pfSense bugtracker: Issues | https://redmine.pfsense.org/ | updated 2023-05-08T19:10:44Z
pfSense - Todo #14359 (New): Reorganize Advanced Options | https://redmine.pfsense.org/issues/14359 | 2023-05-08T19:10:44Z | Jim Pingle
<p>The placement of several options under the various Advanced options tabs doesn't make much sense in current versions. Some are only at their current locations for historical reasons.</p>
<p>Some things should be moved, such as:</p>
<ul>
<li>Cryptographic and Thermal hardware - Split into two separate sections, no compelling reason to combine them these days.</li>
<li>Schedules - Move from Misc to Firewall & NAT tab since it's about killing states based on rule schedules</li>
<li>Gateway Monitoring - Move from Misc to Firewall & NAT tab since it's mostly about firewall states and rules based on gateway events/status.</li>
<li>Load Balancing - Move from Misc to Firewall & NAT tab since it's a pf gateway behavior option, also rename so it's more clear that it is for Multi-WAN.</li>
<li>Reset All States - Move from Networking to Firewall & NAT tab since it's about resetting firewall states</li>
<li>Advanced Options section of Firewall & NAT tab, move to bottom of the page</li>
</ul>
<p>The Firewall & NAT page is getting rather long, however, so it may also be worth considering if that should be split into multiple tabs. For example the gateway bits could go on a Gateways & Multi-WAN tab.</p>
<p>It's all up for debate, but the current layout seems confusing for new users in various ways.</p>
pfSense - Feature #13805 (New): A way to reliably determine if system is the primary or secondary... | https://redmine.pfsense.org/issues/13805 | 2022-12-26T15:29:16Z | Christopher Cope
<p>There is no current way, as far as I can tell, to reliably determine if the current system is the primary or secondary.</p>
<p>A few of the current ways include:</p>
<ul>
<li>If "Synchronize Config to IP" isn't set, it's likely the secondary, but that isn't certain.</li>
<li>Checking the advskew is a good way, but these are sometimes changed, so it isn't 100% either.</li>
</ul>
<p>My thoughts are to add a setting to System > High Avail. Sync for Primary/Secondary.</p>
<p>This would allow behavior specific to that to be implemented, such as:</p>
<ul>
<li>Disabling the ability to toggle CARP maintenance mode on the Secondary, to avoid confusion.</li>
<li>Auto filling advskew when creating new VIPs</li>
<li>etc.</li>
</ul>
<p>I could write the code and submit a merge request for this, but would appreciate any thoughts / comments on anything I may be missing before I do that.</p>
pfSense - Todo #13414 (New): IPsec: Phase 1 Delay advanced option does not include scale or type ... | https://redmine.pfsense.org/issues/13414 | 2022-08-13T18:58:06Z | Pat Jensen
<p>The description for dead peer detection delay does not include the type of timer, or the scale. This makes it difficult to understand, configure or troubleshoot.</p>
<p>It should match the same design language as the Expiration timers listed above it in the Phase 1 configuration.</p>
<p>Setting is currently labeled:<br />Delay between sending peer acknowledgement messages. In IKEv2, a value of 0 sends no additional messages and only standard messages (such as those to rekey) are used to detect dead peers.</p>
<p>Setting should be labeled similarly:<br />Time, in seconds, between sending peer...</p>
pfSense - Todo #13159 (New): Decrease distance between img-buttons in webGUI to eliminate mistake... | https://redmine.pfsense.org/issues/13159 | 2022-05-12T21:15:09Z | Sergei Shablovsky
<p>Hi, dear pfSense Dev Team!</p>
<p>Please decrease the distance between img-buttons in the “Action” column on most webGUI pages to eliminate mistaken entry, especially when pfSense is remotely accessed from an iPad (or any tablet of the same size) or a 15-16-17” notebook, which is what SysAdmins mostly use nowadays.</p>
