2.4.4-p1 New Features and Changes

pfSense® software version 2.4.4-p1 corrects issues found with 2.4.4-RELEASE.

Security / Errata

  • FreeBSD Errata Notice FreeBSD-EN-18:09.ip: IP fragment remediation causes IPv6 fragment reassembly failure #8934

  • FreeBSD Errata Notice FreeBSD-EN-18:10.syscall: NULL pointer dereference in freebsd4_getfsstat system call (CVE-2018-17154)

  • FreeBSD Errata Notice FreeBSD-EN-18:11.listen: Denial of service in listen syscall over IPv6 socket (CVE-2018-6925)

  • FreeBSD Errata Notice FreeBSD-EN-18:12.mem: Small kernel memory disclosures in two system calls (CVE-2018-17155)

  • Fixed a potential authenticated command injection issue with PowerD settings pfSense-SA-18_09.webgui #9061

  • Fixed handling of privileges on the All group that were previously ignored #9051

    Warning

    Check the privileges on the All group before upgrading. Privileges assigned to that group were previously ignored; after the upgrade they are honored, so any unintended privileges on the All group will apply to every account.

Certificates

  • Fixed CRL lifetime errors due to 2038 rollover on 32-bit ARM platforms #9098

  • Fixed date display of CA/Certificate validity ending dates after 2038 rollover on 32-bit ARM platforms #9100

  • Fixed PHP errors when creating certificate entries #9099

DNS

  • Updated Unbound to 1.8.1 to address issues with memory leaks, especially in DNS over TLS support #9059

  • Fixed issues with the DNS search domain for the firewall being omitted from resolv.conf in certain cases #9056

  • Fixed PHP errors in the DNS Forwarder #8967

Dynamic DNS

  • Fixed an issue with FreeDNS Dynamic DNS sending an IP address with an update #8924

  • Fixed issues with Custom (v6) Dynamic DNS logging a hostname error #8977

DHCP Server

  • Fixed issues with DHCPv6 network boot settings #8949

Routing/Gateways

  • Reduced the logging output of gateway change events #8914

  • Fixed an issue with dpinger PID files causing it to get stuck in Pending status #8921

  • Fixed display of a configured gateway monitor IP address when gateway monitoring is disabled #8953

  • Fixed issues with double quotes in gateway descriptions causing a blank gateway drop-down on firewall rules #8962

  • Fixed an issue where the default gateway was lost in certain cases with HA after a CARP VIP status transition #8465

IPsec

  • Updated strongSwan to 5.7.1 #8898

  • Added 0.0.0.0/0 to both sides of an IPsec VTI P2 to allow connections with third-party routed IPsec implementations that require its presence #8859

  • Fixed boot-time handling of IPsec VTI static routes #9116

  • Fixed IKEv2 EAP Identity/Client ID matching so that it is strictly performed, to avoid users getting incorrect per-user settings #9055

  • Fixed handling of RADIUS server names containing a dot (.) in the IPsec configuration with strongSwan 5.7.1 #9106

  • Updated AWS IPsec wizard to use EC2 instance profiles and security groups, and switched the wizard from OpenBGPD to FRR

Interfaces/VIPs

  • Fixed issues with DHCP client MTU causing interface configure loops when advanced options are present #8507

  • Fixed issues with the Hyper-V hn(4) driver and ALTQ #8954

  • Fixed issues with Hyper-V hn(4) interfaces dropping UDP6 traffic when transmit checksums were enabled #9019

  • Fixed an issue with IGMP proxy failing to start on PPPoE interfaces #8935

  • Fixed an issue with IPv6 Transmit checksums not being disabled when hardware checksums were set to be disabled #8980

  • Updated mpd to 5.8_8 to address issues with Orange MTU #8995

  • Fixed PPPoE service name checks to allow a colon (:) along with alphanumeric characters #9002

  • Fixed PHP errors when creating QinQ entries #9109

  • Fixed the MAC address shown when editing a LAGG entry to always show the hardware MAC for each NIC and not the currently active address, which is no longer accurate for LAGG members #8937

  • Fixed a PHP error when setting an interface address to act as a DHCP server from the console, when no other DHCP servers are already configured #9144

  • Fixed a situation where editing a VLAN interface caused all other VLAN interfaces with the same parent to be reconfigured, which led to several other issues #9115

    Warning

    Editing a VLAN parent interface can still cause problems. If this becomes an issue on a firewall, consider moving from using the untagged parent to having that traffic be tagged so that the parent interface is not assigned or in use. #9154

    Known issues include:

    • PPPoE instances on VLANs will not reconnect after the interface is reconfigured #9148

    • VLAN interfaces that use IPv6 tracking may lose their addresses #9136

Hardware/Platform

  • Fixed handling of EFI console when a device boots from UEFI, where vidconsole is not valid #8978

  • Fixed PHP errors in switch configuration on platforms including integrated switches

  • Added support for SG-5100 hardware watchdog

    Note

    Enable the Watchdog daemon under System > Advanced on the Miscellaneous tab, and then reboot and enable it in the BIOS with a timeout longer than the timeout configured in the GUI.

