pfSense bugtracker: Issues
https://redmine.pfsense.org/
2024-03-28T14:41:25Z

pfSense - Feature #15367 (New): pfSense throughput would probably seriously benefit from jumbo fr...
https://redmine.pfsense.org/issues/15367
2024-03-28T14:41:25Z, Louis B
<p>pfSense throughput would probably seriously benefit from jumbo frames. Please support that!</p>
<p>I described this in more detail in my thread "Is pfSense handling jumbo frames correct!?"</p>
<p>I assume pfSense could greatly benefit from bigger packets, especially in the case of link speeds above 1G, since even the slightest packet delay strongly limits the throughput. Assuming that the packet delay is <em>independent</em> of packet size, the overall delay of using jumbo frames for file transfer would probably be something like a factor 5.<br />So I did start changing my NAS systems and some network settings to test that. And of course pfSense should support it as well. And there is the problem. In the actual GUI, I can reduce the MTU size (default 1500), but I cannot raise the size, not above the size of the physical interface.</p>
<p>And there is the problem: there is no way to change the MTU size of interfaces used in favor of VLANs or LAGGs.</p>

pfSense - Bug #15366 (New): Ethernet rules are not blocking the ARP inside the bridge
https://redmine.pfsense.org/issues/15366
2024-03-28T09:25:13Z, Lev Prokofev
<p>Configuration:</p>
<p>1) IX2 and DMZ interfaces are bridged (192.168.168.0/24)<br />2) Filtering enabled on members of the bridge:<br /><code>net.link.bridge.pfil_member=1</code><br /><code>net.link.bridge.pfil_bridge=0</code><br />3) The ethernet rules are set to not pass ARP from any to any on the members of the bridge.<br /><img src="https://redmine.pfsense.org/attachments/download/5988/clipboard-202403281317-ukct1.png" alt="" /><br />Result:</p>
<p>PC1 (192.168.168.12) requested the ARP for PC2 (192.168.168.10) and received the reply, but didn't receive an ARP reply from the gateway, so the rules cut traffic from the interface of pfSense but not inside the bridge broadcast.</p>
<p><img src="https://redmine.pfsense.org/attachments/download/5989/clipboard-202403281323-c06p2.png" alt="" /></p>
<p>Tested on:</p>
<pre>
23.09.1-RELEASE (amd64)
built on Wed Dec 20 21:27:00 MSK 2023
FreeBSD 14.0-CURRENT
</pre>

pfSense - Bug #15362 (New): Config upgrade error with empty gateway interval tags.
https://redmine.pfsense.org/issues/15362
2024-03-26T19:12:31Z, Steve Wheeler
<p>Upgrading an old config that has set but empty gateway interval tags throws a PHP error.<br />For example a config containing:</p>
<pre>
<gateway_item>
<interface>wan</interface>
<gateway>1.2.3.4</gateway>
<name>wan_gateway</name>
<weight/>
<interval/>
<descr><![CDATA[gw1]]></descr>
<defaultgw/>
</gateway_item>
</pre>
<p>Will hit:</p>
<pre>
Fatal error: Uncaught TypeError: Unsupported operand types: string * int in /etc/inc/upgrade_config.inc:4169
Stack trace:
#0 /etc/inc/config.lib.inc(519): upgrade_130_to_131()
#1 /etc/rc.bootup(140): convert_config()
#2 {main}
thrown in /etc/inc/upgrade_config.inc on line 4169
PHP ERROR: Type: 1, File: /etc/inc/upgrade_config.inc, Line: 4169, Message: Uncaught TypeError: Unsupported operand types: string * int in /etc/inc/upgrade_config.inc:4169
Stack trace:
#0 /etc/inc/config.lib.inc(519): upgrade_130_to_131()
#1 /etc/rc.bootup(140): convert_config()
#2 {main}
</pre>

