======================================================
Changes in KERNUN release 3.13 (compared to 3.12.3-h2)
======================================================

General
-------
1/ Base OS version changed to FreeBSD 13.1-RELEASE.

OpenVPN:
--------
2/ Added the possibility to use the Cisco Duo multi-factor authenticator in OpenVPN.

===========================================================
Changes in KERNUN release 3.12.3-h2 (compared to 3.12.3-h1)
===========================================================

Adaptive Firewall:
------------------
1/ Fix: Fixed the adaptivity statistics "af-dst" showing the same data as the "af-src" statistics.

========================================================
Changes in KERNUN release 3.12.3-h1 (compared to 3.12.3)
========================================================

Antivirus
---------
1/ Fix: Updated to a newer version of the ClamAV antivirus engine that fixes a critical security vulnerability (CVE-2023-20032).

Kernun Branch Access
--------------------
2/ Improvement: Additional types of serial console cable are now supported.

========================================================
Changes in KERNUN release 3.12.3 (compared to 3.12.2-h3)
========================================================

Adaptive Firewall:
------------------
1/ Improvement: The KAT AF SHOW command uses a column format and prints column headers as well.
2/ Improvement: PF table refreshing is now done by an ioctl() call, so it is now an almost atomic operation.
3/ Change: The HTTP ports (80 and 443) are excluded from the honeypot service; connections to these ports are ignored.
4/ New: Adaptivity statistics were added.
5/ Fix: Fixed sporadic crashes of the IDS agent.

Antivirus
---------
6/ Change: Support for clamav-net and kav-net was removed.

Cluster:
--------
7/ Fix: ICA communication now works even without working DNS resolution.

Openvpn
-------
8/ Change: There are a few changes due to the upgrade to OpenVPN version 2.5.
   New or changed items: block-outside-dns, tls-auth, data-ciphers, data-ciphers-fallback, ifconfig-pool-persist and comp-lzo (the default value). See openvpn(5) and openvpn(8) for more details.

PIKE
----
9/ Improvement: The master periodically sends gratuitous ARP, controlled by the new item GARP-KEEPALIVE.

Auth:
-----
10/ Fix: The oobctl utility can now delete records from the OOB table by a given username.

===========================================================
Changes in KERNUN release 3.12.2-h3 (compared to 3.12.2-h2)
===========================================================

General
-------
1/ Fix: Fixed the wrong order of PF rules for adaptive-database.

===========================================================
Changes in KERNUN release 3.12.2-h2 (compared to 3.12.2-h1)
===========================================================

General
-------
1/ Fix: Adaptive-database now works correctly in combination with a honeypot that listens on specified ports. Previously it worked correctly only with a honeypot listening on all ports of a given address.
2/ Fix: Fixed the Release Notes window in the GUI.
3/ Fix: Fixed the button called "AF auto-blocklist delete addres". The button was also renamed to "AF blocklist delete address".

========================================================
Changes in KERNUN release 3.12.2-h1 (compared to 3.12.2)
========================================================

General
-------
1/ New: Added tabs in the GUI for the Adaptive Firewall component when it co-operates with the KCS for downloading the central threat database.

========================================================
Changes in KERNUN release 3.12.2 (compared to 3.12.1-h6)
========================================================

General
-------
1/ New: The ClamAV antivirus is implemented as a Kernun component.
2/ Fix: The KAT restart command now also kills proxies in EXITING status.
3/ New: The Adaptive Firewall component can co-operate with the KCS for downloading the central threat database and uploading detected access attempts.

===========================================================
Changes in KERNUN release 3.12.1-h6 (compared to 3.12.1-h5)
===========================================================

General
-------
1/ Change: Changes necessary for the upgrade of Kernun Clear Web and Kernun Business Intelligence.

===========================================================
Changes in KERNUN release 3.12.1-h5 (compared to 3.12.1-h4)
===========================================================

General
-------
1/ Fix: Removed a warning message of the reporter_stats script.

===========================================================
Changes in KERNUN release 3.12.1-h4 (compared to 3.12.1-h3)
===========================================================

General
-------
1/ Fix: Log messages sent by syslog over IPv4 were inadvertently truncated to 480 characters per line in the 3.12 release. This was fixed to restore the previous limit of 1024 characters.

===========================================================
Changes in KERNUN release 3.12.1-h3 (compared to 3.12.1-h2)
===========================================================

UDP proxy
---------
1/ Fix: Fixed false broadcast detection when udp-proxy is listening on a network interface with mask /32.
2/ Fix: KAT now takes care of all instances of ntpd, which fixes a bug where KAT in some cases falsely stated that the NTP component was not running when it was in fact running.

Statistics:
-----------
3/ Fix: Removed an unnecessary error message when a log message with a missing numeric attribute was encountered while parsing logs.

===========================================================
Changes in KERNUN release 3.12.1-h2 (compared to 3.12.1-h1)
===========================================================

General:
--------
1/ Fix: Better handling of a specific error state in SSL/TLS.
========================================================
Changes in KERNUN release 3.12.1-h1 (compared to 3.12.1)
========================================================

General:
--------
1/ Fix: Fixed a bug in SSL/TLS error handling that could cause the proxy to enter an endless loop in rare circumstances. This bug affected smtp-proxy and possibly also http-proxy.

Http-proxy
----------
2/ Fix: Item HTTP-PROXY.SOURCE-ADDRESS was fixed. Previously, only item REQUEST-ACL.SOURCE-ADDRESS had an effect.

===================================================
Changes in KERNUN release 3.12.1 (compared to 3.12)
===================================================

General
-------
1/ Fix: Fixed a bug in the initialization of the /data/ partition that prevented core dumps from being generated on version 3.12.

Configuration:
--------------
2/ Change: The UPDATE.ADAPTIVE-FIREWALL section was split into IPS and IDS-AGENT subsections.
3/ Change: The conditional YES/NO enumeration in the UPDATE and FEEDBACK sections was changed so that conditional enabling (only when the particular component is on) is now configured simply by YES, and unconditional enabling is set by the value ALWAYS.
4/ Change: It is now possible to configure which SSL/TLS ciphers are considered weak. Such ciphers are not recommended for use and therefore must be explicitly enabled in item SSL-PARAMS.CIPHERS if they are needed.
5/ Fix: Fixed a bug that made the sending of feedback for ClearWeb depend on the presence of section SYSTEM.FEEDBACK.

ATR:
----
6/ Change: The default TTL for negative responses in Adaptive Traffic Routing was lowered from 1 hour to 1 minute.

KAT:
----
7/ Change: The KAT command for downloading IDS agent rules was moved under the KAT AF command (af download ids-agent-rules).

Statistics:
-----------
8/ Fix: A bug that prevented logs from being parsed into the database was fixed.
======================================================
Changes in KERNUN release 3.12 (compared to 3.11.7-h3)
======================================================

General
-------
1/ Change: List of root nameservers in samples/include updated.
2/ Fix: Fixed the default value of SSL-PARAMS.CIPHERS not having any effect. Instead, the default value from OpenSSL was applied when CIPHERS was not defined.
3/ Change: The SSL certificate serial number can no longer be tested in the SSL-CERT-MATCH item.

Configuration:
--------------
4/ New: The SOURCE-ADDRESS item has been changed so that, instead of only a physical address of the outgoing interface, the virtual (cluster) address can also be used.
5/ Improvement: Configuration of the update and feedback of the ClearWeb database has been moved to the new sections UPDATE and FEEDBACK.

Adaptive Firewall:
------------------
6/ Improvement: Configuration sections AK47 and IPS were completely reworked into a new section ADAPTIVE-FIREWALL. This led to renaming other tools, e.g. ak-db.sh -> af-db.sh, kat ak47 -> kat af, etc.
7/ Fix: The KAT AF command has new options for finding and unblocking IP addresses.
8/ Fix: A false-positive evaluation of local client communication that led to blocking the addresses was fixed.

DNS:
----
9/ Fix: An erroneous length of a DNS request caused a crash of a proxy, an ATR monitor, etc. This bug was fixed; the request is corrected and processed normally.
10/ Fix: In some cases, dns-proxy failed to correctly sort incorrectly ordered RRs in the answer. Fixed.
11/ Change: DNSSEC is now supported by default but not validated by the resolver. DNSSEC validation can be enabled by the new item NAMESERVER.DNSSEC.VALIDATE.

HTTP:
-----
12/ Fix+Change: The URI-DECODE option didn't work properly in some situations. The bug was fixed and NO is now the default value, so that the proxy does not alter the URI.
13/ Fix: Item TIMEOUT-UNAUTH used in the OOB table and in NTLM and Kerberos authentication was fixed.
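The URI-DECODE change in 3.12 (HTTP item 12) is security-relevant beyond the bug fix: whether a request path is percent-decoded before an ACL looks at it decides whether "/%61dmin/" and "/admin/" are the same path to the proxy. The following is an added example, not Kernun code and not a description of how http-proxy evaluates REQUEST-ACLs; it assumes a URI-DECODE-like switch that controls decoding before matching, and the deny list it uses is a constructed sample.

```python
"""Added example (not Kernun code): what an ACL sees with and without URI decoding.

Assumption: a URI-DECODE-like switch decides whether the request path is percent-
decoded before ACL matching. DENY_PREFIXES is a constructed sample ACL."""
from urllib.parse import unquote
import posixpath

DENY_PREFIXES = ("/admin", "/internal")   # constructed sample: paths the ACL must deny


def normalize(path):
    """Decode %XX exactly once and collapse '.'/'..' segments, as an origin server would."""
    decoded = unquote(path)                # %2561 -> %61 (one layer only, like most servers)
    norm = posixpath.normpath(decoded)     # /public/../admin -> /admin
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"                        # normpath strips the trailing slash; keep it
    return norm


def acl_decision(path, decode):
    """Return 'deny' or 'allow' for a raw request path.

    With decode=False the prefix match runs on the raw path (no URI changes by the
    proxy); with decode=True it runs on the normalized form the origin server will use."""
    candidate = normalize(path) if decode else path
    return "deny" if candidate.startswith(DENY_PREFIXES) else "allow"


def compare(path):
    """(decision on the raw path, decision on the normalized path) for one request."""
    return acl_decision(path, decode=False), acl_decision(path, decode=True)


if __name__ == "__main__":
    for p in ("/admin/", "/%61dmin/", "/public/../admin/", "/%2561dmin/"):
        print(p, compare(p))
```

Matched on the raw path, the prefix ACL is bypassed by "/%61dmin/" and by "/public/../admin/"; matched on the normalized path it is not. The double-encoded "/%2561dmin/" stays "/%61dmin/" after a single decode, which is also what an origin server that decodes once will see, so the safe rule is to match on exactly the form the server behind the proxy will act on, and to decode neither more nor fewer times than it does.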
Packet Filter:
--------------
14/ Fix+Change: The LOG item of ACLs in the PACKET-FILTER section has changed its meaning; it now has only two values, ON/OFF, which control logging to log-debug and log-stats instead of /dev/log.

SMTP:
-----
15/ Change: Since the SPF DNS RR type has been deprecated, we reversed the order of DNS queries; the order is now TXT RR first, then SPF RR.

===========================================================
Changes in KERNUN release 3.11.7-h3 (compared to 3.11.7-h2)
===========================================================

General
-------
1/ Fix: Changed the installer and the installation of ZFS to use UEFI instead of BIOS, because some newer boards no longer support booting with legacy BIOS.
2/ Improvement: It is now possible to start multiple system components in parallel by adding the option -P to the KAT invocation.
3/ Improvement: Changed the default list of allowed ciphers in SSL-PARAMS to be more secure.

===========================================================
Changes in KERNUN release 3.11.7-h2 (compared to 3.11.7-h1)
===========================================================

General:
--------
1/ Improvement: If a listener process fails, the proxy is gracefully shut down so that existing sessions can continue, and the admin is warned by an alert about this severe problem.
2/ Fix: Applying Clear Web Bypass on the category Unknown was fixed.

Alertd:
-------
3/ Fix: Added the full path to snmptrap in alertd.

DNS:
----
4/ Improvement: When a client sends a DNSSEC request with the CD bit set and the response contains a signed CNAME, dns-proxy does not resolve it but sends it to the client for validation.

HTTP:
----
5/ Fix: Fixed sporadic crashes of http-proxy that were caused by a bug in OOB table memory management.
========================================================
Changes in KERNUN release 3.11.7-h1 (compared to 3.11.7)
========================================================

General:
--------
1/ Fix: The default value of TCPSERVER.CONN-RATE-PER-IP has been increased to accommodate browsers that aggressively establish many TCP connections.

Alertd:
-------
2/ Fix: Fixed erroneous recovery from SNMP sending failures in alertd.

=====================================================
Changes in KERNUN release 3.11.7 (compared to 3.11.6)
=====================================================

General:
--------
1/ Fix: The IPS mode of the IPS module was fixed by changing it to use the AK47 module.

Configuration:
--------------
2/ Improvement: Configuration of the IPS module has been completely redesigned.

KAT:
----
3/ New: The AK47 command has several new options, including an embedded ak-db.sh tool call.

========================================================
Changes in KERNUN release 3.11.6 (compared to 3.11.5-h2)
========================================================

General:
--------
1/ New: A new component ALERTD was introduced. It sends SNMP traps about various events in the system (such as a proxy reaching its maximum number of children).
2/ New: Complete support for DNSSEC-validating nameservers and a DNSSEC-aware dns-proxy was implemented.
3/ New: TCP-based proxies can now be configured to limit the connection rate (the number of new connections per second), both per client and globally for the proxy. See the TCPSERVER.CONN-RATE-PER-IP and CONN-RATE items.
4/ New: TCP-based proxies can now be configured to limit the number of parallel sessions from one client. See the TCPSERVER.MAX-CHILDREN-PER-IP item.

Configuration:
--------------
5/ Fix: Addresses with the formal mask /31 are now accepted.

SMTP proxy:
-----------
6/ New: Postfix agents now use STARTTLS by default.
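The two per-client limits introduced in 3.11.6 (General items 3 and 4) interact: a rate limit on new connections and a cap on parallel sessions from one address are different defences and fail differently. The following is an added example, not Kernun code and not a description of how the tcpserver library implements these items; it assumes a sliding one-second window for the rate limits, and the parameter names mirror the CML items only for readability.

```python
"""Added example (not Kernun code): per-client connection-rate limit and parallel-session cap.

Assumptions: a sliding one-second window for CONN-RATE-PER-IP / CONN-RATE, and that
MAX-CHILDREN-PER-IP counts live sessions, not accepted connections. The internal
behaviour of Kernun's tcpserver is not documented on this page."""
from collections import defaultdict, deque


class TcpServerLimits:
    def __init__(self, conn_rate_per_ip, conn_rate, max_children_per_ip):
        self.conn_rate_per_ip = conn_rate_per_ip      # new connections/second from one client
        self.conn_rate = conn_rate                    # new connections/second for the whole proxy
        self.max_children_per_ip = max_children_per_ip  # parallel sessions from one client
        self._per_ip = defaultdict(deque)   # ip -> timestamps of accepted connections
        self._global = deque()              # timestamps of all accepted connections
        self._active = defaultdict(int)     # ip -> live sessions

    @staticmethod
    def _trim(window, now):
        """Drop timestamps older than one second from a sliding window."""
        while window and now - window[0] >= 1.0:
            window.popleft()

    def accept(self, ip, now):
        """Decide on a new connection; returns (accepted, reason).

        An accepted connection is counted as a live session until close() is called."""
        per_ip = self._per_ip[ip]
        self._trim(per_ip, now)
        self._trim(self._global, now)
        if self._active[ip] >= self.max_children_per_ip:
            return False, "max-children-per-ip"
        if len(per_ip) >= self.conn_rate_per_ip:
            return False, "conn-rate-per-ip"
        if len(self._global) >= self.conn_rate:
            return False, "conn-rate"
        per_ip.append(now)
        self._global.append(now)
        self._active[ip] += 1
        return True, "accepted"

    def close(self, ip):
        """A session ended; frees one parallel-session slot but not the rate budget."""
        if self._active[ip] > 0:
            self._active[ip] -= 1


if __name__ == "__main__":
    lim = TcpServerLimits(conn_rate_per_ip=3, conn_rate=5, max_children_per_ip=2)
    for t in (0.0, 0.1, 0.2):                       # constructed burst from one client
        print(t, lim.accept("198.51.100.7", t))
```

Closing a session frees a parallel-session slot immediately, but the rate budget only recovers as the window slides, which is why the 3.11.7-h1 note above had to raise the default CONN-RATE-PER-IP: a browser opening many parallel connections is throttled by the rate limit even when it never exceeds the session cap. The global CONN-RATE is the backstop against a distributed burst that stays under every per-client limit.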
===========================================================
Changes in KERNUN release 3.11.5-h2 (compared to 3.11.5-h1)
===========================================================

BIRD:
-----
1/ Fix: Fixed sporadic crashes of BIRD.

========================================================
Changes in KERNUN release 3.11.5-h1 (compared to 3.11.5)
========================================================

General:
--------
1/ Fix: Kerberos config files were moved to the shared files zone.

AK47:
-----
2/ Fix: A memory leak in the AK47 honeypot was fixed.

SSH:
----
3/ Change: Removed automatic generation of the deprecated options RhostsRSAAuthentication and RSAAuthentication.

BIRD:
-----
4/ Fix: Fixed sporadic crashes of BIRD.

========================================================
Changes in KERNUN release 3.11.5 (compared to 3.11.4-h4)
========================================================

General:
--------
1/ Fix: Fixed a problem with forwarding some signals to children.
2/ Change: The obsolete and unused DrWeb antivirus was removed.
3/ Change: The obsolete and unused old Kaspersky antivirus engine was removed.

AK47:
-----
4/ Fix: Honeypot sockets are added to the socket collision check in CML.
5/ Fix: Reloading of the PF component no longer interrupts the blacklist function.
6/ New: Honeypot statistics were added.

DNS proxy:
----------
7/ Change: The proxy now accepts erroneous responses from servers that only give a referral to better nameservers but still set the AA flag.

SMTP proxy:
-----------
8/ Fix: Incorrect status (ACCEPTED) for rejected mails in the statistics log was fixed.

SSH:
----
9/ Change: SSHv1 and obsolete algorithms were removed.

Logging:
--------
10/ Change: USER-GROUPS is now always empty in statistics log messages (888-I) in order to save disk space in deployments where individual users belong to many groups. Message LIBA-700 now contains only the first matched group in order to shorten the debug log as well.
Auth:
-----
11/ Improvement: A user whose name ends with a dollar sign (i.e. a Windows system/machine account) is no longer automatically added to the OOB table together with its IP address by the HTTP proxy and the authentication proxy. Only the user's groups are added to the OOB table. This prevents caching a Windows system account, which would override the actual human user.

===========================================================
Changes in KERNUN release 3.11.4-h4 (compared to 3.11.4-h3)
===========================================================

General
-------
1/ Fix: Fixed the GUI on Windows.

===========================================================
Changes in KERNUN release 3.11.4-h3 (compared to 3.11.4-h2)
===========================================================

General
-------
1/ Fix: Fixed an error in processing statistics logs.
2/ Change: Removed obsolete and insecure SSHD parameters.
3/ New: The number of mail recipients taken from the To: and Cc: headers, optionally restricted to addresses matching a STR-SET parameter, can now be used as an entry condition in MAIL-ACL of SMTP-PROXY.

===========================================================
Changes in KERNUN release 3.11.4-h2 (compared to 3.11.4-h1)
===========================================================

General
-------
1/ Fix: Fixed an error when downloading the ClearWeb database.

========================================================
Changes in KERNUN release 3.11.4-h1 (compared to 3.11.4)
========================================================

General
-------
1/ Fix: Fixed a warning when computing daily statistics.

=====================================================
Changes in KERNUN release 3.11.4 (compared to 3.11.3)
=====================================================

Cluster:
--------
1/ The icamd daemon can be configured to listen on particular address(es). If ICA-AUTO is used to configure the icamd/icasd daemons, the wildcard address is no longer used.

Misc:
-----
2/ OOB files are deleted upon system startup.
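The 3.11.5 Auth item 11 above fixes a classic identity-caching pitfall: Windows machine accounts (names ending in "$") authenticate on their own for things like update and policy traffic, and an OOB table keyed by client IP would let such an authentication overwrite the human user already cached for that address. The following is an added example of that rule, not Kernun code; the table layout (IP address mapping to user, groups and expiry) and the oobctl-style deletion by username from the 3.12.3 Auth note are assumptions of the example.

```python
"""Added example (not Kernun code): OOB-table caching that ignores Windows machine accounts.

Assumptions: the table maps a client IP to (user, groups, expiry); a principal whose
name ends in '$' contributes only its groups and never becomes the cached user."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OobEntry:
    user: Optional[str] = None                 # the human user cached for this IP, if any
    groups: set = field(default_factory=set)   # union of groups seen for this IP
    expires: float = 0.0                       # absolute time after which the entry is stale


class OobTable:
    def __init__(self, ttl):
        self.ttl = ttl
        self._entries = {}

    def record_auth(self, ip, user, groups, now):
        """Cache an authentication result for ip; returns what was cached."""
        entry = self._entries.get(ip)
        if entry is None or entry.expires <= now:
            entry = OobEntry()                 # stale entries are replaced, not extended
            self._entries[ip] = entry
        entry.expires = now + self.ttl
        entry.groups |= set(groups)
        if user.endswith("$"):
            return "groups-only"               # machine account: never overwrite the user
        entry.user = user
        return "cached"

    def lookup(self, ip, now):
        """(user, groups) for ip, or None if nothing valid is cached."""
        entry = self._entries.get(ip)
        if entry is None or entry.expires <= now:
            return None
        return entry.user, frozenset(entry.groups)

    def delete_user(self, username):
        """Drop every IP mapped to username (the oobctl-style deletion); returns the count."""
        victims = [ip for ip, e in self._entries.items() if e.user == username]
        for ip in victims:
            del self._entries[ip]
        return len(victims)


if __name__ == "__main__":
    table = OobTable(ttl=600)
    table.record_auth("10.0.0.5", "alice", ["staff"], now=0)          # constructed events
    table.record_auth("10.0.0.5", "WS01$", ["domain computers"], now=10)
    print(table.lookup("10.0.0.5", now=20))
```

Without the "$" check the second event would have replaced alice with WS01$ for the rest of the TTL, and every request from 10.0.0.5 would be authorised (and logged) as the workstation rather than the person behind it.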
3/ Sysctl values net.inet.ipsec.filtertunnel and net.inet6.ipsec6.filtertunnel are set to 1 by default.

Proxy-ng:
---------
4/ Change: The port for the transparent listen socket is generated automatically.
5/ Change: The index of the listening socket has been replaced by the identifier listen-socket-id.

General:
--------
6/ Change: Sysctls net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh now default to 0 and 1, respectively.
7/ Fix: A new attribute for the minimum TTL value was added to the CONFIGURATION-RESOLUTION item so that TTL values close to zero are handled correctly.
8/ Improvement: The ICAP client in the antivirus module sends more information to the server (HTTP URI, Content-Type, username).

Configuration:
--------------
9/ Change: A minimum TTL for configuration name resolution was added as an elem of the CFG-RESOLUTION item. It prevents ACR from looping too fast on repeated resolution of names with small (e.g. zero) TTL. The default minimum TTL is now 10 seconds.
10/ New: A new item FAST-IO was added to the OPENVPN configuration.
11/ New: A single interface alias can have both an IPv4 and an IPv6 address.

GUI:
----
12/ New: Files can be downloaded from the UTM using the menu GUI -> File -> Download File.
13/ Change: Copy/Cut + Paste: when pasting a copied/cut part of the CML configuration, if the pasted chunk fits both into and behind the cursor position, it is pasted INTO the section if the section is open (expanded), and BEHIND the section if the section is closed (collapsed).
14/ Fix: Fixed a bug in handling comments (moving / deleting).
15/ New: An NTP status tab has been added.
16/ New: Tab with the low-level configuration for bird6.
17/ Fix: Fixed a bug in the Postfix -> Mail queue tab. When performing commands from the context menu (Delete / Send / Show) and the ID contained the star symbol (e.g. E75D915EAB*), the commands erroneously contained that star.
18/ Fix: On MS Windows, there was a lag of a few seconds followed by an error message when connecting to the UTM (even though the connection succeeded). This has been fixed.

=====================================================
Changes in KERNUN release 3.11.3 (compared to 3.11.2)
=====================================================

General:
--------
1/ Fix: The behavior of the SOURCE-ADDRESS item has been reviewed, especially with respect to its functionality in the IPv4 / IPv6 cases.

Configuration:
--------------
2/ Change: The name of USERS.USER sections must be in lowercase, since from this version on it is used as the login name on the system.

Logging:
--------
3/ Change: The semantics of SERVER and SERVER-IP have changed for statistics log messages (888-I). Instead of a special value (for the case that the proxy didn't connect to any server), the original client's destination is logged as SERVER/SERVER-IP. This happens, for example, in http-proxy when there is no request in the HTTP session.

HTTP:
-----
4/ Change: The policy that selects the IP address for the server connection has changed for transparent sessions. Originally, the proxy used the IP address determined from the HTTP protocol (specifically from the Host header or from the host part of the URI). This remains the policy for non-transparent sessions. For transparent sessions, http-proxy now uses the destination of the original client TCP connection as the destination IP of the HTTP server. The policy can be changed in SESSION-ACL by the item SERVER-FROM-TCP.

=====================================================
Changes in KERNUN release 3.11.2 (compared to 3.11.1)
=====================================================

General:
--------
1/ New: The source port of outgoing connections is logged in the MNIO-710-N message.
2/ Improvement: The konvertor uses save-proof commenting out of removed lines.
3/ Fix: Under some conditions, part of the data scanned by the antivirus in stream mode was sent to the target host twice.

FTP:
----
4/ Fix: Under some conditions, after an HTTP client failure, the FTP transfer ended in a panic.
5/ Fix: Data counting for HTTP <-> FTP transfers has been corrected.

Packet filter:
--------------
6/ Fix: Under some conditions, unsuccessful DNS resolution of names in a PF table list led to incorrect content of the list.
7/ Change: FILTER-ACLs are now stateful by default. The KEEP-STATE item was removed and a NO-STATE item was introduced.
8/ Change: The configuration of packet tagging has completely changed. A new item PROCESS now controls further packet processing driven by tag values in a more logical manner.
9/ New: Statistics can be generated for PF traffic.

===================================================
Changes in KERNUN release 3.11.1 (compared to 3.11)
===================================================

Nameserver:
-----------
1/ New: DNSSEC support for the nameserver.
2/ New: The nameserver supports resolving from the root DNS servers.

SMTP:
-----
3/ Fix: A bug in the handling of extended MIME header parameters was fixed.

General:
--------
4/ New: log-in-vain and blackhole can be turned on/off in the sysctl section.
5/ New: XEN tools (guest) support.

===================================================
Changes in KERNUN release 3.11 (compared to 3.10.6)
===================================================

General:
--------
1/ FreeBSD upgraded to version 11.1.
2/ IPv6 router advertisements are disabled by default. They can be enabled on an interface by the INTERFACE.IPV6-RTADV.ENABLE configuration item. There is a new Kernun component RTADVD with a separate configuration section in CML.
3/ Improvement: Some log messages were moved to the N level to make debugging network problems easier (SPF result, Kernun ACR resolution, etc.).

AK47:
-----
4/ New: Adaptive Kernun 4.7 is a new module that protects against a globally shared list of attackers.
   It has an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) part on each Kernun and one central server for collecting and distributing the list of suspicious addresses. The IDS collects attackers using the old Honeypot trap and by watching password attacks on an SSH server.

Antispam:
---------
5/ Change: The default maximum mail size for antispam checking was changed to 0, which means that all mails are now checked. The maximum size can be changed in the USE-ANTISPAM item.

ATR:
----
6/ New: The ATRMON daemon now has monitoring enabled. The DNS response module has the same monitoring output as dns-proxy. The target hosts monitoring (ping) module has a brand new format of monitoring output (see the monitoring(7) manual page).

Cluster:
--------
7/ New: The KAT command CLUSTER has a new option STATUS for showing the current status of this node.
8/ New: The PIKEMON daemon now has monitoring enabled. Both the current status of the PIKE protocol and the current status of pinging target hosts (now including the RTT) can be monitored by the monitor(1) tool.
9/ New: Besides monitoring target hosts by pinging, the current status of selected interfaces (devices) can also be monitored for testing the DOWN/UP status of this node (see the VIRTUAL-CLUSTER.INTERFACE item).
10/ Change: The finite state machine of the PIKE protocol has changed so that the preemptive mode of switching also works when both systems have some network in the DOWN state.

DHCP:
-----
11/ Improvement: A few more configuration checks were added to CML.

FTP:
----
12/ Fix: A bug when the client data connection is reset exactly between reading and processing the server's 226 response was fixed.

GUI:
----
13/ New: Log-In-Vain is displayed in the GUI.
14/ New: Packet Filter log messages are displayed in the GUI.
15/ New: Low-level configuration files are displayed in the GUI for the following components: pf, postfix, openvpn, sshd, named, ntpd, racoon, snmpd, dhcpd, router.
SIP:
----
16/ Fix: A portscan of the SIP port range sometimes led to an infinite loop in sip-proxy. The bug was fixed.

SMTP:
-----
17/ New: The SPF/IPv6 implementation was completed.
18/ Change: The system of approving/denying various RFC violations was changed so that most of them are now ignored or fixed by default.
19/ Fix: Fixing various RFC violations in DKIM-signed mails was suppressed so that most of them traverse the proxy without signature invalidation.
20/ Fix: In some situations, a client's RST and EOF during execution of the SMTP STARTTLS command led to an infinite loop. The bug was fixed.

SNMPD:
------
21/ New: In the SNMPD configuration, it is now possible to select various cryptographic algorithms and to switch on data encryption.

OpenVPN:
--------
22/ Change: The default cipher is now AES-256-CBC.
23/ Change: The semantics of the column "Time" in OpenVPN logs, in statistics as well as in the Kernun Business Intelligence module, was unified with the semantics of the column in other Kernun logs. Previously it meant the start time of the session; now it means the end time of the session.

HTTP proxy:
-----------
24/ Improvement: A section on TLS termination was added to the handbook. It describes how to configure a reverse HTTPS proxy.

========================================================
Changes in KERNUN release 3.10.6 (compared to 3.10.5-h3)
========================================================

General
-------
1/ New: The Report Unused Rules tool is implemented. It collects data from ACL searching and prepares XLS sheets with proxy/ACL/address usage. The first phase is now automatically added to the default crontab content (samples/include/crontab.cml); the XLS creation is invoked by the new KAT command RUR.
2/ New: VMware tools (guest) support.
3/ Improvement: VirtualBox additions for FreeBSD guest services are started automatically if a VirtualBox environment is detected.
Configuration:
--------------
4/ Improvement: Peer verification in SSL-PARAMS can be explicitly disabled by using VERIFY-PEER DISABLE. This avoids the CML warning about a missing VERIFY-PEER item.

Antivirus:
----------
5/ New: The Kaspersky AV engine has been integrated into the CML configuration.

ATR:
----
6/ New: Adaptive Traffic Routing supports EDNS queries.

Auth:
-----
7/ New: Cisco ACS is now supported as a source for OOB authentication.
8/ Fix: The oobctl utility no longer reports expired records from the OOB table.

DHCP:
-----
9/ Change: The configuration of the domain name search list was unified in DHCPv4 and DHCPv6. In both cases, a repeatable item DOMAIN is used. In the DHCPv4 case, the old style with several space-separated domains within one string is still supported but deprecated.
10/ New: The failover system of the DHCP server can be configured.
11/ Fix: A bug in DHCPv6 configuration file generation was fixed.

DNS proxy:
----------
12/ Fix: When a server responded with QD=1 but sent no RR, the proxy failed. Fixed.
13/ New: Support for a new DNS RR type (CAA) was added.
14/ New: It is possible to globally force clients to use the SafeSearch functionality of Google, YouTube and Bing by using samples/include/safe-search.cml.

Honeypot:
---------
15/ Improvement: The SAVE-DELAY item in the configuration controls the transaction flow: all operations before the period expires are grouped into a single transaction, which is not committed until the end of the period or a database refresh.
16/ New: A client address is added to the database as soon as the SYN packet is seen, but no packet filter restriction is started yet (because of the risk of spoofed source addresses).
17/ Improvement: The hp-bl.sh script has more capabilities.

SIP proxy:
----------
18/ Fix: The proxy handled an error during accept() incorrectly. Fixed.

SMTP proxy:
-----------
19/ Change: The proxy does not work with email addresses having an IP address in the domain part.
   Such addresses are considered deprecated and are reported as an IP-ADDRESS SMTP error.
20/ Improvement: The Delivery Status Notification messages generated by the proxy are better identified in the log (new request ID, sender as KERNUN/DSN).
21/ Fix: When sending the DSN message, the proxy ignores the SOURCE-ADDRESS CLIENT setting (since the proxy is the originator of the mail).
22/ Change: The proxy does not react to the (un)successful delivery of the DSN message; the mail body response is 250 in any case.
23/ Improvement: When doing a whitelist check, the proxy can handle cases where the domain itself has no SPF record but its mail exchangers belong to a domain that has one. Using this feature substantially increases the probability of the whitelist check succeeding.

===========================================================
Changes in KERNUN release 3.10.5-h3 (compared to 3.10.5-h2)
===========================================================

HTTP proxy:
-----------
1/ Change: The HTTP proxy no longer sends the response header 'Connection: close' in a successful response to the request method CONNECT. Some user agents (for example, certain versions of Skype) were confused by that response header.

========================================================
Changes in KERNUN release 3.10.5-h2 (compared to 3.10.5)
========================================================

Configuration:
--------------
1/ Fix: The filename for the postfix transport map is generated correctly (without the .db suffix) and some other misspellings were fixed.

DNS proxy:
----------
2/ Fix: When a server did not respond to one query in time and responded to another query erroneously, and meanwhile the irregular cache cleanup started, the proxy failed. Fixed.
3/ Fix: The proxy recognizes unimplemented operations (like UPDATE) before trying to parse the message. Thus its behavior can be checked more easily in the log.
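Two SMTP-proxy notes on this page concern how an SPF record is found rather than how it is evaluated: 3.12 (SMTP item 15) queries the TXT RR first and the deprecated SPF RR (type 99) only afterwards, and 3.10.6 (SMTP proxy item 23) falls back to the SPF of the domain the sender's mail exchangers belong to when the sender domain has none. The following is an added example combining both, not Kernun code and not a description of smtp-proxy's whitelist check; the zone data is constructed, and "the domain an MX belongs to" is taken here to mean the MX hostname with its first label removed, which is an assumption of the example.

```python
"""Added example (not Kernun code): SPF record lookup with TXT-before-SPF order and MX fallback.

Assumptions: constructed zone data below; the domain an MX host "belongs to" is its
parent name (first label stripped); only ip4/ip6/all mechanisms are evaluated."""
import ipaddress

# constructed zone data: (name, rrtype) -> list of record data
DNS = {
    ("example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all", "some-other-txt"],
    ("legacy.example", "TXT"): ["unrelated"],
    ("legacy.example", "SPF"): ["v=spf1 ip4:198.51.100.10 -all"],       # type 99 only
    ("nospf.example", "MX"): [(10, "mx1.mailhost.example"), (20, "mx2.mailhost.example")],
    ("mailhost.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
}


def dns_query(name, rrtype):
    return DNS.get((name.lower(), rrtype), [])


def spf_record(domain):
    """TXT first, then the deprecated SPF RR; returns the single v=spf1 record or None."""
    for rrtype in ("TXT", "SPF"):
        spf = [r for r in dns_query(domain, rrtype) if r.lower().startswith("v=spf1")]
        if len(spf) == 1:
            return spf[0]
        if len(spf) > 1:
            return None      # several records is a permerror (RFC 7208 4.5); treat as unusable
    return None


def whitelist_spf_record(domain):
    """(source domain, record): the sender domain itself, else the parent domain of an MX host."""
    record = spf_record(domain)
    if record:
        return domain, record
    for _prio, mxhost in sorted(dns_query(domain, "MX")):
        parent = mxhost.split(".", 1)[1] if "." in mxhost else mxhost   # assumption, see lead-in
        record = spf_record(parent)
        if record:
            return parent, record
    return None, None


def spf_matches(record, client_ip):
    """Minimal evaluator for ip4:/ip6: mechanisms and a final all; other terms are skipped."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            # membership across address families is simply False, so mixed records are safe
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass" if qualifier == "+" else "fail"
    return "neutral"


def whitelist_check(domain, client_ip):
    """(result, domain whose SPF decided it); result 'none' when no record was found."""
    source, record = whitelist_spf_record(domain)
    if record is None:
        return "none", None
    return spf_matches(record, client_ip), source


if __name__ == "__main__":
    for dom, ip in (("example.org", "192.0.2.9"), ("legacy.example", "198.51.100.10"),
                    ("nospf.example", "203.0.113.7"), ("nospf.example", "198.51.100.10")):
        print(dom, ip, whitelist_check(dom, ip))
```

The order matters for the deprecated type: legacy.example publishes only a type-99 record, so it is still honoured, but a domain that publishes both is decided by its TXT record. The MX fallback widens the whitelist, as the 3.10.6 note says, at the cost of trusting the mail host's policy rather than the sender domain's own, which is why the result carries the domain whose record actually decided it.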
SMTP proxy:
-----------
4/ Fix: When a refused recipient was present in a quarantined mail, the proxy failed. Fixed.

OpenVPN:
--------
5/ Fix: The deprecated item TLS-REMOTE was replaced by the new item VERIFY-X509-NAME.

GUI:
----
6/ Fix: Loading the recent version of the CML configuration into the GCML is possible again.

========================================================
Changes in KERNUN release 3.10.5 (compared to 3.10.4-h1)
========================================================

Configuration:
--------------
1/ Improvement: More RANGEs are allowed in DHCP SUBNETs.
2/ Improvement: Meaningless regexps in ACL.FROM and ACL.TO are rejected.
3/ Change: Due to a changed approach to understanding TLDs, the NON-FQDN error in the SMTP proxy was removed.

General:
--------
4/ Change: The listener process in TCP-based proxies is switched on by default. Due to this change, CML sets the kern.ipc.somaxconn value according to the maximum MAX-CHILDREN over all proxies. This value can also be set by a new SYSCTL section item.

HTTP proxy:
-----------
5/ Improvement: OOB authentication server definitions are now checked for name collisions.
6/ Improvement: Old SHA-1 faked certificates in the cache are ignored, which forces the creation of their new SHA-256 versions.

Mail handling proxies:
----------------------
7/ Improvement: The new form of native MIME header setting is now tested against the MIME definition directly in CML, not only at proxy startup.

Postfix
-------
8/ New: In the SMTP-AGENT section, additional settings for transport map configuration can be specified (see the smtp-proxy(5) manual page). There are a few automatic modes that can help to build a map according to the domain name set of the particular forwarder and also the relay and fallback hosts. To achieve this, the elem of the SMTP-FORWARDER.DOMAIN item was changed from STR-SET to STR-LIST.
9/ New: In the SMTP-AGENT section, additional options for TLS support can be specified using the TLS section.
10/ New: In the SMTP-AGENT section, additional options for the smtpd call in the master.cf file can be specified using the SMTPD-OPTION item.
11/ New: In the SMTP-AGENT section, additional settings for the main.cf file can now be specified: MYHOSTNAME, MYDESTINATIONS, MYNETWORKS, INET-PROTOCOL, RELAY-DOMAINS (see the smtp-proxy(5) manual page for the full list).

========================================================
Changes in KERNUN release 3.10.4-h1 (compared to 3.10.4)
========================================================

General:
--------
1/ Fix: Handling of more than 3 nameservers in a RESOLVER section was fixed.

BIRD:
-----
2/ Fix: Omitting the OSPF section is now possible (for configuring static routes only).

Configuration:
--------------
3/ Improvement: The ./paste operation of a clipboard with multiple nodes was reimplemented so that it hides nodes that cannot be pasted (e.g. due to duplicate nodes).
4/ Improvement: The ./cut operation was reimplemented so that it can also be used for multi-member content of the clipboard.
5/ Fix: The CML configuration converter does not remove empty lines after a section end.

DNS:
----
6/ New: If a server responds with FormErr but without a QUERY section, or it adds an OPT RR without adding it to the RR count in the header, the DNS proxy ignores this RFC violation.

SMTP proxy:
-----------
7/ Fix: If the client resets the connection in the SSL establishment phase, the proxy ends gracefully instead of with a panic.

GUI:
----
8/ New: It is possible to traverse the recent versions of the configuration file(s) among all systems connected via icamd/icasd if they share the configuration (SYSTEM.CONFIG-SYNC).
9/ New: It is possible to view an annotated configuration (aka blame).
10/ New: Multiple nodes can be pasted through the clipboard.
========================================================
Changes in KERNUN release 3.10.4 (compared to 3.10.3-h2)
========================================================

Configuration:
--------------
1/ Fix: The CML configuration converter does not rename variables whose name equals a section name.

General:
--------
2/ Improvement: icamd/icasd daemons have been introduced for controlling more systems.
3/ Improvement: Item SYSTEM.CONFIG-SYNC has been introduced for sharing configuration among several systems.
4/ Improvement: Resolver routines used in Kernun components use EDNS0 for querying nameservers.
5/ Improvement: A check was added when adding an interface alias, whether the interface contains a base address of the same protocol version.
6/ Fix: The antivirus module in some cases crashed at the end due to bad synchronization of operations. Fixed.
7/ Fix: The administrator's sessions are logged to a file again.

GUI:
----
8/ Improvement: Multiple systems can be managed from a single GUI connection if they are interconnected via icamd/icasd.

Bird:
-----
9/ Change: The DIRECT section is generated into the bird configuration file only if the particular section is present in CML.
10/ Improvement: The AREA ID definition possibilities were extended by the dotted IPv4-like form.
11/ Improvement: The IFACE item is now required within any AREA.INTERFACE section (to avoid unintentionally forgetting it). The meaning of "all" interfaces must now be defined explicitly by "IFACE ANY".
12/ Fix: A meaningless check for a missing AREA 0 definition was removed.

Cluster:
--------
13/ Improvement: The Backup node takes the Master role when the HELLO timeout fires regardless of its state (even if its network is DOWN), since the timeout in this state means that the Master is DEAD.

DNS:
----
14/ Change: EDNS support is switched on by default.
15/ Fix: The response originator evaluation is improved. In the case of request failure, the last responding or queried server is logged.
Mail handling proxies:
----------------------
16/ New: If a MIME header is encoded according to RFC 2047 or 2231, it is first decoded before ACL matching. The original encoded form can still be matched by the RAW form of the HEADER item.
17/ New: If the tested pattern for MIME header matching uses another charset than ISO-8859-2 (or convertible ones), it can be written in the MIME encoding format in the CML (see the HEADER item description).
18/ New: All the common forms of filename specification for a MIME node are implemented, so that the FILENAME attribute of MIME nodes can be matched in DOC-ACLs.
19/ Fix: The VIRUS status was incorrectly marked as ERROR when the antivirus check was switched off. Fixed.

Packet filter:
--------------
20/ Fix: The ANTISPOOF feature was fixed so that it does not void other packet filter rules and packet processing.

SMTP:
-----
21/ Fix: The first line sent to the antispam engine was completed with the HELO name and the deresolved client name, to eliminate a positive score penalisation due to lack of this information.

Statistics:
-----------
22/ Legacy statistics have been discontinued. Only reporter-generated statistics can be used.
23/ Change: Only programs with enabled statistics are imported into the reporter database.

===========================================================
Changes in KERNUN release 3.10.3-h2 (compared to 3.10.3-h1)
===========================================================

DNS:
----
1/ Change: The sample configuration file samples/shared/dns-bad-boys-list has been removed in favor of samples/include/dns-dirty-domains.cml. See RELNOTES for more details.

SSH:
----
2/ Change: The SSH RSA host key for the Kernun machine may change when upgrading to 3.10.3-h2 or above. See RELNOTES for more details.

PIKEMON:
--------
3/ Fix: The upgrade failure of the PIKEMON configuration was fixed.
========================================================
Changes in KERNUN release 3.10.3-h1 (compared to 3.10.3)
========================================================

HTTP proxy:
-----------
1/ Fix: NTLM authentication was fixed.
2/ Fix: A request that fails in the session-acl phase of HTTPS inspection now has its statistics logged even though no request has happened yet.
3/ Fix: A stats log message is logged by http-proxy in a captured-connect session which fails before the first request.
4/ Fix: The http-proxy request-acl items capture-connect, auth-req, hand-off, plug-to, file-response, program-response and library-response are mutually exclusive.
5/ Change: The HTTP header 'Location' is permitted repeatedly if all occurrences share the same value.

SSH:
----
6/ Change: The option HostKey is no longer automatically generated into the sshd configuration file.

GUI:
----
7/ New: "Highlight relevant nodes" scrolls the list to the particular proxy.
8/ Fix: The bug in cluster/pikemon commands has been fixed.

GENERAL:
--------
9/ Fix: The file names for archived log files are generated correctly for systems with a long hostname.

=====================================================
Changes in KERNUN release 3.10.3 (compared to 3.10.2)
=====================================================

General
-------
1/ Fix: Fixed incorrect matching of hostnames (with resolved IP addresses) against a list containing an IPv4 range.

Cluster
-------
2/ New: A new KAT command CLUSTER was introduced. In the first version it can be used for forcible switching of the Master role.
3/ Improvement: The PIKE protocol can now be secured by HMAC-SHA256; the shared secret is set in the PIKE.HMAC item.
4/ Improvement: When reloaded in Master mode, PIKEMON verifies and resets (if needed) the interface memberships.

DNS:
----
5/ New: EDNS0 with increased UDP payload was implemented.
6/ Fix: DNS/TCP per-request statistics were corrected.
Logging:
--------
7/ Change: The format of the filename for archived logs has changed. The file name now contains the timestamp of the birth time of the log file. The file name also contains the name of the system.
8/ Change: New programs log-ts, grep-stats and grep-debug are introduced for viewing the log. The program greplog.sh and the commands KAT.greplog and KAT.showlog have been removed.

GUI:
----
9/ Improvement: Some improvements for displaying on high DPI monitors (better layout for some dialogs, possibility to zoom the graph images, option for thicker rows, ...).
10/ Improvement: F3 and Shift+F3 for search next/previous in GCML.
11/ Improvement: Search results are highlighted in GCML.

HTTP proxy
----------
12/ Fix: The Content-Type detection method magic is skipped when the response is partial and does not contain its beginning.
13/ Change: The HTTP request header Range is not deleted by default. A new item delete-req-hdr-range is introduced.
14/ New: Inspection of Server Name Indication (SNI) from TLS is available to obtain the server hostname and to validate the SSL/TLS Client-Hello message.
15/ Improvement: A default error document for deny in doc-acl is added.

Mail proxies
------------
16/ Fix: Incomplete lines in BASE64 encoding are now accepted.

=====================================================
Changes in KERNUN release 3.10.2 (compared to 3.10.1)
=====================================================

1/ Improvement: Default support for TLSv1.1 and TLSv1.2 was added; use of deprecated SSL protocols leads to a warning in the CML.
2/ Improvement: The option prefer_server_ciphers can be defined for SSL/TLS in the server role. Default is yes.
3/ Improvement: SSL/TLS in the server role supports TLS session tickets. Use item SSL-PARAMS.USE-TICKET. Default is yes.

General
-------
4/ Fix: Nested lists in configuration used in some specific places were expanded erroneously.
5/ Fix: Fixed an issue that prevented information about email attachments from being collected when generating SMTP proxy statistics.
6/ Fix: Fixed a bug in the GUI when entering some types of (initially empty) items - their verification was failing.
7/ Improvement: rrdcached is used for saving disk usage.
8/ Change: The item MIME-TYPE at the doc level of ACL (recognized MIME type) changed: an unknown type is now reported as application/octet-stream instead of an empty type. Moreover, if the MAGIC recognition method returns application/octet-stream, it is considered unrecognized and the next recognition method is used.
9/ Improvement: For every ping target host (in ATR or PIKE configuration), the source address used in the ICMP ECHO packet can be specified.
10/ Improvement: A proxy can optionally accept connections from clients in a separate process, which passes accepted connections to child processes for handling. This mode of operation can be enabled by the item TCPSERVER.LISTENER. It improves proxy performance with many child processes, which is especially useful for the HTTP proxy configured to handle thousands of parallel requests.

Configuration
-------------
11/ Fix: A few bugs in CML verification were fixed.

GUI
---
12/ New: rrd graphs for the state of cluster members (pike) have been introduced.

Asynchronous Parallel Resolver
------------------------------
13/ Fix: The DISABLE-DERESOLUTION item is now respected also in UDP based proxies using APR.
14/ Change: The RESOLVER section was redesigned so that it is now a subsection of the NS-LIST section. Thus, there can be more servers with more addresses, and the APR can honor the difference between different addresses of a single server and different servers when selecting the next server to query.
15/ Change: The maximum number of RRs in an answer received from forwarders was increased from 10 to 100.

DNS proxy
---------
16/ Fix: The real domain names of nameservers sending the final response are now logged as SERVER names in the statistics log.
HTTP proxy
----------
17/ Improvement: The proxy reads the contents of its document-root directory when starting. Hence the error documents are served from memory and need not be read from disk repeatedly.

HTTP proxy and ICAP server
--------------------------
18/ Fix: The DOC-ACL.MIME-TYPE is interpreted correctly when only the type is given (without type/subtype).
19/ Fix: Some rare errors in SSL shutdown led to a PANIC. This bug was fixed.

Packet Filter
-------------
20/ Fix: A bug in deleting a record from the honeypot database by hp-bl.sh was fixed.

SSH
---
21/ Change: The support of cipher and MAC algorithms in the ssh server is now restricted by default. This default can be changed by the CIPHERS and MACS items.

======================================================
Changes in KERNUN release 3.10.1 (compared to 3.10.h5)
======================================================

General
-------
1/ Fix: The default SESSION-ACL.IDLE-TIMEOUT in UDP based proxies was changed to "unlimited" by mistake. It was reset to the previous default value.
2/ Improvement: When parsing logs into the reporter database, the oldest records are automatically removed from the database so that the size of the used space in the database does not exceed 70% of the available space on the data partition.

ATR
---
3/ New: A new component, Adaptive Traffic Routing, was added. It allows altering DNS name resolution according to the current network status and the configured strategy.

CML
---
4/ Improvement: The clipboard can now contain more than a single member (item or subsection) from a section. More members can be added by the ./copy +N command.

PIKE
----
5/ Improvement: The PIKEMON algorithm is more robust. It can overcome serious time shifts caused by the pikemon process being blocked by the system. Also, the log reporting is more detailed.
6/ Improvement: The most important operation log messages were identified and moved to log level Normal.
7/ Improvement: The logging algorithm was changed so that it does not increase the waiting time for the write operation and retries the write operation immediately.
8/ Change: The default value for the HELLO protocol timeout was changed to 10.
9/ Change: The default values for preemption and realtime priority were changed to YES.

SMTP proxy
----------
10/ Fix: Binary files encoded with Quoted-Printable encoding are forwarded without line breaks, i.e. with all LFs encoded as =0A. This decreases the probability of misinterpreting a mixture of LFs and line breaks in received files.

TCP proxy
---------
11/ Change: The default value for the IDLE-TIMEOUT was changed to 2 days.

Openvpn
-------
12/ New: A special value 'none' for the comp-lzo mode has been introduced. By selecting this value in the CML configuration, the row 'comp-lzo' is not generated into the openvpn configuration at all.

=======================================================
Changes in KERNUN release 3.10.h5 (compared to 3.10.h3)
=======================================================

GUI
---
1/ Fix: The completer for the "Server side filter (grep)" in the "Open log" dialogs has been changed to case-sensitive mode, so a letter can be changed from lower to upper case and vice versa.
2/ New: "Server side filter (grep)" in log search is case-insensitive by default. It can be changed to case-sensitive mode by the checkbox.

TCP proxy
---------
3/ Fix: The session idle-timeout was incorrectly evaluated. This bug was fixed.

Packet Filter
-------------
4/ Change: Altq over a lagg interface can only be used in failover lagg mode.

=======================================================
Changes in KERNUN release 3.10.h4 (compared to 3.10.h3)
=======================================================

General
-------
1/ Improvement: Traffic shaping via altq can be used in conjunction with igb network interfaces.
Packet filter
-------------
2/ Fix: The output of the pfctl command call refreshing PF tables is now read properly even for very large tables.

PIKE
----
3/ Improvement: New N and W log level messages reporting state changes were added.
4/ Improvement: The bridge interface MAC address no longer needs to be set in the configuration. By default, the pikemon daemon creates it by itself from the interface virtual IP address.
5/ Improvement: More interface combination checks were added to prevent some configuration errors.
6/ Improvement: Added support for SIGINFO handling - the pikemon daemon logs the internal status of ping groups when receiving this signal.

GUI
---
7/ Fix: The completer for the login dialog has been changed to case-sensitive mode, so a user-name letter can be changed from lower to upper case and vice versa.

=======================================================
Changes in KERNUN release 3.10.h3 (compared to 3.10.h1)
=======================================================

General
-------
1/ Fix: All IPv4 host addresses used in place of subnets have the mask (/32) printed explicitly. It fixes a bug in the BIRD configuration.
2/ Change: Sysctl kern.maxfiles is no longer set to 50.000 by Kernun. Since 3.10.h3, the default value is the default value from the FreeBSD OS.

Openvpn
-------
3/ Fix: A bug has been fixed that caused the openvpn config provider to crash occasionally.

====================================================
Changes in KERNUN release 3.10.h1 (compared to 3.10)
====================================================

General
-------
1/ The sample include file 'dns-dirty-domains' has been updated.
2/ Fix: The IPv6 address configuration in rc.conf was fixed for FreeBSD 10.

GUI
---
3/ Fix: The configuration is now correctly displayed as plaintext in the "Cfg" tab.

Configuration
-------------
4/ New: The pikemon daemon can be started with realtime priority, see the PIKEMON.PRIORITY item.
======================================================
Changes in KERNUN release 3.10 (compared to 3.8.5.h1)
======================================================

General
-------
1/ Improvement: All components were converted to the same system of configuring the listening sockets as proxies, i.e. there is the LISTEN-ON section with repeatable items for all sockets (with the possibility of using interface names instead of addresses, ranges of ports etc.). As a new feature, you can also specify the IP version and L4 protocol (TCP/UDP) for every socket (where it makes sense).
2/ Improvement: A new possibility for matching MIME headers in ACLs was added - matching of unencoded header text. The header encoding according to RFC 2047 (=?charset?coding?text?=) is first decoded and then the header content is matched. See the DOC-ACL.HEADER item.
3/ Improvement: Timeouts for UDP based proxies were split into logically bound groups and converted to a model similar to the TCP one. There are now the SESSION-TIMEOUT, IDLE-TIMEOUT and IDLE-TIMEOUT-PEER items.
4/ The tool 'blame' (annotates the RCS file) has been added to the distribution.
5/ Improvement: TLS requires a close notify alert to be sent before closing the underlying TCP connection, in order to detect a truncation attack. In reality, many web servers just close the TCP connection without a prior close notify. It is now possible to accept this behavior by adding the item SSL-PARAMS.TCP-EOF YES.
6/ Fix: The RUR logging incorrectly evaluated the situation when the matching results of a single item (e.g. SERVER) differ for the address and the port. This bug was fixed and the log messages are now correct.
7/ Fix: The Clear Web Bypass can be activated only by pressing the "Get Access" button, not just by refreshing the page in the browser.

Configuration
-------------
8/ New: PIKE has been introduced for implementing high availability clusters.
9/ Change: Support for CARP in the Kernun configuration has been discontinued in favor of PIKE.
10/ Fix: The RAW lines in the DHCP server configuration are no longer terminated with a semicolon by CML itself. The line has to be written verbatim - as it should occur in the low level cfg file.
11/ Fix: The static routes are not generated into /etc/rc.conf when the BIRD routing daemon is running. They are only in the BIRD configuration.
12/ Improvement: Several new configuration options are added to the BIRD configuration section.

HTTP proxy
----------
13/ Improvement: The directory of faked certificates is cleared not only when the configuration changes, but also when the Kernun CA certificate (kept under the same filename) changes.

Packet filter
-------------
14/ Improvement: The logging of PF events was changed so that all blocking events are logged by default while passing events are not. The LOG item in PF ACLs was changed so that the admin can override this default behavior by specifying ON/OFF.
15/ New: Two new items for SCRUB options were added: NO-DF and MAX-MSS.
16/ Fix: ICMP type specification, which is not allowed in NAT and RDR rules, is now also denied in the Kernun configuration.

======================================================
Changes in KERNUN release 3.8.5.h1 (compared to 3.8.5)
======================================================

1/ Improvement: TLS requires a close notify alert to be sent before closing the underlying TCP connection, in order to detect a truncation attack. In reality, many web servers just close the TCP connection without a prior close notify. It is now possible to accept this behavior by adding the item SSL-PARAMS.TCP-EOF YES.
2/ Fix: Creation of files needed for postfix agents was restored.
======================================================
Changes in KERNUN release 3.8.5 (compared to 3.8.4-h5)
======================================================

General
-------
1/ Improvement: Added two new commands to the reporter engine: info (prints basic information about the reporter database) and vacuum (performs the command VACUUM FULL on the reporter database).
2/ Improvement: The AUTH-CERT item for trusted CA certificates is now repeatable, so that the Kernun distribution file can simply be combined with the site's own CA certificates.
3/ Improvement: All proxies check and potentially create the path to the files used for logging when logging to a file.
4/ Improvement: The CARP interfaces are generated with their own masks from the configuration instead of the mask 255.255.255.255.

Configuration
-------------
5/ New: A new type of interface, VLAN, was implemented.
6/ New: In a LAGG interface definition, the aggregation protocol can now be specified.
7/ New: In an OPENVPN configuration, the TOPOLOGY can be defined.
8/ New: The BIRD routing daemon was included among Kernun components (see the ROUTER section in CML).
9/ New: The DOC-ACL in mail-handling proxies has a new item, HEADER, allowing decisions according to the MIME document header lines.
10/ Improvement: The checking of relevance of CML nodes was improved so that it can handle more situations inside section variables.

DNS
---
11/ Fix: Wrong checking of authoritative nameservers within a response with an incomplete CNAME chain was fixed.

KAT
---
12/ Fix: The GREPLOG command calls greplog.sh with the -f option, which causes flushing of found lines so that $PAGER can read them immediately.
13/ Improvement: GREPLOG has two new options, -r (searching by request IDs) and -x (show the rotated log file name only).

Packet filter
-------------
14/ New: The functions of the PFCONFD and PFLOGGER daemons were put together with controlling the enabling of the packet filter itself.
The PF Kernun component is now represented by a real process enabling pf at the beginning and disabling it at the end; the process controls resolution of names in the pf configuration and logs pf events.
15/ Improvement: The TIME-PERIOD-SET section (in the same form as in proxies' ACLs) was added to the packet filter ACLs, too.
16/ New: A new feature called HONEYPOT is added to the packet filter. It checks TCP connection attempts to a special set of unused IP addresses and places guilty clients on a special blacklist with total denial of access to the Kernun firewall (for a configured time).

SMTP
----
17/ Fix: Wrong handling of the server response after establishing the SSL channel led to malfunction of a configuration with required SSL support. This handling was fixed, so the REQUIRED option is possible.
18/ Improvement: The fact that the client or server side connection was established over SSL is now also marked in the Received header and logged into log-debug.

=========================================================
Changes in KERNUN release 3.8.4-h5 (compared to 3.8.4-h4)
=========================================================

General
-------
1/ Fix: Fixed a rarely occurring bug in the log parser which could cause minor inconsistency in the database, which in turn could cause errors when generating reports.
2/ Fix: Fixed the handling of SMTP proxy log records with erroneous attachment information. Such records no longer cause warning messages when parsed.
3/ Improvement: The implicit advskew for the CARP master was changed to 10 to allow enforcing a change of the backup to become the master in an emergency.
4/ Improvement: The callhome service now preserves its previous state after an upgrade to a higher Kernun version.

HTTP proxy
----------
5/ Improvement: During HTTPS inspection, the proxy sends not only the newly generated "server" certificate, but also the local CA one.
Thus, it is possible to use a local CA signed by a generally recognized CA across the entire protected network.

=========================================================
Changes in KERNUN release 3.8.4-h4 (compared to 3.8.4-h3)
=========================================================

General
-------
1/ Fix: Fixed an issue with parsing logs into the reporter engine, which could result in database records sometimes having an incorrect year assigned.
2/ Fix: Fixed an issue with parsing logs into the reporter engine when a record contained an extremely large integer.
3/ Improvement: The reporter engine imports only logs from logfiles that should be kept in the database.
4/ Fix: Fixed an issue when upgrading the reporter on a system where the /data/log directory does not exist.
5/ Fix: Some Perl scripts reported warnings about using smartmatch features when not necessary.
6/ Improvement: The sample configuration file with domains that should typically be extracted from HTTPS inspection was updated.
7/ Fix: Fixed the license check when the hostid value is less than 32 characters long.

GUI
---
8/ Fix: Fixed a few possible GUI crashes when working with statistics.

=========================================================
Changes in KERNUN release 3.8.4-h3 (compared to 3.8.4-h2)
=========================================================

General
-------
1/ Base OS version updated to the latest release (p23) of the FreeBSD 8.4 security branch.

=========================================================
Changes in KERNUN release 3.8.4-h2 (compared to 3.8.4-h1)
=========================================================

General
-------
1/ Base OS version updated to the latest release (p22) of the FreeBSD 8.4 security branch. Also packages with security vulnerabilities were updated.
2/ Fix: Bad handling of logfiles in the reporter after the latest change (line number inaccuracy). Also, all files that do not contain any usable records are ignored and not recorded in the database at all.
3/ New: smartd is now enabled by default and sends regular email reports to the Kernun administrator if any problem with any system disk occurs.
4/ Improvement: Added a standard way to modify the currently running system during the upgrade procedure. This feature should provide a more flexible environment for automatic system upgrades.
5/ Fix: The helper program monitor-dump, used by KAT and the GUI to get current session monitoring information from proxies, has been optimized for configurations with thousands of proxy processes.

======================================================
Changes in KERNUN release 3.8.4-h1 (compared to 3.8.4)
======================================================

General
-------
1/ Base OS version updated to the latest release (p20) of the FreeBSD 8.4 security branch. Also packages with security vulnerabilities were updated.
2/ Improvement: A few more problems in the callhome service were fixed which may have caused the connection to be lost and not re-established when the link connection was interrupted for a while.
3/ Improvement: Handling of logfiles in the reporter engine was changed, so the IDs of two distinct logs should now not match even if they do not contain any Kernun log record.
4/ Fix: A bug with IPv6 clients and the Clear Web Bypass table has been fixed.

DNS
---
5/ SSHFP RR support was implemented.

HTTP
----
6/ Fix: When performing Kerberos authentication, access to the keytab file is locked, so the keytab can be read by at most one process at a time. This improves performance when there are many (hundreds or thousands of) processes doing Kerberos authentication simultaneously.
7/ The default value of the maximal request header line length has been changed from 4KiB to 12KiB.

ICAP
----
8/ The default value of the maximal request header line length has been changed from 4KiB to 12KiB.
===================================================
Changes in KERNUN release 3.8.4 (compared to 3.8.3)
===================================================

General
-------
1/ Base OS version updated to the latest release (p19) of the FreeBSD 8.4 security branch; userspace utilities and all installed ports were updated too.
2/ Improvement: The deprecated system of FreeBSD pkg_* tools was replaced by the new FreeBSD pkg (also known as pkgng) packaging tool. From now on, all operations with packages installed on Kernun should be done via this tool, and use of the old packaging tools is highly discouraged.
3/ Fix: A bug in antivirus checking of zero-length files was fixed.
4/ Improvement: The NTP daemon uses the old ntp.conf configuration when the new one is not available due to DNS resolution problems.
5/ Improvement: The callhome service now detects when the connection fails and tries to re-establish it automatically, without the administrator needing to restart the service manually.

SMTP
----
6/ New: Handling of header lines longer than the allowed maximum was extended by means of a new LONG-HEADER item. It is now possible to configure wrapping of such lines and also the reaction when wrapping fails (keeping or removing the line, or rejecting the mail).
7/ New: A new log message summarizing the command argument parser result was added, for simpler investigation of DELIVERY-ACL decisions (SMTR-749).

SQL*Net proxy
-------------
8/ Improvement: The new encoding introduced in version 3.14 of the SQL*Net Protocol was implemented.

UDP proxy
---------
9/ Fix: Erroneous handling of session table overrun was fixed.

======================================================
Changes in KERNUN release 3.8.3 (compared to 3.8.2-h4)
======================================================

Configuration
-------------
1/ Improvement: The DHCP server configuration was extended by an option for RAW line setting on both the global and the subnet level.
2/ Improvement: The CML VERIFY command checks ACL section usage. If there is an ACL with a SERVICE list matching no component, a warning is logged.

General
-------
3/ Fix: A bug in R.U.R. logging, when some mixture of ACL.TO TRANSPARENT and NON-TRANSPARENT items occurs, was fixed.
4/ Fix: Added a boot loader parameter to prevent a kernel panic during boot on some SuperMicro boards.

Packet filter
-------------
5/ New: Packet filter events can now be logged in the Kernun manner by a new component, PFLOGGER.

SMTP
----
6/ Fix: The SMTP proxy correctly handles the case when a domain name tested for the SPF resource record is an alias and the canonical name has no SPF records.

=========================================================
Changes in KERNUN release 3.8.2-h4 (compared to 3.8.2-h3)
=========================================================

General
-------
1/ Fix: Bug in the new disk partitioning setup for 4096 B physical sectors.

=========================================================
Changes in KERNUN release 3.8.2-h3 (compared to 3.8.2-h2)
=========================================================

General
-------
1/ Fix: Disk partitioning in the Kernun installer now supports proper partition alignment on disks with Advanced Format (4096 B physical sectors).

=========================================================
Changes in KERNUN release 3.8.2-h2 (compared to 3.8.2-h1)
=========================================================

OVPN
----
1/ Improvement: BYTES-CIN and BYTES-COUT values are now 64-bit, so they are less likely to overflow.

General
-------
2/ Base OS version changed to the latest release on the FreeBSD 8.4 security branch.

======================================================
Changes in KERNUN release 3.8.2-h1 (compared to 3.8.2)
======================================================

OVPN
----
1/ Fix: A bug in memory pool initialization that could cause loss of the configuration file has been fixed.
===================================================
Changes in KERNUN release 3.8.2 (compared to 3.8.1)
===================================================

Configuration
-------------

1/ Improvement: Completely redesigned configuration of the IDS/IPS system based on Snort.

2/ Improvement: If no localhost items are in the HOSTS-TABLE, the default settings for 127.0.0.1 and ::1 are added to the /etc/hosts file.

3/ Fix: A bug in interface tagging was fixed.

4/ Fix: Nameserver database files were moved to the /var/run directory. Thus, the slave zones are not removed during the kat.apply command.

5/ The IPS/IDS configuration has been updated. Pulledpork is now used for downloading the rules.

6/ New: The SNMP daemon has been incorporated into CML and KAT as a new component named SNMPD.

7/ New: The HTTP-CACHE component has been incorporated into CML and KAT. Currently, it is implemented using Squid.

8/ Improvement: All the timeouts in the RESOLVER section can now have values in seconds, with up to three decimal digits (i.e. msec) after the decimal point allowed.

General
-------

9/ Fix: A bug in monitoring was fixed that could cause a wrong category and URL of the connection to be shown.

10/ New: Web servers whose categories are not found in the Clear Web database can be categorized automatically. A web page with unknown categories is downloaded and passed to a categorization engine. Its result is stored in a local database and will be used for future accesses to the web server until it emerges in some update of the Clear Web database.

11/ New: A new database engine can be used for processing statistical reports.

12/ Improvement: An extra category 'Internal servers' was added. All servers with RFC1918 IP addresses now belong to this category. Custom domain names that should be included too may also be configured.

13/ New: Statistic information about active OpenVPN connections is tracked continuously and is reported in the statistic log.
14/ Improvement: In HTTP, ICAP and FTP, traffic shaping was extended for use also in layer 3 ACLs (doc-acl).

15/ Improvement: The ICAP antivirus client can accept a 200 OK server response with a pure document in the response body as a negative answer (like e.g. Kaspersky does). The item ANTIVIRUS.ICAP-PASS-200-WITH-PURE-BODY switches this behavior on.

16/ New: A new antivirus check mode (stream mode) was implemented. It can slow down receipt of data from the source in the case of a slow transfer rate to the destination.

17/ Improvement: The RESOLVER.INITIAL-TIMEOUT values are now entered as a number with up to three decimal digits (i.e. msec) after the decimal point allowed.

18/ Improvement: The RULE token in statistics messages is filled with the name of the ACL responsible for the final decision when no explicit RULE item is configured in the ACL.

19/ Improvement: The ntp.conf generated by CML was extended to cover several DoS attack risks.

DNS proxy
---------

20/ New: The RESPONSE-TIMEOUT item, with values in seconds and up to three decimal digits (i.e. msec) after the decimal point allowed, was introduced. If a request resolution lasts longer than this timeout, the response is not sent.

HTTP proxy
----------

21/ New: HTTPS inspection was implemented.

22/ Improvement: Kerberos authentication in an Active Directory environment can distinguish between users and groups with the same names in different domains.

23/ Fix: Kerberos authentication of users belonging to only one (the primary) group was fixed.

24/ Fix: Handling of timeouts during LDAP requests for group membership of authenticated users was fixed.

25/ Fix: The default server port number for HTTP requests redirected to the HTTP proxy from a router was fixed.

ICAP server
-----------

26/ Improvement: The ClearWeb category of a request is logged before the whole request is read, so that it is logged also in the case of a late request failure.
KAT
---

27/ Fix: The reload command properly waits for all resources to be released.

Packet filter
-------------

28/ Fix: The PFCONFD component needs proper access rights to the /dev/pf device. The installation process of the devfs.rules file was fixed to guarantee them.

29/ Fix: A bug in the automatic packet filter tables generation optimization was fixed.

30/ Fix: A bug in antispoof rules on a firewall cluster was fixed.

SIP proxy
---------

31/ Fix: A new SIP registration refreshes all data stored in the SIP YP. Thus, when e.g. the outer IP address changes, the new registration works properly.

SMTP proxy
----------

32/ Change: Due to a very commonly occurring violation of the RFC, the default value of the MIME encoded line maximum length was increased from 76 to 77. We hope that it will not cause any problem on the recipient side.

TCP proxy
---------

33/ Improvement: Besides the direction-specific idle timeouts, a general one was added (on both the proxy level and the session-acl level). The general timeout has lower priority than the side-specific ones.

GUI
---

34/ New: The Cfg tab has been introduced for proxies; it displays the low-level configuration of the particular proxy.

35/ New: The Postfix 'Mail queue' tab has been introduced; it displays the list of pending mails.

36/ New: Statistic files can now be downloaded right from the GUI as a single resulting .html file.

37/ Fix: A bug that could cause a GUI crash when removing the cluster parameter in the configuration was fixed.

38/ Fix: A bug that could lead to a freeze of the upgrade while viewing the configuration was fixed.

39/ Fix: The Ctrl+L shortcut is now bound correctly again.
40/ The Linux GUI is compiled for Ubuntu 14.04.

41/ The Linux GUI is no longer provided for 32-bit systems.

=================================================
Changes in KERNUN release 3.8.1 (compared to 3.8)
=================================================

General
-------

1/ Change: All system files having their data source in the CML configuration are now generated regardless of the presence or absence of the proper sections in the configuration. E.g. the /etc/hosts file is always generated; if the HOSTS-TABLE section is missing, the file will be empty. The change concerns the following files: resolv.conf, dhcpd(6).conf, hosts, ipsec.conf, racoon/*, krb5.conf, periodic.conf and pf.conf.

2/ Fix: The 'named' daemon had unknown problems with slave database file access permissions. Thus, all those files were moved to an extra folder with full access for everyone.

Configuration
-------------

3/ Fix: The lagg interfaces caused wrong antispoof rules to be generated into pf.conf. This bug was fixed.

HTTP proxy
----------

4/ New: The HTTP proxy supports user authentication with Microsoft Windows Active Directory using the Kerberos protocol.

5/ Fix: Some FTP servers reject an anonymous connection immediately after receiving the USER command, and the HTFTP module for proxying the FTP service over the HTTP protocol handled this reaction improperly. This bug was fixed and the proxy now sends a proper authentication request to clients.

6/ Fix: After some types of errors, the HTTP proxy providing also the antivirus checking ended with a panic. This bug was fixed and the proxy now ends properly.

GUI
---

7/ Fix: A bug has been fixed that caused the system graphs not to work in version 3.8.

SMTP proxy
----------

8/ Fix: In some circumstances, the SPF check caused the proxy to panic. The bug was fixed.
=================================================
Changes in KERNUN release 3.8 (compared to 3.7.2)
=================================================

General
-------

1/ Change: The stats log has been introduced; the debug log has been moved from /var/log/kernun to /var/log/kernun.debug. See logging(7) for more information. Please see KERNUN-RELNOTES for information on converting the existing log.

2/ Fix: The openvpn now correctly distinguishes ' ', '.' and '_' in the common name of the client certificate if specified in the ovpn-ccd.cn item, as specified in openvpn(5).

3/ Change: The default behaviour of proxies in the case of a logging failure was changed. Instead of STOPping themselves, the proxies IGNORE the lack of logging capability and restore logging when it is available again. All reactions (including the FILE one) are still configurable. This change was motivated by several occurrences of a very slow restart of the syslog facility causing failure of all proxies.

4/ New: Support for Dead Peer Detection (DPD) was added to IPsec.

5/ Fix: An error in the LDAP session cache cleanup operation was fixed.

6/ Fix: An error in LDAP connection reinitialization was fixed.

7/ Fix: It is now possible to combine packet filter rules with IPsec VPN links; a colliding condition has been removed.

8/ New: The STATIC-PORT option of NAT rules in the packet filter configuration was added.

9/ Fix: Handling of TCP delayed acknowledgements and Nagle's algorithm was fixed, which improves TCP latency in proxies.

Antivirus
---------

10/ New: Antivirus checking was changed so that more engines can be contacted to check documents through parallel channels. This brings several advantages, e.g. better engine backup properties, lower dependency on virus database content, etc.

11/ New: Every antivirus engine can be configured with a timeout for receiving the answer (ANTIVIRUS.TIMEOUT). After its expiration, the engine returns the virus status ERROR.
12/ Improvement: If a size limit is configured for the antivirus checking, the admin can decide between skipping oversized files or checking just the initial part of the given size.

13/ New: The ICAP protocol was fully implemented for contacting antivirus ICAP engines. This feature was successfully checked against Symantec, Kaspersky, Sophos et al.

14/ Fix: A combined result in the DrWeb antivirus engine response is handled properly. If both VIRUS_FOUND and some of the error status flags are set, VIRUS_FOUND has priority.

Configuration
-------------

15/ New: Client and server address deresolution can be disabled altogether using the RESOLVER.DISABLE-DERESOLUTION item.

16/ Improvement: All items referring to an SSL-PARAMS section were renamed to be unified throughout the whole kernun.cml. Parameters for the connection to the client are now referred to in all components by an item named CLIENT-SSL, and server-side parameters use the name SERVER-SSL.

17/ Improvement: A new integrity test was added to the traffic shaping configuration. If the PRIQ scheduler is used, then queue priorities have to be unique. This condition is now tested.

18/ Fix: User-defined options for sshd servers are generated at the beginning of the sshd config file, so they can override the default ones.

19/ New: Log rotation configuration now also supports setting the pid-file name and signal number.

20/ New: The IKE-FRAG and ESP-FRAG items were added to the IPsec remote section.

FTP
---

21/ Fix: When using keepalive mode in antivirus checking (sending a part of the unchecked document to the destination), the upload was not correctly aborted when a virus was found. This bug was fixed.

22/ Fix: In some cases, the FTPT-890-I DATA-END log message did not contain the final data command response code and message from the server. This bug was fixed.

HTTP
----

23/ New: Use of usernames during an FTP transfer is fully supported.
The http-proxy now reacts to an authentication error reported by the ftp-proxy by sending the WWW-Authenticate header in the response. Thus, the client asks the user for a username and password, which are then forwarded to the ftp-proxy.

24/ Fix: The HTTP proxy no longer times out during antivirus processing and subsequent sending of large files to the client.

25/ Improvement: If the REQUEST-ACL selected for a request contains HOST-HDR-TRANSP, then the proxy checks that it does not connect back to itself, unless such connections are enabled by ENABLE-LOOPBACK.

26/ Fix: The HTTP proxy does not check DOC-ACL for responses that do not contain a response body. These are responses to HEAD requests and responses with status codes 1xx, 204, 205, and 304.

27/ Improvement: Headers defined by REQUEST-ACL.ADD-RESP-HDR are added also to local file responses, which can be invoked by REQUEST-ACL.FILE-RESPONSE.

28/ New: The request URI rewriting mechanism triggered by REQUEST-ACL.REWRITE can generate an HTTP permanent redirect (status code 301) or temporary redirect (status code 302).

29/ Fix: The request URI matched by REQUEST-ACL.REWRITE is now the same as the URI matched by REQUEST-ACL.REQUEST-URI. It includes the "http://server" part even in a transparent proxy setup.

30/ Improvement: EOF and RESET from the client between requests are treated as a normal end of session; the session is now ACCEPTED, not FAILED.

H.323
-----

31/ Improvement: The data channel peer address check was changed so that in the case of a plug-to connection, the address offered by the server can be either the original or the new (plug-to) address. However, the connection is always targeted to the new address.

ICAP
----

32/ Fix: The ICAP server did not check the DOC-ACL.CONTENT-TYPE entry condition. This bug was fixed.
33/ Improvement: When the antivirus check is configured with the keepalive option and the check fails after some data was sent to the destination, the DOC-ACL selected previously is checked again for whether it contains a proper VIRUS-STATUS item. See icap-server(8) and antivirus(7) for more details.

Packet filter
-------------

34/ New: Hostnames in the packet filter configuration are handled properly, i.e. if the configuration contains names, an extra component PFCONFD is started to periodically refresh the name resolutions and update the real configuration of the packet filter.

35/ Fix: Incorrect blocking of local traffic on CARP interfaces when using antispoof rules was fixed.

SMTP
----

36/ Improvement: The ESMTP DSN extension was implemented in full extent, i.e. the clients' additional attributes of SMTP commands are processed and forwarded to forwarders, and Relayed DSN messages (besides the Failed ones) are now generated, if requested, when a letter is sent to a forwarder without DSN support.

37/ Fix: The SIZE attribute of MAIL-ACL was unintentionally ignored in previous versions. The bug was fixed and this entry attribute is now fully valid. Also, in the mail access proxies (POP3 and IMAP4), this entry attribute is now denied.

38/ Fix: An error in quarantine saving of a document positively checked by an antivirus but without any virus name was fixed.

39/ Fix: An error in white-listing (Sender Policy Framework) processing was fixed.

40/ New: Mails containing base64 and quoted-printable encoded lines longer than the RFC allows (76 characters) can now be permitted by the ENC-LINE-LEN item in the MAIL-FILTER section.

===================================================
Changes in KERNUN release 3.7.2 (compared to 3.7.1)
===================================================

General
-------

1/ New: XZ compressed installation (full & patch) images are now supported by Kernun in addition to bzip2.
2/ Fix: The Linux support package (emulators/linux_base-f10), along with the /compat/linux/sys and /compat/linux/proc entries in /etc/fstab, has been removed. It was previously required by sysutils/linux-megacli, which has been replaced by the FreeBSD native sysutils/megacli.

FTP
---

3/ New: Support for the CLNT command has been added.

GUI
---

4/ New: The GUI has been updated to support both XZ and bzip2 compressed installation images.

5/ Fix: The broken IPSec Wizard has been removed.

6/ Fix: The GUI no longer crashes after applying the filter in the log view.

ICAP
----

7/ New: If the client sends (in the X-Client-Username header) HTTP client usernames with domains, the domains can be used in the selection process among multiple LDAP servers.

8/ New: LDAP search results can now be stored in a special cache (see the LDAP-CACHE section).

=====================================================
Changes in KERNUN release 3.7.1 (compared to 3.7-h1)
=====================================================

General
-------

1/ Base OS version changed to the latest release on the FreeBSD 8.3 security branch.

2/ Improvement: The FileTimeout value in the DrWeb configuration has been increased to 60 seconds to allow larger files to be checked.

3/ Fix: sysmgr resolve now handles filenames containing spaces correctly.

4/ Fix: Empty directories were not included in the system backup. This problem was fixed.

DNS
---

5/ Fix: In some situations, dns-proxy dumped core when an internal request originator expired. This bug was fixed.

Statistics
----------

6/ Improvement: A separate category has been added for greylisted emails.

7/ Fix: Hitparade charts could be displayed incorrectly if the text on the x-axis was too long (e.g. domain names with multiple nested subdomains). This problem was fixed.

8/ Fix: Mail attachment processing has been fixed (the SPAM and REJECTED status is now inherited from the whole mail).

GUI
---

9/ New: The GUI now takes advantage of the Windows 7 Jump List to display a list of recent connections for quick access.
10/ Improvement: The tree widget in the Statistics viewer has been improved by only showing the 10 most recent items and nesting the others by year/week, year/month or year/month/day according to the period.

11/ Fix: The conflict resolution dialog now handles filenames containing spaces correctly.

==================================================
Changes in KERNUN release 3.7-h1 (compared to 3.7)
==================================================

Configuration
-------------

1/ Fix: The configuration upgrade script now handles duplicate SUM-STAT daily/weekly/monthly items correctly.

HTTP Proxy
----------

2/ Fix: Macros $3$ (URI) and $4$ (admin contact) for error documents etc., which contained garbage content under certain circumstances, have been fixed.

GUI
---

3/ Fix: The GUI no longer crashes while performing configuration verification after inserting INTERFACES into the CARP-MONITOR section.

=================================================
Changes in KERNUN release 3.7 (compared to 3.6.4)
=================================================

General
-------

1/ New: The installer CD-ROM ISO image has been discontinued and replaced by a USB flash drive image (IMG with a corresponding VMDK file for easy use in virtual machines such as VirtualBox or VMware Workstation).

2/ New: The utility clear-web-db uses the default Clear Web database file /data/var/clear-web-db/clear-web.db if the database file name is not specified on the command line.

3/ New: The packages net-snmp and squid have been added to Kernun.

4/ Improvement: The initial timeout for deresolving clients and servers was changed to 200 msec (from 1 sec) in order to start quickly even if the host has problems with deresolution. This default can be changed in the configuration to any time interval in msec.

5/ Fix: Updates of the Clear Web database are properly detected and the new database is used.
In previous versions, database updates were not detected in rare circumstances, which caused an outdated database to be used.

6/ Fix: The FLOWTABLE option has been disabled in the FreeBSD kernel configuration to prevent the "[flowtable] flowcleaner 100% cpu's core load" issue, as described in http://www.freebsd.org/cgi/query-pr.cgi?pr=146792.

7/ Improvement: The TARGET of the current protocol unit has been added to the monitoring data of every proxy. Its semantics depends on the particular proxy, e.g. for the http-proxy it is the URI, for the ftp-proxy the remote user, server and file, for the smtp-proxy the list of recipients, for the dns-proxy the query type and name, etc.

8/ Improvement: The ALTQ definition must now have the BANDWIDTH item specified. Without it, pf was not able to start in some cases.

9/ Improvement: The PHASE1 section of the IPSEC section was moved to the SYSTEM configuration level and renamed to IPSEC-REMOTE. The reason is that the racoon configuration file has a similar structure for every such section. This section is recognized by the remote host address and must be unique. In the old Kernun configuration format this was nontrivial for the admin to keep in mind. Now, the verification operation checks whether there is a proper IPSEC-REMOTE section for every IPSEC.

Cluster
-------

10/ Improvement: The CLUSTER section was removed. All its members were moved one level up in the configuration. Thus, all cluster interfaces are now regular interfaces, and all monitors are regular Kernun components (with all consequences, e.g. starting, stopping, using iface addresses for listening, etc.). The configuration convertor is able to make these changes in ordinary (not very complicated) configurations. WARNING: If you use your own carp-monitoring script and you check its parameters carefully, please take into account the extra parameter '(carp-monitor)' added at the end of them when calling the script.

11/ Improvement: The method of changing a CARP node state (MASTER/BACKUP) was changed.
Instead of switching the interfaces on/off, they are now kept on-line, and just the value of 'advbase' is increased by a fixed value defined in the configuration (the ADVBASE-INCR item). The CARP-CONTROL (starting and stopping tagged Kernun components) is now linked to the current state of all interfaces reported by ifconfig.

12/ Improvement: The method of detecting network reachability was changed. Instead of pinging a set of hosts where every unreachable host causes a state change, a set of groups of hosts can now be defined, where an answer from any host in each group is considered a success.

13/ New: The CARP monitoring script activity is logged to /var/log/kernun.

Configuration
-------------

14/ New: To clarify the meaning of integer constant suffixes, the IEC standard was adopted, i.e. the suffixes K, M, G, and T have decimal meanings (10^3, 10^6, 10^9, 10^12) and the newly added suffixes Ki, Mi, Gi, and Ti have binary meanings (2^10, 2^20, 2^30, 2^40). Old configurations will be converted during the upgrade.

15/ New: The set of configurable parameters of Postfix mail forwarders was extended by the SMTP-HELO-NAME (Postfix main.cf smtp_helo_name variable value) and SET-ENV (generic main.cf variable) items.

16/ Improvement: The MAC address setting is now accepted in all three well-known common formats (xx:xx:xx:xx:xx:xx, xx-xx-xx-xx-xx-xx and xxxx.xxxx.xxxx). An incorrect setting is reported as an error.

DNS Proxy
---------

17/ Improvement: Traffic statistics were changed to be similar to other proxies: the REQUEST-END message contains the server-side counters, the SESSION-END one the client-side counters.

FTP Proxy
---------

18/ Fix: A connection reset done by the server when uploading a file is correctly handled.

19/ New: After a data connection error, both error messages (ours and the server's) are incorporated into the error message for the client.

20/ Fix: In the HTTP <-> FTP module, handling of an unexpected server "421" response was fixed.
21/ Improvement: In the HTTP <-> FTP module, duplicate sending of ABOR to the server was avoided, because some servers were not able to handle it correctly.

HTTP Proxy
----------

22/ New: Results of NTLM authentication can be cached for subsequent out-of-band authentication of the same client. This can substantially decrease the load on the Active Directory controller generated by NTLM-related traffic from the proxy.

23/ New: New macros $5$ (Kernun product type), $6$ (session id), and $7$ (request start date/time) have been added to the http-proxy. Message-specific macros had to be renumbered to begin with $8$ instead of $5$. The default error documents supplied with Kernun have been updated to reflect this change. However, custom pages will have to be updated manually.

24/ Improvement: The default error documents now display the session id and request start date/time in the footer to simplify troubleshooting between users and the firewall administrator. The "Contact the administrator" mailto: links have also been enhanced to populate the e-mail subject and body automatically with relevant information.

25/ Improvement: The http-proxy assigns the content type application/octet-stream (instead of no content type) to files received from the ftp-proxy for ftp scheme requests.

26/ Fix: Reading of the request body by AProxy now properly handles a packet boundary encountered in the initial part of the body where an AProxy session cookie is expected.

ICAP Server
-----------

27/ Improvement: Preview processing was fully implemented. The server chooses the proper preview model (whether to use it or not and what size of the preview block is preferred) and advertises it to the client in the OPTIONS response. During operation, the server waits for the complete preview block, makes a decision and responds with 100 Continue or some error response.
28/ New: If the client sends (in the X-Client-Username header) HTTP client usernames with domains, the domains can be stripped off from further processing using the STRIP-USER-DOMAIN item.

29/ New: The summary of HTTP session parameters as announced by the ICAP client is now logged by the new ICAR-818 message.

30/ Fix: The output of the list of groups in the LIBA-700 message was fixed.

KAT
---

31/ Improvement: The restart/reload warning displays the number of components the command will concern.

SMTP
----

32/ Improvement: When a client stops sending a mail after all RCPTs were rejected, without attempting to send the DATA command, the final MAIL-END message contains the more appropriate status REJECTED.

Statistics
----------

33/ Improvement: The old single-purpose statistics scripts (sum-proxy, sum-http, sum-smtp, ...) have been replaced by a single universal sum-stats script that supports multiple proxy types.

34/ Improvement: The HTML output has been redesigned to be simpler and more interactive. Pages are dynamically generated by JavaScript from JSON data files, which are produced by sum-stats.

GUI
---

35/ Improvement: The Statistics viewer has been updated to use QtWebKit, which is necessary to display the new interactive statistics (JavaScript + SVG).

36/ Fix: Grep no longer stays running on Kernun after aborting a large log view download under rare circumstances (a restrictive filter that produces sparse output).

======================================================
Changes in KERNUN release 3.6.4 (compared to 3.6.3-h1)
======================================================

General
-------

1/ New: The default contents of the system backup list file (/etc/kernun-fsdb-include) have been marked with comments, which may cause a conflict during the upgrade process.

2/ New: Mail proxies (SMTP, IMAP4, POP3) now also report partial spam scores by category into the log.
3/ Improvement: If the antivirus check is configured with a size limit (maximum size for checking), reading and storing the file is stopped when the limit is reached.

4/ Improvement: The number of current sessions is displayed in the graphs instead of the number of running child processes of the proxy.

5/ Improvement: Deresolving of client/server addresses to names for monitoring is done by the proxy. Thus, monitoring is reasonably faster.

6/ Fix: If the proxy configuration contains hostnames, there is a special process taking care of refreshing the resolution (ACR). This process had an incorrectly set signal handler, which could cause the proxy to be killed instead of e.g. incrementing the log level. The bug was fixed.

Configuration
-------------

7/ New: An alternative way of time specification is used in ACLs. The new section TIME-PERIOD-SET can now be used instead of the old set of TIME items. The main advantages are date ranges (e.g. from 24.12. to 3.1.) and negation of the whole time period set.

CML
---

8/ Improvement: The date and time displayed when using KAT.RLOG is shown in local time instead of UTC.

ICAP Server
-----------

9/ New: Sending of the response body can be started before the antivirus check is finished (like in the http-proxy). This can prevent the client from timing out before the whole file is received by the ICAP server and the antivirus check is completed.

10/ Improvement: The ICAP server response language can be set also in the REQUEST-ACL (besides SESSION-ACL and SERVICE-ACL).

HTTP Proxy
----------

11/ Improvement: The HTTP proxy response language (REQUEST-ACL.LANGUAGE) configuration option is now character set independent. All response pages are now served in UTF-8 encoding.

12/ Improvement: The design of all response pages has been unified.

SMTP Proxy
----------

13/ Fix: Incorrect handling of the server-side connection timeout at the end of a mail was fixed.
======================================================
Changes in KERNUN release 3.6.3-h1 (compared to 3.6.3)
======================================================

General
-------

1/ Fix: The algorithm for writing syslog messages from proxies was modified so that simultaneous logging from many processes does not overload the system.

2/ Improvement: The OS kernel now supports polling mode for network device drivers.

ICAP Server
-----------

3/ Fix: The response body is sent correctly in the case of an antivirus check skipped due to the message size.

===================================================
Changes in KERNUN release 3.6.3 (compared to 3.6.2)
===================================================

Configuration
-------------

1/ New: The SYSTEM.ADMIN item now has two elements; the first one is used as the "technical" contact to administrators, the second one as the public contact for users.

2/ New: The advbase parameter of a CARP interface is now configurable via a new item ADVBASE of the CLUSTER.CARP-INTERFACE section.

DNS Proxy
---------

3/ Fix: Wildcards are now allowed in NSEC responses.

4/ Fix: If a UDP packet with a quick-retry query failed to send, the proxy kept sending the quick-retry until the request-timeout. A sending error of another query, or a reading error (like receiving ICMP error messages), were handled correctly. The bug was fixed.

======================================================
Changes in KERNUN release 3.6.2 (compared to 3.6.1-h1)
======================================================

CML
---

1/ Improvement: CML now considers different revisions (beta, rc, release, hotfix) of the same version compatible and will not show a warning.

2/ Fix: C3H module error recovery after some types of user errors was fixed.

Configuration
-------------

3/ Fix: An item autoreference (i.e. an element value "^..." pointing back to the item itself) was incorrectly handled, and due to very limited usage possibilities it is now denied.
General
-------

4/ New: IFRAME tag filtering (clickjacking protection) was added to the HTML filter module.

5/ Fix: A security vulnerability in the operating system BIND daemon was fixed.

GUI
---

6/ Improvement: The View/Edit configuration toolbar button is now disabled until GKAT determines the user id, to prevent the configuration from being opened in read-only mode for admin users.

7/ Fix: The upgrade process no longer reports success after failing to apply the configuration. This also prevents rebooting the machine into an unconfigured system.

8/ Fix: The storage location for autosave.cml was changed on Windows to "%LOCALAPPDATA%\Kernun GUI" to avoid relying on UAC virtualization (Program Files contents are read-only for non-elevated applications).

9/ Fix: The GUI will no longer fail to connect if SSH is not configured as the default protocol in PuTTY (Default Settings -> Connection Type -> SSH).

HTTP Proxy
----------

10/ Improvement: A non-transparent http-proxy can be used for handling requests transparently redirected to the proxy by other means than the proxy's built-in transparency support. In such a situation, the request URI does not contain the server address, which is taken from the Host header instead. This functionality can be enabled by the request-acl.host-hdr-transp configuration item.

ICAP Server
-----------

11/ New: LDAP group membership of the HTTP request user is now available for testing within REQUEST-ACLs.

SMTP Proxy
----------

12/ Fix: If the quoted-printable encoding found a dot exactly on a block boundary, it doubled the dot. The bug has been fixed.

13/ Fix: The REDIRECT-TO item was ignored for recipients added by a COPY-TO item. The error has been fixed and REDIRECT-TO is fully accepted even for newly added recipients.

======================================================
Changes in KERNUN release 3.6.1-h1 (compared to 3.6.1)
======================================================

General
-------

1/ Fix: The tun interface does not lose its IP address upon openvpn restart.
=====================================================
Changes in KERNUN release 3.6.1 (compared to 3.6)
=====================================================

General
-------

1/ Base OS version changed to the latest release on the FreeBSD 8.2 security branch.

=====================================================
Changes in KERNUN release 3.6 (compared to 3.5-h3)
=====================================================

General
-------

1/ Base OS version changed to the latest release on the FreeBSD 8.1 security branch.

2/ Improvement: Some space-consuming log dumps (like the request-table dump in dns-proxy in case of table exhaustion) can now be limited so that they occur no more often than once within the time period defined by the LOG.DUMP-HOLD-TIME item.

3/ Fix: If no interface has an IPv6 address set, proxies do not try to get AAAA addresses (as if PREFERENCE IPv4 were used). If some IPv6 address is configured, the default resolver PREFERENCE respects the setting done via IPV6-ADDRCTL (RFC 3484).

4/ New: The content type obtained by libmagic is truncated to "type/subtype" before being used for matching in ACLs.

Configuration
-------------

5/ New: The configuration now has strict locking. This means that the RCS file for the configuration (kernun.cml,v) must be locked for the current user in order to allow manipulating it. The locking procedure is incorporated into standard CML operation; moreover, new options of the cml tool and a new command ./rcs are available for pure locking and unlocking operations. The Kernun GUI has also been updated to implement the locking scheme.

6/ Improvement: The algorithm for generating proxy configuration files has been improved. The files now contain just the sections and items actually needed.

7/ Improvement: If the address of a reverse NAMESERVER.ZONE covers more reverse domain names, appropriate zones will be generated for all of them. For instance, the address [10.0.0.0/23] represents both the 0.0.10.in-addr.arpa and 1.0.10.in-addr.arpa zones.
8/ New: Native lines of a nameserver zone database file can now be defined by the RAW item of the appropriate ZONE.GENERATE section.

9/ Fix: As in the IPv4 case, the zone for IPv6 localhost reverse resolution (0. ... .0.ip6.arpa) is generated by default.

10/ New: The packet-filter configuration was moved from /etc/pf.conf to /usr/local/kernun/etc/pf.conf, and a missing PACKET-FILTER section in kernun.cml will cause pf_enable to be set to "NO" in the /etc/rc.conf file.

DNS proxy
---------

11/ Improvement: If the proxy causes (e.g. due to denying requests or filtering responses) a response with the NXDomain response code, or the NoError response code and no answer (AN) records, to be sent, it adds a SOA record with a proper TTL so that clients can cache the negative result. This behavior can be configured by the NEG-RESP-TTL item of the corresponding REQUEST-ACL.

12/ Improvement: Within a REQUEST-ACL, the QUERY-NAME definition for reverse resolution (i.e. *.in-addr.arpa or *.ip6.arpa subdomains) can now be specified by the corresponding network address instead of a string expression.

13/ New: IPv6 addresses (AAAA) can now be faked, too.

14/ Fix: If no interface has an IPv6 address set, the proxy does not use IPv6 nameservers learned during the resolution process.

15/ New: Restricting the resolving process to IPv4 or IPv6 servers only can be forced by the SERVER-PROTO item.

16/ Fix: In some circumstances, suspended requests waiting for an identical request were answered without any AN record. This bug was fixed.

FTP proxy
---------

17/ New: The filtering of server replies to the FEAT command can now be configured by the COMMAND-ACL.FEATURE item. Unknown options are removed by default.

ICAP server
-----------

18/ Fix: Several errors that occurred when testing communication with the ICAP client in Squid were fixed.
=====================================================
Changes in KERNUN release 3.5-h3 (compared to 3.5-h2)
=====================================================

General
-------

1/ Fix: The missing command chown was added to the installation system on the Kernun installation CD.

2/ Fix: A missing directory for graphs (/data/graphs) is automatically created during application of the configuration.

3/ Fix: Parameters of the network card driver bce were tuned.

4/ Fix: Logging of user sessions is limited to sessions that create pseudoterminals. See also the note about session logging and .profile in KERNUN-RELNOTES.txt.

Configuration
-------------

5/ New: It is possible to add user-defined variables for a custom CARP monitoring script (and omit the standard ones).

6/ Fix: A system backup contains the name of the applied system configuration section. This name is used to apply the correct system when restoring from the backup.

FTP proxy
---------

7/ Improvement: Both CML and ftp-proxy check whether the DATA-PORT item is configured properly. Reserved data ports cannot be used if the proxy is run under a non-root user.

=====================================================
Changes in KERNUN release 3.5-h2 (compared to 3.5-h1)
=====================================================

General
-------

1/ Fix: A security vulnerability in the operating system OpenSSL library was fixed.

2/ Improvement: Some more L3 protocols can be used in the PF configuration.

GUI
---

3/ Improvement: A user with audit rights can generate and view graphs of system parameters.

==================================================
Changes in KERNUN release 3.5-h1 (compared to 3.5)
==================================================

General
-------

1/ Fix: Ownership of files related to the DrWeb antivirus was fixed.

2/ Fix: Contents of the user and group databases were fixed.
=================================================
Changes in KERNUN release 3.5 (compared to 3.4.1)
=================================================

General
-------

1/ New: Support for IPv6 was added.

Configuration
-------------

2/ Fix: Nameserver directories are owned by the 'kernun' user so that downloading of slave zone files can be done properly.

GUI
---

3/ Fix: Excessive memory usage when viewing large logs from the GUI was fixed.

HTTP proxy
----------

4/ Fix: Bugs in the algorithm for searching the ClearWeb DB were fixed.

5/ Improvement: New configurable options for handling the Accept-Encoding and Content-Encoding headers were added.

=================================================
Changes in KERNUN release 3.4.1 (compared to 3.4)
=================================================

General
-------

1/ Fix: An integer overflow vulnerability in the operating system's bzip2 library was fixed.

2/ Fix: Proxies can show their version without a valid license.

Configuration
-------------

3/ New: Interface type lagg (aggregation of Ethernet interfaces) in failover mode is now supported in the configuration. Physical interfaces are attached to a lagg interface by the INTERFACE.AGGREGATE item.

4/ Fix: Having both graphical and textual statistics at the same time no longer causes the "statistics" script to fail with a "Cannot create directory" error message.

FTP proxy
---------

5/ Fix: A RADIUS authentication bug was fixed.

6/ New: All erroneous server responses are logged at the W level.

7/ New: Full support for the MLSD and MLST commands was implemented.

8/ New: The server reply to the FEAT command is filtered and unimplemented features are removed.

HTTP proxy
----------

9/ New: Detection of patterns in data streams transferred by the CONNECT HTTP method was improved by allowing data to pass while tests are being performed.

10/ Improvement: The accept-gzip option has two new possible values, 'client' and 'client-add'.
11/ Fix: Enabling Clear Web DataBase Bypass in the configuration does not automatically enable parsing of the Set-Cookie response header. This change prevents failure of requests to servers that send incorrect Set-Cookie headers (which is a widespread practice accepted by browsers).

SIP proxy
---------

12/ New: By default, all rejected sessions are ignored instead of being terminated gracefully. This feature can protect against a DoS attack that sends unauthorized session requests. Regular session termination can be forced by the REJECT-GRACEFULLY item.

TCP proxy
---------

13/ New: Detection of patterns in data streams transferred by the proxy was improved by allowing data to pass while tests are being performed.

====================================================
Changes in KERNUN release 3.4 (compared to 3.3.2-h1)
====================================================

General
-------

1/ Fix: A bug was fixed in the libmagic library used for file type detection based on magic numbers. If a proxy process tried to detect the type of a compressed file, it could become stuck in an endless loop consuming 100 % CPU time.

HTTP proxy
----------

2/ New: The HTTP proxy now supports categorization of web servers by the Clear Web DataBase. The set of categories assigned to a web page can be used as an entry condition in a REQUEST-ACL (item CLEAR-WEB-DB-MATCH).

3/ New: A new condition REFERER was added to the REQUEST-ACL section. It provides selection of a REQUEST-ACL according to the contents of the Referer HTTP header.

4/ New: The error page presented to a user for a request denied by an ACL can be customized (item DENY-MSG of REQUEST-ACL and DOC-ACL). It is possible to configure the message text shown in the error page and the name of a file used as the template of the error page.

5/ Improvement: More information about an HTTP request can be displayed to the user if the request is denied by a REQUEST-ACL or a DOC-ACL.
It is newly possible to display the client IP address or host name, the user name of an authenticated user, the name of the denying ACL, a configurable message, and the set of Clear Web DataBase categories (meaningful only if the request has been processed by the Clear Web DataBase).

6/ New: Detection of patterns in data streams transferred by the CONNECT HTTP method was implemented.

7/ Fix: The default of the configuration item SESSION-ACL.LINGER-TIME was changed to 1. This prevents resetting the TCP connection before the client receives a complete error response from the proxy.

TCP proxy
---------

8/ New: Detection of patterns in data streams transferred by the proxy was implemented.

======================================================
Changes in KERNUN release 3.3.2-h1 (compared to 3.3.2)
======================================================

General
-------

1/ Fix: A potential vulnerability in the operating system kernel was fixed.

2/ Improvement: The maximum length of the queue of established TCP connections waiting to be processed by a proxy was increased to 16384 (sysctl kern.ipc.somaxconn).

3/ Improvement: Matching patterns for MS Project and Visio files were improved in the libmagic database.

FTP proxy
---------

4/ Fix: A panic in the proxy with configured RADIUS authentication was fixed.

HTTP proxy
----------

5/ Improvement: Rules for parsing the Set-Cookie and Cookie headers were relaxed, because many web servers do not obey the rules for the contents of these headers.

======================================================
Changes in KERNUN release 3.3.2 (compared to 3.3.1-h2)
======================================================

General
-------

1/ Improvement: Third-party software packages used by Kernun were updated to recent versions.

2/ Improvement: Patterns for new file formats (PCX images, MS Office and OpenOffice documents) were added to the libmagic file type recognition pattern database.
3/ Fix: Recognition of Ethernet interfaces in the initial configuration script was fixed.

4/ Fix: Active Directory domain membership is retained after a system backup/restore or upgrade.

5/ Fix: Matching of the PCX image format was added to the libmagic database file for document type identification in proxies.

6/ Fix: Handling of signals generated by expired internal timeouts in various Kernun software modules was fixed. This correction prevents intermittent processing failures, mainly when a proxy communicates with an external program or database.

Configuration
-------------

7/ Improvement: New antivirus status codes were added. The possible outcomes of antivirus checking are FREE, FOUND, SKIPPED, UNKNOWN, and ERROR. The configurable reactions of proxies to the status returned by an antivirus are now more flexible.

8/ Improvement: Application of the configuration to a remote Kernun system (by KAT or GUI) copies all configured SHARED-FILEs to the remote system.

9/ Improvement: The files /boot/loader.conf and /etc/rc.conf.local are now preserved across system backup/restore and upgrade by default.

10/ Fix: Handling of libmagic pattern database files (PROXY.DOCTYPE-IDENTIFICATION.MAGIC) was fixed.

11/ Fix: The order of options generated for the openvpn ccd files was changed: push-reset is generated as the first option.

FTP proxy
---------

12/ Improvement: The occurrence of the COMMAND item (defining rules for various FTP commands) within all (accepting) COMMAND-ACL sections is checked. Thus, incorrect configurations having no COMMAND item are detected in the CML verification phase.

HTTP proxy
----------

13/ Improvement: The HTTP proxy now modifies the Accept-Encoding HTTP request header so that only the identity and gzip encodings are accepted by default. The proxy understands these encodings and is able to perform data filtering and MIME type detection on data using them. If data processing by the proxy is not needed, other encodings may be allowed by setting REQUEST-ACL.ACCEPT-GZIP to NO.
14/ Improvement: The workgroup name for NTLM authentication can be set explicitly, independently of the Active Directory domain name.

15/ Improvement: Communication (related to NTLM authentication) with an Active Directory Domain Controller can be limited to selected network interfaces.

16/ Improvement: More than one Active Directory Domain Controller can be used for NTLM authentication.

17/ Fix: A blacklist database must be specified in the configuration if blacklist matching is configured by a REQUEST-ACL or DOC-ACL.

18/ Fix: Termination of network connections in an HTTP proxy that uses NTLM authentication was fixed.

======================================================
Changes in KERNUN release 3.3.1-h2 (compared to 3.3.1)
======================================================

General
-------

1/ Fix: A buffer overflow vulnerability (other than the one fixed in 3.3.1-h1) was fixed in the TIFF library, used by the SpamAssassin module FuzzyOcr.

2/ Fix: Superfluous debugging messages were removed from the operating system kernel log on the AMD64 platform.

======================================================
Changes in KERNUN release 3.3.1-h1 (compared to 3.3.1)
======================================================

General
-------

1/ Fix: A buffer overflow vulnerability was fixed in the TIFF library, used by the SpamAssassin module FuzzyOcr.

=================================================
Changes in KERNUN release 3.3.1 (compared to 3.3)
=================================================

General
-------

1/ Fix: Log messages generated by a proxy via syslog are not lost even during periods of very intensive logging, for example with the proxy log level set to TRACE or FULL.

2/ Fix: Signal handling in the file writing module was fixed. This correction prevents intermittent file processing failures, for example when a proxy sends data to an antivirus.

3/ Fix: File system journaling can sometimes cause a kernel panic during periods of heavy disk activity.
Therefore journaling is switched off by default on newly installed Kernun systems. It can still be enabled during the installation process.

4/ New: A software watchdog was added to the Kernun kernel. The watchdog can be enabled by adding the line "watchdogd_enable=NO" to /etc/rc.conf.local. It automatically reboots after a serious system failure.

5/ New: Support for X.509 certificates that use the SHA256 algorithm was added.

6/ New: New PostSignum CA certificates were added and server certificate matching was updated in the configuration of Kernun Bezpecna Schranka (Secure Box).

Configuration
-------------

7/ Improvement: In the OpenVPN configuration, in route pushing to the client(s), a special value [0.0.0.0] (which is also the default value) can be used as the gw address. This address works as the remote endpoint of the tunnel (seen from the client's perspective).

8/ Fix: Setting the netmask in the configuration of GIF and GRE interfaces was fixed.

9/ New: The sample include configuration file /usr/local/kernun/conf/samples/include/content-filter.cml now contains directives for blocking Microsoft Silverlight.

GUI
---

10/ Improvement: It is possible to abort a running proxy startup/shutdown script.

11/ Improvement: The labels of the SIGUSR1 and SIGUSR2 buttons in GKAT were changed to "LogIncr" and "LogDecr".

HTTP proxy
----------

12/ New: The log message REQUEST-DETAILS was added. It logs the HTTP method, the request URI, the content of the Referer HTTP request header, the content type as announced by the server and as detected by the proxy, the response status code, and the response size in bytes.

13/ Improvement: The Content-Length header may be repeated with the same value, because some HTTP servers send duplicate Content-Length headers.

14/ Improvement: It is now possible to specify the HTTP status code for the error response returned by the proxy when a request is denied by an ACL.
15/ Fix: If a request is denied by an ACL, the proxy returns status code 403 (Forbidden) instead of 500 (Internal Server Error).

16/ Fix: Handling of a Content-Length header with a negative value was fixed.

17/ Fix: An internal buffer for NTLM authentication data was enlarged. NTLM authentication now also passes in cases where it previously failed due to insufficient buffer space.

====================================================
Changes in KERNUN release 3.3 (compared to 3.2.1-h5)
====================================================

General
-------

1/ New: A new authentication method was implemented. It is managed by an external tool (e.g. a shell script) called from the proxy.

2/ Improvement: A new format of license files was implemented. It provides a more readable and flexible license file. New features implemented before a subscription expiration date are now automatically licensed without generating a new license file.

3/ New: The packet filter now automatically adds state for packets that match a rule with "tag NOTRANSP". If the state should not be created, an explicit rule without "keep-state" must be defined.

4/ New: The element server-addr was introduced for the listen-on.transparent item. By specifying the server address for transparent connections, only connections with the given server address are processed by the proxy.

CML
---

5/ New: Variables used within an include file can have their value assigned not within the file but in the main configuration file. In this case, the variable must be forward declared in the include file via the PARAM directive.

6/ New: SHARED-FILE and SHARED-DIR sections can now be defined within a section variable (macro).
7/ New: Data variables holding IP addresses (full IP address with mask) can now be referenced with content modifiers:
   $variable.host - strips off the mask
   $variable.net  - clears the host portion of the address

8/ New: The configuration item SYSTEM.RC-CONF.APPEND-ENV separates the newly added text from the original value of a variable by a space.

9/ New: The sysctl variables net.inet.ip.forwarding=1 and net.inet.tcp.delayed_ack=0 are set by default.

GUI
---

10/ New: A wizard was implemented that inserts the KBS (Secure Box) functionality into an existing Kernun configuration.

H.323 proxy
-----------

11/ Improvement: The possibility of a media channel source change was implemented. A new item, ALLOW-PEER, permits this.

HTTP proxy
----------

12/ New: The HTTP proxy supports user authentication against Microsoft Windows Active Directory using the NTLM protocol.

Kernun Branch Access
--------------------

13/ Fix: Generating RRD graphs was fixed on KBA.

14/ Improvement: The ramdisk size on KBA was enlarged to double capacity (128 MB).

DNS proxy
---------

15/ New: The DNS proxy re-searches the REQUEST-ACL list whenever a new internal request (for CNAME or NS queries) is created. Thus, the recursive resolving process respects the resolving rules given by the ACL list according to the query name.

16/ New: A new item IGNORE-MISSING-AA is implemented. It allows working around the incorrect behavior of some servers that do not set the AA flag in CNAME replies. Without this flag set, such answers are ignored.

SIP proxy
---------

17/ Fix: Reading of concatenated Via headers was implemented.

=========================================================
Changes in KERNUN release 3.2.1-h5 (compared to 3.2.1-h4)
=========================================================

General
-------

1/ Improvement: Alternative locking algorithms were implemented for locking child processes waiting for client connections in proxies for protocols based on TCP.
This modification eliminates proxy malfunction if the number of child processes exceeds several hundred.

2/ Fix: A possibility of a denial-of-service attack against the NTP service was eliminated.

3/ Fix: A bug in the DNS server (Bind) was fixed. It could allow a cache poisoning attack by caching unvalidated DNSSEC responses.

4/ Fix: Checking of the host ID during license verification was changed to case-insensitive. The host ID obtained from the operating system is now converted to uppercase. These changes prevent license check failure due to a lowercase/uppercase mismatch in the host ID after an upgrade.

Configuration
-------------

5/ Improvement: The key length can be specified for some encryption algorithms in the IPsec configuration.

6/ Improvement: Diffie-Hellman groups can be specified by numbers (e.g., 5) in addition to identifiers (e.g., modp1536) in the IPsec configuration.

HTTP proxy
----------

7/ Improvement: Compatibility of cookie-related HTTP headers with various servers and clients was improved.

8/ Fix: A bug was fixed in handling the lock of the out-of-band authentication table in the HTTP proxy when used as an OOB authentication server. The bug caused failures during proxy reload operations.

9/ Improvement: Handling of escape sequences in the HTTP request URI was changed so that a '%' character not followed by two hexadecimal digits is interpreted as a literal '%' and does not cause an error.

=========================================================
Changes in KERNUN release 3.2.1-h4 (compared to 3.2.1-h3)
=========================================================

General
-------

1/ Fix: The option SSL-PARAMS.ENABLE-RENEGOTIATION was added. It provides selective enabling of SSL session renegotiation for interoperability with clients and servers that require it (for example, ISDS servers).
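The HTTP proxy item 9 of release 3.2.1-h5 above describes treating a '%' that is not followed by two hexadecimal digits as a literal '%' instead of an error. The decoder below is an added example, not Kernun's code: it implements both the strict and the lenient behaviour in one single-pass routine and, in lenient mode, reports how many malformed escapes it tolerated, so that a proxy can still log the anomaly rather than silently accept it. The sample request targets are constructed.

```python
"""Percent-decoding of an HTTP request URI with strict and lenient handling of
a bare '%'.

Added example, not Kernun's code.  A well-formed %XX escape becomes one byte.
A '%' at the end of the input, or followed by anything other than two hex
digits, is an error in strict mode; in lenient mode it is copied through as a
literal '%' and counted, so the event can still be logged.
"""

HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")
PERCENT = 0x25  # '%'


class MalformedEscape(ValueError):
    """Raised in strict mode for a '%' not followed by two hex digits."""


def percent_decode(raw: bytes, strict: bool = True):
    """Decode %XX escapes in `raw`; returns (decoded, malformed_count).

    Decoding is done in a single pass, so b'%2541' yields b'%41' and the
    freshly produced '%' is never decoded a second time.
    """
    out = bytearray()
    malformed = 0
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b == PERCENT:
            # Two more bytes must exist and both must be hex digits.
            if i + 2 < n and raw[i + 1] in HEX_DIGITS and raw[i + 2] in HEX_DIGITS:
                out.append(int(raw[i + 1:i + 3], 16))
                i += 3
                continue
            if strict:
                raise MalformedEscape("bare '%%' at offset %d" % i)
            malformed += 1          # lenient: keep the '%' literally, but count it
        out.append(b)
        i += 1
    return bytes(out), malformed


def is_strictly_valid(raw: bytes) -> bool:
    """True if `raw` contains no malformed escape (what strict handling requires)."""
    try:
        percent_decode(raw, strict=True)
    except MalformedEscape:
        return False
    return True


if __name__ == "__main__":
    # Constructed request targets; the last two are rejected in strict mode.
    for uri in (b"/docs/release%20notes", b"/sale/50%off", b"/q?p=100%"):
        decoded, bad = percent_decode(uri, strict=False)
        print(uri, "->", decoded, "malformed:", bad, "strict ok:", is_strictly_valid(uri))
```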
=========================================================
Changes in KERNUN release 3.2.1-h3 (compared to 3.2.1-h2)
=========================================================

General
-------

1/ Fix: Shared libraries required by the DrWeb antivirus were added.

2/ Fix: Various minor corrections were made in the Kernun Bezpecna schranka (Secure Box) configuration and documentation.

=========================================================
Changes in KERNUN release 3.2.1-h2 (compared to 3.2.1-h1)
=========================================================

General
-------

1/ New: The file with the list of certificate authority certificates usable for authentication of ISDS servers was renamed from postsignum_qca_root.pem to isds_server_ca_certs.pem, and Verisign certificates were added to it.

2/ Fix: A possible security hole in SSL connection renegotiation was fixed.

3/ Fix: A bug in the operating system's handling of shared libraries when starting set-UID programs was fixed.

4/ Fix: A bug in the Kernun Bezpecna schranka (Data Box) Enterprise initial configuration script was fixed. It caused an endless loop after entering a too short SSH key passphrase.

======================================================
Changes in KERNUN release 3.2.1-h1 (compared to 3.2.1)
======================================================

General
-------

1/ Fix: Configuration of the DHCP client by the program configure-isds was fixed.

=================================================
Changes in KERNUN release 3.2.1 (compared to 3.2)
=================================================

General
-------

1/ New: Support for the product Kernun Bezpecna schranka (Data Box) Retail was added.

2/ Improvement: Various improvements for Kernun Bezpecna schranka (Data Box) were implemented.

3/ Improvement: The 'I' log level is no longer protected from being switched off in the configuration. However, if you decide to switch off this level, no statistical data will be produced.
FTP proxy
---------

4/ Fix: Forcing the source port of active data connections (configured via the SESSION-ACL.DATA-PORT item) was fixed.

===============================================
Changes in KERNUN release 3.2 (compared to 3.1)
===============================================

General
-------

1/ New: A set of new features was implemented to provide higher security when accessing the Czech eGovernment platform of data boxes (datové schránky in Czech).

2/ New: Journaling is an option selected by default for all file systems on newly installed Kernun systems. Enabling journaling on existing systems requires a complete reinstallation, because of the necessary disk repartitioning. Journaling improves system reliability and reduces recovery time after an unclean shutdown, because fsck is not run after reboot.

3/ Improvement: System graphs show the min, max and avg values of the main watched parameters. The format of CARP state graphs was changed to show precisely the percentage of master/backup/init state at each moment. RRD databases need to be deleted; see KERNUN-RELNOTES.txt for further instructions.

4/ Improvement: The system EditLine library still has a bug when loading some history files. The KAT and CML tools have implemented a workaround that overcomes this bug.

5/ Improvement: A failure when reopening a log file during log restart is now logged into the formerly opened file before closing it.

6/ Improvement: The default time period for log file rotation was changed to ANYTIME (i.e. hourly). The meaning of "ROTATE SIZE n;" is now more logical: the file is rotated as soon as it reaches the size (at an entire hour boundary).

7/ Improvement: The /data/log directory is automatically mounted via nullfs into all chroot directories.

8/ Improvement: The NTP daemon is allowed to synchronize with a time server regardless of the initial clock difference.
9/ Improvement: References to the certificate/private key files in the SSL-PARAMS and LDAP-CLIENT-AUTH.SSL sections were changed to SHARED-FILE section names. This allows managing the files via the GUI.

10/ Improvement: The packet filter queue set definition is now checked for more error states that could cause a later PF start failure.

11/ Improvement: A packet filter rule that prevents losing the NOTRANSP tag for NAT-ed traffic is automatically generated into the packet filter configuration.

12/ New: A Sysctl component was added to allow reloading of the sysctl values from Kernun.

13/ Fix: The prompt for the external interface name was fixed in the initial configuration dialog.

14/ Fix: Collecting data for online graphs displayed in the GUI is no longer dependent on the accessibility of a name server.

15/ Improvement: Rules and rule templates for IPS/IDS can be specified in the Kernun configuration.

CML
---

16/ Fix: A bug in MIME type list conversion was fixed in the inter-version configuration converter.

17/ Fix: A bug in the conversion of DOC-ACL.REPLACE files to SHARED-FILEs (within chrooted proxies) was fixed in the inter-version configuration converter.

18/ Fix: A bug in regular expression deallocation after on-line verification was fixed.

19/ Fix: Ignoring of hidden nodes at the SYSTEM level during verification was fixed.

20/ Improvement: Denial of hostname usage in the configuration is checked immediately when the value is read. Thus, illegal values are discovered much sooner.

HTTP proxy
----------

21/ New: The HTTP proxy can be configured not to contact a remote server and to return a local file or the output of a script instead.

22/ New: The HTTP proxy can be configured to scan the bodies of HTTP requests and responses. The proxy can react in various ways to patterns found in request and response data. Reactions include logging alert messages, denying the request, saving parts of the data for further processing, and replacing field values in HTML forms.
23/ Fix: A bug was fixed in handling the HTTP response header Content-Length combined with HTML filtering.

Kernun Branch Access
--------------------

24/ Fix: A bug was fixed in handling the contents of the log partition, which caused failures of the log reading/writing utility rawlog, leaving the system log inaccessible.

UDP proxy
---------

25/ New: The UDP proxy now provides monitoring of open sessions and online graphs of the transferred data volume.

26/ Fix: Setting the source address on the client side was fixed (see the udp-proxy(8) manual page for the exact description).

27/ Fix: Handling of timeouts was corrected. A bug occurred occasionally under heavy traffic.

GUI
---

28/ Fix: A bug was fixed in validating the values filled in the wizards. The bug, under certain circumstances, made it impossible to proceed to the next page of the wizard.

29/ Fix: Binary files no longer get corrupted when being uploaded to the Kernun from the GUI 'Commit configuration' dialog.

30/ Improvement: Download of rule definitions for IPS/IDS can be explicitly initiated through the Kernun GUI.

31/ Improvement: A wizard to easily generate a Certificate Authority and certificates signed by that authority has been added.

32/ Improvement: The certificate and private key for SSL-PARAMS.id sections can be easily generated/uploaded using buttons in the item detail page.

33/ New: A console with an ssh connection to the Kernun can be opened from GKAT. Admins can add custom commands to be remotely executed and opened in the console.

===============================================
Changes in KERNUN release 3.1 (compared to 3.0)
===============================================

General
-------

1/ Fix: The YP files (SIP and H.323 maps) are removed during the upgrade. This prevents problems with proxy starts after the upgrade.

2/ Fix: If the proxy children are started too rapidly, which signals some fatal problem, the proxy parent will interrupt the operation.
3/ Fix: Kernun resolver routines select the source port for server querying randomly, but from now on they respect the SYSCTL.PORTRANGE settings.

4/ Fix: Some errors in co-operation between regular and ACR (configuration resolver) child processes were fixed.

5/ Fix: Some memory initialisation and management errors were fixed.

6/ Fix: Various minor bugs in the installer and the system manager were fixed.

7/ Improvement: The Kernun shutdown was greatly accelerated by using the KAT.KILL command with an argument in the form '*=*'.

8/ Improvement: All mail proxies can filter mail according to mail header contents (using the MAIL-ACL.HEADER item).

9/ Improvement: The allowed maximum number of subparts of one MIME document was decreased to 5000.

10/ Improvement: The reference to the document replacement file in DOC-ACL.REPLACE (in mail proxies) was changed to the SHARED-FILE section name. This allows managing the files via the GUI.

11/ Fix: The mail queues of SMTP forwarders in the SMTP proxy and in the mailer handling locally originated mail have been moved to /data/var/spool. The queues are now shared by Kernun installations in all system partitions. This ensures correct mail handling after rebooting to a different partition (typically after an upgrade).

12/ Fix: A bug in generating the list of cloned interfaces in /etc/rc.conf was fixed. Now it is possible to combine GIF/GRE and CARP interfaces in the configuration and all such interfaces will be created.

13/ Fix: The owner of the home directory and its .ssh subdirectory is now set correctly for audit users.

14/ Fix: A bug in TCP and UDP port allocation was fixed. It caused random "Address already in use" errors under high load.

15/ Fix: Monitoring of the number of proxy child processes during the final wait for termination of all children was fixed.

16/ Fix: Minor bug fixes in the tool rrd.

17/ Improvement: The command "rrd update" refuses to run more than once at the same time.

18/ New: The license file format was changed.
A new license file (/usr/local/kernun/license.dat) is needed; the old license file from 3.0 will not work.
19/ Improvement: ICMP ECHO requests are handled non-transparently.
20/ Improvement: The graph of used memory now displays two values. "All used memory" is the percentage of memory that is used by the system in any way. "Heavily used memory" is the percentage of memory that cannot be easily freed if more memory is needed.
21/ Improvement: The sysctl net.inet.ip.auto_reuse_port_addr was removed. The kernel was modified so that it now allows running a server and a transparent proxy on the same port without this sysctl.
22/ New: System backup (and also upgrade) now stores only files named in the file /etc/kernun-fsdb-include.
23/ Fix: More checks of values entered by the administrator were added to the installer: the swap size cannot be 0, the host name can contain only a limited set of characters.
24/ Fix: Minor bug fixes in sysmgr and related tools.
25/ Improvement: More parameters are now watched by system graphs (two levels of memory usage) and CARP graphs (CARP interface state in addition to its priority).

GUI
---
26/ Improvement: FreeBSD package and Windows setup improvements.
27/ Fix: It is possible to append nodes next to the include node in GCML.
28/ Fix: A problem with uploading the configuration to the Kernun from the GUI running on Windows was fixed.
29/ Improvement: The completer for CML was improved on Windows.
30/ Fix: The alternating colours bug in markers was fixed for sorted lists.
31/ Fix: A problem with downloading the private key upon the Kernun initialization from the GUI when running on Windows was fixed.
32/ Fix: Reconnect function bug fixed on Windows.
33/ New: The system log can be displayed in the GUI.
34/ Improvement: Errors in the configuration are displayed directly in the GCML "Constraints" list.
35/ Fix: Numbers, IP addresses, etc. are handled correctly in sorted lists.
36/ Fix: Tables in the output of pf are displayed correctly.
37/ Fix: A bug was fixed that could cause a GUI crash upon creating a range in the CML elements.
38/ Fix: Problems with displaying the Help window on Windows were fixed.
39/ Improvement: A custom browser can be specified to be opened for displaying help.

CML
---
40/ New: It is possible (and recommended) to specify the target Kernun product to which a configuration will be applied. Configuration verification then checks whether the configured component can be run on the target system.
41/ Improvement: The listening addresses of local nameserver(s) are checked against the set of interfaces to prevent a run-time error.
42/ Improvement: The NTP daemon listening addresses and ports were added into the collision detection set.
43/ Improvement: Names in the NTP configuration are resolved prior to starting the daemon, for configuration consistency.
44/ Improvement: If NTP is configured, the 'ntpd_enable=NO' line is generated into the rc.conf file in order to suppress the effect of a possible by-hand setting of the variable in rc-conf.set-env.
45/ Fix: Remote apply access for non-root users was fixed.
46/ Fix: A bug in variable application was fixed in the inter-version configuration convertor.
47/ Fix: A bug in on-line verification within a section variable with a reference was fixed.
48/ Improvement: The CML inter-version configuration convertor no longer prepends a single space to each line (as it did before), thus the number of changes stored into RCS after an upgrade decreases rapidly.
49/ Fix: An error when entering a number instead of a global section name was fixed.
50/ Fix: The 'relayhost' setting format in Postfix main.cf files was fixed.
51/ Fix: The Postfix main.cf files generated by the CML contain the host name defined in the configuration, not the current system one.
52/ Fix: The closing comment line is no longer appended to the /etc/aliases file each time it is modified.
53/ Fix: The ./INFO command ignores unavailable (excluded) items and sections.
54/ Fix: Some minor bugs in C3H and in pasting within SWITCHES were fixed.

Configuration
-------------
55/ New: The DHCP style of configuration is now allowed. One of the interfaces can be declared as DHCP driven (by the DHCP-CLIENT item), and routes and local nameserver forwarders can also be affected by this setting.
56/ New: Configuration of virtual private networks via OpenVPN was integrated into the Kernun configuration.
57/ New: Configuration of virtual private networks via IPsec was integrated into the Kernun configuration.
58/ Improvement: The Kernun configuration contains new items in the SYSCTL section that allow setting the sysctl net.inet.ip.portrange.* variables. The values are also respected when checking transparent proxy LISTEN-ON collisions.
59/ Improvement: The 'myorigin' variable of the Postfix main.cf file can be set explicitly (by default, the official hostname is still used).
60/ Improvement: Besides a pure setting of a variable in RC-CONF, the value can also be extended by appending new text (RC-CONF.APPEND-ENV).
61/ New: The 'tagged' option of the packet filter configuration file (pf.conf) was added into the PACKET-FILTER section definition.
62/ New: The full-log packet data limitation can now be set at the proxy global level (in the LOG section). This value is used as the default and can be reset for a particular data channel.

DNS proxy
---------
63/ New: The REQUEST-ACL.IGNORE-VOID-RR option now also affects the handling of CNAMEs within the Authority (NMSERV) section.
64/ Improvement: The REQUEST-ACL.IGNORE-VOID-RR flag is now inherited into all internal requests generated by the original request from the client.
65/ Fix: In some circumstances, responses to clients in transparent cases were sent with the Kernun address, not the server one.
66/ Fix: The 'ps' process title in transparent mode was fixed.
67/ Fix: Searching for glue records that coincide with invalid Authority (NMSERV) section RRs was fixed.
FTP proxy
---------
68/ Fix: The proxy correctly handles buffered client commands even after session rejection by the security policy.
69/ Fix: Some minor improvements in data connection timeout handling have been made.

HTTP proxy
----------
70/ Fix: A bug in the HTTP proxy was fixed. Now persistent connections to HTTP servers can be reused for multiple requests even when SOURCE-ADDRESS is set in the configuration.
71/ Improvement: The log message REQUEST-END in the HTTP proxy now contains the reason why a request has been rejected.
72/ Fix: The request URI sent to the web filter now also contains the query part (an optional part after a question mark).

KAT
---
73/ Fix: The KAT.APPLY parameter check was improved.
74/ New: A new option -d (dead) is available in the KILL command. It causes killing of only those components that are no longer in the configuration.
75/ Fix: The packet filter optimization was disabled. In some cases, there were problems during PF restart.
76/ Improvement: The packet filter tables for static routes are generated only if they are later referenced. This decreases the number of situations in which a PF reload is reported by KAT to be required.

SIP proxy
---------
77/ New: REQUEST-ACL contains the REQUEST-METHOD item, an entry condition for filtering requests by type.
78/ Fix: A REQUEST-ACL rejection logging error was fixed.

SMTP proxy
----------
79/ Improvement: The grey-listing method now verifies clients not by a single address, but by a set of addresses given by a network mask (or number of bits). This feature allows correct function even for MTAs using a cluster of several machines with several IP addresses.
80/ Improvement: The grey-listing databases are cleaned by cron every night, by default.
81/ Improvement: The grey-listing database manipulation tool (triplicator) has new operations implemented: backup, restore, purge (backup+restore).

SQL*Net proxy
-------------
82/ Improvement: The default RD (redirect) packet processing was changed.
Now, the RD data is respected even if the proper SESSION-ACL contains the PLUG-TO directive. The old behavior can be forced by the IGNORE option of the SESSION-ACL.REDIRECTIONS item.

UDP proxy
---------
83/ New: The proxy was reimplemented. The main reason was to be able to process protocols using IP broadcasts, i.e. the proxy must both receive and send broadcast datagrams. The second important feature is the ability to force source ports toward servers.
84/ New: The full-log packet data limitation was moved from the UDPSERVER section to the LOG section. This feature is now identical in all proxies.

===============================================
Changes in KERNUN release 3.0 (compared to 2.5)
===============================================

General
-------
1/ Base OS version changed to the latest release on the FreeBSD 6.3 security branch.
2/ Ports/packages bundled with Kernun have been updated.
3/ New: Kernun now features new tools for installation, upgrade, backup, and restore.
4/ New: Kernun requires a valid license file for operation. A component, e.g., a proxy, antivirus, antispam, or web filter module, that is not properly licensed cannot be used.
5/ New: Several new components were integrated into Kernun configuration and management, namely:
   - An IDS/IPS based on Snort ("snort" component and "IPS" section)
   - An NTP daemon ("ntpd" component and "NTP" section)
   - A DHCP server ("dhcpd" component and "DHCP-SERVER" section)
   - Local nameservers ("named" component and "NAMESERVER" section)
   - Packet filter ("pf" component and "PACKET-FILTER" section)
6/ New: Kernun has extended administrator management. Now, two types of administrators can be defined: the first type are root-equivalent users, the second are "auditors" that can only view configuration and log files.
7/ New: The Kernun components write a hash of their configuration into the /var/run directory so that the KAT tool is able to show components running with an outdated configuration that need to be reloaded.
8/ New: Various operating system (processor, memory, disk usage, etc.), network interface (numbers of transferred bytes and packets), and proxy (transferred bytes, number of child processes) parameters are continuously monitored and their values during some time interval (day, month, year) can be displayed as graphs.
9/ New: Shell sessions of administrators are logged into files /var/log/session-USER-DATE-HOST.log.gz.
10/ Improvement: New kernel support for transparent communication was implemented. Transparent proxies no longer dynamically create packet filter rules.
11/ Improvement: It is possible to specify (via a tag) a set of Kernun components that will be controlled (stopped and started) when the cluster monitoring script switches CARP interfaces down and up.
12/ New: In UDP based proxies, name resolution is done asynchronously by an extra child process called APR.
13/ Improvement: Kernun proxies (logging to a file) are now able to react to logfile rotation. A special command LOG (that can be scheduled in cron) was added to KAT to ease it.
14/ Improvement: Several changes to the server selection algorithm (in the dns-engine, i.e. dns-proxy and the APR child) were made to increase the robustness of its operation.

CML
---
15/ Fix: Displaying of meaningless error messages during on-line verification of a proxy in a section variable with parameters was suppressed.
16/ Improvement: When generating the output files, the CML tries to guess whether a particular global section is needed for the file (e.g. for the particular proxy). If it is absolutely sure that the section is not needed, its output is skipped so that the resulting files are not full of irrelevant data.

Configuration
-------------
17/ New: A new command pair SWITCH/CASE was added to facilitate flexible configuration possibilities.
18/ New: Several new types of the INTERFACE section were added (gre, gif...).
19/ New: Several operating system configuration files were added among those generated by the CML or modified by KAT.APPLY:
   - /etc/hosts is generated from the SYSTEM.HOSTS-TABLE section (if used)
   - /etc/periodic.conf is generated from the SYSTEM.PERIODIC-CONF section (if used)
   - /etc/passwd, /etc/group etc. are modified to contain Kernun users defined in the SYSTEM.USER section
   - /etc/aliases is modified to contain the SYSTEM.ADMIN address as an alias for root
   - /usr/local/kernun/etc/newsyslog.conf is generated from the original /etc/newsyslog.conf according to the SYSTEM.ROTATE-LOG sections; this file can serve as the configuration file for the newsyslog daemon.
20/ New: Kernun components can have several TAG keywords assigned; the KAT tool then allows operating with component subsets using these TAGs.
21/ New: For the purpose of local mail delivery, a new clone of the SMTP forwarding agent was included into the SYSTEM section. Its name is LOCAL-MAILER and its configuration possibilities are very similar to the regular SMTP-FORWARDER.AGENT section.
22/ Improvement: Due to the much more complicated configuration structure caused by adding a large number of new sections with mutual references, global sections no longer need to be defined prior to their reference.
23/ Improvement: The maximal length of configuration atoms was increased to 4kB. This allows e.g. using longer ssh keys.
24/ Improvement: Multiline comments can be written in the form of a "structured" comment, i.e. as a block of comment lines grouped between a pair of special parentheses #{ and #}. This group can be edited as a block by an external editor.
25/ Improvement: A block of comment lines can be stored into the clipboard and pasted at once.
26/ Improvement: It is possible to use an external source for any list in the configuration file (a so-called "in-line file").
27/ Fix: Branching elements of items must be written directly by a proper enumeration keyword; variables or path references are no longer valid.
This very rarely used feature was a significant source of problems during inter-version configuration conversion.
28/ Improvement: The KERNUN-ROOT item is now optional; the default value of the path is /usr/local/kernun.
29/ Improvement: In the dns-proxy and smtp-proxy, the SOURCE-ADDRESS item is now allowed, but ignored with a warning log message. Thus, it is now possible to have a general ACL used in many proxies with SOURCE-ADDRESS valid only in some of them.

Dns-proxy
---------
30/ Improvement: The default depth of internal requests was increased so that some queries to Microsoft domains that were rejected in former versions will succeed.
31/ Improvement: A new item IGNORE-VOID-RR was added into REQUEST-ACL. It allows permitting the occurrence of irrelevant additional records in server responses for particular domains.
32/ New: Basic support for DNSSEC (RR types DNSKEY, RRSIG, NSEC and DS) was implemented.

GUI
---
33/ Fix: Configuration edit lines are limited to the proper length.
34/ Fix: A bug was fixed that could cause a GUI crash when loading saved markers/filters.
35/ Fix: A bug was fixed that could cause a GUI crash when displaying a forward reference of a section variable.
36/ New: Compound comments ( #{, ##{ ) are supported by the GUI.
37/ New: Cut, Copy and Paste work with comments.
38/ New: A common parent for the proxies root, system root and network root in GKAT.
39/ Fix: Only those directories in /usr/local/etc/openvpn that contain the subdirectory ccd are considered to be Kernun OVPN (and are displayed in the GUI).
40/ New: Audit user support: a user with UID!=0 is allowed to watch but not to change.
41/ NAT manipulation was removed from the GUI (as a result of the change in the transparency implementation).
42/ Fix: Under certain circumstances, processes executed on Kernun remained hanging after the GUI had disconnected. This problem has been fixed.
43/ New: Multiple node selection in GCML. Multiple nodes can be hidden, unhidden, removed, expanded and collapsed.
The expanded configuration is displayed for all the selected nodes.
44/ Fix: TCP/UDP port names are correctly recognized in the GUI under MS Windows.
45/ New: Support for statistics display in the GUI.
46/ Improvement: It is possible to sort items displayed in the lists in GCML (process list etc.) by clicking the column header.
47/ New: Tags can be used for starting/stopping/restarting/reloading multiple applications. Multiple applications can also be easily synchronized with the configuration using the new synchronization dialog.
48/ Improvement: The layout of the item details was improved in GCML.
49/ Improvement: The way a section variable reference can be fixed after the number of parameters was changed in the section variable definition was improved.
50/ Improvement: The way OpenVPN offers unused addresses and validates the addresses was improved.
51/ Improvement: A main menu was added to GKAT.
52/ New: About Qt dialog.
53/ Improvement: CPU demands were lowered.
54/ New: Relevant sections (especially ACLs) may be highlighted for proxies in GCML.
55/ New: Shared-Files can be edited directly from the GCML. The RCS system is used to store their history.
56/ New: Tools for installation, upgrade, backup and restore can be easily accessed via the GUI.
57/ New: Graphs (traffic, temperature, etc.) are accessible in GKAT.

Http-proxy
----------
58/ Improvement: The SSL-SESSION-CACHE section was moved from the SYSTEM level of the configuration into the HTTP-PROXY one. This allows you to specify ssl caching parameters on a per-proxy basis (as this works with other proxies). WARNING: The CML inter-version convertor does not support this feature, so you have to move the global SSL-SESSION-CACHE section to HTTP-PROXY by hand.
59/ New: The http-proxy provides URL filtration using an external web filter. Individual requests are accepted or rejected according to the categorization of the request URI by a web filter database.
KAT
---
60/ Fix: Displaying of plenty of error messages when searching for the proper log by the GREPLOG command was suppressed.
61/ Improvement: The GREPLOG command can search even within unzipped log files.
62/ New: A new command LOG will be added to ease proxy logging control.

Sip-proxy
---------
63/ Improvement: The "compact" form of headers was implemented.
64/ Fix: Data channel offers within server provisional replies are implemented.

Smtp-proxy
----------
65/ Improvement: According to general practice, the local part of an email address is processed in a case-insensitive manner when it is processed for the grey-listing method.
66/ Improvement: The MAIL-ACL.PREFIX-SUBJECT item is now allowed despite the use of DENY. The reason is that it will apply to COPY-TO addressees.
67/ New: A new MAIL-ACL.REDIRECT-TO item was added to ease forwarding based on MAIL-ACL entry conditions (e.g. spam score).

========================================================
Changes in KERNUN firewall release 2.5 (compared to 2.4)
========================================================

General
-------
1/ Improvement: Summarization scripts (sum-http, sum-smtp, sum-proxy, sum-dns) create output in .csv format.
2/ Improvement: In some cases, resetting of a TCP connection by a peer causes non-documented error states returned by the FreeBSD library. Now, Kernun handles them as a regular end of communication.
3/ Improvement: When source-address is used in the configuration, the proxy first tries binding this address. Only if the bind fails, a NAT rule is created. This improves performance if the source address is one of the IP addresses of the firewall.
4/ Improvement: Proxy initialization has been changed so that proxies perform as many initialization actions as possible before entering daemon mode. This makes detection of proxy startup failures easier.
5/ Improvement: If a proxy needs a directory for its working files (for example, to create lock files) and the directory does not exist, it is automatically created upon proxy startup.
6/ Fix: If a proxy communicating via UDP terminates a transparent session and deletes the NAT rules related to the session, it also flushes the corresponding states. This allows clients to continue communication after a proxy restart.
7/ Improvement: Transparent UDP-based proxies flush NAT states corresponding to NAT rules created by a proxy when the proxy deletes the rules.
8/ Fix: The configuration item AUTH now selects the right OOB-AUTH section.
9/ New: Startup/shutdown scripts for individual proxies (rc-scripts) have been replaced by a single rc-script. It takes information about configured programs (proxies) from /usr/local/kernun/etc/component.lst. Start of all proxies is now repeated in a loop until either all proxies run, or a loop iteration brings no progress.
10/ New: All Kernun "applications" (proxies, ssh servers, postfix forwarders and CARP monitors) can have a PHASE number assigned, according to which the order of their start during Kernun startup is set.
11/ Improvement: Resolution of IP addresses specified by names in the configuration is periodically repeated in order to reflect changes in DNS. Resolution parameters are set by the configuration item CFG-RESOLUTION.
12/ Improvement: Configuration files for SSH daemons contain LogLevel VERBOSE.

Configuration
-------------
13/ Fix: The configuration WORD size has been increased to 64 bytes (from 32).
14/ Improvement: The CONTENT-TYPE item was added to the DOC-ACL prototype. This item allows setting a special behavior for documents not detected properly by the magic library, according to the original Content-Type header.
15/ Improvement: Testing programs test-xxx have better error recovery and a manual page (test-expr(5)).
16/ New: Kernun now features a configuration converter cml-cnv.sh that converts the configuration from an older version for use by the current Kernun version. The converter is called automatically by the installation process.
17/ Improvement: It is now possible to configure a transparent proxy and a non-transparent proxy/server on the same port and interface. The required PF rules are automatically generated. This is used in the initial configuration created after firewall installation. It contains an SSH server listening on the internal interface on port 22 and a tcp-proxy that handles SSH communication from the internal to the external interface on port 22.
18/ Improvement: Transparent proxies can be configured to listen on a range of ports by a single listen-on configuration item.
19/ Improvement: ACL.SERVICE is now a STR-SET, which allows wildcards.
20/ New: For OOB authentication, it is possible to specify in the configuration that authentication is required (a session without valid authentication is always denied) or allowed (a session without valid authentication can continue if permitted by ACLs).
21/ Improvement: C-language character escape sequences are allowed within configuration strings (e.g. "\r\n").

Cml/Kat
-------
22/ Improvement: Several configuration checks were changed so that they can be executed immediately when the proper item/section is entered in the CML.
23/ Fix: When APPLYing remotely, the target tree is first cleared before the tar-file is extracted.
24/ Improvement: When APPLYing remotely, the kernun.cml and all included files are copied to the target machine, too.
25/ New: A new parameter FIND was added to the ./INFO command. It allows finding a configuration item/section by a (part of) name without knowing its exact location.
26/ Fix: Integer variables (like $_run_) can be a part of a string expression even if used in the place of a string value.
27/ Fix: C3H incompleteness within section variables has been fixed.
28/ Fix: Incorrectly configured LISTEN-ON addresses are skipped when checking address collisions.
29/ Fix: Some minor bugs in the generation of the local postfix configuration files (according to the SMTP-FORWARDER.AGENT data) have been fixed.
30/ Improvement: The local postfix daemons are incorporated among "Kernun applications" in the sense of the KAT commands PS, KILL, START, STOP etc.
31/ Improvement: CML checks the correctness and accessibility of the CFGPATH command argument.
32/ Improvement: The syntax of variable names in the RC-CONF.SET-ENV configuration item is checked.
33/ Improvement: C3H offers proxy names in ACL.SERVICE.
34/ New: The ./undelete command also restores nodes removed by ./cut.
35/ Improvement: The command ./generate deletes all SYSTEM-name directories (with both lowercase and uppercase names).
36/ New: A CML interface to RCS for managing versions of the configuration (option -r) has been introduced.
37/ New: CML can manipulate the configuration file without checking in new versions in RCS, but an RCS check-in is required before ./generate.
38/ New: The KAT.RLOG and KAT.RCSDIFF commands were added to facilitate Kernun configuration RCS version management.
39/ Improvement: The KAT.GREPLOG command selects the proper (even zipped) log file according to the -d/-D date option.
40/ Improvement: The KAT.KILL command with a "proxy=*" parameter also kills proxies in the EXITING state.
41/ New: There is a new command KAT.TEST to facilitate running the configuration testing test-* programs.
42/ Improvement: If monitoring is invoked via the KAT.MONITOR command, the directory containing monitoring data is selected automatically according to the proxy configuration.
43/ New: Hidden sections are omitted (not offered) by C3H.
44/ Fix: KAT.MONITOR takes chroot into account.
45/ Fix: Pager settings (in the $PAGER environment variable) are used more consistently.
46/ Improvement: KAT.PS accepts a parent PID as an argument (ps PROXY=PID).
47/ Fix: Proxies configured as NODAEMON are skipped by the KAT.START command.
48/ New: There are new KAT commands LSSTATE and RMSTATE for listing and selective deletion of packet filter states.

Ftp-proxy
---------
49/ Fix: Several minor bugs in handling of non-standard session termination cases have been fixed (some of them causing PANIC).
50/ Improvement: A server final response 221/421 is logged at N-level.
51/ Fix: A network error is properly logged as SESSION-END FAILED.
52/ Fix: The SESSION-END log message contains CLIENT/SERVER instead of FROM/TO.

GUI
---
53/ New: The GUI now supports connection to a newly installed Kernun firewall. Authentication is done using a password entered on the firewall console during the initial post-installation configuration. The GUI downloads and stores an SSH key for further access to the firewall.
54/ New: OpenVPN management was integrated into the GUI.
55/ Fix: A problem, when (under certain circumstances) the GUI set an incorrect column to the atom when creating a marker by dragging from the list, was fixed.
56/ Fix: A problem when the Snapshot function did not provide complete data under certain circumstances has been fixed.
57/ Fix: Under some circumstances, more than one progress bar was displayed upon connecting to the firewall.
58/ Fix: The GUI does not announce a download failure when (for example due to a limiting filter) it downloads an empty log. The GUI now correctly removes the progress bar under the same circumstances.
59/ Fix: Proper reaction to a full buffer when downloading a log into a memory buffer.
60/ Improvement: A Remove button has been added to each list/set member in the configuration editor.
61/ Fix: Fixed problems with dock widgets showing/hiding under MS Windows.
62/ The Qt library was upgraded to version 4.3.1.
63/ The Qt library is linked statically on MS Windows.
64/ Fix: When committing the configuration to the firewall, detection of system names has been improved.
65/ Fix: When committing the configuration to the firewall, certain sections other than the section "system" were presented in the "Apply" combo box.
66/ Fix: Under certain circumstances, pressing "Ctrl+plus" (recursively expand the tree structure) led to a GUI crash.
67/ Fix: Deleting the very root node of the filter or marker tree by pressing the "Del" key is not possible any more.
68/ Improvement: The C3H list behaviour was improved.
69/ Improvement: Enter hides the C3H list. If some item is selected, it is copied into the input widget.
70/ Fix: The format of the path displayed in the cml item detail widget was unified.
71/ Fix: Fixed problems that could cause a GUI crash when the "Remove" action was triggered very quickly for a period.
72/ Improvement: Section variable parameters are displayed in its definition also as tree nodes. It is therefore possible to reorder the parameters in the section variable definition.
73/ Fix: It is possible to move the include node upwards/downwards.
74/ Fix: Hiding nodes within the include (which are therefore read-only) is not possible any more.
75/ Improvement: The Misc and Top tabs remember the scrollbar position upon content refresh.
76/ Fix: Pasting into a section variable parameter, into an include, and into an item is not possible any more.
77/ New: Postfix management has been integrated into the GUI.
78/ Improvement: Refreshing of the error state was improved in the configuration editor.
79/ New: It is possible to copy the contents of the log viewer (and other windows based on the same class) into the clipboard or save it to a file.
80/ Improvement: A hotkey (Ctrl+I) for the "Append section/item next to this node" action in the GUI cml editor was added.
81/ Fix: Parsing of the PID column in log files was improved.
82/ New: It is possible to forward the ssh agent through the ssh connection. It is useful for applying the configuration among cluster members.
83/ Fix: Correct error message in the "Show Error Messages" box when an obligatory element is left empty.
84/ Improvement: GCML is able to add and/or edit comments. Other fixes have been done concerning multiline comments.
85/ Improvement: A search dialog in the log viewer (and other windows based on the same class) has been added.
86/ Fix: GUI revisions (i.e., "KERNUN-2_4b-RELEASE") are accepted without warning if the major and minor version are correct ("KERNUN-2_4-RELEASE" in the given example).
87/ New: A systray icon in MS Windows (Quick connect, access to key management) has been added.
88/ Improvement: Ssh-key management was improved in MS Windows (the GUI can automatically unload the key from pageant when the key is not used for a given period).
89/ Fix: Hidden/Visible flags for columns in Log (and other similar windows) are correctly propagated to the Snapshot-ed windows.
90/ Fix: Parsing of the top command output was improved.
91/ Improvement: The log viewer displays manual pages (right click on the log viewer row). A man page can be displayed either "inline" in the GUI or in the default web browser.
92/ New: Monitor windows for a single proxy and for all proxies that share the same communication directory were added.
93/ Improvement: Special icons for proxies and ACLs (deny/accept/unknown) in the configuration editor have been added in order to increase readability.
94/ Fix: On UNIX systems, ssh-agent is detected only by checking the environment variable SSH_AUTH_SOCK (the test of SSH_AGENT_PID was removed since it made it impossible to run the GUI remotely with an agent forwarded by ssh).
95/ Improvement: It is possible to change the order of columns in the log viewer (and other similar windows).
96/ Improvement: The algorithm to guess which sections to open upon load of the configuration was improved.
97/ Improvement: The function "cut to clipboard" was implemented in the configuration editor.
98/ Improvement: Ctrl+C or Ctrl+Ins is the shortcut for copying sections/items in the configuration editor. Ctrl+V or Shift+Ins is the shortcut for pasting sections/items in the configuration editor. Ctrl+X or Shift+Del is the shortcut for cut in the configuration editor.
99/ New: The configuration editor can display changes that were made to the configuration. On UNIX, coloured output of diff is displayed by default; on MS Windows, the program ExamDiff.exe is used by default. A custom diff viewer can be configured in Preferences.
100/ New: The function "Show Expanded" displays the expanded version of the configuration. It can be used for the current subtree or for the whole configuration.
101/ New: The path to the current node can be displayed in the title bar of the configuration editor, if set so in Preferences.
102/ Improvement: When the filter definition gets dirty (i.e., after it has been changed), the button "Apply Filter" appears in order to stress the fact that it must be applied in order to take effect.
103/ Improvement: It is possible to negate a set member and toggle a range from a set member by the context menu (right-click) of the element editor.
104/ Fix: Variables of type IP are offered when filling an element of type Socket.
105/ Improvement: In "online" log viewers, it is possible to clear the contents of the window.
106/ New: It is possible to display the RCS (Revision Control System) history of the configuration file. The log messages and diffs between versions of the configuration file can be displayed; old versions can also be loaded into the configuration editor (and potentially committed to the firewall).
107/ Improvement: The configuration editor has the Undelete function.
108/ Improvement: It is possible to store/load filter/marker definitions to/from a file/settings (registry on Windows, .config/tns/gui.conf on UNIX). It is possible to mark a stored marker to be loaded automatically when displaying this type of view.
109/ Improvement: The function "Snapshot" is not limited to the log viewer any more.
110/ Improvement: Minor changes in the rc scripts (start/stop/restart/reload) output formatting have been made.
111/ Improvement: GUI displays a warning message when certain dangerous rc scripts that may render the firewall inaccessible by ssh (for example when manipulating the ssh server) are about to be called.
112/ Improvement: Rc scripts are executed via a special ssh connection (they do not share the ssh connection with the gkat tree refresh tasks any more, since the rc scripts might be quite lengthy). The connection is established upon the first rc script call.
113/ Improvement: A modal dialog is displayed when calling an rc script (start/stop/restart/reload) on the whole firewall. It prevents the user from making other actions on the firewall until the operation finishes.
114/ Improvement: In the configuration editor, there is a button "Manual to ..." for each proxy section.
115/ New: Network management was integrated into GUI. It is possible to start/stop interfaces and routing; the link state of configured interfaces is watched. Output of several variants of ifconfig, netstat, sockstat is displayed.
116/ Fix: Hidden nodes were displayed as positions of errors in the configuration editor under certain circumstances.
117/ Fix: Loading of the proxy-tree for firewalls with many proxies was sped up.
118/ Improvement: The refresh interval for checking proxy state (running/stopped etc.) can be configured in Preferences.
119/ Fix: It is possible to fix up a section variable application when there was a change in its definition's parameter count/order.
120/ New: RSS channel news (www.kernun.com/news.rss) can be displayed in the main window.
121/ Improvement: When downloading the configuration from the firewall, GUI first checks whether the configuration (file /usr/local/kernun/conf/kernun.cml) is properly stored in the RCS system on the firewall. If not, GUI offers the check-in.
122/ Fix: Stability issues with an incorrect settings file were fixed in the connection dialog.
123/ Improvement: If it exists, the default value is displayed in the tooltip for the given element.
124/ Improvement: After creating a new parameter of a section variable definition, the newly created parameter is given keyboard focus.
125/ New: A window for displaying (and deleting) pf rules (see kat lsnat, kat rmnat) has been added.
126/ New: A window for displaying (and deleting) pf states (see kat lsstate, kat rmstate) has been added.
127/ New: It is possible to create bookmarks in the log viewer and in the configuration editor.

Http-proxy
----------
128/ Fix: Request header Range is deleted from HTTP requests by default. Using ranges can defeat document type identification and filtration features of http-proxy. If ranges are needed, passing of the Range header can be explicitly permitted by request-acl.allow-req-hdr.

Imap4-proxy
-----------
129/ Fix: Document type identification has been fixed (an obsolete MIME-TYPES configuration item has been removed).
130/ Fix: Unwanted resets of TCP connections have been eliminated.

Pop3-proxy
----------
131/ Fix: Document type identification has been fixed (an obsolete MIME-TYPES configuration item has been removed).
132/ Fix: Unwanted resets of TCP connections have been eliminated.

Sip-proxy
---------
133/ New: Sip-proxy has been implemented. It handles the SIP/SDP/RTP protocols to an extent covering common VoIP devices. This is the very first version and some features are not implemented for now.

Smtp-proxy
----------
134/ Fix: Several minor bugs in handling of non-standard session termination cases have been fixed (some of them causing PANIC).
135/ New: Generation and sending of the Delivery Status Notification can now be disabled by a new configuration item OMIT-DSN in the MAIL-ACL.
136/ Improvement: Spam score has been added as an entry condition of DOC-ACL.
137/ Improvement: Spam score is recorded in quarantine control files.
138/ Improvement: Antispam gets header lines "From ..." and "Received ..." to be able to incorporate their values into score computing.
139/ Fix: MAIL END message is logged even when the proxy is terminated by a signal during mail processing.
140/ Improvement: KAT.QUARC can select messages by client address (using a new option -c).
141/ Fix: Enhanced Status Codes with zero value can now be defined in the configuration ("reject 550 0 0" means the 550 5.0.0 response code).

========================================================
Changes in KERNUN firewall release 2.4 (compared to 2.3)
========================================================

General
-------
1/ Base OS version changed to FreeBSD 6.2-RELEASE.
2/ Ports/packages bundled with Kernun have been updated.
3/ New: Log messages contain the session id when applicable. The session id is logged together with the process id: [PID.SID] instead of [PID].
4/ Improvement: UDP-based proxies run in parent-child mode. The real work is done by the child process. The parent process only manages the child and restarts it if it terminates unexpectedly. This improves interaction between the UDP-based proxies and KAT.
5/ Fix: The resolver now uses the searchlist correctly.
6/ Fix: An empty file is not sent to the antivirus any more. This increases efficiency and removes the problem with DrWeb, which erroneously used method DRWEB-FILE instead of DRWEB-NET for empty files, regardless of the configuration. It then caused "File not found" errors by DrWeb if the antivirus and the proxy were running on different machines.
7/ Fix: A lock is used while accessing /dev/pf in order to prevent simultaneous ruleset manipulations by several transparent proxy processes.
8/ Fix: OOB authentication helper script ooba-samba is now copied to /usr/local/kernun/bin during installation.
9/ Fix: Various fixes of the OOB authentication support.
10/ Improvement: Support for the antivirus/antispam statistics script sum-avas has been added to the switchlog sample configuration file switchlog.cfg.
11/ Improvement: Statistics scripts sum-http and sum-proxy compute the maximum and average request/session time instead of the sum of times of all sessions/requests.
12/ Improvement: The post-install interactive configuration script performs syntax checking of values entered by the user.
13/ Fix: The installer correctly installs the lib32 distribution on AMD64.
14/ Fix: The timeout in the initial installer menu has been removed. The installer waits until the user chooses either automatic or manual installation.
15/ Fix: Signal handling has been fixed in TCP-based proxies in state "exiting", that is, after receiving SIGHUP (graceful termination request).
16/ Fix: Any incorrect session termination causes a TCP connection reset. This informs clients and servers about errors and prevents sockets getting stuck in the FIN_WAIT_2 state.
17/ Fix: An error which left some processes running even after a termination signal has been fixed in TCP-based proxies.
18/ Fix: Commands "kat rmnat" have been removed from the proxy startup scripts. These commands were rarely needed and their removal greatly improves proxy restart times.

Antispam
--------
19/ New: If the antispam program is not running, SPAM-SCORE UNKNOWN is reported. This new meta-value can be matched in acl conditions.

Cml
---
20/ New: The CML tool uses the regular logging system like other Kernun applications. By default, it logs using syslog; logging can be managed by the (enhanced) /DBG command.
21/ New: The complete configuration definition has been built into the CML program. Configuration definition files (CDF) are not needed by CML any more (nor is the -c option).
22/ New: The low-level parser routines for integrity checking are now called on-line automatically during CML editing (on-line verification).
23/ Improvement: Verification error messages in CML report the "CML-path" to the point of the configuration where the error occurred.
24/ New: It is possible to execute on-line verification for a part of the configuration by the VERIFY command.
25/ Improvement: The unhide and undelete commands execute on-line verification.
26/ Improvement: The online help in CML has been amended.
27/ Improvement: A section variable with path ($var.path) can be applied into a node with the same context (as $var.path) with the meaning: apply all subnodes of the referenced node ($var.path) here ("container" type of application).
28/ Fix: LDAP sections are correctly generated for all proxies that use OOB authentication.
29/ Fix: Error detection in included configuration files has been fixed.
30/ Improvement: It is possible to define aliases for CARP interfaces.
31/ Improvement: Various minor improvements in CML user interaction.
32/ Fix: Configuration files for hidden SSH servers are not generated any more.
33/ Improvement: The load command detects repeated occurrences of non-repeatable sections and items as an error.
34/ Fix: Failure of the load command stops generating (in the batch call with the -g option).
35/ Improvement: The show command allows displaying repeatable and hidden directives by using the index in brackets. The CDF type of node (as a filter for displaying) can now be specified as an extra parameter.

Dns-proxy
---------
36/ Fix: Handling of non-standard CNAME record order has been fixed.
37/ Fix: A bug in idle and request timeout handling in TCP communication has been fixed. It caused an endless loop when a timeout expired.
38/ Improvement: Unsuccessful QUERY/NOTIFY item searches within request-acl are reported by a new log message (DNSP-610-A).

Ftp-proxy
---------
39/ Improvement: The ACL phase 3 informational log message now reports the direction of data transfers.
40/ Fix: A superfluous PANIC message has been removed from the module which provides FTP services for http-proxy.

GUI
---
41/ Improvement: Kernun now has a graphical user interface (GUI) for remote administration. It is distributed in binary executable format for FreeBSD and Windows.
    The FreeBSD version of the GUI is built for the same OS version as the rest of the firewall and requires X11 on the administrator's station. X11 is not required for the GUI on the firewall. The GUI is also distributed as source code and it should work on any platform where GCC, the Qt/X11 toolkit, and X11 are available.

H323-proxy
----------
42/ Fix: Handling of special cases in opening logical communication channels has been fixed.

Http-proxy
----------
43/ Fix: A bug which prevented more than one user from being authenticated via OOB authentication has been fixed.
44/ Fix: HTTP method CONNECT now works correctly when combined with hand-off.
45/ Fix: Http-proxy now returns an error page if the connection to the remote server via the CONNECT method fails.
46/ Improvement: Statistics script sum-http allows the choice of HTTP-authenticated or AProxy-authenticated users when generating per-user values.
47/ Fix: AProxy handles logout attempts of users not logged in properly.

Kat
---
48/ New: The KAT tool uses the regular logging system like other Kernun applications. By default, it logs using syslog; logging can be managed by a new DBG command.
49/ Improvement: A new SHOWAPP command has been implemented. It displays the list of all configured applications (proxies, SSH servers).
50/ Improvement: A new PS command option -a displays all proxy child processes.
51/ Improvement: A new PS command option -d displays running proxies which have been deleted from the configuration.
52/ New: Log viewing in KAT is done by two commands. The SHOWLOG command displays a live growing log online (like the tail -f command). The GREPLOG command displays an existing log file (even zipped) and allows browsing in it (using a pager defined in the $PAGER environment variable). Both commands provide selection of log messages by various criteria (in the same manner).
53/ Improvement: New variants of selecting target processes have been added to the KILL command.
54/ Improvement: A new TRIPLICATOR command has been added as a wrapper for the triplicator tool calls.

Smtp-proxy
----------
55/ Fix: The proxy respects the original destination address for acl search.
56/ Fix: End-of-file detection during mail processing has been fixed.
57/ Fix: Utility QUARC.SH now works in directories containing large numbers of files, more than fit on a shell command line.
58/ Improvement: Utility QUARC.SH provides mail selection by proxy name in the case of a quarantine shared by several proxies.
59/ Improvement: The grey-listing database has changed its format and records contain all future time limits. Thus, it is possible to use different time parameters for different request-acls within one proxy configuration.

Sqlnet-proxy
------------
60/ Fix: A new type of ERROR server responses is recognized by the proxy.

========================================================
Changes in KERNUN firewall release 2.3 (compared to 2.2)
========================================================

General
-------
1/ Base OS version changed to FreeBSD 6.0-RELEASE.
2/ Kernun integrated into the port/package system.
3/ Distribution both in source code and as binary packages for faster installation.
4/ A new installer installs the operating system together with Kernun.
5/ The default installation mode requires minimum user interaction.
6/ Automatic post-installation configuration.
7/ A new User Manual containing detailed installation instructions, a tutorial, and reference documentation. The manual is distributed in HTML and PDF formats, the reference part also as manual pages.
8/ IPSEC was excluded from the default kernel (built automatically during the installation process) as it can cause performance degradation.
9/ Improvement: Item CARP changed to section CARP-INTERFACE in order to allow referring to its contents.
10/ Improvement: Bad MIME header parameters are accepted by using the keep-bad-header-params item.
11/ Improvement: LDAP authentication.
12/ Improvement: Out of band authentication.
13/ Fix: Interface mediaopt generated correctly to rc.conf.
14/ Fix: Monitoring communication directory is a usual string, not a shared-dir.
15/ Fix: Software packages distributed with Kernun were upgraded to recent versions.
16/ Fix: Quarantine processing tool now respects chrooted directories.
17/ Fix: Better handling of some signals.
18/ Fix: Relaxed handling of some errors generated by closing a socket.

Antispam
--------
19/ Fix: Antispam module sends instead of at the end of lines.

Antivirus
---------
20/ Improvement: If viruses are found, their names are added in the form of a special header.

Dns-proxy
---------
21/ Improvement: Ability to transfer zones (through both AXFR and IXFR) added.
22/ Improvement: New resource records implemented: TXT, SPF, HINFO.

Ftp-proxy
---------
23/ Fix: A bug has been fixed which caused PANIC if the server had sent the final 226 control message before the data transfer had started.
24/ Fix: Several minor bugs in the HTFTP module have been fixed (some of them causing PANIC).
25/ Fix: Fixed behavior when the session is interrupted before the connection to the actual server.
26/ Fix: Better handling of network IO errors (e.g. DNS resolution).
27/ Fix: PANIC of ftp-proxy in htftp mode avoided.

H323-proxy
----------
28/ Improvement: New H.323 protocol feature allowing the use of URLs instead of H.323 identifiers has been implemented.

Http-proxy
----------
29/ Improvement: If two Content-Type headers are received and they differ in the existence of parameters after the semicolon (not in the value itself), the response is accepted and only the longer header is sent to the client.
30/ Improvement: Headers Etag and Last-Modified can be repeated.
31/ Fix: A bug in chunked transfer encoding end-of-file handling has been fixed. It caused PANIC when chunked encoding was used together with antivirus processing or magic content type identification.

Imap4-proxy
-----------
32/ Fix: After a format error or deny action in ACL, the proxy could sometimes send the malicious data in a response to the next command.

Kat/Cml
-------
33/ Improvement: Option '-p' in KAT.SHOWLOG command (meaning process id).
34/ Improvement: Socket collisions are handled at an early stage in CML.
35/ Improvement: Default value "kernun" has been introduced for items proxy.proxy-user.
36/ Improvement: Command `goto' now accepts prefix `=', followed by the name of a section or item.
37/ Fix: Changed behavior of the `apply' command: remote application is triggered only by item APPLY-HOST in the configuration.
38/ Fix: A message warning that a referenced section does not exist while reading a CML file is suppressed.
39/ Fix: On some error conditions, a section was erroneously deleted in CML.
40/ Fix: Fixed a bug causing crash of CML under rare conditions.
41/ Fix: Item `server' has been excluded from section `acl'.

Monitor
-------
42/ Improvement: The monitor utility allows customizing the title bar color and caption in HTML output.

Pop3-proxy
----------
43/ Fix: When filtering mails (the no-mail-scanning item is not used), the proxy was not able to process messages larger than an internal buffer limit.
44/ Fix: The "TOP n 0" command does not cause error messages due to MIME boundaries that are not found.

Smtp-proxy
----------
45/ Improvement: TLS implementation.
46/ Improvement: DNS based black-listing (e.g. ORDB.ORG).
47/ Improvement: Grey-listing (see http://projects.puremagic.com/greylisting/ for more information).
48/ Improvement: White-listing (Sender Policy Framework).
49/ Improvement: More information logged when sender/recipient is rejected.
50/ Improvement: Implemented a configuration parameter mail-line-len, allowing to accept messages exceeding the line length limit of 1000 bytes defined by RFC.
51/ Fix: Corrected forwarder cleanup after mail has been processed in a proxy process.
52/ Fix: Repeated "mail from:" command handled.
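Grey-listing as introduced in item 47 above, and the point of release 2.4 item 59 (records carry absolute future time limits so that different request-acls may use different delays), as an added illustration. This is not Kernun's smtp-proxy code; the /24 client aggregation, the parameter names delay/lifetime/confirmed_lifetime and the SMTP reply texts are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Greylisting keyed on the (client, sender, recipient) triplet, as in the
# puremagic scheme the page refers to. Added illustration, not Kernun code.


@dataclass
class GreyRecord:
    # Absolute deadlines are stored when the triplet is first seen, so a
    # later check driven by a request-acl with different time parameters
    # still honours the limits that applied when the record was created.
    retry_after: float        # earliest time at which a retry is accepted
    expire_at: float          # record is discarded after this moment
    confirmed: bool = False   # True once a retry succeeded


class Greylist:
    def __init__(self):
        self._db = {}

    @staticmethod
    def key(client_ip, sender, recipient):
        # Aggregate the client to its /24 so that a sending farm retrying
        # from a neighbouring host still matches (assumed policy).
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now,
              delay, lifetime, confirmed_lifetime):
        """Return "defer" or "accept" for one RCPT TO.

        delay              seconds the triplet must wait before a retry is accepted
        lifetime           seconds an unconfirmed record is kept
        confirmed_lifetime seconds a confirmed record is kept after each use
        """
        k = self.key(client_ip, sender, recipient)
        rec = self._db.get(k)
        if rec is not None and now >= rec.expire_at:
            del self._db[k]          # stale record: start over
            rec = None
        if rec is None:
            self._db[k] = GreyRecord(retry_after=now + delay,
                                     expire_at=now + lifetime)
            return "defer"
        if not rec.confirmed and now < rec.retry_after:
            return "defer"           # retried too quickly: typical of spam bots
        rec.confirmed = True
        rec.expire_at = now + confirmed_lifetime
        return "accept"

    def size(self):
        return len(self._db)


def smtp_reply(verdict):
    """Map the verdict to the SMTP reply a proxy would send (constructed text)."""
    if verdict == "defer":
        return "451 4.7.1 Greylisted, please try again later"
    return "250 2.1.5 Recipient ok"
```

The time parameters are passed per call, standing in for the values of whichever request-acl matched; because the record stores the resulting deadlines rather than the parameters, a later retry evaluated under an acl with a shorter delay is still judged against the deadline set at first contact.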
53/ Fix: Corrected recognition of EHLO options, regardless of case.

Sqlnet-proxy
------------
54/ Improvement: New form of server error message encoding implemented.

Statistics
----------
55/ Improvement: Statistics for antivirus and antispam engines have been introduced.
56/ Fix: Corrected per-hour statistics graphical output for SMTP proxy.

========================================================
Changes in KERNUN firewall release 2.2 (compared to 2.0)
========================================================

General
-------
1/ Base OS version changed to FreeBSD 5.4-RELEASE.
2/ New: Support for the 64-bit AMD64 architecture has been added.
3/ New: Pop3-proxy has been implemented. It handles the POP3 protocol (including POP3S) and can do antivirus, antispam and content checking.
4/ New: Imap4-proxy has been implemented. It handles the IMAP4 protocol (including IMAP4S) and can do antivirus, antispam and content checking.
5/ New: Kernun now uses the PF filter instead of IPFILTER for redirection of transparent connections to proxies. See the transparency(7) manual page for more information.
6/ New: It is possible to use several methods for document type identification, namely the content type header, filename extension and magic library (on Unix-like systems, this is the method used by the 'file' program). See the doctype-identification(7) manual page for more information.
7/ New: FreeBSD native CARP in-kernel implementation is preferred to the former VRRP daemon to build hot-standby firewall clusters. See the carp(4) manual page for more information.
8/ New: An independent resolver has been implemented. The standard system resolver is not used any more. One of the main advantages is the possibility to set up independent timeouts for resolution of names for the sake of logging and for critical resolutions, e.g. the server name that the proxy is about to connect to. See the resolving(7) manual page for more information.
9/ New: Proxies can use traffic shaping for outgoing communication.
    Traffic shaping rules can be used deep in ACL rules, allowing fine-grained bandwidth management. See the traffic-shaping(7) manual page for more information.
10/ New: Telnet-proxy support has been discontinued, and the proxy has been removed from the distribution. It is recommended to use tcp-proxy instead.
11/ New: Proxies can write current connection status data (including client, server, amount of data transferred, user name etc.) to a shared memory area. A monitoring tool reads those data and makes a top X view of them (either in text mode or as an HTML file). See the monitor(1) manual page for more information.
12/ Fix: The fwpasswd command preserves group names.
13/ Fix: It is now possible to specify SSH v2 RSA keys in ssh-keys.
14/ Fix: Several logging messages were fixed.
15/ Fix: Process list titles were fixed.
16/ Fix: Waiting for child processes after a signal in the parent corrected.
17/ Fix: Under rare conditions, a proxy using SSL could loop forever.
18/ Fix: Sometimes, connections to servers were failing with the EADDRINUSE error.
19/ Fix: TCP reset is treated as a communication error.
20/ Fix: The source-address mapping rule now strictly uses the same port number as bound locally.

Antivirus/Antispam
------------------
21/ New: Support for the ClamAV antivirus has been added.
22/ New: Support for the NOD32 antivirus has been added.
23/ Improvement: Heuristic analysis for DrWeb switched on.
24/ Improvement: The antivirus checking module sends a few bytes of unchecked data to the client to avoid timeouts.
25/ Fix: Handling of DrWeb return codes.
26/ Fix: Correct file name sent to DrWeb when communication takes place over a network socket (drweb-net).
27/ Fix: Communication with DrWeb over the network fixed.
28/ Fix: Antispam module now correctly handles scores less than zero.

Dns-proxy
---------
29/ Improvement: Resource record type SRV has been added.
30/ Fix: Correct behavior when the nameserver cache is full.
31/ Fix: Under some circumstances, a nameserver could be cleaned up too early.
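The three document type identification methods listed in item 6 of this release (content type header, filename extension, magic library), together with the reason item 128 of the preceding Http-proxy section gives for dropping the Range request header, as an added illustration rather than Kernun code. The magic signature table, the extension map, the precedence magic > header > extension and the function names are constructed assumptions.

```python
import os

# Added illustration of header/extension/magic identification and of the
# effect of a ranged request on the magic method. Not Kernun code.

MAGIC = [                                   # (leading bytes, type)
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/x-dosexec"),
]

EXTENSIONS = {
    ".pdf": "application/pdf", ".png": "image/png",
    ".zip": "application/zip", ".exe": "application/x-dosexec",
    ".txt": "text/plain", ".html": "text/html",
}


def by_header(content_type):
    """Media type from the server's Content-Type header (parameters dropped)."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def by_extension(url_path):
    """Type guessed from the file name extension of the request path."""
    return EXTENSIONS.get(os.path.splitext(url_path.lower())[1])


def by_magic(body):
    """Type derived from the leading bytes, as libmagic / file(1) would do."""
    for signature, doc_type in MAGIC:
        if body.startswith(signature):
            return doc_type
    return None


def identify(content_type, url_path, body):
    """Return (type, method). Magic is consulted first because it looks at
    the data itself; the header and the extension are attacker-influenced."""
    for method, result in (("magic", by_magic(body)),
                           ("header", by_header(content_type)),
                           ("extension", by_extension(url_path))):
        if result:
            return result, method
    return "application/octet-stream", "default"


def filter_request_headers(headers, allow_range=False):
    """Drop the Range header unless the request-acl explicitly allows it.

    A ranged response starts at an arbitrary offset, so the magic check in
    identify() no longer sees the leading bytes and cannot classify the
    document; the partial body would also slip past content filtering."""
    return {name: value for name, value in headers.items()
            if allow_range or name.lower() != "range"}
```

Run identify() on a complete PDF body and then on the same body starting at byte 100: the first is classified by magic, the second falls back to whatever the server put in Content-Type, which is exactly the weakness the Range stripping closes.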
32/ Fix: Several minor bugs have been fixed.

Ftp-proxy
---------
33/ Fix: When the user enters an invalid server, the proxy now behaves correctly.
34/ Fix: Access control according to the real server destination address fixed.
35/ Fix: Data-port setting in session-acl.
36/ Fix: Corrected behavior after a communication error with the antivirus daemon.
37/ Fix: Fixed behavior when a virus was found; added a message in the control connection to the client.
38/ Fix: When an error occurs on a connection to the antivirus, the proxy now does not block.
39/ Fix: Treatment of file names with special characters fixed.

H323-proxy
----------
40/ Improvement: Support of video capabilities H.262 and H.263 has been added.
41/ Improvement: Support of the extended version of the Q.931 protocol has been added.
42/ Fix: Panic when an IP address was found where not expected.
43/ Fix: Processing of the Connect packet has been fixed.

Http-proxy
----------
44/ New: By adding the DOC-ACL level, the proxy now has a deeper structure of its ACL rules and can handle individual documents in a more granular fashion.
45/ New: Improved security checks of request line, headers, cookies etc.
46/ Improvement: A redundant status line in the response from the server is ignored (some servers do that).
47/ Improvement: Unicode sequences in the form %uHHHH are recognized.
48/ Improvement: Status code has been added to the REQUEST-END log message.
49/ Improvement: Handling of misconfigured header sets, including both Content-Length: and Transfer-Encoding: chunked headers.
50/ Improvement: Http host and URI can be matched independently in ACLs.
51/ Improvement: Aproxy authenticated user can be matched in ACLs.
52/ Fix: Persistent connections to the server are correctly closed after the client has closed the connection.
53/ Fix: Fixed panic in the network I/O module when a header line is too long.
54/ Fix: Correct closing of the data connection in HTFTP mode.
55/ Fix: Fixed error in communication with some FTP servers that could lead to empty directory listings.
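The header-set handling of item 49 above, together with the duplicate Content-Type and repeated Etag/Last-Modified rules of release 2.3 items 29 and 30, as an added illustration. It is not Kernun's http-proxy code: the exact policy (same-value requirement for repeated headers, rejection of any other duplicate, and RFC 7230 section 3.3.3 precedence for the Content-Length/Transfer-Encoding conflict) is assumed.

```python
# Added illustration of response header reconciliation. Not Kernun code.

class HeaderError(ValueError):
    """Raised for a header set the proxy should refuse to forward."""


REPEATABLE = {"etag", "last-modified"}        # duplicates tolerated (item 30)


def media_type(value):
    """'text/html; charset=utf-8' -> 'text/html'."""
    return value.split(";", 1)[0].strip().lower()


def reconcile_content_type(values):
    """Several Content-Type headers are accepted only if they name the same
    media type and differ merely in parameters; the longer one is kept."""
    if len({media_type(v) for v in values}) != 1:
        raise HeaderError("conflicting Content-Type values: %r" % (values,))
    return max(values, key=len)


def normalize_headers(headers):
    """headers: list of (name, value) pairs as received from the server.
    Returns a dict keyed by lower-cased name, or raises HeaderError."""
    grouped = {}
    for name, value in headers:
        grouped.setdefault(name.strip().lower(), []).append(value.strip())

    out = {}
    for name, values in grouped.items():
        if len(values) == 1:
            out[name] = values[0]
        elif name == "content-type":
            out[name] = reconcile_content_type(values)
        elif name in REPEATABLE:
            # Assumed: repeats are fine only when they carry the same value.
            if len(set(values)) != 1:
                raise HeaderError("repeated %s with different values" % name)
            out[name] = values[0]
        else:
            raise HeaderError("duplicate header: %s" % name)

    # Both framing headers present: the message length is ambiguous and a
    # downstream parser may pick the other one (the classic desync pattern).
    # RFC 7230 3.3.3: Transfer-Encoding wins and Content-Length is removed.
    if "chunked" in out.get("transfer-encoding", "").lower() and "content-length" in out:
        del out["content-length"]
    return out


def is_acceptable(headers):
    """Boolean wrapper for callers that only need an accept/deny answer."""
    try:
        normalize_headers(headers)
        return True
    except HeaderError:
        return False
```

Only one framing header leaves normalize_headers(), so whatever the client behind the proxy does with the two headers, it cannot disagree with the proxy about where the body ends.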
56/ Fix: HTML filter applies correctly on all pages, regardless of transfer type.
57/ Fix: No more data are fetched after the connection to the client has been closed.
58/ Fix: Processing of the NTLM authentication scheme fixed.
59/ Fix: Combination of Aproxy and server authentication fixed.
60/ Fix: Status line added to REQUEST-END message for Aproxy.
61/ Fix: Transparent connections with a hand-off server are processed correctly.
62/ Fix: Parsing of cookies for Aproxy fixed.

Kat/Cml
-------
63/ Improvement: Command completion in CML for enumerations, named types, keyed types and parent acl sections.
64/ Improvement: Command /show in CML displays line numbers.
65/ Improvement: New commands hide/unhide allow commenting out whole items and/or sections without deleting them.
66/ Fix: When applying configuration, system names may overlap.
67/ Fix: The 'apply' action does not delete chroot directories.
68/ Fix: After several unsuccessful attempts of sending -HUP, KAT kill sends the -TERM signal. This corrects reload behavior of UDP based proxies.
69/ Fix: Corrected bad signal handling in KAT, added SIGINFO.

Smtp-proxy
----------
70/ New: A tool for handling quarantined messages has been implemented. It allows dropping the message or resending it, using specific actions (remove attachments, check against viruses again etc.).
71/ New: The proxy can send Delivery Status Notification (DSN) messages.
72/ Improvement: Because many MUAs create non RFC compliant messages, a set of configuration directives has been added and programmed to allow administrators to permit those messages. These directives include:
        session-acl.accept-8bit-header
        session-acl.correct-bad-char
        session-acl.correct-8bit-body
        session-acl.treat-binary-as-8bit
        session-acl.correct-boundary
    Further, the proxy automatically corrects several problems in non RFC compliant messages, for example: missing semicolon in MIME headers, white spaces at the end of commands and headers, 8bit in quoted-printable documents.
73/ Improvement: Proxy now recognizes ID in responses from MS Exchange.
74/ Improvement: When an rfc822 mail message is attached, it is possible to treat it as text. If it contains errors, the proxy will refuse to send such a message, but this may be intentional as rfc822 attachments are used to inform users of a delivery failure. This is achieved with the directive session-acl.treat-rfc822-as-text.
75/ Improvement: Missing quoting of headers can be corrected (with the configuration directive 'correct-quoting').
76/ Improvement: Antispam calling can be limited to messages not exceeding a specific size.
77/ Improvement: Multipart signed messages may be left untouched with the 'treat-signed-as-text' configuration directive.
78/ Fix: More rigorous check of line lengths.
79/ Fix: Treating of at the end of a non--terminated quoted-printable attachment.
80/ Fix: Double in MUL MIME.
81/ Fix: Correct check of MAX_ADDR_SIZE even when the domain is not present.
82/ Fix: Under rare conditions, the proxy could hang forever while communicating with the client.
83/ Fix: Under some circumstances, the proxy stopped talking to the server and a timeout fired.
84/ Fix: Resending of error codes and messages from forwarder to client.
85/ Fix: Fixed antivirus status for multipart and message MIME types.
86/ Fix: Several minor fixes of erroneously formatted messages.

Sqlnet-proxy
------------
87/ Improvement: Session-acl now includes plug-to and source-address directives.
88/ Improvement: Support for a server running on 64-bit architecture added.
89/ Fix: Handling of a redirect divided into two separate packets.
90/ Fix: Corrected redirect packet processing.
91/ Fix: Access control check of the destination server within transparent connections was fixed.
92/ Fix: Handling of TNS ping packets.

Statistics
----------
93/ Fix: When generating statistics, memory is allocated more efficiently.

Tcp-proxy
---------
94/ New: The proxy can use TLS independently on both communication channels (with client and server).
95/ Improvement: Independent timeouts for half-closed connections.

Udp-proxy
---------
96/ Fix: Increased precision for timeouts from 1s to 1us.

========================================================
Changes in KERNUN firewall release 2.0 (compared to 1.x)
========================================================

General
-------
1/ KERNUN firewall version 2.0 has gone through a huge number of changes. We do not cover every single modification in this document. For a detailed description of individual functions, please read the documentation (starting with the general document kernun(7)). Among the most important innovations are the new configuration system, the new modular system that enables sharing code among proxies (e.g. html filtering, network IO, antivirus, etc.), and the capabilities of virus and spam detection.
2/ Base OS version changed to FreeBSD 5.3-RELEASE.

Configuration
-------------
3/ The configuration mechanism of KERNUN firewall has been replaced. Instead of the former KC system consisting of a kernun.conf file and a set of kc* commands (kcverify, kccommit, kcreload, etc.), there is a command-line interface to basic administration tasks called KAT (Kernun Administration Tool, see kat(8)) and a command-line interface to the configuration itself called CML (Configuration Management Language, see cml(8)). The reference manual of the new configuration system can be found in the kernun.cml(5) manual page. The most important changes in configuration are:
    a/ IP addresses must be enclosed in square brackets [], including network mask specification. Examples: [1.2.3.4], [10.0.0.0/8], [192.168.0.0/255.255.255.0]
    b/ List elements must be separated with a colon. Example: { [192.168.0.0/24], [192.168.1.0/24] }
    c/ The configuration in CML should reside in the new directory /usr/local/kernun/conf .

Aproxy
------
4/ Aproxy has been completely integrated in http-proxy.

Dns-proxy
---------
5/ No fundamental modifications have been made to dns-proxy.
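A small checker for the address and list notation of item 3 (a/ and b/ above), as an added illustration; it is not the CML parser and covers only the subset shown on the page, with elements separated as in the page's own example. Accepting host bits inside a network element, the function names and the error class are assumptions.

```python
import ipaddress
import re

# Added illustration of the bracketed address / braced list syntax from
# item 3. Not Kernun's CML code; only the forms shown on the page are handled.

_WS_COMMA = re.compile(r"\s*,\s*")


class CmlSyntaxError(ValueError):
    pass


def parse_address(token):
    """Parse one bracketed address: [1.2.3.4], [10.0.0.0/8],
    [192.168.0.0/255.255.255.0]. Returns an ipaddress object."""
    token = token.strip()
    if not (token.startswith("[") and token.endswith("]")):
        raise CmlSyntaxError("address must be enclosed in []: %r" % token)
    inner = token[1:-1].strip()
    try:
        if "/" in inner:
            # ip_network accepts both a prefix length and a dotted netmask.
            return ipaddress.ip_network(inner, strict=False)
        return ipaddress.ip_address(inner)
    except ValueError as exc:
        raise CmlSyntaxError("bad address %r: %s" % (inner, exc)) from exc


def parse_address_list(text):
    """Parse { [a], [b], ... } into a list of ipaddress objects."""
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise CmlSyntaxError("list must be enclosed in {}: %r" % text)
    inner = text[1:-1].strip()
    if not inner:
        return []
    return [parse_address(part) for part in _WS_COMMA.split(inner)]


def is_valid_address(token):
    try:
        parse_address(token)
        return True
    except CmlSyntaxError:
        return False


def matches(addr_list, ip):
    """True if ip equals a host element or lies inside a network element,
    i.e. the test an ACL condition would apply to a client address."""
    ip = ipaddress.ip_address(ip)
    for element in addr_list:
        if isinstance(element, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if ip in element:
                return True
        elif ip == element:
            return True
    return False
```

Feeding the page's own examples through parse_address() shows that the dotted-mask form and the prefix form normalize to the same network object, which is what makes an ACL comparison against a client address unambiguous.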

Ftp-proxy
---------
6/ Ftp-proxy has been rewritten to adapt to the new modular system. It is possible to trigger the same html filtering engine on data transferred within the FTP protocol. Also, virus detection is available.

H323-proxy
----------
7/ No fundamental modifications have been made to h323-proxy.

Http-proxy
----------
8/ Http-proxy version 2.0 is a complete rewrite. Apache code is not used any more. As a consequence, its configuration is adapted to the rest of the firewall. Virus detection is possible for data passing through http-proxy.

Smtp-proxy
----------
9/ Smtp-proxy version 2.0 is a complete rewrite. It is not based on Postfix any more. However, it assumes a working SMTP forwarder available all the time. Specifically, smtp-proxy does not implement a mail queue. If a client contacts smtp-proxy, the proxy immediately opens a connection to its forwarder. As a consequence, if the forwarder is out of order, smtp-proxy does not accept any mail. The best solution is to use a locally installed MTA program (we strongly recommend Postfix) as a forwarder. The alternative option is to use forwarders "close" to the firewall system, e.g. one internal forwarder for inbound mails and one external forwarder that takes care of outbound mails. Smtp-proxy adopts the new modular system and is capable of applying the same html filtering rules as http-proxy. Also, virus detection is available, as well as the spam detection system.

Sqlnet-proxy
------------
10/ Sqlnet-proxy now understands TNS protocol version 3.13.

Tcp-proxy
---------
11/ Tcp-proxy has been rewritten to adapt to the new modular system.

Telnet-proxy
------------
12/ No fundamental modifications have been made to telnet-proxy.

Udp-proxy
---------
13/ No fundamental modifications have been made to udp-proxy.