2.2.3 New Features and Changes¶
Security/Errata Notices¶
pfSense-SA-15_06.webgui: Multiple XSS Vulnerabilities in the pfSense WebGUI
The complete list of affected pages and fields is very large and all are listed in the linked SA.
FreeBSD-SA-15:10.openssl: Multiple OpenSSL vulnerabilities (Including Logjam): CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-4000
NOTE: pfSense ships with a default set of DH parameters due to the time/CPU they require to generate. A new set of DH parameters may be generated by the user at any time as described in DH Parameters
Fixes for filesystem corruption in various cases during an unclean shut down (crash, power loss, etc.). #4523
Changed new filesystems to use the ‘sync’ option to avoid loss of data.
Added upgrade code to activate the ‘sync’ option on the root slice for existing installations.
Changed new filesystems to use softupdates and journaling (AKA SU+J).
Changed the way fsck is handled at boot time:
Followed best practice of using fsck from FreeBSD rc.d/fsck script. (Run preen mode first and later try forcefully fixing issues.)
Added as much information during boot on the status of the filesystem as possible.
Changed fsck to run with -C flag and always in foreground during boot to prevent issues that might schedule background mode.
The forcesync patch for #2401 was considered harmful to the filesystem and removed. As such, there may be some noticeable slowness with NanoBSD on certain slower disks, especially CF cards and to a lesser extent, SD cards. If this is a problem, the filesystem may be kept read-write on a permanent basis using the option on Diagnostics > NanoBSD.
Rules/Aliases/NAT¶
Fixed a problem with more than 64 IP addresses in the “self” table in pf.
Fixed issues with FQDNs in aliases causing static entries to be lost. #4296
Added the tracker ID rule number lookup to dynamic firewall log. #4730
Fixed alias rename and delete not being propagated to outbound NAT. #4701
Fixed tracker IDs of policy route negation rules which had been duplicating the tracker ID of the rule they were based upon. This confused the log parser and displayed the negation rule rather than the actual rule. #4651
Fixed logging of passed IGMP traffic when the rule is not set to log. #4383
Fixed a situation where a combination of L2TP, overlapping subnets, port forwards and NAT reflection could cause an invalid ruleset. #4772
Added a GUI field to control the size of the pf fragment limit #4775
IPsec¶
Updated strongSwan to 5.3.2. #4750
Integrated a patch from https://wiki.strongSwan.org/issues/951 to solve IPsec SA rekey issues on strongSwan+FreeBSD. #4686
Added patches from FreeBSD PR 200282 to help address IPsec rekey issues.
Backported FreeBSD r283146 and patch from FreeBSD PR 192774 to address PF_KEY ACQUIRE missing port and protocol information.
Added reply-to/route-to rules for mobile-ipsec. #4235
Removed the manual specification of reqid in the IPsec configuration because strongSwan 5.3.0 has fixed issues with its handling, which caused the existing code to misbehave. #4665
Fixed the display and behavior of the LAN bypass option for IPsec. #4655
Fixed IPsec LAN bypass toggling every time save is pressed. #4640
Changed how charon is started and restarted to fix a various issues with IPsec configuration reloading. #4268
Added new modes for IPsec Phase 1 according to RFC 5903 (Ecliptic Curve groups). #4260
Implemented the “make before break” feature available in strongSwan 5.3.0, which is useful for IKEv2. #4626
Fixed vpn_ipsec_configure so it always performs a filter reload to ensure the ruleset is updated where necessary in every IPsec change scenario. #4631
Added support for EAP-RADIUS to IKEv2 Mobile Clients. #4614
Fixed a panic/crash when accessing services on the firewall over mobile IPsec on 32-bit installations (set net.inet.ipsec.directdispatch=0 on i386). #4537
Fixed an issue with FQDN hosts and PSKs. #4785
OpenVPN¶
Added a space to the OpenVPN TLS Verify script to avoid appended parameters appearing the same as existing parameters.
Fixed get_interface_ip() to return the IP address correctly for gateway groups specifying a VIP, which fixed OpenVPN clients not working with gateway groups specifying VIPs. #4661
Changed the OpenVPN client settings to allow just one of either the username or password to be specified. #3633
Fixed OpenVPN servers listening on an associated IPv6 addresses.
Captive Portal¶
Fixed filterdns to use the proper API for ipfw changes on FreeBSD 10.1+ to correct captive portal allowed hostnames not being loaded into tables at boot time. #4746
Fixed Captive Portal RADIUS accounting. #4131
Fixed Captive Portal Idle-Timeout causing a value of 2147483647 for acctsessiontime. #4652
Fixed disconnection of active voucher users, and corrected disconnection of users especially when triggered via XMLRPC. #4625
Operating System¶
Fixed both the kernel and choparp to better handle I/O and prevent issues in the way it handles BPF, which can contribute to a panic when using Proxy ARP VIPs. #4685
Merged a patch that avoids a panic on sockbuf module. #4689
Fixed AESNI to be SMP friendly to avoid various decryption errors and possible encryption mistakes. Also present critical_enter/critical_exit to avoid preemption of the currentrunning thread which should fix panics. #4702
Updated time zone data from FreeBSD 10.1-RELEASE. #4459
Fixed creation of /var/spool/lock on NanoBSD at boot time. #4532
Removed boot_serial=’yes’ from loader.conf when serial is disabled. #4617
Fixed an issue where mtree would fail during an upgrade from a previous version of FreeBSD when moving to 2.2.x. #4653
Interfaces/NIC Drivers¶
Added support for Sierra Wireless MC7354.
Added support for Intel X552, ixgbe changes from stable/10, and moved altq changes for ixgbe to the large ixgbe patch.
