pfSense bugtracker: Issueshttps://redmine.pfsense.org/https://redmine.pfsense.org/favicon.ico?16780521162024-02-21T03:23:33ZpfSense bugtracker
Redmine pfSense - Feature #15276 (New): Support JSON content for URL type firewall aliaseshttps://redmine.pfsense.org/issues/152762024-02-21T03:23:33ZSergei Shablovsky
<p>Brilliant pfSense DevTeam!</p>
<p>WHERE<br />In Firewall / Aliases, URLs tab(selector)</p>
<p>CASE<br />JSON need to be allowed in “URL (IPs)” type of firewall aliases, the same as XML and TXT are allowed.</p>
<p>ARGUMENT<br />Nowadays most SaaS and services present their data on JSON and XML more frequently than PLAIN TXT file answer on certain URL.<br />(For example external monitoring services.)</p>
<p>And logically wrong if pfSense user able to entering the XML and PLAIN TXT source in URL (IPs), but no JSON. (And only URL Table (IPs) allow the JSON).</p>
<p>I understand that from the beginning of pfSense’s life exist only 2 types of URL-sources:<br />- small lists<br />- big lists <br />and to eliminate time and resources to keep IPs, the parameter/ability of refresh of big lists was made in WebGUI.</p>
<p>But FROM USERS PERSPECTIVE all 3(JSON, XML and PLAIN TXT) source are the same - certain amount of data, and frustrating when possible to add XML and PLAIN TXT in URL (IPs), but JSON - only in another type, only in URL Table (IPs).</p>
<p>Thank You!</p> pfSense - Feature #15209 (New): Option to specify custom user home directory pathshttps://redmine.pfsense.org/issues/152092024-01-28T17:21:29ZRonald Antonyrcfa+pfsense.org@cubiculum.com
<p>There are plenty of reasons not to have a home directory in /home/username</p>
<p>There should be the option of specifying an alternative home directory</p>
<p>I can fix that from the shell, but that means changes will not be saved as part of the configuration, and things will break with backup/restore, which is VERY BAD.</p>
<p>This is particularly of concern with users with the <code>User - System: Copy files to home directory (chrooted scp)</code> privileges, as they are likely set up to access specific locations to make/retrieve backups, or facilitate the ACME challenge.</p> pfSense - Bug #15162 (Confirmed): Wrong string in “MAC address”https://redmine.pfsense.org/issues/151622024-01-13T23:54:32ZSergei Shablovsky
<p>Hi, brilliant pfSense stuff!</p>
<p>Wrong string in “ <strong>MAC address</strong> ” txt entry field in “ <strong>Services / Wake-on-LAN / Edit</strong> ” when press on “ <strong>+* ” in “ *Actions</strong> ” column in “ <strong>Diagnostics / ARP Table</strong> ” page in WebGUI.</p> pfSense - Feature #15068 (New): Show if an alias is currently in usehttps://redmine.pfsense.org/issues/150682023-12-05T22:36:42ZMarcelo Cury
<p>I would like to check if it is possible to include in a future release the ability to see if an alias is being used in a Firewall rule when checking the aliases page.<br />Perhaps also show the Track ID ? I think this would be a very nice feature to have.</p>
<p>As I see it, it would help a lot to track things, avoid exclusions of aliases that are in use and help to clean up.</p>
<p>Thanks.</p> pfSense - Bug #15067 (Feedback): Secondary node attempts to delete the ``admins`` group when sync...https://redmine.pfsense.org/issues/150672023-12-05T20:40:48ZCraig Coonrad
<p>Version: 23.09-RELEASE</p>
<p>Error message:</p>
<pre>
Dec 5 20:37:30 fw102.local php-fpm[77756]: /xmlrpc.php: The command '/usr/sbin/pw groupdel -g 'admins'' returned exit code '64', the output was 'pw: Bad id 'admins': invalid'
</pre> pfSense - Bug #14936 (Feedback): radvd service shows as stopped in services list when it should b...https://redmine.pfsense.org/issues/149362023-11-01T15:03:21ZJim Pingle
<p>The <code>is_radvd_enabled()</code> function in <code>pfsense-utils.inc</code> appears to incorrectly interpret the state of the radvd service in some cases.</p>
