2.2.2 New Features and Changes

Security/Errata Notices

  • pfSense-SA-15_05.webgui: Multiple XSS Vulnerabilities in the pfSense® WebGUI

  • FreeBSD-SA-15:09.ipv6: Denial of Service with IPv6 Router Advertisements. Where a system is using DHCPv6 WAN type, devices on the same broadcast domain as that WAN can send crafted packets causing the system to lose IPv6 Internet connectivity.

  • FreeBSD-SA-15:06.openssl: Multiple OpenSSL vulnerabilities. Most aren’t applicable, and worst impact is denial of service.

Rules / NAT

  • Added hidden config option to disable blocking of link-local IPv4 (169.254.0.0/16) for the rare instances where it’s required. Not recommended, violates RFC 3927.

  • Fixed invalid ruleset generation when using port forwards with destination “any” on a DHCP client WAN-type interface, have pure NAT mode reflection enabled, and have the interface with link up but unable to reach a DHCP server for an extended period. #4564

  • Allow the use of version IPv4+IPv6 on firewall rules without restrictions on protocol. The former restrictions date back to earlier base software versions, and are no longer applicable.

  • Omit route-to from rules specifying a specific gateway when that gateway is forced down. #4566

  • Use the subnet address when forming rules for networks, rather than the interface IP address

  • Added SCTP to the protocol drop-down for firewall rules

IPsec

  • Enforce disabling of “prefer old SAs” option. When the GUI configuration checkbox was removed in 2.2.1, it fell through to the default of the underlying software in many cases, leaving the option enabled instead of disabled. Having this option enabled will cause connectivity problems after rekeying in many circumstances. Upgrading to 2.2.2 will fix this.

  • strongSwan upgraded to 5.3.0

  • Don’t apply mobile IPsec phase 2 PFS configuration to non-mobile IPsec. #4538

  • Correct applying of uniqueid configuration. #4359

  • Bring back automatic exclusion of LAN subnet to LAN IP for scenarios where remote IPsec overlaps with local LAN subnet. #4504

  • Enable ike_name for daemon logging, adding connection identifiers to IPsec logs that can be correlated to output of ‘ipsec statusall’ (GUI log viewer integration to come).

DNS Forwarder/Resolver

  • Fix DNS registration of hostname “0” #4573

  • Domain overrides to multiple server IPs are possible in DNS Resolver. Add message noting this, and how to achieve it. #4350

  • Always configure user-specified DNS servers in the Unbound configuration, to make its behavior consistent with dnsmasq

  • Only list nameservers once in resolv.conf

Wireless

  • Atheros wireless driver updated to latest from FreeBSD 11-CURRENT. Not many changes since 2.2.1-RELEASE. #4582

  • Wireless cards removed from ALTQ-capable interfaces (traffic shaper capability) since that isn’t supported at the moment. #4406

  • New option “auto” added for Standard. This omits configuring mode with ifconfig, which currently can trigger driver problems that don’t exist when not specified. Standard “auto” is preferred, and possibly required, for BSS and IBSS wireless modes with Atheros cards (at a minimum, potentially others).

IPv6

  • Make sure ‘DHCPv6 Prefix Delegation size’ is provided if ‘Send IPv6 prefix hint’ flag is checked to avoid generating invalid dhcp6c configuration file.

  • DHCPv6 Relay fixed. #4572

  • Allow “0” for id-assoc na ID, id-assoc pd ID, sla-id and sla-len DHCP6 configuration options. #4547

  • Fix the use of multiple prefixes in IPv6 router advertisements. #4468

Other

  • Clean up logic in OpenVPN resync code. Discussion here and additional change here.

  • SSL certificate validation disabled for selfhost - their certificate chain had a problem that made OpenSSL fail verification, making the service non-functional. #4545 The provider fixed the issue after 2.2.2-RELEASE, so verification has been re-enabled for 2.2.3 and newer.

  • Fix error in traffic shaping wizard. #4529

  • Fix broken image path. #4530

  • A variety of minor text clean up in web interface.

  • Remove some code no longer used in a few places.

  • Clean up of code path when adding a new user. #4620

  • Make sure RRD backup is not restored when /var memory disk is not in use. #4531

  • Show friendly name of the interface on custom RRD graph drop-down selection

  • PHP upgraded to 5.5.23

  • Prevent a user from adding a VLAN using the invalid ID “0”

  • Cleanup display of times in DHCP leases

  • Use the correct field for voucher “expired” and “no access” messages

  • Fix traffic shaper wizard bandwidth input validation calculations [https://redmine.pfsense.org/issues/4259 #4259

  • Changed Diagnostics > Sockets to display sockets bound to localhost

  • Allow single interface bridges, useful for span ports and when migrating interfaces to a bridge