Enabled ix/ixv/ixl modules in the kernel
Fixed duplication of statistics on vlan(4) interfaces for outgoing bytes #3314
Fixed updating wireless statistics so that the output bytes are not always zero. #4028
Added a patch from FreeBSD PR 200722 for mpd5 to preventing it from printing a warning when renaming an interface to an existing name.
Fixed SLAAC/DHCPv6 handling for cases where the global SLAAC IPv6 address might be present when using DHCPv6. #4483
Corrected descriptions on Key Rotation and Master Key Regeneration for wireless interfaces.
Removed the “insert my MAC” feature from interfaces.php.
Defined $var_path as a global key since it is being used in interfaces.inc, but it was not declared.
Fixed issues setting the MTU on certain interfaces. #4397
Packages¶
Fixed various issues with PBI generation.
Synchronized and cleaned up various pfPorts, eliminated several that had changes pushed back into FreeBSD ports.
Fixed an issue where rebuild_package_binaries_pbi.php could fail due to missing build files. #4600
Backported patches from FreeBSD stable/10 to fix a crash when stopping squid. #4592
Fixed pfflowd to use the correct version for parsing the new pfsync header and corrected the pfsync version check. #4304
Updated pkg_edit.php with fixes for usecolspan2 and combinedfields.
Fixed pagination on pkg.php.
Fixed boot-time log file initialization for package logs. #4603
DHCP/RA¶
Clarified that DNS Forwarder and Resolver both apply in DHCP/DHCPv6 and router advertisements. #3730
Removed unnecessary filtering on the DHCP static mappings table.
Added appropriate RA Flags for “Stateless DHCP”.
Added error checking to avoid warnings about DHCP relay during boot.
Fixed hostname validation for static DHCP leases such that only fully qualified hostnames must be unique, not only short names.
Fixed adding DHCP static mappings from the DHCP leases view to non-default pools. #4649
Stopped invalid DHCP settings from being applied when input errors exist.
Removed DHCP static lease overlap cleanup and its associated function and killing of the DHCP daemon. This behavior could cause problems with failover scenarios, especially when adding/editing/removing static mappings.
Web GUI¶
Fixed language selection. #4705
Changes to status.php to make it easier to gather and submit support information:
Added sanitization of OpenVPN static/tls keys to status.php.
Cleaned up, organized, and expanded the info presented by status.php.
Changed status.php to additionally save the output to individual text files and compress them into a .tgz for later download.
Fixed setup wizard LAN DHCP pool calculation to avoid an invalid pool.
Improved the setup wizard hostname check. #4712
Fixed some minor text issues in wizards.
Changed the wizard to use the current WAN gateway name rather than assuming the name. #4713
Updated and corrected the wireless status flags and capabilities list. There are many more possible flags, now documented at Wireless Status.
Added a fall back to look up local user privileges and groups if the groups could not be found from LDAP and there is a local user.
Fixed Crash Reporter submissions when symlinks were present as part of crash report, which would fail to save the report on the server. #4650
Set a user agent for the Crash Reporter.
Cleaned up code logic in status_upnp.php.
CARP¶
Changed CARP so that it does not trigger a carp demotion taskqueue if the value is 0, which can cause the cluster to misbehave.
Fixed issues for CARP+Bridges where pfSense would crash or freeze. #4607
Fixed the CARP plugin call for packages. The “interface” parameter was coming through as NULL during CARP events.
Added INIT event for CARP in devd.conf as an alternate for ‘backup’, otherwise scripts would not take down services during a MASTER->INIT transition. (e.g. interface unplug, link loss)
Fixed NTP so that it properly uses selected CARP IP addresses. #4370
Fixed CARP packet flow after initial interface creation. #4633
Traffic Shaper/Limiters¶
DNS¶
Consistently handle clear_subsystem_dirty after an Unbound restart.
Added a call to clear_subsystem_dirty(‘staticmaps’) when using Unbound, otherwise DHCP static mappings would not fully apply when Unbound was in use. #4678
Fixed an Unbound warning when “dnsallowoverride” was off and port forwarding was on. #4682
Re-enabled verification for selfhost DynDNS since their chain issue has been resolved. #4545
Misc¶
Updated PHP to 5.5.26
Fixed various issues in the installer for GEOM mirrors (mirror slice detection, gmirror cleanup on non-clean disks.) #4658
Fixed new user creation to use skel as the source of new user files rather than copying from the home directory of root.
Changed growl so it will not be called if the configured address isn’t an IP address or resolvable hostname. This avoids 1 minute timeout delay in fsockopen in growl.class. This change cuts that down to about a 20 second timeout. #4739
Added a reboot after restoring a full backup in the GUI. #4107
Deprecated /usr/local/bin/3gstat as it was no longer used. It was replaced by 3gstats.php long ago.
Started using the “host!” flag when setting CURLOPT_INTERFACE, as recommended by the CURL documentation.
Started passing the interface to CURLOPT_INTERFACE instead of the IP address, also started using the “if!” flag to avoid CURL trying to resolve the interface name.
Fixed NTP serial configuration to setup the serial port before attempting to configure a GPS unit.
Cleaned up various HTML/XHTML issues.
Fixed a check for deleting a VIP when in use by OpenVPN.
Fixed issues with backup/restore of a config.xml breaking the serial console on ADI installs. #4720
Fixed several issues with boot speed when WAN was disconnected. #4442
Reduce the timeout for HTTP/HTTPS connection attempts for items like URL table aliases. Once connected, they can run past that. 5 seconds should be more than enough for any properly-functioning network.
Removed some unused/obsolete files.