reporting: minor code cleanups in insight backend
• interfaces: move "(de)select all" button to the same row on packet capture page
• interfaces: add ARP address family option to packet capture
• interfaces: fix advanced mode visibility in VIPs
• firewall: performance improvement by using pf overall table stats instead of dumping each table
• firewall: offer better plug-ability for dynamic alias type
• firewall: alias rename action ignored due to missing lock
• firewall: support "jq" processing syntax for JSON-based URL table aliases
• openvpn: use shared base_bootgrid_table and base_apply_button
• openvpn: add support for assorted options
• openvpn: add basic HTTP client option
• router advertisements: move plugin code to its own space
• unbound: move whitelist (passlist) handling to Unbound plugin
• mvc: merge NetworkValidator into NetworkField to ease extensibility and add unit test
• mvc: send audit messages emitted in the authentication sequence to proper channel
• mvc: BooleanField now defaults to "0" on creation
• plugins: os-caddy 1.8.4
• plugins: os-frr 1.44
• plugins: os-theme-cicada 1.39
• plugins: os-theme-tukan 1.29
• plugins: os-theme-vicuna 1.49
• ports: dnsmasq 2.91
• ports: expat 2.7.0
• ports: lighttpd 1.4.78
• ports: pecl-radius now offers message authenticator support (scheduled to be enabled with 25.1.5)
• ports: phalcon 5.9.0
• ports: php 8.3.19
• ports: py-duckdb 1.2.1
• ports: py-jq 1.8.0
• ports: suricata 7.0.10