pfSense

Software Details:
Version: 2.4.3-p1 updated
Upload Date: 22 Jun 18
Developer: Scott Ullrich
Distribution Type: Freeware
Downloads: 2297

Rating: 3.8/5 (Total Votes: 9)

pfSense® is a freely distributed and open source BSD operating system derived from the well-known m0n0wall project, but with radically different goals, such as using Packet Filter and the latest FreeBSD technologies.

The project can be used as both a router and a firewall. It includes a package system that lets system administrators extend the product without adding potential security vulnerabilities and bloat to the base distribution.

Features at a glance

Key features include a state-of-the-art stateful firewall, inbound/outbound load balancing, a state table, NAT (Network Address Translation), high availability, VPN (Virtual Private Network) with support for IPsec, PPTP and OpenVPN, a PPPoE server, Dynamic DNS, a captive portal, reporting, and monitoring.

It is an actively developed firewall operating system, distributed as gzip-archived Live CD and installation-only ISO images, USB stick installers, and NanoBSD/embedded media. Both 64-bit (amd64) and 32-bit (i386) hardware platforms are supported at this time.

Several predefined boot options are available during the boot process: boot the operating system with default settings, with ACPI disabled, using USB devices, in safe mode, in single-user mode, or with verbose logging, or drop to a shell prompt or reboot the machine.

Getting started with pfSense®

The distribution asks at first boot whether to set up VLANs (Virtual LANs), but it requires at least one assigned network interface to function. If you do not have, or do not assign, at least one interface, pfSense® will not start at all.

Used as a firewall for small home networks, universities, large corporations, and any other organization where protecting thousands of network devices is critical, pfSense® has been downloaded by over a million users around the world since its inception.

Bottom line

It is one of the best open source firewall projects, engineered to provide users with all the features that commercial firewall products come with. Today, pfSense® is used in numerous hardware firewall solutions, including Cisco PIX, Cisco ASA, Netgear, Check Point, Juniper, Astaro, Sonicwall, and Watchguard.

pfSense® is a registered trademark and service mark owned by Electric Sheep Fencing LLC. See www.electricsheepfencing.com.

What is new in this release:

Security / Errata:
  • Updated to OpenSSL 1.0.2m to address CVE-2017-3736 and CVE-2017-3735
  • FreeBSD-SA-17:10.kldstat
  • FreeBSD-SA-17:08.ptrace
  • Fixed a potential XSS vector in status_monitoring.php #8037 pfSense-SA-17_07.packages.asc
  • Fixed a potential XSS vector in diag_dns.php #7999 pfSense-SA-17_08.webgui.asc
  • Fixed a potential XSS vector on index.php via widget sequence parameters #8000 pfSense-SA-17_09.webgui.asc
  • Fixed a potential XSS in the widgetkey parameter of multi-instance dashboard widgets #7998 pfSense-SA-17_09.webgui.asc
  • Fixed a potential clickjacking issue in the CSRF error page
Interfaces:
  • Fixed PPP interfaces with a VLAN parent when using the new VLAN names #7981
  • Fixed issues with QinQ interfaces failing to show as active #7942
  • Fixed a panic/crash when disabling a LAGG interface #7940
  • Fixed issues with LAGG interfaces losing their MAC address #7928
  • Fixed a crash in radvd on SG-3100 (ARM) #8022
  • Fixed an issue with UDP packet drops on SG-1000 #7426
  • Added an interface to manage the built-in switch on the SG-3100
  • Trimmed more characters off the interface description to avoid console menu output line wrapping on a VGA console
  • Fixed handling of the VIP uniqueid parameter when changing VIP types
  • Fixed PPP link parameter field display when a VLAN parent interface was selected #8098
Operating System:
  • Fixed issues resulting from having a manually configured filesystem layout with a separate /usr slice #8065
  • Fixed issues updating ZFS systems created using an MBR partition scheme (empty /boot due to bootpool not being imported) #8063
  • Fixed issues with BGP sessions utilizing MD5 TCP signatures in routing daemon packages #7969
  • Updated dpinger to 3.0
  • Enhanced the update repository selection choices and methods
  • Updated the system tunables that tell the OS not to harvest entropy from interrupts, point-to-point interfaces and Ethernet devices to reflect the new name/format for FreeBSD 11
  • Changed ruleset processing so that it retries if another process is in the middle of an update, rather than presenting an error to the user
  • Fixed some UEFI boot issues on various platforms
Certificates:
  • Fixed invalid entries in /etc/ssl/openssl.cnf (only affected non-standard usage of openssl in the cli/shell) #8059
  • Fixed LDAP authentication when the server uses a globally trusted root CA (new CA selection for "Global Root CA List") #8044
  • Fixed issues creating a certificate with a wildcard CN/SAN #7994
  • Added validation to the Certificate Manager to prevent importing a non-certificate authority certificate into the CA tab #7885
IPsec:
  • Fixed a problem using IPsec CA certificates when the subject contains multiple RDNs of the same type #7929
  • Fixed an issue with enabling IPsec mobile client support in translated languages #8043
  • Fixed issues with IPsec status display/output, including multiple entries (one disconnected, one connected) #8003
  • Fixed display of multiple connected mobile IPsec clients #7856
  • Fixed display of child SA entries #7856
OpenVPN:
  • Added an option for OpenVPN servers to utilize "redirect-gateway ipv6" to act as the default gateway for connecting VPN clients with IPv6, similar to "redirect-gateway def1" for IPv4. #8082
  • Fixed the OpenVPN Client Certificate Revocation List option #8088
Traffic Shaping:
  • Fixed an error when configuring a limiter over 2Gb/s (new max is 4Gb/s) #7979
  • Fixed issues with bridge network interfaces not supporting ALTQ #7936
  • Fixed issues with vtnet network interfaces not supporting ALTQ #7594
  • Fixed an issue with Status > Queues failing to display statistics for VLAN interfaces #8007
  • Fixed an issue with traffic shaping queues not allowing the total of all child queues to be 100% #7786
  • Fixed an issue with limiters given invalid fractional/non-integer values from limiter entries or passed to Captive Portal from RADIUS #8097
Rules/NAT:
  • Fixed selection of IPv6 gateways when creating a new firewall rule #8053
  • Fixed errors on the Port Forward configuration page resulting from stale/non-pfSense cookie/query data #8039
  • Fixed setting VLAN Priority via firewall rules #7973
XMLRPC:
  • Fixed a problem with XMLRPC synchronization when the synchronization user has a password containing spaces #8032
  • Fixed XMLRPC issues with Captive Portal vouchers #8079
WebGUI:
  • Added an option to disable HSTS for the GUI web server #6650
  • Changed the GUI web service to block direct download of .inc files #8005
  • Fixed sorting of Services on the dashboard widget and Services Status page #8069
  • Fixed an input issue where static IPv6 entries allowed invalid input for address fields #8024
  • Fixed a JavaScript syntax error in traffic graphs when invalid data is encountered (e.g. user was logged out or session cleared) #7990
  • Fixed sampling errors in Traffic Graphs #7966
  • Fixed a JavaScript error on Status > Monitoring #7961
  • Fixed a display issue with empty tables on Internet Explorer 11 #7978
  • Changed configuration processing to use an exception rather than die() when it detects a corrupted configuration
  • Added filtering to the pfTop page
  • Added a means for packages to display a modal to the user (e.g. reboot required before package can be used)
Dashboard:
  • Fixed display of available updates on the Installed Packages Dashboard widget #8035
  • Fixed a font issue in the Support Dashboard widget #7980
  • Fixed formatting of disk slices/partitions in the System Information Dashboard widget
  • Fixed an issue with the Pictures widget when there is no valid picture saved #7896
Packages:
  • Fixed display of packages which have been removed from the repository in the Package Manager #7946
  • Fixed an issue displaying locally installed packages when the remote package repository is unavailable #7917
Misc:
  • Fixed interface binding in ntpd so it does not erroneously listen on all interfaces #8046
  • Fixed a problem where restarting the syslogd service would make sshlockout_pf process orphans #7984
  • Added support for the ClouDNS dynamic DNS provider #7823
  • Fixed an issue in the User and Group Manager pages when operating on entries immediately after deleting an entry #7733
  • Changed the setup wizard so it skips interface configuration when run on an AWS EC2 Instance #6459
  • Fixed an IGMP Proxy issue with All-multicast mode on SG-1000 #7710

What is new in version 2.3.4:

Dashboard Updates:
  • On the 2.3.4-RELEASE Dashboard you'll find a few additional pieces of information: The BIOS vendor, version, and release date - if the firewall can determine them - and a Netgate Unique ID. The Netgate Unique ID is similar to a serial number; it is used to uniquely identify an instance of pfSense software for customers who want to purchase support services. For hardware sold in our store, it also allows us to tie units to our manufacturing records. This ID is consistent across all platforms (bare metal, virtual machines, and hosted/cloud instances such as AWS/Azure). We had originally intended to use the hardware serial number or the UUID generated by the operating system, but we found that these were unreliable, inconsistent, and they could change unexpectedly when the operating system was reinstalled.
  • As with the serial number, this identifier is only displayed on the Dashboard for information purposes and is not transmitted anywhere automatically by default. In the future, customers can use this identifier when requesting support information from our staff or systems.
  • If you haven't yet caught up on the changes in 2.3.x, check out the Features and Highlights video. Past blog posts have covered some of the changes, such as the performance improvements from tryforward, and the webGUI update.
Firewall GUI Certificates:
  • Users of Chrome 58 and later, and in some cases Firefox 48 and later, may have issues accessing the pfSense Web GUI if it uses a default self-signed certificate generated automatically by a firewall running pfSense version 2.3.3-p1 or earlier. This is because Chrome 58 strictly enforces RFC 2818, which calls for matching hostnames only against Subject Alternative Name (SAN) entries rather than the Common Name field of a certificate, and the default self-signed certificate did not populate the SAN field.
  • We have corrected the certificate code to correctly follow RFC 2818 in a user-friendly way by automatically adding the certificate Common Name value as the first SAN entry.
  • Firewall administrators will need to generate a new certificate for use by the GUI in order to utilize the new format. There are several ways to generate a compatible certificate, including:
    • Generate and activate a new GUI certificate automatically from the console or ssh shell using one of our playback scripts: pfSsh.php playback generateguicert
    • Utilize the ACME package to generate a trusted certificate for the GUI via Let's Encrypt, which is already properly formatted.
    • Manually create a new self-signed Certificate Authority (CA) and a Server Certificate signed by that CA, then use that for the GUI.
    • Activate the local browser "EnableCommonNameFallbackForLocalAnchors" option in Chrome 58. This setting will be removed by Chrome eventually, so this is only a temporary fix.
  • Some users may remember this is not the first time that the default certificate format has been problematic due to browser changes. Several years ago, Firefox changed the way it calculates certificate trust chains, which could make a browser appear to freeze or hang when attempting to access multiple firewalls with self-signed certificates containing common default data, which resulted in all such certificates containing the same Subject. Fixing that was more of a challenge, but it resulted in a much better end-user experience.
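
The matching rule behind the Chrome 58 problem, as an added example that is not pfSense or Netgate code: a strict RFC 2818 matcher (SAN entries only, no Common Name fallback) next to the legacy behaviour, plus a helper that mirrors the described fix of copying the Common Name into the first SAN entry. Certificates are modelled as the dict Python's ssl.getpeercert() returns; the hostnames, the handling of an IP-literal Common Name as an iPAddress entry, and the wildcard rule are this example's own assumptions.

```python
"""Strict versus legacy hostname matching for a firewall GUI certificate.

Added example, not pfSense code. A certificate is the dict shape returned by
ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs (each a tuple of
(attribute, value) pairs) and 'subjectAltName' is a tuple of (type, value)
pairs using the labels 'DNS' and 'IP Address'.
"""
import ipaddress


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, case-insensitively.

    Assumption for this example: a wildcard is honoured only as the whole
    left-most label, so '*.example.test' matches 'fw.example.test' but not
    'a.b.example.test'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def subject_cn(cert: dict):
    """Return the Common Name from the subject, or None if there is none."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def match_hostname(cert: dict, hostname: str, cn_fallback: bool) -> bool:
    """RFC 2818 style matching of `hostname` against `cert`.

    cn_fallback=False behaves like Chrome 58+: only SAN entries count, so a
    certificate with no SAN can never match. cn_fallback=True behaves like
    older browsers, which consulted the Common Name when no dNSName SAN
    entries were present.
    """
    sans = list(cert.get("subjectAltName", ()))
    dns_names = [v for t, v in sans if t == "DNS"]
    ip_names = [v for t, v in sans if t == "IP Address"]
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None
    if host_ip is not None:
        # An IP literal is compared only with iPAddress SAN entries.
        return any(ipaddress.ip_address(v) == host_ip for v in ip_names)
    if dns_names:
        return any(_dns_name_match(p, hostname) for p in dns_names)
    if cn_fallback:
        cn = subject_cn(cert)
        return cn is not None and _dns_name_match(cn, hostname)
    return False


def add_cn_as_first_san(cert: dict) -> dict:
    """Mirror the 2.3.4 fix: put the Common Name first in the SAN list.

    Assumption for this example: a Common Name that parses as an IP address
    becomes an iPAddress entry; anything else becomes a dNSName entry.
    Existing SAN entries are kept after it.
    """
    cn = subject_cn(cert)
    if cn is None:
        return dict(cert)
    try:
        ipaddress.ip_address(cn)
        first = ("IP Address", cn)
    except ValueError:
        first = ("DNS", cn)
    rest = [e for e in cert.get("subjectAltName", ()) if e != first]
    fixed = dict(cert)
    fixed["subjectAltName"] = tuple([first] + rest)
    return fixed


# Constructed sample: the old default GUI certificate carried only a CN.
OLD_DEFAULT_CERT = {"subject": ((("commonName", "pfSense-fw01.example.test"),),)}
FIXED_CERT = add_cn_as_first_san(OLD_DEFAULT_CERT)


def demo() -> dict:
    """Compare the old and fixed certificate under both matching policies."""
    host = "pfsense-fw01.example.test"
    return {
        "old_strict": match_hostname(OLD_DEFAULT_CERT, host, cn_fallback=False),
        "old_legacy": match_hostname(OLD_DEFAULT_CERT, host, cn_fallback=True),
        "fixed_strict": match_hostname(FIXED_CERT, host, cn_fallback=False),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```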

What is new in version 2.3.2-p1:

  • FreeBSD-SA-16:26.openssl - Multiple vulnerabilities in OpenSSL. The only significant impact on pfSense is OCSP for HAproxy and FreeRADIUS.
  • Several HyperV-related Errata in FreeBSD 10.3, FreeBSD-EN-16:10 through 16:16. See https://www.freebsd.org/relnotes/10-STABLE/errata/errata.html for details.
  • Several built-in packages and libraries have been updated, including:
    • PHP to 5.6.26
    • libidn to 1.33
    • curl to 7.50.3
    • libxml2 to 2.9.4
  • Added encoding to the 'zone' parameter on Captive Portal pages.
  • Added output encoding to diag_dns.php for results returned from DNS. #6737
  • Worked around a Chrome bug with regular expression parsing of escaped characters within character sets. Fixes "Please match the requested format" on recent Chrome versions. #6762
  • Fixed DHCPv6 server time format option #6640
  • Fixed /usr/bin/install missing from new installations. #6643
  • Increased filtering tail limit for logging so searching will locate sufficient entries. #6652
  • Cleaned up Installed Packages widget and HTML. #6601
  • Fixed widget settings corruption when creating new settings. #6669
  • Fixed various typos and wording errors.
  • Removed defunct links to the devwiki site. Everything is on https://doc.pfsense.org now.
  • Added a field to CA/Cert pages for OU, which is required by some external CAs and users. #6672
  • Fixed a redundant HTTP "User-Agent" string in DynDNS updates.
  • Fixed the font for sortable tables.
  • Added a check to verify if an interface is active in a gateway group before updating dynamic DNS.
  • Fixed wording of the "Reject leases from" option for a DHCP interface (it can only take addresses, not subnets.) #6646
  • Fixed error reporting for SMTP settings test.
  • Fixed saving of country, provider, and plan values for PPP interfaces
  • Fixed checking of invalid "Go To Line" numbers on diag_edit.php. #6704
  • Fixed off-by-one error with "Rows to Display" on diag_routes.php. #6705
  • Fixed description of the filter box on diag_routes.php to reflect that all fields are searchable. #6706
  • Fixed description of the box for the file to edit on diag_edit.php. #6703
  • Fixed description of the main panel on diag_resetstate.php. #6709
  • Fixed warning dialog when a box is unchecked on diag_resetstate.php. #6710
  • Fixed log shortcut for DHCP6 areas. #6700
  • Fixed the network delete button showing when only one row was present on services_unbound_acls.php #6716
  • Fixed disappearing help text on repeatable rows when the last row is deleted. #6716
  • Fixed dynamic DNS domain for static map DHCP entries
  • Added control to set dashboard widget refresh period
  • Added "-C /dev/null" to the dnsmasq command line parameters to avoid it picking up an incorrect default configuration which would override our options. #6730
  • Added "-l" to traceroute6 to show both IP Addresses and Hostnames when resolving hops on diag_traceroute.php. #6715
  • Added note about max ttl/hop limit in source comment on diag_traceroute.php.
  • Clarified language on diag_tables.php. #6713
  • Cleaned up the text on diag_sockets.php. #6708
  • Fixed display of VLAN interface names during console assignment. #6724
  • Fixed domain-name-servers option showing twice in pools when set manually.
  • Fixed handling of DHCP options in pools other than the main range. #6720
  • Fixed missing hostnames in some cases with dhcpdv6. #6589
  • Improved pidfile handling for dhcpleases.
  • Added checks to prevent accessing an undefined offset in IPv6.inc.
  • Fixed the display of the alias popup and edit options on source and destination for both the address and port on outbound NAT.
  • Fixed handling of backup config count. #6771
  • Removed some dangling PPTP references that are no longer relevant.
  • Fixed up/caught up remote syslog areas. Added "routing", "ntpd", "ppp", "resolver", fixed "vpn" to include all VPN areas (IPsec, OpenVPN, L2TP, PPPoE Server). #6780
  • Fixed missing checkboxes in some cases when adding rows on services_ntpd.php. #6788
  • Revised service running/stopped icons.
  • Added a check to CRL management to remove certificates from the drop-down list that are already contained in the CRL being edited.
  • Fixed rule separators moving when multiple firewall rules are deleted at the same time. #6801

What is new in version 2.3.2:

  • Backup/Restore:
  • Don't allow applying changes on interface mismatch post-config restore until the reassignment is saved. #6613
  • Dashboard:
  • Dashboard now has per-user configuration options, documented in User Manager. #6388
  • DHCP Server:
  • Disabled dhcp-cache-threshold to avoid bug in ISC dhcpd 4.3.x omitting client-hostname from leases file, which makes dynamic hostname registration fail in some edge cases. #6589
  • Note that DDNS key must be HMAC-MD5. #6622
  • DHCP Relay:
  • Imported fix for dhcrelay relaying requests on the interface where the target DHCP server resides. #6355
  • Dynamic DNS:
  • Allow * for hostname with Namecheap. #6260
  • Interfaces:
  • Fix "can't assign requested address" during boot with track6 interfaces. #6317
  • Remove deprecated link options from GRE and gif. #6586, #6587
  • Obey "Reject leases from" when DHCP "Advanced options" is checked. #6595
  • Protect enclosed delimiters in DHCP client advanced configuration, so commas can be used there. #6548
  • Fix default route on PPPoE interfaces missing in some edge cases. #6495
  • IPsec:
  • strongSwan upgraded to 5.5.0.
  • Include aggressive in ipsec.conf where IKE mode auto is selected. #6513
  • Gateway Monitoring:
  • Fixed "socket name too large" making gateway monitoring fail on long interface names and IPv6 addresses. #6505
  • Limiters:
  • Set pipe_slot_limit automatically to maximum configured qlimit value. #6553
  • Monitoring:
  • Fixed no data periods being reported as 0, skewing averages. #6334
  • Fix tooltip showing as "none" for some values. #6044
  • Fix saving of some default configuration options. #6402
  • Fix X axis ticks not responding to resolution for custom time periods. #6464
  • OpenVPN:
  • Re-sync client specific configurations after save of OpenVPN server instances to ensure their settings reflect the current server configuration. #6139
  • Operating System:
  • Fixed pf fragment states not being purged, triggering "PF frag entries limit reached". #6499
  • Set core file location so they can't end up in /var/run and exhaust its available space. #6510
  • Fixed "runtime went backwards" log spam in Hyper-V. #6446
  • Fixed traceroute6 hang with non-responding hop in path. #3069
  • Added symlink /var/run/dmesg.boot for vm-bhyve. #6573
  • Set net.isr.dispatch=direct on 32 bit systems with IPsec enabled to prevent crash when accessing services on the host itself via VPN. #4754
  • Router Advertisements:
  • Added configuration fields for minimum and maximum router advertisement intervals and router lifetime. #6533
  • Routing:
  • Fixed static routes with IPv6 link local target router to include interface scope. #6506
  • Rules / NAT:
  • Fixed "PPPoE Clients" placeholder in rules and NAT, and ruleset error when using floating rules specifying PPPoE server. #6597
  • Fixed failure to load ruleset with URL Table aliases where empty file specified. #6181
  • Fixed TFTP proxy with xinetd. #6315
  • Upgrade:
  • Fixed nanobsd upgrade failures where the DNS Forwarder/Resolver is not bound to localhost. #6557
  • Virtual IPs:
  • Fixed performance problems with large numbers of virtual IPs. #6515
  • Fixed PHP memory exhaustion on CARP status page with large state tables. #6364
  • Web Interface:
  • Added sorting to DHCP static mappings table. #6504
  • Fixed file upload of NTP leap seconds. #6590
  • Added IPv6 support to diag_dns.php. #6561
  • Added IPv6 support to filter logs reverse lookup. #6585
  • Package system - retain field data on input error. #6577
  • Fixed multiple IPv6 input validation issues allowing invalid IPv6 IPs. #6551, #6552
  • Fixed some DHCPv6 leases missing from GUI leases display. #6543
  • Fixed state killing for 'in' direction and states with translated destination. #6530, #6531
  • Restore input validation of captive portal zone names to prevent invalid XML. #6514
  • Replaced calendar date picker in the user manager with one that works in browsers other than Chrome and Opera. #6516
  • Restored proxy port field to OpenVPN client. #6372
  • Clarify description of ports aliases. #6523
  • Fixed translation output where gettext passed an empty string. #6394
  • Fixed speed selection for 9600 in NTP GPS configuration. #6416
  • Only allow IPv6 IPs on NPT screen. #6498
  • Add alias import support for networks and ports. #6582
  • Fixed sortable table header wrap oddities. #6074
  • Clean up Network Booting section of DHCP Server screen. #6050
  • Fix "UNKNOWN" links in package manager. #6617
  • Fix missing bandwidth field for traffic shaper CBQ queues. #6437
  • UPnP:
  • UPnP presentation URL and model number now configurable. #6002
  • User Manager:
  • Prohibit admins from deleting their own accounts in the user manager. #6450
  • Other:
  • Added PHP shell sessions to enable and disable persistent CARP maintenance mode. "playback enablecarpmaint" and "playback disablecarpmaint". #6560
  • Exposed serial console configuration for nanobsd VGA. #6291

What is new in version 2.3.1 Update 5:

  • The most significant changes in this release are a rewrite of the webGUI utilizing Bootstrap, and the underlying system, including the base system and kernel, being converted entirely to FreeBSD pkg. The pkg conversion enables us to update pieces of the system individually going forward, rather than the monolithic updates of the past. The webGUI rewrite brings a new responsive look and feel to pfSense requiring a minimum of resizing or scrolling on a wide range of devices from desktop to mobile phones.

What is new in version 2.2.6 / 2.3 Alpha:

  • pfSense-SA-15_09.webgui: Local File Inclusion Vulnerability in the pfSense WebGUI
  • pfSense-SA-15_10.captiveportal: SQL Injection Vulnerability in the pfSense captive portal logout
  • pfSense-SA-15_11.webgui: Multiple XSS and CSRF Vulnerabilities in the pfSense WebGUI
  • Updated to FreeBSD 10.1-RELEASE-p25
  • FreeBSD-SA-15:26.openssl Multiple vulnerabilities in OpenSSL
  • Updated strongSwan to 5.3.5_2
  • Includes fix for CVE-2015-8023 authentication bypass vulnerability in the eap-mschapv2 plugin.

What is new in version 2.2.5 / 2.3 Alpha:

  • pfSense-SA-15_08.webgui: Multiple Stored XSS Vulnerabilities in the pfSense WebGUI
  • Updated to FreeBSD 10.1-RELEASE-p24:
  • FreeBSD-SA-15:25.ntp Multiple vulnerabilities in NTP [REVISED]
  • FreeBSD-SA-15:14.bsdpatch: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to run commands in addition to the desired SCCS or RCS commands.
  • FreeBSD-SA-15:16.openssh: The OpenSSH client does not correctly verify DNS SSHFP records when a server offers a certificate (CVE-2014-2653). OpenSSH servers configured to allow password authentication using PAM (the default) would allow many password attempts.
  • FreeBSD-SA-15:18.bsdpatch: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to pass certain ed(1) scripts to the ed(1) editor, which would run commands.
  • FreeBSD-SA-15:20.expat: Multiple integer overflows have been discovered in the XML_GetBuffer() function in the expat library.
  • FreeBSD-SA-15:21.amd64: If the kernel-mode IRET instruction generates an #SS or #NP exception, but the exception handler does not properly ensure that the right GS register base for kernel is reloaded, the userland GS segment may be used in the context of the kernel exception handler.
  • FreeBSD-SA-15:22.openssh: A programming error in the privileged monitor process of the sshd(8) service may allow the username of an already-authenticated user to be overwritten by the unprivileged child process. A use-after-free error in the privileged monitor process of the sshd(8) service may be deterministically triggered by the actions of a compromised unprivileged child process. A use-after-free error in the session multiplexing code in the sshd(8) service may result in unintended termination of the connection.

What is new in version 2.2.4:

  • pfSense-SA-15_07.webgui: Multiple Stored XSS Vulnerabilities in the pfSense WebGUI
  • The complete list of affected pages and fields is listed in the linked SA.
  • FreeBSD-SA-15:13.tcp: Resource exhaustion due to sessions stuck in LAST_ACK state. Note this only applies to scenarios where ports listening on pfSense itself (not things passed through via NAT, routing or bridging) are opened to untrusted networks. This doesn't apply to the default configuration.
  • Note: FreeBSD-SA-15:13.openssl does not apply to pfSense. pfSense did not include a vulnerable version of OpenSSL, and thus was not vulnerable.
  • Further fixes for file corruption in various cases during an unclean shut down (crash, power loss, etc.). #4523
  • Fixed pw in FreeBSD to address passwd/group corruption
  • Fixed config.xml writing to use fsync properly to avoid cases when it could end up empty. #4803
  • Removed the 'sync' option from filesystems for new full installs and full upgrades now that the real fix is in place.
  • Removed softupdates and journaling (AKA SU+J) from NanoBSD; they remain on full installs. #4822
  • The forcesync patch for #2401 is still considered harmful to the filesystem and has been kept out. As such, there may be some noticeable slowness with NanoBSD on certain slower disks, especially CF cards and, to a lesser extent, SD cards. If this is a problem, the filesystem may be kept read-write on a permanent basis using the option on Diagnostics > NanoBSD. With the other changes above, the risk is minimal. We advise replacing the affected CF/SD media with a new, faster card as soon as possible. #4822
  • Upgraded PHP to 5.5.27 to address CVE-2015-3152 #4832
  • Lowered SSH LoginGraceTime from 2 minutes to 30 seconds to mitigate the impact of the MaxAuthTries bypass bug. Note that sshlockout will lock out offending IPs in all past, current and future versions. #4875

What is new in version 2.2.3:

  • pfSense-SA-15_06.webgui: Multiple XSS Vulnerabilities in the pfSense WebGUI
  • The complete list of affected pages and fields is large and all are listed in the linked SA.
  • FreeBSD-SA-15:10.openssl: Multiple OpenSSL vulnerabilities (Including Logjam): CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-4000

What is new in version 2.2.2:

  • This release includes two low-risk security updates:
  • FreeBSD-SA-15:09.ipv6: Denial of Service with IPv6 Router Advertisements. Where a system is using DHCPv6 WAN type, devices on the same broadcast domain as that WAN can send crafted packets causing the system to lose IPv6 Internet connectivity.
  • FreeBSD-SA-15:06.openssl: Multiple OpenSSL vulnerabilities. Most aren't applicable, and the worst impact is denial of service.

What is new in version 2.2.1:

  • Security Fixes:
  • pfSense-SA-15_02.igmp: Integer overflow in IGMP protocol (FreeBSD-SA-15:04.igmp)
  • pfSense-SA-15_03.webgui: Multiple XSS Vulnerabilities in the pfSense WebGUI
  • pfSense-SA-15_04.webgui: Arbitrary file deletion vulnerability in the pfSense WebGUI
  • FreeBSD-EN-15:01.vt: vt(4) crash with improper ioctl parameters
  • FreeBSD-EN-15:02.openssl: Update to include reliability fixes from OpenSSL
  • A note on the OpenSSL "FREAK" vulnerability:
  • Does not affect the web server configuration on the firewall as it does not have export ciphers enabled.
  • pfSense 2.2 already included OpenSSL 1.0.1k which addressed the client-side vulnerability.
  • If packages include a web server or similar component, such as a proxy, an improper user configuration may be affected. Consult the package documentation or forum for details.

What is new in version 2.2:

  • This release brings improvements in performance and hardware support from the FreeBSD 10.1 base, as well as enhancements we've added such as AES-GCM with AES-NI acceleration, among a number of other new features and bug fixes.
  • In the process of reaching release, we've closed out 392 total tickets (this number includes 55 features or tasks), fixed 135 bugs affecting 2.1.5 and prior versions, and fixed another 202 bugs introduced in 2.2 by advancing the base OS version from FreeBSD 8.3 to 10.1, changing IPsec keying daemons from racoon to strongSwan, upgrading the PHP backend to version 5.5 and switching it from FastCGI to PHP-FPM, and adding the Unbound DNS Resolver, along with many smaller changes.
  • This release contains four low-impact security fixes:
  • openssl update for FreeBSD-SA-15:01.openssl
  • Multiple XSS vulnerabilities in web interface. pfSense-SA-15_01
  • OpenVPN update for CVE-2014-8104
  • NTP update FreeBSD-SA-14:31.ntp - though these circumstances don't seem to impact pfSense.

What is new in version 2.1.4:

  • Security Fixes:
  • pfSense-SA-14_07.openssl
  • FreeBSD-SA-14:14.openssl
  • pfSense-SA-14_08.webgui
  • pfSense-SA-14_09.webgui
  • pfSense-SA-14_10.webgui
  • pfSense-SA-14_11.webgui
  • pfSense-SA-14_12.webgui
  • pfSense-SA-14_13.packages
  • Packages also had their own independent fixes and need updating. During the firmware update process the packages will be reinstalled properly. Otherwise, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use.
  • Other Fixes:
  • Patch for Captive Portal pipeno leaking issue which leads to 'Maximum login reached' on Captive Portal. #3062
  • Remove text not relevant to Allowed IPs on the Captive Portal. #3594
  • Remove units from burst as it is always specified in bytes (per ipfw(8)).
  • Add column for internal port on UPnP status page.
  • Make listening on interface rather than IP optional for UPnP.
  • Fix highlighting of selected rules. #3646
  • Add guiconfig to widgets not including it. #3498
  • /etc/version_kernel and /etc/version_base no longer exist, use php_uname to get the version for XMLRPC check instead.
  • Fix variable typo. #3669
  • Delete all IP Aliases when an interface is disabled. #3650
  • Properly handle RRD archive rename during upgrade and squelch errors if it fails.
  • Convert protocol ssl:// to https:// when creating HTTP headers for XMLRPC.
  • Show disabled interfaces when they were already part of an interface group. This avoids showing a random interface instead and letting the user add it by mistake. #3680
  • The client-config-dir directive for OpenVPN is also useful when using OpenVPN's internal DHCP while bridging, so add it in that case also.
  • Use curl instead of fetch to download update files. #3691
  • Escape variable before passing to shell from stop_service().
  • Add some protection to parameters that come through _GET in service management.
  • Escape argument on call to is_process_running; also remove some unnecessary mwexec() calls.
  • Do not allow interface group name to be bigger than 15 chars. #3208
  • Be more precise when matching members of a bridge interface; should fix #3637
  • Do not expire already disabled users; fixes #3644
  • Validate starttime and stoptime format on firewall_schedule_edit.php
  • Be more careful with host parameter on diag_dns.php and make sure it's escaped when calling shell functions
  • Escape parameters passed to shell_exec() in diag_smart.php and elsewhere
  • Make sure variables are escaped/sanitized on status_rrd_graph_img.php
  • Replace exec calls to run rm by unlink_if_exists() on status_rrd_graph_img.php
  • Replace all `hostname` calls by php_uname('n') on status_rrd_graph_img.php
  • Replace all `date` calls by strftime() on status_rrd_graph_img.php
  • Add $_gb to collect possible garbage from exec return on status_rrd_graph_img.php
  • Avoid directory traversal in pkg_edit.php when reading package xml files; also check if the file exists before trying to read it
  • Remove id=0 from miniupnpd menu and shortcut
  • Remove . and / from pkg name to avoid directory traversal in pkg_mgr_install.php
  • Fix core dump on viewing invalid package log
  • Avoid directory traversal on system_firmware_restorefullbackup.php
  • Re-generate session ID on a successful login to avoid session fixation
  • Protect rssfeed parameters with htmlspecialchars() in rss.widget.php
  • Protect servicestatusfilter parameter with htmlspecialchars() in services_status.widget.php
  • Always set httponly attribute on cookies
  • Set 'Disable webConfigurator login autocomplete' as on by default for new installs
  • Simplify logic, add some protection to user input parameters on log.widget.php
  • Make sure single quotes are encoded and avoid JavaScript injection on exec.php
  • Add missing NAT protocols on firewall_nat_edit.php
  • Remove extra data after space in DSCP and fix pf rule syntax. #3688
  • Only include a scheduled rule if it is strictly before the end time. #3558
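As an added illustration of the directory traversal guards listed above for pkg_edit.php and pkg_mgr_install.php (example code, not pfSense's own; the base directory /usr/local/pkg, the XML file naming and the helper names are assumptions):

```php
<?php
// Added illustration, not pfSense's own code: the style of guard the 2.1.4
// entries describe for pkg_edit.php / pkg_mgr_install.php, where a
// user-supplied package name selects an XML file under a fixed directory.
// The base directory, the file naming and the helper names are assumptions.

const PKG_XML_DIR = '/usr/local/pkg';   // assumed base directory

// A package name is safe only if it is made of [A-Za-z0-9_-]; that rules out
// "." and "/" (and so every "../" traversal form) before any path is built.
function is_safe_pkg_name(string $pkg): bool
{
    return $pkg !== '' && preg_match('/^[A-Za-z0-9_-]+$/', $pkg) === 1;
}

// Return the package XML path for $pkg, or null when the name is unsafe, the
// file is missing, or the resolved path escapes PKG_XML_DIR (symlinks etc.).
// Checking existence before reading mirrors the pkg_edit.php fix above.
function safe_pkg_xml_path(string $pkg): ?string
{
    if (!is_safe_pkg_name($pkg)) {
        return null;
    }
    $real = realpath(PKG_XML_DIR . '/' . $pkg . '.xml');
    if ($real === false || strpos($real, PKG_XML_DIR . '/') !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs: a plain name and two malformed names of the kind the
// validation is meant to reject.
foreach (['squid', '../../etc/passwd', 'squid/../squid'] as $name) {
    $status = is_safe_pkg_name($name) ? 'name ok' : 'name rejected';
    $path = safe_pkg_xml_path($name);
    // Echoing the raw name back into HTML would be an XSS sink, so the
    // output goes through htmlspecialchars() first (cf. rss.widget.php).
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ': ' . $status
       . ($path === null ? ', no readable XML' : ', ' . $path) . "\n";
}
```

On a host without the package XML files the plain name also reports "no readable XML", which is the existence check doing its job.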

What is new in version 2.1.1:

  • The largest change is to close the following security issues / CVEs:
  • FreeBSD-SA-14:01.bsnmpd / CVE-2014-1452
  • FreeBSD-SA-14:02.ntpd / CVE-2013-5211
  • FreeBSD-SA-14:03.openssl / CVE-2013-4353, CVE-2013-6449, CVE-2013-6450
  • Other than these, the em/igb/ixgb/ixgbe drivers have been upgraded to add support for i210 and i354 NICs. Some Intel 10Gb Ethernet NICs will also see improved performance.
