2.0.2 Release Now Available!

December 21st, 2012 by Chris Buechler

pfSense 2.0.2 is a maintenance release with some bug and security fixes since the 2.0.1 release. You can upgrade from any previous release to 2.0.2.

Heads up for those upgrading

Auto Update URL – For those upgrading from a prior release, first please make sure you’re on the correct auto-update URL. Tens of thousands of installs were from 2.0 pre-release snapshots which had their update URL set to the snapshot server rather than the stable release updates. Others had manually set their architecture incorrectly at some point and had failed upgrades because of it. Just browse to System>Firmware, Updater Settings tab. From the “Default Auto Update URLs” drop down box, pick either the stable i386 or amd64 depending on which version you have installed, and click Save. Then you can use the auto-update and be sure you’re pulling from the correct location.

PPP-assigned DNS server problem – those with PPP-type WANs (PPP, PPPoE) that use the DNS servers assigned by their ISP rather than ones defined under System>General Setup should be aware that those DNS servers will not be used. There are two workarounds detailed here.

FreeBSD Security Advisories

Base OS updated to 8.1-RELEASE-p13 to address the following FreeBSD Security Advisories:

  • NOTE: FreeBSD-SA-12:03.bind, FreeBSD-SA-12:05.bind, and FreeBSD-SA-12:06.bind do not apply to us, since we do not use nor include bind. FreeBSD-SA-12:08.linux does not apply since we do not use nor include the Linux compatibility layer of FreeBSD. FreeBSD-SA-12:02.crypt doesn’t apply because we don’t use DES in that context.

PPTP

  • Added a warning to PPTP VPN configuration page: PPTP is no longer considered a secure VPN technology because it relies upon MS-CHAPv2 which has been compromised. If you continue to use PPTP be aware that intercepted traffic can be decrypted by a third party, so it should be considered unencrypted. We advise migrating to another VPN type such as OpenVPN or IPsec.
  • Fix reference to PPTP secondary RADIUS server shared secret.
  • PPTP 1.x to 2.x config upgrade fixes.

NTP Changes

  • OpenNTPD was dropped in favor of the ntp.org NTP daemon, used by FreeBSD.
  • Status page added (Status > NTP) to show status of clock sync
  • NTP logging fixed.
  • NOTE: ntpd will bind/listen to all interfaces by default, and it has to in order to receive replies. You can still do selective interface binding to control which IPs will accept traffic, but be aware that the default behavior has changed.

Dashboard & General GUI Fixes

  • Various fixes for typos, wording, and so on.
  • Do not redirect on saving services status widget.
  • Don’t use $pconfig in widgets, it has unintended side effects.
  • Fix display of widgets with configuration controls in IE.
  • Changed some padding/margin in the CSS in order to avoid wrapping the menu.
  • #2165 Change to embed to prevent IE9 from misbehaving when loading the Traffic Graph page

OpenVPN Fixes

  • Safer for 1.2.3 upgrades to assume OpenVPN interface == any, since 1.2.3 didn’t have a way to bind to an interface. Otherwise people accepting connections on OPT interfaces on 1.2.3 will break on upgrade until the proper interface is selected in the GUI
  • Don’t ignore multiple OpenVPN DNS, NTP, WINS, etc. servers specified in 1.2.3 when upgrading. 1.2.3 stored them in one field separated by “;”, while 2.x uses separate variables for each.
  • Fix upgrade code for 1.2.3 with assigned OpenVPN interface.
  • Fix LZO setting for Upgraded OpenVPN (was turning compression on even if old config had it disabled.)
  • Be more intelligent when managing OpenVPN client connections bound to CARP VIPs. If the interface is in BACKUP status, do not start the client. Add a section to rc.carpmaster and rc.carpbackup to trigger this start/stop. If an OpenVPN client is active on both the master and backup system, they will cause conflicting connections to the server. Servers do not care as they only accept, not initiate.

IPsec fixes

  • Only do foreach on IPsec p2 entries if it’s actually an array.
  • #2201 Don’t let an empty subnet into racoon.conf, it can cause parse errors.
  • #2201 Reject an interface without a subnet as a network source in the IPsec Phase 2 GUI.
  • Add routes even when IPsec is on WAN, as WAN may not be the default gateway.
  • #1986 Revamped IPsec status display and widget to properly account for mobile clients.
  • Fixed a bug that caused the IPsec status and widget to display slowly when mobile clients were enabled.

