I am authoring a new book about pfSense written from scratch. I found various bugs or issues as I read lots of code and used the many interfaces. I will work on adding these to the bug tracker. As I add the bugs to redmine I will link to them with the redmine issue numbers.

A list of my reported issues is here.

For more details about my new book see http://www.reedmedia.net/books/pfsense/ .


BUG: icon for Related log entries for the DHCPv6 Server is for logfile=dhcp but that doesn't match anything specific and shows everything "General".
https://redmine.pfsense.org/issues/6700
BUG: the diag_authentication "related status" icon links to same page :)
https://redmine.pfsense.org/issues/6701 THIS WAS RESOLVED BUT ONLY ONE PART WAS FIXED. SHOULD I OPEN NEW TICKET?
BUG: syntax error in the PHP execution in Command Prompt menu should not cause a crash detection to suggest reporting to pfSense
https://redmine.pfsense.org/issues/6702
BUG: suggestion for Edit File: have the input box carry some description or label like "Path name" or "File name or directory"
https://redmine.pfsense.org/issues/6703
BUG: Edit File "Go to Line" selection box allows negative numbers and line numbers longer than the file contains
https://redmine.pfsense.org/issues/6704
BUG: the diag_routes "Rows to display" is off by one as it includes the header line too. If you choose 10 you would want ten lines of results data to display
https://redmine.pfsense.org/issues/6705
BUG: diag_routes "Use a regular expression to filter IP address or hostnames" actually works to match any field like flags, mtu, netif; I suggest it is kept the way it works and fix the description to not limit to just the address or hostname
https://redmine.pfsense.org/issues/6706
BUG: it appears diag_smart is broken. For example, it has $start_script = "/usr/local/etc/rc.d/smartd.sh"; and it is used once for a stop and start. But that script doesn't exist; it is at /usr/local/etc/rc.d/smartd (no ".sh" at the end). Anyway, I now see the code there is marked with //FIXME. The smartd -M test is used to test the configuration. Also, diag_smart tries to put the email address into /usr/local/etc/smartd.conf, but that file doesn't exist. Then it attempts a HUP of smartd, but that daemon is not running. Also the user interface is not intuitive. I'd suggest it have options to enable the service, and that the "Send test email" button be available even if the email address is not saved; I didn't test, but I think it can be done like: echo /dev/sda -m foo@host -M test | smartd -c - -q onecheck (By the way, it is interesting to have such a detailed disk monitoring service, so it would be just as important to have a network device and network in general monitoring service; I understand sending email may not work, but it could check for some "predictive" failures and send a warning before the network is down.)
https://redmine.pfsense.org/issues/6707
BUG: the diag_sockets.php info says sockstat uses -L when using the -l. It does not use -L, and it does show the loopback addresses (::1 or 127.0.0.0/8). Also, why not use the man page details verbatim, excluding the unnecessary ADDRESS and other UNIX socket documentation?
https://redmine.pfsense.org/issues/6708
BUG: in diag_dump_states.php clicking the Packets or Bytes header for sorting is not intelligent nor intuitive. It doesn't really sort packet counts or bytes considering they may be formatted using acronyms. Also the sort is for just one part, but each has two counts in/out.
THIS APPEARS TO BE FIXED.
BUG: diag_resetstate.php header says "Select States to Reset" but the docs there say "will remove all entries from the corresponding tables". There is nothing to select in this view.
https://redmine.pfsense.org/issues/6709
BUG: diag_resetstate.php if the checkbox is UNchecked, clicking "Reset" still prompts "Are you sure you wish to Reset?" and Okay does nothing. This is not intuitive. Get rid of the checkbox. The pop-up window is good enough.
https://redmine.pfsense.org/issues/6710
BUG: diag_states_summary is not intuitive as each table has two columns with the same "# States" header. The first is for $ipinfo['seen']; and the second is for $protoinfo['seen']; Maybe have the header say "Protocol counts" over the last three fields, or add a documentation line at the top (or bottom) to explain that.
https://redmine.pfsense.org/issues/6711
BUG: services_unbound.php I cannot get any Host Override to be configured with unbound. /var/unbound/host_entries.conf lists my /etc/hosts entries but not my override entries. My config.xml has my details for but I don't see it at all in my /var/unbound settings. I don't see any /etc/inc/unbound.inc code to use it but may be overlooking.
https://redmine.pfsense.org/issues/6712
BUG: be consistent in naming, or add more doc details to the diag_tables page, as custom tables are called "aliases" elsewhere; it also uses the word "database" in some places for table or aliases.
https://redmine.pfsense.org/issues/6713
BUG: diag_tables often says "Date of last update of table is unknown." but the table comments at the same time show the date: last updated 1463027701 (Thu May 12 04:35:01 2016 GMT) (that was for bogons). I assume one is for the local timestamp while the other is the timestamp as provided in the remote's original file, but either way using the same terminology may be confusing, so maybe it should be explained there.
MAYBE FIXED AS I CANNOT SEE THIS ANYMORE
BUG: diag_tables has a "Related status" shortcut for "aliases" that goes to the same diag_tables page. diag_routes and maybe other pages have this too. It was a little misleading to click through it to realize it was not a related page. Suggest comparing the target with the link, as is done for Related settings in shortcuts.inc: if (!empty($link) && ($_SERVER['REQUEST_URI'] != "/{$link}")) { (that worked for me) But maybe there was already a reason this wasn't used? Also see diag_limiter_info.php links to itself. I didn't notice the problem for Related logs, but maybe there too.
Just added to my existing ticket: https://redmine.pfsense.org/issues/6701
BUG: diag_testport
1) it can output the error "Cannot connect to an IPv6 address using IPv4." (and vice-versa). But that is_ipaddrv4 / is_ipaddrv6 check is for IP addresses. The "host" field may be a hostname, so a hostname like ipv6.test-ipv6.com returns only AAAA and doesn't give that "Cannot connect" error. This is misleading. I do understand that the hostname is passed directly to netcat.
2) In addition, diag_testport has confusing documentation about the mix of IPv4 and AAAA, but I can set IP Protocol to IPv6 when I have NO IPv6 and a test will return "successful." Also it uses the word "forced", but IPv4 and IPv6 are the only options, so one must be selected.
3) since the IP Protocol list only has two choices, maybe just display it as radio buttons instead of a drop-down menu.
4) the diag_testport code suggests that -4 or -6 should be used, but that is only done if the host is an IP number and not a hostname. It is interesting that the code has many checks for setting this -4 or -6, but the IP Protocol selection is not even used unless the host is an IP number. If -6 is used on an IPv4 network, even the getaddrinfo() will fail and netcat will indicate that (but diag_testport won't).
5) Actually the IP Protocol selection as a choice makes no sense: diag_testport is smart enough to detect that it is mismatched and smart enough to see an optional sourceip's protocol, so it is smart enough to select the protocol on its own. But if it would honor the ipprotocol for hostnames (not IP numbers), then maybe having that IP Protocol selection is valid.
BUG: diag_testport It may be useful to run netcat with -v and provide that output, like "No route to host" or "Succeeded!".
https://redmine.pfsense.org/issues/6714
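
The diag_testport points above (the protocol choice ignored for hostnames, the misleading mismatch error, the tool being able to pick the family itself) can be shown in a small planner. This is an added example, not pfSense's diag_testport code: plan_testport, resolve_for_family and infer_protocol are this example's own names, the argv layout is its own, and the nc switches (-z, -v, -w, -4, -6, -s) are the FreeBSD/OpenBSD netcat ones. The hostname case goes through getaddrinfo() restricted to the chosen family; IP literals are handled without DNS so the mismatch case is deterministic offline.

```python
"""Planner for a port test of the kind diag_testport runs (added example).

Honours the IP Protocol choice for hostnames as well as IP literals by
resolving in the chosen family first, reports a clear mismatch instead of
silently ignoring the choice, and infers the family when none was chosen.
"""
import ipaddress
import socket

LABEL = {"ipv4": "IPv4", "ipv6": "IPv6"}


def resolve_for_family(host, ipprotocol):
    """Addresses of host in the requested family ('ipv4' or 'ipv6').

    IP literals are classified with ipaddress alone (no DNS, so a literal of
    the wrong family yields [] deterministically); hostnames go through
    getaddrinfo() restricted to that family.
    """
    want_v4 = ipprotocol == "ipv4"
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        return [str(literal)] if (literal.version == 4) == want_v4 else []
    family = socket.AF_INET if want_v4 else socket.AF_INET6
    try:
        infos = socket.getaddrinfo(host, None, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def infer_protocol(host, sourceip):
    """Family to use when none was selected: the source address decides,
    then an IP-literal host, otherwise whatever the hostname resolves to
    (IPv4 tried first). Returns None when nothing resolves."""
    if sourceip:
        return "ipv4" if ipaddress.ip_address(sourceip).version == 4 else "ipv6"
    try:
        return "ipv4" if ipaddress.ip_address(host).version == 4 else "ipv6"
    except ValueError:
        pass
    for proto in ("ipv4", "ipv6"):
        if resolve_for_family(host, proto):
            return proto
    return None


def plan_testport(host, port, ipprotocol=None, sourceip=None, timeout=10):
    """Return ('ok', argv) for one netcat probe, or ('error', message)."""
    try:
        port = int(port)
    except (TypeError, ValueError):
        return ("error", "port must be a number")
    if not 1 <= port <= 65535:
        return ("error", "port out of range")
    if sourceip:
        try:
            ipaddress.ip_address(sourceip)
        except ValueError:
            return ("error", "source address {} is not an IP address".format(sourceip))
    if ipprotocol is None:
        ipprotocol = infer_protocol(host, sourceip)
        if ipprotocol is None:
            return ("error", "{} does not resolve".format(host))
    if ipprotocol not in LABEL:
        return ("error", "IP protocol must be ipv4 or ipv6")
    if sourceip and (ipaddress.ip_address(sourceip).version == 4) != (ipprotocol == "ipv4"):
        return ("error", "source address {} is not an {} address".format(sourceip, LABEL[ipprotocol]))
    addrs = resolve_for_family(host, ipprotocol)
    if not addrs:
        # A hostname with only AAAA (or only A) records now gets the same
        # clear message an IP literal of the wrong family gets.
        return ("error", "{} has no {} address".format(host, LABEL[ipprotocol]))
    argv = ["nc", "-z", "-v", "-w", str(timeout), "-4" if ipprotocol == "ipv4" else "-6"]
    if sourceip:
        argv += ["-s", sourceip]
    argv += [addrs[0], str(port)]
    return ("ok", argv)


if __name__ == "__main__":
    # Constructed inputs using documentation addresses; nothing is connected to.
    for args in (("192.0.2.1", 80, "ipv6"), ("2001:db8::1", 22), ("192.0.2.1", 443, "ipv4", "192.0.2.5")):
        print(args, "->", plan_testport(*args))
```

The planner only builds the argv; running it and surfacing netcat's -v output ("Succeeded!", "No route to host") is the separate suggestion in the next item.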
BUG: diag_traceroute.php misspelling for "number": 'Maximum nuber of hops',
ALREADY FIXED
BUG: diag_traceroute.php the IPv4 traceroute when resolving IPs to hostnames outputs both, but the IPv6 traceroute6 only shows the hostnames and not the address. My suggestion is to use -l for IPv6 when not using -n.
BUG: the max hops for FreeBSD IPv6 traceroute6 is 255, which is the maximum allowed IPv6 "hop limit". Maybe it should allow that? Then again, nginx may time out beyond 64?
https://redmine.pfsense.org/issues/6715

LEFT OFF HERE STILL HAVE MORE TICKETS TO ADD:
BUG: diag_dns.php pressing enter when adding a hostname while "add alias" is the first button will cause the entry to be added as a Firewall Alias even if you just wanted to look it up. In addition, it will add the alias even if it "could not be resolved." My recommendation would be to have the "Lookup" button be the first button.

BUG: SUGGESTION: for the DNS Stuff links in diag_dns could also add links to DNS research and not just the IP

BUG: /etc/inc/dyndns.class comment has "dyns.org" but I think that is dyns.net.

BUG: services_dyndns_edit "Verify SSL peer" checkbox doesn't show its corresponding form label. It is set to "null". I suggest it be set to "HTTP API options". By the way, maybe curl_ssl_verifypeer form should be also called "HTTP API options" as pfsense users shouldn't have to know what "CURL" is.

BUG: services_unbound has a system_domain_local_zone_type type of redirect but does not have the corresponding (second) "local-zone:" line for it that has the different address record. And BUG: related, when the "Redirect" choice is set, unbound crashed with:
Aug 11 08:37:20 unbound 27341:0 error: local-data in redirect zone must reside at top of zone, not at Wireless_Broadband_Router.office IN A 172.16.1.4
Aug 11 08:37:20 unbound 27341:0 fatal error: Could not set up local zones
Aug 11 08:38:01 unbound 58991:0 error: local-data in redirect zone must reside at top of zone, not at Wireless_Broadband_Router.office IN A 172.16.1.4
Aug 11 08:38:01 unbound 58991:0 fatal error: Could not set up local zones
BUT no Notices indicated it and no input errors were detected. When I set System Domain Local Zone Type to Deny or to the default Transparent, I get input errors detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
[1470922977] unbound-checkconf[77900:0] error: local-data in redirect zone must reside at top of zone, not at pfSense.office AAAA fde4:8dba:82e1::
[1470922977] unbound-checkconf[77900:0] fatal error: failed local-zone, local-data configuration
NOTE: it still says "redirect" zone even though using transparent now. config.xml still had: redirect meaning I couldn't change it. I made it so the test subdirectory wasn't removed. I removed my Host Override entry and applied the change and it was successful. The unbound process was still not running, so I clicked the Start Service action icon. The status_services page said "unbound had been started" but then showed "Stopped" status for it below. I used viconfig to remove the bogus system_domain_local_zone_type entry. Then the Start service action worked. I recommend that the "redirect" choice be removed until it can be configured with additional details.

BUG: services_unbound.php has "Register DHCP leases in the DNS Resolver" unchecked by default, but unbound.conf includes dhcpleases_entries.conf, which has them by default. I played with dnsmasq earlier and it started the dhcpleases watcher daemon, and since unbound was enabled it included the unbound configuration setup. When I stopped dnsmasq, even though unbound didn't have it enabled, it still kept running. The bugs: 1) /etc/inc/system.inc should not configure dhcpleases for unbound if unbound's regdhcp is not enabled. 2) stop the dhcpleases daemon when not used. 3) remove the hostnames from DHCP leases in /dhcpleases_entries.conf (see comment "dhcpleases automatically entered") when dhcpleases / regdhcp for unbound is no longer used.

BUG: maybe I am overlooking it, but I don't see any code honoring unbound's regdhcpstatic setting. I do see it for dnsmasq.

BUG: move services_unbound.php custom_options to services_unbound_advanced.php. This is certainly a dangerous feature so move to "Advanced Settings". Also it makes it more obvious that some features are already available via the webConfigurator.

BUG: services_unbound_advanced.php this is a trivial bug here and elsewhere, but checkbox and other form input names are inconsistently ending with or without trailing periods. Also some statements begin with capitalized letter and some don't. Be consistent. While in services_unbound_advanced.php change "0x-20" to "0x20".

BUG: services_unbound_advanced.php has Number of Queries per Thread and a few other tunable descriptions that mention "thread" but the number of threads isn't displayed. Consider showing the value here. In some cases the default is only "1" (disabled) so using this terminology doesn't make sense.

BUG: services_unbound_advanced.php shows Number of Queries per Thread as 512 even though I have /var/unbound/unbound.conf: num-queries-per-thread: 4096, which is the default in ./etc/inc/unbound.inc, so if you save that page it will reset it to 512. Probably 512 is okay, but it shouldn't reset its default.

BUG: services_unbound_acls.php allows an access list rule that doesn't have any name. So if you have no name and no description, then the table view will just show the action with blank fields next to it. So you have edit and delete icons with zero reference to what they are for. This is not intuitive. I recommend that the address/net be listed in the table view to be more obvious. Then you don't need the Access List Name plus a description. I suggest this be simplified. If you don't show the address/net in the table, then require some name or description. In fact, maybe simplify more to just have the description per network and not per rule.

BUG: services_unbound_acls.php and /var/unbound/access_lists.conf access-control:. I don't know if this is a bug in pfSense or in unbound, but from various checks it appears that allow and allow_snoop behave the same. I am able to see the same cached entries with allow and also am able to see the local-data: authoritative (aa) entries from host_entries.conf with allow. According to the docs, allow_snoop is for nonrecursive too, but I see the authoritative data without sending the recursion-desired bit with "allow" too. I cannot get the authoritative data when the DNS Resolver access list is empty, so I can confirm that opens it. If I am checking this wrong, please improve the docs to make it more clear.

BUG: services_unbound_acls.php?act=new has a Delete button for the Networks even if a single entry. But if you click on it, it has popup "You may not delete the last row!" It should not offer a Delete button if it cannot be used. "row" is wrong word for this anyways and is out of context. If you click "Add network" and then on either "Delete" button, both "Delete" buttons will disappear. So that is correct as it shouldn't have a Delete button for a single required entry. Another BUG there is that when you Delete the entry, it will show the text "Network/mask Network/mask" (twice) even though there is only one set of fields for that.

BUG: the unbound Domain Override versus the dnsmasq Domain Override have different behavior. It is a different feature with the same name. Unbound uses forward-zone/forward-addr (it used to use stub-zone), which queries the defined auth server and then returns the record from then on from the resolver cache. This means the unbound answer is not "aa" and the TTL counts down. But for the dnsmasq feature, it is always "aa" authoritative and the TTL never counts down (since dnsmasq re-looks-up the answer in real time each time). Unbound requires that the RD (recursion desired) bit be set to see it, or it is REFUSED. dnsmasq doesn't refuse it if RD is not set. These are two very different implementations, but they have the same "Domain Override" name. Either clearly document this, or optionally also change the names of these pfSense features. By the way, the code in /etc/inc/unbound.inc still has a comment about stub-addr, and maybe the comment should say forward-addr instead.
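
The checks behind the two notes above (allow versus allow_snoop in the access list, and the aa/TTL/RD differences between the unbound and dnsmasq Domain Overrides) come down to sending the same question with the RD bit set and cleared and reading the reply flags. This added example is not pfSense or unbound code: it builds a raw DNS query, sends it over UDP to a resolver you name, and summarises rcode, the AA flag and the answer TTLs. The function names are its own, and the two embedded replies are constructed so the parser can be exercised without a resolver.

```python
"""Probe a resolver with and without RD and report rcode, AA and TTLs
(added example; not pfSense or unbound code)."""
import socket
import struct

TXID = 0x1234  # fixed transaction id; fine for a one-shot diagnostic


def build_query(name, qtype=1, rd=True, txid=TXID):
    """Minimal DNS query: one question, class IN, RD the only flag set."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(pkt, off):
    """Offset just past a name that may end in a compression pointer."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(pkt):
    """Header flags plus the TTL of every answer-section record."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        ttls.append(ttl)
        off += 10 + rdlen
    return {"id": txid, "rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "ttls": ttls}


RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def describe(parsed):
    """One-line summary in the terms the note uses (rcode, aa, TTLs)."""
    return "{} aa={} ttls={}".format(RCODES.get(parsed["rcode"], parsed["rcode"]),
                                     parsed["aa"], parsed["ttls"])


def probe(server, name, rd, timeout=2.0):
    """Send one query to server:53 over UDP and parse the reply."""
    query = build_query(name, rd=rd)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(4096)
    parsed = parse_response(reply)
    if parsed["id"] != TXID:
        raise ValueError("transaction id mismatch")
    return parsed


# Constructed replies for offline checks: an authoritative answer for
# www.example.test (AA set, TTL 3600, 10.0.0.1) and a REFUSED reply to the
# same question, the two shapes the note contrasts.
_QUESTION = b"\x03www\x07example\x04test\x00\x00\x01\x00\x01"
AUTH_REPLY = (struct.pack("!HHHHHH", TXID, 0x8400, 1, 1, 0, 0) + _QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([10, 0, 0, 1]))
REFUSED_REPLY = struct.pack("!HHHHHH", TXID, 0x8005, 1, 0, 0, 0) + _QUESTION


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <resolver address> <name>; the resolver address
    # (for instance the firewall's LAN address) is whatever you are testing.
    server, name = sys.argv[1], sys.argv[2]
    for rd in (True, False):
        print("RD={}: {}".format(rd, describe(probe(server, name, rd))))
```

Run it twice a few seconds apart against a name under an unbound Domain Override and the TTLs shrink while aa stays False; against dnsmasq the TTL is constant and aa is True. With RD cleared, an unbound access list set to allow should answer REFUSED and one set to allow_snoop should answer, which is the difference the access-list note was trying to confirm.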

BUG: services_unbound_domainoverride_edit.php "e.g.: testormycompany.localdomainor1.168.192.in-addr.arpa" I assume spaces were meant for the three examples in that Form_Input description, like "e.g.: test or mycompany.localdomain or 1.168.192.in-addr.arpa"

BUG: dnsmasq - does it make any sense to use --strict-order (strict_order option) with pfsense's default --all-servers ? maybe the /etc/inc/services.inc conditional should have an "else" to set --all-servers

BUG: services_dnsmasq says "Entries in this section override individual results from the forwarders. Use these for changing DNS results" , but the forwarders aren't queried for these overrides nor does it change DNS results. In the case with Host Overrides, it is simply an authoritative server. I verified this with tcpdump :)

BUG: services_dnsmasq doesn't have a delete icon for a Hosts Override alias entry, please add that. And another related BUG: in services_dnsmasq_edit, clicking Delete on a single alias (additional name) causes a pop-up "You may not delete the last row!". Please allow removing it. And a third BUG: if you delete the parent Hosts Override entry via the delete icon in the table, it will also remove its aliases (additional names); I suggest that it keep them, since this is not obvious.

BUG: services_dnsmasq_edit.php is overly strict. It uses is_unqualified_hostname() which doesn't allow a period, so cannot use hostname "foo.bar" and domain "tld" and will error with "A valid hostname is specified, but the domain name part should be omitted". Same thing with the "Additional Names" alias.

BUG: in services_dnsmasq_edit.php if you click "Add Host Name" under "Additional Names for this Host" and save, it will error about the empty field: "The field Alias Domain is required." The workaround is to click the "Delete" button for that new empty field. It should just ignore the entry if all fields are empty.

BUG: the services_dnsmasq Host Overrides are misleading since they have different fields for Host and Domain, so someone may configure "www" with "apple.com" and "www" with "ibm.com", and then "www" will be resolved in DNS as a round-robin with both addresses returned. Also the first match, based on alphabetical order, will be returned for gethostbyname-type lookups using the /etc/hosts database. In other words, an admin adding an entirely different DNS label to the Host Overrides that has the same first "Host" part will break the other entry. My recommendation is to get rid of the "Host" part and just have a single "DNS name" field; if someone wants the old behaviour they can still add additional entries for it.
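
The collision described above is easy to miss in the Host Overrides table, so a lint over the entries is the check a practitioner would want before applying them. This is an added example, not pfSense code: entries are modelled as (host, domain, address) the way the form collects them, the rendered lines follow the "address fqdn host" layout of an /etc/hosts file, and the lookup model (a bare label answered by every matching line in DNS, a gethostbyname-style lookup answered by the first matching line in sorted order) is this example's assumption about the behaviour the note describes. The sample entries are constructed.

```python
"""Lint Host Override entries for bare-label collisions (added example)."""
from collections import defaultdict


def render_hosts_lines(entries):
    """One /etc/hosts-style line per entry, sorted by FQDN (assumed order)."""
    rows = sorted(entries, key=lambda e: "{}.{}".format(e[0], e[1]).lower())
    return ["{} {}.{} {}".format(ip, host, domain, host) for host, domain, ip in rows]


def dns_answers_for(entries, label):
    """Every address a bare-label DNS query would collect (the round-robin set)."""
    return [ip for host, _domain, ip in entries if host.lower() == label.lower()]


def gethostbyname_model(entries, label):
    """Address a /etc/hosts lookup returns: the first matching line in file order."""
    for line in render_hosts_lines(entries):
        ip, *names = line.split()
        if label.lower() in (n.lower() for n in names):
            return ip
    return None


def find_short_name_collisions(entries):
    """{label: [(fqdn, ip), ...]} for labels reused under more than one domain."""
    by_label = defaultdict(list)
    for host, domain, ip in entries:
        by_label[host.lower()].append(("{}.{}".format(host, domain).lower(), ip))
    return {label: sorted(rows) for label, rows in by_label.items()
            if len({fqdn for fqdn, _ in rows}) > 1}


def lint_report(entries):
    """Human-readable warnings, one per colliding label."""
    report = []
    for label, rows in sorted(find_short_name_collisions(entries).items()):
        fqdns = ", ".join(fqdn for fqdn, _ in rows)
        report.append('"{}" is shared by {}; the bare name resolves to {} in DNS '
                      'and to {} via /etc/hosts'.format(label, fqdns,
                                                        dns_answers_for(entries, label),
                                                        gethostbyname_model(entries, label)))
    return report


# Constructed sample: the situation in the note (two "www" hosts under
# different domains) plus a third entry that does not collide.
SAMPLE = [
    ("www", "ibm.example", "192.0.2.2"),
    ("www", "apple.example", "192.0.2.1"),
    ("mail", "apple.example", "192.0.2.3"),
]

if __name__ == "__main__":
    print("\n".join(render_hosts_lines(SAMPLE)))
    for warning in lint_report(SAMPLE):
        print("WARNING:", warning)
```

On the sample, "www" is flagged: DNS would hand out both 192.0.2.1 and 192.0.2.2, while a local /etc/hosts lookup silently picks 192.0.2.1 because www.apple.example sorts first.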

BUG: services_dnsmasq_domainoverride_edit mentions "#" (pound sign) for the dnsmasq special server address to forward as usual. But the gui interface won't accept it and says "Please match the requested format." I assume it is because it is using Form_IpAddress. Same thing for "!" to not forward. It won't let it Save.

BUG: services_dnsmasq_domainoverride_edit maybe Source IP should use a Form_Select of interfaces such as done in services_dnsmasq. If not, then better explain this here.

BUG: services_dnsmasq_domainoverride_edit.php Domain Override doesn't require the "Apply Changes" button to be used when Saved and automatically restarts dnsmasq with the --server and --rebind-domain-ok switches. This is different behavior versus the Host Overrides and other Forwarder options which, when Saved, indicate changes must be applied to take effect.

BUG: services_dnsmasq.php or related ... the DNS overrides will not be placed into /etc/hosts until the "Enable DNS forwarder" is set. But if the "Enable DNS forwarder" is unchecked, saved and applied, the entries will stay in the /etc/hosts file - no dnsmasq will be running but local programs like ping will still have access to them. This is inconsistent - either put them into /etc/hosts regardless, or remove from /etc/hosts if dnsmasq is not enabled.

BUG: I saw multiple sentences and paragraphs in the interface that were verbatim from the pf.conf manual; the license.php page should list the copyright and license

BUG: document why pfsense_default_state_size() assumes each state is 10 kB in size?

BUG: nowhere else in the code, dead code? $ipseccfg['dns-interval'] see dns-interval for similar config

BUG: just for the code in /etc/inc/filter.inc: s/ftp_proxy_entry/tftp_proxy_entry/ because it is TFTP, not FTP (no behavior change). By the way, why does xinetd listen on port 6969 and fork tftp-proxy by default, even if not used? xinetd logs about "readjusting" this every 15 minutes even if not used.

BUG: no choices for video font, screenmap, or keymap, so just continue by selecting "Accept these Settings" by using down arrow a few times and press Enter.

BUG: the "Are you sure?" menu says to choose Custom Installation from the Main Menu. But if you come here from Recovery, neither that main menu nor Custom Installation has been seen before.

BUG: pressing F10 in the Custom Install menus didn't "Refresh Display" as shown in the top line, but went to previous menu. Pressing it repeatedly keeps going to previous menu until out of the Custom Install. Also F1 for help in some menus simply goes back to previous step too.

BUG: the capacity for swap by default may have so many places after the fractional megabyte decimal that you cannot see size at one time; the cursor confusingly scrolls through it. I recommend just displaying it with no fractional amount.

BUG: why untar the kernel from the CD if it already was copied to the /mnt disk?
tar xzpf /kernels/kernel_*SMP*.gz -C /mnt/boot/
why not just untar it from /mnt:
tar xzpf /mnt/kernels/kernel_*SMP*.gz -C /mnt/boot/

BUG: why does /etc/rmt link to the non-existent /usr/sbin/rmt ?

BUG: using exec sh causes exit from shell to also close the ssh: Enter an option: read: read error: Input/output error

BUG: ctrl-c in the Developer Shell shouldn't exit ssh session

BUG: /usr/local/sbin/pfSsh.php contains $tccommands[] = "master"; $tccommands[] = "RELENG_1_2"; but this code is unused; also, what uses tccommands?

BUG: in pfSsh = does nothing as the currentline is replaced

BUG: all exclamation marks are escaped if first character has it

BUG: listpkg Warning: Invalid argument supplied for foreach() in /usr/local/sbin/pfSsh.php(345) : eval()'d code on line 11

BUG: name is inconsistent: why disabled vs disable?

BUG: this config name and script name is used primarily for different purpose than it is named for

BUG: why does it do this twice:
unset($config["interfaces"]["wan"]["blockbogons"]);
unlink_if_exists("/tmp/config.cache");
...
unlink_if_exists("/tmp/config.cache");
unset($config['interfaces']['wan']['blockbogons']);

BUG: cannot run twice since Cannot redeclare get_boot_disk() via the include of /etc/ecl.php

BUG: can this even work?
$locations_to_check = array("/", "/config");
foreach ($locations_to_check as $ltc) {
    $tocheck = "/tmp/mnt/cf{$ltc}config.xml";
This checks for /tmp/mnt/cf/config.xml and /tmp/mnt/cf/configconfig.xml, but the file would be at /tmp/mnt/cf/conf/config.xml

BUG: also get_boot_disk and get_swap_disks don't work since modern systems use ufsid labels but later try to compare with device names

BUG: does not work, references an array that doesn't exist:
Playback of file listpkg started.
Installed packages:
Warning: Invalid argument supplied for foreach() in /usr/local/sbin/pfSsh.php(345) : eval()'d code on line 11
I checked with:
if (!is_array($config['installedpackages']['package'])) { echo "not an array\n"; return; }

BUG: cannot run twice in the developer shell since Cannot redeclare usage()

BUG: the traffic_shaper_wizard_dedicated.xml scheduler types drop-down are marked as "Local interface" and "WAN interface". Change to also say "Schedule Type". While there note that "interface" is started with lowercase "i" in some uses and uppercase "I" in other uses. Also maybe add "speed" or "rate" and maybe "measurement" or "units" for the upload and download parameters.

BUG: minor bug; the traffic_shaper_wizard_dedicated.xml page has both Penalty Box and PenaltyBox (no space); be consistent?

BUG: the traffic_shaper_wizard_dedicated.xml doesn't have a check to make sure at least the P2P catchall or a specific protocol is selected

BUG: minor bug, the traffic_shaper_wizard_dedicated.xml P2P page has a mix of "Peer to Peer" (no dashes), "Peer-to-Peer", "p2p" (lowercase) and "P2P"; be consistent?

BUG: the traffic_shaper_wizard_dedicated.xml "other Applications" says "raise or lower ... higher than most". That grammar of "lower... higher" doesn't read well. Maybe just end the sentence at "protocols."

BUG: the Traffic Shaper / Limiters page has the "By Interface" info help that is about tree, queues, buttons. But there is no "tree" by default. Also maybe "queues" should be called "Limiters". Maybe from /etc/inc/shaper.inc

BUG: Click "here" was broken for me on the installation wizard screen, since it didn't have my port number. But I can click on the logo to get to the default Dashboard display.

BUG: config is called DNS Forwarder but it is not a DNS Forwarder; tcpdump showed it doing recursive resolution starting at the gtld-servers and not using any forwarder


BUG: firewall_shaper_vinterface.php action item should link to diag_limiter_info.php for Related Status. And the diag_limiter_info.php should NOT have a Related status action item pointing to itself.