I authored a new book
about pfSense written from scratch.
I found various bugs or issues as I read lots of code and used the
many interfaces.
I may work on adding these to the bug tracker.
As I add the bugs to redmine I will link to them with the redmine
issue numbers.
Also I noticed a few were already fixed, so I mention that
here but don't report them.
A list of my reported issues is
here.
For more details about my new book see
http://www.reedmedia.net/books/pfsense/ .
How much time does it take to fix a software bug? A common average
estimate is 1.5 days. Even a minor bug takes communication time,
code checkout, verification, code test, fix, run tests, peer-review,
changelog, back-and-forth feedback to reporter, etc. Sadly, I don't have the time to
report let alone fix all these 350+ pfSense bugs:
May 2019 Version: 2.4.4-p1 /etc/inc/acb.inc
The config upload service to
https://acb.netgate.com/save
has
curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 0);
hardcoded.
That zero means that curl doesn't care about the
authenticity of acb.netgate.com's certificate.
Maybe a bad precedent for uploads.
The services_acb.php routines do verify.
(The test_connection code does verify the peer,
so this is inconsistent.
There is no user interface for testconnection
and acb_custom_php_validation_command, so I assume those are for dev
use only.)
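The insecure setting described above, beside the hardened form, as an added example (not pfSense's acb.inc code). The upload URL is the one the page names; the POST payload is a constructed placeholder.

```php
<?php
// Added example, not pfSense code: the weak curl setting described above
// beside the verified form. $post is a constructed placeholder payload.

function acb_curl_insecure($url, array $post) {
    $curl_session = curl_init($url);
    curl_setopt($curl_session, CURLOPT_POST, 1);
    curl_setopt($curl_session, CURLOPT_POSTFIELDS, $post);
    // As found in acb.inc: the server certificate chain is never checked,
    // so any TLS endpoint that answers for the name is accepted and the
    // encrypted backup is handed to it.
    curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 0);
    return $curl_session;
}

function acb_curl_verified($url, array $post) {
    $curl_session = curl_init($url);
    curl_setopt($curl_session, CURLOPT_POST, 1);
    curl_setopt($curl_session, CURLOPT_POSTFIELDS, $post);
    // Hardened: validate the chain against the CA bundle and require the
    // certificate to match the host in the URL (2 = check CN/SAN).
    curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($curl_session, CURLOPT_SSL_VERIFYHOST, 2);
    // Optional: name the trust store explicitly instead of relying on the
    // library default (path is an assumption for FreeBSD's ca_root_nss).
    // curl_setopt($curl_session, CURLOPT_CAINFO, '/usr/local/share/certs/ca-root-nss.crt');
    return $curl_session;
}

// Usage: both handles post the same constructed payload to the page's URL;
// only the second refuses a certificate that does not validate.
$payload = array('hostname' => 'fw.example.invalid', 'data' => 'constructed');
$insecure = acb_curl_insecure('https://acb.netgate.com/save', $payload);
$verified = acb_curl_verified('https://acb.netgate.com/save', $payload);
```

A quick consistency check across the tree is `grep -rn 'CURLOPT_SSL_VERIFYPEER, *0' /etc/inc /usr/local/www`, which surfaces every call site that disables verification so they can be compared against the ones that do verify.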
May 2019 Version: 2.4.4-p1 /etc/inc/acb.inc
If the upload results in HTTP 500,
it links to
/pkg_edit.php?xml=autoconfigbackup.xml&id=0
but this is not a package anymore; it is part of official pfSense.
May 2019 Version: 2.4.4-p1 /etc/inc/acb.inc
The comment says the firewall identifier is an MD5 "has" (sic),
but the code below shows it is sha256.
Fix the code or fix the comment.
I suspect sha256 is what you want.
Also change "has" to "hash".
May 2019 Version: 2.4.4-p1 services_acb.php
says "the encryption key is neither transmitted, nor known outside
of the firewall" but this is misleading.
It may be part of the configuration itself.
No security issue with that since the encryption key is encrypted.
May 2019 Version: 2.4.4-p1 services_acb.php
dead code for "myhostname" (see "my")
May 2019 Version: 2.4.4-p1 services_acb_backup.php
My settings have enabled unchecked but I do have an encryption_password.
Backup now: Backup button results in "Backup completed successfully."
displayed.
But the upload_config() code checks for it to be enabled.
("Do noting ... when not enabled".)
It was not successful. Nothing happened.
The logs show that it didn't happen.
And the "Restore" tab shows there is no new backup.
Also when the encryption_password is not set, the acb.inc code
to mention that didn't result in anything as the log_error and
file_notice are commented out.
Again Backup Now says "successful" but I have no encryption_password
in config.xml.
Also maybe consider having a frequency Form_MultiCheckboxGroup
option for manual only. I see the code is commented out.
Jan 2018 Version: 2.3.3 /etc/inc/captiveportal.inc
the line
<tr><td colspan="2"><center>{$translated_text2}</td></tr>
is missing the closing </center> tag; Firefox may not display it
centered and its view source flags this error.
Jan 2019 Version: 2.4.3 /etc/inc/captiveportal.inc
portal_allow() uses $_POST['replacemacpassthru']
but I don't see any form that provides "replacemacpassthru".
FIXED: Jan 2018 Version: 2.3.3 captive portal
passthrumacaddusername doesn't auto-add without
passthrumacadd also checked.
If passthrumacadd is not checked but passthrumacaddusername is
checked, the captive portal doesn't load.
While it is documented, maybe the passthrumacaddusername
checkbox should not even be allowed to be checked by itself.
NOT FIXED. BUT this was removed in version 2.4.4.
Jan 2019 Version: 2.4.3 services_captiveportal_mac.php
has:
if ($_POST['username']) {
but I cannot find any captive portal related code that submits a field
named "username".
Jan 2019 Version: 2.4.3 captive portal
MAC-based pass-through visitors aren't listed on the
Status - Captive Portal page as logged in
nor in the number of users counter on the zone's page
even if they have working captive portal connectivity.
Jan 2019 Version: 2.4.3 /etc/inc/captiveportal.inc
in captiveportal_configure_zone()
$errtext = str_replace("\$PORTAL_REDIRURL\$", "#PORTAL_REDIRURL#", $errtext);
is followed by
if ($cpcfg['preauthurl']) {
$errtext = str_replace("\$PORTAL_REDIRURL\$", "{$cpcfg['preauthurl']}", $errtext);
How can that $PORTAL_REDIRURL$ still exist if it was just replaced?
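Why the second str_replace() above is dead code, shown as an added example (not pfSense's captiveportal.inc): the first call consumes every occurrence of the placeholder, so the preauthurl branch has nothing left to match. The "fixed" variant assumes the intent was for a configured preauthurl to win over the generic marker; the template string and URL are constructed.

```php
<?php
// Added example, not pfSense code. Demonstrates the ordering problem in
// captiveportal_configure_zone() and one ordering that does substitute.

// Order as found in the page: the placeholder is rewritten to the generic
// marker first, so the preauthurl replace can never find "$PORTAL_REDIRURL$".
function fill_redirurl_original($errtext, $preauthurl) {
    $errtext = str_replace("\$PORTAL_REDIRURL\$", "#PORTAL_REDIRURL#", $errtext);
    if ($preauthurl) {
        // Dead branch: nothing left to replace.
        $errtext = str_replace("\$PORTAL_REDIRURL\$", $preauthurl, $errtext);
    }
    return $errtext;
}

// One ordering that does what the branch appears to intend (assumption):
// use the configured pre-auth URL when present, otherwise fall back to the
// marker that is filled in per request.
function fill_redirurl_fixed($errtext, $preauthurl) {
    $replacement = $preauthurl ? $preauthurl : "#PORTAL_REDIRURL#";
    return str_replace("\$PORTAL_REDIRURL\$", $replacement, $errtext);
}

// Constructed template and pre-auth URL, stand-ins for the zone's error page
// and $cpcfg['preauthurl'].
$template = 'Click <a href="$PORTAL_REDIRURL$">here</a> to continue.';
$preauth  = 'https://portal.example.invalid/terms';

echo fill_redirurl_original($template, $preauth), "\n"; // generic marker, URL never used
echo fill_redirurl_fixed($template, $preauth), "\n";    // configured URL substituted
```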
Jan 2019 Version: 2.4.3 /etc/inc/captiveportal.inc
depending on the context portal_reply_page is called with different
values, so some error / reply pages don't have all the values for
macros. For example some have clientip and some don't.
Jan 2019 Version: 2.4.3 captive portal
Suggestion: have a checkbox option to just use the same template for the
login and error reply page. It does work to use the same template.
Jan 2019 Version: 2.4.3 /etc/inc/captiveportal.inc
Use of the portal_reply_page() function
with type set to "redir" and a message won't use the message.
portal_reply_page($my_redirurl, "redir", "Just redirect the user.");
That message is not used. This is misleading to the developer.
If it is a comment to the developer then just use a comment.
There are other cases where type is set to redir but it is not hardcoded
so maybe okay.
May 2019 Version: 2.4.4-p1 2.2.4 services_captiveportal.php
The grammar for the includeidletime description has mistakes in multiple
places.
"This setting change the stop time that will be send in the Accounting Stop request, when a user get disconnected after exceeding the idle timeout."
This may cause the meaning to be confused.
All the help should be double-checked on this page.
Jan 2018 Version: 2.3.3 using captive portal max rules
I set upload bandwidth to 1 and then I was locked out,
even from the webConfigurator.
Couldn't ping system, but could use console to revert.
I didn't troubleshoot further.
Jan 2018 Version: 2.3.3 captive portal mac blocking.
Why have captive portal login page fields when it says
"This MAC address has been blocked"?
Suggest no welcome line, no input fields, and no submit (Continue) button.
Jan 2018 Version: 2.3.3 captive portal allowed hostnames
Directions both, from, and to all have the same behavior.
Allowing access "to" a destination also opens up
access "from" it, and vice-versa.
The ipfw tables show them in both tables (3 and 4) regardless,
and the rules in /etc/inc/captiveportal.inc allow both directions.
Jan 2018 Version: 2.3.3 status_captiveportal_test.php
if an invalid token or an expired token
is entered on the captive portal test
along with valid tokens, it won't show the "Access granted for ... minutes in total."
line but will show the "Access denied!" line at the bottom of the output
instead. I suggest that if it has valid tokens it should still show the
total minutes and put the access denied message only with the
bad or expired tokens.
Jan 2018 Version: 2.3.3 /status_captiveportal_expire.php
says "Voucher(s) successfully marked." for bogus or unknown entered vouchers.
Aug 2016 Version: 2.3 status_captiveportal.php
SUGGESTION:
show the username in the disconnect popup?
Jan 2018 Version: 2.3.3 captiveportal_disconnect_all()
I used Disconnect All Users from status_captiveportal.php
and the table changed to show 0 (zero) users logged in.
Then the users could use the network without authentication.
To restart I unchecked enable captive portal checkbox, saved,
re-checked and saved.
This Disconnect All Users doesn't do what I would expect
as it opens up full usage. I thought it would make them
authenticate again.
Jan 2018 Version: 2.3.3 various php pages
The ##|*NAME= value doesn't match up to the page's real link naming.
Maybe an audit should be done.
Jan 2018 Version: 2.3.3 captive portal
suggestion: log with captiveportal_syslog when a
zone is disabled.
There are several log lines when enabled, but none when a
captive portal zone is turned off.
Aug 2016 Version: 2.3 services_captiveportal.php
the docs link to
https://172.16.1.1/services_captiveportal_mac.php
but that redirects to
/services_captiveportal_zones.php
What is the _mac page?
Aug 2016 Version: 2.3 FIXED services_captiveportal.php
If you don't select a radio button for Authentication method
it stays empty,
so no authentication is the default
(auth_method is none). Show the radio for it -- that is, show the
default selection. Then clicking Continue should just work. Or,
if you really want this to be selected, make sure the setHelp text says
so. While there, the docs link to services_captiveportal_mac.php
but that redirects to services_captiveportal_zones.php (what is the
_mac page?). Fix links?
https://redmine.pfsense.org/issues/7591
Jan 2018 Version: 2.3.3 /usr/local/libexec/pfSense-upgrade
saw at boot up twice: gnid: not found
(something like that)
Jan 2018 Version: 2.3.3 system_crlmanager.php
Suggest that the "Add or Import CRL" button only be
"Import CA" for non-internal CA
(see that it is importonly already).
Mar 2019 Version: 2.4.3 services_dhcp.php
SUGGEST: add "ip6-address" as a "type" custom option definition.
Mar 2019 Version: 2.4.3 services_dhcp_edit.php and services_dhcp.php
SUGGESTION: these have lots of duplicated code and forms. This
should be simplified to use a single php script or put the shared
code into a single include file.
Sep 2017 Version: 2.3.3
status_dhcp_leases.php
The Leases in Use summary # of leases in use changes based on whether the
"Show all configured leases" button is enabled.
This may be misleading since the column header explanation doesn't change.
I suggest having two columns (that do not change based on the button
at the bottom): # of online leases and total # of leases
Sep 2017 Version: 2.3.3
services_dhcp_relay.php for Destination server
each line has duplicate buttons: Delete Add Delete Add
(and all appear to work the same).
I didn't see this on the IPv6 page, maybe caused by
overriding if I had DHCP enabled already.
Also related: the delete button when there is only one field
will remove the only field, and there is nothing to bring it back,
so you need to reopen the same webpage and enable it again.
Apr 2019 Version: 2.4.3 services_dhcpv6.php
Suggestion: services_dhcp.php has icons to restart and stop the server;
do the same thing for the DHCPv6 page.
Apr 2019 Version: 2.4.3 services_router_advertisements.php
add icons to start and restart radvd and to the logs (router)
Sep 2017 Version: 2.3.3
services_router_advertisements.php?if=lan
should have the warning displayed if interface
does not have an IPv6 static address. It is just a blank page.
This could happen if changes are made and then you have a link
directly to this page.
Also if you go to the same page without the GET argument ?if= on the URI,
it says "Only interfaces configured with a static IP will be shown."
But nothing is shown, so maybe it should have a warning
to be more clear.
Apr 2019 Version: 2.4.3 services_router_advertisements.php
rapreferredlifetime: suggest using the "number" Form_Input method
like the previous field and the following field.
Also the setHelp starts with "Seconds." which is repeated a moment
later. See previous field as a comparison.
Apr 2019 Version: 2.4.3 services_router_advertisements.php
uses Form_IpAddress with 'V6' for the RA Subnets address.
but when saved it is checked with is_alias() for the name
(to know whether to add the bits or not).
It cannot be an alias if it is an IP address.
Apr 2019 Version: 2.4.3 /etc/inc/services.inc
"Use same settings as DHCPv6 server"
The rasamednsasdhcp6 setup is incomplete.
When checked it also doesn't define the DNSSL search list string.
If rasamednsasdhcp6 is checked, it should also use
$dhcpv6ifconf['domain']
and
$dhcpv6ifconf['dnsserverdomainsearchlist']
Jun 2016 Version: 2.3 FIXED services_dhcpv6.php
the icon for Related log entries for the DHCPv6 Server is
for logfile=dhcp, but that doesn't match anything specific and shows
everything "General".
https://redmine.pfsense.org/issues/6700
Mar 2019 Version: 2.4.3 services_dhcpv6.php
it allows a dhcpv6 server configuration without any
interface selected and enabled.
Says "The changes have been applied successfully."
but nothing changed in config.xml.
It did end up in /conf/config.xml.bad
Mar 23 18:19:28 pfSense php-fpm[23877]: /services_dhcpv6.php: XML error: XML_ERR_NAME_REQUIRED at line 243 in /conf/config.xml
See this broken xml:
<dhcpdv6>
...
<>
<range>
...
</>
</dhcpdv6>
Plus it had a <lan> config even though the user interface doesn't show it.
Mar 2019 Version: 2.4.3 services_dhcpv6.php
allowed saving and attempting to enable a DHCPv6 configuration
without even an interface.
The "Enable DHCPv6 server on interface" checkbox didn't even list the
interface name.
The available range was not shown.
I am not using IPv6 but was just experimenting with it.
I happened to have a PPPoE setup for IPv4; the DHCPv6 page listed it
but it was not selected. No message about needing a static IPv6.
The generated config.xml had an empty tag for the interface, <> and </>.
This resulted in XML_ERR_NAME_REQUIRED and config.xml.bad.
FIXED Mar 2019 Version: 2.4.3 /etc/inc/services.inc and ./services_dhcpv6.php
netmask can be defined if OSLRD
but no code uses it for DHCPv6
I see forms removed in 2.4.4-p2.
Mar 2019 Version: 2.4.3 services_dhcpv6.php
the zone primary address for DDNS for DHCPv6 should not require an IPv4
address. If this is an IPv6-only network, please don't force IPv4.
Mar 2019 Version: 2.4.3 services_dhcpv6.php FIXED
bootfile doesn't get into the dhcpd.conf.
And it doesn't look like "Enable Network Booting" checkbox does anything
useful.
Maybe it was from some old code prior to "Display Advanced" for the same?
Notice that /etc/inc/services.inc uses "netboot" while services_dhcpv6.php
doesn't have a knob for netboot.
Looks like the fix is to change shownetboot to netboot.
Mar 2019 Version: 2.4.3 services_dhcpv6.php
code has references to tftp, winsserver, and wins
but there is no form for it for dhcpv6 server like there is for dhcp (v4)
Stale code? Missing feature?
Sep 2017 Version: 2.3.3
services_dhcpv6_relay.php has agentoption
configuration, but the services_dhcrelay6_configure() function in
/etc/inc/services.inc does not use it. (That is fine, because -a and -m
are v4 options.)
Remove this setting from the v6 page.
Apr 2019 Version: 2.4.3 services_dhcpv6_relay.php
if no interfaces have IPv6 then DHCPv6 relay makes no sense
and cannot be configured, since there will be no choices
and "The field Interface is required."
Suggestion: don't allow it to be configured or warn up front
that IPv6 is required.
Apr 2019 Version: 2.4.3 services_dhcpv6_relay.php
has a form to set agentoption
but services_dhcrelay6_configure doesn't use agentoption;
maybe a copy and paste from the old dhcrelay code missed it?
Note this is not the historical dhcrelay with FreeBSD. That was removed.
This is the newer dhcrelay that supports DHCPv6.
That version's -a -m flags are only the DHCPv4 mode.
Jun 2016 Version: 2.3 diag_smart FIXED
it appears that diag_smart is broken.
For example, it has
$start_script = "/usr/local/etc/rc.d/smartd.sh";
and it is used once for a stop and start. But that script
doesn't exist. It is at /usr/local/etc/rc.d/smartd (no ".sh" at end).
Anyway, I now see the code there is marked with //FIXME.
The smartd -M test is used to test configuration.
Also in diag_smart, it tries to put email address into
/usr/local/etc/smartd.conf but that file doesn't exist.
Then it does an attempted HUP of smartd but that daemon is not running.
Also the user interface is not intuitive. I'd suggest it
have options to enable the service,
and that the "Send test email" button should be available even
if the email address is not saved; I didn't test, but I think it
can be done like:
echo /dev/sda -m foo@host -M test | smartd -c - -q onecheck
(By the way, it is interesting to have such a detailed
disk monitoring service, so it would be just as important
to have a network device and network in general monitoring service;
I understand sending email may not work, but it could check
for some "predictive" failures and send warning before network is down.)
*** It may be fixed as this code is now gone. ***
See #6393
https://redmine.pfsense.org/issues/6707
Jun 2019 Version: 2.4.4-p3 diag_smart.php
commit ad477ffafc4491ccc7a9c69686cfdb404e6a7bca
was incomplete,
as it still had the Information and Tests subpage link
even though Config is removed.
See it still has unused code:
pgtitle[] = gettext('Config');
Jun 2019 Version: 2.4.4-p3 diag_smart.php
SUGGESTION: have the Abort, SMART View Logs, Test Results,
and Information pages show the device name on the page.
(The device name is currently selected on previous page
so show it on these output results pages too.)
May 2019 Version: 2.4.4-p1 system_advanced_misc.php
harddiskstandby says "minutes" but the form shows numbers
that look like seconds.
camcontrol standby -t uses seconds.
The opts/vals don't seem right at all for
camcontrol standby -t.
For example, I set it to 90, which resulted in 7.5,
and I have standby state within 10 seconds.
Also I don't see how to revert a change (disable it), as
"Always on" is not numeric, so camcontrol standby is not called.
Value 0 disables the timer.
But I don't see how that is set.
Even after I put it back to "Always on" it was in standby state. So I chose
90 and saved. Then chose Always on and saved. But have:
# while : ; do camcontrol cmd ada0 -a "E5 00 00 00 00 00 00 00 00 00 00 00" -r - ; sleep 1 ; done
50 00 00 00 00 00 00 00 00 FF 00
50 00 00 00 00 00 00 00 00 FF 00
50 00 00 00 00 00 00 00 00 FF 00
50 00 00 00 00 00 00 00 00 FF 00
50 00 00 00 00 00 00 00 00 FF 00
50 00 00 00 00 00 00 00 00 FF 00
50 00 00 00 00 00 00 00 00 FF 00
50 00 00 00 00 00 00 00 00 FF 00
50 00 00 00 00 00 00 00 00 FF 00
50 00 00 00 00 00 00 00 00 FF 00
50 00 00 00 00 00 00 00 00 FF 00
50 00 00 00 00 00 00 00 00 FF 00
50 00 00 00 00 00 00 00 00 00 00
50 00 00 00 00 00 00 00 00 00 00
50 00 00 00 00 00 00 00 00 00 00
50 00 00 00 00 00 00 00 00 00 00
^C
See that field #10 changed from FF (running) to 00 (standby).
I manually turned off with:
camcontrol standby ada0 -t 0
Jun 2016 Version: 2.3 diag_dns.php
pressing enter when adding a hostname, when "Add alias" is the first
button, will cause the entry to be added as a Firewall Alias
even if you just wanted to look it up. In addition, it will
add the alias even if it "could not be resolved." My recommendation would
be to have the "Lookup" button be the first button.
FIXED: Jun 2016 Version: 2.3 diag_dns
SUGGESTION: for the DNS Stuff links in diag_dns could also
add links to DNS research and not just the IP.
Ignore this since those links were removed so no need
to link to anything outside.
Aug 2016 Version: 2.3 services_unbound
has system_domain_local_zone_type type
of redirect but does not have corresponding (second) "local-zone:" line
for it that has the different address record.
And related, when the "Redirect" choice is set unbound crashed with:
Aug 11 08:37:20 unbound 27341:0 error: local-data in redirect zone must reside at top of zone, not at Wireless_Broadband_Router.office IN A 172.16.1.4
Aug 11 08:37:20 unbound 27341:0 fatal error: Could not set up local zones
Aug 11 08:38:01 unbound 58991:0 error: local-data in redirect zone must reside at top of zone, not at Wireless_Broadband_Router.office IN A 172.16.1.4
Aug 11 08:38:01 unbound 58991:0 fatal error: Could not set up local zones
BUT no Notices indicated it and no input errors were detected.
When I set System Domain Local Zone Type to Deny or to the default Transparent
I get input errors detected:
The generated config file cannot be parsed by unbound. Please correct the following errors:
[1470922977] unbound-checkconf[77900:0] error: local-data in redirect zone must reside at top of zone, not at pfSense.office AAAA fde4:8dba:82e1::
[1470922977] unbound-checkconf[77900:0] fatal error: failed local-zone, local-data configuration
NOTE: it still says "redirect" zone even though using transparent now.
config.xml still had:
<system_domain_local_zone_type>redirect</system_domain_local_zone_type>
meaning I couldn't change it.
I made it so the test subdirectory wasn't removed.
I removed my Host Override entry and applied the change and it was
successful. The unbound process was still not running so I clicked the
Start Service action icon.
The status_services page said "unbound had been started" but then showed
below "Stopped" status for it.
I used viconfig to remove the bogus system_domain_local_zone_type entry.
Then the Start service action worked.
I recommend that the "redirect" choice be removed until
it can be configured with additional details.
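The constraint behind the "local-data in redirect zone must reside at top of zone" errors above, as an added unbound.conf fragment (not pfSense's generated config): a redirect zone answers every name beneath it from the record at the zone apex, so per-host overrides below the apex are rejected. Zone name and addresses are constructed except where they repeat the page's log lines.

```conf
# Added example, not pfSense output. Shows which local-zone types accept
# host-level local-data and which do not. Names/addresses are constructed.

# Rejected by unbound (this is what the log lines above report): a redirect
# zone may carry data only at its apex, so a host record below it stops the
# daemon from starting.
#
#   local-zone: "office." redirect
#   local-data: "router.office. IN A 172.16.1.4"

# Accepted: redirect zone with the data at the apex. Every name under
# office. then answers with 172.16.1.4, which is rarely what a host-override
# setup wants, and is why "redirect" needs its own address field in the GUI.
local-zone: "office." redirect
local-data: "office. IN A 172.16.1.4"

# What per-host overrides need instead: a transparent (or static) zone,
# where local-data may sit at any name below the apex.
#
#   local-zone: "office." transparent
#   local-data: "router.office. IN A 172.16.1.4"
#   local-data: "pfsense.office. IN AAAA fde4:8dba:82e1::"
```

Running unbound-checkconf against the generated file before restarting the daemon catches this class of error up front, which is the check the page notes is done for Deny and Transparent but not for Redirect.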
Aug 2016 Version: 2.3 services_unbound.php
has "Register DHCP leases in the DNS Resolver"
unchecked by default but unbound.conf includes dhcpleases_entries.conf
which has them by default.
I played with dnsmasq earlier and it started the
dhcpleases watcher daemon and since unbound was enabled
it included unbound configuration setup.
When I stopped dnsmasq, even though unbound didn't have it enabled,
it still kept running.
The bugs: 1) /etc/inc/system.inc: don't configure dhcpleases for unbound
if unbound's regdhcp is not enabled.
2) stop dhcpleases daemon when not used.
3) remove the hostnames from dhcp leases in /dhcpleases_entries.conf
(see comment "dhcpleases automatically entered") when dhcpleases / regdhcp
for unbound is no longer used.
Aug 2016 Version: 2.3 FIXED
maybe I am overlooking it, but I don't see any code
honoring unbound's regdhcpstatic setting. I do see it for dnsmasq.
Aug 2016 Version: 2.3 move services_unbound.php custom_options to
services_unbound_advanced.php.
This is certainly a dangerous feature so move to "Advanced Settings".
Also it makes it more obvious that some features are already
available via the webConfigurator.
Aug 2016 Version: 2.3 services_unbound_advanced.php
this is a trivial bug here and elsewhere,
but checkbox and other form input names are inconsistently
ending with or without trailing periods.
Also some statements begin with capitalized letter and some don't.
Be consistent.
While in services_unbound_advanced.php change "0x-20" to "0x20".
Aug 2016 Version: 2.3 services_unbound_advanced.php has
Number of Queries per Thread and a few other tunable descriptions
that mention "thread" but the number of threads
isn't displayed. Consider showing the value here.
In some cases the default is only "1" (disabled)
so using this terminology doesn't make sense.
Aug 2016 Version: 2.3 services_unbound_advanced.php shows
Number of Queries per Thread has 512 even though I have:
/var/unbound/unbound.conf:num-queries-per-thread: 4096
which is the default in ./etc/inc/unbound.inc
so if you save that page it will reset it to 512.
Probably 512 is okay, but it shouldn't reset its default.
Aug 2016 Version: 2.3 services_unbound_acls.php
allows an access list rule that doesn't have any name.
So if you have no name, and no description
then the table view will just show the action with
blank fields next to it. So you have edit and delete icons
with zero reference to what they are for.
This is not intuitive.
I recommend that the address/net is listed in the table view
to be more obvious.
Then you don't need the Access List Name plus a description.
I suggest this be simplified.
If you don't show the address/net in the table, then require
some name or description.
In fact, maybe simplify more to just have the
description per network and not per rule.
Aug 2016 Version: 2.3 services_unbound_acls.php
and /var/unbound/access_lists.conf
access-control:.
I don't know if this is a bug in pfsense or in unbound,
but from various checks it appears that allow and allow_snoop
behave the same.
I am able to see the same cached entries with allow and
also am able to see the local-data: authoritative (aa) entries from
host_entries.conf with allow. According to docs, allow_snoop
is for nonrecursive too, but I see the authoritative data
without sending the recursion-desired bit with "allow" too.
I cannot get the authoritative data when the DNS Resolver access list
is empty so can confirm that opens it.
If I am checking this wrong, please improve the docs to make it more
clear.
Aug 2016 Version: 2.3 services_unbound_acls.php?act=new has
a Delete button for the Networks even if a single entry.
But if you click on it, it has popup "You may not delete the last row!"
It should not offer a Delete button if it cannot be used.
"row" is the wrong word for this anyway and is out of context.
If you click "Add network" and then on either "Delete" button,
both "Delete" buttons will disappear. So that is correct
as it shouldn't have a Delete button for a single required entry.
Another BUG there is that when you Delete the entry, it will show the text
"Network/mask Network/mask" (twice) even though there is only one set
of fields for that.
Aug 2016 Version: 2.3 services_unbound.php FIXED
I cannot get any Host Override to be configured with unbound.
/var/unbound/host_entries.conf lists my /etc/hosts entries but
not my override entries.
My config.xml has my <hosts> details for <unbound> but I don't see it
at all in my /var/unbound settings.
I don't see any /etc/inc/unbound.inc code to use it but may be overlooking.
https://redmine.pfsense.org/issues/6712
Maybe this bug no longer exists. Seems to work now as they
are in /var/unbound/host_entries.conf and it works.
I now see code in system_hosts_override_entries in system.inc
and unbound_add_host_entries in unbound.inc.
Apr 2019 Version: 2.4.3 /etc/inc/unbound.inc
It is not documented that domain overrides will do
domain-insecure: by default. This seems like a wrong hidden option
that could have a choice.
While there see comment about "stub-addr:" which has no corresponding code.
Aug 2016 Version: 2.3 the unbound Domain Override versus the dnsmasq
Domain Override have different behavior. It is a different
feature with the same name.
Unbound uses stub-zone which queries the defined
auth server and then returns the record from then on from
the resolver cache. This means the unbound answer is not "aa"
and the TTL counts down.
But for the dnsmasq feature, it is always "aa" authoritative
and the TTL never counts down (since dnsmasq re-looks-up
answer in real time each time).
Unbound requires that the RD recursion desired bit be set to see
it or it is REFUSED. dnsmasq doesn't refuse it if RD is not set.
These are two very different implementations, but they have the
same "Domain Override" name.
Clearly document this, and optionally also change the names
of these pfSense features.
Aug 2016 Version: 2.3 services_unbound_domainoverride_edit.php
"e.g.: testormycompany.localdomainor1.168.192.in-addr.arpa"
I assume spaces were meant for the three examples
in that Form_Input description, like
"e.g.: test or mycompany.localdomain or 1.168.192.in-addr.arpa"
Jul 2016 Version: 2.3 dnsmasq
does it make any sense to use --strict-order
(strict_order option) with pfSense's default --all-servers?
Maybe the /etc/inc/services.inc conditional should have an
"else" to set --all-servers.
Aug 2016 Version: 2.3 services_dnsmasq
says "Entries in this section override
individual results from the forwarders. Use these for changing DNS
results" , but the forwarders aren't queried for these overrides
nor does it change DNS results. In the case with Host Overrides,
it is simply an authoritative server. I verified this with tcpdump :)
Aug 2016 Version: 2.3 services_dnsmasq
doesn't have a delete icon
for a Hosts Override alias entry; please add that.
Another related one: in services_dnsmasq_edit, clicking
Delete on a single alias (additional name) causes a pop-up
"You may not delete the last row!". Please allow removing it.
And third, if you delete the parent Hosts Override entry
via the delete icon in the table, it will also remove its
aliases (additional names); I suggest that it keep them since
this is not obvious.
Jul 2016 Version: 2.3 services_dnsmasq_edit.php
is overly strict.
It uses is_unqualified_hostname() which doesn't allow a period,
so cannot use hostname "foo.bar" and domain "tld" and will error with
"A valid hostname is specified, but the domain name part should be omitted".
Same thing with the "Additional Names" alias.
Jul 2016 Version: 2.3 in services_dnsmasq_edit.php
if you click "Add Host Name"
under "Additional Names for this Host" and save, it will error
about the empty field: "The field Alias Domain is required."
The workaround is to click the "Delete" button for that new empty field.
It should just ignore the entry if all its fields are empty.
Jul 2016 Version: 2.3 services_dnsmasq
the services_dnsmasq Host Overrides are misleading
since they have different fields for Host and Domain,
so someone may configure "www" with "apple.com" and
"www" with "ibm.com" and then "www" will be resolved
in DNS as a round-robin with both addresses returned.
Also the first match, based on alphabetical order, will be
returned for gethostbyname-type lookups using the /etc/hosts
database. In other words, an admin adding an entirely
different DNS label to the Host Overrides that has the same first "Host"
part will break the other entry.
My recommendation is to get rid of the "Host" part and just have
a single "DNS name" field; if someone wants the old behavior
they can still add additional entries for it.
Aug 2016 Version: 2.3 services_dnsmasq_domainoverride_edit
mentions "#" (pound sign)
for the dnsmasq special server address to forward as usual.
But the GUI won't accept it and says "Please
match the requested format." I assume it is because it is
using Form_IpAddress.
Same thing for "!" to not forward.
It won't let it Save.
Aug 2016 Version: 2.3 services_dnsmasq_domainoverride_edit
maybe Source IP should use a Form_Select of interfaces
such as done in services_dnsmasq. If not, then better explain this here.
Jul 2016 Version: 2.3 services_dnsmasq_domainoverride_edit.php
Domain Override doesn't require the "Apply Changes" button to be used when Saved
and automatically restarts dnsmasq with the --server and
--rebind-domain-ok switches.
This is different behavior versus the Host Overrides and other
Forwarder options which, when Saved, indicate changes must be
applied to take effect.
Jul 2016 Version: 2.3 services_dnsmasq.php or related ...
the DNS overrides will not be placed into /etc/hosts
until the "Enable DNS forwarder" is set.
But if "Enable DNS forwarder" is unchecked, saved and applied,
the entries will stay in the /etc/hosts file - no dnsmasq will
be running, but local programs like ping will still have access
to them. This is inconsistent - either put them
into /etc/hosts regardless, or remove them from /etc/hosts if
dnsmasq is not enabled.
Jan 2018 Version: 2.3.3 /etc/inc/dyndns.class
comment has "dyns.org" but I think that
is dyns.net.
Jan 2018 Version: 2.3.3 FIXED services_dyndns_edit
The "Verify SSL peer" checkbox
doesn't show its corresponding form label. It is set to "null".
I suggest it be set to "HTTP API options".
By the way, maybe curl_ssl_verifypeer form should be also
called "HTTP API options" as pfsense users shouldn't have to
know what "CURL" is.
https://redmine.pfsense.org/issues/7588
FIXED Jan 2018 Version: 2.3.3 services_rfc2136_edit.php and services_dnsupdate_process()
suggest allow HMAC-SHA256 too as that is default for newer BIND
key generation tools.
FIXED Jan 2018 Version: 2.3.3 services_rfc2136_edit.php and services_dnsupdate_process()
The Key Type choices don't matter. It is used in services_dnsupdate_process()
to set the flags and protocol for the KEY resource record.
But nsupdate code does not use the key flag nor key protocol.
Jan 2018 Version: 2.3.3 services_checkip.php
more information tip says "... will be used to check IP addresses for
Dynamic DNS services, and RFC 2136 entries that ...".
This is misleading as an admin may think that the Dynamic DNS Clients
feature uses it.
Suggestion: "... will be used to retrieve real IP addresses for
RFC 2136 Clients services that ..."
Also suggest that the services_rfc2136_edit.php
"Use public IP" link to it or mention it.
Sep 2017 Version: 2.3.3
suggestion for firewall_rules.php
if isset($filterent['log']), consider also adding a hyperlink to
the status_logs_filter.php page
Sep 2017 Version: 2.3.3 FIXED firewall_rules.php?if=lan
bytes is negative in states detail
I see this is already reported:
https://redmine.pfsense.org/issues/7075
and fixed six months ago.
Sep 2017 Version: 2.3.3 firewall_rules.php
for printing the gateway, if no description it will use
guiconfig.inc's pprint_port() which will provide an asterisk if no value
or if a number may match a well known port name.
I don't think this is what is meant for the gateway.
If this is meant so it can use the first part of name delimited with a
dash (-) I think there is a more sane way to do it and this existing
way may break in the case of gateway names with a dash in it.
Jul 2018 Version: 2.4.3 firewall_rules_edit.php
code comment says "if user enters an alias and selects "network" then disallow."
and uses is_alias but error message implies "alias" is okay:
$input_errors[] = gettext("Alias entries must be a single host or alias.");
And why not allow a "network" alias with the source or destination "network"?
Note the first time it will complain about missing bit count but then
will auto-define it (like /32) so won't complain the second time.
If it could use the network alias then should get bit count from it?
Aug 2018 Version: 2.4.3 firewall_rules_edit.php
Suggestion: Add "unknown" as a choice for the Source OS
Aug 2018 Version: 2.4.3 dscp
For dscp in advanced firewall options, I chose
various codepoints but pfctl -sr didn't show the same numbers as
in filter.inc.
For example from /tmp/rules.debug:
pass in quick on $WAN reply-to ( re0 47.185.49.1 ) inet proto tcp from any to any dscp "8" tracker 1533130107 flags S/SA keep state label "USER_RULE: testing"
and from pfctl -sr:
pass in quick on re0 reply-to (re0 47.185.49.1) inet proto tcp all flags S/SA dscp 0x20 keep state label "USER_RULE: testing"
DON'T REPORT THIS. ALREADY REPORTED?
https://forum.netgate.com/topic/24423/pfctl-sr-results-from-the-diffserv-code-point-wrong/3
Aug 2018 Version: 2.4.3 /etc/inc/filter.inc
should "EF" dscp code be replaced with value 46
(like VA becomes 44)?
Aug 2018 Version: 2.4.3 firewall_rules_edit.php
suggestion: reorder advanced options to put State types before
state options and put "Max. src. states" immediately after
corresponding "Max. src nodes" (and before "Max. connections").
Aug 2018 Version: 2.4.3 firewall_rules_edit.php
SUGGESTION: move the advanced options nopfsync and nosync form fields
next to each other since their use is similar.
Mar 2018 Version: 2.3.3 firewall_aliases_edit.php?tab=port
Mistakenly used dash instead of colon.
entered "55-1255" in the Port field and clicked save
and a popup said "Please match the requested format:
IPv4 address like ..."
This is a "port" but error is about IP address.
May 2016 Version: 2.3 system_advanced_firewall.php
I saw multiple sentences and paragraphs
in the interface
that were verbatim from the pf.conf manual;
the license.php page should list the copyright and license.
(I report this multiple times and have not listed all places.)
May 2016 Version: 2.3 system_advanced_firewall.php
document why pfsense_default_state_size()
assumes each state is 10 kB in size?
May 2016 Version: 2.3 system_advanced_firewall.php
nowhere else in the code; dead code?
$ipseccfg['dns-interval']
see dns-interval for similar config
Aug 2018 Version: 2.4.3 firewall_schedule.php
Trashcan is available for rules in use and popup is displayed to delete it.
It doesn't delete it. I suggest that the trash can icon be disabled
maybe saying it is in use, and if possible have a link to the rule.
Also real problem, says "Cannot delete schedule. Currently in use by ."
But $referenced_by is empty, so the sentence is incomplete.
This happened with no descr.
I made mine also show the $rule['tracker'] but would be nice to link to
it too.
Aug 2018 Version: 2.4.3 system_advanced_misc.php
Schedule States checkbox is only about custom pfctl -y.
Schedules at this time is only used by packet filter.
This is on the Miscellaneous page, but makes more
sense to be on the Firewall & NAT page.
Sep 2017 Version: 2.3.3 firewall_virtual_ip_edit.php
setting the CARP password but not the confirm password complains.
<input class="form-control" name="password_confirm" id="password_confirm" type="password" placeholder="Virtual IP Password">
(no value)
But you can immediately save with the bogus unseen
password and confirm there.
See source then has "value" defined.
<input class="form-control" name="password_confirm" id="password_confirm" type="password" value="********" placeholder="Virtual IP Password">
And resulting conf will be:
<password></password>
even though a CARP password is required.
Oct 2017 Version: 2.3.3 status_carp.php
related status shortcut goes to the same page!
Don't have links to the page you are already on.
May 2017 Version: 2.3.3 FIXED diag_pftop.php
has "Size" for sorttype which is not an order type
known by pftop. (sort_size_callback in pftop is "Bytes".)
Size is not a sort option and is same as "none".
https://redmine.pfsense.org/issues/7579
May 2017 Version: 2.3.3 FIXED diag_pftop.php
should not have sort options choices of Peak
and Rate since only useful
if have cached information as available
in interactive mode (see text console version)
to calculate the instantaneous speed and peak speed.
https://redmine.pfsense.org/issues/7580
Apr 2017 Version: 2.3.3 FIXED /etc/pfSense.obsoletedfiles
has wrong path for diag_system_pftop.php
see 1af5edbf04e0e3bbbc55981f6fc404b60ff33f2b
(note different php file now)
https://redmine.pfsense.org/issues/7581
Jun 2016 Version: 2.3 FIXED diag_dump_states.php
clicking the Packets or Bytes
header for sorting is neither intelligent nor intuitive.
It doesn't really sort packet counts or bytes considering
they may be formatted using acronyms. Also the sort is for just
one part, but each has two counts in/out.
THIS APPEARS TO BE FIXED.
Apr 2017 Version: 2.3.3 diag_dump_states.php
enter a non-existent but valid IP address and will get a Kill States
button but no states listed. This is not intuitive to remove
states that don't exist.
https://redmine.pfsense.org/issues/7582
Jun 2016 Version: 2.3 diag_resetstate.php
header says "Select States to Reset"
but the docs there says "will remove all entries from the
corresponding tables".
There is nothing to select in this view.
https://redmine.pfsense.org/issues/6709
Jun 2016 Version: 2.3 diag_resetstate.php
if the checkbox is UNchecked,
clicking "Reset" still prompts "Are you sure you wish to Reset?"
and Okay does nothing. This is not intuitive.
Get rid of the checkbox. The pop-up window is good enough.
https://redmine.pfsense.org/issues/6710
Jun 2016 Version: 2.3 FIXED diag_states_summary
is not intuitive as each table has two columns
with same "# States" header.
first is for $ipinfo['seen'];
and second is for $protoinfo['seen'];
Maybe have the header say "Protocol counts" over the last three fields
or add a documentation line at top (or bottom) to explain that.
FIXED https://redmine.pfsense.org/issues/6711
Jun 2016 Version: 2.3 diag_tables
be consistent in naming or add more doc details
to the diag_tables page as custom tables are called "aliases" elsewhere
also it uses the word "database" in some places for
table or aliases too.
https://redmine.pfsense.org/issues/6713
Jun 2016 Version: 2.3 diag_tables
often says "Date of last update of table is unknown."
but table comments at same time shows the date:
last updated 1463027701 (Thu May 12 04:35:01 2016 GMT)
(that was for bogons)
I assume one is the local timestamp while the other
is the timestamp as provided in the remote's original file,
but either way using the same terminology may be confusing,
so maybe it should be explained there.
MAYBE FIXED AS I CANNOT SEE THIS ANYMORE
Jun 2016 Version: 2.3 diag_tables
has "Related status" shortcut for "aliases" that
goes to same diag_tables page.
diag_routes and maybe other pages have this too. It was a little
misleading to click through it to realize it was not a
related page. Suggest comparing the target with the link, like
is done for Related settings in shortcuts.inc:
if (!empty($link) && ($_SERVER['REQUEST_URI'] != "/{$link}")) {
(that worked for me)
But maybe there was a reason already this wasn't used?
I didn't notice problem for Related logs, but maybe there too.
Just added to my existing ticket: https://redmine.pfsense.org/issues/6701
Feb 2018 Version: 2.3.3 status_logs_settings.php
SUGGESTION: put all the packet filter related settings
(like filterdescriptions) together in a section with a header for it.
Feb 2018 Version: 2.3.3 status_logs_filter.php
when using the "Display as second row" setting,
then clicking on a column header for the status_logs_filter logs,
it will separate the second rows with the description/labels
from the log entries.
Clicking again to reverse any sort doesn't fix it.
The sorting should keep the description/labels with its corresponding log.
(I know "Display as column" is a workaround.)
Feb 2018 Version: 2.3.3 status_logs_filter_summary.php
The code is there and the output in the HTML source shows it
but with my firefox browser I don't see the
pie charts for the source and destination ports.
The data points are there.
The other pie charts work fine.
May 2016 Version: 2.3 system.php
config is called DNS Forwarder but it is not a
DNS Forwarder; tcpdump showed it doing recursive resolution starting at the
gtld-servers and not using any forwarder
Mar 2017 Version: 2.3.3
The pagenamefirst option (Display page name first in browser tab)
is available for user's customization
(system_usermanager.php or
system_user_settings.php) but is not included
with the same customizations done by admins on system.php.
Instead it is at system_advanced_admin.php.
This is inconsistent. This is a general setting and should be
on the system.php page (and not system_advanced_admin.php).
See gen_pagenamefirst_field.
Apr 2019 Version: 2.4.3 system_advanced_admin.php
althostnames says "to bypass DNS Rebinding Attack checks".
This is for pfSense webpage only, as the two DNS services use their
own "domainoverrides" instead.
This here is misleading, so mention this is for the pfsense interface only.
May 2019 Version: 2.4.4-p1 system_advanced_admin.php
the sshdkeyonly form checkbox became a form. That is fine,
but the field title changed from Authentication Method
to SSHd Key Only. Please change it back to Authentication Method,
since the "key only" is only one of the three Authentication Method choices.
2090516 system_advanced_misc.php
do_not_send_uniqueid is misleading
Even when checked, your
pfSense version is still reported.
This is an information disclosure and will happen for
alias URL downloads too.
For security best practices, disclosing that the IP address
is running pfSense and disclosing a specific pfSense version
is wrong.
Maybe it is okay for HTTPS downloads direct from pfsense, but
not for alias URL or URL table downloads and other non-pfsense URIs.
Aug 2016 Version: 2.3 system_advanced_sysctl.php
allows adding a tunable with
a bogus name or bogus value.
Maybe report sysctl output?
https://redmine.pfsense.org/issues/7576
Aug 2016 Version: 2.3 system_advanced_sysctl.php
SUGGESTION: I'd put the system_advanced_sysctl.php settings
on the corresponding pages instead of several unrelated ones on a single form.
Jun 2019 Version: 2.4.4-p3 notices.inc
misspelled: smptcount
I don't see any other use of it, so nothing failing due to misspelling.
FIXED Sep 2018 Version: 2.4.3 system_advanced_notifications.php
notifications had Enable STARTTLS checkbox,
but I didn't see smtptls in 2.4.3.
This option was removed in c8c46e5a8e9551db0172b79aae1fee4553b3bf7d
in 2016.
Aug 2016 Version: 2.3 system_advanced_notifications.php
has a button to test
growl, but no indication locally if used or not. In
particular shouldn't it warn if the IP address and password is blank?
In addition, there is no indication locally if the
Test SMTP Settings button did anything.
Since it says uses the currently stored configurations,
it should show what they are here just in case they were changed above,
or when the test is done it could display what settings were used.
or could use multiple submit buttons and call this one
Save and Test SMTP Settings?
https://redmine.pfsense.org/issues/7577
Sep 2018 Version: 2.4.3 /etc/inc/notices.inc
As far as I can tell nothing uses "notification_name".
It is configurable but not used.
I assume it was meant to be used for the growl "title".
Oct 2018 Version: 2.4.3 /etc/rc.filter_synchronize
has code for exclusions for
['aliases']['alias'][$x]['nosync']
['dnsmasq']['hosts'][$x]['nosync']
['ipsec']['tunnel'][$x]['nosync']
but I don't see how nosync can be set for aliases, dnsmasq, nor ipsec.
Aug 2018 Version: 2.4.3
Recover config.xml:
If it cannot find the file or there is some error, the messages
will display too fast to read and will take you back to the
main welcome menu.
Aug 2018 Version: 2.4.3
text installer prompts twice at end about using the shell.
Once a yes/no and other as reboot/shell choices. This is
redundant.
Aug 2018 Version: 2.4.3
After did Revert & Exit from the bsdinstall partedit
back to the shell, I couldn't type in lowercase.
So "exit" became "sh: EXIT: not found".
and Ctrl-D just showed a "D".
I had to reboot to install again.
Aug 2018 Version: 2.4.3 bsdinstaller
NO SEE my bug details above ***
Needs 2g disk for geli even if encrypt disks and
encrypt swap are both set to NO.
Aug 2018 Version: 2.4.3 bsdinstaller
zfs disk info curses window in installer
showed 30% but couldn't scroll in the output
using normal up and down arrow keys.
Page up/down and home/end did work.
I recommend that up and down arrow keys should work
as some may not notice additional content.
Jan 2016 Version: 2.3 install
why untar kernel from cd if already was copied to /mnt disk
tar xzpf /kernels/kernel_*SMP*.gz -C /mnt/boot/
why not just untar it from /mnt
tar xzpf /mnt/kernels/kernel_*SMP*.gz -C /mnt/boot/
Feb 2016 Version: 2.3 custom install
why /etc/rmt link to non-existent /usr/sbin/rmt ?
May 2019 Version: 2.4.4-p1
2.4.4-p1 installer
says there is not enough free space to install
"1.0 GB free, 1.0 GB required"
Jul 2017 Version: 2.3.3
status_ipsec.php print_ipsec_body()
suggestion: instead of printing value of esn (1) maybe show "ESN"?
Feb 2018 Version: 2.3.3 /etc/inc/ipsec.inc
why both $ipsec_log_cats and $ipsec_loglevels arrays
that are the same? I don't see $ipsec_loglevels used.
Nov 2018 Version: 2.4.3 /etc/inc/ipsec.inc
$ipsec_loglevels list is redundant and not needed.
See $ipsec_log_cats which is used.
Apr 2018 Version: 2.3.3 vpn_ipsec_mobile.php
I don't see any code in /etc/inc/vpn.inc that uses group_source
what is it for? maybe group_source setting is no longer used?
Dec 2018 Version: 2.4.3 vpn_ipsec_settings.php
this uses verbatim content from strongSwan without any copyright mention
or attribution.
Dec 2018 Version: 2.4.3 vpn_ipsec_settings.php
add a space: "Enable IPCompression" checkbox
or reword to "Enable IPComp compression"
Jun 2017 Version: 2.3.3
vpn_ipsec_phase1.php
selected Internet Protocol: IPv6 and the Remote Gateway
had an IPv4 address (192.168.1.50). This mismatch caused
the following input error:
"A valid remote gateway IPv4 address must be specified or protocol needs to be changed to IPv6"
This error message is reversed.
Selecting IPv4 and entering an IPv6 address results in the wrong
"A valid remote gateway IPv6 address must be specified or protocol needs to be changed to IPv4".
The error messages doesn't make sense as it implies an invalid
address is okay as long as the protocol is changed.
Note that the input allows entering a hostname.
I suggest that the checks be removed.
Jun 2017 Version: 2.3.3
vpn_ipsec_phase1.php has
'rekey_enable',
'Disable rekey',
and
'reauth_enable',
'Disable Reauth'
This is not a bug but a coding style issue or
a user interface oddity. Note they both have
variable called "enable" but the corresponding checkbox is disabled.
Use a variable name like "_disable" that implies what it is really means.
Or make it more user friendly by rewording and using the existing variable names
with checkboxes that are checked by default.
Jun 2017 Version: 2.3.3 vpn_ipsec_phase1.php
I think the whole configuration for this specific Phase 1 disappears
when this splitconn is checked when there is no corresponding Phase2.
Jun 2017 Version: 2.3.3
vpn_ipsec_phase1.php
editing an existing phase1 key exchange version from IKEv2 to Auto
or IKEv1 (and applying changes) makes no changes under /var/etc/ipsec/
(even though changes make it to config.xml)
May 2019 Version: 2.4.4-p1 vpn_ipsec_phase2.php
choose "Routed (VTI)" mode after a tunnel mode default was selected
shows the Remote Network Address field.
But if you first look at Tunnel mode then Routed mode,
the Remote Network fields are not displayed.
I think the "vti" case is missing a
hideClass('opt_remoteid', false);
Jun 2017 Version: 2.3.3 ipsec
what is the purpose of the pre-shared key in the phase 1 if no file
is touched, but when using the Pre-Shared Keys page it is added and used?
Dec 2018 Version: 2.4.3 interfaces.php
has Scripts as plural for the DHCPv6 advanced options.
It is just a single script so be singular?
Dec 2018 Version: 2.4.3 /etc/inc/interfaces.inc
The check for adv_dhcp6_key_info_statement_expire has
"/((([0-9]{4}-)?[0-9]{2}[0-9]{2} )?[0-9]{2}:[0-9]{2})||(foreever)/"
I think this is missing a required dash (-) between the month and day
(mm-dd) per the manual
https://www.freebsd.org/cgi/man.cgi?query=dhcp6c.conf
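An added example (not pfSense code) that runs the pattern quoted above against constructed expire values and compares it with a corrected pattern; the corrected pattern is my assumption based on the formats the page cites (optional "yyyy-", then "mm-dd hh:mm", or "forever"). Besides the missing dash, note that the quoted pattern's "||" contains an empty alternative, so unanchored it matches any input at all, and the keyword is spelled "foreever".

```php
<?php
// Added example, not pfSense code: the expire-time pattern quoted from
// interfaces.inc versus a corrected pattern, run over constructed inputs.

// Pattern exactly as quoted on the page. Two defects are visible in it:
// - the date part "[0-9]{2}[0-9]{2}" has no dash between month and day;
// - "||" is an alternation with an empty middle alternative, and an empty
//   alternative matches the empty string at any position, so this
//   unanchored pattern accepts every value (including "").
$quoted = "/((([0-9]{4}-)?[0-9]{2}[0-9]{2} )?[0-9]{2}:[0-9]{2})||(foreever)/";

// Corrected pattern (assumed, not taken from pfSense): dash added between
// month and day, a single alternation, keyword spelled "forever", and
// anchors so the whole value must match one of the accepted forms.
$fixed = '/^((([0-9]{4}-)?[0-9]{2}-[0-9]{2} )?[0-9]{2}:[0-9]{2}|forever)$/';

// Returns true only on a real match; preg_match returns false on a
// pattern compile error, which the === 1 check does not confuse with a hit.
function expire_matches(string $pattern, string $value): bool {
	return preg_match($pattern, $value) === 1;
}

// Constructed values: the first four follow the documented forms, the
// last three should be rejected by a correct check.
$samples = array(
	'2019-04-30 23:59',   // full date and time
	'04-30 23:59',        // month-day and time
	'23:59',              // time only
	'forever',            // keyword
	'0430 23:59',         // dash missing between month and day
	'garbage',            // not a time at all
	'',                   // empty value
);

foreach ($samples as $s) {
	printf("%-20s quoted: %-8s fixed: %s\n",
		var_export($s, true),
		expire_matches($quoted, $s) ? 'match' : 'no match',
		expire_matches($fixed, $s) ? 'match' : 'no match');
}
```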
Apr 2019 Version: 2.4.3 interfaces.php
check for a valid IPv6 prefix for prefix-6rd
before using it.
For example this was "ab:cd" as prefix-6rd:
Apr 4 15:21:35 pfSense php-fpm[23877]: /interfaces.php: The command '/sbin/ifconfig opt1_stf inet6 2921:2120::/' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Invalid argument'
Apr 2019 Version: 2.4.3 /etc/inc/interfaces.inc
interface_6rd_configure() log_error has
"address ... is not public"
but doesn't use is_private_ip()
I assume this was copied and pasted from other sections in the same code:
the check for a private IP wasn't needed, but the log output was not
changed to match.
Apr 2019 Version: 2.4.3 /etc/inc/interfaces.inc
interface_6to4_configure() twice uses the deprecated 192.88.99.1.
See
https://tools.ietf.org/html/rfc7526
"Deprecating the Anycast Prefix for 6to4 Relay Routers"
Apr 2019 Version: 2.4.3 interfaces.php
Track IPv6: IPv6 Prefix ID
setHelp has: from 0 to %3$s)
but the %3$s argument is
'<span id="track6-prefix-id-range"></span>'
resulting in:
from 0 to )
Something is missing there.
Other times it has a number like 3:
(hexadecimal from 0 to 3)
Make sure the output is clear.
Apr 2019 Version: 2.4.3 system_advanced_network.php
Allow IPv6 has a note which is wrong. Multiple IPV6 features are disabled
by not setting ipv6allow beyond just PF rules,
like NTP status, IPv6 gateways, Unbound DNS resolver.
Apr 2019 Version: 2.4.3 ./system_advanced_network.php
for ipv6duiden_id says "variable length" but RFC3315 says is eight octets
and /etc/inc/util.inc is_duid() checks for a specific byte count
and length (which includes the two-byte vendor number and the DUID type).
Apr 2019 Version: 2.4.3 /etc/inc/util.inc
is_duid() checks for duid type 3 to be a specific size and length,
but RFC3315 says the DUID-LL is a "variable length" for the link-layer
address.
Apr 2019 Version: 2.4.3 interfaces.php
when applying changes to save for an interface, unbound
is started even though already running:
Apr 5 00:11:46 pfSense php-fpm[23877]: /interfaces.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1554423106] unbound[71846:0] warning: too many file descriptors requested. The builtinmini-event cannot handle more than 1024. Config for less fds or compile with libevent [1554423106] unbound[71846:0] warning: continuing with less udp ports: 465 [1554423106] unbound[71846:0] error: bind: address already in use [1554423106] unbound[71846:0] fatal error: could not open ports'
It didn't use the "reload" option or stop it first.
Oct 2017 Version: 2.3.3 load balancer relay
layer 7 is for DNS over UDP only!
it is broken as it cannot even do DNSSEC, even over UDP.
It is limited to ancient DNS, non-EDNS0.
Oct 2017 Version: 2.3.3 load_balancer_pool.php
it sets TCP options for dns proto which listens on UDP
these "tcp" are not even used!
Oct 2017 Version: 2.3.3 load_balancer_virtual_server_edit.php
has code for mode but it cannot change so maybe this is old
and not removed yet? (It is a hidden value.)
also ./load_balancer_virtual_server.php references mode but unused
also /etc/inc/vslb.inc has a check for that mode == 'relay'
which doesn't exist and even the old was called "relay_mode"
but no way to set that either.
I think code for relay_mode is old.
Looks like old code or incomplete?
If is old, then add a comment to these places in code to explain that.
Oct 2017 Version: 2.3.3 load_balancer_pool_edit.php
A couple times I have created different pools
with the same name. So two lbpool entries in config.xml with same name.
This happens with the first pool (0).
The code checks with:
($i != $id)
which is 0 != "" which are equivalent empty values in PHP loose comparison.
Using a strict comparison !== is not right because later
checks for number $i versus string $id would make it so you can't edit and then save.
Please check this differently.
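An added example (not pfSense code) of the loose comparison described above, with a constructed pool list and one way to skip the entry being edited without relying on it. Assumes $id is "" when adding a new pool and a numeric string when editing, and that PHP is older than 8 (PHP 8 changed 0 == "" to false, which is why this bit pfSense 2.3/2.4 on PHP 5/7).

```php
<?php
// Added example, not pfSense code. Constructed sample: pool index 0
// already uses the name we are about to add.
$a_pool = array(
	array('name' => 'webpool',  'port' => '80'),
	array('name' => 'mailpool', 'port' => '25'),
);

// The check the page quotes. With $id == "" (adding, no ?id= given),
// PHP < 8 evaluates 0 != "" as false, so index 0 is never compared and a
// second "webpool" is accepted. Index 1 and above are still checked.
function has_duplicate_loose(array $pools, string $name, $id): bool {
	foreach ($pools as $i => $p) {
		if ($i != $id) {
			if ($p['name'] === $name) {
				return true;
			}
		}
	}
	return false;
}

// Hardened form (assumed fix): decide up front whether $id names a real
// index, then compare integers strictly. A bare !== on the raw value
// would break editing, because $i is an int and $id a string.
function has_duplicate_strict(array $pools, string $name, $id): bool {
	$editing = null;
	if (is_int($id) || (is_string($id) && $id !== '' && ctype_digit($id))) {
		$editing = (int)$id;
	}
	foreach ($pools as $i => $p) {
		if ($editing !== null && $i === $editing) {
			continue;   // this is the pool being edited; its own name is fine
		}
		if ($p['name'] === $name) {
			return true;
		}
	}
	return false;
}

// Cases: adding "webpool" (id ""), editing pool 0 keeping its name (id "0"),
// and renaming pool 1 to "webpool" (id "1"); only the middle one is allowed.
foreach (array('' , '0', '1') as $id) {
	printf("id=%-3s loose: %-9s strict: %s\n",
		var_export($id, true),
		has_duplicate_loose($a_pool, 'webpool', $id) ? 'duplicate' : 'ok',
		has_duplicate_strict($a_pool, 'webpool', $id) ? 'duplicate' : 'ok');
}
```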
Oct 2017 Version: 2.3.3 load_balancer_pool_edit.php
The Monitor drop down is in the "Add Item to the Pool" section.
Move it two places up, so is right before its corresponding Retry
value.
Oct 2017 Version: 2.3.3 load_balancer_pool_edit.php
input error says "The field Server List is required."
but there is no field described as "Server List".
Maybe change $reqdfieldsn to have instead:
gettext("Enabled Pool Member") or something like that.
Oct 2017 Version: 2.3.3 load_balancer_pool_edit.php
a blank entry got into the enabled server list, resulting
in vague " is not a valid IP address or IPv4 subnet (in "enabled" list)."
I could see and remove the blank line and continue successfully.
Oct 2017 Version: 2.3.3 load_balancer_virtual_server_edit.php
input error says "is not a valid IP address, IPv4 subnet, or alias."
but doesn't give the name of the field. See it starts with
lowercase and usually these input errors are complete
sentences starting with a subject.
Oct 2017 Version: 2.3.3 load_balancer_virtual_server_edit.php
Port says an alias may be specified, but the port's Form_Input is for a
'number' so no text may be entered.
The /etc/inc/vslb.inc code indicates this virtual server port
can be an alias so change this to 'text'.
Oct 2017 Version: 2.3.3 load balancer
I have lots of relayd logging of "unused protocol: dnsproto".
At one time I did have that relay type configured
but now using TCP but relayd.conf still has it defined but unused.
Oct 2017 Version: 2.3.3 load_balancer_virtual_server_edit.php
changing an existing and working virtual server with relay protocol
from TCP to use DNS may continue to have the pf rdr rule in place
as seen with "pfctl -a relayd/FOO -vvsn" even though the relayd.conf
has relay (instead of redirect) now (implying the apply happened).
Restarting the service fixes it by removing the rdr translation rule.
I didn't see the problem changing from DNS to TCP though.
Oct 2017 Version: 2.3.3
suggest more clear descriptions for default monitor ICMP ping
and Generic SMTP service ready greeting check
But where are these defined? are they even in a new install?
I only see in an upgrade at /etc/inc/upgrade_config.inc
Oct 2017 Version: 2.3.3 load_balancer_setting.php
doesn't show what is set by default.
And even after defining all three values and saving
(which end up in relayd.conf as timeout, interval, prefork)
the Relayd Global Settings page has three blank fields.
So if you click save again there it will lose your settings.
Apr 2019 Version: 2.4.3 load_balancer_setting.php
prefork says default is 5 processes
but manpage documents as 3 processes.
If there is a custom code change for 5, maybe document that in the
php script.
The startup starts one "parent", three "ca", one "pfe", one "hce",
and three "relay" processes for relayd.
(On that note, maybe the "ca" processes aren't needed?)
Dec 2018 Version: 2.4.3 status_lb_pool.php
The Reset button prompts if okay to reset
and then reloads page to the previous enabled checkboxes.
It makes no changes to system so no reason to have the btn-danger popup.
If it did make changes to system it would next have the Apply Changes
button to activate.
Oct 2017 Version: 2.3.3 status_lb_pool.php and /etc/inc/vslb.inc
Enabled. Member Pool may contain a subnet.
This is converted to a relayd.conf table of multiple IP addresses.
The status page shows the subnet as a single entry and indicates
all are down (red).
The relayctl show hosts shows one of the hosts is up like
"11 host 98.139.183.24 100.00% up"
The get_lb_summary() function would see it,
but status_lb_pool.php uses the server value from lbpool configuration.
They won't match.
98.139.183.24 is not 192.168.1.0/26.
The redirection works. relayd is working.
It is just that the status_lb_pool.php doesn't indicate individual
parts of subnets, so it shows all down (red color).
It also doesn't show the percentage.
Feb 2018 Version: 2.3.3 status_logs_settings.php
nginx errors can be seen in /var/log/nginx/error.log
The log setting checkbox for "Web Server Log" is checked. It says
"will appear in the main system log." This is confusing since
it is not in the main system log, which would be the pfSense "General" default
log.
nginx configuration when checked logs to local5 which is /var/log/nginx.log
and there is no way to view that with the status_logs.php logfile view.
Whether or not it is checked I see errors in /var/log/nginx/error.log
and also in /var/log/system.log. 404 error pages are in /var/log/nginx.log.
I suggest fixing the explanation on where it is supposed
to log when checked and when not checked. I suggest adding a way to view too.
Also check if this /var/log/nginx/error.log is correct.
Feb 2018 Version: 2.3.3 status_logs_settings.php
SUGGESTION: move the setHelp about port 514 earlier
to the "Remote log servers" group.
Feb 2018 Version: 2.3.3 /etc/inc/rrd.inc
cellular (ppp 3g) rrd data is for comma-delimited fields 2, 8, and 9.
Which I assume is: rssi, upstream (bwupstream), downstream (bwdownstream)
But the /usr/local/bin/3gstats.php comment and header indicates that
mode has a comma so has a submode. Either that is wrong or the
rrd.inc should use fields 2 and 9 and 10 instead.
Feb 2018 Version: 2.3.3 status_monitoring.php
When selecting None for the graph category (left axis), and clicking
Update Graphs, the graph disappears (as expected) but the
Data Summary is still shown for an undefined graph.
It shows the Data Summary for the previous category.
If none, it shouldn't have a Data Summary especially since it has
no explanation of the view it is for.
Oct 2017 Version: 2.3.3 ./js/pfSenseHelpers.js and ./firewall_nat.php and ./firewall_rules.php
the separator
save button should be renamed to "Add" as it is not saved!
fa-save change to fa-plus
and rename svtxt to addtxt and set to <?=gettext("Add")?>
Oct 2017 Version: 2.3.3 firewall_nat.php
Delete button shouldn't prompt to remove if nothing is selected
Oct 2017 Version: 2.3.3 firewall_nat_edit.php
SUGGESTION:
top headers and title say Add instead of Edit if new,
but this may be true for many forms.
Oct 2017 Version: 2.3.3 firewall_nat_1to1_edit.php
If not set, error shows:
The field External subnet is required.
but that should say "External subnet IP"
as the subnet part is from other setting.
Also error:
The field Source address is required.
is invalid as the page doesn't say "Source";
on the page it is Internal IP Address/mask.
May 2016 Version: 2.3 just for code /etc/inc/filter.inc
s/ftp_proxy_entry/tftp_proxy_entry/
because it is TFTP not FTP
no behavior change
By the way, why does xinetd listen on port 6969 and fork tftp-proxy
by default, even if not used?
xinetd logs about "readjusting" this every 15 minutes even if not used.
Oct 2017 Version: 2.3.3 firewall_nat_npt_edit.php
error has:
The field Source prefix is required.
but the page doesn't have "Source",
as it is the Internal IPv6 Prefix Address.
Also the error:
The field Destination prefix is required.
is wrong too as it is the
Destination IPv6 Prefix Address.
Also it allows IPv4 addresses. Consider checking and restricting this
to IPv6 only.
Jul 2018 Version: 2.4.3 firewall_nat_npt_edit.php
The "srcnot" checkbox is confusingly labeled as
"Internal IPv6 prefix". That is for this section, but maybe this
should be worded more clearly or identified better.
Same as the "Destination".
Jul 2018 Version: 2.4.3 firewall_nat_npt_edit.php
allows IPv4 addresses with IPv6 /128 style prefixes.
Maybe the interface should explain what it is for or the
code should restrict what is accepted.
Note that it will self-correct to /32 after saving if using IPv4.
Apr 2019 Version: 2.4.3 /usr/local/pkg/miniupnpd.inc
only sets bitrate_up and bitrate_down if both
download and upload are set.
There is no explanation that one is unused if the other is blank.
Just allow one to be used or document reason.
Apr 2019 Version: 2.4.3 /usr/local/pkg/miniupnpd.xml
SUGGESTION: overridewanip setting should use a menu to select from existing
IP addresses like virtual IPs,
like other menus do instead of manually typing an existing IP in.
suggest using a menu for this?
Apr 2019 Version: 2.4.3 /usr/local/pkg/miniupnpd.xml
SUGGESTION: upnpqueue setting should use a menu to select from existing queues
like other menus do instead of manually typing a queue name in.
suggest using a menu for this?
May 2017 Version: 2.3.3
diag_packet_capture.php
link to tcpdump manpage is different version than FreeBSD version.
I did a quick look with wdiff and the manuals are about 6% different.
May 2017 Version: 2.3.3 diag_packet_capture.php
The reverse dns lookup help suggests that the packet capturing
may perform a reverse DNS lookup.
This is misleading. This reverse lookup is only done
when pfSense is viewing the results.
Maybe change the help to:
"Convert addresses and port numbers to names
when viewing the captured packets. This option may
cause delays when viewing large packet captures."
I am fine with keeping same name even though it is not just about DNS.
Jun 2016 Version: 2.3 FIXED diag_sockets.php
the diag_sockets.php info says sockstat uses -L
when using the -l.
It does not use -L and it does show the
loopback addresses (::1 or 127.0.0.0/8).
Also, there is no need to use the man page details verbatim there; exclude
the unnecessary ADDRESS and other UNIX sockets documentation.
FIXED https://redmine.pfsense.org/issues/6708
Jun 2016 Version: 2.3 diag_testport
It may be useful to run netcat with -v
and provide that output, like "No route to host" or "Succeeded!".
Jun 2016 Version: 2.3 diag_testport
1) can output error "Cannot connect to an IPv6
address using IPv4." (and vice-versa) But that
is_ipaddrv4 / is_ipaddrv6 is for IP addresses. The "host" field
may be a hostname, so a hostname like ipv6.test-ipv6.com
returns only AAAA, and doesn't give that "Cannot connect" error.
This is misleading. I do understand that the hostname is passed
direct to netcat.
2) In addition, diag_testport has confusing documentation about
mix of IPv4 and AAAA, but I can set IP Protocol to IPv6
and I have NO IPv6 and a test will return "successful."
Also it uses the word "forced" but IPv4 and IPv6 are only options
so one must be selected.
3) since the IP Protocol list only has two choices, maybe
just display as radio instead of drop-down menu
4) the diag_testport code suggests that -4 or -6 should be used,
but that is only done if the host is an IP number and not a hostname.
It is interesting that the code has many checks for setting this
-4 or -6, but the IP Protocol selection is not even used unless
the host is an IP number. If -6 is used on an IPv4 network, even
the getaddrinfo() will fail and netcat will indicate that (but
diag_testport won't do that).
5) Actually the IP Protocol selection as a choice makes no
sense: diag_testport is smart enough to detect that it is
mismatched and smart enough to see an optional sourceip's protocol,
so it is smart enough to select the protocol on its own.
But if it would honor the ipprotocol for hostnames (no IP number),
then there would be some value in having that IP Protocol selection.
https://redmine.pfsense.org/issues/6714
Jun 2016 Version: 2.3 diag_traceroute.php
misspelling for "number":
'Maximum nuber of hops'
ALREADY FIXED
Jun 2016 Version: 2.3 diag_traceroute.php
the max hops for FreeBSD IPv6 traceroute6 is
255, which is the maximum allowed IPv6 "hop limit". Maybe it should
allow that? Then again, nginx may time out beyond 64?
Jun 2016 Version: 2.3 diag_traceroute.php
the IPv4 traceroute when
resolving IPs to hostnames outputs both,
but the IPv6 traceroute6 only shows the hostnames and not the
address. My suggestion is to use -l for IPv6 when not using -n.
https://redmine.pfsense.org/issues/6715
Oct 2017 Version: 2.3.3 services_snmp.php
Bind Interface drop-down had a couple empty entries:
<option value="_vip59cd5846137fa"> </option><option value="_vip59cd593b899e8"> </option>
If these _vip entries should be there, they should have some identifier
there.
Apr 2018 Version: 2.3.3 interfaces.php
suggest change of Description label to "Name"
Apr 2018 Version: 2.4.3 interfaces.php and interfaces.inc
Speed/Duplex passes along wrong values to ifconfig:
setting it on a wireless interface indicated it changed and accepted changes
but the next view of the configuration showed it back to default.
Logs had:
Apr 27 14:17:49 pfSense php-fpm[312]: /interfaces.php: The command '/sbin/ifconfig 'ath0_wlan0' media 'DS/5.5Mbps' mediaopt 'mode'' returned exit code '1', the output was 'ifconfig: SIOCSIFMEDIA (media): Device not configured'
<option value="DS/5.5Mbps mode autoselect">DS/5.5Mbps mode autoselect</option>
It should not have had "mediaopt mode".
see interface_configure()
Also, where is "media" set? I only see mediaopt.
I think the Speed and Duplex should be renamed to "Media Types and Options"
and whatever supported media (ifconfig -m) string is used probably could be
used on ifconfig arguments verbatim.
Oct 2018 Version: 2.4.3 interfaces.php
when using the DHCP Client Configuration option
the Hostname field disappears per:
if (ovr) {
hideInput('dhcphostname', true);
But interfaces.inc uses it for its substitution:
/* Apply Hostname Substitutions */
$dhclientconf = str_replace("{hostname}", $ifcfg['dhcphostname'], $dhclientconf);
To fix this, don't hide the input field, OR if it is meant to be the
system hostname, substitute $config['system']['hostname'] instead.
Apr 2018 Version: 2.4.3 status_interfaces.php
pressing SPACEBAR to attempt to scroll down on this page may trigger
the first DHCP "Release" button without the user realizing it.
I suggest that pressing SPACE on this page doesn't trigger the DHCP Release.
Nov 2017 Version: 2.3.3 status_interfaces.php
"In/out packets" is redundant with "In/out packets (pass)".
They have the same information.
See /etc/inc/pfsense-utils.inc where they have the same settings.
$ifinfo['inpkts'] = $in4_pass_packets + $in6_pass_packets;
$ifinfo['outpkts'] = $out4_pass_packets + $out6_pass_packets;
$ifinfo['inpktspass'] = $in4_pass_packets + $in6_pass_packets;
$ifinfo['outpktspass'] = $out4_pass_packets + $out6_pass_packets;
Feb 2019 Version: 2.4.3 interfaces_bridge_edit.php
multiple sentences are copied verbatim from the FreeBSD docs
without reference to the FreeBSD copyright or license.
Mar 2018 Version: 2.3.3 interfaces_vlan_edit.php
priority for VLAN "pcp" is passed to pfSense_vlan_create
but I don't see where pfSense_vlan_create() uses it.
Maybe this is related to https://forum.pfsense.org/index.php?topic=123889.0
and
https://redmine.pfsense.org/issues/4133#change-16438
for example I don't see
https://redmine.pfsense.org/attachments/download/1096/pf_pcp_tools.diff
applied
Apr 2019 Version: 2.4.3 system_advanced_network.php
has dead code for old FreeBSD for flowtable.
This flowtable value isn't used.
Apr 2017 Version: 2.3.3 diag_arp.php
probably shouldn't have a delete action for
a "permanent" entry for an IP address of a configured interface
since it will indicate that it was deleted successfully but it is really still there.
Oct 2017 Version: 2.3.3 ./widgets/widgets/wake_on_lan.widget.php
suggestion: it shows a link to DHCP leases if dhcpif is enabled.
So maybe show one for dhcpv6 too to be consistent.
Or just get rid of the DHCP link from the WoL widget.
(By the way, the dhcp leases page has send WoL packet feature for offline
leases but the dhcpv6 page does not.)
SUGGESTION Oct 2017 Version: 2.3.3 services_igmpproxy.php
in the table, suggest Name be changed to "Interface"
and Values be changed to "Alternate Network Sources"
or "Alt. Sources" or "Networks" or "Subnets".
Also suggestion: have a column for TTL Threshold.
Oct 2017 Version: 2.3.3 services_igmpproxy.php
Save button does nothing? Why Save button?
Mar 2018 Version: 2.3.3 services_igmpproxy_edit.php
Seven sentences from the igmpproxy.conf.5 man page are used verbatim.
It is GPL2 licensed but no mention of this in the php source file.
Mar 2018 Version: 2.3.3 services_igmpproxy_edit.php
SUGGESTION: only allow threshold to be an integer in 1 to 255.
Also maybe don't use "text" input form but "number"
with the min and max attributes and default of 1.
Mar 2018 Version: 2.3.3 services_igmpproxy_edit.php
The networks address form uses Form_IpAddress
but I was able to accidentally typo an IP address with two consecutive dots.
This caused igmpproxy to complain about
"Unable to parse address token",
and "Unable to parse subnet address", and
"Unknown token".
Maybe the Form_IpAddress routine can check for typos like that better
or otherwise something to prevent that bogus address getting into
the configuration.
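An added example (my own code, not pfSense's) of the kind of server-side check that would catch the typo described above before it reaches igmpproxy.conf. It assumes the field holds IPv4 addresses with an optional /prefix, which is my reading of the igmpproxy "networks" entries; the function names are mine.

```php
<?php
// Added example, not pfSense code: strict validation of an "address[/prefix]"
// network token so that typos such as "192.168..1/24" are rejected at save
// time instead of being written to igmpproxy.conf.

function validate_network_token(string $token): ?string {
    // Returns null when the token is valid, otherwise a human-readable error.
    $parts = explode('/', trim($token));
    if (count($parts) > 2) {
        return "'$token': more than one '/'";
    }
    $addr = $parts[0];
    // FILTER_VALIDATE_IP rejects empty octets ("192.168..1"), trailing dots
    // and letters; FILTER_FLAG_IPV4 restricts it to IPv4 (assumed here to be
    // what igmpproxy expects).
    if (filter_var($addr, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return "'$addr' is not a valid IPv4 address";
    }
    if (count($parts) === 2) {
        $prefix = $parts[1];
        // ctype_digit() rejects "", "-1", "24.5" and " 24"; the range check
        // rejects "/33" and above.
        if (!ctype_digit($prefix) || (int)$prefix > 32) {
            return "'$prefix' is not a valid prefix length (0-32)";
        }
    }
    return null;
}

function validate_network_list(array $tokens): array {
    $errors = [];
    foreach ($tokens as $t) {
        $err = validate_network_token($t);
        if ($err !== null) {
            $errors[] = $err;
        }
    }
    return $errors;
}

// Constructed sample input: one correct entry, the double-dot typo from the
// report, an empty prefix, and an out-of-range prefix.
$sample = ['192.168.1.0/24', '192.168..1/24', '10.0.0.0/', '10.0.0.0/40'];
foreach (validate_network_list($sample) as $e) {
    echo $e, "\n";
}
```

Only the first entry passes; the other three produce an error each, which is what the igmpproxy edit page should report instead of saving the value.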
Nov 2017 Version: 2.3.3 services_ntpd.php
complain if orphan mode is invalid.
It should not allow an invalid tos orphan of -1200, for example.
Also the code checks if less than 17, but the docs say less than 16.
I see some implementations may default to 16, but I think
15 is the upper limit for a normal stratum
and 16 means unsynchronized.
Apr 2018 Version: 2.3.3 status_ntpd.php
doesn't show the status if the acl default has noquery set.
It should still show the status if that is set
but the localhost 127.0.0.1 ACL allows queries.
So instead of checking for noquery, it could just check for
"***Request timed out".
Apr 2018 Version: 2.3.3 status_ntpd.php
the error if noquery is set says "NTP service settings" and links to
services_ntpd.php. It should say "NTP ACL settings" and link to
services_ntpd_acls.php and maybe indicate it is about "noquery".
Apr 2019 Version: 2.4.3 services_ntpd_gps.php
if there is no /dev/cua device (gpsport), then indicate on the page
that this feature is not enabled and not available.
Apr 2018 Version: 2.3.3 services_ntpd_pps.php
ppsfudge1 / fudge1 input form is "text".
SUGGEST: Add some check to make sure is a T_Double or T_Integer (in NTP terminology).
SUGGEST: And ppsrefid / refid add a check to make sure is only
four characters. Not sure, but probably shouldn't have spaces
since /etc/inc/system.inc just dumps it as is into configuration.
Apr 2018 Version: 2.3.3 /etc/inc/system.inc
does not use ntpd pps stratum as seen in the config.xml.
It is defined with a form in services_ntpd_pps.php
$config['ntpd']['pps']['stratum'] = $_POST['ppsstratum'];
but this is not used.
I do see code for it for "gps" but not "pps".
So it defaults to 0.
SUGGEST: also consider using "number" instead of "text" for its input field
and restrict it to 0 to 15.
Also the code checks for stratum less than 17, but I think the numbers are
0 to 15, so check should be less than 16.
Unless 16 is to mean unsynchronized. I don't even know if all NTPs support 16.
Apr 2018 Version: 2.3.3 services_ntpd_pps.php
and /etc/inc/system.inc
both have code for
$config['ntpd']['pps']['noselect'])
which would be $_POST['ppsselect'])
but there is no addInput form for it. No way to configure it.
May 2017 Version: 2.3.3
vpn_openvpn_server.php
server table list for Description has:
<?=htmlspecialchars(sprintf('%s (%s)', $server['description'], $server['dev_mode']))?>
but if dev_mode is not set it is empty so it displays ().
in this case the config.xml doesn't have the dev_mode set because
it was created using the wizard.
Maybe set it to tun as is the default.
or don't display the empty () parenthesis.
May 2017 Version: 2.3.3
openvpn_validate_port() has:
if (empty($value ...
so when passing zero it complains
(because empty("0") is TRUE in PHP):
"The field 'Local port' must contain a valid port, ranging from 0 to 65535"
While I would want it to check for not 0,
the above message says zero is okay and the
vpn_openvpn_server.php addInput form for it allows it.
Make the fix in both places.
https://redmine.pfsense.org/issues/7565
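An added example (my own code, not pfSense's openvpn_validate_port()) showing the empty() trap and a validator whose behaviour matches its own message. The message text mirrors the one quoted above; the $first_port parameter and function name are my assumptions.

```php
<?php
// Added example, not pfSense code. empty() is true for both 0 and "0", so a
// check built as
//   if (empty($value) || !is_numeric($value) || $value < $first_port || $value > 65535)
// rejects a port of 0 even when its error text says 0 is allowed.
var_dump(empty("0"));   // bool(true)
var_dump(empty("80"));  // bool(false)

// Returns false when the port is acceptable, otherwise the error string.
// $first_port is the lowest port allowed: 0 only when 0 is meaningful for
// the field, otherwise 1. Either way the check and the message agree.
function validate_port_strict($value, string $name, int $first_port = 1) {
    $value = trim((string)$value);
    // ctype_digit() separates "missing" ("") from "zero" ("0") and rejects
    // signs, spaces and exponents that is_numeric() would accept ("1e3").
    if (!ctype_digit($value)) {
        return sprintf("The field '%s' must contain a valid port, ranging from %d to 65535.",
                       $name, $first_port);
    }
    $port = (int)$value;
    if ($port < $first_port || $port > 65535) {
        return sprintf("The field '%s' must contain a valid port, ranging from %d to 65535.",
                       $name, $first_port);
    }
    return false;
}

// Constructed inputs: the message and the check now agree in both modes.
foreach (["0", "1194", "65536", "", "1e3", "-1"] as $v) {
    printf("%-8s first_port=1: %s\n", "'$v'",
           validate_port_strict($v, 'Local port', 1) ?: 'ok');
    printf("%-8s first_port=0: %s\n", "'$v'",
           validate_port_strict($v, 'Local port', 0) ?: 'ok');
}
```

With first_port=1 the value "0" is rejected and the message says "1 to 65535"; with first_port=0 it is accepted and the message says "0 to 65535". The form's min attribute should be set to the same $first_port so the two places cannot drift apart again.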
May 2017 Version: 2.3.3 FIXED /etc/inc/openvpn.inc
used vpn_openvpn_server.php to set dh_length
but only three /etc/dh-parameters.NUM files are available,
but drop-down allows others resulting in:
openvpn[34890]: Options error: - -dh fails with '/etc/dh-parameters.3072': No such file or directory
Note that code for other dh-parameters is commented out.
https://redmine.pfsense.org/issues/7566
May 2019 Version: 2.4.4-p3 /etc/inc/openvpn.inc
openvpn_get_curvelist() uses sort
for the openvpn show-curves option
but it has mixed-case.
Maybe use natcasesort() or SORT_FLAG_CASE.
May 2017 Version: 2.3.3 vpn_openvpn_server.php
see function mode_change()
it has two switch (value) blocks that can be merged.
And it has hide/show calls that have no effect,
like server_tls has:
hideInput('shared_key', false);
but autokey_change() hides it anyway.
This code needs to be cleaned up.
May 2017 Version: 2.3.3 FIXED vpn_openvpn_server.php
Address Pool
sets pool_enable.
I don't see any code that uses it, like not in /etc/inc/openvpn.inc
What uses this code?
https://redmine.pfsense.org/issues/7567
May 2017 Version: 2.3.3 FIXED vpn_openvpn_server.php
d44942d3477c609e37794dc31c36fcd5c4435fbb
configures client_mgmt_port
but as far as I can tell this number is not used
and the management is using a Unix domain socket and not a TCP port.
https://redmine.pfsense.org/issues/7568
May 2017 Version: 2.3.3 FIXED wizards/openvpn_wizard.xml
7120ef411c122e67f6585be13fb89daa9df9a152
This is a wizard behavior which can cause confusion or mistakes.
A wizard saves its settings to config.xml
and if you use the wizard again it may prepopulate fields.
So if you use the wizard once to set up an LDAP server
and later set up a RADIUS server, it may have the 389 port number
(for LDAP) prepopulated for the RADIUS port. Even though it has
the correct number in the note below, the common usage for pfSense is
to prepopulate with defaults. In this case, the field is wrong.
https://redmine.pfsense.org/issues/7569
May 2017 Version: 2.3.3
openvpn_wizard.xml
I skipped creating a cert and when finished it took me back to
select or add a certificate. After creating one,
it took me to the next wizard screen but it still had the error message
"Please choose a Certificate." at the top.
https://redmine.pfsense.org/issues/7570
May 2017 Version: 2.3.3 vpn_openvpn_server.php and vpn_openvpn_csc.php
and /etc/inc/openvpn.inc
have code related to NetBIOS Data Distribution Server
nbdd_server_enable and nbdd_server1
but I don't see any code or GUI to configure it or display it.
Maybe is stale code?
May 2017 Version: 2.3.3 vpn_openvpn_csc.php
allows creating new configurations for existing
configurations by using the same Common Name
and local OpenVPN server name.
The most recent CSC entry edited or added takes precedence.
This could result in a confusing setup if the pfSense
admin added many CSC and didn't realize this happened.
May 2017 Version: 2.3.3
vpn_openvpn_csc.php
has netbios_ntype and netbios_scope
but openvpn_add_dhcpopts() in etc/inc/openvpn.inc
has dhcp_nbttype and dhcp_nbtscope
I noticed this when configuring a CSC, but I also
see the mismatch names in vpn_openvpn_server.php
I see ./etc/inc/upgrade_config.inc has the variable names
but opposite of etc/inc/openvpn.inc.
While here, a second issue: the scope ID input is missing its 'Scope ID' label,
as the form has "null" for it.
May 2017 Version: 2.3.3
be consistent for vpn pages for disabled view.
For openvpn server and clients it uses the disabled class with 50% opacity
but the CSC overrides view has a "Disabled" column that says "Yes".
For ipsec it has Disable/Enable toggle button
and also uses the 50% opacity view.
The main thing that I don't like is that when disabled
even the "Actions" icons are translucent which seems to imply
that they aren't clickable even though they are.
May 2017 Version: 2.3.3
vpn_openvpn_client.php has Related settings shortcut to
vpn_openvpn_server.php
but that is misleading and for normal pfSense use it is not
"Related".
As an example, the server's page doesn't have a related settings
shortcut pointing to clients (as it should not).
https://redmine.pfsense.org/issues/7571
May 2017 Version: 2.3.3
vpn_openvpn_client.php and /etc/inc/openvpn.inc
Has checkbox to enable "Infinitely resolve server"
but the resolv-retry infinite config is used anyway if it is a client.
This is a client. In addition, OpenVPN 2.3 has this enabled
by default. I don't see anything here to set it to 0 (zero) to
disable it. To explain a different way, the config.xml has:
<resolve_retry></resolve_retry> while the openvpn$NUM.conf still has:
"resolv-retry infinite".
I suggest getting rid of the feature since it is the default behavior
and is always set here.
Or if you keep it, make unchecked mean "0" and don't set it by
default for the client either.
https://redmine.pfsense.org/issues/7572
May 2017 Version: 2.3.3
vpn_openvpn_client.php
shows the Peer Certificate Revocation list option
when non-TLS shared key server mode is selected but not when TLS
mode is selected.
See the hideLabel definitions for it. Is this reversed?
See vpn_openvpn_server.php as the (correct) opposite approach.
If this is already as desired, add some hint why it is useful that way.
While there consider having this option displayed after the certref option.
May 2017 Version: 2.3.3 FIXED vpn_openvpn_client.php
473f7ec48f7510a60ade574ef32b09f4abaa6b9a
text for Tunnel Networks says "The second network address will be assigned".
It uses openvpn_get_interface_ip() which uses gen_subnetv4()
and then ip_after(). This is misleading as it could be considered
that the first address is the address returned by gen_subnetv4()
so really the "third" network address will be assigned by some
understandings.
Some say the first is the "network address" but that is the
terminology used here and the second is the "first IP".
My recommendation is simply to clarify the help text.
This may be needed for IPv6 and the other openvpn pages too.
https://redmine.pfsense.org/issues/7573
May 2017 Version: 2.3.3
vpn_openvpn_client.php
compression defaults to No Preference so "comp-lzo" is not
set in configuration.
But the openvpn manual says "make sure the client-side config file
enables selective compression by having at least one - -comp-lzo
directive ... this will ... allow a future directive push from the
server to dynamically change the on/off/adaptive setting."
The manpage is confusing as also hints that adaptive is the default.
I recommend you change the user interface default to
"adaptive" so it sets "comp-lzo adaptive" to make sure.
"No Preference" seems to imply there is a preference
so maybe reword or fix this (in /etc/inc/openvpn.inc and for
vpn_openvpn_server.php too).
PROBABLY FIXED IN a4b3624650 bug #7064
May 2017 Version: 2.3.3
/etc/inc/openvpn.inc
The openvpn manual says:
Note: Using - -topology subnet changes the interpretation of the
arguments of - -ifconfig to mean "address netmask", no longer "local
remote".
And also says:
TUN devices in - -topology subnet mode (which create virtual
"multipoint networks"), - -ifconfig is used to set an IP address
and subnet mask ...
(The manual example also shows it.)
But openvpn.inc when using tun still sets ifconfig (conf option)
using $ip1 for client and $ip2 for server instead of the $mask.
I didn't test this but it doesn't follow the docs.
This may need to be fixed so the second argument is the mask.
I did read
https://forum.pfsense.org/index.php?topic=103331.0
https://redmine.pfsense.org/issues/7574
May 2017 Version: 2.3.3 FIXED vpn_openvpn_client.php
85d564f0fd278d27f1a2ff89214bf297676bfd0c
Does the route_no_exec feature for "Don't add/remove routes"
even work? I don't see any use of route-up script.
Also while here see the setHelp text shows "- -route-upscript"
which should have a space between up and script.
This text is just verbatim from the man page (which has the space).
https://redmine.pfsense.org/issues/7575
Nov 2017 Version: 2.3.3 pkg_mgr_install.php
not really a bug but a suggestion:
the package installation output shouldn't be editable;
for example pressing space or return in it, intending to scroll,
actually inserts that content.
Nov 2017 Version: 2.3.3 pkg_mgr_installed.php
The key after the list of installed packages is misleading
as it says "Newer version available"
and "Package is configured but not (fully) installed"
These may be misinterpreted to imply that is applicable to the last
or some package that is listed above.
Suggest: Say "Key".
Also suggest having an associated icon with the text.
Currently no icon is displayed with those two links in the key.
Nov 2017 Version: 2.3.3 pkg_mgr_installed.php
for the Package Dependencies it links to:
href="https://freshports.org/' . $pdep['origin']
which assumes it is a real FreeBSD package.
The "bind" package's dependency links to
https://www.freshports.org/dns/bind-pfsense
which does not exist.
maybe if "pfsense" is part of the name don't link to freshports?
May 2017 Version: 2.3.3
pkg_mgr.php
The table shows Version for the package then
the dependencies show same package name with different version.
This is confusing.
For example it shows: arping 1.2.2_1 depends on arping-2.15_1
To clarify, I recommend the Version column be renamed to
"pfSense pkg Version"
and the "Package Dependencies:" be changed to "FreeBSD Package Dependencies:"
(I assume all are from FreeBSD packages.)
https://redmine.pfsense.org/issues/7583
I NO LONGER recommend that since they aren't always FreeBSD packages.
My new recommendation is to list FreeBSD Package Dependencies versus
pfSense Package Dependencies.
pfSense package names contain "pfsense-".
By the way, why do some packages have "-pkg-" as part of the name
and some don't (like pfsense-bind911-9.11.1P1)?
And why are some packages with capital "S" in pfSense and some don't?
And why does check_reload_status name not contain "pfsense"?
Oct 2017 Version: 2.3.3 services_pppoe_edit.php
error says: "The field Remote start address is required."
This is for remoteip, but the form field is called
"Remote Address Range".
May 2018 Version: 2.4.3 services_pppoe_edit.php
pppoe_dns1 allows junk, maybe should use Form_IpAddress for it
set ipcp dns 8987 7987 gfdsjg 797u @ ; ``
May 2018 Version: 2.4.3 services_pppoe_edit.php
I don't see any code using $pppoecfg['radius']['acct_update']
The "set auth acct-update" is not configured.
Is the "RADIUS Accounting Update" even used?
Add to /etc/inc/vpn.inc a check for acct_update and add
"set auth acct-update" to the mpd configuration.
May 2018 Version: 2.4.3 services_pppoe_edit.php
the radiussecret (and secret2) kept disappearing so I had to enter them again.
I was able to reproduce this several times.
I assume this has to do with the DMYPWD usage and the existing
password not being retrieved and re-saved.
May 2018 Version: 2.4.3 services_pppoe_edit.php
When saving and it errors
(like "The field RADIUS shared secret is required"), then the
form loses the User Table entries.
Having to re-enter users details is frustrating.
This is caused by the $pconfig = $_POST; during the save.
Later used with $usernames = $pconfig['username']; which does not exist
(after the save).
The form uses the colon-delimited username. The POST does not.
(It only converts to colon-delimited when no errors to save.)
The config.xml stores as single "username"
but the form uses username0, password0, ip0, username1, password1, ip1,
username2, password2, ip2, etc.
See the ~14 lines of code when no error and saving which populates
the $pppoecfg['username'].
That idea can be reused to set $pconfig['username'] if POSTing (and there
was an error).
I MADE A PATCH FOR THIS.
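An added example (my own illustration, not pfSense code and not the patch as I submitted it) of the two conversions the fix needs: collapsing the numbered POST fields into the single stored string on an error so $pconfig['username'] exists, and expanding that string back into form rows. The entry format, space-separated user:base64(password)[:ip], is my reading of services_pppoe_edit.php and is an assumption here; the function names are mine.

```php
<?php
// Added example, not pfSense code. Keeps the PPPoE User Table populated after
// a failed save by rebuilding the config-style string from the numbered POST
// fields, and shows the reverse conversion used when rendering the form.
// Assumed stored format: "user:base64(password)[:ip]" entries separated by
// spaces, so usernames must not contain ':' or ' '.

// Collapse username0/password0/ip0, username1/... into the config format.
function pppoe_users_from_post(array $post): string {
    $entries = [];
    for ($i = 0; isset($post["username{$i}"]); $i++) {
        $user = trim($post["username{$i}"]);
        if ($user === '') {
            continue;                       // blank row in the table
        }
        $entry = $user . ':' . base64_encode($post["password{$i}"] ?? '');
        $ip = trim($post["ip{$i}"] ?? '');
        if ($ip !== '') {
            $entry .= ':' . $ip;
        }
        $entries[] = $entry;
    }
    return implode(' ', $entries);
}

// Expand the config string back into the numbered form fields.
function pppoe_users_to_form(string $users): array {
    $form = [];
    if (trim($users) === '') {
        return $form;
    }
    foreach (explode(' ', trim($users)) as $i => $item) {
        $tuple = explode(':', $item);
        $form["username{$i}"] = $tuple[0];
        $form["password{$i}"] = base64_decode($tuple[1] ?? '');
        $form["ip{$i}"] = $tuple[2] ?? '';
    }
    return $form;
}

// Constructed POST, as the page would see it on a save that then fails
// validation (for example a missing RADIUS shared secret).
$post_sample = [
    'username0' => 'alice', 'password0' => 's3cret',  'ip0' => '10.10.0.2',
    'username1' => 'bob',   'password1' => 'hunter2', 'ip1' => '',
    'username2' => '',      'password2' => '',        'ip2' => '',
];

// On an input error, set $pconfig['username'] from the POST so the renderer,
// which reads the colon-delimited string, still shows the rows.
$pconfig = $post_sample;
$pconfig['username'] = pppoe_users_from_post($post_sample);
echo $pconfig['username'], "\n";
// alice:czNjcmV0:10.10.0.2 bob:aHVudGVyMg==

print_r(pppoe_users_to_form($pconfig['username']));
```

The same pppoe_users_from_post() result is what gets written to $pppoecfg['username'] on a successful save, so doing the conversion in one helper and calling it in both branches avoids the two paths diverging.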
May 2018 Version: 2.4.3 /etc/inc/vpn.inc and services_pppoe_edit.php
I don't see any code to use the pppoe radius server2 (or server2 secret2)
settings.
I set it and do see in config.xml but not in its /var/etc/pppoe1-vpn/mpd.conf
file.
Nov 2017 Version: 2.3.3 system_gateways_edit.php
if there is a mistake with the IP, the Interface change will be reset back to the previous value
even though it was changed.
Apr 2019 Version: 2.4.3 system_gateways_edit.php
force_down is misleading.
The gateway is still set in the routing table as the default
and dpinger is still running for it.
Why does the status page say "offline" when it really is not offline?
So basically the only change is to make the gateway selection
for firewall rules a no-op, so no policy routing.
Make this more clear on the interface webpage.
Because it is up but marked "offline" on the status page, that is misleading too.
Apr 2019 Version: 2.4.3 system_gateways_edit.php
Suggestion: check for max data_payload size since dpinger checks it.
Maybe is 65487 bytes for IPv4 and 65507 bytes for IPv6?
Mar 2018 Version: 2.3.3 /etc/inc/gwlb.inc
return_gateway_groups_array() compares trigger with strings
"loss" or "latency" but system_gateway_groups_edit.php and config.xml
has them as digits.
Note that if "loss" is meant to match a string it would match two triggers
("Packet Loss" or "Packet Loss or High latency") and
the same for latency: it would match two triggers ("Packet Loss" too).
These checks versus the configuration don't make sense.
Jun 2016 Version: 2.3 FIXED? system_advanced_misc.php
https://github.com/pfsense/pfsense/pull/2868
system_advanced_misc.php has:
$config['system']['srctrack'] = $_POST['source-tracking-timeout'];
but as far as I see no source-tracking-timeout sent
shouldn't it be same as
$pconfig['srctrack'] ?
Jun 2016 Version: 2.3 diag_routes
"Rows to display" is off by one as it includes
the header line too. If you choose 10 you would want ten lines of results
data to display
https://redmine.pfsense.org/issues/6705
Jun 2016 Version: 2.3 diag_routes
"Use a regular expression to filter IP address or hostnames" actually works to match any field like flags, mtu, netif; I suggest it is kept the way it works and fix the description to not limit to just the address or hostname
https://redmine.pfsense.org/issues/6706
Jun 2016 Version: 2.3
syntax error in the PHP execution in Command Prompt menu
should not cause a crash detection to suggest reporting to pfSense
https://redmine.pfsense.org/issues/6702
Jun 2016 Version: 2.3
suggestion for the Edit File have the input box have some
description or label like "Path name" or "File name or directory"
https://redmine.pfsense.org/issues/6703
Apr 2017 Version: 2.3.3
diag_edit.php will give warning "Loading a directory is not supported."
but after clicking Browse and getting a directory listing, that
warning is not cleared; it still displays same warning even though is now
irrelevant
Maybe update print_info_box after successes.
https://redmine.pfsense.org/issues/7589
Jun 2016 Version: 2.3
Edit File "Go to Line" selection box allows negative numbers and
line numbers longer than the file contains
https://redmine.pfsense.org/issues/6704
Apr 2017 Version: 2.3.3
diag_edit.php
if you are browsing the directory hierarchy, and enter a filename
and click save, it will write a zero byte file to that filename.
Note there was no data to write but the edit display was showing
the directory layout.
I suggest if a browse directory view is displayed then
the Save button should be disabled
or the save should indicate no data to save while in directory
browsing view and to not do anything.
https://redmine.pfsense.org/issues/7590
Apr 2017 Version: 2.3.3
top is missing the CPU: header like
CPU: 3.9% user, 0.0% nice, 2.4% system, 0.4% interrupt, 93.3% idle
This is a limitation in the top implementation on FreeBSD
(seen outside of pfsense).
It is filled in, in interactive mode, after the rest of the display
is drawn, but in batch mode the line is blank.
I filed a bug report against it in FreeBSD:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218889
Jun 2019 Version: 2.4.4-p3 status_graph_cpu.php
nothing graphed anymore, but it used to work.
It now just shows an empty graph with a huge number continually
increasing like 709637894%
Nov 2017 Version: 2.3.3 miniupnpd is not a package?
The get_services() function in etc/inc/service-utils.inc
has miniupnpd as installedpackages feature.
Now I see that status_upnp.php and various /etc/inc/
code do it that way.
It is not a pfSense package but core pfSense, so this is somewhat confusing.
The /usr/local/pkg/miniupnpd.xml is "pkg".
This appears to be only "pkg" style feature in system that is not
a package.
If this is the way things are moving to, then this is okay,
but please document it.
Or maybe because it was easier to use pkg_edit for it? Still explain.
If this is not the future, then add comments to code or change
code so developers aren't confused that miniupnpd is a package.
Nov 2017 Version: 2.3.3 etc/inc/service-utils.inc
The get_services() function is missing some network services:
dhcpdv6 (using dhcpd -6),
pppoe server (using mpd4),
and
l2tp (using mpd4).
(Could consider filterdns too?)
Sep 2018 Version: 2.4.3 /etc/rc.initial.setlanip
if enter a blank DHCP starting address, it aborts
and goes back to the menu without any error message.
If this is desired then previously say "if blank this exits" or
something like that.
Note that a bogus value will just prompt again for the start address.
Sep 2018 Version: 2.4.3 /etc/rc.initial.setlanip
if enter a default gateway for the LAN and later for the WAN,
only the LAN one will be there.
If you use this #2 again and leave the LAN gateway blank (just
press enter), the <gateway_item> for it in the config.xml is not
removed and the netstat -rn still shows it too.
May 2016 Version: 2.3 console shell
using exec sh causes exiting the shell to also close the SSH session:
Enter an option: read: read error: Input/output error
Also "exec sh" at the tcsh prompt works at console, but when exiting
the menu redisplays but then says "You have stopped jobs" and
"[1] + Stopped (tty input) /etc/rc.initial" and you are back at the sh
prompt.
May 2016 Version: 2.3 developer shell
ctrl-c in the Developer Shell shouldn't exit ssh session
May 2016 Version: 2.3 /usr/local/sbin/pfSsh.php contains
$tccommands[] = "master";
$tccommands[] = "RELENG_1_2";
but this code is unused
also what uses tccommands?
May 2016 Version: 2.3 developer shell
in pfSsh = does nothing as the currentline is replaced
May 2016 Version: 2.3 developer shell
"exec" all exclamation marks are escaped if first character has it
May 2016 Version: 2.3 developer shell
listpkg
Warning: Invalid argument supplied for foreach() in /usr/local/sbin/pfSsh.php(345) : eval()'d code on line 11
May 2016 Version: 2.3 developer shell
disabledhcpd name is inconsistent: why disabled vs disable?
May 2016 Version: 2.3 developer shell
why does it do this twice:
unset($config["interfaces"]["wan"]["blockbogons"]);
unlink_if_exists("/tmp/config.cache");
...
unlink_if_exists("/tmp/config.cache");
unset($config['interfaces']['wan']['blockbogons']);
May 2016 Version: 2.3 developer shell
externalconfiglocator
cannot run twice since
Cannot redeclare get_boot_disk()
via the include of /etc/ecl.php
May 2016 Version: 2.3 developer shell
can this even work?
$locations_to_check = array("/", "/config");
foreach ($locations_to_check as $ltc) {
$tocheck = "/tmp/mnt/cf{$ltc}config.xml";
checks for /tmp/mnt/cf/config.xml and /tmp/mnt/cf/configconfig.xml
but the file would be at /tmp/mnt/cf/conf/config.xml
May 2016 Version: 2.3 developer shell
also get_boot_disk and get_swap_disks don't work
since modern systems use ufsid labels but later try to compare
with device names
May 2016 Version: 2.3 developer shell
listpkg does not work, references an array that doesn't exist
Playback of file listpkg started.
Installed packages:
Warning: Invalid argument supplied for foreach() in /usr/local/sbin/pfSsh.php(345) : eval()'d code on line 11
I checked with:
if (!is_array($config['installedpackages']['package'])) {
echo "not an array\n";
return;
}
It appears to be fixed in 2.4.3
May 2016 Version: 2.3 developer shell
"svc" cannot run twice in the developer shell since
Cannot redeclare usage()
Aug 2018 Version: 2.4.3 /etc/rc.initial
has internal choice "100" to use links text browser
but that isn't usable at all with the pfsense webgui.
It may say successful login but neither the menu panel nor the dashboard
appears.
Suggestion: if this is to verify the webConfigurator is up
then have it go to some webpage for that.
Maybe put a testing php page under /usr/local/www for this?
Feb 2019 Version: 2.4.3 /etc/inc/shaper.inc
FAIRQ hogs "Bandwidth limit for hosts to not saturate link"
should use the normal bandwidth and bandwidth type like form
as user won't know to enter "1Kb" for example.
Feb 2019 Version: 2.4.3 firewall_shaper.php
some content is verbatim to pf.conf(5) but no license about it.
Feb 2018 Version: 2.3.3 firewall_shaper.php
For a child queue, it accepts a missing name.
So the shaper list has an icon with no name.
And clicking "By Queue" may say "No Queue Configured/Selected"
with an icon below it, and the icon may be overlooked or misunderstood.
SUGGEST: that the queue name be required (don't allow it to be empty).
That is a common requirement for many places in pfsense.
Feb 2019 Version: 2.4.3 firewall_rules_edit.php
Please re-order the ackqueue and defaultqueue selections
since they are used in opposite order and the first one (currently)
cannot even be used unless the second one is defined.
Jan 2019 Version: 2.4.3 ./wizards/traffic_shaper_wizard_dedicated.inc
displayname has "Interface \& Scheduler"
but should be separate "Interface" and then "Scheduler" for the
respective inputs.
Also section header says "connection speed"
but that is not there for all interfaces.
Jun 2016 Version: 2.3 traffic_shaper_wizard_dedicated.xml
scheduler types
drop-down are marked as "Local interface" and "WAN interface".
Change to also say "Schedule Type".
While there note that "interface" is started with lowercase "i"
in some uses and uppercase "I" in other uses.
Also maybe add "speed" or "rate" and maybe "measurement" or "units"
for the upload and download parameters.
Jun 2016 Version: 2.3 traffic_shaper_wizard_dedicated.xml
minor bug; the traffic_shaper_wizard_dedicated.xml
page has both Penalty Box and PenaltyBox (no space); be consistent?
Jun 2016 Version: 2.3 traffic_shaper_wizard_dedicated.xml
doesn't have a check
to make sure at least the P2P catchall or a specific protocol is selected
Jun 2016 Version: 2.3 traffic_shaper_wizard_dedicated.xml
minor bug, the traffic_shaper_wizard_dedicated.xml
P2P page has a mix of "Peer to Peer" (no dashes), "Peer-to-Peer",
"p2p" (lowercase) and "P2P"; be consistent?
Jun 2016 Version: 2.3 traffic_shaper_wizard_dedicated.xml
"other Applications"
says "raise or lower ... higher than most". That grammar of "lower...
higher" doesn't read well. Maybe just end the sentence at "protocols."
Feb 2018 Version: 2.3.3 firewall_rules_edit.php
config says "In / Out pipe" but error says "In and Out Queue"
May 2019 Version: 2.4.4-p1 ./src/etc/inc/shaper.inc
consider adding parameters for FQ_PIE for flow, limit, and quantum
like the FQ_CODEL feature options in pfsense.
There are sysctls for them too.
net.inet.ip.dummynet.fqpie.quantum: 1514
net.inet.ip.dummynet.fqpie.limit: 10240
net.inet.ip.dummynet.fqpie.flows: 1024
Jun 2016 Version: 2.3 the Traffic Shaper / Limiters page has
the "By Interface" info help that is about the tree, queues, and
buttons. But there is no "tree" by default. Also maybe "Limiters" should
be explained. Maybe from /etc/inc/shaper.inc
Jan 2019 Version: 2.4.3 firewall_shaper_vinterface.php
the child queue config has a Packet Loss Rate menu,
but setting it does nothing.
Get rid of the option here?
But the ipfw man page says plr can be configured for queues.
By the way, buckets for a queue are not displayed by "ipfw pipe show"
or "ipfw queue show", but are in /tmp/rules.limiter.
(They are displayed for a pipe.)
Feb 2018 Version: 2.3.3 firewall_shaper_vinterface.php
if you have a limiter in use and then uncheck the Enable button,
save, and then apply changes, "ipfw pipe show" still shows that limiter.
The /tmp/rules.limiter may not list it but the ipfw config is still
there as it is not deleted.
The Enable checkbox does work to enable, but unchecking it does nothing
once the limiter was loaded.
Delete Limiter button does work though - the ipfw pipe disappears.
Jan 2019 Version: 2.4.3 firewall_shaper_vinterface.php
clicking Delete Limiter button pops up
"The last row may not be deleted." alert.
This happens to me every time.
See ./js/pfSenseHelpers.js
I don't think the context makes sense when deleting a limiter.
Or needs more explanation.
Jan 2019 Version: 2.4.3 firewall_shaper_vinterface.php
When clicked "Delete this queue" button and okayed it,
I saw repeated 8 times:
"This pipe/queue is referenced in filter rules, please remove references from there before deleting."
But I already removed it and was not used by any filter rule.
I think it was caused by having no Name. Name was empty.
The child queue didn't get deleted.
And the child queue cannot be edited to add a name.
Aug 2016 Version: 2.3 FIXED firewall_shaper_vinterface.php
action item should link to diag_limiter_info.php for Related Status.
And the diag_limiter_info.php should NOT have a Related status
action item pointing to itself.
May 2019 Version: 2.4.4-p3 firewall_shaper_vinterface.php
My logs showed:
/rc.filter_configure_sync: The command '/sbin/ipfw /tmp/rules.limiter' returned exit code '65', the output was 'Line 4: 2 <= queue size <= 100'
That config had: queue 1 config pipe 1 queue 102 ...
My Queue length (qlimit) was set to 102.
Don't allow a qlimit outside of the allowed range.
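A validation check for the qlimit field, as an added example (not pfSense's own code): it rejects a queue length before it reaches /tmp/rules.limiter so ipfw never refuses the whole file. The upper bound ipfw tests against is the FreeBSD sysctl net.inet.ip.dummynet.pipe_slot_limit (default 100), which is the origin of the "2 <= queue size <= 100" message in the log above; the function reads it through pfSense's get_single_sysctl() helper when that exists and otherwise assumes ipfw's fallback of 100. The inputs at the bottom are constructed, starting with the author's failing 102.

```php
<?php
// Added example, not pfSense code: validate a limiter queue length (qlimit)
// before it is written to /tmp/rules.limiter.
//
// Assumption: ipfw checks slot-based queue sizes against the sysctl
// net.inet.ip.dummynet.pipe_slot_limit (default 100), falling back to 100
// when it cannot read the sysctl. get_single_sysctl() is pfSense's helper;
// the fixed fallback keeps this runnable on any system.

const QLIMIT_MIN = 2;

function dummynet_slot_limit(): int {
    if (function_exists('get_single_sysctl')) {
        $v = (int) get_single_sysctl('net.inet.ip.dummynet.pipe_slot_limit');
        if ($v >= QLIMIT_MIN) {
            return $v;
        }
    }
    return 100; // ipfw's own fallback when the sysctl is unavailable
}

/**
 * Returns an error message in the style of pfSense's $input_errors[], or
 * null when $qlimit is acceptable. An empty value means "not set" and is
 * accepted because the dummynet default then applies.
 */
function validate_qlimit(string $qlimit, ?int $max = null): ?string {
    $max = $max ?? dummynet_slot_limit();
    if ($qlimit === '') {
        return null;
    }
    if (!ctype_digit($qlimit)) {
        return 'Queue length must be a whole number of packets.';
    }
    $n = (int) $qlimit;
    if ($n < QLIMIT_MIN || $n > $max) {
        return sprintf('Queue length %d is outside the range %d-%d allowed by ipfw.',
            $n, QLIMIT_MIN, $max);
    }
    return null;
}

// Constructed inputs: the author's 102 from the log, plus edge cases.
foreach (['102', '50', '1', '100', '', '10k'] as $q) {
    $err = validate_qlimit($q, 100);
    printf("qlimit=%-6s %s\n", var_export($q, true), $err ?? 'ok');
}
```

The check is done in slots only, which is what the shaper page writes; if a byte-sized queue were ever supported, ipfw compares against net.inet.ip.dummynet.pipe_byte_limit instead and the validator would need a second branch.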
Mar 2018 Version: 2.3.3 interfaces_qinq_edit.php
autoadjustmtu is referenced in code but I don't see it used anywhere.
Mar 2019 Version: 2.4.3 interfaces_ppps_edit.php
help doc hints are taken verbatim from the mpd documentation without
referencing its copyright and license
Mar 2018 Version: 2.3.3 interfaces_ppps_edit.php
advanced options toggle button on PPP or PPPoE types
introduces new settings above the button while also
a new section titled Advanced Configuration appears below the button.
This may be confusing as the admin may not notice the new
displayed options in both places.
Since only some link types have a few advanced options,
suggest always displaying them for those types specifically.
Feb 2018 Version: 2.3.3 /etc/inc/interfaces.inc
interface_gre_configure() has:
if (isset($gre['link1']) && $gre['link1']) {
but it is a checkbox with
<link1></link1>
so it may be defined but have no value, and the body of the if conditional
never runs.
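The failure mode above in runnable form, as an added example (not code from interfaces.inc): the quoted condition beside the usual pfSense checkbox test, applied to a GRE entry with the element present but empty and to one without it. It assumes, as the text indicates, that the config parser maps `<link1></link1>` to an empty string value for `$gre['link1']`; the two sample entries are constructed.

```php
<?php
// Added example, not pfSense code: why `isset($x) && $x` never fires for a
// checkbox that the config stores as an empty element such as <link1></link1>.
// Assumption: pfSense's config parser yields $gre['link1'] === '' for it.

// The condition quoted from interface_gre_configure(): true only when the
// value itself is truthy, which an empty string never is.
function gre_link1_as_written(array $gre): bool {
    return isset($gre['link1']) && $gre['link1'];
}

// The checkbox convention used elsewhere in pfSense: the element being
// present at all means "checked". isset() is true for '' (only null fails it).
function gre_link1_by_presence(array $gre): bool {
    return isset($gre['link1']);
}

// Constructed config entries: one with the box checked, one without.
$cases = [
    'checked   (<link1></link1>)' => ['if' => 'wan', 'remote-addr' => '192.0.2.1', 'link1' => ''],
    'unchecked (no element)     ' => ['if' => 'wan', 'remote-addr' => '192.0.2.1'],
];

foreach ($cases as $label => $gre) {
    printf("%s  as_written=%-5s by_presence=%s\n", $label,
        var_export(gre_link1_as_written($gre), true),
        var_export(gre_link1_by_presence($gre), true));
}
```

The same pitfall applies to any flag stored as an empty element; if a check needs a real value (for example a numeric option), the element must carry one in the XML, otherwise `isset()` alone is the test to use.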
Mar 2018 Version: 2.3.3 easypass
firewall logs showed gif0 entries. Easy pass allowed it
"Interface: GIF0"
but when tried to save it failed with:
"Invalid interface for pass rule"
Easy pass shouldn't get that far or it should provide some assistance
or firewall rules should allow FreeBSD devices like gif0.
(My workaround was to create a new OPT2 interface for
gif0 and enable it.)
Mar 2018 Version: 2.3.3 head.inc
SUGGEST: include all the interface types (like QinQs, GREs, etc)
in $interfaces_menu if they are defined.
Apr 2019 Version: 2.4.3 pkg_mgr_install.php
after setting fwbranch to devel on the update settings page and saving,
the main system update page shows the branch as devel,
but the latest base version number shown is the stable version
instead of the long date-stamped development version number.
May 2019 Version: 2.4.4-p1 system_update_settings.php
Suggestion for ./widgets/widgets/system_information.widget.php
If disablecheck is set, still have an icon to show
the latest version on the dashboard's System Information widget.
Just have disablecheck not auto-update the package list
or download the pfSense-repo packages
unless the admin specifically clicks a button to do a one-time
version check.
It can still show when the last (manual) check was done.
Apr 2019 Version: 2.4.3 /etc/phpshellsessions/gitsync
"Remove files that we do not want to overwrite the system with"
list has /etc/fstab twice.
Mar 2017 Version: 2.3.3
my user has the
page-diagnostics-dns privilege, which provides DNS lookups
but also allowed the user to create an alias
"Created from Diagnostics-> DNS Lookup".
But now the user cannot see this alias nor has any way to remove it
(because that needs the page-firewall-aliases privilege).
I'd suggest that capability to do DNS lookups diagnostics shouldn't
also allow addition of aliases.
https://redmine.pfsense.org/issues/7584
Mar 2017 Version: 2.3.3 system_usermanager.php
it allowed creating a user whose name starts with a dash.
The user is created in the config but was not added to /etc/passwd.
For FreeBSD, "The login name must not begin with a hyphen (`-')".
I didn't see any logging about this failure.
pw useradd complains: "pw: invalid character `-' at position 0 in userid/group name".
I suggest the preg_match in system_usermanager.php reject username
starting with a dash.
Also recommend if pw fails, then capture and log and report that
failure.
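Both suggestions above as an added example (not pfSense's own code): a login-name validator that rejects a leading hyphen, and a command wrapper that captures the exit status and stderr of a failed pw(8) run so the failure is logged and returned instead of lost. The accepted character set (letters, digits, '.', '_' and '-' after the first character, '$' only as the last one) is my reading of pw's own rules and goes beyond what the page states about the hyphen; the sample names and the simulated pw failure are constructed so the script runs offline.

```php
<?php
// Added example, not pfSense code: reject login names that FreeBSD's pw(8)
// would refuse, and surface a pw failure instead of losing it silently.
// Assumption: pw accepts [A-Za-z0-9_.-] with no leading '-' and '$' only last.

function validate_login_name(string $name): ?string {
    if ($name === '') {
        return 'The username may not be empty.';
    }
    if ($name[0] === '-') {
        return 'The username may not begin with a hyphen (-).';
    }
    if (!preg_match('/^[A-Za-z0-9_.][A-Za-z0-9_.-]*\$?$/', $name)) {
        return 'The username contains a character pw(8) does not accept.';
    }
    return null;
}

/**
 * Run a command, capturing stderr together with stdout and the exit status,
 * so that a message such as "pw: invalid character `-' at position 0 in
 * userid/group name" is logged and handed back to the caller.
 */
function run_logged(string $cmd): array {
    $output = [];
    $rc = 1;
    exec($cmd . ' 2>&1', $output, $rc);
    if ($rc !== 0) {
        // pfSense would call log_error(); error_log() keeps this self-contained.
        error_log(sprintf("command '%s' returned exit code %d: %s",
            $cmd, $rc, implode(' ', $output)));
    }
    return ['rc' => $rc, 'output' => $output];
}

// Constructed names, starting with the author's failing case.
foreach (['-admin', 'reed', 'jo.reed-2', 'svc$', 'bad name', ''] as $n) {
    printf("%-12s %s\n", var_export($n, true), validate_login_name($n) ?? 'ok');
}

// Simulated pw failure (the real call would be `pw useradd ...`): the exit
// status and the stderr text are both captured rather than discarded.
$r = run_logged('sh -c "echo pw: invalid character at position 0 in userid/group name >&2; exit 1"');
printf("simulated pw: rc=%d output=%s\n", $r['rc'], implode(' ', $r['output']));
```

Validating in system_usermanager.php keeps the config and /etc/passwd consistent; logging the pw result catches whatever the regex still lets through.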
Mar 2017 Version: 2.3.3 system_usermanager.php
using firefox 48.0
pressing enter on the System> User Manager > Users page
will trigger the Delete and will prompt to delete users
even if no users are selected.
My suggestion is not have pressing Enter do anything and especially not
Delete.
Mar 2017 Version: 2.3.3 system_usermanager.php
I entered an ampersand (&) in the Full name
and it was written to master.passwd and /etc/passwd as
&amp;amp;
Note this is HTML entity encoding, done twice.
This is also shown in the Users table.
Mar 2017 Version: 2.3.3 FIXED system_usermanager.php
fc1913fef29fbc7f90e8e2fe9374b761411f09ae
The checkbox for showcert "Click to create a user certificate"
when adding a new user does nothing, the cert-options class is not displayed.
Or what is that checkbox supposed to do?
https://redmine.pfsense.org/issues/7585
Sep 2018 Version: 2.4.3 system_usermanager.php?act=new
when adding a new user and you click Save with some details missing
(like the password), the form is displayed again.
But (if you have a CA) the previously displayed checkbox
"Click to create a user certificate" is not displayed again.
Sep 2018 Version: 2.4.3 system_usermanager.php?act=new
when adding a new user
and when the "Click to create a user certificate" checkbox is
clicked and you save without a "Descriptive name"
it should complain. This is required to add a new certificate
and since the checkbox is checked this implies you wanted to add it.
Maybe prepopulate it with the username entry?
Mar 2017 Version: 2.3.3 system_usermanager.php
User Certificates view is missing the "Action" table header.
Also as a feature request have link to the
certificate management page to actually see the cert details
(and maybe remove the certificate).
Mar 2017 Version: 2.3.3
feature request
system_certmanager.php?act=new&userid=n
when adding a certificate specifically assigned to a user,
have the system_certmanager.php page say the username at the top.
(Especially since it is different than when the page is not
for a userid.)
Mar 2017 Version: 2.3.3
system_certmanager.php?act=new&userid=n
when the method "existing" is selected,
the descr field is not used (it is ignored, which is confusing since this form differs).
Maybe only display the descr input box for the forms that need it.
Mar 2017 Version: 2.3.3 FIXED system_usermanager_addprivs.php
feature request: system_usermanager_addprivs.php
should say what user and fullname is having the privileges added to
for the userid (like the system_groupmanager_addprivs.php does)
easy fix: $section = new Form_Section('User Privileges for '. $a_user['name']);
https://redmine.pfsense.org/issues/7586
Mar 2017 Version: 2.3.3
new users are part of the "nobody group".
If multiple real users are part of same group, it lowers
security since now they are not a "nobody". You have no idea
what tool's umask or group modes may be set later (even default
is group read) so users may be able to access others' files.
While it is common to use a shared group, "nobody" may be used
for some network services or other program and now the users may
have new privileges related to things that the pfSense developers
may not imagine. If you really want to use some single group,
don't use "nobody".
Mar 2017 Version: 2.3.3 system_usermanager.php:
feature request:
add the username to the Are you sure you wish to delete user? prompt
(didn't check recently but maybe for vpn_l2tp_users.php too?)
Mar 2017 Version: 2.3.3
feature request
system_groupmanager.php
allow configuring the Assigned Privileges for a new "Add" group
and not just when editing an existing group
Mar 2017 Version: 2.3.3
feature request
system_groupmanager.php in its ?act=edit view:
when deleting a single privilege, go back to the edit view
so you can see the change.
Currently it takes you back to the all groups view where you have to
click edit again to see the privilege changed.
Mar 2017 Version: 2.3.3
system_groupmanager.php in its ?act=edit view,
when removing a privilege, uses a local privid
which gets reassigned each time the list of privileges for a group
changes.
So if a pfSense admin mistakenly presses the back button in the browser
or otherwise reloads the same delpriv action page, it may have the
consequence of removing an unrelated privilege (because it now has that privid).
(If the privid is the last number then it wouldn't matter.)
This simple mistake could lock out some pfSense user
or make them lose some capability that is not noticed for some time.
(I didn't check if this problem exists in the user view too.)
My suggestion is to use the unique identifiers that
already exist (like "page-xmlrpclibrary") instead of an arbitrary
number that changes.
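The replay hazard described above, as an added example (not code from system_groupmanager.php): a delete keyed by position in a re-indexed array beside one keyed by the privilege name. The group array is a simplified, constructed stand-in for a group entry under $config['system']['group']; the privilege names are pfSense-style identifiers chosen for illustration.

```php
<?php
// Added example, not pfSense code: deleting a privilege by its position is
// not idempotent once the list is re-indexed, so a replayed request (browser
// Back, reload, double click) removes a different privilege. Deleting by the
// privilege's own name is idempotent.
// The $group array is a constructed stand-in for a pfSense group entry.

$group = [
    'name' => 'ops',
    'priv' => ['page-all', 'page-xmlrpclibrary', 'page-diagnostics-dns', 'page-firewall-aliases'],
];

// The pattern the page describes: privid indexes the current array and the
// array is re-indexed after each change, so the same privid now names the
// privilege that moved into the deleted slot.
function delpriv_by_index(array $group, int $privid): array {
    if (isset($group['priv'][$privid])) {
        unset($group['priv'][$privid]);
        $group['priv'] = array_values($group['priv']);
    }
    return $group;
}

// Safer: identify the privilege by its stable name. A replayed request
// finds nothing to remove and leaves the group unchanged.
function delpriv_by_name(array $group, string $privname): array {
    $group['priv'] = array_values(array_filter(
        $group['priv'],
        function ($p) use ($privname) { return $p !== $privname; }
    ));
    return $group;
}

// The admin intends to drop page-xmlrpclibrary (index 1), then the
// identical request is replayed.
$g1 = delpriv_by_index($group, 1);
$g1_replayed = delpriv_by_index($g1, 1);
echo "by index:        ", implode(', ', $g1['priv']), "\n";
echo "by index replay: ", implode(', ', $g1_replayed['priv']), "\n";

$g2 = delpriv_by_name($group, 'page-xmlrpclibrary');
$g2_replayed = delpriv_by_name($g2, 'page-xmlrpclibrary');
echo "by name:         ", implode(', ', $g2['priv']), "\n";
echo "by name replay:  ", implode(', ', $g2_replayed['priv']), "\n";
```

In the index-based run the replay takes page-diagnostics-dns as well, because it slid into slot 1 after the first delete; in the name-based run the replay is a no-op. Keying the delete link on the privilege name (and answering the state-changing request with a redirect so Back does not resubmit it) removes the hazard.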
Mar 2017 Version: 2.3.3 FIXED system_groupmanager_addprivs.php
feature request.
Please sort the list of privileges in the form
like is done in the system_usermanager_addprivs.php form using
uasort and its admusercmp function.
There is a comment saying "sort it" but does not appear to be done.
https://redmine.pfsense.org/issues/7587
Mar 2017 Version: 2.3.3 system_authservers.php
feature request
system_authservers.php
change order of LDAP Server Settings
so Transport
is before
Port value
since it changes the Port value.
Note that selecting the transport resets any custom port also.
Mar 2017 Version: 2.3.3
feature request
system_authservers.php
the text-danger feedback from "Select a container"
such as "Could not connect ..."
will go to the bottom of the page and may be overlooked.
Suggest having that output go next to the button.
Mar 2017 Version: 2.3.3
system_authservers.php field has "Group naming attribute" to
set ldap_attr_group (which is preset to cn for all three templates).
It is also in ./wizards/openvpn_wizard.inc
I don't see ldap_attr_group (without the "obj" suffix) used anywhere.
The field is required but doesn't appear to be used.
Jun 2016 Version: 2.3
the diag_authentication "related status" icon links to same page :)
https://redmine.pfsense.org/issues/6701 THIS WAS RESOLVED BUT ONLY ONE PART WAS FIXED. SHOULD I OPEN NEW TICKET?
May 2017 Version: 2.3.3
vpn_l2tp_configure in /etc/inc/vpn.inc
has killbypid and sleep(8) even if starting it for first time.
I suggest it should check if file_exists() first.
Note that killbypid via sigkillbypid does check for that
but wrap both with it since the sleep(8) is done regardless.
May 2017 Version: 2.3.3 FIXED vpn_l2tp_configure in /etc/inc/vpn.inc
can use $l2tpcfg['wins'] for NetBIOS name server (NBNS) information
but that "wins" is not configured anywhere.
If it is not desired, then remove that stale code?
(I did see similar for vpn_pptp.php but this bug is about l2tp.)
May 2017 Version: 2.3.3 FIXED vpn_l2tp.php
recommend confirming that DNS servers l2tp_dns1 and l2tp_dns2
are IP addresses. Check this right in vpn_l2tp.php
since vpn_l2tp_configure silently checks it.
Also while there complain if l2tp_dns2 is set but l2tp_dns1
is not, since vpn_l2tp_configure won't use it if the first is not set.
May 2017 Version: 2.3.3 FIXED vpn_l2tp.php
says when RADIUS is set "The local user database will
not be used."
and vpn_l2tp_users.php also shows:
"RADIUS is enabled. The local user database will not be used."
I don't see any configuration to turn "internal" off
(like "set auth disable internal").
It is not clear if this is about what type of users,
like L2TP mpd.secrets, or what.
But if it is about mpd.secrets then that is used after RADIUS
and is enabled by default.
(see http://mpd.sourceforge.net/doc/mpd31.html#31)
https://redmine.pfsense.org/issues/7561
May 2017 Version: 2.3.3
in vpn_l2tp.php
Remote address range remoteip is required even if
RADIUS issued IPs radiusissueips is set.
Per vpn_l2tp_configure remoteip is not used if radiusissueips is set.
(as it sets to undocumented 0.0.0.0/0 peer).
Is remoteip really required?
While there, only set clientip if radiusissueips is not set.
https://redmine.pfsense.org/issues/7562
May 2017 Version: 2.3.3
vpn_l2tp_users.php
Suggestion: consider allowing IP/Subnet for the user.
mpd supports this for restricting to a range
instead of a specific IP.
https://redmine.pfsense.org/issues/7563
Feb 2018 Version: 2.3.3 status_logs_vpn.php?logfile=l2tps&vpntype=l2tp
Click Time column header to sort and the Time column reversed
but the Log Message fields stayed the same.
Click it again and all fields change and
click it again and all fields change back.
Seems like the first use of the sorting is broken.
I don't see this problem with status_logs.php.
May 2017 Version: 2.3.3 FIXED
the logging shortcuts for vpn_l2tp.php and vpn_l2tp_users.php
and vpn_l2tp_users_edit.php all go to same:
status_logs_vpn.php?vpntype=l2tp which does not exist.
and takes you to default PPPoE Logins view (instead of best L2TP).
the fix in shortcuts.inc is:
-$shortcuts['l2tps']['log'] = "status_logs_vpn.php?vpntype=l2tp";
+$shortcuts['l2tps']['log'] = "status_logs_vpn.php?logfile=l2tps&vpntype=l2tp";
You could have a new shortcut configuration for the users vs. config
but I think it is fine as is.
https://redmine.pfsense.org/issues/7564
Aug 2018 Version: 2.4.3
If you don't complete the setup_wizard quickly enough on the first attempt,
your session expires. Then
when you log back in you no longer get the setup wizard.
It should return to the setup_wizard automatically
if it hasn't been done yet,
or at least indicate that it is still needed.
(I do know you can go to it via menu, but a first time admin may not know.)
Jan 2016 Version: 2.3
The "here" link on the installation wizard screen was broken for me
since it didn't include my port number.
That appears to be FIXED in 2.3.5.
As a workaround I can click on the logo to get to the default Dashboard display.
Jun 2019 Version: 2.4.4-p3 head.inc
SUGGESTION: for no privilege, set the $system_menu link text in head.inc
to "User Password" (instead of "User Manager")
for the link to /system_usermanager_passwordmg.php.
Oct 2017 Version: 2.3.3
PPPoE appears in the VPN logging
but not in the VPN menu; inconsistent?
Jun 2016 Version: 2.3 head.inc
SUGGESTION: if there is a crash, maybe add to the Diagnostics menu:
Crash Reporter
Also misspelling: enountered on crash_reporter.php
Jun 2019 Version: 2.4.4-p3 head.inc and index.php
SUGGESTION: have the crash detection on every head.inc page
instead of just dashboard index.php.
Nov 2017 Version: 2.3.3 status_wireless.php
The info details at the bottom list flags.
The
"A = authorized, E = Extended Rate (802.11g), P = Power saving"
entries are wrong for the scan list.
This may be confusing and need two keys?
NOTE: I see this was based on bugs in the FreeBSD manual. I reported there:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223794
Actually it has "P" twice. The second one is correct.
Don't get the flags and capabilities confused.
Flags are the first character string of single-letter flags.
The later ones are capabilities, which are always multi-letter
acronyms.
Get rid of "Capabilities:" from these info details.
Nov 2017 Version: 2.3.3 status_wireless.php
The Nearby table header has RSSI, but this is not the single calculated
receive signal strength indicator. It is both signal and noise (S:N).
The FreeBSD source code shows it is converted back from the RSSI:
(sr->isr_rssi/2)+sr->isr_noise, sr->isr_noise
Change the table header to what ifconfig shows: "S:N".
Nov 2017 Version: 2.3.3 status_wireless.php
The status page header for associated stations shows: ERP
but the ifconfig list sta output has "FLAG" for that field.
Please change to FLAG.
Buy the pfSense Essentials book from
Amazon,
Barnes&Noble,
or your favorite book store.