Project

General

Profile

Activity

From 04/25/2019 to 05/24/2019

05/24/2019

07:49 PM Revision f8560a14: Privilege matching -- allow JS anchors. Fixes #9550
Attempts to detect a special case where a file does not actually
exist, and yet should be allowed since it is used by... Jim Pingle
07:47 PM Revision bdbd8534: Privilege matching -- allow JS anchors. Fixes #9550
Attempts to detect a special case where a file does not actually
exist, and yet should be allowed since it is used by... Jim Pingle
02:55 PM Bug #9550 (Feedback): New privilege matching method does not allow menu or tab links to anchors (#foo)
Applied in changeset commit:bdbd8534eef5b93370065340de225a1cd5e5faa8. Jim Pingle
02:30 PM Bug #9550 (Resolved): New privilege matching method does not allow menu or tab links to anchors (#foo)
The new privilege matching method does not allow menu or tab links to anchors, such as @#foo@. Since these are not pa... Jim Pingle
02:20 PM Bug #9484 (Closed): With proper timing on boot dhclient won't be started for WAN without manual intervention
Jim Pingle
02:10 PM Bug #9484: With proper timing on boot dhclient won't be started for WAN without manual intervention
It looks that with version *2.4.4-RELEASE-p3* problem no longer exists. Tomasz K.
02:20 PM Feature #9549 (Rejected): Carp alters for backup after secondary link crash.
Without preempt, you'll get systems with a mix of MASTER/BACKUP status or nothing will trigger a failover. That isn't... Jim Pingle
01:54 PM Feature #9549 (Rejected): Carp alters for backup after secondary link crash.
Greetings,
Today when working with CARP with several links we have a problem where the master detects the down of ... Heliton Martins
01:19 PM Bug #9548 (Resolved): Do not use VLANMTU flag to decide if interface supports to run VLAN
Today there is a function called is_jumbo_capable() that detects if VLANMTU flag is supported by interface and this f... Renato Botelho
07:55 AM Bug #9547 (Duplicate): altq on vlan interfaces not supported
Duplicate of #9413 Jim Pingle
07:54 AM Bug #9547: altq on vlan interfaces not supported
btw - on XG-1541 Vladimir Lind
07:53 AM Bug #9547 (Duplicate): altq on vlan interfaces not supported
on 2.5.0-DEVELOPMENT (amd64)
built on Thu May 23 20:41:57 EDT 2019
FreeBSD 12.0-RELEASE-p4
There were error(s... Vladimir Lind

05/23/2019

07:22 PM pfSense Packages Bug #9211: GeoIP broken in pfSense-pkg-ntopng-0.8.13_3
YP Lo wrote:
> Found out recently that ntopng v3.6 is already using GeoLite2 database, and hooked up the remaining G... Tj Ng
07:32 AM pfSense Packages Bug #9211: GeoIP broken in pfSense-pkg-ntopng-0.8.13_3
Found out recently that ntopng v3.6 is already using GeoLite2 database, and hooked up the remaining GeoLite2 update s... YP Lo
03:16 PM pfSense Packages Bug #9546 (Resolved): Snort fails to load/start with host_attribute_table
Using the PfSense gui to load and import an attribute table will cause Snort to error on startup. It will not start.
... Bill B
04:17 AM Bug #9296: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
I know it's targeted for 2.5.0, but still I'd like to inform people here that 2.4.4_3 does indeed NOT fix this, makin... Robert Gijsen

05/22/2019

08:50 PM pfSense Packages Feature #9238: Add support for Zerotier
I think it would be pretty awesome if PF supported this. ZT is a great and simple way of securing devices in a virtua... Deon George
08:20 PM Revision 00680d36: Add GUI components for MDS mitigation. Implements #9532
While here, add option to disable PTI display in sysinfo widget.
Implements #9323
(cherry picked from commit 42c48ef... Jim Pingle
08:19 PM Revision 42c48efe: Add GUI components for MDS mitigation. Implements #9532
While here, add option to disable PTI display in sysinfo widget.
Implements #9323 Jim Pingle
06:06 PM Revision ac0bb6bc: Use correct variable in IP address validation check for DNS. Fixes #9543
(cherry picked from commit 912562c4d76e9b629e99d44c56b363147d9ded0d) Jim Pingle
06:05 PM Revision 912562c4: Use correct variable in IP address validation check for DNS. Fixes #9543
Jim Pingle
03:30 PM Feature #9323 (Feedback): Option to hide 'Kernel PTI' from sysinfo widget
Applied in changeset commit:42c48efe1c326273079ac38176098a1993f8ae88. Jim Pingle
03:22 PM Feature #9323 (In Progress): Option to hide 'Kernel PTI' from sysinfo widget
Jim Pingle
03:30 PM Feature #9532 (Feedback): GUI indication and options for MDS mitigation
Applied in changeset commit:42c48efe1c326273079ac38176098a1993f8ae88. Jim Pingle
02:40 PM Feature #9532 (In Progress): GUI indication and options for MDS mitigation
Jim Pingle
02:54 PM Feature #9545 (Resolved): Enable Multipath Routing in the Kernel
Now that @ROUTE_MPATH@ is in the default kernel on FreeBSD 14 and @net.route.multipath@ is on (@1@), enable the MULTI... Jim Pingle
02:51 PM Feature #9544 (Closed): Enable ``ROUTE_MPATH`` multipath routing
Add ROUTE_MPATH to the kernel, assuming it does not cause any conflicts with existing options we need.
 Jim Pingle
01:15 PM Bug #9543 (Feedback): diag_dns.php: Reverse lookup of IPv6 fails with "Host must be a valid hostname or IP address."
Applied in changeset commit:912562c4d76e9b629e99d44c56b363147d9ded0d. Jim Pingle
01:05 PM Bug #9543 (Resolved): diag_dns.php: Reverse lookup of IPv6 fails with "Host must be a valid hostname or IP address."
Attempting to reverse resolve an IPv6 address on diag_dns.php fails with the error "Host must be a valid hostname or ... Jim Pingle
02:52 AM Feature #6626: Support for IPv6 firewall entries with dynamic delegated prefix and static host address
I think this issue really needs to be adressed ASAP. If I understand this correctly it means that today the best work... Pim Pish

05/21/2019

06:53 PM Revision b9ed452d: Remove wildcards incorrectly used in isAllowedPage(). Fixes #9541
(cherry picked from commit cf529cbe33ae53f3f95b37a227da141b97465f20) Jim Pingle
06:53 PM Revision cf529cbe: Remove wildcards incorrectly used in isAllowedPage(). Fixes #9541
Jim Pingle
05:49 PM Revision e905762d: Add sysutils/ccze to the repo
Renato Botelho
05:49 PM Revision e82e602d: Add sysutils/ccze to the repo
Renato Botelho
02:45 PM Bug #9539: HA: admin user's authorized key(s) won't get synced
Discussion ongoing in PR 4068 - https://github.com/pfsense/pfsense/pull/4068 James Webb
02:00 PM Bug #9541 (Feedback): Non-admin user with admin rights is given the wrong URL for the user manager
Applied in changeset commit:cf529cbe33ae53f3f95b37a227da141b97465f20. Jim Pingle
01:52 PM Bug #9541 (In Progress): Non-admin user with admin rights is given the wrong URL for the user manager
Looks like it's due to an instance of an incorrect usage of a wildcard when attempting to patch the page. The new str... Jim Pingle
07:47 AM Bug #9541: Non-admin user with admin rights is given the wrong URL for the user manager
Also get https://x.x.x.x/system_usermanager_passwordmg.php when you use FreeRadius for the user auth. Andy Kniveton

