We’ll be at three upcoming conferences in the next few weeks.
BSDCan – May 15-19, Ottawa, Canada. We won’t be doing a formal presentation here this year, but several of us will be in attendance. Get in touch if you’d like to meet up.
Texas Linux Fest – May 31-June 1, Austin, Texas. We’ll have a table here in the exhibition space, please stop by if you’ll be in attendance. We’re headquartered in Austin and are always glad to meet with folks here when schedules permit.
SouthEast Linux Fest – June 7-9, Charlotte, NC. I’ll be presenting a talk on all the latest with the project, and we’ll also have a table in the exhibition space.
We look forward to meeting many of you over the next few weeks!
I’m happy to announce the release of pfSense 2.0.3. This is a maintenance release with some bug and security fixes since the 2.0.2 release. You can upgrade from any previous release to 2.0.3.
- Updated to OpenSSL 0.9.8y to address FreeBSD-SA-13:03.
- Fix the IPsec log XSS described below, which could be triggered by users possessing a shared key or a valid certificate
- The S.M.A.R.T. input validation fix below isn’t security relevant in the vast majority of use cases, but it could lead to privilege escalation for an administrative user with limited rights who can access the S.M.A.R.T. pages but cannot access any of the pages that allow command execution by design.
- Fix obtaining DNS servers from PPP type WANs (PPP, PPPoE, PPTP, L2TP)
- Fix Captive Portal Redirect URL trimming
- Voucher sync fixes
- Captive portal pruning/locking fixes
- Fix problem with fastcgi crashing which caused CP issues on 2.0.2
- Clear the route for an OpenVPN endpoint IP when restarting the VPN, to avoid a situation where a learned route from OSPF or elsewhere could prevent an instance from restarting properly
- Always clear the OpenVPN route when using shared key, no matter how the tunnel network “CIDR” is set
- Use the actual OpenVPN restart routine when starting/stopping from services rather than killing/restarting manually
- Allow editing an imported CRL, and refresh OpenVPN CRLs when saving. [#2652]
- Fix interface assignment descriptions when using > 10 OpenVPN instances
- Put syslogd into secure mode so it refuses remote syslog messages
- If syslog messages are in the log, and the hostname does not match the firewall, display the supplied hostname
- Fix PPP log display to use the correct log handling method
- Run IPsec logs through htmlspecialchars before display to avoid a potential persistent XSS from racoon log output (e.g. username)
- Fix editing of traffic shaper default queues. [#1995]
- Fix wording for VoIP address option in the shaper. Add rule going the other direction to catch connections initiated both ways
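The two IPsec log items above (showing a remote syslog hostname, and escaping racoon output before display) as an added example; this is not pfSense code. It assumes log lines arrive as plain strings in the usual syslog layout, and the firewall hostname `pfsense` and the sample lines are constructed stand-ins.

```php
<?php
// Added example, not pfSense code. Assumption: IPsec (racoon) log lines are
// read from the system log elsewhere and handed to this code as plain
// strings; the GUI then renders them as table rows.

// Splits a syslog-style line into time, optional hostname, process and
// message. Local lines carry no hostname; lines relayed from another
// syslog sender do, and that hostname is then shown in the output.
function parse_log_line($line) {
    $re = '/^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?:([^\s:]+)\s+)?([^\s:]+):\s*(.*)$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array(
        'time'    => $m[1],
        'host'    => ($m[2] === '') ? null : $m[2],
        'process' => $m[3],
        'message' => $m[4],
    );
}

// Vulnerable pattern: the raw line is concatenated into the page. A peer
// that authenticates with a valid PSK or certificate chooses the username
// racoon logs, so markup in it becomes live HTML for every administrator
// who opens the log page (a stored XSS).
function render_log_unsafe(array $lines) {
    $html = "<table>\n";
    foreach ($lines as $line) {
        $html .= '<tr><td>' . $line . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened pattern: every field goes through htmlspecialchars() before it
// touches the HTML. ENT_QUOTES also escapes single quotes, and naming the
// charset avoids encoding-dependent bypasses.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_log_safe(array $lines, $firewall_host = 'pfsense') {
    $html = "<table>\n";
    foreach ($lines as $line) {
        $p = parse_log_line($line);
        if ($p === null) {
            // Unparseable line: still escape it rather than dropping it silently.
            $html .= '<tr><td colspan="3">' . h($line) . "</td></tr>\n";
            continue;
        }
        $who = $p['process'];
        if ($p['host'] !== null && $p['host'] !== $firewall_host) {
            $who = $p['host'] . ' ' . $who;   // supplied hostname differs: show it
        }
        $html .= '<tr><td>' . h($p['time']) . '</td><td>' . h($who)
               . '</td><td>' . h($p['message']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample log; the second line carries a hostile username.
$sample_log = array(
    'Apr 15 10:22:01 racoon: INFO: ISAKMP-SA established 203.0.113.5[500]-198.51.100.7[500]',
    'Apr 15 10:22:02 racoon: INFO: login succeeded for user "<script>alert(1)</script>".',
    'Apr 15 10:22:03 fw2 racoon: INFO: purging ISAKMP-SA spi=1a2b3c4d',
);

// Quick self-check: the hardened output must never contain a raw script tag.
if (strpos(render_log_safe($sample_log), '<script>') !== false) {
    echo "escaping failed\n";
}
echo render_log_safe($sample_log);
```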
Dashboard & General GUI
- Use some tweaks to PHP session management to prevent the GUI from blocking additional requests while others are active
- Remove cmd_chain.inc and preload.php to fix some issues with lighttpd, fastcgi, and resource usage
- Firmware settings manifest (Site list) now bolds and denotes entries that match the current architecture, to help avoid accidental cross-architecture upgrades
- Add header to DHCP static mappings table
- When performing a factory reset in the GUI, change output style to follow halt.php and reboot.php so the shutdown output appears in the correct location on the page
- Better validation of parameters passed during S.M.A.R.T. operations for testing HDDs
- Fixed SNMP interface binding glitch (Setting was active but not reflected when viewed in GUI)
- Add a new class called addgatewaybox to make it easier to respect custom themes [#2900]
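The S.M.A.R.T. parameter validation item above, as an added example that is not pfSense's own code. It assumes the page's device and self-test type parameters end up on a smartctl command line; the disk list and the smartctl path are stand-ins.

```php
<?php
// Added example, not pfSense code. Assumption: a GUI page takes a disk
// device and a self-test type from the request and builds a smartctl
// command line from them. Request values must never reach the shell
// unvalidated, even from a logged-in user with limited page access.

// Stand-in for the disks actually present on the box (pfSense derives
// this from the system; here it is a fixed, constructed list).
function smart_known_devices() {
    return array('/dev/ad0', '/dev/ad1', '/dev/da0');
}

// Self-test types the page offers; anything else is rejected outright.
function smart_allowed_tests() {
    return array('short', 'long', 'conveyance', 'offline');
}

// Returns the validated command line, or null when a parameter is not one
// of the allowed values. An allow-list beats escaping alone because the
// device name also selects which hardware gets touched.
function smart_build_test_command($device, $test) {
    if (!in_array($device, smart_known_devices(), true)) {
        return null;
    }
    if (!in_array($test, smart_allowed_tests(), true)) {
        return null;
    }
    // escapeshellarg is still applied as defence in depth; the path is an
    // assumption (smartmontools on FreeBSD installs under /usr/local).
    return '/usr/local/sbin/smartctl -t ' . escapeshellarg($test)
         . ' ' . escapeshellarg($device);
}

// Constructed request inputs: one legitimate, two carrying shell
// metacharacters that an unvalidated page would pass straight through.
$requests = array(
    array('device' => '/dev/ad0',     'test' => 'short'),
    array('device' => '/dev/ad0; id', 'test' => 'short'),
    array('device' => '/dev/ad0',     'test' => 'long $(id)'),
);

foreach ($requests as $r) {
    $cmd = smart_build_test_command($r['device'], $r['test']);
    echo ($cmd === null ? 'REJECTED' : 'OK: ' . $cmd) . "\n";
}
```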
Console Menu Changes
- Correct accidental interface assignment changes when changing settings on the console menu
- Console menu option 11 now kills all active PHP processes, kills lighttpd, and then restarts the GUI. This is a more effective way to restart the GUI since if a PHP process is hung, restarting lighttpd alone will not recover from that
- Fix port display after LAN IP reset
- Change how the listening address is passed to miniupnpd, the old method was resulting in errors for some users
- Fix “out” packet count reporting
- Be a little smarter about the default kernel in rare cases where we cannot determine what was in use
- Pass -S to tcpdump to avoid an increase in memory consumption over time in certain cases
- Minimise rewriting of /etc/gettytab (forum reference)
- Make is_pid_running function return more consistent results by using isvalidpid
- Fix ataidle error on systems that have no ATA HDD. [#2739]
- Update Time Zone database zoneinfo to 2012.j to pick up on recent zone/DST/etc changes
- Fix handling of LDAP certificates, the library no longer properly handles files with spaces in the CA certificate filename
- Bring in the RCFILEPREFIX as constant fixes from HEAD, since otherwise rc.stop_packages was globbing in the wrong dir and executing the wrong scripts. Also seems to have fixed the “bad fd” error
- NTP restart fixes
- Gitsync now pulls in git package from pfSense package repository rather than FreeBSD
- Fixed handling of RRD data in config.xml backups when exporting an encrypted config [#2836]
- Moved apinger status to /var/run instead of /tmp
- Fixes for FTP proxy on non-default gateway WANs
- Fixes for OVA images
- Use new pfSense repository location (http://github.com/pfsense/pfsense/)
- Add patch to compensate apinger calculation for down gateways by time taken from other tasks like rrd/status file/etc
- Improve tuning of lighttpd and php processes
- Use separate paths for GUI and Captive Portal fastcgi sockets
- Always make sure php has its own process manager to make lighttpd happy
- Make mod_fastcgi last to have url.rewrite work properly
- Enable mod_evasive if needed for Captive Portal
- Simplify lighttpd config
- Send all lighttpd logs to syslog
- dnsmasq to 2.65
- rsync to 3.0.9
- links to 2.7
- rrdtool to 1.2.30
- PHP to 5.2.17_13
- OpenVPN 2.2 stock again (Removed IPv6 patches since those are only needed on 2.1 now)
- Fix missing “beep” binary on amd64
- Fix potential issue with IPsec routing of client traffic
- Remove lighttpd spawnfcgi dependency
- Add splash device to wrap_vga kernels (It’s in GENERIC so full installs already have it). [#2723]
- Correct an issue with unallocated structure
- Avoid issues with pidfiles being overwritten, lock the file during modifications
- Make filterdns restartable and properly cleanup its tables upon exit or during a reconfiguration
- Correct a use-after-free and also support hostnames with other DNS suffixes
- Reinit on any error rather than just forgetting. Also, the difftime checks are now done after having a complete view, so there is no need to do them every time
- Typo fixes
- Log that a HUP signal is being sent to the PID from the pidfile supplied as an argument
- Prevent bad parsing of empty hostnames in the lease file. Add an f option to run dhcplease in the foreground; the only option needed while in the foreground is the h parameter, and it is the only usable one as well
As always, upgrade information can be found in the Upgrade Guide.
Note: some of the mirrors are still syncing; it will be several hours before they’re all up to date.
These flaws aren’t applicable to pfSense users, as long as you’ve stayed up to date, or at least haven’t gone out of your way to make yourself insecure. The flaws identified in miniupnp were fixed over two years ago, and we always ship releases with the latest version. So these could only be applicable if you haven’t updated to any 2.x version. You would also have to add a firewall rule on WAN to permit the traffic in for the Internet-reachable scenario, so you would really have to go out of your way to make yourself vulnerable if running pfSense.
It’s arguable whether you should ever enable UPnP at all. It’s a security vulnerability by design, really, allowing things to arbitrarily open ports on your firewall. We’ve argued against it since the inception of this project, but make it available for those who have no alternative. Of course we disable it by default.
If you’re running any other kind of router or firewall, things may not be so good. A shocking number of vendors are still building old miniupnp versions into their products (Rapid7 identified 332 such products), and shipping them with extremely insecure defaults (over 80 million unique IPs answer UPnP from the Internet). If you’re not sure whether your router is vulnerable, it’s safest to disable all UPnP functionality on devices connected to the Internet. Rapid7 has released a ScanNow tool that will scan your local network for exploitable devices.
This is also a nice example for the small number of people who still think open source solutions are somehow less secure than commercial alternatives. We’ve done things right again in this instance from day one, where a shocking number of commercial vendors have massively failed to follow basic security best practices.
Great news for many pfSense users today, as OpenVPN Technologies in collaboration with Apple have released an OpenVPN client for iOS.
Within hours of its release, Jim Pingle updated our OpenVPN Client Export package’s inline export option to be compatible with iOS (while retaining its Android compatibility). The inline export is available for 2.0.x and 2.1 versions. Upgrade your package under System>Packages to the latest version and use the inline export option, which can be imported into the iOS client via iTunes amongst other methods. I had my iPhone connected to OpenVPN within 5 minutes; it’s a quick, easy process.
Our thanks to OpenVPN Technologies and Apple for making this happen!
pfSense 2.0.2 is a maintenance release with some bug and security fixes since the 2.0.1 release. You can upgrade from any previous release to 2.0.2.
Heads up for those upgrading
Auto Update URL – For those upgrading from a prior release, first please make sure you’re on the correct auto-update URL. Tens of thousands of installs were from 2.0 pre-release snapshots which had their update URL set to the snapshot server rather than the stable release updates. Others had manually set their architecture incorrectly at some point and had failed upgrades because of it. Just browse to System>Firmware, Updater Settings tab. From the “Default Auto Update URLs” drop-down box, pick either the stable i386 or amd64 depending on which version you have installed, and click Save. Then you can use the auto-update and be sure you’re pulling from the correct location.
PPP-assigned DNS server problem – those with PPP type WANs (PPP, PPPoE) using the DNS servers assigned by their ISP rather than ones defined under System>General Setup, be aware those DNS servers will not be used. There are two workarounds detailed here.
FreeBSD Security Advisories
Base OS updated to 8.1-RELEASE-p13 to address the following FreeBSD Security Advisories:
- FreeBSD-SA-12:01.openssl (v1.0/v1.1) http://security.freebsd.org/advisories/FreeBSD-SA-12:01.openssl.asc
- FreeBSD-SA-12:04.sysret (v1.0/v1.1) http://security.FreeBSD.org/advisories/FreeBSD-SA-12:04.sysret.asc
- FreeBSD-SA-12:07.hostapd http://www.freebsd.org/security/advisories/FreeBSD-SA-12:07.hostapd.asc
- NOTE: FreeBSD-SA-12:03.bind, FreeBSD-SA-12:05.bind, and FreeBSD-SA-12:06.bind do not apply to us, since we do not use nor include bind. FreeBSD-SA-12:08.linux does not apply since we do not use nor include the Linux compatibility layer of FreeBSD. FreeBSD-SA-12:02.crypt doesn’t apply because we don’t use DES in that context.
- Added a warning to PPTP VPN configuration page: PPTP is no longer considered a secure VPN technology because it relies upon MS-CHAPv2 which has been compromised. If you continue to use PPTP be aware that intercepted traffic can be decrypted by a third party, so it should be considered unencrypted. We advise migrating to another VPN type such as OpenVPN or IPsec.
- More information on this can be found at https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 and https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
- Fix reference to PPTP secondary RADIUS server shared secret.
- PPTP 1.x to 2.x config upgrade fixes.
- OpenNTPD was dropped in favor of the ntp.org NTP daemon, used by FreeBSD.
- Status page added (Status > NTP) to show status of clock sync
- NTP logging fixed.
- NOTE: ntpd will bind/listen to all interfaces by default, and it has to in order to receive replies. You can still do selective interface binding to control which IPs will accept traffic, but be aware that the default behavior has changed.
Dashboard & General GUI Fixes
- Various fixes for typos, wording, and so on.
- Do not redirect on saving services status widget.
- Don’t use $pconfig in widgets, it has unintended side effects.
- Fix display of widgets with configuration controls in IE.
- Changed some padding/margin in the CSS in order to avoid wrapping the menu.
- #2165 Change to embed to prevent IE9 from misbehaving when loading the Traffic Graph page
- Safer for 1.2.3 upgrades to assume OpenVPN interface == any, since 1.2.3 didn’t have a way to bind to an interface. Otherwise people accepting connections on OPT interfaces on 1.2.3 will break on upgrade until the proper interface is selected in the GUI
- Don’t ignore when multiple OpenVPN DNS, NTP, WINS, etc servers were specified in 1.2.3 when upgrading. 1.2.3 separated by ;, 2.x uses separate vars.
- Fix upgrade code for 1.2.3 with assigned OpenVPN interface.
- Fix LZO setting for Upgraded OpenVPN (was turning compression on even if old config had it disabled.)
- Be more intelligent when managing OpenVPN client connections bound to CARP VIPs. If the interface is in BACKUP status, do not start the client. Add a section to rc.carpmaster and rc.carpbackup to trigger this start/stop. If an OpenVPN client is active on both the master and backup system, they will cause conflicting connections to the server. Servers do not care as they only accept, not initiate.
- Only do foreach on IPsec p2’s if it’s actually an array.
- #2201 Don’t let an empty subnet into racoon.conf, it can cause parse errors.
- #2201 Reject an interface without a subnet as a network source in the IPsec Phase 2 GUI.
- Add routes even when IPsec is on WAN, as WAN may not be the default gateway.
- #1986 Revamped IPsec status display and widget to properly account for mobile clients.
- Fixed a bug that caused the IPsec status and widget to display slowly when mobile clients were enabled.
User Manager Fixes
- #2066 Improve adding/removing of users accounts to the underlying OS, especially accounts with a numeric username.
- Include admin user in bootup account sync
- Fix permission and certificate display for the admin user
- Fix ssh key note to refer to DSA not just RSA since both work.
- “:” chars are invalid in a comment field, filter them out.
- When renaming a user, make sure to remove the previous user or it gets left in /etc/passwd.
- #2326 Do not allow empty passwords since this might cause problems for some authentication servers like LDAP.
Captive Portal Fixes
- Take routing table into account when figuring out which IP address to use for talking to CP clients.
- Prevent browser auto-fill of the username and password on the voucher config page, as it can interfere with the settings being saved properly if sync isn’t fully configured, which this can cause accidentally.
- Correct the Called-Station-Id attribute setting to be the same on STOP/START packets
- Correct the Called-Station-Id attribute setting to be consistent on the data sent
- #2082 Correct the log to display the correct information about an existing session
- #2052 Remove duplicate rule
- Fix which roll to write when writing the active voucher db
- Always load ipfw when enabling CP to ensure the pfil hooks are setup right
- #2378 Fix selection of CP interfaces when using more than 10 opt interfaces.
- Strengthen voucher randomization.
NAT/Firewall Rules/Alias Fixes
- #2327 Respect the value of the per-rule “disable reply-to” checkbox.
- #1882 Fix an invalid pf rule generated from a port forward with dest=any on an interface with ip=none
- #2163 1:1 Reflection fixes for static route subnets and multiple subnets on the same interface.
- Better validation on URL table alias input from downloaded files.
- #2293 Don’t put an extra space after “pass” when assuming it as the default action or later tests will fail to match this as a pass rule.
- Update help text for Host aliases to indicate FQDNs are allowed.
- #2210 Go back to scrub rather than “scrub in”, the latter breaks MSS clamping for egress traffic the way we use it.
- Fix preservation of the selection of interfaces on input errors for floating rules.
- Fix URL table update frequency box.
- Fix input validation for port forwards, Local Port must be specified.
- Added a setting to increase the maximum number of pf tables, and increased the default to 3000.
- Properly determine active GUI and redirect ports for anti-lockout rule, for display and in the actual rule.
- Handle loading pf limits (timers, states, table/entry limits, etc) in a separate file to avoid a chicken-and-egg scenario where the limits would never be increased properly.
- Correct the check for whether a gif interface is part of a bridge, so that adding a gif after it was created on bootup actually works correctly
- Use the latest functions from pfSense module for getting interface list
- Use the latest functions from pfSense module for creating bridges
- Implement is_jumbo_capable in a more performant way. This should help with large numbers of interfaces
- Since the CARP interface name changed to “vipN” from “carpN”, devd needs to follow that change as well.
- #2242 Show lagg protocol and member interfaces on Status > Interfaces.
- #2212 Correctly stop dhclient process when an interface is changed away from DHCP.
- Fixed 3G SIM PIN usage for Huawei devices
- Properly obey MTU set on Interface page for PPP type WANs.
Other Misc. Fixes
- #2057 Add a checkbox that disables automatically generating negate rules for directly connected networks and VPNs.
- Mark “Destination server” as a required field for DHCP Relay
- Clarify the potential pitfalls when setting the Frequency Probe and Down parameters.
- Add a PHP Shell shortcut to disable referer check (playback disablereferercheck)
- #2040 Make Wireless Status tables sortable
- #2068 Fix multiple keys in a file for RFC2136 dyndns updates.
- Check to see if the pid file exists before trying to kill a process
- #2144 Be smarter about how to split a Namecheap hostname into host/domain.
- Add a small script to disable APM on ATA drives if they claim to support it. Leaving this on will kill drives long-term, especially laptop drives, by generating excessive Load Cycles. The APM bit set will persist until the drive is power cycled, so it’s necessary to run on each boot to be sure.
- #2158 Change SNMP binding option to work on any eligible interface/VIP. If the old bindlan option is there, assume the lan interface for binding.
- Fix reference to PPTP secondary RADIUS server shared secret.
- #2147 Add button to download a .p12 of a cert+key.
- #2233 Carry over the key length on input errors when creating a certificate signing request.
- #2207 Use PHP’s built-in RFC 2822 date format, rather than trying to make our own.
- Allow specifying the branch name after the repository URL for gitsync command-line arguments and remove an unnecessary use of the backtick operator.
- Correct send_multiple_events to conform with new check_reload_status behaviour
- Do not wipe logs on reboot on full install
- Set FCGI_CHILDREN to 0 since it does not make sense for php to manage itself when lighttpd is doing so. This makes it possible to recover from 550-Internal… error.
- Support for xmlrpcauthuser and xmlrpcauthpass in $g.
- Fix Layer 7 pattern upload, button text check was incorrect.
- Correct building of traffic shaping queue to not depend on parent mask
- #2239 Add alias support to static routes
- Use !empty instead of isset to prevent accidental deletion of the last used repository URL when firmware update gitsync settings have been saved without a repository URL.
- Better error handling for crypt_data and also better password argument handling
- Stop service needs to wait for the process to be stopped before trying to restart it.
- Use a better default update url
- Fix missing description in rowhelper for packages.
- #2402, #1564 Move the stop_packages code to a function, and call the function from the shell script, and call the function directly for a reboot.
- #1917 Fix DHCP domain search list
- Update Time Zone zoneinfo database using latest zones from FreeBSD
- Handle HTTPOnly and Secure flags on cookies
- Fixed notifications for firmware upgrade progress
- Removed an invalid declaration that considered 18.104.22.168/8 a private address.
- Fixed redirect request for IE8/9
- #1049 Fix crashes on NanoBSD during package removal/reinstall. Could result in the GUI being inaccessible after a firmware update.
- Fix some issues with upgrading NanoBSD+VGA and NanoBSD+VGA Image Generation
- Fix issues upgrading from systems with the old “Uniprocessor” kernel which no longer exists.
- Fix a few potential XSS/CSRF vectors. Thanks to Ben Williams for his assistance in this area.
- Fixed issue with login page not showing the correct selected theme in certain configurations.
- Fix limiters+multi-wan
Binary/Supporting Program Updates
- Some cleanup to reduce overall image size
- Fixes to ipfw-classifyd file reading and handling
- Updated miniupnpd
- ISC DHCPD 4.2.4-P1
- mpd5 upgraded to 5.6
- pftop updated
- lighttpd updated to 1.4.32, for CVE-2011-4362 and CVE-2012-5533.
As always, information on upgrading can be found in the Upgrade Guide.
Note: some mirrors are still syncing; it will be several hours from the time of this post until all are synced.
The FreeBSD Foundation has put out their year-end fundraising campaign. The FreeBSD Foundation sponsors development of the underlying OS that pfSense is based on. We made a donation as we do every year, and we encourage our users to do the same. They are a 501(c)3 non-profit organization, so US contributors may be able to deduct contributions on their taxes.
pfSense could also use your direct donations to fund general expenses, project development and needed equipment. You can donate directly to us here, though note we’re not a 501(c)3.
About Us: BSD Perimeter is the leading provider of BSD-based network security appliances, and the company behind pfSense, one of the most widely used firewalls. We’re a small, growing company, with the opportunity for one person to have a significant impact. Our websites as a whole see millions of page views every month.
Location: Austin, TX. Remote candidates will not be considered. We will consider those who can relocate quickly at their own expense.
- Lead UI Developer for Web Based Applications
- Drive Front-end Development and Design for multiple product features
- Coordinate with Back-End developers and UI Experience Designers to build Web applications
- Coordinate with Architects to drive/develop vision of UI Framework
- Assist in the design of new systems or the redesign of existing systems to meet business requirements, changing needs, and newer technologies.
- 5+ years experience in web development and design
- Experience with jQuery and/or other similar libraries
- Experience with content management systems such as WordPress, Joomla, and similar.
- Experience with cross-browser compatibility
- Experience with mobile browsers (iOS, Android, etc.)
- Graphic design experience
- Willingness to learn and implement new client side technologies and concepts.
- Strong understanding of web application security
- Experience with a variety of open source programming languages
- Familiarity with revision control systems
- Proven ability to take a concept from idea to implementation
- Ability to work independently with minimal supervision
- Must have work eligibility in the US
Send your resume and portfolio of web and design work to [email protected].
Ermal and I will be doing a full day pfSense 2.1 tutorial at EuroBSDCon 2012, October 18 in Warsaw, Poland. Registration has just opened. This will be a training-focused session, going through many of the features common to every version, covering changes in 2.1, with focus on IPv6 in each portion of the system.