2.3.4 New Features and Changes

Security / Errata

  • Updated base OS to FreeBSD 10.3-RELEASE-p19

  • FreeBSD/ports Security Advisories

    • Updated ntpd to 4.2.8p10_2 ( FreeBSD-SA-17:03.ntp.asc )

    • Updated cURL to 7.54.0 ( CVE-2017-7407, CVE-2017-7468 )

    • Updated libevent to 2.1.8 ( CVE-2016-10197, CVE-2016-10196, CVE-2016-10195 )

  • pfSense® Software Advisories

    • Fixed encoding of displayed values from DHCP leases to prevent a badly formatted DHCP lease hostname from causing a potential XSS #7497 ( pfSense-SA-17_04.webgui )

  • See the Certificates section below for an important note about GUI certificate errors on Chrome 58 and later

Certificates

  • Improved certificate generation to always include the CN as the first Subject Alternative Name (SAN), which fixes issues with Chrome 58+ #7496

    • To work around an error with the firewall GUI certificate on Chrome 58+, take one of the following actions:

      • Generate and activate a new GUI certificate automatically, from the console/shell: pfSsh.php playback generateguicert

      • Utilize the ACME package to generate a trusted certificate for the GUI via Let’s Encrypt

      • Create your own new CA/Server certificate and use that for the GUI

      • Activate the local browser “EnableCommonNameFallbackForLocalAnchors” option in Chrome 58 (this setting will be removed by Chrome eventually, so this is only a temporary fix)

  • Fixed linking of a certificates to its CA after submitting the signed version of a CSR #7512

Firewall Rules/NAT/Shaper

  • Fixed restarting the Load Balancer (relayd) clearing system tables/aliases #7396

  • Fixed ruleset generation to notify when an unresolvable alias is encountered by the parser #7421

  • Fixed handling of a rule using an empty port alias #7428

  • Fixed the traffic shaping wizard handling of SMB rules in Raise/Lower Other Protocols, it was producing an invalid rule #7434

  • Fixed handling of alias renaming after input validation #7473

  • Fixed handling of long rule descriptions #7294

Dashboard

  • Improved formatting in the gateways widget by reducing the numeric precision of displayed values #6841

  • Fixed the NTP widget to show the server time instead of client time #7245

  • Added a “None” option to Widgets with filtering options #7318

  • Added PPPoE uptime display on the Interfaces dashboard widget #6032

  • Added filters to more dashboard widgets #7122

  • Added BIOS information to the System Information widget

  • Added Netgate Unique ID to the System Information widget

    • This identifier for support services is only displayed on the Dashboard for information purposes and is not transmitted anywhere automatically by default. In the future, customers can use this identifier when requesting support information from our staff or systems.

Configuration

  • Fixed issues restoring a configuration containing packages when the firewall does not have Internet connectivity #6594

  • Fixed factory reset when Captive Portal has Vouchers enabled #7508

  • Cleaned up unused code in diag_backup.php

Interfaces

  • Changed interface handling so it retains the original vendor MAC address at power up when spoofing, so it can be restored without a reboot #7011

  • Fixed interface assignment of QinQ interfaces #4669

  • Fixed errors in PPP service provider selection when a country without providers is selected #7399

  • Fixed input handling when editing static IP address fields on interfaces #7493

  • Added the ability for DHCP Client WANs to specify a list of IP addresses from which to reject leases #7510

User Manager / Authentication

  • Added a warning to system_authservers.php to warn that RADIUS does not work with IPv6 #4154

  • Added a status icon to the User Manager to show if a user is enabled or disabled #7517

General GUI

  • Added navigation links to breadcrumbs #7099

  • Improved service name support and error handling in pfSenseHelpers.js #7445

DHCP

  • Changed dhcpleases so it does not start when DHCP Relay is enabled #6750

  • Fixed checks for DHCP Relay being enabled/disabled so they are skipped when editing an additional pool

ARP / NDP

  • Added the ability to delete NDP entries #7513

  • Added expiration field to NDP listing #7514

Misc

  • Fixed DNS issues when upgrading NanoBSD #7345

  • Fixed the Reset Demotion Status for CARP to function when the demotion value is negative #7424

  • Fixed editing of Host Overrides in the DNS Resolver/Forwarder pages #7435

  • Fixed service handling (start/stop/restart) for Captive Portal #7444

  • Fixed display of the ALTQ “queue” view in pfTop due to recent changes in the pfTop port #7461

  • Added support for the Dynamic DNS Client Hover #7511

  • Fixed UTF-8 handling in Base64 decoding on diag_edit.php

  • Fixed handling of traffic graph data irregularities #7515

  • Added visual separation to the legend on the installed packages list #7203

  • Changed SMTP and Growl notification test to use the new, unsaved settings #7516