Software-update: PfSense 2.2.2

Er is een update voor versie 2.2 van pfSense is uitgekomen. Dit pakket is gebaseerd op het besturingssysteem FreeBSD en richt zich op router- en firewall-taken. Het is in 2004 begonnen als een fork van m0n0wall vanwege verschillende visies bij de ontwikkelaars en in de loop van de jaren uitgegroeid tot een router- en firewall-pakket dat in zowel kleine als zeer grote omgevingen kan worden ingezet. Voor meer informatie verwijzen we naar deze pagina. De changelog voor pfSense 2.2.2 ziet er als volgt uit:

Security/Errata Notices

• FreeBSD-SA-15:09.ipv6: Denial of Service with IPv6 Router Advertisements. Where a system is using DHCPv6 WAN type, devices on the same broadcast domain as that WAN can send crafted packets causing the system to lose IPv6 Internet connectivity.
• FreeBSD-SA-15:06.openssl: Multiple OpenSSL vulnerabilities. Most aren't applicable, and worst impact is denial of service.

Rules / NAT

• Added hidden config option to disable blocking of link-local IPv4 (169.254.0.0/16) for the rare instances where it's required. Not recommended, violates RFC 3927.
• Fixed invalid ruleset generation when using port forwards with destination "any" on a DHCP client WAN-type interface, have pure NAT mode reflection enabled, and have the interface with link up but unable to reach a DHCP server for an extended period. #4564
• Allow the use of version IPv4+IPv6 on firewall rules without restrictions on protocol. The former restrictions date back to earlier base software versions, and are no longer applicable.
• Omit route-to from rules specifying a specific gateway when that gateway is forced down. #4566

IPsec

• Enforce disabling of "prefer old SAs" option. When the GUI configuration checkbox was removed in 2.2.1, it fell through to the default of the underlying software in many cases, leaving the option enabled instead of disabled. Having this option enabled will cause connectivity problems after rekeying in many circumstances. Upgrading to 2.2.2 will fix this.
• strongSwan upgraded to 5.3.0
• Don't apply mobile IPsec phase 2 PFS configuration to non-mobile IPsec. #4538
• Correct applying of uniqueid configuration. #4359
• Bring back automatic exclusion of LAN subnet to LAN IP for scenarios where remote IPsec overlaps with local LAN subnet. #4504
• Enable ike_name for daemon logging, adding connection identifiers to IPsec logs that can be correlated to output of 'ipsec statusall' (GUI log viewer integration to come).

DNS Forwarder/Resolver

• Fix DNS registration of hostname "0" #4573
• Domain overrides to multiple server IPs are possible in DNS Resolver. Add message noting this, and how to achieve it. #4350

Wireless

• Atheros wireless driver updated to latest from FreeBSD 11-CURRENT. Not many changes since 2.2.1-RELEASE. #4582
• Wireless cards removed from ALTQ-capable interfaces (traffic shaper capability) since that isn't supported at the moment. #4406
• New option "auto" added for Standard. This omits configuring mode with ifconfig, which currently can trigger driver problems that don't exist when not specified. Standard "auto" is preferred, and possibly required, for BSS and IBSS wireless modes with Atheros cards (at a minimum, potentially others).

IPv6

• Make sure 'DHCPv6 Prefix Delegation size' is provided if 'Send IPv6 prefix hint' flag is checked to avoid generating invalid dhcp6c configuration file.
• DHCPv6 Relay fixed. #4572
• Allow "0" for id-assoc na ID, id-assoc pd ID, sla-id and sla-len DHCP6 configuration options. #4547
• Fix the use of multiple prefixes in IPv6 router advertisements. #4468

Other

• Clean up logic in OpenVPN resync code. Discussion here and additional change here.
• SSL certificate validation disabled for selfhost - their certificate chain had a problem that made OpenSSL fail verification, making the service non-functional. #4545 The provider fixed the issue after 2.2.2-RELEASE, so verification has been re-enabled for 2.2.3 and newer.
• Fix error in traffic shaping wizard. #4529
• Fix broken image path. #4530
• A variety of minor text clean up in web interface.
• Remove some code no longer used in a few places.
• Clean up of code path when adding a new user. #4620
• Make sure RRD backup is not restored when /var memory disk is not in use. #4531
• PHP upgraded to 5.5.23