Release of OPNsense 19.7, a distribution for building firewalls

After 6 months of development, OPNsense 19.7 has been released. OPNsense is a distribution for building firewalls and a fork of the pfSense project, created to provide a completely open distribution with functionality on the level of commercial solutions for deploying firewalls and network gateways. Unlike pfSense, the project is positioned as not controlled by a single company, developed with direct community participation, and having a completely transparent development process, as well as allowing any of its work to be used in third-party products, including commercial ones. The source code of the distribution's components, as well as the tools used to build it, is distributed under the BSD license. Builds are prepared as a LiveCD and as a system image for writing to flash drives (290 MB).

The distribution's base system is built on the code of HardenedBSD 11, which maintains a synchronized fork of FreeBSD that integrates additional protection mechanisms and exploit mitigation techniques. Notable OPNsense features include a completely open build toolkit, the ability to install as packages on top of regular FreeBSD, load balancing tools, a web interface for organizing user connections to the network (captive portal), connection state tracking (a stateful firewall based on pf), bandwidth limits, traffic filtering, VPNs based on IPsec, OpenVPN and PPTP, integration with LDAP and RADIUS, support for DDNS (Dynamic DNS), and a system of visual reports and graphs.

In addition, the distribution provides tools for creating fault-tolerant configurations based on the CARP protocol. These let you run a standby node alongside the main firewall; the standby node is automatically synchronized at the configuration level and takes over the load if the primary node fails. The administrator is offered a modern and simple interface for configuring the firewall, built with the Bootstrap web framework.

In the new version:

  • Added a built-in ability to send logs to a remote server using Syslog-ng;
  • Added a separate list for viewing automatically generated packet filter rules;
  • Added statistics for all packet filter rules;
  • Improved management of aliases in firewall rules (aliases allow variables to be used instead of hosts, port numbers, and subnets). Added the ability to import and export aliases in JSON format. Statistics can now optionally be kept for aliases;
  • Rewrote the code for processing and switching gateways;
  • Implemented the ability to synchronize LDAP groups;
  • Added the ability to send certificate signing requests;
  • Added support for route forwarding via IPsec (VTI);
  • Implemented synchronization of aliases, VHIDs and widgets through XMLRPC;
  • Added the ability to authenticate in the web proxy and IPsec through PAM;
  • Added support for connecting through a proxy chain;
  • Introduced the ability to use groups to configure connection privileges through a proxy;
  • Plugins for Netdata, WireGuard, Maltrail and Mail-Backup (PGP) have been prepared. Ported Dpinger and DHCP servers to the plugin system;
  • Updated translations into Russian;
  • New versions of Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7 and Squid 4 are used.

Source: opennet.ru
