Software Update: OPNsense 20.1.8

The package OPNsense is a firewall with extensive possibilities. It is based on the FreeBSD operating system and is originally a fork of m0n0wall and pfSense. The package can be set up completely via a web interface and has support for 2fa, openvpn, ipsec, carp and captive portal, among others. In addition, it can apply packet filtering and has a traffic shaper. The developers previously released OPNsense 20.1.8 with the following announcement:

OPNsense 20.1.8 released

Sorry about the delay while we chased a race condition in the updates back to an issue with the latest FreeBSD package manager updates. For now we reverted to our current version but all relevant third party packages have been updated as updates became available over the last weeks, eg cURL and Python, and hostapd / wpa_supplicant amongst others.

Here are the full patch notes:

• system: simpler get_interface_ip() usage in IPv4 renewal
• system: allow HA sync of network time settings
• system: download all filtered items in log export
• system: add support for upstream LDAP accounts in Nextcloud backup (contributed by Fabian Franz)
• interfaces: fix stateless DHCPv6 for track6 interfaces (contributed by Maurice Walker)
• firewall: fix missing address filter error by moving NAT targets to runtime resolve
• firewall: prevent gateway protocol mismatch from breaking the ruleset
• firewall: work around categories typeahead issue with recent jQuery libraries
• firewall: improve alias help text (contributed by Team Rebellion)
• firewall: switch from single log filter to one per attribute
• intrusion detection: when enabling rules prefixed with ‘# ‘ consume the extra space (contributed by Tra5is)
• intrusion detection: less sensitive rule parsing
• intrusion detection: compress stats.log backups
• ipsec: valid IPSec Phase 2 hash config warning raises GUI alert (contributed by Brett Merrick)
• unbound: add DNS64 support (contributed by Maurice Walker)
• web proxy: fix wrong button label for Download ACLs (contributed by 90er)
• mvc: add sort_flags optional parameter support (contributed by NOYB)
• rc: add full PATH to rc.syshook invoke
• plugins: os-acme-client[1][2]
• plugins: os-dnscrypt-proxy 1.8[3]
• plugins: os-dyndns 1.21 improves Cloudflare support (contributed by Andreas Rupper)
• plugins: os-freeradius 1.9.7[4]
• plugins: os-haproxy 2.23[5]
• plugins: os-intrusion-detection-content-snort-vrt 1.1
• plugins: os-stunnel 1.0[6] (sponsored by Incenter Technology)
• plugins: os-tayga 1.1[7]
• plugins: os-theme-rebellion 1.8.4[8]
• ports: ca_root_nss 3.53
• ports: curl 7.71.0[9]
• ports: hostapd / wpa_supplicant UPnP SUBSCRIBE advisory[10]
• ports: krb5 1.18.2[11]
• ports: ntp 4.2.8p15[12]
• ports: pcre 8.44[13]
• ports: perl 5.30.3[14]
• ports: php 7.3.19[15]
• ports: python CVE-2019-18348 and CVE-2020-8492
• ports: sqlite 3.32.2[16]
• ports: sudo 1.9.1[17]
• ports: unbound 1.10.1[18]