pfSense Changelog

What's new in pfSense 2.4.4-p3

May 23, 2019

A privilege escalation issue where an authenticated user could have used a technique similar to directory traversal to gain access to pages for which they otherwise would not have privileges
A privilege escalation issue where an authenticated user granted access to the Dashboard or widgets could have gained access to pages for which they otherwise would not have privileges
A privilege escalation issue where an authenticated user granted access to edit OpenVPN servers, clients, or client-specific overrides could have executed shell scripts via OpenVPN advanced options to gain higher privileges
A new set of privileges has been created to delegate access to edit the advanced options fields on these pages. Existing users who are not administrators, but only have access to the stated pages, can no longer edit advanced option fields until the new privileges have been granted.
Potential cross-site scripting (XSS) vectors in 10 GUI pages
The sshguard daemon which protects the GUI and ssh against brute force attacks was changed to use a single table to block offenders from reaching the GUI and SSH, which corrects previous unexpected inconsistencies in behavior.
Several FreeBSD security advisories:
FreeBSD-SA-19:03.wpa
FreeBSD-SA-19:04.ntp
FreeBSD-SA-19:05.pf
FreeBSD-SA-19:06.pf
FreeBSD-SA-19:07.mds
FreeBSD-EN-19:08.tzdata
DNS over TLS host verification has been added, thanks to support from a recent Unbound version that made it possible on systems without OpenSSL 1.1.x.

New in pfSense 2.4.4-p2 (Jan 11, 2019)

New in pfSense 2.4.4 (Sep 26, 2018)

NEW FEATURES:
OS Upgrade: Base Operating System upgraded to FreeBSD 11.2-RELEASE-p3. As a part of moving to FreeBSD 11.2, support is included for C3000-based hardware.
PHP 7.2: PHP upgraded to version 7.2, which required numerous changes to syntax throughout the source code and packages.
Routed IPsec (VTI): Routed IPsec is now possible using using FreeBSD if_ipsec(4) Virtual Tunnel Interfaces (VTI).
IPsec Speed Improvements: The new Asynchronous Cryptography option under the IPsec Advanced Settings tab can dramatically improve IPsec performance on multi-core hardware.
Default Gateway Group: The default gateway may now be configured using a Gateway Group setup for failover, which replaces Default Gateway Switching.
Limiter AQM/Queue Schedulers: Limiters now include support for several Active Queue Management (AQM) methods and Queue Scheduler configurations such as FQ_CODEL.
Certificate Subject Requirements: The Certificate Manager and OpenVPN wizard now only require the Common Name to be set, and all other fields are optional.
DNS over TLS: The DNS Resolver now includes support for DNS over TLS as both a client and a server, including for domain overrides.
Captive Portal Authentication: Captive Portal authentication is now integrated with the User Manager system. Captive Portal instances may now use RADIUS, LDAP, or Local Authentication like other integrated services.
Captive Portal HTML Design and Usability: The default Captive Portal page has been redesigned. Controls have also been added which allow the logo and background images and Terms of Service text to be customized without editing and uploading custom HTML code.
Integrated Switch Improvements: Netgate devices with integrated switches such as the SG-3100 and XG-7100 can now configure per-port speed and duplex settings, discrete port configuration interfaces can now be tied to switch ports for up/down status, and LAGG support is also now available (Load Balance mode only)
New Hardware: Support has been added for the new SG-5100.
SECURITY:
FreeBSD SA for CVE-2018-6922: Resource exhaustion in TCP reassembly FreeBSD-SA-18:08.tcp
FreeBSD SA for CVE-2018-3620, CVE-2018-3646: L1 Terminal Fault (L1TF) Kernel Information Disclosure FreeBSD-SA-18:09.l1tf
FreeBSD SA for CVE-2018-6923: Resource exhaustion in IP fragment reassembly FreeBSD-SA-18:10.ip
FreeBSD SA for CVE-2018-14526: Unauthenticated EAPOL-Key Decryption Vulnerability FreeBSD-SA-18:11.hostapd
FreeBSD SA for CVE-2018-6924: Improper ELF header parsing FreeBSD-SA-18:12.elf
FreeBSD errata notice for LazyFPU remediation causing potential data corruption FreeBSD-EN-18:08.lazyfpu
Fixed two potential XSS vectors and an authenticated command execution issue.
Upgraded several binary packages in the base system to address upstream vulnerabilities, including strongSwan CVE-2018-5388, OpenSSH CVE-2018-15473, and cURL CVE 2018-14618
Updated default cryptographic settings for OpenVPN, IPsec, and Certificates
Changed the included DH groups to those defined in RFC 7919
Added stronger IPsec Pre-Shared Key usage warnings, and a button to generate a secure PSK
Changed from sshlockout_pf to sshguard for monitoring failed logins and locking out offenders, this allows the lockout to work on IPv4 and IPv6 and also terminates states when adding offenders to the block list
Disabled OpenVPN compression by default on new instances for security reasons due to VORACLE
Users are strongly urged to disable compression on OpenVPN instances if they pass unencrypted data such as HTTP to arbitrary Internet sites.
NOTABLE BUG FIXES:
Fixed an issue with ARM hardware not completely halting when shut down (SG-3100 and SG-1000)
Fixed HDMI hotplug issues on Minnowboard Turbot hardware (MBT-2220 and MBT-4220)
Fixed SG-1000 autonegotiation for 10baseT speed and duplex

New in pfSense 2.4.2 (Nov 22, 2017)

Security / Errata
Updated to OpenSSL 1.0.2m to address CVE-2017-3736 and CVE-2017-3735
FreeBSD-SA-17:10.kldstat
FreeBSD-SA-17:08.ptrace
Fixed a potential XSS vector in status_monitoring.php #8037 pfSense-SA-17_07.packages.asc
Fixed a potential XSS vector in diag_dns.php #7999 pfSense-SA-17_08.webgui.asc
Fixed a potential XSS vector on index.php via widget sequence parameters #8000 pfSense-SA-17_09.webgui.asc
Fixed a potential XSS in the widgetkey parameter of multi-instance dashboard widgets #7998 pfSense-SA-17_09.webgui.asc
Fixed a potential clickjacking issue in the CSRF error page
Interfaces
Fixed PPP interfaces with a VLAN parent when using the new VLAN names #7981
Fixed issues with QinQ interfaces failing to show as active #7942
Fixed a panic/crash when disabling a LAGG interface #7940
Fixed issues with LAGG interfaces losing their MAC address #7928
Fixed a crash in radvd on SG-3100 (ARM) #8022
Fixed an issue with UDP packet drops on SG-1000 #7426
Added an interface to manage the built-in switch on the SG-3100
Trimmed more characters off the interface description to avoid console menu output line wrapping on a VGA console
Fixed handling of the VIP uniqueid parameter when changing VIP types
Fixed PPP link parameter field display when a VLAN parent interface was selected #8098
Operating System
Fixed issues resulting from having a manually configured filesystem layout with a separate /usr slice #8065
Fixed issues updating ZFS systems created ZFS using an MBR partition scheme (empty /boot due to bootpool not being imported) #8063
Fixed issues with BGP sessions utilizing MD5 TCP signatures in routing daemon packages #7969
Updated dpinger to 3.0
Enhanced the update repository selection choices and methods
Updated the system tunables that tell the OS not harvest data from interrupts, point-to-point interfaces and Ethernet devices to reflect the new name/format for FreeBSD 11
Changed ruleset processing so that it retries if another process is in the middle of an update, rather than presenting an error to the user
Fixed some UEFI boot issues on various platforms
Certificates
Fixed invalid entries in /etc/ssl/openssl.cnf (only affected non-standard usage of openssl in the cli/shell) #8059
Fixed LDAP authentication when the server uses a globally trusted root CA (new CA selection for "Global Root CA List") #8044
Fixed issues creating a certificate with a wildcard CN/SAN #7994
Added validation to the Certificate Manager to prevent importing a non-certificate authority certificate into the CA tab #7885
IPsec
Fixed a problem using IPsec CA certificates when the subject contains multiple RDNs of the same type #7929
Fixed an issue with enabling IPsec mobile client support in translated languages #8043
Fixed issues with IPsec status display/output, including multiple entries (one disconnected, one connected) #8003
Fixed display of multiple connected mobile IPsec clients #7856
Fixed display of child SA entries #7856
OpenVPN
Added an option for OpenVPN servers to utilize "redirect-gateway ipv6" to act as the default gateway for connecting VPN clients with IPv6, similar to "redirect-gateway def1" for IPv4. #8082
Fixed the OpenVPN Client Certificate Revocation List option #8088
Traffic Shaping
Fixed an error when configuring a limiter over 2Gb/s (new max is 4Gb/s) #7979
Fixed issues with bridge network interfaces not supporting ALTQ #7936
Fixed issues with vtnet network interfaces not supporting ALTQ #7594
Fixed an issue with Status > Queues failing to display statistics for VLAN interfaces #8007
Fixed an issue with traffic shaping queues not allowing the total of all child queues to be 100% #7786
Fixed an issue with limiters given invalid fractional/non-integer values from limiter entries or passed to Captive Portal from RADIUS #8097
Rules/NAT
Fixed selection of IPv6 gateways when creating a new firewall rule #8053
Fixed errors on the Port Forward configuration page resulting from stale/non-pfSense cookie/query data #8039
Fixed setting VLAN Priority via firewall rules #7973
XMLRPC
Fixed a problem with XMLRPC synchronization when the synchronization user has a password containing spaces #8032
Fixed XMLRPC Issues with Captive Portal vouchers #8079
WebGUI
Added an option to disable HSTS for the GUI web server #6650
Changed the GUI web service to block direct download of .inc files #8005
Fixed sorting of Services on the dashboard widget and Services Status page #8069
Fixed an input issue where static IPv6 entries allowed invalid input for address fields #8024
Fixed a JavaScript syntax error in traffic graphs when invalid data is encountered (e.g. user was logged out or session cleared) #7990
Fixed sampling errors in Traffic Graphs #7966
Fixed a JavaScript error on Status > Monitoring #7961
Fixed a display issue with empty tables on Internet Explorer 11 #7978
Changed configuration processing to use an exception rather than die() when it detects a corrupted configuration
Added filtering to the pfTop page
Added a means for packages to display a modal to the user (e.g. reboot required before package can be used)
Dashboard
Fixed display of available updates on the Installed Packages Dashboard widget #8035
Fixed a font issue in the Support Dashboard widget #7980
Fixed formatting of disk slices/partitions in the System Information Dashboard widget
Fixed an issue with the Pictures widget when there is no valid picture saved #7896
Packages
Fixed display of packages which have been removed from the repository in the Package Manager #7946
Fixed an issue displaying locally installed packages when the remote package repository is unavailable #7917
Misc
Fixed interface binding in ntpd so it does not erroneously listen on all interfaces #8046
Fixed a problem where restarting the syslogd service would make sshlockout_pf process orphans #7984
Added support for the ClouDNS dynamic DNS provider #7823
Fixed an issue in the User and Group Manager pages when operating on entries immediately after deleting an entry #7733
Changed the setup wizard so it skips interface configuration when run on an AWS EC2 Instance #6459
Fixed an IGMP Proxy issue with All-multicast mode on SG-1000 #7710

