Software-update: pfSense CE 2.8.0

Versie 2.8 van de Community Edition van pfSense is uitgekomen. Dit pakket is gebaseerd op het besturingssysteem FreeBSD en richt zich op router- en firewalltaken. Het is verkrijgbaar in de gratis Community Edition en een betaalde Plus-uitvoering, die voorheen als Factory Edition werd aangeboden. Het is in 2004 begonnen als een afsplitsing van m0n0wall vanwege verschillende visies bij de ontwikkelaars en in de loop van de jaren uitgegroeid tot een router- en firewallpakket dat in zowel kleine als zeer grote omgevingen kan worden ingezet. Voor meer informatie verwijzen we naar deze pagina. De releasenotes voor deze uitgave kunnen hieronder worden gevonden.

Upgrade Notes

Warning

Due to major changes in PHP and base OS versions, there is a higher than usual chance that packages will interfere with the upgrade process. To give an upgrade the best possible chance of going smoothly, uninstall all packages before starting the upgrade. Before upgrading, pay particular attention to the Pre-Upgrade Tasks section of the Upgrade Guide. The most crucial points are noted in this post, but the best practice is to follow all of the precautions noted in the Upgrade Guide.

Legacy Serial Consoles

After upgrading, older devices with ISA-based serial console ports may not fully detect their console due to changes in how FreeBSD probes serial ports. Devices may require manual intervention.

Updated Boot Loader

This version requires an updated boot loader, which is automatically handled by the upgrade process for nearly all cases. However, there may be some edge cases where the automatic update does not update the loader currently used by the device. For example, if there are multiple unmirrored disks and the BIOS/EFI Firmware is not booting from the disk containing the updated loader, but an older, unrelated installation on a separate disk. One particular case where this can happen is when there is a previous installation of MMC, which has been followed by an installation to an add-on SSD without clearing the MMC contents.

Low Memory Hardware

Hardware with 1 GiB or less available memory may have issues upgrading depending on which features, services, or packages are running. Tip: For devices running ZFS, see ZFS Tuning for information on reducing ZFS memory usage. For the best chance of success in these cases, temporarily disable any non-critical services before starting the upgrade. Rebooting before attempting the upgrade can also be beneficial.

New Features and Improvements

Automatic Configuration Backup

Automatic Configuration Backup, also called AutoConfigBackup or ACB, is a free service Netgate provides. This feature encrypts backups of the pfSense software configuration and uploads those encrypted backups to Netgate cloud storage servers. This service provides users with a secure and convenient method to create remote backups and restore known-good configurations. In this release, Netgate has rewritten the AutoConfigBackup user interface to make it more secure and efficient, fixed several bugs, and it now includes the ability for users to further enhance security by changing the Device Key.

New PPPoE Driver

This release contains a new PPPoE backend, if_pppoe, which enables a large performance increase over the existing MPD-based implementation. This option is not enabled by default, but users can opt into this new backend with a checkbox at System > Advanced on the Networking tab. In addition to performance gains, users should see a dramatic decrease in CPU usage due to PPPoE throughput. Users who have multi-gigabit PPPoE WAN links can enable this new feature and enjoy much faster WAN speeds. However, the new if_pppoe backend does not support all advanced features of the MPD implementation. For example, it does not support MLPPP.

Kea DHCP Feature Integration

This release contains several Kea DHCP features that bring feature parity with the ISC DHCP daemon. Some features were previously exclusive to pfSense Plus software, some features are new for this release.

