pfSense® 2.4.3 latest release


The Open Source release of pfSense® 2.4.3 is now available and ready for download. The main changes are listed below.
If you decide to use it, you can report your experience on the pfSense® forum.

Security / Errata

  • FreeBSD-SA-18:01.ipsec
  • Kernel PTI mitigations for Meltdown (optional tunable) FreeBSD-SA-18:03.speculative_execution.asc
  • IBRS mitigation for Spectre V2 (requires updated CPU microcode) FreeBSD-SA-18:03.speculative_execution.asc
  • Added a mechanism to update CPU microcode (cpuctl module, sysutils/devcpu-data port)
  • Imported a patch from FreeBSD to fix boot problems when running as a hypervisor guest on AMD Family 15h processors (FreeBSD PR #213155)
  • Added RRD parameter validation to ensure that the filenames passed are valid #8269
  • Fixed a potential XSS vector in RRD output encoding #8269 pfSense-SA-18_01.packages
  • Fixed a potential XSS vector in diag_system_activity.php output encoding #8300 pfSense-SA-18_02.webgui
  • Fixed a potential XSS vector in traffic_graphs.widget.php settings #8302 pfSense-SA-18_03.webgui
  • Fixed a potential CSRF issue in service control request processing #8296
  • Enabled CSRF protection for all dashboard widgets #8301
  • Added encoding for firewall schedule range descriptions #8259
  • Changed sshd to use delayed compression #8245
  • Increased PHP-FPM resources on systems with over 1 GB of RAM to improve performance #8125
  • Imported a netstat fix for ARM platforms to improve performance and reduce CPU usage, particularly on the Dashboard #8237
  • Fixed a memory leak in the pfSense_getall_interface_addresses() function in the pfSense PHP module #8249
  • Hardware support for XG-7100, including:
    • C3000 NIC support (factory installs only)
    • C3000 SoC support (factory installs only)
    • Marvell 88E6190 switch support (factory installs only)

Traffic Shaping / Limiters

  • Fixed hangs due to Limiters and pfsync in HA #4310
  • Added the Chelsio cxl driver to the list of ALTQ capable interfaces #7607
  • Fixed an issue with limiters that had fractional bandwidth values #8091
  • Changed status_queues.php to provide ‘realtime’ statistics #8185

IPsec

  • Changed IPsec Phase 1 to allow selecting both IPv4 and IPv6 so the local side can allow inbound connections to either address family #6886
  • Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and DH groups #8186
  • Fixed a problem when IPsec bypasslan was enabled while the LAN interface is disabled or doesn’t have an IP address #8239
  • Added IPv6 LAN Network to the IPsec LAN bypass list #8321

OpenVPN

  • Fixed an error message encountered by a few users when manually killing OpenVPN connections #8266
  • Added an OpenVPN tap bridge configuration option to push the bridged interface address to clients as a route-gateway for routes/redirects #8267
  • Added an option to the DNS Resolver which allows registering the CN of OpenVPN clients as hostnames #6847
  • Added an option to OpenVPN clients and servers to suppress creation of IPv4 or IPv6 gateway addresses for an interface #6848
  • Fixed issues with OpenVPN when using a /31 IPv4 Tunnel Network #8261
  • Updated the OpenVPN wizard with the current UDP and TCP protocol selections #8298
  • Added the interface for a VPN to the OpenVPN client and server list screens

Notifications

  • Changed SMTP notifications handling so they are batched, to avoid sending multiple e-mail messages in a short amount of time #4031
  • Added a notification when the firewall boot sequence is complete #7643

Dashboard

  • Fixed issues with the IPsec dashboard widget causing GUI failure #6318
  • Changed the Dynamic DNS Widget so it shows the description of custom entries to identify them #7843
  • Fixed a reference to deprecated updateGatewayDisplays() function in the Gateways dashboard widget #8303
  • Added a setting to the temperature widget to display readings in Fahrenheit #8205
  • Changed the picture widget so the picture is stored on the firewall filesystem and not in config.xml to reduce the size of backup data #8371
    • On upgrade, pictures will be moved out of config.xml, so back up this file separately if it is important

DHCP

  • Added an option to the DHCP Server Dynamic DNS configuration to set the server key algorithm #6621
  • Added DDNS Client Updates option to DHCPv4 #7131
  • Fixed handling of the DHCPv6 DDNS reverse zone key #6319
  • Fixed DHCPv4 static mappings so that multiple MAC for same DHCP address or hostname are allowed #8220
  • Fixed a potential issue in detecting primary/secondary node in a failover configuration
  • Improved DHCP relay destination interface discovery
  • Fixed DHCPv6 lease display for entries that were not parsed properly from the lease database #7413