New in pfSense 2.4.1 (Oct 27, 2017)

New in pfSense 2.4.0 (Oct 13, 2017)

New in pfSense 2.3.4 (May 5, 2017)

Dashboard Updates:
On the 2.3.4-RELEASE Dashboard you’ll find a few additional pieces of information: The BIOS vendor, version, and release date – if the firewall can determine them – and a Netgate Unique ID. The Netgate Unique ID is similar to a serial number, it is used to uniquely identify an instance of pfSense software for customers who want to purchase support services. For hardware sold in our store, it also allows us to tie units to our manufacturing records. This ID is consistent across all platforms (bare metal, virtual machines, and hosted/cloud instances such as AWS/Azure). We had originally intended to use the hardware serial number or the UUID generated by the operating system, but we found that these were unreliable, inconsistent, and they could change unexpectedly when the operating system was reinstalled.
As with the serial number, this identifier is only displayed on the Dashboard for information purposes and is not transmitted anywhere automatically by default. In the future, customers can use this identifier when requesting support information from our staff or systems.
If you haven’t yet caught up on the changes in 2.3.x, check out the Features and Highlights video. Past blog posts have covered some of the changes, such as the performance improvements from tryforward, and the webGUI update.
Firewall GUI Certificates:
Users of Chrome 58 and later, and in some cases Firefox 48 and later, may have issues accessing the pfSense Web GUI if it uses a default self-signed certificate generated automatically by a firewall running pfSense version 2.3.3-p1 or earlier. This is because Chrome 58 strictly enforces RFC 2818 which calls for only matching hostnames using Subject Alternative Name (SAN) entries rather than the Common Name field of a certificate, and the default self-signed certificate did not populate the SAN field.
We have corrected the certificate code to correctly follow RFC 2818 in a user-friendly way by automatically adding the certificate Common Name value as the first SAN entry.
Firewall administrators will need to generate a new certificate for use by the GUI in order to utilize the new format. There are several ways to generate a compatible certificate, including:
Generate and activate a new GUI certificate automatically from the console or ssh shell using one of our playback scripts:
pfSsh.php playback generateguicert
Utilize the ACME package to generate a trusted certificate for the GUI via Let’s Encrypt, which is already properly formatted.
Manually create a new self-signed Certificate Authority (CA) and a Server Certificate signed by that CA, then use that for the GUI.
Activate the local browser “EnableCommonNameFallbackForLocalAnchors” option in Chrome 58. This setting will be removed by Chrome eventually, so this is only a temporary fix.
Some users may remember this is not the first time that the default certificate format has been problematic due to browser changes. Several years ago, Firefox changed the way they calculate certificate trust chains, which could make a browser appear to freeze or hang when attempting to access multiple firewalls with self-signed certificates containing common default data which resulted in all such certificates containing the same Subject. Fixing that was more of a challenge, but it resulted in a much better end-user experience.

New in pfSense 2.3.2-p1 (Oct 6, 2016)

FreeBSD-SA-16:26.openssl - Multiple vulnerabilities in OpenSSL. The only significant impact on pfSense is OCSP for HAproxy and FreeRADIUS.
Several HyperV-related Errata in FreeBSD 10.3, FreeBSD-EN-16:10 through 16:16. See https://www.freebsd.org/relnotes/10-STABLE/errata/errata.html for details.
Several built-in packages and libraries have been updated, including:
PHP to 5.6.26
libidn to 1.33
curl to 7.50.3
libxml2 to 2.9.4
Added encoding to the 'zone' parameter on Captive Portal pages.
Added output encoding to diag_dns.php for results returned from DNS. #6737
Worked around a Chrome bug with regular expression parsing of escaped characters within character sets. Fixes "Please match the requested format" on recent Chrome versions. #6762
Fixed DHCPv6 server time format option #6640
Fixed /usr/bin/install missing from new installations. #6643
Increased filtering tail limit for logging so searching will locate sufficient entries. #6652
Cleaned up Installed Packages widget and HTML. #6601
Fixed widget settings corruption when creating new settings. #6669
Fixed various typos and wording errors.
Removed defunct links to the devwiki site. Everything is on https://doc.pfsense.org now.
Added a field to CA/Cert pages for OU, which is required by some external CAs and users. #6672
Fixed a redundant HTTP "User-Agent" string in DynDNS updates.
Fixed the font for sortable tables.
Added a check to verify if an interface is active in a gateway group before updating dynamic DNS.
Fixed wording of the "Reject leases from" option for a DHCP interface (it can only take addresses, not subnets.) #6646
Fixed error reporting for SMTP settings test.
Fixed saving of country, provider, and plan valies for PPP interfaces
Fixed checking of invalid "Go To Line" numbers on diag_edit.php. #6704
Fixed off-by-one error with "Rows to Display" on diag_routes.php. #6705
Fixed description of the filter box on diag_routes.php to reflect that all fields are searchable. #6706
Fixed description of the box for the file to edit on diag_edit.php. #6703
Fixed description of the main panel on diag_resetstate.php. #6709
Fixed warning dialog when a box is unchecked on diag_resetstate.php. #6710
Fixed log shortcut for DHCP6 areas. #6700
Fixed the network delete button showing when only one row was present on services_unbound_acls.php #6716
Fixed disappearing help text on repeatable rows when the last row is deleted. #6716
Fixed dynamic DNS domain for static map DHCP entries
Added control to set dashboard widget refresh period
Added "-C /dev/null" to the dnsmasq command line parameters to avoid it picking up an incorrect default configuration which would override our options. #6730
Added "-l" to traceroute6 to show both IP Addresses and Hostnames when resolving hops on diag_traceroute.php. #6715
Added note about max ttl/hop limit in source comment on diag_traceroute.php.
Clarified language on diag_tables.php. #6713
Cleaned up the text on diag_sockets.php. #6708
Fixed display of VLAN interface names during console assignment. #6724
Fixed domain-name-servers option showing twice in pools when set manually.
Fixed handling of DHCP options in pools other than the main range. #6720
Fixed missing hostnames in some cases with dhcpdv6. #6589
Improved pidfile handling for dhcpleases.
Added checks to prevent accessing an undefined offset in IPv6.inc.
Fixed the display of the alias popup and edit options on source and destination for both the address and port on outbound NAT.
Fixed handling of backup config count. #6771
Removed some dangling PPTP references that are no longer relevant.
Fixed up/caught up remote syslog areas. Added "routing", "ntpd", "ppp", "resolver", fixed "vpn" to include all VPN areas (IPsec, OpenVPN, L2TP, PPPoE Server). #6780
Fixed missing checkboxes in some cases when adding rows on services_ntpd.php. #6788
Revised service running/stopped icons.
Added a check to CRL management to remove certificates from the drop-down list that are already contained in the CRL being edited.
Fixed rule separators moving when multiple firewall rules are deleted at the same time. #6801