pfSense - Bug #15353 (New): Crashes Every ~8-12 Hours in New 2.7.2 Install with Unbound, Suricata...
https://redmine.pfsense.org/issues/15353
2024-03-21T06:41:37Z, Devin Dawson
<p>After reading some FreeBSD posts, it appears that this bug is potentially triggered by high CPU load. This occurs for me particularly during reloading or updating pfblockerNG, even though it's not consistently reproducible. I've attempted some mitigations such as disabling promiscuous mode in Suricata and restricting its use to the WAN interface, which seems to reduce the frequency of the issue but does not eliminate it entirely. Previously, running pfblockerNG in python mode alongside Suricata on both LAN and WAN interfaces resulted in the bug occurring more frequently.</p>
<p>The crash tends to happen approximately every 8 hours or so and appears to be related to two other FreeBSD issues:</p>
<p>FreeBSD Commit "vm: Fix racy checks for swap objects" - <a class="external" href="https://cgit.freebsd.org/src/commit/?id=e123264e4dc394602f9fed2f0376204b5998d815">https://cgit.freebsd.org/src/commit/?id=e123264e4dc394602f9fed2f0376204b5998d815</a><br />FreeBSD Bug Report "panic: vm_page_free_prep: freeing mapped page" - <a class="external" href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261707">https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261707</a></p>
<p>Further investigation and possible collaboration with the FreeBSD community may be necessary to address this issue effectively.</p>
<pre><code>Intel(R) Pentium(R) CPU G3250 @ 3.20GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: No
QAT Crypto: No
Kernel PTI Enabled
MDS Mitigation VERW
</code></pre>
<pre><code>amd64
14.0-CURRENT
FreeBSD 14.0-CURRENT amd64 1400094 #1 RELENG_2_7_2-n255948-8d2b56da39c: Wed Dec 6 20:45:47 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/obj/amd64/StdASW5b/var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/F
Filename: /var/crash/textdump.tar.0
ddb.txt
db:0:kdb.enter.default> show registers
cs 0x20
ds 0x3b
es 0x3b
fs 0x13
gs 0x1b
ss 0
rax 0x12
rcx 0xffffffff81451bc8
rdx 0xffffffff844195ff
rbx 0x100
rsp 0xfffffe00f5272780
rbp 0xfffffe00f5272780
rsi 0xfffffe00f52721f0
rdi 0xffffffff82d3f3d8 vt_conswindow+0x10
r8 0x10
r9 0x10
r10 0xf
r11 0x10
r12 0
r13 0x2
r14 0xffffffff813d55bb
r15 0xfffffe00f54e6e40
rip 0xffffffff80d32342 kdb_enter+0x32
rflags 0x82
kdb_enter+0x32: movq $0,0x234a4c3(%rip)
db:0:kdb.enter.default> run lockinfo
db:1:lockinfo> show locks
No such command; use "help" to list available commands
db:1:lockinfo> show alllocks
No such command; use "help" to list available commands
db:1:lockinfo> show lockedvnods
Locked vnodes
db:0:kdb.enter.default> show pcpu
cpuid = 1
dynamic pcpu = 0xfffffe009af25f80
curthread = 0xfffffe00f54e6e40: pid 27610 tid 100715 critnest 1 "unbound-control"
curpcb = 0xfffffe00f54e7360
fpcurthread = 0xfffffe00f54e6e40: pid 27610 "unbound-control"
idlethread = 0xfffffe001de1ec80: tid 100004 "idle: cpu1"
self = 0xffffffff84011000
curpmap = 0xfffff803a5a05ad0
tssp = 0xffffffff84011384
rsp0 = 0xfffffe00f5273000
kcr3 = 0x800000008aefd67f
ucr3 = 0x8000000271748e7f
scr3 = 0x271748e7f
gs32p = 0xffffffff84011404
ldt = 0xffffffff84011444
tss = 0xffffffff84011434
curvnet = 0
db:0:kdb.enter.default> bt
Tracing pid 27610 tid 100715 td 0xfffffe00f54e6e40
kdb_enter() at kdb_enter+0x32/frame 0xfffffe00f5272780
vpanic() at vpanic+0x163/frame 0xfffffe00f52728b0
panic() at panic+0x43/frame 0xfffffe00f5272910
trap_fatal() at trap_fatal+0x40c/frame 0xfffffe00f5272970
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe00f52729d0
calltrap() at calltrap+0x8/frame 0xfffffe00f52729d0
--- trap 0xc, rip = 0xffffffff8127ee47, rsp = 0xfffffe00f5272aa0, rbp = 0xfffffe00f5272ac0 ---
free_pv_entry() at free_pv_entry+0x47/frame 0xfffffe00f5272ac0
pmap_pv_promote_pde() at pmap_pv_promote_pde+0x14e/frame 0xfffffe00f5272b00
pmap_promote_pde() at pmap_promote_pde+0x2fa/frame 0xfffffe00f5272b80
pmap_enter() at pmap_enter+0xe8f/frame 0xfffffe00f5272c50
vm_fault() at vm_fault+0xbf4/frame 0xfffffe00f5272d60
vm_fault_trap() at vm_fault_trap+0x6b/frame 0xfffffe00f5272db0
trap_pfault() at trap_pfault+0x1d9/frame 0xfffffe00f5272e10
trap() at trap+0x442/frame 0xfffffe00f5272f30
calltrap() at calltrap+0x8/frame 0xfffffe00f5272f30
--- trap 0xc, rip = 0x82784d8d0, rsp = 0x820a9f758, rbp = 0x820a9f940 ---
</code></pre>

