Nov 29 2014
We’re getting an increasing number of “When will 2.2-RELEASE happen?” queries. In an attempt to answer the question for a more general audience, we’ve put together some data.
pfSense® software version 2.2 started with a few seemingly simple goals:
- move the base to a very recent version of FreeBSD.
- update the IPsec stack to include AES-GCM, and IKEv2.
- update PHP to something more recent than what is used in pfSense software version 2.1.
These seemingly simple goals produced a lot of work. When we re-launched the 2.2 project in October 2013, we estimated that it would take 9-10 months, producing a release in April or May of 2014. We had no way of knowing that we would end up producing a train of 5 additional releases based on pfSense software version 2.1, starting with 2.1.1 in early April, which was immediately followed by 2.1.2 to fix the “Heartbleed” issue, then 2.1.3, 2.1.4 and 2.1.5 during the following 139 days. And three weeks after the 2.1.5 release, we finally got pfSense 2.2 into a BETA release.
We are now close enough to a 2.2-RELEASE that we can state with some certainty that FreeBSD 10.1-RELEASE will serve as the base for pfSense 2.2-RELEASE. In order to transparently support both IKEv1 and IKEv2 we moved from ipsec-tools to strongSwan, taking advantage of its monolithic IKEv1/IKEv2 daemon. And the PHP backend has been switched from FastCGI to PHP-FPM, while PHP has been updated to version 5.5(.19).
But meeting these three seemingly innocuous goals opened a plethora of issues. BIND is no longer a part of FreeBSD, so we switched to Unbound. While the initial work on this was done by a community member, we’ve had to fix a number of real issues with the result since entering BETA. For the past 60 days it’s been heads down, opening tickets, and getting them resolved by fixing bugs, then re-testing the result.
Open/Closed tickets – last 90 days
Below you can find a bit more of the internal data that drives the decisions on the release process. We are now, likely, days away from a “release candidate” for pfSense software version 2.2. You can help by running a snapshot (several of us have been doing so since the 2.2 BETA), or the RC series and reporting any issues you find.
Total Tickets by Status – Past Year.
Open/Closed tickets, last year
Changes by user – Past 90 days
Nov 21 2014
Our monthly pfSense hangout has been scheduled! Please make note that because of the Thanksgiving holiday, we will have the event on Tuesday, November 25, 2014 at 1PM CST. Log in to your portal account on the day of the event for details on how to join us. This month’s topic is: New and Improved Features in pfSense 2.2. Your host will be Jim Pingle.
Nov 5 2014
Ten years ago today, the pfsense.org(com/net) domains were first registered, marking the birth of the project as we know it. We began on a server named “projectx” a few months prior, going public after settling on a name on November 5, 2004. We’ve come incredibly far since then, having grown to one of the most widely used network firewall distributions in the world, with every metric we can count continuing to grow further.
Thanks to everyone who’s made the past decade possible. The best is yet to come!
Oct 16 2014
We’re happy to announce the pfSense Gold Hangout for October 2014!
The older ALIX-based appliances (i.e. m1n1wall) are a tremendously popular and successful product. But as one might expect, this product is rapidly approaching its end of life (EOL). Its successor, the VK-T40E, is taking its place as the leader in small form-factor, low power, entry level pfSense firewall appliances for small business, SOHO, and remote branch office environments.
Our October Hangout will cover the process for upgrading from an older ALIX unit to its successor, the VK-T40E. We will talk about upgrade precautions, how to make the move easier, common pitfalls, and deploying the new device.
When: Friday, October 24, 2014 @ 1PM Central US Time
Where: Check your portal account on the day of the event for the link to join us
Who: This event will be hosted by Jim Pingle
Mark your calendar and we look forward to seeing you!
In order to join us, you must be a pfSense Gold subscriber.
Subscribe to Gold Here!
Get your VK-T40E here
Oct 14 2014
As I’ve written elsewhere, we are starting to focus on performance in pfSense 2.2 and beyond. The first project was to implement AES-GCM with AES-NI acceleration (on CPUs that support it) for IPSec. This project was accomplished in partnership between the FreeBSD Foundation, ESF, and Netgate, and has been stable in pfSense 2.2 snapshots for several weeks.
If your CPU is able to process AES-NI instructions, I encourage you to try it out.
The next investigation, as the title of this post implies, is to improve the speed of pf. The first step was to measure the existing performance. So we (as Netgate) enlisted the help of George Neville-Neil, who wrote a tool called “Conductor”.
One of the first things we noticed was that the Jenkins hash in FreeBSD 10 seems to take a lot of time. XXHASH is demonstrably faster than Jenkins, and gives a measurable performance gain to pf.
While the patch won’t be available in FreeBSD 10.1 (it’s too late in the process for that), we can make it available in pfSense 2.2, and it will be in the next set of snapshots. The performance gain will likely be most measurable above 1Gbps.
- I emphasize that this is an early result.
- Please test and let us know.
Sep 25 2014
tl;dr: If you’re having shell problems I feel bad for you son. I got 99 problems but bash ain’t one.
If you’ve not heard, Stephane Chazelas discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name. In many common configurations, this vulnerability is exploitable over the network.
NIST has assigned CVE-2014-6271 a CVSS score of 10. PoCs are starting to appear.
So the question becomes, “is pfSense affected?”
The short answer is: Unlikely, though there are three packages which could lead to an exploit. The base system of pfSense does not include bash. Since bash isn’t on the system, the problem is reduced to packages.
Three packages are affected, and only one is commonly used. The affected packages are:
- Anyterm — This package contains bash in its binaries which are in the git repo, not a .pbi or .tgz. This package will simply be retired as it is unmaintained and rarely used. We will review all packages, and any which contain binaries which we have not built from source will be removed or re-engineered such that we can compile from source.
- Freeswitch-dev — Runs pkg_add for bash. This package is not actively maintained, and can likely be safely removed from the list of packages with minimal community impact.
- FreeRADIUS2 — Adds bash via pkg_add using FreeBSD’s 8.3-RELEASE package set if the user activates Mobile-One-Time-Password (varsettingsmotpenable). We’re looking into the best way to fix it.
- Mailscanner — Also includes bash; will be fixed shortly.
Given the lack of impact to pfSense software version 2.1.5 or the pfSense 2.2-BETA images, no fix is required, so we don’t plan any release in response to this issue.
UPDATE: Affected packages have been updated or removed. Full details are in the security announcement which was posted this afternoon. -jimp
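The post’s reasoning is that the base system has no bash, so exposure reduces to the packages that pull one in. The added POSIX sh script below (not part of pfSense) applies that check on a host: it looks for a bash binary, probes whether that binary still runs trailing code from an environment-variable function definition, and flags any installed packages with the names listed above. The variable name PFS_CHECK and the marker string are constructed for the probe.

```sh
#!/bin/sh
# Added example, not pfSense project code.
# shellshock_status prints one of: absent, patched, vulnerable.
shellshock_status() {
    bash_bin=$(command -v bash 2>/dev/null || true)
    if [ -z "$bash_bin" ]; then
        # Matches the pfSense base system: no bash, nothing to import.
        echo absent
        return 0
    fi
    # Constructed probe: a function definition followed by trailing code.
    # A patched bash imports only the function body; an unpatched one also
    # executes the trailing command while it processes the environment.
    out=$(env PFS_CHECK='() { :; }; echo PFS_TRAILING_CODE_RAN' \
          "$bash_bin" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *PFS_TRAILING_CODE_RAN*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# affected_packages_installed prints the entries of a newline-separated
# package list ($1) whose names the post identifies as pulling in bash.
affected_packages_installed() {
    printf '%s\n' "$1" \
        | grep -iE '^(anyterm|freeswitch-dev|freeradius2|mailscanner)$' || true
}

# Stand-alone run: report bash status and scan a constructed package list.
shellshock_status
affected_packages_installed "$(printf 'openvpn\nFreeRADIUS2\nsquid\n')"
```

On a pfSense box the second function would be fed the actual installed package list; on any host the first function reports whether the shell itself still needs attention.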
Sep 23 2014
The monthly pfSense Hangout is upon us. For September, 2014, the topic will be “Advanced OpenVPN Concepts”. This month’s host will be Jim Pingle. The hangout will happen this Friday, September 26 at 1PM Central US time.
OpenVPN is one of the most frequently used features within pfSense. This month, Jim will dive a little deeper to cover some of the more obscure and complex pieces of this feature.
The pfSense Hangout is an exclusive benefit for our Gold subscribers. Subscribers will find the meeting link after logging in to the members section. If you’re not yet a subscriber, sign up now and you’ll get immediate access. If you can’t make the live event, the video and audio recording and slides are available for members to download within a few hours of the session’s completion.
By subscribing to Gold, you are also helping to keep the project alive! We staff developers, a support team, engineers and other functions on a full time basis so we can keep bringing you a quality product!
Sep 19 2014
The 2.2 release has now reached the beta milestone. This means the release is feature complete (a comprehensive list of new features and changes can be found here) and should stay relatively stable throughout the remainder of the development process. That’s not to say it’s production ready, though. Our developers are using it in production and have been for months, but unless you have a solid understanding of the underlying system and can manually verify the configuration, 2.2 is not yet for you (young padawan).
If you have a non-critical environment where you can try it out, you can find the latest build on the snapshot server. Please report your experiences on the 2.2 board on the forum. Note that snapshots have the risk of changes being made in the source very frequently, and you may get a snapshot from a point in time that caught part but not all of certain changes.
In the most current list of known issues, tickets marked as “Feedback” are either believed to be resolved but need more testing, or need further details to be able to replicate and resolve – feel free to add comments to any of those tickets if you can test the specific scenario described. Those marked as “New” are outstanding issues. We welcome contributions if you can provide a fix for any of the open issues. Before opening a new ticket there, please post to the 2.2 board on the forum where we can help quantify the issue. Before reporting problems, ensure you’re on the latest snapshot; it’s very possible the issue you found is already fixed in our git repository. You can see all commits here.
Important upgrade warning
You can upgrade from 2.1.x to 2.2 just as with any other release, BUT, you cannot downgrade from 2.2 to 2.1.x. And after you upgrade, your configuration will be converted to a format that is usable only on 2.2. If you do upgrade, get a backup first so you can reinstall if needed. Several of the features in 2.2 were revamped to the extent that a change in configuration formatting was necessitated.
Proceed with caution! Expect things to be broken, this is not production-ready for most scenarios for non-developers, but development is moving along rapidly, and we would appreciate feedback from those in a position to test things (and potentially break their network).
Sep 11 2014
Last weekend pfSense University had another successful pfSense Fundamentals and Practical Application Course, co-taught by Co-Founder Chris Buechler and Principal Engineer George Phillips. Attendees from across the globe and from varying industries took part in this two day course, which includes a hands on lab. Not only is this a great venue to learn the complexities of pfSense, but it’s an opportunity to meet some of the pfSense team as well as share notes with other talented pfSense users. Look for more courses in the future.
Chris and George doing some hands on training.
Note the free coffee.
Chris assisting while George teaches.
George assisting while Chris teaches.
Aug 27 2014
The 2.1.5 release follows shortly after 2.1.4 and is primarily a security release.
- Handle a missing DHCPD config section properly during a configuration upgrade
- Fix a regression that broke CARP+IP alias VIP functionality
- Fix the Pass, Block, Reject and Interface filters in the Firewall Logs Widget [#3725]
- Use HTTPS for dyndns providers that support it
- Avoid resetting the firewall hostname from a WAN DHCP server [#3746]
- Add missing qlimit keyword in some shaper rules
- Change Cancel button to call history.back() when editing firewall aliases to fix issues with IE 11 [#3728]
- Allow hostnames in bulk import since they are valid entries in a network type alias
- Fix input validation logic on diag_testport.php, escape more shell arguments for good measure
- Escape the individual dnsmasq advanced/custom options
- Encode the detail field of an alias entry before displaying its contents back to the user
- Encode interface/VIP descriptions before displaying them on the NTP daemon settings, and GIF/GRE interfaces
- Per the dhcpd.conf man page and other documentation from ISC, mclt must not be defined on the secondary
- Shorten the wait at “reload” in startup wizard to 5 seconds from 60
- Do not execute DNS lookups on GET, only pre-fill Host box so the user can press the button to execute
- Turn alias creation links from DNS lookups into submit buttons for POST
- Require click-through POST confirmation when restoring or deleting a configuration from the backup history page
- Avoid a “Cannot use string offset as an array” error if the packages section of the config is missing
- Avoid generating an invalid IPsec (racoon) config if the user specified a mobile pool that is too small
- IPsec phase 2 pinghost was not used if the source IP was a virtual IP address [#3798]
- Move dhcp6c log to dhcpd.log [#3799]
- Do not reset source and destination port range values when it’s an associated rule created by NAT port forward [#3778]
- Added filter.so to list of extensions loaded for filter_var() support
- The pfSense PHP module was setting the subnet mask of lo0 to /0, which could break some routes and cause other unintended routing side effects