New in pfSense 2.3.2 (Jul 26, 2016)

Backup/Restore:
Don't allow applying changes on interface mismatch post-config restore until the reassignment is saved. #6613
Dashboard:
Dashboard now has per-user configuration options, documented in User Manager. #6388
DHCP Server:
Disabled dhcp-cache-threshold to avoid bug in ISC dhcpd 4.3.x omitting client-hostname from leases file, which makes dynamic hostname registration fail in some edge cases. #6589
Note that DDNS key must be HMAC-MD5. #6622
DHCP Relay:
Imported fix for dhcrelay relaying requests on the interface where the target DHCP server resides. #6355
Dynamic DNS:
Allow * for hostname with Namecheap. #6260
Interfaces:
Fix "can't assign requested address" during boot with track6 interfaces. #6317
Remove deprecated link options from GRE and gif. #6586, #6587
Obey "Reject leases from" when DHCP "Advanced options" is checked. #6595
Protect enclosed delimiters in DHCP client advanced configuration, so commas can be used there. #6548
Fix default route on PPPoE interfaces missing in some edge cases. #6495
IPsec:
strongSwan upgraded to 5.5.0.
Include aggressive in ipsec.conf where IKE mode auto is selected. #6513
Gateway Monitoring:
Fixed "socket name too large" making gateway monitoring fail on long interface names and IPv6 addresses. #6505
Limiters:
Set pipe_slot_limit automatically to maximum configured qlimit value. #6553
Monitoring:
Fixed no data periods being reported as 0, skewing averages. #6334
Fix tooltip showing as "none" for some values. #6044
Fix saving of some default configuration options. #6402
Fix X axis ticks not responding to resolution for custom time periods. #6464
OpenVPN:
Re-sync client specific configurations after save of OpenVPN server instances to ensure their settings reflect the current server configuration. #6139
Operating System:
Fixed pf fragment states not being purged, triggering "PF frag entries limit reached". #6499
Set core file location so they can't end up in /var/run and exhaust its available space. #6510
Fixed "runtime went backwards" log spam in Hyper-V. #6446
Fixed traceroute6 hang with non-responding hop in path. #3069
Added symlink /var/run/dmesg.boot for vm-bhyve. #6573
Set net.isr.dispatch=direct on 32 bit systems with IPsec enabled to prevent crash when accessing services on the host itself via VPN. #4754
Router Advertisements:
Added configuration fields for minimum and maximum router advertisement intervals and router lifetime. #6533
Routing:
Fixed static routes with IPv6 link local target router to include interface scope. #6506
Rules / NAT:
Fixed "PPPoE Clients" placeholder in rules and NAT, and ruleset error when using floating rules specifying PPPoE server. #6597
Fixed failure to load ruleset with URL Table aliases where empty file specified. #6181
Fixed TFTP proxy with xinetd. #6315
Upgrade:
Fixed nanobsd upgrade failures where DNS Forwarder/Resolver not bound to localhost. #6557
Virtual IPs:
Fixed performance problems with large numbers of virtual IPs. #6515
Fixed PHP memory exhaustion on CARP status page with large state tables. #6364
Web Interface:
Added sorting to DHCP static mappings table. #6504
Fixed file upload of NTP leap seconds. #6590
Added IPv6 support to diag_dns.php. #6561
Added IPv6 support to filter logs reverse lookup. #6585
Package system - retain field data on input error. #6577
Fixed multiple IPv6 input validation issues allowing invalid IPv6 IPs. #6551, #6552
Fixed some DHCPv6 leases missing from GUI leases display. #6543
Fixed state killing for 'in' direction and states with translated destination. #6530, #6531
Restore input validation of captive portal zone names to prevent invalid XML. #6514
Replaced calendar date picker in the user manager with one that works in browsers other than Chrome and Opera. #6516
Restored proxy port field to OpenVPN client. #6372
Clarify description of ports aliases. #6523
Fixed translation output where gettext passed an empty string. #6394
Fixed speed selection for 9600 in NTP GPS configuration. #6416
Only allow IPv6 IPs on NPT screen. #6498
Add alias import support for networks and ports. #6582
Fixed sortable table header wrap oddities. #6074
Clean up Network Booting section of DHCP Server screen. #6050
Fix "UNKNOWN" links in package manager. #6617
Fix missing bandwidth field for traffic shaper CBQ queues. #6437
UPnP:
UPnP presentation URL and model number now configurable. #6002
User Manager:
Prohibit admins from deleting their own accounts in the user manager. #6450
Other:
Added PHP shell sessions to enable and disable persistent CARP maintenance mode. "playback enablecarpmaint" and "playback disablecarpmaint". #6560
Exposed serial console configuration for nanobsd VGA. #6291

New in pfSense 2.3.1 Update 5 (Jun 16, 2016)

New in pfSense 2.3.1 Update 1 (May 27, 2016)

New in pfSense 2.3.1 (May 19, 2016)

Config Upgrade:
Fixed config upgrade for CARP VIPs on gateway groups, GRE and gif for uniqid format. #6222
Fixed config upgrade for IP aliases with CARP IP parent. #6164
Correct OpenVPN topology config upgrade to retain 2.2.x and prior net30 topology. #6140
Correct and adjust apinger parameters to dpinger parameters automatically on upgrade. #6142
Gateways:
Fix static route for IPv6 monitor IP with link-local gateway. #6353
Fix default gateway switching with IPv6 and link-local gateways. #6258
OS / Backend:
NanoBSD is now permanent read-write, to avoid issues with slow rw->ro mount times and systems getting stuck read-only mounted. #6184
Systems using a RAM disk for /var/ have their alias tables backed up and restored during bootup. #6189
Set console settings (serial configuration, password protection, etc.) post-upgrade. #6120
Ensure package repo is updated with latest metadata when checking for latest version. #6115
Display consistent firmware version on dashboard and in update checker. #6320
Correct description of update branch options. #6136
Prevent update checking failures from killing webGUI. #6177
Make pkg use configured proxy server settings where they exist. #6149
Web GUI:
Fix row delete button on unsaved aliases, NTP, UPnP and other screens. #6101
Captive portal MAC passthrough credits waiting period box restored. #6290
Outbound NAT edit screen destination field alias auto-completion restored. #6287
Captive portal allowed IPs direction selection on edit fixed. #6267
Restored input validation on port forwards to prohibit IPv6. #6265
Restored input validation on firewall rules to prohibit IPv6 IPs in IPv4 rules and vice versa. #6211
Fixed PHP error on edit of PPP interfaces. #6264
Fixed radio button placement on gateways dashboard widget settings. #6259
Fixed display post-refresh of system information dashboard widget. #6251
Restored in/out bytes counters on Status>Interfaces. #6244
Correctly show and hide OpenVPN topology field as applicable. #6236 #6214
Correct voucher character set input validation. #6231
Disable background update checking on dashboard update check is disabled. #6212
Restore input validation of IP address family and rule type, verifying IPv6 IPs with IPv6 rules, and IPv4 for IPv4 rules. #6218
Add validation of address family and protocol combinations on packet capture page. #6219
Add validation of IP aliases with CARP parent interfaces to ensure matching address family. #6218
Restore GET parameters on status_graph.php. #6192
Fixed PHP error on input validation failure with floating rules in some cases. #6175
Use CDATA for firewall rule separator descriptions so non-English characters work. #6174
Fix port forward edit destination field filling when virtual IPs configured. #6173
Fix load balancer monitor edit. #6171
Restore "none" in load balancer fall-back pool. #6170
Restore use of aliases in load balancer. #6169
Fix duplicate for load balancer pools and virtual servers. #6168
Restore description field on lagg edit page. #6163
Fix saving of bogons update frequency. #6162
Restore description field on captive portal IP passthrough. #6161
Fix saving of sticky connections timeout field. #6146
Show all restore areas in backup/restore screen. #6144
Fix moving of rule separator before saving. #6128
Use consistent up and down arrow formats on dashboard widgets. #6123
Fix typo on OpenVPN server description. #6102
Fix missing string on notification "mark as read" button. #6104
Fix firewall rule separator positioning with easy rule addition. #6105
Prevent closing of info box on monitoring page. #6106
Use infoblock on IPsec PSK screen. #6107
Fixed loss of "Do not NAT" enable on edit on outbound NAT. #6112
Correct label of 1:1 NAT edit screen. #6114
Add AJAX updates to NTP status page. #6117
Fix button spacing on Edit File and Command pages. #5995
Fix specification of port in DNS Resolver domain overrides. #6091
Fix moving of multiple items to bottom of list on firewall, NAT and IPsec screens. #6092
Fix setup wizard with only WAN assigned and using static IP. #6093
Remove logo from wizard since it's now redundant. #6095
Fix gateway widget cut-off with 3 column dashboard. #6096
Fixed force update on RFC 2136 DDNS. https://redmine.pfsense.org/issues/6359
Fix reboot prompt when changing RAM disk setting and encountering an input error. #6349
Fix highlighted tab when editing IPsec mobile P1. #6341
Fix selection of configured speed and duplex on interface page. #6331
Fix division by zero in status_queues.php. #6329
Fix alignment issues in forms. #6327
Fix entry of CIDR range in host aliases for conversion to IPs. #6322
Allow use of # and ! again in DNS Forwarder domain overrides. #6310
Restored hostname infobox in menu bar. #6306
Fixed editing and deleting of additional DHCP pools. #6303
Fixed requests to diag_system_activity.php piling up on slow systems. #6166
Interfaces:
Unset LAN DHCPv6/RA configuration if LAN interface is removed. #6152
IPsec:
Fix starting of strongswan twice. #6160
DNS Resolver:
Switched domain overrides from stub-zone to forward-zone so domain overrides don't require the target server provide recursion. #6065
Allow adding 0.0.0.0/0 to access lists. #6073
Added 100,000 and 200,000 options for Unbound cache limit. #6230
Fix Unbound startup where both DNS Forwarder and Resolver are enabled. #6354
DHCP Server:
Hostnames now allowed for NTP servers. #6239
IPsec:
Fixed LAN interfaces stopping functioning when IPsec is in use. #6292
Mobile PSK matching issue with multiple PSKs fixed. #6286
leftsendcert=always specified for all RSA types. #6082
rc.newipsecdns fixed to check correct enabled status. #6351
Notifications:
Fixed growl notifications to unresolvable hostname generating crash report. #6187
Fixed growl notification test with no password. #6221
Captive Portal:
Fixed error handling captive portal username with single quote. #6203
Fixed issues with mixed-case zone names. #6278
OpenVPN:
Prevent leading space in tunnel network configuration causing invalid configuration. #6198
User Manager:
Fix RADIUS login with attribute class (25) when the server returns multiple attribute entries with different data. #6086
Honor deny config write for RADIUS users. #6088
Package System:
Uninstall all packages pre-upgrade from

