pfSense Community Edition 2.6.0 Security Feature und Bugfix Release

Das Update der auf FreeBSD basierenden Firewall pfSense CE erhiel das geplante Update 2.6.0. Die Version 2.6.0 schließt 4 Sicherheitslücken, bringt signifikante Änderungen in IPsec für eine bessere Stabilität und Performance, ZFS ist das Default Filesystem und viel mehr.

pfSense CE 2.6.0 Release Notes

Security

This release includes corrections for the following vulnerabilities in pfSense software:

• pfSense-SA-22_01.webgui (File overwrite in services_ntpd_gps.php, #12191)
• pfSense-SA-22_02.webgui (Potential vulnerabilities with route collection on diag_routes.php , #12257)
• pfSense-SA-22_03.webgui (Potential vulnerabilities in OpenVPN form validation, #12677)
• pfSense-SA-22_04.webgui (XSS in pkg.php, #12725)

Errata

• There is a patch available to improve NAT behavior for UPnP and multiple game consoles or clients playing the same game but the fix was discovered too late for it to be included in 22.01/2.6.0.For additional details and instructions on how to apply the patch, see Redmine issue #7727 note #74 and #75, the Github commit, and the forum thread for testing feedback.

General

• This release contains several significant changes to IPsec for stability and performance. Read the IPsec section of this document carefully.WarningIPsec VTI interface names have changed in this release. Configurations will be updated automatically where possible to use the new names.Check the interface names of assigned VTI instances under Interfaces > Assignments to ensure they are correct after the upgrade completes.If any third party software configurations or other manual changes referenced the old IPsec VTI interface names directly (e.g. ipsecNNNN) they must be updated to the new format.
• ZFS is now the default filesystem for new installations of pfSense Plus and pfSense CE software on all platforms which support booting from ZFS.
  • It is not possible to change from UFS to ZFS in place, a reinstallation of pfSense Plus or CE is required to migrate from UFS use ZFS.
  • The ZFS pool name and datasets have also been updated and optimized. Users who were already using ZFS may want to reinstall as well to ensure they have the most optimal disk layout.
  • pfSense Plus software has a new ZFS dashboard widget to track the status of disks using ZFS.
• Log Compression for rotation of System Logs is now disabled by default for new ZFS installations as ZFS performs its own compression.TipThe best practice is to disable Log Compression for rotation of System Logs manually for not only existing ZFS installations, but also for any system with slower CPUs. This setting can be changed under Status > System Logs on the Settings tab.
• The default password hash format in the User Manager has been changed from bcrypt to SHA-512. New users created in the User Manager will have their password stored as a SHA-512 hash. Existing user passwords will be changed to SHA-512 next time their password is changed.NoteUser Manager passwords are only stored as a hash, thus existing users cannot be automatically changed to the new format. To convert a user password from an older hash format, change the password for the user in the User Manager.
• The firewall now bootstraps its clock at boot in multiple ways, one of which utilizes multiple NTP servers with static IP addresses from Google Public NTP. This avoids a chicken-and-egg problem where the firewall cannot resolve NTP servers because DNSSEC, which is enabled by default, cannot function when the clock is inaccurate. The firewall performs this sync once per boot before it starts the NTP daemon.NoteThis behavior can easily be changed or disabled. See Changing Clock Bootstrap Behavior.
• Several areas of the documentation have been rewritten and updated for these releases. Notably, the IPsec and OpenVPN sections have been updated significantly including all of the related configuration recipes.

pfSense Plus

PHP Interpreter

• Fixed: PHP exits with signal 11 on SG-3100 when calling PCRE functions #11466

pfSense CE

Aliases / Tables

• Fixed: Error loading rules when URL Table Ports content is empty #4893
• Fixed: Mixed use of aliases in a port range produces unloadable ruleset #11818
• Fixed: Unable to create nested URL aliases #11863
• Fixed: Creating or editing aliases fails with multiple hosts separated by spaces #12124
• Fixed: When attempting to delete an in-use alias, input validation only prints the first item using the alias in the error message #12177

Authentication

• Changed: Use SHA-512 for user password hashes #10298
• Fixed: Deny SSH access for admin and root users when the admin GUI account is disabled #12346

