Record of updating pfSense: 2.4.4_2 → 2.4.4_3
Checking the update contents
This update goes from 2.4.4_2 (2.4.4-p2) to 2.4.4_3 (2.4.4-p3).
Check the changes
https://docs.netgate.com/pfsense/en/latest/releases/2-4-4-p3-new-features-and-changes.html
Security / Errata
- Changed sshguard to block both ssh and the GUI using a single table, and removed the unnecessary manual scheduled table expiration pfSense-SA-19_02.sshguard #9223
- Fixed potential XSS vectors
  - pfSense-SA-19_01.webgui : Fixed potential XSS vectors in system_advanced_admin.php, interfaces_assign.php, firewall_rules_edit.php, firewall_shaper.php, services_igmpproxy_edit.php, services_ntpd_gps.php and diag_traceroute.php #9294
  - pfSense-SA-19_03.webgui : Fixed potential XSS vector in status_filter_reload.php #9499
  - pfSense-SA-19_04.webgui : Fixed potential XSS vector in the WOL widget #9507
  - pfSense-SA-19_05.webgui : Fixed potential XSS vector in services_acb.php #9508
- Fixed privilege issues
  - pfSense-SA-19_06.webgui : Restrict edit access to OpenVPN-related advanced settings, and added new privilege to delegate edit permissions #9511
  - pfSense-SA-19_07.webgui : Strengthen widget privilege matching to avoid a potential privilege bypass for users granted access to widgets #9512
  - pfSense-SA-19_08.webgui : Strengthen path privilege check to avoid a potential directory-traversal-like bypass method #9513
  - Added privileges for Auto Config Backup pages #9519
  - Updated privileges: Added misc missing pages, removed obsolete pages
- Addressed FreeBSD Security Advisories:
  - FreeBSD-SA-19:03.wpa
  - FreeBSD-SA-19:04.ntp
  - FreeBSD-SA-19:05.pf
  - FreeBSD-SA-19:06.pf
  - FreeBSD-SA-19:07.mds
  - FreeBSD-EN-19:08.tzdata
- Added DNS over TLS host verification #8602
  - Configure hostnames for DNS over TLS servers under System > General
- sqlite updates #9205

Backup / Restore
- Fixed issues with output buffering causing configuration backup download failures #9390
- Fixed automatic package reinstallation after restoring config.xml from the installer #9214
- Force <enableserial> when restoring a backup on a device with serial only console

Certificates
- Added missing countries from CA list on certificate pages #9308
- Fixed an error when adding a new user and choosing to generate a certificate #9317

DNS
- Fixed input validation on diag_dns.php to allow a trailing dot on hostnames #9276
- Removed non-functional tools links from diag_dns.php #9275
- Fixed rewriting of the DNS Resolver file remotecontrol.conf if it is present but empty #9470

Firewall Rules / NAT / Aliases
- Fixed intermittent pf errors when NAT reflection is enabled #9446
- Fixed reserved pf keyword matching when creating and editing aliases #9231
- Fixed duplicate entries showing on diag_tables.php from lockout tables #9359
- Fixed a PHP error deleting an imported NAT rule with no firewall rules present #9193
- Do not show scheduler icon when scheduler tag is empty

Gateways / Routing
- Fixed issues with the default IPv4 gateway set to a group failing after restart #9004

Interfaces
- Fixed PHP error from interface groups when editing QinQ entries

IPsec
- Fixed IPsec Phase 1 entries on upgrade to have their protocol field populated properly #9207

Operating System
- Fixed support for ZFS encrypted+mirrored swap #9281
- Fixed problems saving crash dumps when /var is a RAM disk #9409

Traffic Shaping
- Fixed a PHP error when loading a limiter that does not exist #9313
- Fixed limiter selection validation
- Fixed Queues menu items ending with “:” in certain languages #8970

WebGUI
- Numerous optimizations and improvements for status.php diagnostics output #9290
- Fixed a PHP error on system_advanced_network.php when disabling “IPv6 over IPv4 Tunneling” #9264
- Improved handling of large captures on diag_packet_capture.php and disabled viewing of captures larger than 50MiB. #9239
- Added hostname to login page title if the user has enabled Show hostname on login banner #9096
- Centralized the list of country codes used by multiple areas #9308
- Updated translation files

XMLRPC
- Clarified conditions for synchronizing certificates in HA Sync options #9283
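This release was not originally scheduled to come out yet,
but it appears to have been moved up to address the Intel CPU MDS issue.
As a result, it also includes the fixes for XSS and other vulnerabilities, and the bug fixes, that had been completed at this point.
Update procedure
After backing up the configuration beforehand, run the update with the steps below.
The procedure is the same as usual.
First, either click the cloud icon next to Version on the dashboard
or select System → Update.
Confirm that an update from 2.4.4_2 to 2.4.4_3 is shown, then press "Confirm".
Processing log during the update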
>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
>>> Removing vital flag from lang/php72... done.
>>> Downloading upgrade packages...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (18 candidates): .......... done
Processing candidates (18 candidates): .......... done
The following 18 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
    wpa_supplicant: 2.6_2 -> 2.8 [pfSense]
    unbound: 1.8.1 -> 1.9.1 [pfSense]
    sshguard: 2.2.0_4 -> 2.3.1 [pfSense]
    sqlite3: 3.24.0_1 -> 3.28.0 [pfSense]
    python27: 2.7.15 -> 2.7.16 [pfSense]
    pfSense-rc: 2.4.4_2 -> 2.4.4_3 [pfSense-core]
    pfSense-kernel-pfSense: 2.4.4_2 -> 2.4.4_3 [pfSense-core]
    pfSense-default-config: 2.4.4_2 -> 2.4.4_3 [pfSense-core]
    pfSense-base: 2.4.4_2 -> 2.4.4_3 [pfSense-core]
    pfSense-Status_Monitoring: 1.7.6 -> 1.7.7 [pfSense]
    pfSense: 2.4.4_2 -> 2.4.4_3 [pfSense]
    ntp: 4.2.8p12 -> 4.2.8p13 [pfSense]
    nginx: 1.14.0_6,2 -> 1.14.1,2 [pfSense]
    libzmq4: 4.2.3 -> 4.3.1 [pfSense]
    hostapd: 2.6_2 -> 2.8 [pfSense]
    dhcpleases: 0.3_1 -> 0.3_2 [pfSense]
    devcpu-data: 1.19 -> 1.22 [pfSense]
    curl: 7.62.0 -> 7.64.0 [pfSense]
Number of packages to be upgraded: 18
The process will require 6 MiB more space.
71 MiB to be downloaded.
[1/18] Fetching wpa_supplicant-2.8.txz: .......... done
[2/18] Fetching unbound-1.9.1.txz: .......... done
[3/18] Fetching sshguard-2.3.1.txz: .......... done
[4/18] Fetching sqlite3-3.28.0.txz: .......... done
[5/18] Fetching python27-2.7.16.txz: .......... done
[6/18] Fetching pfSense-rc-2.4.4_3.txz: .. done
[7/18] Fetching pfSense-kernel-pfSense-2.4.4_3.txz: .......... done
[8/18] Fetching pfSense-default-config-2.4.4_3.txz: . done
[9/18] Fetching pfSense-base-2.4.4_3.txz: .......... done
[10/18] Fetching pfSense-Status_Monitoring-1.7.7.txz: ... done
[11/18] Fetching pfSense-2.4.4_3.txz: . done
[12/18] Fetching ntp-4.2.8p13.txz: .......... done
[13/18] Fetching nginx-1.14.1,2.txz: .......... done
[14/18] Fetching libzmq4-4.3.1.txz: .......... done
[15/18] Fetching hostapd-2.8.txz: .......... done
[16/18] Fetching dhcpleases-0.3_2.txz: .. done
[17/18] Fetching devcpu-data-1.22.txz: .......... done
[18/18] Fetching curl-7.64.0.txz: .......... done
Checking integrity... done (0 conflicting)
>>> Upgrading pfSense-rc...
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
    pfSense-rc: 2.4.4_2 -> 2.4.4_3 [pfSense-core]
Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-rc from 2.4.4_2 to 2.4.4_3...
[1/1] Extracting pfSense-rc-2.4.4_3: .... done
>>> Upgrading pfSense kernel...
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
    pfSense-kernel-pfSense: 2.4.4_2 -> 2.4.4_3 [pfSense-core]
Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-kernel-pfSense from 2.4.4_2 to 2.4.4_3...
[1/1] Extracting pfSense-kernel-pfSense-2.4.4_3: .......... done
===> Keeping a copy of current kernel in /boot/kernel.old
>>> Removing unnecessary packages... done.
Upgrade is complete. Rebooting in 10 seconds.
Success
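A saved copy of an update log like the one above can be checked mechanically. The following is an added example, not part of the original post: it parses every "Installed packages to be UPGRADED" plan, compares the number of entries with the declared total, and reports the new version of each watched package. The sample log is a constructed excerpt, and the watchlist (packages paired by name with advisories in the release notes) is an assumption.

```python
import re

# Constructed sample: a shortened excerpt in the format of the update log above.
SAMPLE_LOG = """\
Installed packages to be UPGRADED:
    wpa_supplicant: 2.6_2 -> 2.8 [pfSense]
    sshguard: 2.2.0_4 -> 2.3.1 [pfSense]
    pfSense-rc: 2.4.4_2 -> 2.4.4_3 [pfSense-core]
    ntp: 4.2.8p12 -> 4.2.8p13 [pfSense]
Number of packages to be upgraded: 4
>>> Upgrading pfSense-rc...
Installed packages to be UPGRADED: pfSense-rc: 2.4.4_2 -> 2.4.4_3 [pfSense-core] Number of packages to be upgraded: 1
"""

PLAN = re.compile(r"Installed packages to be UPGRADED:(.*?)"
                  r"Number of packages to be upgraded:\s*(\d+)", re.S)
ENTRY = re.compile(r"(\S+): (\S+) -> (\S+) \[([^\]]+)\]")


def parse_plans(log):
    """Return one dict per upgrade plan: declared count and {name: (old, new, repo)}."""
    plans = []
    for body, declared in PLAN.findall(log):
        pkgs = {name: (old, new, repo) for name, old, new, repo in ENTRY.findall(body)}
        plans.append({"declared": int(declared), "packages": pkgs})
    return plans


def audit(log, watchlist):
    """Check plan counts and report the new version of each watched package."""
    plans = parse_plans(log)
    # A plan whose entry count differs from its declared total was truncated or mis-parsed.
    mismatched = [i for i, p in enumerate(plans) if len(p["packages"]) != p["declared"]]
    merged = {}
    for p in plans:  # later plans repeat pfSense-rc and the kernel; the first entry wins
        for name, info in p["packages"].items():
            merged.setdefault(name, info)
    missing = sorted(set(watchlist) - set(merged))
    versions = {n: merged[n][1] for n in watchlist if n in merged}
    return {"plans": len(plans), "mismatched": mismatched,
            "missing": missing, "versions": versions}


if __name__ == "__main__":
    # Watchlist names are an assumption: packages paired by name with release-note advisories.
    print(audit(SAMPLE_LOG, ["sshguard", "wpa_supplicant", "ntp", "unbound"]))
```

The parser works on both the line-per-entry form and a log that has been flattened onto a single line, since it matches on the plan markers rather than on line breaks.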
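Toward pfSense 2.5
The pfSense 2.4 series, based on FreeBSD 11.2, appears to be nearly at the end of development,
and the developers seem to have already moved on to the pfSense 2.5 series, based on FreeBSD 12.
No release date has been set at this point,
so it looks like it is still some way off.
According to the information announced so far,
the load balancer that has been built in by default is apparently going to be removed,
and using the HAProxy package as a replacement has been announced.
If you are currently using the Load Balancer (relayd), trying the migration to HAProxy when you have time
should save you from scrambling when 2.5 is released.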