Download pfSense 2.4.3

Version 2.4.3 of pfSense has been released. This package is based on the FreeBSD operating system and focuses on router and firewall tasks. It started in 2004 as a fork of m0n0wall due to differing views among the developers and over the years has grown into a router and firewall package that can be deployed in both small and very large environments. For more information, please refer to this page. The highlights for this release are as follows:

Highlights

This release includes several important security patches:

• Kernel PTI mitigations for Meltdown (optional tunable) FreeBSD-SA-18:03.speculative_execution.asc
• IBRS mitigation for Specter V2 (requires updated CPU microcode) FreeBSD-SA-18:03.speculative_execution.asc
• Fixes for FreeBSD-SA-18:01.ipsec
• Fixed three potential XSS vectors, and two potential CSRF issues
• CSRF protection for all dashboard widgets
• Updated several base system packages to address CVEs

In addition to security fixes, pfSense software version 2.4.3 also includes important bug fixes.

Notable bug fixes in 2.4.3 include:

• Fixed hangs due to Limiters and pfsync in High Availability configurations
• Imported a netstat fix to improve performance and reduce CPU usage, especially on the Dashboard and ARM platforms
• Fixed a memory leak in the pfSense PHP module
• Fixed DHCPv6 lease display for entries that were not parsed properly from the lease database
• Fixed issues on assign_interfaces.php with large numbers of interfaces
• Fixed multiple issues that could result in an invalid ruleset being generated
• Fixed multiple Captive Portal voucher synchronization issues with HA
• Fixed issues with XMLRPC user account synchronization causing GUI inaccessibility on secondary HA nodes
• …and many more!

There are several new features in 2.4.3, some of the more important ones are:

• Changed IPsec Phase 1 to allow selecting both IPv4 and IPv6 so the local side can allow inbound connections to either address family
• Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and DH groups
• Changed SMTP notifications handling so they are batched, to avoid sending multiple e-mail messages in a short amount of time
• Added options to RFC 2136 Dynamic DNS for server key algorithm and to change the source address used to send updates
• Added VLAN priority tagging for DHCPv6 client requests
• Hardware support for the new XG-7100 including C3000 SoC support, C3000 NIC support, and Marvell 88E6190 switch support (Factory installations only)
• …and more!

To see the rest of the changes, and find more detail, see the Release Notes.