1.2.3 Release Available!

1.2.3 release is now available! This is a maintenance release in the 1.2.x series, bringing an updated FreeBSD base, some minor enhancements, some bug fixes, and a couple security updates. We’ve been waiting a few weeks in anticipation of a FreeBSD security advisory for the SSL/TLS renegotiation vulnerability, which came last week and allowed us to finalize the release.

Change list

The primary changes from 1.2.2 are listed below.

Upgrade to FreeBSD 7.2 – The FreeBSD base version has changed from 7.0 to 7.2. This also brings fixes for two FreeBSD security advisories. One patching the SSL/TLS renegotiation vulnerability, which is applicable with HTTPS web interface access and potentially with OpenVPN. Another fixes a local root vulnerability, though it isn’t really applicable with pfSense as if you have the access required to exploit this, you already have root, and hence there is nothing to elevate. Warning for those using Intel PRO/100 cards – there is a regression in the fxp driver in FreeBSD 7.2 that may require disabling hardware checksum offloading under System -> Advanced if you have connectivity problems.

Embedded switched to nanobsd – this is a major improvement of our embedded version, and the old embedded has been discontinued. This is explained in detail here.

Dynamic interface bridging bug fix– The bridging bug fix in 1.2.2 introduced a problem with bridging any dynamic/non-Ethernet interface, such as VLANs, tun, tap, etc. which has been fixed.

IPsec connection reloading improvements– When making changes to a single IPsec connection, or adding an IPsec connection, it no longer reloads all your IPsec connections. Only the changed connections are reloaded. That wasn’t a big deal in most environments, but in some it meant you couldn’t change anything in IPsec except during maintenance windows. This is being used in a critical production environment with 400 connections, and works well.

Dynamic site to site IPsec– because of the above change, it was trivial to add support for dynamic DNS hostnames in IPsec. While 1.2.x will not receive new features, this became an exception.

Sticky connections enable/disable– sticky connections were previously only changed status at boot time for the server load balancer.

Ability to delete DHCP leases– A delete button has been added to the DHCP leases page, and when adding a static mapping, the old lease is automatically deleted.

Polling fixed– polling was not being applied properly previously, and the supported interfaces list has been updated.

ipfw state table size– for those who use Captive Portal in large scale environments, ipfw’s state table size is now synced with pf’s state table size.

Server load balancingICMP monitor fixed.

UDP state timeout increases– By default, PF does not increase UDP timeouts when set to “conservative”, only TCP. Some VoIP services will experience disconnects with the default UDP state timeouts, setting state type to “conservative” under System -> Advanced will now increase UDP timeouts as well to fix this.

Disable auto-added VPN rules option– added to System -> Advanced to prevent the addition of auto-added VPN rules for PPTP, IPsec, and OpenVPN tun/tap interfaces. Allows filtering of OpenVPN client-initiated traffic when tun/tap interfaces are assigned as an OPT.

Multiple servers per-domain in DNS forwarder overrides– previously the GUI limited you to one server per domain override in the DNS forwarder, you can now put in multiple entries for the same domain for redundancy.

No XMLRPC Sync rules fixed – in some circumstances, rules marked to not sync would sync regardless.

Captive portal locking replacedthe locking used by the captive portal has never been great (same as used in m0n0wall, where a replacement is also under consideration), and in some circumstances in high load environments (hundreds or thousands of users) it could wreak havoc on the portal. This has been replaced with a better locking mechanism that has resolved these issues.

DNS Forwarder now queries all configured DNS servers simultaneously, using the one that responds the fastest. In some circumstances this will improve DNS performance considerably.

Outbound load balancer replaced – The underlying software that does the monitoring and ruleset reloads for outbound multi-WAN load balancing has been replaced. This does not change anything from the user’s perspective, as only back end code changed. This fixed WAN flapping that was experienced by a small number of users.


New installs


VMware appliance

For information on upgrading, see the Upgrade Guide.

Buy it pre-installed

You can get 1.2.3 pre-installed from Netgate on the ALIX and Hamakua platforms, as well as Applianceshop.eu, and our other recommended hardware vendors.

pfSense: The Definitive Guide Book

If you haven’t gotten your copy of the book yet (foreword here), it was fully written to account for all the changes in the 1.2.3 release (which were final before it went to print). Pick up your copy today!

Share this Post:

60 Responses to “1.2.3 Release Available!”

  1. dennis Says:

    What a great Christmas present for us all! Thank you!

  2. nuno Says:

    Great work as usual.
    By far my favorite FW.

  3. Lindley Says:

    Export settings, format and install 1.2.3, import settings, and up and running in less than 15 min! Excellent – feels a tad bit more responsive.

  4. Chris Buechler Says:

    Lindley: unless you were running the old embedded and moving to the new embedded, you don’t need to reinstall (just to clarify for anyone else who may see this), just follow the info in the upgrade guide linked in the post.

    Though it’s definitely quick to get back up and running.

  5. Scott Idem Says:

    So far this version is working great. I have it running on two firewalls with no problems. It seems faster too. Thank you for fixing the captive portal bug!! We were using this firewall at one of our large meetings with hundreds of people trying to authenticate through the captive portal. We found the bug the hard way!

  6. JEU Says:

    Excellent work!!! congratulations for all members of the team!!! :D. We are using pfsense in different scenarios for firewall/vpn/filtering proxy and it works great, amazing stability. Keep going ahead guys!!

  7. Martin Says:

    Awesome! Looking forward to 2010 enhancements and can’t wait for the 2.0 release.

  8. aldi kavari Says:

    congratulation and wonderful
    I lived in Indonesia makassar city,
    i’m user pfSense and I want to say that this is the best router products that ever existed and will remain the best. hopefully the future we can contribute in this humanitarian project.
    once again thank you and congratulations

  9. Robert Says:

    Chris, Please fix the Intel Pro/100 issue when FreeBSD is updated. If that is the only major change, how much rework would it entail to put out a 1.24 release? Version 2.0 is probably a long way off and many of us want to use 1.23 (err…1.24) in production. Thanks.

  10. Chris Buechler Says:

    Robert: It’s not a big deal to turn off checksum offloading. It’s unlikely we’ll spend any time putting out another 1.2.x release. There is a RELENG_7 1.2.3 build here:
    which should have that fix, but read this first:

Please don’t post technical questions or off-topic comments. It is far more likely that your questions and concerns will be addressed effectively through one of our support channels.

Leave a Reply