Backup / Restore

• Fixed: Restoring from AutoConfigBackup presents reboot type selection option then reboots automatically #10662
• Added: Backup and restore SSH host key(s) #11118
• Fixed: Output from reboot process is printed on Backup & Restore page when restoring a configuration file #11909
• Fixed: Custom value for AutoConfigBackup schedule Hours is not shown when loading the settings page #11946
• Added: AutoConfigBackup performance improvements #12193
• Fixed: Viewing an AutoConfigBackup entry takes approximately 60 seconds to completely load #12247
• Changed: Explicitly state where AutoConfigBackup stores encrypted backup data #12296

Build / Release

• Changed: Remove deprecated libzmq code and references #12060

CARP

• Fixed: Cannot enter persistent CARP maintenance mode when CARP is disabled #11727
• Fixed: When a CARP VIP VHID change is synchronized to a secondary node, the CARP VIP is removed from the interface and the old VHIDs remain active #12202
• Fixed: Changing VHID on CARP VIP does not update VHID of related IP Alias VIPs #12227
• Fixed: rc.carpmaster only sends notifications via SMTP #12584

Captive Portal

• Fixed: Vouchers may expire too early when using RAM disks #11894
• Fixed: Incorrect variable substitution in captive portal error page #11902
• Fixed: Clicking “logout” on portal page does not function when logout popup is disabled #12138
• Fixed: Captive Portal database and ipfw rules are out of sync after unclean shutdown #12355
• Fixed: Captive Portal input validation for “After authentication Redirection URL” and “Blocked MAC address redirect URL” is swapped #12388
• Fixed: Captive Portal online user statistics data is not cleared on unclean shutdown #12455

Certificates

• Fixed: Certificate Revocation tab does not list active users of CRL entries #11831
• Fixed: Certificate manager reports CA as in use by an LDAP server when LDAP is not configured for TLS #11922
• Fixed: Certificate Manager performs redundant escaping of special characters in certificate DN fields #12034
• Added: Input validation to prevent unsupported UTF-8 characters from being used in certificate subject components #12035
• Fixed: Certificate Manager shows incorrect DN for imported entries with UTF-8 encoding #12041

Console Menu

• Fixed: Cannot configure WAN IP address with /32 CIDR mask via console menu #11581
• Changed: Suppress kernel messages when loading dummynet and thermal sensor modules #12454

DHCP (IPv4)

• Added: DHCPv4 client does not support supersede statement for option 54 #7416
• Added: Support for UEFI HTTP Boot option in DHCPv4 Server #11659
• Fixed: DHCPv4 server configuration does not include ARM TFTP filenames #11905
• Fixed: ARM 32/64 network boot options are not parsed on Static DHCP Mapping page #12216

DHCP (IPv6)

• Fixed: DHCPv6 Server should not offer configuration options for unsupported PPPoE Server interfaces #12277

DHCP Relay

• Fixed: PHP error if no DHCPv6 Relay interfaces are selected #11969

DNS Resolver

• Fixed: Unbound crashes with signal 11 when reloading #11316
• Fixed: Unbound fails to start if its configuration references a python script which does not exist #12274
• Fixed: Unbound falls back to using all outgoing network interfaces if manually selected outgoing interface(s) are unavailable #12460

Dashboard

• Fixed: System Information widget unnecessarily polls data for hidden items #12241
• Fixed: IPsec widget generates errors if no tunnels are defined #12337
• Fixed: IPsec widget treats phase 1 in “connecting” state as connected #12347
• Added: Disks dashboard widget to replace Disk Usage section of System Information widget #12349
• Fixed: Thermal Sensors Dashboard widget filter for negative values refers to invalid variable #12470

Diagnostics

• Fixed: State table content on diag_dump_states.php does not sort properly #11852
• Changed: Hide “Reboot and run a filesystem check” for ZFS systems #11983
• Fixed: “GoTo line #” function does not work on diag_edit.php #12050
• Fixed: Sanitize WireGuard private and pre-shared keys in status output #12256
• Added: Include firewall rules from packages which failed to load in status output #12269
• Added: Include firewall rules generated from OpenVPN RADIUS ACL entries in status output #12316
• Fixed: ARP table interface column empty for entries on unassigned interfaces #12698