pfSense - Feature #15348 (New): Block out PSK when viewing Phase 1 IPsec configuration
https://redmine.pfsense.org/issues/15348
2024-03-18T14:31:12Z, Mike Moore
<p>When filling out a PSK in the phase 1 proposal section, the PSK really should be entered obfuscated, with the option in the WebUI to show the password.<br />Entering a password in clear text so anyone shoulder surfing can see it is a security issue.</p>

pfSense - Bug #15291 (New): Error on Traffic Shaper 0% Bandwidth
https://redmine.pfsense.org/issues/15291
2024-02-26T09:35:21Z, Pavan K
<p>Link to post on pfSense Forum: <br /><a class="external" href="https://forum.netgate.com/topic/186137/error-on-traffic-shaper-0-bandwidth?_=1708915183963">https://forum.netgate.com/topic/186137/error-on-traffic-shaper-0-bandwidth?_=1708915183963</a></p>
<p>Backstory:<br />Recently we migrated from pfSense 2.4.x to 2.7.2, which was a direct update. Everything worked fine except the traffic shaping feature.</p>
<p>Following is the error:<br />There were error(s) loading the rules: pfctl: the sum of the child<br />bandwidth (1200000000) higher than parent "root_igc4" (1000000000) -<br />The line in question reads [0]: @ 2024-01-31 16:45:05</p>
<p>Following is our configuration:<br />Name → FAIRQ_7<br />Priority→ 7<br />Scheduler Option → Random Early detection in and out<br />Bandwidth → None</p>
<p>Add new Queue(Default)<br />Enable<br />Name → qFAIRQ_2(Default)<br />Priority→ 2<br />Scheduler Option → Default<br />Bandwidth → None</p>
<p>Add new Queue(ACK)<br />Enable<br />Name → qACK_6<br />Priority→ 6<br />Scheduler Option → Random Early detection in and out<br />Bandwidth → None</p>
<p>According to the configuration, the Bandwidth on Queue(ACK) should be 0%, which was migrated from 2.4.x, but on 2.7.2 it's not letting us save 0% bandwidth for some reason.</p>
<p>And due to this, new rules which are created are not taking effect; it's only after we disable and enable the Traffic Shaper completely that the rule is effective.</p>

