Software update: OPNsense 25.7.9
OPNsense is a firewall package with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. The package can be configured entirely through a web interface and supports, among other things, MFA, OpenVPN, IPsec, CARP and captive portal. It can also perform packet filtering and includes a traffic shaper. The developers behind OPNsense have released the ninth update for version 25.7, and the release notes for that release can be found below.
OPNsense 25.7.9 released
A bug snuck into the last release that did not properly disable the caching of DNS entries when using multiple blocklists with different network restrictions. We have used the opportunity to polish the notification code and apply behaviour during the migration of the old blocklist to the new format. The saga around safe command execution continues in this release as well. Otherwise it is a rather quiet release and 2025 is almost over.
Here are the full patch notes:
system: gateway monitor Shell class use et al
system: no longer back up DUID but add compatibility glue to opnsense-importer
system: replace exec() in config encrypt/decrypt
system: replace history diff exec() with shell_safe()
system: safe execution tweaks in rc.routing_configure
system: fix log keyword search regression introduced in 25.7.7
reporting: unbound: fix quick allow/blocklist actions by applying them to all blocklists
firewall: run filterlog directly after rules apply and remove promiscuous mode
firewall: allow setting a custom authentication HTTP header for alias URL fetch (contributed by nox-404)
firewall: for better IPv6 PMTU let "timex" and "paramprob" ICMP types through
firewall: do not allow nesting in GeoIP aliases
firewall: live log: restructure DOM layout to reduce wasted header space
firewall: live log: revert static property, persistence is disabled for this grid
firewall: safe execution changes in rules reloading code
firewall: safe execution changes in rc.filter_synchronize
dnsmasq: minor tweaks in lease commands
firmware: Shell class replacements in scripting
kea-dhcp: add lease commands, tabulator GroupBy, URL hashes
kea-dhcp: add DNR option (contributed by schreibubi)
network time: status: refactor to MVC/API
ipsec: connections: prevent model caching when referring items within the same model
ipsec: sessions: fix missing commands translation
isc-dhcp: move syslog definitions to plugin file
unbound: prevent caching of blocklist entries on overlapping subnet policies
unbound: notify user if a blocklist reset is required
unbound: reconfigure if marker file present
unbound: missing lock in del_host_override action
backend: minor shell execution changes and readability
backend: use mwexecf(m) where possible
backend: extend mwexecfb() with PID and log file support
mvc: fix default sort order being ignored in fetchBindRequest()
shell: rewrite timeout() using safe execution functions
ui: refresh notification status after default apply button is done
ui: remove obsolete jQuery bootgrid files
plugins: os-acme-client 4.11
plugins: os-ndp-proxy-go 1.1
plugins: os-tailscale 1.3
plugins: os-turnserver 1.1
plugins: os-upnp 1.8 features assorted improvements to plugin and daemon (contributed by Self-Hosting-Group)
plugins: os-web-proxy-sso has been marked for removal in 26.1
plugins: os-zabbix-agent 1.18
plugins: os-zabbix-proxy 1.16
ports: filterlog no longer uses unneeded promiscuous mode
ports: openvpn 2.6.17
ports: unbound 1.24.2
Source:
Tweakers.net