NOTE: pfSense ships with a default set of DH parameters due to the time/CPU they require to generate. A new set of DH parameters may be generated by the user at any time as described in DH Parameters.
- Fixes for filesystem corruption in various cases during an unclean shutdown (crash, power loss, etc.). #4523
  - Changed new filesystems to use the 'sync' option to avoid loss of data.
  - Added upgrade code to activate the 'sync' option on the root slice for existing installations.
  - Changed new filesystems to use softupdates and journaling (AKA SU+J).
  - Changed the way fsck is handled at boot time:
    - Followed best practice of using fsck from the FreeBSD rc.d/fsck script. (Run preen mode first and later try forcefully fixing issues.)
    - Added as much information during boot on the status of the filesystem as possible.
    - Changed fsck to run with the -C flag and always in the foreground during boot to prevent issues that might schedule background mode.
  - The forcesync patch for #2401 was considered harmful to the filesystem and removed. As such, there may be some noticeable slowness with NanoBSD on certain slower disks, especially CF cards and to a lesser extent, SD cards. If this is a problem, the filesystem may be kept read-write on a permanent basis using the option on Diagnostics > NanoBSD.
- Fixed a problem with more than 64 IP addresses in the "self" table in pf.
- Fixed issues with FQDNs in aliases causing static entries to be lost. #4296
- Added the tracker ID rule number lookup to the dynamic firewall log. #4730
- Fixed alias rename and delete not being propagated to outbound NAT. #4701
- Fixed tracker IDs of policy route negation rules, which had been duplicating the tracker ID of the rule they were based upon. This confused the log parser and displayed the negation rule rather than the actual rule. #4651
- Fixed logging of passed IGMP traffic when the rule is not set to log. #4383
- Fixed a situation where a combination of L2TP, overlapping subnets, port forwards and NAT reflection could cause an invalid ruleset. #4772
- Added a GUI field to control the size of the pf fragment limit. #4775
- Backported FreeBSD r283146 and the patch from FreeBSD PR 192774 to address PF_KEY ACQUIRE missing port and protocol information.
- Added reply-to/route-to rules for mobile IPsec. #4235
- Removed the manual specification of reqid in the IPsec configuration because strongSwan 5.3.0 has fixed issues with its handling, which caused the existing code to misbehave. #4665
- Fixed the display and behavior of the LAN bypass option for IPsec. #4655
- Fixed IPsec LAN bypass toggling every time save is pressed. #4640
- Changed how charon is started and restarted to fix various issues with IPsec configuration reloading. #4268
- Added new modes for IPsec Phase 1 according to RFC 5903 (Elliptic Curve groups). #4260
- Implemented the "make before break" feature available in strongSwan 5.3.0, which is useful for IKEv2. #4626
- Fixed vpn_ipsec_configure so it always performs a filter reload to ensure the ruleset is updated where necessary in every IPsec change scenario. #4631
- Added support for EAP-RADIUS to IKEv2 Mobile Clients. #4614
- Fixed a panic/crash when accessing services on the firewall over mobile IPsec on 32-bit installations (set net.inet.ipsec.directdispatch=0 on i386). #4537
- Added a space to the OpenVPN TLS Verify script to avoid appended parameters appearing the same as existing parameters.
- Fixed get_interface_ip() to return the IP address correctly for gateway groups specifying a VIP, which fixed OpenVPN clients not working with gateway groups specifying VIPs. #4661
- Changed the OpenVPN client settings to allow just one of either the username or password to be specified. #3633
- Fixed OpenVPN servers listening on an associated IPv6 address.
- Fixed filterdns to use the proper API for ipfw changes on FreeBSD 10.1+ to correct captive portal allowed hostnames not being loaded into tables at boot time. #4746
- Fixed both the kernel and choparp to better handle I/O and prevent issues in the way they handle BPF, which can contribute to a panic when using Proxy ARP VIPs. #4685
- Merged a patch that avoids a panic in the sockbuf module. #4689
- Fixed AESNI to be SMP friendly to avoid various decryption errors and possible encryption mistakes. Also added critical_enter/critical_exit to avoid preemption of the currently running thread, which should fix panics. #4702
- Updated time zone data from FreeBSD 10.1-RELEASE. #4459
- Fixed creation of /var/spool/lock on NanoBSD at boot time. #4532
- Removed boot_serial='yes' from loader.conf when serial is disabled. #4617
- Fixed an issue where mtree would fail during an upgrade from a previous version of FreeBSD when moving to 2.2.x. #4653
- Clarified that DNS Forwarder and Resolver both apply in DHCP/DHCPv6 and router advertisements. #3730
- Removed unnecessary filtering on the DHCP static mappings table.
- Added appropriate RA flags for "Stateless DHCP".
- Added error checking to avoid warnings about DHCP relay during boot.
- Fixed hostname validation for static DHCP leases such that only fully qualified hostnames must be unique, not short names alone.
- Fixed adding DHCP static mappings from the DHCP leases view to non-default pools. #4649
- Stopped invalid DHCP settings from being applied when input errors exist.
- Removed DHCP static lease overlap cleanup and its associated function and killing of the DHCP daemon. This behavior could cause problems with failover scenarios, especially when adding/editing/removing static mappings.
- Changed CARP so that it does not trigger a CARP demotion taskqueue if the value is 0, which can cause the cluster to misbehave.
- Fixed issues for CARP+Bridges where pfSense would crash or freeze. #4607
- Fixed the CARP plugin call for packages. The "interface" parameter was coming through as NULL during CARP events.
- Added an INIT event for CARP in devd.conf as an alternate for 'backup', otherwise scripts would not take down services during a MASTER->INIT transition (e.g. interface unplug, link loss).
- Fixed NTP so that it properly uses selected CARP IP addresses. #4370
- Fixed CARP packet flow after initial interface creation. #4633
- Consistently handled clear_subsystem_dirty after an Unbound restart.
- Added a call to clear_subsystem_dirty('staticmaps') when using Unbound, otherwise DHCP static mappings would not fully apply when Unbound was in use. #4678
- Fixed an Unbound warning when "dnsallowoverride" was off and port forwarding was on. #4682
- Re-enabled verification for selfhost DynDNS since their chain issue has been resolved. #4545
- Fixed various issues in the installer for GEOM mirrors (mirror slice detection, gmirror cleanup on non-clean disks). #4658
- Fixed new user creation to use skel as the source of new user files rather than copying from the home directory of root.
- Changed growl so it will not be called if the configured address isn't an IP address or resolvable hostname. This avoids a 1-minute timeout delay in fsockopen in growl.class. This change cuts that down to about a 20-second timeout. #4739
- Added a reboot after restoring a full backup in the GUI. #4107
- Deprecated /usr/local/bin/3gstat as it was no longer used. It was replaced by 3gstats.php long ago.
- Started using the "host!" flag when setting CURLOPT_INTERFACE, as recommended by the cURL documentation.
- Started passing the interface to CURLOPT_INTERFACE instead of the IP address, and also started using the "if!" flag to avoid cURL trying to resolve the interface name.
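The two CURLOPT_INTERFACE items above hinge on a libcurl detail worth seeing in code: an unprefixed value is tried first as an interface name and then, if no such interface exists, as a host name or address, so a typo or a name collision silently changes where the request is bound. The "if!" and "host!" prefixes remove that ambiguity. The following is an added example and not pfSense's own code; the helper names and the sample interface and address values are assumptions for illustration.

```php
<?php
/*
 * Added example (not pfSense code): building an unambiguous
 * CURLOPT_INTERFACE value.
 *
 * libcurl accepts three forms for this option:
 *   "em0"           try an interface named em0 first, then fall back to
 *                   treating the string as a host name or address
 *   "if!em0"        interface name only; fail if no such interface exists
 *   "host!192.0.2.10"  host name or address only; never try it as an
 *                   interface name
 *
 * Only the unprefixed form can fall back, which is what the two changelog
 * items above remove by always choosing a prefix.
 */

/**
 * Return a CURLOPT_INTERFACE value that libcurl cannot reinterpret.
 * Addresses get "host!", everything else is treated as an interface name
 * and gets "if!" so libcurl will not attempt a DNS lookup on it.
 */
function curl_bind_source($value)
{
    if (filter_var($value, FILTER_VALIDATE_IP) !== false) {
        // Explicit address: bind to it, never try it as an interface name.
        return 'host!' . $value;
    }
    // Interface name: with "if!" a nonexistent interface is a hard error
    // (CURLE_INTERFACE_FAILED) rather than a fallback to name resolution.
    return 'if!' . $value;
}

/**
 * Fetch $url with the source interface/address pinned. $source is either an
 * interface name ("em0") or an IP address; $connect_timeout is in seconds.
 */
function fetch_via($url, $source, $connect_timeout = 5)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => $connect_timeout,
        CURLOPT_INTERFACE      => curl_bind_source($source),
    ));
    $body = curl_exec($ch);
    if ($body === false) {
        // With a prefixed value, an unusable source surfaces here as an
        // error instead of a silent bind to something unintended.
        error_log('curl failed for ' . $url . ': ' . curl_error($ch));
    }
    curl_close($ch);
    return $body;
}

// Constructed usage: em0 and https://example.invalid/ are placeholders.
$body = fetch_via('https://example.invalid/', 'em0');
```

curl_bind_source('em0') yields "if!em0" and curl_bind_source('192.0.2.10') yields "host!192.0.2.10"; in both cases libcurl is told exactly which interpretation is intended, so a misconfigured interface name fails loudly instead of being resolved as a host name.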
- Fixed NTP serial configuration to set up the serial port before attempting to configure a GPS unit.
- Cleaned up various HTML/XHTML issues.
- Fixed a check for deleting a VIP when in use by OpenVPN.
- Fixed issues with backup/restore of a config.xml breaking the serial console on ADI installs. #4720
- Fixed several issues with boot speed when WAN was disconnected. #4442
- Reduced the timeout for HTTP/HTTPS connection attempts for items like URL table aliases. Once connected, they can run past that. 5 seconds should be more than enough for any properly functioning network.