User Manager Fixes

  • #2066 Improve adding/removing of user accounts to the underlying OS, especially accounts with a numeric username.
  • Include admin user in bootup account sync
  • Fix permission and certificate display for the admin user
  • Fix ssh key note to refer to DSA not just RSA since both work.
  • “:” chars are invalid in a comment field, filter them out.
  • When renaming a user, make sure to remove the previous user or it gets left in /etc/passwd.
  • #2326 Do not allow empty passwords since this might cause problems for some authentication servers like LDAP.

Captive Portal Fixes

  • Take routing table into account when figuring out which IP address to use for talking to CP clients.
  • Prevent browser auto-fill of the username and password on the voucher config page. Auto-fill can accidentally populate the sync fields, and if sync isn’t fully configured this interferes with the settings being saved properly.
  • Correct the Called-Station-Id attribute setting to be the same on STOP/START packets
  • Correct the Called-Station-Id attribute setting to be consistent on the data sent
  • #2082 Correct the log to display the correct information about an existing session
  • #2052 Remove duplicate rule
  • Fix which roll to write when writing the active voucher db
  • Always load ipfw when enabling CP to ensure the pfil hooks are setup right
  • #2378 Fix selection of CP interfaces when using more than 10 opt interfaces.
  • Strengthen voucher randomization.

NAT/Firewall Rules/Alias Fixes

  • #2327 Respect the value of the per-rule “disable reply-to” checkbox.
  • #1882 Fix an invalid pf rule generated from a port forward with dest=any on an interface with ip=none
  • #2163 1:1 Reflection fixes for static route subnets and multiple subnets on the same interface.
  • Better validation on URL table alias input from downloaded files.
  • #2293 Don’t put an extra space after “pass” when assuming it as the default action or later tests will fail to match this as a pass rule.
  • Update help text for Host aliases to indicate FQDNs are allowed.
  • #2210 Go back to scrub rather than “scrub in”, the latter breaks MSS clamping for egress traffic the way we use it.
  • Fix preservation of the selection of interfaces on input errors for floating rules.
  • Fix URL table update frequency box.
  • Fix input validation for port forwards, Local Port must be specified.
  • Added a setting to increase the maximum number of pf tables, and increased the default to 3000.
  • Properly determine active GUI and redirect ports for anti-lockout rule, for display and in the actual rule.
  • Handle loading pf limits (timers, states, table/entry limits, etc) in a separate file to avoid a chicken-and-egg scenario where the limits would never be increased properly.

Interface/Bridging Fixes

  • Correct the check for whether a gif interface is part of a bridge, so that adding a gif to a bridge after it was created on bootup actually works.
  • Use the latest functions from pfSense module for getting interface list
  • Use the latest functions from pfSense module for creating bridges
  • Implement is_jumbo_capable in a more performant way. This should help with large number of interfaces
  • Since the CARP interface name changed to “vipN” from “carpN”, devd needs to follow that change as well.
  • #2242 Show lagg protocol and member interfaces on Status > Interfaces.
  • #2212 Correctly stop dhclient process when an interface is changed away from DHCP.
  • Fixed 3G SIM PIN usage for Huawei devices
  • Properly obey MTU set on Interface page for PPP type WANs.

Other Misc. Fixes

  • #2057 Add a checkbox that disables automatically generating negate rules for directly connected networks and VPNs.
  • Mark “Destination server” as a required field for DHCP Relay
  • Clarify the potential pitfalls when setting the Frequency Probe and Down parameters.
  • Add a PHP Shell shortcut to disable referer check (playback disablereferercheck)
  • #2040 Make Wireless Status tables sortable
  • #2068 Fix multiple keys in a file for RFC2136 dyndns updates.
  • Check to see if the pid file exists before trying to kill a process
  • #2144 Be smarter about how to split a Namecheap hostname into host/domain.
  • Add a small script to disable APM on ATA drives if they claim to support it. Leaving this on will kill drives long-term, especially laptop drives, by generating excessive Load Cycles. The APM bit set will persist until the drive is power cycled, so it’s necessary to run on each boot to be sure.
  • #2158 Change SNMP binding option to work on any eligible interface/VIP. If the old bindlan option is there, assume the lan interface for binding.
  • Fix reference to PPTP secondary RADIUS server shared secret.
  • #2147 Add button to download a .p12 of a cert+key.
  • #2233 Carry over the key length on input errors when creating a certificate signing request.
  • #2207 Use PHP’s built-in RFC 2822 date format, rather than trying to make our own.
  • Allow specifying the branch name after the repository URL for gitsync command-line arguments and remove an unnecessary use of the backtick operator.
  • Correct send_multiple_events to conform with new check_reload_status behaviour
  • Do not wipe logs on reboot on full install
  • Set FCGI_CHILDREN to 0 since it does not make sense for php to manage itself when lighttpd is doing so. This makes it possible to recover from 550-Internal… error.
  • Support for xmlrpcauthuser and xmlrpcauthpass in $g.
  • Fix Layer 7 pattern upload, button text check was incorrect.
  • Correct building of traffic shaping queue to not depend on parent mask
  • #2239 Add alias support to static routes
  • Use !empty instead of isset to prevent accidental deletion of the last used repository URL when firmware update gitsync settings have been saved without a repository URL.
  • Better error handling for crypt_data and also better password argument handling
  • Stop service needs to wait for the process to be stopped before trying to restart it.
  • Use a better default update url
  • Fix missing description in rowhelper for packages.
  • #2402 #1564 Move the stop_packages code to a function, and call the function from the shell script, and call the function directly for a reboot.
  • #1917 Fix DHCP domain search list
  • Update Time Zone zoneinfo database using latest zones from FreeBSD
  • Handle HTTPOnly and Secure flags on cookies
  • Fixed notifications for firmware upgrade progress
  • Removed an invalid declaration that considered 99.0.0.0/8 a private address.
  • Fixed redirect request for IE8/9
  • #1049 Fix crashes on NanoBSD during package removal/reinstall. Could result in the GUI being inaccessible after a firmware update.
  • Fix some issues with upgrading NanoBSD+VGA and NanoBSD+VGA Image Generation
  • Fix issues upgrading from systems with the old “Uniprocessor” kernel which no longer exists.
  • Fix a few potential XSS/CSRF vectors. Thanks to Ben Williams for his assistance in this area.
  • Fixed issue with login page not showing the correct selected theme in certain configurations.
  • Fix limiters+multi-wan

Binary/Supporting Program Updates

  • Some cleanup to reduce overall image size
  • Fixes to ipfw-classifyd file reading and handling
  • Updated miniupnpd
  • ISC DHCPD 4.2.4-P1
  • mdp5 upgraded to 5.6
  • pftop updated
  • lighttpd updated to 1.4.32, for CVE-2011-4362 and CVE-2012-5533.

Upgrade Information

As always, information on upgrading can be found in the Upgrade Guide.

Download

Downloads for new installs can be found on the mirrors here.

Upgrades can be found here.

Note: some mirrors are still syncing, it will be several hours from the time of this post until all are synced.

57 Responses to “2.0.2 Release Now Available!”

  1. Kenneth Degel Says:

    Love the product, keep up the great hard work. Many thanks to all

  2. Mark Says:

    Nice! Thanks for all of the hard work you guys continue to put into the most awesome firewall project there is. It is very much appreciated! Updating two of five pfsense firewalls as I type this. The other three will have to wait as they’re in production

  3. Upgrade pfSense 2.0.2 | Seraphyn Blog Says:

    [...] obligatory changelog can be found in the post 2.0.2 Release Now Available! [...]

  4. Astor Palmeira Says:

    Hi,
    Perfect release, we want this.
    Thanks
    Caapsoft

  5. Bryan Manske Says:

    Awesome Sauce! Thank you to all, for all that you do. You’ve just made my life easier in a lot of little ways with this update.

  6. Florian Strankowski Says:

    Built On: Mon Dec 12 18:16:13 EST 2011

    For the lulz

  7. kmnair Says:

    But I am already using 2.1beta and perfectly happy about it!!!!
    You guys are simply AMAZING.
    Thank you so much for such a fine product.
    Keep it up.

