Since last month, the new major release 19.7 of the popular open-source firewall OPNsense, alias Jazzy Jaguar, has been available. Highlights include:
- built-in remote system logging through Syslog-ng
- route-based IPsec
- updated translations with Spanish as a brand new and already fully translated language
- newer Netmap code with VirtIO, VLAN child and vmxnet support
Updates 19.7.1 and 19.7.2 were released recently. Here are the notes for the latter:
OPNsense 19.7.2 Release Notes
- system: missing “” in legacy output via Syslog-ng
- system: fix writing gateway information for DNS servers
- system: allow gateway to work in DHCPv6 WAN when no router solicitation is available
- firewall: unhide automatic interface-based output rules
- firewall: unhide automatic non-interface-based floating rules
- firewall: lift length restriction in NAT rule description
- firewall: avoid newlines in rule descriptions
- firewall: only show usable addresses in NAT outbound rules
- interfaces: fix extended CARP output when parsing interface information
- interfaces: add more outputs to overview page to increase usefulness
- interfaces: use shared DHCP lease reader for ARP list
- captive portal: fix binary read issue in Python 3
- dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)
- firmware: handle file signature verify correctly with multiple fingerprint repositories
- firmware: Aivian mirror is no longer active
- firmware: Cloudfence mirror in Brazil added
- plugins: os-acme-client 1.24[1]
- plugins: os-bind 1.6 (contributed by crazy-max)
- plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)
- plugins: os-grid_example 1.0[2]
- plugins: os-helloworld Python 3 compatibility[3]
- plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)
- plugins: os-sunnyvalley 1.0[4][5]
- src: fix panic from Intel CPU vulnerability mitigation[6]
- src: fix multiple telnet client vulnerabilities[7]
- src: fix pts write-after-free[8]
- src: fix kernel memory disclosure in freebsd32_ioctl[9]
- src: fix reference count overflow in mqueuefs[10]
- src: fix bhyve out-of-bounds read in XHCI device[11]
- src: fix file descriptor reference count leak[12]
- ports: libevent 2.1.11[13]
Source: https://opnsense.org/opnsense-19-7-2-released/
OPNsense 19.7 Release Notes
- List automatic firewall rules
- Statistics for all firewall rules
- Alias JSON import / export
- Optional statistics for aliases
- Firewall rule locator for live log and automatic rules
- Rewritten gateway handling and switching
- Remote logging via Syslog-ng
- LDAP group sync support
- Support certificate signing requests
- Route-based IPsec support (VTI)
- XMLRPC sync support for alias, VHID, widgets
- Unbound host overrides alias support
- Web proxy and IPsec authentication using PAM
- Parent web proxy support
- Web proxy login privilege via group
- Improved reliability and utility of opnsense-patch
- Dpinger and DHCP servers ported to plugin framework
- Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
- Spanish as a new language
- Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin
- Netmap update for VirtIO, VLAN child and vmxnet support
- Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4
And here are the full changes against version 19.7-RC1:
- system: lower automatic gateway priority for tunnel interfaces
- system: only show enabled interfaces on gateway edit
- system: speed up console banner interface print
- interfaces: typo in default WAN selection for packet capture
- interfaces: support multiple interfaces for packet capture
- interfaces: fix ambiguity in get_parent_interface()
- firewall: restart filterlog with every filter reload
- firmware: add update syshook
- ipsec: phase2 IP type selector using the wrong class
- reporting: fix Insight bug not processing top port and address statistics
- ui: window_highlight_table_option() fix for Safari
- wizard: improve logo contrast in welcome message
- plugins: os-frr redistribute configuration fix (contributed by Cedric Vanet)
- plugins: os-intrusion-detection-content-et-pro 1.0.1 now uses suricata-4.0 rulesets
- plugins: os-haproxy 2.17[2][3]
- plugins: os-mail-backup 1.0 (contributed by Joao Vilaca)
- plugins: os-maltrail 1.0 (contributed by Michael Muenz)
- plugins: os-smart 2.0 MVC conversion (contributed by Smart-Soft)
- plugins: os-tinc chroot setup with resolv.conf
- plugins: os-wireguard 1.0 (contributed by Michael Muenz)
- plugins: os-wol 2.2 fixes byte conversion
- src: bump netmap ring size, still too small in FreeBSD
- src: add FCC6_FCCA regulatory domain to ath_hal(4)
- src: restore IPV6_NEXTHOP option support
- src: fix privilege escalation in cd(4) driver[4]
- src: fix kernel stack disclosure in UFS/FFS[5]
- src: fix iconv buffer overflow[6]
- src: import tzdata 2019b
- ports: ca_root_nss 3.45
- ports: filterlog 0.3 will not print to console and lowercase IPv6 protocol output
- ports: postfix update is now non-interactive to prevent stalls
- ports: rrdtool 1.7.2[7]
Known issues and limitations:
- Web proxy squid update from version 3 to 4 breaks the cache database. To repair go to “Services: Web Proxy: Administration” tab “Support” and click “Reset”.
- Web proxy login privilege is no longer available. Access may be restricted by a group selector instead.
- Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates.
- OpenVPN no longer supports listening on gateway groups. Use localhost paired with port forwards instead.
Source: https://opnsense.org/opnsense-19-7-jazzy-jaguar-released/