We are excited to announce the release of pfSense® software version 2.4.3, now available for new installations and upgrades!
pfSense software version 2.4.3 brings security patches, several new features, support for new Netgate hardware models, and stability fixes for issues present in previous pfSense 2.4.x branch releases.
pfSense 2.4.3-RELEASE updates and installation images are available now!
Highlights
This release includes several important security patches:
- Kernel PTI mitigations for Meltdown (optional tunable), see FreeBSD-SA-18:03.speculative_execution.asc
- IBRS mitigation for Spectre V2 (requires updated CPU microcode), see FreeBSD-SA-18:03.speculative_execution.asc
- Fixes for FreeBSD-SA-18:01.ipsec
- Fixed three potential XSS vectors, and two potential CSRF issues
- CSRF protection for all dashboard widgets
- Updated several base system packages to address CVEs
In addition to security fixes, pfSense software version 2.4.3 also includes important bug fixes.
Notable bug fixes in 2.4.3 include:
- Fixed hangs due to Limiters and pfsync in High Availability configurations
- Imported a netstat fix to improve performance and reduce CPU usage, especially on the Dashboard and ARM platforms
- Fixed a memory leak in the pfSense PHP module
- Fixed DHCPv6 lease display for entries that were not parsed properly from the lease database
- Fixed issues on assign_interfaces.php with large numbers of interfaces
- Fixed multiple issues that could result in an invalid ruleset being generated
- Fixed multiple Captive Portal voucher synchronization issues with HA
- Fixed issues with XMLRPC user account synchronization causing GUI inaccessibility on secondary HA nodes
- … and many more!
There are several new features in 2.4.3; some of the more important ones are:
- Changed IPsec Phase 1 to allow selecting both IPv4 and IPv6 so the local side can allow inbound connections to either address family
- Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and DH groups
- Changed SMTP notifications handling so they are batched, to avoid sending multiple e-mail messages in a short amount of time
- Added options to RFC 2136 Dynamic DNS for server key algorithm and to change the source address used to send updates
- Added VLAN priority tagging for DHCPv6 client requests
- Hardware support for the new XG-7100 including C3000 SoC support, C3000 NIC support, and Marvell 88E6190 switch support (Factory installations only)
- … and more!
To see the rest of the changes, and find more detail, see the Release Notes.
Important Information about Upgrading and Installing pfSense software version 2.4.0 and later
If you have not yet upgraded to pfSense version 2.4.0 or later, read the 2.4.0 Release Announcement before updating. It contains important information that may impact the ability of a firewall to upgrade to pfSense version 2.4.x.
If a firewall cannot be upgraded to pfSense 2.4.x, either by choice or because of hardware limitations, see the pfSense 2.3.5-RELEASE announcement for information on obtaining the latest 2.3.x release.
Reporting Issues
This release is ready for production use. Should any issues come up with pfSense 2.4.3-RELEASE, please post about them on the forum, or on the /r/pfSense subreddit.
Thanks!
pfSense CE software is Open Source
For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub:
- Main repository - the web GUI, back end configuration code, and build tools.
- FreeBSD source - the source code, with patches of the FreeBSD base.
- FreeBSD ports - the FreeBSD ports used.
Download
Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.
Supporting the Project
Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.
- Official appliances direct from Netgate. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
- Commercial Support – Purchasing support from us provides you with direct access to Netgate Global Support.
- Professional Services – For more involved and complex projects outside the scope of support, our most senior engineers are available under professional services.