pfSense - Bug #15116 (New): Kea not working with UEFI HTTPBoot URL configured
https://redmine.pfsense.org/issues/15116
2023-12-26T19:06:26Z, Jason Montleon
<p>I have configured and successfully use http boot to occasionally boot libvirt vms by checking off <code>Enable Network Booting</code> and entering a URL in the <code>UEFI HTTPBoot URL</code> field.</p>
<p>Seeing the banner message that ISC DHCP is deprecated I navigated to <code>System / Advanced / Networking</code> and switched to Kea DHCP. But when I do this I am no longer able to successfully use UEFI HTTPBoot.</p>
<p>Switching back and forth between ISC DHCP and Kea DHCP is all I need to do to fix and break the functionality again.</p>
<p>Looking at kea-dhcp4.conf there is nothing that stands out to me as obviously wrong, but clients never access the http server I have configured.</p>

pfSense - Bug #15110 (New): pfSense hangs when rebooting
https://redmine.pfsense.org/issues/15110
2023-12-21T16:09:41Z, Danilo Zrenjanin
<p>Start the reboot from the GUI:</p>
<pre>
Enter an option: pflog0: promiscuous mode disabled
Waiting (max 60 seconds) for system process `vnlru' to stop... done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining... 0 0 0 0 0 0 done
All buffers synced.
Uptime: 3m20s
Khelp module "ertt" can't unload until its refcount drops from 1 to 0.
uhub0: detached
</pre>
<p>At this point, it hangs. Noticed on a Netgate 6100 with 23.09.1.</p>

pfSense - Bug #15084 (New): Upgrading an EFI system installed to ZFS mirror does not upgrade EFI ...
https://redmine.pfsense.org/issues/15084
2023-12-11T16:56:18Z, Jim Pingle
<p>When an EFI system installed to a ZFS mirror is upgraded, the EFI loader is only updated on the first disk of the mirror (<code>/dev/gpt/efiboot0</code>).</p>
<p>If the system has EFI filesystems on the additional disks, they are not touched during upgrade.</p>
<p>Can be worked around by manually mounting the additional EFI partitions and copying the files.</p>
<p>For example, to update the loader on the second disk:</p>
<pre><code># mount -t msdosfs /dev/gpt/efiboot1 /mnt/
# cp -R /boot/efi/ /mnt
# umount /mnt
</code></pre>
<p>Note that systems may or may not actually have a proper EFI filesystem on the additional disks. See <a class="issue tracker-1 status-1 priority-5 priority-high4" title="Bug: Installing to ZFS mirror does not format or populate EFI partition on additional disks (New)" href="https://redmine.pfsense.org/issues/15083">#15083</a></p>
<p>Marked as Plus 24.03/CE 2.8.0 but if it can be fixed in the pfSense-boot package the fix could be picked back to 23.09.1/2.7.2.</p>

pfSense - Bug #15082 (New): Upgrade fails due to unmounted EFI filesystem
https://redmine.pfsense.org/issues/15082
2023-12-11T14:10:15Z, Jim Pingle
<p>This may be related to <a class="issue tracker-1 status-1 priority-4 priority-default" title="Bug: Upgrade fails due to undersized EFI filesystem (New)" href="https://redmine.pfsense.org/issues/15081">#15081</a> but it's not definite.</p>
<p>Some upgrades have failed in pfSense-boot if the EFI partition is not manually mounted first.</p>
<p>There are several reports of this where simply manually mounting the EFI partition before starting the upgrade allows it to complete. See <a class="external" href="https://www.reddit.com/r/PFSENSE/comments/18d887u/netgate_releases_pfsense_plus_software_version/kcjcktm/">https://www.reddit.com/r/PFSENSE/comments/18d887u/netgate_releases_pfsense_plus_software_version/kcjcktm/</a> for example.</p>
<p>Marked as Plus 24.03/CE 2.8.0 but if it can be fixed in the pfSense-boot package the fix could be picked back to 23.09.1/2.7.2.</p>

