Software update: OPNsense 21.1.4

OPNsense is a firewall package with extensive options. It is based on the FreeBSD operating system and began as a fork of m0n0wall and pfSense. It can be configured entirely through a web interface and supports 2FA, OpenVPN, IPsec, CARP and captive portal, among others. It can also perform packet filtering and includes a traffic shaper. The developers have released OPNsense 21.1.4 with the following announcement:

OPNsense 21.1.4 released

The third party crypto libraries need patching so here we go! The number of user contributions and interaction regarding stability fixes and improvements from the OPNsense side seems to be picking up as well and that is great to see. The development version includes an update of Suricata to version 6.0.2 in case any of you want to try it out. Also, improvements in the DHCP static mapping can now deal with IPv6 prefix merge for such deployments using Unbound and Dnsmasq host registration.

In the past 3 months we have also been working on a business edition relaunch and now feel obligated to quickly present the results of these efforts: The upcoming release of the business edition will be versioned as 21.4 in order to decouple it from the community release cycle. To that end–and to stay true to open source–we have published the release engineering core branch for said business release.

You will see more distinction between “community” and “business” in communication, but the basic approach of a more conservative release cycle in volume and timing for the business edition remains the same. On top of this, the business edition also offers additional plugins, e.g. for central management tasks.

Here are the full patch notes:

  • system: add assorted missing configuration sections for high availability sync
  • system: restart web GUI with delay from services to prevent session disconnect
  • system: improve error reporting in LDAP authentication (contributed by kulikov-a)
  • system: changed USB serial option to use “on” instead of problematic “onifconsole”
  • system: ignore garbled data in log lines
  • system: fix single core activity display
  • interfaces: immediately enable SLAAC during IPv6 initiation
  • interfaces: fix a typo in the GIF setup code
  • firewall: allow to select rules with no category set
  • firewall: sort pfTable results before slice (contributed by kulikov-a)
  • firewall: make categories work with numbers only (contributed by kulikov-a)
  • reporting: skip damaged NetFlow records
  • dhcp: correct help text for IPv6 ranges (contributed by Team Rebellion)
  • dhcp: remove obsolete subnet validation for static entries
  • firmware: refine missing/invalid signature message during health check (contributed by Erik Inge Bolso)
  • firmware: zap changelog remove description (contributed by Jacek Tomasiak)
  • firmware: make status API endpoint synchronous when using POST
  • openvpn: remove checks for NTP servers 3 and 4 (contributed by Christian Brueffer)
  • unbound: Fix PTR records for DHCP endpoints (contributed by Gareth Owen)
  • ui: use HTTPS everywhere (contributed by Robin Schneider)
  • ui: bootgrid translation compatibility with Internet Explorer 11 (contributed by kulikov-a)
  • plugins: add service annotations to supported plugins
  • plugins: os-freeradius 1.9.10
  • plugins: os-haproxy 3.1
  • plugins: os-stunnel 1.0.3 adds client mode (contributed by Nicola Bonavita)
  • plugins: os-telegraf 1.9.0
  • plugins: os-theme-cicada 1.28 (contributed by Team Rebellion)
  • plugins: os-theme-tukan 1.25 (contributed by Team Rebellion)
  • plugins: os-theme-vicuna 1.4 (contributed by Team Rebellion)
  • plugins: os-wireguard 1.5
  • plugins: os-wol 2.4 fixes dashboard widget (contributed by kulikov-a)
  • src: fix multiple OpenSSL vulnerabilities
  • ports: ca_root_nss / nss 3.63
  • ports: libressl 3.2.5
  • ports: openldap 2.4.58
  • ports: openssh fix for double free in ssh-agent
  • ports: openssl 1.1.1k
  • ports: sudo 1.9.6p1
  • ports: suricata 5.0.6
  • ports: syslog-ng 3.31.2
  • ports: wpa_supplicant p2p vulnerability

Version number: 21.1.4
Release status: Final
Operating systems: Linux, BSD
Website: OPNsense
License type: GPL