pfSense bugtracker: Issues (Redmine) https://redmine.pfsense.org/ 2024-02-21T03:23:33Z
pfSense - Feature #15276 (New): Support JSON content for URL type firewall aliases https://redmine.pfsense.org/issues/15276 2024-02-21T03:23:33Z Sergei Shablovsky
<p>Brilliant pfSense DevTeam!</p>
<p>WHERE<br />In Firewall / Aliases, URLs tab (selector)</p>
<p>CASE<br />JSON needs to be allowed in “URL (IPs)” type firewall aliases, the same as XML and TXT are allowed.</p>
<p>ARGUMENT<br />Nowadays most SaaS and services present their data in JSON and XML more frequently than as a PLAIN TXT file answer at a certain URL.<br />(For example, external monitoring services.)</p>
<p>And it is logically wrong if a pfSense user is able to enter an XML and PLAIN TXT source in URL (IPs), but not JSON. (And only URL Table (IPs) allows JSON.)</p>
<p>I understand that from the beginning of pfSense’s life only 2 types of URL sources have existed:<br />- small lists<br />- big lists <br />and to eliminate time and resources to keep IPs, the parameter/ability to refresh big lists was made in the WebGUI.</p>
<p>But FROM THE USERS' PERSPECTIVE all 3 (JSON, XML and PLAIN TXT) sources are the same - a certain amount of data, and it is frustrating when it is possible to add XML and PLAIN TXT in URL (IPs), but JSON only in another type, only in URL Table (IPs).</p>
<p>Thank You!</p>
pfSense - Feature #15209 (New): Option to specify custom user home directory paths https://redmine.pfsense.org/issues/15209 2024-01-28T17:21:29Z Ronald Antony rcfa+pfsense.org@cubiculum.com
<p>There are plenty of reasons not to have a home directory in /home/username</p>
<p>There should be the option of specifying an alternative home directory</p>
<p>I can fix that from the shell, but that means changes will not be saved as part of the configuration, and things will break with backup/restore, which is VERY BAD.</p>
<p>This is particularly of concern with users with the <code>User - System: Copy files to home directory (chrooted scp)</code> privileges, as they are likely set up to access specific locations to make/retrieve backups, or facilitate the ACME challenge.</p>
pfSense Plus - Feature #15186 (New): Test DNS over TLS https://redmine.pfsense.org/issues/15186 2024-01-24T23:57:32Z Jeff Kuehl
<p>The ability to readily confirm TLS DNS would be established once saved.</p>
pfSense - Bug #15162 (Confirmed): Wrong string in “MAC address” https://redmine.pfsense.org/issues/15162 2024-01-13T23:54:32Z Sergei Shablovsky
<p>Hi, brilliant pfSense stuff!</p>
<p>Wrong string in the “<strong>MAC address</strong>” text entry field in “<strong>Services / Wake-on-LAN / Edit</strong>” when pressing “<strong>+</strong>” in the “<strong>Actions</strong>” column on the “<strong>Diagnostics / ARP Table</strong>” page in the WebGUI.</p>
pfSense Packages - Regression #15159 (Confirmed): XMLRPC Replication Target required even if not ... https://redmine.pfsense.org/issues/15159 2024-01-12T23:40:15Z Steve Y
<p>On page Firewall/pfBlockerNG/Sync if "Sync to configured system backup server" is selected, "XMLRPC Replication Targets" > "Target IP/Hostname" is still a required field.</p>
pfSense - Bug #15067 (Feedback): Secondary node attempts to delete the ``admins`` group when sync... https://redmine.pfsense.org/issues/15067 2023-12-05T20:40:48Z Craig Coonrad
<p>Version: 23.09-RELEASE</p>
<p>Error message:</p>
<pre>
Dec 5 20:37:30 fw102.local php-fpm[77756]: /xmlrpc.php: The command '/usr/sbin/pw groupdel -g 'admins'' returned exit code '64', the output was 'pw: Bad id 'admins': invalid'
</pre>
pfSense Packages - Regression #15064 (Confirmed): Statis menu entry for APCUPSD leads to settings... https://redmine.pfsense.org/issues/15064 2023-12-05T10:50:58Z odo maitre