  8. Andrew Says:

    Yeah… So be careful if you have a bunch of packages.. My box got hung up on trying to reinstall packages, I went to the console and hit enter, and suddenly, it finished configuring and installing everything…

    However, I have a broken install, as it didn’t reinstall the squid package, or other packages that depend on squid… and I can’t get it to allow me to try removing the packages to fix the system.

    I suspect I was on one of the squid variants that were removed, however since it never notified me to this effect, I didn’t remove it prior to upgrade, and I suspect after upgrade since it can’t reinstall the exact same version.. It just hosed itself.

    Off to restore config without packages, and try reinstalling..

  9. Andrew Says:

    Oh, and if my assumptions are correct (and I really do expect that they are), can future versions check for issues and notify / stop the upgrade prior to actually doing the upgrade/ breaking things?

  10. Chris Buechler Says:

    Andrew: Users need to take care what packages they install and how they’re labeled; if they’re not stable, you’re likely to cause yourself problems. Poor quality packages from outside contributors have posed issues from day one. They’re not labeled as stable, don’t expect them to be.

    In the future I would like more safety checks on buggy packages, and 2.1 has some enhancements in that area, primarily in that using PBIs makes many of those problems less likely, but not as much as I’d like to see eventually. One major thing I want to do is make it far more clear that if you’re installing any package that hasn’t been appropriately vetted, you’re begging for trouble. The little “alpha”/”beta” tags on the packages have proven to not be clear enough.

    If you do get into a situation where the package reinstall fails, that’s usually fixable just by going to Diag>Backup/restore and clicking the “reinstall packages” button.

  11. Tom Gibson Says:

    My Box is running 2.0.1 and on the Dashboard indicates an update is available, however clicking the link to see details delivers the text:

    Downloading new version information…done
    Obtaining current version information…done

    You are on the latest version.

    Where is the 2.0.2 update? My updater URL is http://updates.pfsense.org/_updaters

  12. Nima Says:

    OO YEAH, Great job

  13. Stefan Says:

    Great work!
    But it seems the Auto Update with the nanobsd vga image does not work. Perhaps the version-nanobsd-vga-* file does not contain the newest version? The dashboard shows the “Update available” message. Confusing.

  14. Andrew Says:

    Chris:
    I appreciate the thoughts. I understand that the failure wasn’t of pfSense in and of itself.

    In my case, no.. I couldn’t. When I attempted that, it made things worse, as I lost access to the webconfigurator entirely. As I not so clearly pointed out, I had installed a package that had apparently been removed from the repo.

    I had checked my packages prior to install, and am/was used to the box changing to gray? (I forget what color it was, I know it wasn’t red) if the package was removed, noticed everything was white, and set off to upgrade.

    Ultimately I was able to go into the pkg includes and rm squid.* and lightsquid.* and reboot, and was able to get everything back up and running.

    In this case, I believe the specific failure was that lightsquid depends upon the squid package, and since the squid package I had installed was no longer in the repo and just got passed over during reinstall, lightsquid was installed and left broken due to requiring squid.* files that didn’t exist.

    In any case, since it’s not retained after install, I would have no idea if a package was stable, beta, release, alpha, or anything else. BTW I might add, I don’t recall seeing those tags when Upgrading a package

    Regardless of package state, an extra check of packages prior to upgrade would be nice. Since I’m sure at some point Stable packages have been or will be removed.

    Something like “The following packages will not be reinstalled after upgrade as they no longer exist in the repo. Do you want to continue the upgrade? (Y|N)”.

  15. jigp Says:

    Thank you so much, team! Happy Holidays!!

    Jigp

  16. Arnold Says:

    Where is the iso of version 2.0.2

  17. anon Says:

    stuff like squid transparent option worked ok after disable feature -> restart service -> enable feature -> restart service

  18. colreg Says:

    Thanks for all!

  19. Jyothish Says:

    When is 2.1 releasing …..Still running on beta version……..:(

  20. Chris Buechler Says:

    Arnold: Same place they’ve always been, the download for new installs link in the post.

    Jyothish: when it’s ready. Sometime in 2013.

  21. dig Says:

    Ditto. Same problem as Stefan, on Nano-VGA-i386 getting notification but no new updates. Manual upload is timing out..
    Thanks!

