Author Topic: Firewall distributions, miscellaneous  (Read 3777 times)


Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 162617
  • No input, no output
    • DVB-Cube

Work / test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA driver 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA driver 4.8.3.1.8 )

Offline SiLæncer

IPFire 2.25 - Core Update 157
« Reply #77 on: 25 June, 2021, 22:00 »
Release Notes

After a little break, IPFire 2.25 - Core Update 157 is out! This is the largest release in size we have ever had and updates various parts of the operating system and brings an updated kernel.

Since IPFire is built from source and not based on any distribution, we get to select the best versions of open source software to be a part of it. This release is the second part of our "spring clean" release which updates various software packages and we have also dropped software that we no longer need. The vast amount of this work has been done by Adolf Belka who has been spending many nights in front of a compiler trying to make it all work. If you want to support him and the entire development team, please help us with your donation.

Deprecating Python 2

We have made huge efforts to migrate away from Python 2 which has reached its end of life on January 1st of this year. That includes repackaging third-party modules for Python 3 and migrating our own software to Python 3.

The work will continue over the next couple of weeks and we are hopeful to remove all Python 2 code with the next release. We will keep Python 2 around for a little bit longer to give everyone with custom scripts a little bit of time to migrate them away, too.

Misc.

    The IPFire kernel has been rebased on Linux 4.14.232 which brings various security and stability fixes
    Updated packages: bash 5.1.4, boost 1.76.0, cmake 3.20.2, curl 7.76.1, dejavu-fonts-ttf 2.37, expat 2.3.0, file 5.40, fuse 3.10.3, gdb 10.2, glib 2.68.1, iproute2 5.12.0, less 581.2, libaio 0.3.112, libarchive 3.5.1, libcap-ng 0.8.2, libedit 20210419-3.1, libevent2 2.1.12, libexif 0.6.22, libgcrypt 1.9.3, libgpg-error 1.42, libtiff 4.3.0, libupnp 1.14.6, libxcrypt 4.4.20, libxml2 2.9.10, lm_sensors 3.6.0, lua 5.4.3, meson 0.58.0, OpenSSH 8.6p1, perl-Canary-Stability, perl-Convert-TNET 0.18, perl-Convert-UUlib 1.8, perl-Crypt-PasswdMD5 1.41, perl-Digest 1.19, pixman 0.40.0, poppler 21.05.0 (and poppler-data 0.4.10), pppd 2.4.9, readline 8.1, sqlite 3.35.5, squid 4.15, sudo 1.9.7, wireless-regdb 2020.11.20, xfsprogs 5.11.0
    Some packages that are no longer needed for the build process have been dropped
    Peter Müller has cleaned up the web server configuration for the web user interface and removed various quirks and hacks for old software like Microsoft Internet Explorer 8
    Leo-Andres Hofmann has contributed some cosmetic changes for the live graphs
    A security vulnerability has been reported by Mücahit Saratar (#12619) where it was possible to change a script as an unprivileged user due to a file permission error which could later be executed as root. Thank you for reporting this to us.

Add-ons

    Updated packages: cifs-utils 6.13, cups 2.3.3op2, cups-filters 1.28.8, dnsdist 1.6.0, elfutils 0.184, fetchmail 6.4.19, ffmpeg 4.4, libmicrohttpd 0.9.73, mpd 0.22.6, ncat 7.91, nmap 7.91, samba 4.14.4, Tor 0.4.5.8


https://www.ipfire.org/

Offline SiLæncer

IPFire 2.25 - Core Update 158
« Reply #78 on: 22 July, 2021, 22:00 »
Release Notes

IPFire 2.25 - Core Update 158 is generally available. It comes with one-click VPNs for Apple iOS and Mac OS devices as well as with various fixes across the board including security fixes.

Before we talk about what is new, I would like to ask you for your support for our project. IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

IPsec with Apple iOS & Mac OS

It is now possible to export IPsec road warrior connections for Apple devices so that they can easily be imported into those with only a few clicks. This makes creating secure connections with these devices quick and fool-proof - even when certificates are involved.

Various smaller changes come with these changes: Certificates now have sane expiry times (instead of a hundred years).

Unfortunately time did not allow us to provide any detailed documentation for this feature, but this will be added in the near future. If you want to help the team, you can do this with your donation.

Misc.

    IPsec
        Curve448 is now listed above Curve25519 since it provides better security, but is computationally more expensive at the same time
        There will no longer be any safety rules installed for IPsec connections in "on-demand" mode. Leaking packets is not possible in this mode and it makes certain configurations easier when it is not necessary to work around the block rules
    The web proxy removed options to fake the Referrer and User-Agent. This is practically not effective since the majority of connections are encrypted where this feature did not work.
    We have progressed in removing Python 2 from the system by porting fireinfo to Python 3
    Leo-Andres Hofmann fixed the memory usage table which showed inconsistent values
    Updated packages of the core system: apache 2.4.48, bind 9.11.32, cmake 3.20.4, curl 7.77.0, dmidecode 3.3, ethtool 5.12, expat 2.4.1, fuse 3.10.4, glib 2.68.3, gnutls 3.6.16, gzip 1.10, iputils 20210202, knot 3.0.7, libcap 2.50, libedit 20210522-3.1, libnl-3 3.5.0, libpcap 1.10.1, libusb 1.0.24, libxcrypt 4.4.22, linux-firmware 20210511 as preparation for a new kernel, nettle 3.7.3, pcre2 10.37, perl-CGI 4.53, perl-TimeDate 2.33, perl-XML-Parser 2.46, python3-setuptools, python3-pyparsing 2.4.7, qpdf 10.3.2, rng-tools 6.12, smartmontools 7.2, sudo 1.9.7p1, vnstat 2.7, xfsprogs 5.12.0, zd1211-firmware 1.5, zerofree 1.1.1, zstd 1.5.0
    Microcode updates for Intel processors are shipped in this release (20210608) to address these hardware security vulnerabilities:
        INTEL-SA-00442 - 2021.1 IPU - Intel® VT-d Advisory
        INTEL-SA-00464 - 2021.1 IPU - Intel® Processor Advisory
        INTEL-SA-00465 - 2021.1 IPU - Intel Atom® Processor Advisory
    IPFire is also vulnerable where an authenticated third-party could inject and execute shell commands as a non-privileged user (#12616, CVE-2021-33393). This has been fixed by going through over 65000 lines of code to investigate where this is possible. The underlying reason is that the Perl function to call shell commands unexpectedly performs shell expansion and might perform more than just the intended command. Functions that no longer allow this behaviour have been written and tested, and now replace any vulnerable places. Unfortunately this vulnerability was published without responsible disclosure.
    The root partition of the flash image has been increased to 1600 MiB by default. The minimum required disk size is still 2GB, but it is getting tight...

Add-ons

    dnsdist received an improved initscript which will print any configuration issues before trying to start or restart the daemon
    Updated packages: cups-filter 1.28.9, elfutils 0.185, flac 1.3.3, libogg 1.3.5, nano 5.8, netsnmpd 5.9.1, Postfix 3.6.1, sarg 2.4.0, tcpdump 4.99.1, tmux 3.2a, Tor 0.4.6.5

Some packages have been dropped since they didn't have a maintainer for a long while, the upstream project has been discontinued, or it is unlikely that there are any users left out there. We recommend installing these applications on a different machine than the firewall itself: Asterisk, dpfhack, lcd4linux, miniupnpd, motion, SANE, sendEmail. They will automatically be uninstalled on all systems.


https://www.ipfire.org/
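
The shell-expansion behaviour that the Core Update 158 notes give as the cause of CVE-2021-33393, shown as an added illustration that is not part of the original post and is not IPFire's code. The helper names (`run_via_shell`, `run_without_shell`, `valid_hostname`) and the sample value are constructed for this example.

```perl
#!/usr/bin/perl
# Added illustration, not IPFire code. All helper names and the sample
# input below are hypothetical and constructed for this example.
use strict;
use warnings;

$| = 1;    # flush our own output so it interleaves correctly with child output

# Constructed input: a field expected to hold a host name, with a harmless
# second command appended after a shell metacharacter.
my $host = 'gateway.example; echo SECOND-COMMAND-RAN';

# Single-string form of system(): when the string contains shell
# metacharacters, Perl hands it to "/bin/sh -c". The shell splits the line
# at ";" and runs two commands instead of one.
sub run_via_shell {
    my ($value) = @_;
    return system("echo checking $value");
}

# Indirect-object form of system(): the program is executed directly with
# the given argument vector and no shell is involved, even when the list
# has a single element. Metacharacters in an argument stay literal bytes.
sub run_without_shell {
    my (@argv) = @_;
    die "empty command\n" unless @argv;
    return system { $argv[0] } @argv;
}

# Allow-list validation as a second layer: accept only characters that can
# occur in a DNS host name and reject everything else before it is used.
sub valid_hostname {
    my ($value) = @_;
    return 0 unless defined $value && length($value) <= 253;
    return $value =~ /\A[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/ ? 1 : 0;
}

print "--- single-string form (goes through the shell)\n";
run_via_shell($host);

print "--- list form (no shell)\n";
run_without_shell('echo', 'checking', $host);

print "--- allow-list check\n";
for my $candidate ($host, 'gateway.example') {
    printf "%-45s %s\n", "'$candidate'",
        valid_hostname($candidate) ? 'accepted' : 'rejected';
}
```

In the first call the shell runs the appended `echo` as its own command; in the second the whole value reaches `echo` as one literal argument, and the allow-list check rejects it before any command is built.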

Offline SiLæncer

OPNsense 21.7
« Reply #79 on: 02 August, 2021, 18:30 »
OPNsense is an open-source, easy-to-use, and easy-to-build HardenedBSD based firewall and routing platform.

License: Open Source

Release Notes -> https://opnsense.org/opnsense-21-7-released/

https://opnsense.org/about/about-opnsense/

Offline SiLæncer

IPFire 2.27 - Core Update 160
« Reply #80 on: 06 October, 2021, 18:00 »
Release Notes

This is the release announcement for IPFire 2.27 - Core Update 160. It comes with a large number of bug fixes and package updates and prepares for removing Python 2 which has reached its end of life.

Before we talk about what is new, I would like to ask you for your support. IPFire is a small team of people and like many of our open source friends, we’ve taken a hit this year and would like to ask you to help us out. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

Improving Network Throughput

In recent days and months, the development team has spent a lot of time on finding bottlenecks and removing those. Our goal is to increase throughput on hardware and bring latency down, for a faster network.

This update brings a first change which will enable network interfaces that support it, to send packets that belong to the same stream to the same processor core. This allows taking advantage of better cache locality and the firewall engine as well as the Intrusion Prevention System benefit from this, especially with a large number of connections and especially on hardware with smaller CPU caches.

This feature is automatically enabled on all hardware that supports it.

Removing Python 2

Python 2 has reached its end-of-life (EOL) on January 1st, 2021. In the past months and years, we have moved our own code to Python 3 which has been completed with this update.

However, Python 2 is still present in the distribution for all users who still have to port any custom scripts. With the next Core Update, we will remove Python 2 which means that you have to act now to port any custom scripts written in Python 2.

Misc.

    In the firewall engine, support for redirecting services has been added and long-standing bug #12265 has been fixed
    Some bugs have been fixed in the IPsec VPN scripts that prevented users from creating certificate-based connections
    The web proxy can now be used on systems that do not have a GREEN network
    The firewall log viewer now displays IP protocol names instead of numbers.
    All graphs are now rendered in SVG format which makes any scaling in the browser smoother
    Updated packages: cURL 7.78.0, ddns 014, e2fsprogs 1.46.3, ethtool 5.13, glibc was patched for CVE-2021-33574 and a follow-up issue, iproute2 5.13.0, less 590, libloc 0.9.7, libhtp 5.0.38, libidn 1.38, libssh 0.9.6, OpenSSH 8.7p1, openssl 1.1.1k which fixes CVE-2021-3712 and CVE-2021-3711, pcre 8.45, poppler 21.07.0, sqlite3 3.36, sudo 1.9.7p2, strongswan 5.9.3, suricata 5.0.7, sysstat 12.5.4, sysfsutils 2.1.1

Add-ons

    Updated packages: alsa 1.2.5.1, bird 2.0.8, clamav 0.104.0, faad2 2.10.0, freeradius 3.0.23, frr 8.0.1, Ghostscript 9.54.0, hplip 3.21.6, iperf3 3.10.1, lynis 3.0.6, mc 7.8.27, monit 5.28.1, minidlna 1.3.0, ncat 7.91, ncdu 1.16, taglib 1.12, Tor 0.4.6.7, traceroute 2.1.0, Postfix 3.6.2, spice 0.15.0


https://www.ipfire.org/

Offline SiLæncer

IPFire 2.27 - Core Update 161 Test
« Reply #81 on: 11 November, 2021, 22:00 »
Release Notes

A new update is available for testing: IPFire 2.27 - Core Update 161. It comes with a huge performance improvement for the Intrusion Prevention System which allows it to deliver excellent throughput even on smaller hardware. On top of that come a brand new kernel and various security and bug fixes.

Please note, that this update will reconnect any PPP connections and we recommend performing a reboot after the update has been installed.

Boosting Intrusion Prevention System Performance

The most notable change in this update is a large increase of throughput of the IPS. It can now decide to no longer see traffic from a certain IP connection and tell the kernel to bypass it. That removes all overhead for these connections and therefore increases throughput.

On systems like the Lightning Wire Labs Mini Appliance which comes with four CPU cores each at 1 GHz clock speed, it boosts throughput from about 120 MBit/s on full CPU load to 1 GBit/s on about 20% load on one CPU core for this type of connection. This releases more CPU time for scanning other traffic and allows this device to be properly used on connections with more than 100 MBit/s throughput.

For this change, a lot of work around the QoS and VPNs was necessary because of touch points in the firewall engine. Here, we were also able to tidy up code and make the system more efficient.

Fast Flux Detection in Web Proxy

This update brings Fast Flux Detection as introduced by Peter.

Updated OS Kernel

The IPFire kernel is now based on Linux 5.10.76 and various configuration changes have been made:

    Hardening of stack variables: All of those will now be zero-initialised to avoid any information leak inside the kernel's memory space
    TPM hardware is now being used as a source for entropy if available
    The kernel will now wake up more often in order to keep packet forward latency down and make the system more responsive.
    Some debugging/overhead functions have been disabled for slight performance gains

Misc.

    Python 2 has been removed from IPFire with this release
    IPFire now supports ExFAT
    Logwatch now includes status of software RAID configurations
    Regressions in the disk utilization stats due to a change in iostat(8)'s output have been fixed
    After launching an update, the Pakfire page did not correctly show the locked state
    The web proxy will now always hide its version number to avoid any information leaks
    Support for FriendlyARM NanoPI R2S has been added
    Updated packages: apache 2.4.51 fixing CVE-2021-42013 introduced due to an incomplete fix for CVE-2021-41773, curl 7.79.1, dosfsutils 4.2, GD-Graph 1.54, gd 2.3.3, iproute2 5.14.0, perl-GD 2.73, strongSwan 5.9.4

Add-ons

    Tor will now use any hardware acceleration for cryptographic operations if available
    Updated packages: 7zip 17.04, cups-filters 1.28.10, Ghostscript 9.55.0, Git 2.33.1, htop 3.1.1, krb5 1.19.2, monit 5.29.0, nano 5.9, pcengines-apu-firmware 4.14.0.4, shairport-sync 3.3.8
    avahi's and minidlna's configuration is now correctly backed up and restored on updates


https://www.ipfire.org/

Offline SiLæncer

OPNsense 22.1
« Reply #82 on: Yesterday at 21:00 »
Changelog


o system: improved visibility and flexibility of tunables
o system: move multiple sysctl manipulations to tunables framework to allow overriding them
o system: prevent more than one default route by default
o system: sync recovery utility contents with FreeBSD 13
o system: prevent syslog-ng from crashing after update due to "syslog-ng-ctl reload" use
o system: add severity to syslog output and allow to filter for it
o system: create latest.log links for easier log consumption
o system: added opnsense-log utility to inspect logs on the console
o system: removed circular logging support
o system: background all cron backend command invokes
o system: unified cron start between legacy and MVC components
o system: improve the fallback after failing to look up specific IPv4 address match for dpinger
o system: use correct IPv6 interface for dpinger gateway monitoring when using 6RD
o system: default net.inet6.ip6.intr_queue_maxlen to 1000 like its IPv4 counterpart
o system: default net.inet6.ip6.redirect to off like its IPv4 counterpart
o system: fix potential issues with "search" syntax in resolv.conf
o system: fix general settings PHP warnings that only appear when validation fails
o system: allow additional search domain (Pierre Fevre)
o system: make /var MFS work when /var directories are mount points, e.g. on ZFS
o system: optionally disconnect PPP interfaces when going into CARP backup mode
o system: fix new PPP CARP hook function call (contributed by Markus Reiter)
o system: separate core and thread count in information widget
o system: MSDOS file system awareness in information widget for new /boot/efi partition
o system: no longer display duplicated mounted partitions on the dashboard
o system: remove spurious XML validation that cannot cope with attributes from backup restore
o system: refactor GUI rebind protection and remove its os-dyndns/os-rfc2136 references
o reporting: fix display of total in/out traffic values
o interfaces: LAGG support in console port assignment (contributed by sarthurdev)
o interfaces: improve LAGG/VLAN assignments via console option
o interfaces: repair get_interface_list() for console use
o interfaces: aligned the name and use of special /tmp files for internal interface handling
o interfaces: correctly write nameserverv6 and searchdomainv6 information on dhcp6c lease acquire
o interfaces: make cache IP files exclusive to rc.newwan and rc.newwanv6 scripts to avoid missing IP changes
o interfaces: refactored linkup event handler to avoid unnecessary recursion in the code
o interfaces: removed opportunistic functions find_interface_ip(), find_interface_ipv6() and find_interface_ipv6_ll()
o interfaces: get_interface_ip() and get_interface_ipv6() now return a valid IP address if one was given to support VIP aliases
o interfaces: interfaces_addresses() can now map a configuration interface to returned addresses to track its origin
o interfaces: VIPs now support the "no bind" option to exclude them from automatic service use when configured
o interfaces: interfaces_primary_address() is now being used like its IPv6 equivalent throughout the code
o interfaces: interfaces_primary_address6() is now considering addresses from tracking interfaces when needed
o interfaces: interfaces_scoped_address6() is now being used throughout the code
o interfaces: "tentative" state now leads to the address being ignored during configuration like "deprecated"
o interfaces: removed unmaintained 3G statistics gathering for Huawei modems that could lock up other modems
o interfaces: reworked interface creation on boot up
o interfaces: spoof MAC now only applies to actual interface and not all of its VLAN siblings or parent
o interfaces: added permanent promiscuous mode setting
o interfaces: add the interface description via ifconfig to its respective device
o interfaces: stop special treatment of bridge interfaces on linkup
o interfaces: improve validations and fix defaults for bridges
o interfaces: allow bridges to attach to VXLAN on boot
o interfaces: background all interface reconfiguration script hooks
o interfaces: no longer allow and apply media configuration for non-parent devices
o interfaces: removed restriction from interfaces without configuration to not being able to hold VIPs
o interfaces: remove defunct link support for GRE
o interfaces: align GIF configuration with base system options
o firewall: properly kill all connections from and to a WAN IPv4 on an address change
o firewall: skip rule ID for NAT type log entries (contributed by kulikov-a)
o firewall: display interface descriptions on normalisation rules (contributed by vnxme)
o firewall: dynamic IPv6 host alias support (contributed by Team Rebellion)
o firewall: removed obsolete kill states option on gateway failure
o firewall: removed the $aliastable cache
o firewall: support "no scrub" option in normalisation rules
o firewall: correctly handle IPv6 NAT in states view
o firewall: plain log default logging severity selection is now "informational"
o firewall: improve maximum shaper value validation and add Gbit/s support
o captive portal: prevent session removal crashing when no IP address was registered
o dhcp: allow for ARM architectures in network boot options (contributed by Keith Cirkel)
o dhcp: allow router advertisements to use a specific link-local VIP alias
o dhcp: refactor the IPv4 and IPv6 configuration pages and add minimal subnet size requirement hints
o dhcp: rework router advertisement "static" mode flags to separate advanced options
o dnsmasq: fix all-server overwriting strict-order configuration directive (contributed by Christian Tramnitz)
o dnsmasq: no-hosts option (contributed by agh1467)
o firmware: add a "status_reboot" variable to API return data to make clear it belongs to the offered minor update or major upgrade
o firmware: add random delays to existing firmware cron jobs to avoid update server load spikes
o firmware: added an automatic cron job to fetch changelog daily to use it as a lightweight check for updates on the dashboard
o firmware: implement cross-ABI reinstall of all packages for future use
o firmware: opnsense-update: exclude /boot/efi permission reset from base set extract
o firmware: removed obsolete business repository fingerprints and added 22.1 fingerprint
o firmware: return product info for status endpoint even when no firmware check was done
o installer: fix installation of rc.conf keymap setting selected earlier during installation
o installer: add EFI partition as a default mount point
o installer: increase EFI partition size to 260 MB
o installer: improve disk and ZFS pool scan and display
o intrusion detection: prevent config migration from crashing
o intrusion detection: update to ET-Open to version 6
o ipsec: update security of default settings when creating new phase 1 and 2
o ipsec: remove hashes and algorithms no longer supported by FreeBSD 13
o ipsec: migrated tunnel settings page to MVC
o lang: update translations for Chinese, French, German, Italian, Japanese, Norwegian, Spanish, and Turkish
o lang: demote Italian to development-only language due to lowered translation ratio
o monit: move logging to own target
o network time: add iburst option and stop using it by default (contributed by Patrick M. Hausen)
o network time: detach "limited" from "kod" option (contributed by Zsolt Zsiros)
o network time: remove PID file use as it can be unreliable
o openvpn: kill by common name when kill by address does not work
o unbound: disable do-not-query-localhost on local address server use
o unbound: update DNS with hostname-only static entries (contributed by Gareth Owen)
o update: opnsense-bootstrap: -z snapshot mode
o update: opnsense-bootstrap: improved type detection
o update: opnsense-code: -r for repository removal
o update: opnsense-fetch: emit error message of failed download
o update: opnsense-update: handle kernel debug directory like /boot/kernel
o update: opnsense-update: removed "firmware-upgrade" file support
o update: opnsense-verify: synced shared code with FreeBSD 13
o backend: unify use of configctl utility
o images: removed deprecated os-dyndns plugin from default installation
o mvc: fix logging of configd errors
o mvc: Add BlankDesc to ModelRelationField (contributed by agh1467)
o mvc: emulation versioning empty nodes for the legacy configuration sections
o mvc: add getInterfaceConfig endpoint to interface API (contributed by Paolo Asperti)
o mvc: add hint support for text fields (contributed by agh1467)
o ui: add support for terabytes, and petabytes to format_bytes() (contributed by agh1467)
o ui: universal striping adjustment for MVC components (contributed by kulikov-a)
o ui: move storing jQuery Bootgrid settings in browser from core to bootgrid (contributed by Manuel Faux)
o src: FreeBSD 13-STABLE as of 4ee9fbcd853
o src: migrated to LUA boot loader (contributed by Kyle Evans)
o src: revert upstream permission change for /root directory
o src: fix kernel build creating wrong linkers.hint file
o src: carp: fix send error demotion recovery
o src: ixgbe: prevent subsequent I2C bus read timeouts
o src: reworked shared forwarding
o plugins: os-acme-client 3.8[2]
o plugins: os-bind 1.20[3]
o plugins: os-ddclient 1.0 as an eventual replacement for os-dyndns
o plugins: os-dyndns adds local copy of get_dyndns_ip()
o plugins: os-freeradius 1.9.18[4]
o plugins: os-frr 1.26[5]
o plugins: os-haproxy 3.10[6]
o plugins: os-nginx 1.26[7]
o plugins: os-openconnect 1.4.2[8]
o plugins: os-postfix 1.21[9]
o plugins: os-rfc2136 adds local copy of get_dyndns_ip()
o plugins: os-telegraf 1.12.4[10]
o plugins: os-wireguard 1.10[11]
o plugins: os-wol adds cron support for wake action (contributed by digitalshow)
o plugins: os-zabbix-proxy 1.7[12]
o ports: expat 2.4.2[13]
o ports: filterlog 0.6[14]
o ports: flock 2.37.2
o ports: hostapd 2.10[15]
o ports: lighttpd 1.4.63[16]
o ports: nss 3.74[17]
o ports: openssl 1.1.1m[18]
o ports: openvpn 2.5.5[19]
o ports: pecl-psr 1.2.0[20]
o ports: phalcon 4.1.3[21]
o ports: php 7.4.27[22]
o ports: pkg fixes validation failures on HTTPS fetch in static binary[23]
o ports: sqlite 3.37.2[24]
o ports: syslog-ng 3.35.1[25]
o ports: unbound 1.14.0[26]
o ports: wpa_supplicant 2.10[27]

Known issues and limitations:

o This release contains a new major operating system version and should be carried out with the necessary care.  Despite extended test coverage changes made by FreeBSD may still affect operation without our knowledge.  Except for ZFS boot environments rollbacks between major operating system versions are extremely fragile and a reinstall of an older version should be attempted in the worst case.  For more information please consult the FreeBSD 13.0 release notes[28].
o IPsec hash and cipher removals in FreeBSD 13 can affect existing setups as insecure cryptographic options have been removed upstream.  If you are using MD5, Blowfish, DES, 3DES, or CAST128 in your phase 2 please move to more secure settings prior to the upgrade.  Note that phase 1 settings are unaffected, but insecure settings should still be avoided.  For more information see the FreeBSD commit in question[29].
o The Realtek vendor driver is no longer bundled with the updated FreeBSD kernel.  If unsure whether FreeBSD 13 supports your Realtek NIC please install the os-realtek-re plugin prior to upgrading to retain operability of your NICs.
o MAC spoofing now only pertains to the configured interface and not the VLAN siblings or parent interface.  This can introduce unwanted configuration due to previous side effects in the code.  Make sure to assign and set the spoofed MAC for all interfaces that require a spoofed MAC.
o Media settings are no longer shown for non-parent interfaces and need to be set individually to take effect.  This can introduce unwanted configuration due to previous side effects in the code.  If the parent interface was not previously assigned please assign it to reapply the required media settings.
o NTPD defaults changed to exclude the "iburst" option by default.  "limited" setting was detached from "kod" option.  In both cases configuration adjustments can achieve previous behaviour if required.
o Rebind checks through os-dyndns or os-rfc2136 will no longer work due to the deprecation of both plugins.  Please add your rebind hosts manually or disable rebind protection prior to the upgrade.
o GRE link1 support has been removed and needs a static route to function now.
o Circular logging support has been removed.  No user interaction is required.


https://opnsense.org/about/about-opnsense/
