Software update: pfSense 2.4.4




pfSense logo (75 pix) Version 2.4.4 of pfSense has been released. This package is based on the FreeBSD operating system and focuses on router and firewall tasks. It started in 2004 as a demerger of m0n0wall because of different visions of the developers and over the years has grown into a router and firewall package that can be used in both small and very large environments. For more information we refer to this page . The highlights for this issue are as follows:

Free pfSense Gold Content
With the release of pfSense 2.4.4, all former pfSense Gold content is now free for all !

AutoConfigBackup is integrated into pfSense version 2.4.4 and free for all to use. It is no longer an add-on package. It is now located under Services> Auto Config Backup.
All hangout videos are available on YouTube , and future hangouts are being broadcast using YouTube Live.
The pfSense Book is now available on the Netgate website .
New Features
2.4.4 includes a number of significant new features:

OS Upgrade: Base Operating System upgraded to FreeBSD 11.2-RELEASE-p3. As part of moving to FreeBSD 11.2, support is included for C3000-based hardware.
PHP 7.2: PHP upgraded to version 7.2, which required changes to syntax throughout the source code and packages.
Routed IPsec (VTI): Routed IPsec is now available using FreeBSD if_ipsec(4) Virtual Tunnel Interfaces (VTI).
IPsec Speed ‚Äč‚ÄčImprovements: The new Asynchronous Cryptography option under the IPsec Advanced Settings tab can dramatically improve IPsec performance on multi-core hardware.
Default Gateway Group: The default gateway may be configured using a Gateway Group setup for failover, which replaces Default Gateway Switching.
Limiter AQM / Queue Schedulers: Limiters now include support for several Active Queue Management (AQM) methods and Queue Scheduler configurations such as FQ_CODEL.
Certificate Subject Requirements: The Certificate Manager and OpenVPN wizard now only require the Common Name, and all other fields are optional.
DNS about TLS: The DNS Resolver now includes support for DNS on TLS as both a client and a server, including for domain overrides.
Captive Portal Authentication: Captive Portal authentication is now integrated with the User Manager system. Captive Portal instances may use RADIUS, LDAP, or Local Authentication like other integrated services.
Captive Portal HTML Design and Usability: The default Captive Portal page has been redesigned. Controls have also been added and modified custom HTML code.
Integrated Switch Improvements: Netgate devices with integrated switches such as SG-3100 and XG-7100 can now configure per-port speed and duplex settings, discrete port configuration interfaces can now be connected to ports for up / down status, and LAGG support is also now available (Load Balance mode only)
New Hardware: Support has been added for the new SG-5100 .
… and more !
This release includes several important security patches:

FreeBSD SA for CVE-2018-6922: Resource exhaustion in TCP reassembly FreeBSD-SA-18: 08.tcp
FreeBSD SA for CVE-2018-3620, CVE-2018-3646: L1 Terminal Fault (L1TF) Kernel Information Disclosure FreeBSD-SA-18: 09.l1tf
FreeBSD SA for CVE-2018-6923: Resource exhaustion in IP fragment reassembly FreeBSD-SA-18: 10.IP
FreeBSD SA for CVE-2018-14526: Unauthenticated EAPOL-Key Decryption Vulnerability FreeBSD-SA-18: 11.hostapd
FreeBSD SA for CVE-2018-6924: Improper ELF header parsing FreeBSD-SA-18: 12.elf
FreeBSD errata notice for LazyFPU remediation causing potential data corruption FreeBSD-EN-18: 08.lazyfpu
Fixed two potential XSS vectors and authenticated command execution issue.
Upgraded several binary packages in the base system to address upstream vulnerabilities, including strongSwan CVE-2018-5388, OpenSSH CVE-2018-15473, and cURL CVE 2018-14618
Updated default cryptographic settings for OpenVPN, IPsec, and Certificates
Changed the included DH groups to those defined in RFC 7919
Added stronger IPsec Pre-Shared Key usage warnings, and a button to generate a secure PSK
Changed from sshlockout_pf to sshguard for monitoring failed logins and locking out offenders.
Disabled OpenVPN compression by default on new instances for security reasons due to VORACLE

Users are strongly urged to disable compression on OpenVPN instances if they pass unencrypted data such as HTTP to arbitrary Internet sites.
Notable Bug Fixes
In addition to security fixes, pfSense software version 2.4.4 also includes important bug fixes.

Fixed an issue with ARM hardware not completely halting when shut down ( SG-3100 and SG-1000 )
Fixed HDMI hotplug issues on Minnowboard Turbot hardware (MBT-2220 and MBT-4220)
Fixed SG-1000 autonegotiation for 10baseT speed and duplex
… and many more !
pfSense 2.3.3 screenshot (810 pix)

Version number 2.4.4
Release status Final
Operating systems BSD
License type Conditions (GNU / BSD / etc.)


In: A Technology & Gadgets Asked By: [23633 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »