m0n0wall Changelog

New in version 1.8.1 (January 17th, 2014)

  • add scheduler ("Croen") service with many different job types (enable/disable interface or shaper rule, Wake on LAN, reboot, reconnect WAN, execute command etc.)
  • improved IPv6 support, including IPsec, DHCPv6-PD, RDNSS and DNSSL, and NDP info on the ARP diagnostic page
  • major overhaul of wireless LAN support. On some cards, it is now also possible to create multiple APs at the same time. To reflect this change, the wireless settings have moved to the Interfaces: assign page, where WLAN subinterfaces can be created much like for VLANs.
  • DNS forwarder: add option to log DNS queries, add aliases (CNAMEs) and MXs
  • Add AES-256, SHA-256/384/512 and additional DH group options to IPsec
  • Make rule moving and deletion on shaper rules page work like for firewall rules.
  • Initial support for USB modems
  • enable CPU hardware crypto support
  • automatically reassign available physical network interfaces if none of the assigned interfaces in the configuration can be found on the system (i.e. for a new installation, or when moving an existing config to new hardware)
  • the "embedded" image is gone; generic-pc-serial should now be used for PC Engines and Soekris boards
  • console speed for serial images is fixed to 9600 baud (no longer tries to use BIOS preset value)
  • introduction of an automated build system that allows one to build m0n0wall from scratch with almost no manual intervention on a standard FreeBSD 8.4 system
  • countless bug fixes and improvements in UI and system configuration code

New in version 1.34 (November 13th, 2012)

  • Backported from beta branch:
  • Eliminate modifying GETs from webGUI pages.
  • Note: the API pages exec_raw.php and uploadconfig.php now require different parameters than before. exec_raw.php now requires the cmd to be given in a POST, and both pages need a valid CSRF magic token, which can be obtained by issuing a GET first without any parameters (see example in exec_raw.php comment).
  • Make rule moving and deletion on shaper rules page work like for firewall rules.
  • Add csrf-magic for CSRF protection in webGUI.
  • Fix potential XSS in diag_ping.php and diag_traceroute.php.
  • Increase key size of auto-generated webGUI certificates to 2048 bits.
  • Update default webGUI certificate/key.
  • Remove domain name handling from dhclient-script and change ARP command not to use sed (not used/available in m0n0wall).
  • Change virtualHW version to 7 for VMware image to avoid errors in ESX 4

New in version 1.33 Beta 2 (January 31st, 2011)

  • a new image type "generic-pc-serial" has been added; the only difference to generic-pc is that it always uses the serial console (on COM1 at whatever speed the BIOS set it to)
  • reintroduced original FreeBSD if_re driver (to fix missing support for 8139C+) and added Realtek patched driver under a new name (if_rg) with lower priority to ensure that the Realtek patched driver is only used if the stock FreeBSD if_re/if_rl can't handle the device
  • DHCPv6: fixup for sla-id being 0
  • disallow webGUI passwords with colons (:) as mini_httpd has trouble handling them
  • fix broken captive portal sessions when per-user bandwidth limitation is used and changes in the webGUI are made that require reloading the traffic shaper (reported by Robert Solomon)

New in version 1.33 Beta 1 (December 30th, 2010)

  • updated ipfilter to 4.1.33
  • inbound NAT rules can now be added on the LAN interface with the WAN address as a target; this helps with accessing servers on an optional interface from the LAN interface by using m0n0wall's WAN IP address
  • replaced if_re driver by Realtek customized version to support RTL8111C (among others)
  • IPv6 improvements by Andrew White:
  • initial support for LAN IPv6 prefix assignment using DHCP-PD
  • added AICCU to interface status page
  • added IPv6 support for syslog destination
  • added IPv6 support for Diagnostics:Firewall States
  • added error handling to interface status page for AICCU being down
  • fixed DHCPv6 server setup when target interface is configured in 6to4 mode (reported by Brian Lloyd)
  • added support for user-customizable captive portal logout and status page, as well as a password change option for local CP users (contributed by Stephane Billiart)
  • added 'Bind to LAN' option for syslog, so you can syslog over a VPN tunnel
  • fixed dnswatch to deal with changed resolv.conf (for IPsec tunnels to dynamic endpoints)
  • fixed various XSS vulnerabilities in webGUI
  • added option on advanced setup page to defend against DNS rebinding attacks
  • fixed extra slash in captive portal redirect
  • added support for (manually updated) CRLs for IPsec VPN (contributed by Sebastian Lemke)
  • prevent /ext directory from being listed through webGUI (reported by Bernd Strehhuber)
  • fixed typo in system_do_extensions() that broke extensions support (reported by Bernd Strehhuber)
  • added check for DHCP reservation entries for the same MAC address
  • change EDNS to 4096 from default of 1280 for dnsmasq, should help with DNSSEC
  • don't let missing DNS server information keep DHCPD from starting

New in version 1.32 (April 18th, 2010)

  • m0n0wall 1.32 patches an Ethernet bug on ALIX boards (among others) and contains several other small fixes and improvements on IPv6, the DNS forwarder and the hardware monitor.

New in version 1.3 (December 1st, 2009)

  • WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
  • When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image. Other platforms are not affected.
  • fixed DHCP server "deny unknown clients" option with known clients without a statically assigned IP address
  • fixed a security issue in the DHCP client (CVE-2009-0692)

New in version 1.236 (October 1st, 2009)

  • fixed a security issue in the DHCP client (CVE-2009-0692)
  • captive portal fixes (jdegraeve):
      • changed RADIUS timeout/maxtries from 5/3 to 3/2 reducing failover time from 30 to 15 seconds
      • added RADIUS attribute support for: ChilliSpot-Bandwidth-Max-Up/ChilliSpot-Bandwidth-Max-Down
      • fixed concurrent login detection, now case-insensitive
      • fixed Pass-Through MAC addresses in combination with RADIUS MAC authentication
  • SVG fixes for IE7/8
  • properly escape DHCP client hostnames in webGUI

New in version 1.3 Beta 18 (August 17th, 2009)

  • fixed broken IPsec support (missing library)

New in version 1.3 Beta 17 (August 13th, 2009)

  • Known issue: IPsec broken (missing library); 1.3b18 will be released soon
  • WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
  • When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image. Other platforms are not affected.
  • Converted from BRIDGE to if_bridge. Removed multi-interface bridge check, and checkbox under System > Advanced for filtering bridge since member interfaces will now always be filtered
  • fixed a problem with ipnat refusing to create new RDR translation entries in the NAT table if a MAP entry exists for the same port, even though that check is probably only meant to check for existing RDR entries. This fixes issues with SIP communication when there is an inbound NAT mapping for port 5060. (see also http://marc.info/?l=ipfilter&m=121749272404107&w=2)
  • fixed problems when using advanced outbound NAT rules with destination matching (non-FTP connections were processed by the ipnat FTP proxy, leading to slowness, lost connections, rogue ICMP host unreachable messages etc. because ipfilter requires an additional match statement on the destination port when using proxies)
  • fixed DHCP lease page to only show the last lease for a given IP address (see dhcpd.leases(5))
  • fixes for IPv6 pages in user/group manager
  • show IPv4 gateway on Status: Interfaces page (was removed inadvertently)
  • fixed bug with IPv6 subnets in firewall rules
  • added device msk to kernel configuration
  • updated base system to FreeBSD 6.4
  • avoided PEAR dependency and fixed DHCPv6 range check when interface is not configured with a v6 address
  • put logging back in for anti-spoof block rule