Version 3.0, published 2010-01-04
This is a major new release, moving to kernel 2.6 and Debian 5.0 Lenny as the
base system and splitting the web interface into frontend and backend parts in
preparation for centralized management tools.
- Full support for IPv6 in routing, firewall rules, and application-level
proxies/daemons, including automatic 6to4 and static 6in4 tunnels. Adding
globally reachable IPv6 addresses to a local network is now a simple
procedure: enabling an automatic 6to4 tunnel requires almost no manual
configuration.
- Policy routing setup via the web interface (for example source-based
routing) with support for multiple default routes in fail-over as well as
(static) load-balancing configurations. This includes Internet connection
fail-over with a primary and (multiple) backup upstream connections and
IPsec tunnel fail-over.
- Official support for WLAN interfaces. Gibraltar can now act as a WLAN
access point with or without WPA(2) encryption and optionally with a
captive portal for guest access. This has been tested with Atheros MiniPCI
cards, but should in principle work with any WLAN card supported by the
new in-kernel mac80211/nl80211 stack. Also included is a madwifi version
patched and tested for stability to support older Atheros chipsets not yet
supported by ath5k/ath9k.
- In preparation for managing multiple firewalls with one user interface,
the core modules (network settings, firewall, nat, traffic shaping) have been
split into backend and frontend. Remote management support will begin with
the next release and will be extended in future versions.
- The web interface now consistently uses aliases for hosts, networks, and
services, which must be defined before they can be used in rules. This
makes large rule-sets easier to keep track of.
- Added firewall and NAT rules overview pages that span all input and output
interfaces.
- Added layer7 match support to mark traffic based on protocol signatures
instead of ports. Layer7 matching is not available for firewall rules, but
works well for traffic shaping purposes.
- OpenVPN can now be used without client certificates for direct integration
with LDAP or Microsoft Active Directory. This allows a simple setup for
road-warrior clients: the same OpenVPN configuration can be used on all
clients and can therefore be deployed automatically. Users then
authenticate with their standard accounts.
- Use of kernel 2.6 (currently based on 2.6.30.x with security enhancements).
- A fresh and more standardized base system using Debian 5.0 "Lenny".
- Multiple PPP dial-in interfaces can be used (for example ADSL with UMTS as
backup), each with a specific interface name. pppd has been patched to
support the "ifname" configuration option, which renames the interface on
successful connection. This makes it possible to write firewall and NAT
rules as well as policy routing for (upstream) PPP links that refer to a
stable interface name.
- amavisd is now integrated as a before-queue filter instead of an after-queue
filter. Mail that amavisd rejects is refused during the SMTP session instead
of being accepted and bounced afterwards, which cuts down on bounce mail
processing and thus decreases the typical mail queue length.
- Using udev instead of devfs.
- Using upstart instead of the older init package. Combined with udev, this
significantly speeds up typical boot times.
- Using initramfs-tools with additional hooks instead of the previous
mkinitrd-cd package built especially for Gibraltar. This removes the need
to specify root= kernel command line arguments to boot from compact flash
or hard disk instead of from CD. It should also save future development
effort by merging the Gibraltar initramfs scripts with those used by Debian
and Ubuntu, and it allows the same boot options to be used for ISO and
appliance/USB bootup. All Gibraltar atomic update functionality has been
ported to image updates.
- Using the mainline squashfs format 4.0 now and dropping our own kernel patches.
- ISO images now contain a compressed (squashfs) filesystem to make
them smaller.
- Using aufs overlay mounts instead of only tmpfs for /var and /etc. This
minimizes RAM usage and the size of the stored configuration (config.tgz)
by keeping only those files that differ from the defaults. Besides
significantly decreasing the size of stored configurations, this also makes
auditing of changes simpler: everything that diverges from the default is
visible in the writable branch.
/system/etc-static and /system/var-static are no longer required, bringing
the base system even closer to a standard (but hardened) Debian install.
- Hard disks are now mounted under /var/persistence and will only contain a
subset of the whole /var tree to simplify updates between major versions.
- Using Debian update-rc.d for enabling/disabling automatic starting of
services (init scripts) on bootup instead of older runlevel.conf scheme.
- Using rsyslog instead of syslog-ng.
- Installed the zabbix-agent package for better integration with the Zabbix
monitoring package (we use it extensively, both internally and for our
customers, with good experience in terms of stability and scalability).
Additional checker scripts are included.
- Updated to heartbeat2 for firewall high-availability, although it is still
used in compatibility mode. Support for more than 2 nodes will be added in
future versions.
- Added support for commercial JonDonym cascades with pre-paid vouchers.
The anon-proxy version of the JAP/JonDonym client has been dropped in favor
of a special Java version that is directly integrated with the web interface.
- Updated squid to version 3.
- Using strongswan instead of openswan for mature IKEv2 support. The web
interface will support selecting IKEv2 for tunnels in a future version; on
the shell it can already be used.
- Installed *top packages for easier monitoring/debugging support on the
shell.
- Initial dashboard support to present the most important status
information on the entry page.
- Added simple mail queue handling in the web interface.
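The IPv6 item above mentions automatic 6to4 tunnels. The following shell script is an added example (not part of Gibraltar or its web interface) showing what such a tunnel amounts to in ip(8) commands: it derives the 2002::/16 prefix that 6to4 assigns to a public IPv4 address, refuses private addresses that relays cannot route back to, and brings up the sit tunnel plus a LAN /64. The interface names tun6to4 and eth1, the example addresses and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of Gibraltar: derive the 6to4 prefix for a public IPv4
# address and bring up the matching sit tunnel with ip(8).
# Set DRY_RUN=1 to only print the commands; unset it to execute them as root.
# Interface names (tun6to4, eth1) and addresses are constructed for illustration.

# 6to4 (RFC 3056) assigns every public IPv4 address A.B.C.D the IPv6 prefix
# 2002:AABB:CCDD::/48, where AABBCCDD is the address written in hex.
sixto4_prefix() {
    # shellcheck disable=SC2046
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '2002:%02x%02x:%02x%02x::' "$1" "$2" "$3" "$4"
}

# Only globally routable IPv4 addresses can be 6to4 endpoints: relays have no
# return path to RFC 1918, loopback, link-local or multicast sources.
is_public_v4() {
    case $1 in
        0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
        22[4-9].*|2[3-5][0-9].*) return 1 ;;
    esac
    return 0
}

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

setup_6to4() {
    wan_v4=$1
    is_public_v4 "$wan_v4" || { echo "$wan_v4 is not a public IPv4 address" >&2; return 1; }
    prefix=$(sixto4_prefix "$wan_v4") || { echo "bad IPv4 address: $wan_v4" >&2; return 1; }
    # No fixed remote end: the kernel takes the IPv4 destination from the
    # embedded 2002::/16 address, so other 6to4 sites are reached directly.
    run ip tunnel add tun6to4 mode sit ttl 64 remote any local "$wan_v4"
    run ip link set tun6to4 up
    run ip -6 addr add "${prefix}1/16" dev tun6to4
    # All other IPv6 destinations go through the nearest anycast relay
    # (192.88.99.1, RFC 3068), addressed as the IPv4-compatible ::192.88.99.1.
    run ip -6 route add ::/0 via ::192.88.99.1 dev tun6to4 metric 1
    # Give the LAN subnet 1 of the /48 (subnet 0 holds the tunnel address);
    # radvd would then announce it to the hosts.
    run ip -6 addr add "${prefix%::}:1::1/64" dev eth1
}

if [ $# -gt 0 ]; then setup_6to4 "$1"; fi
```

Two caveats a practitioner should keep in mind: 6to4 traffic traverses third-party relays unencrypted and with no availability guarantee, and once the LAN carries a 2002::/48 every host on it is globally reachable, so the IPv6 firewall rules must cover tun6to4 before the tunnel is brought up.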
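The policy routing item above describes source-based routing, multiple default routes in fail-over and static load-balancing, and the PPP item describes stable interface names from pppd's "ifname" option. The following shell script is an added example, not Gibraltar's web-interface code, showing the ip(8) commands those setups come down to. The topology is constructed: a primary uplink eth0 with our address 198.51.100.10 and gateway 198.51.100.1, and a UMTS backup link brought up under the name ppp-umts; table ids, rule priorities and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not Gibraltar's own code: the ip(8) commands behind the
# fail-over and static load-balancing setups the release notes describe.
# Topology is constructed: primary uplink eth0 (our address 198.51.100.10,
# gateway 198.51.100.1) and a UMTS backup link that pppd's ifname option
# brought up as "ppp-umts" (point-to-point, so it needs no gateway address).
# DRY_RUN=1 prints the commands instead of running them.

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Source-based routing: each uplink gets its own table, and packets carrying
# that uplink's address are routed by it. Replies to connections that arrived
# over the backup link therefore leave over the backup link, whatever the main
# table says. Table ids 10/20 are arbitrary (1-252 are free for local use).
uplink_tables() { # PPP-LOCAL-ADDRESS
    run ip route replace default via 198.51.100.1 dev eth0 table 10
    run ip rule add from 198.51.100.10 lookup 10 priority 1000
    # The PPP address changes per dial-in; in practice an ip-up hook passes it.
    run ip route replace default dev ppp-umts table 20
    run ip rule add from "$1" lookup 20 priority 1001
}

# Fail-over: two default routes with different metrics. The kernel only
# drops a route when the interface goes down, so a dead upstream behind a
# live link must be detected separately (e.g. ping through each uplink and
# remove/re-add its route), which is what fail-over handling automates.
failover_defaults() {
    run ip route replace default via 198.51.100.1 dev eth0 metric 10
    run ip route add default dev ppp-umts metric 20
}

# Static load-balancing: one multipath default route; the weights give the
# share of new destinations sent via each hop. On 2.6 kernels the choice is
# cached per destination, so it is neither per-packet nor bandwidth-aware.
balanced_default() {
    run ip route replace default scope global \
        nexthop via 198.51.100.1 dev eth0 weight 3 \
        nexthop dev ppp-umts weight 1
}

# Strict reverse-path filtering silently drops replies that arrive on the
# "other" uplink. Loose mode (2) needs kernel 2.6.31 or newer; older kernels
# only offer 0 (off) for these interfaces.
loose_rp_filter() {
    for dev in eth0 ppp-umts; do
        run sysctl -w "net.ipv4.conf.$dev.rp_filter=2"
    done
}

case ${1:-} in
    failover|balance)
        [ -n "${2:-}" ] || { echo "usage: $0 failover|balance <ppp-local-address>" >&2; exit 2; }
        uplink_tables "$2"
        loose_rp_filter
        if [ "$1" = failover ]; then failover_defaults; else balanced_default; fi ;;
    "") ;;   # run without arguments: only define the functions
    *) echo "usage: $0 failover|balance <ppp-local-address>" >&2; exit 2 ;;
esac
```

Run with `DRY_RUN=1 sh policy-routing.sh failover 192.0.2.77` to review the commands first; firewall and NAT rules for the backup link can then refer to ppp-umts by name instead of whichever pppN the link got this time.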
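The OpenVPN item above describes road-warrior access without client certificates, with users authenticating against LDAP or Active Directory. The following shell script is an added example, not Gibraltar's own configuration generator: it writes a server configuration for that mode together with the single client profile every user can share, and a check that the two agree. The hostname vpn.example.com, the file locations, the PAM service name "openvpn" (backed by pam_ldap or pam_winbind) and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example, not Gibraltar's own code: OpenVPN server configuration that
# authenticates road-warriors by user name/password through PAM (which pam_ldap
# or pam_winbind can back with LDAP or Active Directory) instead of per-client
# certificates, plus the one client profile shared by all users.
# Hostname, file locations and the PAM service name "openvpn" are assumptions;
# the directory argument is where the files are written.

write_server_conf() { # DIR
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
# The server still authenticates itself with a certificate; only the client
# side is exempt, so this CA must never have issued anything but server certs.
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
# Static HMAC key on every control packet. Without client certificates this is
# the only barrier between an Internet host and the password check, so it also
# limits brute-force attempts against directory accounts.
tls-auth /etc/openvpn/ta.key 0
# No client certificate; the authenticated user name becomes the "common name"
# used in logs, status output and client-config-dir lookups. A second login
# with the same account replaces the first, which surfaces shared passwords.
client-cert-not-required
username-as-common-name
# Check user name/password against the PAM service /etc/pam.d/openvpn.
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
status /var/log/openvpn-status.log
verb 3
EOF
}

write_client_profile() { # DIR
    cat > "$1/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
persist-key
persist-tun
# Only the CA certificate and the shared tls-auth key are distributed; there is
# no per-user key material, so the same profile fits every client.
ca ca.crt
tls-auth ta.key 1
# Accept only a peer certificate carrying the server extended key usage, so no
# other certificate from the same CA can pose as the server.
remote-cert-tls server
# Prompt for the directory account instead of presenting a certificate.
auth-user-pass
verb 3
EOF
}

# Both sides must agree that no client certificate is used, or every client
# is rejected during the TLS handshake.
check_pair() { # DIR
    grep -q '^client-cert-not-required' "$1/server.conf" &&
    grep -q '^auth-user-pass' "$1/client.ovpn" &&
    ! grep -q '^cert ' "$1/client.ovpn"
}

if [ $# -gt 0 ]; then
    write_server_conf "$1"
    write_client_profile "$1"
    check_pair "$1"
fi
```

The option names are those of OpenVPN 2.1, current when this release shipped; OpenVPN 2.4 renamed `client-cert-not-required` to `verify-client-cert none`. Because the password check now faces the Internet, pair this with the directory's own account lockout policy and watch the PAM/LDAP logs for failed attempts.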
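The aufs item above says the overlay keeps only files that differ from the defaults and makes auditing simpler. The following shell script is an added example, not Gibraltar's tooling: it shows the overlay mount in ip-style dry-run form and an audit function that classifies every entry in the writable branch as added, modified, copied-up-unchanged or deleted (aufs records deletions as `.wh.<name>` whiteout files). The branch paths and the DRY_RUN switch are assumptions; the sample tree in the usage is constructed.

```shell
#!/bin/sh
# Added example, not Gibraltar's tooling: the overlay mount described in the
# release notes and an audit of what the writable branch holds. Paths are
# constructed; on the appliance the read-only branch is the default tree from
# the image and the writable branch is what ends up in config.tgz.
# DRY_RUN=1 prints mount commands instead of running them.

run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

# Stack a writable branch over a read-only default tree at MOUNTPOINT.
# Writes go to RW only; reads fall through to RO for anything RW lacks.
mount_overlay() { # RO RW MOUNTPOINT
    run mount -t aufs -o "br=$2=rw:$1=ro" none "$3"
}

# Report every divergence recorded in the writable branch RW relative to RO:
#   M path  modified (copied up and changed)
#   C path  copied up but identical content (permission or ownership change)
#   A path  added
#   D path  deleted; aufs records a deletion as a ".wh.<name>" whiteout file
aufs_changes() { # RO RW
    ro=$1 rw=$2
    (cd "$rw" && find . \( -type f -o -type l \) -print) | sed 's|^\./||' | LC_ALL=C sort |
    while IFS= read -r p; do
        dir=$(dirname "$p"); base=$(basename "$p")
        case $base in
            .wh..wh.*) continue ;;   # aufs bookkeeping entries (.wh..wh.aufs etc.)
            .wh.*)
                name=${base#.wh.}
                if [ "$dir" = . ]; then echo "D $name"; else echo "D $dir/$name"; fi ;;
            *)
                if [ ! -e "$ro/$p" ] && [ ! -L "$ro/$p" ]; then echo "A $p"
                elif cmp -s "$ro/$p" "$rw/$p"; then echo "C $p"
                else echo "M $p"
                fi ;;
        esac
    done
}

# Show the actual content differences for the modified files.
aufs_diff() { # RO RW
    aufs_changes "$1" "$2" | while read -r kind p; do
        [ "$kind" = M ] && diff -u "$1/$p" "$2/$p"
    done
    true
}

if [ $# -eq 2 ]; then aufs_changes "$1" "$2"; fi
```

Because the writable branch is exactly the set of local deviations, `aufs_changes` over the branch that feeds config.tgz is the audit the item refers to: anything listed is a configuration change relative to the shipped image, and an unexpected `A` or `M` entry under /etc is what an incident responder looks at first.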