2.2.1 New Features and Changes¶
pfSense-SA-15_03.webgui: Multiple XSS Vulnerabilities in the pfSense WebGUI
pfSense-SA-15_04.webgui: Arbitrary file deletion vulnerability in the pfSense WebGUI
FreeBSD-EN-15:01.vt: vt(4) crash with improper ioctl parameters
FreeBSD-EN-15:02.openssl.asc: Update to include reliability fixes from OpenSSL
The following updates are included from upstream in FreeBSD, but are not directly relevant. Neither pfSense nor its packages include SCTP services, but such services may have been manually added by the user.
OpenSSL “FREAK” vulnerability:
Does not affect the web server configuration on the firewall as it does not have export ciphers enabled.
pfSense 2.2 already included OpenSSL 1.0.1k which addressed the client-side vulnerability.
If packages include a web server or similar component, such as a proxy, an improper user configuration may be affected. Consult the package documentation or forum for details.
Some cases remain where filterdns does not properly handle hostnames in multiple aliases properly. Most of the cases have been fixed, so the situation is better than 2.2-RELEASE, but it is not 100% resolved. See issue #4296 for details. Placing hostname aliases into a separate alias so they are not mixed with static entries effectively works around the issue.
Updated the default SSL cipher list to be stronger, obsoletes the need for a “BEAST protection” option #4230
Fixed gen_subnet_max returning an incorrect result on 32 bit (i386) versions, which in turn fixed Wake on LAN and other areas on 32 bit (i386) versions. #4318
Fixed crash on boot with some hardware, caused by gpioapu on systems where smbios.system.product is null. Mostly seemed to be the recycled Watchguard users affected by this issue. #4363
Updated ufslabels.sh to handle a wider variety of disk layouts.
Added a choice of SMTP authentication protocols for notifications, Office365 mail support. #4176
Removed latin-1 encoding of RSS feed to fix display issues of RSS items.
Fixed an issue where the GUI setting for PAP or CHAP in L2TP Server was not being respected.
Fixed changing source tracking value separate from changing the Sticky option.
Added input validation to force a minimum 100000 byte log file size to prevent undersizing the logs.
Added more cleanup to the Restart PHP-FPM console menu action.
Removed PTR records for aliases in host overrides.
Fixed diag_arp.php to allow underscore in resolved host names.
Fixed an issue in DHCP settings where the “add routers” value was not being preserved across a loop for each interface.
Added capability to handle reverse lookup domain overrides.
Fixed issues with NTP RRD graph state changes.
Added input validation to require RADIUS protocol and server IP address/host in Captive Portal when RADIUS authentication is selected. #4384
Fixed swap size calculation in the installer to avoid creating improperly sized partitions in systems with lots of RAM but not much disk space.
Fixed test for comconsole when matching for enabling serial console. #4464
Updated pfSense PHP shell help to current configuration structure. #4492
Fixed switching from a PPP type WAN to “None” or “DHCP”.
Disables SNMP hostres module on APU boards until we figure out why it’s crashing on this specific board. #4403
Removed -U from mtree call used to restore files permissions as it was breaking symlinks on upgrade. #4328
Added input validation for Wireless configurations to prevent problematic combinations of settings. #4178
Improved handling of FQDN entries in aliases with filterdns, but not 100% resolved. #4296
Fixed various typo, style, and formatting issues.
Rules / NAT¶
Fixed ordering of DHCPv6 client and bogon rules so the bogon rules can’t block DHCPv6 requests. #3395
Fixed a bug where applying NAT changes in Hyper-V could break the running NAT configuration. #4445
Fixed a bug where marking a packet with only a number resulted in a broken rule. #4274
Fixed DSCP choices that were non-functional and resulted in a broken ruleset. #4302
Fixed input validation on Outbound NAT to accept a port range. #4300
Removed Carrier-Grade NAT subnet from “Block private networks” as it was in 2.0.x and earlier releases since it specifically notes RFC 1918 and CGN is more closely related to bogon networks. #4379
Removed code that set adaptive.start and end to 0, now they are left at their defaults (60% and 120% of the state limit, respectively) if not user-overridden.
