Software-update: OPNsense 25.7

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor MFA, WireGuard, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars hebben OPNsense 25.7 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.

OPNsense 25.7 released

25.7, nicknamed "Visionary Viper", features reusable and thoroughly revamped frontend code, an SFTP backup plugin, experimental privilege separation for the GUI, JSON container support for aliases, a new and improved firewall automation GUI, performance enhancements especially for numerous aliases being used at once, Dnsmasq DHCP support, Kea DHCPv6 support, Greek as a new language, FreeBSD 14.3 plus much more.

Here are the full patch notes:

• system: the setup wizard was rewritten using MVC/API
• system: change default DHCP use from ISC to Dnsmasq for factory reset and console port and address assignments
• system: numerous permission, ownership and directory alignments for web GUI privilege separation
• system: allow experimental feature to run web GUI privilege separated as "wwwonly" user
• system: add a banner when trying to revert the privilege separated GUI back to root at run time
• system: consistently use empty() checks on "blockbogons", "blockpriv", "dnsallowoverride" and "dnsallowoverride_exclude"
• system: change default system domain to "internal" (contributed by Self-Hosting-Group)
• system: add missing "kernel" application for remote logging
• system: remove the "optional" notion of tunables known to the system
• system: enable kernel timestamps by default
• system: allow CSR to be downloaded from System/Trust/Certificates (contributed by Gavin Chappell)
• reporting: removed the unused second argument in getSystemHealthAction()
• reporting: renamed getRRDlistAction() to getRrdListAction()
• interfaces: fix media settings write issue since 24.7 as it would not apply when "autoselect" result already matched
• interfaces: removed defunct SLAAC tracking functionality (SLAAC on WAN still works fine)
• interfaces: no longer fix improper WLAN clone naming at run time as it should be ensured by code for a long time now
• interfaces: remove the functions get_configured_carp_interface_list() and get_configured_ip_aliases_list()
• interfaces: add VIP grid formatter to hide row field content based on the set mode
• interfaces: drop redundant updates in rtsold_resolvconf.sh (contributed by Andrew Baumann)
• firewall: add expire option to external aliases to automatically cleanup tables via cron
• firewall: removed the expiretable binary use in favour of the builtin pfctl
• firewall: speed up alias functionality by using the new model caching
• firewall: consolidated ipfw/dnctl scripting and fix edge case reloads
• firewall: code cleanup and performance improvements for alias diagnostics page
• firewall: fix AttributeError: DNAME object has no attribute address on DNS fetch for aliases
• firewall: assorted UI updates for automation pages
• captive portal: make room for additional authentication profiles
• captive portal: API dispatcher is now privilege separated via "wwwonly" user and group
• dnsmasq: add optional subnet mask to "dhcp-range" to satisfy DHCP relay requirements
• dnsmasq: sync CSV export with ISC and Kea structure
• dnsmasq: add CNAME configuration option to host overrides
• dnsmasq: add ipset support
• firmware: opnsense-version: build time package variable replacements can now be read at run time
• firmware: hide community plugins by default and add a checkbox to unhide them on the same page
• firmware: introduce a new support tier 4 for development and otherwise unknown plugins
• firmware: disable the FreeBSD-kmods repository by default
• firmware: sunset mirror dns-root.de (many thanks to Alexander Lauster for maintaining it for almost a decade!)
• intrusion detection: add an override banner for custom.yaml use
• intrusion detection: add JA4 support (contributed by Maxime Thiebaut)
• isc-dhcp: show tracking IPv6 interfaces when automatically enabled and offer an explicit disable
• isc-dhcp: hide IPv4 menu items when Dnsmasq DHCP is enabled to improve out of the box experience
• isc-dhcp: add static mapping CSV export
• kea-dhcp: add DNS field to Kea DHCP4 reservations (contributed by Gtt1229)
• lang: add Greek as a new language (contributed by sopex)
• lang: make more strings translate-able (contributed by Tobias Degen)
• openvpn: the server wizard functionality has been permanently removed as it required the old wizard implementation
• openvpn: "keepalive_timeout" must be at least twice the interval value validation
• wireguard: add diagnostics and log file ACL
• backend: trigger boot template reload without using configd
• mvc: introduce generic model caching to improve operational performance
• mvc: field types quality of life improvements with new getValues() and isEqual() functions
• mvc: filed types deprecated getCurrentValue() in favour of getValue() and removed isEmptyString()
• mvc: new BaseSetField() as a parent class for several other field types and numerous new and improved unit tests
• mvc: support chown/chgrp in File and FileObject classes
• mvc: use getNodeContent() to gather grid data
• mvc: allow PortOptional=Y for IPPortField
• mvc: remove SelectOptions support for CSVListField
• ui: switch from Bootgrid to Tabulator for MVC grid rendering
• ui: numerous switches to shared base_bootgrid_table and base_apply_button use
• ui: flatten nested containers for grid inclusion
• ui: use snake_case for all API URLs and adjust ACLs accordingly
• ui: add standard HTML color input support
• ui: move tooltip load event to single-fire mode
• ui: add checkmark to SimpleActionButton as additional indicator
• ui: improve menu icons/text spacing (contributed by sopex)
• plugins: replace variables in package scripts by default
• plugins: os-acme-client 4.10
• plugins: os-bind 1.34
• plugins: os-crowdsec 1.0.11
• plugins: os-frr 1.45
• plugins: os-gdrive-backup 1.0 for Google Drive backup support
• plugins: os-grid_example 1.1 updates best practice on grid development
• plugins: os-openvpn-legacy 1.0 for legacy OpenVPN components support
• plugins: os-puppet-agent 1.2
• plugins: os-strongswan-legacy 1.0 for legacy IPsec components support
• src: FreeBSD 14.3-RELEASE-p1 plus assorted stable/14 networking commits

Migration notes, known issues and limitations:

• Deprecated Google Drive backups due to upstream policy changes and moved to plugins for existing users.
• API URLs registered in the default ACLs have been switched from "camelCase" to "snake_case".
• API grid return values now offer "%field" for a value description when available. "field" will now always be the literal value from the configuration. The API previously returned a display value for some field types, but not all.
• Reverted tunables "hw.ibrs_disable" and "vm.pmap.pti" to FreeBSD defaults. If you want these set differently, then add them with an explicit value.
• While the mirror dns-root.de has been removed it will not be stripped from a running configuration and may keep working for a while longer. To ensure updates, however, please choose a different mirror at your own convenience.
• Moved OpenVPN legacy to plugins as a first step to deprecation.
• Moved IPsec legacy to plugins as a first step to deprecation.