<p>Because it is so easy to tap on the wrong image-button, the SysAdmin constantly needs to pinch in/pinch out. Very annoying design mistake... Sorry.</p>
pfSense - Feature #12863 (New): dynamically tune sha512crypt rounds | https://redmine.pfsense.org/issues/12863 | 2022-02-24T00:16:27Z | Royce Williams (royce@tycho.org)
<p>As touched on in <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: Suboptimal Password Hashing (Closed)" href="https://redmine.pfsense.org/issues/12800">#12800</a> and <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: GUI option to select the user password hashing algorithm (Resolved)" href="https://redmine.pfsense.org/issues/12855">#12855</a>, sha512crypt's default number of rounds (5000) can be cracked relatively quickly by modern standards. But "fixing" this with a static, arbitrary number of rounds could adversely impact login speed and user experience, depending on platform.</p>
<p>I propose a middle-ground solution: tune the number of rounds based on platform capability to a target runtime. Multiple UX studies have cited 500ms (half a second) as an upper bound for user login delay tolerance.</p>
<p><a href="https://gist.github.com/roycewilliams/09ddd10504d560c02b28049759cd666f" class="external">This reference code</a> detects the number of rounds near 500ms performance, using a simple approach: performing a test hash, and then applying its performance ratio to the rounds count. It then hashes the password with that number of rounds. It abstracts both the sha512crypt hashing and the dynamic rounds tuning into their own functions. It also improves salt entropy in passing, to match bcrypt and scrypt's 128 bits and to match the sha512crypt</p>
<p>The code is overly commented, to explain the reasoning behind various design choices, such as those informed by attack techniques well known in the password-cracking community.</p>
<p>Sample results for a few platforms at 500ms runtimes (I am actively soliciting for additional data points):</p>
<pre>
* AMD Geode LX800 500 MHz (alix2): rounds=11851
* AMD GX-412TC SOC (apu2): rounds=157921
* Intel(R) Celeron(R) CPU N3150 @ 1.60GHz: rounds=209662
* Pentium(R) Dual-Core CPU E5: rounds=568985
* 11th Gen Intel(R) Core(TM) i7-11700K @ 3.60GHz: rounds=1741092
</pre>
<p>Note especially these higher values. A modern CPU can run 1.7 million rounds of sha512crypt in half a second. By contrast, a medium-sized pentest cracking rig (equivalent of 6 GTX 1080s) can do a little over 2 billion rounds in half a second against a single hash (scaling downward across multiple salted hashes).</p>
<p>So while not even a strong hash can protect a single very weak password for long, strengthening these hashes can do a much better job of protecting midrange and stronger ones.</p>
pfSense Docs - New Content #12805 (New): Add documentation about what triggers a notification | https://redmine.pfsense.org/issues/12805 | 2022-02-15T17:10:01Z | Logan Marchione
<p>I just set up notifications in pfSense and can't find any documentation on the page below to show what sort of actions trigger a notification. <br /><a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html">https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html</a></p>
<p>It seems this is a semi-common problem. <br /><a class="external" href="https://www.reddit.com/r/PFSENSE/comments/ar3w9l/pfsense_email_notifications/">https://www.reddit.com/r/PFSENSE/comments/ar3w9l/pfsense_email_notifications/</a> <br /><a class="external" href="https://www.reddit.com/r/PFSENSE/comments/l6lil3/how_to_configure_whatwhen_for_email_notifications/">https://www.reddit.com/r/PFSENSE/comments/l6lil3/how_to_configure_whatwhen_for_email_notifications/</a></p>
