Versie 2.5.2 van pfSense is uitgekomen. Dit pakket is gebaseerd op het besturingssysteem FreeBSD en richt zich op router- en firewalltaken. Het is verkrijgbaar in de gratis Community Edition en een Plus-uitvoering, die voorheen als Factory Edition werd aangeboden. Het is in 2004 begonnen als een afsplitsing van m0n0wall vanwege verschillende visies bij de ontwikkelaars en in de loop van de jaren uitgegroeid tot een router- en firewallpakket dat in zowel kleine als zeer grote omgevingen kan worden ingezet. Voor meer informatie verwijzen we naar deze pagina. Waar WireGuard uit voorzorg uit versie 2.5.1 was verwijderd, keert deze in 2.5.2 weer terug, zij het als experimentele optie. De changelog voor deze uitgave ziet er als volgt uit:
SecurityThis release includes corrections for the following vulnerabilities in pfSense software:
General
- pfSense-SA-21_02.captiveportal (XSS in Captive Portal client login page, #11843)
pfSense CE Aliases / Tables
- Added: WireGuard experimental add-on package
Authentication
- Added: PHP shell playback script to modify Alias contents #11380
Backup / Restore
- Added: Copy button for Authentication Server entries #11390
Captive Portal
- Added: Randomize time of scheduled AutoConfigBackup runs #10811
- Fixed: Automated corruption recovery from cached
config.xml
backup files should check multiple backups #11748- Fixed: AutoConfigBackup schedule custom hour value lost on page load #11946
Certificates
- Added: Redirect Captive Portal users to login page after they logout #11264
- Fixed: Captive Portal post-auth redirect is not properly respected #11842
- Fixed: Potential XSS vulnerability in Captive Portal
redirurl
handling #11843Configuration Upgrade
- Fixed: Certificate Manager does not report Unbound as using a certificate #11678
- Fixed: PHP error on certificate list due to unreadable private key #11859
- Fixed: Export P12 icon is missing if certificate is not locally renewable #11884
Console Menu
- Fixed: PHP error in
upgrade_212_to_213()
when upgrading certain IPsec tunnels #11801DHCP (IPv6)
- Changed: Allow reroot on ZFS from console and GUI reboot menu entries #11914
DNS Forwarder
- Fixed:
dhcp6withoutra_script.sh
does not get executed when advanced options are set #11883DNS Resolver
- Fixed: Disable DNSSEC option for dnsmasq #11781
- Fixed: Update dnsmasq to 2.85 to fix CVE-2021-3448 #11866
Dashboard
- Fixed: Unbound Python Integration repeatedly mounts
dev
without unmounting #11456- Fixed: Stale hostname registration data for OpenVPN clients is not deleted from the DNS Resolver configuration at boot #11704
- Changed: Temporarily move back to Unbound 1.12.x due to instability on Unbound 1.13.x #11915
Diagnostics
- Fixed: Thermal sensors widget no longer shows values from certain hardware #11787
- Fixed: IPsec Dashboard widget only displays first P2 subnet when using a single traffic selector #11893
- Fixed: Editing widgets on Dashboard causes a PHP Warning #11939
Dynamic DNS
- Fixed: ARP Table populates hostname values using expired DHCP lease data #11510
- Fixed: Sanitize OpenVPN Client Export certificate password in status output #11767
- Fixed: Sanitize Captive Portal RADIUS MAC secret in status output #11769
- Fixed: MAC address OEM information missing from ARP table #11819
- Fixed: State table content on
diag_dump_states.php
does not sort properly #11852Gateways
- Added: New Dynamic DNS Provider: Mythic-Beasts #7842
- Added: New Dynamic DNS Provider: one.com #11293
- Added: New Dynamic DNS Provider: Yandex PDD #11294
- Added: New Dynamic DNS Provider: NIC.RU #11358
- Added: New Dynamic DNS Provider: Gandi LiveDNS IPv6 #11420
- Fixed: Automatic 25-day forced Dynamic DNS update removes wildcard domain #11667
- Fixed: Digital Ocean Dynamic DNS help text is incorrect #11754
- Fixed: NoIP.com Dynamic DNS update failure is not detected properly #11815
- Fixed: Dynamic DNS edit page incorrectly hides username field when switching away from Digital Ocean #11840
Hardware / Drivers
- Added: Input validation to prevent setting a load balancing gateway group as default #11164
High Availability
- Changed: Deprecate old cryptographic accelerator hardware which is not viable on modern systems #11426
- Fixed: Using SHA1 or SHA256 with AES-NI may fail if AES-NI attempts to accelerate hashing #11524
IGMP Proxy
- Fixed: Incorrect RADVD log message on HA event #11966
IPsec
- Fixed: IGMP Proxy restarts unnecessarily after IPv6 gateway events #11904
IPv6 Router Advertisements (RADVD)
- Added: GUI option to set RADIUS Timeout for EAP-RADIUS #11211
- Added: Option to switch IPsec filtering modes to choose between
enc
andif_ipsec
filtering #11395- Changed: Move custom IPsec NAT-T port settings to Advanced Options #11518
- Fixed: strongSwan configuration always contains user EAP/PSK values #11564