  22. alex Says:

    Great work. I keep being impressed by pfSense. The changelog is really quite long.

    I’ve upgraded my alix board with no problem at all. Downtime was a few minutes (the system is still fully usable while downloading the update).

    Obviously everyone is waiting for 2.1. Just release it when it’s ready :)
    I am also looking forward to the Pfsense 2 book… hope it is coming someday.

  23. Tim Says:

    merry christmas to me! =D

  24. Sebastien Says:

    Christmas update ! Many thanks.
    I installed my first pfsense (2.0.1 at the time) on a soekris box and it worked as expected, even far beyond. So many possibilities in your firewall…

    Well, i’m gonna a give a try to that 2.0.2 update but as i really put the box in production some days ago, i would wait a little to do so.

    Anyway, thanks again for that incredible job.

  25. Ronpfs Says:

    Andrew Says:
    December 22nd, 2012 at 11:00 pm
    “Yeah… So be careful if you have a bunch of packages.. My box got hung up on trying to reinstall packages, I went to the console and hit enter, and suddenly, if finished configuring and installing everything…”

    Somehow it will go thru the re-installation of package 2-3 times, maybe more. If you let it go it should succeed.
    In my case it took 7-10 minutes for 6 packages.

  26. Nick Says:

    Thank you for the update! 2.0.1 has been rock-solid for my uses, but I upgraded to 2.0.2 anyway due to the security advisories. Had no problems at all upgrading.

    I’m looking forward to 2.1, but take your time! :)

  27. Bartek Says:

    !!!WARNING!!! Upgrade from 2.0.1 to 2.0.2 (from web autoupdate) totally messed up the installation. After the automatic router reboot the system didn’t come up – it stopped at “BTX halted”. Nothing helped (disable ACPI, etc).

    After reinstallation (using 2.0.2 live cd) everything works OK (config restored).

    upgrade_log.txt from messed up installation contains quite strange lines:
    x ./tmp/pre_upgrade_command
    Firmware upgrade in progress…
    Installing /root/latest.tgz.
    ./var/empty/: Can’t set user=0/group=0 for var/emptyCan’t update time for var/empty
    ./boot/loader.rc: Could not unlink
    tar: Error exit delayed from previous errors.
    Image installed /root/latest.tgz.

  28. Chris Buechler Says:

    Bartek: Read the post, the very top, “Auto Update URL”. That’s what happens when you try to run 64 bit on hardware that isn’t capable of 64 bit. You had to have set your update URL to 64 bit at some point, and you upgraded from 32 to 64 bit, but your hardware isn’t 64 bit.

  29. Ronpfs Says:

    Small correction after looking at the syslog logs:

    pfSense goes through the reinstallation only one time.

    The installation sends messages to syslog and each update of the % completion sends 20+ lines to syslog! It appears like it is doing the same thing over and over, but it installs each package once.

    Rebooting afterwards fixed most problems.

  30. Kamaal Says:

    Great Product, I’ve been using it for a few years now, since release 1.
    Keep up the good work and thank you.

  31. nana Says:

    Great work! Guys, thanks

  32. FPUIG Says:

    Upgraded from 2.0.1 to 2.0.2 using the GUI without problem… PfSense is a ROCK…

  33. whois Says:

    Pfsense is solid – solid as a rock – Nearly every revision and every beta has been solid for me – Firewall, NAT, VPN, open OSPF and BGP – some of these users’ problems are that they don’t know how to use PFsense to produce a reliable router and firewall. To all of you: go away and don’t use it. We’re enjoying extraordinary performance and services from FREE software. For all of you contributors – congratulations, and give these guys the kudos they deserve. Thank you gentlemen – we appreciate your efforts.

  34. Lukas Says:

    Thanks very much for this great product. Works great for years on my ALIX boards. I’m looking forward for Version 2.1 with IPv6 support. Keep up the good work ! And have a great 2013 ;o)

  35. Muhammed Abdelwdoud Says:

    There is a problem in multi-WAN System:Gateways >>
    when using multiple ADSL lines from the same ISP, for example.
    ISP1 Gateway is 10.10.10.1
    ISP2 Gateway is 10.20.20.1
    If I am using 1 ADSL line from each ISP >> there will be no problem.
    But if I use 2 ADSL lines from the same ISP and these 2 ADSL lines are on the same route of the ISP “has the same Gateway”,
    monitoring does not work, and I must assign a different monitor IP for one of them>>>
    My WANs config is PPPoE…
    Everything else is going smooth and fine. Thanks for the great effort.

