Software-update: OPNsense 25.7.6

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars achter OPNsense hebben de zesde update voor versie 25.7 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.

OPNsense 25.7.6 released

The usual round of additions and reliability fixes is being rounded off with Suricata version 8 and a new package manager version 2 almost two years in the making -- at least for our project. Please be aware that during the update check the new package manager will be installed, but will fail to report the update status like it always had before and so you will end up with an error that will require checking for updates again. The fix is in is update, but impossible to install without upgrading the package manager first. We hope this will only be a minor inconvenience during the process.

Syslog-ng is also being updated and includes a fix that previously prevented 2.9.x from shipping since it would hang the boot during daemonize. Many thanks to the authors for quickly picking this up and shipping a fixed version!

Here are the full patch notes:

• system: safeguard config history delete and revert by requiring HTTP POST method
• system: change atrun interval to every minute
• system: use new file_safe() in two instances
• system: improve the HA VIP sync code
• interfaces: fix permission of packet capture file in strict security mode
• firewall: refactor live log using a ring buffer
• firewall: add toggles to disable selected automatic rules
• firewall: enable "safe delete" for categories
• firewall: improved stats rendering on automation rules
• firewall: allow searching aliases in automation rules inspect mode by IP address
• dnsmasq: strict hostname and domain validation plus improved ipset validations
• firmware: package manager upgrade changes for pkg 2.x
• intrusion detection: remove obsolete "ac-bs" pattern matcher algorithm
• ipsec: allow underscores in PSK identifiers
• openvpn: add support for pushing excluded routes via net_gateway
• openvpn: allow multiple domains settings for client connection
• unbound: use file_safe() for root hint creation
• unbound: deprecate unmaintained AdAway blocklist
• wireguard: add debug option to instances
• backend: add file_safe() helper for atomic file creation
• mvc: add RegexField to properly validate PCRE2 syntax
• mvc: support arrays in search clauses
• rc: make sure /var/lib/php/tmp can be accessed by "other" users
• rc: do not clear /tmp on a diskless install
• ui: assorted adjustments for dark theme
• ui: always show bootgrid reset button
• plugins: os-ddclient 1.28
• plugins: os-git-backup 1.1
• plugins: q-feeds-connector 1.2
• plugins: os-squid 1.4 works around CVE-2025-62168
• plugins: os-zabbix-proxy 1.15
• ports: openssh 10.2p1
• ports: pkg 2.3.1
• ports: python 3.11.14
• ports: suricata 8.0.1
• ports: syslog-ng 4.10.2