- Added: IPsec GUI option to control Child SA
start_action
#11576- Fixed: Error when adding both IPv4 and IPv6 P2 under an IPv4 or IPv6 only IKEv1 P1 #11651
- Fixed: Cannot disable IPsec P1 when related P2s are in VTI mode and enabled #11792
- Fixed: IPsec VTI interface names are not properly formed for more than 32 interfaces #11794
- Fixed: Applying IPsec settings for more than ~30 tunnels times out PHP #11795
- Fixed:
ipsec_vti()
does not skip disabled VTI entries #11832- Fixed: IPsec GUI allows creating multiple identical Phase 1 entries when using FQDN for remote gateway #11912
- Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point #11967
Interfaces
- Added: Use virtual link local IP address as RA source address for HA environments #11103
- Added: Shortcut buttons for service control and logs on RADVD configuration #11911
- Fixed: RADVD breaks on SIGHUP #11913
L2TP
- Fixed: DHCP interfaces are always treated as having a gateway, even if one is not assigned by the upstream DHCP server #5135
- Fixed: Interfaces page displays MAC Address field for interfaces which do not support L2 #11387
- Fixed: CLI interface configuration without IPv6 leaves RA enabled #11609
- Fixed: Incomplete PPPoE custom reset values lead to invalid cron entry #11698
- Fixed: Error when changing MTU if the interface is used for both IPv4 and IPv6 default routes #11855
- Added: VLAN list sorting #11968
NTPD
- Fixed: Unused L2TP VPN files are not removed when the service is disabled #11299
- Added: GUI option to set MTU for L2TP VPN server #11406
Notifications
- Fixed: NTP widget displays incorrect status #11495
- Fixed: NTP authentication input validation rejects valid keys #11850
OpenVPN
- Fixed: Invalid HTML encoding in modal Notices window #11765
Operating System
- Added: Allow the firewall to use DNS servers provided to an OpenVPN client instance #11140
- Fixed: OpenVPN Wizard does not support gateway groups #11141
- Added: Set Explicit Exit Notify to
1
by default for new OpenVPN client instances #11521- Added: Support for Cisco AVPair
{clientipv6}
template in firewall rules returns by RADIUS #11596- Changed: Set
explicit-exit-notify
option by default for new OpenVPN server instances #11684- Fixed: OpenVPN does not clean up parsed
Cisco-AVPair
rules on non-graceful disconnect #11699- Fixed: OpenVPN does not kill IPv6 client states on disconnect #11700
- Fixed: OpenVPN client starts when CARP VIP is in BACKUP status when bound to Virtual IP aliased to CARP VIP #11793
- Fixed: Certificate validation with OCSP always fails in
openvpn.tls-verify.php
#11830- Changed: Update OpenVPN to 2.5.2 #11844
- Fixed: OpenVPN client startup error if IPv6 Tunnel Network is defined in TAP mode #11869
Routing
- Added: Kernel modules for alternate congestion control algorithms #7092
- Added: Kernel module for RTL8153 driver #11125
- Added: Xen console support #11402
- Fixed: Unquoted variable in
dot.tcshrc
can cause proxy password to be printed #11867Rules / NAT
- Fixed: IPv4 link-local (
169.254.x.x
) gateway does not function #11806Traffic Shaper (ALTQ)
- Added: Support for IPv6 firewall entries with dynamic delegated prefix and static host address #6626
- Fixed: Disabling all interfaces associated with a floating rule causes the firewall to generate an incorrect pf rule #11688
- Fixed: Input validation prevents creating 1:1 NAT rules on IPsec #11751
- Fixed: Invalid combinations of TCP flag matching options cause
pfctl
parser error #11762- Fixed: Port forward rules only function through the default gateway interface,
reply-to
does not work for Multi-WAN (CE Only) #11805- Fixed: Error loading rules in certain cases where an interface is temporarily without an address #11861
- Fixed: NAT 1:1 fail to validate aliases #11923
Traffic Shaper (Limiters)
- Fixed: Harmless error when enabling traffic shaper #11229
- Fixed: Segmentation fault when loading ALTQ traffic shaping rules using FAIRQ #11550
Upgrade
- Fixed: Unused Limiter entries with schedules create unnecessary cron jobs #11636
- Fixed: Error when setting queue limit on CODELQ limiter #11725
Web Interface
- Fixed: Language presented to user during upgrade is misleading #11897
WireGuard
- Added: Replace HTTP links with HTTPS in the GUI #11228
- Fixed: Ambiguous text in help and input validation error for system domain name #11658
- Fixed: PHP error if
PHP_error.log
file is too large #11685- Fixed: RAM Disk Settings shows Kernel Memory at
0
Kb and does not allow the user to create RAM disks #11702- Fixed: HTTP Referer error message text is incorrect #11873
- Fixed: Missing
/0
subnet when cloning repeatable CIDR mask controls #11880- Fixed: Update NGINX to address CVE-2021-23017 #12061
Wireless XMLRPC
- Fixed: Ignore WireGuard configurations under
<installedpackages></installedpackages>
#11808