pfSense® version 2.3.x will reach end of life (EOL) on 31 October 2018. It is time to roll out updates on the affected security platforms to compatible hardware, such as these Netgate appliances. While pfSense version 2.3.x will keep operating, a firewall is only as good as its updates. New vulnerabilities are discovered continuously, so the longer an unsupported version stays in use, the greater the likelihood that it will be affected. Consult the pfSense Book for information on upgrading an existing installation so that the update goes smoothly.
pfSense software version 2.4.4 provides security patches, numerous new features, support for the new Netgate hardware models, and stability fixes for problems present in versions prior to pfSense 2.4.x.
Below we share some very useful information on the subject.
If you need help performing the upgrade, or want to do a fresh install of this new 2.4.x version, do not hesitate to contact us.
2.4.4 includes a number of significant new features:
- OS Upgrade: Base Operating System upgraded to FreeBSD 11.2-RELEASE-p3. As a part of moving to FreeBSD 11.2, support is included for C3000-based hardware.
- PHP 7.2: PHP upgraded to version 7.2, which required numerous changes to syntax throughout the source code and packages.
- Routed IPsec (VTI): Routed IPsec is now possible using FreeBSD if_ipsec(4) Virtual Tunnel Interfaces (VTI).
- IPsec Speed Improvements: The new Asynchronous Cryptography option under the IPsec Advanced Settings tab can dramatically improve IPsec performance on multi-core hardware.
- Default Gateway Group: The default gateway may now be configured using a Gateway Group setup for failover, which replaces Default Gateway Switching.
- Limiter AQM/Queue Schedulers: Limiters now include support for several Active Queue Management (AQM) methods and Queue Scheduler configurations such as FQ_CODEL.
- Certificate Subject Requirements: The Certificate Manager and OpenVPN wizard now only require the Common Name to be set, and all other fields are optional.
- DNS over TLS: The DNS Resolver now includes support for DNS over TLS as both a client and a server, including for domain overrides.
- Captive Portal Authentication: Captive Portal authentication is now integrated with the User Manager system. Captive Portal instances may now use RADIUS, LDAP, or Local Authentication like other integrated services.
- Captive Portal HTML Design and Usability: The default Captive Portal page has been redesigned. Controls have also been added which allow the logo and background images and Terms of Service text to be customized without editing and uploading custom HTML code.
- Integrated Switch Improvements: Netgate devices with integrated switches such as the SG-3100 and XG-7100 can now configure per-port speed and duplex settings, discrete port configuration interfaces can now be tied to switch ports for up/down status, and LAGG support is also now available (Load Balance mode only).
- New Hardware: Support has been added for the new SG-5100.
- … and more!
This release includes several important security patches:
- FreeBSD SA for CVE-2018-6922: Resource exhaustion in TCP reassembly FreeBSD-SA-18:08.tcp
- FreeBSD SA for CVE-2018-3620, CVE-2018-3646: L1 Terminal Fault (L1TF) Kernel Information Disclosure FreeBSD-SA-18:09.l1tf
- FreeBSD SA for CVE-2018-6923: Resource exhaustion in IP fragment reassembly FreeBSD-SA-18:10.ip
- FreeBSD SA for CVE-2018-14526: Unauthenticated EAPOL-Key Decryption Vulnerability FreeBSD-SA-18:11.hostapd
- FreeBSD SA for CVE-2018-6924: Improper ELF header parsing FreeBSD-SA-18:12.elf
- FreeBSD errata notice for LazyFPU remediation causing potential data corruption FreeBSD-EN-18:08.lazyfpu
- Fixed two potential XSS vectors and an authenticated command execution issue.
- Upgraded several binary packages in the base system to address upstream vulnerabilities, including strongSwan CVE-2018-5388, OpenSSH CVE-2018-15473, and cURL CVE-2018-14618
- Updated default cryptographic settings for OpenVPN, IPsec, and Certificates
- Changed the included DH groups to those defined in RFC 7919
- Added stronger IPsec Pre-Shared Key usage warnings, and a button to generate a secure PSK
- Switched to sshguard for monitoring failed logins and locking out offenders; this allows the lockout to work on IPv4 and IPv6 and also terminates states when adding offenders to the block list
- Disabled OpenVPN compression by default on new instances for security reasons due to VORACLE
- Users are strongly urged to disable compression on OpenVPN instances if they pass unencrypted data such as HTTP to arbitrary Internet sites.
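A quick way to act on the VORACLE advice above is to audit the OpenVPN configuration for directives that actually enable a compression algorithm. The following is an added example, not pfSense project code; it assumes OpenVPN 2.4 directive syntax and that pfSense writes its generated instance configs under /var/etc/openvpn/ (an assumption about the path). Bare `compress`, `compress stub`/`stub-v2` and `comp-lzo no` only keep packet framing and do not compress data, so they are not reported.

```shell
#!/bin/sh
# Added example (not pfSense project code): audit an OpenVPN config for
# directives that enable compression, which VORACLE abuses. Framing-only
# settings (bare "compress", "compress stub", "comp-lzo no") are ignored.

# Reads OpenVPN config text from stdin and prints each directive that turns
# on a compression algorithm, including ones wrapped in push "...".
compression_directives() {
    # Unwrap pushed options: push "comp-lzo yes" -> comp-lzo yes
    sed -e 's/^[[:space:]]*push[[:space:]]*"//' -e 's/"[[:space:]]*$//' |
    while read -r key arg _; do
        # Comment lines start with # or ; and never match below.
        case "$key $arg" in
            'comp-lzo '|'comp-lzo yes'|'comp-lzo adaptive') ;;
            'compress lzo'|'compress lz4'|'compress lz4-v2') ;;
            *) continue ;;
        esac
        printf '%s\n' "$key${arg:+ $arg}"
    done
}

# Returns 0 (true) when compression is enabled anywhere in the config.
compression_enabled() {
    [ -n "$(compression_directives)" ]
}

# Constructed sample config for offline demonstration.
SAMPLE_CONF='dev ovpns1
proto udp4
# comp-lzo adaptive   (commented out, must be ignored)
comp-lzo no
push "compress lz4-v2"
cipher AES-256-GCM'

# Real use on the firewall (path is an assumption):
#   cat /var/etc/openvpn/server1.conf | compression_directives
```

Any line printed identifies an instance whose Compression setting should be changed to a framing-only or disabled value in the GUI.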
NOTABLE BUG FIXES
In addition to security fixes, pfSense software version 2.4.4 also includes important bug fixes.
- Fixed an issue with ARM hardware not completely halting when shut down (SG-3100 and SG-1000)
- Fixed HDMI hotplug issues on Minnowboard Turbot hardware (MBT-2220 and MBT-4220)
- Fixed SG-1000 autonegotiation for 10baseT speed and duplex
- … and many more!
Due to the significant nature of the changes in this version of pfSense software, warnings and error messages, particularly from PHP and package updates, are likely to occur during the upgrade process. In nearly all cases these errors are a harmless side effect of the changes between FreeBSD 11.1 and 11.2 and between PHP 5.6 and PHP 7.2.
Always take a backup of the firewall configuration prior to any major change to the firewall, such as an upgrade.
Do not upgrade packages before upgrading pfSense! Either remove all packages or leave the packages alone before running the update.
The upgrade will take several minutes to complete. The exact time varies based on download speed, hardware speed, and other factors such as installed packages. Be patient during the upgrade and allow the firewall enough time to complete the entire process. After the update packages finish downloading it could take 10-20 minutes or more until the upgrade process ends. The firewall may reboot several times during the upgrade process. Monitor the upgrade from the firewall console for the most accurate view.
Consult the Upgrade Guide for additional information about performing upgrades to pfSense software.
Important Information about Upgrading and Installing pfSense software version 2.4.0 and later
If you have not yet upgraded to pfSense version 2.4.0 or later, read the information in the 2.4.0 Release Announcement before updating for important information that may impact the ability of a firewall to upgrade to pfSense version 2.4.x.
Non-pfSense Package Warning
Third party packages from alternate repositories are causing problems for users with the upgrade process and also with post-upgrade behavior. These packages have never been supported, and had to be manually added by users outside of the GUI.
Due to the major changes required for FreeBSD 11.2 and PHP 7.2, third party packages from alternate repositories cannot be present during the upgrade. There is no way to predict if a third party package supports the new version or will cause the upgrade itself to fail.
The upgrade process will automatically remove pfSense-pkg-* packages installed from alternate repositories. After the upgrade completes, the user can reinstall these packages. Packages from alternate repositories will not appear in the Installed Packages list in the GUI, and must be entirely managed in the command line.
This change does not affect packages installed from the official pfSense package repository.
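Because packages from alternate repositories are removed silently, it helps to inventory them before starting the upgrade. The following is an added example, not pfSense project code; it parses the output of `pkg query '%n %R'` (package name and originating repository) and assumes that "pfSense" and "pfSense-core" are the only official repository names on a 2.4.x firewall.

```shell
#!/bin/sh
# Added example (not pfSense project code): list pfSense-pkg-* packages that
# did not come from the official repositories, i.e. the ones the 2.4.4
# upgrade will remove. Official repo names assumed: pfSense, pfSense-core.

# Reads "name repo" lines (the format of: pkg query '%n %R') from stdin and
# prints the pfSense-pkg-* packages whose repository is not official.
alt_repo_packages() {
    while read -r name repo; do
        case "$name" in
            pfSense-pkg-*) ;;
            *) continue ;;            # base packages are not GUI packages
        esac
        case "$repo" in
            pfSense|pfSense-core) ;;  # official, unaffected by this change
            *) printf '%s %s\n' "$name" "$repo" ;;
        esac
    done
}

# Returns 0 when no alternate-repository package is present, 1 otherwise.
preupgrade_check() {
    found=$(alt_repo_packages)
    if [ -n "$found" ]; then
        printf 'Alternate-repository packages (removed by the upgrade):\n%s\n' "$found"
        return 1
    fi
    echo "No alternate-repository pfSense-pkg-* packages found."
    return 0
}

# Constructed sample of pkg query '%n %R' output for offline demonstration.
SAMPLE='pfSense-pkg-openvpn-client-export pfSense
pfSense-pkg-pfBlockerNG pfSense
pfSense-pkg-Example-Addon thirdparty
pkg pfSense-core
curl pfSense'

# Real use on the firewall: pkg query '%n %R' | preupgrade_check
```

Record anything the check prints so the packages can be reinstalled from the command line after the upgrade completes.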
If the update system does not offer an upgrade to 2.4.4, or the upgrade will not proceed, take the following steps:
- Navigate to System > Updates
- Set Branch to Latest stable version
- Refresh the repository configuration and upgrade script by running the following commands from the console or shell:
pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
In some cases the repository information may need to be rewritten:
- Navigate to System > Updates
- Set the Branch to Latest Development Snapshots
- Wait for the page to refresh
- Set the Branch to Latest stable version
If the update still does not appear, run the commands above from the console or shell.
2.3.x EOL Reminder
The 2.3.x branch is rapidly approaching its end of life (EOL). Upgrade to 2.4.x on compatible hardware as soon as possible. See pfSense® Release 2.3.x EOL Reminder for more information.
pfSense software is Open Source
For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub:
- Main repository – the web GUI, back end configuration code, and build tools.
- FreeBSD source – the source code, with patches of the FreeBSD base.
- FreeBSD ports – the FreeBSD ports used.
Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.