New in pfSense 2.3 (Apr 12, 2016)

New in pfSense 2.3 RC (Apr 2, 2016)

New in pfSense 2.2.6 / 2.3 Alpha (Dec 22, 2015)

New in pfSense 2.2.5 (Nov 8, 2015)

New in pfSense 2.2.4 (Jul 28, 2015)

New in pfSense 2.2.3 (Jun 25, 2015)

New in pfSense 2.2.2 (Apr 16, 2015)

New in pfSense 2.2.1 (Mar 18, 2015)

New in pfSense 2.2 (Jan 24, 2015)

New in pfSense 2.1.4 (Jun 26, 2014)

Security Fixes:
pfSense-SA-14_07.openssl
FreeBSD-SA-14:14.openssl
pfSense-SA-14_08.webgui
pfSense-SA-14_09.webgui
pfSense-SA-14_10.webgui
pfSense-SA-14_11.webgui
pfSense-SA-14_12.webgui
pfSense-SA-14_13.packages
Packages also had their own independent fixes and need updating. During the firmware update process the packages will be reinstalled properly. Otherwise, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use.
Other Fixes:
Patch for Captive Portal pipeno leaking issue which leads to the ‘Maximum login reached’ on Captive Portal. #3062
Remove text not relevant to Allowed IPs on the Captive Portal. #3594
Remove units from burst as it is always specified in bytes. (Per ipfw(8)).
Add column for internal port on UPnP status page.
Make listening on interface rather than IP optional for UPnP.
Fix highlighting of selected rules. #3646
Add guiconfig to widgets not including it. #3498
/etc/version_kernel and /etc/version_base no longer exist, use php_uname to get the version for XMLRPC check instead.
Fix variable typo. #3669
Delete all IP Aliases when an interface is disabled. #3650
Properly handle RRD archive rename during upgrade and squelch errors if it fails.
Convert protocol ssl:// to https:// when creating HTTP headers for XMLRPC.
Show disabled interfaces when they were already part of an interface group. This avoids showing a random interface instead and letting the user add it by mistake. #3680
The client-config-dir directive for OpenVPN is also useful when using OpenVPN’s internal DHCP while bridging, so add it in that case also.
Use curl instead of fetch to download update files. #3691
Escape variable before passing to shell from stop_service().
Add some protection to parameters that come through _GET in service management.
Escape argument on call to is_process_running, also remove some unecessary mwexec() calls.
Do not allow interface group name to be bigger than 15 chars. #3208
Be more precise to match members of a bridge interface, it should fix #3637
Do not expire already disabled users, it fixes #3644
Validate starttime and stoptime format on firewall_schedule_edit.php
Be more careful with host parameter on diag_dns.php and make sure it’s escaped when call shell functions
Escape parameters passed to shell_exec() in diag_smart.php and elsewhere
Make sure variables are escaped/sanitized on status_rrd_graph_img.php
Replace exec calls to run rm by unlink_if_exists() on status_rrd_graph_img.php
Replace all `hostname` calls by php_uname(‘n’) on status_rrd_graph_img.php
Replace all `date` calls by strftime() on status_rrd_graph_img.php
Add $_gb to collect possibly garbage from exec return on status_rrd_graph_img.php
Avoid directory traversal in pkg_edit.php when reading package xml files, also check if file exists before try to read it
Remove id=0 from miniupnpd menu and shortcut
Remove . and / from pkg name to avoid directory traversal in pkg_mgr_install.php
Fix core dump on viewing invalid package log
Avoid directory traversal on system_firmware_restorefullbackup.php
Re-generate session ID on a successful login to avoid session fixation
Protect rssfeed parameters with htmlspecialchars() in rss.widget.php
Protect servicestatusfilter parameter with htmlspecialchars() in services_status.widget.php
Always set httponly attribute on cookies
Set ‘Disable webConfigurator login autocomplete’ as on by default for new installs
Simplify logic, add some protection to user input parameters on log.widget.php
Make sure single quotes are encoded and avoid javascript injection on exec.php
Add missing NAT protocols on firewall_nat_edit.php
Remove extra data after space in DSCP and fix pf rule syntax. #3688
Only include a scheduled rule if it is strictly before the end time. #3558

New in pfSense 2.1.1 (Apr 5, 2014)

New in pfSense 2.1 (Sep 16, 2013)

