pfSenseをアップデート 2.4.4→2.4.4_1

pfSenseをアップデートした記録 2.4.4→2.4.4_1

アップデート内容確認

2.4.4から2.4.4_1(2.4.4-p1)にアップデートします

変更点を確認
Releases — 2.4.4-p1 New Features and Changes | pfSense Documentation
https://www.netgate.com/docs/pfsense/releases/2-4-4-p1-new-features-and-changes.html

Security / Errata
    FreeBSD Errata Notice FreeBSD-EN-18:09.ip: IP fragment remediation causes IPv6 fragment reassembly failure #8934
    FreeBSD Errata Notice FreeBSD-EN-18:10.syscall NULL pointer dereference in freebsd4_getfsstat system call (CVE-2018-17154)
    FreeBSD Errata Notice FreeBSD-EN-18:11.listen Denial of service in listen syscall over IPv6 socket (CVE-2018-6925)
    FreeBSD Errata Notice FreeBSD-EN-18:12.mem Small kernel memory disclosures in two system calls (CVE-2018-17155)
    Fixed a potential authenticated command injection issue with PowerD settings pfSense-SA-18_09.webgui #9061
    Fixed handling of privileges on the All group that were previously ignored #9051
        Warning
        Check the privileges on the All group before upgrading to avoid unintended privileges for accounts being respected that were not honored before

Certificates
    Fixed CRL lifetime errors due to 2038 rollover on 32-bit ARM platforms #9098
    Fixed date display of CA/Certificate validity ending dates after 2038 rollover on 32-bit ARM platforms #9100
    Fixed PHP errors when creating certificate entries #9099

DNS
    Updated Unbound to 1.8.1 to address issues with memory leaks, especially in DNS over TLS support #9059
    Fixed issues with the DNS search domain for the firewall being omitted from resolv.conf in certain cases #9056
    Fixed PHP errors in the DNS Forwarder #8967

Dynamic DNS
    Fixed an issue with FreeDNS Dynamic DNS sending an IP address with an update #8924
    Fixed issues with Custom (v6) Dynamic DNS logging a hostname error #8977

DHCP Server
    Fixed issues with DHCPv6 network boot settings #8949

Routing/Gateways
    Reduced the logging output of gateway change events #8914
    Fixed an issue with dpinger PID files causing it to get stuck in Pending status #8921
    Fixed display of a configured gateway monitor IP address when gateway monitoring is disabled #8953
    Fixed issues with double quotes in gateway descriptions causing a blank gateway drop-down on firewall rules #8962
    Fixed an issue where the default gateway was lost in certain cases with HA after a CARP VIP status transition #8465

IPsec
    Updated strongSwan to 5.7.1 #8898
    Added 0.0.0.0/0 to both sides of an IPsec VTI P2 to allow connections with third-party routed IPsec implementations that require its presence #8859
    Fixed boot-time handling of IPsec VTI static routes #9116
    Fixed IKEv2 EAP Identity/Client ID matching so that it is strictly performed, to avoid users getting incorrect per-user settings #9055
    Fixed handling of RADIUS server names containing a . in the IPsec configuration with strongSwan 5.7.1 #9106
    Updated AWS IPsec wizard to use EC2 instance profiles and security groups, and switched the wizard from OpenBGPD to FRR

Interfaces/VIPs
    Fixed issues with DHCP client MTU causing interface configure loops when advanced options are present #8507
    Fixed issues with the Hyper-V hn(4) driver and ALTQ #8954
    Fixed issues with Hyper-V hn(4) interfaces dropping UDP6 traffic when transmit checksums were enabled #9019
    Fixed an issue with IGMP proxy failing to start on PPPoE interfaces #8935
    Fixed an issue with IPv6 Transmit checksums not being disabled when hardware checksums were set to be disabled #8980
    Updated mpd to 5.8_8 to address issues with Orange MTU #8995
    Fixed PPPoE service name checks to allow : and other alphanumeric characters #9002
    Fixed PHP errors when creating QinQ entries #9109
    Fixed the MAC address shown when editing a LAGG entry to always show the hardware MAC for each NIC and not the currently active address, which is no longer accurate for LAGG members #8937
    Fixed a PHP error when setting an interface address to act as a DHCP server from the console, when no other DHCP servers are already configured #9144
    Fixed a situation where editing a VLAN interface caused all other VLAN interfaces with the same parent to be reconfigured, which led to several other issues #9115
        Warning
        Editing a VLAN parent interface can still cause problems. If this becomes an issue on a firewall, consider moving from using the untagged parent to having that traffic be tagged so that the parent interface is not assigned or in use. #9154
        Known issues include:
            PPPoE instances on VLANs will not reconnect after the interface is reconfigured #9148
            VLAN interfaces that use IPv6 tracking may lose their addresses #9136

Hardware/Platform
    Fixed handling of EFI console when a device boots from UEFI, where vidconsole is not valid #8978
    Fixed PHP errors in switch configuration on platforms including integrated switches
    Added support for SG-5100 hardware watchdog
    Note
    Enable the Watchdog daemon under System > Advanced on the Miscellaneous tab, and then reboot and enable it in the BIOS with a timeout longer than the timeout configured in the GUI.