• High Availability in the Kea DHCP daemon. This implementation has several advantages over the older ISC DHCP implementation, including:
  • Supports HA for DHCPv4 and DHCPv6.
  • Simplified HA setup, all in one place on each node for each type.
  • Works in hot standby mode, which is more reliable.
  • Can synchronize lease data over the SYNC interface for security and ease of use.
  • Optionally encrypts lease synchronization data for added protection.
• DNS Registration of DHCP client hostnames from the Kea DHCP daemon to the Unbound DNS Resolver.
  • Updates DNS records dynamically on-the-fly, updates do not require a resolver restart and are not disruptive.
  • Supports DNS Registration for DHCPv4 and DHCPv6.
  • DNS Registration can be configured in a per-interface or global manner, with the ability to enable or disable specific interfaces as needed.
  • DNS records are not limited to the system domain name. DNS Registration honors the domain name on the DHCP settings for each interface and on static mappings.
  • Keeps DNS records accurate and up-to-date on both high availability peers.
  • Can register static mappings when Kea starts (similar to ISC) or when a static mapping client obtains a lease.
• DHCPv6 Prefix Delegation.
  • Prefix Delegation settings in Kea use a different format than the ISC DHCPv6 daemon, so Kea cannot use existing settings for Prefix Delegation; settings for Prefix Delegation in Kea must be re-created manually when switching from ISC DHCPv6 to Kea DHCPv6.
  • See DHCPv6 Prefix Delegation in the pfSense software documentation for details.
• Static ARP Support.
  • This functionality was previously available in ISC DHCP, but is new to Kea.
• Custom Configuration Support.
  • Enables users to implement Kea features and options not supported in the pfSense software GUI by using JSON configuration snippets.
• Stability Improvements.
  • This release fixes several bugs in Kea on pfSense software which affected its configuration, stability, and overall operation.

NAT64

This release contains full support for NAT64. NAT64 is a form of NAT that enables clients with only IPv6 addresses to reach remote hosts using IPv4 addresses. NAT64 accomplishes this by mapping IPv4 addresses into a special IPv6 prefix dedicated to this purpose, such as the default NAT64 prefix, 64:ff9b::/96.

NAT64 on pfSense software is implemented across multiple areas, including NAT64 firewall rules, PREF64 in router advertisements, and DNS64 in the DNS Resolver Advanced options. There is a complete walkthrough for implementing NAT64 in the pfSense software documentation.

Gateway Fail-Back

This release includes support for enhanced gateway recovery "fail back" by optionally clearing states from lower tier gateways when a more preferred gateway recovers. This allows the firewall to force connections back to a higher priority gateway when it recovers, which can help in environments when lower priority gateways have significantly lower bandwidth or metered charges.

System Aliases

This release contains new Built-in System Aliases that allow user-created firewall rules to utilize aliases that were previously only usable by internal firewall rules. This feature also contains several new aliases with common collections of reserved and special-purpose networks, so that users do not need to define their own alias on each device for things like private networks or multicast networks.

State Policy

This release changes the default State Policy from Floating to Interface Bound for increased security. However, Interface Bound states may have issues in certain cases with IPsec VTI, Multi-WAN policy routing, as well as with High Availability state synchronization on non-identical hardware. Workarounds are in place to fall back to Floating states in certain cases, such as IPsec/VTI. The default policy can be toggled back to Floating using the State Policy option under System > Advanced on the Firewall & NAT tab. There is also an option to override this behavior on a per-rule basis in the advanced options when editing a firewall rule.

Security Advisories

This release fixes several security issues in pfSense software, including:

• pfSense-SA-25_01.webgui: Multiple problems in Dashboard widget key handling which could lead to XSS, denial of service, or configuration corruption.
• pfSense-SA-25_02.webgui: OpenVPN management interface command injection from OpenVPN status and Dashboard widget.
• pfSense-SA-25_03.webgui: Potential XSS in the AutoConfigBackup backup list.
• pfSense-SA-25_04.webgui: Potential disclosure of AutoConfigBackup Device Key if SSH service is enabled and exposed to untrusted networks.
• pfSense-SA-25_05.webgui: Stored XSS in Firewall Schedules.
• pfSense-SA-25_06.webgui: Stored XSS in IPsec tunnel Phase 1 list.
• pfSense-SA-25_07.webgui: Stored XSS in Wake on LAN pages and Dashboard widget.

System Patches for Previous Versions

Fixes for these security issues are available via the recommended patches function of the System Patches Package for users running pfSense Plus software version 24.11 as well as pfSense CE software version 2.7.2.

• See our previous post about Using the System Patches Package for a walkthrough that covers installing/updating the package and applying recommended patches.

Operating System and Base System Component Updates

This release includes additional security fixes for issues in FreeBSD as well as base system component packages. These binary-only fixes are only available by upgrading to a new release.