User Management / Authentication

  • Fixed handling of privileges on the All group that were previously ignored #9051

    Warning

    Check the privileges on the All group before upgrading. Privileges assigned to that group were previously ignored; after the upgrade they are honored, so any unintended privileges on the All group will apply to every account.

  • Added GUI options to control sshguard sensitivity and whitelisting to allow users to fine-tune the behavior of the brute force login protection #8864

  • Added an option to enable SSH agent forwarding (disabled by default) #8590

  • Fixed inconsistencies with ssh settings in the configuration #8974

  • Fixed PHP errors with ssh settings #8606

  • Added support for LDAP client certificates on authentication servers (Factory only) #9007

  • Fixed an issue with Local Database authentication when using non-English languages in certain cases, such as with Captive Portal #9086

Captive Portal

  • Fixed Captive Portal RADIUS NAS Identifier default values to include the zone name #8998

  • Restored the ability to set a custom NAS Identifier on Captive Portal RADIUS settings #8998

  • Fixed issues with Captive Portal logout popup #9010

  • Fixed handling of the login page displayed when RADIUS MAC Authentication fails #9032

  • Fixed username sent in RADIUS accounting with MAC-based authentication #9131

  • Fixed an issue with the blocked MAC address redirect URL #9114

WebGUI / Dashboard

  • Fixed nginx restart handling when toggling GUI web server options under System > Advanced, Admin Access tab

  • Fixed empty crash reports after upgrade #8915

  • Added CDATA protection to common name fields so they can safely contain international characters #9006

Firewall Rules / Aliases / NAT

  • The filterdns daemon has been rewritten, solving a number of issues with the old implementation, including:

    • Fixes filterdns triggering every 16 seconds even when DNS records have not changed #7143

    • Fixes invalid FQDN entries in aliases causing an alias table to fail silently #8001

    • Fixes filterdns failing on a regular basis #8758

  • Fixed /etc/rc.kill_states not correctly parsing pfctl output #8554

  • Fixed formatting of alias names to still wrap but not replace underscores #8893

  • Fixed PHP errors from filter_rules_sort() when a configuration contains no rules #8993

  • Fixed PHP errors when creating schedules #9009

  • Fixed PHP errors when creating entries on NAT pages #9080

  • Fixed PHP errors from easyrule when no aliases are present #9119

  • Fixed “Drag to reorder” description in rule list when rule drag-and-drop is disabled #9128

Traffic Shaping (ALTQ/Limiters)

  • Fixed issues with Limiter queue display on upgraded configurations #8956

  • Fixed the default limiter scheduler to match previous version (WF2Q+) #8973

  • Added scheduler information to the limiter information page #8973

Packages

  • Fixed issues with package installation causing problems when crossing major PHP versions #8938

  • Fixed PHP errors when installing packages #9067

Backup/Restore

  • Added schedule (cron) support to AutoConfigBackup #8947

  • Fixed issues with AutoConfigBackup restoring a configuration from a different host #8901

  • Fixed the AutoConfigBackup menu from the deprecated package still showing when the package is no longer present #8959

  • Fixed an issue with Reinstall Packages hanging when run from Diagnostics > Backup & Restore #8933

  • Fixed issues with multiple <rrddata> tags in config.xml #8994

  • Fixed a race condition in package operations after a configuration restore that could lead to no packages being reinstalled #9045

  • Fixed issues with the External Config Locator not finding a config.xml in /config #9066

  • Fixed an issue where packages may not be reinstalled during a configuration restore performed immediately after a fresh install #9071

  • Fixed a stream_select() error when restoring packages #9102

Wake on LAN

  • Fixed issues with ordering of entries in Wake on LAN #8926

  • Added top control buttons to Wake on LAN for Add and Wake all Devices when there are more than 25 entries #8943

NTP

  • Fixed issues with NTP status when using noquery in the default permissions along with a specific ACL for localhost #7609

Logging / Notifications

  • Fixed an issue with log file sizes >= 2^32/2 bytes (2^31, the signed 32-bit integer limit) #9081

  • Fixed PHP errors when saving log settings #9095

  • Added a checkbox to disable TLS certificate verification for SMTP notifications #9001

Install/Upgrade

  • Added a FAT partition to the installer memstick to make it easier to restore a config.xml file during the install process. Also includes a copy of the license and a README. #9104

  • Fixed PHP errors in upgrade code for IPsec #9083

Miscellaneous

  • Fixed HTTPS proxy authentication support for connections on the firewall itself #9029

  • Clarified wording of Kernel PTI options on System > Advanced, Miscellaneous tab #9026

  • Added a Save button to Status > Traffic Graphs to store default settings to use when loading the page #8976

  • Added support for nvme controllers to the S.M.A.R.T. diagnostics page #9042