Dynamic DNS

  • Added an option for RFC 2136 Dynamic DNS server key algorithm #8244
  • Added an option for RFC 2136 source address used to send updates #8278
  • Fixed issues with Dynamic DNS updates using a gateway group when the primary route is down #8333
  • Added GoDaddy Dynamic DNS provider

Interfaces / VIPs

  • Fixed issues on assign_interfaces.php with large numbers of interfaces #6400
  • Fixed handling of CARP VIPs on disabled interfaces at boot time #6677
  • Fixed issues with radvd being enabled on a disconnected interface #6974
  • Fixed issues with rtsold on VLAN interfaces #7412
  • Fixed issues with dhcp6c lock files after unclean shutdown when using “Do not wait for an RA” on IPv6 WAN interface #8106
  • Added a feature to allow pppoe on a CARP VIP so it will only be active on whichever node is master #8184
  • Fixed an error when editing PPP interfaces on a system with no VIPs #8322
  • Added VLAN priority tagging for DHCPv6 client requests #8200
  • Added support for configuring the DUID type for IPv6 interfaces #8191
  • Allow custom INIT string for PPP modem SIM Pin and APN settings
  • Added an indicator for disabled interfaces on status_interfaces.php
  • Fixed an issue with the PPP linkup and linkdown scripts and cellular modems
  • Fixed an issue where the combination of CARP with bridging could lead to a deadlock #8056

Packages

  • Fixed reinstall process for missing packages #8183

Captive Portal

  • Fixed Pass-through MAC automatic additions so it does not add duplicate entries #8226
  • Fixed a missing global definition in Captive Portal pass-through MAC removal #8238
  • Fixed Captive Portal voucher sync errors when vouchers are expired or disconnected while the secondary node is master #8317
  • Fixed Captive Portal voucher synchronization between HA nodes #7972

Certificates

  • Fixed automatic SAN handling when the CN of a certificate contains a space #8252
  • Fixed input validation for Certificate SAN values to disallow IP addresses for FQDN/Hostname entries #8275

Gateways/Routing

  • Fixed handling of the Router Lifetime value on services_router_advertisements.php so it allows a value of 0 #7502
  • Added ospf6d to the routing log
  • Allow recursive aliases to be used with static routes

Rules/NAT

  • Fixed various pf “busy” errors when the ruleset is reloaded
  • Fixed issues with editing firewall rules in non-English languages that contain single quotes in translated strings #8219
  • Added an option to disable drag-and-drop of firewall and NAT rules
  • Added a check to prevent 1:1 NAT rules with missing information from being added to the ruleset
  • Added firewall rule tracking ID to rule list (in counter tooltip) and firewall rule edit page #8348
  • Fixed cases where automatic or scripted rules were not getting tracking IDs #8353
  • Added a check to prevent automatic outbound firewall rules with missing information from being added to the ruleset #8360

Users/Authentication

  • Fixed issues with XMLRPC user account synchronization causing GUI inaccessibility on secondary HA nodes #7469
  • Fixed an issue where a user with no privileges could not logout #8297
  • Increased maximum username length from 16 to 32 characters to catch up to the current allowed length in FreeBSD
  • Fixed required field markings on LDAP authentication server configuration fields #8337
  • Fixed display of the LDAP host when testing the GUI authentication source #8338

Misc

  • Fixed NTP Status server time for zones with minute offsets (fractions of an hour) #8129
  • Added support for custom shutdown scripts in /usr/local/etc/rc.d #8182
  • Fixed a reference to an undefined function while restoring a config.xml file from an older version #8231
  • Added support to diag_packet_capture.php to capture traffic on the loopback interface #8257
  • Fixed an issue with the RAM disk warning pop-up appearing when no changes were made #8268
  • Fixed an issue with the address family selection for remote syslog servers using IPv6 #8323
  • Silenced warnings from sysctl that otherwise went to stderr
  • Added a disk size check to ZFS to prevent it from being used on disks which are too small to contain the OS and swap space #7308
  • Added a check to prevent pfSense-upgrade from running as a non-root user #7762
  • Added an option to disable the IGMP Proxy service #8356
  • Fixed an issue with package handling when restoring a configuration that contains a branch configuration that is not valid for the target system version #8208