* firmware: fetch bogons/changelogs from amd64 ABI only
* firmware: revoke 23.4 fingerprint
* firmware: update model for clarity
* intrusion detection: fix events originating from "int^" due to IPS mode use
* intrusion detection: support "bypass" keyword in user-defined rules (contributed by Monviech)
* intrusion detection: update model and persist values for transparency
* intrusion detection: improve locking during sqlite database creation
* ipsec: only write /var/db/ipsecpinghosts if not empty
* ipsec: check IPsec config exists before use (contributed by agh1467)
* ipsec: deprecating tunnel configuration in favour of new connections GUI
* ipsec: clean up SPDField and VTIField types to use new getStaticChildren()
* ipsec: add colon to supported character list for pre-shared key IDs
* ipsec: reqid should not stick when copying a phase 1
* ipsec: omit conditional authentication properties when not applicable on connections
* ipsec: fix key pair generator for secp256k1 EC and add more proper naming to GUI (contributed by Manuel Faux)
* ipsec: allow the use of eap_id = %any in instances
* ipsec: add local_port and remote_port to connections (contributed by Monviech)
* ipsec: add IP4_DNS and IP6_DNS configuration payloads to connection pools (contributed by Monviech)
* ipsec: require setting a connection pool name
* ipsec: update models
* monit: fix alert script includes
* monit: fix empty timeout value (contributed by Michael Muenz)
* monit: update model
* network time: support pool directive and maxclock (contributed by Kevin Fason)
* network time: fix "Soliciting pool server" regression (contributed by Allan Que)
* openvpn: rewrote OpenVPN configuration as "Instances" using MVC/API, available as a separate configuration option `[2] <https://docs.opnsense.org/manual/vpnet.html>`__
* openvpn: rewrote client specific overrides using MVC/API
* openvpn: fix static key delete
* openvpn: fix "mode" typo and push auth "digest" into export config
* openvpn: fix race condition when using CRLs in instances
* openvpn: remove arbitrary upper bounds on some integer values in instances
* openvpn: properly map user groups for authentication
* openvpn: bring instances into server field
* openvpn: fix separator for redirect-gateway attribute in instances and CSO
* openvpn: fix mismatch issue when pinning a CSO to a specific instance
* openvpn: add advanced option for optional CA selection
* openvpn: fix certificate list for client export when optional CA specified (contributed by Manuel Faux)
* openvpn: add CARP VHID tracking for client instances
* openvpn: add tun-mtu/fragment/mssfix combo for instances
* openvpn: add "route-gateway" advanced option to CSO
* openvpn: use new File::file_put_contents() wrapper for instances
* openvpn: updated model and clarified "auth" default option
* openvpn: force instance interface down before handing it over to daemon
* openvpn: add missing up and down scripts to instances (contributed by Daggolin)
* openvpn: allow instances authentication without certificates when verify_client_cert is set to none
* openvpn: add role to "proto" for TCP sessions as required for TAP type tunnels
* openvpn: update model
* unbound: rewrote general settings and ACL handling using MVC/API
* unbound: add forward-tcp-upstream in advanced settings
* unbound: add database import/export functions for when DuckDB version changes on upgrades
* unbound: add cache-max-negative-ttl setting (contributed by hp197)
* unbound: minor endpoint cleanups for DNS reporting page
* unbound: migration of empty nodes failed from 23.1.11 to 23.7
* unbound: fix regression when disabling first domain override
* unbound: fixed configuration when custom blocks are used (contributed by Evgeny Grin)
* unbound: fix concurrent session closing the handle while still writing data in Python module
* unbound: properly set a default value for private address configuration
* unbound: allow disabled interfaces in interface field
* src: bhyve: fully reset the fwctl state machine if the guest requests a reset `[13] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:07.bhyve.asc>`__
* The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups -- especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.
* Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility "monitor" still exists but is only provided for compatibility reasons with existing user scripts.
* The IPsec "tunnel settings" GUI is now deprecated and manual migration to the "connections" GUI is possible. There are currently no plans to remove the deprecated legacy component so it can be used without restriction.
* The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.
* The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. Ddclient used to be EoL for a few months this year but currently a new release is being prepared. We have since maintained a copy of the software and fixed bugs and shipped upstream patches as they became available in the development version. Also, a native Python backend is available in the same plugin which covers the Dyndns2 protocol, AWS Route 53, Azure, Cloudflare and DuckDNS.