Dynamic DNS

• Added: Option to set interval of forced Dynamic DNS updates #9092
• Added: Support DNS Made Easy authentication without a username #9341
• Fixed: RFC 2136 Dynamic DNS client uses IPv6 alias VIP instead of Track IPv6 address for AAAA records #11816
• Added: New Dynamic DNS Provider: Strato #11978
• Fixed: Dynamic DNS cache expiration time check calculation method may cause update to happen on the wrong day #12007
• Fixed: NoIP.com incorrectly encodes Dynamic DNS update credentials #12021
• Added: New Dynamic DNS Provider: deSEC #12086
• Added: Support Check IP services which return bare IP address values #12194
• Fixed: Yandex Dynamic DNS client does not set the PddToken value #12331
• Added: Dynamic DNS client proxy support #12342
• Fixed: Update Dynamic DNS code for one.com to use their new login process #12352
• Fixed: Dynamic DNS updates do not respect certificate authority trust store #12589
• Fixed: Dynamic DNS client updates using a private IP address when it cannot determine the public IP address #12617
• Fixed: Dynamic DNS may not use the correct interface when updating during failover #12631

FreeBSD

• Fixed: Duplicate comconsole_port lines in /boot/loader.conf #11653
• Changed: Upgrade to pkg 1.17.x #12171

Gateways

• Added: Support DNS server gateway selection on system.php for multiple gateways not assigned to interfaces #12116
• Fixed: Default IPv4 gateway may be set to IPv6 gateway value in certain cases #12282

Hardware / Drivers

• Added: Support for network interfaces using the qlnxe driver #11750

High Availability

• Fixed: Incorrect RADVD log message on HA event #11966

IGMP Proxy

• Added: Support 0 CIDR mask for IGMP Proxy networks #7749

IPsec

• Fixed: Disconnected IPsec phase 2 entries are not shown in IPsec status #6275
• Fixed: UDP fragments received over IPsec tunnel are not properly reassembled and forwarded #7801
• Fixed: EAP-RADIUS Mobile IPsec clients with RADIUS-assigned addresses do not get additional configuration attributes #11447
• Fixed: Incorrect phase 2 entry removed when deleting multiple items consecutively #11552
• Fixed: strongSwan configuration contains incorrect structure for mobile pool DNS records #11891
• Fixed: IPsec status tunnel descriptions are incorrect #11910
• Changed: PC/SC Smart Card Daemon pcscd running on all devices at all times, should be optional #11933
• Fixed: IPsec status fails when many tunnels are connected #11951
• Fixed: Mobile IPsec advanced RADIUS parameters do not allow numeric values with a decimal point #11967
• Fixed: Mobile IPsec NAT/BINAT entries missing from firewall rules #12023
• Fixed: Applying IPsec settings for many tunnels is slow or times out #12026
• Fixed: Gateway alarm always triggers IPsec restart #12039
• Changed: Improve IPsec identifier settings #12044
• Fixed: IPsec status IKE disconnect button drops all connections for the IKE ID, not a specific IKE SA ID #12052
• Fixed: Tunnels with conflicting REQID values can lead to multiple identical Child SA entries #12155
• Added: IPsec keep alive option to initiate phase 2 without using ICMP #12169
• Added: Add connect/disconnect buttons to IPsec dashboard widget #12181
• Added: GUI options to configure IKE retransmission behavior #12184
• Fixed: IPsec status shows connect buttons while tunnel is connecting #12189
• Fixed: IPsec writes CRL files when tunnel does not use certificates #12195
• Fixed: IPsec settings fail to apply when a remote gateway is set to an FQDN and there are no DNS servers available #12196
• Fixed: Mobile IPsec phase 1 should not display “Gateway duplicates” option #12197
• Fixed: Disabling an IPsec phase 1 entry does not disable related phase 2 entries #12198
• Fixed: Disabled IPsec VTI interfaces are always created #12212
• Fixed: IPsec bypass rules display help text under each entry #12236
• Fixed: IPsec phase 1 entry with 0.0.0.0 as its remote gateway does not receive correct automatic firewall rules #12262
• Changed: Update “IPsec Filter Mode” option values and help text to reflect that VTI mode also helps transport mode (e.g. GRE) #12289
• Fixed: IPsec manual initiation and termination should use a timeout value or forced actions #12298
• Fixed: IPsec tunnels using a gateway group do not get reloaded in some cases #12315
• Fixed: IPsec Phase 2 entry incorrectly orders proposals in AH mode #12323
• Fixed: Hash algorithm GUI options are disabled after switching a phase 2 entry to AH mode #12324
• Fixed: IPsec VTI interface remote endpoint is not resolved the correct way #12328
• Fixed: Incorrect label for IPsec DH group 32 #12350
• Added: Distinguish between policy-based and route-based entries on IPsec status SPD tab #12397
• Fixed: Console boot output includes Configuring IPsec VTI interfaces when no VTI interfaces are configured #12419
• Changed: Add IPsec phase 2 BINAT subnet size input validation #12430
• Fixed: IPsec initiates on HA backup node when a tunnel interface is set to a gateway group #12566
• Fixed: IPsec Mobile Client RADIUS Advanced parameters are not reset to default values when disabled #12575

