pfSense bugtracker: Issues | https://redmine.pfsense.org/ | 2024-02-21T03:59:00Z | pfSense bugtracker
pfSense - Todo #15277 (New): Allow mixed source (URL (IPs), URL Table (IPs), Host(s) and Network(... | https://redmine.pfsense.org/issues/15277 | 2024-02-21T03:59:00Z | Sergei Shablovsky
<p>Dear Brilliant pfSense DevTeam!</p>
<p>WHERE<br />in Firewall / Aliases</p>
<p>ARGUMENT <br />From the firewall and user perspective there are two possible aliases:<br />- aliases for ports;<br />- aliases for IPs;<br />and pfSense makes it possible to enter both MANUALLY or AUTOMATICALLY by parsing the source (in PLAIN TXT, XML, JSON) itself.<br />And pfSense has a WebGUI for entering both.</p>
<p>From the user perspective THE ALIASES ARE LOGICAL OBJECTS FOR GROUPING the IPs and ports.</p>
<p>FROM THE USER PERSPECTIVE it would be useful to have mixed sources of one type (for example URL (IPs), URL Table (IPs), Host(s) and Network(s)) IN ONE ALIAS. <br />The same for Port(s), URL Port(s) and URL Table (Ports) - also IN ONE ALIAS.</p>
<p>EXAMPLE<br />Most external monitoring SaaS and servers/appliances manufacturers provide their services in a mixed form: FQDN + fixed IPs + fixed ports. <br />And if for ports it is LOGICALLY RIGHT to aggregate port numbers in ONE ALIAS (for example StatusCake_PORT_MONITORING), for URLs it would also be LOGICALLY RIGHT to aggregate IPs into ONE ALIAS (for example StatusCake_IP_MONITORING).</p>
<p>Page with example <a class="external" href="https://www.statuscake.com/kb/knowledge-base/what-are-your-ips/">https://www.statuscake.com/kb/knowledge-base/what-are-your-ips/</a></p>
<p>Otherwise a pfSense user needs to create 3(three!!!) separate aliases (URL (IPs), URL Table (IPs), Host(s)) for one service and afterwards make + ANOTHER ONE alias for aggregating all 3(three) sources into one to use in pfSense firewall rules…<br />This significantly increases the chance of mistyping/errors in the process of rule configuration.</p>
<p>Thank You so much!</p>
pfSense - Bug #15134 (Incomplete): Post upgrade to 2.7.2 - Change in alias name stops all traffic | https://redmine.pfsense.org/issues/15134 | 2024-01-03T11:03:01Z | Rajko Bogdanovic rajko@itroom-a.com
<p>After installing the last 2.7.2 release, when we edited an Alias name - that rule stopped working, and all traffic was blocked from that point until a full reboot was done. <br />Once rebooted, old nat/access rules are working again using a new alias.</p>
pfSense - Feature #14952 (Pull Request Review): Firewall Alias Import | https://redmine.pfsense.org/issues/14952 | 2023-11-08T05:03:00Z | Adam Di Vizio
<p>Hi There,</p>
<p>When you create a new Alias in PFSENSE, you can click on the import option where it gives you a text box to enter a bulk of IP addresses at a time. However, if you want to add multiple IP subnets or IP addresses to an existing alias, it currently doesn't have that option available in the GUI. The only two options are 1) Export the Alias information manually, edit the text file with the additional subnets, delete the current alias then copy the entire file again and manually create the bulk alias again or 2) manually add each individual IP address or IP subnet to an existing firewall alias.</p>
<p>I would like to see an option available where I can add bulk subnets or IP addresses to an existing alias as it can be beneficial for people like me who use Snort IDS.</p>
<p>Thanks,<br />Adam</p>
pfSense - Bug #14734 (New): Alias FQDN resolving issue results in incomplete tables | https://redmine.pfsense.org/issues/14734 | 2023-08-31T13:59:20Z | Robert Gijsen
<p>In CE 2.7.0, there are still issues when FQDNs are used in aliases. Consider an alias with 3 entries, 2 static IPs and one FQDN, pointing to one of those IPs as well. When the FQDN changes to the other IP, the IP it had initially is gone from the table.</p>
<p>Steps to reproduce:</p>
Create an alias
<ul>
<li>add 1.1.1.1</li>
<li>add 8.8.8.8</li>
<li>add a (public) dns entry you created, pointing to 1.1.1.1, ie pfsensetest.domain.com</li>
<li>monitor the table-entry for the alias, all will be ok</li>
<li>now change the DNS entry for pfsensetest.domain.com from 1.1.1.1 to 8.8.8.8 and wait for it to be replicated and pfSense to pick it up</li>
