pfSense bugtracker: Issueshttps://redmine.pfsense.org/https://redmine.pfsense.org/favicon.ico?16780521162024-01-12T23:40:15ZpfSense bugtracker
Redmine pfSense Packages - Regression #15159 (Confirmed): XMLRPC Replication Target required even if not ...https://redmine.pfsense.org/issues/151592024-01-12T23:40:15ZSteve Y
<p>On page Firewall/pfBlockerNG/Sync if "Sync to configured system backup server" is selected, "XMLRPC Replication Targets" > "Target IP/Hostname" is still a required field.</p> pfSense - Bug #15067 (Feedback): Secondary node attempts to delete the ``admins`` group when sync...https://redmine.pfsense.org/issues/150672023-12-05T20:40:48ZCraig Coonrad
<p>Version: 23.09-RELEASE</p>
<p>Error message:</p>
<pre>
Dec 5 20:37:30 fw102.local php-fpm[77756]: /xmlrpc.php: The command '/usr/sbin/pw groupdel -g 'admins'' returned exit code '64', the output was 'pw: Bad id 'admins': invalid'
</pre> pfSense Packages - Regression #15064 (Confirmed): Statis menu entry for APCUPSD leads to settings...https://redmine.pfsense.org/issues/150642023-12-05T10:50:58Zodo maitre
<p>if you call services/apcupsd in the gui you get the same result as if you call status/apcupsd. Both time you get the configuration menu (pkg_edit.php?xml=apcupsd.xml).(should be "apcupsd_status.php" when calling status/apcupsd)<br />I guess there is something wrong.</p> pfSense Packages - Bug #14146 (New): Small Typo in 'Advanced Outbound firewall rule settings' war...https://redmine.pfsense.org/issues/141462023-03-22T07:36:44ZJon Brown
<p>When creating an IPv4 outbound permit rule (Firewall --> pfBlockerNG --> Ip --> IPv4) and you leave the <b>Custom Protocol</b> on any you get the following error:</p>
<pre>
Settings: Protocol setting cannot be set to 'Default' with Advanced Outbound firewall rule settings.
</pre>
<p><img src="https://redmine.pfsense.org/attachments/download/4819/pfblocker-with-any-error-message.jpg" alt="" /></p>
<p>There is a typo where it is saying it cannot be left on 'Default', there is not default protocol. This should read as follows:</p>
<pre>
Settings: Protocol setting cannot be set to 'Any' with Advanced Outbound firewall rule settings.
</pre>
<p>I have swapped <strong>default</strong> for <strong>any</strong></p> pfSense - Feature #13805 (New): A way to reliably determine if system is the primary or secondary...https://redmine.pfsense.org/issues/138052022-12-26T15:29:16ZChristopher Cope
<p>There is no current way, as far as I can tell, to reliably determine if the current system is the primary or secondary.</p>
A few of the current ways include:
<ul>
<li>"Synchronize Config to IP" isn't set it's likely secondary, but isn't certain.</li>
<li>Checking the advskew is a good way, but these are sometimes changed, so it isn't 100% either.</li>
</ul>
<p>My thoughts are to add a setting to System > High Avail. Sync for Primary/Secondary.</p>
This would allow behavior specific to that to be implemented. Such as:
<ul>
<li>Disabling the ability to toggle CARP maintenance mode on the Secondary, to avoid confusion.</li>
<li>Auto filling advskew when creating new VIPs</li>
<li>etc.</li>
</ul>
<p>I could write the code and submit a merge request for this, but would appreciate any thoughts / comments on anything I may be missing before I do that.</p> pfSense - Feature #12863 (New): dynamically tune sha512crypt roundshttps://redmine.pfsense.org/issues/128632022-02-24T00:16:27ZRoyce Williamsroyce@tycho.org
<p>As touched on in <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: Suboptimal Password Hashing (Closed)" href="https://redmine.pfsense.org/issues/12800">#12800</a> and <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: GUI option to select the user password hashing algorithm (Resolved)" href="https://redmine.pfsense.org/issues/12855">#12855</a>, sha512crypt's default number of rounds (5000) can be cracked relatively quickly by modern standards. But "fixing" this with a static, arbitrary number of rounds could adversely impact login speed and user experience, depending on platform.</p>
