pfSense® CE 2.2 release notes

The pfSense® CE 2.2 release is now live. This means that all of its new features are now stable.
If you decide to use it, you can report your experience on the pfSense® CE 2.2 forum.

Important upgrade notice

It is possible to upgrade from 2.1 to 2.2 as with any other version, but it will no longer be possible to downgrade from 2.2 to 2.1. After the upgrade, the format of your configuration will be converted from 2.1 to 2.2. So, before upgrading, make a backup of your 2.1 installation so that, if you wish, you can reinstall it and reload your configuration. Be careful!

pfSense® CE 2.2: new features and improvements

The main novelty of pfSense® CE 2.2 is the operating system underlying the release, namely FreeBSD 10.1-RELEASE.
This brings a larger number of supported drivers and process scheduling that makes much better use of the multiple cores found in current-generation CPUs.

Some characteristics of the OS underlying pfSense® CE 2.1 in fact limited a process to a single core: for example, "pf" could slow down the whole system because its execution was confined to a single core.
Two new hardware platforms using 4-core (APU™, link to be added) and 8-core CPUs are being finalized; they will make it possible to better serve environments with high traffic demands.
SQLite3 has also been introduced into the Captive Portal, which handles large amounts of data much better.

Below is the complete list of new features.

OS Changes

  • Updated base OS to FreeBSD 10.1-RELEASE
  • PHP backend switched from FastCGI to PHP-FPM
  • PHP Moved to 5.5
  • Migrate captive portal code to SQLite3 PHP module
  • Fix some lingering call-time pass-by-reference instances that fail on PHP 5.5
  • Default serial speed is now 115200 #3715
  • Sync gettytab and etc/ttys with FreeBSD 10-STABLE and reduce customizations
  • Log pfSense® CE version to syslog after bootup
  • Set the sysctl net.inet.icmp.reply_from_interface to 1 to use the incoming interface to send the ICMP reply from. #3666
  • Switched the hash method in pf to XXHASH for speed improvements

DNS

  • Imported Unbound for use as the default DNS Resolver. The old dnsmasq DNS Forwarder will be available as a non-default option.
  • Removal of bind from FreeBSD base necessitated the switch to alternate programs for DNS utilities (e.g. drill for dig, different nsupdate)
  • AJAX DNS updates for firewall logs (when clicked)
  • Make sure that the DNS Forwarder/Resolver is actually capable of accepting queries on localhost before using it as a DNS server.
  • IPv6 support in Unbound

CARP

  • Changes to CARP for new FreeBSD 10 CARP system
  • Provide a way to ‘permanently’ set CARP to ‘maintenance mode’ (advskew 254) that persists across a reboot. This option sets CARP interfaces to ‘maintenance mode’, persisting through a reboot, so the primary machine stays as backup/inactive. This is required when there are problems (possibly with the hardware) and the primary machine needs to be booted and checked again before becoming ‘master’. Previously it would take back the master state during reboot even though there might still be problems or some re-configuring to do.
  • Key off net.inet.carp.demotion and display a warning to the user if the system has self-demoted its CARP status
  • Allow CARP IP address to be outside interface and alias subnets

Interfaces

  • Implement an option to allow using the IPv4 connectivity interface for sending the dhcpv6 information. Usually useful for ppp[oe] type links and some ISPs
  • Add gre and gif checks for the IPv4 function interface_has_gateway($friendly), like they already exist for IPv6
  • Do not allow the user to set IPs for GRE interfaces on interface edit page. #3575
  • On interfaces_assign.php, let user select network port to add instead of picking the first available #3846
  • When changing a pre-existing VIP, use the previously configured interface for checking; this fixes the issue that happens when you try to change a VIP to a new interface. #3807
  • Validate the GIF interface MTU (must be something between 1280 and 8192) #3927
  • Properly set MTU for lagg(4) interface #3922

Gateways/Routing

  • Add an option to force a gateway to be down. #2847
  • List GWGs in Interface to send DynDNS update from
  • Allow reordering, batch delete, and disable of Static Routes
  • Option to disable a gateway
  • Check gateway for IPv6 also for reply-to rules.
  • Fix issue where ICMP6 messages sometimes have the wrong source IP address when a monitor IP address has been set #3607
  • Improve look of gateways widget
  • Provide a toggle for apinger debug messages to be logged to syslog

NAT/Firewall Rules/Aliases

  • Custom logging daemon that provides easy-to-parse output on a single line
  • Persistent tracking ID for firewall rules so that logs may always be traced back to their corresponding rules
  • Allow individual line descriptions on alias bulk import
  • Hybrid outbound NAT style that allows the user to keep the existing automatic behavior but layer manual rules on top of it.
  • Option to disable outbound NAT without disabling pf
  • Display networks used in automatic outbound NAT when using that mode
  • Allow reordering, batch delete, and disable of 1:1 NAT rules
  • Removed settings for maximum tables and maximum table entries since pf on FreeBSD 10 does not have any limits for these.
  • Implement URL Table aliases for ports
  • Optimizations for URL table aliases to use less memory and be more robust in general
  • Expose all p0f OS types that it supports so that subtypes of various Operating Systems can be detected (e.g. blocking Windows XP)
  • Remove units from Limiter burst parameter as it is always specified in bytes. (Per ipfw(8)).
  • The “(self)” concept of “Any IP address on this firewall” is now a choice for firewall rule destination (and floating rule source for out direction rules), port forward destination, and outbound NAT source.
  • Can now optionally log default pass rules as well as default block rules
  • Add IP alias subnets to interface subnet macro on GUI. #983
  • Take virtual IPs into consideration for automatic outbound NAT rules #983
  • Adjust states summary for new pfctl -ss output. #2121
  • Alias name cannot have more than 31 chars, add maxlength to the field as an extra check. #3827
  • Allow the Virtual IP list table to be sorted (cosmetic only)
  • Add a more obvious note on group rules about how they do not work as expected for WANs
  • Block IPv4 link-local. Per RFC 3927, hosts “MUST NOT send the packet to any router for forwarding”, and “any network device receiving such a packet MUST NOT forward it”. FreeBSD won’t route it (route-to can override in some circumstances), so it can’t be in use as a real network anywhere, with the possible exception of local-only networks. It is unlikely any such situation exists anywhere. #2073

Dashboard & General GUI

  • Various fixes for XHTML compliance
  • Various fixes for typos
  • Add a setting to allow the user to specify the clog file size so more (or less) entries may be kept in the raw logs. Retain previous default size values if the user has not specified a preferred size. Files can only be resized when initialized, so provide a “Reset All Logs” button as well to force clear all logs and set them up at the new size.
  • Add an option for users to be able to adjust how many configuration revisions are kept in the local backup cache.
  • Show backup file size in config history.
  • Display pfSense® CE interface name on status interfaces
  • Dashboard cleanups/fixes for jQuery
  • Add “pfsense_ng_fs” full screen/widescreen theme
  • GUI redirect works on both HTTP and HTTPS #3437
  • Disk usage section of the System Information widget now shows all ufs, zfs, and cd9660 filesystems, not just the root (/) slice, and also indicates if they are a RAM disk.
  • Add a message about Gold to the setup wizard and add a link in the menu to the Gold signup page.
  • Add pages missing from the Status > Traffic Graph privilege that are required for the full page to load
  • Fix traffic graph widget default autoscale
  • Be more strict on user and group removal to avoid accidentally removing additional users #3856
  • Add an option to restart php-fpm from console

Translations

  • Change default charset on pages to utf-8
  • Updates to pt_BR translation
  • Added Japanese translation
  • Added Turkish translation
  • Fixes for gettext

Captive Portal

  • Add a way to download CP portal, error and logout html pages. #3339
  • Add an option to restore default logout/error/portal custom pages on Captive Portal. #3362

IPsec

  • IPsec backend changed from racoon to StrongSWAN
  • Provide a setting to disable the auto added LAN SPDs in the DB
  • IKEv2 settings have been enabled in the GUI
  • IPsec status page changes to accommodate different output from StrongSWAN
  • Move the IPsec settings from System > Advanced, Misc tab to “Advanced Settings” tab under VPN > IPsec.
  • It is now possible to configure L2TP+IPsec
  • Add AES-GCM and AES-XCBC to the list of available IPsec algorithms and hashes, respectively. Expand P1 DH groups up to 24.
  • Allow HASH algorithms to be empty for phase2 in case the encryption one is AES-GCM
  • Allow to reorder IPsec Phase 1 and Phase 2 items, remove multiple P1/P2 items, toggle enable/disable status of P1/P2 items #3328
  • Provide a first implementation of EAP-TLS authentication with IKEv2. It is a start and might not work in all cases
  • Do not accept non-ascii characters on IPsec PSK #3931

OpenVPN

  • Allow entering OpenVPN client credentials in the GUI
  • Add support for local (push route) and remote (iroute) network definitions in an OpenVPN client-specific override entry.
  • Change OpenVPN Compression settings to cover the full range of allowed settings on OpenVPN (unset, off, on, adaptive) rather than a simple off/on switch that either doesn’t set the value or enables it with adaptive (OpenVPN’s default).
  • Add an Authentication Digest Algorithm drop-down to OpenVPN server/client and to the wizard (SHA1 is the default since that is OpenVPN’s default)
  • Add option to specify client management port for OpenVPN client export use
  • Ensure e-mail address carries over from the CA screen to the Cert screen in the OpenVPN wizard.
  • Allow the user to select “None” for OpenVPN client certificate, so long as they supply an auth user/pass. #3633
  • Byte counts on OpenVPN status are now human readable rather than huge unformatted numbers.
  • OpenVPN instances have new options: “Disable IPv6”, route-nopull, route-noexec, verb selector

DHCP

  • Add code for UEFI booting and DHCP
  • Advanced RFC 2136 configuration for DHCPd service
  • Add ability to not supply a DHCP gateway to clients
  • Allow defining dhcp static mappings using dhcp-client-identifier
  • Do not call write_config() when Applying Changes on DHCP settings #3797

Packages

  • Package signing to ensure validity/authenticity
  • Single package manifest (XML) file rather than one per architecture
  • Various improvements to PBI setup/structure from upstream (PC BSD)
  • Added the capability for package hooks in /etc/rc.carpmaster and /etc/rc.carpbackup
  • Split package category display into separate tabs for categories, and provide an “All” tab
  • Move the fetching of a package’s config file and additional files to separate functions, and then have the “xml” package button perform these so that it is not merely a redundant copy of the “pkg” reinstall button. This can help ensure a package’s files are in a known-good state before other actions are performed, in case the deinstall would fail or behave erratically due to other files being missing.

Dynamic DNS

  • Added support for DynDNS Provider “City Network”
  • Added support for DynDNS Provider “OVH DynHOST”
  • Added support for DynDNS Provider “GratisDNS”
  • Added support for DynDNS Provider “Euro DNS”
  • Added support for DynDNS Provider “CloudFlare”
  • Add support for custom IPv6 DDNS.
  • Add backend support for HE.net AAAA record updates.
  • Add additional options to Custom DynDNS
  • Allow hostname to start with ‘@.’ for namecheap #3568

GEOM Mirrors (gmirror)

  • New gmirror library to perform various gmirror tasks and get information, using some of the former widget logic to start.
  • Added a Diag > GEOM Mirrors page that displays information about existing mirrors and performs various management tasks. This will only show in the menu if a gmirror is detected at bootup. Current actions include rebuilding a drive, forgetting disconnected mirror drives, insert/remove, deactivate/activate, clearing metadata. It’s now possible to use the GUI to rebuild a failed mirror by performing a forget, then an insert action to replace a missing/dead drive.
  • Also included is a notification setup. Mirror status is polled every 60 seconds, and if any aspect of the mirror changes, notifications are issued that alert in the GUI and by SMTP, etc.

NOTE: If a manual gmirror configuration was performed post-install and not using the pfSense® CE installer gmirror option before install, there is a chance that the mirror will not function on pfSense® CE 2.2 because the manual post-install method did not create a completely proper mirror setup. If you find your upgraded mirror does not function on 2.2, you can use the following /boot/loader.conf.local entry to work around the integrity check that would otherwise fail.

kern.geom.part.check_integrity=0

If you have one of these configurations, we recommend backing up the configuration and reinstalling using the built-in gmirror option in the pfSense® CE installer.

Traffic Shaping

  • Fix DSCP values and provide a config upgrade to fix values stored in config.xml. #3688
  • Remove the ‘multi lan/single wan’ and ‘multi wan/single lan’ traffic shaper wizards; the multi lan/multi wan wizard can replace either of them.
  • Only show the correct type of interfaces (LAN/WAN) on traffic shaper wizards #3535
  • Shaper wizard will automatically attempt to guess the correct number of WANs and LANs.
  • Updated and expanded traffic shaping for games, game consoles, and other applications.
  • Allow up to 2900 limiters. This was set to 30. #3213

Misc

  • Cleaned up various older files/scripts that were no longer being used
  • Dropped all support for cvsup. cvs is dead, long live svn and git.
  • Optimizations/changes to the XML Parsing code
  • NTP updates to handle a wider range of GPS devices and more NTP options
  • Move to zerocopy_enable for bpf to optimize bpf logging, which uses the bpf interface. This should increase general performance since pflog is always enabled.
  • Add sshd service to list (if enabled)
  • Add a “status” subcommand to the svc php shell script.
  • When using the reset webConfigurator password option on the console, if the authentication server is not Local Database, ask the user to switch back to it. #3341
  • Fix interface selections on UPnP to show the customized descriptions entered by the user. While here, add an external interface selection knob. Fixes #3141
  • Layer 7 Pattern: EAOrigin.pat
  • Layer 7 Pattern: SWF (Flash)
  • Remove some old obsolete code that referred to the now-defunct “embedded” platform that was replaced with NanoBSD back in 1.2.x.
  • Sometimes fsck requires a second run; teach the rc script to call it more than once when necessary
  • Add column for internal port on UPnP status page
  • Make listening on interface rather than IP optional for UPnP
  • Use interface name for miniupnpd rather than IPv4 address #3874
  • Packet Capture: Host field supports rudimentary boolean logic. Captures can specify multiple IP addresses and use and/or between IP addresses. Example: To perform an “and” match where both hosts must match: “192.168.1.1, 192.168.1.2”. To perform an “or” match where any of the specified hosts can match: “192.168.1.1|192.168.1.2|192.168.1.3”
  • Packet Capture: Protocol, host, and port now support negation.
  • Added interface column to Diagnostics > States
  • Change is_port() to only validate a single port, we have is_portrange() for specific cases. #3857
  • Fix guess_interface_from_ip() to account for differences in netstat output. #3853
  • Fix Certificate Authority SAN name handling #3347
  • Add a basic command line password reset script.
  • Use configured proxy URL/port for downloading Bogons. Does not use credentials. #3789
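The Packet Capture host field syntax described above (comma for "and", pipe for "or") turned into a validated tcpdump/BPF expression, as an added example that is not pfSense's own code. The "!" negation prefix and the rejection of mixed and/or lists are assumptions of this example; the notes only say negation is supported without giving its syntax.

```python
"""Build a BPF host expression from the pfSense 2.2 Packet Capture "Host" field.

Syntax from the release notes:
  "a, b"   -> both hosts must match  (and)
  "a|b|c"  -> any host may match     (or)
Assumptions of this example (not stated in the notes):
  a leading "!" negates a single host/network; mixing "," and "|" is rejected.
Every token is validated with the ipaddress module before it is emitted, so
nothing but well-formed addresses can reach the tcpdump command line.
"""
import ipaddress
import re


def _host_term(token: str) -> str:
    """Turn one host token into a BPF term, validating it as an address or CIDR."""
    token = token.strip()
    negate = token.startswith("!")  # assumed negation prefix
    if negate:
        token = token[1:].strip()
    if "/" in token:
        ipaddress.ip_network(token, strict=False)  # raises ValueError if malformed
        term = f"net {token}"
    else:
        ipaddress.ip_address(token)  # raises ValueError if malformed
        term = f"host {token}"
    return f"not {term}" if negate else term


def build_host_filter(field: str) -> str:
    """Return a BPF expression for the field, or "" when the field is empty.

    Raises ValueError on malformed addresses or on a list that mixes
    "," (and) with "|" (or), which this example does not support.
    """
    field = field.strip()
    if not field:
        return ""
    if "," in field and "|" in field:
        raise ValueError("mixing ',' (and) with '|' (or) is not supported")
    joiner = " and " if "," in field else " or "
    terms = [_host_term(t) for t in re.split(r"[,|]", field) if t.strip()]
    if len(terms) == 1:
        return terms[0]
    return "(" + joiner.join(terms) + ")"


if __name__ == "__main__":
    # Constructed inputs taken from the examples in the notes plus one negation.
    for sample in ("192.168.1.1, 192.168.1.2", "192.168.1.1|192.168.1.2|192.168.1.3", "!10.0.0.0/8"):
        print(f"{sample!r:45} -> {build_host_filter(sample)}")
```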

Useful links

This document was taken from the pfSense® CE site and the original can be found
at this address.