Notes on updating pfSense from 2.4.4 to 2.4.4_1
Checking what the update contains
This updates 2.4.4 to 2.4.4_1 (2.4.4-p1).
Review the changes
Releases — 2.4.4-p1 New Features and Changes | pfSense Documentation
https://www.netgate.com/docs/pfsense/releases/2-4-4-p1-new-features-and-changes.html
Security / Errata
FreeBSD Errata Notice FreeBSD-EN-18:09.ip: IP fragment remediation causes IPv6 fragment reassembly failure #8934
FreeBSD Errata Notice FreeBSD-EN-18:10.syscall NULL pointer dereference in freebsd4_getfsstat system call (CVE-2018-17154)
FreeBSD Errata Notice FreeBSD-EN-18:11.listen Denial of service in listen syscall over IPv6 socket (CVE-2018-6925)
FreeBSD Errata Notice FreeBSD-EN-18:12.mem Small kernel memory disclosures in two system calls (CVE-2018-17155)
Fixed a potential authenticated command injection issue with PowerD settings pfSense-SA-18_09.webgui #9061
Fixed handling of privileges on the All group that were previously ignored #9051
Warning
Check the privileges on the All group before upgrading to avoid unintended privileges for accounts being respected that were not honored before
Certificates
Fixed CRL lifetime errors due to 2038 rollover on 32-bit ARM platforms #9098
Fixed date display of CA/Certificate validity ending dates after 2038 rollover on 32-bit ARM platforms #9100
Fixed PHP errors when creating certificate entries #9099
DNS
Updated Unbound to 1.8.1 to address issues with memory leaks, especially in DNS over TLS support #9059
Fixed issues with the DNS search domain for the firewall being omitted from resolv.conf in certain cases #9056
Fixed PHP errors in the DNS Forwarder #8967
Dynamic DNS
Fixed an issue with FreeDNS Dynamic DNS sending an IP address with an update #8924
Fixed issues with Custom (v6) Dynamic DNS logging a hostname error #8977
DHCP Server
Fixed issues with DHCPv6 network boot settings #8949
Routing/Gateways
Reduced the logging output of gateway change events #8914
Fixed an issue with dpinger PID files causing it to get stuck in Pending status #8921
Fixed display of a configured gateway monitor IP address when gateway monitoring is disabled #8953
Fixed issues with double quotes in gateway descriptions causing a blank gateway drop-down on firewall rules #8962
Fixed an issue where the default gateway was lost in certain cases with HA after a CARP VIP status transition #8465
IPsec
Updated strongSwan to 5.7.1 #8898
Added 0.0.0.0/0 to both sides of an IPsec VTI P2 to allow connections with third-party routed IPsec implementations that require its presence #8859
Fixed boot-time handling of IPsec VTI static routes #9116
Fixed IKEv2 EAP Identity/Client ID matching so that it is strictly performed, to avoid users getting incorrect per-user settings #9055
Fixed handling of RADIUS server names containing a . in the IPsec configuration with strongSwan 5.7.1 #9106
Updated AWS IPsec wizard to use EC2 instance profiles and security groups, and switched the wizard from OpenBGPD to FRR
Interfaces/VIPs
Fixed issues with DHCP client MTU causing interface configure loops when advanced options are present #8507
Fixed issues with the Hyper-V hn(4) driver and ALTQ #8954
Fixed issues with Hyper-V hn(4) interfaces dropping UDP6 traffic when transmit checksums were enabled #9019
Fixed an issue with IGMP proxy failing to start on PPPoE interfaces #8935
Fixed an issue with IPv6 Transmit checksums not being disabled when hardware checksums were set to be disabled #8980
Updated mpd to 5.8_8 to address issues with Orange MTU #8995
Fixed PPPoE service name checks to allow : and other alphanumeric characters #9002
Fixed PHP errors when creating QinQ entries #9109
Fixed the MAC address shown when editing a LAGG entry to always show the hardware MAC for each NIC and not the currently active address, which is no longer accurate for LAGG members #8937
Fixed a PHP error when setting an interface address to act as a DHCP server from the console, when no other DHCP servers are already configured #9144
Fixed a situation where editing a VLAN interface caused all other VLAN interfaces with the same parent to be reconfigured, which led to several other issues #9115
Warning
Editing a VLAN parent interface can still cause problems. If this becomes an issue on a firewall, consider moving from using the untagged parent to having that traffic be tagged so that the parent interface is not assigned or in use. #9154
Known issues include:
PPPoE instances on VLANs will not reconnect after the interface is reconfigured #9148
VLAN interfaces that use IPv6 tracking may lose their addresses #9136
Hardware/Platform
Fixed handling of EFI console when a device boots from UEFI, where vidconsole is not valid #8978
Fixed PHP errors in switch configuration on platforms including integrated switches
Added support for SG-5100 hardware watchdog
Note
Enable the Watchdog daemon under System > Advanced on the Miscellaneous tab, and then reboot and enable it in the BIOS with a timeout longer than the timeout configured in the GUI.
User Management / Authentication
Fixed handling of privileges on the All group that were previously ignored #9051
Warning
Check the privileges on the All group before upgrading to avoid unintended privileges for accounts being respected that were not honored before
Added GUI options to control sshguard sensitivity and whitelisting to allow users to fine-tune the behavior of the brute force login protection #8864
Added an option to enable SSH agent forwarding (disabled by default) #8590
Fixed inconsistencies with ssh settings in the configuration #8974
Fixed PHP errors with ssh settings #8606
Added support for LDAP client certificates on authentication servers (Factory only) #9007
Fixed an issue with Local Database authentication when using non-English languages in certain cases, such as with Captive Portal #9086
Captive Portal
Fixed Captive Portal RADIUS NAS Identifier default values to include the zone name #8998
Restored the ability to set a custom NAS Identifier on Captive Portal RADIUS settings #8998
Fixed issues with Captive Portal logout popup #9010
Fixed handling of the login page displayed when RADIUS MAC Authentication fails #9032
Fixed username sent in RADIUS accounting with MAC-based authentication #9131
Fixed an issue with the blocked MAC address redirect URL #9114
WebGUI / Dashboard
Fixed nginx restart handling when toggling GUI web server options under System > Advanced, Admin Access tab
Fixed empty crash reports after upgrade #8915
Added CDATA protection to common name fields so they can safely contain international characters #9006
Firewall Rules / Aliases / NAT
The filterdns daemon has been rewritten, solving a number of issues with the old implementation, including:
Fixes filterdns triggering every 16 seconds even when DNS records have not changed #7143
Fixes invalid FQDN entries in aliases causing an alias table to fail silently #8001
Fixes filterdns failing on a regular basis #8758
Fixed /etc/rc.kill_states not correctly parsing pfctl output #8554
Fixed formatting of alias names to still wrap but not replace underscores #8893
Fixed PHP errors from filter_rules_sort() when a configuration contains no rules #8993
Fixed PHP errors when creating schedules #9009
Fixed PHP errors when creating entries on NAT pages #9080
Fixed PHP errors from easyrule when no aliases are present #9119
Fixed “Drag to reorder” description in rule list when rule drag-and-drop is disabled #9128
Traffic Shaping (ALTQ/Limiters)
Fixed issues with Limiter queue display on upgraded configurations #8956
Fixed the default limiter scheduler to match previous version (WF2Q+) #8973
Added scheduler information to the limiter information page #8973
Packages
Fixed issues with package installation causing problems when crossing major PHP versions #8938
Fixed PHP errors when installing packages #9067
Backup/Restore
Added schedule (cron) support to AutoConfigBackup #8947
Fixed issues with AutoConfigBackup restoring a configuration from a different host #8901
Fixed the AutoConfigBackup menu from the deprecated package still showing when the package is no longer present #8959
Fixed an issue with Reinstall Packages hanging when run from Diagnostics > Backup & Restore #8933
Fixed issues with multiple <rrddata> tags in config.xml #8994
Fixed a race condition in package operations after a configuration restore that could lead to no packages being reinstalled #9045
Fixed issues with the External Config Locator not finding a config.xml in /config #9066
Fixed an issue where packages may not be reinstalled during a configuration restore performed immediately after a fresh install #9071
Fixed a stream_select() error when restoring packages #9102
Wake on LAN
Fixed issues with ordering of entries in Wake on LAN #8926
Added top control buttons to Wake on LAN for Add and Wake all Devices when there are more than 25 entries #8943
NTP
Fixed issues with NTP status when using noquery in the default permissions along with a specific ACL for localhost #7609
Logging / Notifications
Fixed an issue with log file sizes >= 2^32/2 #9081
Fixed PHP errors when saving log settings #9095
Added a checkbox to disable TLS certificate verification for SMTP notifications #9001
Install/Upgrade
Added a FAT partition to the installer memstick to make it easier to restore a config.xml file during the install process. Also includes a copy of the license and a README. #9104
Fixed PHP errors in upgrade code for IPsec #9083
Miscellaneous
Fixed HTTPS proxy authentication support for connections on the firewall itself #9029
Clarified wording of Kernel PTI options on System > Advanced, Miscellaneous tab #9026
Added a Save button to Status > Traffic Graphs to store default settings to use when loading the page #8976
Added support for nvme controllers to the S.M.A.R.T. diagnostics page #9042
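The FreeBSD errata fixes are the main content, but
partly because some time has passed since 2.4.4, there are more fixes than you would expect from a p1.
Judging by the number of tickets closed, this is on the scale of a 0.0.1 version bump.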
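The release notes quoted above warn that privileges on the All group, which were previously ignored, are honored after this upgrade (#9051). The following is an added example, not part of the original post or of pfSense itself: it reads a config.xml backup taken before the update and reports which accounts would gain which privileges. The XML layout, the rule that every account belongs to All, and the sample data are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample backup (not from the post). Assumed layout: <system> holds
# <group> (name, member=uid, priv) and <user> (name, uid, priv) elements.
SAMPLE_CONFIG = """<pfsense><system>
  <group><name>all</name><description><![CDATA[All Users]]></description>
    <gid>1998</gid><priv>page-dashboard-all</priv><priv>user-shell-access</priv></group>
  <group><name>admins</name><gid>1999</gid><member>0</member>
    <priv>page-all</priv></group>
  <user><name>admin</name><uid>0</uid></user>
  <user><name>helpdesk</name><uid>2000</uid><priv>page-dashboard-all</priv></user>
  <user><name>guest</name><uid>2001</uid></user>
</system></pfsense>"""

def _texts(node, tag):
    """Stripped text of every non-empty <tag> child of node."""
    return [c.text.strip() for c in node.findall(tag) if c.text and c.text.strip()]

def _is_all(group):
    return (group.findtext("name") or "").strip().lower() == "all"

def all_group_privs(config_xml):
    """Privileges assigned to the All group, in document order."""
    system = ET.fromstring(config_xml).find("system")
    return [p for g in system.findall("group") if _is_all(g) for p in _texts(g, "priv")]

def newly_effective(config_xml):
    """Map user name -> All-group privileges that user does not already hold."""
    system = ET.fromstring(config_xml).find("system")
    inherited = set(all_group_privs(config_xml))
    report = {}
    for user in system.findall("user"):
        uid = (user.findtext("uid") or "").strip()
        held = set(_texts(user, "priv"))
        for group in system.findall("group"):
            if not _is_all(group) and uid in _texts(group, "member"):
                held.update(_texts(group, "priv"))
        gained = inherited - held
        if "page-all" in held:
            # Assumption: page-all already covers every page-* privilege.
            gained = {p for p in gained if not p.startswith("page-")}
        if gained:
            report[user.findtext("name")] = sorted(gained)
    return report

if __name__ == "__main__":
    print("All group privileges:", all_group_privs(SAMPLE_CONFIG))
    for name, privs in newly_effective(SAMPLE_CONFIG).items():
        print(f"{name}: gains {privs}")
```

An empty report means the All group carries nothing an account lacks; any entry is a privilege to remove from All or accept deliberately before pressing Confirm.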
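Update procedure
After backing up the configuration first, run the update with the steps below.
The procedure is the same as always.
First, either click the cloud icon next to Version on the dashboard, or
select System → Update.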

Confirm that an update from 2.4.4 to 2.4.4_1 is displayed, then press "Confirm".

Processing log from the update
>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
>>> Setting vital flag on pkg... done.
>>> Removing vital flag from lang/php72... done.
>>> Downloading upgrade packages...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (13 candidates): .......... done
Processing candidates (13 candidates): .......... done
The following 14 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
  ccache: 3.4.2 [pfSense]
Installed packages to be UPGRADED:
  unbound: 1.7.3 -> 1.8.1 [pfSense]
  strongswan: 5.6.3 -> 5.7.1 [pfSense]
  php72-pfSense-module: 0.64_6 -> 0.65 [pfSense]
  pfSense-rc: 2.4.4 -> 2.4.4_1 [pfSense-core]
  pfSense-kernel-pfSense: 2.4.4 -> 2.4.4_1 [pfSense-core]
  pfSense-default-config: 2.4.4 -> 2.4.4_1 [pfSense-core]
  pfSense-base: 2.4.4 -> 2.4.4_1 [pfSense-core]
  pfSense: 2.4.4 -> 2.4.4_1 [pfSense]
  mpd5: 5.8_7 -> 5.8_8 [pfSense]
  igmpproxy: 0.2.1,1 -> 0.2.1_1,1 [pfSense]
  filterdns: 1.0_16 -> 2.0_1 [pfSense]
  curl: 7.61.1 -> 7.62.0 [pfSense]
Installed packages to be REINSTALLED:
  scponly-4.8.20110526_2 [pfSense] (direct dependency added: ccache)
Number of packages to be installed: 1
Number of packages to be upgraded: 12
Number of packages to be reinstalled: 1
55 MiB to be downloaded.
[1/14] Fetching unbound-1.8.1.txz: .......... done
[2/14] Fetching strongswan-5.7.1.txz: .......... done
[3/14] Fetching scponly-4.8.20110526_2.txz: ... done
[4/14] Fetching php72-pfSense-module-0.65.txz: ...... done
[5/14] Fetching pfSense-rc-2.4.4_1.txz: .. done
[6/14] Fetching pfSense-kernel-pfSense-2.4.4_1.txz: .......... done
[7/14] Fetching pfSense-default-config-2.4.4_1.txz: . done
[8/14] Fetching pfSense-base-2.4.4_1.txz: .......... done
[9/14] Fetching pfSense-2.4.4_1.txz: . done
[10/14] Fetching mpd5-5.8_8.txz: .......... done
[11/14] Fetching igmpproxy-0.2.1_1,1.txz: ... done
[12/14] Fetching filterdns-2.0_1.txz: ... done
[13/14] Fetching curl-7.62.0.txz: .......... done
[14/14] Fetching ccache-3.4.2.txz: .......... done
Checking integrity... done (0 conflicting)
>>> Upgrading pfSense-rc...
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
  pfSense-rc: 2.4.4 -> 2.4.4_1 [pfSense-core]
Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-rc from 2.4.4 to 2.4.4_1...
[1/1] Extracting pfSense-rc-2.4.4_1: .... done
>>> Upgrading pfSense kernel...
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
  pfSense-kernel-pfSense: 2.4.4 -> 2.4.4_1 [pfSense-core]
Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-kernel-pfSense from 2.4.4 to 2.4.4_1...
[1/1] Extracting pfSense-kernel-pfSense-2.4.4_1: .......... done
===> Keeping a copy of current kernel in /boot/kernel.old
>>> Removing unnecessary packages... done.
Upgrade is complete. Rebooting in 10 seconds.
Success