IPv6 Router Advertisements (RADVD)

• Fixed: radvd only responds to the first Router Solicitation received after each multicast Router Advertisement #10304
• Fixed: “Default preferred lifetime” router advertisement validation check uses incorrect variable #12159
• Fixed: IPv6 RA DNSSL lifetime is too short, not compliant with RFC 8106 #12173
• Fixed: Default IPv6 router advertisement intervals and lifetime are too low #12280
• Fixed: “Default preferred lifetime” field for IPv6 RA does not have input validation #12439
• Fixed: IPv6 interface prefix change not reflected in RADVD configuration #12604
• Fixed: Router Advertisement DNS search domain from one interface may unintentionally be used by other interfaces #12626

Installer

• Added: Restore RRD and extra data from configuration backups when restoring during installation #12518
• Fixed: Minnowboard Turbo cannot boot a clean install #12707

Interfaces

• Fixed: GRE and GIF tunnels on dynamic IPv6 interface are not brought up during boot #6507
• Fixed: Interface column empty in list of GIF tunnels when using IP Alias on CARP VIP as Interface #11337
• Fixed: QinQ using OpenVPN ovpn interface as a parent is not configured at boot time #11662
• Fixed: VLAN and QinQ edit pages allows selecting incompatible OpenVPN tun interfaces #11675
• Fixed: Advanced DHCP client configuration “Protocol timing” help text is in the wrong location #11926
• Added: VLAN list sorting #11968
• Fixed: Boot messages contain entries about configuring LAGG/VLAN/QinQ interfaces even when no entries of those types are configured #12002
• Fixed: Input validation incorrectly rejects a second IPv4-only GRE tunnel #12049
• Fixed: Interface assignment mismatch is not detected if VLAN-only parent interface is removed #12170
• Fixed: IPv6 DNS servers from dynamic sources are not listed on status_interfaces.php #12252
• Fixed: IPv6 gateway for an interface is not shown on status_interfaces.php if the interface does not also have an IPv4 gateway #12253
• Fixed: Remove subnet overlap check on LAN interfaces when using 6rd #12371
• Fixed: “6RD Prefix” field does not have input validation #12435
• Fixed: Trying to delete an assigned PPPoE interface fails without printing an error message #12514

L2TP

• Fixed: Kernel panic during L2TP retransmit #9058
• Fixed: FQDN L2TP server address is only resolved at boot #12072

Logging

• Fixed: Logging configuration added by a package is not removed on uninstall #11846
• Fixed: Remote log server input validation allows invalid values #12000
• Added: Disable log compression on new installations when /var/log is a ZFS dataset with compression enabled #12011
• Changed: Improve log settings help text for file size, compression, and retention count #12012
• Added: Create a log entry when a configuration change occurs #12118
• Fixed: Rotation settings for individual log files do not take effect after saving #12366

NTPD

• Added: Poll Interval For GPS and PPS #9439
• Added: Support for NTP Peer mode #11496
• Fixed: File overwrite in services_ntpd_gps.php via gpsport parameter #12191
• Added: Support SHA-256 hash NTP authentication #12213
• Fixed: ZFS installations without an RTC battery boot with clock at BIOS/EFI default value because they do not receive initial clock value from filesystem data #12769

