pfSense bugtracker: Issues
https://redmine.pfsense.org/
Feed updated 2023-04-30T23:55:28Z

pfSense Plus - Bug #14329 (New): DDNS IPv6 update PHP error
https://redmine.pfsense.org/issues/14329
2023-04-30T23:55:28Z, Ryan Haraschak
<p>Dynamic DNS updates to DigitalOcean for IPv6 fail with a PHP error. This error appears in both the GUI's crash report banner, and in the browser if a forced update is invoked.<br />DigitalOcean IPv4 (same API key) appears to be successful.</p>
<p>Firmware and all packages on latest version.</p>
<pre>
Crash report begins. Anonymous machine information:
amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT #0 plus-RELENG_23_01-n256037-6e914874a5e: Fri Feb 10 20:30:29 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/obj/amd64/VDZvZksF/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBS
Crash report details:
PHP Errors:
[28-Apr-2023 01:01:00 Asia/Tokyo] PHP Fatal error: Uncaught Error: Attempt to assign property "domain_records" on null in /etc/inc/dyndns.class:1425
Stack trace:
#0 /etc/inc/dyndns.class(479): updatedns->_update()
#1 /etc/inc/services.inc(2355): updatedns->__construct('digitalocean-v6', '[redacted hostname]', '[redacted domain]', '', '[redacted key]', false, false, '', 'opt4', NULL, NULL, NULL, '', NULL, '', '3600', '', 'opt4', '', '0', false, false, false, NULL)
#2 /etc/inc/services.inc(2407): services_dyndns_configure_client(Array)
#3 /etc/rc.dyndns.update(40): services_dyndns_configure()
#4 {main}
thrown in /etc/inc/dyndns.class on line 1425
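</pre>

As an added illustration (not pfSense code, and not a reproduction of the logic at dyndns.class:1425), the PHP snippet below shows the mechanism behind the fatal error in the crash report: since PHP 8.0, assigning a property on null throws an Error instead of silently creating an object, and json_decode() returns null for an empty, malformed or literal-null response body. The response bodies, the error-envelope shape and the function names are constructed for this example; whether the real failure was an empty body, an API error reply or something else is not established by the report.

```php
<?php
// Added example (not pfSense code): why PHP 8 throws
// 'Attempt to assign property "domain_records" on null', and how to guard a
// JSON API reply before using it. Response bodies below are constructed; the
// DigitalOcean error-envelope shape {"id":..., "message":...} is assumed.
declare(strict_types=1);

/**
 * Naive handling. json_decode() returns null on an empty body, on malformed
 * JSON and on the JSON literal null; assigning a property on that null throws
 * Error in PHP 8, which is what surfaces as the "PHP Fatal error" in a crash
 * report when nothing catches it.
 */
function naive_handle(string $body): object
{
    $json = json_decode($body);
    $json->domain_records = [];   // Error when $json is null
    return $json;
}

/**
 * Defensive handling: decode to an array, fail loudly on bad JSON, reject a
 * non-object reply, surface an API error envelope, and require the field we
 * are about to use. Each failure is a catchable exception that names its cause.
 */
function safe_handle(string $body): array
{
    $data = json_decode($body, true, 16, JSON_THROW_ON_ERROR); // JsonException on bad JSON
    if (!is_array($data)) {
        throw new UnexpectedValueException('API reply is not a JSON object: ' . var_export($data, true));
    }
    if (isset($data['id'], $data['message'])) {
        // Assumed error-envelope shape, constructed for this example
        throw new RuntimeException(sprintf('API error %s: %s', $data['id'], $data['message']));
    }
    if (!isset($data['domain_records']) || !is_array($data['domain_records'])) {
        throw new UnexpectedValueException('API reply lacks a "domain_records" array');
    }
    return $data['domain_records'];
}

// Constructed sample replies: one good, three that a DDNS client can meet in practice.
$cases = [
    'ok'        => '{"domain_records":[{"id":1,"type":"AAAA","name":"host","data":"2001:db8::1"}]}',
    'empty'     => '',      // e.g. TLS failure or empty body from the transport layer
    'json null' => 'null',
    'api error' => '{"id":"unauthorized","message":"Unable to authenticate you"}',
];

foreach ($cases as $label => $body) {
    try {
        naive_handle($body);
        echo "naive [$label]: ok\n";
    } catch (Throwable $e) {
        echo "naive [$label]: " . get_class($e) . ': ' . $e->getMessage() . "\n";
    }
    try {
        $records = safe_handle($body);
        echo "safe  [$label]: " . count($records) . " record(s)\n";
    } catch (Throwable $e) {
        echo "safe  [$label]: " . get_class($e) . ': ' . $e->getMessage() . "\n";
    }
}
```

Run it with `php example.php`. For the "empty" and "json null" bodies the naive path throws the same Error class and message text as the crash report (caught here only so the loop can print it), while the guarded path reports a JsonException or UnexpectedValueException that says what was actually wrong with the reply; the "api error" body passes the naive path silently and is only flagged by the guarded one.
<pre>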
</pre>

pfSense - Feature #9293 (New): Provide WebUI message (banner) prior to login
https://redmine.pfsense.org/issues/9293
2019-01-29T06:18:56Z, Ryan Haraschak
<p>While trying to deploy in govt environments, they have security guidelines (STIGs) we're required to follow. Some, as trivial as they seem, include displaying banners before logging in. I've been able to modify the HTML/PHP to meet this requirement, however, as expected, the changes are lost after an update.</p>
<p>Would it be possible to add a text entry field on the general settings page that provides a persistent webui login banner?</p>
<p>Here's an example from the <a href="https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2018-03-01/finding/V-38593" class="external">DoD RHEL STIGs</a>:</p>
<pre>
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
</pre>

pfSense - Bug #8510 (Duplicate): Loopback virtual IP does not survive a reboot.
https://redmine.pfsense.org/issues/8510
2018-05-13T06:20:16Z, Ryan Haraschak
Impact:
<ul>
<li>Monitoring and remote administration via loopback virtual IP is broken after a reboot. With services like NRPE & NET-SNMP bound to this IP, they fail to start until the recovery steps are performed.</li>
</ul>
Expected:
<ul>
<li>IP Alias survives reboot, assigned prior to start of packages.</li>
</ul>
Steps to reproduce:
<ul>
<li>Navigate to firewall_virtual_ip.php</li>
<li>Create new IP Alias type on Localhost, Single address, /32</li>
<li>Click Save, Apply Changes</li>
</ul>
Steps to recover:
<ul>
<li>Navigate to firewall_virtual_ip.php</li>
<li>Edit existing Loopback virtual IP</li>
<li>Click Save, Apply Changes</li>
</ul>
Additional info:
<ul>
<li>Also affects SG-1000</li>
<li>Using dynamic routing and multiple paths to the firewalls, binding NRPE and SNMP to physical or VPN interfaces would not guarantee a connection. Rather, using a loopback interface, accessible by multiple paths (BGP, OSPF, etc...), would remain up when physical or VPN interfaces are down.</li>
</ul>

pfSense - Bug #7038 (Resolved): SG-1000 Quagga zebra service fails to start with signal 6 abort
https://redmine.pfsense.org/issues/7038
2016-12-25T22:24:11Z, Ryan Haraschak
<p>Quagga_OSPF 0.6.16 package installed from package manager. Using config pasted below (raw, not assisted). OSPFd service starts, zebra service does not.</p>
<p>Performed reinstall:<br /><pre>
Installed packages to be REINSTALLED:
pfSense-pkg-Quagga_OSPF-0.6.16 [pfSense]
Number of packages to be reinstalled: 1
[1/1] Reinstalling pfSense-pkg-Quagga_OSPF-0.6.16...
[1/1] Extracting pfSense-pkg-Quagga_OSPF-0.6.16: .......... done
Removing Quagga_OSPF components...
Menu items... done.
Services... done.
Loading package instructions...
Saving updated package information...
overwrite!
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Executing custom_php_resync_config_command()...done.
Menu items... done.
Services... done.
Writing configuration... done.
>>> Cleaning up cache... done.
Success
</pre></p>
<p>Affected System's OS:<br /><pre>
2.4.0-BETA (arm)
built on Sat Dec 24 01:15:14 CST 2016
FreeBSD 11.0-RELEASE-p5
</pre></p>
<p>Running zebra from command line:<br /><pre>
# zebra -f /var/etc/quagga/zebra.conf
Abort
</pre></p>
<p>OSPF config:<br /><pre>
password <redacted>
log syslog
interface ovpnc1
ip ospf network broadcast
ip ospf cost 10
ip ospf authentication-key <redacted>
interface ovpnc2
ip ospf network broadcast
ip ospf cost 10
ip ospf authentication-key <redacted>
interface cpsw1
router ospf
ospf router-id 10.8.8.1
passive-interface cpsw1
network 10.8.8.0/27 area 0.0.0.0
network 10.8.8.32/27 area 0.0.0.0
network 192.168.1.0/24 area 0.0.0.0
area 0.0.0.0 authentication
</pre></p>
<p>Zebra config:<br /><pre>
password <redacted>
log syslog
</pre></p>
Additional packages:
<ul>
<li>None</li>
</ul>
Interfaces:
<ul>
<li>2x OpenVPN clients</li>
<li>2x CPSW</li>
</ul>
<p>Last known working configuration (different hardware):<br /><pre>
2.3.2-RELEASE-p1 (amd64)
built on Tue Sep 27 12:13:07 CDT 2016
FreeBSD 10.3-RELEASE-p9
</pre></p>

pfSense - Feature #4165 (Rejected): Allow for security zones when defining interfaces and firewal...
https://redmine.pfsense.org/issues/4165
2014-12-31T00:24:34Z, Ryan Haraschak
<p>I have experience using CheckPoint and PaloAlto appliances with "zone" features. This allows you to group networks/interfaces into security zones. These zones can be trusted, untrusted, vpn, etc... Instead of needing to block all additional trusted zones from your DMZ network when your intent is to allow traffic to the internet only, you can set the destination zone in the rule to "external" or "untrusted", resulting in the same policy but with a single rule. This makes policy creation and management much simpler while ensuring tight security and intended behavior. I know pfSense allows you to group interfaces and manage them in one common rule set, but the idea of zones is different and quickly being adopted across the industry. It closes up leaks that are commonly overlooked.</p>