2.4.4-p1 New Features and Changes

pfSense software version 2.4.4-p1 corrects issues found with 2.4.4-RELEASE.

Security / Errata

  • FreeBSD Errata Notice FreeBSD-EN-18:09.ip: IP fragment remediation causes IPv6 fragment reassembly failure #8934

  • FreeBSD Errata Notice FreeBSD-EN-18:10.syscall NULL pointer dereference in freebsd4_getfsstat system call (CVE-2018-17154)

  • FreeBSD Errata Notice FreeBSD-EN-18:11.listen Denial of service in listen syscall over IPv6 socket (CVE-2018-6925)

  • FreeBSD Errata Notice FreeBSD-EN-18:12.mem Small kernel memory disclosures in two system calls (CVE-2018-17155)

  • Fixed a potential authenticated command injection issue with PowerD settings pfSense-SA-18_09.webgui #9061

  • Fixed handling of privileges on the All group that were previously ignored #9051

    Warning

    Check the privileges on the All group before upgrading to avoid unintended privileges for accounts being respected that were not honored before

Certificates

  • Fixed CRL lifetime errors due to 2038 rollover on 32-bit ARM platforms #9098
  • Fixed date display of CA/Certificate validity ending dates after 2038 rollover on 32-bit ARM platforms #9100
  • Fixed PHP errors when creating certificate entries #9099

DNS

  • Updated Unbound to 1.8.1 to address issues with memory leaks, especially in DNS over TLS support #9059
  • Fixed issues with the DNS search domain for the firewall being omitted from resolv.conf in certain cases #9056
  • Fixed PHP errors in the DNS Forwarder #8967

Dynamic DNS

  • Fixed an issue with FreeDNS Dynamic DNS sending an IP address with an update #8924
  • Fixed issues with Custom (v6) Dynamic DNS logging a hostname error #8977

DHCP Server

  • Fixed issues with DHCPv6 network boot settings #8949

Routing/Gateways

  • Reduced the logging output of gateway change events #8914
  • Fixed an issue with dpinger PID files causing it to get stuck in Pending status #8921
  • Fixed display of a configured gateway monitor IP address when gateway monitoring is disabled #8953
  • Fixed issues with double quotes in gateway descriptions causing a blank gateway drop-down on firewall rules #8962
  • Fixed an issue where the default gateway was lost in certain cases with HA after a CARP VIP status transition #8465

IPsec

  • Updated strongSwan to 5.7.1 #8898
  • Added 0.0.0.0/0 to both sides of an IPsec VTI P2 to allow connections with third-party routed IPsec implementations that require its presence #8859
  • Fixed boot-time handling of IPsec VTI static routes #9116
  • Fixed IKEv2 EAP Identity/Client ID matching so that it is strictly performed, to avoid users getting incorrect per-user settings #9055
  • Fixed handling of RADIUS server names containing a . in the IPsec configuration with strongSwan 5.7.1 #9106
  • Updated AWS IPsec wizard to use EC2 instance profiles and security groups, and switched the wizard from OpenBGPD to FRR

Interfaces/VIPs

  • Fixed issues with DHCP client MTU causing interface configure loops when advanced options are present #8507

  • Fixed issues with the Hyper-V hn(4) driver and ALTQ #8954

  • Fixed issues with Hyper-V hn(4) interfaces dropping UDP6 traffic when transmit checksums were enabled #9019

  • Fixed an issue with IGMP proxy failing to start on PPPoE interfaces #8935

  • Fixed an issue with IPv6 Transmit checksums not being disabled when hardware checksums were set to be disabled #8980

  • Updated mpd to 5.8_8 to address issues with Orange MTU #8995

  • Fixed PPPoE service name checks to allow : and other alphanumeric characters #9002

  • Fixed PHP errors when creating QinQ entries #9109

  • Fixed the MAC address shown when editing a LAGG entry to always show the hardware MAC for each NIC and not the currently active address, which is no longer accurate for LAGG members #8937

  • Fixed a PHP error when setting an interface address to act as a DHCP server from the console, when no other DHCP servers are already configured #9144

  • Fixed a situation where editing a VLAN interface caused all other VLAN interfaces with the same parent to be reconfigured, which led to several other issues #9115

    Warning

    Editing a VLAN parent interface can still cause problems. If this becomes an issue on a firewall, consider moving from using the untagged parent to having that traffic be tagged so that the parent interface is not assigned or in use. #9154

    Known issues include:

    • PPPoE instances on VLANs will not reconnect after the interface is reconfigured #9148
    • VLAN interfaces that use IPv6 tracking may lose their addresses #9136

Hardware/Platform

  • Fixed handling of EFI console when a device boots from UEFI, where vidconsole is not valid #8978

  • Fixed PHP errors in switch configuration on platforms including integrated switches

  • Added support for SG-5100 hardware watchdog

    Note

    Enable the Watchdog daemon under System > Advanced on the Miscellaneous tab, and then reboot and enable it in the BIOS with a timeout longer than the timeout configured in the GUI.