Notifications

• Added: Option to suppress expiration notifications for revoked certificates #12109
• Added: Support for Slack notifications #12291
• Added: Send notification for halt, reboot, and reroot events #12441
• Fixed: rc.notify_message only sends notifications via SMTP #12585

OpenVPN

• Added: Support aliases in OpenVPN local/remote/tunnel network fields #2668
• Changed: Set explicit-exit-notify option by default for new OpenVPN server instances #11684
• Fixed: OpenVPN client certificate validation with OCSP always fails #11829
• Added: Option to validate OpenVPN peer TLS certificate key usage #11865
• Added: Log external IP address of OpenVPN clients on connect and disconnect #11935
• Fixed: DNS Resolver does not add PTR record for OpenVPN clients #11938
• Fixed: OpenVPN IPv6 tunnel network is not validated properly #11999
• Fixed: OpenVPN RADIUS-based firewall rules use incorrect port ranges #12020
• Fixed: Incorrect OpenVPN Client Export help link #12022
• Fixed: OpenVPN RADIUS-based firewall rules do not use expected value for RADIUS-assigned IP addresses #12076
• Fixed: Prevent using OpenVPN “Exit Notify” option with point-to-point modes #12102
• Fixed: OpenVPN Wizard configuration missing recently added default values #12172
• Fixed: OpenVPN does not clean up previous CA and CRL files #12192
• Changed: Move “Description” option on OpenVPN server and client pages to top of the page, show internal instance ID #12218
• Fixed: Prevent using OpenVPN “Inactive” option with point-to-point modes #12219
• Fixed: Configuration files are not deleted after disabling an OpenVPN instance #12223
• Fixed: OpenVPN page allows to delete/disable instance with an assigned interface #12224
• Fixed: OpenVPN status incorrect for TAP servers without a defined tunnel network #12232
• Fixed: OpenVPN client connect/disconnect scripts are not used in Remote Access (SSL/TLS) mode #12238
• Added: Pop-up window to view firewall rules generated from RADIUS ACL entries on the OpenVPN status page #12321
• Added: Support OpenVPN client-kill to terminate remote clients instead of clearing their session #12416
• Fixed: Set OpenVPN Gateway Creation value to “Both” by default for new instances #12448
• Fixed: OpenVPN form validation issues #12677

Operating System

• Changed: Ensure /usr/local/sbin/ scripts use full path to executable files #11985
• Fixed: Update NGINX to address CVE-2021-23017 #12061
• Added: Suppress kernel messages for lo0 configuration during boot #12094
• Changed: Convert RAM disks to tmpfs #12145
• Changed: Improve uses of grep which utilize user-supplied patterns #12265
• Fixed: Update mpd5 to address vulnerabilities in < 5.9_2 #12373
• Fixed: Update python to address vulnerabilities < 3.8.12 #12374
• Fixed: Multiple cURL Vulnerabilities #12434
• Changed: Add note in log settings that disabling logging also disables sshguard login protection #12511
• Fixed: Kernel panic in nd6_dad_timer() #12548

PHP Interpreter

• Fixed: diag_dump_states.php no longer filters by rule ID #12605

PPP Interfaces

• Fixed: PPP interfaces lose the description field in ifconfig output when restarted #11959

PPPoE Server

• Added: Option to select PPPoE Server authentication protocol #12438

Package System

• Fixed: Package <plugins> and <tabs> content missing from configuration in some cases #11290
• Added: Add librdkafka package to the pfSense package repository #12290
• Fixed: PHP error on pkg_mgr_install.php when multiple instances are running #12713
• Fixed: Potential XSS in pkg.php via pkg_filter #12725

RRD Graphs

• Added: Graph for hardware temperature readings #9297

Routing

• Fixed: Static routes using aliases are not automatically updated when alias content changes #7547
• Fixed: Input validation does not prevent removing a gateway used by a DNS server #8390
• Fixed: Kernel route table entries are removed if they match disabled static route entries #10706
• Fixed: Modifying static routes results in a logged error, changes are not reflected in routing table #11599
• Added: Require user to manually apply changes after altering static route entries #11895
• Fixed: Route data collection method on diag_routes.php has multiple issues #12257

