PfSense 1.2.3 Release Available!

grage95

1.2.3 Release Available!

1.2.3 release is now available! This is a maintenance release in the 1.2.x series, bringing an updated FreeBSD base, some minor enhancements, some bug fixes, and a couple security updates. We’ve been waiting a few weeks in anticipation of a FreeBSD security advisory for the SSL/TLS renegotiation vulnerability, which came last week and allowed us to finalize the release.
Change list

The primary changes from 1.2.2 are listed below.

Upgrade to FreeBSD 7.2 – The FreeBSD base version has changed from 7.0 to 7.2. This also brings fixes for two FreeBSD security advisories. One patching the SSL/TLS renegotiation vulnerability, which is applicable with HTTPS web interface access and potentially with OpenVPN. Another fixes a local root vulnerability, though it isn’t really applicable with pfSense as if you have the access required to exploit this, you already have root, and hence there is nothing to elevate. Warning for those using Intel PRO/100 cards – there is a regression in the fxp driver in FreeBSD 7.2 that may require disabling hardware checksum offloading under System -> Advanced if you have connectivity problems.

Embedded switched to nanobsd - this is a major improvement of our embedded version, and the old embedded has been discontinued. This is explained in detail here.

Dynamic interface bridging bug fix – The bridging bug fix in 1.2.2 introduced a problem with bridging any dynamic/non-Ethernet interface, such as VLANs, tun, tap, etc. which has been fixed.

IPsec connection reloading improvements – When making changes to a single IPsec connection, or adding an IPsec connection, it no longer reloads all your IPsec connections. Only the changed connections are reloaded. That wasn’t a big deal in most environments, but in some it meant you couldn’t change anything in IPsec except during maintenance windows. This is being used in a critical production environment with 400 connections, and works well.

Dynamic site to site IPsec – because of the above change, it was trivial to add support for dynamic DNS hostnames in IPsec. While 1.2.x will not receive new features, this became an exception.

Sticky connections enable/disable – sticky connections were previously only changed status at boot time for the server load balancer.

Ability to delete DHCP leases – A delete button has been added to the DHCP leases page, and when adding a static mapping, the old lease is automatically deleted.

Polling fixed – polling was not being applied properly previously, and the supported interfaces list has been updated.

ipfw state table size – for those who use Captive Portal in large scale environments, ipfw’s state table size is now synced with pf’s state table size.

Server load balancing – ICMP monitor fixed.

UDP state timeout increases – By default, PF does not increase UDP timeouts when set to “conservative”, only TCP. Some VoIP services will experience disconnects with the default UDP state timeouts, setting state type to “conservative” under System -> Advanced will now increase UDP timeouts as well to fix this.

Disable auto-added VPN rules option - added to System -> Advanced to prevent the addition of auto-added VPN rules for PPTP, IPsec, and OpenVPN tun/tap interfaces. Allows filtering of OpenVPN client-initiated traffic when tun/tap interfaces are assigned as an OPT.

Multiple servers per-domain in DNS forwarder overrides - previously the GUI limited you to one server per domain override in the DNS forwarder, you can now put in multiple entries for the same domain for redundancy.

No XMLRPC Sync rules fixed - in some circumstances, rules marked to not sync would sync regardless.

Captive portal locking replaced – the locking used by the captive portal has never been great (same as used in m0n0wall, where a replacement is also under consideration), and in some circumstances in high load environments (hundreds or thousands of users) it could wreak havoc on the portal. This has been replaced with a better locking mechanism that has resolved these issues.

DNS Forwarder now queries all configured DNS servers simultaneously, using the one that responds the fastest. In some circumstances this will improve DNS performance considerably.

Outbound load balancer replaced – The underlying software that does the monitoring and ruleset reloads for outbound multi-WAN load balancing has been replaced. This does not change anything from the user’s perspective, as only back end code changed. This fixed WAN flapping that was experienced by a small number of users.
Downloads

New installs  donwload here http://www.pfsense.org/mirror.php?section=downloads

ipoelnet

Pf saya :

• pfSense-1.2.3-RC1-LiveCD-Installer
  di update ke :
• pfSense-Full-Update-1.2.3-RC3
  terus update ke yg mana ya OM? agar dukung yg baru pfSense 1.2.3 Release, atau mungkin install Pf Lagi ke yg baru?

serangku

waduh …

sudah final release 1.2.3 ...
seeppp ...

anto_DIGIT

Versi 1 ini udah benar yg terakhir ?
http://snapshots.pfsense.org untuk versi 1 udah ga ada lagi ..
Berarti nanti tinggal fokus utk ke develop versi 2 …

zass

Mahu tanya , saya guna versi 1.2.3 rc1 , saya sudah dload versi 1.2.3 Full Update

RELEASE tgz , jika mggunakan manual update fail yg telah di dload tadi, apakah

setting untuk squid / lusca saya akan hilang . Minta penerangan dulu sebelum

apa-apa terjadi . :) TKasih

zass

ada yang update 123 release ni? , sy terpaksa install balik 1.2.3 rc 1

menggunakan release version entah mengapa browsing slow dan sangkut2 saja

package install Lusca, Lightsquid , Squidguard

PII 500mhz
768mb memory
20g hdd

mungkin freebsd 7.2 tidak sesuai pd system ini . ada sapa 2 yg mengalami masalah ini ?

tq

biatche

ada bug di lusca + freebsd 7.2 (pfsense 1.2.3)…. i sudah report dengan developer lusca, their sudah buat debugging dan confirm ada bug. tunggu bugfix saja. atau, pergi freebsd 8.0 cuba.

serangku

ehmm …

boleh tahu bugnya apa yah ...
krusial kah ?

grage95

bug, jika hanya 1 orang yang melakukan aktifas browsing + download, jika lebih > 1 normal2 sahaja,

patch utk bug ini :

--- src/libiapp/comm_generic.c.orig  2008-06-30 18:36:05.000000000 +0700
+++ src/libiapp/comm_generic.c      2010-01-22 22:07:43.000000000 +0700
@@ -357,11 +357,11 @@
     int rc;
     double start = current_dtime;

-    debug(5, 3) ("comm_select: timeout %d\n", msec);
-
     if (msec > MAX_POLL_TIME)
        msec = MAX_POLL_TIME;

+    debug(5, 3) ("comm_select: timeout %d, max %d\n", msec, MAX_POLL_TIME);
+
 #if DELAY_POOLS
     /* We have delayed fds in queue? */
     if (n_slow_fds

nanti saya update package-nya

serangku

sudah keluar kah edisi patchnya om grage95 ?
waduh … jadi nyusahin si om ...  ;D

grage95

sudah di upload :

silahkan di sedot : http://squid-proxy-pkg.googlecode.com/files/pfsense-lusca-head-r14371_3.tbz
fix comm_select
fix delay_body_maxsize > 1 pool

kambeeng

terus berkarya …. :D

serangku

sudah di update om …

mantap om :D

zass

Maaf mau tanya , kenapa 'Disable X-Forward' , pada Squid UI tidak mau jalan, maksudnya masih menunjukkan LAN ip di Lagado proxy test , sudah On dan Off kan pun sama saja . TQ

ps :  sudah update : http://squid-proxy-pkg.googlecode.com/files/pfsense-lusca-head-r14371_3.tbz

grage95

http://www.squid-cache.org/Doc/config/forwarded_for/ ????

zass

solved : jangan tick pada 'Disable X Forward' di UI , tapi letakkan ' forwarded_for off' ' dalam ' Custom Option' . tq

sorri , dlm tunning ada di letakkan 'forwarded_for on',  buang saja 'off' kan saja pada UI