<p>For example I have a system with WAN DHCP6, LAN Track6 to WAN, but on LAN I have DHCPv6 disabled and RA disabled. When configured in this way, the radvd service is shown in the services list, but is listed as stopped. The <code>radvd.conf</code> file only contains the header, which is expected since there are no interfaces with RA enabled.</p> pfSense - Feature #14907 (New): DNS Resolution on Diagnostics > States Summaryhttps://redmine.pfsense.org/issues/149072023-10-22T17:24:02ZWolfgang Thegreat
<p>Hello,</p>
<p>In version 2.7.0, the page of Diagnostics > States Summary shows numeric IPs, which are sometimes hard to understand / remember their meaning, so I ask to have a checkbox at this page to add their matching name next to the numeric IP value - either, as first option, their local pfSense alias name and if non exists, then do a reverse DNS lookup to find their DNS name.</p>
<p>Thank you.</p> pfSense - Feature #14886 (New): Visual improvement to the Gateway widget: display the icon in a c...https://redmine.pfsense.org/issues/148862023-10-16T19:25:35ZPatrik Stahlman
<p>A small tweak to the Gateway widget to display the icon in a color reflecting the status.</p>
<p>Rationale: <br />In my four column setup the status text is not always visible so I can't quickly determine the gateway status without shifting/scrolling the widget to the right. With this change I can see the status in the icon color.</p>
<p>Change:<br />1. move the code that determines the background color before the output of the icon. No change to the code, just a move.<br />2. add the background color to the icon formatting</p> pfSense - Feature #14860 (New): Column consistancy between DHCP Static mapping and ARPhttps://redmine.pfsense.org/issues/148602023-10-10T20:05:01ZJohn Weithman
<p>Just a suggestion that the column IP and MAC be swapped in the table for Diagnostics / ARP. This would be consistant in showing MAC, IP, Hostname (at least these 3 columns) in the same.</p>
<p>I was copy/pasting from both tables to do some comparison and noticed the difference and thought it would be better.</p> pfSense - Bug #14587 (New): Firewall Log Sort By Timehttps://redmine.pfsense.org/issues/145872023-07-18T15:14:08ZBrian Shell
<p>When viewing the System Logs > Firewall, and trying to sort by Time with newest first, it appears the sort is working alphabetically instead of chronologically. For example, this is the order I see when attempting to sort. Don't be concerned about the gaps of time between as this is simply due to to events being logged during those times and that is expected based on the logging I have enabled. Jun 30, Jun 28, Jun 27, Jun 26, Jun 25, Jun 24, Jun 23, Jun 22, Jun 21, Jul 6, Jul 4, Jul 18, Jul 13, Jul 10. Hopefully this will be something reproducible so a developer can see it because it is hard to explain in words. Attaching part of a screenshot so you can see the sorting. You won't see the issue from my screenshot I would have to scroll down and send many pages of screens.</p> pfSense - Feature #13805 (New): A way to reliably determine if system is the primary or secondary...https://redmine.pfsense.org/issues/138052022-12-26T15:29:16ZChristopher Cope
<p>There is no current way, as far as I can tell, to reliably determine if the current system is the primary or secondary.</p>
A few of the current ways include:
<ul>
<li>"Synchronize Config to IP" isn't set it's likely secondary, but isn't certain.</li>
<li>Checking the advskew is a good way, but these are sometimes changed, so it isn't 100% either.</li>
</ul>
<p>My thoughts are to add a setting to System > High Avail. Sync for Primary/Secondary.</p>
This would allow behavior specific to that to be implemented. Such as:
<ul>
<li>Disabling the ability to toggle CARP maintenance mode on the Secondary, to avoid confusion.</li>
<li>Auto filling advskew when creating new VIPs</li>
<li>etc.</li>
</ul>
<p>I could write the code and submit a merge request for this, but would appreciate any thoughts / comments on anything I may be missing before I do that.</p> pfSense - Feature #12863 (New): dynamically tune sha512crypt roundshttps://redmine.pfsense.org/issues/128632022-02-24T00:16:27ZRoyce Williamsroyce@tycho.org
