Record of updating pfSense 2.5.0 → 2.5.1
Checking the update contents
Updating from 2.5.0 to 2.5.1.
Checking the changes:
https://docs.netgate.com/pfsense/en/latest/releases/21-02-2_2-5-1.html
Known Issues / Errata
There is an issue with AES-NI hash acceleration for SHA1 and SHA-256. If the AES-NI driver detects a system capable of accelerating SHA1 or SHA-256 and the firewall attempts to utilize one of those hashes, the affected operation may fail. This affects IPsec and OpenVPN, among other uses. pfSense Plus users can change to QAT acceleration on supported hardware instead. In cases where QAT is unavailable, change to AES-GCM, change to a different unaccelerated hash (e.g. SHA-512), or disable AES-NI. See #11524 for details.
There is a similar issue which affects SafeXcel SHA1 and SHA2 hash acceleration on SG-1100 and SG-2100. On that hardware, change to an AEAD cipher such as AES-GCM or switch to an unaccelerated hash. This issue is being tracked internally on NG #6005.
The FRR package on pfSense Plus 21.02 and pfSense CE 2.5.0 and later no longer exchanges routes with BGP peers by default without being explicitly allowed to do so. This is more secure behavior but requires a manual change. To replicate the previous behavior, add a route map to permit all routes (Name: allow-all, Action: Permit, Sequence: 100), then set that route map on BGP neighbors for inbound and outbound peer filtering. For increased security, utilize route maps which filter incoming and outgoing routes so they match more strictly. See Peer Filtering and BGP Example Configuration for more information.
pfSense Plus
Certificates
Fixed: CA and certificate validity end dates after 2038 are not handled properly on 32-bit ARM #11504
Interfaces
Added: Interface Status page information for switch uplinks may be replaced by switch port data when media state monitoring is set #10804
Rules / NAT
Fixed: State matching problem with responses to packets arriving on non-default WANs #11436
Upgrade
Fixed: LEDs do not indicate available upgrade status #11689
pfSense CE
Aliases / Tables
Fixed: Alias name change is not reflected in firewall rules #11568
Authentication
Fixed: Unreachable LDAP server for SSH auth causes boot process to stop at ‘Synchronizing user settings’ and no user can login over SSH #11644
Certificates
Fixed: Invalid certificate data can cause a PHP error #11489
Fixed: Renewing a self-signed CA or certificate does not update the serial number #11514
Fixed: Unable to renew a certificate without a SAN #11652
Fixed: Certificates with escaped x509 characters display the escaped version when renewing #11654
Fixed: Creating a certificate while creating a user does not fully configure the certificate properly #11705
Fixed: Renewing a certificate without a type value assumes a server certificate #11706
DNS Resolver
Fixed: DNS Resolver does not add a local-zone type for ip6.arpa domain override #11403
Fixed: DNS Resolver does not bind to an interface when it recovers from a down state #11547
Dashboard
Fixed: CPU details are incorrect in the System Information widget after resetting log files #11428
Fixed: Disabling ‘State Table Size’ in the System Information widget prevents other data from being displayed #11443
Gateway Monitoring
Fixed: Automatic default gateway mode does not select expected entries #11729
Gateways
Fixed: Gateways with “Use non-local gateway” set are not added to routing table #11433
IPsec
Fixed: IPsec status incorrect for entries using expanded IKE connection numbers #11435
Fixed: Distinguished Name (FQDN) IPsec peer identifier type is not formatted properly in swanctl.conf secrets #11442
Fixed: Mobile IPsec DNS server input validation does not reject unsupported IPv4-mapped IPv6 addresses #11446
Fixed: Broken help link on IPsec Advanced Settings tab #11474
Fixed: Connect and disconnect buttons on the IPsec status page do not work for all tunnels #11486
Fixed: IPsec tunnels using expanded IKE connection numbers do not have proper child SA names in swanctl.conf #11487
Fixed: IPsec tunnel definitions have pools = entry in swanctl.conf with no value #11488
Fixed: Mobile IPsec broken when using strict certificate revocation list checking #11526
Fixed: IPsec VTI tunnel between IPv6 peers may not configure correctly #11537
Fixed: IPsec peer ID of “Any” does not generate a proper remote definition or related secrets #11555
Fixed: IPsec tunnel does not function when configured on a 6RD interface #11643
IPv6 Router Advertisements (RADVD)
Fixed: IPv6 RA RDNSS lifetime is too short, not compliant with RFC 8106 #11105
Installer
Fixed: Installer does not add required module to loader.conf when using ZFS #11483
Interfaces
Fixed: IPv4 MSS value is incorrectly applied to IPv6 packets #11409
Fixed: Gateway value for DHCP6 interfaces missing after RA events triggered script without gateway information #11454
Fixed: Delayed packet transmission in cxgbe driver can lead to latency and reduced performance #11602
Fixed: DHCP6 interfaces are reconfigured multiple times at boot when more than one interface is set to Track #11633
Logging
Fixed: Entries from rotated log files may be displayed out of order when log display includes contents from multiple files #11639
Notifications
Fixed: Telegram and Pushover notification API calls do not respect proxy configuration #11476
OpenVPN
Fixed: OpenVPN authentication and certificate validation fail due to size of data passed through fcgicli #4521
Added: Display negotiated data encryption algorithm in OpenVPN connection status #7077
Fixed: OpenVPN does not start with several authentication sources selected #11104
Fixed: OpenVPN client configuration page displays Shared Key option when set for SSL/TLS #11382
Fixed: Incorrect order of route-nopull option in OpenVPN client-specific override configuration #11448
Fixed: OpenVPN using the wrong OpenSSL command to list digest algorithms #11500
Fixed: Selected Data Encryption Algorithms list items reset when an input validation error occurs #11554
Fixed: OpenVPN does not start with a long list of Data Encryption Algorithms #11559
Fixed: ACLs generated from RADIUS reply attributes do not parse {clientip} macro #11561
Fixed: ACLs generated from RADIUS reply attributes have incorrect syntax #11569
Fixed: OpenVPN binds to all interfaces when configured on a 6RD interface #11674
Operating System
Fixed: Unexpected Operator error on console at boot with ZFS and RAM Disks #11617
Changed: Upgrade OpenSSL to 1.1.1k #11755
Routing
Fixed: Disabled static route entries trigger ‘route delete’ error at boot #3709
Fixed: Route tables with many entries can lead to PHP errors and timeouts when looking up routes #11475
Fixed: Error when removing automatic DNS server route #11578
Fixed: IPv6 routes with a prefix length of 128 result in an invalid route table entry #11594
Fixed: Error when deleting IPv6 link-local routes #11713
Rules / NAT
Fixed: Saved state timeout values not loaded into GUI fields on system_advanced_firewall.php #11565
Fixed: Firewall rule schedule cannot be changed #11747
Upgrade
Fixed: pfSense Proxy Authentication not working #11383
Wake on LAN
Fixed: Potential stored XSS vulnerability in services_wol.php #11616
Web Interface
Fixed: Requests to ews.netgate.com do not honor proxy configuration #11464
XMLRPC
Fixed: XMLRPC error with Captive Portal and CARP failover when GUI is on non-standard port #11425
Fixed: Incorrect DHCP failover IP address configured on peer after XMLRPC sync #11519
Fixed: PHP error in logs from XMLRPC if no sections are selected to sync #11638
This release is mainly a bug-fix update; there were few updated packages and it finished in a short time.
The big point is that WireGuard, which was introduced in 2.5.0, has been removed in 2.5.1. If you had WireGuard enabled, it is recommended to disable it before updating to 2.5.1.
As for WireGuard, Netgate had commissioned Matthew Macy to implement WireGuard in the kernel of the base OS, FreeBSD, but it appears that the ported source code was quite problematic. If you want the details, search for "Matthew Macy WireGuard".
As a result, the plan to ship it in FreeBSD 13.0-RELEASE was cancelled. However, Jason A. Donenfeld, the developer of WireGuard himself rather than Matthew Macy, has announced a kernel implementation, so the direction itself continues. It is currently planned for FreeBSD 13.x, so a day when WireGuard can be used in pfSense will probably come eventually.
[ANNOUNCE] WireGuard for FreeBSD in development for 13.y – and a note of how we got here
https://lists.zx2c4.com/pipermail/wireguard/2021-March/006494.html
Also, as listed in the known issues, a problem with AES-NI hash acceleration has been confirmed in the 2.5 series. Be careful if you are running IPsec or OpenVPN with SHA1 or SHA-256.
For the 2.5 series the workarounds are three choices: switch to SHA-512, switch to AES-GCM, or disable AES-NI.
My environment uses OpenVPN, but since I was already using AES-GCM there was no particular impact, and it keeps working without problems on 2.5.1.
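As an added pre-upgrade check (my own example, not code from this post or from pfSense), the script below scans a pfSense config.xml for OpenVPN and IPsec phase 1 settings that combine SHA1 or SHA-256 with AES-NI, following the workaround list above (AES-GCM data ciphers are treated as unaffected). The element names follow pfSense's config.xml layout as I know it and the sample config is constructed, so both are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of a pfSense config.xml.
# Element names are assumptions based on pfSense's config.xml layout.
SAMPLE_CONFIG = """<pfsense>
  <system><crypto_hardware>aesni</crypto_hardware></system>
  <openvpn>
    <openvpn-server><vpnid>1</vpnid><description>rw-gcm</description>
      <data_ciphers>AES-256-GCM,AES-128-GCM</data_ciphers>
      <data_ciphers_fallback>AES-256-GCM</data_ciphers_fallback>
      <digest>SHA256</digest></openvpn-server>
    <openvpn-server><vpnid>2</vpnid><description>legacy-cbc</description>
      <data_ciphers>AES-256-CBC</data_ciphers>
      <data_ciphers_fallback>AES-256-CBC</data_ciphers_fallback>
      <digest>SHA1</digest></openvpn-server>
  </openvpn>
  <ipsec>
    <phase1><ikeid>1</ikeid><descr>site-a</descr><encryption><item>
      <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
      <hash-algorithm>sha256</hash-algorithm></item></encryption></phase1>
    <phase1><ikeid>2</ikeid><descr>site-b</descr><encryption><item>
      <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
      <hash-algorithm>sha512</hash-algorithm></item></encryption></phase1>
  </ipsec>
</pfsense>"""

AFFECTED = {"sha1", "sha256"}  # hashes hit by the 2.5.x AES-NI acceleration bug


def norm(h):
    """Map 'SHA-256', 'SHA256', 'hmac_sha1' and similar onto 'sha256' / 'sha1'."""
    return h.lower().replace("-", "").replace("hmac_", "")


def find_affected(config_xml):
    """Return (kind, name, reason) tuples for settings that would use an
    affected hash with AES-NI enabled; [] when AES-NI is not selected."""
    root = ET.fromstring(config_xml)
    if root.findtext("system/crypto_hardware") != "aesni":
        return []
    hits = []
    for tag in ("openvpn-server", "openvpn-client"):
        for vpn in root.iter(tag):
            ciphers = (vpn.findtext("data_ciphers") or "") + "," + (vpn.findtext("data_ciphers_fallback") or "")
            # AES-GCM is AEAD, so the digest is not used for the data channel
            non_aead = [c for c in ciphers.split(",") if c and "GCM" not in c.upper()]
            digest = norm(vpn.findtext("digest") or "")
            if digest in AFFECTED and non_aead:
                hits.append((tag, vpn.findtext("description"), f"{digest} with {non_aead[0]}"))
    for p1 in root.iter("phase1"):
        for h in p1.iterfind("encryption/item/hash-algorithm"):
            if norm(h.text) in AFFECTED:
                hits.append(("ipsec-phase1", p1.findtext("descr"), norm(h.text)))
    return hits
```

Run it against a backup of config.xml (read the file instead of SAMPLE_CONFIG) before upgrading; each hit is a tunnel to move to SHA-512 or AES-GCM first.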
Update procedure
This is again an update on pfSense CE.
After backing up the configuration beforehand, run the update with the following steps. The procedure is the same as always.
Confirm that the screen shows an update from 2.5.0 to 2.5.1 and press "Confirm".
Processing log during the update:
>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: . done
Processing entries: . done
pfSense-core repository update completed. 7 packages processed.
Updating pfSense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
pfSense repository update completed. 508 packages processed.
All repositories are up to date.
>>> Removing vital flag from php74... done.
>>> Downloading upgrade packages...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (9 candidates): ......... done
Processing candidates (9 candidates): ......... done
The following 9 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
bind-tools: 9.16.11 -> 9.16.12 [pfSense]
nettle: 3.6 -> 3.7.2_1 [pfSense]
openvpn: 2.5.0 -> 2.5.1 [pfSense]
pfSense: 2.5.0 -> 2.5.1 [pfSense]
pfSense-base: 2.5.0 -> 2.5.1 [pfSense-core]
pfSense-default-config: 2.5.0 -> 2.5.1 [pfSense-core]
pfSense-kernel-pfSense: 2.5.0 -> 2.5.1 [pfSense-core]
pfSense-rc: 2.5.0 -> 2.5.1 [pfSense-core]
unbound: 1.13.0_2 -> 1.13.1 [pfSense]
Number of packages to be upgraded: 9
95 MiB to be downloaded.
[1/9] Fetching unbound-1.13.1.txz: .......... done
[2/9] Fetching pfSense-rc-2.5.1.txz: .. done
[3/9] Fetching pfSense-kernel-pfSense-2.5.1.txz: .......... done
[4/9] Fetching pfSense-default-config-2.5.1.txz: . done
[5/9] Fetching pfSense-base-2.5.1.txz: .......... done
[6/9] Fetching pfSense-2.5.1.txz: . done
[7/9] Fetching openvpn-2.5.1.txz: .......... done
[8/9] Fetching nettle-3.7.2_1.txz: .......... done
[9/9] Fetching bind-tools-9.16.12.txz: .......... done
Checking integrity... done (0 conflicting)
>>> Downloading pkg...
The following packages will be fetched:
New packages to be FETCHED:
pkg: 1.16.1 (7 MiB: 100.00% of the 7 MiB to download)
Number of packages to be fetched: 1
The process will require 7 MiB more space.
7 MiB to be downloaded.
Fetching pkg-1.16.1.txz: .......... done
>>> Upgrading pfSense-rc...
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
pfSense-rc: 2.5.0 -> 2.5.1 [pfSense-core]
Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-rc from 2.5.0 to 2.5.1...
===> Setting net.pf.request_maxcount=400000
[1/1] Extracting pfSense-rc-2.5.1: ...... done
>>> Upgrading pfSense kernel...
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
pfSense-kernel-pfSense: 2.5.0 -> 2.5.1 [pfSense-core]
Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-kernel-pfSense from 2.5.0 to 2.5.1...
[1/1] Extracting pfSense-kernel-pfSense-2.5.1: .......... done
===> Keeping a copy of current kernel in /boot/kernel.old
>>> Removing unnecessary packages... done.
System is going to be upgraded. Rebooting in 10 seconds.
Success