<p>I propose a middle-ground solution: tune the number of rounds based on platform capability to a target runtime. Multiple UX studies have cited 500ms (half a second) as an upper bound for user login delay tolerance.</p>
<p><a href="https://gist.github.com/roycewilliams/09ddd10504d560c02b28049759cd666f" class="external">This reference code</a> detects the number of rounds near 500ms performance, using a simple approach: performing a test hash, and then applying its performance ratio to the rounds count. It then hashes the password with that number of rounds. It abstracts both the sha512crypt hashing and the dynamic rounds tuning into their own functions. It also improves salt entropy in passing, to match bcrypt and scrypt's 128 bits and to match the sha512crypt</p>
<p>The code is overly commented, to explain the reasoning behind various design choices, such as those informed by attack techniques well known in the password-cracking community.</p>
<p>Sample results for a few platforms at 500ms runtimes (I am actively soliciting for additional data points):</p>
<pre>
* AMD Geode LX800 500 MHz (alix2): rounds=11851
* AMD GX-412TC SOC (apu2): rounds=157921
* Intel(R) Celeron(R) CPU N3150 @ 1.60GHz: rounds=209662
* Pentium(R) Dual-Core CPU E5: rounds=568985
* 11th Gen Intel(R) Core(TM) i7-11700K @ 3.60GHz: rounds=1741092
</pre>
<p>Note especially these higher values. A modern CPU can run 1.7 million rounds of sha512crypt in half a second. By contrast, a medium-sized pentest cracking rig (equivalent of 6 GTX 1080s) can do a little over 2 billion rounds in half a second against a single hash (scaling downward across multiple salted hashes).</p>
<p>So while not even a strong hash can protect a single very weak password for long, strengthening these hashes can do a much better job of protecting midrange and stronger ones.</p> pfSense Packages - Bug #11493 (New): After upgrade zabbix proxy wont starthttps://redmine.pfsense.org/issues/114932021-02-21T05:31:00ZPim Janssen
<p>Due to database changes between zabbix-proxy versions. The proxy database needs to be removed after upgrading else the proxy service won't start.</p>
<p>Workaround <br />manual remove database /var/db/zabbix-proxy/proxy.db</p> pfSense Packages - Bug #11000 (New): haproxy deprecated trick suggestedhttps://redmine.pfsense.org/issues/110002020-10-22T17:51:10ZManuel Piovan
<p>haproxy-devel<br />under backend<br />the description for "Http check version" say:<br /><pre><code class="php syntaxhl"><span class="nc">Defaults</span> <span class="n">to</span> <span class="s2">"HTTP/1.0"</span> <span class="k">if</span> <span class="n">left</span> <span class="n">blank</span><span class="mf">.</span> <span class="nc">Note</span> <span class="n">that</span> <span class="n">the</span> <span class="nc">Host</span> <span class="n">field</span> <span class="n">is</span> <span class="n">mandatory</span> <span class="n">in</span> <span class="no">HTTP</span><span class="o">/</span><span class="mf">1.1</span><span class="p">,</span> <span class="k">and</span> <span class="k">as</span> <span class="n">a</span> <span class="n">trick</span><span class="p">,</span> <span class="n">it</span> <span class="n">is</span> <span class="n">possible</span> <span class="n">to</span> <span class="n">pass</span> <span class="n">it</span> <span class="n">after</span> <span class="s2">"</span><span class="se">\r\n</span><span class="s2">"</span> <span class="n">following</span> <span class="n">the</span> <span class="n">version</span> <span class="n">string</span> <span class="n">like</span> <span class="n">this</span><span class="o">:</span>
