1.2.3 Release Available!

December 10th, 2009 by Chris Buechler

The 1.2.3 release is now available! This is a maintenance release in the 1.2.x series, bringing an updated FreeBSD base, some minor enhancements, some bug fixes, and a couple of security updates. We’ve been waiting a few weeks in anticipation of a FreeBSD security advisory for the SSL/TLS renegotiation vulnerability, which came last week and allowed us to finalize the release.

Change list

The primary changes from 1.2.2 are listed below.

Upgrade to FreeBSD 7.2 – The FreeBSD base version has changed from 7.0 to 7.2. This also brings fixes for two FreeBSD security advisories. One patches the SSL/TLS renegotiation vulnerability, which is applicable to HTTPS web interface access and potentially to OpenVPN. The other fixes a local root vulnerability, though it isn’t really applicable to pfSense: if you have the access required to exploit it, you already have root, and hence there is nothing to elevate. Warning for those using Intel PRO/100 cards – there is a regression in the fxp driver in FreeBSD 7.2 that may require disabling hardware checksum offloading under System -> Advanced if you have connectivity problems.

Embedded switched to nanobsd – This is a major improvement of our embedded version, and the old embedded has been discontinued. This is explained in detail here.

Dynamic interface bridging bug fix – The bridging bug fix in 1.2.2 introduced a problem with bridging any dynamic/non-Ethernet interface, such as VLANs, tun, tap, etc. This has been fixed.

IPsec connection reloading improvements – When making changes to a single IPsec connection, or adding an IPsec connection, it no longer reloads all your IPsec connections. Only the changed connections are reloaded. That wasn’t a big deal in most environments, but in some it meant you couldn’t change anything in IPsec except during maintenance windows. This is being used in a critical production environment with 400 connections, and works well.

Dynamic site to site IPsec – Because of the above change, it was trivial to add support for dynamic DNS hostnames in IPsec. While 1.2.x will not receive new features, this became an exception.

Sticky connections enable/disable – Previously, sticky connections for the server load balancer only changed status at boot time.

Ability to delete DHCP leases – A delete button has been added to the DHCP leases page, and when adding a static mapping, the old lease is automatically deleted.

Polling fixed – Polling was not being applied properly previously, and the supported interfaces list has been updated.

ipfw state table size – For those who use Captive Portal in large scale environments, ipfw’s state table size is now synced with pf’s state table size.

Server load balancing ICMP monitor fixed.

UDP state timeout increases – By default, PF does not increase UDP timeouts when set to “conservative”, only TCP. Some VoIP services will experience disconnects with the default UDP state timeouts; setting state type to “conservative” under System -> Advanced will now increase UDP timeouts as well to fix this.

Disable auto-added VPN rules option – Added to System -> Advanced to prevent the addition of auto-added VPN rules for PPTP, IPsec, and OpenVPN tun/tap interfaces. This allows filtering of OpenVPN client-initiated traffic when tun/tap interfaces are assigned as an OPT.

Multiple servers per domain in DNS forwarder overrides – Previously the GUI limited you to one server per domain override in the DNS forwarder. You can now put in multiple entries for the same domain for redundancy.

No XMLRPC Sync rules fixed – In some circumstances, rules marked to not sync would sync regardless.

Captive portal locking replaced – The locking used by the captive portal has never been great (the same as used in m0n0wall, where a replacement is also under consideration), and in some circumstances in high-load environments (hundreds or thousands of users) it could wreak havoc on the portal. This has been replaced with a better locking mechanism that has resolved these issues.

DNS Forwarder now queries all configured DNS servers simultaneously, using the one that responds the fastest. In some circumstances this will improve DNS performance considerably.

Outbound load balancer replaced – The underlying software that does the monitoring and ruleset reloads for outbound multi-WAN load balancing has been replaced. This does not change anything from the user’s perspective, as only back end code changed. This fixed WAN flapping that was experienced by a small number of users.

Downloads

New installs

Upgrades

VMware appliance

For information on upgrading, see the Upgrade Guide.

Buy it pre-installed

You can get 1.2.3 pre-installed from Netgate on the ALIX and Hamakua platforms, as well as Applianceshop.eu, and our other recommended hardware vendors.

pfSense: The Definitive Guide Book

If you haven’t gotten your copy of the book yet (foreword here), it was fully written to account for all the changes in the 1.2.3 release (which were final before it went to print). Pick up your copy today!

60 Responses to “1.2.3 Release Available!”

  1. Teg Bains Says:

    Congratulations and thanks for all the hard work!

  2. Sam Says:

    Great Job. Thanks for using it free forever.

  3. Tim Nelson Says:

    As always, great work! Your team is amazing. I cannot wait to see where you’ll take pfSense and hopefully, where pfSense will take you. Thank you for another quality release.

  4. Mahesh Chowta Says:

    Congratulations and thanks to the pfSense team for all the hard work.

  5. igum Says:

    I have tested it on my IBM server with 50 users, works well, thanks a lot

  6. pamana Says:

    I am in Thailand. How can I order or buy The Definitive Guide Book?