User Management / Authentication

  • Fixed handling of privileges on the All group that were previously ignored #9051

    Warning

    Check the privileges on the All group before upgrading to avoid unintended privileges for accounts being respected that were not honored before

  • Added GUI options to control sshguard sensitivity and whitelisting to allow users to fine-tune the behavior of the brute force login protection #8864

  • Added an option to enable SSH agent forwarding (disabled by default) #8590

  • Fixed inconsistencies with ssh settings in the configuration #8974

  • Fixed PHP errors with ssh settings #8606

  • Added support for LDAP client certificates on authentication servers (Factory only) #9007

  • Fixed an issue with Local Database authentication when using non-English languages in certain cases, such as with Captive Portal #9086

Captive Portal

  • Fixed Captive Portal RADIUS NAS Identifier default values to include the zone name #8998
  • Restored the ability to set a custom NAS Identifier on Captive Portal RADIUS settings #8998
  • Fixed issues with Captive Portal logout popup #9010
  • Fixed handling of the login page displayed when RADIUS MAC Authentication fails #9032
  • Fixed username sent in RADIUS accounting with MAC-based authentication #9131
  • Fixed an issue with the blocked MAC address redirect URL #9114

WebGUI / Dashboard

  • Fixed nginx restart handling when toggling GUI web server options under System > Advanced, Admin Access tab
  • Fixed empty crash reports after upgrade #8915
  • Added CDATA protection to common name fields so they can safely contain international characters #9006

Firewall Rules / Aliases / NAT

  • The filterdns daemon has been rewritten, solving a number of issues with the old implementation, including:
    • Fixes filterdns triggering every 16 seconds even when DNS records have not changed #7143
    • Fixes invalid FQDN entries in aliases causing an alias table to fail silently #8001
    • Fixes filterdns failing on a regular basis #8758
  • Fixed /etc/rc.kill_states not correctly parsing pfctl output #8554
  • Fixed formatting of alias names to still wrap but not replace underscores #8893
  • Fixed PHP errors from filter_rules_sort() when a configuration contains no rules #8993
  • Fixed PHP errors when creating schedules #9009
  • Fixed PHP errors when creating entries on NAT pages #9080
  • Fixed PHP errors from easyrule when no aliases are present #9119
  • Fixed “Drag to reorder” description in rule list when rule drag-and-drop is disabled #9128

Traffic Shaping (ALTQ/Limiters)

  • Fixed issues with Limiter queue display on upgraded configurations #8956
  • Fixed the default limiter scheduler to match previous version (WF2Q+) #8973
  • Added scheduler information to the limiter information page #8973

Packages

  • Fixed issues with package installation causing problems when crossing major PHP versions #8938
  • Fixed PHP errors when installing packages #9067

Backup/Restore

  • Added schedule (cron) support to AutoConfigBackup #8947
  • Fixed issues with AutoConfigBackup restoring a configuration from a different host #8901
  • Fixed the AutoConfigBackup menu from the deprecated package still showing when the package is no longer present #8959
  • Fixed an issue with Reinstall Packages hanging when run from Diagnostics > Backup & Restore #8933
  • Fixed issues with multiple <rrddata> tags in config.xml #8994
  • Fixed a race condition in package operations after a configuration restore that could lead to no packages being reinstalled #9045
  • Fixed issues with the External Config Locator not finding a config.xml in /config #9066
  • Fixed an issue where packages may not be reinstalled during a configuration restore performed immediately after a fresh install #9071
  • Fixed a stream_select() error when restoring packages #9102

Wake on LAN

  • Fixed issues with ordering of entries in Wake on LAN #8926
  • Added top control buttons to Wake on LAN for Add and Wake all Devices when there are more than 25 entries #8943

NTP

  • Fixed issues with NTP status when using noquery in the default permissions along with a specific ACL for localhost #7609

Logging / Notifications

  • Fixed an issue with log file sizes >= 2^32/2 #9081
  • Fixed PHP errors when saving log settings #9095
  • Added a checkbox to disable TLS certificate verification for SMTP notifications #9001

Install/Upgrade

  • Added a FAT partition to the installer memstick to make it easier to restore a config.xml file during the install process. Also includes a copy of the license and a README. #9104
  • Fixed PHP errors in upgrade code for IPsec #9083

Miscellaneous

  • Fixed HTTPS proxy authentication support for connections on the firewall itself #9029
  • Clarified wording of Kernel PTI options on System > Advanced, Miscellaneous tab #9026
  • Added a Save button to Status > Traffic Graphs to store default settings to use when loading the page #8976
  • Added support for nvme controllers to the S.M.A.R.T. diagnostics page #9042