pfSense bugtracker: Issueshttps://redmine.pfsense.org/https://redmine.pfsense.org/favicon.ico?16780521162023-12-15T20:06:02ZpfSense bugtracker
Redmine pfSense - Bug #15098 (New): Wireguard crashes on boot if PPPoE is the default gatewayhttps://redmine.pfsense.org/issues/150982023-12-15T20:06:02ZOskar Stroka
<p>This only seems to happen after a fresh boot, and only if any PPPoE connection is the default gateway. <br />Even the service watchdog can't bring wireguard back up. <br />The workaround is to go to "Status" - "Interfaces", disconnect the PPPoE line and enable it again. <br />After that wireguard will start without a problem.<br />I've only noticed this issue after moving to newer / better hardware.</p> pfSense - Bug #15084 (New): Upgrading an EFI system installed to ZFS mirror does not upgrade EFI ...https://redmine.pfsense.org/issues/150842023-12-11T16:56:18ZJim Pingle
<p>When an EFI system installed to a ZFS mirror is upgraded, the EFI loader is only updated on the first disk of the mirror (<code>/dev/gpt/efiboot0</code>).</p>
<p>If the system has EFI filesystems on the additional disks, they are not touched during upgrade.</p>
<p>Can be worked around by manually mounting the additional EFI partitions and copying the files.</p>
<p>For example, to update the loader on the second disk:</p>
<pre><code class="shell syntaxhl"><span class="c"># mount -t msdosfs /dev/gpt/efiboot1 /mnt/</span>
<span class="c"># cp -R /boot/efi/ /mnt</span>
<span class="c"># umount /mnt</span>
</code></pre>
<p>Note that systems may or may not actually have a proper EFI filesystem on the additional disks. See <a class="issue tracker-1 status-1 priority-5 priority-high4" title="Bug: Installing to ZFS mirror does not format or populate EFI partition on additional disks (New)" href="https://redmine.pfsense.org/issues/15083">#15083</a></p>
<p>Marked as Plus 24.03/CE 2.8.0 but if it can be fixed in the pfSense-boot package the fix could be picked back to 23.09.1/2.7.2.</p> pfSense - Bug #15082 (New): Upgrade fails due to unmounted EFI filesystemhttps://redmine.pfsense.org/issues/150822023-12-11T14:10:15ZJim Pingle
<p>This may be related to <a class="issue tracker-1 status-1 priority-4 priority-default" title="Bug: Upgrade fails due to undersized EFI filesystem (New)" href="https://redmine.pfsense.org/issues/15081">#15081</a> but it's not definite.</p>
<p>Some upgrades have failed in pfSense-boot if the EFI partition is not manually mounted first.</p>
<p>There are several reports of this where simply manually mounting the EFI partition before starting the upgrade allows it to complete. See <a class="external" href="https://www.reddit.com/r/PFSENSE/comments/18d887u/netgate_releases_pfsense_plus_software_version/kcjcktm/">https://www.reddit.com/r/PFSENSE/comments/18d887u/netgate_releases_pfsense_plus_software_version/kcjcktm/</a> for example.</p>
<p>Marked as Plus 24.03/CE 2.8.0 but if it can be fixed in the pfSense-boot package the fix could be picked back to 23.09.1/2.7.2.</p> pfSense - Bug #15081 (New): Upgrade fails due to undersized EFI filesystemhttps://redmine.pfsense.org/issues/150812023-12-11T14:01:54ZJim Pingle
<p>Some installations as recent as Plus 22.01 / CE 2.6.0 have EFI partitions that were created and/or populated by the old EFIFAT image method. This means that while the EFI <em>partition</em> is 200M, the EFI <em>filesystem</em> is only around 700KB. As a result, these installations are unable to upgrade to recent versions successfully as the loader cannot be updated.</p>
<p>This can be worked around by reformatting the EFI partition directly and copying the appropriate files back into place, as described in this forum post: <a class="external" href="https://forum.netgate.com/post/1140955">https://forum.netgate.com/post/1140955</a></p>
<pre><code class="shell syntaxhl"><span class="c"># mkdir -p /boot/efi</span>
<span class="c"># mount_msdosfs /dev/msdosfs/EFISYS /boot/efi</span>
<span class="c"># mkdir -p /tmp/efitmp</span>
<span class="c"># cp -Rp /boot/efi/* /tmp/efitmp</span>
<span class="c"># umount /boot/efi</span>
<span class="c"># newfs_msdos -F 32 -c 1 -L EFISYS /dev/msdosfs/EFISYS</span>
<span class="c"># mount_msdosfs /dev/msdosfs/EFISYS /boot/efi</span>
<span class="c"># cp -Rp /tmp/efitmp/* /boot/efi/</span>
</code></pre>
<p>There are some potential complications there. For example, the EFI filesystem may not be labeled that way, it could be <code>/dev/gpt/EFISYS</code> or it may have no label at all.</p>
<p>Marked as Plus 24.03/CE 2.8.0 but if it can be fixed in the pfSense-boot package the fix could be picked back to 23.09.1/2.7.2.</p> pfSense - Bug #14983 (New): Upgrade can fail when unexpected EFI partitions are present.https://redmine.pfsense.org/issues/149832023-11-14T15:49:22ZSteve Wheeler
<p>pfSense-upgrade can fail when the pfSense-boot post install script tries to update the bot loader if the first EFI partition is not on the boot drive.</p>
<p>For example if the main boot drive is not installed as UEFI and the installation media is still present. The script tries and fails to update the wrong drive aborting the upgrade:</p>
<pre>
Number of packages to be reinstalled: 1
[1/1] Reinstalling pfSense-boot-23.09...
[1/1] Extracting pfSense-boot-23.09: .......... done
mount_msdosfs: /dev/msdosfs/EFISYS: Read-only file system
pkg-static: POST-INSTALL script failed
failed.
__RC=1 __REBOOT_AFTER=10
</pre> pfSense - Regression #14970 (Feedback): Static ARP assignments lose ``permanent`` flag in ARP tablehttps://redmine.pfsense.org/issues/149702023-11-11T21:01:26ZDenny Page
<p>Arp flips back and forth between reporting static arp entries as permanent or having timeouts with large negative values, and eventually looses the concept that entries are static at all.</p>
<pre>
[23.09-RELEASE][root@fw]/root: arp -s 192.168.230.202 70:b3:d5:e3:d0:40
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 permanent [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in 938 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 938 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in 938 seconds [ethernet]
[23.09-RELEASE][root@fw]/root: arp -s 192.168.230.201 70:b3:d5:e3:d0:22
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 permanent [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in 841 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 841 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 permanent [ethernet]