<span class="no">HTTP</span><span class="o">/</span><span class="mf">1.1</span><span class="err">\</span><span class="n">r\nHost</span><span class="o">:</span><span class="err">\</span> <span class="n">www</span>
</code></pre><br />but this lead to a Warning</p>
<pre><code class="php syntaxhl"><span class="p">[</span><span class="no">WARNING</span><span class="p">]</span> <span class="mi">296</span><span class="o">/</span><span class="mo">00442</span><span class="mi">8</span> <span class="p">(</span><span class="mi">78254</span><span class="p">)</span> <span class="o">:</span> <span class="n">parsing</span> <span class="p">[</span><span class="o">/</span><span class="k">var</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">haproxy</span><span class="o">/</span><span class="n">haproxy</span><span class="mf">.</span><span class="n">cfg</span><span class="o">:</span><span class="mi">67</span><span class="p">]</span><span class="o">:</span> <span class="s1">'option httpchk'</span> <span class="o">:</span> <span class="n">hiding</span> <span class="n">headers</span> <span class="k">or</span> <span class="n">body</span> <span class="n">at</span> <span class="n">the</span> <span class="n">end</span> <span class="n">of</span> <span class="n">the</span> <span class="n">version</span> <span class="n">string</span> <span class="n">is</span> <span class="n">deprecated</span><span class="mf">.</span> <span class="nc">Please</span><span class="p">,</span> <span class="n">consider</span> <span class="n">to</span> <span class="kn">use</span> <span class="s1">'http-check send'</span> <span class="n">directive</span> <span class="n">instead</span><span class="mf">.</span>
</code></pre> pfSense - Todo #10199 (New): Improve Spanish translation interfacehttps://redmine.pfsense.org/issues/101992020-01-22T09:20:34ZAluisco Miguel Ricardo MastrapapfSense Packages - Feature #9648 (New): Multiple node Sync HAProxy configuration to backup CARP m...https://redmine.pfsense.org/issues/96482019-07-25T10:00:31ZFrikkie Botha
<p>We have a cluster of 3x PFSense Firewalls running in 3 AZs on AWS.</p>
<p>FW-A (AZ-A) is configured to sync to FW-B (AZ-B) which then syncs to FW-C (AZ-C)</p>
<p>This works perfectly for all components of PFSense except for HAProxy.</p>
<p>HAProxy only syncs from FW-A (AZ-A) to FW-B (AZ-B).</p>
<p>The only workaround currently to get the changes thru to all AZs after making a change on FW-A is to</p>
<p>1. Disable the HAProxy sync on FW-B<br />2. Click Save & Apply Changes<br />3. Enable the HAProxy sync on FW-B<br />4. Click Save & Apply Changes</p>
<p>This does however only do the sync once from FW-B to FW-C and the same process needs to be followed again if an update is made to HAProxy on FW-A</p> pfSense Packages - Bug #9486 (New): ifindex values used for softflowd are incorrecthttps://redmine.pfsense.org/issues/94862019-04-26T13:16:29ZJesse White
<p>With this patch, we now pass ifIndex values to softflowd for inclusion in the flow packets:<br /> <a class="external" href="https://github.com/pfsense/FreeBSD-ports/pull/501/files#diff-451c93a8b870e13a749022e7ecf64cd6R52">https://github.com/pfsense/FreeBSD-ports/pull/501/files#diff-451c93a8b870e13a749022e7ecf64cd6R52</a></p>
<p>However, the values used are arbitrary and do not line up with the values used by other services on the system such as snmpd:<br /><pre>
ps ax | grep soft
91600 - Ss 0:00.64 /usr/local/sbin/softflowd -i 1:igb1 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.pid -c /var/r
91913 - Is 0:00.00 /usr/local/sbin/softflowd -i 2:igb1.2 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.2.pid -c /v
92156 - Is 0:00.00 /usr/local/sbin/softflowd -i 3:igb1.3 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb1.3.pid -c /v
