Version 2.3, published 2005-08-09
This is a feature release with two major new features now being fully
supported by the web interface: bridging (a.k.a. transparent firewalling)
and traffic shaping. Both can be enabled with the respective modules in the
web interface. Other changes in the web interface include a quick config
save link, new service definitions that can now span different protocols
(e.g. an IPSec service that includes UDP, ESP and AH), the possibility to
configure an email relay (e.g. a smart host by the ISP), and some
enhancements when integrating an HDD for /var.
Another enhancement is the possibility to update the whole system image when
booting the USB version from a writable medium, e.g. a CompactFlash card in
a hardware appliance. The USB version of Gibraltar uses squashfs images,
which are read-only on a file system level. New shell scripts and a web
interface module now facilitate the update of such a system image with a
single reboot and the possibility to switch back to the previous version.
The respective scripts should even deal with resets or power failures while
the update is in progress, so that this update should not be as fragile as
the dreaded firmware updates of typical hardware components. It needs free
space for the new system image though. At the moment, a 256 MB USB or CF
medium will be enough to hold two system images and thus allow for such an
update.
Changes in the Gibraltar base system are:
- SECURITY FIX: The squid anti-virus plugins for clamav and Kaspersky kav
have been modified to scan whole files instead of only sliding windows
over the data streams. For some larger viruses, it turned out that neither
clamav nor Kaspersky kav were able to detect them when the file header was
not included in the scan window (although the virus itself should have
fitted in the scanned blocks). To overcome these issues, the HTTP streams
are now saved in temporary files, which are continuously scanned until the
download is either complete or the file grows larger than a (configurable)
maximum file size. When a virus signature is found, the download is
aborted. This change leads to a significant performance hit when the
maximum file size is chosen too large (e.g. >500kB), but will not let
viruses pass that are smaller than the chosen maximum file size.
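The scan-window problem and the spool-and-rescan fix described above, as an added example that is not the Gibraltar squid plugin's code; the toy scanner, the "MZ" header, the marker string and the chunk/window sizes are constructed stand-ins for a real engine that needs the file header to identify a sample.

```python
from typing import Callable, Iterable, List

# Constructed toy "virus": the scanner only flags it when the file header and
# the payload marker are both visible in one scanned buffer, mirroring the
# header-dependent detection failure the release notes describe.
HEADER = b"MZ"
MARKER = b"EVIL-PAYLOAD"
SAMPLE = HEADER + b"A" * 100 + MARKER + b"B" * 20   # infected, 134 bytes
CLEAN = HEADER + b"A" * 50

def toy_scanner(data: bytes) -> bool:
    """Stand-in for clamav/kav: infected only if header AND marker are present."""
    return data.startswith(HEADER) and MARKER in data

def chunked(data: bytes, size: int = 32) -> List[bytes]:
    """Split a download into the chunks a proxy would receive from the origin."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def sliding_window_scan(chunks: Iterable[bytes], scanner: Callable[[bytes], bool],
                        window: int = 64) -> str:
    """Old behaviour: each window is scanned on its own, so the header may be
    absent from the window that holds the malicious payload."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        while len(buf) >= window:
            if scanner(buf[:window]):
                return "aborted"
            buf = buf[window:]
    return "aborted" if buf and scanner(buf) else "passed"

def whole_file_scan(chunks: Iterable[bytes], scanner: Callable[[bytes], bool],
                    max_size: int) -> str:
    """New behaviour: spool the stream (the plugin uses a temporary file) and
    rescan the whole content after every chunk.  Downloads that grow past
    max_size stop being scanned and are let through, which is the trade-off
    the release notes point out."""
    spool = bytearray()
    for chunk in chunks:
        spool += chunk
        if len(spool) > max_size:
            return "passed-unscanned"
        if scanner(bytes(spool)):
            return "aborted"
    return "passed"
```

With max_size set below the sample's 134 bytes the infected download passes unscanned, which is why the maximum must be chosen against the size of the threats you expect rather than only against proxy throughput.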
- SECURITY FIX: Updated heimdal kerberos packages due to some possible
buffer overflows.
- Updated kernel to 2.4.31 level, fixing a few upstream bugs.
- Added a kernel patch to support the VIA padlock crypto functions. They can
be used to speed up AES, e.g. for IPSec tunnels.
- Added kernel support for the newer squashfs filesystem (version 2.1-r2).
- Recompiled iptables to work with the newer kernel and enabled a few
extensions (ROUTE, mark, physdev).
- The USB/CF images are now squashfs instead of cramfs images, yielding
better compression and thus smaller image sizes - they again fit onto a
128 MB medium. This also removes the limit of roughly 256 MB uncompressed
image size, which was already reached by the last release.
- This release also adds scripts and modifies the initrd image so that the
USB/CF image can be updated (nearly) atomically. Just pipe a Gibraltar
USB/CF image in the new format into the stdin of the new update-system
script and reboot; the image will be updated upon that first reboot. If anything
happens during uploading the image or during checking the image, the
update will not be performed. The new syslinux labels "old", "cf*_s1" and
"cf*_s2" can be used to boot the old version again, in case the update
failed. Therefore, such "firmware" updates should not be able to bring the
system into an unbootable state where the boot media would need to be
rewritten. This is important for updating appliances that boot from
internal CF media.
- Switched to using ifrename instead of the interface renaming code in
/etc/network/if.d/ now. This decouples the renaming of network interfaces
from their configuration, which is needed for bridge interfaces, VLAN
handling etc. where virtual interfaces are created from physical ones. It
is also more elegant.
- Fixed the scripts for configuring bridge interfaces:
/etc/network/if-up.d/05bridge and /etc/network/if.d/address. Also included
a sample configuration block in /etc/network/interfaces that shows how to
configure a bridge.
- Updated the /etc/alternatives/editor link to point to fte instead of vim,
because vim is excluded from the USB/CF variant of the Gibraltar image.
- Modified syslogd.conf to not print any messages to logged in users, which
was mostly confusing and did not offer any benefits (it is not to be
expected that users are logged into the firewall too often to notice such
emergency messages).
- Added the Atheros 802.11a/b/g cards to the PCI hardware list. They are
handled by the madwifi driver (including support for master, i.e. access
point mode).
- Installed the cpio, lha, unarj, unrar, unzip, zoo and lzop packages to enable
amavisd-new to unpack various compressed attachments for checking them.
- Removed packages libdiscover1 and libxml2 since they are no longer needed.
- Updated the samba packages to fix an issue with the integration of winbind
(Active Directory authentication) and sasl2.
- Updated the sasl2 libraries to fix a (potential) security issue. Also
installed the slapd openldap server for the integrated user database that
is currently being developed.
- Installed the libdb4.2 libraries and utils, since they are required by
the updated sasl2 and openldap2.2 packages. Also installed
libnet-ldap-perl to enable ldap access from perl scripts.
- Installed the freeradius package and the ldap and eaptls plugins. This is
also for the integrated user database.
- Installed the libslp1, libltdl3 and libcomerr2 packages, which are
necessary for freeradius and the new openldap2.2 packages.
- Updated openvpn to major version 2.0 due to user request.
- Updated ppp to major version 2.4.3. This package brings working radius and
winbind plugins, which enables remote authentication of PPTP and L2TP
users, e.g. against an Active Directory.
- Installed radiusclient1 and libradius1, which are needed by the ppp radius
plugin.
- Installed cricket and libsnmp-session-perl, which will be used for system
monitoring and graphing in the future. The cron jobs are disabled until we
properly support configuring it.
- Installed chillispot (1.0RC2), a captive portal that has performed well in
our lab setups.
- Removed the hwdata package, which is no longer necessary.
- Removed the cipe and vtun packages for VPNs. They are insecure (cf.
http://www.mail-archive.com/cryptography%40metzdowd.com/msg00891.html for
all the gory details). Some people might still use them, but I no
longer want to support insecure VPNs, which are worse than no VPN because
they give a false sense of security. If you need a VPN, please use IPSec
(the use of openswan should be really easy now with our web interface) or
openvpn (which is very easy to set up).
[vtun is not really gone, but needs to be manually reactivated if somebody
really needs it. It might go away in future releases though.]
- Run ntpdate each bootup so that the system clock gets synchronized
immediately to three randomly chosen, public NTP servers. This is
necessary for hardware clocks that are far off the real time, because the
ntpd daemon will refuse to start synchronizing if the clock is off by more
than an hour. However, the synchronization will not be started when there
is no default route to prevent delaying unconfigured boots.
- Increased maximum password length from 8 to 20 characters - this was way
too short.
- Updated razor to 2.610.
- Updated clamav to version 0.86.
- Installed bld, a general black list daemon that is now used for black
listing SSH and other (currently web interface) password brute force
attacks. The bld daemon and a new bld-submitter process are now started
by default and log all failed login attempts to the blacklist. After a
configurable amount of failed retries in a given time frame, the
respective IP address is added to the blacklist. A cron job periodically
adds all blacklisted IP addresses to the iptables chains to block them
completely. If you really do not want this feature, then please comment
the two lines in /etc/runlevel.conf or deactivate the service via the web
interface.
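The threshold logic described above (N failed logins from one address inside a time frame, then a blacklist entry that a cron job turns into iptables rules), as an added example run over constructed auth-log lines; this is not bld's own code, and the threshold, window, log format and the BLACKLIST chain name are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAX_FAILURES = 3      # failed retries allowed ... (constructed threshold)
WINDOW_SECONDS = 600  # ... within this time frame (constructed)

# Constructed sample lines in the style of sshd entries in /var/log/auth.log.
SAMPLE_LOG = """\
Aug  9 09:00:00 fw sshd[1101]: Failed password for root from 203.0.113.5 port 3001 ssh2
Aug  9 09:15:00 fw sshd[1102]: Failed password for root from 203.0.113.5 port 3002 ssh2
Aug  9 09:30:00 fw sshd[1103]: Failed password for root from 203.0.113.5 port 3003 ssh2
Aug  9 10:00:01 fw sshd[1201]: Failed password for admin from 192.0.2.10 port 4001 ssh2
Aug  9 10:00:03 fw sshd[1202]: Failed password for admin from 192.0.2.10 port 4002 ssh2
Aug  9 10:00:05 fw sshd[1203]: Failed password for root from 192.0.2.10 port 4003 ssh2
Aug  9 10:01:00 fw sshd[1301]: Failed password for root from 198.51.100.7 port 5001 ssh2
Aug  9 10:01:02 fw sshd[1302]: Failed password for root from 198.51.100.7 port 5002 ssh2
Aug  9 10:01:09 fw sshd[1303]: Accepted password for root from 198.51.100.7 port 5002 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for \S+ from (\S+) port \d+")

def parse_failures(log_text, year=2005):
    """Yield (timestamp, source IP) for every failed login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def blacklist(events, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Ban an IP once it has max_failures failures inside a sliding window."""
    recent = defaultdict(deque)
    banned = []
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop stale failures
            q.popleft()
        if len(q) >= max_failures and ip not in banned:
            banned.append(ip)
    return banned

def iptables_rules(banned, chain="BLACKLIST"):
    """Rules a cron job could append; chain name is a constructed placeholder."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in banned]
```

Slow attempts spread wider than the window (203.0.113.5 in the sample) never reach the threshold, so the window length is as much a tuning decision as the retry count.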
- Stop the DHCP client from overwriting the domain name set in
/etc/resolv.conf (by commenting out make_resolv_conf in
/etc/dhcp3/dhclient-script).
- Installed ddrescue, a small dd replacement that does not abort on errors.
This helps getting data off a faulty drive (e.g. a failing HDD).
- Fixed the certificate chain for the Jetty webserver that serves the web
interface. Now just importing the root Gibraltar CA certificate from
https://www.gibraltar.at/ca-root.crt should create a valid certificate
chain for all browsers. Therefore the confirmation box should no longer
be displayed upon connecting to the web interface.
- Changed the behavior of the clamav virus scanning plugin for squid
slightly, so that errors in the clamav library do not lead to blocking
the respective files. This made it impossible to download updates from
windowsupdate.com, since the CAB files could not be extracted properly by
the clamav library. In such cases, the files will now pass the scanner,
but a warning will be logged to the squid cache.log.
- Removed the libidn11 package, which is no longer needed (the last clamav
version does not need it).
- Removed the libsmbclient package, which is also no longer needed.