<p>Am I missing something, or is this documentation hidden somewhere? Ideally, I'd like a giant list of checkboxes to turn on/off notifications for things, but I'd take just a plaintext list of what will trigger a notification. Right now, I'm searching GitHub to see what triggers <strong>notify_all_remote</strong>.<br /><a class="external" href="https://github.com/pfsense/pfsense/search?q=notify_all_remote">https://github.com/pfsense/pfsense/search?q=notify_all_remote</a></p>
pfSense Docs - New Content #12804 (New): Add documentation for Slack notifications | https://redmine.pfsense.org/issues/12804 | 2022-02-15T16:59:18Z | Logan Marchione
<p>I saw in the issue below that support for notifications via Slack was added to 2.6.0. <br /><a class="external" href="https://redmine.pfsense.org/issues/12291">https://redmine.pfsense.org/issues/12291</a></p>
<p>However, I don't see matching docs on this page. Can these be added? <br /><a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html">https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html</a></p>
pfSense Docs - Todo #12457 (New): Add UPS Configuration Recipes for apcupsd and nut UPS Packages ... | https://redmine.pfsense.org/issues/12457 | 2021-10-14T12:53:43Z | Kris Phillips
<p>A customer requested that we add some basic "how to" recipes to the pfSense docs for basic operations in the apcupsd and nut UPS packages for common brands of UPS units.</p>
<p>This would include configuration examples for the various brands (with a note that some differences may exist by model), some basic automatic start up and shutdown configuration, etc.</p>
pfSense Docs - New Content #12402 (New): Add recipe for configuring Telegram to receive notificat... | https://redmine.pfsense.org/issues/12402 | 2021-09-24T00:46:30Z | Viktor Gurov
<p><strong>Page:</strong> <a class="external" href="https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html">https://docs.netgate.com/pfsense/en/latest/config/advanced-notifications.html</a></p>
<p><strong>Feedback:</strong></p>
<p>How to configure Telegram notifications:</p>
<p>1) Find the bot BotFather<br />
2) Add a new bot with the commands: "/newbot", &lt;botname&gt;, &lt;botusername&gt; (must end in 'bot'), and save the API Token value; see <a class="external" href="https://core.telegram.org/bots#creating-a-new-bot">https://core.telegram.org/bots#creating-a-new-bot</a> and screenshot<br />
3) Create a new private chat and add the new bot to it with the "Post messages" privilege<br />
4) How to get the private chat id:</p>
<p>4.1) First way:<br />
Just send the bot your invite link to your private channel and check it with <a class="external" href="https://api.telegram.org/bot&lt;BOT_TOKEN&gt;/getUpdates">https://api.telegram.org/bot&lt;BOT_TOKEN&gt;/getUpdates</a>:</p>
<pre>
{"ok":true,"result":[{"update_id":191337144,
"my_chat_member":{"chat":{"id":-1001550670765,"title":"myprivatetest","type":"channel"},"from":
</pre>
<p>4.2) Second way:<br />
- You should convert your channel to public with some @channelName<br />
- Send a message to this channel through the Bot API: <a class="external" href="https://api.telegram.org/bot111:222/sendMessage?chat_id=@channelName&text=123">https://api.telegram.org/bot111:222/sendMessage?chat_id=@channelName&text=123</a><br />
- As a response you will get info with the chat_id of your channel:</p>
<pre>
{ "ok" : true, "result" : { "chat" : { "id" : -1001005582487, "title" : "Test Private Channel", "type" : "channel" }, "date" : 1448245538, "message_id" : 7, "text" : "123ds" } }
</pre>
<p>- Now you can convert the Channel back to private (by deleting the channel's link) and send messages directly to this chat_id "-1001005582487"</p>
pfSense - Todo #12025 (New): Add 1:1 Validation to Notify Someone They are 1:1 NAT'ing an Interfa... | https://redmine.pfsense.org/issues/12025 | 2021-06-10T17:34:03Z | Kris Phillips