05/20/2019

09:46 PM pfSense Packages Bug #9542 (Closed): FreeRadius with MySQL not started and require mysql-client packet
Hello!
Freedaius start log (with Mysql-enable)
> Could not link driver rlm_sql_mysql: Shared object "libmysqlclient... Konstantin Ab
07:49 PM Bug #9541 (Resolved): Non-admin user with admin rights is given the wrong URL for the user manager
In 2.4.4p3 a user with admin rights that is not the admin user is given when opening the user manager:
https://x.x.x... Steve Wheeler
06:44 PM Bug #9539: HA: admin user's authorized key(s) won't get synced
This is to do with how users are synced in /usr/local/www/xmlrpc.php
In this file one will find:... James Webb
03:54 AM Bug #9539 (Resolved): HA: admin user's authorized key(s) won't get synced
Follow up from the forums: https://forum.netgate.com/topic/143452/admin-user-not-fully-synced/3
We had that tested... Jens Groh
03:36 PM Revision 057d15dc: Fix a potential source of PHP errors when saving per-log settings. Fixes #9540
While here, fix save descriptions.
(cherry picked from commit 303641f8283016a88f53c7743c962e16ba683579) Jim Pingle
03:35 PM Revision 303641f8: Fix a potential source of PHP errors when saving per-log settings. Fixes #9540
While here, fix save descriptions. Jim Pingle
10:45 AM Bug #9540 (Feedback): PHP Uncaught Error in Status/System Logs/Firewall/Dynamic View
Applied in changeset commit:303641f8283016a88f53c7743c962e16ba683579. Jim Pingle
10:33 AM Bug #9540: PHP Uncaught Error in Status/System Logs/Firewall/Dynamic View
I can't reproduce this on 2.5.0 or 2.4.4-p3. I can change the setting every which way, no errors. That said, I can so... Jim Pingle
09:19 AM Bug #9540 (Resolved): PHP Uncaught Error in Status/System Logs/Firewall/Dynamic View
I clicked the wrench in the upper-right corner to change the display to reverse order (newest first) and I got this f... Jay Simons
08:14 AM Bug #9362: rc.dyndns.update: Cloudflare DDNS with proxy enabled doesn't work at all
Chiming in that this is broken for me as well, as described in the original description.
2.4.4-p2 Berzerker Berzerker

05/19/2019

08:21 PM Bug #9294 (Resolved): XSS issues on multiple pages
Jim Pingle
08:20 PM Todo #9511 (Resolved): OpenVPN server/client/override advanced settings privilege separation
Jim Pingle
06:27 AM Feature #9538 (Resolved): add support for athp(4) driver
It would be great to get the athp driver into a 2.5 snapshot for testing. what we need is kernel with option ALQ and ... Manuel Piovan
05:43 AM pfSense Packages Bug #9537 (New): One month offset in displayed data between time changes
There is a bug in the Status > Traffic Totals package with a one-month offset in displaying data. The offset occurs a... Anonymous

05/18/2019

11:52 AM Bug #9535: Captive Portal users can't access internet after reboot ?
this issue is already discussed there but can't find any solution.
https://forum.netgate.com/topic/136262/clients-... Adeel Asghar
11:31 AM Bug #9535 (Rejected): Captive Portal users can't access internet after reboot ?
There is not enough information here for a valid bug report. Post on the forum to discuss and diagnose the issue befo... Jim Pingle
05:30 AM Bug #9535 (Rejected): Captive Portal users can't access internet after reboot ?
Hi,
in Pfsense after 2.4.4 upgarade captive portal users remain logged in after system reboot but can't access to in... Adeel Asghar
11:40 AM Feature #9536 (New): Support dynamic prefix in DHCPv6 Server
Most of the ISPs using dynamic IPv6 PD. Pfsense receive the prefix and can allocate a /64 prefix on LAN interfaces (T... Jozsef Krizsik

05/17/2019

08:08 PM Bug #9534 (Rejected): Captive Portal users can't disconnect after reboot ?
Do not report bugs against outdated versions. Update to the latest supported version and if you can reproduce the iss... Jim Pingle
06:13 PM Bug #9534 (Rejected): Captive Portal users can't disconnect after reboot ?
Hi,
in Pfsense 2.4.4 captive portal users remain logged in after system reboot but can't access to internet and the... Adeel Asghar
04:02 PM Feature #9531: [IPSEC] Add additional curve-based DH Groups (31+)
Alright will test within our lab setup and try it with the customer if that works. Will report back! Jens Groh
03:46 PM Feature #9531: [IPSEC] Add additional curve-based DH Groups (31+)
The first patch above, commit:4fc267484e604509b072b398642f19cb6797ef21, applies cleanly to 2.4.4-p2 and 2.4.4-p3 and ... Jim Pingle
03:37 PM Feature #9531: [IPSEC] Add additional curve-based DH Groups (31+)
Jim Pingle wrote:
> The first patch to add group 31 might, but the 32 would not since it requires a patch to strongS... Jens Groh
03:31 PM Feature #9531: [IPSEC] Add additional curve-based DH Groups (31+)
Jens Groh wrote:
> Just curious: would the changeset be appliable to 2.4.4-p3 when released?
The first patch to a... Jim Pingle
03:28 PM Feature #9531: [IPSEC] Add additional curve-based DH Groups (31+)
Just curious: would the changeset be appliable to 2.4.4-p3 when released?
I have a current customer that would lik... Jens Groh
03:08 PM Feature #9531 (Feedback): [IPSEC] Add additional curve-based DH Groups (31+)
Looks good on the current snapshot with group 31 and 32
 Jim Pingle
10:27 AM Feature #9531 (In Progress): [IPSEC] Add additional curve-based DH Groups (31+)
That was quick. Fix is in upstream: https://wiki.strongswan.org/projects/strongswan/repository/revisions/97708f7ff757... Jim Pingle
10:15 AM Feature #9531 (Feedback): [IPSEC] Add additional curve-based DH Groups (31+)
Applied in changeset commit:4fc267484e604509b072b398642f19cb6797ef21. Jim Pingle
10:04 AM Feature #9531: [IPSEC] Add additional curve-based DH Groups (31+)
Group 31 (curve25519) works. Group 32 (curve448) does not. Appears to be a strongSwan issue, I raised a bug report up... Jim Pingle
08:16 AM Feature #9531 (In Progress): [IPSEC] Add additional curve-based DH Groups (31+)
Jim Pingle
06:13 AM Feature #9531 (Resolved): [IPSEC] Add additional curve-based DH Groups (31+)
DH Group 31/32 (incl. curve25519) variants are available in Strongswan and it would be nice to have them as additions... Jens Groh
03:44 PM Revision 3f45cc99: Add in DH 32, a patch for strongSwan will be in soon to test with. Issue #9531
Jim Pingle
03:06 PM Revision 4fc26748: Add RFC 8031 Group 31 to IPsec. Implements #9531
Jim Pingle
01:44 PM Bug #9478: Unable to check for updates from the GUI when using a proxy with authentication
This also affects console option 13. I can't run option 13 with proxy+auth set, but if I drop to a shell, pfSense-upg... Jim Pingle
01:20 PM Feature #2358: NAT64 support
I was disappointed that this has not been at least added to the roadmap for 2.5. It seems as though Netgate didn't ca... Rick Coats
12:21 PM Bug #9533: XG-7100 FAT config restore not working post-install
It looks to me like the USB drive is being detected and loaded after the ECL has run which why it does not see the co... Steve Wheeler
11:37 AM Bug #9533 (Resolved): XG-7100 FAT config restore not working post-install
With the recent pfSense releases, it's possible to restore a configuration by copying the config.xml to a FAT partiti... Clinton Cory
10:42 AM Feature #9532 (Resolved): GUI indication and options for MDS mitigation
Similar to the option for Kernel PTI on system_advanced_misc.php we should have an option for MDS.
It is controlle... Jim Pingle

05/16/2019

08:44 PM pfSense Packages Feature #9530 (Duplicate): FRR package add sync function to HA / backup firewall
If you're using FRR and the existing feature;
*CARP Status IP* _Used to determine the CARP status. When the CARP vhi... Steven Perreau
08:42 PM Bug #1605: DHCP Server should group known clients by interface
Segregation by class (assumed to be directly linked to interface) is now possible.
https://github.com/pfsense/pfse... Daniel Koh
08:36 PM pfSense Packages Feature #9529 (Resolved): Version upgrade for FRR package and support new faster OSPF convergence features
Version bump up in FRR and please add GUI support for faster convergence features in latest FRR;
*ip ospf dead-int... Steven Perreau
08:24 PM pfSense Packages Bug #9528 (Duplicate): FRR OSPF state stuck in Extart / Exchange because of MTU following pfSense restart
1. Build FRR with OSPF, build the VTi interfaces, etc. Start OSPF and it will work. OSFP will link up neighbor state ... Steven Perreau
12:53 PM Revision 0a9163aa: Feature #9527 - LDAP extended query on groups in RFC2307 containers.
Steve Powers
11:35 AM Bug #9390 (Resolved): diag_backup.php: Backup output generation failure with CSRF script tag inserted into XML
Unable to reproduce on -p3. Looks good all around.
No CSRF string in a previously affected system, and also a comp... Jim Pingle
11:30 AM Bug #9508 (Resolved): Potential XSS in services_acb.php via download parameter
Unable to reproduce on -p3. Looks good. Jim Pingle
11:27 AM Bug #9499 (Resolved): Potential XSS in status_filter_reload.php via NAT rule description
Unable to reproduce on -p3. Looks good.
 Jim Pingle
11:27 AM Bug #9507 (Resolved): Potential XSS in WOL widget (widgets/widgets/wage_on_lan_widget.php) via WOL entry description
Unable to reproduce on -p3. Looks good.
 Jim Pingle
11:14 AM Bug #9519 (Resolved): Fix ACB Privileges
Privileges are not present on -p2
Privileges are on -p3 and work as intended
 Jim Pingle
11:08 AM Bug #9313 (Resolved): PHP Fatal error: Uncaught Error: Call to a member function addGlobal() on null in /usr/local/www/firewall_shaper_vinterface.php:415
Tested on a different system. Saw the PHP the error on 2.4.4-p2, upgraded to -p3 and only the nice "Queue not found" ... Jim Pingle
08:03 AM Feature #9527: Add ability for LDAP extended query on groups in RFC2307 containers.
Jim Pingle wrote:
> This looks good to me at a glance, do you mind submitting this as a pull request on Github?
>
... Steve Powers
07:21 AM Feature #9527: Add ability for LDAP extended query on groups in RFC2307 containers.
I noticed there was an erroneous reference to $userdn in the last debug() function, this updated patch removes that:
 Steve Powers
07:19 AM Feature #9527: Add ability for LDAP extended query on groups in RFC2307 containers.
This looks good to me at a glance, do you mind submitting this as a pull request on Github?
https://docs.netgate.c... Jim Pingle
07:08 AM Feature #9527 (Resolved): Add ability for LDAP extended query on groups in RFC2307 containers.
We have successfully deployed OpenLDAP authentication on several pfSense units, but needed to limit access to certain... Steve Powers