<p>If you call services/apcupsd in the GUI you get the same result as if you call status/apcupsd. Both times you get the configuration menu (pkg_edit.php?xml=apcupsd.xml). (It should be "apcupsd_status.php" when calling status/apcupsd.)<br />I guess there is something wrong.</p>
pfSense - Bug #14936 (Feedback): radvd service shows as stopped in services list when it should b... https://redmine.pfsense.org/issues/14936 2023-11-01T15:03:21Z Jim Pingle
<p>The <code>is_radvd_enabled()</code> function in <code>pfsense-utils.inc</code> appears to incorrectly interpret the state of the radvd service in some cases.</p>
<p>For example I have a system with WAN DHCP6, LAN Track6 to WAN, but on LAN I have DHCPv6 disabled and RA disabled. When configured in this way, the radvd service is shown in the services list, but is listed as stopped. The <code>radvd.conf</code> file only contains the header, which is expected since there are no interfaces with RA enabled.</p>
pfSense - Feature #13805 (New): A way to reliably determine if system is the primary or secondary... https://redmine.pfsense.org/issues/13805 2022-12-26T15:29:16Z Christopher Cope
<p>There is no current way, as far as I can tell, to reliably determine if the current system is the primary or secondary.</p>
A few of the current ways include:
<ul>
<li>If "Synchronize Config to IP" isn't set it's likely secondary, but that isn't certain.</li>
<li>Checking the advskew is a good way, but these are sometimes changed, so it isn't 100% either.</li>
</ul>
<p>My thoughts are to add a setting to System > High Avail. Sync for Primary/Secondary.</p>
This would allow behavior specific to that to be implemented. Such as:
<ul>
<li>Disabling the ability to toggle CARP maintenance mode on the Secondary, to avoid confusion.</li>
<li>Auto filling advskew when creating new VIPs</li>
<li>etc.</li>
</ul>
<p>I could write the code and submit a merge request for this, but would appreciate any thoughts / comments on anything I may be missing before I do that.</p>
pfSense - Feature #13732 (New): Allow the use of macros within aliases https://redmine.pfsense.org/issues/13732 2022-12-07T11:33:09Z Luc Courville
<p>Because of the limitation of IPv6 in the current way (traffic is allowed between VLANs), I found a solution, but it would be better if we could have more flexibility.</p>
<p>Can you add the option to create an alias with interface net and interface address (drop-down list), the same as when we create rules in the destination drop-down list (ex: This Firewall, any, Alias or host, interface_name net....)?<br />That way when we create an alias we choose Lan net, dmz net....<br />After that we can create any rules with that alias.</p>
<p>Here is my workaround for IPv6 traffic. <br /><img src="https://redmine.pfsense.org/attachments/download/4558/clipboard-202212071225-g4pv3.png" alt="" /><br />I create an interface group and add all local nets. (Dynamic IPv6 from ISP)<br />Then I create all the rules for my needs and it seems to work.</p>
<p>All other tabs are reserved for IPv4 only.</p>
<p>If we can have the alias as requested, the correct rules could be in the interface tab instead of having lots of deny rules.</p>
<p>Best way to have the same behavior as we have in IPv4 (block all communication between VLANs).</p>
pfSense - Feature #12863 (New): dynamically tune sha512crypt rounds https://redmine.pfsense.org/issues/12863 2022-02-24T00:16:27Z Royce Williams royce@tycho.org
<p>As touched on in <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: Suboptimal Password Hashing (Closed)" href="https://redmine.pfsense.org/issues/12800">#12800</a> and <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: GUI option to select the user password hashing algorithm (Resolved)" href="https://redmine.pfsense.org/issues/12855">#12855</a>, sha512crypt's default number of rounds (5000) can be cracked relatively quickly by modern standards. But "fixing" this with a static, arbitrary number of rounds could adversely impact login speed and user experience, depending on platform.</p>
