
VERSION CHANGES

What follows is a list of new features in the 4.0 and 4.1 version lines.
 

New features in 4.0:

  • Registration can now be done automatically over the Internet.
    Before registration, the admin program can still be used to configure the hardware, interface types and addresses, name service, and the internal static routes.

  • The `can_relay' variable in the /usr/local/custom/recvmail.ini file can now take three values: 0 implies no relaying at all, 1 allows relaying if the sender claims to be from one of the firewall's domains, and 2 allows anyone to use the firewall as a relay.
    The default value remains zero. The variable can also now be configured from the Mail Setup screen in fwadmin.
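
The three `can_relay' settings above, written out as a relay decision. This is an added example, not CEQURUX's recvmail code; the `key = value` layout used for the recvmail.ini fragment, the domain set and the addresses are constructed assumptions.

```python
"""Relay decision for the three can_relay values described above.

Added example, not part of the CEQURUX firewall; the `key = value`
layout assumed for recvmail.ini is not taken from the page.
"""
from typing import Iterable, Optional

# Constructed fragment in the assumed recvmail.ini layout.
SAMPLE_INI = """\
# recvmail settings (constructed sample)
can_relay = 1
"""

# Constructed set of the firewall's own mail domains.
FIREWALL_DOMAINS = {"example.com", "mail.example.com"}


def load_can_relay(ini_text: str) -> int:
    """Read can_relay from ini text; a missing key means 0, the documented default."""
    value = 0
    for raw in ini_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "can_relay":
            value = int(val.strip())
    if value not in (0, 1, 2):
        raise ValueError(f"can_relay must be 0, 1 or 2, got {value}")
    return value


def _domain_of(address: str) -> Optional[str]:
    """Domain part of an envelope address; None for the null sender '<>'."""
    addr = address.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def may_relay(can_relay: int, envelope_from: str, recipient: str,
              local_domains: Iterable[str]) -> bool:
    """Decide whether a RCPT TO should be accepted under the given can_relay.

    Delivery to one of the firewall's own domains is not relaying and is
    always accepted; delivery anywhere else is relaying and follows can_relay.
    """
    local = {d.lower() for d in local_domains}
    if _domain_of(recipient) in local:
        return True
    if can_relay == 0:
        return False                     # no relaying at all
    if can_relay == 1:
        # Trusts the MAIL FROM *claim*, which is not authenticated: a forged
        # sender in a local domain passes this check, so 1 is weaker than it looks.
        return _domain_of(envelope_from) in local
    if can_relay == 2:
        return True                      # open relay: anyone may use the firewall
    raise ValueError(f"unknown can_relay value {can_relay}")


if __name__ == "__main__":
    setting = load_can_relay(SAMPLE_INI)
    for sender, rcpt in [("bob@example.com", "x@other.org"),
                         ("bob@evil.invalid", "x@other.org"),
                         ("<>", "postmaster@example.com")]:
        print(setting, sender, "->", rcpt, may_relay(setting, sender, rcpt, FIREWALL_DOMAINS))
```

The null sender `<>` has no domain, so under setting 1 a bounce addressed to an external recipient is refused while one addressed to a local mailbox is still delivered.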

  • The installation CD-ROM is now bootable, on machines whose BIOSes support the El Torito CD-ROM boot extensions.

  • cdsgw will now detect FTP PORT commands on the inside that attempt to open up a privileged port accessible to the external FTP server.
    This is an attack that can be carried out by insiders, possibly unwittingly, via malicious Java applets downloaded from the external server.
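
The check cdsgw performs above, as an added example (not cdsgw's code): parse the `PORT h1,h2,h3,h4,p1,p2` command from the inside client and flag it when the port it names is privileged (below 1024). The address-mismatch verdict, where the client names a host other than itself, is a standard extra check that goes beyond what the page describes. The session transcript and the client address 10.0.0.5 are constructed.

```python
"""Flag FTP PORT commands from the inside that name a privileged port.

Added example, not cdsgw code. The control-channel session is constructed.
"""
import re
from typing import List, Optional, Tuple

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from 'PORT h1,h2,h3,h4,p1,p2', or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]   # RFC 959 encoding: p1*256 + p2
    if port == 0:
        return None
    return ip, port


def check_port_command(line: str, client_ip: str) -> str:
    """Classify one inside->outside PORT command.

    'privileged-port' is the case the changelog describes: the client asks
    the external server to connect back to a port below 1024 on the inside.
    'address-mismatch' (the client naming some other inside host) is an
    additional check not taken from the page.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return "malformed"
    ip, port = parsed
    if ip != client_ip:
        return "address-mismatch"
    if port < 1024:
        return "privileged-port"
    return "ok"


def scan_session(lines: List[str], client_ip: str) -> List[Tuple[int, str, str]]:
    """Return (line number, verdict, command) for every PORT command that is not ok."""
    findings = []
    for n, line in enumerate(lines, 1):
        tokens = line.strip().split()
        if not tokens or tokens[0].upper() != "PORT":
            continue
        verdict = check_port_command(line, client_ip)
        if verdict != "ok":
            findings.append((n, verdict, line.strip()))
    return findings


# Constructed control-channel lines sent by an inside client at 10.0.0.5.
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS guest@",
    "PORT 10,0,0,5,4,1",       # 10.0.0.5:1025 -> ok
    "LIST",
    "PORT 10,0,0,5,0,25",      # 10.0.0.5:25   -> privileged port
    "RETR notes.txt",
    "PORT 10,0,0,6,4,2",       # a different inside host -> address mismatch
    "PORT 10,0,0",             # truncated -> malformed
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION, "10.0.0.5"):
        print("alert:", finding)
```

Everything that is not `ok` is worth a log line: a malformed command is more often a broken client than an attack, but a privileged port or a foreign address should be logged and the data connection not permitted.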

  • Unacceptable connections from outside will no longer be reset or answered with ICMP errors by cdsgw. This helps prevent DoS attacks against cdsgw caused by flooding it with unsolicited packets from outside.
    The only exception is tcp/auth (ident), which should still be rejected with a TCP reset so that external mail servers doing ident lookups do not block unnecessarily.

  • Logging using WELF (WebTrends Enhanced Log Format) is now supported for certain log message types.
    The report program can handle both the old and the new formats, so reports will be unchanged by this. You can also specify the IP address of a WebTrends log server; any WELF format messages will also be logged to this server (but not other format messages).

  • Splitdns will now tweak MX record lookups for external hosts so that the firewall is returned as the primary mail exchanger.
    This should allow mailers on the inside to work without requiring reconfiguration when the firewall is installed.

  • Portscans are now logged with the date and time of each match, the source and destination ports, and, for TCP, the FIN and SYN flag settings.

  • If there is no mail server, a default rule will be added so that sendmail sends any mail it otherwise has no delivery rule for back to recvmail for a second round of processing.
    This can be useful for error notification messages generated by sendmail itself. If the message is still undeliverable after the second pass, the new loop detection in recvmail will cause it to bounce.

  • The local list of spammers can now have individual mail addresses, not just domains or hostnames, so that you can block mail from a single mail address.

  • A new feature, `seamless DNS', has been added. If enabled, then DNS lookups sent from internal hosts to external servers will be transparently proxied, so that no reconfiguration of internal resolvers is needed.
    Furthermore, the firewall will modify MX record lookup responses so that it is seen as the mail exchanger for all external hosts.
    Together, these mean a firewall can be deployed without internal hosts needing any reconfiguration of their mail or DNS settings.
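
The MX rewriting that both the splitdns item above and the seamless DNS item describe, as an added example (not splitdns code): an MX answer for an external name is returned with the firewall inserted at the lowest preference, while lookups for the firewall's own domains pass through untouched. Records are plain (preference, exchange) tuples; the firewall host name `fw.example.com`, the domain set and the sample answers are constructed. Inserting the firewall even when the external name has no MX records at all is a design choice made here, not something the page states.

```python
"""Rewrite an MX answer so the firewall is the primary mail exchanger.

Added example, not splitdns code. Records are (preference, exchange)
tuples; the host name and domains below are constructed.
"""
from typing import Iterable, List, Tuple

MXRecord = Tuple[int, str]

FIREWALL_MX = "fw.example.com"        # constructed
INTERNAL_DOMAINS = {"example.com"}    # constructed: lookups under these are not rewritten


def _in_domains(qname: str, domains: Iterable[str]) -> bool:
    """True if qname is one of `domains` or lies beneath one of them."""
    q = qname.lower().rstrip(".")
    for d in (x.lower().rstrip(".") for x in domains):
        if q == d or q.endswith("." + d):
            return True
    return False


def rewrite_mx_answer(qname: str, answers: List[MXRecord],
                      firewall_mx: str = FIREWALL_MX,
                      internal_domains: Iterable[str] = INTERNAL_DOMAINS) -> List[MXRecord]:
    """Return the MX set internal mailers should see for qname.

    For an external name the firewall is inserted with preference 0. If an
    existing record already uses preference 0, every existing record is
    pushed up by one (clamped to 65535) so their relative order is kept and
    the firewall is still the unique lowest. A record that already names
    the firewall is dropped so it is not listed twice.
    """
    if _in_domains(qname, internal_domains):
        return list(answers)
    fw = firewall_mx.lower().rstrip(".")
    others = [(p, ex) for p, ex in answers if ex.lower().rstrip(".") != fw]
    if any(p == 0 for p, _ in others):
        others = [(min(p + 1, 65535), ex) for p, ex in others]
    return [(0, firewall_mx)] + others


def primary_mx(answers: List[MXRecord]) -> str:
    """Exchange with the lowest preference, i.e. the one a mailer tries first."""
    return min(answers)[1]


if __name__ == "__main__":
    # Constructed answer for an external domain.
    external = [(10, "mx1.other.org"), (20, "mx2.other.org")]
    print(rewrite_mx_answer("other.org", external))
    print(primary_mx(rewrite_mx_answer("other.org", external)))
    print(rewrite_mx_answer("mail.example.com", [(10, "mx.example.com")]))
```

Because internal mailers now deliver everything external to the firewall, the firewall's own outbound path is what actually reaches `mx1.other.org`; the internal hosts never need their smart-host setting changed, which is the point of the feature.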

  • You can now specify up to three external NTP servers, and also have the NTP server on the firewall use broadcasts to pass time information to internal servers.

  • The fwadmin program now supports copying and pasting of data fields (but not toggle fields). To copy a field, use ESC-C; to paste the copied value in another field use ESC-P.
    Before pasting, field type checking will be performed; if the value being pasted is of the wrong type it will not be pasted.

  • There is a new `send-pr' command for submitting bug reports.

  • Splitdns now does smart block checking and IP address caching for CNAMEs as well.

  • Smart blocks are now configured from within the admin program, rather than by hand-editing /usr/local/custom/smartblocks.

  • cdsgw can now handle multiple concurrent fragmented packets per session.

  • You can now specify the NetBIOS hostname of a host that should receive Windows popups in the Log Setup screen, and simply specify the custom action `popup' to create a log filter that does a popup.
    At a later stage these will be added as separate log filter actions rather than having to be configured using the custom action field; we haven't done this yet as the Windows remote admin program would then no longer be able to handle the log filters.
    When the Windows program is brought back in sync with fwadmin, this process will be completed.

  • Kernels should now support ISA Plug and Play (PnP) cards.

  • Added separate smart blocks for URLs. If any of these are present, then web access must be via a caching proxy.
    Pseudo-transparency will be used if a TCP gateway for HTTP is specified; however, this will only work for access to servers on port 80.
    Thus it is recommended that proxy access be used. As we now support Squid instead of CERN httpd, proxy web access is a good idea anyway.

  • Proxy web access now has improved authentication. Instead of authenticating the service `www' when a connection is received, authentication is deferred until the URL has been specified.
    Authentication is then done for the port/service implied by the URL. Thus, to allow users access to HTTP via a TCP proxy, you now enter `http' as the service instead of `www'.
    You can separately configure access to other browser accessible services such as https and gopher.

  • `?' can be used to get drop-down list boxes in the TCP proxy and TCP/UDP gateway setup screens, in the service, user, source address and `when allowed' fields.

  • DNS serial numbers now have the form YYYYMMDDXX, where XX is a two digit change number.
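
The serial scheme above, worked through as an added example (not the firewall's own code): compute the next YYYYMMDDXX serial from the current one and today's date, restarting XX on a new day and continuing the count when the current serial already carries today's date or, because of a clock that went backwards or a value set by hand, a later one. Numbering the first change of a day 00 is an assumption; the page says only that XX is a two-digit change number.

```python
"""Generate YYYYMMDDXX zone serials.

Added example, not the firewall's code. Starting each day at XX = 00 is an
assumption not taken from the page.
"""
from datetime import date
from typing import Optional, Tuple


def parse_serial(serial: int) -> Tuple[date, int]:
    """Split a YYYYMMDDXX serial into (date, change number).

    Raises ValueError if the serial does not have that form; the date()
    constructor rejects impossible months and days for us.
    """
    if not 1000000000 <= serial <= 9999999999:
        raise ValueError(f"serial {serial} is not ten digits")
    ymd, change = divmod(serial, 100)
    year, md = divmod(ymd, 10000)
    month, day = divmod(md, 100)
    return date(year, month, day), change


def next_serial(current: Optional[int], today: date) -> int:
    """Return the next serial, strictly greater than `current`.

    A serial older than today's date is replaced by today's base (XX = 00),
    which also migrates a zone from any earlier numbering scheme. A serial
    carrying today's date, or a later one, keeps its date and has XX
    incremented so secondaries still see an increase; once XX reaches 99 the
    scheme cannot represent another change for that day, so that is an error
    rather than a silent roll into the next day's range.
    """
    today_base = int(today.strftime("%Y%m%d")) * 100
    if current is None or current < today_base:
        return today_base
    parse_serial(current)        # refuse to count on from a value that is not YYYYMMDDXX
    if current % 100 == 99:
        raise ValueError(f"serial {current} has used all 100 change numbers for its day")
    return current + 1


if __name__ == "__main__":
    serial = None
    for _ in range(3):
        serial = next_serial(serial, date(2001, 3, 15))
        print(serial, parse_serial(serial))
```

Two checks worth keeping around a scheme like this: a serial that parses but lies in the future tells you the clock once ran ahead, and a serial that refuses to parse tells you the zone file was edited by hand with a different scheme; both are better surfaced than silently overwritten.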

  • It is now possible to specify hosts that are allowed to do zone transfers but are *not* secondary DNS servers.

  • The SMS interface for log filters has been generalised so that it can support other GSM networks as well as other devices such as pagers.
    There is a /usr/local/pagers directory which has sample scripts for Vodacom and MTN cellular telephone networks. The names of these scripts will appear as possible choices for the service in the Logging Setup Screen. You can also specify additional arguments to be passed to the scripts (in the case of the example scripts these are the cellular phone number).
    If you add scripts for pager or GSM services that are not already present, please let us have a copy so that we can add these to the ones distributed with the firewall.

  • Enabling SSH access to your firewalls for CEQURUX support staff can now be done by toggling a single field in the Remote Admin Setup screen.

 

New features in 4.1:

  • Firewall-to-firewall VPN tunnels can be configured using IPsec in tunnel mode with IKE.
    For each tunnel, the two endpoints use their IP addresses as identifiers, and they need to share a secret password.

  • Client-to-firewall IPsec connections can be configured using IPsec in transport mode with IKE. Each client identifies itself to the firewall using an FQDN (which looks like a domain name but can be chosen by the client user and the firewall administrator), the firewall identifies itself to the client using an FQDN (which is the domain name of the firewall), and each client needs to share a secret password with the firewall. Clients that connect in this way will not have direct access to hosts inside the firewall, but will have access to TCP proxies on the firewall. The TCP proxies can be configured for use only by IPsec clients (not by outsiders who do not make authenticated IPsec connections).

  • It is still possible to configure firewall-to-firewall tunnels using IPsec transport mode with preassigned SPIs (instead of using IKE). In this configuration, the encryption and authentication algorithms were previously hard coded (to des-cbc and md5) but are now configurable.

  • If the firewall's anti-virus feature is enabled, and if any user inside the firewall receives an anti-virus alert email message from Sophos, then the firewall will automatically fetch the "IDE" file mentioned in the alert message.
    In the past, the firewall fetched updated IDE files once per day; with this new feature, the firewall will fetch an updated IDE file almost immediately (provided a user inside the firewall is subscribed to the Sophos alert mailing list; see http://www.sophos.com/virusinfo/notifications). [PR 367]

  • NetBIOS can now be NATed like other protocols. The Gateway Setup screen has a Yes/No toggle to allow NAT to be enabled or disabled for NetBIOS services. [PR 206]

  • Support for 8-bit MIME messages has been added to recvmail and postmail.

  • A new "seamless mail" option has been added. If enabled, the firewall will intercept any TCP connections from internal clients to external servers on port 25 (SMTP), and process these itself using recvmail. This is to allow mail to work seamlessly without changing internal host mail client settings.

  • Protocol maps can now be defined for SMTP as a logical service. This allows the firewall to run SMTP services on non-standard ports. In addition to the protocol maps, TCP proxies will have to be defined for the physical ports to enable these services. These TCP proxy entries can have the usual authentication mechanisms applied. The aim is to allow SMTP mail services which allow arbitrary mail relaying but require authentication. The default behaviour for such services is to allow relaying provided the sender address is in our domains (equivalent to setting the can_relay .ini variable to have the value 1).

  • It is now possible to have a caching web proxy service at the same time as HTTP and HTTPS TCP gateways. (Previously, either a caching web proxy or an HTTP or HTTPS gateway could be configured, but not both at the same time.) Users can then configure their browsers to use the proxy or to use a "direct connection". In both cases the connections will go via the caching server. The only advantage of configuring a browser to explicitly use the caching proxy is that this will work for servers on ports other than 80 and 443, whereas the transparent access will work for these two ports only.

  • Outgoing traceroutes are now supported.

  • Virtual domains now support FTP, NNTP, HTTPS and POP3 services as well.

  • The chat scripts used for PPP can now be customised in a very basic way (namely, the strings used to scan for the user name and password prompts can be specified, instead of defaulting to "ogin:" and "assword:").