Software-update: OPNsense 25.7.6

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars achter OPNsense hebben de zesde update voor versie 25.7 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.

OPNsense 25.7.6 released

The usual round of additions and reliability fixes is being rounded off with Suricata version 8 and a new package manager version 2 almost two years in the making -- at least for our project. Please be aware that during the update check the new package manager will be installed, but will fail to report the update status like it always had before and so you will end up with an error that will require checking for updates again. The fix is in is update, but impossible to install without upgrading the package manager first. We hope this will only be a minor inconvenience during the process.

Syslog-ng is also being updated and includes a fix that previously prevented 2.9.x from shipping since it would hang the boot during daemonize. Many thanks to the authors for quickly picking this up and shipping a fixed version!

Here are the full patch notes:

system: safeguard config history delete and revert by requiring HTTP POST methodsystem: change atrun interval to every minutesystem: use new file_safe() in two instancessystem: improve the HA VIP sync codeinterfaces: fix permission of packet capture file in strict security modefirewall: refactor live log using a ring bufferfirewall: add toggles to disable selected automatic rulesfirewall: enable "safe delete" for categoriesfirewall: improved stats rendering on automation rulesfirewall: allow searching aliases in automation rules inspect mode by IP addressdnsmasq: strict hostname and domain validation plus improved ipset validationsfirmware: package manager upgrade changes for pkg 2.xintrusion detection: remove obsolete "ac-bs" pattern matcher algorithmipsec: allow underscores in PSK identifiersopenvpn: add support for pushing excluded routes via net_gatewayopenvpn: allow multiple domains settings for client connectionunbound: use file_safe() for root hint creationunbound: deprecate unmaintained AdAway blocklistwireguard: add debug option to instancesbackend: add file_safe() helper for atomic file creationmvc: add RegexField to properly validate PCRE2 syntaxmvc: support arrays in search clausesrc: make sure /var/lib/php/tmp can be accessed by "other" usersrc: do not clear /tmp on a diskless installui: assorted adjustments for dark themeui: always show bootgrid reset buttonplugins: os-ddclient 1.28plugins: os-git-backup 1.1plugins: q-feeds-connector 1.2plugins: os-squid 1.4 works around CVE-2025-62168plugins: os-zabbix-proxy 1.15ports: openssh 10.2p1ports: pkg 2.3.1ports: python 3.11.14ports: suricata 8.0.1ports: syslog-ng 4.10.2

system: safeguard config history delete and revert by requiring HTTP POST method

system: change atrun interval to every minute

system: use new file_safe() in two instances

system: improve the HA VIP sync code

interfaces: fix permission of packet capture file in strict security mode

firewall: refactor live log using a ring buffer

firewall: add toggles to disable selected automatic rules

firewall: enable "safe delete" for categories

firewall: improved stats rendering on automation rules

firewall: allow searching aliases in automation rules inspect mode by IP address

dnsmasq: strict hostname and domain validation plus improved ipset validations

firmware: package manager upgrade changes for pkg 2.x

intrusion detection: remove obsolete "ac-bs" pattern matcher algorithm

ipsec: allow underscores in PSK identifiers

openvpn: add support for pushing excluded routes via net_gateway

openvpn: allow multiple domains settings for client connection

unbound: use file_safe() for root hint creation

unbound: deprecate unmaintained AdAway blocklist

wireguard: add debug option to instances

backend: add file_safe() helper for atomic file creation

mvc: add RegexField to properly validate PCRE2 syntax

mvc: support arrays in search clauses

rc: make sure /var/lib/php/tmp can be accessed by "other" users

rc: do not clear /tmp on a diskless install

ui: assorted adjustments for dark theme

ui: always show bootgrid reset button

plugins: os-ddclient 1.28

plugins: os-git-backup 1.1

plugins: q-feeds-connector 1.2

plugins: os-squid 1.4 works around CVE-2025-62168

plugins: os-zabbix-proxy 1.15

ports: openssh 10.2p1

ports: pkg 2.3.1

ports: python 3.11.14

ports: suricata 8.0.1

ports: syslog-ng 4.10.2

Source: Tweakers.net