Posts Tagged ‘releases’

1.2.3 Release Available!

Thursday, December 10th, 2009

1.2.3 release is now available! This is a maintenance release in the 1.2.x series, bringing an updated FreeBSD base, some minor enhancements, some bug fixes, and a couple of security updates. We’ve been waiting a few weeks in anticipation of a FreeBSD security advisory for the SSL/TLS renegotiation vulnerability, which came last week and allowed us to finalize the release.

Change list

The primary changes from 1.2.2 are listed below.

Upgrade to FreeBSD 7.2 – The FreeBSD base version has changed from 7.0 to 7.2. This also brings fixes for two FreeBSD security advisories. One patches the SSL/TLS renegotiation vulnerability, which is applicable with HTTPS web interface access and potentially with OpenVPN. The other fixes a local root vulnerability, though it isn’t really applicable to pfSense: if you have the access required to exploit it, you already have root, and hence there is nothing to elevate. Warning for those using Intel PRO/100 cards – there is a regression in the fxp driver in FreeBSD 7.2 that may require disabling hardware checksum offloading under System -> Advanced if you have connectivity problems.

Embedded switched to nanobsd - this is a major improvement of our embedded version, and the old embedded has been discontinued. This is explained in detail here.

Dynamic interface bridging bug fix – The bridging bug fix in 1.2.2 introduced a problem with bridging any dynamic/non-Ethernet interface, such as VLANs, tun, tap, etc. which has been fixed.

IPsec connection reloading improvements – When making changes to a single IPsec connection, or adding an IPsec connection, it no longer reloads all your IPsec connections. Only the changed connections are reloaded. That wasn’t a big deal in most environments, but in some it meant you couldn’t change anything in IPsec except during maintenance windows. This is being used in a critical production environment with 400 connections, and works well.

Dynamic site to site IPsec – because of the above change, it was trivial to add support for dynamic DNS hostnames in IPsec. While 1.2.x will not receive new features, this became an exception.

Sticky connections enable/disable – for the server load balancer, the sticky connections setting previously only changed status at boot time.

Ability to delete DHCP leases – A delete button has been added to the DHCP leases page, and when adding a static mapping, the old lease is automatically deleted.

Polling fixed – polling was not being applied properly previously, and the supported interfaces list has been updated.

ipfw state table size – for those who use Captive Portal in large scale environments, ipfw’s state table size is now synced with pf’s state table size.

Server load balancing ICMP monitor fixed.

UDP state timeout increases – By default, PF does not increase UDP timeouts when set to “conservative”, only TCP. Some VoIP services will experience disconnects with the default UDP state timeouts; setting state type to “conservative” under System -> Advanced will now increase UDP timeouts as well to fix this.

Disable auto-added VPN rules option - added to System -> Advanced to prevent the addition of auto-added VPN rules for PPTP, IPsec, and OpenVPN tun/tap interfaces. Allows filtering of OpenVPN client-initiated traffic when tun/tap interfaces are assigned as an OPT.

Multiple servers per-domain in DNS forwarder overrides - previously the GUI limited you to one server per domain override in the DNS forwarder; you can now put in multiple entries for the same domain for redundancy.

No XMLRPC Sync rules fixed - in some circumstances, rules marked to not sync would sync regardless.

Captive portal locking replaced – the locking used by the captive portal has never been great (same as used in m0n0wall, where a replacement is also under consideration), and in some circumstances in high load environments (hundreds or thousands of users) it could wreak havoc on the portal. This has been replaced with a better locking mechanism that has resolved these issues.

DNS Forwarder now queries all configured DNS servers simultaneously, using the one that responds the fastest. In some circumstances this will improve DNS performance considerably.

Outbound load balancer replaced – The underlying software that does the monitoring and ruleset reloads for outbound multi-WAN load balancing has been replaced. This does not change anything from the user’s perspective, as only back end code changed. This fixed WAN flapping that was experienced by a small number of users.

Downloads

New installs

Upgrades

VMware appliance

For information on upgrading, see the Upgrade Guide.

Buy it pre-installed

You can get 1.2.3 pre-installed from Netgate on the ALIX and Hamakua platforms, as well as Applianceshop.eu, and our other recommended hardware vendors.

pfSense: The Definitive Guide Book

If you haven’t gotten your copy of the book yet (foreword here), it was fully written to account for all the changes in the 1.2.3 release (which were final before it went to print). Pick up your copy today!

pfSense 1.2.2 released!

Friday, January 9th, 2009

1.2.2 is now making its way to the mirrors. Only five changes from 1.2.1, but we did want to get these issues fixed and an updated version out there.

  • Setup wizard fix – removing BigPond from the WAN page on the setup wizard caused problems.
  • SVG graphs fixed in Google Chrome. The graph page used to not require authentication, which is how it works in m0n0wall, I believe because at the time the feature was implemented in m0n0wall that was the only way it would work. We added required authentication on this page, and while it worked in Firefox, the way it was implemented broke Chrome. Chrome is now fixed. IE is believed to still be broken, and the only resolution appears to be not requiring authentication for the graph. We would rather break the SVG graphs in IE and tighten that down than leave it open.
  • IPsec reload fix specific to large (100+ site) deployments
  • Bridge creation code changes – there have always been issues when attempting to bridge more than two interfaces. This fixes several bugs when attempting to use more than one bridge.
  • FreeBSD updates for two security advisories on January 7, 2009, listed here. The OpenSSL one could possibly affect OpenVPN users, as discussed on the mailing list.

Most users on 1.2.1 won’t have any need to upgrade to 1.2.2. If any of the above applies to you, then upgrade to this version.

1.2.2 should be used for all new installs.

Downloads

New installs

Updates

For information on upgrading, see the Upgrade Guide. If you haven’t upgraded to 1.2.1 yet, you can upgrade from 1.2 and prior versions directly to 1.2.2, skipping 1.2.1.

Note on Release Signing for 1.2 (not 1.2.1) users
The key for signing releases and its backup were inadvertently destroyed. This means you’ll get a warning that the release is unsigned, unless you are updating from a recent 1.2.1 snapshot. You can either just click through that warning, or install the Pubkey package you will find under System -> Packages. If you wish to update the file manually from a secure source, you can overwrite /etc/pubkey.pem with this file.
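One way to carry out the manual update described in the note above, as an added example that is not part of the original post or pfSense's own tooling. It replaces the trust anchor only when the downloaded file matches a SHA-256 value obtained over a separate channel; the function names, the `.bak` backup and the existence of such a published value are assumptions, since the page gives no fingerprint.

```shell
#!/bin/sh
# Added example: guard the replacement of a release-verification key.
# Usage (hypothetical): install_pubkey ./pubkey.pem <sha256-from-second-channel> /etc/pubkey.pem

# sha256_of FILE -> lowercase hex digest (Linux sha256sum, FreeBSD sha256, or openssl)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# install_pubkey NEW_KEY EXPECTED_SHA256 DEST
# Returns 0 and replaces DEST only if NEW_KEY hashes to EXPECTED_SHA256.
# Returns 1 on a fingerprint mismatch, 2 on an unusable input file.
install_pubkey() {
    new=$1; expected=$2; dest=$3
    [ -s "$new" ] || { echo "missing or empty key file: $new" >&2; return 2; }
    # Assumption: the key is a PEM-encoded public key, as the .pem name suggests.
    grep -q -e '^-----BEGIN .*PUBLIC KEY-----' "$new" || {
        echo "not a PEM public key: $new" >&2; return 2; }
    actual=$(sha256_of "$new") || return 2
    # Normalise case so a pinned value copied in upper case still matches.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual" >&2
        return 1
    fi
    # Keep the previous key for rollback.
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak" || return 2
    fi
    # Write beside the destination, then rename, so DEST is never half-written.
    tmp="$dest.new.$$"
    cp "$new" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"
}
```

Clicking through the unsigned-release warning skips verification entirely, whereas a key installed this way lets later updates be checked against a trust anchor whose origin was confirmed.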

pfSense 1.2.1 released!

Friday, December 26th, 2008

The pfSense team has a Christmas present for you all – the 1.2.1 final release. 

The only changes since RC4: 

  • Fixed problem preventing RIP from starting
  • Fixed broken link in VLAN reboot notification
  • Fixed problem with SSL certificate generation

Changes since 1.2 release

This is strictly a maintenance release, meaning it contains only bug fixes in the pfSense code, no new features, though we also upgraded the base OS from FreeBSD 6.2 to 7.0, which necessitated numerous changes in how things are configured. The change to FreeBSD 7.0 brings improved performance and more hardware support.

Change log

cvstrac contains a list of every single change from 1.2 release to 1.2.1 release. For those interested in just the highlights (there are a lot of minor, trivial things in the full change list), see the RC2, RC3 and RC4 release blog posts.

Download

New Installs

Upgrades - for information on upgrading, read the Upgrade Guide

VMware Firewall/Router Appliance

Note on Release Signing
The key for signing releases and its backup were inadvertently destroyed. This means you’ll get a warning that the release is unsigned, unless you are updating from a recent 1.2.1 snapshot. You can either just click through that warning, or install the Pubkey package you will find under System -> Packages. If you wish to update the file manually from a secure source, you can overwrite /etc/pubkey.pem with this file.

1.2.1-RC4 now available

Tuesday, December 16th, 2008

RC3 was short lived because of a regression in the FTP proxy for those who use it to host FTP servers behind NAT. Unforeseen consequences of a bug fix in RC2 broke this. 

The only change from RC3 to RC4 is this bug fix resolving problems with the FTP proxy. 

1.2.1-RC4 VMware Appliance is also available.

1.2.1-RC3 is on its way to the mirrors

Sunday, December 14th, 2008

1.2.1-RC3 is here!

This release has been replaced by RC4 because of a regression for the FTP helper with FTP servers hosted on your network behind NAT. 

Changes since 1.2.1-RC2 include:

  • Do not accept \ in alias fieldnames
  • Fix setup wizard WAN configuration page since removal of BIGPond
  • Replaced route get default with netstat -rn equivalent
  • No longer syncs CARP configuration when not needed
  • Do not use broadcast on CARP addresses
  • Fixes for CARP and VLANs related to interface and IP changes
  • Added OpenNTPD to Status -> Services
  • Removed enable filter bridge checkbox, it’s on by default
  • Fixed “no state” rules
  • Corrected description for bogon rule
  • Now shows rejected rule icon correctly on firewall edit page
  • Minor fixes for embedded upgrades (needs further testing)
  • Creates a backup of config.xml prior to package installations
  • Correct interface polling
  • Minor PHP Shell changes/fixes
  • Bumped /cf/ to 4.5M
  • No longer destroys enc0
  • NAT Reflection timeouts are now consistent for TCP/UDP
  • Ensure default gateway is present after filter reload
  • Detect iPhone / iPod and switch theme temporarily to pfSense
  • Other minor changes, please see cvstrac.pfsense.org reports section for RELENG_1_2

If all goes well we will be releasing 1.2.1-Final on XMAS!

Happy pfSensing!

pfSense 1.2.1-RC2 now available

Friday, November 21st, 2008

pfSense 1.2.1-RC2 is now available for testing. This is the first official RC release of 1.2.1, and we believe it eliminates all regressions that have been found since the first 1.2.1 snapshots were made available 4 months ago. Plus it fixes several bugs in 1.2.

1.2.1-RC2 VMware Appliance is also available.

The changes from 1.2 release:

  • Numerous changes to accommodate differences in FreeBSD 7.0. Lesson learned here – we hoped 1.2.1 would be a fast release cycle, but it ended up being a significant amount of work because of the changes in FreeBSD from 6.2 to 7.0. It’s certainly for the better, as 7.0 brings improved performance, more and better hardware support, enhanced wireless capabilities, and more.
  • Multi-WAN bug fix – reply-to was not added to WAN rules, which caused difficulties under some specific circumstances with accessing services running on the firewall using OPT WAN interfaces.
  • Bridging bug fix – problem with the way firewall rules were being applied to bridging could lead to strange behavior in some bridging scenarios. Also, DHCP clients used to be automatically allowed through bridges. This is no longer the case: if you use a DHCP client behind a bridge, your firewall rules must allow the DHCP traffic.
  • Captive Portal bug fix – imported from m0n0wall, related to MAC authentication with RADIUS.
  • Keep state change – the newer pf version changed to defaulting to keep state, so rules that required no state keeping (same interface firewall rule bypass) needed “no state” added.
  • NAT reflection bug fix – 20 second timeout was being incorrectly applied, affecting long-lived connections.
  • Mobile IPsec fixes
  • Some minor text clean up, typo fixes
  • Packages screen now has a “Package Info” column rather than the “maintainer” column which was of limited use. Links to information on the package are shown there, for packages that have links defined. Many have links already, and work is currently under way to add a link for every package and expand the information available on them. The Installed Packages tab also shows the Package Info links. When you access the package screens, it fetches the most recent package information from our servers, including the Package Info links. You will see more links come with time, without having to upgrade pfSense.
  • Significant speed up in boot process, especially when using CARP. There were some delays in the boot process that could be removed thanks to changes in FreeBSD 7.0, which has made booting quite a bit faster. 

Complete change list is available here

You can find it on the mirrors – new installs and upgrades. Embedded users especially need to read the upgrade guide before proceeding with an upgrade.

Note on Release Signing
The key for signing releases and its backup were inadvertently destroyed. This means you’ll get a warning that the release is unsigned, unless you are updating from a recent 1.2.1 snapshot. You can either just click through that warning, or install the Pubkey package you will find under System -> Packages. If you wish to update the file manually from a secure source, you can overwrite /etc/pubkey.pem with this file.

Please help test

The development team has upgraded numerous critical production deployments to 1.2.1 and there are no remaining regressions from 1.2 that we are aware of. There have also been thousands of downloads since the beginning of the RC cycle, so it has been widely tested to date. We believe this release is very close to being final.

1.2 Release Available!

Monday, February 25th, 2008

The pfSense development team is proud to bring you the 1.2 release! This brings the features and bug fixes from more than 16 months of development since the 1.0 release. Already widely tested and deployed throughout the Release Candidate phase, this release provides the finishing touches on releases already proven in a wide range of network environments. The Release Candidate versions have been downloaded more than 250,000 times.


The changes since the RC4 release follow.

  • Improve CARP input validation – GUI previously allowed incorrect configurations that caused panics. Fixed to not allow entry of such configurations, so typos and configuration errors cannot crash the system.
  • Clarify text and fix typos on several screens.
  • Revert DHCP client to default timeout of 60 seconds.
  • Reload static routes when an interface IP address is changed by an administrator.
  • Fix a few areas allowing potential cross site scripting.
  • Fix a couple issues with package uninstalls.
  • Shorten firewall rule, NAT and traffic shaper description fields to prevent users from entering description names too long for the pf ruleset.
  • Fix traffic shaper queue name generation to prevent creating invalid ruleset for interface names longer than 15 characters.
  • Improve efficiency of RRD graph creation by removing duplicate commands. Graph updates now use less CPU time.

For a complete list of all source commits since the branching of the 1.2 release, see the cvstrac change log.

Upgrade Information

For those wishing to upgrade to the 1.2 release from any previous pfSense release, please see the Upgrade Guide.

New to the pfSense Project?

For those new to the project, we recommend checking out our Features page and screenshot gallery.

If you’re ready to install, a user contributed installation guide is available.

Downloads

It will be as long as 24 hours before all the mirrors have the 1.2 release, but it is currently available on some of them including the NYI.net mirror.

Note: if you aren’t sure which version you need, see the Versions page on the website.

New installs
Updates

Support for previous versions

1.2 is the only supported pfSense version. No previous releases will receive any bug fix updates nor any future security updates. 1.2 is significantly more stable than past release versions, and we strongly recommend everyone make plans to upgrade. There are systems out there with several years of uptime running very early alpha pfSense releases that are stable, but we advise against that.