Added configuration options for state timeout values under System>Advanced, Firewall/NAT. #4509
Added MOBIKE control, now disabled by default. #3979
Fixed page rendering so MOBIKE is only shown with IKEv2 selected, NAT-T only shown with IKEv1 selected.
Removed Prefer older IPsec SAs option from the GUI, and existing configurations with it enabled will not have that setting applied. This is almost never desirable, and with the change to strongSwan it frequently was the source of problems. The very few who might desire such an option can configure the net.key.preferred_oldsa sysctl accordingly under System > Advanced, System Tunables.
Fixed Phase 2 duplication issue. #4349
Added input validation to prevent use of AES key lengths larger than 128-bit when the glxsb cryptographic accelerator is enabled. #4361
Added an option for an IPsec tunnel to act as a responder only. #4360
Added a filter reload when IPsec is disabled. #4245
Fixed RSA cert handling in IPsec to use double quotes on asn1dn specification so it is properly interpreted by strongSwan. #4275
Added an option to allow controlling unique ID handling in IPsec advanced settings. #4359
Fixed restartipsec command line script.
Fixed handling of IPsec with Gateway Groups #4482
Added a workaround to disable the strongSwan Unity plugin. #4178
Added error logging when an IPsec Phase 1 cannot be located.
Upgraded to Unbound 1.5.3.
Added correct scaling of rrset-cache-size in unbound.conf. #4367
Added support for 0x20 DNS random bit. #4205
Changed DNS Resolver default values to be a bit more strict: Enable Hide Identity, Hide Version, Harden DNSSEC data.
Force harden glue configuration option, and remove GUI control of that option. Problem with Unbound pre-1.5.2 means in 2.2-RELEASE, having this option enabled, and DNSSEC disabled, could lead to DNS cache poisoning. #4402
Added a check to test if Unbound is enabled and using the same port before allowing dnsmasq to be enabled. #4332
Removed hard-coded value for harden-referral-path. It defaults to no, so no behavior change, and that setting is unlikely to ever become a default. This allows users to configure an override to enable this option if desired. #4399
Fixed calculation of the 6rd default gateway honoring netmasks other than /32.
Fixed recording of the IPv6 interface’s new IP address and do not issue commands that cannot succeed. #3669
Fixed not being able to save custom and custom-v6 DynDNS entries.
Added IPv6 IP addresses to /etc/hosts in the same manner IPv4 IP addresses are added. #4395
Fix computation of the displayed DHCPv6 range start to be consistent with the actual check.
Added dhcp6.name-servers option with DHCPD-PD regardless of PD length.
Fixed Net_IPv6::compress() to properly handle all-zeros address.
UnicastOnlyin radvd for
Removed requesting a prefix delegation when there are no tracking interfaces setup to use it. #4436
Added code to destroy stf interface when a 6rd or 6to4 tunnel is disabled. #4471
Added input validation to prevent the VIP “interfaces” from being assigned since they are just an identification of the VIP for tracking and not actual interfaces. #4389
Fixed functions to properly return the VIP subnet now that the CARP might not match its parent interface subnet. #4390
Fixed a bug that caused the status icon from previous CARP VIP to be shown in cases where the IP address was not present on an interface.
Changed the carp demotion factors slightly to avoid CARP transitions that are most likely unnecessary. (Do not demote on NIC send errors or pfsync errors)
Expanded the CARP demotion error
Added button to reset demotion status
Fixed handling of IP Alias deletion from a secondary node using XMLRPC configuration sync #4446
Misc Binary/OS Changes¶
Upgraded PHP to 5.5.22.
Re-enabled Suhosin in PHP.
Updated 802.11 code and Atheros wireless driver from FreeBSD 11-CURRENT
Added patch to fix crash with Ralink wireless cards in access point mode. #4117
Added athstats, cryptostats and cryptodev back. #4239
Fixed AESNI module checks when used inside a virtual machine.