This release brings many new features, with the biggest change being IPv6 support in most every portion of the system. There are also a number of bug fixes, and touch ups in general. It’s making its way to the mirrors now, and should be on all of them by end of day Sunday. The complete list of significant changes follows, and can also be found here including more details. If you want to see every single individual change, check out RELENG_2_1 commits in our github here and the 469 completed tickets in our redmine here.
Security Updates:
Three FreeBSD security advisories are applicable to prior pfSense releases. These aren’t remotely exploitable in and of themselves, but anyone who can execute arbitrary code on your firewall could use one or more of these to escalate privileges.
FreeBSD-SA-13:13.nullfs
FreeBSD-SA-13:12.ifioctl.asc
FreeBSD-SA-13:09.ip_multicast.asc
IPv6 Support:
IPv6 Added to many areas of the GUI. At least the following areas/features are IPv6-enabled. Others may work as well
Aliases (Firewall) – Aliases can contain both IPv4 and IPv6, only addresses relevant to a given rule will be used
CARP RA
CARP Failover
DHCP Server w/Prefix Delegation
SLAAC WAN
6to4 WAN
6to4 WAN w/Prefix Delegation
6rd WAN
6rd WAN w/Prefix Delegation
DHCP6 WAN
DHCP6 WAN w/Prefix Delegation
DHCPv6 Relay
DNS Forwarder
Firewall Rules
Gateway Groups/Multi-WAN
Gateway Status (apinger)
GIF Tunnels
GRE Tunnels
GUI Access
IPsec
L2TP
Network Prefix Translation (NPt)
NTP
OpenVPN
Packet Capture
PPPoE WAN
Router Advertisements
Routing
Server LB
Static IP
Syslog (remote)
Limiters (dummynet pipes)
Virtual IPs – IP Alias
Virtual IPs – CARP
DNS from RA
Accept RA when forwarding
Auth via RADIUS
Auth via LDAP
XMLRPC Sync
RRD Graphs
DHCP Static Mapping – Works by DUID
DynDNS (HE.net hosted DNS, RFC2136, custom)
MAC OUI database lookup support for NDP and DHCPv6. (Was already present for DHCP leases and ARP table) requires the nmap package to be installed to activate
NOTE: Unlike earlier snapshots, BETA, etc, currently we do NOT flip the “Allow IPv6″ checkbox on upgrade, to preserve existing behavior. To activate IPv6 traffic, a user will have to flip this setting manually.
Packages:
PBI (push button installer) package support – all of a package’s files and dependencies are kept in an isolated location so packages cannot interfere with one another in the way that was possible on 2.0.x and before using tbz packages
RIP (routed) moved to a package
OLSRD moved to a package
Unbound moved back to a package (Will try integration again for 2.2)
Increase the verboseness of the package reinstallation process in the system logs for a post-firmware-update package reinstallation operation
OS/Binary/Supporting Program Updates:
Based on FreeBSD 8.3
Updated Atheros drivers
OpenSSL 1.0.1e (or later) used by OpenVPN, PHP, IPsec, etc
PHP to 5.3.x
OpenVPN to 2.3.x
Added mps kernel module
Added ahci kernel module
Updated ixgbe driver
Many other supporting packages have been updated
Dashboard & General GUI:
Switch from Prototype to jQuery
Improved navigation and service status in the GUI (shortcut icons in each section to quickly access config, logs, status, control services, etc)
Multiple language support, a mostly-complete translation for Brazilian Portuguese is included
Read-only privilege to create a user that cannot modify config.xml
Dashboard update check can be disabled
Fixed theme inconsistencies between the login form and other parts of the GUI
Various fixes to pages to reduce potential exposure to certain CSRF/XSS vectors
Updated CSRF Magic
Set CSRF Magic token timeout to be the same as the login expiration
Added IE Mobile for WP8 to list of browsers that get an alternate theme at login
Truncate service status so long package descriptions cannot break formatting of the status table
Many fixes to HTML/XHTML to improve rendering and validation
Added a note to the setup wizard letting the user know that it can be canceled at any time by clicking the logo image
Make dashboard update check respect nanobsd-vga
Firewall Logs Widget filtering and column changes
Added totals for some dashboard widget meters (memory, swap, disk usage)
Changed dashboard display for states and mbufs to be meters, and to show usage as a percentage
Update dashboard mbuf count via AJAX
Show a count and layout of CPUs in the dashboard if multiple CPUs are detected
Captive Portal:
Multi instance Captive Portal
Multiple Captive Portal RADIUS authentication sources (e.g. one for users, one for cards)
Logic fixes for voucher encryption
Many optimizations to Captive Portal processing, including a database backend and moving functions to a php module to improve speed
Optional Captive Portal user privilege
Add checks to make sure CP hard timeout is less than or equal DHCP server default lease time, to avoid issues with CP sessions being valid for incorrect IPs, and users switching IPs while they should still be connected to the portal
Fixes for captive portal voucher syncing on HTTPS with a custom port
Fixes for custom Captive Portal files leaving symlinks on the filesystem after files were removed
Added MAC OUI database lookup support to CP status (requires nmap package to be installed)
OS/System Management:
Ability to select serial port speed
Added a manual way to enable TRIM if someone needs it
Added a manual way to trigger a fsck on reboot
AES-NI support (Cryptographic Accelerator feature on new Intel/AMD CPUs) — Still experimental, not supported by some areas of the OS yet.
Support for certain thermal sensors via ACPI, coretemp, and amdtemp
System startup beep can be disabled
Separate powerd setting for when on battery
Add optional ability to change the size of RAM disks for /var/ and /tmp/ for systems that have RAM to spare
Add optional ability for full installs to use RAM disks for /var/ and /tmp/ as is done on NanoBSD. Reduces overall writes to the media, should be more SSD-friendly
Use a custom sysDescr for snmp similar to m0n0wall’s format.
Added tunable to allow disabling net.inet.udp.checksum – disabling UDP checksums can improve performance, but can also have negative side effects
Added an mtree database with the correct default permissions, owner, sha256 sum, and some other information that is used to verify file permissions post-install and post-upgrade
APC is not started for PHP unless the system has over 512MB RAM, to reduce memory usage on systems with low RAM
Multi-WAN:
DynDNS multi-WAN failover
IPsec multi-WAN failover
OpenVPN multi-WAN failover
Changed descriptions of the values for gateway monitoring
Display apinger (gateway monitoring daemon) as a service when it is enabled
Fixes for apinger to reload via SIGHUP properly, to avoid unnecessary restarts and loss of gateway status data
“State Killing on Gateway Failure” now kills ALL states when a gateway has been detected as down, not just states on the failing WAN. This is done because otherwise the LAN-side states were not killed before, and thus some connections would be in limbo, especially SIP.
Due to the change in its behavior, “State Killing on Gateway Failure” is now disabled by default in new configurations and is disabled during upgrade. If you want the feature, you’ll have to manually re-enable it post-upgrade.
NTP:
NTP daemon now has GPS support
IPsec:
More IPsec hash algorithms and DH key groups added, “base” negotiation mode added
Mobile IPsec supports separate “split DNS” field and doesn’t just assume the default domain for split DNS domains
Properly ignore disabled IPsec phase 2 entries
NAT before IPsec (1:1 or many:1) outbound
Set default Proposal Check setting to Obey for mobile IPsec
LDAP and RADIUS are now possible authentication sources for IPsec mobile xauth
Delete the SPDs for an old IPsec entry when it is disabled or removed
Manage active SPDs on CARP secondary during sync
Add an option to force IPsec to reload on failover, which is needed in some cases for IPsec to fail from one interface to another.
OpenVPN:
OpenVPN can accept attributes from RADIUS via avpairs for things like inacl, outacl, dns-server, routes
OpenVPN checkbox for “topology subnet” to use one IP per client in tun mode
OpenVPN local/remote network boxes can accept multiple comma-separated networks
OpenVPN status for SSL/TLS server instances can now display the routing table for the VPN instance
OpenVPN now allows selecting “localhost” as the interface
Gateways are created for assigned OpenVPN server instances as well as clients
OpenVPN instances can run on the same port on different interfaces
OpenVPN status page now has service controls to show the status of the daemon running each instance, and allow for stop/start/restart from that page
Changed wording of the error displayed when a daemon is not running or the management interface of OpenVPN cannot be reached for an instance
OpenVPN client-specific Override cleanup fixes
Fixed double-click to edit of OpenVPN Client-Specific Overrides
NAT/Firewall Rules/Alias:
Aliases separated into tabs for Hosts, Ports, and URLs to improve manageability
NAT reflection options re-worded to be less confusing
Adjustable source tracking timeout for Sticky connections
Firewall rules now support matching on ECE and CWR TCP flags
Filtering on ECE and CWR TCP flags is now possible
Added ICMP to protocol list when creating rdr (port forward) rules
Keep proper positioning of duplicated outbound NAT rules
When using the + at the top of Outbound NAT rules, add the rule to the top of the list and not the bottom
Fix ordering of interface group rules in the ruleset
Track time and user@host which created or updated a firewall, NAT port forward, or outbound NAT rule. If timestamp records are present, display them at the bottom of the rule page when editing. Have the created time/user pre-filled for automated rules such as NAT port forward associated rules and the switch from automatic to manual outbound NAT
Fix generation of manual outbound NAT rules so that localhost and VPN rules are not unnecessarily duplicated
Prevent using “block” for an alias name, as it is a pf reserved keyword
Allow TCP flags to be used on block or reject rules, since they are also valid there
Updates/fixes to DSCP handling
Allow advanced options state-related parameters to be used for TCP, UDP and ICMP — Formerly only allowed on TCP
Respect ports found in rules when policy route negation rules are made
Do not include disabled OpenVPN networks in generated policy route negation rules
Certificates:
Improved denoting of certificate purposes in the certificate list
Imported CRLs can be edited and replaced
Can set digest algorithm for CA/Certs (sha1, sha256, etc)
Default digest algorithm is now SHA256
Show CA and certificate start and end dates in the their listings
Correct tooltip description when adding a certificate
Relax input validation on a CA/Cert description since it is only used cosmetically in pfSense and not in the actual CA/cert subject
Allow removing blank/empty CA and Cert entries
Logging:
More system log separation, Gateways, Routing, Resolver split into their own tabs