05/15/2019

08:24 PM Bug #9526: /var/log/nginx/error.log - Never cleared, invisible, always grows until /var overflows :(
For the vast majority of users, the nginx log does not contain much of anything. I'd look into what you've got going ... Jim Pingle
08:22 PM Bug #9526: /var/log/nginx/error.log - Never cleared, invisible, always grows until /var overflows :(
Half-baked workaround: add an earlyshellcmd of... Pete Holzmann
07:30 PM Bug #9526: /var/log/nginx/error.log - Never cleared, invisible, always grows until /var overflows :(
Jim Pingle wrote:
> Will be irrelevant soon due to #8350
In the meantime, a real killer ;)
 Pete Holzmann
07:28 PM Bug #9526 (Duplicate): /var/log/nginx/error.log - Never cleared, invisible, always grows until /var overflows :(
Will be irrelevant soon due to #8350 Jim Pingle
07:26 PM Bug #9526 (Duplicate): /var/log/nginx/error.log - Never cleared, invisible, always grows until /var overflows :(
+*SYMPTOMS*+
* My /var partition overflowed, causing havoc.
* Found a huge /log/nginx/error.log with many weeks of ... Pete Holzmann
08:18 PM Revision 2bf6d432: Revert "LDAP TLS option update. Implements #9417"
This reverts commit efdba6ca75e001e8426b2ecab49f71b53d5c9e30. Jim Pingle
05:43 PM Revision 22d6b2c4: Use correct certificate path for LDAP
Jim Pingle
04:19 PM Bug #9223 (Resolved): SSHGUARD doesn't work as expected
Confirmed against CE 2.4.4p2. Triggering lockout via SSH still allows unlimited login attempts at the gui.
Confirm... Steve Wheeler
03:35 PM Todo #9417: Convert LDAP TLS setup from environment to LDAP_OPT_X_TLS_* set options
It looks like LDAP_OPT_X_TLS_CACERTDIR and LDAP_OPT_X_TLS_CACERTFILE are being set but for some reason not honored as... Jim Pingle
03:28 PM Todo #9417 (New): Convert LDAP TLS setup from environment to LDAP_OPT_X_TLS_* set options
Jim Pingle
03:25 PM Todo #9417 (Feedback): Convert LDAP TLS setup from environment to LDAP_OPT_X_TLS_* set options
Applied in changeset commit:2bf6d4322622765bd1ce6ca8915ff75890885566. Jim Pingle
03:17 PM Todo #9417 (New): Convert LDAP TLS setup from environment to LDAP_OPT_X_TLS_* set options
Upon further testing this does not appear to be working for self-signed certificates. It works for global, however. W... Jim Pingle
11:18 AM Todo #9417 (Resolved): Convert LDAP TLS setup from environment to LDAP_OPT_X_TLS_* set options
Jim Pingle
01:12 PM Bug #4584: Static Mapped clients on one LAN get a DHCP IP from another LAN even when Deny unknown clients is checked on the other LAN
New PR to fix this: https://github.com/pfsense/pfsense/pull/4066 Daniel Koh
12:38 PM Bug #9225: Gateway group routing not updated on OpenVPN client reconnect
I too have this exact problem, on multiple installations...
The problem exists with two PPPoE connections too.
Ha... Riccardo Di Sarcina
12:05 PM Feature #9525: Automatic checksums on GPS init strings
Sorry, I must have had potatoes on my eyes...
...thanks for pointing out what should have been obvious. Ronald Antony
11:14 AM Feature #9525 (Rejected): Automatic checksums on GPS init strings
There is already a checkbox to automatically correct lines and add checksums. Jim Pingle
12:06 AM Feature #9525 (Rejected): Automatic checksums on GPS init strings
Under
Services > NTP > Serial GPS there's a section GPS Initialization that takes command strings.
It would be n... Ronald Antony
11:39 AM Bug #9359 (Resolved): diag_tables.php duplicate entries from webConfigurator lockout table
Jim Pingle
11:29 AM Bug #9359: diag_tables.php duplicate entries from webConfigurator lockout table
2.4.4-p3 looks good
Tested against sshguard table since webConfiguratorlockout table has been deprecated by #9223 ... Chris Linstruth
11:13 AM Bug #9513: Privilege bypass due to relative paths in URL after initial page filename
I was able to get the configuration xml following the commands above on the :
2.4.4-RELEASE-p2 (arm64)
built on W... Danilo Zrenjanin
11:03 AM Bug #9513 (Resolved): Privilege bypass due to relative paths in URL after initial page filename
A few of us have been hammering on this internally and thus far haven't been able to break it with the patch applied.... Jim Pingle
03:41 AM Bug #9513: Privilege bypass due to relative paths in URL after initial page filename
I am not 100% confident that I am testing this correctly but I was able to get the configuration xml from 1 2.4.4-p2 ... Chris Linstruth
11:12 AM Bug #9207 (Resolved): Phase1s created before pfSense 2.1.0 no longer work after upgrade to 2.4.3: IPsec ERROR: Could not find phase 1 source for connection [redacted]. Omitting from configuration file.
Jim Pingle
01:12 AM Bug #9207: Phase1s created before pfSense 2.1.0 no longer work after upgrade to 2.4.3: IPsec ERROR: Could not find phase 1 source for connection [redacted]. Omitting from configuration file.
2.4.4-p3
Restored an 18.9 configuration with protocol intentionally removed. The configuration was updated to 19.1... Chris Linstruth
11:12 AM Bug #9281 (Resolved): ZFS encrypted+mirrored swap may not be activated on 2.4.4-p2
Jim Pingle
01:50 AM Bug #9281: ZFS encrypted+mirrored swap may not be activated on 2.4.4-p2
2.4.4-p3
Installed 2.4.4-p1 with ZFS Mirrored, Encrypted swap. Looked good.
Upgraded to 2.4.4-p2 - No swap availa... Chris Linstruth
08:36 AM Bug #9512 (Resolved): Privilege bypass due to match style used by widget privileges
Jim Pingle
03:48 AM Bug #9512: Privilege bypass due to match style used by widget privileges
Confirmed user could access any page by appending ?&.widget.php to the URL in 2.4.4-p2. 2.4.4-p3 only allowed access ... Chris Linstruth
03:26 AM pfSense Packages Bug #9524: HAProxy-Backend blocks routed vlan traffic
Hi guys,
thanks for your answers.
I didn't recognize the warning above the the "Use Client-IP" feature. I am sorry... Jonas Bechtel

