Gibraltar Firewall Changelog

What's new in Gibraltar Firewall 3.1

Aug 22, 2014
  • The /var/tmp directory can now optionally reside on the hard disk (if one is used) instead of being mounted as tmpfs. This is required when using the Avira engine, as it consumes more space in /tmp (but less system memory than the Kaspersky engine).
  • Bug fixes in the connection manager so that IPsec connections are restarted correctly in some corner cases.
  • Optimized the execution time of the main firewall script by removing the generic chain-creation loops; the web interface now creates only those chains required by the specific rule set.
  • Recompiled strongswan (the IPsec IKEv1 and IKEv2 daemon) with NAT-traversal support for transport-mode connections, as required for VPN connections from iPhone and Android mobile devices.
  • Enabled fail2ban protection against brute-force password guessing for the web interface.
  • Updated the jetty JARs to version 4.2.27 to fix CVE-2004-2381 (a potential denial of service).
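
The fail2ban entry above only states that the protection is enabled. The following added example (not Gibraltar's own code and not its real fail2ban jail) reproduces the decision fail2ban makes before running its ban action: a source is banned the first time it reaches "maxretry" failed logins inside a sliding "findtime" window. The log format (epoch seconds, message, source IP as the last field), the port 443 used for the web interface, and the sample lines themselves are constructed for this example.

```shell
#!/bin/sh
# Added example (not Gibraltar's own code): fail2ban-style brute-force
# detection over a constructed log. The format (epoch seconds, message,
# source IP last) is hypothetical, not the Gibraltar web-interface log.
SAMPLE_LOG='1408701601 web-login: failed login for admin from 198.51.100.7
1408701605 web-login: failed login for admin from 198.51.100.7
1408701610 web-login: successful login for jdoe from 192.0.2.10
1408701620 web-login: failed login for root from 198.51.100.7
1408701700 web-login: failed login for admin from 203.0.113.9
1408702500 web-login: failed login for admin from 203.0.113.9
1408703400 web-login: failed login for admin from 203.0.113.9'

# find_offenders MAXRETRY FINDTIME
# Prints each source IP once, the first time it reaches MAXRETRY failed
# logins inside a sliding window of FINDTIME seconds (the "maxretry" and
# "findtime" jail options of fail2ban). A slow attacker that stays below
# the rate is deliberately not caught, so FINDTIME must be chosen with the
# expected guess rate in mind.
find_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v maxretry="$1" -v findtime="$2" '
        /failed login/ {
            t = $1; ip = $NF
            n[ip]++; ts[ip, n[ip]] = t
            # count failures of this source inside the window ending at t
            cnt = 0
            for (i = 1; i <= n[ip]; i++)
                if (t - ts[ip, i] < findtime) cnt++
            if (cnt >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# run CMD...: execute, or only print the command when DRY_RUN=1
# (iptables needs root, so the example can be read without running it).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# ban_offenders MAXRETRY FINDTIME
# The "action" half: one DROP rule per offender for the HTTPS port of the
# web interface (port 443 is an assumption for this example).
ban_offenders() {
    find_offenders "$1" "$2" | while read -r ip; do
        run iptables -I INPUT -s "$ip" -p tcp --dport 443 -j DROP
    done
}
```

With maxretry 3 and findtime 600 only 198.51.100.7 is banned; 203.0.113.9 spaces its guesses 800 to 900 seconds apart and is only caught once findtime is raised to an hour. Unlike real fail2ban, this example never unbans (no "bantime"), so a rule inserted for a spoofable or shared address stays until removed by hand.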

New in Gibraltar Firewall 3.0 (Feb 6, 2010)

  • This is a major new release, moving to kernel 2.6 and Debian 5.0 Lenny as the base system and splitting the web interface into frontend and backend parts in preparation for centralized management tools.
  • Full support for IPv6 in routing, firewall rules, and application-level proxies/daemons, including automatic 6to4 and static 6in4 tunnels. Globally reachable IPv6 addresses can now be added to a local network simply by enabling an automatic 6to4 tunnel, with almost no manual configuration.
  • Policy routing setup via the web interface (for example source-based routing) with support for multiple default routes in fail-over as well as (static) load-balancing configurations. This includes Internet connection fail-over with a primary and (multiple) backup upstream connections, and IPsec tunnel fail-over.
  • Official support for WLAN interfaces. Gibraltar can now act as a WLAN access point with or without WPA/WPA2 encryption and optionally with a captive portal for guest access. This has been tested with Atheros MiniPCI cards, but should in principle work with any WLAN card supported by the new in-kernel mac80211/nl80211 stack. A madwifi version patched and tested for stability is also included, to support older Atheros chipsets not yet supported by ath5k/ath9k.
  • In preparation for managing multiple firewalls from one user interface, the core modules (network settings, firewall, NAT, traffic shaping) have been split into backend and frontend parts. Remote management support will begin with the next release and will be extended in future versions.
  • The web interface now uses aliases more consistently for hosts, networks, and services, which must be defined before they are used in rules. This helps to keep an overview of large rule sets.
  • Added firewall and NAT rules overview pages that span all input and output interfaces.
  • Added layer7 match support to mark traffic based on application protocol signatures instead of ports. This is not supported for firewall rules, but works well for traffic shaping.
  • OpenVPN can now be used without client certificates for direct integration with LDAP or Microsoft Active Directory. This allows simple set-up of road-warrior clients: the same OpenVPN configuration can be used on all clients and can therefore be deployed automatically. Users then authenticate with their standard accounts.
  • Use of kernel 2.6 (currently based on 2.6.30.x with security enhancements).
  • A fresh and more standardized base system using Debian 5.0 "Lenny".
  • Multiple PPP dial-in interfaces can be used (for example ADSL with UMTS as backup) with specific interface names. pppd has been patched to support an "ifname" configuration option that renames the interface on successful connection. This makes specific firewall and NAT rules as well as policy routing possible for (upstream) PPP links.
  • Use a before-queue instead of an after-queue filter for integrating amavisd, so that mail is rejected during the SMTP dialogue rather than bounced afterwards. This cuts down on bounce mail processing and thus decreases the typical mail queue length.
  • Using udev instead of devfs.
  • Using upstart instead of the older init package. Combined with udev, this significantly speeds up typical boot times.
  • Using initramfs-tools with additional hooks instead of the previous mkinitrd-cd package built especially for Gibraltar. This removes the need to specify root= kernel command line arguments when booting from compact flash or hard disk instead of from CD. It should also save future development effort by merging upstream development of the initramfs scripts with the ones used by Debian and Ubuntu, and it allows the same boot options to be used for ISO and appliance/USB bootup. All Gibraltar atomic update functionality has been ported for image updates.
  • Using mainline squashfs format 4.0 now and dropping own kernel patches.
  • ISO images now contain a compressed (squashfs) filesystem to make them smaller.
  • Using aufs overlay mounts instead of only tmpfs for /var and /etc. This minimizes RAM usage and the size of the config.tgz configuration archive by storing only those files that were changed with respect to the defaults. Besides significantly decreasing the size of stored configurations, this also makes auditing of changes simpler. /system/etc-static and /system/var-static are no longer required, bringing the base system even closer to a standard (but hardened) Debian install.
  • Hard disks are now mounted under /var/persistence and will only contain a subset of the whole /var tree, to simplify updates between major versions.
  • Using Debian update-rc.d for enabling/disabling automatic starting of services (init scripts) on bootup instead of older runlevel.conf scheme.
  • Using rsyslog instead of syslog-ng.
  • Installed the zabbix-agent package for better integration with the Zabbix monitoring package (we use it extensively both internally and for our customers, with good experience in terms of stability and scalability). Additional checker scripts are included.
  • Updated to heartbeat2 for firewall high availability, although it is still used in compatibility mode. Support for more than 2 nodes will be added in future versions.
  • Added support for commercial JonDonym cascades with pre-paid vouchers. The anon-proxy version of the JAP/JonDonym client has been dropped in favor of a special Java version that is directly integrated with the web interface.
  • Updated squid to version 3.
  • Using strongswan instead of openswan for mature IKEv2 support. The web interface will support setting IKEv2 for tunnels in a future version; on the shell it can already be used.
  • Installed *top packages for easier monitoring/debugging support on the shell.
  • Initial dashboard support to present the most important status information on the entry page.
  • Added simple mail queue handling in the web interface.
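
The policy routing entry in the 3.0 list above names three configurations (source-based routing, default-route fail-over, static load-balancing) without showing the mechanism. The following added example (not Gibraltar's own scripts, which are generated by its web interface) shows the iproute2 commands behind each of them on a Linux router with two upstream links. The interface names, addresses, routing table numbers and rule priorities are assumptions for illustration; with DRY_RUN=1 the commands are printed instead of executed, since ip(8) needs root.

```shell
#!/bin/sh
# Added example (not Gibraltar's own scripts): policy routing with two
# upstream links using iproute2. Interface names, addresses, table numbers
# and rule priorities are assumptions for illustration.
WAN1_IF=eth1; WAN1_ADDR=203.0.113.10;  WAN1_GW=203.0.113.1;  WAN1_TABLE=100
WAN2_IF=eth2; WAN2_ADDR=198.51.100.10; WAN2_GW=198.51.100.1; WAN2_TABLE=101
GUEST_NET=192.0.2.0/24      # subnet that must always use the second upstream

# run CMD...: execute, or only print the command when DRY_RUN=1 (ip needs root)
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# One routing table per upstream, each holding only that provider's default
# route, so that rules can pin traffic to a provider regardless of the main
# table. Replies to traffic that arrived on a link must leave on that link:
# packets sourced from our own address on a link are looked up in its table.
setup_uplink_tables() {
    run ip route replace default via "$WAN1_GW" dev "$WAN1_IF" table "$WAN1_TABLE"
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$WAN2_TABLE"
    run ip rule add from "$WAN1_ADDR" lookup "$WAN1_TABLE" priority 100
    run ip rule add from "$WAN2_ADDR" lookup "$WAN2_TABLE" priority 101
}

# Source-based routing: everything from GUEST_NET leaves via the second
# upstream, whatever the main table says. Lower priority numbers are
# evaluated first; the main table is consulted by the default rule at 32766.
setup_source_routing() {
    run ip rule add from "$GUEST_NET" lookup "$WAN2_TABLE" priority 1000
}

# Fail-over: two default routes in the main table with different metrics.
# The kernel uses the lowest metric; the backup only takes over once the
# primary route disappears (link down, or withdrawn by a monitor that has
# detected a dead upstream, which a plain carrier check cannot see).
setup_failover() {
    run ip route replace default via "$WAN1_GW" dev "$WAN1_IF" metric 10
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" metric 20
}

# withdraw_uplink GW IF: called by the link monitor when an upstream fails,
# so that the next-best metric takes over.
withdraw_uplink() { run ip route del default via "$1" dev "$2"; }

# Static load-balancing: a single multipath default route instead of the
# fail-over pair. The kernel spreads next-hop selection in proportion to
# the weights (per destination on the 2.6 kernels of this release, per
# flow hash on current kernels).
setup_load_balancing() {
    run ip route replace default scope global \
        nexthop via "$WAN1_GW" dev "$WAN1_IF" weight 2 \
        nexthop via "$WAN2_GW" dev "$WAN2_IF" weight 1
}

# With asymmetric routing, strict reverse-path filtering (1) would drop
# replies arriving on the "wrong" link; loose mode (2) still rejects
# source addresses for which no route exists at all.
relax_rp_filter() { run sysctl -w net.ipv4.conf.all.rp_filter=2; }

if [ "${1:-}" = "apply" ]; then
    setup_uplink_tables; setup_source_routing; setup_failover; relax_rp_filter
fi
```

setup_failover and setup_load_balancing are alternatives for the main-table default; both keep the per-upstream tables and rules from setup_uplink_tables so that replies still go out the link they came in on. The rp_filter step matters on a firewall: without it, the source-based rule silently breaks return traffic, and with rp_filter fully disabled (0) the spoofing protection it provides is lost as well.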