pfSense bugtracker: Issues
https://redmine.pfsense.org/
Updated: 2013-06-21T11:54:10Z

pfSense - Feature #3053 (New): Automatically add DHCP static addresses to CP passthru-mac
https://redmine.pfsense.org/issues/3053
2013-06-21T11:54:10Z
Wendell Borges (perlporter@gmail.com)
<p>Add a new option to Captive Portal to automatically add static addresses configured on the DHCP server to the list of passthru-mac.</p>

pfSense - Feature #2965 (New): Mac Firewalling
https://redmine.pfsense.org/issues/2965
2013-04-24T11:40:54Z
SilentT and that's it (clemthe19240@gmail.com)
<p>Is it possible to Allow/Deny a MAC address like</p>
<p>Deny MACsrc 00:90:f5:cd:ab:1d (PC) to MACDest 00:90:f5:cd:ab:1b (pfSense - Router)</p>
<p>to block a MAC address from communicating with pfSense and block its access to the internet?</p>
<p>In <a class="external" href="http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&manpath=FreeBSD+8.3-stable&arch=default&format=html">http://www.freebsd.org/cgi/man.cgi?query=ipfw&apropos=0&sektion=0&manpath=FreeBSD+8.3-stable&arch=default&format=html</a><br />the man page of FreeBSD 8.3 (the OS version used with pfSense 2.1),</p>
<p>this feature for MAC addresses is available:</p>
<p>"{ MAC | mac } dst-mac src-mac<br /> Match packets with a given dst-mac and src-mac addresses, specified as the any keyword (matching any MAC address), or six groups of hex digits separated by colons, and optionally followed by a mask indicating the significant bits."</p>
<p>I have executed the command in the shell and it works!<br />It's a good feature.</p>
<p>I understand that traffic between LAN machines never goes through pfSense because the switch handles it. But to block a MAC or MAC address range from leaving the network via the WAN, to block internet access, it would be great.</p>
<p>Implement it in the pfSense GUI in a tab "Block specified MAC address to WAN", or in the firewall rules.</p>

pfSense - Feature #2693 (New): Allow mapping non-physical interfaces via console
https://redmine.pfsense.org/issues/2693
2012-11-27T09:52:56Z
Mathieu Simon (freebsd@simweb.ch)
<p>Creating virtual interfaces via console, like LAGG, is another issue; that's currently only possible via the GUI.</p>
<p>The issue is that one cannot re-map a lagg to the WAN, LAN or OPTx interface right now.</p>
<p>The "problem" is that etc/inc/config.console.inc populates $iflist using the default assumptions<br />of get_interface_list() (in etc/inc/util.inc).</p>
<p>If not specified, get_interface_list assumes a $vfaces array with all non-physical devices, including lagg.</p>
<p>I've figured out a (possible) way to allow a larger choice without too heavy a modification: instead of using the default assumption of this function,<br />determine which device types would be helpful or not.</p>
<pre>
diff --git a/etc/inc/config.console.inc b/etc/inc/config.console.inc
index fed3948..aad1c21 100644
--- a/etc/inc/config.console.inc
+++ b/etc/inc/config.console.inc
@@ -63,7 +63,28 @@ function set_networking_interfaces_ports() {
echo "\n";
}
- $iflist = get_interface_list();
+ $notmapablefaces = array (
+ 'ppp',
+ 'pppoe',
+ 'pptp',
+ 'l2tp',
+ 'sl',
+ 'gif',
+ 'gre',
+ 'faith',
+ 'lo',
+ 'ng',
+ 'pflog',
+ 'plip',
+ 'pfsync',
+ 'enc',
+ 'tun',
+ 'carp',
+ 'vip',
+ 'ipfw'
+ );
+
+ $iflist = get_interface_list(null, null, $notmapablefaces);
/* Function flow is based on $key and $auto_assign or the lack thereof */
$key = null;
</pre>
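<p>Review bot: the hard-coded $notmapablefaces array in the hunk re-lists what the description says is get_interface_list()'s default $vfaces set minus lagg and bridge, so the two lists will drift apart whenever util.inc learns a new virtual device type; consider deriving the exclusion list from the default (or adding an exclusion parameter to get_interface_list) rather than duplicating it, and add a code comment stating that lagg and bridge are intentionally left out so the next reader knows the omission is the point of the change. The call <code>$iflist = get_interface_list(null, null, $notmapablefaces);</code> also passes two bare nulls whose meaning is not visible in the hunk; a short comment naming those two parameters would help. Minor: the variable name reads better as $notmappablefaces (two p's).</p>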
<p>This example would allow mapping laggs and bridges.<br />If you are interested in such a modification, let me know and I can prepare a pull request.</p>

pfSense - Feature #2545 (New): CaptivePortal: Custom "Re-authenticate every x minutes"
https://redmine.pfsense.org/issues/2545
2012-07-08T17:21:57Z
Alexander Wilken (achtfalkeaw@web.de)
<p>"Re-Authentication every 1 minute" on CP seems to be a very short time. Other vendors (Cisco) allow re-authentication intervals of at least 3600 seconds or more. With many users connected to CP/RADIUS, a re-auth every minute could cause high load on the RADIUS server, so the possibility of setting a custom value on CP would help solve this problem.</p>

pfSense - Feature #2443 (New): Automatically start 3G usb interfaces upon plugin
https://redmine.pfsense.org/issues/2443
2012-05-20T17:37:36Z
Seth Mos (seth.mos@dds.nl)
<p>And cleanup the old LCK files from /var/spool/lock/LCK..cuaU0.0</p>
<p>devd should be able to do this for us. It says it can act on all sorts of things.</p>

pfSense - Feature #2410 (New): Support name based aliasing via CNAMEs or some other mechanism.
https://redmine.pfsense.org/issues/2410
2012-05-03T12:55:03Z
allen landsidel (landsidel.allen@gmail.com)
<p>Resubmission of feature request 129 from 1.2.2</p>
<p>I would like to request that this feature be reconsidered. Regardless of what DJB may think, there are good reasons to use CNAMEs (or some other form of hostname aliasing).</p>
<p>In our network we have a single intranet server, intranet01. It gets its address from DHCP; in fact, everything on the LAN side of the network gets its address from DHCP, be it static or dynamic. Services hosted by intranet01 have their own hostnames that are accessed via apache named virtual hosting, such as cacti, nagios, svn, and so on. Presently the only way to create these named aliases in pfsense is by IP address, which means the address must (realistically) be static, and moving the host to a new address or subnet is tedious and error-prone.</p>
<p>Ideally the IP address for a server should only be entered once or never, and aliases used everywhere else, so the address can be changed quickly, easily, and safely.</p>
<p>This problem was demonstrated (somewhat catastrophically) today when we moved DHCP into a different network range, and were left with many invalid and non-working aliases throughout the system that had been created referencing the IP address of a DHCP client; in the aftermath we found that we could not fix these by changing the address to the server name.</p>

pfSense - Bug #2367 (New): display negate rules in firewall_rules.php and evaluate when added
https://redmine.pfsense.org/issues/2367
2012-04-11T00:02:00Z
Chris Buechler (cbuechler@gmail.com)
<p>the fact the negate policy routing rule isn't shown is bad as it has led to unintended consequences (ends up passing traffic people don't realize is passed because it's hidden). They should be shown as a grayed out auto-added rule, similar to block private/bogon.</p>
<p>Also need to look at when and how that rule is automatically added. In some circumstances it can allow more traffic than the user intends, such as: <br /><a class="external" href="http://forum.pfsense.org/index.php/topic,48143.0/topicseen.html">http://forum.pfsense.org/index.php/topic,48143.0/topicseen.html</a></p>

pfSense - Bug #2308 (New): HFSC WebUI doesn't check for "Bandwidth" setting
https://redmine.pfsense.org/issues/2308
2012-03-23T13:11:08Z
Oliver Loch
<p>Hi,</p>
<p>I configured pfSense to do some QoS. To get everything "firsthand" I used the HFSC module.</p>
<p>When configuring an HFSC queue you can add values for the "Service Curve" as shown in the attached screenshot.</p>
<p>If you add the realtime settings m1, d, m2 or just m2, and don't put anything inside the "Bandwidth" field above, you can save and reload those settings.</p>
<p>After the reload you get error messages that say something like this:</p>
<p>php: : New alert found: There were error(s) loading the rules: pfctl: the sum of the child bandwidth higher than parent "root_em1" pfctl: linkshare sc exceeds parent's sc /tmp/rules.debug:47: errors in queue definition pfctl: the sum of the child bandwidth higher than parent "root_bridge1" pfctl: linkshare sc exceeds parent's sc /tmp/rules.debug:59: errors in queue definition pfctl: the sum of the child bandwidth higher than parent "root_bridge1" pfctl: linkshare sc exceeds parent's sc /tmp/rules.debug:60: errors in queue definition pfctl: Syntax error in config file: pf rules not loaded The line in question reads [ the sum of the child bandwidth higher than parent "root_em1" pfctl]:</p>
<p>This comes from the fact that the empty "Bandwidth" field results in a pf rule like this:</p>
<pre><code>queue wweb on em1 qlimit 500 hfsc ( realtime (10%, 10000, 5%) )</code></pre>
<p>which doesn't contain the "bandwidth" statement and results in an error like:</p>
<p>[2.0.1-RELEASE][<a class="email" href="mailto:root@pfSense.localdomain">root@pfSense.localdomain</a>]/tmp(4): pfctl -nf rules.debug<br />pfctl: the sum of the child bandwidth higher than parent "root_em1" <br />pfctl: linkshare sc exceeds parent's sc<br />rules.debug:47: errors in queue definition<br />pfctl: the sum of the child bandwidth higher than parent "root_bridge1" <br />pfctl: linkshare sc exceeds parent's sc<br />rules.debug:59: errors in queue definition<br />pfctl: the sum of the child bandwidth higher than parent "root_bridge1" <br />pfctl: linkshare sc exceeds parent's sc<br />rules.debug:60: errors in queue definition<br />[2.0.1-RELEASE][<a class="email" href="mailto:root@pfSense.localdomain">root@pfSense.localdomain</a>]/tmp(5):</p>
<p>That's because the system assumes "100%" bandwidth if the option is omitted.</p>
<p>The errors on line 59 and line 60 are from those lines:</p>
<p>59: queue lweb on bridge1 qlimit 500 hfsc ( realtime (10%, 10000, 6%) )<br />60: queue lmail on bridge1 qlimit 500 hfsc ( realtime 5% )</p>
<p>Same shit, different pile ...</p>
<p>It would be nice to ask the user what to do, or to just set "m2" as the "Bandwidth" of the queue, as one can use "m2" alone for realtime settings without a peak.</p>

pfSense - Todo #2099 (New): Remove "queue" from CARP traffic
https://redmine.pfsense.org/issues/2099
2012-01-17T03:00:19Z
Michele Di Maria (michele@nt2.it)
<p>Hello,<br /> as happened for the "Outbound NAT", there's the possibility that the CARP traffic can be matched by one of the rules in the "Floating Rules" (for example: Interface: LAN, source: ANY). Under heavy traffic this leads to losing some of the CARP packets, which causes CARP to promote the secondary machine to master.</p>
<p>What could be done is to create a static rule just after the "floating rules" that matches all the CARP traffic and removes the queue (but I don't know if it's possible).</p>

pfSense - Feature #1935 (New): Allow rule with max-src-conn-* options to make conditional use of ...
https://redmine.pfsense.org/issues/1935
2011-10-07T09:31:43Z
Dim Hatz
<p>Firewall: Rules: Advanced Options offers various options to limit the max number of connections per source IP and connections/sec; however, it silently puts any source IP that exceeds them into the &lt;virusprot&gt; table, effectively blocking all traffic from it for a significant period.</p>
<p><strong>For pfsense rules involving max-src-conn-xyz restrictions, consider making the (overload &lt;virusprot&gt;) either an optional or a configurable action.</strong></p>
<p>My aim is to do flexible TCP connection throttling with pfsense. I find it useful for e.g. outbound SMTP connections, as I wrote in <a class="external" href="http://forum.pfsense.org/index.php/topic,41679.0.html">http://forum.pfsense.org/index.php/topic,41679.0.html</a></p>
<blockquote>
<p>Throttling outgoing SMTP (port 25) connections?</p>
<p>The situation I'm trying to mitigate is when e.g. in a public hotspot, a guest's malware-infected PC starts sending out 1000s of spam mails. I wouldn't want to block outgoing port 25 completely (as many people still connect to their mailserver using SMTP AUTH over TCP/25), but as a compromise I prefer to limit port 25 outgoing connections to a low number, e.g. 3/min.</p>
<p>With Linux iptables I might use directives like:<br />-p tcp --dport 25 --limit 3/min --limit-burst x<br />etc<br />This way, any port 25 connections beyond the limit of 3 per minute are dropped, but the port becomes available again very soon. And no other ports are affected.</p>
<p>pfsense offers advanced options with similar features (pf's max-src-conn-rate), but apparently adds "offending" IPs to the &lt;virusprot&gt; table, thus blocking those IPs entirely for all protocols, rather than effectively throttling port 25 only.</p>
</blockquote>

pfSense - Feature #1506 (New): Notifications should spool
https://redmine.pfsense.org/issues/1506
2011-05-05T12:58:42Z
Phil Parris (phil.networkadmin@gmail.com)
<p>If the firewall can't connect to the mail server, notifications fail and it never attempts to notify again. A nice feature would be a check box to spool notifications so they are sent once the connection to the mail server has been restored.</p>

pfSense - Feature #1434 (New): Radius Accounting in OpenVPN
https://redmine.pfsense.org/issues/1434
2011-04-14T11:08:16Z
Fan Net (fannet08@gmail.com)
<p>Radius Accounting packets are critical to any enterprise implementation of OpenVPN due to compliance reasons. It is also important for anyone that wants to maintain a historical log of who logged in, how much data they sent, what IP they had while they were logged in, etc. Currently other parts of pfSense (PPTP) send out radius accounting data but OpenVPN does not (it does, however, do AUTH just fine). This is even more confusing since defining a radius server in the user-management section requires you to give the radius accounting port (leading you to believe it is supported across the platform). There are openvpn accounting modules currently available for debian (radiusplugin.so) which function fine.</p>

pfSense - Feature #1367 (New): Input validation on partial config restores
https://redmine.pfsense.org/issues/1367
2011-03-21T01:16:53Z
Chris Buechler (cbuechler@gmail.com)
<p>Restoring partial 1.2.x configs does not work since it does not go through the config upgrade process. There is also little verification done of partial config restores. We should have some sanity checking that prevents clearly invalid partial restores, like those matching 1.2.x.</p>

pfSense - Feature #521 (New): Group manager Assigned Permissions
https://redmine.pfsense.org/issues/521
2010-04-18T14:52:58Z
Larry Titus (administrator@pseudo-servers.com)
<p>Change the Assigned Privileges section of the Group Manager to use the same type of "swap box" as Group Memberships to make it easier to add/remove multiple permissions.</p>

pfSense - Feature #84 (New): Nightly Filter Summary E-Mail
https://redmine.pfsense.org/issues/84
2009-09-12T21:11:12Z
Jim Pingle
<p>Scott and I talked about this earlier on IRC. Could be a package for 2.0, or worked in somehow.</p>
<p>A daemon of some sort could check filter logs every 5 minutes and collect summary data, then store it in an xml or serialized data file. At the end of a 24 hour period, this data could be used to generate a report on the filter activity for the day.</p>
<p>The report could look similar to the pie charts output by the filter log summary graphs, but those only work on whatever data is currently in the log.</p>
<p>It would need to keep track of the last log message it read to ensure that it isn't counting things more than once. If the entire log file wraps in under 5 minutes, it should log an error telling the admin to increase the log size (also a feature that doesn't yet exist, but should be fairly easy to add).</p>