05/14/2019

11:09 PM pfSense Packages Bug #9424: arpwatch package logs CARP MAC address changes
Just a note that upstream arpwatch from FreeBSD was updated.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235... Art Manion
11:08 PM Todo #9417: Convert LDAP TLS setup from environment to LDAP_OPT_X_TLS_* set options
2.4.4-p3
This all seems to work. It also seems much more consistent as posited in the description. I did a lot of ... Chris Linstruth
01:44 PM pfSense Packages Bug #9524: HAProxy-Backend blocks routed vlan traffic
Its likely because of transparent-client-ip feature enabled in the backend of haproxy, combined with the 'bug' / miss... Pi Ba
10:26 AM pfSense Packages Bug #9524 (Not a Bug): HAProxy-Backend blocks routed vlan traffic
This is almost certainly a configuration issue, and this site is not for support or diagnostic discussion.
For ass... Jim Pingle
09:56 AM pfSense Packages Bug #9524 (Not a Bug): HAProxy-Backend blocks routed vlan traffic
Hi everybody,
we have a weird haproxy-backend problem. HAProxy-backends seems to block routet traffic between two co... Jonas Bechtel
12:12 PM Bug #9317 (Resolved): Warning/crash when adding a new user and choosing to generate a certificate
Jim Pingle
12:11 PM Bug #9317 (Rejected): Warning/crash when adding a new user and choosing to generate a certificate
Jim Pingle
11:42 AM Bug #9317: Warning/crash when adding a new user and choosing to generate a certificate
Tried on 2.4.4-p3. I do not observe the issue. User and its cert were created without errors and warnings. I tried to... Constantine Kormashev
10:32 AM Bug #9409 (Resolved): Crash dumps cannot be saved when RAM disks are enabled for /var
Jim Pingle
10:30 AM Bug #9409: Crash dumps cannot be saved when RAM disks are enabled for /var
Tried on 2.4.4-p3. Set RAM Disk Size to 100 (enable swap) and perform sysctl debug.kdb.panic=1, /var/crash contains d... Constantine Kormashev
10:28 AM Bug #9264 (Resolved): Disabling "IPv6 over IPv4 Tunneling" breaks config
Jim Pingle
08:04 AM Bug #9264: Disabling "IPv6 over IPv4 Tunneling" breaks config
Tried on 2.4.4-p3. I do not observe the issue.
0. set IPv6 on LAN
1. enable "IPv6 over IPv4 Tunneling" and set an... Constantine Kormashev
09:40 AM Bug #4584: Static Mapped clients on one LAN get a DHCP IP from another LAN even when Deny unknown clients is checked on the other LAN
Bringing this up again to see if anyone will fix. Daniel Koh
07:14 AM Bug #9193 (Resolved): firewall_nat.php: PHP error deleting an imported NAT rule with no firewall rules present
Jim Pingle
05:01 AM Bug #9193: firewall_nat.php: PHP error deleting an imported NAT rule with no firewall rules present
Tried on 2.4.4-p3, I do not observe the issue. I could upload config with empty firewall rule list <filter></filter>,... Constantine Kormashev
07:14 AM Bug #9316 (Resolved): diag_backup.php: Parse error: syntax error, unexpected ';' in /usr/local/www/diag_backup.php on line 333
Jim Pingle
12:12 AM Bug #9316: diag_backup.php: Parse error: syntax error, unexpected ';' in /usr/local/www/diag_backup.php on line 333
2.3.3-p3 looks good:
Verified configuration can be backed up and restored and also verified the missing close-pare... Chris Linstruth
07:14 AM Bug #9283 (Resolved): Not obvious that HA sync will still sync certs if cert sync disabled but OpenVPN sync enabled
Jim Pingle
07:14 AM Bug #9275 (Resolved): ip tools link not working
Jim Pingle
07:14 AM Bug #9276 (Resolved): DNS troubleshooting tool incorrectly reporting "ai." as an invalid hostname
Jim Pingle
07:13 AM Bug #9446 (Resolved): Filter reload error with NAT reflection enabled
Jim Pingle
07:13 AM Feature #9290 (Resolved): Need a way to suppress status output display in /status.php
Jim Pingle
07:13 AM Bug #9470 (Resolved): unbound remotecontrol.conf not rewritten when the file is empty
Jim Pingle
07:13 AM Bug #9231 (Resolved): firewall_aliases_edit.php: pf keyword matching is not catching some problem cases
Jim Pingle
07:12 AM Bug #9239 (Resolved): WebGUI: Diagnostics > Packet Capture will try to display any size of pcap file.
Jim Pingle
07:12 AM Feature #8602 (Resolved): DNS over TLS host verification
Jim Pingle
06:24 AM Bug #9004 (Resolved): Default gateway IPv4 set to a group fails after restart on 2.4.4
Renato Botelho
04:26 AM Bug #9004: Default gateway IPv4 set to a group fails after restart on 2.4.4
2.4.4-p3 does not observe the issue.
WAN_Failover GW Group with 2 links: WAN Tier1 and WAN2 Tier2, set as default GW... Constantine Kormashev
06:23 AM Bug #9308 (Resolved): Missing countries from list used on certificate pages
Renato Botelho
12:02 AM Bug #9308: Missing countries from list used on certificate pages
2.4.4-p3 looks good:
Country list populated and /etc/ca_countries removed. Chris Linstruth

05/13/2019

11:57 PM Bug #9283: Not obvious that HA sync will still sync certs if cert sync disabled but OpenVPN sync enabled
2.4.4-p3 looks good:
NAT configuration
IPsec configuration
OpenVPN configuration (Implies CA/Cert/CRL Sync)
DHC... Chris Linstruth
11:53 PM Bug #9275: ip tools link not working
2.4.4-p3
Links not present in *Diagnostics > DNS Lookup* nor *Diagnostics > Traceroute* results. Chris Linstruth
11:47 PM Bug #9276: DNS troubleshooting tool incorrectly reporting "ai." as an invalid hostname
2.4.4-p3
*Diagnostics > DNS Lookup* accepts _ai._ as a hostname and returns valid results. Ran a couple other quer... Chris Linstruth
11:44 PM Bug #9446: Filter reload error with NAT reflection enabled
2.4.4-p3 looks good:
# Reflection redirects and NAT for 1:1 mappings
rdr on { vtnet0 vtnet2 enc0 openvpn } from a... Chris Linstruth
10:18 PM Feature #9290: Need a way to suppress status output display in /status.php
2.4.4-p3:
Tested normal, archiveonly, nocleanup and from the shell. All looked good. Thank you so much for this. Chris Linstruth
10:12 PM Bug #9470: unbound remotecontrol.conf not rewritten when the file is empty
2.4.4-p3 Looks good:
cp /dev/null /var/unbound/remotecontrol.conf
Save unbound configuration
/var/unbound/remote... Chris Linstruth
10:08 PM Bug #9231: firewall_aliases_edit.php: pf keyword matching is not catching some problem cases
2.4.4-p3:
Could not create aliases with the same name as the pfSense interface name or the descriptive name of any e... Chris Linstruth
10:03 PM Bug #9239: WebGUI: Diagnostics > Packet Capture will try to display any size of pcap file.
Looks good.
Packet capture file is too large to display in the GUI.
Download the file, or view it in the console ... Chris Linstruth
09:51 PM Feature #8602 (Feedback): DNS over TLS host verification
Looks good with the new build with unbound 1.9.1. Only fails with a bogus hostname defined. Works with either 149.112... Chris Linstruth
02:44 PM Feature #8602 (Assigned): DNS over TLS host verification
Looks like we'll need to import Unbound 1.9.0 Jim Pingle
02:41 PM Feature #8602: DNS over TLS host verification
2.4.4-p3:
May 13 19:39:24 unbound 82673:1 error: no name verification functionality in ssl library, ignored nam... Chris Linstruth
03:36 PM Revision 657ab393: Welcome 2.4.4-RELEASE-p3
Renato Botelho
03:22 PM Bug #9214 (Resolved): Packages fail to reinstall after restoring config.xml from the installer
Jim Pingle
02:57 PM Bug #9214: Packages fail to reinstall after restoring config.xml from the installer
I upgraded from 2.4.4-p2 to 2.4.4-p3 using the iso and confix.xml recovery.
Got the banner that package install wa... Chris Linstruth
10:35 AM Bug #9214 (Feedback): Packages fail to reinstall after restoring config.xml from the installer
Jim Pingle
03:02 PM Revision 92d5396f: Implement new OpenVPN advanced options privilege. Fixes #9511
(cherry picked from commit 4a1841a1fabcba0100f6a4f505fc1e132c29da20) Jim Pingle
03:02 PM Revision 0dd99de7: Remove Advanced box from OpenVPN Wizard. Issue #9511
(cherry picked from commit b8ca6554d022e99921835a2fdb35103f41a7302e) Jim Pingle
03:01 PM Revision 4a1841a1: Implement new OpenVPN advanced options privilege. Fixes #9511
Jim Pingle
03:01 PM Revision b8ca6554: Remove Advanced box from OpenVPN Wizard. Issue #9511
Jim Pingle
02:50 PM Feature #9096 (Resolved): Login Page: Make pfSense Login Page Tab Name More Unique
Short hostname seems good enough to me. If you have enough tabs open to need the distinction, the size of most tabs w... Jim Pingle
02:47 PM Feature #9096: Login Page: Make pfSense Login Page Tab Name More Unique
This is a big help. Looks good. Thank you. Not sure if this should be the entire FQDN like the post-login title.
 Chris Linstruth
10:58 AM Bug #9459: patch pf: silence a runtime warning pfr_update_stats: assertion failed.
So I was able to find another way to keep nat reflection turned on and stop the spam. I changed one of the port forwa... rub man
10:42 AM Bug #8970: Queues Menu item ends with ":"
This was fixed likely before -p3, but those versions are closed, so I'll move it to -p3. Jim Pingle
10:10 AM Todo #9511 (Feedback): OpenVPN server/client/override advanced settings privilege separation
Applied in changeset commit:4a1841a1fabcba0100f6a4f505fc1e132c29da20. Jim Pingle
10:01 AM Todo #9511: OpenVPN server/client/override advanced settings privilege separation
* Removed Advanced options from the OpenVPN wizard. If a user has privileges for it, they can add the settings later.... Jim Pingle
06:37 AM Feature #1189: Gateway: Multiple monitor ips
+1
Please consider implementing this. I just experienced my first down time because 1.0.0.1 was unavailable from You... Stefan B. Christensen

