2.0.1 New Features and Changes
This is a maintenance release with some bug and security fixes since the 2.0 release. It is possible to upgrade from any previous release to 2.0.1.
For those who use the built-in certificate manager, pay close attention to the notes below on a potential security issue with those certificates.
The following changes were made after 2.0-RELEASE and were included in 2.0.1-RELEASE.
- Improved accuracy of automated state killing in various cases (#1421)
- Various fixes and improvements to relayd
  - Added to Status > Services and widget
  - Added ability to kill relayd when restarting (#1913)
  - Added DNS load balancing
  - Moved relayd logs to their own tab
  - Fixed default SMTP monitor syntax and other send/expect syntax
- Fixed path to FreeBSD packages repo for 8.1
- Various fixes to syslog:
  - Fixed syslogd killing/restarting to improve handling on some systems that were seeing GUI hangs resetting logs
  - Added more options for remote syslog server areas
  - Fixed handling of ‘everything’ checkbox
  - Moved wireless to its own log file and tab
  - Removed/silenced some irrelevant log entries
- Fixed various typos
- Fixes for RRD upgrade/migration and backup (#1758)
- Prevent users from applying NAT to CARP which would break CARP in various ways (#1954)
- Fixed policy route negation for VPN networks (#1950)
- Fixed “Bypass firewall rules for traffic on the same interface” (#1950)
- Fixed VoIP rules produced by the traffic shaper wizard (#1948)
- Fixed uname display in System Info widget (#1960)
- Fixed LDAP custom port handling
- Fixed Status > Gateways to show RTT and loss like the widget
- Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197
- Improved certificate generation to specify/enforce type of certificate (CA, Server, Client) – CVE-2011-4197
- Clarified text of serial field when importing a CA (#2031)
- Fixed MTU setting on upgrade from 1.2.3, now upgrades properly as MSS adjustment (#1886)
- Fixed Captive Portal MAC passthrough rules (#1976)
- Added tab under Diagnostics > States to view/clear the source tracking table if sticky is enabled
- Fixed CARP status widget to properly show “disabled” status.
- Fixed end time of custom timespan RRD graphs (#1990)
- Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)
- Fixed OpenVPN ordering of client/server IPs in Client-Specific Override entries (#2004)
- Fixed handling of OpenVPN client bandwidth limit option
- Fixed handling of LDAP certificates (#2018, #1052, #1927)
- Enforce validity of RRD graph style
- Fixed crash/panic handling so it will do textdumps and reboot for all, and not drop to a db> prompt.
- Fixed handling of hostnames in DHCP that start with a number (#2020)
- Fixed saving of multiple dynamic gateways (#1993)
- Fixed handling of routing with unmonitored gateways
- Fixed Firewall > Shaper, By Queues view
- Fixed handling of spd.conf with no phase 2’s defined
- Fixed synchronization of various sections that were leaving the last item on the slave (IPsec phase 1, Aliases, VIPs, etc)
- Fixed use of quick on internal DHCP rules so DHCP traffic is allowed properly (#2041)
- Updated ISC DHCP server to 4.2.3 (#1888) – this fixes a denial of service vulnerability in dhcpd.
- Added patch to mpd to allow multiple PPPoE connections with the same remote gateway
- Lowered size of CF images again to fit newer and ever-shrinking CF cards.
- Clarified text for media selection (#1910)
Notes for certificate generation vulnerability
Certificates generated with the built-in certificate manager in all 2.0 versions prior to 2.0.1 are excessively permissive for non-CA certificates. These certificates can be used as a certificate authority, meaning a user can use their own certificate to create chained certificates. We have defaulted OpenVPN on 2.0.1 and newer versions to not accept chained certificates, which mitigates this. However, if untrusted users have certificates generated from 2.0 release, we suggest re-generating all certificates and issuing new ones. Certificates generated by easy-rsa and imported into 2.0 are not affected. If using certificates generated on pfSense for other purposes, revoke those and issue new certificates generated on 2.0.1. A CRL must be utilized in that case. To be on the safe side, start from scratch with a new CA and certificates after deleting all existing ones. Thanks to Florent Daigniere for bringing this issue to our attention and helping confirm our resolution.
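One way to find certificates that need reissuing, as an added example that is not pfSense code: it assumes the over-permissive certificates assert `basicConstraints CA:TRUE`, that the certificates have been exported as PEM files, and that the `openssl` CLI is installed. The function names and sample certificates are constructed for illustration.

```sh
#!/bin/sh
# Added example (not pfSense code): flag non-CA certificates that can act as a CA.
# Assumption: the over-permissive certificates carry basicConstraints CA:TRUE.

# cert_is_ca FILE: succeeds when the certificate asserts CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# audit_certs INTENDED_CA FILE...: print every FILE, other than the
# intended CA, that is CA-capable and should be revoked and reissued.
audit_certs() {
    intended=$1; shift
    for f in "$@"; do
        if [ "$f" = "$intended" ]; then continue; fi
        if cert_is_ca "$f"; then echo "$f"; fi
    done
}

# make_samples DIR: build constructed sample certificates (self-signed,
# throwaway keys): ca.pem, user-bad.pem (CA:TRUE), user-good.pem (CA:FALSE).
make_samples() {
    cat > "$1/cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-sample
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF
    for spec in ca:ca_ext user-bad:ca_ext user-good:leaf_ext; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/cnf" \
            -extensions "${spec#*:}" -keyout "$1/${spec%%:*}.key" \
            -out "$1/${spec%%:*}.pem" 2>/dev/null || return 1
    done
}

# Run the audit over the constructed samples; only user-bad.pem is reported.
demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d" && audit_certs "$d/ca.pem" "$d"/*.pem
    rm -rf "$d"
}
demo
```

Against real exports, call `audit_certs` with the path of the intended CA certificate followed by the user and server certificate files.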