  7. Chris Buechler Says:

    Thanks everyone.

    pamana: not sure, check with local booksellers, they should be able to get it for you.

  8. Gabriel Paniagua Castro Says:

    Excellent work. You help us very much, you will be in the best reviews and will be premiated. You are the winners of the open source firewalls. Microsoft ISA has nothing to do jeje

  9. Jan Rome Says:

    You talk the talk and you walk the walk!

  10. Jan Says:

    Great work, can’t wait to upgrade all my boxes.

  11. Technoaddict » PfSense 1.2.3 disponible Says:

    [...] dynamic in IPSec, the ability to delete DHCP leases … I refer you to the release notes for the exhaustive list of changes. To update your firewall, go to [...]

  12. aeschma.de » Neue pfSense Version 1.2.3 Says:

    [...] as a result of this step, using a WRAP board is no longer readily possible. A detailed changelog is available here. Over the course of next week I will probably find time for an update [...]

  13. pfSense 1.2.3 Release « eriks weblog Says:

    [...] main differences between version 1.2.2 and 1.2.3 are listed here [...]

  14. Michael Maris Says:

    Great work, guys, and thanks a lot for keeping this fantastic software up to date. I ordered the Definitive Guide 3 weeks ago. I read it through in a week. Very understandable, even for an amateur like me (at least I understand now why traffic shaping is not working in my set-up with cheap NICs).

  15. Bill C Says:

    Congratulations, and thanks to the team for all the great work. Well done, and many thanks for a great product!

  16. pfSense 1.2.3 « Λғгιяʍαтιυє Says:

    [...] fixed; ipfw state table size; UDP state timeout increases….” Read the rest of the release announcement for a complete list of changes and [...]

  17. Carlos Vasquez E Says:

    Congratulations to the pfSense team and thanks, I hope to try out the new version, pfSense has been an excellent product for me and all my clients, saludos desde Bogota Col..

  18. Astor Palmeira Says:

    Congratulations for this work!
    Thanks for helping me with my job!

  19. BSDfr.net » PfSense 1.2.3 est sortie Says:

    [...] dynamic domain in IPSec, the ability to delete DHCP leases … I refer you to the release notes for the exhaustive list of changes. To update your firewall, go to [...]

  20. Oliver Says:

    Excellent work pfSense team! I have been using 1.2.3-RC3 for a couple months now and it’s great! Nice to see the release.

    Oh, and the book is great and is obviously written to be used once 1.2.3 was released so it is very relevant and helpful.

  21. rhawk1 Says:

    Thank you so much for such a great product. All my customers are using it and we are dying to use version 2.0 and its traffic shaping multiwan features… Sooo GRRREAT Product!

  22. Wayne Says:

    STILL! You guys continue to deliver the best. Congrats!

  23. Dominik Says:

    Nice work. I am going to update one of my pfSense Firewalls tomorrow and will order one of the books for me. :)

    pfSense is a very nice and good piece of software and a great Firewall.

  24. Kevin Bowling Says:

    Brilliant! Time to reflash some embedded installs!

  25. Podilarius Says:

    Awesome, thanks for all the hard work. I know our company has a copy of the book on the way. Onward to 2.0!

    Cheers!!!

  26. Hazim Says:

    Thank you guys very much for the great firewall
    Wonderful gift for Christmas )),, like always

  27. Scott Ullrich Says:

    One other thing we forgot to note is that there are a few new themes: codered and pfsense-ng.

  28. mindbets Says:

    thanks a lot guys!!!! great job

  29. ugur Says:

    PerFect thanks.

  30. Stephen Waits Says:

    So for us WRAP folks, does this still apply?

    http://doc.pfsense.org/index.php/NanoBSD_on_WRAP

    Or is the released image already set to boot properly?

  31. Chris Buechler Says:

    Stephen: That still applies, the WRAP problem is a hardware problem.

  32. Alberto Rocca Says:

    Great!!
    I upgraded from 1.2.3RC3.
    I only got the following msg: Fatal error: Cannot redeclare download_file_with_progress_bar() (previously declared in /usr/local/www/system_firmware_auto.php:198) in /etc/inc/pkg-utils.inc on line 383

    However the upgrade went smoothly.

    Great job!!

  33. Stephen Waits Says:

    Ok thanks. It’s a bit of a bummer.

    Thanks for all the hard work. pfSense is still working great for me!

  34. jkqm Says:

    Ok! Very nice!!1 great job!

  35. Anders Jensen Says:

    Very nice indeed. I also just got the book delivered so I’m really looking forward to working with my pfsense installations.

    Btw will there be some regular updates to Open-vm-tools? I’m hoping to run most of my pfsense installs in ESXi 4.

  36. Tim Adam Says:

    Nice work on some of the rough edges!

  37. RG Says:

    You are my hero :D

  38. UnixPortal.net - Contenuti » Rilasciato pfSense 1.2.3 Says:

    [...] [...]

