OPNsense 19.1 Inspiring Iguana veröffentlicht

Wie angekündigt, haben die Entwickler der Open-Source Firewall, OPNsense, das neueste Release 19.1 veröffentlicht. Nach 6 Monaten Entwicklung, seit Version 18.7, und 620 einzelnen Änderungen, sowie 12 Updates, ist der nächste Schritt in Richtung modularem Aufbau, schnelleren Releasezyklen, bei mehr Stabilität und Nutzerfreundlichkeit, gemacht. “Inspiring Iguana” löst somit “Happy Hippo” ab um noch erfolgreicher zu werden.

Beachtet vor dem Upgrade die Upgrade Notes ganz unten.

Ein paar Highlights der OPNsense Version 19 sind:

• Alias API ist final integriert
• Migration zu HardenedBSD 11.2 ist vollzogen
• Two-Factor-Authentication (2FA) ist mittels Kombination von remote LDAP / local TOTP mögilch
• der OpenVPN Client Export ist für die Unterstützung des API Supports komplett neugeschrieben worden

OPNsense 19.1 Release Notes mit Änderungen seit 18.7

• fully functional firewall alias API
• PIE firewall shaper support
• firewall NAT rule logging support
• 2FA via LDAP-TOTP combination
• WPAD / PAC and parent proxy support in the web proxy
• P12 certificate export with custom passwords
• Dpinger is now the default gateway monitor
• ET Pro Telemetry edition plugin[2]
• extended IPv6 DUID support
• Dnsmasq DNSSEC support
• OpenVPN client export API
• Realtek NIC driver version 1.95#
• HardenedBSD 11.2, LibreSSL 2.7
• Unbound 1.8, Suricata 4.1
• Phalcon 3.4, Perl 5.28
• firmware health check extended to cover all OS files, HTTPS mirror default
• updates are browser cache-safe regarding CSS and JavaScript assets
• collapsible side bar menu in the default theme
• language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
• new plugins for API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat, Dnscrypt-proxy

Änderungen zu OPNsense 19.1-RC2

• ipsec: add firewall interface as soon as phase 1 is enabled
• ipsec: phase 1 selection GUI JavaScript compatibility fix
• monit: widget improvements and bug fix (contributed by Frank Brendel)
• ui: fix regression in single host or network subnet select in static pages
• plugins: os-frr 1.7 updates OSPF outbound rules (contributed by Fabian Franz)
• plugins: os-telegraf 1.7.4 fixes packet filter input
• plugins: os-theme-rebellion 1.8.2 adds image colour invert
• plugins: os-vnstat 1.1[3]
• plugins: os-zabbix-agent now uses Zabbix version 4.0
• src: revert mmc_calculate_clock() as HS200/HS400 support breaks legacy support
• src: update sqlite3-3.20.0 to sqlite3-3.26.0[4]
• src: import tzdata 2018h, 2018i[5]
• src: avoid unsynchronized updates to kn_status[6]
• ports: ca_root_nss 3.42
• ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion)
• ports: sudo patch to fix listpw=never[7]

Infos zum Upgrade

• Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration.  Apinger is no longer available.
• Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
• Quagga plugin has been superseded by FRR plugin.  A binary quagga package has been conserved for the time being.
• Please read the FRR documentation with regard to the required system tunables[8].
• Bhyve UEFI boot may fail as a guest.  The problem is being investigated.
• SNMP plugin has been superseded by Net-SNMP plugin.

—
[1] https://docs.opnsense.org/manual/install.html
[2] https://docs.opnsense.org/manual/etpro_telemetry.html
[3] https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:03.sqlite.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:04.tzdata.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:05.kqueue.asc
[7] https://bugzilla.sudo.ws/show_bug.cgi?id=869
[8] https://docs.opnsense.org/manual/dynamic_routing.html