pfSense 2.0.1 release is now available. This is a maintenance release with some bug and security fixes since 2.0 release. This is the recommended release for all installations. As always, you can upgrade from any previous release to 2.0.1, so if you haven’t upgraded to 2.0 yet, just upgrade straight to 2.0.1. For those who use the built in certificate manager, pay close attention to the notes below on a potential security issue with those certificates.
The following changes were made since 2.0 release.
- Improved accuracy of automated state killing in various cases (#1421)
- Various fixes and improvements to relayd
- Added to Status > Services and widget
- Added ability to kill relayd when restarting (#1913)
- Added DNS load balancing
- Moved relayd logs to their own tab
- Fixed default SMTP monitor syntax and other send/expect syntax
- Fixed path to FreeBSD packages repo for 8.1
- Various fixes to syslog:
- Fixed syslogd killing/restarting to improve handling on some systems that were seeing GUI hangs resetting logs
- Added more options for remote syslog server areas
- Fixed handling of ‘everything’ checkbox
- Moved wireless to its own log file and tab
- Removed/silenced some irrelevant log entries
- Fixed various typos
- Fixes for RRD upgrade/migration and backup (#1758)
- Prevent users from applying NAT to CARP which would break CARP in various ways (#1954)
- Fixed policy route negation for VPN networks (#1950)
- Fixed “Bypass firewall rules for traffic on the same interface” (#1950)
- Fixed VoIP rules produced by the traffic shaper wizard (#1948)
- Fixed uname display in System Info widget (#1960)
- Fixed LDAP custom port handling
- Fixed Status > Gateways to show RTT and loss like the widget
- Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth - CVE-2011-4197
- Improved certificate generation to specify/enforce type of certificate (CA, Server, Client) - CVE-2011-4197
- Clarified text of serial field when importing a CA (#2031)
- Fixed MTU setting on upgrade from 1.2.3, now upgrades properly as MSS adjustment (#1886)
- Fixed Captive Portal MAC passthrough rules (#1976)
- Added tab under Diagnostics > States to view/clear the source tracking table if sticky is enabled
- Fixed CARP status widget to properly show “disabled” status.
- Fixed end time of custom timespan RRD graphs (#1990)
- Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)
- Fixed OpenVPN ordering of client/server IPs in Client-Specific Override entries (#2004)
- Fixed handling of OpenVPN client bandwidth limit option
- Fixed handling of LDAP certificates (#2018, #1052, #1927)
- Enforce validity of RRD graph style
- Fixed crash/panic handling so it will do textdumps and reboot for all, and not drop to a db> prompt.
- Fixed handling of hostnames in DHCP that start with a number (#2020)
- Fixed saving of multiple dynamic gateways (#1993)
- Fixed handling of routing with unmonitored gateways
- Fixed Firewall > Shaper, By Queues view
- Fixed handling of spd.conf with no phase 2’s defined
- Fixed synchronization of various sections that were leaving the last item on the slave (IPsec phase 1, Aliases, VIPs, etc)
- Fixed use of quick on internal DHCP rules so DHCP traffic is allowed properly (#2041)
- Updated ISC DHCP server to 4.2.3 (#1888) - this fixes a denial of service vulnerability in dhcpd.
- Added patch to mpd to allow multiple PPPoE connections with the same remote gateway
- Lowered size of CF images to again fix on newer and ever-shrinking CF cards.
- Clarified text for media selection (#1910)
Notes for certificate generation vulnerability
Certificates generated with the built-in certificate manager in all 2.0 versions prior to 2.0.1 are excessively permissive for non-CA certificates. These certificates can be used as a certificate authority, meaning a user can use their own certificate to create chained certificates. We have defaulted OpenVPN on 2.0.1 and newer versions to not accept chained certificates, which mitigates this. However, if untrusted users have certificates generated from 2.0 release, we suggest re-generating all your certificates and issuing new ones. Certificates generated by easy-rsa and imported into 2.0 are not affected.
If using certificates generated on pfSense for other purposes, you should revoke those and issue new certificates generated on 2.0.1. You must utilize a CRL in that case. To be on the safe side, you may want to start from scratch with a new CA and certificates after deleting all your existing ones if this applies to you.
Thanks to Florent Daigniere for bringing this issue to our attention and helping confirm our resolution.
It is very important to read the upgrade guide before performing an upgrade for those still on 1.2.x versions.
NOTE: With 2.0 release and newer versions, we’re now also building the oft-requested nanobsd embedded version with VGA! You’ll find alternate builds with VGA in the filename, which are the VGA-enabled versions. Only use these on hardware with VGA video. The regular serial version must be used on all hardware that has only a serial port, like the popular PC Engines and Soekris models amongst others, as they will not boot or function correctly otherwise.