User Management / Authentication
    Fixed handling of privileges on the All group that were previously ignored #9051
        Warning
        Check the privileges on the All group before upgrading to avoid unintended privileges for accounts being respected that were not honored before
    Added GUI options to control sshguard sensitivity and whitelisting to allow users to fine-tune the behavior of the brute force login protection #8864
    Added an option to enable SSH agent forwarding (disabled by default) #8590
    Fixed inconsistencies with ssh settings in the configuration #8974
    Fixed PHP errors with ssh settings #8606
    Added support for LDAP client certificates on authentication servers (Factory only) #9007
    Fixed an issue with Local Database authentication when using non-English languages in certain cases, such as with Captive Portal #9086

Captive Portal
    Fixed Captive Portal RADIUS NAS Identifier default values to include the zone name #8998
    Restored the ability to set a custom NAS Identifier on Captive Portal RADIUS settings #8998
    Fixed issues with Captive Portal logout popup #9010
    Fixed handling of the login page displayed when RADIUS MAC Authentication fails #9032
    Fixed username sent in RADIUS accounting with MAC-based authentication #9131
    Fixed an issue with the blocked MAC address redirect URL #9114

WebGUI / Dashboard
    Fixed nginx restart handling when toggling GUI web server options under System > Advanced, Admin Access tab
    Fixed empty crash reports after upgrade #8915
    Added CDATA protection to common name fields so they can safely contain international characters #9006

Firewall Rules / Aliases / NAT
    The filterdns daemon has been rewritten, solving a number of issues with the old implementation, including:
        Fixes filterdns triggering every 16 seconds even when DNS records have not changed #7143
        Fixes invalid FQDN entries in aliases causing an alias table to fail silently #8001
        Fixes filterdns failing on a regular basis #8758
    Fixed /etc/rc.kill_states not correctly parsing pfctl output #8554
    Fixed formatting of alias names to still wrap but not replace underscores #8893
    Fixed PHP errors from filter_rules_sort() when a configuration contains no rules #8993
    Fixed PHP errors when creating schedules #9009
    Fixed PHP errors when creating entries on NAT pages #9080
    Fixed PHP errors from easyrule when no aliases are present #9119
    Fixed “Drag to reorder” description in rule list when rule drag-and-drop is disabled #9128

Traffic Shaping (ALTQ/Limiters)
    Fixed issues with Limiter queue display on upgraded configurations #8956
    Fixed the default limiter scheduler to match previous version (WF2Q+) #8973
    Added scheduler information to the limiter information page #8973

Packages
    Fixed issues with package installation causing problems when crossing major PHP versions #8938
    Fixed PHP errors when installing packages #9067

Backup/Restore
    Added schedule (cron) support to AutoConfigBackup #8947
    Fixed issues with AutoConfigBackup restoring a configuration from a different host #8901
    Fixed the AutoConfigBackup menu from the deprecated package still showing when the package is no longer present #8959
    Fixed an issue with Reinstall Packages hanging when run from Diagnostics > Backup & Restore #8933
    Fixed issues with multiple <rrddata> tags in config.xml #8994
    Fixed a race condition in package operations after a configuration restore that could lead to no packages being reinstalled #9045
    Fixed issues with the External Config Locator not finding a config.xml in /config #9066
    Fixed an issue where packages may not be reinstalled during a configuration restore performed immediately after a fresh install #9071
    Fixed a stream_select() error when restoring packages #9102

Wake on LAN
    Fixed issues with ordering of entries in Wake on LAN #8926
    Added top control buttons to Wake on LAN for Add and Wake all Devices when there are more than 25 entries #8943

NTP
    Fixed issues with NTP status when using noquery in the default permissions along with a specific ACL for localhost #7609

Logging / Notifications
    Fixed an issue with log file sizes >= 2^32/2 #9081
    Fixed PHP errors when saving log settings #9095
    Added a checkbox to disable TLS certificate verification for SMTP notifications #9001