<li>in my setups, 1.1.1.1 got deleted from the table. So while 8.8.8.8 is in there 'twice' now, and 1.1.1.1 only once statically, it's not there anymore</li>
<li>killing filterdns and reloading filters repopulates the tables correctly it seems.</li>
</ul>
<p>It looks like when the FQDN is resolved, it overrules the static entry if one with the same value exists, and when the FQDN changes, the static entry is not put back into the table. I tailed resolver.log while reproducing the issue, but it made no mention at all of resolving the FQDN to another IP. So I don't know what log to add, or which log to enable verbose logging for.</p>
<p>I consider this high priority, as it has high potential of actually functionally breaking an environment.</p>
pfSense - Feature #14444 (New): Aliases options for custom OS fingerprints? | https://redmine.pfsense.org/issues/14444 | 2023-06-02T14:59:34Z | Jonathan Lee
<p>Idea for new feature, is there a way to add some custom fingerprints? I was able to find one manually but how can I add it? Maybe just for what we use on the network? Example: 200 machines that use the same Windows 11 OS and a system admin adds in that fingerprint for an ACL to pass traffic for only Windows 11. With such options the firewall in theory can block and distinguish between different Operating Systems. Take for example Docker containers with the new bleeding edge container of Kali's pentesting OS, something like that can data marshal the NIC card on a machine. Docker for one does not have the same fingerprints as the primary OS so in theory the firewall would know what traffic to allow and what to stop at an OS level even with the newest Docker containers. It is harder to spoof a custom fingerprint as the invasive actor would not know what is in use, and to just add that in would give users that full security tool back. Thus, Aliases options for OS fingerprints.</p>
<p>running: <strong>p0f -i (interface)</strong></p>
<p>Outputs this example of what would be used with OS aliases: <strong>4:63+1:0:1460:65228,7:mss,nop,ws,sok,ts: :0</strong><br />This is FreeBSD 13.12 on Hypervisor V</p>
<p>The database just needs some updated signatures, the software still works great so the tool and features already built in should work great still.<br />How can I just add in the signatures I need as Aliases and link them to the access control lists?</p>
pfSense - Bug #14313 (Assigned): Unable to create nested URL table aliases | https://redmine.pfsense.org/issues/14313 | 2023-04-26T05:22:32Z | Azamat Khakimyanov
<p>In docs there is a phrase:<br /><em>"URL table aliases can nest other URL table aliases, and URL aliases can nest other URL aliases."</em></p>
<p>I tested it on 23.01 and on 23.05-DEV and I can't create a nested alias with 2 URL table aliases inside:</p>
<p>1. If I tried to create 'Type: Host(s)' alias, I got <br /><em>"The following input errors were detected:<br />The alias(es): urltest1 urltest2 cannot be nested because they are not of the same type."</em></p>
<p>2. If I tried to create 'Type: Network(s)' alias, there was no error but I didn't see this new alias in Diagnostics/Tables</p>
<p>3. If I tried to create 'Type: URL (IPs)' alias, I got <br /><em>"The following input errors were detected:<br />A valid URL or alias must be provided. Could not fetch usable data from 'urltest1'.<br />A valid URL or alias must be provided. Could not fetch usable data from 'urltest2'."</em></p>
<p>4. If I tried to create 'Type: URL Table (IPs)' alias and add one of these URL Table aliases I already created, I got<br /><em>"The following input errors were detected:<br />A valid URL must be provided."</em></p>
<p>5. If I tried to import aliases, I got no errors but I didn't see this new alias in Diagnostics/Tables</p>
pfSense - Feature #14152 (New): Add a way to find where an alias is used in the GUI | https://redmine.pfsense.org/issues/14152 | 2023-03-22T08:19:10Z | Jon Brown
<p>I would like the ability to find where an alias is used via the GUI. I imagine a button next to the other alias option buttons on the alias page or perhaps a modal like when you hover over a firewall rule.</p>
<p>Mechanisms that can help:</p>
<ul>
<li>Download a backup and then search the XML.