  39. George Madison Says:

    Congratulations, and I look forward to seeing what it can do!

    A couple of questions, though – as it happens, I DO use the Intel PRO/100 cards; where would I look for more information on when this driver issue in the underlying OS might get resolved, and in what time frame?

    The idea of adding the VGA/Keyboard console to the Embedded release was discussed earlier – do I take it from the fact it’s not mentioned here as a change that didn’t happen for release? It would be SO helpful…!

  40. David Haman Says:

    Will pfSense ever allow for 2 way authentication for OpenVPN, such as user name and password required first, then authenticate with the certificates? If this is already possible via an easy way could someone please post. Also will pfSense ever go into adding UTM features such as content filter, IPS etc.?

    Great work. I use pfSense at home, but as soon as pfSense can support multiple VPN users this is going into my work network (over 250 users).

  41. Chris Buechler Says:

    George: embedded is still serial console only. re: the fxp issue, I believe it’s been fixed in FreeBSD RELENG_7 (what will become 7.3), but I don’t know that we’ll ever put out another 7.x release.

    David: OpenVPN and IPsec already have user auth in 2.0. The rest of what you mentioned is doable with packages now, and being enhanced for 2.0.

  42. pfSense naujienos | FreeBSD.lt Says:

    [...] More [...]

  43. Lamm Says:

    the vmware link should be http://files.pfsense.org/vmware/pfSense-1.2.3-VM.zip

  44. Chris Buechler Says:

    thanks Lamm, link fixed, I renamed the file earlier and forgot it was linked here.

  45. Integrator Says:

    Excellent! Excellent! I upgraded on Dec 12. Works well. Added a second quad port e1000 card. Interface names changed. Modified my config and was up in a breeze. Load balancing 7 connections in a Dell 2950.

  46. jake ocampo Says:

    nice! great job for the team…

  47. Released: pfSense 1.2.3 | FreeBSD - the unknown Giant Says:

    [...] Buechler has announced pfSense 1.2.3 1.2.3 release is now available! This is a maintenance release in the 1.2.x series, [...]

  48. pfSense v 1.2.3 Now Available | Tech Paranoia Says:

    [...] From blog.pfsense.org: [...]

  49. Links 19/12/2009: Many New GNU/Linux Releases, Android Products | Boycott Novell Says:

    [...] 1.2.3 Release Available! 1.2.3 release is now available! This is a maintenance release in the 1.2.x series, bringing an updated FreeBSD base, some minor enhancements, some bug fixes, and a couple security updates. We’ve been waiting a few weeks in anticipation of a FreeBSD security advisory for the SSL/TLS renegotiation vulnerability, which came last week and allowed us to finalize the release. [...]

  50. Kateznik Says:

    Thanks for the great job !
    Just updated with autoupdater, things went very smoothly. This is to be noted !

    Rarely managed to do so much with a fw.

    Cheers !

  51. dennis Says:

    What a great Christmas present for us all! Thank you!

  52. nuno Says:

    Great work as usual.
    By far my favorite FW.

  53. Lindley Says:

    Export settings, format and install 1.2.3, import settings, and up and running in less than 15 min! Excellent – feels a tad bit more responsive.

  54. Chris Buechler Says:

    Lindley: unless you were running the old embedded and moving to the new embedded, you don’t need to reinstall (just to clarify for anyone else who may see this), just follow the info in the upgrade guide linked in the post.

    Though it’s definitely quick to get back up and running.

  55. Scott Idem Says:

    So far this version is working great. I have it running on two firewalls with no problems. It seems faster too. Thank you for fixing the captive portal bug!! We were using this firewall at one of our large meetings with hundreds of people trying to authenticate through the captive portal. We found the bug the hard way!

  56. JEU Says:

    Excellent work!!! congratulations for all members of the team!!! :D. We are using pfsense in different scenarios for firewall/vpn/filtering proxy and it works great, amazing stability. Keep going ahead guys!!

  57. Martin Says:

    Awesome! Looking forward to 2010 enhancements and can’t wait for the 2.0 release.

  58. aldi kavari Says:

    Congratulations and wonderful.
    I live in Indonesia, Makassar city.
    I’m a pfSense user and I want to say that this is the best router product that ever existed and will remain the best. Hopefully in the future we can contribute to this humanitarian project.
    Once again thank you and congratulations.

  59. Robert Says:

    Chris, Please fix the Intel Pro/100 issue when FreeBSD is updated. If that is the only major change, how much rework would it entail to put out a 1.24 release? Version 2.0 is probably a long way off and many of us want to use 1.23 (err…1.24) in production. Thanks.

  60. Chris Buechler Says:

    Robert: It’s not a big deal to turn off checksum offloading. It’s unlikely we’ll spend any time putting out another 1.2.x release. There is a RELENG_7 1.2.3 build here:
    http://files.nl.pfsense.org/1.2.3-RELENG_7/
    which should have that fix, but read this first:
    http://files.nl.pfsense.org/1.2.3-RELENG_7/README.txt