<p>Although it is VERY rarely necessary, we should add a banner to the top of the 1:1 NAT page notifying end users that they have just 1:1 NAT'ed the WAN interface address and that this is usually not recommended due to connectivity issues for dpinger, IPsec, etc. that may occur. Often we see users 1:1 NAT their WAN address out of lack of experience/understanding. Additionally, it would be useful if there were a way to verify against an HA member or CARP VIP as well, since it can sometimes be easy to forget that your secondary unit is using the 1:1 NAT address you just configured on the primary and pushed to the secondary (which then causes gateway monitoring to fail on that interface).</p>
pfSense - Todo #10199 (New): Improve Spanish translation interface | https://redmine.pfsense.org/issues/10199 | 2020-01-22T09:20:34Z | Aluisco Miguel Ricardo Mastrapa
pfSense Packages - Feature #9141 (New): FRR xmlrpc | https://redmine.pfsense.org/issues/9141 | 2018-11-21T08:22:54Z | Chris Macmahon
<p>FRR seems to be missing the option to sync the config via XMLRPC.</p>
pfSense - Todo #8270 (New): Fix grammatically erroneous repetition | https://redmine.pfsense.org/issues/8270 | 2018-01-10T16:06:23Z | Maxwell Cody
<p>The pfSense web interface has some grammatically incorrect repetition due to, what I suspect to be, a very lackadaisical use of initialisms. You will notice that on at least four different pages, the phrase "IP Protocol" is used to refer to the delineation between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). The grammatical error here is rather simple to notice by simply deconstructing the initialism. By deconstructing the initialism you will see that the deconstructed phrase reads "Internet Protocol Protocol." This is grammatically incorrect.</p>
<p>I've personally come up with two unique and novel solutions to this issue.</p>
<ol>
<li>Change the phrase to read simply "Protocol."</li>
<li>Change the phrase to read "IP Version." (Deconstructing the initialism here may be preferable)</li>
</ol>
<p>Pages affected:</p>
<ul>
<li>status_logs_settings.php</li>
<li>diag_testport.php</li>
<li>diag_traceroute.php</li>
<li>diag_ping.php</li>
</ul>
pfSense - Todo #6727 (New): Missing file apple-touch-icon-precomposed.png ? | https://redmine.pfsense.org/issues/6727 | 2016-08-18T14:10:11Z | Andy Kniveton
<p>I notice this occasionally in my log files after logging in via the web browser:</p>
<pre>
Aug 18 19:50:38 pfsense.localdomain nginx: 2016/08/18 19:50:38 [error] 36942#100114: *10595 open() "/usr/local/www/apple-touch-icon-precomposed.png" failed (2: No such file or directory), client: 172.16.1.20, server: , request: "GET /apple-touch-icon-precomposed.png HTTP/1.1", host: "172.16.1.1"
</pre>
<pre>
[2.3.2-RELEASE][admin@pfsense.localdomain]/root: ls /usr/local/www/apple-touch-icon-precomposed.png
ls: /usr/local/www/apple-touch-icon-precomposed.png: No such file or directory
</pre>
<pre>
[2.3.2-RELEASE][admin@pfsense.localdomain]/root: ls /usr/local/www/*.png
/usr/local/www/apple-touch-icon.png /usr/local/www/logo.png
/usr/local/www/logo-black.png /usr/local/www/pfs-mini.png
[2.3.2-RELEASE][admin@pfsense.localdomain]/root:
</pre>
<p>Maybe it's just worth doing a symbolic link in the next pfSense build.</p>
pfSense - Todo #6647 (New): Enable Additional Security Headers | https://redmine.pfsense.org/issues/6647 | 2016-07-26T20:30:24Z | Chris Buechler (cbuechler@gmail.com)
<p>The nginx instance for the web GUI should enable CSP. Just adding the following works:</p>
<pre>
add_header Content-Security-Policy "default-src 'self';";
</pre>
<p>though I suspect that may break some edge case I'm not thinking of. The captive portal nginx instance shouldn't have that set, as people routinely include external resources that would be broken by that.</p>
<p>Adding upgrade-insecure-requests while there wouldn't hurt either.</p>