  36. ArcticLab.org Says:

    2.0.2 is working well. Upgrades = smooth as usual. Some of the systems that we run on are Soekris (for small implementations) and Dual Xeon based systems (for large deployments). Great work. Thanks.

  37. Chris Buechler Says:

    Muhammed: that’s how it’s supposed to work, doing it any other way isn’t a valid config.

  38. niranjan Says:

    Wonderful update! Thanks for all the hard work.

  39. Seamus Says:

    Just to re-echo the thanks many have already expressed. Your work is much appreciated.

  40. Exploit: pfSense 2.0.1 XSS & CSRF Remote Root Access – Don’t panic! | pfSense-BR Says:

    [...] Update your pfSense to version 2.0.2. Try to validate your environment in a lab (on virtual machines, for example) – Never update your pfSense directly in the production environment; [...]

  41. Goliator Says:

    Very good work, it is the best non-commercial firewall !!!!! Great work, thanks team !!!

  42. Stilez Says:

    Very very pleased with this unexpected bonus update between 2.0.1 and 2.1. extremely good stuff there. Thank you especially for all the PPP related fixes!

    Looking at the (impressive!) number of items on the list perhaps maintenance releases should happen say 6-9 months apart? No reason to hold onto all these this long before a maintenance release! :)

  43. Chris Buechler Says:

    Stilez: Yeah this would have been released at least 4-5 months earlier if it weren’t for some major changes happening here behind the scenes that were taking up inordinate amounts of time. We’ll be doing maintenance releases once every few months going forward.

  44. Volkan Says:

    You are awesome! Best free firewall in the world!

  45. Michael Says:

    Many thanks to the pfSense team for your dedication and all of the hard work that you put into delivering this stellar product. I’ve been following pfSense for many years now, and I am continually impressed by what you deliver for us to work with and enjoy.

    Another hassle free upgrade to version 2.0.2 has just completed.

  46. ugur Says:

    excellent. i love pfsense.

  47. Neter Says:

    Upgrade went smoothly. Thanks.

  48. Ferdi KÜÇÜK Says:

    Thank You..

  49. Paul Says:

    Superb product, from whichever way you look at it. And yes, upgrades are mostly solid. I just upgraded one box between 2.1 beta revisions and another box from 2.0.1 to 2.0.2. Both went well. I did have some ipv6 addressing issues after the 2.1 update when creating a new interface. I haven’t looked into it so take that with a pinch of salt :)

  50. Simon Says:

    In the future, can you perhaps make use of digital signatures and/or approved lists based on sha256 checking for packages? A big fat warning for those unapproved, of course….

    Thanks!

  51. Chris Buechler Says:

    Simon: that’s part of what we can do with PBIs going forward.

  52. George Stancu Says:

    Great job guys… thank you for the best firewall……

  53. Paul Ansell Says:

    What a find, a truly excellent firewall – totally thrilled with it, how I never came across it earlier I don’t know. Absolutely love it, it just seems to have everything, and it’s a doddle to config – it just works!!!

    Fantastic stuff, thank you very much!!

  54. ekalil Says:

    Great Jobs! Tks guys!!! ;)

  55. Thet Paing Says:

    What a truly excellent firewall….

    Great stuff, thank you very much!

  56. Marcello Says:

    A 1.2.3 instance on an old mini-tower PC is still doing great after almost 1 year of continuous uptime! Looking forward to installing a new shiny 2.0.2 box asap.

  57. Paul Rowe Says:

    We’ve used pfSense and its predecessor, the m0n0wall, for many years and they have been extremely reliable and easy to manage. We use them for a hub and spoke retail chain, among other things.

    The improved auto updating is a great plus.

    But the reason for my post is the thank you for the tip about setting the correct updater URL. This info can be a bit hard to find, even though it is sort of beyond obvious once it is pointed out.