Firewall logs can now be filtered by many different criteria
Firewall logs can be sorted by any column
Firewall logs can optionally show the matching rule description in a separate column or in between rows
Firewall logs now show an indicator icon if the direction of a log entry is OUT rather than IN
Add popup DNS resolution method to firewall log view
Reduced logging output from IGMP proxy
Reduced logging output from DynDNS
Relocated filterdns logs to the resolver log file/tab
Relocated DHCP client logs to the DHCP tab
Fix system script logging so the correct script filename is printed in the log, rather than omitting the script name entirely
Add independent logging choices to disable logging of bogon network rules and private network rules. Add upgrade code to obey the existing behavior for users (if default block logging was disabled, so is bogon/private rule blocking)
Add a checkbox to disable the lighttpd log for people who don’t want their system log full of messages from lighttpd in some cases where they are filling the log unnecessarily
Notifications:
Add the ability to disable Growl or SMTP notifications but keep their settings intact, so the mail settings can be used for other purposes (packages, etc)
Add a test button to selectively test Growl or SMTP notifications without re-saving settings
Do not automatically generate a test notification on saving notification settings, as there are now individual test buttons
High Availability (CARP, pfsync, XML-RPC):
High Availability Synchronization options (Formerly known as “CARP Settings” under Virtual IPs Promoted to its own menu entry, System > High Avail. Sync
This is to make it easier to find, as well as make its purpose more clear. “CARP” is a part of High Availability, as is XMLRPC/pfsync state synchronization, but it’s a bit of a misnomer to refer to the sync settings as CARP
Ensure that the user does not remove only the last IP alias needed for a CARP VIP in an additional subnet
Disable pfsync interface when state synchronization is not in use
Fixed issues with DHCP server config synchronization ordering on secondary nodes
Restart OpenVPN servers when CARP transitions to master (clients were already restarted), otherwise if CARP was disabled, the servers would never recover
Removed the automatic pfsync rule, since the documentation always recommends adding it manually, and to add it behind the scenes with no way to block it can be counter-productive (and potentially insecure). If you did not follow the documentation and add your own pfsync or allow all rule on the sync interface, your state synchronization may break after this upgrade. Add an appropriate rule to the sync interface and it will work again.
Allow XMLRPC to sync IP Alias VIPs set to Localhost for their interface
In DHCP leases view, use the internal interface name (lan/opt1/etc) for the failover pool name, rather than a number. In certain cases the number can get out of sync between the two nodes, but the interface names will always match
Print the user-configured interface description next to the DHCP failover pool name, rather than only the internal name (lan/opt1/etc)
Add option to synchronize authentication servers (RADIUS, LDAP) via XMLRPC
NanoBSD:
Fixes for conf_mount_ro/conf_mount_rw reference checking/locking
Diag > NanoBSD now has button to switch media between read/write and read-only
Diag > NanoBSD now has a checkbox option to keep the media read/write
Fixed an issue with NanoBSD time zones not being properly respected by all processes the first reboot after a firmware upgrade
DHCP Server:
DHCP can support multiple pools inside a single subnet, with distinct options per pool
DHCP can allow/deny access to a DHCP pool by partial (or full) MAC address
DHCP static mappings can have custom settings for gateway, DNS, etc
DHCP static mappings can optionally have a static ARP entry created
Fix Dynamic DNS updates from DHCP (ISC changed the config layout and requires zone declarations)
When crafting DHCP Dynamic DNS zones, do not use invalid DNS servers for the IP type (e.g. skip IPv6 DNS servers, because the DHCP daemon rejects them)
Added a config backup section choice for DHCPv6
Traffic Shaper:
Schedules can now be used with limiters
Traffic shaper queues view updated
CoDel AQM Shaper Discipline
Allow PRIQ queues to be deleted.
Limiters now allow the user to set the mask they want to use, rather than assuming masking will always be per-IP. This allows per-subnet limits and similar
Limiters now allow setting masking for IPv6
Limiters now allow setting a burst size. This will pass X amount of data (TOTAL, NOT a rate) after an idle period before enforcing the limit
DNS Forwarder:
In DNS forwarder, DNS query forwarding section with options for sequential and require domain
Allow a null forwarding server in DNS Forwarder domain overrides to ensure that queries stay local and never go outside the firewall
Add DNS Forwarder option to not forward private reverse lookups
DNS Forwarder domain overrides can now specify a source address for the query, to help resolve hostnames over VPN tunnels
DNS Forwarder now can change the port upon which it listens, for better cohabitation with other DNS software such as tinydns or unbound, if both are needed
DNS Forwarder now has an option to select the interfaces/IP Addresses upon which it will respond to queries
DNS Forwarder can now be set to only bind to specific IPv4 IPs (the underlying software, dnsmasq, does not support selectively binding to IPv6 IPs)
Improved handling of some dnsmasq custom config options
User Manager:
Configurable RADIUS authentication timeout in User Manager
Print the error message from LDAP in the log for a bind failure. Helps track down reasons for authentication failures
Re-enable admin user if it’s disabled when ‘Reset webConfigurator password’ option is used.
Restrict maximum group name length to 16 characters or less (OS restriction)
Added option to UTF-8 encode LDAP parameters to improve handling of international characters
CDATA protected LDAP fields in config to avoid invalid XML with international characters
DynDNS:
Fixed handling of DynDNS 25-day update and add ability to configure update interval
Added DynDNS No-IP Free Account Support
Add AAAA support to RFC2136 updates
Add cached IP support to RFC2136, add GUI button to force update for single host
Fix double click row to edit for RFC2136
Add option to RFC2136 to find/use the public IP if the interface IP is private. (Off by default to preserve existing behavior on upgrade)
Add server IP column and cached IP display to RFC2136 host list
Include RFC2136 hosts in DNS rebinding checks
Include both dyndns and RFC2136 hosts in referer check
Graphs:
Add ability to reverse-resolve IPs on Status > Traffic Graph in the rate table
Add ability to filter local or remote IPs on Status > Traffic Graph in the rate table
Change maximum values for RRD throughput to account for 10G links. Previous maximums would have caused blank spots on the graph during periods of high throughput
Fixes to RRD data resolution/retention
Added RRD Graph for mbuf clusters
Changed default RRD graph colors to be more visually distinct to help avoid ambiguity between multiple values on the same graph
Misc:
Add option to the packet capture page to control whether or not promiscuous mode is used on the NIC. Rarely, NICs can have issues with promiscuous mode
Make parent interface and all VLANs share MTU
Fix cellular signal strength indicator
Fix PPP config cleanup when removing an interface
Disallow adding IP Alias or CARP VIP that would be the network or broadcast address of a subnet
Diagnostics > Sockets page to show open network sockets on the firewall
Diagnostics > Test Port page to perform a simple TCP connection test to see if a port is open
The pftop page has additional options to display more detailed information and sort it
Fixed conflict between static IP and static route in the same subnet
Do not apply static ARP entries to disabled interfaces
Do not allow bridge members to be assigned to itself
Changed Diag > Ping to use more available source addresses (CARP VIPs, IP Alias VIPs, OpenVPN interfaces, IPv6 Link-Local IPs)
Changed Diag > Traceroute to use more available source addresses (CARP VIPs, IP Alias VIPs, OpenVPN interfaces, IPv6 Link-Local IPs)
Changed shell prompt to not force background color, to be kinder to those not using black as a background in their terminal
Add a field to allow rejecting DHCP leases from a specific upstream DHCP server.
Updated the help system to handle some recent added files for 2.x and clean out some old/obsolete files
Allow selecting “Localhost” as an interface for IP Alias VIPs – this way you can make IP Alias VIPs for binding firewall services (e.g. Proxy, VPN, etc) in routed subnets without burning IPs for CARP unnecessarily
Updated list of mobile service providers
Fix max length for WPA passphrase. A 64-char passphrase would be rejected by hostapd and leave an AP in an open state
Added MSS clamping to the setup wizard
Add a setting to configure the filterdns hostname resolution interval (defaults to 300s, 5 minutes)
Omit IP mismatch warnings (e.g. behind a port forward, VPN IP, etc) if HTTP_REFERER protection is disabled
Fixes for selecting/detecting PPP devices such as 3G/4G modems
Rather than doing auto-detection to find serial PPP devices, use a glob when listing potential PPP serial devices
Prevent sshlockout from a crash/coredump if a format string like %s is present in the buffer
Fix SMART to see adaX devices
Fix SMART interpretation of output from SCSI devices
Fixed display of user SSH keys when present
Updated p0f database from FreeBSD
Fix UPnP Interface name selection to show the configured description entered by the user
Allow setting the external UPnP interface (must be default route WAN)
Fix Diag > Tables AJAX fadeOut after deletion for rows with CIDR mask format
Improve Diagnostics > Routes to fetch output via AJAX and have configurable filtering and sizes. Improves handling of large routing tables, such as a full BGP feed
When deleting or renaming a virtual server from the Load Balancer (relayd) manually clean up the NAT rules it leaves behind to avoid conflicts
Many, many bug fixes
Various fixes for typos, formatting, input validation, etc
SH/PHP Shell Scripts:
Git package for gitsync is now pulled in as a pfSense-style PBI package
Added playback shell scripts added to enable/disable CARP
Added playback shell scripts to add and remove packages from the command line
Added playback shell script to remove shaper settings
Added playback shell script to control services from the command line
Add a simple CLI mail script capable of sending an SMTP message using echo/piped input. (Uses SMTP notification settings for server details)
Added a script to convert a user’s filesystem from device names to UFS labels, for easier portability in case the disk device changes names (e.g. adX to adY, adX to daY, or adX to adaX). ONLY FOR FULL INSTALLS. NanoBSD already uses labels

