
The open-source firewall OPNsense Community Edition received update 23.1.1 and, shortly afterwards, hotfix 23.1.1_2. Besides security vulnerabilities, the updates also fix bugs of the previous version 23.1. The IPsec and Unbound components received a large number of improvements. In addition, the Unbound DNS server gained a SafeSearch option, and the new reporting database should now cause lower CPU load and be easier to use.
OPNsense 23.1.1 Release Notes
- system: replace single exec_command() with new shell_safe() wrapper
- system: fix assorted PHP 8.1 deprecation notes
- system: remove overreaching “Reconfigure a plugin facility” cron job and backend command that has no visible users
- interfaces: fix VLAN rename after protocol addition in 23.1
- interfaces: fix VLAN missing a config lock on delete
- interfaces: make description field show for all types of VIP (contributed by FingerlessGloves)
- interfaces: allow VHID reuse as it was before 23.1
- firewall: prevent possible infinite loop in alias parsing (contributed by kulikov-a)
- firewall: do not calculate local port range for alias (contributed by kulikov-a)
- firewall: update validation of alias names to be slightly more restrictive
- firewall: safeguard download_geolite() and log errors
- firewall: do not switch gateway on bootup
- captive portal: enforce a database repair during operation if necessary
- firmware: move single-call function reporter page
- intrusion detection: properly reset metadata response when no metadata is found
- ipsec: allow “@” character in eap_id fields for new connections
- ipsec: missing remapping pool UUID to name for new connections
- ipsec: change status column sizing and hide local/remote auth by default
- ipsec: fix username parsing in lease status
- ipsec: refactor widget to use new data format
- ipsec: migrate duplicated cron job
- ipsec: faulty unique constraint in pre-shared keys
- ipsec: fix eap_id placement for eap-mschapv2
- unbound: simplify logger logic for required queries
- unbound: add SafeSearch option to blocklists
- unbound: match white/blocklist action exactly from reporting page
- unbound: always prioritize whitelists over blocklists
- unbound: various UX improvements in reporting page
- unbound: add serve-expired, log-servfail, log-local-actions and val-log-level advanced settings
- unbound: drop unnecessary index from reporting database and other optimizations to lower CPU usage
- unbound: add HTTPS record type to reporting
- unbound: remember reporting page logarithmic setting
- unbound: missing global so that cache is never flushed when requested
- mvc: cleanse $record input in searchRecordsetBase() before usage
- plugins: os-haproxy 4.1[1]
- plugins: os-openconnect 1.4.4[2]
- plugins: os-qemu-guest-agent 1.2[3]
- plugins: os-tayga fixes MVC interface registration
- plugins: os-wireguard fixes MVC interface registration
- src: geli: split the initialization of HMAC[4]
- src: fix ena driver crash after reset in 7th gen AWS instance types[5]
- src: fix sdhci broken write-protect settings[6]
- src: import tzdata 2022g[7]
- src: ipsec: clear pad bytes in PF_KEY messages
- src: fib_algo: set vnet when destroying algo instance
- src: if_ipsec: handle situations where there are no policy or SADB entry for if
- src: if_ipsec: protect against user supplying unknown address family
- src: if_me: use dedicated network privilege
- src: vxlan: add support for socket ioctls SIOC[SG]TUNFIB
- src: introduce and use the NET_EPOCH_DRAIN_CALLBACKS() macro
- src: iflib: Add null check to iflib_stop()
- src: x86: ignore stepping for APL30 errata
- src: pfctl: rule.label is a two-dimensional array
- src: pf: fix syncookies in conjunction with tcp fast port reuse
- src: pf: fix panic on deferred packets
- src: ipfw: Add missing ‘va’ code point name
- src: netmap: try to count packet drops in emulated mode
- src: netmap: fix a queue length check in the generic port rx path
- src: netmap: tell the compiler to avoid reloading ring indices
- ports: remove GnuTLS workarounds from ports previously required for LibreSSL
- ports: dnsmasq 2.89[8]
- ports: dpinger 3.3[9]
- ports: lighttpd 1.4.68[10]
- ports: openssh-portable 9.1p1[11]
- ports: openssl 1.1.1t[12]
- ports: php 8.1.15[13]
OPNsense Hotfix 23.1.1_2
- captive portal: remove mod_evasion use which was discontinued by lighttpd
- unbound: wait for pipe in logger (contributed by kulikov-a)
The rate limiting in the Captive Portal, which was set to 250 connections from the same IP address, has been removed. This setting can easily be recreated with manual firewall rules using the Advanced Option “Max established” set to 250 destination addresses.
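As an added illustration that is not part of the original post: the “Max established” advanced option of an OPNsense firewall rule is rendered into pf's `max-src-conn` state option, so the removed per-source limit can be expressed as a hand-written rule like the one below. The interface name and the captive portal listener port are assumptions for this example.

```pf
# Added example (not from the post or the OPNsense project): pf equivalent of a
# firewall rule with Advanced Option "Max established" = 250, standing in for the
# removed mod_evasion limit. Interface and port are assumptions for this example.
cp_if   = "igb1"    # assumed interface the captive portal zone is bound to
cp_port = "8000"    # assumed captive portal HTTP listener port

# Let clients on the portal network reach the portal, but allow any single
# source IP to hold at most 250 established TCP connections (pf: max-src-conn).
# Connections beyond that limit from the same source are not created.
pass in quick on $cp_if proto tcp from $cp_if:network to ($cp_if) port $cp_port \
    flags S/SA keep state (max-src-conn 250)
```

The GUI setting only applies to TCP, which is why the rule is restricted to `proto tcp`; the generated rule can be checked on the firewall with `pfctl -sr`.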