92774 - Is 0:00.00 /usr/local/sbin/softflowd -i 4:ovpnc2 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.ovpnc2.pid -c /v
93644 - Ss 0:00.69 /usr/local/sbin/softflowd -i 5:igb0 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.igb0.pid -c /var/r
93969 - Is 0:00.00 /usr/local/sbin/softflowd -i 6:lo0 -n 127.0.0.1:8877 -v 5 -T full -t general=60 -p /var/run/softflowd.lo0.pid -c /var/run
</pre></p>
<pre>
$ snmpwalk -c public -v 2c 10.1.1.1 IF-MIB::ifDescr
IF-MIB::ifDescr.1 = STRING: igb0
IF-MIB::ifDescr.2 = STRING: igb1
IF-MIB::ifDescr.3 = STRING: enc0
IF-MIB::ifDescr.4 = STRING: lo0
IF-MIB::ifDescr.5 = STRING: pflog0
IF-MIB::ifDescr.6 = STRING: pfsync0
IF-MIB::ifDescr.7 = STRING: igb1.2
IF-MIB::ifDescr.8 = STRING: igb1.3
IF-MIB::ifDescr.9 = STRING: ovpnc2
</pre>
<p>For example igb1.2 is set to ifIndex 2, but it should really be 7.</p>
<p>The proper ifIndex can be retrieved using:<br /> <a class="external" href="https://www.freebsd.org/cgi/man.cgi?query=if_nametoindex&apropos=0&sektion=3&manpath=FreeBSD+11.0-RELEASE&arch=default&format=html">https://www.freebsd.org/cgi/man.cgi?query=if_nametoindex&apropos=0&sektion=3&manpath=FreeBSD+11.0-RELEASE&arch=default&format=html</a></p> pfSense Packages - Feature #9141 (New): FRR xmlrpc https://redmine.pfsense.org/issues/91412018-11-21T08:22:54ZChris Macmahon
<p>FRR seems to be missing the option to sync the config viar XLMRPC.</p> pfSense Packages - Bug #8454 (New): Arpwatch package break email notifications from other sourceshttps://redmine.pfsense.org/issues/84542018-04-12T07:18:20ZYehuda Katz
<p>Arpwatch replaces /usr/sbin/sendmail with a symlink to a PHP script that specifically mentioned Arpwatch in the message subject:<br /><a class="external" href="https://github.com/pfsense/FreeBSD-ports/blob/015971be238550a1f9aa060fe5ed93849c01572e/net-mgmt/pfSense-pkg-arpwatch/files/usr/local/pkg/arpwatch.inc#L217">https://github.com/pfsense/FreeBSD-ports/blob/015971be238550a1f9aa060fe5ed93849c01572e/net-mgmt/pfSense-pkg-arpwatch/files/usr/local/pkg/arpwatch.inc#L217</a></p>
<p>This causes notifications from ACME (run by CRON) to come with subjects like this:</p>
<blockquote>
<p>wall.example.com - Arpwatch Notification : Cron <root@wall> /usr/local/pkg/acme/acme_command.sh "renewall"</p>
</blockquote> pfSense - Todo #6727 (New): Missing file apple-touch-icon-precomposed.png ?https://redmine.pfsense.org/issues/67272016-08-18T14:10:11ZAndy Kniveton
<p>I notice this occasionally in my log files after logging in via the web browser :-</p>
<p>Aug 18 19:50:38 pfsense.localdomain nginx: 2016/08/18 19:50:38 [error] 36942#100114: *10595 open() "/usr/local/www/apple-touch-icon-precomposed.png" failed (2: No such file or directory), client: 172.16.1.20, server: , request: "GET /apple-touch-icon-precomposed.png HTTP/1.1", host: "172.16.1.1"</p>
<p>[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root: ls /usr/local/www/apple-touch-icon-precomposed.png<br />ls: /usr/local/www/apple-touch-icon-precomposed.png: No such file or directory</p>
<p>[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root: ls /usr/local/www/*.png<br />/usr/local/www/apple-touch-icon.png/usr/local/www/logo.png<br />/usr/local/www/logo-black.png /usr/local/www/pfs-mini.png<br />[2.3.2-RELEASE][<a class="email" href="mailto:admin@pfsense.localdomain">admin@pfsense.localdomain</a>]/root:</p>
<p>Maybe its just worth doing a symbolic link in the next pfSense build.</p> pfSense - Bug #4298 (Assigned): Excessive errors from snmpdhttps://redmine.pfsense.org/issues/42982015-01-26T04:32:43ZHolger Hampel
<p>When accessing snmp from a montitoring system I get many, many errors (logged in the central syslog):</p>
<p>snmpd<sup><a href="#fn95772">95772</a></sup>: could not encode error response</p>
<p>I tried to disable some mibs, but there is no change.</p>
<p>Same monitoring worked in 2.1.5</p>