Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars achter OPNsense hebben versie 26.7 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.
OPNsense 26.71 releasedFor over 11 a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates, modern IPv6 support, as well as clear and stable 2-Clause BSD licensing.
26.7, nicknamed "Xenial Xenops", features interface assignments and gateway groups via MVC/API, firewall rules now defaulting to MVC/API, outbound NAT to source NAT migration assistant, captive portal IPv6 support, Kea DDNS/custom options/dynamic prefix delegation, FreeBSD 15.1, OpenVPN 2.7, PHP 8.5, Python 3.13, plus much more.
The upgrade path for 26.1 will likely be unlocked later today. We want to ensure the upgrade goes as smoothly as possible so please be patient! :)
Here are the full patch notes:Migration notes, known issues and limitations:
- system: remove periodic backups settings and backend code
- system: migrate gateway groups to MVC/API
- system: new service widget flat tile layout (partially contributed by Konstantinos Spartalis)
- system: make LDAP auth adhere to bad login penalty as well (contributed by Matt Andreko)
- system: move ldap_escape() to caller for now to avoid side effects
- system: improve the log_archive script to also work on log subdirectories
- system: change our version of "certctl" to emit files instead of links like it is the case in FreeBSD 15.1
- system: include interfaces widget in dashboard default
- system: adjust dashboard widget resize logic to observe border box instead of content box
- reporting: migrate several settings pages to MVC/API and assorted changes
- reporting: do not show disabled interfaces in traffic graphs (contributed by Konstantinos Spartalis)
- interfaces: migrate interface assignments to MVC/API
- interfaces: fix faulty netmask on loopback address due to upstream change
- firmware: remove overzealous cleansing in output_cmd to unhide individual character progress
- firewall: move config.xml default LAN allow rules to new rules GUI
- firewall: legacy rules pages move to plugin
- firewall: restrict automatic DHCPv6 filter rules to plugin/track6 use
- firewall: always set a sequence at the end of the rule set when cloning a NAT rule
- firewall: remove unused "safepoint" actions
- firewall: fix automatic source NAT rules not displayed for PPPoE interfaces
- firewall: flatten automatic source NAT rules into two per WAN type interface
- firewall: prevent deletion if a group is referenced in MVC rules
- firewall: constraint source NAT getAction() to only general page and align setAction() accordingly
- firewall: use proper path for one-to-one NAT rules for renaming operations
- firewall: avoid emitting reply-to on block rules as well
- firewall: change interface group render/apply order
- firewall: adjust MVC alias rename according to address_to_pconfig()
- firewall: adapt getAdvancedIds() to the sectioned form structure
- firewall: invalidate rule stats cache for firewall utilities API endpoint
- captive portal: move template actions out of the ServiceController into its own TemplateController
- captive portal: adjust accounting interval to Acct-Interim-Interval
- dnsmasq: possible use before define in lease watcher
- intrusion detection: rename "uncategorized" rule package to "adult" (contributed by Konstantinos Spartalis)
- monit: fix mail-format and poll-time validation
- unbound: missing NetMaskAllowed=N on override address
- wireguard: add allowed-ips to reresolve-dns.py in case none are set yet
- acl: merge user management ACLs into one single privilege
- backend: allow "strict" mode +TARGETS using the preamble "!"
- backend: swap "strict" template logic as it was reversed
- mvc: refactor base_dialog and parseFormNode() to simplify the template
- mvc: remove unused argument from getFormGrid()
- mvc: BaseField: emit descriptions in getNodes() when they are not the same as the value to match getNodeContent()
- mvc: PortField: reject whitespaces in port ranges during validation
- mvc: ModelRelationField: remove grouped option handling
- mvc: add file type to forms
- ui: add "opnsense-auto" theme which switches between "opnsense" and "opnsense-dark" depending on browser setting
- ui: decrease flashing in opnsense-auto theme when switching (contributed by Konstantinos Spartalis)
- ui: remove direct apply_btn_id usage in favour of base_apply_button template partial
- ui: fix menu registration not setting "active"
- plugins: os-firewall-legacy 1.0 contains the static PHP firewall rules pages
- plugins: os-ndproxy has been removed, use os-ndp-proxy-go instead
- src: FreeBSD 15.1-RELEASE-p1 plus assorted stable/15 networking commits
- src: pf: do not mangle IP header before shared forwarding
- src: pf: stop resolving hosts via DNS that use ":" modifier
- src: pf: clear anchor after stepping into it in pf_match_translation_rule()
- src: pf: pf_route() "dst" no longer holds the gateway in 15.x
- ports: libevent 2.1.13
- ports: lighttpd 1.4.85
- ports: openvpn 2.7.5
- ports: sqlite 3.53.3
- ports: suricata 8.0.6
- The privileges "page-system-groupmanager" and "page-system-usermanager-addprivs" were merged into "page-system-groupmanager" and are no longer available separately. This was done to avoid the misconception that access to a user management page gives constrained rights to each page, but that is not the case. User management is a process involving all 3 pages.
- The static PHP pages for firewall rule management have been moved to the "os-firewall-legacy" plugin which can be manually installed before or after the upgrade. All rules will continue to work regardless of the plugin being installed or not and are easily migrated using the given assistant.
- Hyper-V guests may be producing panics on certain hosts with more than one virtual processor assigned. Make sure to snapshot beforehand and stay on 26.1.x until the situation is clear.
- Since this is a major OS upgrade and OpenSSL changes from 3.0 to 3.5 third party repositories may interfere with your upgrade experience. Removing offending repositories and plugins may help; or wait for affirmation from the respective repository owners.

:strip_icc():strip_exif()/u/11631/tentacle.jpg?f=community)
:strip_icc():strip_exif()/u/900587/crop58d287fd6389a_cropped.jpeg?f=community)
/u/94596/crop643fb12fd4e6d.png?f=community)
/u/307041/crop5f24227a531bc_cropped.png?f=community)
:strip_icc():strip_exif()/u/146731/crop562615a0aa64c.jpeg?f=community)