pfSense - Bug #14983 (New): Upgrade can fail when unexpected EFI partitions are present.
https://redmine.pfsense.org/issues/14983
2023-11-14T15:49:22Z, Steve Wheeler
<p>pfSense-upgrade can fail when the pfSense-boot post install script tries to update the boot loader if the first EFI partition is not on the boot drive.</p>
<p>For example, if the main boot drive is not installed as UEFI and the installation media is still present. The script tries and fails to update the wrong drive, aborting the upgrade:</p>
<pre>
Number of packages to be reinstalled: 1
[1/1] Reinstalling pfSense-boot-23.09...
[1/1] Extracting pfSense-boot-23.09: .......... done
mount_msdosfs: /dev/msdosfs/EFISYS: Read-only file system
pkg-static: POST-INSTALL script failed
failed.
__RC=1 __REBOOT_AFTER=10
</pre>

pfSense - Bug #14371 (New): Firewall does not respond to UDP traceroute requests over IPsec
https://redmine.pfsense.org/issues/14371
2023-05-10T22:08:35Z, Marcos M
<p>Tested on <code>23.01</code>.</p>
<p>pfSense itself does not respond to UDP traceroutes when it receives the request over IPsec (both policy/routed tunnels tested, as well as with pf disabled).</p>
<p>In the following example, traceroute is run from a LAN client behind siteA to the LAN interface address of siteB.</p>
<pre>
### siteA client
[22.01-DEVELOPMENT][root@sitea-lanhost.lab.arpa]/root: traceroute -n -I 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 48 byte packets
1 172.19.1.1 0.337 ms 0.106 ms 0.174 ms
2 192.168.1.1 0.684 ms 0.607 ms 0.531 ms
[22.01-DEVELOPMENT][root@sitea-lanhost.lab.arpa]/root: traceroute -n 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 64 hops max, 40 byte packets
1 172.19.1.1 0.283 ms 0.185 ms 0.189 ms
2 * * *
3 * *^C
### siteB firewall
[23.01-RELEASE][root@siteb-fw1.lab.arpa]/root: ifconfig vmx1
vmx1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: LAN
options=4e000bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>
ether 00:50:56:b2:00:fe
inet6 fe80::250:56ff:feb2:fe%vmx1 prefixlen 64 scopeid 0x2
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
[23.01-RELEASE][root@siteb-fw1.lab.arpa]/root: tcpdump -ni enc0 'host 172.19.1.4'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
19:01:30.681093 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4 > 192.168.1.1: ICMP echo request, id 32776, seq 4, length 28
19:01:30.681173 (authentic,confidential): SPI 0xcaa92d26: IP 192.168.1.1 > 172.19.1.4: ICMP echo reply, id 32776, seq 4, length 28
19:01:30.681567 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4 > 192.168.1.1: ICMP echo request, id 32776, seq 5, length 28
19:01:30.681586 (authentic,confidential): SPI 0xcaa92d26: IP 192.168.1.1 > 172.19.1.4: ICMP echo reply, id 32776, seq 5, length 28
19:01:30.682120 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4 > 192.168.1.1: ICMP echo request, id 32776, seq 6, length 28
19:01:30.682142 (authentic,confidential): SPI 0xcaa92d26: IP 192.168.1.1 > 172.19.1.4: ICMP echo reply, id 32776, seq 6, length 28
19:01:34.226850 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4.32816 > 192.168.1.1.33438: UDP, length 12
19:01:39.310089 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4.32816 > 192.168.1.1.33439: UDP, length 12
19:01:44.388844 (authentic,confidential): SPI 0xca57b541: IP 172.19.1.4.32816 > 192.168.1.1.33440: UDP, length 12
^C
9 packets captured
242 packets received by filter
0 packets dropped by kernel
</pre>
<p>Traceroutes to other clients on the siteB LAN work fine.</p>