New in pfSense 2.0.3 (Apr 16, 2013)

Security Fixes:
Updated to OpenSSL 0.9.8y to address FreeBSD-SA-13:03.
Fix below XSS in IPsec log possible from users possessing shared key or valid certificate
Below S.M.A.R.T. input validation fix isn’t security relevant in the vast majority of use cases, but it could lead to privilege escalation for an administrative user with limited rights who can access the S.M.A.R.T. pages but cannot access any of the pages that allow command execution by design.
PPP:
Fix obtaining DNS servers from PPP type WANs (PPP, PPPoE, PPTP, L2TP)
Captive Portal:
Fix Captive Portal Redirect URL trimming
Voucher sync fixes
Captive portal pruning/locking fixes
Fix problem with fastcgi crashing which caused CP issues on 2.0.2
OpenVPN:
Clear the route for an OpenVPN endpoint IP when restarting the VPN, to avoid a situation where a learned route from OSPF or elsewhere could prevent an instance from restarting properly
Always clear the OpenVPN route when using shared key, no matter how the tunnel network “CIDR” is set
Use the actual OpenVPN restart routine when starting/stopping from services rather than killing/restarting manually
Allow editing an imported CRL, and refresh OpenVPN CRLs when saving. [#2652]
Fix interface assignment descriptions when using > 10 OpenVPN instances
Logging:
Put syslogd into secure mode so it refuses remote syslog messages
If syslog messages are in the log, and the hostname does not match the firewall, display the supplied hostname
Fix PPP log display to use the correct log handling method
Run IPsec logs through htmlspecialchars before display to avoid a potential persistent XSS from racoon log output (e.g. username)
Traffic Shaper:
Fix editing of traffic shaper default queues. [#1995]
Fix wording for VoIP address option in the shaper. Add rule going the other direction to catch connections initiated both ways
Dashboard & General GUI:
Use some tweaks to PHP session management to prevent the GUI from blocking additional requests while others are active
Remove cmd_chain.inc and preload.php to fix some issues with lighttpd, fastcgi, and resource usage
Firmware settings manifest (Site list) now bolds and denotes entries that match the current architecture, to help avoid accidental cross-architecture upgrades
Add header to DHCP static mappings table
When performing a factory reset in the GUI, change output style to follow halt.php and reboot.php so the shutdown output appears in the correct location on the page
Better validation of parameters passed during S.M.A.R.T. operations for testing HDDs
Fixed SNMP interface binding glitch (Setting was active but not reflected when viewed in GUI)
Add a new class called addgatewaybox to make it easier to respect custom themes [#2900]
Console Menu Changes:
Correct accidental interface assignment changes when changing settings on the console menu
Console menu option 11 now kills all active PHP processes, kills lighttpd, and then restarts the GUI. This is a more effective way to restart the GUI since if a PHP process is hung, restarting lighttpd alone will not recover from that
Fix port display after LAN IP reset
Misc Changes:
Change how the listening address is passed to miniupnpd, the old method was resulting in errors for some users
Fix “out” packet count reporting
Be a little smarter about the default kernel in rare cases where we cannot determine what was in use
Pass -S to tcpdump to avoid an increase in memory consumption over time in certain cases
Minimise rewriting of /etc/gettytab (forum reference)
Make is_pid_running function return more consistent results by using isvalidpid
Fix ataidle error on systems that have no ATA HDD. [#2739]
Update Time Zone database zoneinfo to 2012.j to pick up on recent zone/DST/etc changes
Fix handling of LDAP certificates, the library no longer properly handles files with spaces in the CA certificate filename
Bring in the RCFILEPREFIX as constant fixes from HEAD, since otherwise rc.stop_packages was globbing in the wrong dir and executing the wrong scripts. Also seems to have fixed the “bad fd” error
NTP restart fixes
Gitsync now pulls in git package from pfSense package repository rather than FreeBSD
Fixed handling of RRD data in config.xml backups when exporting an encrypted config [#2836]
Moved apinger status to /var/run instead of /tmp
Fixes for FTP proxy on non-default gateway WANs
Fixes for OVA images
Use new pfSense repository location (http://github.com/pfsense/pfsense/)
Add patch to compensate apinger calculation for down gateways by time taken from other tasks like rrd/status file/etc
lighttpd changes:
Improve tuning of lighttpd and php processes
Use separate paths for GUI and Captive Portal fastcgi sockets
Always make sure php has its own process manager to make lighttpd happy
Make mod_fastcgi last to have url.rewrite work properly
Enable mod_evasive if needed for Captive Portal
Simplify lighttpd config
Send all lighttpd logs to syslog
Binary changes:
dnsmasq to 2.65
rsync to 3.0.9
links 2.7
rrdtool to 1.2.30
PHP to 5.2.17_13
OpenVPN 2.2 stock again (Removed IPv6 patches since those are only needed on 2.1 now)
Fix missing “beep” binary on amd64
Fix potential issue with IPsec routing of client traffic
Remove lighttpd spawnfcgi dependency
Add splash device to wrap_vga kernels (It’s in GENERIC so full installs already have it). [#2723]
filterdns:
Correct an issue with unallocated structure
Avoid issues with pidfiles being overwritten, lock the file during modifications
Make filterdns restartable and properly cleanup its tables upon exit or during a reconfiguration
dhcpleases:
Correct use after free and also support hostnames with other DNS suffix
Reinit on any error rather than just forgetting. Also the difftime checks are done after having complete view, no need to do them every time
Typo fixes
Log that a HUP signal is being sent to the pid file submitted by argument
Prevent bad parsing of empty hostnames in lease file. Add an f option to run dhcplease in foreground. The only option needed while in foreground is h parameter and the only usable one as well

New in pfSense 2.0.2 (Dec 22, 2012)

