CHANGES FROM VERSION 4.1.0 TO VERSION 4.3.0

Version 4.3.0 is the first release in the 4.3 line. Subsequent maintenance releases in the 4.3 line will be numbered starting from 4.3.1, and will not have significant new features.

Version 4.3.0 contains several new features that are not in the 4.0 or 4.1 lines of development. (Version 4.2.0 was never released, and there is no 4.2 line of development.)

Version 4.3.0 includes all new features and bug fixes that were added to the 4.0 line up to and including version 4.0.5, or the 4.1 line up to and including version 4.1.16.

The following major new features have been added in version 4.3.0, and are not present in the 4.1 line:

* It is now possible to disable NAT for ALL gatewayed services. Previously, it was possible to disable NAT only for NetBIOS gatewaying. [PR 606]
* If NAT is disabled, then it is now possible to set up incoming TCP and UDP gateways. [PR 618]
* Service entries (gateways, proxies, and servers) now allow ranges of ports to be specified, instead of only one port per service entry. This can help reduce the number of service entries and thus ease administration, especially in larger sites. [PR 455]
* Service entries (gateways, proxies, and servers) now include a "Log As" field. Usually you would leave this blank, but it allows you to assign a new name to a service for logging purposes if you wish. The service name will appear in the "proto=" part of log messages in WebTrends format. This may be especially useful with services that require a range of many ports to be opened. [PR 455]
* Service entries (gateways, proxies, and servers) now include a new "Location" toggle field, which allows you to specify the location of the clients; this can be set to "None", "Inside", "Outside", or "Any". This provides additional security and helps guard against mistakes, especially now that incoming gateways can be configured. Setting it to "None" provides an easy way to disable a service entry temporarily, without actually having to delete it. [PR 618]
* Gateways now also allow destination address and netmask restrictions. This was added to increase security primarily when setting up incoming gateways. [PR 618]
* Outgoing proxies and outgoing gateways on the same port are now allowed. [PR 816, 976]
* It is now possible to have UDP proxies. Previously, only TCP proxies were possible. [PR 236, 733]
* The "Accept Recipients"/"Reject Recipients" handling in the mail subsystem has been replaced by a new set of "Email Sender/Recipient Filters", which can be used to allow or deny sender or recipient email addresses using wildcard patterns. This is a more general and powerful mechanism, and is easier to use. [PR 604, 740]
* It is now possible to use IPsec/IKE with a single pre-shared key which will be shared by all clients regardless of what identifier the remote client sends. This is done by using "*" instead of an IP address or FQDN in the psk.txt file. [PR 789]
* Firewalls that are licensed on a rental basis will automatically attempt to extend their registration, starting about 10 days before the registration expiry date. This is configurable on the registration screen, and defaults to a month-by-month extension. [PR 978]
* The underlying operating system has been upgraded from FreeBSD-2.2.x to FreeBSD-4.x. This greatly improves support for modern hardware. [PR 467]
* SMP (symmetric multi-processor) systems are now supported. After installation, "kernel.smp" must be selected instead of "kernel.generic". [PR 654]

The following minor new features have been added in version 4.3.0, and are not present in the 4.1 line:

* NetBIOS can now be NATed like other protocols. [PR 206]
* POP3 maildrops can now be configured for e-mail addresses in virtual mail domains. [PR 251]
* Mail postboxes can now be set up for users in virtual domains. [PR 353]
* The gateway will now log outgoing packets that have invalid source IP addresses (that is, source IP addresses that are not from any of the known inside networks). This will help to prevent the launch of anonymous Denial of Service attacks from behind the firewall, and will also help diagnose some types of incorrect configuration. [PR 193]
* It is now possible to configure the inetd rate limit from the system setup screen. [PR 250]
* The idle timeout for POP3 is now separately configurable. [PR 386]
* Blocked newsgroups can now take a trailing dollar sign to specify that an exact match (rather than just a prefix match) is required for the group to be blocked. [PR 334]
* Added more .ini keywords for logwww, including ones which can be used to enable various types of content filtering. Also added the ability to filter OBJECT tags based on the classid attribute. This means that we can now also filter Macromedia Flash content. At present, this can only be enabled by creating a line "no_flash 1" in the file /usr/local/custom/http.ini. [PR 394]
* Mail subject filters can now be configured in the admin program, rather than having to be edited by hand. [PR 472]
* When viruses are detected in email messages, it is now possible to specify that a copy of the message should be sent to a responsible person. A new "CC: infected messages to" field on the Delivery Rules setup screen controls this feature. [PR 514]
* It is now possible to configure how long the firewall should wait before sending a mail message sender a warning message informing them that their mail has not yet been delivered. [PR 470]
* authd denial log messages have been made more informative. [PR 530]
* CEQURUX proprietary VPNs now support Rijndael, the new AES encryption standard. [PR 558]
* A new screen saver has been implemented. This screen saver will display the contents of the first console (i.e. the output of logwatch) on the current console, until a key is pressed. [PR 568]
* CEQURUX proprietary VPN IP tunnels no longer have a domain associated with each one; instead a separate table associating domains with tunnels has been added, so that multiple domains can be associated with a single tunnel (or, conversely, a tunnel need not be associated with any domain). This gives greater flexibility in configuring how splitdns decides about tunnelling A record lookups across VPNs. [PR 615]
* The date and time setup screen now continuously updates the displayed time, and has been made easier to use. It should now be considerably less likely that users accidentally set the wrong time. [PR 695, 696]
* The logwww program now adds an X-Forwarded-For header to requests that it forwards to the squid caching web proxy, and squid (package version squid-2.4.cequrux4.3.9 or later) now uses the X-Forwarded-For header to find the IP address of the internal client. (Previously, squid saw all requests as coming from IP address 127.0.0.1.) As a consequence of this, access controls in the squid.conf file can give different permissions to different internal IP addresses, and the squid access log shows the internal IP address for each request. [PR 817]
* Several new .ini keywords have been added to cdsgw. The new "mapportrange" keyword can be used to control ports used for outgoing connections. Several "*_drop_*_ports" parameters can be used to ignore traffic on certain ports. The "outside_drop_dst_addrs" parameter can be used to ignore traffic to certain IP addresses. [PR 882, 885, 887]
* The "-c inifile" command line option used by many programs has been extended to "-c {inifile | servicename | inifile:servicename}". It can now be used to specify the name of the inifile, or the servicename, or both. [PR 893]
* The cdsgw program now takes a "-c {inifile | servicename | inifile:servicename}" command line option, which works just like the corresponding option in many other programs. The old "-c" command line argument, which was used for debugging, has been renamed to "-C". [PR 893]
* The fwadmin program will now invoke /usr/local/custom/fwadmin.before and /usr/local/custom/fwadmin.after scripts, if they exist. [PR 892]
* The custom extensions for /etc/daily1, /etc/daily2, /etc/weekly, /etc/monthly, and /etc/security have all been split into ".before" and ".after" components. Also, the /usr/local/custom/daily file is no longer used; custom extensions that were previously stored in that file should be moved to /usr/local/custom/daily1.after. [PR 907]
* There is now an automated method for converting an older configuration file to the new format required by current versions of the firewall. This conversion is performed when importing a configuration from floppy disk, when upgrading from CD-ROM, and when upgrading from a cequrux.tgz package. [PR 468, 659]
* When an email message contains viruses, it is now possible to delete the entire message. Previously, the infected attachment could be deleted, but the remainder of the message would nevertheless be delivered. [PR 941]
* Rudimentary support for gatewaying the GRE protocol has been added. This is enabled by setting "dogre 1" in the /etc/cequrux.cfg file. When this switch is enabled, all internal hosts are allowed to create GRE sessions to all external hosts. [PR 945]
* The mechanism that was used for renaming *.vbs email attachments has been extended to handle several more types of files, including files that have CLSID extensions, such as ".{00020C01-0000-0000-C000-000000000046}". [PR 942, 957]
* A DHCP server package is now included. It is configured by editing /usr/local/custom/dhcpd.conf and /usr/local/custom/rc.local. [PR 932]
* The HTTP interception proxy function is no longer implicit, but has to be enabled explicitly. [PR 965]
* A new authentication type has been added for NT Domains. [PR 810, 815]
* A new option has been added to the virtual domain configuration, to control whether or not the firewall attempts to provide primary DNS information for the virtual domain. [PR 956]
* The firewall will now continue working for 7 days after the expiry date. This grace period is intended to accommodate delays in the banking system as experienced by monthly rental customers. [PR 972]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.1:

* If the firewall's anti-virus feature is enabled, and if any user inside the firewall receives an anti-virus alert email message from Sophos, then the firewall will automatically fetch the "IDE" file mentioned in the alert message. In the past, the firewall fetched updated IDE files once per day; with this new feature, the firewall will fetch an updated IDE file almost immediately (provided a user inside the firewall is subscribed to the Sophos alert mailing list; see http://www.sophos.com/virusinfo/notifications). [PR 367]
* When viruses are found in email messages, the name of the virus is now recorded both in the firewall's log and in the email message passed on to the recipient. Previously, the name of the virus was included in the email message but not in the firewall log. [PR 79, 853]
* The firewall is able to act as an NFS client, with suitable custom configuration. [PR 950]
* Firewalls that are licensed on a rental basis can automatically extend their own registration by a configurable number of months at a time. (Previously, this functionality was not configurable.) Email messages will be sent to report success or failure. [PR 974, 978]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.2:

* Mail delivery failure messages now include a Subject line that lists the reason for the failure. [PR 384]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.3:

* The registration activation screen now displays a phonetic alphabet, and displays the activation key in groups of 4 characters (instead of as a long string without any spaces). These changes should make it easier to communicate registration and activation keys over a telephone connection. [PR 462]
* Improved the log messages associated with URL blocks and smartblocks. Log messages now identify which rule was responsible for an HTTP transaction being blocked. [PR 463]
* The flush_mailq command can now pass additional options to the underlying sendmail processes. For example "flush_mailq -v" will pass the "-v" (verbose) flag to the sendmail processes. [PR 481]
* fwadmin now defaults to non-destructive operation (as if the "-n" flag had been specified) if it is run on a system that is not a CEQURUX firewall. A new "-m" command line option overrides this. This feature is intended for CEQURUX internal use. [PR 200]
* Splitdns now logs more information about bad DNS requests. [PR 512]
* When using the non-WebTrends format logging, the client port will now be logged in service exit messages (it already was being logged when WebTrends format was enabled). [PR 519]
* The scripts that update the SAVI anti-virus library and data files now use the wget command if it is available. If a connection fails, wget will retry up to 20 times. [PR 515]
* Failed PTR lookups of internal IP addresses will now not be tunnelled or forwarded to the external server, as this is almost certain to be futile and causes a performance hit for all internal machines that are not in the DNS databases. [PR 529]
* A new version of the SAVI anti-virus library is now included. This is necessary because Sophos has changed the procedure for fetching SAVI updates. [PR 548]
* Several email messages can now be processed in parallel by the postmail program's anti-virus scanner. This improves email delivery performance. [PR 543]
* The "Show Active Sessions" option in gwchat now includes VPN sessions. [PR 563]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.4:

[none]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.5:

* Aliased IP addresses on the outside (for virtual domains) can now be pinged (i.e. ICMP echo requests will be allowed to reach the external interface on these addresses). [PR 569]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.6:

* Added a new "-rd" option to the report program, and corresponding new checkboxes to the webadmin reporting interfaces, to restrict reports to certain directions of traffic. Traffic source and destination are each classified as one of Inside, Outside, DMZ, or the Firewall itself. The four source classifications and four destination classifications result in 16 possible directions. Reports may be restricted to any one or more of the 16 directions. [PR 617]
* If the connecting mail client knows how to speak ESMTP (opens with an EHLO command), then recvmail will send a SIZE keyword reporting the maximum message size that we will accept. [PR 712]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.7:

* The squid caching web proxy package is now based on squid version 2.4.STABLE2, and includes support for the (not yet standardised) WebDAV "SEARCH" method, and for delay pools. Delay pools can be used to limit bandwidth usage, but this requires custom configuration (in /usr/local/custom/squid.conf). [PR 724, 725, 726, 727, 729, 735, 951]
* Added the ability to generate user traffic reports with less detail. The "User Activity Report" form presented by the webadmin interface now has a new "Level of detail" toggle, which allows a choice between "Totals only" or "Details and totals". In the past, the details could not be suppressed. [PR 742]
* Added a new "Local user traffic summary for current day" report to the webadmin interface. This is equivalent to a User Activity Report for the current day, with a low level of detail, restricted to local users, and with default values for all the other options. [PR 744]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.8:

* The logwww and publogwww programs now log the HTTP "Referer:" and "User-Agent:" fields, using ref= and agent= keywords in the relevant log messages. [PR 776]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.9:

[none]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.10:

[none]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.11:

[none]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.12:

[none]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.13:

* During an upgrade from CD-ROM, if the firewall had any non-standard additional file systems, the upgrade process now attempts to preserve them. This includes preserving symbolic links that point to directories in the additional file systems, provided that the link target matches the pattern "/extra*". For example, if there is a symbolic link from /usr/log to /extra1/log, then it will be preserved across upgrades. [PR 217, 613, 920]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.14:

* IDE disk drives can now be accessed using LBA mode, which allows disks larger than about 31.5GB to be used. Previously, IDE disk drives were used only in CHS mode, and their effective size was artificially limited to 30GB. [PR 790, 879]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.15:

[none]

The following new features have been added in version 4.3.0, and also appeared in version 4.1.16:

* The uuencode and uudecode programs can now handle base64 encoding as well as the original uuencode format. [PR 949]

The following features have been removed:

* telnet2fw, the un-encrypted telnet service, is no longer allowed. Instead, if you want to do remote logins to your firewall, you MUST use ssh, which is much more secure.
* It is no longer possible to specify that the hardware or BIOS clock works in local time. This option was more confusing than useful. [PR 695]
* The "Treat ports>1023 as HTTP" option in the Access Control setup screen has been removed. Instead, if you wish to allow outgoing access on a large range of ports, you must explicitly configure a service (such as a gateway or a web proxy permission entry) with the desired port range. In the past, it was not possible to configure services with port ranges, and the "Treat ports>1023 as HTTP" option was a way of achieving part of the functionality that is now available. [PR 455, 861]

The following limits have been changed:

* SPEKE can now be used in all countries for remote administration authentication by password. SPEKE was previously disabled in the USA due to patent issues. [PR 343]
* The allowed outgoing UDP destination port ranges for traceroutes have been expanded to a range of 90 ports, up from 32 (still starting at port 33434). This corresponds better to the default behaviour of most UNIX traceroute programs. [PR 572]

The following defaults have been changed:

* Logging is now done in WebTrends compatible format by default. The old format is still supported but is deprecated; support for the old format will be dropped in future releases. [PR 544]
* The default DNS blackhole list for spam filtering (RBL domain name) has been changed from rbl.maps.vix.com to blackholes.mail-abuse.org. [PR 636]
* When the internal web server is down, the firewall no longer logs 'CEQURUX WWW Error', but rather logs 'WWW Error'. [PR 713]
* The "Disable Mail Subsystem" option now defaults to "Yes", which means that the firewall will not accept SMTP mail connections from internal or external hosts. The firewall will still try to handle mail that originates on the firewall itself (such as daily reports). [PR 866]
* The postmail program now defaults to processing mail messages as fast as possible. Previously, it defaulted to delaying for 1 second after each message. The previous behaviour can be obtained by placing "stagger 1" in /usr/local/custom/postmail.ini. [PR 900]
* Core dumps (from programs that encounter internal errors) are now written to the /var/tmp directory. [PR 948]

The following changes have been made to packages that are bundled with the firewall. New packages are included on new CD-ROM media, and may be downloaded separately for installation on existing firewalls:

* The fetchmail package is now included. Any use of this package will require custom scripting. [PR 922]

The following minor changes are required for compatibility with changes made by third parties:

The following changes do not add any visible new features but improve reliability, performance, or usability:

* The lifetime of DNS information has been extended. [PR 376]
* recvmail/postmail log more information to make it easier to trace the progress of a specific mail message through the mail subsystem. [PR 395]
* checkdaemons will now be restarted by cron if it stops running for some reason. [PR 510]
* cdsgw will now not block when doing ARP lookups; this should prevent it from stalling if a packet is sent to a non-existent host over a proprietary VPN tunnel. [PR 566]
* References to /usr/log or /usr/tmp have been replaced with references to /var/log and /var/tmp (these in turn are symlinks to /usr/log and /usr/tmp, so there should be no change in behaviour, but this is more consistent with the usual UNIX semantics). [PR 578]
* The asynchronous DNS cache used by cdsgw now takes into account the time-to-live of DNS responses and expires old entries; previously it would replace old entries when new forward lookups were done but not otherwise. Note that this has both good and bad effects: it can prevent some DNS lookup errors, but it can also reduce the efficacy of smart blocking. [PR 602]
* When you use proxies from internal clients, or from external clients with reverse DNS lookups not enforced, the proxies will now do reverse DNS lookups asynchronously. This should improve performance by eliminating the delay at the start when a proxy would block while doing a reverse lookup of the client's address. [PR 603]
* The pi.construct script is now a bit more careful during upgrades about what changes it makes to the config file. [PR 614]
* The minimum allocated swap space will now be 200Mb. [PR 624]
* Saving the configuration should be faster in some cases. [PR 682]
* If there is an attempt to initiate an FTP data connection from an unexpected IP source address or port, but to the expected IP destination address and port, then an informative message will be logged. This is intended to help track down misconfigured FTP servers. Note that the "Allow FTP Callback Address Change" toggle on the Transparent Gateway setup screen can be used to allow interoperation with misconfigured servers, provided that the server uses the correct port number. [PR 828]

The following minor changes are intended for CEQURUX internal use and are mentioned here only for completeness:

* Changed the way the fwadmin -n option works. [PR 802]

The following problems have been fixed:

* Improved the way recvmail checks for mail loops. [PR 272]
* Recvmail will now tolerate multiple From: headers in mail bodies. [PR 233]
* Fixed a bug in the FTP proxies for virtual domains. The data connection callbacks were binding to INADDR_ANY instead of to the specific aliased IP address, which resulted in them not working with some FTP clients. [PR 241]
* Fixed a bug in the gateway's handling of FTP data connection callbacks from FTP servers using active mode. The gateway would allow the callback provided the source and destination ports matched, even if the server address changed. The correct behaviour is for the gateway to check the server address as well, unless the "allow FTP server callback address change" option is enabled. [PR 243]
* Changed the wording on some screens to be more precise. [PR 293]
* The "Treat ports > 1023 as HTTP" setting is supposed to apply to outgoing TCP sessions on high ports, except those high ports that have their own explicitly configured gateways, or that have their own explicitly configured outgoing proxies for services that do not run on the firewall itself. There was a bug that caused explicitly configured incoming proxies and explicitly configured proxies for services that run on the firewall itself to interfere with the gatewaying implied by the "Treat ports > 1023 as HTTP" setting. [PR 311]
* Fixed a bug which caused the FTP proxy to erroneously log possible tunnel exploits when the NLST command was handled. [PR 332]
* genrelays that are used for relaying SMTP will now issue 441 responses if access is denied or the relay connection failed. [PR 335]
* The maximum allowed line length in mail messages has been increased from 2kb to 4kb, and headers that are too long will now cause the mail to be rejected by sendmail rather than bounced by postmail. [PR 325]
* Restoring a backed-up configuration file now also recreates users' home directories if they are not present. [PR 340]
* publogwww will now better handle URLs that are pathnames that don't have leading slashes. These violate the HTTP spec but seem to occur in practice with some rogue web browser clients. Previously publogwww would log the file name as the destination host, but it now logs the destination host correctly. [PR 338]
* Fixed a bug in the log file rotation of Squid web caching logs. [PR 320]
* Specifying an end time in reports now causes the report to end at exactly that time; previously it ended 59 seconds past that time (so specifying an end time of 24:00 effectively meant 24:00:59 but now means 24:00:00). [PR 316, 317]
* Fixed a potential deadlock when updating the key database. [PR 310]
* Fixed a bug in the POP3 server which could cause it to block indefinitely instead of timing out if the TCP connection is not closed. [PR 288]
* Fixed a bug in the code which checks whether addresses are in proprietary VPNs; this caused splitdns to periodically dump core in 4.1.0 if CEQURUX proprietary VPNs were configured. [PR 359]
* Fixed a bug which prevented mail for POP3 users in virtual domains from being accepted if the virtual domain entry had no mail server specified and the "Convert to primary domain" option was set to "No". [PR 361]
* Specifying logical-HTTP TCP proxies with restricted destination servers now works; the http:// part of requested URLs is stripped before the URL is relayed to the destination server. [PR 363]
* The nblookup program could wait indefinitely if a timeout of less than six seconds was used; this is fixed. The manual page has also been changed to note that the timeout is approximate only (the reasons why are too complex and irrelevant to go into here). [PR 360]
* The routine which gets the name servers for an address has had a slight change made in its failure mode handling which should prevent some mail addresses from being erroneously rejected as spammers. [PR 362]
* Fixed some glitches in the generation of external DNS records for servers in virtual domains, and added generation of internal DNS records for these servers. The internal server addresses should appear in the internal host lists or a warning will be issued when saving the config. [PR 371]
* logwww can now handle URLs up to 4kB in length, whereas before it was limited to 1kB. [PR 370]
* cdsgw can now handle multiple pings from internal hosts to the same external host (the only requirement now being that the process IDs used by the internal hosts are different). [PR 388]
* Fixed a bug which could cause recvmail to log a buffer overrun if a transient DNS failure occurred. [PR 389]
* Fixed a problem with file locking by recvmail that could occasionally result in mail messages being truncated. [PR 375]
* Fixed a bug which prevented cdsgw from correctly gatewaying UDP packets with no checksums. [PR 387]
* Fixed a bug which caused the list of active sessions to include some garbage if any URL blocks were defined. [PR 385]
* DNS lookups of internal names from clients in the DMZ are now directed to the internal name server; previously any and all DNS lookups from DMZ clients were sent to the external name server. [PR 392]
* There was an off-by-one error in the authentication time fields in the Access Setup Screen. The very last field value was stored as the authentication timeout, with all of the success/failure caching time fields being shifted up one (so the value displayed on the screen as the authentication timeout field was being saved as the cipher failure cache time, and so on). This has been fixed. [PR 396]
* The URL blocks weren't working: the smartblocks were being loaded instead of the URL blocks. [PR 431]
* 4.x firewalls logged the amount of data in/out for the webadmin service incorrectly; this is fixed. [PR 427]
* When new anti-virus IDE files or libraries are available, postmail should be sent a SIGHUP signal, which makes postmail re-read its configuration file and re-initialise anti-virus processing. The daily task which fetches new IDE files was not signalling postmail at all, and the task that fetches new IDE files on demand was sending a SIGTERM instead of a SIGHUP signal. [PR 446]
* SMTP TCP proxy entries which specify relay servers should translate into genrelay entries in /etc/cdsinetd.conf, not recvmail entries. This has been fixed. [PR 433]
* Similarly, ssh TCP proxy entries with relay servers should translate into genrelay entries, not cdssshd entries. [PR 438]
* The SOA DNS records were being expired after about 3 days, instead of 30 days. [PR 422]
* logwww can currently only handle URLs of up to 4096 bytes in length. Previously, if this was exceeded, it would log a buffer overrun and truncate the URL. It now sends back an HTML error message instead. [PR 430]
* webadmin and keyadmin will now exit upon idle timeouts of 60 seconds. [PR 415]
* cdsshd was ignoring SIGHUP even after forking a shell, which prevented child processes running in the background from being terminated when exiting an SSH session. [PR 445]
* Many idle timeouts can now be set to as long as a week, where they were previously mostly limited to 30 minutes. [PR 440]
* Fixed the problem of sendmail complaining about failed gethostbyaddr lookups for aliased virtual domain addresses. [PR 410]
* When one session reached its maximum duration limit and was terminated by cdsgw, other sessions that had not reached their maximum duration or idle time limits could be terminated incorrectly. [PR 442]
* If outgoing pings are disabled, any in-progress ping sessions will now be forcibly terminated. [PR 524]
* The public web server, if any, was using custom extensions from the file /usr/local/custom/httpd.conf, but should instead have been using /usr/local/custom/pubhttpd.conf; this has been corrected, together with a related error in the manual. [PR 541]
* Custom extensions (in the /usr/local/custom directory) to the httpd.conf and pubhttpd.conf files were not properly incorporated into the live configuration files. [PR 541]
* Custom .ini files will now be added to the appropriate /etc/cequrux.ini section before (rather than after) generated entries, so that they can override generated entries if desired. [PR 574]
* The script that is used to convert log messages into CSV or similar files for importing into third party spreadsheets or databases did not work if WebTrends format logging was used; this has been fixed. It also now supports the messages generated by servers such as recvmail and pop3; previously these were omitted. [PR 576]
* Demand-dial kernel-mode PPP would drop the link after an idle time of at most two minutes, instead of the time specified in the config. This has been fixed. [PR 128]
* Fixed a bug in the tunnelling of DNS requests which could cause requests to be sent over the wrong tunnel, or cause splitdns to dump core, in certain configurations. [PR 599]
* Previously, if content or banner ad filtering was enabled and a TCP gateway was configured for HTTPS (port 443), then HTTPS didn't actually work. It was being handled by a transparent proxy but packet filters were blocking the server responses. The code has been changed so that port 443 will be handled by a cdsgw gateway instead, which will not only eliminate this problem but should also be more efficient. [PR 609]
* Logwatch mail filters broke on log messages longer than about 450 characters; they should now handle log messages of any length. [PR 149]
* Disabling the mail subsystem and adding SMTP relays that require authentication previously did not work properly, in that authentication was not done; instead the firewall allowed anyone to access the SMTP relays. This has been fixed. [PR 619]
* If you attempt to downgrade to an older version, the upgrade script and the do_upgrade script will now display warnings, in case you did not intend to do that. [PR 710]
* Improved handling of expiry times in cdsgw's persistent ARP cache. Previously, entries in the ARP cache did not expire, but now they expire after 15 minutes. [PR 503]
* Improved handling of expiry times in splitdns's IP address to name cache. This cache is used to construct answers to DNS "PTR" record requests when the desired information does not exist in the DNS but can be inferred from the answers to previously encountered "A" record requests. Previously, entries in this cache did not expire, but now they expire after a time determined from the TTL field in the DNS records that were encountered, as well as some other considerations. [PR 757]
* Fixed a problem with the way www-deny.txt and related files are installed. These files are now copied from /usr/local/custom to /usr/local/etc and /usr/local/proxy/usr/local/etc, if the custom files exist. [PR 936, 937]
* Made some improvements to the way temporary file or directory names are chosen. [PR 753]
* Made some improvements to the way Sophos SAVI libraries are updated. [PR 884]
* The "lifetime byte" option in IKE negotiation is no longer used. [PR 804]
* IKE negotiation now prefers main mode, but also accepts aggressive mode and base mode, for compatibility with other IPsec implementations. [PR 933]
* Email messages in which the header contains raw CR or LF characters will be modified to use CR+LF pairs instead. [PR 957]
* Email messages in which the blank line between the header and the body is missing will now have the missing blank line inserted. [PR 957]
* If virus scanning is disabled, then we no longer attempt to download updates to the anti-virus libraries or data files. [PR 959]
* When multiple hosts have the same IP address, we now give each of them an "A" record in the DNS zone files. Previously, we gave one host an "A" record, and we gave all other hosts a "CNAME" record. [PR 864, 960]
* DNS dynamic update requests are now refused. [PR 964]
* The postmail program now performs a more comprehensive self-test of the virus scanner, and refuses to run if the self test fails. [PR 832, 957]
* Several more types of compressed or encoded content are now scanned for viruses. [PR 957]
* Password-protected files are no longer treated as if they contain viruses. [PR 966]
* Fixed some problems in the automated remote registration process. [PR 969]
* Fixed an error in netbiosd's timeout handling, which previously led to splitdns reporting "no more space for DNS requests". [PR 977]
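The two mail header fixes under PR 957 (raw CR or LF in the header rewritten as CR+LF, and a missing blank line between header and body inserted) describe a normalisation step that keeps downstream parsers such as a virus scanner from seeing a different header/body boundary than the delivering MTA. The following Python is an added illustration of that step, written for these notes and not taken from the firewall's postmail or recvmail code; the sample message, the header-field pattern and the rule that the header ends at the first line that is neither a field nor a folded continuation are all assumptions.

```python
import re

# Any of CRLF, bare CR or bare LF ends a header line in the raw input.
_LINE_BREAK = re.compile(rb"\r\n|\r|\n")
# A header field starts with a field name (printable ASCII, no colon) and ':'.
_HEADER_FIELD = re.compile(rb"^[!-9;-~]+:")


def normalize_header(raw: bytes) -> bytes:
    """Rewrite the header of a raw message so that every header line ends in
    CRLF and exactly one blank line separates the header from the body.

    The body is passed through byte for byte. If the blank separator line is
    missing, the header is taken to end at the first line that is neither a
    header field nor a folded continuation line (assumed rule), and the
    separator is inserted in front of that line.
    """
    header_lines: list[bytes] = []
    pos = 0
    while pos < len(raw):
        m = _LINE_BREAK.search(raw, pos)
        line = raw[pos:m.start()] if m else raw[pos:]
        next_pos = m.end() if m else len(raw)
        if line == b"":
            # Proper separator found: the body is everything after it.
            return _assemble(header_lines, raw[next_pos:])
        is_field = _HEADER_FIELD.match(line) is not None
        is_fold = bool(header_lines) and line[:1] in (b" ", b"\t")
        if is_field or is_fold:
            header_lines.append(line)
            pos = next_pos
            continue
        # Not a header line and no blank line before it: the body starts
        # here, so the missing separator goes in front of it.
        return _assemble(header_lines, raw[pos:])
    # The message consists of header lines only.
    return _assemble(header_lines, b"")


def _assemble(header_lines: list[bytes], body: bytes) -> bytes:
    """Join header lines with CRLF, then the separator, then the body."""
    return b"".join(h + b"\r\n" for h in header_lines) + b"\r\n" + body


# Constructed sample: mixed bare LF and bare CR endings, a folded Subject
# line, and no blank line before the body.
SAMPLE = (b"From: sender@example.com\n"
          b"To: user@example.com\r"
          b"Subject: line one\n\tline two\n"
          b"This is the body.\n")

if __name__ == "__main__":
    print(normalize_header(SAMPLE).decode("ascii"))
```

A body line that happens to look like a header field (for example "Note: ...") directly after the last real header would be absorbed into the header by the assumed end-of-header rule; that ambiguity is inherent whenever the separator is missing, which is why the separator matters in the first place.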
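Two items above share one building block: the PR 193 egress check (log outgoing packets whose source address is not in any known inside network) and the PR 617 report directions (source and destination each classified as Inside, Outside, DMZ or the Firewall itself, giving 16 directions that a report can be restricted to). The Python below is an added example for these notes, not code from the firewall; the topology, the packet records and the log message wording are constructed.

```python
import ipaddress

# Constructed topology; the real values come from the firewall's network
# setup screens, not from these release notes.
INSIDE_NETS = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "192.168.5.0/24")]
DMZ_NETS = [ipaddress.ip_network("172.16.20.0/24")]
FIREWALL_ADDRS = {ipaddress.ip_address(a)
                  for a in ("10.1.0.1", "172.16.20.1", "198.51.100.2")}

CLASSES = ("Inside", "Outside", "DMZ", "Firewall")
# Four source classes times four destination classes: the 16 report directions.
ALL_DIRECTIONS = [f"{s}->{d}" for s in CLASSES for d in CLASSES]


def classify(addr: str) -> str:
    """Map an address to one of the four traffic classes.

    The firewall's own addresses are checked first because they also fall
    inside the inside/DMZ networks they serve.
    """
    ip = ipaddress.ip_address(addr)
    if ip in FIREWALL_ADDRS:
        return "Firewall"
    if any(ip in net for net in INSIDE_NETS):
        return "Inside"
    if any(ip in net for net in DMZ_NETS):
        return "DMZ"
    return "Outside"


def direction(src: str, dst: str) -> str:
    """Direction label in the same form as ALL_DIRECTIONS."""
    return f"{classify(src)}->{classify(dst)}"


def select_by_direction(packets, wanted):
    """Keep only records whose direction is in 'wanted' (the -rd restriction)."""
    wanted = set(wanted)
    unknown = wanted - set(ALL_DIRECTIONS)
    if unknown:
        raise ValueError(f"unknown direction(s): {sorted(unknown)}")
    return [p for p in packets if direction(p[0], p[1]) in wanted]


def check_outgoing(packets):
    """Egress check: packets arriving on the inside interface must carry an
    inside source address. Anything else is logged (not silently dropped here)
    so that spoofing attempts and misconfigured hosts can be traced."""
    logged = []
    for src, dst, proto in packets:
        cls = classify(src)
        if cls != "Inside":
            logged.append(f"invalid source address {src} (class {cls}) "
                          f"for outgoing packet to {dst} {proto}")
    return logged


# Constructed packet records seen on the inside interface: (src, dst, proto).
SAMPLE_PACKETS = [
    ("10.1.2.3", "203.0.113.9", "tcp/80"),       # legitimate inside client
    ("203.0.113.200", "203.0.113.9", "udp/53"),  # outside address on the inside wire
    ("172.16.20.7", "203.0.113.9", "tcp/25"),    # DMZ address on the inside wire
    ("192.168.5.10", "198.51.100.2", "icmp"),    # inside host talking to the firewall
]

if __name__ == "__main__":
    for line in check_outgoing(SAMPLE_PACKETS):
        print(line)
    print(select_by_direction(SAMPLE_PACKETS, ["Inside->Outside"]))
```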