The open-source firewall OPNsense Community Edition has received update 23.1.1 and, shortly afterwards, hotfix 23.1.1_2. Besides closing security holes, the updates fix bugs from the previous version 23.1. The IPsec and Unbound components received a large number of improvements. Unbound DNS also gained a SafeSearch option for blocklists, and the new Unbound reporting database was optimized so that its CPU load should now be lower and the reporting page easier to use.
OPNsense 23.1.1 Release Notes
- system: replace single exec_command() with new shell_safe() wrapper
- system: fix assorted PHP 8.1 deprecation notes
- system: remove overreaching "Reconfigure a plugin facility" cron job and backend command that has no visible users
- interfaces: fix VLAN rename after protocol addition in 23.1
- interfaces: fix VLAN missing a config lock on delete
- interfaces: make description field show for all types of VIP (contributed by FingerlessGloves)
- interfaces: allow VHID reuse as it was before 23.1
- firewall: prevent possible infinite loop in alias parsing (contributed by kulikov-a)
- firewall: do not calculate local port range for alias (contributed by kulikov-a)
- firewall: update validation of alias names to be slightly more restrictive
- firewall: safeguard download_geolite() and log errors
- firewall: do not switch gateway on bootup
- captive portal: enforce a database repair during operation if necessary
- firmware: move single-call function reporter page
- intrusion detection: properly reset metadata response when no metadata is found
- ipsec: allow "@" character in eap_id fields for new connections
- ipsec: missing remapping pool UUID to name for new connections
- ipsec: change status column sizing and hide local/remote auth by default
- ipsec: fix username parsing in lease status
- ipsec: refactor widget to use new data format
- ipsec: migrate duplicated cron job
- ipsec: faulty unique constraint in pre-shared keys
- ipsec: fix eap_id placement for eap-mschapv2
- unbound: simplify logger logic for required queries
- unbound: add SafeSearch option to blocklists
- unbound: match white/blocklist action exactly from reporting page
- unbound: always prioritize whitelists over blocklists
- unbound: various UX improvements in reporting page
- unbound: add serve-expired, log-servfail, log-local-actions and val-log-level advanced settings
- unbound: drop unnecessary index from reporting database and other optimizations to lower CPU usage
- unbound: add HTTPS record type to reporting
- unbound: remember reporting page logarithmic setting
- unbound: missing global so that cache is never flushed when requested
- mvc: cleanse $record input in searchRecordsetBase() before usage
- plugins: os-haproxy 4.1[1]
- plugins: os-openconnect 1.4.4[2]
- plugins: os-qemu-guest-agent 1.2[3]
- plugins: os-tayga fixes MVC interface registration
- plugins: os-wireguard fixes MVC interface registration
- src: geli: split the initialization of HMAC[4]
- src: fix ena driver crash after reset in 7th gen AWS instance types[5]
- src: fix sdhci broken write-protect settings[6]
- src: import tzdata 2022g[7]
- src: ipsec: clear pad bytes in PF_KEY messages
- src: fib_algo: set vnet when destroying algo instance
- src: if_ipsec: handle situations where there are no policy or SADB entry for if
- src: if_ipsec: protect against user supplying unknown address family
- src: if_me: use dedicated network privilege
- src: vxlan: add support for socket ioctls SIOC[SG]TUNFIB
- src: introduce and use the NET_EPOCH_DRAIN_CALLBACKS() macro
- src: iflib: Add null check to iflib_stop()
- src: x86: ignore stepping for APL30 errata
- src: pfctl: rule.label is a two-dimensional array
- src: pf: fix syncookies in conjunction with tcp fast port reuse
- src: pf: fix panic on deferred packets
- src: ipfw: Add missing 'va' code point name
- src: netmap: try to count packet drops in emulated mode
- src: netmap: fix a queue length check in the generic port rx path
- src: netmap: tell the compiler to avoid reloading ring indices
- ports: remove GnuTLS workarounds from ports previously required for LibreSSL
- ports: dnsmasq 2.89[8]
- ports: dpinger 3.3[9]
- ports: lighttpd 1.4.68[10]
- ports: openssh-portable 9.1p1[11]
- ports: openssl 1.1.1t[12]
- ports: php 8.1.15[13]
OPNsense Hotfix 23.1.1_2
- captive portal: remove mod_evasion use which was discontinued by lighttpd
- unbound: wait for pipe in logger (contributed by kulikov-a)
Note that the rate limiting in the captive portal, which was set to 250 connections from the same IP address, has been removed along with mod_evasive (see the hotfix entry above). The same limit can be recreated with a manual firewall rule for the captive portal zone by setting the advanced option "Max established" to 250; this caps the number of established TCP connections per source host.
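To show what that GUI option actually turns into under the hood, here is an added pf example (not from the release notes or from OPNsense itself). "Max established" in the OPNsense rule editor corresponds to pf's `max-src-conn` state option. The interface name em1 and the lighttpd ports 8000/8001 are assumptions for a hypothetical captive portal zone; adjust them to your own setup.

```pf
# Added example, not from the OPNsense release notes or this blog post.
# Assumptions: the captive portal zone sits on em1 and its lighttpd listens
# on TCP 8000 (HTTP) and 8001 (HTTPS). Adjust both to your zone.
cp_if    = "em1"
cp_ports = "{ 8000 8001 }"

# Before: a plain pass rule with no per-source limit. After the removal of
# mod_evasive from lighttpd, nothing else caps connections per client.
#pass in quick on $cp_if proto tcp from any to ($cp_if) port $cp_ports \
#    flags S/SA keep state

# After: the equivalent of GUI option "Max established" = 250. pf tracks
# states per source address and refuses new connections from a host that
# already holds 250 established TCP states to the portal.
pass in quick on $cp_if proto tcp from any to ($cp_if) port $cp_ports \
    flags S/SA keep state (max-src-conn 250)

# Optional, beyond what the GUI option does: put offenders into a table that
# a block rule matches, and drop their existing states. The block rule must
# sit before the pass rule because both use "quick".
#table <cp_abusers> persist
#block in quick on $cp_if from <cp_abusers>
#pass in quick on $cp_if proto tcp from any to ($cp_if) port $cp_ports \
#    flags S/SA keep state (max-src-conn 250, overload <cp_abusers> flush global)
```

On a test box you can check the syntax without loading anything with `pfctl -nvf /path/to/rules.conf`; once the rule is active, `pfctl -s sources` shows the per-source state counters that `max-src-conn` is evaluated against. Keep in mind that the limit is per source address, so clients behind a large NAT share one bucket of 250.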
Quelle: https://forum.opnsense.org/index.php?topic=32484.0