05/12/2019

11:15 PM pfSense Packages Bug #9502: ACME's XMLRPC restart of remote webgui sometimes retains old certificates
Jim Pingle wrote:
> I am not sure it would be related to what you saw, but you might give the newest version of the ... Mike Barnes
11:02 AM pfSense Packages Feature #9523: LADVD: Feature to enable setting interface descriptions
Looking at FreeNAS, they've got a much more succinct description and only added support for the -z option, which seem... Jason Unovitch
10:21 AM pfSense Packages Feature #9523 (Resolved): LADVD: Feature to enable setting interface descriptions
Good day. I'd be interested in seeing options for the -y and -z flag to LADVD get added.
These are explain in ladv... Jason Unovitch
07:54 AM Bug #9223: SSHGUARD doesn't work as expected
Jim Pingle wrote:
>
> We opted not to add any more patches on top of sshguard, but you should absolutely submit th... Joshua Sign
06:41 AM Bug #9522 (Resolved): Diagnostics > System Activity shows only the header
In current 2.5 snapshots the 'top' output in Diagnostics > System Activity seems truncated.
I see only:... Steve Wheeler
05:33 AM pfSense Packages Feature #9521 (Resolved): Upgrade to HAProxy 1.9
Some of our backends support HTTP/2, but it seems that HAProxy 1.8 only support HTTP/2 for the frontends.
The latest... S. Debreuil

05/11/2019

10:55 PM Revision 7ccb4524: Fix ACB privileges. Fixes #9519
(cherry picked from commit 18c1de41332473dacd8a24ddf34e558f6366c714) Jim Pingle
10:55 PM Revision 18c1de41: Fix ACB privileges. Fixes #9519
Jim Pingle
07:38 PM pfSense Docs Correction #9520 (Closed): Feedback on Routing and Multi-WAN — Gateway Settings
*Page:* https://docs.netgate.com/pfsense/en/latest/routing/gateway-configure.html
*Feedback:* There is no document... Brendon Baumgartner
06:05 PM Bug #9470 (Feedback): unbound remotecontrol.conf not rewritten when the file is empty
Jim Pingle
06:05 PM Bug #9519 (Feedback): Fix ACB Privileges
Applied in changeset commit:18c1de41332473dacd8a24ddf34e558f6366c714. Jim Pingle
05:48 PM Bug #9519 (Resolved): Fix ACB Privileges
ACB pages have missing/incorrect privilege headers, and are not listed in the privilege list properly. Jim Pingle
06:05 PM Bug #9446 (Feedback): Filter reload error with NAT reflection enabled
Jim Pingle
06:05 PM Feature #9290 (Feedback): Need a way to suppress status output display in /status.php
Jim Pingle
06:05 PM Bug #9281 (Feedback): ZFS encrypted+mirrored swap may not be activated on 2.4.4-p2
Jim Pingle
06:05 PM Bug #9276 (Feedback): DNS troubleshooting tool incorrectly reporting "ai." as an invalid hostname
Jim Pingle
06:04 PM Bug #9275 (Feedback): ip tools link not working
Jim Pingle
06:04 PM Bug #9264 (Feedback): Disabling "IPv6 over IPv4 Tunneling" breaks config
Jim Pingle
06:04 PM Bug #9239 (Feedback): WebGUI: Diagnostics > Packet Capture will try to display any size of pcap file.
Jim Pingle
06:04 PM Bug #9231 (Feedback): firewall_aliases_edit.php: pf keyword matching is not catching some problem cases
Jim Pingle
06:04 PM Bug #9193 (Feedback): firewall_nat.php: PHP error deleting an imported NAT rule with no firewall rules present
Jim Pingle
06:04 PM Feature #8602 (Feedback): DNS over TLS host verification
Jim Pingle
05:21 PM Feature #9096 (Feedback): Login Page: Make pfSense Login Page Tab Name More Unique
Implemented in commit:814a7c2f1d828fedef13bb2bf326d8014e9e25bf (master) and commit:87642f6bd1fc96f116ee6756a15ef2a9cf... Jim Pingle
09:17 AM Bug #9514 (Not a Bug): DNS servers
The DNS Resolver (Unbound) doesn't work that way.
You can do that in the DNS forwarder by telling it to query sequ... Jim Pingle
08:56 AM Bug #9514 (Not a Bug): DNS servers
Right now, the query order for DNS servers can vary based on query times. Using DNS from multiple providers is great ... Dallas Haselhorst

05/10/2019

08:20 PM Revision 6cb5a937: Rewrite unbound remotecontrol.conf when it is empty. Fixes #9470
(cherry picked from commit 4b70a2006e6afb7813344eec8cafb8570e67256b) Jim Pingle
08:20 PM Revision 44fb8aca: Add back DNS over TLS host verification code. Fixes #8602
Requires Unbound 1.9.0_1 from pfsense/freebsd-ports, which fixes a bug
in Unbound 1.9.0 which did not fully implement... Jim Pingle
08:19 PM Revision fdb7f0a5: status.php updates
* Ensure firewall info is generated when run from the CLI
* For SG-1100, also include its public key
(cherry picked ... Jim Pingle
08:19 PM Revision c6d54302: Fix another typo
(cherry picked from commit a0930ca608eb6b22b256c95ab2d829932b085f82) Jim Pingle
08:19 PM Revision ff32782a: Add parens around NAT reflection rule interface. Fixes #9446
(cherry picked from commit 8800ee6f90d2ac91ca9c2886bd260bc1a4e12893) Jim Pingle
08:19 PM Revision 1f5fcdb7: Fix typo
(cherry picked from commit 929cc874f6d32908739cc30e70c0eeba25127fb8) Jim Pingle
07:55 PM Revision 70f50a2b: Fix a typo.
Reported by: jimt
(cherry picked from commit b0945941088c7383882688a6c6e774eb831f6486) Luiz Souza
07:55 PM Revision 87642f6b: #9096 - updated login title
(cherry picked from commit 814a7c2f1d828fedef13bb2bf326d8014e9e25bf) Clinton Cory
07:55 PM Revision efdba6ca: LDAP TLS option update. Implements #9417
(cherry picked from commit 996a1ad90e5682bf881bafd8b75d1b1a7e3f7831) Jim Pingle
07:52 PM Revision 4a762cf0: Update copyright notices to 2019. Happy New Year
(cherry picked from commit 0b4c14a491664053aad3cc76e1ffd67b70ff2da1) Steve Beaver
07:30 PM Revision ffe379ad: Strengthen path privilege check. Fixes #9513
* Removes/resolves any relative paths in the submitted URL
* Validates that the file exists
* Trims the path componen... Jim Pingle
07:28 PM Revision 0604f688: Strengthen path privilege check. Fixes #9513
* Removes/resolves any relative paths in the submitted URL
* Validates that the file exists
* Trims the path componen... Jim Pingle
02:40 PM Bug #9513 (Feedback): Privilege bypass due to relative paths in URL after initial page filename
Applied in changeset commit:0604f68855ff65b92cdebd57a08a2ceccbef675c. Jim Pingle
02:27 PM Bug #9513: Privilege bypass due to relative paths in URL after initial page filename
I was finally able to reproduce this, it took some extra parameters in cURL to make it happen.
Setup:
* Create a ... Jim Pingle
10:35 AM Bug #9294 (Feedback): XSS issues on multiple pages
These have all been handled but need testing and confirmation of the fixes. Jim Pingle

