Sep 15 2013
I’m proud to announce the release of pfSense 2.1, and our new Gold Subscription! The 2.1 book and our AutoConfigBackup service, available for years to support subscribers, are immediately available today to Gold subscribers. See this post for details. Onto the release!
This release brings many new features, with the biggest change being IPv6 support in most every portion of the system. There are also a number of bug fixes, and touch ups in general. It’s making its way to the mirrors now, and should be on all of them by end of day Sunday. The complete list of significant changes follows, and can also be found here including more details. If you want to see every single individual change, check out RELENG_2_1 commits in our GitHub here and the 469 completed tickets in our Redmine here.
Aug 29 2013
We’re doing a full day training tutorial session at EuroBSDCon 2013. Details on their website. Look forward to seeing some of you there!
May 22 2013
We’ve tagged 2.1 as RC0, as release time nears. This means it’s feature-complete, and has no significant known regressions from prior releases. How much longer until release depends on what’s discovered from here out. We don’t anticipate there being a long release candidate cycle, given how widespread 2.1 usage has been over the past year plus. Now’s the time to help test!
Please post anything that requires follow up to the 2.1 board on the forum rather than the comments here on the blog. Far more people are active on the forum and will see it there.
The master branch in git has been bumped to 2.2-ALPHA in preparation for development on 2.2 release. We’ll soon be putting efforts into getting our patches and code up to speed for FreeBSD 10.x for 2.2 release.
May 9 2013
We’ll be at three upcoming conferences in the next few weeks.
BSDCan – May 15-19, Ottawa, Canada. We won’t be doing a formal presentation here this year, but several of us will be in attendance. Get in touch if you’d like to meet up.
Texas Linux Fest – May 31-June 1, Austin, Texas. We’ll have a table here in the exhibition space; please stop by if you’ll be in attendance. We’re headquartered in Austin and are always glad to meet with folks here when schedules permit.
SouthEast Linux Fest – June 7-9, Charlotte NC. I’ll be presenting a talk on all the latest with the project, and we’ll also have a table in the exhibition space.
We look forward to meeting many of you over the next few weeks!
Apr 15 2013
I’m happy to announce the release of pfSense 2.0.3. This is a maintenance release with some bug and security fixes since 2.0.2 release. You can upgrade from any previous release to 2.0.3.
- Updated to OpenSSL 0.9.8y to address FreeBSD-SA-13:03.
- Fix below XSS in IPsec log, possible from users possessing a shared key or valid certificate.
- Below S.M.A.R.T. input validation fix isn’t security relevant in the vast majority of use cases, but it could lead to privilege escalation for an administrative user with limited rights who can access the S.M.A.R.T. pages but cannot access any of the pages that allow command execution by design.
Jan 30 2013
Rapid7 released a paper today covering new security flaws in UPnP. These findings have led to the US Department of Homeland Security recommending everyone disable UPnP.
These flaws aren’t applicable to pfSense users, as long as you’ve stayed up to date, or at least haven’t gone out of your way to make yourself insecure. The flaws identified in miniupnp were fixed over two years ago, and we always ship releases with the latest version. So these could only be applicable if you haven’t updated to any 2.x version. You would also have to add a firewall rule on WAN to permit the traffic in for the Internet-reachable scenario, so you would really have to go out of your way to make yourself vulnerable if running pfSense.
It’s arguable whether you should ever enable UPnP at all, ever. It’s a security vulnerability by design, really, allowing things to arbitrarily open ports on your firewall. We’ve argued against it since the inception of this project, but make it available for those who have no alternative. Of course we disable it by default.
If you’re running any other kind of router or firewall, things may not be so good. A shocking number of vendors are still building old miniupnp versions into their products (Rapid7 identified 332 such products), and shipping them with extremely insecure defaults (over 80 million unique IPs answer UPnP from the Internet). If you’re not sure whether your router is vulnerable, it’s safest to disable all UPnP functionality on devices connected to the Internet. Rapid7 has released a ScanNow tool that will scan your local network for exploitable devices.
This is also a nice example for the small number of people who still think open source solutions are somehow less secure than commercial alternatives. We’ve done things right again in this instance from day one, where a shocking number of commercial vendors have massively failed to follow basic security best practices.
Jan 18 2013
Great news for many pfSense users today, as OpenVPN Technologies in collaboration with Apple have released an OpenVPN client for iOS.
Within hours of its release, Jim Pingle updated our OpenVPN Client Export package’s inline export option to be compatible with iOS (while retaining its Android compatibility). The inline export is available for 2.0.x and 2.1 versions. Upgrade your package under System>Packages to the latest version and use the inline export option, which can be imported into the iOS client via iTunes amongst other methods. I had my iPhone connected to OpenVPN within 5 minutes; it’s a quick, easy process.
Our thanks to OpenVPN Technologies and Apple for making this happen!
Dec 21 2012
pfSense 2.0.2 is a maintenance release with some bug and security fixes since 2.0.1 release. You can upgrade from any previous release to 2.0.2.
Heads up for those upgrading
Auto Update URL – For those upgrading from a prior release, first please make sure you’re on the correct auto-update URL. Tens of thousands of installs were from 2.0 pre-release snapshots which had their update URL set to the snapshot server rather than the stable release updates. Others had manually set their architecture incorrectly at some point and had failed upgrades because of it. Just browse to System>Firmware, Updater Settings tab. From the “Default Auto Update URLs” drop down box, pick either the stable i386 or amd64 depending on which version you have installed, and click Save. Then you can use the auto-update and be assured you’re pulling from the correct location.
Dec 10 2012
The FreeBSD Foundation has put out their year-end fundraising campaign. The FreeBSD Foundation sponsors development of the underlying OS that pfSense is based on. We made a donation as we do every year, and we encourage our users to do the same. They are a 501(c)3 non-profit organization, so US contributors may be able to deduct contributions on their taxes.
pfSense could also use your direct donations to fund general expenses, project development and needed equipment. You can donate directly to us here, though note we’re not a 501(c)3.
Aug 2 2012
Ermal and I will be doing a full day pfSense 2.1 tutorial at EuroBSDCon 2012, October 18 in Warsaw, Poland. Registration has just opened. This will be a training-focused session, going through many of the features common to every version, covering changes in 2.1, with focus on IPv6 in each portion of the system.