2.4.4-p3 New Features and Changes¶
pfSense® software version 2.4.4-p3 addresses security and other issues found in 2.4.4-p2.
Tip
For those who have not yet updated to 2.4.5-p1, consult the previous release notes and blog posts for those releases to read all important information and warnings before proceeding.
Warning
The upcoming pfSense release version 2.5.0 deprecates the built-in load balancer, and all related code has been removed as it is not compatible with FreeBSD 12. Plan migrations to alternate solutions such as the HAProxy package now.
See the 2.5.0 release notes for more information.
Security / Errata¶
Changed
sshguard
to block both ssh and the GUI using a single table, and removed the unnecessary manual scheduled table expiration pfSense-SA-19_02.sshguard #9223Fixed potential XSS vectors
pfSense-SA-19_01.webgui : Fixed potential XSS vectors in system_advanced_admin.php, interfaces_assign.php, firewall_rules_edit.php, firewall_shaper.php, services_igmpproxy_edit.php, services_ntpd_gps.php and diag_traceroute.php #9294
pfSense-SA-19_03.webgui : Fixed potential XSS vector in status_filter_reload.php #9499
pfSense-SA-19_04.webgui : Fixed potential XSS vector in the WOL widget #9507
pfSense-SA-19_05.webgui : Fixed potential XSS vector in services_acb.php #9508
Fixed privilege issues
pfSense-SA-19_06.webgui : Restrict edit access to OpenVPN-related advanced settings, and added new privilege to delegate edit permissions #9511
pfSense-SA-19_07.webgui : Strengthen widget privilege matching to avoid a potential privilege bypass for users granted access to widgets #9512
pfSense-SA-19_08.webgui : Strengthen path privilege check to avoid a potential directory-traversal-like bypass method #9513
Added privileges for Auto Config Backup pages #9519
Updated privileges: Added misc missing pages, removed obsolete pages
Addressed FreeBSD Security Advisories:
Added DNS over TLS host verification #8602
Configure hostnames for DNS over TLS servers under System > General
sqlite updates #9205
Backup / Restore¶
Certificates¶
DNS¶
Firewall Rules / NAT / Aliases¶
Fixed intermittent pf errors when NAT reflection is enabled #9446
Fixed reserved pf keyword matching when creating and editing aliases #9231
Fixed duplicate entries showing on diag_tables.php from lockout tables #9359
Fixed a PHP error deleting an imported NAT rule with no firewall rules present #9193
Do not show scheduler icon when scheduler tag is empty
Gateways / Routing¶
Fixed issues with the default IPv4 gateway set to a group failing after restart #9004
Interfaces¶
Fixed PHP error from interface groups when editing QinQ entries
IPsec¶
Fixed IPsec Phase 1 entries on upgrade to have their
protocol
field populated properly #9207
Operating System¶
Traffic Shaping¶
WebGUI¶
Numerous optimizations and improvements for status.php diagnostics output #9290
Fixed a PHP error on system_advanced_network.php when disabling “IPv6 over IPv4 Tunneling” #9264
Improved handling of large captures on diag_packet_capture.php and disabled viewing of captures larger than 50MiB. #9239
Added hostname to login page title if the user has enabled Show hostname on login banner #9096
Centralized the list of country codes used by multiple areas #9308
Updated translation files
XMLRPC¶
Clarified conditions for synchronizing certificates in HA Sync options #9283