Install/Upgrade
    Added a FAT partition to the installer memstick to make it easier to restore a config.xml file during the install process. Also includes a copy of the license and a README. #9104
    Fixed PHP errors in upgrade code for IPsec #9083

Miscellaneous
    Fixed HTTPS proxy authentication support for connections on the firewall itself #9029
    Clarified wording of Kernel PTI options on System > Advanced, Miscellaneous tab #9026
    Added a Save button to Status > Traffic Graphs to store default settings to use when loading the page #8976
    Added support for nvme controllers to the S.M.A.R.T. diagnostics page #9042

FreeBSDのエラッタ修正がメインですが
2.4.4から期間が空いたのもありp1とは思えない数の修正点があります
消化したチケットの数を見ても0.0.1アップ規模ですね

アップデートの手順

事前に設定のバックアップをした上で以下の操作でアップデートを実行
手順はいつもと同じです

まずダッシュボードのVersionのところにある雲マークか
System→Updateを選択

2.4.4から2.4.4_1へアップデートと表示出てるのを確認して「Confirm」を押す

無事に完了すると自動で再起動開始されます

最後に2.4.4_1の状態で設定をバックアップして完了

Update時の処理ログ

>>> Updating repositories metadata... 
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
>>> Setting vital flag on pkg... done.
>>> Removing vital flag from lang/php72... done.
>>> Downloading upgrade packages... 
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (13 candidates): .......... done
Processing candidates (13 candidates): .......... done
The following 14 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
  ccache: 3.4.2 [pfSense]

Installed packages to be UPGRADED:
  unbound: 1.7.3 -> 1.8.1 [pfSense]
  strongswan: 5.6.3 -> 5.7.1 [pfSense]
  php72-pfSense-module: 0.64_6 -> 0.65 [pfSense]
  pfSense-rc: 2.4.4 -> 2.4.4_1 [pfSense-core]
  pfSense-kernel-pfSense: 2.4.4 -> 2.4.4_1 [pfSense-core]
  pfSense-default-config: 2.4.4 -> 2.4.4_1 [pfSense-core]
  pfSense-base: 2.4.4 -> 2.4.4_1 [pfSense-core]
  pfSense: 2.4.4 -> 2.4.4_1 [pfSense]
  mpd5: 5.8_7 -> 5.8_8 [pfSense]
  igmpproxy: 0.2.1,1 -> 0.2.1_1,1 [pfSense]
  filterdns: 1.0_16 -> 2.0_1 [pfSense]
  curl: 7.61.1 -> 7.62.0 [pfSense]

Installed packages to be REINSTALLED:
  scponly-4.8.20110526_2 [pfSense] (direct dependency added: ccache)

Number of packages to be installed: 1
Number of packages to be upgraded: 12
Number of packages to be reinstalled: 1

55 MiB to be downloaded.
[1/14] Fetching unbound-1.8.1.txz: .......... done
[2/14] Fetching strongswan-5.7.1.txz: .......... done
[3/14] Fetching scponly-4.8.20110526_2.txz: ... done
[4/14] Fetching php72-pfSense-module-0.65.txz: ...... done
[5/14] Fetching pfSense-rc-2.4.4_1.txz: .. done
[6/14] Fetching pfSense-kernel-pfSense-2.4.4_1.txz: .......... done
[7/14] Fetching pfSense-default-config-2.4.4_1.txz: . done
[8/14] Fetching pfSense-base-2.4.4_1.txz: .......... done
[9/14] Fetching pfSense-2.4.4_1.txz: . done
[10/14] Fetching mpd5-5.8_8.txz: .......... done
[11/14] Fetching igmpproxy-0.2.1_1,1.txz: ... done
[12/14] Fetching filterdns-2.0_1.txz: ... done
[13/14] Fetching curl-7.62.0.txz: .......... done
[14/14] Fetching ccache-3.4.2.txz: .......... done
Checking integrity... done (0 conflicting)
>>> Upgrading pfSense-rc... 
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
  pfSense-rc: 2.4.4 -> 2.4.4_1 [pfSense-core]

Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-rc from 2.4.4 to 2.4.4_1...
[1/1] Extracting pfSense-rc-2.4.4_1: .... done
>>> Upgrading pfSense kernel... 
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
  pfSense-kernel-pfSense: 2.4.4 -> 2.4.4_1 [pfSense-core]

Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-kernel-pfSense from 2.4.4 to 2.4.4_1...
[1/1] Extracting pfSense-kernel-pfSense-2.4.4_1: .......... done
===> Keeping a copy of current kernel in /boot/kernel.old
>>> Removing unnecessary packages... done.
Upgrade is complete.  Rebooting in 10 seconds.
Success