Version 2.0, published 2004-06-04
- Many changes in the web interface: new configuration modules, enhanced
usability and new features in existing modules. It also has a new license
format, but version 1 licenses are still accepted.
- Updated kernel to version 2.4.26. This is quite similar to the 2.4.23
version of Gibraltar 1.x, but the security patches from 2.4.24 were applied,
fixing the mremap vulnerability.
- Supply kernel modules for the Conexant ADSL USB modem.
- Supply the P2P match module for netfilter (ipt_ipp2p.o and libipt_ipp2p.so).
- Add kernel modules for: Eagle ADSL USB modem, BCM5700 network cards,
drbd network RAID, Smart Link software modems and Bewan ADSL modems.
- Updated iptables to version 1.2.9-5, enabling use of new match modules.
- Updated freeswan to 2.04-9, which now supports dynamic fetching of CRLs
(certificate revocation lists) if proper certificate authorities are used.
It also solves the problem of spurious routes when using %defaultroute in
the ipsec.conf config file.
- Updated libpcap to major version 0.8 and tcpdump to major 3.8, fixing
security issues CAN-2004-0183 and CAN-2004-0184. This also enables large
file support for both packages and thus allows tcpdump to write and read
dump files larger than 2GB.
- Updated ipvsadm to 1.21release6.
- Updated lftp to fix the security issue.
- Updated perl to fix the information leak in perl-suid.
- Updated the screen package to fix a security issue.
- Updated the libnids1 library to fix a security issue.
- Updated gnupg to fix the potential information leaks with certain keys.
- Updated clamav to version 0.70 and adapted the pattern updater to Gibraltar
(current patterns are shipped with Gibraltar and the updater will replace
symbolic links by updated files).
- Updated the snmp libs, binaries and daemon to 5.1-4.
- Updated quagga to 0.96.4x.
- Installed the Kaspersky Anti-Virus engine and integrated it into
amavisd-new. Virus Patterns from 2004-02-09 are shipped with this version
of Gibraltar and they will be updated automatically. KAV will only work
when a valid license is installed. This license is not bundled with
Gibraltar, but we can provide very cheap licenses due to an OEM agreement
with Kaspersky.
- Updated spamassassin to version 2.61.
- Updated amavisd-new to version 20030615p5. Due to the use of amavisd-new for
the postfix integration, the spamassassin daemon no longer runs by default.
Instead, the amavisd-new daemon is started and in turn uses the
spamassassin module. This is now the default for integrating anti-SPAM
measures and virus scanners with the postfix email relay.
- Updated razor to version 2.361.
- Updated ntop to version 2.2c, but still patched to fix the problem with the
zlib handling (which also made the previous version unusable in most
configurations).
- Installed p3scan (and renattach), a transparent, SPAM- and virus-scanning
POP3 proxy. pop3vscan, its unmaintained predecessor, has now been removed.
- Installed Kerberos 5 (MIT implementation) libraries, client tools,
configuration and PAM support for integrating Gibraltar services into
Kerberos 5 authentication structures. This includes the Microsoft Active
Directory, which also uses a variant of Kerberos 5.
- Installed the pwdfile and opie PAM modules for more authentication options.
The Radius PAM module is already available on Gibraltar.
- Installed wget, because it is needed by the Kaspersky signature updater.
- Activated psad by default; it will now just send mail to root if a scan
or attack is detected.
- Installed the bluez user space utilities so that Gibraltar can act as a
Bluetooth access point, either via PAN (using the newer BNEP protocol) or
via LAP (using the classical RFCOMM/PPP combination that most current PDAs
and mobile phones understand).
- Installed the argus-server and argus-client packages for watching the
traffic that passes over a firewall (or on one of its interfaces).
- Installed the curl command line binary (the libraries were already
installed). The current version of freeswan can use it for CRL fetching
when X.509 certificates are used for authentication.
- Installed procmail, because renattach (which is in turn needed by p3scan) needs it.
- Installed xdelta, a binary diff tool now used by our online-patching script
to get smaller patches.
- Updated postfix to 2.0.18 and updated necessary packages (libpcre3, adduser,
base-passwd). Installed the libdb4.1, libssl0.9.7, libsasl2, libldap2,
libgcrypt1, libgnutls7 and libtasn1-0 packages for the new postfix.
- Installed the sasl2-bin package for pwcheck etc. Also updated the postfix
default config to include SMTP auth options.
- Updated wget to version 1.9.1-4.
- Installed munin and munin-node with the required packages
libhtml-template-perl, librrds-perl and libstorable-perl.
- Installed labrea, a sticky honeypot to greatly slow down worms, and the
required libdumbnet1.
Version 1.1, published 2003-12-23
This is the Christmas release, with only a few new features, but being a lot
more resistant against buffer overflows and thus more secure due to the use
of the PAX kernel patch.
- Updated the kernel to 2.4.23, which fixed the recently discovered brk()
vulnerability. In addition to the update, the context patch (for virtual
servers), the PAX patch and support for the zorp transparent proxy suite
were added. Minor additions are an AES optimization and cryptoloop.
- Updated the base system to Debian 3.0r2.
- Added a driver for the BCM4400 network cards.
- Installed chpax to select file-based PAX features.
- Installed rcs and blinkenlights.
- Removed cvs in favor of rcs.
- Installed psad, a port scan and attack detector which works by processing
logged rules from the firewall chains. Thus, in the default configuration,
only dropped packets will be processed by psad, which is more performant.
- Installed openvpn.
- Installed winbind and smbclient for user authentication to a Windows domain.
- Added two more boot options, fastboot-usb and fastboot-floppy, which skip
searching for floppy devices (and use the config from USB) or skip searching
for USB devices, respectively.
- Updated squid to version 2.5.4, which supports a null disk cache and has
better authentication support. Please note that the authentication options
in squid.conf have changed, so please check your configuration!
- Updated debconf.
- Updated shorewall to version 1.4.8.
- Fixed a small bug that could cause network interfaces not to be started
when the system has not been shut down cleanly and a hard disk is used for
/var.
- Reworked the update script so that only files which have changed between
the old and new default configurations are copied to the new config image.
This should avoid creating unnecessary files and thus wasting space and
should also produce fewer log messages during update.
Version 1.0, published 2003-11-10
This is the first combined free and commercial release! We decided to go
for a combined release because it is easier to maintain. For the freeware
version, nothing will change; the web interface just cannot be used without
a valid license key. However, it is advised to simply disable the web
interface to save RAM (it will not need any processing power when not in
use though) - simply comment it out in /etc/runlevel.conf. A roadmap for the
following release will soon be put up on our web page.
If there is large demand for a version without the web interface code at all
(for saving download time - the web interface takes about 30 MB), we will
try to find a solution for releasing two ISO images without too much
maintenance overhead. However, an online patching mechanism is in the works,
so new ISO images should be released less often (bug-fixes will be delivered
via patches).
- Include the web interface, which needs a license key to work. For more
details, please refer to the main web page at http://www.gibraltar.at/
- Generate CA-signed certificates instead of self-signed ones for IPSec
authentication.
- Remove orbs.dorkslayers.com from the RBL lists to check - it has been down
for the last few weeks.
Version 0.99.8a, published 2003-10-25
This minor update mostly solves the problem with syslog by switching back
to old-style syslogd and klogd for the time being.
- Remove syslog-ng again in favor of sysklogd. syslog-ng still has some
problems. However, the changes in the default logging configuration are
kept and have been ported back to the old configuration file format. Only
/var/log/syslog and /var/log/debug are now used by default, and they are
rotated by size to keep /var from filling up.
- NAT Traversal for IPSec now works again due to kernel and freeswan
patching.
- Improved the default configuration for cron jobs; it should now send a lot
fewer emails in the default configuration.
- The Alcatel Speedtouch USB ADSL modem should now work out of the box.
Just plug it into a USB port and it should immediately become available for
use in PPPoE and PPPoATM connections, which are now also officially supported.
However, this plug&play support required starting the USB hotplug services by
default, which slows down the bootup by about 5-10 seconds if some devices are
connected to the USB bus.
- Installed the screen utility.
- Installed the CIPE tunneling package, but currently without the respective
kernel modules. PLEASE DO NOT USE THIS if you do not absolutely need to (e.g.
because some tunnel gateway only supports CIPE and you really have to
communicate with it). CIPE, as well as vtun (also included) or tinc (not
included), are to be considered unsafe! For reference,
http://www.mail-archive.com/cryptography%40metzdowd.com/msg00891.html
is an excellent read. For any serious tunneling, IPSec should be used.
- Installed Zorp, a modular proxy suite. The next major Gibraltar release
will also include the transparent proxy kernel patch for Zorp.
- Installed the vserver package for managing virtual servers (can be used for
sandboxing daemons). Unfortunately, the necessary kernel patch had to be
delayed until the next release because it caused incompatibilities with
other patches. Thus, vserver will only be useful starting with the next
Gibraltar release.
Version 0.99.8, published 2003-10-05
This is a major update with some new features, but mostly default
configuration updates.
- Updated to kernel 2.4.22, which again fixes some security issues and has
some new features too: it already has the crypto patch and Alcatel USB
speedtouch support (thus the Gibraltar-specific patches for these two
features are no longer needed). The netfilter code has been updated to
2.4.23-preX, because it has some optimizations for ICMP floods, and the
patch for tuning connection tracking parameters is back in. The MPPE
encryption patch has been updated for ppp 2.4.2. Additionally, the WRR
patch for better bandwidth shaping is now included (thanks to Jonas
Smedegaard for the suggestion). The random-PID patch is again included
(as in the last Gibraltar kernel) and has been tested more thoroughly to
not break any application. Freeswan IPSec support is now up to version
2.01, but unfortunately without the NAT traversal support, as it still
does not apply cleanly to the freeswan 2.01 source. NAT traversal will
again be available in the next release.
Changed kernel compilation options: ACPI support is now always compiled in,
but the kernel will disable it if the BIOS support is too old or buggy.
HIGHMEM support is now also available, so up to 4GB of RAM can be used for
storing large connection tracking tables (many thanks to Corey Satten for
this hint!).
- Updated gzip to fix the insecure temporary files handling.
- Updated openssl and libssl to circumvent a timing attack by enabling RSA
blinding and to fix a more recently discovered ASN.1 parsing bug.
- Replaced the old-style syslogd by syslog-ng, which has more features for
filtering log entries and better support for remote logging (e.g. via TCP).
- Updated heartbeat to 1.0.3.
- Installed clamav. Thanks to Andreas Wöckl for the hint.
- Installed libmysqlclient and libpgsql to enable MySQL and Postgresql
database access.
- Updated snort to version 2.0, which is supposedly faster by some orders of
magnitude. snort is now compiled with MySQL and Postgresql support so that
logging to remote databases can be used.
- Check if a floppy drive is in the system before trying to use it for
loading and saving config.
- Ship postfix with a better default configuration.
- Removed portsentry, which is not used anyway on most firewalls (most will
simply block unwanted traffic so that portsentry will not even notice port
scans).
- Use amavisd-new instead of amavis for integrating anti-virus scanning
engines with the postfix mail relay.
- Updated snort to version 2.0.1.
- Updated pppd to version 2.4.2 with support for PPPoATM and PPPoE. This
_should_ allow PPPoATM with an Alcatel USB Speedtouch ADSL modem without
any further patches. Additionally, 2.4.2 finally includes MPPE support
natively, so the Gibraltar-specific patch is no longer needed.
- Updated iptables to version 1.2.8 and iproute for the new kernel.
- Updated nmap to version 3.27 (with better IPv6 support).
- Installed pop3vscan for an anti-virus scanning POP3 relay.
- Installed quagga, which is actively maintained, instead of zebra.
- Installed whois and tethereal for network debugging.
- Installed wvdial as an alternative to diald.
- Installed ebtables.
- Updated PAM to version 0.76 and installed the SMB, radius, mysql and
postgresql authentication modules.
- Installed the Atmel WLAN kernel driver and userspace programs.
- Updated the WLAN hostap driver to version 0.0.3.
- Start the ntp daemon by default to synchronize the local time with a number
of time servers.
- Added a "status" option to most of the /etc/init.d scripts, also for
helping the web interface in figuring out the status of daemons.
- Severely cut down on the squid configuration size by removing comments (the
template file is available under /usr/share/doc/squid) and only putting
options in it that are typically useful on a firewall.
- During automatic configuration of IP addresses for detected network cards,
the configuration is now also written to /etc/network/interfaces. This
serves as an example and allows easy modifications.
Version 0.99.7a, published 2003-04-28
This is a quick bug-fix release to fix the security issue in glibc.
- Updated the glibc package to the version from security.debian.org.
- Recompiled a number of packages with the updated library (e.g. freeswan,
postfix, iproute, iptables, libldap2, libapache-mod-ssl and a few more).
- Updated the pptpd package to fix another remotely exploitable buffer
overflow. If you use pptpd, then please update as soon as possible!
- Installed ipvsadm.
- Upgraded the heartbeat packages to a current version (1.0.2), which
includes a fix for usage in Gibraltar - now a heartbeat instance can
correctly perform its replay-attack-checks even with read-only /usr trees
(which did not work in earlier versions). Thanks to Markus Oswald for
reporting the problem and getting the upstream maintainers to fix it :-)
- Tweaked syslog.conf and logrotate.conf so that log files take less space on
the /var RAM disk. Expect more tweaks and even better defaults for the next
versions.
- Added a new "usb" target to the save-config script which tries to save
configuration to USB mass storage devices. The "source" target, which saves
to where the configuration was loaded from and is the new default target
since version 0.99.7, now tries "usb" and "floppy" targets if the source
location is not available (e.g. on first boot into unconfigured mode).
- Reworked the USB mass storage device detection routine. It should now work
faster and more reliably.
- There is one important and user-visible change in this release: enabling
services is no longer done in /etc/runlevel.conf (which enables all services
by default now), but in /etc/gibraltar/services.conf. This switch will
confuse some long-time Gibraltar users, but definitely makes it easier for
new users. /etc/runlevel.conf no longer needs to be touched, leaving out
the details of start levels etc.
Version 0.99.7, published 2003-04-15
This is a feature and bug-fix release at the same time. Due to fixing the
kernel security issue (information leak), it is recommended to upgrade as
soon as possible.
- Recompiled the kernel with many patches, now fixing the recently discovered
information leak in multiple Ethernet card modules (see
http://www.kb.cert.org/vuls/id/412115) and the ptrace vulnerability (see
http://marc.theaimsgroup.com/?l=linux-kernel&m=104791735604202&w=2).
The new kernel is also patched with newer wireless extensions for better
WLAN access point functionality. It also uses a few options of the
GRSecurity patch, namely the IP-ID randomization to make it impossible to
count the number of hosts behind a NAT gateway from the outside (see
http://www.research.att.com/~smb/papers/fnat.pdf for details).
Fixes bug #114
Fixes bug #111
- Implemented another, very useful option for saving configuration: USB
storage devices. This enables the use of those nifty USB sticks, which I am
currently using to almost completely replace floppy disks. The current
search order for existing configuration is the following:
  - floppy disks
  - USB mass storage devices
  - all harddisk partitions
If nothing is found at first try, Gibraltar (in the default boot
procedure, i.e. without the options "fastboot" or "defaultconfig") will
wait 5 times for a floppy disk to be inserted or a USB mass storage
device to be connected.
- Gibraltar now uses the new isolinux mode offered by the syslinux boot
loader when booting from CD-ROM (the boot floppy images still use the
normal method). This allows the use of larger initrd images because the whole
boot image is no longer restricted to 2.88 MB.
- Updated the freeswan package, now enabling NAT traversal support for IPSec.
Fixes bug #105
- Updated the iproute package to fully support the HTB queuing discipline.
Fixes bug #106
- Removed the linux-wlan-ng WLAN modules and support package because the
hostap modules now seem stable enough for general use, are more powerful
than linux-wlan-ng (you can create a WLAN access point) and use the
standard kernel interfaces and user-space tools instead of own ones.
- Installed the l2tpd package to enable Layer 2 Tunnelling Protocol support.
- Added some default rules for logcheck so that fewer messages are sent to the
administrator.
- Use a newer version of libkudzu and update the PCI device database. This
should allow Gibraltar to detect newer devices and also fix some older
detection problems.
- Updated the cvs package to fix the recently discovered security issue.
- Updated the dhcp3 packages to also fix another security issue (hopefully
the last one for dhcp).
- Updated the openssl package, also to fix a security issue.
- Updated the apache packages to fix a security issue. Re-installed the
mod_ssl module for apache, now with complete IPv6 support.
- Updated openssh to a new version with some new features (most notably
privilege separation).
- Installed more packages for complete LDAP support: authenticating users
against an LDAP server is now possible in PAM and apache. An NSS LDAP module
is now also installed. Additionally, installed LDAP command line tools to
query servers. The libldap2 library has also been recompiled with TLS
support.
- Updated webalizer, now also with IPv6 support.
Fixes bug #107
- Fixed the postfix permissions.
Fixes bug #109
- More logcheck rules updates.
Fixes bug #108
Version 0.99.6a, published 2003-01-22
This is a quick bugfix-release because of the recently discovered dhcp3
server problem, which is security relevant. It is therefore recommended
to upgrade immediately.
- Updated dhcp3, libldap2 and CUPS libraries because of security issues.
- Updated ntop to fix the libpng problem - creating graphs should now work.
(This also required a complete recompile of libpng3 and libgd2 to make it
work.)
Fixes bug #101
- Updated shorewall to a version that is a lot faster.
- Removed the following packages due to cleanup of old stuff that is no
longer needed or is superseded by newer / better alternatives. This is
part of the cleanup for Gibraltar version 1.0:
  libxaw6, ldso, make, mysql-common, atftp, update
- Disabled some cron scripts that are not needed when the respective services
do not run. This is also part of the cleanup to make Gibraltar boot
blazingly fast and be lean but powerful afterwards :)
  snort, aris-extractor, man-db, calendar
They can easily be re-enabled by setting their execution bit (chmod +x).
Other scripts are still enabled and will be run by cron, but are well-
behaved in the sense that they don't do anything when the service they
belong to is not active.
Fixes bug #96
- Disabled the portsentry ip-up.d and ip-down.d scripts (also chmod -x).
- Added an alias for the non-existent 3c90x module to point to 3c59x, now
hopefully fixing the long-standing bug that some 3COM network cards were
not correctly auto-detected.
Fixes bug #97
- Created /var/cache/diald
Fixes bug #99
- Made the default configuration for spamassassin (in
/etc/default/spamassassin) a bit more robust in terms of resource usage.
Now at most 10 processes are started, which should prevent spamassassin
from bringing the system down. When you have a high volume of emails and
enough memory, it is recommended to increase this limit. With the current
setting, the emails are just delayed if more than 10 processes would be
required.
- Wrote a small auto-detection routine for PCMCIA controllers (which at
least works on my development notebook) and thus enabled PCMCIA support
by default. If there is a PCI-based PCMCIA controller in your system, it
should now be detected and activated automatically. If there is no
controller in your system, this should not change anything.
Version 0.99.6, published 2003-01-11
This is mainly a bugfix release to fix the problems with automatic
configuration update in version 0.99.5. The main change is to increase the
default value for the maximum /etc ramdisk size to allow the update to
finish. Additionally, a few more sanity and validity checks are done in
the maintenance scripts.
- Update the kernel to version 2.4.20, which fixes the local denial
of service bug which was discovered a few weeks ago. Since no normal user
accounts should exist on a Gibraltar firewall, this bug was not critical
for Gibraltar.
The new kernel also contains the bridge-nf patch, which allows building a
completely transparent (and possibly invisible) firewall by applying
bridging while also filtering packets via netfilter.
This kernel also includes support for H.323 connections over NAT.
- Update all packages that have changed in the Debian "stable" tree,
including security updates: apache, heartbeat, j2re1.3, linux-wlan-ng.
Due to the newly available j2re1.3 package, it is no longer necessary to
have the complete Java 2 SDK installed, making the CDROM image about 19 MB
smaller.
- Installed sanitizer, spamassassin and razor to allow for efficient
anti-SPAM operation of the mail relay (postfix). A default configuration
on how to use these powerful features is enabled in postfix.
- Installed iptstate and dnsmasq.
Fixes bug #86
- Installed ntop.
- Installed the sharutils package (which includes uuencode).
- Installed the dhcp3 packages instead of the older versions. Now they
should be more stable and have more features. One notable feature is
that the dhcp server and the dhcp relay no longer conflict and are
therefore now both available.
Fixes bug #85
- Updated apache to make it work again (problem with libdb2 linking). This
update also introduces apache IPv6 support again.
Also fixes bug #93
- Updated iptables, shorewall, transproxy, freeswan and linux-wlan-ng to
newest versions.
- Modified logcheck to create /var/tmp/logcheck if it doesn't exist.
Really fixes bug #90 (prior #70) and #92
- Fixed the following bugs from the Gibraltar bug tracking system:
#87 (Create /var/cache/ddclient)
#94 (Missing entries in /etc/modutils/aliases)
Version 0.99.5, published 2002-09-30
This release updates Gibraltar to the final, released Debian 3.0 base
packages. It contains some new functionality (e.g. full wireless LAN
support) and also fixes some bugs.
- Update all packages that have changed in Debian since 0.99.4. The source
for synchronization with Debian is now again the "stable" tree in contrast
to "testing" which had to be used for recent releases. This means that the
core packages won't need to be updated frequently (only for security
fixes).
- Provide full support for wireless LANs (802.11b): Gibraltar provides all
three possible modes:
  1. Acting as an access point using the included hostap driver (for the
     Prism2/2.5/3 chipsets).
  2. Acting as a client to any access point (using the standard Linux
     kernel drivers).
  3. Using ad-hoc mode for peer to peer networking without access points.
- Installed the following new packages:
  6tunnel (for IPv4/IPv6 translation)
  amavis-postfix (preparation for integrating a virus scanner with the
  mail relay)
  ddclient (for updating dynamic DNS services)
  grub
  gshield (an alternative, strict and configurable firewall script)
  hdparm
  kismet (a wireless network sniffer)
  mtools
  ndiff (report nmap scan differences)
  ntpd (for actively synchronizing the clock)
  nwatch (a passive port scanner)
  privoxy (a privacy enhancing proxy, the successor of junkbuster)
  vlan
- Updated the following important packages explicitly:
  apache (security fixes)
  freeswan (better IPSec road warrior support)
  postfix (now standard Debian version, Gibraltar specific patches are no
  longer needed)
  ssh (security fixes, privilege separation)
  tomcat
- Made the boot process a bit quieter - some uninteresting messages are no
longer printed (but there are still too many left).
- The login message now tells about the key mapping and how it can be
switched to an English one.
- Removed discover from the default runlevel.rc, it just slowed the boot
process down. Now, due to the changed boot process, runlevel S can be
completely customized; therefore it is easy to reactivate it in
/etc/runlevel.conf.
- pcmcia support is now also disabled by default.
- The SSH daemon now only accepts protocol 2 in the default configuration,
because protocol 1 has some (although currently mostly theoretical) flaws.
- save-config via scp should now work correctly: the spurious /tmp/etc.gz
file is no longer created and /tmp/etc.tgz is removed after transfer.
- Allow automatic call of save-config to be disabled via
/etc/gibraltar_config
- Made make-var-ramdisk more robust: when a /var filesystem is mounted,
but not correctly populated with subdirs, then do that automatically.
Therefore it is no longer necessary to do this manually at all - just
specify the filesystem to use in /etc/fstab, (format it), reboot and
everything will be all right.
- Unmount the initrd image at a later time during bootup (this should
actually make it work...). Therefore the initial RAM disk is freed and
more RAM space is left after bootup.
- Made linuxrc in mkinitrd-cd capable of booting from a UML hostfs
filesystem (allowing booting inside UML while accessing files on the host
system).
- Added a script for automatically creating an X.509 certificate for IPSec
during the first bootup (in "unconfigured" mode).
- Use an updated PCI device list, therefore the 3COM network cards should
now be detected correctly.
- Fixed the following bugs from the Gibraltar bug tracking system:
  #60 (iptraf directories were missing from /var)
  #70 (/var/tmp/logcheck was missing)
  #71 (/var/lib/dhcp was missing)
  #76 (supervise now uses the directory /etc/svcan; therefore new services
  like tinydns can easily be configured)
Version 0.99.4, published 2002-04-18
This is a bugfix and minor feature release. It mostly makes some
maintenance stuff (/tmp handling, etc save and restore) more robust.
- Changed save-etc so that it does not stop running services anymore.
Instead, it now checks for changed files after saving.
- Made save-config more robust (to not fail when /tmp is not mountable).
- Added support for the automatic creation of a ramdisk for /tmp.
- Made the init procedure in runlevel S modifiable by starting init
after prepareroot has been called. This is now possible because pivot_root
is called and therefore linuxrc has control over how init is called (and
what is done before init is called).
- Made the automatic ramdisk creation for /var a bit more robust. Now a
ramdisk is also created if there is an entry in /etc/fstab for mounting
/var, but the mounting did not work.
- Due to these changes, some script locations have changed:
  prepareroot is now under /sbin
  make-var-ramdisk is now called mountvar and is in /system/etc-static/init.d
- Changed the name of the created RSA host key for the ssh daemon to match
the new default values.
- Added the SuSE FTP proxy suite as an alternative to frox (they have a
different feature list).
- Added the ettercap sniffer tools for network diagnosis purposes.
- Updated various system tools and libraries.
- Updated ssh (to 3.0.2p1).
- Installed rsync (e.g. for mirroring DNS zone files for tinydns).
- Installed wavemon.
- Installed the Java development kit 1.3 in preparation for the upcoming
web administration interface.
- Installed aris extractor for reporting security incidents to CERT. It is
disabled by default, so you need to enable it if you want to use it.
- Installed idswakeup for testing network security.
- Installed the shorewall firewalling script because of user requests.
Version 0.99.3a, published 2002-01-16
This is a quick bugfix-release.
- Re-added the /usr/local/bin link for custom additions.
- Fixed automatic loading of the IPSec kernel module on IPSec startup.
Version 0.99.3, published 2002-01-08
This is mainly a feature-release with the newly added SOCKS and DNS servers,
support for the ext3 filesystem and updates of major system software
packages. A bugfix-release will follow this one, correcting already reported
bugs. I just wanted to get this one out of the door so that people can use
the new features.
It is also the first release (and maybe the first firewall at all) that
supports native IPv6-only networks.
- Updated kernel to 2.4.16, including all the usual patches and XFS and ext3
filesystem support. The next Gibraltar kernel will include the new HTB
qdisc for traffic shaping (which is a lot easier to use than the commonly
used CBQ qdisc). Gibraltar can be used as a full traffic shaper, for both
outgoing and incoming traffic.
- Reverted the change of installing syslinux with the "safe, slow and stupid"
option because it resulted in very slow bootup on some systems. Therefore,
some old and buggy hardware might not work with this release, but I think
this is justified by the other 99% of the systems that can now boot a lot
faster.
- Re-installed squidguard for filtering requests that run over the proxy.
Also installed chastity-list, a protection list for schools and other
public places (only optional!).
- Installed urlredir for Squid redirection (so that squid can easily act as
a frontend for an internal WWW server, protecting it from direct accesses).
- Installed tinyproxy, a very small HTTP proxy that can also remove HTTP
headers (and thus be used for anonymizing).
- Installed httpf, a web filtering engine that only allows those HTML tags
that have been specifically configured. Therefore it can be used for
securing web access by filtering out possibly dangerous HTML tags (such
as active content).
- Installed dante, a SOCKS v4 and v5 proxy server to enable SOCKS support on
Gibraltar.
- Installed frox, a transparent FTP proxy.
- Installed cryptcat, dhcping and nbtscan for debugging network problems.
- Installed scanssh for collecting ssh public keys from ssh servers. This
can be used to save a "known good" state of ssh public keys and therefore
defeat man-in-the-middle attacks when accessing other ssh servers.
- Installed the full djbdns suite instead of dnscache only. Therefore
Gibraltar can now act as a DNS server for the local network, although with
limited functionality (no DNSSec, dynamic DNS, ...). But it might be enough
for local reverse lookup; a full-featured DNS server should not run on a
firewall anyway. The suite has been patched for IPv6 support, so that
native IPv6 DNS lookups become possible. Therefore Gibraltar might well be
the first firewall fully supporting IPv6 for building native IPv6-only
networks without the need for IPv4.
- Installed binutils so that the strings command is available.
- Updated logcheck, freeswan (to 1.92), squid (to 2.4.3),
apache (to 1.3.22 with IPv6 support), ssh (currently only 3.0.1p1, but a
secured version without the bug) and ulogd to newer versions.
- Deactivated automatic starting of hotplug by default, since a firewall
should normally not use any USB devices. The hotplug support is still
there in case you need USB devices such as the ADSL modem used by the
Austrian telecom.
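One way to act on the "known good" snapshot the scanssh entry above has in mind, as an added example that is neither Gibraltar's nor scanssh's code: parse two sets of host-key lines in the `host keytype base64-key` layout of known_hosts and ssh-keyscan output (an assumption about the input format; the key blobs below are constructed placeholders, not real keys), diff the fresh scan against the snapshot, and report changed keys in the same `SHA256:` fingerprint form ssh prints. It also flags one key presented by several hosts, which is what a batch of firewalls still running a stock, unconfigured host key looks like.

```python
"""Added example, not part of Gibraltar or of scanssh: record a 'known good'
snapshot of ssh host keys and compare a later scan against it. Lines use the
known_hosts / ssh-keyscan layout ('host keytype base64-key'); the key blobs
below are constructed placeholders so the script runs offline."""
import base64
import hashlib


def parse_keys(text):
    """Return {(host, keytype): base64-blob}; comments and blank lines skipped."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            host, keytype, blob = line.split()[:3]
            keys[(host, keytype)] = blob
    return keys


def fingerprint(blob):
    """OpenSSH-style 'SHA256:...' fingerprint of a base64 key blob, so a
    changed key can be quoted to an operator in the form ssh itself prints."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def compare(baseline_text, scan_text):
    """Diff a fresh scan against the snapshot. 'changed' is the signal that a
    man in the middle (or a silent reinstall) sits on the path; 'shared'
    flags one key presented by several hosts, which is what machines still
    running a stock, unconfigured host key look like."""
    base, scan = parse_keys(baseline_text), parse_keys(scan_text)
    report = {"changed": [], "new": [], "missing": [], "shared": []}
    for ident, blob in scan.items():
        if ident not in base:
            report["new"].append(ident)
        elif base[ident] != blob:
            report["changed"].append((ident, fingerprint(base[ident]), fingerprint(blob)))
    report["missing"] = [ident for ident in base if ident not in scan]
    hosts_by_key = {}
    for (host, keytype), blob in scan.items():
        hosts_by_key.setdefault((keytype, blob), []).append(host)
    report["shared"] = [sorted(h) for h in hosts_by_key.values() if len(h) > 1]
    return report


def _fake_blob(label):
    """Constructed placeholder standing in for a real public key blob."""
    return base64.b64encode(label.encode()).decode()


BASELINE = "\n".join([
    "# known-good snapshot taken when the hosts were set up (constructed)",
    f"fw1.example.net ssh-rsa {_fake_blob('fw1-key')}",
    f"fw2.example.net ssh-rsa {_fake_blob('fw2-key')}",
    f"old.example.net ssh-rsa {_fake_blob('old-key')}",
])
SCAN = "\n".join([
    f"fw1.example.net ssh-rsa {_fake_blob('fw1-key')}",        # unchanged
    f"fw2.example.net ssh-rsa {_fake_blob('someone-else')}",   # changed: investigate
    f"fw3.example.net ssh-rsa {_fake_blob('stock-key')}",      # new host, and ...
    f"fw4.example.net ssh-rsa {_fake_blob('stock-key')}",      # ... shares its key with fw3
])


def demo():
    """Compare the constructed scan against the constructed snapshot."""
    return compare(BASELINE, SCAN)


if __name__ == "__main__":
    for kind, entries in demo().items():
        for entry in entries:
            print(kind, entry)
```

A "changed" entry must be treated as a possible attack until the host's administrator has confirmed a reinstall or key rotation out of band; a "shared" entry means those hosts still need their own keys generated, as the 0.98pre entry below arranges for unconfigured boots.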
Version 0.99.2, published 2001-11-19
This is primarily a bug-fix release, but it also includes some new features
and software packages.
- Updated kernel to 2.4.13, this time including all the usual stuff (MPPE
encryption for PPTP, IPSec support, TTL match, IRC connection tracking,
ULOG target) and XFS support.
- Updated some packages: system libraries, squid, isdnutils and openssh.
- Installed ethtool for configuring network cards.
- Installed pppoeconf for configuring PPP over ethernet.
- Installed freenet6 for building IPv6 over IPv4 tunnels to the world-wide
IPv6 test network "6bone" easily.
- Installed ipac-ng for IP accounting.
- Installed tomcat including the necessary packages (JRE 1.1.8, jikes).
- Updated postfix, now with IPv6 and SSL/TLS support.
- Re-added the perl base64 module to support the uw-setup script written by
Corey Satten.
- Added the netfilter-init package, which can construct iptables filter
rules from a set of configuration files. If you do not like this, you can
simply continue to use your existing iptables scripts. But I can only
recommend having a look at it because it makes things a lot easier.
- Fixed a cosmetic bug in save-config: after formatting and
creating a config disk, the correct message is displayed.
- SAVE_AUTOFORMAT is no longer case sensitive.
- Now an empty disk is not reformatted, it is simply used.
- save-config now accepts parameters "--target" and "--to".
This is a new feature for everybody who saves the configuration data not
only to the default location in /etc/gibraltar_config, but also to some
other place whenever big changes are done. I am always doing this (in case
the floppy disk gets corrupted, the hard disk crashes or anything other
happens to the firewall, I still have my configuration saved on another
host).
- save-config will not unmount a harddisk partition anymore if that partition
is to be used as a target (it is simply used on its current mount point
instead of being unmounted and remounted somewhere else, leaving the old
mount point invalid).
- During converting a configuration from the old to the new format, the
RAM disk is now created without a size limit so that the conversion has
enough free space to complete successfully.
Version 0.99.1, published 2001-09-24
This is an experimental release, please use with care. The whole Debian base
of this release has been updated from the current Debian stable (version 2.2)
to the current Debian testing (future version 3.0) release. This affects
many system libraries and base system programs, so some things may break in
this release.
Please note the change in the version numbering scheme. As the number of
Gibraltar releases increased steadily, I am now using a three-level version
numbering with the same system the Linux kernel is using. This means that
the first number denotes the major version, it will be increased if there
are major new features (such as support for stateful firewalling) or
incompatibilities with older releases. The second number denotes the minor
version, indicating minor new features that are compatible with older
releases (updating is possible without manual intervention). The third
number denotes the release and will be increased for bug fixes, patches,
changed default configurations or other minor changes that do not qualify
as new features. Furthermore, stable releases always have an even second
number, unstable / development releases have an odd second number (therefore
this is 0.99.1, i.e. a development release).
- This release introduces resizable ramdisks for /etc and /var. No need to
change their size anymore, they will grow (and shrink) automatically. But
the maximum sizes can be changed in /etc/gibraltar_config (these settings
are activated at boot-time, but can also be applied by remounting the
filesystems).
- The format of the save configuration data has changed - now simple tar.gz
files are used. Old configuration data is automatically converted to the
new format on the first reboot with this new release.
- Searching for configuration data is now a bit more powerful - Gibraltar
now also searches for configuration disks in all available floppy drives,
not only the first one.
Still todo: loading configuration data from a TFTP server. I want to
implement this suggested feature, but this release should go out of the
door first....
- Saving configuration data with the command 'save-config' is now possible
to various targets: floppy, harddisk partition and remote host via scp.
This is configurable via /etc/gibraltar_config
- And yes: the long-standing, long irritating man bug is now fixed due to
this upgrade. The 'man' command now works without any problems.
- This should also fix the bug that ifup crashes with more than 4 interfaces
listed in /etc/network/interfaces.
- Cleanup: Removed squidguard, because it did not work very well anyways.
I may add it again if it works better.
- The boot image loader (syslinux) is now written with the "safe" option,
making booting from floppy slower but maybe enabling more machines to boot
Gibraltar from CD-ROM.
- Removed some packages that are unneeded with kernel 2.4.x: ipfwadm,
ipautofw
- Other cleanups, removed now unneeded system libraries.
- Updated the kernel to 2.4.9, including the MPPE patches with the
compression fix (the reported problems with MPPE and compression should
now be gone). This kernel is heavily patched, including support for IPSec
(freeswan), MPPE, IRC masquerading, TTL and ULOG targets for netfilter and
LIDS. Handle with care...... :-)
- The new kernel has been compiled with token ring drivers. Please try it
out and tell me if it works (I don't have any token ring equipment to try
it on).
- Installed (generating semi-random packets for network tests).
- Installed fwanalog for creating nice firewall logs viewable with a web
browser.
- Installed ipfm (traffic monitoring tool).
- Installed nemesis (packet creating suite).
- Installed the mii-diag package for configuring network cards.
- Installed lynx-ssl and tftp so that Gibraltar can get some files via HTTP
or TFTP.
- Installed dhcp-client (the DHCP client from ISC) as an alternative to the
already installed pump. Some people reported problems with pump and
various ADSL providers. Please try it again with this DHCP client.
- Installed telnet-ssl instead of telnet so that telnet via SSL can be used
(from the client side, the telnet-ssl server is not installed).
- Installed ulogd for logging firewall packets.
- Installed lidsadm as preparation for the upcoming LIDS support.
- Installed snmpd, but disabled.
- Updated the ppp package to version 2.4.1 (including the MPPE patches).
- Updated the freeswan package, now including support for X509 certification
authorities and opportunistic encryption via secure DNS.
Version 0.98c, published 2001-05-06, 23:00
- Updated squid to version 2.4.1 because the old version had some problems
with the available number of swap files (documented in the squid FAQ).
- Updated the man-db package from Debian proposed-updates
- Some small fixes in the init scripts:
- Made the check for open files on /etc before saving the config floppy
faster.
- Made the timeout and the number of tries for searching a configuration
disk (for saving) configurable.
Version 0.98b, not published officially
- Updated to kernel 2.4.3. It should include support for MPPE encryption
(for PPTP client and server) again, although this has not been tested.
- Now Gibraltar searches on all known harddisk partitions for configuration
data. Therefore floppyless usage is now possible.
The save-config script will be adapted to be able to save to the harddisk
partition too, but at the moment this has to be done manually (by mounting
the partition to /mnt and calling "save-etc /etc /mnt/etc.gz").
- Installed syslinux so that a bootsector can be written to a harddisk
partition if booting from the CD-ROM does not work and a boot disk is
undesirable.
- Updated freeswan (the IPSec implementation) to version 1.9. Now the kernel
part and the key management daemon are in sync again (the kernel part was
taken from freeswan snapshot versions until now because freeswan 1.8 did
not work with kernel 2.4.x).
Version 0.98a3, not published officially
- Updated to kernel 2.4.2 because the ipsec support in 2.4.1 was broken.
Version 0.98a2, not published officially
- Installed php4 in preparation of the upcoming Gibraltar web administration
interface, currently being written by ViaNova.
Version 0.98a, not published officially
- Installed nmap and iptraf packages.
- Updated the ssh package.
- Updated the sudo package from the Debian security archives.
- Installed webalizer for squid log parsing.
- Installed apache 1.3.14 with IPv6 support.
Version 0.98, published 2001-02-16
- Updated to kernel 2.4.1, which now includes reiserfs upstream (no patching
necessary for the Gibraltar kernel). This kernel has been compiled with
freeswan (IPSec) support and the kerneli patches applied.
Support for MPPE encryption (used for encryption of data transmitted in a
PPTP tunnel) is gone now, because I could not find a working patch for the
2.4.x kernels and I am not familiar enough with this code to do it myself.
Thus ppp now works again (it did not work with 0.98pre versions), but MPPE
encryption will not.
- Updated the ssh package (only minor packaging bugs fixed, the upstream
version is still the same). This version is not vulnerable to the bugs
recently posted on BugTraq.
- Updated the logcheck package.
- Updated the freeswan package.
- Updated the postfix package, now with support for IPv6 and SSL encryption.
It can be set up so that SMTP connections to other mail servers supporting
SSL (such as all new versions of sendmail) are automatically encrypted.
- Installed updates from Debian security and proposed updates archives:
man-db, libc, squid, cron, tcpdump, mc
Version 0.98pre2, published 2001-01-24, 21:00 GMT+1
This releases fixes the bug that made 0.98pre unbootable on IDE CD-ROM
drives.
Version 0.98pre, published 2001-01-23, 23:45 GMT+1
This is the first pre-release including kernel 2.4.0, therefore the first
release with real stateful firewalling support. Please do not use it to
replace your already running Gibraltar version for production uses. Try it
first and if it works for you, use it. This should be very easy with
Gibraltar in general: if you don't like a version, just put the old CD-ROM
back in, reboot and you are up and running again.
WARNING: pptp support is broken in this release. I hope to get it fixed
really soon (it seems to be a kernel problem), but do not use this release
if you need a running pptp support !
- Included kernel 2.4.0 with freeswan and mppe patches.
The kernel 2.4.0 also has been patched with the international kernel
patch, so all crypto modules are there and can be used (e.g. for loopback
device encryption, but I have not tried it).
- Removed spf package (not needed anymore, because we now have kernel
support for this).
- Updated ssh package to version 2.3.0p1. Now we have full ssh protocol
version 2 and IPv6 support in ssh.
- ssh host keys are now automatically generated when the firewall boots in
unconfigured mode. This was a security hole if the administrator did not
create their own host keys (all installations shared the same keys).
- Updated iptables package, now featuring IPv6 firewalling support.
- Updated reiserfsprogs package, the old mkreiserfs did not work anymore
with newer kernels.
- Updated modutils package so that kernel 2.4.0 module paths are recognized.
- Switched /etc/init.d/save-etc-disk and /sbin/save-config. Previously,
/etc/init.d/save-etc-disk was the real script and /sbin/save-config was a
link to it, but this caused problems when /etc/init.d has been copied to
the /etc ramdisk. Now it is the other way around, with
/etc/init.d/save-etc-disk being a link to /sbin/save-config. This should
work in any case.
- Got rid of the "gibraltar kernel: kmod: failed to exec /sbin/modprobe -s
-k nls_cp437, errno = 2" error message during bootup.
- Fixed a small bug in the update-config script.
- Updated pptpd, postfix, gnupg and vtun packages.
- Patched and recompiled ppp daemon 2.4.0 for use with mppe encryption.
- Removed the fwctl package since it is only for ipchains and has no
iptables support (yet).
- Updated the kudzu hardware detection library from RedHat.
Version 0.91b, not published (internal testing release)
This is also a minor bugfix release.
- Included the TUN/TAP kernel module so that the vtun package should
actually work.
- Updated freeswan to version 1.8
- Included the pcmcia kernel modules again (they have been left out
unintentionally).
Version 0.91a, published 2000-11-29, 20:00 GMT+1
This is a minor bugfix release that includes an updated ed (the older one
had a security hole) and fixes a problem with the default configuration
(/etc/terminfo should be a link, but wasn't).
- Included the vtun package due to a user request (version from woody).
Version 0.91, published 2000-11-27, 22:00 GMT+1
This is a bugfix release that also has a few new features. It should be the
last major release (bugfix-only releases might still happen if there are
security-relevant or otherwise grave bugs) based on kernel 2.2.x.
- Based on kernel 2.2.17, which fixes a few security-relevant bugs.
- Updated all packages for which there were proposed updates for the current
stable Debian distribution (potato).
- Updated some package from the current unstable Debian distribution (woody)
which have new features.
- Installed the heartbeat package for fail-over capability. The package has
only been installed but I did not play with it. Therefore there is no
sensible default configuration at the moment. Please play with it and tell
me if it works at all.
- Added IPSec support: There is now a current freeswan package including the
x509 patches installed and kernel support is also present. It should work,
please tell me if you have problems. Due to the x509 patches, it should be
interoperable with Windows 2000 and PGPNet clients.
- Added script-hooks in the bootup-script. Now it should be possible to
create special master / maintenance disks that contain scripts for
special purposes (e.g. manipulating the config file during bootup,
preparing the config disk media before loading the configuration image
from it, ...)
- Got rid of the message "modprobe: Can't locate module /dev/ttyS0" during
bootup.
- Do not calculate the module dependencies on bootup anymore. Since the
modules are on the CD-ROM, the dependency information will not change.
This means that Gibraltar boots faster, but also that you will have to
call "depmod -a" manually when you add modules.
- Set default for portsentry to not block anything, but only log hosts that
appear to be port-scanning. Some users reported that trusted hosts have
been blocked because portsentry was not configured properly. This can be
annoying, so the default is now that portsentry will not actively block
hosts. After properly configuring it, the behaviour should be changed.
- Corrected a bug in the save-etc script: under certain circumstances it
happened that during shutdown not all programs were killed. Therefore
save-etc asked if it should stop these programs (they have to be stopped
before saving the configuration image) and therefore halted the shutdown
process. Now save-etc will stop the processes automatically when it is
called during shutdown, thus not hindering the shutdown/reboot.
- Most of the files in the home directory of "root" are now links to
/etc/local/root. Therefore they can be changed and will be stored on the
configuration disks. One example are RSA public keys for SSH
authentication, which have to be stored in /root/.ssh (which is linked to
/etc/local/root/.ssh).
- /usr/local/bin and /usr/local/sbin are now linked to /etc/local/bin and
/etc/local/sbin, therefore the administrator can copy scripts to these
locations and call them in a standard way.
- The environment variable "EDITOR" is now set to "vi" by default.
- There is now a "fastboot" option which skips waiting for the config disk.
- There is also a first version of an update-config script that should be
able to automatically update your existing Gibraltar 0.90 configuration
disks with the new default values of Gibraltar versions >= 0.91. It
updates files that have not been modified by the administrator but have
changed in the default configuration. New files are created, old files
(that are no longer used and were not changed by the administrator) are
moved to a trash directory (/etc/deleted_files) for later deletion.
Additionally the new default configuration files are copied as
that the administrator can manually update his files.
As mentioned above, this is the first version of the update-config script.
Please tell me if it works for you. At the moment it is rather
conservative, which means that it does not change any files when it is not
perfectly sure that they can be overwritten without destroying something,
leaving more work for the administrator.
- A new version of the isdnutils has been installed, because this one was
split into different packages, of which those dependent on X-Windows
libraries have not been installed. Therefore the X-Windows libraries are
now gone.
- Some cleanups: Removed mime-construct and mimedecode because there are
better packages for this purpose. Removed the reportbug package (and all
python packages because only reportbug needed them), because ViaNova might
soon have an own bug tracking system for Gibraltar.
Version 0.90, published 2000-09-02, 2:00 GMT+1
It is mostly equal to release 0.90pre3, but with a few new packages
installed and prepared for seamless updates to the next major release.
During pre-releases, I will not put much effort in update procedures, but
the major releases (such as this one) should be updateable with no problems
(only putting in the new CD-ROM and config files should be updated
automatically upon the next reboot).
- On the default etc image, there are now the files etc-defaults.list and
etc-defaults.md5sums.
etc-defaults.list includes a list of all files distributed in the default
etc image, one per line with a few data added (link target, permissions,
file/group owner, ...).
etc-defaults.md5sums includes a list of MD5 checksums of all normal files
on the etc image so that changed files can be detected easily during an
update.
I am working on an update script that is able to update an existing config
disk with the new default values coming with the updated Gibraltar
release. Hopefully this will be ready for the next release, but it is a
must for the next major release.
- The system utilities stat, memstat and setcd are now included. setcd will
be used for handling the locking / unlocking of the CD-ROM tray as soon as
I can figure out how to do this for root filesystems. The other utilities
should help with debugging and the like.
- reportbug is included as a helper for reporting bugs on Debian packages
- mime-construct and mimedecode are included so that the firewall itself
will be able to send MIME formatted messages. I am currently planning to
write some scripts that send MIME messages to the administrator, so these
tools will be needed.
- raidtools2 is included, although the current kernel does not include
support for new-style RAID arrays yet. But since I am planning to use a
2.4.x kernel for the 1.0 release and am planning to patch the 2.2.16
kernel until 2.4.x is ready, I include it now. Maybe the next release will
include a kernel with new-style RAID support.
- fwctl is now included due to suggestions from users
- dnscache is reintroduced in this version because the last mail I got from
John White said that it should be ok to distribute dnscache the way I do
it with Gibraltar. If somebody with a good understanding of Dan
Bernstein's license could comment on the situation, then please let me
know.
- The script /etc/firewall-script.sh is now started *before* network
interfaces are brought up. This makes the system more secure, but note
that DNS lookups are not possible in this script. If you use
names for hosts listed in firewall rules, then you have to enter them into
/etc/hosts or it will not work.
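The update-config entry of 0.91 and the etc-defaults.md5sums entry of 0.90 above describe one mechanism: checksum manifests of the shipped defaults let an update tell the administrator's edits apart from untouched files. The following is an added example, not Gibraltar's own update-config script, showing that three-way decision as code. It assumes an md5sum-style manifest line format (`<hex>  <path>`), represents file trees as in-memory `{path: bytes}` dicts constructed inline, and uses its own action names; a real script would replace the dicts with walks over the CD image and the config disk.

```python
"""Added example; this is not Gibraltar's update-config script. It shows the
decision logic the 0.91 update-config entry and the 0.90 etc-defaults.md5sums
entry describe: compare checksum manifests of the old defaults, the new
defaults and the administrator's live configuration, and act only where that
is provably safe. File trees are {path: bytes} dicts constructed inline; the
action names are this example's own."""
import hashlib


def manifest(tree):
    """Render a tree as an md5sum(1)-style manifest: '<hex>  <path>' per line.
    MD5 is kept only because that is the manifest format the changelog names;
    it detects accidental edits, it does not authenticate anything."""
    return "".join(f"{hashlib.md5(data).hexdigest()}  {path}\n"
                   for path, data in sorted(tree.items()))


def parse_manifest(text):
    """Read a manifest back into {path: hexdigest}."""
    digests = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split("  ", 1)
            digests[path] = digest
    return digests


def plan_update(old_defaults, new_defaults, current):
    """Classify every path; arguments are {path: hexdigest} maps for the
    defaults of the running release, the defaults of the new release and the
    live configuration. Anything the administrator touched is left alone."""
    plan = {}
    for path in sorted(set(old_defaults) | set(new_defaults) | set(current)):
        old, new, cur = old_defaults.get(path), new_defaults.get(path), current.get(path)
        if old is None and new is not None:            # new in this release
            plan[path] = "create" if cur is None else "keep-admin+copy-new-aside"
        elif old is not None and new is None:          # dropped from the defaults
            if cur is None:
                plan[path] = "already-absent"
            else:
                plan[path] = "move-to-trash" if cur == old else "keep-admin"
        elif old is not None:                          # shipped by both releases
            if cur is None:
                plan[path] = "keep-deleted"            # admin removed it on purpose
            elif cur == old:
                plan[path] = "update" if new != old else "unchanged"
            else:
                plan[path] = "keep-admin" if new == old else "keep-admin+copy-new-aside"
        else:                                          # admin's own file
            plan[path] = "keep-admin"
    return plan


# Constructed sample trees covering each branch of the classification.
OLD_DEFAULTS = {
    "hosts": b"127.0.0.1 localhost\n",
    "sshd_config": b"Protocol 1\n",
    "ssh_config": b"Host *\n",
    "squid.conf": b"http_port 3128\n",
    "ipfwadm.conf": b"# legacy\n",
    "motd": b"Gibraltar\n",
}
NEW_DEFAULTS = {
    "hosts": b"127.0.0.1 localhost\n",
    "sshd_config": b"Protocol 2\n",
    "ssh_config": b"Host *\n",
    "squid.conf": b"http_port 3128\ncache_dir ufs /var/spool/squid 100 16 256\n",
    "motd": b"Gibraltar\n",
    "ipsec.conf": b"config setup\n",
}
CURRENT = {
    "hosts": b"127.0.0.1 localhost\n192.0.2.10 admin-ws\n",  # admin edited
    "sshd_config": b"Protocol 1\n",                          # untouched, default changed
    "ssh_config": b"Host *\n",                               # untouched, unchanged
    "squid.conf": b"http_port 8080\n",                       # edited, default changed too
    "ipfwadm.conf": b"# legacy\n",                           # untouched, no longer shipped
    "firewall-script.sh": b"#!/bin/sh\n",                    # admin's own file
}                                                            # motd: admin deleted it


def demo():
    """Round-trip through manifest text, as an update script reading
    etc-defaults.md5sums from the CD would, and return the plan."""
    return plan_update(parse_manifest(manifest(OLD_DEFAULTS)),
                       parse_manifest(manifest(NEW_DEFAULTS)),
                       parse_manifest(manifest(CURRENT)))


if __name__ == "__main__":
    for path, action in demo().items():
        print(f"{action:28} {path}")
```

The conservative branch is the one that matters: a file the administrator changed is never overwritten, even when the new default changed as well; the new default is only copied aside for a manual merge, which is the "more work for the administrator" trade-off the 0.91 entry accepts.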
Version 0.90pre3, published 2000-08-23, 23:00 GMT+1
There are some new features in this release:
- midnight commander is now included due to demand from users
- parted is also included so that partitions can be manipulated better
- superformat is included for better handling of floppy disks
- dhclient is now the default dhcp client instead of pump, because it has
support for calling scripts when the address changes (e.g. for applying
firewalling rules with the new address)
- a preliminary freeswan package is now also included - please try ipsec
and tell me if it works
- included the upsd package for handling clean shutdowns with UPS
- the Gibraltar-specific scripts are now in the binary package
'gibraltar-bootsupport'
- a major update of the netbase package (the version taken from the unstable
Debian tree has been installed)
- libsafe is now included to prevent common stack-overflow exploits
- ntpdate client is included for synchronizing the system clock with NTP
servers. However, I do not recommend to do this per cron script, because
somebody might perform a man-in-the-middle attack to set your firewall
system clock to bad values. It can be useful for setting the clock during
the initial setup.
- The firewall script is now started in runlevel S, earlier than before.
This makes the time where network interfaces are configured, but firewall
rules are not in place, shorter and thus the boot procedure a bit safer.
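Both the 0.90 note that /etc/firewall-script.sh now runs before the interfaces are up (so names in rules must come from /etc/hosts) and the runlevel S change above share a pitfall: a name that silently fails to resolve must not degrade into a rule with an empty or unintended address. The following is an added example, not one of Gibraltar's boot scripts: it resolves rule host names from a hosts(5)-style file only, never via DNS, refuses to emit a rule for an unlisted name, and prints the iptables commands instead of executing them so it can be inspected (and run without root). The sample hosts file is constructed inline; `HOSTS_FILE` can be pointed at the real /etc/hosts.

```sh
#!/bin/sh
# Added example, not part of Gibraltar's boot scripts: resolve the host names
# used in firewall rules from a hosts(5)-style file only, never via DNS, and
# refuse to build a rule for a name that is not listed. The sample hosts file
# is constructed here so the script runs stand-alone.

SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat >"$SAMPLE_HOSTS" <<'EOF'
# constructed sample of /etc/hosts
127.0.0.1    localhost
192.0.2.10   admin-ws.example.net admin-ws
192.0.2.25   mailrelay.example.net mailrelay   # internal relay
EOF
HOSTS_FILE=${HOSTS_FILE:-$SAMPLE_HOSTS}

# resolve_from_hosts NAME: print the address whose canonical name or alias
# equals NAME (first match wins, as the resolver does); exit 1 if none matches.
resolve_from_hosts() {
    awk -v n="$1" '
        { sub(/#.*/, "") }                     # drop comments
        NF < 2 { next }                        # blank or address-only lines
        { for (i = 2; i <= NF; i++)
              if ($i == n) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$HOSTS_FILE"
}

# allow_ssh_from NAME: print the iptables command admitting NAME to tcp/22.
# Unknown names return 1 and print nothing, so a forgotten /etc/hosts entry
# can never turn into a rule with an empty or unintended source address.
allow_ssh_from() {
    addr=$(resolve_from_hosts "$1") || {
        echo "firewall: '$1' not in $HOSTS_FILE (no DNS at this point), aborting" >&2
        return 1
    }
    printf 'iptables -A INPUT -p tcp -s %s --dport 22 -j ACCEPT\n' "$addr"
}

# build_ruleset: emit the rule set; stops at the first unknown name and
# returns 1, so check the status before applying anything, e.g.
#   build_ruleset >rules.sh && sh rules.sh
build_ruleset() {
    allow_ssh_from admin-ws &&
    allow_ssh_from mailrelay
}

if [ "${1:-}" = "--demo" ]; then
    build_ruleset
fi
```

Generating the rules into a file and applying them only after the generator succeeded keeps the fail-closed property: either every name resolved from the local file or no rule is loaded at all.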
Version 0.90pre2, published 2000-08-03, 21:00 GMT+1
This is a clean-up release, it makes the system work on smaller systems and
fixes some important bugs. You should definitely update if you can.
- some tweaks to make Gibraltar work with 16 MB RAM and no swap partition:
- do not start ippl, arpwatch, net-acct and snort by default (although I
recommend everybody to start them if there are 32 MB RAM or more
available - they can help to secure your system)
- there is a new setup.d script now: 'minimal-system' takes care of not
starting webmin when only 16 MB are available (you should be fine with
24 MB)
- the ISO images will now come with a GPG-signature file
- oops, my certificate authority expired on 2000-08-01. I created a new one
and signed the distributed SSL key certificate with the new CA key.
- I am creating a Debian package containing the boot scripts now. In
preparation for this, all of the boot scripts were automatically re-created
from pieces. There might be some differences, but I did not recognize any
during testing them.
- I found out that my extensions to the webmin useradmin module that allow
changing the PAM system password of a user might contain a bug and are
incomplete. Therefore I deactivated webmin in the distribution for the
moment. It will be reactivated as soon as I am sure that my patches
are complete.
- the initrd ramdisk was not freed properly after it finished. This should
be fixed now.
- fixed a bug in the 00network-cards script that detects all network cards
and brings them up. When there was a blank space in the network card
description, it did not work. Now it should be fixed.
- fixed a bug that prevented using a harddisk partition as /var: no modules
could be loaded before /var was writeable, but modules are needed to load
/var ....
I hope that it is fixed now.
- upgraded openssh to version 2.1.1p4 from woody. It now includes support
for the ssh version 2 protocol.
- unfortunately I had to remove dnscache from the distribution. It seems that
Dan Bernstein's license does not allow the dnscache binary to be
distributed alone, without the other binaries from his djbdns package.
I will have to wait for Dan Bernstein himself to clarify the situation, I
sent him a mail over 2 weeks ago and am waiting for the response now.
Hopefully I will be allowed to distribute dnscache soon because it is a
real security enhancement to not depend on (maybe broken) external DNS
servers. And no, I do not want to include bind just for resolving DNS names.
Because of the current dnscache situation, you need to upgrade to this
version. Until Dan Bernstein allows me to include dnscache in Gibraltar, it
conflicts with his license. Please stop using the old release immediately, it
might get me in trouble because I redistributed the dnscache binary (although
I thought that this redistribution was allowed. It seems that it is not).
A general note: I want to publish new releases as soon as I fix bugs,
therefore it might happen that there are 4 releases in a week or no release
for 2 weeks. Generally, I recommend the usage of CD-RW media to work with
Gibraltar until the version number goes close to 1.0. Doing so, you can
follow new releases quickly without wasting CD-R media.
Version 0.90pre1, published 2000-07-31, 4:00 GMT+1
- first public release, probably some bugs
- the basics should be rather complete for the 0.90 release, only details will
change
- it works on my IDE and SCSI systems, please tell me if it boots on others
- you can report any bugs / suggestions / wishes to the gibraltar mailing
list at [email protected]