[23.09-RELEASE][root@fw]/root: arp -s 192.168.230.203 70:b3:d5:e3:d0:23
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 permanent [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 permanent [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 816 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 permanent [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 permanent [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 permanent [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 812 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 permanent [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 expires in -1699735173 seconds [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in -1699735173 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 808 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in -1699735173 seconds [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 permanent [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 permanent [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 802 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 permanent [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 permanent [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 permanent [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 797 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 permanent [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 expires in -1699735254 seconds [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in -1699735254 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 727 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in -1699735254 seconds [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 expires in -1699735261 seconds [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in -1699735261 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 720 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in -1699735261 seconds [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 expires in -1699735265 seconds [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in -1699735265 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 716 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in -1699735265 seconds [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 permanent [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 permanent [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 690 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 permanent [ethernet]
[23.09-RELEASE][root@fw]/root:
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 permanent [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 permanent [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 660 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 permanent [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 expires in -1699735329 seconds [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in -1699735329 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 652 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in -1699735329 seconds [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 permanent [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 permanent [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 649 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 permanent [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 expires in -1699735337 seconds [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in -1699735337 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 644 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in -1699735337 seconds [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 permanent [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 permanent [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 641 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 permanent [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 expires in -1699735343 seconds [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in -1699735343 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 638 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in -1699735343 seconds [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 expires in -1699735345 seconds [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in -1699735345 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 636 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in -1699735345 seconds [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 permanent [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 permanent [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 635 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 permanent [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 expires in -1699735351 seconds [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in -1699735351 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 630 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in -1699735351 seconds [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 expires in -1699735353 seconds [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in -1699735353 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 628 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in -1699735353 seconds [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 expires in 1140 seconds [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in 1140 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 1140 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in 1140 seconds [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 expires in 1113 seconds [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in 1113 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 1113 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in 1113 seconds [ethernet]
[23.09-RELEASE][root@fw]/root: arp -i ix0 -a | grep leontp
leontp2 (192.168.230.202) at 70:b3:d5:e3:d0:40 on ix0 expires in 1112 seconds [ethernet]
leontp3 (192.168.230.203) at 70:b3:d5:e3:d0:23 on ix0 expires in 1112 seconds [ethernet]
leontp0 (192.168.230.200) at a0:39:75:00:00:7f on ix0 expires in 1112 seconds [ethernet]
leontp1 (192.168.230.201) at 70:b3:d5:e3:d0:22 on ix0 expires in 1112 seconds [ethernet]
[23.09-RELEASE][root@fw]/root:
</pre> pfSense - Regression #14930 (Feedback): Clean installation using Auto (ZFS) + MBR (BIOS) does not...https://redmine.pfsense.org/issues/149302023-10-28T02:19:25ZBoycee .
