2.1 now release candidate tagged

May 22nd, 2013 by Chris Buechler

We’ve tagged 2.1 as RC0, as release time nears. This means it’s feature-complete, and has no significant known regressions from prior releases. How much longer until release depends on what’s discovered from here out. We don’t anticipate there being a long release candidate cycle, given how widespread 2.1 usage has been over the past year plus. Now’s the time to help test!

Please post anything that requires follow up to the 2.1 board on the forum rather than the comments here on the blog. Far more people are active on the forum and will see it there.

The master branch in git has been bumped to 2.2-ALPHA in preparation for development on 2.2 release. We’ll soon be putting efforts into getting our patches and code up to speed for FreeBSD 10.x for 2.2 release.

Upcoming Conferences

May 9th, 2013 by Chris Buechler

We’ll be at three upcoming conferences in the next few weeks.

BSDCan – May 15-19, Ottawa, Canada. We won’t be doing a formal presentation here this year, but several of us will be in attendance. Get in touch if you’d like to meet up.

Texas Linux Fest – May 31-June 1, Austin, Texas. We’ll have a table here in the exhibition space, please stop by if you’ll be in attendance. We’re headquartered in Austin and are always glad to meet with folks here when schedules permit.

SouthEast Linux Fest – June 7-9, Charlotte NC. I’ll be presenting a talk on all the latest with the project, and we’ll also have a table in the exhibition space.

We look forward to meeting many of you over the next few weeks!

 

2.0.3 Release Now Available!

April 15th, 2013 by Chris Buechler

I’m happy to announce the release of pfSense 2.0.3.┬áThis is a maintenance release with some bug and security fixes since 2.0.2 release. You can upgrade from any previous release to 2.0.3.

Change List

Security Fixes

  • Updated to OpenSSL 0.9.8y to address FreeBSD-SA-13:03.
  • Fix below XSS in IPsec log possible from users possessing shared key or valid certificate
  • Below S.M.A.R.T. input validation fix isn’t security relevant in the vast majority of use cases, but it could lead to privilege escalation for an administrative user with limited rights who can access the S.M.A.R.T. pages but cannot access any of the pages that allow command execution by design.

Read the rest of this entry »

Security flaws in Universal Plug and Play

January 30th, 2013 by Chris Buechler

Rapid7 released a paper today covering new security flaws in UPnP. These findings have lead to the US Department of Homeland Security recommending everyone disable UPnP.

These flaws aren’t applicable to pfSense users, as long as you’ve stayed up to date, or at least haven’t gone out of your way to make yourself insecure. The flaws identified in miniupnp were fixed over two years ago, and we always ship releases with the latest version. So these could only be applicable if you haven’t updated to any 2.x version. You would also have to add a firewall rule on WAN to permit the traffic in for the Internet-reachable scenario, so you would really have to go out of your way to make yourself vulnerable if running pfSense.

It’s arguable whether you should ever enable UPnP at all, ever. It’s a security vulnerability by design, really, allowing things to arbitrarily open ports on your firewall. We’ve argued against it since the inception of this project, but make it available for those who have no alternative. Of course we disable it by default.

If you’re running any other kind of router or firewall, things may not be so good. A shocking number of vendors are still building old miniupnp versions into their products (Rapid7 identified 332 such products), and shipping them with extremely insecure defaults (over 80 million unique IPs answer UPnP from the Internet). If you’re not sure whether your router is vulnerable, it’s safest to disable all UPnP functionality on devices connected to the Internet. Rapid7 has released a ScanNow tool that will scan your local network for exploitable devices.

This is also a nice example for the small number of people who still think open source solutions are somehow less secure than commercial alternatives. We’ve done things right again in this instance from day one, where a shocking number of commercial vendors have massively failed to follow basic security best practices.

OpenVPN client now available on Apple iOS!

January 18th, 2013 by Chris Buechler

Great news for many pfSense users today, as OpenVPN Technologies in collaboration with Apple have released an OpenVPN client for iOS.