pfSense - Bug #13624 (New): Only one alias in local network of OpenVPN Server works in 2.6.0
https://redmine.pfsense.org/issues/13624
2022-11-02T11:55:36Z, Florian Bat
<p>Issue <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: Support aliases in OpenVPN local/remote/tunnel network fields (Resolved)" href="https://redmine.pfsense.org/issues/2668">#2668</a> implemented the possibility to have host/network aliases in the OpenVPN local/remote/tunnel network fields.</p>
<p>When using host aliases in the local network field, it seems only the hosts of the very first alias are pushed to the client as local network. All other aliases seem to be ignored.</p>
<p><strong>Example:</strong><br />Let's say I have 3 host alias lists (named alias1, alias2 and alias3) with 2 hosts defined in each alias.</p>
<p>Using this as "local network" in the OpenVPN Server definition only pushes the ips of the <strong>alias1</strong> list.</p>
<pre><code>alias1, alias2, alias3
</code></pre>
<p>This only pushes the hosts of <strong>alias2</strong>:</p>
<pre><code>alias2, alias3, alias1
</code></pre>
<p>And this would push the two hosts of <strong>alias1</strong> plus the <strong>192.168.1.0/24</strong> and <strong>192.168.2.0/24</strong> networks as local networks.</p>
<pre><code>alias1, alias2, 192.168.1.0/24, alias3, 192.168.2.0/24
</code></pre>
<p>I am using<br />2.6.0-RELEASE (amd64)<br />built on Mon Jan 31 19:57:53 UTC 2022<br />FreeBSD 12.3-STABLE</p>

pfSense - Bug #12747 (New): System log is filled by sshguard
https://redmine.pfsense.org/issues/12747
2022-02-01T08:47:15Z, Steve Wheeler
<p>sshguard has to restart when the logs are rotated in 2.6 in order to monitor the current file. When it does so it logs the service restart.<br />In an even moderately busy firewall this can produce a lot of log entries, to the point it starts to hide other more important logs.<br />It appears to restart whenever any log is rotated; is that actually required?</p>
<p>For example, on a test system where an IPsec tunnel is configured but never connects, the ipsec log rotates frequently, resulting in a system log:</p>
<pre>
Jan 31 00:25:00 sshguard 29496 Exiting on signal.
Jan 31 00:25:00 sshguard 9940 Now monitoring attacks.
Jan 31 03:17:00 sshguard 9940 Exiting on signal.
Jan 31 03:17:00 sshguard 60321 Now monitoring attacks.
Jan 31 06:09:00 sshguard 60321 Exiting on signal.
Jan 31 06:09:00 sshguard 83661 Now monitoring attacks.
Jan 31 09:01:00 sshguard 83661 Exiting on signal.
Jan 31 09:01:00 sshguard 93166 Now monitoring attacks.
Jan 31 11:53:00 sshguard 93166 Exiting on signal.
Jan 31 11:53:00 sshguard 94019 Now monitoring attacks.
</pre>
<p>It's possible to mitigate this to some extent by increasing the log file size, reducing the rotation frequency.</p>

pfSense - Feature #9293 (New): Provide WebUI message (banner) prior to login
https://redmine.pfsense.org/issues/9293
2019-01-29T06:18:56Z, Ryan Haraschak
<p>While trying to deploy in govt environments, they have security guidelines (STIGs) we're required to follow. Some, as trivial as they seem, include displaying banners before logging in. I've been able to modify the html/php to meet this requirement; however, as expected, the changes are lost after an update.</p>
<p>Would it be possible to add a text entry field on the general settings page that provides a persistent webui login banner?</p>
<p>Here's an example from the <a href="https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2018-03-01/finding/V-38593" class="external">DoD RHEL STIGs</a>:</p>
<pre>
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
</pre>