OPNsense 24.1 - 基于 FreeBSD 的开源防火墙和路由平台
请访问原文链接:https://sysin.org/blog/opnsense/,查看最新版。原创作品,转载请保留出处。
作者主页:sysin.org
关于 OPNsense
OPNsense 是一个开源、易于使用且易于构建的基于 FreeBSD 的防火墙和路由平台。OPNsense 包括昂贵的商业防火墙中可用的大部分功能,在许多情况下甚至更多。它带来了丰富的商业产品功能集以及开放和可验证资源的优势。
OPNsense 于 2014 年作为 pfSense® 和 m0n0wall 的分支开始 (sysin),于 2015 年 1 月首次正式发布。该项目发展非常迅速,同时仍保留了 m0n0wall 和 pfSense 的熟悉方面。对安全性和代码质量的高度关注推动了项目的发展。
OPNsense 每周提供少量安全更新,以在流行时间内对新出现的威胁做出反应。每年有 2 个主要版本的固定发布周期为企业提供了提前计划升级的机会。对于每个主要版本,都会制定一个路线图以指导开发并设定明确的目标。
功能 Features
OPNsense 的功能集包括高端功能,例如前向缓存代理、流量整形、入侵检测和简单的 OpenVPN 客户端设置。最新版本基于 FreeBSD 以获得长期支持,并使用新开发的基于 Phalcon 的 MVC 框架。
OPNsense 对安全性的关注带来了独特的功能,例如使用 LibreSSL 而不是 OpenSSL 的选项(可在 GUI 中选择)和基于 FreeBSD 的自定义版本。
强大可靠的更新机制使 OPNsense 能够及时提供重要的安全更新。
OPNsense Core Features:
- Traffic Shaper
- Two-factor Authentication throughout the system
- Captive portal
- Forward Caching Proxy (transparent) with Blacklist support
- Virtual Private Network (site to site & road warrior, IPsec, OpenVPN & legacy PPTP support)
- High Availability & Hardware Failover (with configuration synchronization & synchronized state tables)
- Intrusion Detection and Prevention
- Build-in reporting and monitoring tools including RRD Graphs
- Netflow Exporter
- Network Flow Monitoring
- Support for plugins
- DNS Server & DNS Forwarder
- DHCP Server and Relay
- Dynamic DNS
- Encrypted configuration backup to Google Drive
- Stateful inspection firewall
- Granular control over state table
- 802.1Q VLAN support
- and more... see features
许可证 LICENSE
OPNsense 已获得 Open Source Initiative approved license 的许可。OPNsense 现在和将来都将提供简单的 2 条款 BSD 许可证。我们认为,一个开源项目应提供构建它的资源和工具。
新增功能
根据 OPNsense 24.1 Roadmap,实现新功能如下:
Base system
OpenSSL 3 ports migration *
Suricata 7 *
System: limit /conf/config.xml access to administrators *
System: Configuration: History: migrate to MVC *
System: Configuration: Backups: Improve restore area selection offering fine grained import control for advanced users *
System: Gateways: Single: migrate to MVC *
System: Trust: Revocation: Restrict CRL's to one per CA to ease future migration *
Interfaces
Overview: migrate to MVC to allow API support and increase usability *
[new] Interfaces: Neighbors to administer static ARP and NDP entries *
Interfaces: Other Types: VXLAN: add support for non standard port numbers *
Firewall
NPTv6: migrate to MVC *
os-firewall plugin inclusion to ease API usage *
os-firewall - Add API support for port definitions in automation *
VPN
OpenVPN: Instances - add carp vhid tracking for clients. *
OpenVPN: Instances - add optional OCSP support *
Improve WireGuard kernel plugin and implement it in core *
Wireguard CARP vhid tracking support *
IPsec: Virtual Tunnel Interfaces dual stack support *
Services
KEA DHCPv4 server as alternative for isc-dhcp[4] *
Squid Web Proxy: move to plugins *
下载地址
OPNsense 24.1
dvd : ISO installer image with live system capabilities running in VGA mode. On amd64, UEFI boot is supported as well.
OPNsense-24.1-dvd-amd64.iso.bz2 (SHA256) : 6d1e22713bf031d0a36a73b3820cd1564f426cae9c67a6ade4b7fa6518afa2d5
vga : USB installer image with live system capabilities running in VGA mode as GPT boot. On amd64, UEFI boot is supported as well.
OPNsense-24.1-vga-amd64.img.bz2 (SHA256) : ec08755245017cd449a8d174b6ea7c4e2038c454a8abecfad0d0378729d8b331
serial : USB installer image with live system capabilities running in serial console (115200) including UEFI support.
OPNsense-24.1-serial-amd64.img.bz2 (SHA256) : c4c53e5dd80660cc67b349fa588b3ca11efd9f45d09f6cb391d8e19b48dd7fcc
nano : a preinstalled serial image for USB sticks, SD or CF cards as MBR boot. These images are 3G in size and automatically adapt to the installed media size after first boot.
OPNsense-24.1-nano-amd64.img.bz2 (SHA256) : 6bc86a13bda81702382383b1e9b31550177bafe88fa599e0c2ed8064040461b1