Ukusatshalaliswa kwe-firewall ye-OPNsense 26.7 kukhishwe kuphrojekthi ye-pfSense ngo-2015 ngenhloso yokuthuthukisa ukusabalalisa komthombo ovulekile ongase ube nokusebenza kwezixazululo ze-firewall kanye nesango. Ngokungafani ne-pfSense, iphrojekthi ibekwe njengengalawulwa yinkampani eyodwa, ethuthukiswe ngokubamba iqhaza okuqondile komphakathi futhi ibe nenqubo yentuthuko esobala ngokuphelele, kanye nokunikeza ithuba lokusebenzisa noma yikuphi ukuthuthukiswa kwayo emikhiqizweni yezinkampani zangaphandle, kuhlanganise. ezentengiso. Ikhodi yomthombo yezingxenye zokusabalalisa, kanye namathuluzi asetshenziselwa ukuhlanganisa, asatshalaliswa ngaphansi kwelayisensi ye-BSD. Imihlangano ilungiswa ngendlela ye-LiveCD kanye nesithombe sohlelo sokuqoshwa kuma-Flash drives (490 MB).
Ingqikithi yokusabalalisa isekelwe kukhodi ye-FreeBSD. Izici ze-OPNsense zifaka: i-toolchain yokwakha yomthombo ovulekile ngokugcwele, ukwesekwa kokufakwa njengamaphakheji ngaphezu kwe-FreeBSD evamile, amathuluzi okulinganisela umthwalo, isikhombimsebenzisi sewebhu sokuhlela ukuxhumana komsebenzisi kunethiwekhi (i-Captive Portal), izindlela zokulandelela isimo sokuxhumeka (i-firewall ehlelekile esekelwe ku-pf), uhlelo lokunciphisa i-bandwidth, ukuhlunga ithrafikhi, kanye nokudalwa kwe-VPN esekelwe ku-IPsec. OpenVPN kanye ne-PPTP, ukuhlanganiswa ne-LDAP kanye ne-RADIUS, ukwesekwa kwe-DDNS (Dynamic DNS), uhlelo lwemibiko ebonakalayo namagrafu.
Ngesisekelo sokusabalalisa, kungenzeka ukudala ukucushwa okubekezelela iphutha ngokusekelwe ekusetshenzisweni kwephrothokholi ye-CARP nokuvumela ukuqalisa, ngaphezu kwe-firewall eyinhloko, i-node yokusekelayo, ezovumelaniswa ngokuzenzakalelayo ezingeni lokucushwa futhi izothatha umthwalo uma kwenzeka ukwehluleka kwe-node eyinhloko. Umlawuli unikezwa isixhumi esibonakalayo sewebhu sokumisa i-firewall, eyakhiwe kusetshenziswa uhlaka lwewebhu lwe-Bootstrap kanye ne-Phalcon MVC.
Phakathi kwezinguquko:
- Ukushintshela kwisisekelo sekhodi ye-FreeBSD 15.1 sekuqediwe (ngaphambilini kwakusetshenziswa i-FreeBSD 14.3).
- Izixhumi zokuhlela imithetho ye-firewall, ukwabela izixhumi zenethiwekhi (ezihlukanisa phakathi kwe-LAN ne-WAN), kanye nokuphatha amaqembu esango kuthuthelwe ekusebenziseni uhlaka lwe-MVC futhi manje sezitholakala nge-Web API ukuze zenze ukuphathwa kokucushwa kwenethiwekhi kube ngokuzenzakalela.
- Kungezwe i-wizard yokuthutha imithetho yokuhumusha ikheli isuka kufomethi yokucushwa ye-Outbound NAT endala iye kufomethi entsha kusetshenziswa ukwakheka kwe-Source NAT (SNAT).
- Ukusekelwa kwe-DDNS (Dynamic) kanye nokwabiwa okuzenzakalelayo kweziqalo ze-IPv6 (amabhlogo amakheli) kungeziwe ku-configurator ye-KEA DHCP.
- Usekelo lwe-IPv6 lungeziwe ku-portal ye-Captive.
- Izinguqulo ezibuyekeziwe OpenVPN 2.7, i-PHP 8.5, i-Python 3.13.
- Ubuthakathaka obubalulekile (i-CVE-2026-57155, izinga lobunzima 9.9 kwangu-10) bulungisiwe. Lobu buthakathaka buvumele umsebenzisi ongenamalungelo okufinyelela kwegobolondo kanye nokufinyelela okulinganiselwe kuma-alias (uhlu lwamagama enethiwekhi kanye nawabasingathi) ukuthi asebenzise ikhodi enamalungelo ezimpande. Ubuthakathaka bubangelwa ukuntuleka kokuhlolwa okufanele lapho kucutshungulwa idatha evela kusizindalwazi se-GeoIP esihlobanisa amazwe namakheli e-IP.
Ikhodi yezwe evela kusizindalwazi se-GeoIP yashintshwa ngaphandle kokuqinisekiswa lapho kudalwa igama lefayela elibhalwayo, okuvumela noma yiliphi ifayela ohlelweni ukuthi libhalwe phansi, njengoba umphathi esebenza ngamalungelo ezimpande. Umsebenzisi ongenamalungelo angasebenzisa i-Web API ukucacisa i-URL ukuze alande isizindalwazi se-GeoIP esiguquliwe sama-alias. Ukuze athole amalungelo ezimpande, umuntu angacacisa "../../../../../../../../../etc/newsyslog.conf.d/zzz_pwn" esikhundleni sekhodi yezwe kwenye yezindawo ezifakiwe kusizindalwazi. Lokhu kuzodala ifayela lokucushwa kwesistimu yokujikeleza kwelogi, engachaza imiyalo eqhutshwa ngamalungelo ezimpande.
Source: opennet.ru
