======================================================
Changes in KERNUN release 3.6.4 (compared to 3.6.3-h1)
======================================================

General
-------

1/ New: The default contents of the system backup list file (/etc/kernun-fsdb-include) have been marked with comments, which may cause a conflict during the upgrade process.

2/ New: Mail proxies (SMTP, IMAP4, POP3) also report partial spam scores by category into the log.

3/ Improvement: If the antivirus check is configured with a size limit (maximum size for checking), reading and storing the file is stopped when the limit is reached.

4/ Improvement: The number of current sessions is displayed in the graphs instead of the number of running child processes of the proxy.

5/ Improvement: Reverse resolution of client/server addresses to names for monitoring is done by the proxy. Thus, monitoring is noticeably faster.

6/ Fix: If the proxy configuration contains hostnames, a special process (ACR) takes care of refreshing the resolution. This process had an incorrectly set signal handler, which could cause the proxy to be killed instead of, for example, the log level being incremented. The bug was fixed.

Configuration
-------------

7/ New: An alternative way of specifying time is available in ACLs. The new section TIME-PERIOD-SET can now be used instead of the old set of TIME items. The main advantages are date ranges (e.g. from 24.12. to 3.1.) and negation of the whole time period set.

CML
---

8/ Improvement: The date and time displayed by KAT.RLOG is shown in local time instead of UTC.

ICAP Server
-----------

9/ New: Sending of the response body can be started before the antivirus check is finished (as in the http-proxy). This prevents the client from timing out before the whole file is received by the ICAP server and the antivirus check is completed.

10/ Improvement: The ICAP server response language can also be set in the REQUEST-ACL (besides SESSION-ACL and SERVICE-ACL).
HTTP Proxy
----------

11/ Improvement: The HTTP proxy response language configuration option (REQUEST-ACL.LANGUAGE) is now character set independent. All response pages are now served in UTF-8 encoding.

12/ Improvement: The design of all response pages has been unified.

SMTP proxy
----------

13/ Fix: Incorrect handling of the server-side connection timeout at the end of a mail was fixed.

======================================================
Changes in KERNUN release 3.6.3-h1 (compared to 3.6.3)
======================================================

General
-------

1/ Fix: The algorithm for writing syslog messages from proxies was modified so that simultaneous logging from many processes does not overload the system.

2/ Improvement: The OS kernel now supports polling mode for network device drivers.

ICAP Server
-----------

3/ Fix: The response body is sent correctly when the antivirus check is skipped due to the message size.

===================================================
Changes in KERNUN release 3.6.3 (compared to 3.6.2)
===================================================

Configuration
-------------

1/ New: The SYSTEM.ADMIN item now has two elements; the first one is used as the "technical" contact for administrators, the second one as the public contact for users.

2/ New: The advbase parameter of a CARP interface is now configurable via the new item ADVBASE of the CLUSTER.CARP-INTERFACE section.

DNS Proxy
---------

3/ Fix: Wildcards are now allowed in NSEC responses.

4/ Fix: If a UDP packet with a quick-retry query failed to send, the proxy kept sending the quick-retry until request-timeout. (Sending errors of other queries, or reading errors such as received ICMP error messages, were handled correctly.) The bug was fixed.
======================================================
Changes in KERNUN release 3.6.2 (compared to 3.6.1-h1)
======================================================

CML
---

1/ Improvement: CML now considers different revisions (beta, rc, release, hotfix) of the same version compatible and does not show a warning.

2/ Fix: The C3H module error recovery after some types of user errors was fixed.

Configuration
-------------

3/ Fix: Item autoreference (i.e. an element value "^..." pointing back to the item itself) was handled incorrectly and, because of its very limited usefulness, is now denied.

General
-------

4/ New: IFRAME tag filtering (clickjacking protection) was added to the HTML filter module.

5/ Fix: A security vulnerability in the operating system's BIND daemon was fixed.

GUI
---

6/ Improvement: The View/Edit configuration toolbar button is now disabled until GKAT determines the user id, to prevent the configuration from being opened in read-only mode for admin users.

7/ Fix: The upgrade process no longer reports success after failing to apply the configuration. This also prevents rebooting the machine into an unconfigured system.

8/ Fix: The storage location for autosave.cml was changed on Windows to "%LOCALAPPDATA%\Kernun GUI" to avoid relying on UAC virtualization (Program Files contents are read-only for non-elevated applications).

9/ Fix: The GUI no longer fails to connect if SSH is not configured as the default protocol in PuTTY (Default Settings -> Connection Type -> SSH).

HTTP Proxy
----------

10/ Improvement: A non-transparent http-proxy can be used for handling requests transparently redirected to the proxy by other means than the proxy's built-in transparency support. In such a situation, the request URI does not contain the server address, which is therefore taken from the Host header. This functionality can be enabled by the request-acl.host-hdr-transp configuration item.
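Item 10 above turns on a fallback that a proxy has to apply carefully: an origin-form request ("GET /path HTTP/1.1") carries the server only in the Host header, while a proxy-style request carries it in an absolute URI. The following is an added example, not Kernun code, of how such a decision can be made; the host_hdr_transp flag stands in for the request-acl.host-hdr-transp item, and the function names and sample requests are constructed for this example.

```python
"""Added example (not Kernun code): pick the origin server for a request at a
non-transparent proxy.  `host_hdr_transp` stands in for the
request-acl.host-hdr-transp configuration item; function names and sample
requests are constructed for this example."""
from urllib.parse import urlsplit


def parse_request_head(raw: bytes):
    """Split an HTTP request head into (method, target, headers).

    Header names are lower-cased and every value is kept, so a duplicated
    header can be detected instead of one copy being picked silently.
    """
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def _authority(text: str, default_port: int):
    """Return (host, port) from an authority string such as "example.com:8080"."""
    try:
        parts = urlsplit("http://" + text)
        host, port = parts.hostname, parts.port
    except ValueError:            # e.g. a non-numeric port
        return None
    if not host:
        return None
    return host, port if port is not None else default_port


def resolve_origin(raw: bytes, host_hdr_transp: bool = False):
    """Return (host, port) of the origin server, or None when it cannot be
    determined safely and the request should be refused."""
    method, target, headers = parse_request_head(raw)
    if method == "CONNECT":
        # authority-form: the target itself is "host:port"
        return _authority(target, 443)
    if target.startswith(("http://", "https://")):
        # absolute-form (a client configured to use the proxy): the
        # authority is part of the request URI
        parts = urlsplit(target)
        try:
            port = parts.port
        except ValueError:
            return None
        if not parts.hostname:
            return None
        default = 443 if parts.scheme == "https" else 80
        return parts.hostname, port if port is not None else default
    if not host_hdr_transp:
        # origin-form at a non-transparent proxy without the option: there
        # is no server address to connect to, so the request is refused
        return None
    hosts = headers.get("host", [])
    if len(hosts) != 1:
        # missing or duplicated Host header: refuse rather than guess
        return None
    return _authority(hosts[0], 80)
```

With the flag off, an origin-form request yields no target and is refused; with it on, exactly one Host header is required, which keeps a request with conflicting Host headers from being routed to a server the client did not name.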
ICAP Server
-----------

11/ New: LDAP group membership of the HTTP request user is now available for testing within REQUEST-ACLs.

SMTP Proxy
----------

12/ Fix: If the quoted-printable encoder found a dot exactly on a block boundary, it doubled the dot. The bug has been fixed.

13/ Fix: The REDIRECT-TO item was ignored for recipients added by a COPY-TO item. The error has been fixed and REDIRECT-TO is fully honoured even for newly added recipients.

======================================================
Changes in KERNUN release 3.6.1-h1 (compared to 3.6.1)
======================================================

General
-------

1/ Fix: The tun interface no longer loses its IP address upon openvpn restart.

=================================================
Changes in KERNUN release 3.6.1 (compared to 3.6)
=================================================

General
-------

1/ Base OS version changed to the latest release on the FreeBSD 8.2 security branch.

==================================================
Changes in KERNUN release 3.6 (compared to 3.5-h3)
==================================================

General
-------

1/ Base OS version changed to the latest release on the FreeBSD 8.1 security branch.

2/ Improvement: Some space-consuming log dumps (like the request-table dump in dns-proxy in case of table exhaustion) can now be limited so that they occur no more often than once within the time period defined by the LOG.DUMP-HOLD-TIME item.

3/ Fix: If no interface has an IPv6 address set, proxies do not try to get AAAA addresses (as if PREFERENCE IPv4 were used). If some IPv6 address is configured, the default resolver PREFERENCE respects the setting done via IPV6-ADDRCTL (RFC 3484).

4/ New: The content type obtained by libmagic is truncated to "type/subtype" before it is used for matching in ACLs.

Configuration
-------------

5/ New: The configuration now uses strict locking.
   This means that the RCS file of the configuration (kernun.cml,v) must be locked by the current user in order to manipulate it. The locking procedure is incorporated into standard CML operation; moreover, new options of the cml tool and a new command ./rcs are available for pure locking and unlocking operations. The Kernun GUI has also been updated to implement the locking scheme.

6/ Improvement: The algorithm for generating proxy configuration files has been improved. The files now contain only the sections and items actually needed.

7/ Improvement: If the address of a reverse NAMESERVER.ZONE covers more than one reverse domain name, appropriate zones are generated for all of them. For instance, the address [10.0.0.0/23] represents both the 0.0.10.in-addr.arpa and 1.0.10.in-addr.arpa zones.

8/ New: Native lines of a nameserver zone database file can now be defined by the item RAW of the appropriate ZONE.GENERATE section.

9/ Fix: As in the IPv4 case, the zone for IPv6 localhost reverse resolution (0. ... .0.ip6.arpa) is generated by default.

10/ New: The packet-filter configuration was moved from /etc/pf.conf to /usr/local/kernun/etc/pf.conf, and a missing PACKET-FILTER section in kernun.cml causes pf_enable to be set to "NO" in the /etc/rc.conf file.

DNS proxy
---------

11/ Improvement: If the proxy causes (e.g. due to denying requests or filtering responses) a response with the NXDomain response code, or the NoError response code and no answer (AN) records, to be sent, it adds a SOA record with a proper TTL for successful negative caching in clients. This behaviour can be configured by the NEG-RESP-TTL item of the respective REQUEST-ACL.

12/ Improvement: Within a REQUEST-ACL, the QUERY-NAME definition for reverse resolution (i.e. *.in-addr.arpa or *.ip6.arpa subdomains) can now be specified by a network address instead of a string expression.

13/ New: IPv6 addresses (AAAA) can now be faked, too.
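Items 7 and 12 above both rest on the same arithmetic: a network address maps to one or more reverse zones cut at octet (IPv4) or nibble (IPv6) boundaries, and a PTR query name either falls inside those zones or does not. The following is an added example, not Kernun code, that carries the arithmetic through for both the zone generation and the query-name matching; the function names are constructed, and only the zone naming (the [10.0.0.0/23] case from the text) follows the page.

```python
"""Added example (not Kernun code): reverse zones covered by a network address
and label-boundary matching of PTR query names.  Function names are
constructed for this example."""
import ipaddress


def reverse_zones(network: str):
    """Return the in-addr.arpa / ip6.arpa zone names that cover `network`.

    A reverse zone can only be cut at an octet (IPv4) or nibble (IPv6)
    boundary, so an unaligned prefix is widened to the next boundary and
    one zone is produced per aligned sub-network.
    """
    net = ipaddress.ip_network(network, strict=True)
    unit = 8 if net.version == 4 else 4            # bits per reverse label
    total_labels = net.max_prefixlen // unit       # 4 for IPv4, 32 for IPv6
    boundary = -(-net.prefixlen // unit) * unit    # prefix rounded up to a label
    keep = boundary // unit                        # labels that form the zone name
    zones = []
    for sub in net.subnets(new_prefix=boundary):
        # reverse_pointer lists the least significant label first;
        # the labels belonging to the host part are dropped.
        labels = sub.network_address.reverse_pointer.split(".")
        zones.append(".".join(labels[total_labels - keep:]))
    return zones


def in_reverse_zones(qname: str, network: str) -> bool:
    """True if the PTR query name lies inside one of the zones of `network`.

    The comparison is made on label boundaries, so 10.0.10.in-addr.arpa
    (address 10.0.10.x) does not match the zone 0.0.10.in-addr.arpa.
    """
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in reverse_zones(network))
```

The label-boundary check in in_reverse_zones is the detail worth keeping: a plain suffix comparison would let 10.0.10.in-addr.arpa match the 0.0.10.in-addr.arpa zone and select the wrong REQUEST-ACL.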
14/ Fix: If no interface has an IPv6 address set, the proxy does not use IPv6 nameservers learned during the resolution process.

15/ New: Restricting the resolving process to IPv4-only or IPv6-only servers can be forced by the SERVER-PROTO item.

16/ Fix: In some circumstances, suspended requests waiting for an identical request were answered without any AN record. This bug was fixed.

FTP proxy
---------

17/ New: The filtering of server replies to the FEAT command can now be configured by the COMMAND-ACL.FEATURE item. Unknown options are removed by default.

ICAP server
-----------

18/ Fix: Several errors that occurred when testing communication with the ICAP client in Squid were fixed.

=====================================================
Changes in KERNUN release 3.5-h3 (compared to 3.5-h2)
=====================================================

General
-------

1/ Fix: The missing command chown was added to the installation system on the Kernun installation CD.

2/ Fix: A missing directory for graphs (/data/graphs) is automatically created during application of the configuration.

3/ Fix: Parameters of the network card driver bce were tuned.

4/ Fix: Logging of user sessions is limited to sessions that create pseudoterminals. See also the note about session logging and .profile in KERNUN-RELNOTES.txt.

Configuration
-------------

5/ New: It is possible to add user-defined variables for a custom CARP monitoring script (and omit the standard ones).

6/ Fix: A system backup contains the name of the applied system configuration section. This name is used to apply the correct system when restoring from the backup.

FTP proxy
---------

7/ Improvement: Both CML and ftp-proxy check whether the DATA-PORT item is configured properly. Reserved data ports cannot be used if the proxy runs under a non-root user.
=====================================================
Changes in KERNUN release 3.5-h2 (compared to 3.5-h1)
=====================================================

General
-------

1/ Fix: A security vulnerability in the operating system's OpenSSL library was fixed.

2/ Improvement: Some more L3 protocols can be used in the PF configuration.

GUI
---

3/ Improvement: A user with audit rights can generate and view graphs of system parameters.

==================================================
Changes in KERNUN release 3.5-h1 (compared to 3.5)
==================================================

General
-------

1/ Fix: Ownership of files related to the DrWeb antivirus was fixed.

2/ Fix: Contents of the user and group databases were fixed.

=================================================
Changes in KERNUN release 3.5 (compared to 3.4.1)
=================================================

General
-------

1/ New: Support for IPv6 was added.

Configuration
-------------

2/ Fix: Nameserver directories are owned by the 'kernun' user so that downloading of slave zone files works properly.

GUI
---

3/ Fix: Excessive memory usage when viewing large logs from the GUI was fixed.

HTTP proxy
----------

4/ Fix: Bugs in the algorithm for searching the ClearWeb DB were fixed.

5/ Improvement: New configurable options for handling the Accept-Encoding and Content-Encoding headers were added.

=================================================
Changes in KERNUN release 3.4.1 (compared to 3.4)
=================================================

General
-------

1/ Fix: An integer overflow vulnerability in the operating system's bzip2 library was fixed.

2/ Fix: Proxies can show their version without a valid license.

Configuration
-------------

3/ New: Interface type lagg (aggregation of Ethernet interfaces) in failover mode is now supported in the configuration. Physical interfaces are attached to a lagg interface by the item INTERFACE.AGGREGATE.
4/ Fix: Having both graphical and textual statistics at the same time no longer causes the "statistics" script to fail with the "Cannot create directory" error message.

FTP proxy
---------

5/ Fix: A RADIUS authentication bug was fixed.

6/ New: All erroneous server responses are logged at the W level.

7/ New: Full support for the MLSD and MLST commands was implemented.

8/ New: The server reply to the FEAT command is filtered and unimplemented features are removed.

HTTP proxy
----------

9/ New: Detection of patterns in data streams transferred by the CONNECT HTTP method was improved by allowing data to pass while the tests are performed.

10/ Improvement: The accept-gzip option has two new possible values, 'client' and 'client-add'.

11/ Fix: Enabling Clear Web DataBase Bypass in the configuration no longer automatically enables parsing of the Set-Cookie response header. This change prevents failure of requests to servers that send incorrect Set-Cookie headers (a widespread practice accepted by browsers).

SIP proxy
---------

12/ New: By default, all rejected sessions are ignored instead of being terminated gracefully. This feature can prevent DoS attacks based on sending unauthorized session requests. Regular session termination can be forced by the REJECT-GRACEFULLY item.

TCP proxy
---------

13/ New: Detection of patterns in data streams transferred by the proxy was improved by allowing data to pass while the tests are performed.

====================================================
Changes in KERNUN release 3.4 (compared to 3.3.2-h1)
====================================================

General
-------

1/ Fix: A bug was fixed in the libmagic library used for file type detection based on magic numbers. If a proxy process tried to detect the type of a compressed file, it could become stuck in an endless loop consuming 100 % CPU time.

HTTP proxy
----------

2/ New: The HTTP proxy now supports categorization of web servers by Clear Web DataBase.
   The set of categories assigned to a web page can be used as an entry condition in a REQUEST-ACL (item CLEAR-WEB-DB-MATCH).

3/ New: A new condition REFERER was added to the REQUEST-ACL section. It provides selection of a REQUEST-ACL according to the contents of the Referer HTTP header.

4/ New: The error page presented to a user for a request denied by an ACL can be customized (item DENY-MSG of REQUEST-ACL and DOC-ACL). It is possible to configure the message text shown in the error page and the name of a file used as the template of the error page.

5/ Improvement: More information about an HTTP request can be displayed to the user if the request is denied by a REQUEST-ACL or a DOC-ACL. It is newly possible to display the client IP address or host name, the user name of an authenticated user, the name of the denying ACL, a configurable message, and the set of Clear Web DataBase categories (meaningful only if the request has been processed by the Clear Web DataBase).

6/ New: Detection of patterns in data streams transferred by the CONNECT HTTP method was implemented.

7/ Fix: The default of the configuration item SESSION-ACL.LINGER-TIME was changed to 1. This prevents resetting the TCP connection before the client receives the complete error response from the proxy.

TCP proxy
---------

8/ New: Detection of patterns in data streams transferred by the proxy was implemented.

======================================================
Changes in KERNUN release 3.3.2-h1 (compared to 3.3.2)
======================================================

General
-------

1/ Fix: A potential vulnerability in the operating system kernel was fixed.

2/ Improvement: The maximum length of the queue of established TCP connections waiting to be processed by a proxy was increased to 16384 (sysctl kern.ipc.somaxconn).

3/ Improvement: Matching patterns for MS Project and Visio files were improved in the libmagic database.

FTP proxy
---------

4/ Fix: A panic in the proxy with configured RADIUS authentication was fixed.
HTTP proxy
----------

5/ Improvement: Rules for parsing the Set-Cookie and Cookie headers were relaxed, because many web servers do not obey the rules for the contents of these headers.

======================================================
Changes in KERNUN release 3.3.2 (compared to 3.3.1-h2)
======================================================

General
-------

1/ Improvement: Third-party software packages used by Kernun were updated to recent versions.

2/ Improvement: Patterns for new file formats (PCX images, MS Office and OpenOffice documents) were added to the libmagic file type recognition pattern database.

3/ Fix: Recognition of Ethernet interfaces in the initial configuration script was fixed.

4/ Fix: Active Directory domain membership is retained after a system backup/restore or upgrade.

5/ Fix: Matching of the PCX image format was added to the libmagic database file for document type identification in proxies.

6/ Fix: Handling of signals generated by expired internal timeouts in various Kernun software modules was fixed. This correction prevents intermittent processing failures, mainly when a proxy communicates with an external program or database.

Configuration
-------------

7/ Improvement: New antivirus status codes were added. The possible outcomes of antivirus checking are FREE, FOUND, SKIPPED, UNKNOWN, and ERROR. Configurable reactions of proxies to the status returned by an antivirus are now more flexible.

8/ Improvement: Application of the configuration to a remote Kernun system (by KAT or GUI) copies all configured SHARED-FILEs to the remote system.

9/ Improvement: The files /boot/loader.conf and /etc/rc.conf.local are now preserved across system backup/restore and upgrade by default.

10/ Fix: Handling of libmagic pattern database files (PROXY.DOCTYPE-IDENTIFICATION.MAGIC) was fixed.
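Item 7 above distinguishes five antivirus outcomes, and the 3.6.4 item about the size limit describes one way SKIPPED arises: reading and storing stop as soon as the configured maximum is reached. The following is an added example, not Kernun code, that models both: a size-limited reader that never consumes more than one byte past the limit, and a reaction table that treats any outcome other than FREE as a deny unless the administrator has configured otherwise. The scanner callback, the policy table and the sample data are constructed for this example; Kernun's real reaction configuration is richer than this map.

```python
"""Added example (not Kernun code): antivirus outcome model with a size
limit and a fail-closed reaction table.  The scanner, policy and sample
data are constructed for this example."""
import enum
import io


class AvStatus(enum.Enum):
    FREE = "free"          # scanned, nothing found
    FOUND = "found"        # malware detected
    SKIPPED = "skipped"    # not scanned, e.g. because of the size limit
    UNKNOWN = "unknown"    # scanner returned no usable verdict
    ERROR = "error"        # scanner failed


def check_stream(stream, max_size: int, scanner, chunk_size: int = 4096):
    """Read `stream` and scan it, honouring the size limit.

    Returns (status, bytes_consumed).  At most max_size + 1 bytes are read:
    one byte past the limit is enough to know the object is oversized, so
    the remainder of an oversized file is neither read nor stored.
    """
    buf = bytearray()
    while len(buf) <= max_size:
        chunk = stream.read(min(chunk_size, max_size + 1 - len(buf)))
        if not chunk:
            break
        buf.extend(chunk)
    if len(buf) > max_size:
        return AvStatus.SKIPPED, len(buf)
    try:
        verdict = scanner(bytes(buf))   # True = infected, False = clean, None = no verdict
    except Exception:                   # scanner crashed, timed out, ...
        return AvStatus.ERROR, len(buf)
    if verdict is None:
        return AvStatus.UNKNOWN, len(buf)
    return (AvStatus.FOUND if verdict else AvStatus.FREE), len(buf)


# Reaction table: statuses not listed are denied (fail closed), so a scanner
# outage or an oversized object is never passed through by accident.
DEFAULT_POLICY = {AvStatus.FREE: "accept"}


def decide(status: AvStatus, policy=None) -> str:
    """Map an antivirus status to the proxy's action ("accept" or "deny")."""
    policy = DEFAULT_POLICY if policy is None else policy
    return policy.get(status, "deny")


# Constructed stand-in for an antivirus engine (no real signatures).
MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def demo_scanner(data: bytes):
    if data.startswith(b"\x00corrupt"):
        raise RuntimeError("scanner cannot parse input")
    if data.startswith(b"\x00opaque"):
        return None
    return MARKER in data


def scan_and_decide(data: bytes, max_size: int, policy=None):
    """Run the whole pipeline on an in-memory object."""
    status, consumed = check_stream(io.BytesIO(data), max_size, demo_scanner)
    return status, consumed, decide(status, policy)
```

An administrator who wants large downloads to pass unscanned adds SKIPPED to the policy explicitly; leaving ERROR and UNKNOWN out of the table keeps a broken scanner from silently becoming a bypass.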
11/ Fix: The order of options generated for the openvpn ccd files was changed: push-reset is generated as the first option.

FTP proxy
---------

12/ Improvement: The occurrence of the COMMAND item (defining rules for various FTP commands) within all (accepting) COMMAND-ACL sections is checked. Thus, incorrect configurations having no COMMAND item are detected in the CML verification phase.

HTTP proxy
----------

13/ Improvement: The HTTP proxy now modifies the Accept-Encoding HTTP request header so that only the identity and gzip encodings are accepted by default. The proxy understands these encodings and is able to perform data filtering and MIME type detection on data using them. If data processing by the proxy is not needed, other encodings may be allowed by setting REQUEST-ACL.ACCEPT-GZIP to NO.

14/ Improvement: The workgroup name for NTLM authentication can be set explicitly, independently of the Active Directory domain name.

15/ Improvement: Communication (related to NTLM authentication) with an Active Directory Domain Controller can be limited to selected network interfaces.

16/ Improvement: More than one Active Directory Domain Controller can be used for NTLM authentication.

17/ Fix: A blacklist database must be specified in the configuration if blacklist matching is configured by a REQUEST-ACL or DOC-ACL.

18/ Fix: Terminating of network connections in an HTTP proxy that uses NTLM authentication was fixed.

======================================================
Changes in KERNUN release 3.3.1-h2 (compared to 3.3.1)
======================================================

General
-------

1/ Fix: A buffer overflow vulnerability (other than the one fixed in 3.3.1-h1) was fixed in the TIFF library, used by the SpamAssassin module FuzzyOcr.

2/ Fix: Superfluous debugging messages were removed from the operating system kernel log on the AMD64 platform.
======================================================
Changes in KERNUN release 3.3.1-h1 (compared to 3.3.1)
======================================================

General
-------

1/ Fix: A buffer overflow vulnerability was fixed in the TIFF library, used by the SpamAssassin module FuzzyOcr.

=================================================
Changes in KERNUN release 3.3.1 (compared to 3.3)
=================================================

General
-------

1/ Fix: Log messages generated by a proxy via syslog are not lost even during periods of very intensive logging, for example with the proxy log level set to TRACE or FULL.

2/ Fix: Signal handling in the file writing module was fixed. This correction prevents intermittent file processing failures, for example when a proxy sends data to an antivirus.

3/ Fix: File system journaling can sometimes cause a kernel panic during periods of heavy disk activity. Therefore journaling is switched off by default on newly installed Kernun systems. It can still be enabled during the installation process.

4/ New: A software watchdog was added to the Kernun kernel. The watchdog can be enabled by adding the line "watchdogd_enable=NO" to /etc/rc.conf.local. It automatically reboots the system after a serious system failure.

5/ New: Support for X.509 certificates that use the SHA256 algorithm was added.

6/ New: New PostSignum CA certificates were added and server certificate matching was updated in the configuration of Kernun Bezpecna Schranka (Secure Box).

Configuration
-------------

7/ Improvement: In the OpenVPN configuration, in route pushing to the client(s), a special value [0.0.0.0] (which is also the default value) can be used as the gw address. This address works as the remote endpoint of the tunnel (seen from the client's perspective).

8/ Fix: Setting the netmask in the configuration of GIF and GRE interfaces was fixed.
9/ New: The sample include configuration file /usr/local/kernun/conf/samples/include/content-filter.cml now contains directives for blocking Microsoft Silverlight.

GUI
---

10/ Improvement: It is possible to abort a running proxy startup/shutdown script.

11/ Improvement: Labels of the SIGUSR1 and SIGUSR2 buttons in GKAT were changed to "LogIncr" and "LogDecr".

HTTP proxy
----------

12/ New: The log message REQUEST-DETAILS was added. It logs the HTTP method, the request URI, the content of the Referer HTTP request header, the content type as announced by the server and as detected by the proxy, the response status code, and the response size in bytes.

13/ Improvement: The Content-Length header may be repeated with the same value, because some HTTP servers send duplicate Content-Length headers.

14/ Improvement: It is now possible to specify the HTTP status code for the error response returned by the proxy when a request is denied by an ACL.

15/ Fix: If a request is denied by an ACL, the proxy returns status code 403 (Forbidden) instead of 500 (Internal Server Error).

16/ Fix: Handling of a Content-Length header with a negative value was fixed.

17/ Fix: An internal buffer for NTLM authentication data was enlarged. NTLM authentication now also passes in cases where it previously failed due to insufficient buffer space.

====================================================
Changes in KERNUN release 3.3 (compared to 3.2.1-h5)
====================================================

General
-------

1/ New: A new authentication method was implemented. It is managed by an external tool (e.g. a shell script) called from the proxy.

2/ Improvement: A new format of license files was implemented. It provides a more readable and flexible license file. New features implemented before a subscription expiration date are now automatically licensed without generating a new license file.

3/ New: The packet filter now automatically adds state for packets that match a rule with "tag NOTRANSP".
   If the state should not be created, an explicit rule without "keep-state" must be defined.

4/ New: The element server-addr was introduced for the listen-on.transparent item. By specifying the server address for transparent connections, only connections with the given server address are processed by the proxy.

CML
---

5/ New: Variables used within an include file can have their value assigned not within the file but in the main configuration file. In this case, the variable must be forward-declared in the include file via the PARAM directive.

6/ New: SHARED-FILE and SHARED-DIR sections can now be defined within a section variable (macro).

7/ New: Data variables holding IP addresses (full IP address with mask) can now be referenced with content modifiers:
   $variable.host - strips off the mask
   $variable.net  - clears the host portion of the address

8/ New: The configuration item SYSTEM.RC-CONF.APPEND-ENV separates the newly added text from the original value of a variable by a space.

9/ New: The sysctl variables net.inet.ip.forwarding=1 and net.inet.tcp.delayed_ack=0 are set by default.

GUI
---

10/ New: A wizard was implemented that inserts the KBS (Secure Box) functionality into an existing Kernun configuration.

H.323 proxy
-----------

11/ Improvement: The possibility of changing the source of media channels was implemented. A new item, ALLOW-PEER, permits this.

HTTP proxy
----------

12/ New: The HTTP proxy supports user authentication against Microsoft Windows Active Directory using the NTLM protocol.

Kernun Branch Access
--------------------

13/ Fix: Generating RRD graphs was fixed on KBA.

14/ Improvement: The ramdisk size on KBA was doubled (to 128 MB).

DNS proxy
---------

15/ New: The DNS proxy re-searches the REQUEST-ACL list whenever a new internal request (for CNAME or NS queries) is created. Thus, the recursive resolving process respects the resolving rules given by the ACL list according to the query name.
16/ New: A new item IGNORE-MISSING-AA is implemented. It allows working around the incorrect behaviour of some servers that do not set the AA flag in CNAME replies. Without this flag set, such answers are ignored.

SIP proxy
---------

17/ Fix: Reading of concatenated Via headers was implemented.

=========================================================
Changes in KERNUN release 3.2.1-h5 (compared to 3.2.1-h4)
=========================================================

General
-------

1/ Improvement: Alternative locking algorithms were implemented for locking child processes waiting for client connections in proxies for TCP-based protocols. This modification eliminates proxy malfunction if the number of child processes exceeds several hundred.

2/ Fix: A possibility of a denial-of-service attack against the NTP service was eliminated.

3/ Fix: A bug in the DNS server (Bind) was fixed. It could allow a cache poisoning attack by caching unvalidated DNSSEC responses.

4/ Fix: Checking of the host ID during license verification was changed to case-insensitive. The host ID obtained from the operating system is now converted to uppercase. These changes prevent license check failure due to a lowercase/uppercase mismatch in the host ID after an upgrade.

Configuration
-------------

5/ Improvement: The key length can be specified for some encryption algorithms in the IPsec configuration.

6/ Improvement: Diffie-Hellman groups can be specified by numbers (e.g., 5) in addition to identifiers (e.g., modp1536) in the IPsec configuration.

HTTP proxy
----------

7/ Improvement: Compatibility of cookie-related HTTP headers with various servers and clients was improved.

8/ Fix: A bug was fixed in handling the lock of the out-of-band authentication table in the HTTP proxy when used as an OOB authentication server. The bug caused failures during proxy reload operations.
9/ Improvement: Handling of escape sequences in the HTTP request URI was changed so that a '%' character not followed by two hexadecimal digits is interpreted as a literal '%' and does not cause an error.

=========================================================
Changes in KERNUN release 3.2.1-h4 (compared to 3.2.1-h3)
=========================================================

General
-------

1/ Fix: An option SSL-PARAMS.ENABLE-RENEGOTIATION was added. It provides selective enabling of SSL session renegotiation for interoperability with clients and servers that require it (for example, ISDS servers).

=========================================================
Changes in KERNUN release 3.2.1-h3 (compared to 3.2.1-h2)
=========================================================

General
-------

1/ Fix: Shared libraries required by the DrWeb antivirus were added.

2/ Fix: Various minor corrections were made in the Kernun Bezpecna schranka (Secure Box) configuration and documentation.

=========================================================
Changes in KERNUN release 3.2.1-h2 (compared to 3.2.1-h1)
=========================================================

General
-------

1/ New: The file with the list of certificate authority certificates usable for authentication of ISDS servers was renamed from postsignum_qca_root.pem to isds_server_ca_certs.pem, and Verisign certificates were added to it.

2/ Fix: A possible security hole in SSL connection renegotiation was fixed.

3/ Fix: A bug in the operating system's handling of shared libraries when starting set-UID programs was fixed.

4/ Fix: A bug in the Kernun Bezpecna schranka (Data Box) Enterprise initial configuration script was fixed. It caused an endless loop after entering a too short SSH key passphrase.
======================================================
Changes in KERNUN release 3.2.1-h1 (compared to 3.2.1)
======================================================

General
-------

1/ Fix: Configuration of the DHCP client by the program configure-isds was fixed.

=================================================
Changes in KERNUN release 3.2.1 (compared to 3.2)
=================================================

General
-------

1/ New: Support for the product Kernun Bezpecna schranka (Data Box) Retail was added.

2/ Improvement: Various improvements for Kernun Bezpecna schranka (Data Box) were implemented.

3/ Improvement: The 'I' log level is no longer protected from being switched off in the configuration. However, if you decide to switch off this level, no statistical data will be produced.

FTP proxy
---------

4/ Fix: Forcing the source port of active data connections (configured via the SESSION-ACL.DATA-PORT item) was fixed.

===============================================
Changes in KERNUN release 3.2 (compared to 3.1)
===============================================

General
-------

1/ New: A set of new features was implemented to provide higher security when accessing the Czech eGovernment platform of data boxes ("datove schranky" in Czech).

2/ New: Journaling is an option selected by default for all file systems on newly installed Kernun systems. Enabling journaling on existing systems requires a complete reinstallation, because of the necessary disk repartitioning. Journaling improves system reliability and reduces recovery time after an unclean shutdown, because fsck is not run after reboot.

3/ Improvement: System graphs show the min, max and avg values of the main watched parameters. The format of CARP state graphs was changed to show precisely the percentage of master/backup/init state at each moment. RRD databases need to be deleted; see KERNUN-RELNOTES.txt for further instructions.

4/ Improvement: The system EditLine library still has a bug when loading some history files.
The KAT and CML tools implement a workaround that overcomes this bug.
5/ Improvement: A failure when reopening a log file during log restart is now logged into the formerly opened file before it is closed.
6/ Improvement: The default time period for log file rotation was changed to ANYTIME (i.e. effectively hourly). The meaning of "ROTATE SIZE n;" is now more logical: the file is rotated as soon as it reaches the given size (checked at whole-hour boundaries).
7/ Improvement: The /data/log directory is automatically mounted via nullfs into all chroot directories.
8/ Improvement: The NTP daemon is allowed to synchronize with a time server regardless of the initial clock difference.
9/ Improvement: References to the certificate/private key files in the SSL-PARAMS and LDAP-CLIENT-AUTH.SSL sections were changed to SHARED-FILE section names. This allows the files to be managed via the GUI.
10/ Improvement: The packet filter queue set definition is now checked for more error states that could cause a later PF start failure.
11/ Improvement: A packet filter rule that prevents losing the NOTRANSP tag on NAT-ed traffic is automatically generated into the packet filter configuration.
12/ New: A Sysctl component was added to allow reloading of the sysctl values from Kernun.
13/ Fix: The prompt for the external interface name was fixed in the initial configuration dialog.
14/ Fix: Collecting data for the online graphs displayed in the GUI no longer depends on the accessibility of a name server.
15/ Improvement: Rules and rule templates for IPS/IDS can be specified in the Kernun configuration.

CML
---

16/ Fix: A bug in MIME type list conversion was fixed in the inter-version configuration converter.
17/ Fix: A bug in the conversion of DOC-ACL.REPLACE files to SHARED-FILEs (within chrooted proxies) was fixed in the inter-version configuration converter.
18/ Fix: A bug in deallocating regular expressions after on-line verification was fixed.
19/ Fix: Ignoring of hidden nodes at the SYSTEM level during verification was fixed.
20/ Improvement: Denial of hostname usage in the configuration is checked immediately when the value is read. Thus, illegal values are discovered much sooner.

HTTP proxy
----------

21/ New: The HTTP proxy can be configured not to contact a remote server and to return a local file or the output of a script instead.
22/ New: The HTTP proxy can be configured to scan the bodies of HTTP requests and responses. The proxy can react in various ways to patterns found in request and response data. Reactions include logging alert messages, denying the request, saving parts of the data for further processing, and replacing field values in HTML forms.
23/ Fix: A bug was fixed in handling the HTTP response header Content-Length combined with HTML filtering.

Kernun Branch Access
--------------------

24/ Fix: A bug was fixed in handling the contents of the log partition, which caused failures of the log reading/writing utility rawlog, making the system log inaccessible.

UDP proxy
---------

25/ New: The UDP proxy now provides monitoring of open sessions and online graphs of transferred data volume.
26/ Fix: Setting of the source address on the client side was fixed (see the udp-proxy(8) manual page for the exact description).
27/ Fix: Handling of timeouts was corrected. There was a bug occurring occasionally under heavy traffic.

GUI
---

28/ Fix: A bug was fixed in validating the values filled in the wizards. Under certain circumstances, the bug made it impossible to proceed to the next page of the wizard.
29/ Fix: Binary files no longer get corrupted when being uploaded to the Kernun from the GUI 'Commit configuration' dialog.
30/ Improvement: Download of rule definitions for IPS/IDS can be explicitly initiated through the Kernun GUI.
31/ Improvement: A wizard to easily generate a Certificate Authority and certificates signed by that authority has been added.
32/ Improvement: The certificate and private key for SSL-PARAMS.id sections can be easily generated/uploaded using buttons on the item detail page.
33/ New: A console with an ssh connection to the Kernun can be opened from GKAT. Admins can add custom commands to be executed remotely and opened in the console.

===============================================
Changes in KERNUN release 3.1 (compared to 3.0)
===============================================

General
-------

1/ Fix: The YP files (SIP and H.323 maps) are removed during the upgrade. This prevents problems with proxy starts after the upgrade.
2/ Fix: If the proxy children are started too rapidly, which signals some fatal problem, the proxy parent will interrupt the operation.
3/ Fix: Kernun resolver routines select the source port for server querying randomly, but from now on they respect the SYSCTL.PORTRANGE settings.
4/ Fix: Some errors in the co-operation between regular and ACR (configuration resolver) child processes were fixed.
5/ Fix: Some memory initialisation and management errors were fixed.
6/ Fix: Various minor bugs in the installer and the system manager were fixed.
7/ Improvement: The Kernun shutdown was greatly accelerated by using the KAT.KILL command with an argument in the form '*=*'.
8/ Improvement: All mail proxies can filter mail according to mail header contents (using the MAIL-ACL.HEADER item).
9/ Improvement: The allowed maximum number of subparts of one MIME document was decreased to 5000.
10/ Improvement: The reference to the document replacement file in DOC-ACL.REPLACE (in mail proxies) was changed to the SHARED-FILE section name. This allows the files to be managed via the GUI.
11/ Fix: The mail queues of the SMTP forwarders in the SMTP proxy and in the mailer handling locally originated mail have been moved to /data/var/spool. The queues are now shared by the Kernun installed in all system partitions. This ensures correct mail handling after rebooting to a different partition (typically after an upgrade).
12/ Fix: A bug in generating the list of cloned interfaces in /etc/rc.conf was fixed.
Now it is possible to combine GIF/GRE and CARP interfaces in the configuration, and all such interfaces will be created.
13/ Fix: The owner of the home directory and its .ssh subdirectory is now set correctly for audit users.
14/ Fix: A bug in TCP and UDP port allocation was fixed. It caused random "Address already in use" errors under high load.
15/ Fix: Monitoring of the number of proxy child processes during the final wait for termination of all children was fixed.
16/ Fix: Minor bug fixes in the tool rrd.
17/ Improvement: The command "rrd update" refuses to run more than once at the same time.
18/ New: The license file format was changed. A new license file (/usr/local/kernun/license.dat) is needed; the old license file from 3.0 will not work.
19/ Improvement: ICMP ECHO requests are handled non-transparently.
20/ Improvement: The graph of used memory now displays two values. "All used memory" is the percentage of memory that is used by the system in any way. "Heavily used memory" is the percentage of memory that cannot be easily freed if more memory is needed.
21/ Improvement: The sysctl net.inet.ip.auto_reuse_port_addr was removed. The kernel was modified so that it now allows running a server and a transparent proxy on the same port without this sysctl.
22/ New: System backup (and also upgrade) now stores only the files named in the file /etc/kernun-fsdb-include.
23/ Fix: More checks of values entered by the administrator were added to the installer: the swap size cannot be 0, and the host name can contain only a limited set of characters.
24/ Fix: Minor bug fixes in sysmgr and related tools.
25/ Improvement: More parameters are now watched by the system graphs (two levels of memory usage) and the CARP graphs (CARP interface state in addition to its priority).

GUI
---

26/ Improvement: FreeBSD package and Windows setup improvements.
27/ Fix: It is possible to append nodes next to the include node in GCML.
28/ Fix: A problem with uploading the configuration to the Kernun from the GUI running on Windows was fixed.
29/ Improvement: The completer for CML was improved on Windows.
30/ Fix: An alternating-colors bug in markers was fixed for sorted lists.
31/ Fix: A problem with downloading the private key upon Kernun initialization from the GUI when running on Windows was fixed.
32/ Fix: A reconnect function bug was fixed on Windows.
33/ New: The system log can be displayed in the GUI.
34/ Improvement: Errors in the configuration are displayed directly in the GCML "Constraints" list.
35/ Fix: Numbers, IP addresses, etc. are handled correctly in sorted lists.
36/ Fix: Tables in the output of pf are displayed correctly.
37/ Fix: A bug was fixed that could cause the GUI to crash upon creating a range in CML elements.
38/ Fix: Problems with displaying the Help window on Windows were fixed.
39/ Improvement: A custom browser can be specified to be opened for displaying help.

CML
---

40/ New: It is possible (and recommended) to specify the target Kernun product to which a configuration will be applied. Configuration verification then checks whether the configured component can be run on the target system.
41/ Improvement: The listening addresses of the local nameserver(s) are checked against the set of interfaces to prevent a run-time error.
42/ Improvement: The NTP daemon listening addresses and ports were added to the collision detection set.
43/ Improvement: Names in the NTP configuration are resolved prior to starting the daemon, for configuration consistency.
44/ Improvement: If NTP is configured, the line 'ntpd_enable=NO' is generated into the rc.conf file in order to suppress the effect of a possible by-hand setting of the variable in rc-conf.set-env.
45/ Fix: Remote apply access for non-root users was fixed.
46/ Fix: A bug in variable application was fixed in the inter-version configuration converter.
47/ Fix: A bug in on-line verification within a section variable with a reference was fixed.
48/ Improvement: The CML inter-version configuration converter no longer prepends a single space to each line (as it did before); thus the number of changes stored into RCS after an upgrade decreases sharply.
49/ Fix: An error when entering a number instead of a global section name was fixed.
50/ Fix: The 'relayhost' setting format in Postfix main.cf files was fixed.
51/ Fix: The Postfix main.cf files generated by the CML contain the host name defined in the configuration, not the current system one.
52/ Fix: The closing comment line is no longer appended to the /etc/aliases file each time it is modified.
53/ Fix: The ./INFO command ignores unavailable (excluded) items and sections.
54/ Fix: Some minor bugs in C3H and in pasting within SWITCHES were fixed.

Configuration
-------------

55/ New: A DHCP-style configuration is now allowed. One of the interfaces can be declared as DHCP driven (by the DHCP-CLIENT item), and routes and local nameserver forwarders can also be affected by this setting.
56/ New: Configuration of virtual private networks via OpenVPN was integrated into the Kernun configuration.
57/ New: Configuration of virtual private networks via IPsec was integrated into the Kernun configuration.
58/ Improvement: The Kernun configuration contains new items in the SYSCTL section that allow setting the sysctl net.inet.ip.portrange.* variables. The values are also respected when checking transparent proxy LISTEN-ON collisions.
59/ Improvement: The 'myorigin' variable of the Postfix main.cf file can be set explicitly (by default, the official hostname is still used).
60/ Improvement: Besides plainly setting a variable in RC-CONF, the value can be extended by appending new text (RC-CONF.APPEND-ENV).
61/ New: The 'tagged' option of the packet filter configuration file (pf.conf) was added to the PACKET-FILTER section definition.
62/ New: The full-log packet data limit can now be set at the proxy global level (in the LOG section).
This value is used as the default and can be overridden for a particular data channel.

DNS proxy
---------

63/ New: The REQUEST-ACL.IGNORE-VOID-RR option now also affects the treatment of CNAMEs within the Authority (NMSERV) section.
64/ Improvement: The REQUEST-ACL.IGNORE-VOID-RR flag is now inherited by all internal requests generated by the original request from the client.
65/ Fix: In some circumstances, responses to clients in transparent mode were sent with the Kernun address as the source, not the server one.
66/ Fix: The 'ps' process title in transparent mode was fixed.
67/ Fix: Searching for glue records when the Authority (NMSERV) section happens to contain invalid RRs was fixed.

FTP proxy
---------

68/ Fix: The proxy correctly handles buffered client commands even after session rejection by the security policy.
69/ Fix: Some minor improvements in data connection timeout handling were made.

HTTP proxy
----------

70/ Fix: A bug in the HTTP proxy was fixed. Persistent connections to HTTP servers can now be reused for multiple requests even when SOURCE-ADDRESS is set in the configuration.
71/ Improvement: The log message REQUEST-END in the HTTP proxy now contains the reason why a request was rejected.
72/ Fix: The request URI sent to the web filter now also contains the query part (the optional part after a question mark).

KAT
---

73/ Fix: The KAT.APPLY parameter check was improved.
74/ New: A new option -d (dead) is available in the KILL command. It kills only those components that are no longer in the configuration.
75/ Fix: Packet filter optimization was disabled. In some cases, there were problems during PF restart.
76/ Improvement: The packet filter tables for static routes are generated only if they are later referenced. This decreases the number of situations in which KAT reports that a PF reload is required.

SIP proxy
---------

77/ New: REQUEST-ACL contains a REQUEST-METHOD item, an entry condition for filtering requests by type.
78/ Fix: A REQUEST-ACL rejection logging error was fixed.
SMTP proxy
----------

79/ Improvement: The grey-listing method now verifies clients not by a single address, but by a set of addresses given by a network mask (or number of bits). This feature allows correct operation even for MTAs using a cluster of several machines with several IP addresses.
80/ Improvement: The grey-listing databases are cleaned by cron every night by default.
81/ Improvement: The grey-listing database manipulation tool (triplicator) has new operations: backup, restore and purge (backup+restore).

SQL*Net proxy
-------------

82/ Improvement: The default RD (redirect) packet processing was changed. Now the RD data is respected even if the matching SESSION-ACL contains the PLUG-TO directive. The old behavior can be forced by the IGNORE option of the SESSION-ACL.REDIRECTIONS item.

UDP proxy
---------

83/ New: The proxy was reimplemented. The main reason was to be able to process protocols using IP broadcasts, i.e. the proxy must both receive and send broadcast datagrams. The second important feature is the ability to force source ports toward servers.
84/ New: The full-log packet data limit was moved from the UDPSERVER section to the LOG section. This feature is now identical in all proxies.

===============================================
Changes in KERNUN release 3.0 (compared to 2.5)
===============================================

General
-------

1/ Base OS version changed to the latest release on the FreeBSD 6.3 security branch.
2/ Ports/packages bundled with Kernun have been updated.
3/ New: Kernun now features new tools for installation, upgrade, backup, and restore.
4/ New: Kernun requires a valid license file for operation. A component (e.g., a proxy, antivirus, antispam, or web filter module) that is not properly licensed cannot be used.
5/ New: Several new components were integrated into the Kernun configuration and management, namely:
   - An IDS/IPS based on Snort ("snort" component and "IPS" section)
   - An NTP daemon ("ntpd" component and "NTP" section)
   - A DHCP server ("dhcpd" component and "DHCP-SERVER" section)
   - Local nameservers ("named" component and "NAMESERVER" section)
   - Packet filter ("pf" component and "PACKET-FILTER" section)
6/ New: Kernun has extended administrator management. Now two types of administrators can be defined: the first type are root-equivalent users, the second are "auditors" that can only view configuration and log files.
7/ New: The Kernun components write a hash of their configuration into the /var/run directory, so that the KAT tool is able to show components running with an outdated configuration that need to be reloaded.
8/ New: Various operating system (processor, memory, disk usage, etc.), network interface (numbers of transferred bytes and packets), and proxy (transferred bytes, number of child processes) parameters are continuously monitored, and their values over some time interval (day, month, year) can be displayed as graphs.
9/ New: Shell sessions of administrators are logged into files /var/log/session-USER-DATE-HOST.log.gz.
10/ Improvement: New kernel support for transparent communication was implemented. Transparent proxies no longer create packet filter rules dynamically.
11/ Improvement: It is possible to specify (via a tag) a set of Kernun components that will be controlled (stopped and started) when the cluster monitoring script switches CARP interfaces down and up.
12/ New: In UDP-based proxies, name resolution is done asynchronously by an extra child process called APR.
13/ Improvement: Kernun proxies (logging to a file) are now able to react to logfile rotation. A special command LOG (which can be scheduled in cron) was added to KAT to ease this.
14/ Improvement: Several changes to the server selection algorithm (in the dns-engine, i.e. dns-proxy and the APR child) were made to increase the robustness of its operation.

CML
---

15/ Fix: Displaying of meaningless error messages during on-line verification of a proxy in a section variable with parameters was suppressed.
16/ Improvement: When generating the output files, the CML tries to guess whether a particular global section is needed for the file (e.g. for the particular proxy). If it is absolutely sure that the section is not needed, its output is skipped so that the resulting files are not full of irrelevant data.

Configuration
-------------

17/ New: A new command pair SWITCH/CASE was added to allow more flexible configurations.
18/ New: Several new types of INTERFACE section were added (gre, gif...).
19/ New: Several operating system configuration files were added among those generated by the CML or modified by KAT.APPLY:
   - /etc/hosts is generated from the SYSTEM.HOSTS-TABLE section (if used)
   - /etc/periodic.conf is generated from the SYSTEM.PERIODIC-CONF section (if used)
   - /etc/passwd, /etc/group etc. are modified to contain the Kernun users defined in the SYSTEM.USER section
   - /etc/aliases is modified to contain the SYSTEM.ADMIN address as an alias for root
   - /usr/local/kernun/etc/newsyslog.conf is generated from the original /etc/newsyslog.conf according to the SYSTEM.ROTATE-LOG sections; this file can serve as the configuration file for the newsyslog daemon.
20/ New: Kernun components can have several TAG keywords assigned; the KAT tool then allows operating on component subsets using these TAGs.
21/ New: For the purpose of local mail delivery, a new clone of the SMTP forwarding agent was included in the SYSTEM section. Its name is LOCAL-MAILER and its configuration possibilities are very similar to the regular SMTP-FORWARDER.AGENT section.
22/ Improvement: Due to the much more complicated configuration structure caused by adding a large number of new sections with mutual references, global sections no longer need to be defined prior to their reference.
23/ Improvement: The maximal length of configuration atoms was increased to 4kB. This allows e.g. the use of longer ssh keys.
24/ Improvement: Multiline comments can be written in the form of a "structured" comment, i.e. as a block of comment lines grouped between a pair of special parentheses #{ and #}. This group can be edited en bloc by an external editor.
25/ Improvement: A block of comment lines can be stored into the clipboard and pasted at once.
26/ Improvement: It is possible to use an external source for any list in the configuration file (a so-called "in-line file").
27/ Fix: Branching elements of items must be written directly by the proper enumeration keyword; variables or path references are no longer valid. This very rarely used feature was a significant source of problems during inter-version configuration conversion.
28/ Improvement: The KERNUN-ROOT item is now optional; the default value of the path is /usr/local/kernun.
29/ Improvement: In the dns-proxy and smtp-proxy, the SOURCE-ADDRESS item is now allowed, but ignored with a warning log message. Thus, it is now possible to have a general ACL used in many proxies with SOURCE-ADDRESS valid only in some of them.

Dns-proxy
---------

30/ Improvement: The default depth of internal requests was increased so that some queries to Microsoft domains that were rejected in former versions now succeed.
31/ Improvement: A new item IGNORE-VOID-RR was added to REQUEST-ACL. It allows permitting the occurrence of irrelevant additional records in server responses for particular domains.
32/ New: Basic support for DNSSEC (RR types DNSKEY, RRSIG, NSEC and DS) was implemented.

GUI
---

33/ Fix: Configuration edit lines are limited to the proper length.
34/ Fix: A bug was fixed that could cause a GUI crash when loading saved markers/filters.
35/ Fix: A bug was fixed that could cause a GUI crash when displaying a forward reference of a section variable.
36/ New: Compound comments ( #{, ##{ ) are supported by the GUI.
37/ New: Cut, Copy and Paste work with comments.
38/ New: Common parent for proxies root, system root and network root in GKAT.
39/ Fix: Only those directories in /usr/local/etc/openvpn that contain the subdirectory ccd are considered to be Kernun OVPN (and are displayed in the GUI).
40/ New: Audit user support: a user with UID!=0 is allowed to watch but not to change.
41/ NAT manipulation was removed from the GUI (as a result of the change in the transparency implementation).
42/ Fix: Under certain circumstances, processes executed on the Kernun remained hanging after the GUI disconnected. This problem has been fixed.
43/ New: Multiple node selection in GCML. Multiple nodes can be hidden, unhidden, removed, expanded and collapsed. The expanded configuration is displayed for all the selected nodes.
44/ Fix: TCP/UDP port names are correctly recognized in the GUI under MS Windows.
45/ New: Support for statistics display in the GUI.
46/ Improvement: It is possible to sort items displayed in lists in GCML (process list etc.) by clicking the column header.
47/ New: Tags can be used for starting/stopping/restarting/reloading multiple applications. Multiple applications can also be easily synchronized with the configuration using the new synchronization dialog.
48/ Improvement: The layout of the item details was improved in GCML.
49/ Improvement: The way a section variable reference can be fixed after the number of parameters was changed in the section variable definition was improved.
50/ Improvement: The way OpenVPN offers unused addresses and validates addresses was improved.
51/ Improvement: A main menu was added to GKAT.
52/ New: About Qt dialog.
53/ Improvement: CPU demands were lowered.
54/ New: Relevant sections (especially ACLs) may be highlighted for proxies in GCML.
55/ New: Shared-Files can be edited directly from GCML. The RCS system is used to store their history.
56/ New: Tools for installation, upgrade, backup and restore can be easily accessed via the GUI.
57/ New: Graphs (traffic, temperature, etc.) are accessible in GKAT.

Http-proxy
----------

58/ Improvement: The SSL-SESSION-CACHE section was moved from the SYSTEM level of the configuration into the HTTP-PROXY one. This allows you to specify ssl caching parameters on a per-proxy basis (as already works with the other proxies). WARNING: The CML inter-version converter does not support this feature, so you have to move the global SSL-SESSION-CACHE section to HTTP-PROXY by hand.
59/ New: The http-proxy provides URL filtering using an external web filter. Individual requests are accepted or rejected according to the categorization of the request URI by a web filter database.

KAT
---

60/ Fix: Displaying of a large number of error messages when searching for the proper log by the GREPLOG command was suppressed.
61/ Improvement: The GREPLOG command can search even within zipped log files.
62/ New: A new command LOG was added to ease proxy logging control.

Sip-proxy
---------

63/ Improvement: The "compact" form of headers was implemented.
64/ Fix: Data channel offers within server provisional replies are implemented.

Smtp-proxy
----------

65/ Improvement: According to general practice, the local part of an email address is processed in a case-insensitive manner when it is processed for the grey-listing method.
66/ Improvement: The MAIL-ACL.PREFIX-SUBJECT item is now allowed despite the use of DENY. The reason is that it will apply to COPY-TO addressees.
67/ New: A new MAIL-ACL.REDIRECT-TO item was added to ease forwarding based on MAIL-ACL entry conditions (e.g. spam score).

========================================================
Changes in KERNUN firewall release 2.5 (compared to 2.4)
========================================================

General
-------

1/ Improvement: The summarization scripts (sum-http, sum-smtp, sum-proxy, sum-dns) create output in .csv format.
2/ Improvement: In some cases, resetting of a TCP connection by a peer causes undocumented error states to be returned by the FreeBSD library.
Now Kernun handles them as a regular end of communication.
3/ Improvement: When source-address is used in the configuration, the proxy first tries to bind this address. Only if bind fails is a NAT rule created. This improves performance if the source address is one of the firewall's IP addresses.
4/ Improvement: Proxy initialization has been changed so that proxies perform as many initialization actions as possible before entering daemon mode. This makes detection of proxy startup failures easier.
5/ Improvement: If a proxy needs a directory for its working files (for example, to create lock files) and the directory does not exist, it is automatically created upon proxy startup.
6/ Fix: If a proxy communicating via UDP terminates a transparent session and deletes the NAT rules related to the session, it also flushes the corresponding states. This allows clients to continue communication after a proxy restart.
7/ Improvement: Transparent UDP-based proxies flush the NAT states corresponding to NAT rules created by the proxy when the proxy deletes the rules.
8/ Fix: The configuration item AUTH now selects the right OOB-AUTH section.
9/ New: Startup/shutdown scripts for individual proxies (rc-scripts) have been replaced by a single rc-script. It takes information about configured programs (proxies) from /usr/local/kernun/etc/component.lst. Starting of all proxies is now repeated in a loop until either all proxies run, or a loop iteration brings no progress.
10/ New: All Kernun "applications" (proxies, ssh servers, postfix forwarders and CARP monitors) can have a PHASE number assigned, which determines the order of their start during Kernun startup.
11/ Improvement: Resolution of IP addresses specified by names in the configuration is periodically repeated in order to reflect changes in DNS. Resolution parameters are set by the configuration item CFG-RESOLUTION.
12/ Improvement: Configuration files for SSH daemons contain LogLevel VERBOSE.
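Items 79 to 81 of the 3.1 SMTP proxy notes above (grey-listing keyed by a client network rather than a single address, with a nightly database cleanup) and item 65 of the 3.0 Smtp-proxy notes (case-insensitive local part) describe one mechanism from two sides. The following Python is an added example, not Kernun's proxy or triplicator code, that implements that mechanism so the MTA-cluster case can be exercised directly. The /24 mask, the 5-minute minimum delay, the 4-hour retention of unconfirmed entries, and the addresses and mailboxes in the scenario are all assumptions of the example; the page does not state Kernun's defaults.

```python
"""Grey-listing keyed by client network instead of a single client address.

Added example (not Kernun code). A triplet (client, sender, recipient) is
deferred on first sight and accepted once a retry arrives after a minimum
delay. Keying the client part on a network (address masked to prefix_len
bits) lets an MTA cluster retry from a different address in the same
subnet and still match the earlier triplet.
"""
import ipaddress
from dataclasses import dataclass, field

DEFER = "defer"    # reply with a temporary 4xx and let the MTA retry
ACCEPT = "accept"


@dataclass
class Greylist:
    prefix_len: int = 24          # assumed mask; the page does not state Kernun's default
    min_delay: int = 300          # seconds before a deferred triplet is accepted (assumed)
    max_age: int = 4 * 3600       # seconds an unconfirmed triplet is kept (assumed)
    _db: dict = field(default_factory=dict)   # triplet -> {"first": ts, "confirmed": bool}

    def _key(self, client_ip: str, sender: str, recipient: str) -> tuple:
        # Mask the client to its network; lower-case both mail addresses so
        # the local part is matched case-insensitively (as in item 65).
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip: str, sender: str, recipient: str, now: int) -> str:
        """Decide one delivery attempt seen at time `now` (seconds)."""
        key = self._key(client_ip, sender, recipient)
        entry = self._db.get(key)
        if entry is None:
            self._db[key] = {"first": now, "confirmed": False}
            return DEFER
        if entry["confirmed"] or now - entry["first"] >= self.min_delay:
            entry["confirmed"] = True
            return ACCEPT
        return DEFER

    def purge(self, now: int) -> int:
        """Drop unconfirmed triplets older than max_age; returns the count removed.
        This is the work a nightly cron cleanup (item 80) would perform."""
        stale = [k for k, e in self._db.items()
                 if not e["confirmed"] and now - e["first"] > self.max_age]
        for k in stale:
            del self._db[k]
        return len(stale)


def cluster_scenario() -> dict:
    """Constructed scenario: first attempt from 192.0.2.10, a too-early retry
    and then a valid retry from 192.0.2.11 (same /24), with a per-address
    greylist for contrast. Addresses and mailboxes are made up."""
    by_net = Greylist(prefix_len=24)
    by_addr = Greylist(prefix_len=32)
    result = {
        "net_first": by_net.check("192.0.2.10", "Alice@example.net", "bob@example.org", now=1000),
        "net_early": by_net.check("192.0.2.11", "alice@example.net", "bob@example.org", now=1100),
        "net_retry": by_net.check("192.0.2.11", "alice@example.net", "bob@example.org", now=1360),
        "addr_first": by_addr.check("192.0.2.10", "alice@example.net", "bob@example.org", now=1000),
        "addr_retry": by_addr.check("192.0.2.11", "alice@example.net", "bob@example.org", now=1360),
    }
    # A triplet left behind by a sender that never retries ages out on purge.
    by_net.check("198.51.100.7", "spam@example.com", "bob@example.org", now=2000)
    result["purged"] = by_net.purge(now=2000 + 5 * 3600)
    return result


if __name__ == "__main__":
    for name, value in cluster_scenario().items():
        print(f"{name}: {value}")
```

In the scenario the per-address list defers the cluster's retry as a brand-new triplet, while the per-network list accepts it; the too-early retry is still deferred. The mask width is a trade-off: a wider mask (fewer bits) tolerates larger clusters but also lets a sender with many addresses in one subnet share a single confirmed entry, so it should be no wider than the clusters actually seen.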
Configuration
-------------

13/ Fix: The configuration WORD size has been increased to 64 bytes (from 32).
14/ Improvement: The CONTENT-TYPE item was added to the DOC-ACL prototype. This item allows setting a special behavior for documents not detected properly by the magic library, according to the original Content-Type header.
15/ Improvement: The testing programs test-xxx have better error recovery and a manual page (test-expr(5)).
16/ New: Kernun now features a configuration converter cml-cnv.sh that converts the configuration from an older version for use by the current Kernun version. The converter is called automatically by the installation process.
17/ Improvement: It is now possible to configure a transparent proxy and a non-transparent proxy/server on the same port and interface. The required PF rules are automatically generated. This is used in the initial configuration created after firewall installation. It contains an SSH server listening on the internal interface on port 22 and a tcp-proxy that handles SSH communication from the internal to the external interface on port 22.
18/ Improvement: Transparent proxies can be configured to listen on a range of ports by a single listen-on configuration item.
19/ Improvement: ACL.SERVICE is now a STR-SET, which allows wildcards.
20/ New: For OOB authentication, it is possible to specify in the configuration that authentication is required (a session without valid authentication is always denied) or allowed (a session without valid authentication can continue if permitted by ACLs).
21/ Improvement: C-language character escape sequences are allowed within configuration strings (e.g. "\r\n").

Cml/Kat
-------

22/ Improvement: Several configuration checks were changed so that they can be executed immediately when the proper item/section is entered in the CML.
23/ Fix: When APPLYing remotely, the target tree is first cleared before the tar file is extracted.
24/ Improvement: When APPLYing remotely, the kernun.cml and all included files are copied to the target machine, too.
25/ New: A new parameter FIND was added to the ./INFO command. It allows finding a configuration item/section by (part of) its name without knowing its exact location.
26/ Fix: Integer variables (like $_run_) can be a part of a string expression even if used in a place of a string value.
27/ Fix: C3H incompleteness within section variables has been fixed.
28/ Fix: Incorrectly configured LISTEN-ON addresses are skipped when checking address collisions.
29/ Fix: Some minor bugs in the generation of the local postfix configuration files (according to the SMTP-FORWARDER.AGENT data) were fixed.
30/ Improvement: The local postfix daemons are incorporated among the "Kernun applications" in the sense of the KAT commands PS, KILL, START, STOP etc.
31/ Improvement: The CML checks the correctness and accessibility of the CFGPATH command argument.
32/ Improvement: The syntax of variable names in the RC-CONF.SET-ENV configuration item is checked.
33/ Improvement: C3H offers proxy names in ACL.SERVICE.
34/ New: The ./undelete command also restores ./cut nodes.
35/ Improvement: The command ./generate deletes all SYSTEM-name directories (with both lowercase and uppercase names).
36/ New: A CML interface to RCS for managing versions of the configuration (option -r) has been introduced.
37/ New: The CML can manipulate the configuration file without checking in new versions in RCS, but an RCS check-in is required before ./generate.
38/ New: The KAT.RLOG and KAT.RCSDIFF commands were added to facilitate management of the Kernun configuration RCS versions.
39/ Improvement: The KAT.GREPLOG command selects the proper (even zipped) log file according to the -d/-D date option.
40/ Improvement: The KAT.KILL command with a "proxy=*" parameter also kills proxies in the EXITING state.
41/ New: There is a new command KAT.TEST to facilitate running the configuration testing test-* programs.
42/ Improvement: If monitoring is invoked via the KAT.MONITOR command, the directory containing the monitoring data is selected automatically according to the proxy configuration.
43/ New: Hidden sections are omitted (not offered) by C3H.
44/ Fix: KAT.MONITOR takes chroot into account.
45/ Fix: The pager setting (in the $PAGER environment variable) is used more consistently.
46/ Improvement: KAT.PS accepts a parent PID as an argument (ps PROXY=PID).
47/ Fix: Proxies configured as NODAEMON are skipped by the KAT.START command.
48/ New: There are new KAT commands LSSTATE and RMSTATE for listing and selectively deleting packet filter states.

Ftp-proxy
---------

49/ Fix: Several minor bugs in the handling of non-standard session termination cases have been fixed (some of them causing PANIC).
50/ Improvement: A server final response 221/421 is logged at N-level.
51/ Fix: A network error is properly logged as SESSION-END FAILED.
52/ Fix: The SESSION-END log message contains CLIENT/SERVER instead of FROM/TO.

GUI
---

53/ New: The GUI now supports connection to a newly installed Kernun firewall. Authentication is done using a password entered on the firewall console during the initial post-installation configuration. The GUI downloads and stores an SSH key for further access to the firewall.
54/ New: OpenVPN management was integrated into the GUI.
55/ Fix: A problem where (under certain circumstances) the GUI set an incorrect column for the atom when creating a marker by dragging from the list was fixed.
56/ Fix: A problem where the Snapshot function did not provide complete data under certain circumstances has been fixed.
57/ Fix: Under some circumstances, more than one progress bar was displayed upon connecting to the firewall.
58/ Fix: The GUI does not announce a download failure when (for example due to a limiting filter) it downloads an empty log. The GUI now correctly removes the progress bar under the same circumstances.
59/ Fix: Proper reaction to a full buffer when downloading a log into a memory buffer.
60/ Improvement: A Remove button has been added to each list/set member in the configuration editor.
61/ Fix: Fixed problems with dock widgets showing/hiding under MS Windows.
62/ The Qt library was upgraded to version 4.3.1.
63/ The Qt library is linked statically on MS Windows.
64/ Fix: When committing the configuration to the firewall, detection of system names has been improved.
65/ Fix: When committing the configuration to the firewall, certain sections other than the "system" section were presented in the "Apply" combo box.
66/ Fix: Under certain circumstances, pressing "Ctrl+plus" (recursively expand the tree structure) led to a GUI crash.
67/ Fix: Deleting the very root node of the filter or marker tree by pressing the "Del" key is not possible any more.
68/ Improvement: The C3H list behaviour was improved.
69/ Improvement: Enter hides the C3H list. If some item is selected, it is copied into the input widget.
70/ Fix: The format of the path displayed in the CML item detail widget was unified.
71/ Fix: Fixed problems that could cause a GUI crash when the "Remove" action was triggered very quickly for a period.
72/ Improvement: Section variable parameters are also displayed as tree nodes in the variable's definition. It is therefore possible to reorder the parameters in the section variable definition.
73/ Fix: It is possible to move the include node upwards/downwards.
74/ Fix: Hiding nodes within an include (which are therefore read-only) is not possible any more.
75/ Improvement: The Misc and Top tabs remember the scrollbar position upon content refresh.
76/ Fix: Pasting into a section variable parameter, into an include, and into an item is not possible any more.
77/ New: Postfix management has been integrated into GUI.
78/ Improvement: Refreshing of the error state was improved in the configuration editor.
79/ New: It is possible to copy the contents of the log viewer (and other windows based on the same class) into the clipboard or save it to a file.
80/ Improvement: A hotkey (Ctrl+I) for the "Append section/item next to this node" action in the GUI CML editor was added.
81/ Fix: Parsing of the PID column of log files was improved.
82/ New: It is possible to forward the ssh agent through the ssh connection. It is useful for applying the configuration among cluster members.
83/ Fix: Correct error message in the "Show Error Messages" box when an obligatory element is left empty.
84/ Improvement: GCML is able to add and/or edit comments. Other fixes have been done concerning multiline comments.
85/ Improvement: A search dialog in the log viewer (and other windows based on the same class) has been added.
86/ Fix: GUI revisions (e.g., "KERNUN-2_4b-RELEASE") are accepted without warning if the major and minor version are correct ("KERNUN-2_4-RELEASE" in the given example).
87/ New: A systray icon in MS Windows (Quick connect, access to key management) has been added.
88/ Improvement: SSH key management was improved in MS Windows (GUI can automatically unload the key from pageant when the key is not used for a given period).
89/ Fix: Hidden/Visible flags for columns in Log (and other similar windows) are correctly propagated to the Snapshot-ed windows.
90/ Fix: Parsing of the top command output was improved.
91/ Improvement: The log viewer displays manual pages (right click on a log viewer row). A man page can be displayed either "inline" in GUI or in the default web browser.
92/ New: Monitor windows for a single proxy and for all proxies that share the same communication directory were added.
93/ Improvement: Special icons for proxies and ACLs (deny/accept/unknown) in the configuration editor have been added in order to increase readability.
94/ Fix: On UNIX systems, ssh-agent is detected only by checking the environment variable SSH_AUTH_SOCK (the test of SSH_AGENT_PID was removed since it made it impossible to run GUI remotely with an agent forwarded by ssh).
95/ Improvement: It is possible to change the order of columns in the log viewer (and other similar windows).
96/ Improvement: The algorithm to guess which sections to open upon load of the configuration was improved.
97/ Improvement: The function "cut to clipboard" was implemented in the configuration editor.
98/ Improvement: Ctrl+C or Ctrl+Ins is the shortcut for copying sections/items in the configuration editor. Ctrl+V or Shift+Ins is the shortcut for pasting sections/items in the configuration editor. Ctrl+X or Shift+Del is the shortcut for cut in the configuration editor.
99/ New: The configuration editor can display changes that were made to the configuration. On UNIX, coloured output of diff is displayed by default; on MS Windows, the program ExamDiff.exe is used by default. A custom diff viewer can be configured in Preferences.
100/ New: The function "Show Expanded" displays the expanded version of the configuration. It can be used for the current subtree or for the whole configuration.
101/ New: The path to the current node can be displayed in the title bar of the configuration editor, if set so in Preferences.
102/ Improvement: When the filter definition gets dirty (i.e., after it has been changed), the button "Apply Filter" appears in order to stress the fact that it must be applied in order to take effect.
103/ Improvement: It is possible to negate a set member and toggle a range from the set member by the context menu (right-click) of the element editor.
104/ Fix: Variables of type IP are offered when filling an element of type Socket.
105/ Improvement: In "online" log viewers, it is possible to clear the contents of the window.
106/ New: It is possible to display the RCS (Revision Control System) history of the configuration file. The log messages and diffs between versions of the configuration file can be displayed; old versions can also be loaded into the configuration editor (and potentially committed to the firewall).
107/ Improvement: The configuration editor has an Undelete function.
108/ Improvement: It is possible to store/load filter/marker definitions to/from a file or the settings (registry on Windows, .config/tns/gui.conf on UNIX). It is possible to mark a stored marker to be loaded automatically when displaying this type of view.
109/ Improvement: The function "Snapshot" is not limited to the log viewer any more.
110/ Improvement: Minor changes in the output formatting of rc scripts (start/stop/restart/reload) have been made.
111/ Improvement: GUI displays a warning message when certain dangerous rc scripts that may render the firewall inaccessible by ssh (for example when manipulating the ssh server) are about to be called.
112/ Improvement: Rc scripts are executed via a special ssh connection (they do not share the ssh connection with the gkat tree refresh tasks any more, since the rc scripts might be quite lengthy). The connection is established upon the first rc script call.
113/ Improvement: A modal dialog is displayed when calling an rc script (start/stop/restart/reload) on the whole firewall. It prevents the user from making other actions on the firewall until the operation finishes.
114/ Improvement: In the configuration editor, there is a button "Manual to ..." for each proxy section.
115/ New: Network management was integrated into GUI. It is possible to start/stop interfaces and routing; the link state of configured interfaces is watched. Output of several variants of ifconfig, netstat and sockstat is displayed.
116/ Fix: Hidden nodes were displayed as positions of errors in the configuration editor under certain circumstances.
117/ Fix: Loading of the proxy tree for firewalls with many proxies has been sped up.
118/ Improvement: The refresh interval for checking proxy state (running/stopped etc.) can be configured in Preferences.
119/ Fix: It is possible to fix up a section variable application when there was a change in the count/order of its definition's parameters.
120/ New: RSS channel news (www.kernun.com/news.rss) can be displayed in the main window.
121/ Improvement: When downloading the configuration from the firewall, GUI first checks whether the configuration (file /usr/local/kernun/conf/kernun.cml) is properly stored in the RCS system on the firewall. If not, GUI offers the check-in.
122/ Fix: Stability issues with an incorrect settings file were fixed in the connection dialog.
123/ Improvement: If it exists, the default value is displayed in the tooltip for the given element.
124/ Improvement: After creating a new parameter in the section variable definition, the newly created parameter is given keyboard focus.
125/ New: A window for displaying (and deleting) pf rules (see kat lsnat, kat rmnat) has been added.
126/ New: A window for displaying (and deleting) pf states (see kat lsstate, kat rmstate) has been added.
127/ New: It is possible to create bookmarks in the log viewer and in the configuration editor.

Http-proxy
----------
128/ Fix: The request header Range is deleted from HTTP requests by default. Using ranges can defeat the document type identification and filtration features of http-proxy, because a partial (206) response does not contain the beginning of the document that those checks inspect. If ranges are needed, passing of the Range header can be explicitly permitted by request-acl.allow-req-hdr.

Imap4-proxy
-----------
129/ Fix: Document type identification has been fixed (an obsolete MIME-TYPES configuration item has been removed).
130/ Fix: Unwanted resets of TCP connections have been eliminated.

Pop3-proxy
----------
131/ Fix: Document type identification has been fixed (an obsolete MIME-TYPES configuration item has been removed).
132/ Fix: Unwanted resets of TCP connections have been eliminated.

Sip-proxy
---------
133/ New: Sip-proxy has been implemented. It handles the SIP/SDP/RTP protocols to an extent covering common VoIP devices. This is the very first version and some features are not implemented for now.

Smtp-proxy
----------
134/ Fix: Several minor bugs in handling of non-standard session termination cases have been fixed (some of them causing PANIC).
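The following Python sketch is an added example, not Kernun code, illustrating item 128 of the Http-proxy section above: a filter that identifies document types from the leading bytes of a response is blind once the client is allowed to ask for a byte range, so the proxy must strip Range unless the ACL explicitly permits it. The in-memory origin server, the magic table, the blocked-type policy and the sample executable body are all constructed assumptions for the demonstration; Kernun's real checks and ACL syntax are not modelled.

```python
"""Added example (not Kernun code): why a proxy that identifies document
types from the first bytes of a response must strip the client's Range
header unless explicitly allowed.

The tiny in-memory "origin server", the magic table and the policy helper
are assumptions made for this demonstration.
"""
import re

# Constructed sample body: an MZ (DOS/PE) executable header plus padding.
ORIGIN_BODY = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"A" * 100

# Minimal magic table (assumption): leading bytes -> document type.
MAGIC = [
    (b"MZ", "application/x-dosexec"),
    (b"%PDF-", "application/pdf"),
    (b"\x7fELF", "application/x-executable"),
]

BLOCKED_TYPES = {"application/x-dosexec", "application/x-executable"}

_RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")


def origin_serve(headers, body=ORIGIN_BODY):
    """Behave like an HTTP/1.1 origin: honour a single byte range (206),
    answer 416 for an unsatisfiable one, or return the whole document (200)."""
    rng = headers.get("Range")
    if not rng:
        return 200, body
    m = _RANGE_RE.match(rng.strip())
    if not m or (not m.group(1) and not m.group(2)):
        return 200, body  # unparseable range is ignored, as RFC 7233 allows
    if m.group(1):
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else len(body) - 1
    else:  # suffix range "bytes=-N": the last N bytes
        start = max(0, len(body) - int(m.group(2)))
        end = len(body) - 1
    if start >= len(body):
        return 416, b""
    return 206, body[start:end + 1]


def identify(body):
    """Magic-based identification looks only at the start of the data."""
    for prefix, doc_type in MAGIC:
        if body.startswith(prefix):
            return doc_type
    return "application/octet-stream"


def proxy_request(headers, allow_range=False):
    """Forward one request through the filtering proxy.

    allow_range=False models the new default (Range is deleted);
    allow_range=True models an ACL that passes the header through.
    Returns (status, document type seen by the filter, action).
    """
    fwd = dict(headers)
    if not allow_range:
        fwd.pop("Range", None)
    status, body = origin_serve(fwd)
    doc_type = identify(body)
    action = "deny" if doc_type in BLOCKED_TYPES else "accept"
    return status, doc_type, action


if __name__ == "__main__":
    # A client that skips the first two bytes hides the MZ signature.
    print(proxy_request({"Range": "bytes=2-"}, allow_range=True))
    print(proxy_request({"Range": "bytes=2-"}, allow_range=False))
```

With the header passed through, the filter sees an anonymous octet stream and accepts the partial executable; with the default (header dropped) the full document is fetched, the MZ signature is recognised and the request is denied. The same reasoning applies to any check that assumes it sees the whole object, such as antivirus scanning.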
135/ New: Generation and sending of Delivery Status Notifications can now be disabled by a new configuration item OMIT-DSN in the MAIL-ACL.
136/ Improvement: Spam score has been added as an entry condition of DOC-ACL.
137/ Improvement: Spam score is recorded in quarantine control files.
138/ Improvement: Antispam gets the header lines "From ..." and "Received ..." to be able to incorporate their values into score computing.
139/ Fix: The MAIL END message is logged even when the proxy is terminated by a signal during mail processing.
140/ Improvement: KAT.QUARC can select messages by client address (using a new option -c).
141/ Fix: Enhanced Status Codes with zero value can now be defined in the configuration ("reject 550 0 0" means the 550 5.0.0 response code).

========================================================
Changes in KERNUN firewall release 2.4 (compared to 2.3)
========================================================

General
-------
1/ Base OS version changed to FreeBSD 6.2-RELEASE.
2/ Ports/packages bundled with Kernun have been updated.
3/ New: Log messages contain the session id when applicable. The session id is logged together with the process id: [PID.SID] instead of [PID].
4/ Improvement: UDP-based proxies run in parent-child mode. The real work is done by the child process. The parent process only manages the child and restarts it if it terminates unexpectedly. This improves interaction between the UDP-based proxies and KAT.
5/ Fix: The resolver now uses the search list correctly.
6/ Fix: An empty file is not sent to the antivirus any more. This increases efficiency and removes a problem with DrWeb, which erroneously used the method DRWEB-FILE instead of DRWEB-NET for empty files, regardless of the configuration. This caused "File not found" errors from DrWeb if the antivirus and the proxy were running on different machines.
7/ Fix: A lock is used while accessing /dev/pf in order to prevent simultaneous ruleset manipulations by several transparent proxy processes.
8/ Fix: The OOB authentication helper script ooba-samba is now copied to /usr/local/kernun/bin during installation.
9/ Fix: Various fixes of the OOB authentication support.
10/ Improvement: Support for the antivirus/antispam statistics script sum-avas has been added to the switchlog sample configuration file switchlog.cfg.
11/ Improvement: The statistics scripts sum-http and sum-proxy compute the maximum and average request/session time instead of the sum of times of all sessions/requests.
12/ Improvement: The post-install interactive configuration script performs syntax checking of values entered by the user.
13/ Fix: The installer correctly installs the lib32 distribution on AMD64.
14/ Fix: The timeout in the initial installer menu has been removed. The installer waits until the user chooses either automatic or manual installation.
15/ Fix: Signal handling has been fixed in TCP-based proxies in the "exiting" state, that is, after receiving SIGHUP (graceful termination request).
16/ Fix: Any incorrect session termination causes a TCP connection reset. This informs clients and servers about errors and prevents sockets stuck in the FIN_WAIT_2 state.
17/ Fix: An error which left some processes running even after a termination signal has been fixed in TCP-based proxies.
18/ Fix: The "kat rmnat" commands have been removed from the proxy startup scripts. These commands were rarely needed and their removal greatly improves proxy restart times.

Antispam
--------
19/ New: If the antispam program is not running, SPAM-SCORE UNKNOWN is reported. This new meta-value can be matched in acl conditions.

Cml
---
20/ New: The CML tool uses the regular logging system like other Kernun applications. By default, it logs using syslog; logging can be managed by the (enhanced) /DBG command.
21/ New: The complete configuration definition has been built into the CML program.
Configuration definition files (CDF) are not needed by CML any more (nor is the -c option).
22/ New: The low-level parser routines for integrity checking are now called automatically during CML editing (on-line verification).
23/ Improvement: Verification error messages in CML report the "CML path" to the point of the configuration where the error occurred.
24/ New: It is possible to execute on-line verification for a part of the configuration by the VERIFY command.
25/ Improvement: The unhide and undelete commands execute on-line verification.
26/ Improvement: The online help in CML has been amended.
27/ Improvement: A section variable with a path ($var.path) can be applied to a node with the same context (as $var.path) with the meaning: apply all subnodes of the referenced node ($var.path) here ("container" type of application).
28/ Fix: LDAP sections are correctly generated for all proxies that use OOB authentication.
29/ Fix: Error detection in included configuration files has been fixed.
30/ Improvement: It is possible to define aliases for CARP interfaces.
31/ Improvement: Various minor improvements in CML user interaction.
32/ Fix: Configuration files for hidden SSH servers are not generated any more.
33/ Improvement: The load command detects repeated occurrences of non-repeatable sections and items as an error.
34/ Fix: Failure of the load command stops generating (in the batch call with the -g option).
35/ Improvement: The show command allows displaying repeatable and hidden directives by using the index in brackets. The CDF type of node (as a filter for displaying) can now be specified as an extra parameter.

Dns-proxy
---------
36/ Fix: Handling of non-standard CNAME record order has been fixed.
37/ Fix: A bug in idle and request timeout handling in TCP communication has been fixed. It caused an endless loop when a timeout expired.
38/ Improvement: Unsuccessful QUERY/NOTIFY item searches within request-acl are reported by a new log message (DNSP-610-A).
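Item 16 of the release 2.4 General section above says that an abnormal session termination now resets the TCP connection so the peer learns about the error instead of waiting in FIN_WAIT_2. The release notes do not say how the proxies produce the reset; the Python example below is added here, is not Kernun code, and uses the usual POSIX mechanism (SO_LINGER with a zero linger time) as an assumption. The loopback server/client pair and the single "request" sent are constructed for the demonstration.

```python
"""Added example (not Kernun code): forcing a TCP reset on abnormal
session termination, so the peer sees ECONNRESET rather than a clean
end-of-file and no socket lingers in FIN_WAIT_2.

The loopback server/client pair is constructed for the demonstration.
"""
import socket
import struct
import threading


def abort_connection(sock):
    """Close sock with an immediate RST instead of an orderly FIN.

    SO_LINGER with l_onoff=1 and l_linger=0 discards unsent data and makes
    close() send a reset. This is the usual POSIX way (an assumption here,
    not something the release notes specify).
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    sock.close()


def _serve_one(listener, abort):
    """Accept one client, read its first bytes, then end the session
    either abnormally (reset) or normally (FIN)."""
    conn, _ = listener.accept()
    conn.recv(16)
    if abort:
        abort_connection(conn)        # simulated error path
    else:
        conn.shutdown(socket.SHUT_WR)  # normal path: orderly close
        conn.close()


def client_observes(abort):
    """Run one exchange over loopback and report what the client saw:
    'reset' (ECONNRESET), 'eof' (orderly close) or 'data'."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_serve_one, args=(listener, abort))
    server.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
            c.sendall(b"GET / HTTP/1.0\r\n")  # constructed 16-byte request
            try:
                data = c.recv(16)
            except ConnectionResetError:
                return "reset"
            return "eof" if data == b"" else "data"
    finally:
        server.join()
        listener.close()


if __name__ == "__main__":
    print("abnormal termination ->", client_observes(abort=True))
    print("normal termination   ->", client_observes(abort=False))
```

The orderly path leaves the side that closed first in FIN_WAIT_2 until the peer also closes, which a confused or malicious peer may never do; the reset path tears the state down on both sides immediately, which is why item 16 treats any incorrect termination that way.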
Ftp-proxy
---------
39/ Improvement: The ACL phase 3 informational log message now reports the direction of data transfers.
40/ Fix: A superfluous PANIC message has been removed from the module which provides FTP services for http-proxy.

GUI
---
41/ Improvement: Kernun now has a graphical user interface (GUI) for remote administration. It is distributed in binary executable format for FreeBSD and Windows. The FreeBSD version of the GUI is built for the same OS version as the rest of the firewall and requires X11 on the administrator's station. X11 is not required on the firewall itself. The GUI is also distributed as source code and should work on any platform where GCC, the Qt/X11 toolkit, and X11 are available.

H323-proxy
----------
42/ Fix: Handling of special cases in opening logical communication channels has been fixed.

Http-proxy
----------
43/ Fix: A bug which prevented more than one user from being authenticated via OOB authentication has been fixed.
44/ Fix: The HTTP method CONNECT now works correctly when combined with hand-off.
45/ Fix: Http-proxy now returns an error page if the connection to the remote server via the CONNECT method fails.
46/ Improvement: The statistics script sum-http allows the choice of HTTP-authenticated or AProxy-authenticated users when generating per-user values.
47/ Fix: AProxy properly handles logout attempts of users who are not logged in.

Kat
---
48/ New: The KAT tool uses the regular logging system like other Kernun applications. By default, it logs using syslog; logging can be managed by a new DBG command.
49/ Improvement: A new SHOWAPP command has been implemented. It displays the list of all configured applications (proxies, SSH servers).
50/ Improvement: A new PS command option -a displays all proxy child processes.
51/ Improvement: A new PS command option -d displays running proxies which have been deleted from the configuration.
52/ New: Log viewing in KAT is done by two commands.
The SHOWLOG command displays a live growing log online (like the tail -f command). The GREPLOG command displays an existing log file (even zipped) and allows browsing in it (using the pager defined in the $PAGER environment variable). Both commands provide selection of log messages by various criteria (in the same manner).
53/ Improvement: New variants of selecting target processes have been added to the KILL command.
54/ Improvement: A new TRIPLICATOR command has been added as a wrapper for the triplicator tool calls.

Smtp-proxy
----------
55/ Fix: The proxy respects the original destination address for the acl search.
56/ Fix: End-of-file detection during mail processing has been fixed.
57/ Fix: Utility QUARC.SH now works in directories containing large numbers of files, more than fit on a shell command line.
58/ Improvement: Utility QUARC.SH provides mail selection by proxy name in the case of a quarantine shared by several proxies.
59/ Improvement: The grey-listing database has changed its format and records now contain all future time limits. Thus, it is possible to use different time parameters for different request-acls within one proxy configuration.

Sqlnet-proxy
------------
60/ Fix: A new type of ERROR server response is recognized by the proxy.

========================================================
Changes in KERNUN firewall release 2.3 (compared to 2.2)
========================================================

General
-------
1/ Base OS version changed to FreeBSD 6.0-RELEASE.
2/ Kernun integrated into the port/package system.
3/ Distribution both in source code and as binary packages for faster installation.
4/ A new installer installs the operating system together with Kernun.
5/ The default installation mode requires minimum user interaction.
6/ Automatic post-installation configuration.
7/ A new User Manual containing detailed installation instructions, a tutorial, and reference documentation.
The manual is distributed in HTML and PDF formats, the reference part also as manual pages.
8/ IPSEC was excluded from the default kernel (built automatically during the installation process) as it can cause performance degradation.
9/ Improvement: Item CARP changed to section CARP-INTERFACE in order to allow referring to its contents.
10/ Improvement: Bad MIME header parameters are accepted by using the keep-bad-header-params item.
11/ Improvement: LDAP authentication.
12/ Improvement: Out-of-band authentication.
13/ Fix: Interface mediaopt generated correctly to rc.conf.
14/ Fix: The monitoring communication directory is a usual string, not a shared-dir.
15/ Fix: Software packages distributed with Kernun were upgraded to recent versions.
16/ Fix: The quarantine processing tool now respects chrooted directories.
17/ Fix: Better handling of some signals.
18/ Fix: Relaxed handling of some errors generated by closing a socket.

Antispam
--------
19/ Fix: Antispam module sends instead of at the end of lines.

Antivirus
---------
20/ Improvement: If viruses are found, their names are added in the form of a special header.

Dns-proxy
---------
21/ Improvement: Ability to transfer zones (through both AXFR and IXFR) added.
22/ Improvement: New resource records implemented: TXT, SPF, HINFO.

Ftp-proxy
---------
23/ Fix: A bug has been fixed which caused PANIC if the server had sent the final 226 control message before the data transfer had started.
24/ Fix: Several minor bugs in the HTFTP module have been fixed (some of them causing PANIC).
25/ Fix: Fixed behaviour when the session is interrupted before the connection to the actual server.
26/ Fix: Better handling of network I/O errors (e.g. DNS resolution).
27/ Fix: PANIC of ftp-proxy in htftp mode avoided.

H323-proxy
----------
28/ Improvement: A new H.323 protocol feature allowing the use of URLs instead of H.323 identifiers has been implemented.
Http-proxy
----------
29/ Improvement: If two Content-Type headers are received and they differ only in the presence of parameters after the semicolon (not in the value itself), the response is accepted and only the longer header is sent to the client.
30/ Improvement: The headers ETag and Last-Modified can be repeated.
31/ Fix: A bug in chunked transfer encoding end-of-file handling has been fixed. It caused PANIC when chunked encoding was used together with antivirus processing or magic content type identification.

Imap4-proxy
-----------
32/ Fix: After a format error or deny action in an ACL, the proxy could sometimes send the malicious data in the response to the next command.

Kat/Cml
-------
33/ Improvement: Option '-p' in the KAT.SHOWLOG command (meaning process id).
34/ Improvement: Socket collisions are handled at an early stage in CML.
35/ Improvement: A default value of "kernun" has been introduced for the item proxy.proxy-user.
36/ Improvement: Command `goto' now accepts the prefix `=', followed by the name of a section or item.
37/ Fix: Changed behaviour of the `apply' command: remote application is triggered only by the item APPLY-HOST in the configuration.
38/ Fix: A message warning that a referenced section does not exist while reading a CML file is suppressed.
39/ Fix: On some error conditions, a section was erroneously deleted in CML.
40/ Fix: Fixed a bug causing a crash of CML under rare conditions.
41/ Fix: Item `server' has been excluded from section `acl'.

Monitor
-------
42/ Improvement: The monitor utility allows customizing the title bar colour and caption in HTML output.

Pop3-proxy
----------
43/ Fix: When filtering mails (the no-mail-scanning item is not used), the proxy was not able to process messages larger than an internal buffer limit.
44/ Fix: The "TOP n 0" command does not cause error messages due to MIME boundaries that are not found.

Smtp-proxy
----------
45/ Improvement: TLS implementation.
46/ Improvement: DNS-based black-listing (e.g. ORDB.ORG).
47/ Improvement: Grey-listing (see http://projects.puremagic.com/greylisting/ for more information).
48/ Improvement: White-listing (Sender Policy Framework).
49/ Improvement: More information is logged when a sender/recipient is rejected.
50/ Improvement: Implemented a configuration parameter mail-line-len, allowing to accept messages exceeding the line length limit of 1000 bytes defined by the RFC.
51/ Fix: Corrected forwarder cleanup after a mail has been processed in a proxy process.
52/ Fix: Repeated "mail from:" command handled.
53/ Fix: Corrected recognition of EHLO options, regardless of case.

Sqlnet-proxy
------------
54/ Improvement: New form of server error message encoding implemented.

Statistics
----------
55/ Improvement: Statistics for antivirus and antispam engines have been introduced.
56/ Fix: Corrected per-hour statistics graphical output for the SMTP proxy.

========================================================
Changes in KERNUN firewall release 2.2 (compared to 2.0)
========================================================

General
-------
1/ Base OS version changed to FreeBSD 5.4-RELEASE.
2/ New: Support for the 64-bit AMD64 architecture has been added.
3/ New: Pop3-proxy has been implemented. It handles the POP3 protocol (including POP3S) and can do antivirus, antispam and content checking.
4/ New: Imap4-proxy has been implemented. It handles the IMAP4 protocol (including IMAP4S) and can do antivirus, antispam and content checking.
5/ New: Kernun now uses the PF filter instead of IPFILTER for redirection of transparent connections to proxies. See the transparency(7) manual page for more information.
6/ New: It is possible to use several methods for document type identification, namely the content type header, the filename extension and the magic library (on Unix-like systems, this is the method used by the 'file' program). See the doctype-identification(7) manual page for more information.
7/ New: The FreeBSD native in-kernel CARP implementation is preferred to the former VRRP daemon to build hot-standby firewall clusters. See the carp(4) manual page for more information.
8/ New: An independent resolver has been implemented. The standard system resolver is not used any more. One of the main advantages is the possibility to set up independent timeouts for resolution of names for the sake of logging and for critical resolutions, e.g. the server name that the proxy is about to connect to. See the resolving(7) manual page for more information.
9/ New: Proxies can use traffic shaping for outgoing communication. Traffic shaping rules can be used deep in ACL rules, allowing fine-grained bandwidth management. See the traffic-shaping(7) manual page for more information.
10/ New: Telnet-proxy support has been discontinued, and the proxy has been removed from the distribution. It is recommended to use tcp-proxy instead.
11/ New: Proxies can write current connection status data (including client, server, amount of data transferred, user name etc.) to a shared memory area. A monitoring tool reads those data and makes a top-X view of them (either in text mode or as an HTML file). See the monitor(1) manual page for more information.
12/ Fix: The fwpasswd command preserves group names.
13/ Fix: It is now possible to specify SSH v2 RSA keys in ssh-keys.
14/ Fix: Several logging messages were fixed.
15/ Fix: Process list titles were fixed.
16/ Fix: Waiting for child processes after a signal in the parent corrected.
17/ Fix: Under rare conditions, a proxy using SSL could loop forever.
18/ Fix: Sometimes, connections to servers were failing with the EADDRINUSE error.
19/ Fix: TCP reset is treated as a communication error.
20/ Fix: The source-address mapping rule strictly uses the same port number as bound locally.

Antivirus/Antispam
------------------
21/ New: Support for the ClamAV antivirus has been added.
22/ New: Support for the NOD32 antivirus has been added.
23/ Improvement: Heuristic analysis for DrWeb switched on.
24/ Improvement: The antivirus checking module sends a few bytes of unchecked data to the client to avoid timeouts.
25/ Fix: Handling of DrWeb return codes.
26/ Fix: Correct file name sent to DrWeb when communication takes place over a network socket (drweb-net).
27/ Fix: Communication with DrWeb over the network fixed.
28/ Fix: The antispam module now correctly handles scores less than zero.

Dns-proxy
---------
29/ Improvement: Resource record type SRV has been added.
30/ Fix: Correct behaviour when the nameserver cache is full.
31/ Fix: Under some circumstances, a nameserver could be cleaned up too early.
32/ Fix: Several minor bugs have been fixed.

Ftp-proxy
---------
33/ Fix: When the user enters an invalid server, the proxy now behaves correctly.
34/ Fix: Access control according to the real server destination address fixed.
35/ Fix: Data-port setting in session-acl.
36/ Fix: Corrected behaviour after a communication error with the antivirus daemon.
37/ Fix: Fixed behaviour when a virus was found; added a message in the control connection to the client.
38/ Fix: When an error occurs on a connection to the antivirus, the proxy now does not block.
39/ Fix: Treatment of file names with special characters fixed.

H323-proxy
----------
40/ Improvement: Support for the video capabilities H.262 and H.263 has been added.
41/ Improvement: Support for the extended version of the Q.931 protocol has been added.
42/ Fix: Panic when an IP address was found where not expected.
43/ Fix: Processing of the Connect packet has been fixed.

Http-proxy
----------
44/ New: By adding the DOC-ACL level, the proxy now has a deeper structure of its ACL rules and can handle individual documents in a more granular fashion.
45/ New: Improved security checks of the request line, headers, cookies etc.
46/ Improvement: A redundant status line in the response from the server is ignored (some servers do that).
47/ Improvement: Unicode sequences in the form %uHHHH are recognized.
48/ Improvement: The status code has been added to the REQUEST-END log message.
49/ Improvement: Handling of misconfigured header sets, including both Content-Length: and Transfer-Encoding: chunked headers.
50/ Improvement: HTTP host and URI can be matched independently in ACLs.
51/ Improvement: The Aproxy-authenticated user can be matched in ACLs.
52/ Fix: Persistent connections to the server are correctly closed after the client has closed the connection.
53/ Fix: Fixed panic in the network I/O module when a header line is too long.
54/ Fix: Correct closing of the data connection in HTFTP mode.
55/ Fix: Fixed an error in communication with some FTP servers that could lead to empty directory listings.
56/ Fix: The HTML filter applies correctly to all pages, regardless of transfer type.
57/ Fix: No more data are fetched after the connection to the client has been closed.
58/ Fix: Processing of the NTLM authentication scheme fixed.
59/ Fix: Combination of Aproxy and server authentication fixed.
60/ Fix: Status line added to the REQUEST-END message for Aproxy.
61/ Fix: Transparent connections with a hand-off server are processed correctly.
62/ Fix: Parsing of cookies for Aproxy fixed.

Kat/Cml
-------
63/ Improvement: Command completion in CML for enumerations, named types, keyed types and parent acl sections.
64/ Improvement: Command /show in CML displays line numbers.
65/ Improvement: New commands hide/unhide allow commenting out whole items and/or sections without deleting them.
66/ Fix: When applying the configuration, system names may overlap.
67/ Fix: The 'apply' action does not delete chroot directories.
68/ Fix: After several unsuccessful attempts at sending -HUP, KAT kill sends the -TERM signal. This corrects the reload behaviour of UDP-based proxies.
69/ Fix: Corrected bad signal handling in KAT; added SIGINFO.

Smtp-proxy
----------
70/ New: A tool for handling quarantined messages has been implemented. It allows dropping the message or resending it, using specific actions (remove attachments, check against viruses again etc.).
71/ New: The proxy can send Delivery Status Notification (DSN) messages.
72/ Improvement: Because many MUAs create non-RFC-compliant messages, a set of configuration directives has been added to allow administrators to permit those messages. These directives include:
    session-acl.accept-8bit-header
    session-acl.correct-bad-char
    session-acl.correct-8bit-body
    session-acl.treat-binary-as-8bit
    session-acl.correct-boundary
Further, the proxy automatically corrects several problems in non-RFC-compliant messages, for example: a missing semicolon in MIME headers, white space at the end of commands and headers, 8bit in quoted-printable documents.
73/ Improvement: The proxy now recognizes the ID in responses from MS Exchange.
74/ Improvement: When an rfc822 mail message is attached, it is possible to treat it as text. If it contains errors, the proxy will refuse to send such a message, but this may be intentional, as rfc822 attachments are used to inform users of a delivery failure. This is achieved with the directive session-acl.treat-rfc822-as-text.
75/ Improvement: Missing quoting of headers can be corrected (with the configuration directive 'correct-quoting').
76/ Improvement: Antispam calling can be limited to messages not exceeding a specific size.
77/ Improvement: Multipart signed messages may be left untouched with the 'treat-signed-as-text' configuration directive.
78/ Fix: More rigorous check of line lengths.
79/ Fix: Treating of at the end of non--terminated quoted-printable attachment.
80/ Fix: Double in MUL MIME.
81/ Fix: Correct check of MAX_ADDR_SIZE even when the domain is not present.
82/ Fix: Under rare conditions, the proxy could hang forever while communicating with the client.
83/ Fix: Under some circumstances, the proxy stopped talking to the server and a timeout fired.
84/ Fix: Resending of error codes and messages from the forwarder to the client.
85/ Fix: Fixed antivirus status for multipart and message MIME types.
86/ Fix: Several minor fixes of erroneously formatted messages.
Sqlnet-proxy
------------
87/ Improvement: Session-acl now includes plug-to and source-address directives.
88/ Improvement: Support for a server running on a 64-bit architecture added.
89/ Fix: Handling of a redirect divided into two separate packets.
90/ Fix: Corrected redirect packet processing.
91/ Fix: Access control check of the destination server within transparent connections was fixed.
92/ Fix: Handling of TNS ping packets.

Statistics
----------
93/ Fix: When generating statistics, memory is allocated more efficiently.

Tcp-proxy
---------
94/ New: The proxy can use TLS independently on both communication channels (with client and server).
95/ Improvement: Independent timeouts for half-closed connections.

Udp-proxy
---------
96/ Fix: Increased precision for timeouts from 1 s to 1 us.

========================================================
Changes in KERNUN firewall release 2.0 (compared to 1.x)
========================================================

General
-------
1/ KERNUN firewall version 2.0 has gone through a huge number of changes. We do not cover every single modification in this document. For a detailed description of individual functions, please read the documentation (starting with the general document kernun(7)). Among the most important innovations are the new configuration system, the new modular system that enables code to be shared among proxies (e.g. HTML filtering, network I/O, antivirus, etc.), and the virus and spam detection capabilities.
2/ Base OS version changed to FreeBSD 5.3-RELEASE.

Configuration
-------------
3/ The configuration mechanism of KERNUN firewall has been replaced. Instead of the former KC system consisting of a kernun.conf file and a set of kc* commands (kcverify, kccommit, kcreload, etc.), there is a command-line interface to basic administration tasks called KAT (Kernun Administration Tool, see kat(8)) and a command-line interface to the configuration itself called CML (Configuration Management Language, see cml(8)).
    The reference manual of the new configuration system can be found in the kernun.cml(5) manual page. The most important changes in configuration are:
    a/ IP addresses must be enclosed in square brackets [], including the network mask specification. Examples: [1.2.3.4], [10.0.0.0/8], [192.168.0.0/255.255.255.0]
    b/ List elements must be separated with a comma. Example: { [192.168.0.0/24], [192.168.1.0/24] }
    c/ The configuration in CML should reside in the new directory /usr/local/kernun/conf.

Aproxy
------
4/ Aproxy has been completely integrated into http-proxy.

Dns-proxy
---------
5/ No fundamental modifications have been made to dns-proxy.

Ftp-proxy
---------
6/ Ftp-proxy has been rewritten to adapt to the new modular system. It is possible to trigger the same HTML filtering engine on data transferred within the FTP protocol. Also, virus detection is available.

H323-proxy
----------
7/ No fundamental modifications have been made to h323-proxy.

Http-proxy
----------
8/ Http-proxy version 2.0 is a complete rewrite. Apache code is not used any more. As a consequence, its configuration is adapted to the rest of the firewall. Virus detection is possible for data passing through http-proxy.

Smtp-proxy
----------
9/ Smtp-proxy version 2.0 is a complete rewrite. It is not based on Postfix any more. However, it assumes a working SMTP forwarder available all the time. Specifically, smtp-proxy does not implement a mail queue. If a client contacts smtp-proxy, the proxy immediately opens a connection to its forwarder. As a consequence, if the forwarder is out of order, smtp-proxy does not accept a single mail. The best solution is to use a locally installed MTA program (we strongly recommend Postfix) as the forwarder. The alternative option is to use forwarders "close" to the firewall system, e.g. one internal forwarder for inbound mails and one external forwarder that takes care of outbound mails.
    Smtp-proxy adopts the new modular system and is capable of applying the same HTML filtering rules as http-proxy. Also, virus detection is available, as well as a spam detection system.

Sqlnet-proxy
------------
10/ Sqlnet-proxy now understands TNS protocol version 3.13.

Tcp-proxy
---------
11/ Tcp-proxy has been rewritten to adapt to the new modular system.

Telnet-proxy
------------
12/ No fundamental modifications have been made to telnet-proxy.

Udp-proxy
---------
13/ No fundamental modifications have been made to udp-proxy.
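Item 49 of the http-proxy changes above (handling of header sets that carry both Content-Length: and Transfer-Encoding: chunked) touches a framing decision every proxy has to make. The following Python is an added example, not KERNUN code, showing the conservative policy: derive the body length from exactly one header, and reject a message whose headers disagree (RFC 7230, section 3.3.3, notes that such messages ought to be treated as an error because the two peers may otherwise disagree on where the message ends). The sample messages are constructed for the example.

```python
"""Added example: classify HTTP message framing and reject ambiguous
header sets.  This is illustrative code, not the http-proxy's own parser."""
import re
from typing import Dict, List, Tuple

HeaderMap = Dict[str, List[str]]


def parse_head(raw: bytes) -> Tuple[str, HeaderMap]:
    """Split a raw HTTP head into the start line and a lower-cased header
    multimap.  Obsolete line folding is refused because it is another
    construct on which two peers may disagree."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers: HeaderMap = {}
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding not accepted")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return lines[0].decode("latin-1"), headers


def framing_decision(headers: HeaderMap) -> str:
    """Return how the body is delimited: 'chunked', 'content-length:<n>' or
    'none'.  Any conflicting or malformed combination yields 'reject:<why>'."""
    te = headers.get("transfer-encoding", [])
    cl = headers.get("content-length", [])
    if te and cl:
        # The misconfigured header set from item 49: two competing length sources.
        return "reject:content-length and transfer-encoding both present"
    if te:
        # Transfer-Encoding is a list of codings; chunked must be the last one.
        codings = [c.strip().lower() for v in te for c in v.split(",") if c.strip()]
        if not codings or codings[-1] != "chunked":
            return "reject:transfer-encoding without final chunked coding"
        if codings.count("chunked") > 1:
            return "reject:chunked applied more than once"
        return "chunked"
    if cl:
        # A repeated Content-Length is tolerable only when every copy is identical.
        values = set(cl)
        if len(values) != 1:
            return "reject:conflicting content-length values"
        value = values.pop()
        if not re.fullmatch(r"[0-9]+", value):
            return "reject:non-numeric content-length"
        return "content-length:%d" % int(value)
    return "none"


def classify_message(raw: bytes) -> str:
    """Parse the head and return the framing decision for a whole message."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return "reject:%s" % exc
    return framing_decision(headers)


# Constructed sample messages for the example (not captured traffic).
AMBIGUOUS = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n")
CHUNKED = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           b"Transfer-Encoding: gzip, chunked\r\n\r\n")
PLAIN = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 13\r\n\r\n")

if __name__ == "__main__":
    for name, msg in (("ambiguous", AMBIGUOUS), ("chunked", CHUNKED), ("plain", PLAIN)):
        print(name, "->", classify_message(msg))
```

Rejecting is the right default for a proxy that sits between two peers it does not control: silently preferring one header over the other only works if every hop downstream applies the same preference.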
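Item 3 of the release 2.0 configuration changes above gives the CML address notation (addresses in square brackets, prefix or dotted mask, comma-separated lists in braces). The following Python is an added example, not part of KERNUN or its CML implementation, that parses exactly the forms shown on the page and rejects the ones the page says are invalid (a bare address without brackets, list elements not separated by a comma). The address_in_list helper assumes the usual ACL semantics that an address matches a list when any element contains it; the sample inputs are constructed.

```python
"""Added example: parse the CML address and list notation.
Illustrative code, not KERNUN's own CML parser."""
import ipaddress
import re
from typing import Iterable, List

# One CML address token: [a.b.c.d], [a.b.c.d/prefix] or [a.b.c.d/m.m.m.m]
_ADDR = re.compile(r"\[\s*([0-9./]+)\s*\]")


def parse_cml_address(token: str) -> ipaddress.IPv4Network:
    """Parse one bracketed address into an IPv4Network.  A bare host address
    becomes a /32.  ipaddress accepts both the prefix-length and the dotted
    netmask form; strict=True rejects a network with host bits set, which
    usually signals a typo in the mask."""
    m = _ADDR.fullmatch(token.strip())
    if not m:
        raise ValueError("address must be enclosed in square brackets: %r" % token)
    return ipaddress.IPv4Network(m.group(1), strict=True)


def parse_cml_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse a brace-delimited, comma-separated list of addresses.
    Two elements without a comma between them fail inside parse_cml_address."""
    s = text.strip()
    if not (s.startswith("{") and s.endswith("}")):
        raise ValueError("list must be enclosed in braces: %r" % text)
    inner = s[1:-1].strip()
    if not inner:
        return []
    return [parse_cml_address(elem) for elem in inner.split(",")]


def cml_list_is_valid(text: str) -> bool:
    """True when the list parses cleanly, False on any syntax or mask error."""
    try:
        parse_cml_list(text)
    except ValueError:
        return False
    return True


def address_in_list(address: str, networks: Iterable[ipaddress.IPv4Network]) -> bool:
    """ACL-style membership test (assumed semantics: any element matches)."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    # Constructed sample inputs taken from the forms shown in the changelog.
    for token in ("[1.2.3.4]", "[10.0.0.0/8]", "[192.168.0.0/255.255.255.0]"):
        print(token, "->", parse_cml_address(token))
    nets = parse_cml_list("{ [192.168.0.0/24], [192.168.1.0/24] }")
    print("192.168.1.7 in list:", address_in_list("192.168.1.7", nets))
    print("missing comma valid:", cml_list_is_valid("{ [192.168.0.0/24] [192.168.1.0/24] }"))
```

The strict mask check is deliberate: a mask typo such as [1.2.3.4/255.255.0.0] would otherwise be accepted and silently widen an ACL entry from one host to a whole /16.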