<p>Installing pfSense 2.7.0 using the Auto (ZFS) + MBR (BIOS) options appears successful, however when the installer reboots the system, the system fails to boot successfully, with a message displayed indicating the operating system is missing.</p>
<p>It is possible to install 2.6.0 with these options (Auto (ZFS) + MBR (BIOS)) and successfully upgrade to 2.7.0.</p>
<p>I believe this issue is inherited from FreeBSD:</p>
<p><a class="external" href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267843">https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267843</a><br /><a class="external" href="https://reviews.freebsd.org/D40816">https://reviews.freebsd.org/D40816</a></p>
<p>Whilst this issue should ideally be resolved in future releases of pfSense, I assume it must be considering for future in-place upgrades to avoid “bricking” devices already configured in this way.</p> pfSense - Bug #14613 (New): Incorrect wireguard control panel status managementhttps://redmine.pfsense.org/issues/146132023-07-26T14:59:29Zhao zhang
<p><img src="https://redmine.pfsense.org/attachments/download/5201/clipboard-202307262256-rlh8k.png" alt="" /><br />Wireguard can still be clicked on to start while in the boot state and is unresponsive when clicked on, making wireguard uncontrollable.<br />pfsense2.7<br />pfSense-pkg-WireGuard 0.2.0_2</p> pfSense - Regression #14410 (New): Behavior of ``earlyshellcmd`` changed, ``ngeth`` interfaces ca...https://redmine.pfsense.org/issues/144102023-05-24T01:27:46ZTaylor Jasko
<p>In pfSense Plus 23.01, I was leveraging <a href="https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#earlyshellcmd-option" class="external">earlyshellcmd</a> to create a virtual network interface & handle 802.1x authentication <em>before</em> pfSense checks whether reassignment of interfaces is required. While this specific use case has been <a href="https://docs.netgate.com/pfsense/en/latest/recipes/authbridge.html" class="external">recently solved</a> in 23.05 through other officially supported ways, there's another issue at hand here.</p>
<p>For some background, I'm utilizing <code>pfatt</code> (as called out in the link above) to handle 802.1x auth with AT&T. After applying the update, pfSense was unable to boot due to not finding the <code>ngeth0</code> interface that the <code>pfatt</code> script was tasked to create. This is because in 23.05, I have confirmed that the configured shell commands with the <code>earlyshellcmd</code> option are being executed later in the boot sequence than the previous release. More specifically, the <code>/etc/rc.bootup</code> PHP script was updated so that the early shell commands (which are called off by <code>system_do_shell_commands(1)</code>) are executed after the <code>while (is_interface_mismatch() == true)...</code> code block (which then halts the boot process if it fails). Previously to 23.05, <code>system_do_shell_commands(1)</code> was called before that aforementioned <code>while</code> loop, just like how pfSense CE functions today, which can be seen in the code <a href="https://github.com/pfsense/pfsense/blob/9fab01eae0698ce23979663fc18d58536dc305f0/src/etc/rc.bootup#L121-L167" class="external">here</a>.</p>
<p>While my particular issue can be solved by the newly introduced auth bridging functionality, it still begs the question of whether the changed execution sequence of <code>earlyshellcmd</code> commands being impacted was intentional or not; from my standpoint, it's a regression as other pfSense Plus users may be relying on these early shell commands executing before the networking interfaces are checked.</p>
<p>Specifically to my use case, I'll switch over to the new way of configuring this authentication method soon, however, I wanted to file this issue so the pfSense Plus team is aware of this regression. Please let me know if you require any more insight into this problem.</p>
<p>Thanks!</p> pfSense Packages - Feature #13096 (Feedback): Improve robustness of Snort Rules Update Log size l...https://redmine.pfsense.org/issues/130962022-04-25T09:47:09ZBill Meeks
