Download OPNsense 23.7.8

The OPNsense package is a firewall with extensive possibilities. It is based on the FreeBSD operating system and is originally a fork of m0n0wall and pfSense. The package can be set up entirely via a web interface and has support for 2fa, openvpn, ipsec, carp and captive portal, among other things. In addition, it can apply packet filtering and has a traffic shaper. The developers have released OPNsense 23.7.8 and the release notes for that release can be found below.

OPNsense 23.7.8 released

The configuration restore GUI has been improved in a number of ways due to recent demand and Squid was updated to the new major release version 6. A number of reliability improvements were also added to the WireGuard kernel plugin which from our perspective is now ready for core inclusion. The documentation is being updated accordingly, but will take a bit more time to ensure consistency following up on the GUI changes it received.

This update also includes FreeBSD security advisories and assorted fixes. We are aware of OpenSSL 1.1.1 CVE-2023-5678 and we are already testing builds based on OpenSSL 3 which can be available in 24.1 when it does not negatively impact overall operation. We also expect fixes for version 1 to be available sooner, but without OpenSSL providing such fixes directly the roundtrip time is likely going to increase for them.

Here are the full patch notes:

• system: minor changes related to recent Gateway class refactoring
• system: use unified style for “return preg_match” idiom so the caller receives a boolean
• system: provide mismatching interface logic without reboot on configuration restore
• system: allow new backup API to download latest configuration directly via /api/core/backup/download/this
• system: extend restore to be able to migrate older configurations cleanly
• system: make trust store reload conditional
• interfaces: assorted bridge handling improvements
• interfaces: ignore ULAs for primary IPv6 detection
• interfaces: improve wireless channel parsing
• firewall: keep filtered items available longer in live log
• firewall: when migrating aliases make sure that nesting does not fail
• firewall: port can be zero in automatic rule so render it accordingly
• firewall: minor update to shaper model
• firmware: invalidate GUI caches earlier since certctl blocks this longer now
• firmware: add root file system to health audit
• monitor: minor update to model
• long: update Chinese, Czech, Italian, Korean, Polish and Spanish
• openvpn: host bits must not be set for IPv4 server directive in instances
• unbound: minor update to model
• unbound: remove localhost from automatically created ACL
• web proxy: handle the major update to version 6 and update model
• mvc: enforce uniqueness and remove validation message in UnqiueIdField
• mvc: config should be locked before calling checkAndThrowSafeDelete()
• ui: prevent form submit for MVC pages
• ui: improve default modal padding
• plugins: os-bind 1.28
• plugins: os-openconnect 1.4.5
• plugins: os-wireguard 2.5
• src: pfctl: fix incorrect mask on dynamic address
• src: libpfctl: assorted improvements
• src: msdosfs: zero partially valid extended cluster
• src: copy_file_range: require CAP_SEEK capability
• src: fflush: correct buffer handling in __sflush
• src: cap_net: correct capability name from addr2name to name2addr
• src: regcomp: use unsigned char when testing for escapes
• ports: lighttpd 1.4.73
• ports: php 8.2.12
• ports: squid 6.4
• ports: sudo 1.9.15