<p>As touched on in <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: Suboptimal Password Hashing (Closed)" href="https://redmine.pfsense.org/issues/12800">#12800</a> and <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: GUI option to select the user password hashing algorithm (Resolved)" href="https://redmine.pfsense.org/issues/12855">#12855</a>, sha512crypt's default number of rounds (5000) can be cracked relatively quickly by modern standards. But "fixing" this with a static, arbitrary number of rounds could adversely impact login speed and user experience, depending on platform.</p>
<p>I propose a middle-ground solution: tune the number of rounds based on platform capability to a target runtime. Multiple UX studies have cited 500ms (half a second) as an upper bound for user login delay tolerance.</p>
<p><a href="https://gist.github.com/roycewilliams/09ddd10504d560c02b28049759cd666f" class="external">This reference code</a> detects the number of rounds near 500ms performance, using a simple approach: performing a test hash, and then applying its performance ratio to the rounds count. It then hashes the password with that number of rounds. It abstracts both the sha512crypt hashing and the dynamic rounds tuning into their own functions. It also improves salt entropy in passing, to match bcrypt and scrypt's 128 bits and to match the sha512crypt</p>
<p>The code is overly commented, to explain the reasoning behind various design choices, such as those informed by attack techniques well known in the password-cracking community.</p>
<p>Sample results for a few platforms at 500ms runtimes (I am actively soliciting for additional data points):</p>
<pre>
* AMD Geode LX800 500 MHz (alix2): rounds=11851
* AMD GX-412TC SOC (apu2): rounds=157921
* Intel(R) Celeron(R) CPU N3150 @ 1.60GHz: rounds=209662
* Pentium(R) Dual-Core CPU E5: rounds=568985
* 11th Gen Intel(R) Core(TM) i7-11700K @ 3.60GHz: rounds=1741092
</pre>
<p>Note especially these higher values. A modern CPU can run 1.7 million rounds of sha512crypt in half a second. By contrast, a medium-sized pentest cracking rig (equivalent of 6 GTX 1080s) can do a little over 2 billion rounds in half a second against a single hash (scaling downward across multiple salted hashes).</p>
<p>So while not even a strong hash can protect a single very weak password for long, strengthening these hashes can do a much better job of protecting midrange and stronger ones.</p> pfSense - Todo #10199 (New): Improve Spanish translation interfacehttps://redmine.pfsense.org/issues/101992020-01-22T09:20:34ZAluisco Miguel Ricardo MastrapapfSense - Todo #6727 (New): Missing file apple-touch-icon-precomposed.png ?https://redmine.pfsense.org/issues/67272016-08-18T14:10:11ZAndy Kniveton
<p>I notice this occasionally in my log files after logging in via the web browser :-</p>
<p>Aug 18 19:50:38 pfsense.localdomain nginx: 2016/08/18 19:50:38 [error] 36942#100114: *10595 open() "/usr/local/www/apple-touch-icon-precomposed.png" failed (2: No such file or directory), client: 172.16.1.20, server: , request: "GET /apple-touch-icon-precomposed.png HTTP/1.1", host: "172.16.1.1"</p>
<p>[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root: ls /usr/local/www/apple-touch-icon-precomposed.png<br />ls: /usr/local/www/apple-touch-icon-precomposed.png: No such file or directory</p>
<p>[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root: ls /usr/local/www/*.png<br />/usr/local/www/apple-touch-icon.png/usr/local/www/logo.png<br />/usr/local/www/logo-black.png /usr/local/www/pfs-mini.png<br />[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root:</p>
<p>Maybe its just worth doing a symbolic link in the next pfSense build.</p> pfSense - Bug #4298 (Assigned): Excessive errors from snmpdhttps://redmine.pfsense.org/issues/42982015-01-26T04:32:43ZHolger Hampel
<p>When accessing snmp from a montitoring system I get many, many errors (logged in the central syslog):</p>
<p>snmpd<sup><a href="#fn95772">95772</a></sup>: could not encode error response</p>
<p>I tried to disable some mibs, but there is no change.</p>
<p>Same monitoring worked in 2.1.5</p>