2.7.2 New Features and Changes

This is a maintenance software release including new features and bug fixes.

Consult the Upgrade Guide before proceeding with any upgrade.

Security / Errata

FreeBSD Notices

This release includes corrections for several FreeBSD Errata Notices and Security Advisories, including:

• FreeBSD-SA-23:17.pf - TCP spoofing vulnerability in pf(4)

• FreeBSD-EN-23:16.openzfs - Potential ZFS Data Corruption

  For more information about ZFS data corruption, see ZFS Data Corruption Details later in this document.

• FreeBSD-EN-23:18.openzfs - High CPU usage by ZFS kernel threads

• FreeBSD-EN-23:17.ossl - ossl(4)’s AES-GCM implementation may give incorrect results

• FreeBSD-EN-23:20.vm - Incorrect results from the kernel physical memory allocator

• Performance issues in OpenSSL have also been identified and corrected, notably with acceleration such as AES-NI.

EFI Issue on Proxmox® VE

Some users of pfSense® software running under Proxmox VE 7.4 have had issues booting Virtual Machines via EFI. This may also affect other versions of Proxmox VE and pfSense software as well as FreeBSD.

Adding a serial port to the VM hardware appears to work around the issue for the time being. A fix for the root cause is under investigation and development for future versions.

At this time the best practice to avoid potential problems is to add a serial port to the VM, then shutdown the VM and start it back up before beginning the pfSense software upgrade process.

See also

See EFI Boot Issues for additional recommendations.

ZFS Data Corruption Details

Two data corruption bugs were recently reported against ZFS, including the version of ZFS in recent releases of pfSense software. These bugs have been corrected upstream in FreeBSD and the fixes have been imported into this release.

One bug was in block cloning, which is disabled by default on pfSense software, and thus is unlikely to be a significant concern on this platform. The other bug has been present in ZFS for years and was difficult to trigger.

Given the history of data corruption problems due to hole reporting in files, the corrections for this issue include a preventive measure to disable hole reporting. The downside of disabling hole reporting is the possibly increased disk space usage.

Tip

Users on previous releases of pfSense software can reduce the likelihood of encountering the data corruption issue by creating a System Tunable for vfs.zfs.dmu_offset_next_sync with a value of 0.

pfSense CE

Changes in this version of pfSense CE software.

DHCP (IPv4)

• Fixed: ISC DHCP responds from a random port #15011

DHCP (IPv6)

• Fixed: PHP error on services_dhcpv6.php if the configuration contains an empty dhcpv6 section #14978

DHCP Relay

• Fixed: Input validation prevents saving DHCPv6 Relay settings #14965

IPsec

• Fixed: Mobile IPsec Group Authentication cannot be enabled #14963

• Fixed: Incorrect permissions on ipsec.auth-user.php #14974

• Fixed: IPsec log categories set to “Audit” do not function properly or save properly in the GUI #14990

• Changed: Update strongSwan to 5.9.11_3 #15050

Installer

• Added: Add an appropriately named file to install images to indicate what they are #14887

Interfaces

• Fixed: Mulicast traffic on a detached interface causes a panic #14917

• Fixed: PHP Error on interfaces.php when creating a PPP interface #14949

OpenVPN

• Changed: Update OpenVPN to 2.6.8_1 #15049

Operating System

• Fixed: Potential ZFS file corruption #15034

Rules / NAT

• Fixed: Invalid outbound NAT rules break the following rule #15024

• Fixed: Automatic outbound NAT rules show an empty NAT Address #15025

Upgrade

• Fixed: pfSense-boot does not update the EFI loader #15007

Web Interface

• Fixed: Firewall Maximum Table Entries “default size” is whatever is entered #11566