<p>Change the code for truncating the Snort Rules Update Log file when it exceeds the maximum configured size to be more robust by dropping the use of <em>unlink()</em> and use the method used in the Suricata package instead.</p> pfSense Packages - Bug #13095 (Feedback): Snort VRT change in Shared Object Rules path name resul...https://redmine.pfsense.org/issues/130952022-04-25T09:43:25ZBill Meeks
<p>Apparently the Snort Vulnerability Research Team recently altered part of the path name inside the Snort Rules Update archive. This results in failure of the Snort package code to properly extract and copy the Shared Object (SO) rules when performing the periodic rules update. A portion of the long directory path in the archive was changed from "x86_64" to "x86-64" (replaced the underscore with a dash).</p> pfSense Packages - Bug #12979 (Pull Request Review): Snort Rules Update Process Using Deprecated ...https://redmine.pfsense.org/issues/129792022-03-23T14:23:01ZBill Meeks
<p>Beginning around the first of March 2022, the Snort rules update package from the Snort VRT changed the subdirectory name for the precompiled Shared Object (SO) rules, in the archive, from "FreeBSD-12" to "FreeBSD-13". The Snort rules update code in the GUI parses the current FreeBSD version from the operating system, so since pfSense is still on FreeBSD 12.3, this results in the rules update code searching for a non-existent "FreeBSD-12" subdirectory in the archive when unpacking it. Until such time as pfSense moves to FreeBSD-13, this logic needs to be changed and the subdirectory name hard-coded to "FreeBSD-13".</p> pfSense - Todo #10199 (New): Improve Spanish translation interfacehttps://redmine.pfsense.org/issues/101992020-01-22T09:20:34ZAluisco Miguel Ricardo MastrapapfSense - Feature #9293 (New): Provide WebUI message (banner) prior to loginhttps://redmine.pfsense.org/issues/92932019-01-29T06:18:56ZRyan Haraschak
<p>While trying to deploy in govt environments, they have security guidelines (STIGs) we're required to follow. Some, as trivial as they seem, include displaying banners before logging in. I've been able to modify the html\php to meet this requirement, however, as expected, the changes are lost after an update.</p>
<p>Would it be possible to add a text entry field on the general settings page that provides a persistent webui login banner?</p>
<p>Here's an example from the <a href="https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2018-03-01/finding/V-38593" class="external">DoD RHEL STIGs</a>:</p>
<pre>
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
</pre> pfSense - Bug #6605 (Confirmed): rc.linkup logic issues with actions takenhttps://redmine.pfsense.org/issues/66052016-07-12T19:46:41ZChris Buechlercbuechler@gmail.com
<p>The actions taken by rc.linkup differ depending on whether the interface has a static or no IPv4 and IPv6 IP, and every other case (where either the v4 or v6 type of the interface is dynamic). <br /><a class="external" href="https://github.com/pfsense/pfsense/blob/RELENG_2_3/src/etc/rc.linkup#L70">https://github.com/pfsense/pfsense/blob/RELENG_2_3/src/etc/rc.linkup#L70</a></p>
<p>While there are no doubt some edge case reasons for that being the way it is, it's not sensible logic in general. The actions taken should be much closer to the same between them.</p>
<p>The only known problem this causes is with CARP. The interface_bring_down function removes CARP VIPs from the interface. If you have a static v4 and track6 LAN, this makes CARP get into dual master on WAN when the LAN loses link. What should happen is the CARP IP stays in INIT, which increments net.inet.carp.demotion by 240, which makes the secondary take over for the WAN VIPs. What actually happens is it increments demotion by 240, fails over to the secondary, then the VIP is deleted from the LAN on primary so demotion gets a +240 on the primary because the VIP is gone, and the primary takes back over master. Then you have dual master on WAN.</p>
<p>interface_bring_down should never be run on an interface where a CARP VIP resides to avoid this situation. It's questionable whether it's ever actually necessary or desirable when losing link on a NIC.</p>
<p>This is a potentially touchy area for regressions, so it'll need a good deal of review, testing and time to run in snapshots.</p>