05/09/2019

08:40 PM Revision 2d7ec8bf: Make widget privilege matching more specific. Fixes #9512
(cherry picked from commit bc319bc01a4d709b39e4c93c7223d277ee666bff) Jim Pingle
08:39 PM Revision bc319bc0: Make widget privilege matching more specific. Fixes #9512
Jim Pingle
08:23 PM Revision a8a07cfb: Add warning for OpenVPN client, server, and override privileges.
Since these can use OpenVPN advanced directives to call external
scripts, they can be used to run commands that the u... Jim Pingle
08:22 PM Revision f75b0eb8: Add warning for OpenVPN client, server, and override privileges.
Since these can use OpenVPN advanced directives to call external
scripts, they can be used to run commands that the u... Jim Pingle
07:17 PM Revision 48ab49ab: Encode download parameter before use. Fixes #9508
(cherry picked from commit ce77c104eee92cfbbc0d84980e60899295dadeac) Jim Pingle
07:17 PM Revision ce77c104: Encode download parameter before use. Fixes #9508
Jim Pingle
06:20 PM Todo #6647: Enable Additional Security Headers
A quick test with the below inserted into head.inc... Bill Marquette
05:26 PM Bug #6167: IPsec IPComp not working
Is this actually ever going to happen? For three years now, this is just moving from one release to the next, without... Ronald Antony
03:51 PM Bug #9513 (Resolved): Privilege bypass due to relative paths in URL after initial page filename
N.B.: I have not yet managed to reproduce this, adding it based on a user report.
Due to the way the privilege sys... Jim Pingle
03:45 PM Bug #9512 (Feedback): Privilege bypass due to match style used by widget privileges
Applied in changeset commit:bc319bc01a4d709b39e4c93c7223d277ee666bff. Jim Pingle
03:39 PM Bug #9512: Privilege bypass due to match style used by widget privileges
Changing the match to start with the path to the widgets works around the problem:... Jim Pingle
03:37 PM Bug #9512 (Resolved): Privilege bypass due to match style used by widget privileges
The current dashboard and widget privileges specify a leading wildcard, for example:... Jim Pingle
03:19 PM Bug #9489: pfsense with ha closing sessions when apply any rule, xmlrpc erros are shown
This is not a bug, but a problem with your configuration. This site is not for support or diagnostic discussion.
F... Jim Pingle
03:06 PM Bug #9489: pfsense with ha closing sessions when apply any rule, xmlrpc erros are shown
running packages:
pfBlockerNG-devel
Service_Watchdog
snort
squid
squidGuard
 chris j
03:04 PM Bug #9489: pfsense with ha closing sessions when apply any rule, xmlrpc erros are shown
A communications error occurred while attempting to call XMLRPC method restore_config_section: @ 2019-05-09 20:54:59
... chris j
03:03 PM Bug #9489: pfsense with ha closing sessions when apply any rule, xmlrpc erros are shown
I 2nd this issue, brand new install setup HA cluster with just two machines, everything seems fine and config seems t... chris j
03:17 PM Todo #9511: OpenVPN server/client/override advanced settings privilege separation
If or when this is implemented, the warnings added for #9510 can be removed. Jim Pingle
03:15 PM Todo #9511 (Resolved): OpenVPN server/client/override advanced settings privilege separation
This issue needs some additional thought and debate.
Due to advanced directives in OpenVPN it is possible for user... Jim Pingle
02:25 PM Bug #9508 (Feedback): Potential XSS in services_acb.php via download parameter
Applied in changeset commit:ce77c104eee92cfbbc0d84980e60899295dadeac. Jim Pingle
02:16 PM Bug #9508 (Resolved): Potential XSS in services_acb.php via download parameter
Attempt to load /services_acb.php?download=%22%3E%3Cscript%3Ealert(1)%3C/script%3E and the client displays a JS alert... Jim Pingle

05/08/2019

08:44 PM Revision 5b5bb248: Encode descr in the WOL widget. Fixes #9507
(cherry picked from commit 5789a02eab9b2ebbcb1f28d1d037b408b436a853) Jim Pingle
08:44 PM Revision 5789a02e: Encode descr in the WOL widget. Fixes #9507
Jim Pingle
03:50 PM Bug #9507 (Feedback): Potential XSS in WOL widget (widgets/widgets/wage_on_lan_widget.php) via WOL entry description
Applied in changeset commit:5789a02eab9b2ebbcb1f28d1d037b408b436a853. Jim Pingle
03:44 PM Bug #9507 (Resolved): Potential XSS in WOL widget (widgets/widgets/wage_on_lan_widget.php) via WOL entry description
The WOL widget, widgets/widgets/wage_on_lan_widget.php, does not encode the description before display, so user-enter... Jim Pingle
09:06 AM Bug #9296: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
As a workaround I have installed the Cron package with the following additional entries:... Gavin Stewart
05:07 AM Bug #9296: Alias content is sometimes incomplete when an alias contains both FQDN and IP address entries
I see this behavior on 2.4.4_p2, on 2.4.5-dev and on 2.5.0-dev.
As workaround we can:
- in console run 'pkill filte... Azamat Khakimyanov
08:41 AM pfSense Packages Bug #9502: ACME's XMLRPC restart of remote webgui sometimes retains old certificates
I am not sure it would be related to what you saw, but you might give the newest version of the ACME package a try (0... Jim Pingle
08:40 AM pfSense Packages Bug #9492 (Resolved): Cannot reload remote haproxy via ACME package
Great! Jim Pingle
08:39 AM pfSense Packages Bug #9492: Cannot reload remote haproxy via ACME package
Works. Thx! Florian Apolloner
08:00 AM pfSense Packages Bug #9492: Cannot reload remote haproxy via ACME package
I pushed another change just now that might help. Not sure it will, but it's worth a try.
 Jim Pingle
07:57 AM pfSense Packages Bug #9492: Cannot reload remote haproxy via ACME package
Hi Jim. Yes Haproxy did restart. While I agree that the sync error should be from something else it still seems to be... Florian Apolloner
07:58 AM pfSense Packages Feature #9498: ACME Package: Sorting on name, expiration, etc
Pushed a new fix just now, try the next version when it shows up. Jim Pingle
01:09 AM pfSense Packages Feature #9498: ACME Package: Sorting on name, expiration, etc
Hi!
Great job, but sorting date does not work OK.
 Greg M

05/07/2019

10:03 AM pfSense Packages Bug #9492: Cannot reload remote haproxy via ACME package
There is no error in that output related to the service restart. The error at the top is from config sync, which isn'... Jim Pingle
02:24 AM pfSense Packages Bug #9492: Cannot reload remote haproxy via ACME package
I just installed, 0.5.7 but it still throws an error (Interestingly only on the firewall running ACME). Can I get mor... Florian Apolloner
07:53 AM pfSense Packages Bug #9502 (Not a Bug): ACME's XMLRPC restart of remote webgui sometimes retains old certificates
That isn't possible as the code that does the sync comes before the reload, and the sync process blocks. I haven't se... Jim Pingle
07:49 AM Bug #9503 (Not a Bug): Granting "WebCfg - OpenVPN: Clients" privilege does not display the "VPN" > "OpenVPN" > "Clients" menu in the menu bar
That isn't how privileges and menu entries work. The menu has no means by which it can know about access to other tab... Jim Pingle
02:34 AM Bug #9503 (Not a Bug): Granting "WebCfg - OpenVPN: Clients" privilege does not display the "VPN" > "OpenVPN" > "Clients" menu in the menu bar
Hi,
I granted a user the "WebCfg - OpenVPN: Clients" privilege.
He can access the settings typing directly /vpn... Antoine Brodin
07:46 AM Feature #9504: Include hostname being updated in Dynamic DNS notifications
OK sorry, didn't intend to be rude. robi robi
07:45 AM Feature #9504: Include hostname being updated in Dynamic DNS notifications
I was agreeing with you, the attitude is unnecessary. Jim Pingle
07:43 AM Feature #9504: Include hostname being updated in Dynamic DNS notifications
Perhaps???
On WAN1 we have 7 different hostnames, on WAN2 we have 3 different hostnames. Sometimes we need to chan... robi robi
07:33 AM Feature #9504: Include hostname being updated in Dynamic DNS notifications
The text could be a little more descriptive, perhaps.
The messages are already grouped. If multiple messages fire ... Jim Pingle
07:17 AM Feature #9504 (Resolved): Include hostname being updated in Dynamic DNS notifications
We have multiple Dynamic DNSes set up for multiple interfaces. Several WANs, each with several Dynamic DNS entries. W... robi robi
07:45 AM Bug #9505: Multiple Dynamic DNS update notifications for the same interface, with the same text
10 seconds? Aaaahhh....
OK robi robi
07:41 AM Bug #9505: Multiple Dynamic DNS update notifications for the same interface, with the same text
It works fine, I get multiple grouped messages every day for various things when testing. The window is 10s. If you w... Jim Pingle
07:40 AM Bug #9505: Multiple Dynamic DNS update notifications for the same interface, with the same text
Unfortunately grouping doesn't work correctly then. All events happen withing 20 seconds or so, and we get separate m... robi robi
07:35 AM Bug #9505: Multiple Dynamic DNS update notifications for the same interface, with the same text
See my comments on the other message, then. There is already code to handle that. Either this is a duplicate or it's ... Jim Pingle
07:31 AM Bug #9505: Multiple Dynamic DNS update notifications for the same interface, with the same text
I wouldn't say this is a duplicate, because this bug is about sending too many messages after each other about (almos... robi robi
07:25 AM Bug #9505 (Duplicate): Multiple Dynamic DNS update notifications for the same interface, with the same text
Duplicate of #9504 Jim Pingle
07:19 AM Bug #9505 (Duplicate): Multiple Dynamic DNS update notifications for the same interface, with the same text
We have multiple Dynamic DNSes set up for the same interface. Whenever an update happens, we get as many e-mails as m... robi robi
07:27 AM Bug #9506 (Duplicate): Dynamic DNS update notification sent even if IP address didn't change
pfSense sends Dynamic DNS update notifications even in the cases when IP address doesn't change.
For some reason, th... robi robi

