Netgate released two minor updates to its firewall and VPN appliance software this week. Both pfSense CE 2.7.2 and pfSense Plus 23.09.1 are dot releases that focus on fixing ZFS issues. While many may not think of ZFS when they think of pfSense, these are still issues that need to be addressed.
pfSense CE 2.7.2 and pfSense Plus 23.09.1 Released to Fix ZFS
The key fixes in pfSense CE 2.7.2 and pfSense Plus 23.09.1 are:
- ZFS block cloning issue bugfix (not enabled in pfSense currently)
- ZFS reporting holes in sparse files bugfix
- ZFS high CPU utilization bugfix
- Address a security advisory for a potential TCP denial of service (DoS) attack from spoofed RST packets
- Update OpenVPN to version 2.6.8
- Update strongSwan to address a potential buffer overflow issue
- Fix bugs in the fallback implementation of AES-GCM
- And more
(Source: Netgate)
You can find more info about what has been fixed in the release notes for pfSense Plus 23.09.1 and pfSense CE 2.7.2. There are a handful of other bugfixes in the release notes that we did not cover.
Final Words
If you were looking for a major feature upgrade, this is not the release. Our best sense is that enough of these issues cropped up in the installed base to make a dot release fix necessary.
As always, if you are experiencing issues with something that has been fixed, it may be a good idea to update immediately. For others with less pressing needs, we might suggest checking the forums over the next few days to see if anything else crops up as part of the release before upgrading. Remember to make backups of your pfSense configuration before upgrading, as that is usually a critically important step if you ever have to fix an update gone wrong. For those with virtualized pfSense images, snapshots and backups are your friends. We have recovered from a number of failed upgrades over the years with snapshots and backups, so it is a good practice.
In my opinion, the ZFS bugs were super important, as the main reason people use that filesystem is to ensure data integrity. In particular, a bug that sometimes causes data corruption, and recently more so due to other changes, needs to be addressed quickly.
Credit goes to pfSense for having the sense to understand the issues and issue an update in a timely fashion.
Why does a firewall need a ZFS filesystem?