Updating pfSense from 2.4.4_2 to 2.4.4_3

A record of updating pfSense from 2.4.4_2 to 2.4.4_3

Checking what the update contains

Updating from 2.4.4_2 (2.4.4-p2) to 2.4.4_3 (2.4.4-p3).

The changes are listed here:
https://docs.netgate.com/pfsense/en/latest/releases/2-4-4-p3-new-features-and-changes.html

Security / Errata
  Changed sshguard to block both ssh and the GUI using a single table, and removed the unnecessary manual scheduled table expiration pfSense-SA-19_02.sshguard #9223
  Fixed potential XSS vectors
    pfSense-SA-19_01.webgui : Fixed potential XSS vectors in system_advanced_admin.php, interfaces_assign.php, firewall_rules_edit.php, firewall_shaper.php, services_igmpproxy_edit.php, services_ntpd_gps.php and diag_traceroute.php #9294
    pfSense-SA-19_03.webgui : Fixed potential XSS vector in status_filter_reload.php #9499
    pfSense-SA-19_04.webgui : Fixed potential XSS vector in the WOL widget #9507
    pfSense-SA-19_05.webgui : Fixed potential XSS vector in services_acb.php #9508
  Fixed privilege issues
    pfSense-SA-19_06.webgui : Restrict edit access to OpenVPN-related advanced settings, and added new privilege to delegate edit permissions #9511
    pfSense-SA-19_07.webgui : Strengthen widget privilege matching to avoid a potential privilege bypass for users granted access to widgets #9512
    pfSense-SA-19_08.webgui : Strengthen path privilege check to avoid a potential directory-traversal-like bypass method #9513
    Added privileges for Auto Config Backup pages #9519
    Updated privileges: Added misc missing pages, removed obsolete pages
  Addressed FreeBSD Security Advisories:
    FreeBSD-SA-19:03.wpa
    FreeBSD-SA-19:04.ntp
    FreeBSD-SA-19:05.pf
    FreeBSD-SA-19:06.pf
    FreeBSD-SA-19:07.mds
    FreeBSD-EN-19:08.tzdata
  Added DNS over TLS host verification #8602
    Configure hostnames for DNS over TLS servers under System > General
  sqlite updates #9205
Backup / Restore
  Fixed issues with output buffering causing configuration backup download failures #9390
  Fixed automatic package reinstallation after restoring config.xml from the installer #9214
  Force <enableserial> when restoring a backup on a device with serial only console
Certificates
  Added missing countries from CA list on certificate pages #9308
  Fixed an error when adding a new user and choosing to generate a certificate #9317
DNS
  Fixed input validation on diag_dns.php to allow a trailing dot on hostnames #9276
  Removed non-functional tools links from diag_dns.php #9275
  Fixed rewriting of the DNS Resolver file remotecontrol.conf if it is present but empty #9470
Firewall Rules / NAT / Aliases
  Fixed intermittent pf errors when NAT reflection is enabled #9446
  Fixed reserved pf keyword matching when creating and editing aliases #9231
  Fixed duplicate entries showing on diag_tables.php from lockout tables #9359
  Fixed a PHP error deleting an imported NAT rule with no firewall rules present #9193
  Do not show scheduler icon when scheduler tag is empty
Gateways / Routing
  Fixed issues with the default IPv4 gateway set to a group failing after restart #9004
Interfaces
  Fixed PHP error from interface groups when editing QinQ entries
IPsec
  Fixed IPsec Phase 1 entries on upgrade to have their protocol field populated properly #9207
Operating System
  Fixed support for ZFS encrypted+mirrored swap #9281
  Fixed problems saving crash dumps when /var is a RAM disk #9409
Traffic Shaping
  Fixed a PHP error when loading a limiter that does not exist #9313
  Fixed limiter selection validation
  Fixed Queues menu items ending with “:” in certain languages #8970
WebGUI
  Numerous optimizations and improvements for status.php diagnostics output #9290
  Fixed a PHP error on system_advanced_network.php when disabling “IPv6 over IPv4 Tunneling” #9264
  Improved handling of large captures on diag_packet_capture.php and disabled viewing of captures larger than 50MiB. #9239
  Added hostname to login page title if the user has enabled Show hostname on login banner #9096
  Centralized the list of country codes used by multiple areas #9308
  Updated translation files
XMLRPC
  Clarified conditions for synchronizing certificates in HA Sync options #9283

This release was not originally scheduled to come out yet, but it appears to have been brought forward to address the Intel CPU MDS issue. As a result, it also includes the fixes for vulnerabilities such as the XSS issues, and the bug fixes, that had been completed by this point.

Update procedure

After backing up the configuration beforehand, run the update with the following steps. The procedure is the same as always.

First, click the cloud icon next to Version on the dashboard, or choose System → Update.

Confirm that the page shows an update from 2.4.4_2 to 2.4.4_3, then press "Confirm".

When it completes successfully, a reboot starts automatically.

Finally, back up the configuration while on 2.4.4_3, and you are done.

Processing log during the update

>>> Updating repositories metadata... 
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
>>> Removing vital flag from lang/php72... done.
>>> Downloading upgrade packages... 
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (18 candidates): .......... done
Processing candidates (18 candidates): .......... done
The following 18 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
  wpa_supplicant: 2.6_2 -> 2.8 [pfSense]
  unbound: 1.8.1 -> 1.9.1 [pfSense]
  sshguard: 2.2.0_4 -> 2.3.1 [pfSense]
  sqlite3: 3.24.0_1 -> 3.28.0 [pfSense]
  python27: 2.7.15 -> 2.7.16 [pfSense]
  pfSense-rc: 2.4.4_2 -> 2.4.4_3 [pfSense-core]
  pfSense-kernel-pfSense: 2.4.4_2 -> 2.4.4_3 [pfSense-core]
  pfSense-default-config: 2.4.4_2 -> 2.4.4_3 [pfSense-core]
  pfSense-base: 2.4.4_2 -> 2.4.4_3 [pfSense-core]
  pfSense-Status_Monitoring: 1.7.6 -> 1.7.7 [pfSense]
  pfSense: 2.4.4_2 -> 2.4.4_3 [pfSense]
  ntp: 4.2.8p12 -> 4.2.8p13 [pfSense]
  nginx: 1.14.0_6,2 -> 1.14.1,2 [pfSense]
  libzmq4: 4.2.3 -> 4.3.1 [pfSense]
  hostapd: 2.6_2 -> 2.8 [pfSense]
  dhcpleases: 0.3_1 -> 0.3_2 [pfSense]
  devcpu-data: 1.19 -> 1.22 [pfSense]
  curl: 7.62.0 -> 7.64.0 [pfSense]

Number of packages to be upgraded: 18

The process will require 6 MiB more space.
71 MiB to be downloaded.
[1/18] Fetching wpa_supplicant-2.8.txz: .......... done
[2/18] Fetching unbound-1.9.1.txz: .......... done
[3/18] Fetching sshguard-2.3.1.txz: .......... done
[4/18] Fetching sqlite3-3.28.0.txz: .......... done
[5/18] Fetching python27-2.7.16.txz: .......... done
[6/18] Fetching pfSense-rc-2.4.4_3.txz: .. done
[7/18] Fetching pfSense-kernel-pfSense-2.4.4_3.txz: .......... done
[8/18] Fetching pfSense-default-config-2.4.4_3.txz: . done
[9/18] Fetching pfSense-base-2.4.4_3.txz: .......... done
[10/18] Fetching pfSense-Status_Monitoring-1.7.7.txz: ... done
[11/18] Fetching pfSense-2.4.4_3.txz: . done
[12/18] Fetching ntp-4.2.8p13.txz: .......... done
[13/18] Fetching nginx-1.14.1,2.txz: .......... done
[14/18] Fetching libzmq4-4.3.1.txz: .......... done
[15/18] Fetching hostapd-2.8.txz: .......... done
[16/18] Fetching dhcpleases-0.3_2.txz: .. done
[17/18] Fetching devcpu-data-1.22.txz: .......... done
[18/18] Fetching curl-7.64.0.txz: .......... done
Checking integrity... done (0 conflicting)
>>> Upgrading pfSense-rc... 
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
  pfSense-rc: 2.4.4_2 -> 2.4.4_3 [pfSense-core]

Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-rc from 2.4.4_2 to 2.4.4_3...
[1/1] Extracting pfSense-rc-2.4.4_3: .... done
>>> Upgrading pfSense kernel... 
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
  pfSense-kernel-pfSense: 2.4.4_2 -> 2.4.4_3 [pfSense-core]

Number of packages to be upgraded: 1
[1/1] Upgrading pfSense-kernel-pfSense from 2.4.4_2 to 2.4.4_3...
[1/1] Extracting pfSense-kernel-pfSense-2.4.4_3: .......... done
===> Keeping a copy of current kernel in /boot/kernel.old
>>> Removing unnecessary packages... done.
Upgrade is complete.  Rebooting in 10 seconds.
Success
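As an added example that is not part of the original post, the following Python script parses the "Installed packages to be UPGRADED" block of a saved upgrade log like the one above and checks that the packages related to the advisories in the release notes reached the expected versions. The sample log excerpt and the package-to-advisory mapping are assumptions constructed from the log and release notes on this page.

```python
import re

# Constructed sample: excerpt of the pkg "to be UPGRADED" block from the 2.4.4_2 -> 2.4.4_3 log.
SAMPLE_LOG = """\
Installed packages to be UPGRADED:
  wpa_supplicant: 2.6_2 -> 2.8 [pfSense]
  sshguard: 2.2.0_4 -> 2.3.1 [pfSense]
  pfSense-kernel-pfSense: 2.4.4_2 -> 2.4.4_3 [pfSense-core]
  ntp: 4.2.8p12 -> 4.2.8p13 [pfSense]
  nginx: 1.14.0_6,2 -> 1.14.1,2 [pfSense]
  devcpu-data: 1.19 -> 1.22 [pfSense]

Number of packages to be upgraded: 6
"""

# Package -> (expected new version, advisory it is assumed to relate to); mapping is an assumption.
EXPECTED = {
    "wpa_supplicant": ("2.8", "FreeBSD-SA-19:03.wpa"),
    "ntp": ("4.2.8p13", "FreeBSD-SA-19:04.ntp"),
    "pfSense-kernel-pfSense": ("2.4.4_3", "FreeBSD-SA-19:05.pf/19:06.pf/19:07.mds"),
    "sshguard": ("2.3.1", "pfSense-SA-19_02.sshguard"),
    "devcpu-data": ("1.22", "FreeBSD-SA-19:07.mds (CPU microcode)"),
}

LINE_RE = re.compile(r"^\s+(?P<pkg>[\w.+-]+): (?P<old>\S+) -> (?P<new>\S+) \[(?P<repo>[^\]]+)\]$")

def parse_upgrades(log):
    """Return {package: (old, new, repo)} from every 'to be UPGRADED' block in the log.
    Each entry has the form '  name: old -> new [repo]'; versions may contain '_' and ','."""
    upgrades, in_block = {}, False
    for line in log.splitlines():
        if line.startswith("Installed packages to be UPGRADED:"):
            in_block = True
        elif in_block and (m := LINE_RE.match(line)):
            upgrades[m["pkg"]] = (m["old"], m["new"], m["repo"])
        else:
            in_block = False   # a blank line or the summary line ends the block
    return upgrades

def check_advisory_packages(upgrades, expected=EXPECTED):
    """Return {package: 'ok' | 'missing (...)' | 'unexpected <version> (...)'}."""
    status = {}
    for pkg, (want, advisory) in expected.items():
        if pkg not in upgrades:
            status[pkg] = f"missing ({advisory})"
        elif upgrades[pkg][1] != want:
            status[pkg] = f"unexpected {upgrades[pkg][1]} ({advisory})"
        else:
            status[pkg] = "ok"
    return status
```

Run it on the admin workstation against the log text copied from the update page; any result other than "ok" means the corresponding advisory fix did not land as expected.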

Toward the pfSense 2.5 series

Development of the FreeBSD 11.2-based pfSense 2.4 series seems to be nearly finished, and the developers appear to have already moved on to the FreeBSD 12-based pfSense 2.5 series.

No release date has been set yet, so it looks like it is still some way off.

According to the information announced so far, the load balancer that has been built in as standard up to now is apparently being removed, and the HAProxy package has been announced as its replacement.

If you currently use the Load Balancer (relayd), trying a migration to HAProxy when you have time should save you from scrambling when 2.5 is released.