05/06/2019

09:54 PM pfSense Packages Bug #9502 (Not a Bug): ACME's XMLRPC restart of remote webgui sometimes retains old certificates
I have two hosts using HA syncing to push the certificate store from host1 (primary) to host2 (backup). ACME renewal ... Mike Barnes
01:02 PM pfSense Packages Bug #9492 (Feedback): Cannot reload remote haproxy via ACME package
Give 0.5.7 a try when it shows up shortly. It should work. Jim Pingle
02:27 AM pfSense Packages Bug #9492: Cannot reload remote haproxy via ACME package
OK, thanks, I was highly optimistic about having found a probable cause for a minute there, but I guess I get to go b... Mike Barnes
02:00 AM pfSense Packages Bug #9492: Cannot reload remote haproxy via ACME package
I does not affect the webgui because it uses another xmlrpc call. It affects every normal service though. I could als... Florian Apolloner
01:02 PM pfSense Packages Feature #9498 (Feedback): ACME Package: Sorting on name, expiration, etc
ACME pkg 0.5.7 now has search and sorting. Jim Pingle
10:31 AM Todo #9501: turn off form autocompletion on OpenVPN client config page (maybe the whole web interface)
Not effectively, because they also key off the form field labels, and then it becomes a never-ending whack-a-mole of ... Jim Pingle
10:18 AM Todo #9501: turn off form autocompletion on OpenVPN client config page (maybe the whole web interface)
Sorry, should have done my homework first.
https://stackoverflow.com/questions/15738259/disabling-chrome-autofill
... Corey Boyle
09:29 AM Todo #9501 (Not a Bug): turn off form autocompletion on OpenVPN client config page (maybe the whole web interface)
Browsers no longer respect autocomplete settings in HTML. We can set the tags, but browsers and password manager plug... Jim Pingle
08:48 AM Todo #9501 (Not a Bug): turn off form autocompletion on OpenVPN client config page (maybe the whole web interface)
Some of the fields (usually the proxy info) will get autofilled by the browser with random data.
 Corey Boyle

05/05/2019

08:15 PM pfSense Packages Bug #9492: Cannot reload remote haproxy via ACME package
Would this affect more than just haproxy? This fits a failure to restart the webui on a remote system that occurred f... Mike Barnes

05/04/2019

08:51 AM pfSense Packages Bug #9500 (New): HAproxy does not delete non-applicable action config
The steps to reproduce this are:
# Create a HAproxy frontend
# Create an action and populate its options
# Expor... Greg Toombs

05/03/2019

07:25 PM Revision 41c9fac8: Encode output in status_filter_reload.php. Fixes #9499
(cherry picked from commit 1af9400d594cd183d011f22fa9b3a7630570a250) Jim Pingle
07:24 PM Revision 1af9400d: Encode output in status_filter_reload.php. Fixes #9499
Jim Pingle
02:30 PM Bug #9499 (Feedback): Potential XSS in status_filter_reload.php via NAT rule description
Applied in changeset commit:1af9400d594cd183d011f22fa9b3a7630570a250. Jim Pingle
02:24 PM Bug #9499 (Resolved): Potential XSS in status_filter_reload.php via NAT rule description
status_filter_reload.php does not encode the output before display, so user-entered free-form text such as rule descr... Jim Pingle
01:29 PM Revision 42d32909: Init array before use
Jim Pingle
01:29 PM Revision 89c1390a: Init array before use
(cherry picked from commit a8a0b1321d2a477772aac4d0034d819b61f2c9bf) Jim Pingle
01:20 PM pfSense Packages Bug #9355: Telegraf Package - https for InfluxDB Server
https is working for me: https://maxammann.org/posts/2019/05/pfsense-telegraf-letsencrypt/ Max Ammann
01:54 AM pfSense Packages Bug #9211: GeoIP broken in pfSense-pkg-ntopng-0.8.13_3
Mark Vejvoda wrote:
> I got this working on my SG-3100 by copying files from:
>
> https://centminmod.com/centminm... Tj Ng

05/02/2019

09:50 PM pfSense Packages Bug #9211: GeoIP broken in pfSense-pkg-ntopng-0.8.13_3
I got this working on my SG-3100 by copying files from:
https://centminmod.com/centminmodparts/geoip-legacy/
to... Mark Vejvoda
05:52 PM pfSense Packages Feature #9498: ACME Package: Sorting on name, expiration, etc
The ACME package has been working flawless for me now, for well over a year, I've migrated all of my ACME certs to it... Dan Thunder
05:44 PM pfSense Packages Feature #9498 (Resolved): ACME Package: Sorting on name, expiration, etc

The ACME package has been working flawless for me now, for well over a year, I've migrated all of my ACME certs t... Dan Thunder

05/01/2019

02:58 PM pfSense Packages Bug #9492 (Assigned): Cannot reload remote haproxy via ACME package
Yeah, you're right. I didn't have a setup to test that handy, but it would have to come earlier. I'll come up with a ... Jim Pingle
02:51 PM pfSense Packages Bug #9492: Cannot reload remote haproxy via ACME package
Jim Pingle wrote:
> Fixed in ACME pkg v0.5.6
I just tried this and it still throws an error, to the best of my un... Florian Apolloner
10:52 AM pfSense Packages Bug #9492 (Feedback): Cannot reload remote haproxy via ACME package
Fixed in ACME pkg v0.5.6 Jim Pingle
10:54 AM pfSense Packages Bug #9368 (Resolved): ACME certificates cannot have more than ~35 SAN entries due to input variable limits
Jim Pingle
10:54 AM pfSense Packages Feature #8613 (Resolved): pfSense-pkg-acme: acme_certificates_edit.php - Add support for --challenge-alias acme.sh flag
Jim Pingle
10:54 AM pfSense Packages Feature #8490 (Resolved): pfSense-pkg-acme: acme_certificates_edit.php - Add ability to specify (vs generate) private key
Jim Pingle
10:53 AM pfSense Packages Feature #8211 (Resolved): ACME cron job <- log activity
Jim Pingle
10:52 AM pfSense Packages Bug #9340 (Feedback): Buypass CA does not support wildcard
Fixed in ACME pkg v0.5.6 Jim Pingle
10:14 AM pfSense Packages Bug #9495: AWS VPC VPN wizard produces incorrect config (SHA256 should be SHA1)
So far I have been unable to replicate this.
Tested with a 7100 and 1100 against us-west-2 and us-east-2 using AWS W... Steve Wheeler
10:06 AM pfSense Packages Bug #9497: AWS VPN Wizard: WebGUI times out.
When you apply the settings at step 3 the GUI times out. If you check AWS suring that time the Virtual Private Gatewa... Steve Wheeler

04/30/2019

01:42 PM pfSense Packages Bug #9497 (New): AWS VPN Wizard: WebGUI times out.
When creating a new VPN using the AWS VPN Wizard the webgui times out at step 3 going to step 4 and also at step 4 go... Steve Wheeler
11:03 AM Feature #9496 (Duplicate): Include the athp(4) driver.
It would be great to get the athp driver into a 2.5 snapshot for testing. Even if it's not loaded by default.
https:... Steve Wheeler
09:53 AM pfSense Packages Bug #9495: AWS VPC VPN wizard produces incorrect config (SHA256 should be SHA1)
Sorry, forgot to add: in looking over the download configuration from AWS, I noticed that it also recommends the Phas... Frank Hecker
09:24 AM pfSense Packages Bug #9495 (New): AWS VPC VPN wizard produces incorrect config (SHA256 should be SHA1)
I was trying to create a site-to-site VPN to my AWS default VPC in the us-west-2 region using the AWS VPC VPN Wizard ... Frank Hecker
07:05 AM Bug #9460 (Resolved): OpenVPN local auth failing due to fcgicli output
Jim Pingle