FreeBSD Security Advisories:
Base OS updated to 8.1-RELEASE-p13 to address the following FreeBSD Security Advisories:
FreeBSD-SA-12:01.openssl (v1.0/v1.1) http://security.freebsd.org/advisories/FreeBSD-SA-12:01.openssl.asc
FreeBSD-SA-12:04.sysret (v1.0/v1.1) http://security.FreeBSD.org/advisories/FreeBSD-SA-12:04.sysret.asc
FreeBSD-SA-12:07.hostapd http://www.freebsd.org/security/advisories/FreeBSD-SA-12:07.hostapd.asc
NOTE: FreeBSD-SA-12:03.bind, FreeBSD-SA-12:05.bind, and FreeBSD-SA-12:06.bind do not apply to us, since we do not use nor include bind. FreeBSD-SA-12:08.linux does not apply since we do not use nor include the Linux compatibility layer of FreeBSD. FreeBSD-SA-12:02.crypt doesn’t apply because we don’t use DES in that context.
PPTP:
Added a warning to PPTP VPN configuration page: PPTP is no longer considered a secure VPN technology because it relies upon MS-CHAPv2 which has been compromised. If you continue to use PPTP be aware that intercepted traffic can be decrypted by a third party, so it should be considered unencrypted. We advise migrating to another VPN type such as OpenVPN or IPsec.
More information on this can be found at https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 and https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
Fix reference to PPTP secondary RADIUS server shared secret.
PPTP 1.x to 2.x config upgrade fixes.
NTP Changes:
OpenNTPD was dropped in favor of the ntp.org NTP daemon, used by FreeBSD.
Status page added (Status > NTP) to show status of clock sync
NTP logging fixed.
NOTE: ntpd will bind/listen to all interfaces by default, and it has to in order to receive replies. You can still do selective interface binding to control which IPs will accept traffic, but be aware that the default behavior has changed.
Dashboard & General GUI Fixes:
Various fixes for typos, wording, and so on.
Do not redirect on saving services status widget.
Don’t use $pconfig in widgets, it has unintended side effects.
Fix display of widgets with configuration controls in IE.
Changed some padding/margin in the CSS in order to avoid wrapping the menu.
#2165 Change to embed to prevent IE9 from misbehaving when loading the Traffic Graph page
OpenVPN Fixes:
Safer for 1.2.3 upgrades to assume OpenVPN interface == any, since 1.2.3 didn’t have a way to bind to an interface. Otherwise people accepting connections on OPT interfaces on 1.2.3 will break on upgrade until the proper interface is selected in the GUI
Don’t ignore when multiple OpenVPN DNS, NTP, WINS, etc servers were specified in 1.2.3 when upgrading. 1.2.3 separated by ;, 2.x uses separate vars.
Fix upgrade code for 1.2.3 with assigned OpenVPN interface.
Fix LZO setting for Upgraded OpenVPN (was turning compression on even if old config had it disabled.)
Be more intelligent when managing OpenVPN client connections bound to CARP VIPs. If the interface is in BACKUP status, do not start the client. Add a section to rc.carpmaster and rc.carpbackup to trigger this start/stop. If an OpenVPN client is active on both the master and backup system, they will cause conflicting connections to the server. Servers do not care as they only accept, not initiate.
IPsec fixes:
Only do foreach on IPsec p2′s if it’s actually an array.
#2201 Don’t let an empty subnet into racoon.conf, it can cause parse errors.
#2201 Reject an interface without a subnet as a network source in the IPsec Phase 2 GUI.
Add routes even when IPsec is on WAN, as WAN may not be the default gateway.
#1986 Revamped IPsec status display and widget to properly account for mobile clients.
Fixed a bug that caused the IPsec status and widget to display slowly when mobile clients were enabled.
User Manager Fixes:
#2066 Improve adding/removing of users accounts to the underlying OS, especially accounts with a numeric username.
Include admin user in bootup account sync
Fix permission and certificate display for the admin user
Fix ssh key note to refer to DSA not just RSA since both work.
“:” chars are invalid in a comment field, filter them out.
When renaming a user, make sure to remove the previous user or it gets left in /etc/passwd.
#2326 Do not allow empty passwords since this might cause problems for some authentication servers like LDAP.
Captive Portal Fixes:
Take routing table into account when figuring out which IP address to use for talking to CP clients.
Prevent browser auto-fill username and password on voucher config, as it can interfere with the settings being properly saved if sync isn’t fully configured, which this can make happen accidentally.
Correct the Called-Station-Id attribute setting to be the same on STOP/START packets
Correct the Called-Station-Id attribute setting to be consistent on the data sent
#2082 Correct the log to display the correct information about an existing session
#2052 Remove duplicate rule
Fix which roll to write when writing the active voucher db
Always load ipfw when enabling CP to ensure the pfil hooks are setup right
#2378 Fix selection of CP interfaces when using more than 10 opt interfaces.
Strengthen voucher randomization.
NAT/Firewall Rules/Alias Fixes:
#2327 Respect the value of the per-rule “disable reply-to” checkbox.
#1882 Fix an invalid pf rule generated from a port forward with dest=any on an interface with ip=none
#2163 1:1 Reflection fixes for static route subnets and multiple subnets on the same interface.
Better validation on URL table alias input from downloaded files.
#2293 Don’t put an extra space after “pass” when assuming it as the default action or later tests will fail to match this as a pass rule.
Update help text for Host aliases to indicate FQDNs are allowed.
#2210 Go back to scrub rather than “scrub in”, the latter breaks MSS clamping for egress traffic the way we use it.
Fix preservation of the selection of interfaces on input errors for floating rules.
Fix URL table update frequency box.
Fix input validation for port forwards, Local Port must be specified.
Added a setting to increase the maximum number of pf tables, and increased the default to 3000.
Properly determine active GUI and redirect ports for anti-lockout rule, for display and in the actual rule.
Handle loading pf limits (timers, states, table/entry limits, etc) in a separate file to avoid a chicken-and-egg scenario where the limits would never be increased properly.
Interface/Bridging Fixes:
Correct checking if a gif is part of bridge so that it actually works correctly adding a gif after having created it on bootup
Use the latest functions from pfSense module for getting interface list
Use the latest functions from pfSense module for creating bridges
Implement is_jumbo_capable in a more performant way. This should help with large number of interfaces
Since the CARP interface name changed to “vipN” from “carpN”, devd needs to follow that change as well.
#2242 Show lagg protocol and member interfaces on Status > Interfaces.
#2212 Correctly stop dhclient process when an interface is changed away from DHCP.
Fixed 3G SIM PIN usage for Huawei devices
Properly obey MTU set on Interface page for PPP type WANs.
Other Misc. Fixes:
#2057 Add a checkbox that disables automatically generating negate rules for directly connected networks and VPNs.
Mark “Destination server” as a required field for DHCP Relay
Clarify the potential pitfalls when setting the Frequency Probe and Down parameters.
Add a PHP Shell shortcut to disable referer check (playback disablereferercheck)
#2040 Make Wireless Status tables sortable
#2068 Fix multiple keys in a file for RFC2136 dyndns updates.
Check to see if the pid file exists before trying to kill a process
#2144 Be smarter about how to split a Namecheap hostname into host/domain.
Add a small script to disable APM on ATA drives if they claim to support it. Leaving this on will kill drives long-term, especially laptop drives, by generating excessive Load Cycles. The APM bit set will persist until the drive is power cycled, so it’s necessary to run on each boot to be sure.
#2158 Change SNMP binding option to work on any eligible interface/VIP. If the old bindlan option is there, assume the lan interface for binding.
Fix reference to PPTP secondary RADIUS server shared secret.
#2147 Add button to download a .p12 of a cert+key.
#2233 Carry over the key length on input errors when creating a certificate signing request.
#2207 Use PHP’s built-in RFC 2822 date format, rather than trying to make our own.
Allow specifying the branch name after the repository URL for gitsync command-line arguments and remove an unnecessary use of the backtick operator.
Correct send_multiple_events to conform with new check_reload_status behaviour
Do not wipe logs on reboot on full install
Set FCGI_CHILDREN to 0 since it does not make sense for php to manage itself when lighttpd is doing so. This makes it possible to recover from 550-Internal… error.
Support for xmlrpcauthuser and xmlrpcauthpass in $g.
Fix Layer 7 pattern upload, button text check was incorrect.
Correct building of traffic shaping queue to not depend on parent mask
#2239 Add alias support to static routes
Use !empty instead of isset to prevent accidental deletion of the last used repository URL when firmware update gitsync settings have been saved without a repository URL.
Better error handling for crypt_data and also better password argument handling
Stop service needs to wait for the process to be stopped before trying to restart it.
Use a better default update url
Fix missing description in rowhelper for packages.
#2402, #1564 Move the stop_packages code to a function, and call the function from the shell script, and call the function directly for a reboot.
#1917 Fix DHCP domain search list
Update Time Zone zoneinfo database using latest zones from FreeBSD
Handle HTTPOnly and Secure flags on cookies
Fixed notifications for firmware upgrade progress
Removed an invalid declaration that considered 99.0.0.0/8 a private address.
Fixed redirect request for IE8/9
#1049 Fix crashes on NanoBSD during package removal/reinstall. Could result in the GUI being inaccessible after a firmware update.
Fix some issues with upgrading NanoBSD+VGA and NanoBSD+VGA Image Generation
Fix issues upgrading from systems with the old “Uniprocessor” kernel which no longer exists.
Fix a few potential XSS/CSRF vectors.
Fixed issue with login page not showing the correct selected theme in certain configurations.
Fix limiters+multi-wan
Binary/Supporting Program Updates:
Some cleanup to reduce overall image size
Fixes to ipfw-classifyd file reading and handling
Updated miniupnpd
ISC DHCPD 4.2.4-P1
mdp5 upgraded to 5.6
pftop updated
lighttpd updated to 1.4.32, for CVE-2011-4362 and CVE-2012-5533.

pfSense Changelog

What's new in pfSense 2.4.4-p3

New in pfSense 2.4.4-p2 (Jan 11, 2019)

New in pfSense 2.4.4 (Sep 26, 2018)

New in pfSense 2.4.2 (Nov 22, 2017)

New in pfSense 2.4.1 (Oct 27, 2017)

New in pfSense 2.4.0 (Oct 13, 2017)

New in pfSense 2.3.4 (May 5, 2017)

New in pfSense 2.3.2-p1 (Oct 6, 2016)

New in pfSense 2.3.2 (Jul 26, 2016)

New in pfSense 2.3.1 Update 5 (Jun 16, 2016)

New in pfSense 2.3.1 Update 1 (May 27, 2016)

New in pfSense 2.3.1 (May 19, 2016)

New in pfSense 2.3 (Apr 12, 2016)

New in pfSense 2.3 RC (Apr 2, 2016)

New in pfSense 2.2.6 / 2.3 Alpha (Dec 22, 2015)

New in pfSense 2.2.5 (Nov 8, 2015)

New in pfSense 2.2.4 (Jul 28, 2015)

New in pfSense 2.2.3 (Jun 25, 2015)

New in pfSense 2.2.2 (Apr 16, 2015)

New in pfSense 2.2.1 (Mar 18, 2015)

New in pfSense 2.2 (Jan 24, 2015)

New in pfSense 2.1.4 (Jun 26, 2014)

New in pfSense 2.1.1 (Apr 5, 2014)

New in pfSense 2.1 (Sep 16, 2013)

New in pfSense 2.0.3 (Apr 16, 2013)

New in pfSense 2.0.2 (Dec 22, 2012)

New in pfSense 1.2.3 (Dec 11, 2009)

New in pfSense 1.2.2 (Jan 10, 2009)

New in pfSense 1.2.1 (Dec 27, 2008)

New in pfSense 1.2.1 RC2 (Nov 21, 2008)