Release of OPNsense 23.1, a distribution for building firewalls

The OPNsense 23.1 firewall distribution has been released. OPNsense is a fork of the pfSense project, created with the goal of building a completely open distribution with functionality on par with commercial solutions for deploying firewalls and network gateways. Unlike pfSense, the project is positioned as not controlled by a single company: it is developed with direct community participation, has a completely transparent development process, and allows any of its work to be used in third-party products, including commercial ones. The source code of the distribution's components, as well as the tools used to build it, is distributed under the BSD license. Builds are provided as a LiveCD and as a system image for writing to flash drives (399 MB).

The distribution is based on FreeBSD code. Notable features of OPNsense include a completely open build toolkit, the ability to install as packages on top of regular FreeBSD, load balancing tools, a web interface for managing user connections to the network (captive portal), stateful connection tracking (a stateful firewall based on pf), bandwidth limits, traffic filtering, VPNs based on IPsec, OpenVPN and PPTP, integration with LDAP and RADIUS, support for DDNS (Dynamic DNS), and a system of visual reports and graphs.

The distribution provides tools for building fault-tolerant configurations based on the CARP protocol, which let you run a standby node alongside the main firewall; the standby is automatically synchronized at the configuration level and takes over the load if the primary node fails. Administrators get a modern, simple interface for configuring the firewall, built with the Bootstrap web framework.

Among the changes:

  • Changes from the FreeBSD 13-STABLE branch have been ported.
  • Updated versions of additional programs from ports, for example, PHP 8.1.14 and sudo 1.9.12p2.
  • A new implementation of DNS-based block lists has been added, rewritten in Python and supporting various block lists for ads and malicious content.
  • Statistics on the operation of the Unbound DNS server are now collected and displayed, which makes it possible to track DNS traffic by user.
  • Added a new firewall type BGP ASN.
  • Added isolated PPPoEv6 mode to selectively enable IPv6 Control Protocol.
  • Added support for SLAAC WAN interfaces without DHCPv6.
  • The packet capture and IPsec management components have been moved to the MVC framework, which made it possible to support managing them via the API.
  • IPsec settings have been moved to the swanctl.conf file.
  • The os-sslh plugin is included, allowing HTTPS, SSH, OpenVPN, tinc and XMPP connections to be multiplexed through a single network port, 443.
  • The os-ddclient (Dynamic DNS Client) plugin now has the ability to use its own backends, including Azure.
  • The os-wireguard plugin for WireGuard VPN now uses the kernel module by default (the old user-level mode of operation has been moved to a separate plugin, os-wireguard-go).

Source: opennet.ru
