Version 3.1, published 2011-05-18

This release mainly switches from using Kaspersky to using Avira as the underlying anti-virus engine for HTTP, SMTP, and FTP scanning. Additional changes are:

- The /var/tmp directory can now optionally reside on the hard disk (if used) instead of being mounted as tmpfs. This is required when using the Avira engine, as it consumes more space in /tmp (but less system memory compared to Kaspersky).
- Bugfixes in the connection-manager to better re-start IPsec connections in some corner cases.
- Optimized execution time of the main firewall script by removing general loops for chain creation and letting the web interface create only those chains required for the specific rule set.
- Recompiled strongswan (IPsec IKEv1 and IKEv2 daemon) to support NAT-traversal for transport mode connections, which is needed for VPNs from iPhone and Android mobile devices.
- Enabled fail2ban brute-force password cracking protection for the web interface.
- Updated jetty JARs to version 4.2.27 to fix CVE-2004-2381 (to prevent potential denial-of-service).

Version 3.0, published 2010-01-04

This is a major new release, updating to kernel 2.6 and Debian 5.0 Lenny as base system and splitting the web interface into frontend and backend parts in preparation for centralized management tools.

- Full support for IPv6, both in routing, firewall rules, and application level proxies/daemons, including automatic 6to4 and static 6in4 tunnels. Adding globally reachable IPv6 addresses to a local network is now a simple procedure: enable an automatic 6to4 tunnel, which needs almost no manual configuration.
- Policy routing setup via web interface (for example source-based routing) with support for multiple default routes in fail-over as well as (static) load-balancing configurations. This includes Internet connection fail-over handling with a primary and (multiple) backup upstream connections and IPSec tunnel fail-over.
- Official support for WLAN interfaces.
  Gibraltar can now act as a WLAN access point with or without WPA(2) encryption and optionally with a captive portal for guest access. This has been tested with Atheros MiniPCI cards, but should in principle work with any WLAN card supported by the new in-kernel mac80211/nl80211 stack. Also included is a madwifi version patched and tested for stability to support older Atheros chipsets not yet supported by ath5k/ath9k.
- In preparation for managing multiple firewalls with one user interface, the core modules (network settings, firewall, nat, traffic shaping) have been split into backend and frontend. Remote management support will begin with the next release and will be extended in future versions.
- The web interface now more consistently uses aliases for hosts, networks, and services, which must be defined before using them in rules. This change helps to maintain a better overview in large rule sets.
- Added firewall and NAT rules overview pages that span all input and output interfaces.
- Added layer7 match support to mark traffic based on protocols instead of ports. This is not supported for firewall rules, but works well for traffic shaping purposes.
- OpenVPN can now be used without client certificates for direct integration with LDAP or Microsoft Active Directory. This allows simple set-up of road-warrior clients: the same OpenVPN configuration can be used on all clients and can therefore be deployed automatically. Users then authenticate with their standard accounts.
- Use of kernel 2.6 (currently based on 2.6.30.x with security enhancements).
- A fresh and more standardized base system using Debian 5.0 "Lenny".
- Multiple PPP dial-in interfaces can be used (for example ADSL and UMTS as backup) with specific interface names. pppd has been patched to support the "ifname" configuration option to rename interfaces on successful connection. This supports specific firewall and NAT rules as well as policy routing for (upstream) PPP links.
- Use before-queue instead of after-queue filtering for integrating amavisd. This cuts down on bounce mail processing and thus decreases the typical mail queue length.
- Using udev instead of devfs.
- Using upstart instead of the older init package. Combined with udev, this significantly speeds up typical boot times.
- Using initramfs-tools with additional hooks instead of the previous mkinitrd-cd package built especially for Gibraltar. This avoids the requirement to specify root= kernel command line arguments to boot from compact flash or hard disk instead of from CD. It should also save on future development efforts by merging upstream development of initramfs scripts with the ones used by Debian and Ubuntu, and it also allows using the same boot options for ISO and appliance/USB bootup. All Gibraltar atomic update functionality has been ported for image updates.
- Using mainline squashfs format 4.0 now and dropping our own kernel patches.
- ISO images now contain a compressed (squashfs) filesystem to make them smaller.
- Using aufs overlay mounts instead of only tmpfs for /var and /etc. This minimizes RAM usage and the size of the config.tgz configuration by storing only those files that were changed with regard to the default. In addition to significantly decreasing the size of stored configurations, this change also allows simpler auditing of changes. /system/etc-static and /system/var-static are no longer required, bringing the base system even closer to a standard (but hardened) Debian install.
- Hard disks are now mounted under /var/persistence and will only contain a subset of the whole /var tree to simplify updates between major versions.
- Using Debian update-rc.d for enabling/disabling automatic starting of services (init scripts) on bootup instead of the older runlevel.conf scheme.
- Using rsyslog instead of syslog-ng.
- Installed the zabbix-agent package for better integration with the Zabbix monitoring package (we use it extensively both internally and for our customers, with good experience in terms of stability and scalability). Included additional checker scripts.
- Updated to heartbeat2 for firewall high-availability, although it is still used in compatibility mode. Support for more than 2 nodes will be added in future versions.
- Added support for commercial JonDonym cascades with pre-paid vouchers. Dropped the anon-proxy version of the JAP/JonDonym client in favor of a special Java version that is directly integrated with the web interface.
- Updated squid to version 3.
- Using strongswan instead of openswan for mature IKEv2 support. The web interface will support setting IKEv2 for tunnels in a future version; on the shell it can already be used.
- Installed the *top packages for easier monitoring/debugging support on the shell.
- Initial dashboard support to present the most important status information on the entry page.
- Added simple mail queue handling in the web interface.

Version 2.6, published 2008-07-15

This is a feature release focussing on changes in the interface with few modifications at the base system. This release received the highest amount of in-house testing so far and is thus to be considered stable during the upcoming developments for Gibraltar 3.x.

- New web interface module for configuring snort as IDS, which is now officially supported. Please note that we strongly recommend registering with VRT to receive an update code (in either the free or the commercial variant) and that the shipped community rules should only be used when registering is, for some reason, not possible in the specific case.
- Puresight is now better supported in its Enterprise version.
- SSL Explorer (TM) integration has been changed slightly so that plugins can now be installed via its normal administration interface.
- Substantially improved traffic shaping by re-ordering iptables marking rules and improving pre-defined traffic classes. If traffic shaping is in use, we strongly recommend upgrading to this release.
- New extensive connection-manager script to support multiple uplinks and alternative IPSec tunnels (currently for fail-over with partial load-balancing support).
- Installed hostapd and added web interface support for configuring access point functionality (focussed on madwifi supported cards at the moment).
- Virus scanning for HTTP, POP3, and FTP is now possible without requiring a hard disk due to tweaks in config files and careful management of a temporary /var storage area (such as tmpfs).
- A new spamassassin module for classifying languages has been included and can be configured using the web interface.
- Also installed madwifi-tools and updated kernel modules to version 0.9.4 for better access point capabilities.
- Updated ntop to version 3.2.
- Updated ppp to version 2.4.4 with an additional patch for the "ifname" option so that multiple PPP connections can be supported more easily (e.g. for multiple concurrent uplinks).
- Updated snort to version 2.7.0 and installed its new dependency libpng12.
- Updated djbdns to fix resolving from some broken DNS servers.
- Updated HAVP to version 0.88.
- Updated tor to version 0.1.2.18.
- Some minor changes to boot and init scripts to better support our upcoming GSG500 that does not feature any usual console support but has optional WLAN (access point) support.

Version 2.5, published 2007-09-08 (Happy 60th Birthday, dad!)

This is a feature release, and integrates SSL Explorer and Puresight HTTP content filtering as major new features. Additionally, the traffic shaping interface has been significantly improved and now makes use of IMQ for ingress shaping as well as egress. The fourth major new feature is the integrated user management via LDAP/Radius, either with internal databases or external LDAP or Active Directory servers.
- Updated kernel to 2.4.34. This fixes a few security-relevant issues and IDE problems with some hard disks. Additionally added support for SIP connection tracking and NAT, and patches to allow network card interrupts to feed the in-kernel random pools. This should fix depletion of kernel entropy, and thus blocking of /dev/random, on systems with high network load but low IDE/SCSI bus activity (and without a hardware random number generator). Updated the Broadcom tg3 driver to version 3.66d.
- Updated openswan to version 2.4.6, both the kernel and the user space parts. This fixes more NAT-Traversal corner cases and a pluto memory leak.
- Added a watchdog shell script that checks if /var becomes too full and performs automatic cleanup when necessary. Due to log rotation, this should typically not be an issue, and the script is thus considered safety-belt code.
- The update-rollback script, which is used to switch to the previous version in case the new one has problems, is now more careful not to change the loopback filesystem while it is still mounted (although it is read-only anyway). Rollback is now a two-step process, the same way that the update is: update-rollback will only put the files in place, and the actual rollback will happen during the next reboot.
- Some minor changes in the default config.
- Updated spamassassin to version 3.1.7 and support automatic updating of spamassassin rules with sa-update.
- Updated razor to 2.810 and amavisd-new to 2.4.2.
- Installed the fuzzyocr3 package from Debian experimental to counter the increasing image spam. Installed the required dependencies gifsicle, libldbm-sync-perl, libstring-approx-perl, libungif-bin, and the OCR engine ocrad.
- Installed the Pdf plugin for spamassassin and the xpdf-utils package it depends upon (in addition to ocrad). Dependencies for xpdf-utils are xpdf-common and libpaperg.
- Added the ulogipac package for writing accounting information of high-speed networks into MySQL databases. This should help ISPs.
  Also added the libcommoncpp2 package that ulogipac depends upon.
- Added the tofrodos package to make it easier to work with text files that have been written on or modified with Windows systems (conversion of line endings).
- Changed the default behaviour in case of a (hopefully very unlikely) kernel panic: "kernel.panic = 30" in /etc/sysctl.conf for automatic reboot after a 30s delay.
- Try to auto-detect IDE controllers and automatically load the respective kernel IDE modules to support DMA transfers.
- Now include manual pages in the CF/USB image, even if it makes it bigger by slightly over 11MB. But they are really useful...
- Updated the radvd package to version 1.0.
- Updated the havp package to version 0.85.
- Updated the discover-data package to version 2.2007.05.11 for newer PCI IDs, and its dependency pciutils to version 2.2.4-1. This solves problems with automatic network card detection for the new GSG3000 and GSG2800 appliances.
- Installed sslexplorer 0.2.13 community edition from sourceforge with initial integration into the web interface.
- Updated sasl2-bin, libsasl2, libsasl2-modules, libsasl2-modules-kerberos-heimdal, and libsasl2-modules-gssapi-heimdal to version 2.1.19 and compiled with SSL/TLS support. Also updated the dependencies krb5-clients, krb5-doc, krb5-user, libkrb51, libkadm55 to version 1.3.4 and installed the dependency libcomerr2 1.35.
- Updated openvpn to version 2.0.9, closing denial of service and other issues.
- Updated lsb-base to version 3.1-23.1.
- Updated apache to version 1.3.33 (which now depends on apache2-utils) and installed libapache-mod-perl for the Puresight Enterprise management interface. This depends on libdevel-symdump-perl 2.02-1.
- Patched dnscache for better (read: correct) CNAME handling with a patch from http://homepages.tesco.net/J.deBoynePollard/FGA/djbdns-problems.html.
- Updated the discover-data package to 2.2007.05.11 for better detection of new network cards and its dependencies file to 4.12, libpci2 to 2.1.11, and sed to 4.1.4. Also increased the default maximum cache size for dnscache from 1 to 5MB.
- Updated libsasl2 to 2.1.19 and its dependency kerberos libs to 1.3.4.
- Updated ntop to version 3.2.
- Installed the br2684ctl package for PPPoE via ATM (bridging) mode on ADSL connections (e.g. to iNode with a Speedtouch USB modem). Also installed the dependency libatm1.
- Installed squidalyzer for interactive Squid log file analysis with its dependencies libdbi-perl, libcgi-perl, libtime-modules-perl, libgd-text-perl, libgd-graph-perl, and libdbd-mysql-perl.

Version 2.4.1, published 2006-08-29

This release includes two main new features: logging and monitoring of local system parameters and network usage, and tools for providing anonymity. Although these two aims might seem contradictory, they are not. The anonymity is provided against ISPs, server admins, institutions and governments, while logging is only done locally, under the control of the local admin.

In response to the current plans for in-advance logging of communication details within the EU, this release includes software packages for anonymous communication. It is my understanding of the principles of today's republics that freedom of speech is one of the basic civil rights. The behavior of many EU governments is, at least at the moment, contrary to this belief. So please use the provided software for anonymity wisely. We neither support nor endorse any illegal behavior. Nonetheless, we think that anonymity should be provided by default. If you want to surf the web anonymously (so that neither your ISP nor the web master can trace your habits), you just need to enable the anon-proxy service and select it in the (optionally transparent) HTTP proxy. It will be slower, but it seems important to do so as a political statement.
Phil Zimmermann stated it already in 1996 (cf. http://www.philzimmermann.com/EN/essays/Testimony.html) that centralized surveillance is unhealthy for today's societies and can be dangerous:

  But while technology infrastructures tend to persist for generations, laws and policies can change overnight. Once a communications infrastructure optimized for surveillance becomes entrenched, a shift in political conditions may lead to abuse of this new-found power. Political conditions may shift with the election of a new government, or perhaps more abruptly from the bombing of a Federal building.

Let Orwell's 1984 not become a reality too soon!

- Security fixes: Updated libssl0.9.6, libssl0.9.7 and clamav packages to fix IDEF1169, IDEF1180, ZDI-CAN-004, CAN-2005-3239, CAN-2005-2920, CAN-2005-2919, CVE-2005-2969, CAN-2004-0975, CAN-2004-0079, CVE-2005-2969, CVE-2006-1989, CVE-2006-1614, CVE-2006-1615, and CVE-2006-1630. Also installed the lsb-base package, which the new clamav-daemon depends upon.
- Updated kernel to 2.4.32, which has a few bug fixes. Also added the IMQ patch to now allow real ingress traffic shaping and traffic shaping over multiple network interfaces. iptables has been patched as well to support the IMQ target. This kernel also adds a patch for the KLIPS IPSec part to fix a rare IRQ stack overflow condition for high-bandwidth tunnels.
- Tightened the default policies slightly:
  - Instead of allowing all ICMP packets, only allow echo-request, echo-reply, ttl-exceeded, destination-unreachable.
  - Set net.ipv4.conf.all.arp_ignore=2 so that ARP requests are only answered when a client comes from the same subnet. The detailed description for this value is "reply only if the target IP address is local address configured on the incoming interface and both with the sender's IP address are part from same subnet on this interface".
  - Set net.ipv4.icmp_echo_ignore_broadcasts=1. A firewall should not really respond to broadcast pings.
- Network cards are now identified by their PCI bus id instead of by their MAC address. This allows swapping a broken network card for another one in the same slot without any reconfiguration. It also allows using a configuration image on another hardware appliance of the same type without any reconfiguration at all.
- Installed anon-proxy, which uses chains of intermediate servers (called mixes) to anonymise HTTP traffic. The mix selected by default in this release is provided by the University of Dresden in Germany and is known to actively resist companies that try to get access to user data by suing. It is their policy not to log any data (unless a court has ordered logging for crime investigation purposes). It depends on the new package libxerces1.
- Installed the most recent stable version of freenet (version 5100). Please be aware that you will need enough hard disk space to use freenet efficiently. At least 256MB is recommended, but we recommend reserving 4GB or more. Freenet can also consume a noticeable amount of bandwidth if not throttled. Freenet also uses a lot of system memory, and we recommend more than 256MB RAM for best results.
- Installed tor and the libevent1 library and tsocks package that it depends on. tor implements onion routing for anonymization of arbitrary TCP connections.
- Installed mixmaster, an anonymous remailer, and the libhtml-tree-perl and newer libwww-perl perl packages it requires.
- Installed the torrus logging framework and the libraries it depends on: libtemplate-perl, libappconfig-perl, libberkeleydb-perl, libxml-libxml-perl, libproc-daemon-perl, libnet-snmp-perl, libapache-session-perl, libxml2, libxml-sax-perl, libxml-namespacesupport-perl. This release ships with an extensive default configuration for logging local system and network statistics and is integrated with the web interface.
- Updated the KasperskyLabs anti-virus engine to their most current version 5.5.
  This necessitates new license files, so please ask office@gibraltar.at for an update of your file if you use Kaspersky already.
- No longer use my own squid anti-virus scanning plugin, but switch to the havp proxy server. This gives us more flexibility in filtering the HTTP stream and allows implementing trickling and on-the-fly scanning in a secure manner.
- Installed the havp 0.79 package and its dependencies libstdc++3 and gcc-3.0-base. havp is, starting with this upstream version, a fast HTTP anti-virus scanner that can scan while streaming and use multiple scanner engines in parallel.
- This release disables clamav by default (i.e. no automatic updates of the database, and it can no longer be enabled in the web interface), because clamav had many security issues in the last months and keeps changing the API. It can currently not be supported appropriately and in a timely manner.
- Added the rng-tools package and auto-start it when a VIA Nehemiah CPU is detected on first bootup. This allows using the hardware random number generator and thus greatly speeds up e.g. Jetty startup, SSH key generation, IPSec key agreement, etc.
- Updated the procps package to be able to use "vmstat -s" for getting many CPU statistics.
- Updated the Java runtime from Blackdown 1.3 to Sun J2RE 1.5.0. This was necessary for freenet and should generally speed up the web interface.
- Updated the amavisd-new package to version 2.4.0, including necessary updates to the libcompress-zlib-perl, libconvert-uulib-perl, libmime-perl_5.420, and libnet-server-perl packages. Also updated the /bin/run-parts tool to a newer version to support the now required --list option.
- Installed amavis-stats to log details of the mail relay (i.e. the number of legitimate emails, the number of emails with viruses and the number of SPAM emails) and generate RRD databases for the torrus framework. Also installed the packages it depends on: rrdtool, wwwconfig-common.
- Updated the rrdtool, librrd2 and librrds-perl packages. This update needs the libart-2.0-2 and ttf-dejavu packages.
- Installed the mailgraph package for logging statistics from postfix, i.e. how many messages have been sent, received, rejected, and bounced.
- Installed smokeping for logging and graphing connection latencies and packet losses. It depends on the new packages fping, echoping, and speedy-cgi-perl.
- Installed wflogs in favor of fwlogwatch, because it adds more details to its reports and allows resolving MAC addresses to vendors.
- Installed ulogd for more efficient iptables logging. Now that Gibraltar provides support for logging and monitoring, much heavier use is made of iptables logging, making syslog too inefficient. This also allows sending netfilter logs to an external mysql server (postgresql support is currently not compiled in). ulogd is not enabled yet by default; you need to enable it manually if you need high-performance logging. Future Gibraltar versions will probably use it by default.
- Installed midentd, an ident server with masquerading support for better interoperation with servers that require proper ident responses (i.e. some IRC servers).
- Installed squid-prefetch, to allow automatic prefetching of linked web pages for quicker surfing.
- Removed the cricket logging framework in favor of the more flexible (but larger) torrus.
- Added a slightly modified version of the chillispot hotspotlogin.cgi (which basically reads its uamsecret from the local chilli.conf) to the cgi-bin directory. jetty now serves cgi-bin with its new default configuration so that this is already accessible. In this release, chilli.conf needs to be configured manually for a captive portal, but the next release will include a web interface module for setting it up.
- Added new kernel modules "ip_preselect" and "arp_arpfake" that can be used for failover and load-balancing of multiple default routes, i.e. for using multiple Internet connections efficiently.
  Credit goes to Alexander Stieglecker for these modules, which were created as part of his master thesis ("Diplomarbeit").
- Updated openswan to 2.4.0, which finally fixes a pluto crash under certain circumstances (although it has always been restarted automatically). This update also introduces IPSec aggressive mode in addition to the main mode. Please note that setting aggressive mode can be insecure (it reveals the identity of the IPSec peers) and is not supported by the web interface.
- Added the possibility to rename PPP interfaces that are used for dial-out (e.g. for connecting to the Internet via ADSL PPPoE or PPPoA). This makes it easier to distinguish between outgoing (i.e. Internet connection) and incoming (e.g. IPSec/L2TP clients) PPP interfaces.
- Added gibraltar-task-* meta packages which just depend on certain Debian packages necessary for some feature. This allows using deborphan to check which packages are not strictly necessary for the provided features (and which are thus potential candidates for future removal).
- Installed powernowd for dynamic CPU speed adjustment depending on the CPU load. This works with every platform supported by the kernel cpufreq subsystem.
- Updated snort to version 2.3.2. This version also supports the inline mode for using snort as an IPS instead of an IDS. Installed libnet0, which is needed by the snort inline mode.
- Installed oinkmaster for automatic snort rules updates and the libio-zlib-perl package it depends on.
- Removed the ipac-ng package. It was not flexible enough for consistent IP accounting. Thus, accounting functionality is now implemented with iptables rules written by the web interface and queried with the torrus framework.
- Installed fwgold 2.0.12 beta.
- Updated spamassassin to 3.1.0a, amavisd-new to 2.3.3 and installed the now necessary support packages libarchive-zip-perl, libconvert-binhex-perl, libhtml-parser-perl, libmailtools-perl, and libmime-perl.
  This is a major update of the spam filter infrastructure, which should now be up-to-date again. It also introduces the sa-update script that is used periodically to update the spamassassin rules database; it should thus stay up to date now. Needed to manually update Time::HiRes from perl CPAN, since it is included with perl 5.8 and thus there is no separate Debian package for it. The same goes for Digest::MD5, Convert::UUlib, and Compress::Zlib. Thus, the libtime-hires-perl, libdigest-md5-perl, libconvert-uulib-perl, and libcompress-zlib-perl packages are no longer really used, but just fulfill dpkg dependencies right now (the updated modules are under /usr/local/lib/).
- Added the SMTP submission port (587) to the postfix master.cf to allow road warriors to use Gibraltar as an SMTP host. This port is now opened by default by the postfix process (in addition to the SMTP port 25), but is of course not opened by firewall rules; this needs to be done by the administrator. This port only accepts TLS secured connections and accepts emails only after successful authentication.
- Updated the pptpd package to version 1.2.1. This version has been changed to support a maximum of 1024 instead of 100 concurrent connections, i.e. IP addresses.
- Installed the hddtemp package.
- Installed libnet1, which is required for tools like arp-sk.
- Updated the speedtouch package to a custom compiled version 1.2, which adds support for the SpeedTouch 330 series of ADSL USB modems. Also updated the USB hotplug script for speedtouch to a version taken from the 1.3.1 package and adapted it slightly to Gibraltar. Version 1.3.1 of modem_run does not work, but this version does. Alcatel gave us permission to redistribute their firmware 2 years ago, so both versions of the SpeedTouch firmware (for the old and the new modem revisions) are included with the distribution. It should work out of the box by just plugging the modem into a USB slot and configuring your ADSL connection via the web interface.
- Updated the siproxd package to version 0.5.11-1. SIP proxying is now officially supported (web interface support pending).

Version 2.3, published 2005-08-09

This is a feature release with two major new features now being fully supported by the web interface: bridging (a.k.a. transparent firewalling) and traffic shaping. Both can be enabled with the respective modules in the web interface. Other changes in the web interface include a quick config save link, new service definitions that can now span different protocols (e.g. an IPSec service that includes UDP, ESP and AH), the possibility to configure an email relay (e.g. a smart host by the ISP), and some enhancements when integrating an HDD for /var.

Another enhancement is the possibility to update the whole system image when booting the USB version from writable media, e.g. a CompactFlash card in a hardware appliance. The USB version of Gibraltar uses squashfs images, which are read-only on a file system level. New shell scripts and a web interface module now facilitate the update of such a system image with a single reboot and the possibility to switch back to the previous version. The respective scripts should even deal with resets or power failures while the update is in progress, so that this update should not be as fragile as the dreaded firmware updates of typical hardware components. It needs free space for the new system image though. At the moment, a 256 MB USB or CF medium will be enough to hold two system images and thus allow for such an update.

Changes in the Gibraltar base system are:

- SECURITY FIX: The squid anti-virus plugins for clamav and Kaspersky kav have been modified to scan whole files instead of only sliding windows over the data streams. For some larger viruses, it turned out that neither clamav nor Kaspersky kav were able to detect them when the file header was not included in the scan window (although the virus itself should have fitted in the scanned blocks).
  To overcome these issues, the HTTP streams are now saved in temporary files, which are continuously scanned until the download is either complete or the file grows larger than a (configurable) maximum file size. When a virus signature is found, the download is aborted. This change leads to a significant performance hit when the maximum file size is chosen too large (e.g. >500kB), but will not let viruses pass that are smaller than the chosen maximum file size.
- SECURITY FIX: Updated heimdal kerberos packages due to some possible buffer overflows.
- Updated kernel to 2.4.31 level, fixing a few upstream bugs.
- Added a kernel patch to support the VIA padlock crypto functions. They can be used to speed up AES, e.g. for IPSec tunnels.
- Added kernel support for the newer squashfs filesystem (version 2.1-r2).
- Recompiled iptables to work with the newer kernel and enabled a few extensions (ROUTE, mark, physdev).
- The USB/CF images are now squashfs instead of cramfs images, yielding better compression and thus smaller image sizes; they again fit onto a 128 MB medium. This also removes the limit of roughly 256 MB uncompressed image size, which was already reached by the last release.
- This release also adds scripts and modifies the initrd image so that the USB/CF image can be updated (nearly) atomically. Just pass a Gibraltar USB/CF image in the new format to the new update-system script on its stdin, reboot, and the image will get updated upon that first reboot. If anything goes wrong while uploading the image or while checking it, the update will not be performed. The new syslinux labels "old", "cf*_s1" and "cf*_s2" can be used to boot the old version again in case the update failed. Therefore, such "firmware" updates should not be able to bring the system into an unbootable state where the boot media would need to be rewritten. This is important for updating appliances that boot from internal CF media.
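The SECURITY FIX entry above describes why scanning a stream in independent blocks can miss a signature that an engine only recognises together with the file header. The following Python model is an added example, not the Gibraltar squid plugin code: the scanner, its "signature", the header bytes and the download are all constructed here to reproduce the failure mode and the whole-file fix with its maximum-size cut-off.

```python
import io

# Constructed stand-ins, not real malware artefacts:
MAGIC = b"MZ"                     # pretend executable header at offset 0
TOY_PATTERN = b"TOY-SIGNATURE"    # pretend detection pattern


def toy_scan(data):
    """Toy engine: fires only when the file header AND the pattern are both in the
    buffer it is handed, modelling engines that must parse the container first."""
    return data.startswith(MAGIC) and TOY_PATTERN in data


def scan_sliding_window(blocks):
    """Old approach: every block is scanned on its own. A block that carries the
    pattern but not the header can never match."""
    return any(toy_scan(block) for block in blocks)


def scan_whole_file(blocks, max_size):
    """New approach: append each block to a temporary file and rescan the whole
    accumulated content. Returns 'blocked' when the pattern is found, 'passed' for a
    clean complete download, and 'passed-unscanned' once the file exceeds max_size
    (the trade-off the entry mentions: larger files are no longer scanned)."""
    tmpfile = io.BytesIO()          # stands in for the on-disk temporary file
    for block in blocks:
        tmpfile.write(block)
        if tmpfile.tell() > max_size:
            return "passed-unscanned"
        if toy_scan(tmpfile.getvalue()):
            return "blocked"
    return "passed"


def make_download(block_size=64):
    """Constructed 171-byte download: header, padding, pattern, padding, split into
    blocks so that the pattern lands in a block without the header."""
    payload = MAGIC + b"\x00" * 100 + TOY_PATTERN + b"\x00" * 50
    return [payload[i:i + block_size] for i in range(0, len(payload), block_size)]


if __name__ == "__main__":
    blocks = make_download()
    print("sliding window:", scan_sliding_window(blocks))        # False: missed
    print("whole file, 1 MB limit:", scan_whole_file(blocks, 1 << 20))  # blocked
    print("whole file, 100 B limit:", scan_whole_file(blocks, 100))     # passed-unscanned
```

The same payload handed to `scan_sliding_window` as a single block is detected, which is exactly the point: the engine was never the problem, the windowing was.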
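The update-system entry above and the update-rollback entry in version 2.5 describe a two-step scheme: verify the uploaded image, write it next to the running one, and only switch on the next reboot, with a way back to the previous image. The Python below is an added model of that scheme, not the project's shell scripts or its syslinux setup: the slot names s1/s2, the state.json file and the digest check are assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile


def atomic_write(path, data):
    """Write to a temp file, fsync, then rename: the target is either the old or the
    new content, never a half-written file (rename is atomic on POSIX)."""
    tmp = path + ".tmp"
    with open(tmp, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


class SlotUpdater:
    """Two image slots (s1, s2) and a state file naming the active one (assumed layout).

    stage()    step 1: verify the upload and write it into the INACTIVE slot only
    boot()     step 2: what init would do at the next reboot: switch to a pending slot
    rollback() mark the previous slot as pending; it becomes active at the next boot
    The active image is never overwritten, so a reset mid-update leaves it bootable.
    """

    def __init__(self, root, initial_image):
        self.root = root
        self.state_path = os.path.join(root, "state.json")
        if not os.path.exists(self.state_path):
            atomic_write(self._slot_path("s1"), initial_image)
            self._save({"active": "s1", "previous": None, "pending": None})

    def _slot_path(self, slot):
        return os.path.join(self.root, slot + ".img")

    def _load(self):
        with open(self.state_path) as f:
            return json.load(f)

    def _save(self, state):
        atomic_write(self.state_path, json.dumps(state).encode())

    def active_image(self):
        with open(self._slot_path(self._load()["active"]), "rb") as f:
            return f.read()

    def stage(self, image, expected_sha256):
        """Refuse the whole update if the upload does not match the expected digest."""
        if hashlib.sha256(image).hexdigest() != expected_sha256:
            return False
        state = self._load()
        target = "s2" if state["active"] == "s1" else "s1"
        atomic_write(self._slot_path(target), image)   # inactive slot only
        state["pending"] = target
        self._save(state)
        return True

    def boot(self):
        state = self._load()
        if state["pending"]:
            state["previous"] = state["active"]
            state["active"] = state["pending"]
            state["pending"] = None
            self._save(state)
        return state["active"]

    def rollback(self):
        state = self._load()
        if state["previous"]:
            state["pending"] = state["previous"]
            self._save(state)


def run_update_scenario():
    """Bad upload, good update, rollback; returns what an operator would observe."""
    updater = SlotUpdater(tempfile.mkdtemp(), b"image-v1")   # constructed images
    seen = []
    seen.append(updater.stage(b"image-v2", "0" * 64))       # wrong digest: rejected
    seen.append(updater.boot())                              # still s1
    seen.append(updater.stage(b"image-v2", hashlib.sha256(b"image-v2").hexdigest()))
    seen.append(updater.active_image())                      # unchanged until reboot
    seen.append(updater.boot())                              # now s2
    seen.append(updater.active_image())
    updater.rollback()
    seen.append(updater.boot())                              # back on s1
    seen.append(updater.active_image())
    return seen


if __name__ == "__main__":
    print(run_update_scenario())
```

Rollback deliberately goes through the same pending-then-boot path as the update itself, matching the two-step update-rollback behaviour from version 2.5; the only state that changes while the system is running is the small state file, written atomically.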
- Switched to using ifrename instead of the interface renaming code in /etc/network/if.d/ now. This decouples the renaming of network interfaces from their configuration, which is needed for bridge interfaces, VLAN handling etc. where virtual interfaces are created from physical ones. It is also more elegant.
- Fixed the scripts for configuring bridge interfaces: /etc/network/if-up.d/05bridge and /etc/network/if.d/address. Also included a sample configuration block in /etc/network/interfaces that shows how to configure a bridge.
- Updated the /etc/alternatives/editor link to point to fte instead of vim, because vim is excluded from the USB/CF variant of the Gibraltar image.
- Modified syslogd.conf to not print any messages to logged in users, which was mostly confusing and did not offer any benefits (it is not to be expected that users are logged into the firewall often enough to notice such emergency messages).
- Added the Atheros 802.11a/b/g cards to the PCI hardware list. They are handled by the madwifi driver (including support for master, i.e. access point, mode).
- Installed the cpio, lha, unarj, unrar, unzip, zoo and lzop packages to enable amavisd-new to unpack various compressed attachments for checking them.
- Removed packages libdiscover1 and libxml2 since they are no longer needed.
- Updated the samba packages to fix an issue with the integration of winbind (Active Directory authentication) and sasl2.
- Updated the sasl2 libraries to fix a (potential) security issue. Also installed the slapd openldap server for the integrated user database that is currently being developed.
- Installed the libdb4.2 libraries and utils, since they are required by the updated sasl2 and openldap2.2 packages. Also installed libnet-ldap-perl to enable ldap access from perl scripts.
- Installed the freeradius package and the ldap and eaptls plugins. This is also for the integrated user database.
- Installed the libslp1, libltdl3 and libcomerr2 packages, which are necessary for freeradius and the new openldap2.2 packages. - Updated openvpn to major version 2.0 due to user request. - Updated ppp to major version 2.4.3. This package brings working radius and winbind plugins, which enables remote authentication of PPTP and L2TP users, e.g. against an Active Directory. - Installed radiusclient1 and libradius1, which are needed by the ppp radius plugin. - Installed cricket and libsnmp-session-perl, which will be used for system monitoring and graphing in the future. The cron jobs are disabled until we properly support configuring it. - Installed chillispot (1.0RC2), a captive portal that has performed well in our lab setups. - Removed the hwdata package, which is no longer necessary. - Removed the cipe and vtun packages for VPNs. They are insecure (c.f. http://www.mail-archive.com/cryptography%40metzdowd.com/msg00891.html for all the gory details). Some people might still use them, but I do no longer want to support insecure VPNs, which are worse than no VPN because they give a false sense of security. If you need a VPN, please use IPSec (the use of openswan should be really easy now with our web interface) or openvpn (which is very easy to set up). [vtun is not really gone, but needs to be manually reactivated if somebody really needs it. It might go away in future releases though.] - Run ntpdate each bootup so that the system clock gets synchronized immediately to three randomly chosen, public NTP servers. This is necessary for hardware clocks that are far off the real time, because the ntpd daemon will refuse to start synchronizing if the clock is off by more than an hour. However, the synchronization will not be started when there is no default route to prevent delaying unconfigured boots. - Increased maximum password length from 8 to 20 characters - this was way too short. - Updated razor to 2.610. - Updated clamav to version 0.86. 
- Installed bld, a general black list daemon that is now used for black listing SSH and other (currently web interface) password bruce force attacks. The bld daemon and a new bld-submitter process are now started by default and log all failed login attempts to the blacklist. After a configurable amount of failed retries in a given time frame, the respective IP address is added to the blacklist. A cron job periodically adds all blacklisted IP addresses to the iptables chains to block them completely. If you really do not want this feature, then please comment the two lines in /etc/runlevel.conf or deactivate the service via the web interface. - Stop the DHCP client from overwriting the domain name set in /etc/resolv.conf (by commenting out make_resolv_conf in /etc/dhcp3/dhclient-script). - Installed ddrescue, a small dd replacement that does not abort on errors. This helps getting data off a faulty drive (e.g. a failing HDD). - Fixed the certificate chain for the Jetty webserver that serves the web interface. Now just importing the root Gibraltar CA certificate from https://www.gibraltar.at/ca-root.crt should create a valid certificate chain for all browsers. Therefore the confirmation box should no longer be displayed upon connecting to the web interface. - Changed the behavior of the clamav virus scanning plugin for squid slightly, so that errors in the clamav library do not yield to blocking the respective files. This made it impossible to download updates from windowsupdate.com, since the CAB files could not be extracted properly by the clamav library. In such cases, the files will now pass the scanner, but a warning will be logged to the squid cache.log. - Removed the libidn11 package, which is no longer needed (the last clamav version does not need it). - Removed the libsmbclient package, which is also no longer needed. Version 2.2a, published 2005-05-01 - Updated the IPSec kernel part to openswan KLIPS 2.3.1 from version 2.3.0 that has been used earlier. 
This fixes a bug with IPSec tunnels in transport mode in combination with NAT traversal. This was unfortunately triggered by Windows XP clients connecting via L2TP/IPSec to Gibraltar, so this update is necessary for Windows XP interoperability.
- Updated the netfilter ipp2p match module for bug fixes.
- Updated clamav to version 0.84-rc1 and the virus signatures to the version from 2005-04-20. This necessitated an update of libcurl3 to version 7.13 and the installation of libidn11.
- Fixed a bug in the clamav virus scanning plugin for squid, which was caused by the last clamav update to 0.81. Since this clamav release, the method to scan internal memory buffers for viruses is defunct (without this being documented anywhere...) and just (unsafely!) returns that no virus has been found even if the memory block is infected. This version of the plugin thus falls back to the same method used in the KAV plugin, i.e. to create temporary files in the RAM disk which are then scanned with the appropriate method for file scanning. This is of course slower due to the overhead of creating, writing, reading, and removing temporary files, but currently seems to be the only way to use clamav.
- Also fixed a potential memory leak in the KAV plugin for squid.
- Fixed a slight inconsistency in the headers added to emails by the anti-SPAM gateway. We need to set the score threshold both in amavisd.conf and in the spamassassin local.cf so that the email headers print the same score that is actually used by amavisd-new.

Version 2.2, published 2005-04-06
This is the "speed" release, improving the speed of the web interface significantly and also solving a previous issue with license checks on high-volume systems.
- Updated kernel to 2.4.30-rc4 (which has been released as 2.4.30 with no changes) with the usual patches. New features: arptables, tcp-window-tracking, tproxy, geoip and unionfs modules (now for testing, they might get used in a future release). This release also adds the ndiswrapper and rt2400 modules.
- Replaced freeswan by openswan. This also needs the ipsec-tools package.
- Updated l2tpd to make it work flawlessly with the L2TP/IPSec client integrated into Windows 2000 and XP.
- Updated openssl, gzip, login, passwd, host, dnsutils, net-acct, libgd1, libgd2, libpng2, libpng3, sudo, libmysqlclient, libpgsql2, xutils, xlibs, ipx, perl, mc, kerberos libraries, and telnet-ssl due to various bug fixes.
- Updated clamav to 0.81 due to security issues and changes in the database update code.
- Switched from kudzu to discover as a hardware auto-detection library. This should make the USB controller auto-detection in initrd work again and thus enables the official release of Gibraltar-on-USB in addition to the CD-ROM ISO images starting from this version.
- The clamav and kav clients are no longer called directly from p3scan but only via simple shell wrapper scripts. These return only two error codes and ignore some of the errors of the kav and clamav clients that confused p3scan (e.g. that certain archives could not be unpacked for checking - these cases are now simply ignored).
- Do not let freshclam notify clamd, since this produces a (cron) error message when clamd is not running. Instead, clamd periodically checks for new signatures.
- Also silenced common webalizer messages that were sent periodically by the cron job - most of them are warnings that can safely be ignored.
- Increased the maximum size of the /tmp RAM disk to 32 MB in the default configuration, since p3scan uses it to store emails temporarily. This means that on machines with less than 128 MB RAM, the /tmp and /var RAM disks could possibly use too much memory if some process generates temporary files without deleting them (this should not happen anyway). For systems with limited RAM, it is recommended to decrease this (maximum) size to 8 MB (in /etc/gibraltar/config).
- Corrected old/unknown UIDs for some files in the default config.
- Added a timestamp to the "common name" (CN) field of the automatically generated X.509 certificates for IPSec and SMTP services. This makes it easier to deal with multiple auto-generated certificates from different Gibraltar firewalls.
- Updated frox to 0.7.17.
- Updated ntop to 3.0-5 with newer libfreetype6 and libgd2-noxpm packages. It should now (again) be fully functional.
- Installed the arptables package to control the new kernel ARP tables.
- Installed the ifrename package as an alternative to interface renaming with the "scripted" method in /etc/network/interfaces. This has the advantage that all interfaces are renamed prior to calling ifup during the boot process and that the order of interfaces thus no longer matters.
- Finalized the update of zorp to 2.0.9. Removed python2.1 completely now since no package depends on it any longer.

Version 2.1, published 2004-11-18
- SECURITY FIX: Fixed the certificate chain check in freeswan, which could lead to a security compromise. This is the fix that was distributed via the online patches for Gibraltar 2.0.
- Updated kernel to 2.4.27 with the usual patches. Also compiled modules for the Dell Megaraid2 SCSI controllers and additional modules for AT76C503A based USB WLAN adapters.
- Updated freenet6, fixing a minor security issue.
- Installed ucarp, an implementation of the CARP protocol as an alternative to the currently patent-encumbered VRRP.
- Installed siproxd, which is a proxy/masquerading daemon for the SIP protocol, and its support library libosip2. SIP is currently the most common voice-over-IP protocol and is the one that is supported by major phone companies/ISPs. This also necessitated an update of adduser.
- Installed SPF support packages: libnet-spf-query-perl, libnet-cidr-lite-perl and libnet-dns-perl.
- Installed the fprobe and flow-tools packages for generating, collecting and processing NetFlow streams.
- Installed p0f, a passive OS fingerprinting tool.
- Updated ebtables to version 2.0.6 for setting up real fail-over systems that also get mirrored traffic.
- Updated the Kerberos libraries to fix a security issue.
- Updated rsync to fix a security issue.
- Updated spamassassin to version 2.64, which should again improve the detection rate.
- Updated postfix to new major version 2.1, which includes policy checks (currently used for SPF checking) and address verification, for sender as well as recipient addresses. These postfix packages also support IPv6 and TLS. The default configuration has been significantly extended to support and configure the new features, including SPF and sender and recipient address verification.
- Added auto-generation of SMTP-TLS X.509 certificates during first bootup. They are also signed by the same CA that signs the IPSec host certificate. Enabled TLS support in postfix by default now; if the other SMTP server supports it, email will be sent and received encrypted via TLS. This also was a prerequisite for enabling secure (and interoperable) SMTP authentication in this release.
- Updated the wireless-tools package to 0.27pre21 to support newer kernel features with regards to wireless network interfaces.
- Updated libcurl2.
- Updated iptraf to new major version 2.7, which now supports renamed interfaces.
- Updated python from 2.1 to the newer major version 2.2 upon user request.
- Updated zorp to 2.0.9.
- Updated privoxy and ntop to the newest upstream versions upon user request.
- Updated shorewall to 2.0.7.
- Updated clamav to major new release 0.80, which also uses a new format for the virus signature database.
- Removed aris-extractor, nobody seemed to use it anyway.
- Removed the libtiff3g, libgd2-noxpm, libatm1 and libcupsys2 libraries since they are no longer used by any other package.

Version 2.0, published 2004-06-04
- Many changes in the web interface: new configuration modules, enhanced usability and new features in existing modules.
It also has a new license format, but version 1 licenses are still accepted.
- Updated kernel to version 2.4.26. This is quite similar to the 2.4.23 version of Gibraltar 1.x, but the security patches from 2.4.24 were applied, fixing the mremap vulnerability.
- Supply kernel modules for the Conexant ADSL USB modem.
- Supply the P2P match module for netfilter (ipt_ipp2p.o and libipt_ipp2p.so).
- Add kernel modules for: Eagle ADSL USB modem, BCM5700 network cards, drdb network RAID, Smart Link software modems and Bewan ADSL modems.
- Updated iptables to version 1.2.9-5, enabling use of new match modules.
- Updated freeswan to 2.04-9, which now supports dynamic fetching of CRLs (certificate revocation lists) if proper certificate authorities are used. It also solves the problem of spurious routes when using %defaultroute in the ipsec.conf config file.
- Updated libpcap to major version 0.8 and tcpdump to major 3.8, fixing security issues CAN-2004-0183 and CAN-2004-0184. This also enables large file support for both packages and thus allows tcpdump to write and read dump files larger than 2GB.
- Updated ipvsadm to 1.21release6.
- Updated lftp to fix the security issue.
- Updated perl to fix the information leak in perl-suid.
- Updated the screen package to fix a security issue.
- Updated the libnids1 library to fix a security issue.
- Updated gnupg to fix the potential information leaks with certain keys.
- Updated clamav to version 0.70 and adapted the pattern updater to Gibraltar (current patterns are shipped with Gibraltar and the updater will replace symbolic links by updated files).
- Updated the snmp libs, binaries and daemon to 5.1-4.
- Updated quagga to 0.96.4x.
- Installed the Kaspersky Anti-Virus engine and integrated it into amavisd-new. Virus patterns from 2004-02-09 are shipped with this version of Gibraltar and they will be updated automatically. KAV will only work when a valid license is installed. This license is not bundled with Gibraltar, but we can provide very cheap licenses due to an OEM agreement with Kaspersky.
- Updated spamassassin to version 2.61.
- Updated amavisd-new to version 20030615p5. Due to the use of amavisd-new for the postfix integration, the spamassassin daemon no longer runs by default. Instead, the amavisd-new daemon is started and in turn uses the spamassassin module. This is now the default for integrating anti-SPAM measures and virus scanners with the postfix email relay.
- Updated razor to version 2.361.
- Updated ntop to version 2.2c, but still patched to fix the problem with the zlib handling (which also made the previous version unusable in most configurations).
- Installed p3scan (and renattach), a transparent, SPAM- and virus-scanning POP3 proxy. pop3vscan, its unmaintained predecessor, has now been removed.
- Installed Kerberos 5 (MIT implementation) libraries, client tools, configuration and PAM support for integrating Gibraltar services into Kerberos 5 authentication structures. This includes the Microsoft Active Directory, which also uses a variant of Kerberos 5.
- Installed the pwdfile and opie PAM modules for more authentication options. The Radius PAM module is already available on Gibraltar.
- Installed wget, because it is needed by the Kaspersky signature updater.
- Activated psad by default; it will now just send mail to root if some scan or attack is detected.
- Installed the bluez user space utilities so that Gibraltar can act as a Bluetooth access point, either via PAN (using the newer BNEP protocol) or via LAP (using the classical RFCOMM/PPP combination that most current PDAs and mobile phones understand).
- Installed the argus-server and argus-client packages for watching the traffic that passes over a firewall (or on one of its interfaces).
- Installed the curl command line binary (the libraries were already installed). The current version of freeswan can use it for CRL fetching when X.509 certificates are used for authentication.
- Installed procmail, since renattach needs it (which is in turn needed by p3scan).
- Installed xdelta, a binary diff tool now used by our online-patching script to get smaller patches.
- Updated postfix to 2.0.18 and updated necessary packages (libpcr3, adduser, base-passwd). Installed the libdb4.1, libssl0.9.7, libsasl2, libldap2, libgcrypt1, libgnutls7 and libtasn1-0 packages for the new postfix.
- Installed the sasl2-bin package for pwcheck etc. Also updated the postfix default config to include SMTP auth options.
- Updated wget to version 1.9.1-4.
- Installed munin and munin-node with the required packages libhtml-template-perl, librrds-perl and libstorable-perl.
- Installed labrea, a sticky honeypot to greatly slow down worms, and the required libdumbnet1.

Version 1.1, published 2003-12-23
This is the Christmas release, with only a few new features, but being a lot more resistant against buffer overflows and thus more secure due to the use of the PAX kernel patch.
- Updated the kernel to 2.4.23, which fixed the recently discovered brk() vulnerability. In addition to the update, the context patch (for virtual servers), the PAX patch and support for the zorp transparent proxy suite were added. Minor additions are an AES optimization and cryptoloop.
- Updated the base system to Debian 3.0r2.
- Added a driver for the BCM4400 network cards.
- Installed chpax to select file-based PAX features.
- Installed rcs and blinkenlights.
- Removed cvs in favor of rcs.
- Installed psad, a port scan and attack detector which works by processing logged rules from the firewall chains. Thus, in the default configuration, only dropped packets will be processed by psad, which is more performant.
- Installed openvpn.
- Installed winbind and smbclient for user authentication to a Windows domain.
- Added two more boot options: fastboot-usb and fastboot-floppy to skip searching for floppy devices (and using config from USB) or USB respectively.
- Updated squid to version 2.5.4, which supports a null disk cache and has better authentication support. Please note that the authentication options in squid.conf have changed; please check your configuration!
- Updated debconf.
- Updated shorewall to version 1.4.8.
- Fixed a small bug that could cause network interfaces not to be started when the system has not been shut down cleanly and a harddisk is used for /var.
- Reworked the update script so that only files which have changed between the old and new default configurations are copied to the new config image. This should avoid creating unnecessary files and thus wasting space and should also produce fewer log messages during update.

Version 1.0, published 2003-11-10
This is the first combined free and commercial release! We decided to go for a combined release because it is easier to maintain. For the freeware version, nothing will change, the web interface just cannot be used without a valid license key. However, it is advised to simply disable the web interface for saving RAM (it will not need any processing power when not in use though) - simply comment it out in /etc/runlevel.conf. A roadmap for the following release will soon be put up on our web page. If there is large demand for a version without the web interface code at all (for saving download time - the web interface takes about 30 MB), we will try to find a solution for releasing two ISO images without too much maintenance overhead. However, an online patching mechanism is in the works, so new ISO images should be released less often (bug-fixes will be delivered via patches).
- Include the web interface, which needs a license key to work.
For more details, please refer to the main web page at http://www.gibraltar.at/
- Generate CA-signed certificates instead of self-signed ones for IPSec authentication.
- Remove orbs.dorkslayers.com from the RBL lists to check - it has been down for the last weeks.

Version 0.99.8a, published 2003-10-25
This minor update mostly solves the problem with syslog by switching back to old-style syslogd and klogd for the time being.
- Remove syslog-ng again in favor of sysklogd. syslog-ng still has some problems. However, the changes in the default logging configuration are kept and have been ported back to the old configuration file format. Only /var/log/syslog and /var/log/debug are now used by default, and they are rotated by size to keep /var from filling up.
- NAT Traversal for IPSec now works again due to kernel and freeswan patching.
- Improved the default configuration for cron jobs; it should now send a lot fewer emails in the default configuration.
- The Alcatel Speedtouch USB ADSL modem should now work out of the box. Just plug it into a USB port and it should immediately become available for use in PPPoE and PPPoATM connections, which are now also officially supported. However, this plug&play support required starting the USB hotplug services by default, which slows down the bootup by about 5-10 seconds if some devices are connected to the USB bus.
- Installed the screen utility.
- Installed the CIPE tunneling package but currently without respective kernel modules. PLEASE DO NOT USE THIS if you do not absolutely need to (e.g. because some tunnel gateway only supports CIPE and you really have to communicate with it). CIPE, as well as vtun (also included) or tinc (not included) are to be considered unsafe! For reference, http://www.mail-archive.com/cryptography%40metzdowd.com/msg00891.html is an excellent read. For any serious tunneling, IPSec should be used.
- Installed Zorp, a modular proxy suite. The next major Gibraltar release will also include the transparent proxy kernel patch for Zorp.
- Installed the vserver package for managing virtual servers (can be used for sandboxing daemons). Unfortunately, the necessary kernel patch had to be delayed for the next release because it caused incompatibilities with other patches. Thus, vserver will be useful starting with the next Gibraltar release.

Version 0.99.8, published 2003-10-05
This is a major update with some new features, but mostly default configuration updates.
- Updated to kernel 2.4.22, which again fixes some security issues and has some new features too: it already has the crypto patch and Alcatel USB speedtouch support (thus the Gibraltar-specific patches for these two features are no longer needed). The netfilter code has been updated to 2.4.23-preX, because it has some optimizations for ICMP floods, and the patch for tuning connection tracking parameters is back in. The MPPE encryption patch has been updated for ppp 2.4.2. Additionally, the WRR patch for better bandwidth shaping is now included (thanks to Jonas Smedegaard for the suggestion). The random-PID patch is again included (as in the last Gibraltar kernel) and has been tested more thoroughly to not break any application. Freeswan IPSec support is now up to version 2.01, but unfortunately without the NAT traversal support, as it still does not apply cleanly to the freeswan 2.01 source. NAT traversal will again be available in the next release. Changed kernel compilation options: ACPI support is now always compiled in, but the kernel will disable it if the BIOS support is too old or buggy. HIGHMEM support is now also available, so up to 4GB of RAM can be used for storing large connection tracking tables (many thanks to Corey Satten for this hint!).
- Updated gzip to fix the insecure temporary files handling.
- Updated openssl and libssl to circumvent a timing attack by enabling RSA blinding and, more recently discovered, an ASN1 parsing bug.
- Replaced the old-style syslogd by syslog-ng, which has more features for filtering log entries and better support for remote logging (e.g. via TCP).
- Updated heartbeat to 1.0.3.
- Installed clamav. Thanks to Andreas W�kl for the hint.
- Installed libmysqlclient and libpgsql to enable MySQL and Postgresql database access.
- Updated snort to version 2.0, which is supposedly faster by some orders of magnitude. snort is now compiled with MySQL and Postgresql support so that logging to remote databases can be used.
- Check if a floppy drive is in the system before trying to use it for loading and saving config.
- Ship postfix with a better default configuration.
- Removed portsentry, which is not used anyway on most firewalls (most will simply block unwanted traffic so that portsentry will not even notice port scans).
- Use amavisd-new instead of amavis for integrating anti-virus scanning engines with the postfix mail relay.
- Updated snort to version 2.0.1.
- Updated pppd to version 2.4.2 with support for PPPoATM and PPPoE. This _should_ allow PPPoATM with an Alcatel USB Speedtouch ADSL modem without any further patches. Additionally, 2.4.2 finally includes MPPE support natively, so the Gibraltar-specific patch is no longer needed.
- Updated iptables to version 1.2.8 and iproute for the new kernel.
- Updated nmap to version 3.27 (with better IPv6 support).
- Installed pop3vscan for an anti-virus scanning POP3 relay.
- Installed quagga (which is actively maintained) instead of zebra.
- Installed whois and tethereal for network debugging.
- Installed wvdial as an alternative to diald.
- Installed ebtables.
- Updated PAM to version 0.76 and installed the SMB, radius, mysql and postgresql authentication modules.
- Installed the Atmel WLAN kernel driver and userspace programs.
- Updated the WLAN hostap driver to version 0.0.3.
- Start the ntp daemon by default to synchronize the local time with a number of time servers.
- Added a "status" option to most of the /etc/init.d scripts, also for helping the web interface in figuring out the status of daemons.
- Severely cut down on the squid configuration size by removing comments (the template file is available under /usr/share/doc/squid) and only putting options in it that are typically useful on a firewall.
- During automatic configuration of IP addresses for detected network cards, the configuration is now also written to /etc/network/interfaces. This serves as an example and allows easy modifications.

Version 0.99.7a, published 2003-04-28
This is a quick bug-fix release to fix the security issue in glibc.
- Updated the glibc package to the version from security.debian.org.
- Recompiled a number of packages with the updated library (e.g. freeswan, postfix, iproute, iptables, libldap2, libapache-mod-ssl and a few more).
- Updated the pptpd package to fix another remotely exploitable buffer overflow. If you use pptpd, then please update as soon as possible!
- Installed ipvsadm.
- Upgraded the heartbeat packages to a current version (1.0.2), which includes a fix for usage in Gibraltar - now a heartbeat instance can correctly perform its replay-attack-checks even with read-only /usr trees (which did not work in earlier versions). Thanks to Markus Oswald for reporting the problem and getting the upstream maintainers to fix it :-)
- Tweaked syslog.conf and logrotate.conf so that log files take less space on the /var RAM disk. Expect more tweaks and even better defaults for the next versions.
- Added a new "usb" target to the save-config script which tries to save configuration to USB mass storage devices. The "source" target, which saves to where the configuration was loaded from and is the new default target since version 0.99.7, now tries the "usb" and "floppy" targets if the source location is not available (e.g. on first boot into unconfigured mode).
- Reworked the USB mass storage device detection routine.
It should now work faster and more reliable. - There is one important and user-visible change in this release: enabling services is no longer done in /etc/runlevel.conf (which enables all services by default now), but in /etc/gibraltar/services.conf. This switch will confuse some long-time Gibraltar users, but definitely makes it easier for new users. /etc/runlevel.conf does no longer need to be touched, leaving out the details of start levels etc. Version 0.99.7, published 2003-04-15 This is a feature and bug-fix release at the same time. Due to fixing the kernel security issue (information leak), it is recommended to upgrade as soon as possible. - Recompiled the kernel with many patches, now fixing the recently discovered information leak in multiple Ethernet card modules (see http://www.kb.cert.org/vuls/id/412115) and the ptrace vulnerability (see http://marc.theaimsgroup.com/?l=linux-kernel&m=104791735604202&w=2). The new kernel is also patched with newer wireless extensions for better WLAN access point functionality. It also uses a few options of the GRSecurity patch, namely the IP-ID randomization to make it impossible to count the number of hosts behind a NAT gateway from the outside (see http://www.research.att.com/~smb/papers/fnat.pdf for details). Fixes bug #114 Fixes bug #111 - Implemented another, very useful option for saving configuration: USB storage devices. This enables to use of those nifty USB sticks, which I am currently using to almost completely replace floppy disks. The current search order for existing configuration is the following: - floppy disks - USB mass storage devices - all harddisk partitions If nothing is found at first try, Gibraltar (in the default boot procedure, i.e. without the options "fastboot" or "defaultconfig") will wait 5 times for a floppy disk to be inserted or a USB mass storage device to be connected. 
- Gibraltar now uses the new isolinux mode offered by the syslinux boot loader when booting from CD-ROM (the boot floppy images still use the normal method). This allows tu use larger initrd images because the whole boot image is no longer restricted to 2.88 MB. - Updated the freeswan package, now enabling NAT traversal support for IPSec. Fixes bug #105 - Updated the iproute package to fully support the HTB queuing discipline. Fixes bug #106 - Removed the linux-wlan-ng WLAN modules and support package because the hostap modules now seem stable enough for general use, are more powerful than linux-wlan-ng (you can create a WLAN access point) and use the standard kernel interfaces and user-space tools instead of own ones. - Installed the l2tpd package to enable Layer 2 Tunnelling Protocol support. - Added some default rules for logcheck so that less messages are sent to the administrator. - Use a newer version of libkudzu and update the PCI device database. This should allow Gibraltar to detect newer devices and also fix some older detection problems. - Updated the cvs package to fix the recently discovered security issue. - Updated the dhcp3 packages to also fix another security issue (hopefully the last one for dhcp). - Updated the openssl package, also to fix a security issue. - Updated the apache packages to fix a security issue. Re-installed the mod_ssl module for apache, now with complete IPv6 support. - Updated openssh to a new version with some new features (most notably privilege separation). - Installed more packages for complete LDAP support: now authenticating users against an LDAP server is possible in PAM, and apache. An NSS LDAP module is now also installed. Additionally, installed LDAP command line tools to query servers. The libldap2 library has also been recompiled with TLS support. - Updated webalizer, now also with IPv6 support. Fixes bug #107 - Fixed the postfix permissions. Fixes bug #109 - More logcheck rules updates. 
Fixes bug #108 Version 0.99.6a, published 2003-01-22 This is a quick bugfix-release because of the recently discovered dhcp3 server problem, which is security relevant. It is therefore recommended to upgrade immediately. - Updated dhcp3, libldap2 and CUPS libraries because of security issues. - Updated ntop to fix the libpng problem - creating graphs should now work. (This also required a complete recompile of libpng3 and libgd2 to make it work.) Fixes bug #101 - Updated shorewall to a version that is a lot faster. - Removed the following packages due to cleanup of old stuff that is no longer needed or is superseded by newer / better alternatives. This is part of the cleanup for Gibraltar version 1.0. libxaw6, ldso, make, mysql-common, atftp, update - Disabled some cron scripts that are not needed when the respective services do not run. This is also part of the cleanup to make Gibraltar boot blazingly fast and be lean but powerful afterwards :) snort, aris-extractor, man-db, calendar The can easily be re-enabled by setting their execution bit (chmod +x). Other script are still enabled and will be run by cron, but are well- behaved in the sense that they don't do anything when the service they belong to is not active. Fixes bug #96) - Disabled the portsentry ip-up.d and ip-down.d scripts (also chmod -x). - Added an alias for the non-existent 3c90x module to point to 3c59x, now hopefully fixing the long-standing bug that some 3COM network cards were not correctly auto-detected. Fixes bug #97 - Created /var/cache/diald Fixes bug #99 - Made the default configuration for spamassassin (in /etc/default/spamassassin) a bit more robust in terms of ressource usage. Now at most 10 processes are started, which should prevent spamassassin from bringing the system down. When you have a high volume of emails and enough memory, it is recommended to increase this limit. With the current setting, the emails are just delayed if more than 10 processes would be required. 
- Wrote a small auto-detection routine for PCMCIA controllers (which at least works on my development notebook) and thus enabled PCMCIA support by default. If there is a PCI-based PCMCIA controller in your system, it should now be detected and activated automatically. If there is no controller in your system, this should not change anything.

Version 0.99.6, published 2003-01-11

This is mainly a bugfix release to fix the problems with automatic configuration update in version 0.99.5. The main change is to increase the default value for the maximum /etc ramdisk size to allow the update to finish. Additionally, a few more sanity and validity checks are done in the maintenance scripts.

- Update the kernel to version 2.4.20, which fixes the local denial of service bug which was discovered a few weeks ago. Since no normal user accounts should exist on a Gibraltar firewall, this bug was not critical for Gibraltar. The new kernel also contains the bridge-nf patch, allowing to build a completely transparent (and possibly invisible) firewall by applying bridging while also filtering packets via netfilter. This kernel also includes support for H.323 connections over NAT.
- Update all packages that have changed in the Debian "stable" tree, including security updates: apache, heartbeat, j2re1.3, linux-wlan-ng. Due to the newly available j2re1.3 package, it is no longer necessary to have the complete Java 2 SDK installed, making the CDROM image about 19 MB smaller.
- Installed sanitizer, spamassassin and razor to allow for efficient anti-SPAM operation of the mail relay (postfix). A default configuration on how to use these powerful features is enabled in postfix.
- Installed iptstate and dnsmasq. Fixes bug #86
- Installed ntop.
- Installed the sharutils package (which includes uuencode).
- Installed the dhcp3 packages instead of the older versions. Now they should be more stable and have more features. One notable feature is that the dhcp server and the dhcp relay no longer conflict and are therefore now both available. Fixes bug #85
- Updated apache to make it work again (problem with libdb2 linking). This update also introduces apache IPv6 support again. Also fixes bug #93
- Updated iptables, shorewall, transproxy, freeswan and linux-wlan-ng to newest versions.
- Modified logcheck to create /var/tmp/logcheck if it doesn't exist. Really fixes bug #90 (prior #70) and #92
- Fixed the following bugs from the Gibraltar bug tracking system:
  #87 (Create /var/cache/ddclient)
  #94 (Missing entries in /etc/modutils/aliases)

Version 0.99.5, published 2002-09-30

This release updates Gibraltar to the final, released Debian 3.0 base packages. It contains some new functionality (e.g. full wireless LAN support) and also fixes some bugs.

- Update all packages that have changed in Debian since 0.99.4. The source for synchronization with Debian is now again the "stable" tree in contrast to "testing" which had to be used for recent releases. This means that the core packages won't need to be updated frequently (only for security fixes).
- Provide full support for wireless LANs (802.11b): Gibraltar provides all three possible modes:
  1. Acting as an access point using the included hostap driver (for the Prism2/2.5/3 chipsets).
  2. Acting as a client to any access point (using the standard Linux kernel drivers).
  3. Using ad-hoc mode for peer to peer networking without access points.
- Installed the following new packages:
  6tunnel (for IPv4/IPv6 translation)
  amavis-postfix (preparation for integrating a virus scanner with the mail relay)
  ddclient (for updating dynamic DNS services)
  grub
  gshield (an alternative, strict and configurable firewall script)
  hdparm
  kismet (a wireless network sniffer)
  mtools
  ndiff (report nmap scan differences)
  ntpd (for actively synchronizing the clock)
  nwatch (a passive port scanner)
  privoxy (a privacy enhancing proxy, the successor of junkbuster)
  vlan
- Updated the following important packages explicitly:
  apache (security fixes)
  freeswan (better IPSec road warrior support)
  postfix (now standard Debian version, Gibraltar specific patches are no longer needed)
  ssh (security fixes, privilege separation)
  tomcat
- Made the boot process a bit quieter - some uninteresting messages are no longer printed (but there are still too many left).
- The login message now tells about the key mapping and how it can be switched to an English one.
- Removed discover from the default runlevel.rc, it just slowed the boot process down. Now, due to the changed boot process, runlevel S can be completely customized; therefore it is easy to reactivate it in /etc/runlevel.conf.
- pcmcia support is now also disabled by default.
- The SSH daemon now only accepts protocol 2 in the default configuration, because protocol 1 has some (although currently mostly theoretical) flaws.
- save-config via scp should now work correctly: the spurious /tmp/etc.gz file is no longer created and /tmp/etc.tgz is removed after transfer.
- Allow automatic call of save-config to be disabled via /etc/gibraltar_config.
- Made make-var-ramdisk more robust: when a /var filesystem is mounted, but not correctly populated with subdirs, then do that automatically. Therefore it is no longer necessary to do that manually at all - just specify the filesystem to use in /etc/fstab, (format it), reboot and everything will be all right.
- Unmount the initrd image at a later time during bootup (this should actually make it work....). Therefore the initial RAM disk is freed and more RAM space is left after bootup.
- Made linuxrc in mkinitrd-cd capable of booting from a UML hostfs filesystem (allowing to boot inside UML with access to files on the host system).
- Added a script for automatically creating an X.509 certificate for IPSec during the first bootup (in "unconfigured" mode).
- Use an updated PCI device list, therefore the 3COM network cards should now be detected correctly.
- Fixed the following bugs from the Gibraltar bug tracking system:
  #60 (iptraf directories were missing from /var)
  #70 (/var/tmp/logcheck was missing)
  #71 (/var/lib/dhcp was missing)
  #76 (supervise now uses the directory /etc/svcan; therefore new services like tinydns can easily be configured)

Version 0.99.4, published 2002-04-18

This is a bugfix and minor feature release. It mostly makes some maintenance stuff (/tmp handling, etc save and restore) more robust.

- Changed save-etc so that it does not stop running services anymore. Instead, it now checks for changed files after saving.
- Made save-config more robust (to not fail when /tmp is not mountable).
- Added support for the automatic creation of a ramdisk for /tmp.
- Made the init procedure in runlevel S modifiable by starting init after prepareroot has been called. This is now possible because pivot_root is called and therefore linuxrc has control over how init is called (and what is done before init is called).
- Made the automatic ramdisk creation for /var a bit more robust. Now a ramdisk is also created if there is an entry in /etc/fstab for mounting /var, but the mounting did not work.
- Due to these changes, some script locations have changed:
  prepareroot is now under /sbin
  make-var-ramdisk is now called mountvar and is in /system/etc-static/init.d
- Changed the name of the created RSA host key for the ssh daemon to match the new default values.
- Added the SuSE FTP proxy suite as an alternative to frox (they have a different feature list).
- Added the ettercap sniffer tools for network diagnosis purposes.
- Updated various system tools and libraries.
- Updated ssh (to 3.0.2p1).
- Installed rsync (e.g. for mirroring DNS zone files for tinydns).
- Installed wavemon.
- Installed the Java development kit 1.3 in preparation for the upcoming web administration interface.
- Installed aris extractor for reporting security incidents to CERT. It is disabled by default, so you need to enable it if you want to use it.
- Installed idswakeup for testing network security.
- Installed the shorewall firewalling script because of user requests.

Version 0.99.3a, published 2002-01-16

This is a quick bugfix-release.

- Re-added the /usr/local/bin link for custom additions.
- Fixed automatic loading of the IPSec kernel module on IPSec startup.

Version 0.99.3, published 2002-01-08

This is mainly a feature-release with the newly added SOCKS and DNS servers, support for the ext3 filesystem and updates of major system software packages. A bugfix-release will follow this one, correcting already reported bugs. I just wanted to get this one out of the door so that people can use the new features. It is also the first release (and maybe the first firewall at all) that supports native IPv6-only networks.

- Updated kernel to 2.4.16, including all the usual patches and XFS and ext3 filesystem support. The next Gibraltar kernel will include the new HTB qdisc for traffic shaping (which is a lot easier to use than the commonly used CBQ qdisc). Gibraltar can be used as a full traffic shaper, for both outgoing and incoming traffic.
- Reverted the change of installing syslinux with the "safe, slow and stupid" option because it resulted in very slow bootup on some systems. Therefore, some old and buggy hardware might not work with this release, but I think this is justified by the other 99% of the systems that can now boot a lot faster.
- Re-installed squidguard for filtering requests that run over the proxy. Also installed chastity-list, a protection list for schools and other public places (only optional!).
- Installed urlredir for Squid redirection (so that squid can easily act as a frontend for an internal WWW server, protecting it from direct accesses).
- Installed tinyproxy, a very small HTTP proxy that can also remove HTTP headers (and thus be used for anonymizing).
- Installed httpf, a web filtering engine that only allows those HTML tags that have been specifically configured. Therefore it can be used for securing web access by filtering out possibly dangerous HTML tags (such as active content).
- Installed dante, a SOCKS v4 and v5 proxy server to enable SOCKS support on Gibraltar.
- Installed frox, a transparent FTP proxy.
- Installed cryptcat, dhcping and nbtscan for debugging network problems.
- Installed scanssh for collecting ssh public keys from ssh servers. This can be used to save a "known good" state of ssh public keys and therefore defeat man-in-the-middle attacks when accessing other ssh servers.
- Installed the full djbdns suite instead of dnscache only. Therefore Gibraltar can now act as a DNS server for the local network, although with limited functionality (no DNSSec, dynamic DNS, ...). But it might be enough for local reverse lookup; a full-featured DNS server should not run on a firewall anyway. The suite has been patched for IPv6 support, so that native IPv6 DNS lookups become possible. Therefore Gibraltar might well be the first firewall fully supporting IPv6 for building native IPv6-only networks without the need for IPv4.
- Installed binutils so that the strings command is available.
- Updated logcheck, freeswan (to 1.92), squid (to 2.4.3), apache (to 1.3.22 with IPv6 support), ssh (currently only 3.0.1p1, but a secured version without the bug) and ulogd to newer versions.
- Deactivated automatic starting of hotplug by default, since a firewall should normally not use any USB devices. The hotplug support is still there in case you need USB devices such as the ADSL modem used by the Austrian telecom.

Version 0.99.2, published 2001-11-19

This is primarily a bug-fix release, but it also includes some new features and software packages.

- Updated kernel to 2.4.13, this time including all the usual stuff (MPPE encryption for PPTP, IPSec support, TTL match, IRC connection tracking, ULOG target) and XFS support.
- Updated some packages: system libraries, squid, isdnutils and openssh.
- Installed ethtool for configuring network cards.
- Installed pppoeconf for configuring PPP over ethernet.
- Installed freenet6 for building IPv6 over IPv4 tunnels to the world-wide IPv6 test network "6bone" easily.
- Installed ipac-ng for IP accounting.
- Installed tomcat including the necessary packages (JRE 1.1.8, jikes).
- Updated postfix, now with IPv6 and SSL/TLS support.
- Re-added the perl base64 module to support the uw-setup script written by Corey Satten.
- Added the netfilter-init package, which can construct iptables filter rules from a set of configuration files. If you do not like this, you can simply continue to use your existing iptables scripts. But I can only recommend to have a look at it because it makes things a lot easier.
- Fixed a cosmetic bug in save-config: after formatting and creating a config disk, the correct message is displayed.
- SAVE_AUTOFORMAT is no longer case sensitive.
- Now an empty disk is not reformatted, it is simply used.
- save-config now accepts parameters "--target" and "--to". This is a new feature for everybody who saves the configuration data not only to the default location in /etc/gibraltar_config, but also to some other place whenever big changes are done. I am always doing this (in case the floppy disk gets corrupted, the hard disk crashes or anything else happens to the firewall, I still have my configuration saved on another host).
- save-config will not unmount a harddisk partition anymore if that partition is to be used as a target (it is simply used on its current mount point instead of being unmounted and remounted somewhere else, leaving the old mount point invalid).
- During conversion of a configuration from the old to the new format, the RAM disk is now created without a size limit so that the conversion has enough free space to complete successfully.

Version 0.99.1, published 2001-09-24

This is an experimental release, please use with care. The whole Debian base of this release has been updated from the current Debian stable (version 2.2) to the current Debian testing (future version 3.0) release. This affects many system libraries and base system programs, so some things may break in this release.

Please note the change in the version numbering scheme. As the number of Gibraltar releases increased steadily, I am now using a three-level version numbering with the same system the Linux kernel is using. This means that the first number denotes the major version; it will be increased if there are major new features (such as support for stateful firewalling) or incompatibilities with older releases. The second number denotes the minor version, indicating minor new features that are compatible with older releases (updating is possible without manual intervention). The third number denotes the release and will be increased for bug fixes, patches, changed default configurations or other minor changes that do not qualify as new features. Furthermore, stable releases always have an even second number, unstable / development releases have an odd second number (therefore this is 0.99.1, i.e. a development release).

- This release introduces resizable ramdisks for /etc and /var. No need to change their size anymore, they will grow (and shrink) automatically. But the maximum sizes can be changed in /etc/gibraltar_config (these settings are activated at boot-time, but can also be applied by remounting the filesystems).
- The format of the saved configuration data has changed - now simple tar.gz files are used. Old configuration data is automatically converted to the new format on the first reboot with this new release.
- Searching for configuration data is now a bit more powerful - Gibraltar now also searches for configuration disks in all available floppy drives, not only the first one. Still todo: loading configuration data from a TFTP server. I want to implement this suggested feature, but this release should go out of the door first....
- Saving configuration data with the command 'save-config' is now possible to various targets: floppy, harddisk partition and remote host via scp. This is configurable via /etc/gibraltar_config.
- And yes: the old standing, long irritating man-bug is now fixed due to this upgrade. The 'man' command now works without any problems.
- This should also fix the bug that ifup crashes with more than 4 interfaces listed in /etc/network/interfaces.
- Cleanup: Removed squidguard, because it did not work very well anyway. I may add it again if it works better.
- The boot image loader (syslinux) is now written with the "safe" option, making booting from floppy slower but maybe enabling more machines to boot Gibraltar from CD-ROM.
- Removed some packages that are unneeded with kernel 2.4.x: ipfwadm, ipautofw
- Other cleanups, removed now unneeded system libraries.
- Updated the kernel to 2.4.9, including the MPPE patches with the compression fix (the reported problems with MPPE and compression should now be gone). This kernel is heavily patched, including support for IPSec (freeswan), MPPE, IRC masquerading, TTL and ULOG targets for netfilter and LIDS. Handle with care...... :-)
- The new kernel has been compiled with token ring drivers. Please try it out and tell me if it works (I don't have any token ring equipment to try it on).
- Installed (generating semi-random packages for network tests).
- Installed fwanalog for creating nice firewall logs viewable with a web browser.
- Installed ipfm (traffic monitoring tool).
- Installed nemesis (packet creating suite).
- Installed the mii-diag package for configuring network cards.
- Installed lynx-ssl and tftp so that Gibraltar can get some files via HTTP or TFTP.
- Installed dhcp-client (the DHCP client from ISC) as an alternative to the already installed pump. Some people reported problems with pump and various ADSL providers. Please try it again with this DHCP client.
- Installed telnet-ssl instead of telnet so that telnet via SSL can be used (from the client side, the telnet-ssl server is not installed).
- Installed ulogd for logging firewall packets.
- Installed lidsadm as preparation for the upcoming LIDS support.
- Installed snmpd, but disabled.
- Updated the ppp package to version 2.4.1 (including the MPPE patches).
- Updated the freeswan package, now including support for X509 certification authorities and opportunistic encryption via secure DNS.

Version 0.98c, published 2001-05-06, 23:00

- Updated squid to version 2.4.1 because the old version had some problems with the available number of swap files (documented in the squid FAQ).
- Updated the man-db package from Debian proposed-updates.
- Some small fixes in the init scripts:
  - Made the check for open files on /etc before saving the config floppy faster.
  - Made the timeout and the number of tries for searching a configuration disk (for saving) configurable.

Version 0.98b, not published officially

- Updated to kernel 2.4.3. It should include support for MPPE encryption (for PPTP client and server) again, although this has not been tested.
- Now Gibraltar searches on all known harddisk partitions for configuration data. Therefore floppyless usage is now possible. The save-config script will be adapted to be able to save to the harddisk partition too, but at the moment this has to be done manually (by mounting the partition to /mnt and calling "save-etc /etc /mnt/etc.gz").
- Installed syslinux so that a bootsector can be written to a harddisk partition if booting from the CD-ROM does not work and a boot disk is undesirable.
- Updated freeswan (the IPSec implementation) to version 1.9. Now the kernel part and the key management daemon are in sync again (the kernel part was taken from freeswan snapshot versions until now because freeswan 1.8 did not work with kernel 2.4.x).

Version 0.98a3, not published officially

- Updated to kernel 2.4.2 because the ipsec support in 2.4.1 was broken.

Version 0.98a2, not published officially

- Installed php4 in preparation of the upcoming Gibraltar web administration interface, currently being written by ViaNova.

Version 0.98a, not published officially

- Installed nmap and iptraf packages.
- Updated the ssh package.
- Updated the sudo package from the Debian security archives.
- Installed webalizer for squid log parsing.
- Installed apache 1.3.14 with IPv6 support.

Version 0.98, published 2001-02-16

- Updated to kernel 2.4.1, which now includes reiserfs upstream (no patching necessary for the Gibraltar kernel). This kernel has been compiled with freeswan (IPSec) support and the kerneli patches applied. Support for MPPE encryption (used for encryption of data transmitted in a PPTP tunnel) is gone now, because I could not find a working patch for the 2.4.x kernels and I am not familiar enough with this code to do it myself. Thus ppp now works again (it did not work with 0.98pre versions), but MPPE encryption will not.
- Updated the ssh package (only minor packaging bugs fixed, the upstream version is still the same). This version is not vulnerable to the bugs recently posted on BugTraq.
- Updated the logcheck package.
- Updated the freeswan package.
- Updated the postfix package, now with support for IPv6 and SSL encryption. It can be set up so that SMTP connections to other mail servers supporting SSL (such as all new versions of sendmail) are automatically encrypted.
- Installed updates from Debian security and proposed updates archives: man-db, libc, squid, cron, tcpdump, mc

Version 0.98pre2, published 2001-01-24, 21:00 GMT+1

This release fixes the bug that made 0.98pre unbootable on IDE CD-ROM drives.

Version 0.98pre, published 2001-01-23, 23:45 GMT+1

This is the first pre-release including kernel 2.4.0, therefore the first release with real stateful firewalling support. Please do not use it to replace your already running Gibraltar version for production uses. Try it first and if it works for you, use it. This should be very easy with Gibraltar in general: if you don't like a version, just put the old CD-ROM back in, reboot and you are up and running again.

WARNING: pptp support is broken in this release. I hope to get it fixed really soon (it seems to be a kernel problem), but do not use this release if you need a running pptp support!

- Included kernel 2.4.0 with freeswan and mppe patches. The kernel 2.4.0 also has been patched with the international kernel patch, so all crypto modules are there and can be used (e.g. for loopback device encryption, but I have not tried it).
- Removed spf package (not needed anymore, because we now have kernel support for this).
- Updated ssh package to version 2.3.0p1. Now we have full ssh protocol version 2 and IPv6 support in ssh.
- ssh host keys are now automatically generated when the firewall boots in unconfigured mode. This was a security hole if the administrator did not create own host keys.
- Updated iptables package, now featuring IPv6 firewalling support.
- Updated reiserfsprogs package, the old mkreiserfs did not work anymore with newer kernels.
- Updated modutils package so that kernel 2.4.0 module paths are recognized.
- Switched /etc/init.d/save-etc-disk and /sbin/save-config. Previously, /etc/init.d/save-etc-disk was the real script and /sbin/save-config was a link to it, but this caused problems when /etc/init.d had been copied to the /etc ramdisk. Now it is the other way around, with /etc/init.d/save-etc-disk being a link to /sbin/save-config. This should work in any case.
- Got rid of the "gibraltar kernel: kmod: failed to exec /sbin/modprobe -s -k nls_cp437, errno = 2" error message during bootup.
- Fixed a small bug in the update-config script.
- Updated pptpd, postfix, gnupg and vtun packages.
- Patched and recompiled ppp daemon 2.4.0 for use with mppe encryption.
- Removed the fwctl package since it is only for ipchains and has no iptables support (yet).
- Updated the kudzu hardware detection library from RedHat.

Version 0.91b, not published (internal testing release)

This is also a minor bugfix release.

- Included the TUN/TAP kernel module so that the vtun package should actually work.
- Updated freeswan to version 1.8.
- Included the pcmcia kernel modules again (they have been left out unintentionally).

Version 0.91a, published 2000-11-29, 20:00 GMT+1

This is a minor bugfix release that includes an updated ed (the older one had a security hole) and fixes a problem with the default configuration (/etc/terminfo should be a link, but wasn't).

- Included the vtun package due to a user request (version from woody).

Version 0.91, published 2000-11-27, 22:00 GMT+1

This is a bugfix release that also has a few new features. It should be the last major release (bugfix-only releases might still happen if there are security-relevant or otherwise grave bugs) based on kernel 2.4.x.

- Based on kernel 2.2.17, which fixes a few security-relevant bugs.
- Updated all packages for which there were proposed updates for the current stable Debian distribution (potato).
- Updated some packages from the current unstable Debian distribution (woody) which have new features.
- Installed the heartbeat package for fail-over capability. The package has only been installed but I did not play with it. Therefore there is no sensible default configuration at the moment. Please play with it and tell me if it works at all.
- Added IPSec support: There is now a current freeswan package including the x509 patches installed and kernel support is also present. It should work, please tell me if you have problems. Due to the x509 patches, it should be interoperable with Windows 2000 and PGPNet clients.
- Added script-hooks in the bootup-script. Now it should be possible to create special master / maintenance disks that contain scripts for special purposes (e.g. manipulating the config file during bootup, preparing the config disk media before loading the configuration image from it, ...).
- Got rid of the message "modprobe: Can't locate module /dev/ttyS0" during bootup.
- Do not calculate the module dependencies on bootup anymore. Since the modules are on the CD-ROM, the dependency information will not change. This means that Gibraltar boots faster, but also that you will have to call "depmod -a" manually when you add modules.
- Set default for portsentry to not block anything, but only log hosts that appear to be port-scanning. Some users reported that trusted hosts have been blocked because portsentry was not configured properly. This can be annoying, so the default is now that portsentry will not actively block hosts. After properly configuring it, the behaviour should be changed.
- Corrected a bug in the save-etc script: under certain circumstances it happened that during shutdown not all programs were killed. Therefore save-etc asked if it should stop these programs (they have to be stopped before saving the configuration image) and therefore halted the shutdown process. Now save-etc will stop the processes automatically when it is called during shutdown, thus not hindering the shutdown/reboot.
- Most of the files in the home directory of "root" are now links to /etc/local/root. Therefore they can be changed and will be stored on the configuration disks. One example are RSA public keys for SSH authentication, which have to be stored in /root/.ssh (which is linked to /etc/local/root/.ssh).
- /usr/local/bin and /usr/local/sbin are now linked to /etc/local/sbin and /etc/local/sbin, therefore the administrator can copy scripts to these locations and call them in a standard way.
- The environment variable "EDITOR" is now set to "vi" by default.
- There is now a "fastboot" option which skips waiting for the config disk.
- There is also a first version of an update-config script that should be able to automatically update your existing Gibraltar 0.90 configuration disks with the new default values of Gibraltar versions >= 0.91. It updates files that were not modified by the administrator but have changed in the default configuration. New files are created, old files (that are no longer used and were not changed by the administrator) are moved to a trash directory (/etc/deleted_files) for later deletion. Additionally the new default configuration files are copied as . when they are not updated automatically so that the administrator can manually update his files. As mentioned above, this is the first version of the update-config script. Please tell me if it works for you. At the moment it is rather conservative, which means that it does not change any files when it is not perfectly sure that they can be overwritten without destroying something, leaving more work for the administrator.
- A new version of the isdnutils has been installed, because this one was split into different packages from which those dependent on X-Windows libraries have not been installed. Therefore the X-Windows libraries are now gone.
- Some cleanups: Removed mime-construct and mimedecode because there are better packages for this purpose. Removed the reportbug package (and all python packages because only reportbug needed them), because ViaNova might soon have an own bug tracking system for Gibraltar.

Version 0.90, published 2000-09-02, 2:00 GMT+1

It is mostly equal to release 0.90pre3, but with a few new packages installed and prepared for seamless updates to the next major release. During pre-releases, I will not put much effort in update procedures, but the major releases (such as this one) should be updateable with no problems (only putting in the new CD-ROM and config files should be updated automatically upon the next reboot).

- On the default etc image, there are now the files etc-defaults.list and etc-defaults.md5sums. etc-defaults.list includes a list of all files distributed in the default etc image, one per line with a few data added (link target, permissions, file/group owner, ...). etc-defaults.md5sums includes a list of MD5 checksums of all normal files on the etc image so that changed files can be detected easily during an update. I am working on an update script that is able to update an existing config disk with the new default values coming with the updated Gibraltar release. Hopefully this will be ready for the next release, but it is a must for the next major release.
- The system utilities stat, memstat and setcd are now included. setcd will be used for handling the locking / unlocking of the CD-ROM tray as soon as I can figure out how to do this for root filesystems. The other utilities should help in debugging et al.
- reportbug is included as a helper for reporting bugs on Debian packages.
- mime-construct and mimedecode are included so that the firewall itself will be able to send MIME formatted messages. I am currently planning to write some scripts that send MIME messages to the administrator, so these tools will be needed.
- raidtools2 is included, although the current kernel does not include support for new-style RAID arrays now. But since I am planning to use a 2.4.x kernel for the 1.0 release and am planning to patch the 2.2.16 kernel until 2.4.x is ready, I include it now. Maybe the next release will include a kernel with new-style RAID support.
- fwctl is now included due to suggestions from users.
- dnscache is reintroduced in this version because the last mail I got from John White said that it should be ok to distribute dnscache the way I do it with Gibraltar. If somebody with a good understanding of Dan Bernstein's license could comment on the situation, then please let me know.
- The script /etc/firewall-script.sh is now started *before* network interfaces are brought up. This makes the system more secure, but you have to notice that DNS lookups are not possible in this script. If you use names for hosts listed in firewall rules, then you have to enter them into /etc/hosts or it will not work.

Version 0.90pre3, published 2000-08-23, 23:00 GMT+1

There are some new features in this release:

- midnight commander is now included due to demand from users
- parted is also included so that partitions can be manipulated better
- superformat is included for better handling of floppy disks
- dhclient is now the default dhcp client instead of pump, because it has support for calling scripts when the address changes (e.g. for applying firewalling rules with the new address)
- a preliminary freeswan package is now also included - please try ipsec and tell me if it works
- included the upsd package for handling clean shutdowns with UPS
- the Gibraltar-specific scripts are now in the binary package 'gibraltar-bootsupport'
- a major update of the netbase package (the version taken from the unstable Debian tree has been installed)
- libsafe is now included to prevent common stack-overflow exploits
- ntpdate client is included for synchronizing the system clock with NTP servers. However, I do not recommend to do this per cron script, because somebody might perform a man-in-the-middle attack to set your firewall system clock to bad values. It can be useful for setting the clock during the initial setup.
- The firewall script is now started in runlevel S, earlier than before. This makes the time where network interfaces are configured, but firewall rules are not in place, shorter and thus the boot procedure a bit safer.

Version 0.90pre2, published 2000-08-03, 21:00 GMT+1

This is a clean-up release, it makes the system work on smaller systems and fixes some important bugs. You should definitely update if you can.

- some tweaks to make Gibraltar work with 16 MB RAM and no swap partition:
  - do not start ippl, arpwatch, net-acct and snort by default (although I recommend everybody to start them if there are 32 MB RAM or more available - they can help to secure your system)
  - there is a new setup.d script now: 'minimal-system' takes care of not starting webmin when only 16 MB are available (you should be fine with 24 MB)
- the ISO images will now come with a GPG-signature file
- oops, my certificate authority expired on 2000-08-01. I created a new one and signed the distributed SSL key certificate with the new CA key.
- I am creating a Debian package containing the boot scripts now. In preparation of this all of the boot scripts were automatically re-created from pieces. There might be some differences, but I did not recognize any during testing them.
- I found out that my extensions to the webmin useradmin module that allow changing the PAM system password of a user might contain a bug and are incomplete. Therefore I deactivated webmin in the distribution for the moment. It will be reactivated as soon as I am sure that my patches are complete.
- the initrd ramdisk was not freed properly after it finished. This should be fixed now.
- fixed a bug in the 00network-cards script that detects all network cards and brings them up. When there was a blank space in the network card description, it did not work. Now it should be fixed.
- fixed a bug that prevented using a harddisk partition as /var: no modules could be loaded before /var was writeable, but modules are needed to load /var .... I hope that it is fixed now.
- upgraded openssh to version 2.1.1p4 from woody. It now includes support for the ssh version 2 protocol.
- unfortunately I had to remove dnscache from the distribution. It seems that Dan Bernstein's license does not allow the dnscache binary to be distributed alone, without the other binaries from his djbdns package. I will have to wait for Dan Bernstein himself to clarify the situation; I sent him a mail over 2 weeks ago and am waiting for the response now. Hopefully I will be allowed to distribute dnscache soon because it is a real security enhancement to not depend on (maybe broken) external DNS servers. And no, I do not want to include bind just for resolving DNS names.

Because of the current dnscache situation, you need to upgrade to this version. Until Dan Bernstein allows me to include dnscache in Gibraltar, it conflicts with his license. Please stop using the old release immediately, it might get me in trouble because I redistributed the dnscache binary (although I thought that this redistribution was allowed. It seems that it is not).

A general note: I want to publish new releases as soon as I fix bugs, therefore it might happen that there are 4 releases in a week or no release for 2 weeks. Generally, I recommend the usage of CD-RW media to work with Gibraltar until the version number goes close to 1.0. Doing so, you can follow new releases quickly without wasting CD-R media.
Version 0.90pre1, published 2000-07-31, 4:00 GMT+1

- first public release, probably some bugs
- the basics should be rather complete for the 0.90 release, only details will change
- it works on my IDE and SCSI systems, please tell me if it boots on others
- you can report any bugs / suggestions / wishes to the gibraltar mailing list at gibraltar@vianova.at
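The etc-defaults.md5sums manifest introduced in version 0.90 exists so that an update script can tell which files on the config disk the administrator changed and which still match the shipped defaults. The script below is an added example of that comparison, not the Gibraltar update script (which the changelog says was still being written). It assumes the manifest has md5sum(1) output format ("<hash>  <path relative to the etc image>"); the function names, the sample files and the three-entry demonstration tree are all constructed here for illustration.

```shell
#!/bin/sh
# Added example: classify files on a config disk against an etc-defaults.md5sums
# manifest as unchanged, locally modified, or missing. Not Gibraltar's own code.

# file_md5 FILE -> lowercase hex MD5 of FILE's contents.
# Uses GNU/busybox md5sum when present, BSD md5 otherwise.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# classify_etc MANIFEST ROOT
# Reads "<hash>  <relative path>" lines (md5sum format, as assumed for
# etc-defaults.md5sums) and prints one "unchanged|modified|missing <path>"
# line per entry, comparing against the file under ROOT (the config disk).
classify_etc() {
    manifest=$1
    root=$2
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        want=${line%% *}          # hash is everything before the first space
        path=${line#* }           # rest of the line ...
        path=${path# }            # ... minus md5sum's second separator space
        path=${path#\*}           # ... and a binary-mode marker, if present
        if [ ! -f "$root/$path" ]; then
            printf 'missing %s\n' "$path"
        elif [ "$(file_md5 "$root/$path")" = "$want" ]; then
            printf 'unchanged %s\n' "$path"
        else
            printf 'modified %s\n' "$path"
        fi
    done < "$manifest"
}

# count_status MANIFEST ROOT STATUS -> number of entries with that status.
count_status() {
    classify_etc "$1" "$2" | grep -c "^$3 " || true
}

# setup_demo -> path of a constructed work dir holding a "default etc image",
# its manifest, and a "config disk" with one kept, one edited, one removed file.
setup_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/defaults/network" "$work/config/network"
    printf 'nameserver 127.0.0.1\n' > "$work/defaults/resolv.conf"
    printf 'auto eth0\n'            > "$work/defaults/network/interfaces"
    printf 'firewall\n'             > "$work/defaults/hostname"
    # Manifest generated from the default image, the way etc-defaults.md5sums
    # would be produced on the CD-ROM side.
    ( cd "$work/defaults" && for f in resolv.conf network/interfaces hostname; do
          printf '%s  %s\n' "$(file_md5 "$f")" "$f"
      done ) > "$work/etc-defaults.md5sums"
    # Config disk: resolv.conf kept, interfaces edited, hostname deleted.
    cp "$work/defaults/resolv.conf" "$work/config/resolv.conf"
    printf 'auto eth0 eth1\n' > "$work/config/network/interfaces"
    printf '%s\n' "$work"
}

# Demonstration run on the constructed tree.
demo_dir=$(setup_demo)
classify_etc "$demo_dir/etc-defaults.md5sums" "$demo_dir/config"
```

An update script would copy new defaults only over files reported as unchanged and leave modified ones for the administrator to merge. Note the trust boundary: the manifest is useful here because it comes from the read-only CD-ROM image, so a compromised running system cannot rewrite it to hide edits; MD5 is adequate for spotting local configuration changes, but anything adversarial (tamper evidence against an attacker who can write the config disk and choose file contents) should use a collision-resistant hash such as SHA-256 and a signed manifest.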