Software Update: OPNsense 22.1.4

The package OPNsense is a firewall with extensive possibilities. It is based on the FreeBSD operating system and is originally a fork of m0n0wall and pfSense. The package can be set up completely via a web interface and has support for 2fa, openvpn, ipsec, carp and captive portal, among others. In addition, it can apply packet filtering and has a traffic shaper. The developers have released OPNsense 22.1.4 with the following announcement:

OPNsense 22.1.4 released

QinQ support based on the FreeBSD 13 VLAN base functionality is finally here! To make the best use of it a MVC conversion of the GUI pages was carried out meaning these are now fully API-enabled as well. Two bugs in the previous GIF/GRE rework have also been reported and fixed.

Note while this does fix CVE-2022-0778 even for LibreSSL the security audit database by FreeBSD will falsely flag the 3.3.6 release as vulnerable when in fact it is not. Since build issues arise on LibreSSL 3.4 that involve plugin dependencies in all likelihood we will be refraining from updating to version 3.4 altogether and do not have much hope for the upcoming 3.5 either.

Here are the full patch notes:

• system: prefer configured IP address family use earlier on boot
• system: allow boot to perform generic UFS/ZFS grow using the /.probe.for.growfs marker file
• system: import ZFS pools before mounting ZFS datasets
• reporting: use asynchronous DNS resolver for reverse lookups on traffic page
• interfaces: loopback “lo0” exists for VIPs
• interfaces: only strip addresses on configured IP types
• interfaces: use new ifctl utility for DHCPv6 IP type and add manual page
• interfaces: adjust MTU configuration when parent also requires MTU changes
• interfaces: VLAN MVC conversion with API and QinQ support
• interfaces: cleanup surrounding LAGG function use
• firewall: constrain default CARP allow rules to those defined in RFC 5798
• firewall: make sure that rule use of gateways (route-to) and reply-to are mutually exclusive
• firewall: tighten alias FQDN validation to avoid accepting mistypes such as “192.168.01.1”
• firmware: revoke the 21.7 fingerprint
• intrusion detection: improve row count on alerts page
• backend: consolidate configctl utility into one location and add manual page
• plugins: os-ddclient 1.4
• plugins: os-theme-cicada 1.29
• plugins: os-theme-vicuna 1.41
• src: openssl: fix a bug in BN_mod_sqrt() that can cause it to loop forever
• src: zfs: fix handling of errors from dmu_write_uio_dbuf()
• src: debugnet: remove spurious message on boot
• ports: ca_root_nss fix for faulty upstream file linking
• ports: lipressl 3.3.6
• ports: openssl 1.1.1n
• ports: openvpn 2.5.6