Within hours of its release, Jim Pingle updated our OpenVPN Client Export package’s inline export option to be compatible with iOS (and retaining its Android compatibility). The inline export is available for 2.0.x and 2.1 versions. Upgrade your package under System>Packages to the latest version and use the inline export option, which can be imported into the iOS client via iTunes amongst other methods. I had my iPhone connected to OpenVPN within 5 minutes, it’s a quick, easy process.

Our thanks to OpenVPN Technologies and Apple for making this happen!

2.0.2 Release Now Available!

December 21st, 2012 by Chris Buechler

pfSense 2.0.2 is a maintenance release with some bug and security fixes since 2.0.1 release. You can upgrade from any previous release to 2.0.2.

Heads up for those upgrading

Auto Update URL – For those upgrading from a prior release, first please make sure you’re on the correct auto-update URL. Tens of thousands of installs were from 2.0 pre-release snapshots which had their update URL set to the snapshot server rather than the stable release updates. Others had manually set their architecture incorrectly at some point and had failed upgrades because of it. Just browse to System>Firmware, Updater Settings tab. From the “Default Auto Update URLs” drop down box, pick either the stable i386 or amd64 depending on which version you have installed, and click Save. Then you can use the auto-update and be ensured you’re pulling from the correct location.
Read the rest of this entry »

FreeBSD Foundation Year-End Fundraising Campaign

December 10th, 2012 by Chris Buechler

The FreeBSD Foundation has put out their year-end fundraising campaign. The FreeBSD Foundation sponsors development of the underlying OS that pfSense is based on. We made a donation as we do every year, and we encourage our users to do the same. They are a 501(c)3 non-profit organization, so US contributors may be able to deduct contributions on their taxes.

pfSense could also use your direct donations to fund general expenses, project development and needed equipment. You can donate directly to us here, though note we’re not a 501(c)3.

2.1 Tutorial at EuroBSDCon 2012

August 2nd, 2012 by Chris Buechler

Ermal and I will be doing a full day pfSense 2.1 tutorial at EuroBSDCon 2012, October 18 in Warsaw, Poland. Registration has just opened. This will be a training-focused session, going through many of the features common to every version, covering changes in 2.1, with focus on IPv6 in each portion of the system.

pfSense at Texas Linux Fest 2012

July 15th, 2012 by Chris Buechler

I will be presenting on pfSense 2.1 and IPv6 at Texas Linux Fest, August 3-4 in San Antonio. We’ll also have a table in the exhibition area where I’ll be camped out most of both days talking to users, so if you’re in the area, stop by! Our friends at Netgate are providing an ALIX we’ll be giving away. Look forward to meeting many of you there.

Happy World IPv6 Launch Day!

June 6th, 2012 by Chris Buechler

Today is World IPv6 Launch day, when many major websites have permanently added AAAA records to make their sites accessible via IPv6. All our sites have been IPv6-enabled (on native connectivity thanks to bluegrass.net) since last year, running behind pfSense 2.1. Many others are using the current snapshots in production networks.

We’d hoped to have 2.1 released in time for today, but getting to the point we consider full IPv6 support has taken far more work than anticipated. As has become the norm for us over the last several years, we do much more than put a GUI on things, having to implement and/or fix things in the underlying software to meet the needs of our users. There was far more to implement and fix in the underlying software than we anticipated. We have the last major piece addressed this week with CARP IPv6 support now functional. We’re just validating things at this point and fixing some last issues, with the official release coming roughly in the next 1-2 months.

IPv6 isn’t yet a critical need for most every network, but it will be getting to that point quickly. I know many IT professionals have been ignoring it, but it’s time to get up to speed for those who haven’t yet. I encourage everyone to at least start experimenting with it at home if you haven’t yet. For the bulk of us who don’t have an option for native IPv6 at home, our Using IPv6 on 2.1 with a Tunnel Broker document will get you going.