We are excited to announce the release of pfSense® software version 2.4.3, now available for new installations and upgrades!

pfSense software version 2.4.3 brings security patches, several new features, support for new Netgate hardware models, and stability fixes for issues present in previous pfSense 2.4.x branch releases.

pfSense 2.4.3-RELEASE updates and installation images are available now!

Highlights

This release includes several important security patches:

Kernel PTI mitigations for Meltdown (optional tunable) FreeBSD-SA-18:03.speculative_execution.asc

IBRS mitigation for Spectre V2 (requires updated CPU microcode) FreeBSD-SA-18:03.speculative_execution.asc

Fixes for FreeBSD-SA-18:01.ipsec

Fixed three potential XSS vectors, and two potential CSRF issues

CSRF protection for all dashboard widgets

Updated several base system packages to address CVEs

In addition to security fixes, pfSense software version 2.4.3 also includes important bug fixes.

Notable bug fixes in 2.4.3 include:

Fixed hangs due to Limiters and pfsync in High Availability configurations

Imported a netstat fix to improve performance and reduce CPU usage, especially on the Dashboard and ARM platforms

fix to improve performance and reduce CPU usage, especially on the Dashboard and ARM platforms Fixed a memory leak in the pfSense PHP module

Fixed DHCPv6 lease display for entries that were not parsed properly from the lease database

Fixed issues on assign_interfaces.php with large numbers of interfaces

Fixed multiple issues that could result in an invalid ruleset being generated

Fixed multiple Captive Portal voucher synchronization issues with HA

Fixed issues with XMLRPC user account synchronization causing GUI inaccessibility on secondary HA nodes

… and many more!

There are several new features in 2.4.3, some of the more important ones are:

Changed IPsec Phase 1 to allow selecting both IPv4 and IPv6 so the local side can allow inbound connections to either address family

Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and DH groups

Changed SMTP notifications handling so they are batched, to avoid sending multiple e-mail messages in a short amount of time

Added options to RFC 2136 Dynamic DNS for server key algorithm and to change the source address used to send updates

Added VLAN priority tagging for DHCPv6 client requests

Hardware support for the new XG-7100 including C3000 SoC support, C3000 NIC support, and Marvell 88E6190 switch support (Factory installations only)

… and more!

To see the rest of the changes, and find more detail, see the Release Notes.

Important Information about Upgrading and Installing pfSense software version 2.4.0 and later

If you have not yet upgraded to pfSense version 2.4.0 or later, read the information in the 2.4.0 Release Announcement before updating for important information that may impact the ability of a firewall to upgrade to pfSense version 2.4.x.

If either by choice or by hardware limitations a firewall cannot be upgraded to pfSense 2.4.x, see the pfSense 2.3.5-RELEASE announcement for information on obtaining the latest 2.3.x release.

Reporting Issues

This release is ready for a production use. Should any issues come up with pfSense 2.4.3-RELEASE, please post about them on the the forum, the mailing list, or on the /r/pfSense subreddit.

Thanks!

pfSense software is Open Source

For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub:

Main repository - the web GUI, back end configuration code, and build tools.

FreeBSD source - the source code, with patches of the FreeBSD base.

FreeBSD ports - the FreeBSD ports used.

Download

Downloads for New Installs

Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.

Supporting the Project

Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.