04/29/2019

10:19 PM Bug #9460: OpenVPN local auth failing due to fcgicli output
OpenVPN auth both local and radius are now functioning for me Jake K
02:00 PM pfSense Docs Correction #9494 (Resolved): Feedback on VPN — IPsec — NAT with IPsec Phase 2 Networks
*Page:* https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html
*Feedback:*
https://docs.netgate.co... Wayne Johnson
11:41 AM Feature #9493 (Closed): XMLRPC Sync to ECMP clusters
That is not what the XMLRPC sync features was designed to do, or to be. It is only intended to be used for two nodes ... Jim Pingle
11:33 AM Feature #9493 (Closed): XMLRPC Sync to ECMP clusters
We scale PFSense by running ECMP though BGP and taking advantage of pfsync to keep up to six firewalls active simulta... Eric Houston
08:20 AM Bug #9491: Can't create vlans or change interfaces when logged in as AD-User via LLDP
Jim Pingle wrote:
> Almost certainly a problem with your configuration, such as accidentally selecting "Deny Config ... David Teslow
07:54 AM Bug #9491 (Not a Bug): Can't create vlans or change interfaces when logged in as AD-User via LLDP
Almost certainly a problem with your configuration, such as accidentally selecting "Deny Config Write" on the group f... Jim Pingle
06:23 AM Bug #9491: Can't create vlans or change interfaces when logged in as AD-User via LLDP
Sorry i ment LDAP in the subjects field not LLDP. David Teslow
04:59 AM Bug #9491 (Not a Bug): Can't create vlans or change interfaces when logged in as AD-User via LLDP
Hello pfSense Team,
as described in the subject that pretty much the problem that i noticed.
Create a vlan and pr... David Teslow
07:53 AM Feature #8602 (Resolved): DNS over TLS host verification
Jim Pingle
07:53 AM Bug #9446 (Resolved): Filter reload error with NAT reflection enabled
Jim Pingle
07:52 AM Bug #9470 (Resolved): unbound remotecontrol.conf not rewritten when the file is empty
Jim Pingle
07:52 AM Feature #9412 (Resolved): Add sorting and search/filtering to CA/Certificates
Jim Pingle
06:33 AM Bug #9488: No console when booting CE Memstick UEFI.
The ISO image behaves exactly the same. There is no output after root is mounted other than the interface state chang... Steve Wheeler
06:04 AM Bug #9488: No console when booting CE Memstick UEFI.
ISO image is hybrid and can be used to boot using a flash drive. Can you try it to see if the results are the same? Renato Botelho
05:20 AM pfSense Packages Bug #9492: Cannot reload remote haproxy via ACME package
If I replace:... Florian Apolloner
05:14 AM pfSense Packages Bug #9492 (Resolved): Cannot reload remote haproxy via ACME package
The acme instance cannot restart a remote haproxy service. I looked at the code and found this snippet: https://githu... Florian Apolloner

04/28/2019

11:49 PM Feature #8602: DNS over TLS host verification
Similar results here. Mismatched FQDN for the server results in a certificate verify error for unbound:
Apr 29 04:48... Chris Linstruth
11:37 PM Bug #9446: Filter reload error with NAT reflection enabled
Getting parens on that interface. No rule loading errors:
eg. no nat on vtnet0 proto tcp from (vtnet0) to 172.25.236... Chris Linstruth
11:30 PM Bug #9470: unbound remotecontrol.conf not rewritten when the file is empty
Looks good here. cp /dev/null /var/etc/unbound.conf then a save of the unbound configuration populated the file. Chris Linstruth
11:25 PM Feature #9412: Add sorting and search/filtering to CA/Certificates
This looks great to me. Searching and column sorting work. Chris Linstruth
10:13 PM Bug #9490 (Not a Bug): PFSense fails to mount drives under KVM/QEMU
Nothing for pfSense to do there. That's all between FreeBSD and your hypervisor. Maybe choosing a different partition... Jim Pingle
09:29 PM Bug #9490 (Not a Bug): PFSense fails to mount drives under KVM/QEMU
I'm not sure if this is relevant to the pfsense code itself, but caught me this afternoon so will pass along for refe... B C
09:53 PM pfSense Packages Bug #9211: GeoIP broken in pfSense-pkg-ntopng-0.8.13_3
Looks like it :(. Anybody knows how to do a quick workaround and install 3.8 manually? or can I download the old vers... Tj Ng
07:30 PM Bug #9489 (Not a Bug): pfsense with ha closing sessions when apply any rule, xmlrpc erros are shown
You have a configuration error, probably a down gateway triggering state killing. Keep the discussion on the forum. Jim Pingle
07:05 PM Bug #9489 (Not a Bug): pfsense with ha closing sessions when apply any rule, xmlrpc erros are shown
Cloned from:
https://forum.netgate.com/topic/131916/pfsense-with-ha-closing-sessions-when-apply-any-rule
On XG-71... Daniele Palumbo
05:32 PM Bug #8235: The browser must support cookies to login
I'm getting affected by this as well, under similar circumstances.
Jim Pingle wrote:
> Does the same thing happen... Greg Toombs
07:50 AM Bug #9488 (Resolved): No console when booting CE Memstick UEFI.
Testing 2.5 snapshots. When booting the VGA Memstick image as UEFI there is no usable console presented.
This appl... Steve Wheeler

04/27/2019

12:33 PM Bug #8987: Web GUI main page very slow to load if wan interface is enabled but not connected.
I currently have a DNS server configured in "System->General Setup" and have the DNS Resolver enabled so I can do loo... Rafael Possamai

04/26/2019

06:18 PM Revision b8d74978: Fix #9451: Enable build of zabbix 4.2
Renato Botelho
06:17 PM Revision 30335336: Fix #9451: Enable build of zabbix 4.2
Renato Botelho
05:43 PM Revision 1b5941eb: Remove zabbix 3.2 and 3.4 options
Renato Botelho
05:42 PM Revision f5adb939: Add Zabbix 4.2 config options
(cherry picked from commit 169754517a586b259677025e551b8e972de310e5) Danilo Baio
05:42 PM Revision 92e209a4: Merge pull request #4065 from dbaio/zabbix42
Renato Botelho
01:59 PM pfSense Packages Bug #9487: FRR package sending dual Hello packets on carp (OSPF)
v 2.4.4 FRR 0.2_8 Andres Noriega
01:59 PM pfSense Packages Bug #9487 (Rejected): FRR package sending dual Hello packets on carp (OSPF)
There is not enough information here to identify anything with certainty. Nothing about the versions, your config, et... Jim Pingle
01:56 PM pfSense Packages Bug #9487 (Rejected): FRR package sending dual Hello packets on carp (OSPF)
I have detected FRR package on an OSPF implementation sending hello packets related to the protocol, with 2 ips
car... Andres Noriega
01:31 PM Revision 16975451: Add Zabbix 4.2 config options
Danilo Baio
01:25 PM pfSense Packages Bug #9451 (Feedback): Add Zabbix 4.2 (agent and proxy) packages
Applied in changeset pfsense:commit:30335336358db3bcdc0ede634a4f81b7f3273c7b. Renato Botelho
12:47 PM pfSense Packages Bug #9451: Add Zabbix 4.2 (agent and proxy) packages
PR adding make.conf items was merged and original commit adding 4.2 to ports tree cherry-picked Renato Botelho
01:08 AM pfSense Packages Bug #9451: Add Zabbix 4.2 (agent and proxy) packages
4.2 seems to be available in FreeBSD Ports now. https://www.freebsd.org/cgi/ports.cgi?query=zabbix&stype=all Sebastian Werner
01:16 PM pfSense Packages Bug #9486 (New): ifindex values used for softflowd are incorrect
With this patch, we now pass ifIndex values to softflowd for inclusion in the flow packets:
https://github.com/pfs... Jesse White
08:52 AM Bug #9485 (New): password match error on system_usermanager causes Group membership to be reset.
I went to set the pre-shared key on my own account. In the process, a browser form filler entered my password on the... Wayne Johnson
07:24 AM Bug #9431 (Resolved): Upgrading to 2.5.0 with devel/aws-sdk-php installed fails
Jim Pingle
05:59 AM Bug #9431: Upgrading to 2.5.0 with devel/aws-sdk-php installed fails
It is :)
Thanks! Greg M

04/25/2019

01:21 PM Bug #9484 (Closed): With proper timing on boot dhclient won't be started for WAN without manual intervention
My setup
* Pfsense WAN (igb0) connected directly to ISP modem (configured as bridge)
* Pfesnse LAN (igb1 - with a f... Tomasz K.
07:29 AM Bug #9479 (Duplicate): Alias table not updated when adding new entry
Jim Pingle
02:18 AM Bug #9479: Alias table not updated when adding new entry
Removed FQDN's - it didn't happen. Looks 9296 related. Vladimir Lind
 

Also available in: Atom