<p>I propose a middle-ground solution: tune the number of rounds based on platform capability to a target runtime. Multiple UX studies have cited 500ms (half a second) as an upper bound for user login delay tolerance.</p>
<p><a href="https://gist.github.com/roycewilliams/09ddd10504d560c02b28049759cd666f" class="external">This reference code</a> detects the number of rounds near 500ms performance, using a simple approach: performing a test hash, and then applying its performance ratio to the rounds count. It then hashes the password with that number of rounds. It abstracts both the sha512crypt hashing and the dynamic rounds tuning into their own functions. It also improves salt entropy in passing, to match bcrypt and scrypt's 128 bits and to match the sha512crypt</p>
<p>The code is overly commented, to explain the reasoning behind various design choices, such as those informed by attack techniques well known in the password-cracking community.</p>
<p>Sample results for a few platforms at 500ms runtimes (I am actively soliciting for additional data points):</p>
<pre>
* AMD Geode LX800 500 MHz (alix2): rounds=11851
* AMD GX-412TC SOC (apu2): rounds=157921
* Intel(R) Celeron(R) CPU N3150 @ 1.60GHz: rounds=209662
* Pentium(R) Dual-Core CPU E5: rounds=568985
* 11th Gen Intel(R) Core(TM) i7-11700K @ 3.60GHz: rounds=1741092
</pre>
<p>Note especially these higher values. A modern CPU can run 1.7 million rounds of sha512crypt in half a second. By contrast, a medium-sized pentest cracking rig (equivalent of 6 GTX 1080s) can do a little over 2 billion rounds in half a second against a single hash (scaling downward across multiple salted hashes).</p>
<p>So while not even a strong hash can protect a single very weak password for long, strengthening these hashes can do a much better job of protecting midrange and stronger ones.</p>
pfSense - Todo #10199 (New): Improve Spanish translation interface https://redmine.pfsense.org/issues/10199 2020-01-22T09:20:34Z Aluisco Miguel Ricardo Mastrapa
pfSense Packages - Feature #9141 (New): FRR xmlrpc https://redmine.pfsense.org/issues/9141 2018-11-21T08:22:54Z Chris Macmahon
<p>FRR seems to be missing the option to sync the config via XMLRPC.</p>
pfSense - Todo #6727 (New): Missing file apple-touch-icon-precomposed.png ? https://redmine.pfsense.org/issues/6727 2016-08-18T14:10:11Z Andy Kniveton
<p>I notice this occasionally in my log files after logging in via the web browser :-</p>
<p>Aug 18 19:50:38 pfsense.localdomain nginx: 2016/08/18 19:50:38 [error] 36942#100114: *10595 open() "/usr/local/www/apple-touch-icon-precomposed.png" failed (2: No such file or directory), client: 172.16.1.20, server: , request: "GET /apple-touch-icon-precomposed.png HTTP/1.1", host: "172.16.1.1"</p>
<p>[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root: ls /usr/local/www/apple-touch-icon-precomposed.png<br />ls: /usr/local/www/apple-touch-icon-precomposed.png: No such file or directory</p>
<p>[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root: ls /usr/local/www/*.png<br />/usr/local/www/apple-touch-icon.png /usr/local/www/logo.png<br />/usr/local/www/logo-black.png /usr/local/www/pfs-mini.png<br />[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root:</p>
<p>Maybe it's just worth doing a symbolic link in the next pfSense build.</p>
pfSense - Bug #4298 (Assigned): Excessive errors from snmpd https://redmine.pfsense.org/issues/4298 2015-01-26T04:32:43Z Holger Hampel
<p>When accessing snmp from a monitoring system I get many, many errors (logged in the central syslog):</p>
<p>snmpd[95772]: could not encode error response</p>
<p>I tried to disable some mibs, but there is no change.</p>
<p>Same monitoring worked in 2.1.5</p>