<ul>
<li>I have used this. </li>
<li>perhaps the process of creating the backup and then grep the file could be utilised internally in pfSense</li>
</ul>
</li>
<li>when you try and delete an alias that is in use it fails
<ul>
<li>this is because pfSense knows it is in use.</li>
<li>perhaps this mechanism could be utilised to show the usage of the alias</li>
</ul></li>
</ul>
<p>This was originally posted 10 years ago but I think it was closed because a patch was posted but it was for a different issue. <a class="issue tracker-2 status-7 priority-4 priority-default closed" title="Feature: Add a way to find where an alias is used (Needs Patch)" href="https://redmine.pfsense.org/issues/2640">#2640</a></p>
pfSense - Bug #13772 (Confirmed): Changing the alias resolve interval to the default value does n... | https://redmine.pfsense.org/issues/13772 | 2022-12-18T11:52:17Z | Marcos M
<p>Under <code>System / Advanced / Firewall & NAT</code>, if the <code>Aliases Hostnames Resolve Interval</code> option is changed from a custom value to a blank (default) value, <code>filterdns</code> processes are not restarted. Changes to custom values do correctly restart the processes.</p>
pfSense - Bug #13706 (Confirmed): Static routes are not updated when updating a nested alias. | https://redmine.pfsense.org/issues/13706 | 2022-11-28T19:16:13Z | Marcos M
<p>Tested on <code>22.05</code> and <code>23.01.a.20221123.0600</code>.</p>
Setup:
<ul>
<li>Create the network alias <code>a2</code> with a subnet defined.</li>
<li>Create the network alias <code>a1</code> with <code>a2</code> as an entry and an additional subnet.</li>
<li>Add a static route using the alias <code>a1</code>.</li>
</ul>
Issue:
<ul>
<li>Updating <code>a2</code> correctly updates the alias table seen under Diagnostics / Tables, but it does not affect the route table.</li>
<li>Re-saving <code>a1</code> adds a new route with the updated settings, but the old route is not removed.</li>
<li>Removing <code>a2</code> from <code>a1</code> does not delete the routes.</li>
</ul>
pfSense - Feature #12600 (New): allow custom mask for a network alias created from a FQDN | https://redmine.pfsense.org/issues/12600 | 2021-12-15T10:45:07Z | Bob Dig
<p>This is not IPv6 specific:<br />It would be nice if a network alias created from a FQDN could have a mask other than /128 (/32), for instance /64.</p>
<p>That would be especially useful to allow incoming connections from a specific /64, because of privacy extensions that are used in Windows all the time.</p>
<p>Or a /56 could be used where on the other side only the router does DDNS.</p>
pfSense - Feature #12564 (New): add column to show that an Alias is in use by or not | https://redmine.pfsense.org/issues/12564 | 2021-12-04T08:14:01Z | khaled osama
<p>Can you add a column to show whether an Alias is in use or not,<br />and make it clickable to show where it is used?</p>
<p>is it applicable ?</p>
<p>thanks and best regards,</p>
pfSense - Feature #10918 (New): IP Aliases de-duplication | https://redmine.pfsense.org/issues/10918 | 2020-09-20T00:00:19Z | Nima Mohammadi nimamhd@gmail.com
<p>When I add an IP alias with duplicate or identical IP addresses, it will add those IPs without any warning about duplicate entries.</p>
<p>I think it is much better to prevent duplicate IPs in Aliases.</p>
pfSense - Bug #7665 (New): Host range validation for Aliases is not strict enough | https://redmine.pfsense.org/issues/7665 | 2017-06-28T11:41:34Z | Re Load
<p>Steps to reproduce:</p>
<p>1. Enter an invalid host range for an IP alias, such as 192.168.1.1-10, and click Save.</p>
<p>The host range will be accepted, but does not function as one might expect. In fact, the syntax is invalid and only the first host in the range will be matched by this alias.</p>
<p>Desired behaviour:</p>
<p>The host range should be rejected by the form validation. The correct syntax for the example above would be 192.168.1.1-192.168.1.10</p>
pfSense - Feature #3387 (New): process_alias_urltable Frequency | https://redmine.pfsense.org/issues/3387 | 2014-01-06T11:35:18Z | Shawn Bruce kantlivelong@gmail.com
<p>Currently the urltable design only allows for updates on a daily interval and is processed via crontab every 12 hours. It would be more beneficial to allow the user to decide on the update frequency in minutes instead.</p>
<p>Proposed changes:<br />1.) Change the frequency from a dropdown to a text field.<br />2.) Change current crontab to:<br /><code>* * * * * root /usr/bin/nice -n20 /etc/rc.update_urltables</code><br />3.) Change process_alias_urltable() to use 60 instead of 86400 seconds (after pending merge <a class="external" href="https://github.com/pfsense/pfsense/pull/876">https://github.com/pfsense/pfsense/pull/876</a>)</p>
pfSense - Feature #1979 (New): Add some default read-only system aliases | https://redmine.pfsense.org/issues/1979 | 2011-10-25T13:42:20Z | Jim Pingle
<p>It would be useful to have some stock aliases that come by default which are not editable by users. These aliases would be somewhat of an extension to the choices we already have for things like "xxx Subnet" and "xxx Address".</p>
Some ideas:
<ul>
<li>Local Networks</li>
<li>ipv4_private (or perhaps rfc1918) - 192.168.0.0/16, 10.0.0.0/8, and 172.16.0.0/12</li>
<li>ipv6_linklocal - fe80::/10</li>
<li>ipv6_private - fc00::/7</li>
<li>ipv6_multicast - ff00::/8</li>
</ul>
<p>Having those available would save users from having to look them up, hardcode them, or make their own aliases for the same values on every system.</p>