Rules / NAT

• Added: IPv6 support in easyrule CLI script #11439
• Fixed: NAT rule overlap detection is inconsistent #11734
• Fixed: Input validation not working for 1:1 NAT entries using an alias as a destination #11923
• Fixed: easyrule script does not function properly #12151
• Fixed: IPv6 policy routing does not work if an IPsec tunnel phase 2 remote network is configured for ::/0 #12164
• Fixed: 1:1 NAT rule with internal IP address of “Any” results in an invalid firewall rule #12168
• Fixed: Firewall rule tabs load slowly when many rules on the tab utilize gateways #12174
• Fixed: VIP network addresses are not expanded on Port Forward rules #12233
• Fixed: Duplicating a Port Forward does not copy “Filter Rule Association” values of “None” or “Pass” #12272
• Added: Display default “Reflection Timeout” value on system_advanced_firewall.php #12318
• Fixed: NAT rule overlap detection does not check special networks #12361
• Fixed: Input validation prevents creating 1:1 NAT rules on OpenVPN #12408
• Fixed: 1:1 NAT edit page lists incorrect entries in the Destination field #12410
• Added: Icon for traffic direction on floating rules tab #12433
• Fixed: Port forward rules are not created for special networks (pppoe, openvpn) #12452
• Fixed: Automatic outbound NAT for reflection does not support IPv6 #12500
• Fixed: Interface group name starting with a digit creates invalid XML for rule separators #12529
• Added: Change Gateway/Group name in firewall rule list to clickable link to edit page for the entry #12555
• Fixed: Automatic rule tracker IDs incorrect after multiple filter reloads #12588
• Fixed: PHP error when clicking Delete on Outbound NAT with no rules selected #12694

SNMP

• Added: IPv6 support for base system SNMP service #12325

Services

• Fixed: System attempts to stop inactive services at shutdown #12001
• Fixed: System attempts to start inactive services at boot #12038

Traffic Shaper (ALTQ)

• Added: IPv6 support in the Traffic Shaper Wizard #4769
• Fixed: Panic when using CBQ traffic shaping #11470
• Added: Allow Chelsio T6 CXGBE (cc) drivers to be used for ALTQ traffic shaping #12499
• Changed: Traffic shaper wizard default bandwidth type should be Mbit/s #12501

Traffic Shaper (Limiters)

• Fixed: Unable to delete limiter referenced in filter rules #12503
• Fixed: Kernel panic when using fq_pie limiter scheduler #12622

UPnP/NAT-PMP

• Added: UPnP/NAT-PMP STUN configuration options #10587

Upgrade

• Changed: pfSense-upgrade should reinstall all packages on new version upgrades #12235

User Manager / Privileges

• Added: Copy button for group entries in the User Manager #12226

Virtual IP Addresses

• Fixed: Validation when deleting a VIP does not check if the VIP is used by IPsec phase 1 entries #12356
• Fixed: Validation when deleting a VIP does not prevent deleting a CARP VIP used as a parent for an IP Aliases VIP #12362

Wake on LAN

• Added: Wake on LAN button to wake all devices #12480

Web Interface

• Changed: Update font formats to WOFF2 #11507
• Fixed: DHCP Leases page and ARP table page fail to load if DNS is not available #11512
• Fixed: Notifications page cannot be saved without configuring or disabling SMTP #12107
• Changed: Convert help shortcut links to server-side redirects #12314
• Fixed: Help text for RAM disk settings does not mention Captive Portal data #12389
• Fixed: Input validation error can unintentionally result in removal of PPP type interface settings #12498

Wireless

• Fixed: wpa_supplicant uses 100% of a CPU core at boot #11453
• Fixed: Interfaces page does not show Wireless EAP client options #12239

XMLRPC

• Fixed: XMLRPC sync results in an error when a failover peer IP address is specified in DHCP server settings for an unconfigured interface #10955
• Added: XMLRPC synchronization for DHCP relay settings #11957
• Changed: XMLRPC client improvements #12051
• Fixed: Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync #12075

Quelle: Releases — 22.01/2.6.0 New Features and Changes | pfSense Documentation (netgate.com)