1.2.3 release is now available! This is a maintenance release in the 1.2.x series, bringing an updated FreeBSD base, some minor enhancements, some bug fixes, and a couple security updates. We’ve been waiting a few weeks in anticipation of a FreeBSD security advisory for the SSL/TLS renegotiation vulnerability, which came last week and allowed us to finalize the release.
Change list
The primary changes from 1.2.2 are listed below.
Upgrade to FreeBSD 7.2 – The FreeBSD base version has changed from 7.0 to 7.2. This also brings fixes for two FreeBSD security advisories. One patching the SSL/TLS renegotiation vulnerability, which is applicable with HTTPS web interface access and potentially with OpenVPN. Another fixes a local root vulnerability, though it isn’t really applicable with pfSense as if you have the access required to exploit this, you already have root, and hence there is nothing to elevate. Warning for those using Intel PRO/100 cards - there is a regression in the fxp driver in FreeBSD 7.2 that may require disabling hardware checksum offloading under System -> Advanced if you have connectivity problems.
Embedded switched to nanobsd - this is a major improvement of our embedded version, and the old embedded has been discontinued. This is explained in detail here.
Dynamic interface bridging bug fix– The bridging bug fix in 1.2.2 introduced a problem with bridging any dynamic/non-Ethernet interface, such as VLANs, tun, tap, etc. which has been fixed.
IPsec connection reloading improvements– When making changes to a single IPsec connection, or adding an IPsec connection, it no longer reloads all your IPsec connections. Only the changed connections are reloaded. That wasn’t a big deal in most environments, but in some it meant you couldn’t change anything in IPsec except during maintenance windows. This is being used in a critical production environment with 400 connections, and works well.
Dynamic site to site IPsec– because of the above change, it was trivial to add support for dynamic DNS hostnames in IPsec. While 1.2.x will not receive new features, this became an exception.
Sticky connections enable/disable– sticky connections were previously only changed status at boot time for the server load balancer.
Ability to delete DHCP leases– A delete button has been added to the DHCP leases page, and when adding a static mapping, the old lease is automatically deleted.
Polling fixed– polling was not being applied properly previously, and the supported interfaces list has been updated.
ipfw state table size– for those who use Captive Portal in large scale environments, ipfw’s state table size is now synced with pf’s state table size.
Server load balancing- ICMP monitor fixed.
UDP state timeout increases– By default, PF does not increase UDP timeouts when set to “conservative”, only TCP. Some VoIP services will experience disconnects with the default UDP state timeouts, setting state type to “conservative” under System -> Advanced will now increase UDP timeouts as well to fix this.
Disable auto-added VPN rules option- added to System -> Advanced to prevent the addition of auto-added VPN rules for PPTP, IPsec, and OpenVPN tun/tap interfaces. Allows filtering of OpenVPN client-initiated traffic when tun/tap interfaces are assigned as an OPT.
Multiple servers per-domain in DNS forwarder overrides- previously the GUI limited you to one server per domain override in the DNS forwarder, you can now put in multiple entries for the same domain for redundancy.
No XMLRPC Sync rules fixed - in some circumstances, rules marked to not sync would sync regardless.
Captive portal locking replaced - the locking used by the captive portal has never been great (same as used in m0n0wall, where a replacement is also under consideration), and in some circumstances in high load environments (hundreds or thousands of users) it could wreak havoc on the portal. This has been replaced with a better locking mechanism that has resolved these issues.
DNS Forwarder now queries all configured DNS servers simultaneously, using the one that responds the fastest. In some circumstances this will improve DNS performance considerably.
Outbound load balancer replaced – The underlying software that does the monitoring and ruleset reloads for outbound multi-WAN load balancing has been replaced. This does not change anything from the user’s perspective, as only back end code changed. This fixed WAN flapping that was experienced by a small number of users.
Downloads
For information on upgrading, see the Upgrade Guide.
pfSense: The Definitive Guide Book
If you haven’t gotten your copy of the book yet (foreword here), it was fully written to account for all the changes in the 1.2.3 release (which were final before it went to print).