$Id$

*** Note: Please add new entries to the top of this file. ***

-------------------------------------------------------------------------------
- L2TP/IPsec option for VPN, as PPTP is not deemed secure anymore
- fix aiccu not starting with static WAN IPv4 address
- update mini_httpd to 1.21, which disables SSL 3 because of the "POODLE" attack
- recognize PC Engines APU
- add checkbox to enable HT for 11n WLAN interfaces
- automatically add filter rules for DHCP on optional interfaces if the DHCP relay is enabled
- fix PPTP client on WAN
- fix snmpd for CPU and uptime, and some host MIB stuff
- fix: keep diagnostics in navigation expanded after accessing diagnostics page "CPU Graph"

1.8.1
-----
- always allow required MAC types for WPA authentication in captive portal ipfw config
- fix interfaces' status display for interfaces that do not have a MAC address, like MPD links (reviewed by Andrew White)
- fix patching of dnsmasq for ISC leases, dropped when updating dnsmasq to 2.66
- add basic support for run devices
  IMPORTANT: You have to enforce loading the runfw module on the webinterface page System -> Advanced -> Miscellaneous. Tick the checkbox "Enable Ralink USB wireless devices" and reboot!
  add runfw to the kernel modules list
  add function load_kernel_modules() in system.inc which can be used to load kernel modules at an early stage (have a look at rc.bootup)
  add system -> ralink option to config.xml
  fix a bug that caused a warning while using the scheduler with an early configuration
  update a few dates
- Fix a regression in the firmware upgrade page
  Fix a typo in the firmware upgrade instructions
- clarify instructions on firmware upgrade page (contributed by Pierre Nast)
- DNS forwarder: add option to log DNS queries, add aliases (CNAMEs) and MXs (contributed by Pierre Nast)
- upgrade dnsmasq to 2.66, remove TFTP, auth and DHCPv4 options from dnsmasq
- update some README text
- update go.sh to fix 404 for autoconf268 (uses 269 now)
- add ippool utility
- refactoring to support 8.4-RELEASE (remove redundant patches etc.)
- Fix "Silence RA announce receive log message for WAN interfaces when using dhcp-pd"
- Silence RA announce receive log message for WAN interfaces when using dhcp-pd
- Change Build to use SVN for ports, as CVS is deprecated
- Add support for RDNSS and DNSSL. RA IPv6 announcement will include Recursive DNS server and DNS search list, using the same logic as the DHCP server does to select these options.
- Add AES 256 option to IPsec
- Update timezone.tgz with FreeBSD 8.3 zoneinfo files
- Fix SVG graphs on IE9/10
- Fix IPsec tunnels with endpoint on optional interfaces
- Add job "Wake on LAN" to the scheduler
- Fix corruption check of the scheduler
- Add superficial corruption check for scheduler jobsets
- Fix first modem port not showing
- Add enable/disable scheduler jobset on 'edit job' page
- Add enable/disable scheduler jobsets
- Fix: changes to the 'Use device polling' state now fire up a 'reboot required' event as expected.
  Fix: changes to the 'Prefer old IPsec SAs' state now trigger an ipsec function call as expected.
- Fix disconnecting sessions on captive portal status page. Keep csrf-secret.php from appearing on group manager.
- Generate 2048-bit SSL certificates by default and make them valid for 3 instead of 2 years.
- Replace expired default certificate/key by new one.
- Eliminate modifying GETs from services_croen.php
- Update supfile to include ports-base to update Mk, or new ports won't build
- Disable usbus interfaces (to avoid SNMP ifindex shift).
- Add WLAN TX power setting (static list, since querying the supported power settings doesn't appear to be reliable).
- Eliminate modifying GETs from webGUI pages (except for services_croen*.php)
  Note: the API pages exec_raw.php and uploadconfig.php now require different parameters than before. exec_raw.php now requires the cmd to be given in a POST, and both pages need a valid CSRF magic token, which can be obtained by issuing a GET first without any parameters (see example in exec_raw.php comment).
- Make rule moving and deletion on shaper rules page work like for firewall rules.
- Fix potential XSS in diag_ping.php and diag_traceroute.php.
- Add some new SCSI and network drivers to the kernel configs.
- Make rule moving and deletion on shaper rules page work like for firewall rules.
- Add csrf-magic for CSRF protection in webGUI.
  Note: all modifying GETs in webGUI still need to be replaced by POSTs for this to be effective.
- Fix IP address for modem on status page.
- Update build scripts and patches for FreeBSD 8.3 and bump version to 1.8.1 to reflect this relatively major change.
- Fix "Modem" appearing as gateway for Ethernet interfaces on status page.
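The 1.8.1 entries above move state-changing webGUI requests from GET to POST guarded by a csrf-magic token that a client first obtains with a parameter-less GET. The following is an added, self-contained Python model of that flow written for this changelog; it is not m0n0wall's csrf-magic or exec_raw.php code. The dispatcher name (handle_exec), the parameter names (cmd, csrf_token), the token format (timestamp:HMAC-SHA256 bound to the session) and the lifetime are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Per-installation secret, generated here for the demo (constructed; not m0n0wall's csrf-secret.php).
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # assumed token lifetime in seconds


def issue_token(session_id: str, now: Optional[int] = None) -> str:
    """Return a token 'ts:mac' where mac = HMAC-SHA256(secret, session_id:ts)."""
    ts = int(time.time()) if now is None else now
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def verify_token(token: str, session_id: str, now: Optional[int] = None) -> bool:
    """Accept only a well-formed, unexpired token minted for this session."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if ts > now or now - ts > TOKEN_TTL:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle_exec(method: str, session_id: str, params: Dict[str, str]) -> Tuple[int, str]:
    """Dispatcher for a hypothetical 'run command' page (assumed, not exec_raw.php).

    GET without parameters -> 200 and a fresh token (the 'issue a GET first' step)
    GET with parameters    -> 405: modifying GETs are no longer honoured
    POST with bad/no token -> 403: CSRF check failed
    POST with valid token  -> 200 and the command that would be run
    """
    if method == "GET":
        if params:
            return 405, "modifying requests must be POSTed"
        return 200, issue_token(session_id)
    if method == "POST":
        if not verify_token(params.get("csrf_token", ""), session_id):
            return 403, "invalid or missing CSRF token"
        if "cmd" not in params:
            return 400, "cmd parameter required"
        return 200, f"would run: {params['cmd']}"
    return 405, "method not allowed"


def demo() -> List[int]:
    """Walk through the flow and return the status codes in order."""
    sid = "session-A"
    s1, token = handle_exec("GET", sid, {})                                # obtain token
    s2, _ = handle_exec("GET", sid, {"cmd": "uptime"})                     # old-style GET: refused
    s3, _ = handle_exec("POST", sid, {"cmd": "uptime"})                    # no token: refused
    s4, _ = handle_exec("POST", "session-B", {"cmd": "uptime", "csrf_token": token})  # token of another session
    s5, _ = handle_exec("POST", sid, {"cmd": "uptime", "csrf_token": token})          # correct
    return [s1, s2, s3, s4, s5]


if __name__ == "__main__":
    print(demo())  # [200, 405, 403, 403, 200]
```

The token is bound to the session and checked with a constant-time comparison, which is why a token fetched under one session is useless for a request made under another; a forged cross-site request cannot obtain the token in the first place because the parameter-less GET answer is only readable by the legitimate page.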
- Add support in snmpd for hrSystemUptime
- Fix Checkin (include files :)
- Initial support for USB modems
- Patch fxp driver to disable checksumming for 82559 chipsets and em driver for Nokia firewalls (force load)
- hide IPv6 addresses on interface status page when IPv6 is disabled (to prevent confusion)
- use csup instead of cvsup
- use cvsup to make sure port tree is compatible with patches
- update ISC patch for dnsmasq 2.60
- add possibility to modify wpa_group_rekey value (via config only: wlans -> wlan -> wpa -> grouprekey = interval in seconds)
- fix scheduler: ignore empty array jobset
- fix scheduler: delete jobset if no defined job left
- move scheduler functions in services.inc to new include scheduler.inc
- scheduler jobs will now be updated if their targets have been modified
- fix version of config.xml
- minor tweaks of croen daemon
- rewrite croen daemon (scheduler) from scratch to handle more than one job at a time and do considerably fewer PHP calls
- delete obsolete job Enable/Disable WLAN
- disable undo feature for jobs
- add custom description for jobs
- add job Interface: Enable/Disable; if all WLAN child interfaces of a parent interface have been disabled, the parent interface will also be brought down to save power
- add job Traffic Shaper: Enable/Disable
- add job Traffic Shaper: Enable/Disable rule
- add job Traffic Shaper: Set pipe bandwidth of a pipe
- add job Traffic Shaper: Set queue weight of a queue
- add job Execute command
- fix incorrect handling of UDP packets with zero checksum when hardware checksumming is enabled (corrects problems with Cisco VPN and potentially others)
- fix captive portal pass-thru MAC handling (could result in expired sessions not being pruned if using captive portal without MAC filtering, i.e. behind a router, when pass-thru MAC entries are also present or have been removed without restarting the captive portal)
- fix PHP build process to correctly build RADIUS module
- disable "reading /var/db/dhcpd.leases" log messages
- keep ngwan0 from appearing in interface assignment
- fix IPv6 link-local address configuration error in MPD when IPV6CP comes up after IPCP (error message "IFACE: Adding IPv6 address to ngwan0 failed: File exists" in log)
- fix bogus IPv6 DNS server addresses when using PPPoE/PPTP on WAN
- change order of reset methods in vm_machdep.c to fix reboot on Nokia IP130 hardware
- enable additional hash algorithms (SHA-256/384/512) and DH groups in IPsec configuration
- switch back to setkey binary that comes with ipsec-tools, as the stock FreeBSD version still needs to be patched to cope with NAT-T (and the patching causes libipsec troubles during the build process)
- hack support for reading ISC leasefile back into Dnsmasq (to make "Register DHCP leases in DNS forwarder" feature work again); better option would be to switch to Dnsmasq for the DHCP server feature as well, but that is considered too intrusive at this stage
- enable CPU hardware crypto support by loading appropriate modules
- fix IPv6 RA enable/disable JavaScript
- fix aborted build when ntpd is running
- fix reconnect behaviour of the scheduler to consider that interfaces could be already down
  add job enable/disable WLAN to the scheduler
  add possibility to undo certain jobs of the scheduler that have already been executed
- add scheduler ("Croen") service, contributed by Lennart Grahl; current possible actions: reboot, reconnect WAN interface
- automatically reassign available physical network interfaces if none of the assigned interfaces in the configuration can be found on the system (i.e. for a new installation, or when moving an existing config to new hardware)
- use UFS1 instead of UFS2 for image (UFS2 does not give an advantage here and may give problems when upgrading directly from old versions)
- fix MPD error when PPTP VPN is enabled and IPv6 DNS servers are configured
- fix captive portal input/output bytes accounting when traffic shaper is on
- show current WAN IP on console
- change aiccu syslog facility to daemon instead of local7
- fix embedded platform display
- port dummynet+ipnat double processing fix from 6.4
- add ipfilter fix (from PR kern/106438) for pseudo header checksum handling on NICs that support hardware checksumming, but not on the pseudo header (e.g. Intel 82559)
- fix issue with PPPoE/PPTP assigned DNS servers on WAN (new mpd up-script argument formatting)
- update MPD to version 5 (mpd4 is no longer in FreeBSD ports)
- add missing voucher binary (for captive portal voucher support)
- update ISC-DHCP client/relay/server to 4.1 (3.1 is no longer in FreeBSD ports)
- ensure AICCU is really killed before attempting to restart it again
- start NTP client before dynamic DNS updater
- fix hard disk standby feature by replacing ataidle with atacontrol
- fix inadvertent assignment that caused new IPv4 rules not to be applied even though the apply button was clicked in the webGUI
- add backport of r222728 with new sysctl added to allow default route to be installed in route table even if IPv6 forwarding is enabled
- remove stray raflags output in webGUI
- re-enable traffic shaper for IPv6 packets. The webGUI still needs to be modified to allow IPv6 address input etc.
- fix interface status display (new netstat format)
  Reported by: Stefan Buckmann
- modify build scripts as not to clobber the host system (as far as possible - see TODO). Removing /usr/m0n0wall/build82 should now leave things clean enough for another build. This is done mostly by undoing patches to ports after they've been built, using a separate working and DB directory for ports (-> env variable) and making a copy of the kernel source tree before patching/compiling. Also, autoconf has a handy wrapper that can be used to choose the version without removing links.
- automatically tag image version with subversion revision if '%' character found in "version" file
- add copies of various source code packages (PHP etc.) to repository, as some of them are obsolete versions, and who knows when they're gone from their official web locations.
- unify syslogd.c patches
- ndp/arp page fixup
- hide "ipfw*" and "bridge*" virtual interfaces from assign interfaces list
- add kernel patch for dummynet on IPv6 packets
- add ndp support to arp diagnostic page (IPv6 ARP equivalent). Silence rc if deleting syslinux symlinks that may not exist. Add ndp_get_mac_by_ip() and get_mac_by_ip()
- fix rc for syslinux symlinks, fix setkey to /sbin, remove rc script from build directory, add some build script exit messages
- installing from cdrom will try from /dev/acd0 then /dev/cd0. Install works via remote ISO mapping on HP servers now.
- Add Manuel Kasper's ip6_input.c patch for ipsec6, add IPv6 support to IPsec tunnels, set sysctl for net.enc.in.ipsec_filter_mask in rc
- fix syslinux not doing ttys in chroot properly (fixes console), update todo
- update todo
- syslinux changes: microfs used for mfsroot, then chroot the FAT32 mount (experimental, symlinks won't work on FAT32 with FreeBSD, needs fixing etc.)
- fixup buildscripts and pfkey patch (whitespaces yet again)
- fixup crypto display in index.php and setkey patch for whitespaces, add syslinux image
- patch setkey for bin/147887 (gives 'invalid extension')
- fix empty 6RD patch, and fixup stage 4
- add 6RD patch to stf from http://people.allbsd.org/~hrs/FreeBSD/stf_6rd_20100923-1.diff; no code yet to utilise 6RD in m0n0wall
- change locking for filter_reconfigure(), and IPv4-only option
- move amd64 kernel to a conf instead of patch (easier to maintain)
- add aesni crypto device for Xeon processor AES offload as kernel module and move glxsb, padlock and aesni to modules. Fix crypto regex in index.php
- make rc.newwanip6 have file lock and only reconfig IPv6 rules
- update kernel for amd64, remove non-amd64 devices and build in acpi
- fixup go.sh to find svn (yet again!)
- amd64 builds; now use wol from ports (amd64 fails to compile in previous method); ipf path removed ref to i386; kernel build removed i386 from path; patch kernel to make amd64 if uname -m is amd64; append amd64 to image names
- change dhcp-pd to be /64 by default
- fixup go.sh to find svn (again) and stage 2 to use tmp for php and minihttpd and stage 5 mfsroot for iso filename change
- move system version number to file /version
- fix DHCPv6 server wouldn't start
- circumvent shaper and captive portal for IPv6 for the time being, since it doesn't work properly (dummynet IPv6 support is broken, and captive portal has no explicit support for it). This gives CP users the option to either simply not configure v6 on the CP interface, or to configure it and have IPv6 traffic pass regardless of whether the client is authenticated.
- fix copy&paste bugs surrounding ipv6ramtu and make it optional
- remove ipfw.ko dependency on libalias.ko
- take port options out of .tgz for easier maintenance
- remove stray "nat_iterator" printf from ipnat
- remove ip_input/dummynet/mbuf patches; dummynet + bridging appears to work fine now with 8.2
- add ucd-snmp sysDescr patch back in
- remove filtering bridge reminder on System: Advanced page - can't keep this forever
- fixup go.sh to find svn and stage 3 to not exit on strip harmless errors
- major overhaul of wireless LAN support: in FreeBSD 8, it is always necessary to create subinterfaces (wlanX) attached to the actual physical interfaces (e.g. athX). On some cards, it is now also possible to create multiple APs at the same time. To reflect this change, the wireless settings have moved to the Interfaces: assign page, where WLAN subinterfaces can be created much like for VLANs. Older configurations are converted automatically. To do: test with 802.11n, test with multiple radios in the same system; figure out a way to detect multi-BSSID capability on radio
- introduce generic-pc-serial image
- stop patching bootloader: it's kind of hopeless to try and reuse the BIOS preset serial baudrate; some BIOSes don't even set it, and on ALIX it doesn't work properly either. A fixed 9600 baud is probably the lesser evil.
- add regdomain.xml (required for proper WLAN support)
- drop uath from kernel - requires firmware download program, probably not worth the hassle since it can't do hostap anyway
- add kernel support for 3G modems with u3g
- fixup go.sh for csh instead of bashisms
- patch sixxs-aiccu port makefile not to use gnutls (it's too big)
- sync up M0N0WALL_GENERIC kernel config with current state of GENERIC config in FreeBSD 8.2 (most importantly: add uart driver for serial console support)
- move newbuild stuff to build/scripts and put the patches in the appropriate subdirs of build/patches
- make go.sh smarter: if it finds that it's been run from within a working copy, it will use the current working copy. Otherwise it will attempt to install subversion and check out the current repo automatically
- remove old kernel patches - atareinit is not needed anymore
- update ipfstat patch and modify build scripts so that the patch is used in stage 2 (and not in stage 3 anymore)
- introduce environment variable "$MW_BUILDPATH" to avoid hard-coding /usr/m0n0wall/build82 in all the scripts
- major changes to build scripts: scripts no longer attempt to check out anything from the repository or directly download (curl/wget) from it. Instead, the user is expected to do an svn checkout to a local directory first and invoke go.sh from inside the local working copy. This makes it possible to apply local changes to the working copy and create a build from it easily prior to checking in changes. The working copy is exported to /usr/m0n0wall/build82 (so any new files need to be "svn add"ed first, or they won't get exported - no commit necessary though). Accordingly, all files (config.xml, loader.rc etc.) are now taken from the (exported) working copy.
- update scripts etc. for FreeBSD 8.2
- add check for existing programs before installing packages
- add "set -e" to all scripts to exit on any errors to avoid them going unnoticed
- remove dev.tgz - it's not necessary since we have devfs
- remove debug.mpsafenet from loader.rc - dummynet + IPv6 should no longer need this in 8.2 according to the man page (needs testing though)
- remove bpalogin - has become obsolete long ago
- add kernel patch for ipfilter 4.1.34 and modify build scripts to install userland components (/sbin/ipf etc.) from ipfilter distribution rather than FreeBSD base
- add ip_fil4.1.34.tar.gz source to repo as it's pretty hard to find on the web (original and most mirror FTP sites down), and who knows when it will go away
- fix mklibs.pl not to output "ot found" lines, but warn instead if a library is missing
- remove setkey from ipsec-tools as the stock FreeBSD one should work fine now that NAT-T is in the standard distribution
- remove vm_machdep, ehci_pci, geode and if_vr kernel patches - no longer required
- remove vfs_mount patch - now handled by /etc/rc
- fix syslogd IPv6 patch line breaks
- add cpu geode/soekris to kernel
- add padlock and glxsb hardware crypto support to kernel
- add printf and sed and setkey (.libs) as required by IPsec
- remove domain name handling from dhclient-script; it's not used and looks suspicious in light of CVE-2011-0997
- fix GEOM patch (again)
- update rc.firmware and php.ini for larger firmware image
- fix setkey location for racoon
- fix WAN page JavaScript
- remove LAN IPv6 suggest from UI
- remove WAN IPv6 RA from UI
- add accept_rtadv flags to interfaces for DHCP or PPP on WAN for IPv6, and disable for OPT and LAN
- change IPv6 RA UI to dropdown (if previous config had both set, display as 'Managed')
- change password fields in WAN to type=password HTML tag
- add system date to status page, add info for VIA padlock, CPU info, CPU utilisation and change bar graph style
- move CPU graph to diagnostics
- add dhcp-pd to optional interfaces
- move enable IPv6 from advanced (no support) to setup page
- update GEOM patch to hide more errors about slice types etc.
- fix rtadvd.conf to use prefix length instead of rtplen
- add kernel patch to hide GEOM error about slice
- remove wgets as this is in svn.m0n0.ch now, so no need when we have a svn co in the script
- add autodetect LAN interface when using a default config (first if that is UP)

1.8.b00
-------
- branch of freebsd6 to freebsd8; freebsd6 is now frozen except for major fixes
- newbuild scripts within build directory; patches to FreeBSD 8.1 and creates working ISO based on same filesystem type as freebsd6 / 1.33

1.33
----
- Add MTU option for IPv6 RA; IPv6 RA uses configured subnet length instead of default /64
- Fix DHCPv6 server filter problem for OPT interface if dhcpdv4 is not enabled
- modify "disable port mapping" option so that it will actually avoid port mapping whenever possible, but fall back to port mapping if another mapping for the same port already exists (inspired by a patch submitted by Adam Swift)

1.33b2
------
- fix broken captive portal sessions when per-user bandwidth limitation is used and changes in the webGUI are made that require reloading the traffic shaper (reported by Robert Solomon)
- disallow webGUI passwords with colons (:) as mini_httpd has trouble handling them
- add additional image type "generic-pc-serial"; same as generic-pc but with forced serial console (at the speed that the BIOS set it to)
- reintroduced original FreeBSD if_re driver (to fix missing support for 8139C+) and added Realtek patched driver under a new name (if_rg) with probe return value set to BUS_PROBE_VENDOR to ensure that the Realtek patched driver is only used if the stock FreeBSD if_re/if_rl can't handle the device
- Fixup for sla-id being 0

1.33b1
------
- add LAN NAT and NAT target of WAN IP options
- updated kernel patch for ipfilter 4.1.33
- fix dnswatch to deal with changed resolv.conf
- Fix for DHCP-PD, missing function. Add sla-id and sla-len option for dhcp-pd (IPv6). Add AICCU to interface status page. Add error handling to interface status page for AICCU being down.
- fixed DHCPv6 server setup when target interface is configured in 6to4 mode (reported by Brian Lloyd)
- fixed various XSS vulnerabilities in webGUI
- add IPv6 support for syslog destination
- add IPv6 support for Diagnostics: Firewall States
- initial support for dhcp-pd IPv6 LAN assignment, requires /usr/local/sbin/dhcp6c and /etc/dhcp6c-exit-hooks
- fix typo in dns-rebind description
- change dns-rebind to off by default, updated text description of this feature
- fix extra slash in captive portal redirect
- replaced if_re driver by Realtek customized version to support RTL8111C (among others)
- add support for (manually updated) CRLs for IPsec VPN (contributed by Sebastian Lemke)
- prevent /ext directory from being listed through webGUI (reported by Bernd Strehhuber)
- fix typo in system_do_extensions() that broke extensions support (reported by Bernd Strehhuber)
- make dnsmasq use --stop-dns-rebind by default to increase security and protect against DNS rebind attacks that are scheduled to announce
- add check for DHCP reservation entries for the same MAC address
- add 'Bind to LAN' option for syslog, so you can syslog over a VPN tunnel
- change EDNS to 4096 from default of 1280 for dnsmasq, should help with DNSSEC
- add support for user-customizable captive portal logout and status page, as well as a password change option for local CP users (contributed by Stephane Billiart)
- don't let missing DNS server information keep DHCPD from starting

1.32
----
- allow both a v4 and a v6 entry for the same host in DNS forwarder overrides
- fix nameserver handling when IPv6 PPP WAN is enabled
- Fix auto suggested IPv6 address.
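The 1.33 entry above changes the "disable port mapping" option so that outbound NAT keeps the client's source port whenever that external port is still free, and only rewrites it when another mapping already occupies it. Below is an added Python model of that allocation rule, written for this changelog; it is not m0n0wall's or ipnat's code. The class and method names, the two-dictionary table layout and the fallback port range (the 1024-64535 default mentioned in the 1.3b14 entry further down) are assumptions, and the addresses are constructed RFC 5737 / private examples.

```python
import random
from typing import Dict, Optional, Tuple


class OutboundNat:
    """Outbound NAT table for one external address (assumed model, not ipnat).

    map() preserves the client's source port while that external port is free
    and only rewrites it on a collision with another host's mapping; the
    replacement is drawn from the configured (randomized) port range.
    """

    def __init__(self, external_ip: str, port_range: Tuple[int, int] = (1024, 64535),
                 seed: Optional[int] = None) -> None:
        self.external_ip = external_ip
        self.lo, self.hi = port_range
        self.rng = random.Random(seed)  # seeded only so the demo is repeatable
        # (proto, external_port) -> (src_ip, src_port)
        self.by_external: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # (proto, src_ip, src_port) -> external_port
        self.by_internal: Dict[Tuple[str, str, int], int] = {}

    def map(self, proto: str, src_ip: str, src_port: int) -> Tuple[int, bool]:
        """Return (external_port, was_rewritten) for an outbound flow."""
        ikey = (proto, src_ip, src_port)
        if ikey in self.by_internal:  # existing flow: reuse its mapping
            ext = self.by_internal[ikey]
            return ext, ext != src_port
        if (proto, src_port) not in self.by_external:  # port still free: keep it unchanged
            self._insert(ikey, src_port)
            return src_port, False
        # Collision with another host's mapping: fall back to port mapping.
        for _ in range(self.hi - self.lo + 1):
            cand = self.rng.randint(self.lo, self.hi)
            if (proto, cand) not in self.by_external:
                self._insert(ikey, cand)
                return cand, True
        raise RuntimeError("no free external port in range")

    def translate_inbound(self, proto: str, ext_port: int) -> Optional[Tuple[str, int]]:
        """Reverse lookup for reply traffic arriving on the external address."""
        return self.by_external.get((proto, ext_port))

    def remove(self, proto: str, src_ip: str, src_port: int) -> None:
        """Drop a mapping (e.g. on state expiry) so its external port can be reused."""
        ext = self.by_internal.pop((proto, src_ip, src_port), None)
        if ext is not None:
            self.by_external.pop((proto, ext), None)

    def _insert(self, ikey: Tuple[str, str, int], ext_port: int) -> None:
        proto, src_ip, src_port = ikey
        self.by_external[(proto, ext_port)] = (src_ip, src_port)
        self.by_internal[ikey] = ext_port


def demo():
    """Two LAN hosts both sending SIP from UDP port 5060 (constructed addresses)."""
    nat = OutboundNat("203.0.113.1", seed=7)
    first = nat.map("udp", "192.168.1.10", 5060)    # free -> preserved: (5060, False)
    second = nat.map("udp", "192.168.1.11", 5060)   # taken -> rewritten: (<random>, True)
    again = nat.map("udp", "192.168.1.10", 5060)    # same flow -> same answer
    other = nat.map("tcp", "192.168.1.11", 5060)    # different protocol -> no collision
    reply = nat.translate_inbound("udp", second[0]) # reply is steered back to host .11
    nat.remove("udp", "192.168.1.10", 5060)
    reused = nat.map("udp", "192.168.1.12", 5060)   # freed port is preserved again
    return first, second, again, other, reply, reused


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Preserving the port while it is free keeps protocols that embed their port in the payload (the SIP 5060 case in the 1.3b17 entry) working without a proxy, while the collision path draws from the randomized range so that a rewritten port is not predictable from the previous one.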
- add wildcard information text for DNS forwarder
- add Fahrenheit support for system temperatures
- add kernel patch for vr(4) lockups after link flaps (e.g. on ALIX boards)
- Add support for DNS forward wildcard, use * as hostname
- Add SixXS interface to traffic graph
---
- Update text for WAN RA, to suggest this is normally off
- Fix IPv6 link local filter rule, missing newline
- Fix dhcpv4 having IPv6 address inserted in dhcpd.conf
- Make motherboard monitor off by default, and switchable in advanced/misc.

1.31
----
- added patch to ISC-DHCPD to rewrite lease file every 5 minutes instead of every hour
- added fix for OpenSSL session renegotiation vulnerability
---
- tidy page description in group manager for interfaces_secondaries.php
- change auth.inc so when reaching an authorized page you get a message before redirect to /index.php; more intuitive, especially when sub pages are denied as the links to them are displayed.
---
- add mbmon system fans/temp monitoring, requires /usr/local/bin/mbmon; will work with a reasonable % of PC hardware, won't work on Soekris/ALIX etc.
---
- add option to disable spoof check on bridge; removal of filtered bridge causes non-m0n0wall DHCP servers to break, and some multicast traffic.
---
- fix to WAN DHCP, cleanup dhclient pid and specify dhclient-script location.
---
- fix to adding DHCPv6 reservation is also added to DHCPv4
- allow input of DUID in MAC address field to a DHCPv6 reservation
---
- fix to allow link-local addresses to communicate
---
- fix for dhcpdv6 firewall rule
---
- added log :-)
---
- add initial support for AYIYA in aiccu for SixXS tunnels
---
- add 'strict order' to DNS forwarder. Useful when using SixXS DNS. Use SixXS as primary and ISP as secondary; then when the tunnel is up, you get google via IPv6. See http://www.sixxs.net/tools/dnscache/ ; you must have ISP or similar DNS as the tunnel won't come up without working DNS.
- Allow IPv6 addresses for domain overrides in DNS forwarder options.
- Add note about using /48's for LAN IPs, typical when using SixXS.

1.3
---
- fixed DHCP server "deny unknown clients" option with known clients without a statically assigned IP address
- fixed a security issue in the DHCP client (CVE-2009-0692)

1.3b18
------
- fix broken IPsec support (missing library)

1.3b17
------
- Convert from BRIDGE to if_bridge. Remove multi-interface bridge check, and checkbox under System > Advanced for filtering bridge since member interfaces will always be filtered.
- fix a problem with ipnat refusing to create new RDR translation entries in the NAT table if a MAP entry exists for the same port, even though that check is probably only meant to check for existing RDR entries. This fixes issues with SIP communication when there is an inbound NAT mapping for port 5060. (see also http://marc.info/?l=ipfilter&m=121749272404107&w=2)
- fixed problems when using advanced outbound NAT rules with destination matching (non-FTP connections were processed by the ipnat FTP proxy, leading to slowness, lost connections, rogue ICMP host unreachable messages etc. because ipfilter requires an additional match statement on the destination port when using proxies)
- fix DHCP lease page to only show the last lease for a given IP address (see dhcpd.leases(5))
- fix for IPv6 pages in user/group manager
- show IPv4 gateway on Status: Interfaces page (was removed inadvertently)
- fixed bug with IPv6 subnets in firewall rules
- added device msk to kernel configuration
- updated base system to FreeBSD 6.4
- avoid PEAR dependency and fix DHCPv6 range check when interface is not configured with a v6 address
- put logging back in for anti-spoof block rule

1.3b16
------
- Open firewall rules for link-local IPv6 addresses on OPT and LAN interfaces
  Initial basic support for secondary IP addresses
  Suggested IPv6 addr fix and DHCPv6 fix
- Add DHCPv6 support. Requires dhcp6sd in /usr/local/sbin. Also modified is_ipaddr6 to return false if there is a prefix in the address
- fix RA flags on OPT interfaces
- added additional RA options for LAN and OPT interfaces, required for DHCPv6
- added all-servers option to dnsmasq and removed overlap check as having multiple nameservers per domain is a valid configuration
- added function is_ipaddr4or6; updated dnsmasq_edit and System setup page to use this function; change to status_interfaces to list all IPs on an interface; fix to status_interfaces to display nameservers from resolv.conf not nameservers.conf
- allow RA support on WAN interface, and add feature to automatically suggest an IPv6 address for the LAN interface, based on an RA received from WAN/ISP (contributed by Andrew White)
- added IPv6 support to mini_httpd (for the webGUI)
- allow IPv6 addresses for DNS servers on System: General setup page, and for hosts on the DNS forwarder setup page (contributed by Andrew White)
- allow the remote syslog port to be changed (requested by Martin Desormeaux for m0n0log project)
- added kernel security patch FreeBSD-SA-08:11.arc4random
- add support for Broadcom BCM5722 NIC (suggested by Sebastian Lemke)
- fix display of firewall rules and static routes pages in group manager (reported by Peter Allgeyer)

1.3b15
------
- make PPPoE MTU on WAN configurable
- add patch to enable custom next-server and filename options for static mappings in DHCP server (by Stephen Erisman)
- fixed IPv6-ICMP firewall rule type matching
- added support for AICCU (a tool for dynamically configuring IPv6 tunnels from SixXS, allowing users with dynamic WAN IP addresses to use tunnels). Note that only heartbeat tunnels are supported at this time (no AYIYA).
- updated kernel to 6.3-RELEASE-p5 (ICMPv6 denial of service fix; IPv6 NDP routing vulnerability fix)

1.3b14
------
- updated PHP to 4.4.9
- modify boot loader for embedded images to use the serial speed set by the BIOS (and no longer a fixed speed as soon as the kernel boots), as in 1.2x releases
- add VMware .vmx config file (for "official" VM release)
- import "install on Hard Drive" feature (console menu) from AskoziaPBX; this allows one to install an image on HD/CF by first booting with the cdrom version of m0n0wall
- *** consolidate net45xx, net48xx and wrap images into a single "embedded" image. Users should download the "embedded" image and rename it to reflect their current platform so that it can be used to upgrade previous versions
- fix a long standing bug with regenerating firewall rules (including automatically generated ones) that reference the WAN interface when the WAN IP address changes
- change ZoneEdit update server name to dynamic.zoneedit.com
- remove SIP proxy (not much feedback from users; used a considerable amount of space)
- show driver names for network interfaces (obtained from dmesg) when assigning interfaces to make it a bit easier for the user to choose
- import ipnat source port randomization patch from FreeBSD CVS (see http://docs.freebsd.org/cgi/getmsg.cgi?fetch=427148+0+current/cvs-src) (important when running DNS servers behind m0n0wall with NAT turned on); add new option to System: Advanced page to control the port range used for random source port allocation during outbound NAT (default is 1024 - 64535; portrange sysctls have been adjusted accordingly); reorganize System: Advanced page slightly at the same time
- update Dnsmasq to 2.45
- add kernel patch to fix ATA on some Cyrix/Geode based boards (see http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/dev/pci/pci.c#rev1.343) (suggested by Konrad Jopek)
- fix "RSA Cert Subject" choice for My Identifier on IPsec VPN Mobile Client setup page (reported by rdnzl)
- don't allow the interface's network or broadcast address to be used in the DHCP client range, and also make sure that the interface's own address does not fall within the range
- make behavior of Interfaces: LAN page more intelligent (only disable DHCP server if the IPv4 address has actually changed; do not require reboot if only IPv6 address changed)
- fix broken time zones (hard links in zoneinfo.tgz)

1.3b13
------
- add support for IPv6-in-IPv4 tunnels on WAN (for use with tunnel brokers)
- for wrap image, show whether we're running on a WRAP or ALIX board on the system status page
- updated Dnsmasq to 2.43
- fix issue where firewall rules on PPTP VPN (and access to m0n0wall's own services, like ping or DNS, from a PPTP VPN client) wouldn't work if incoming GRE packets were matched by a traffic shaper rule on WAN
- add support for IPv6 over PPPoE/PPTP (WAN)
- fix "Register DHCP leases in DNS forwarder" option

1.3b12
------
- add initial IPv6 support (based on code contributed by Michael Hanselmann in 2005)
- removed IPv6 tunneling option
- automatically generate self-signed SSL certificate when switching from HTTP to HTTPS (CN = current hostname); also add a button to generate a self-signed certificate on demand on the System: Advanced page
- make captive portal "disable concurrent logins" function compare usernames in a case-insensitive manner
- fix polling setting on optional interfaces
- add ipnat fix (from ipfilter mailing list) to prevent a (rare) case of kernel panic when ipnat sees a fragment of a TCP packet, and that fragment is not the first one
- remove PPPoE/PPTP dial-on-demand feature. Still doesn't work properly, nobody has enough interest in it to fix it, and most people probably don't need it anyway
- remove bpalogin - looks like it's dead
- updated Dnsmasq to 2.42
- don't run captive portal reauthentication (if enabled) for MAC pass-through clients (patch by Peter Allgeyer)

1.3b11
------
- fix IPsec "prefer old SA" option, specifically when it is disabled (in which case old SAs were preferred anyway in 1.3b10 because net.key.preferred_oldsa was set to -30, but that doesn't work with the current implementation and is a relic from FreeBSD 4.11/m0n0wall 1.23, where we used a more elaborate custom kernel patch for this that also allowed a number of seconds to be specified)
- add DPD (Dead Peer Detection) option to IPsec tunnels (default off as before)
- added asn1dn option to IPsec identifier types to be compatible with what Openswan expects when using certs instead of PSKs (contributed by Wes Morgan)
- fix SVG traffic/CPU graphs under IE7 (by Daniel S. Haischt)

1.3b10
------
- allow fragmented ESP and NAT-T encapsulated IPsec packets when using the integrated IPsec support (should solve MTU issues)
- added patch to make mini_httpd accept intermediate SSL CA certificates (contributed by Bernie O'Connor)
- use NTP vendor pool zone for m0n0wall instead of pool.ntp.org (this will also be automatically replaced in existing installations on the first boot)
- fix MSNTP to properly handle server hostnames that start with a digit
- updated base system to FreeBSD 6.3-RELEASE-p1
- copied dhclient-script from m0n0wall 1.233 (in an attempt at solving the sporadic DHCP renewal problems reported by some users)
- fix MPD WAN PPPoE/PPTP auto-reconnect issue
- webGUI HTML tidiness fixes by Daniel S. Haischt
- put IPSTEALTH in kernel config so that it can be enabled via sysctl if needed
- updated ipsec-tools to 0.7

1.3b9
-----
- added patch for trap 12 kernel panics on Nokia IP110/IP120/IP130 (thanks to Bruce Walter)
- increased MFS root size by 1 MB to avoid problems with large configs
- fixed bridging with interfaces that support hardware TX checksumming (by turning it off)

1.3b8
-----
- updated MPD to 4.4 (also fixed AT&T/Bellsouth secondary DNS reject problem)
- removed RADIUS IP option
- updated PHP to 4.4.8
- exposed DHCP next-server and filename options via webGUI

1.3b7
-----
- fixed kernel panic when using IPsec and the traffic shaper at the same time (see FreeBSD PR kern/119036)
- fixed SIP proxy when using PPPoE/PPTP mode on WAN interface

1.3b6
-----
- fixed filtering bridge when used in conjunction with traffic shaper
- enabled larger client subnet sizes (= more concurrent connections) for PPTP VPN server (up to 256)
- updated timezone data
- captive portal reliability fixes (locking, treatment of sessions that have not passed any traffic by the time they end, skipping sessions sometimes during periodic pruning runs) - thanks to Janåke Rönnblom
- added support for IPsec tunnels with (possibly dynamic) remote host names (instead of fixed IP addresses); the host name is polled at regular intervals (default 60 seconds), and if the IP address that it maps to changes, IPsec is reconfigured. Note that this will also cause other (non-dynamic) tunnels to be briefly interrupted.
- added firewall support for decapsulated IPsec packets (new pseudo-interface "IPsec" in firewall rule editor); this is on by default, but the default configuration contains a "pass all" rule on the new IPsec pseudo- interface (and this is also added automatically for existing configurations), which can then be deleted to actually filter IPsec VPN traffic - stop discriminating against nge(4) (National Semiconductor PCI Gigabit Ethernet) adapters - fix DHCP release button on interface status page - updated FreeBSD to 6.2-RELEASE-p9 - updated ipfilter to 4.1.28 1.3b5 ----- - automatically change sisX interface names to vrX when running on ALIX - add vr(4) driver VLAN fix (for ALIX etc.) - added reset button driver for ALIX - change logo/license/footer to include registered trademark sign - upgraded ipfilter to 4.1.23 (from FreeBSD CVS); note: kernel patch in build/patches/kernel/kernel-6.patch still reflects ipfilter changes to stock 4.1.13 - fix FIN handling in ipnat FTP proxy - siproxd added. Offers transparent SIP proxy/masquerading and simple registrar service. 
See http://siproxd.sourceforge.net/ 1.3b4 ----- - console speed for WRAP image is now 38400 as this has always been the default for new WRAP (and ALIX) boards anyway - modified WRAP image kernel to also work with ALIX.2 (added vr device and USB EHCI + CPU soft reset patches to wrap kernel; tested on prototype board) -> for ALIX, interfaces need to be re-assigned (vr* instead of sis*) - patched hostapd to support writing PID file; start hostapd with -B flag (fixes problem with wireless interfaces that have WPA enabled not being initialized properly on boot) - recompiled MPD with current MSS/dial-on-demand patches (also fixes idle timeout bug) - removed code that auto-selects subnet mask on LAN and OPT setup pages (it's confusing and doesn't necessarily get it right) - recompiled PHP, this time with radius extension 1.3b3 ----- - wireless LAN improvements - hide SSID option - WPA-PSK and WPA-Enterprise (in hostap mode) - allow dashes in alias names - added hidden option to disable auto-generation of PPTP rules on WAN ( in section) - fix ATA HD spin down feature (using ataidle - needs testing) - ipfilter TCP window scaling bug fix (see http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/ipfilter/netinet/ip_state.c#rev1.38) - sync in changes from 1.23 branch - increased mfsroot size to 14 MB (from 13 MB) - updated base system to FreeBSD 6.2-RELEASE-p6 - updated PHP to 4.4.7 - updated ipsec-tools to 0.6.7 - updated isc-dhcpd to 3.0.5 - updated Dnsmasq to 2.39 - add kernel patch for fragment bug in ipfilter (contributed by Frank Edwards) - voucher login error messages for invalid and expired vouchers configurable via GUI Captive Portal -> Voucher (mwiget) - added voucher support to captive portal (mwiget) - modified kernel patch to handle ipnat+dummynet in ip_input -> should fix problems with captive portal not reporting downloaded data per user properly when the traffic shaper is on, and also makes per-user bandwidth limits work again - add ural(4) to list of 
recognized wireless NICs - removed "-P" option from boot.config again (doesn't work properly with USB keyboards) - add kbdmux to kernel config of generic-pc(-cdrom) -> should fix problems with USB keyboards (hopefully) - use setkey from ipsec-tools now that we use NAT-T (mkasper) 1.3b2 ----- - enabled AES for IPsec phase 1 (mkasper) - bumped MFS size in rc.firmware to 10 MB (mkasper) - set "-P" option in boot.config for generic-pc and generic-pc-cdrom to automatically probe for a keyboard and use the serial port if no keyboard is found (mkasper) - compiled SNMP agent with support for memory usage information MIB (mkasper) - enabled NAT-T support for IPsec tunnels -> new option on IPsec webGUI pages (mkasper) - back-ported MSS clamping fix from MPD 4.0b5 to MPD 3.18 (fixes MTU problems with PPPoE client) (mkasper) - enabled hostap for wireless cards supported by the ral(4) driver (mkasper) - forced PIO mode for ATA driver to work around problems with quirky hardware (IDE controllers, CF cards) (mkasper) - changes in Captive Portal (jdegraeve): - Always sent the session-time instead of only sending it within a stop. This will cause most prepaid systems to work again. 1.3b1 ----- - changed base system to FreeBSD 6.2-RC1 (final 1.3 version will be based on FreeBSD 6.2-RELEASE) - WARNING: the generic-pc image no longer fits on 8 MB CF cards! (>= 10 MB required) - for generic-pc-cdrom, the configuration may now also be stored on an USB memory stick (instead of a floppy disk). m0n0wall will automatically probe for an USB stick with an FAT file system first, and if this fails, fall back to the floppy drive - added support for new wireless features in FreeBSD 6 - Atheros cards are finally supported! - channel selection on interface setup page now reflects actual capabilities of card - wireless status page shows scanned APs in client mode and associated stations in hostap mode - WPA support is expected in the next release - removed MTU option from Interfaces: WAN page. 
This used to control TCP MSS adjustment, but since the non-NAT-dependent MSS fixup patch kludged into ipnat has not been ported to ipfilter 4 (and is an ugly hack at best anyway), MSS fixup is now automatically applied for PPPoE connections (where it is actually needed) using MPD's integrated feature and shouldn't be necessary in other cases - a rather intrusive kernel patch was required to make concurrent traffic shaping + NAT on the WAN interface possible; if you rely on this feature, please test it well and report any problems 1.23b2 ------ - changes in Captive portal (jdegraeve): - add PfSense ideas (slighty different implemented): * Import CP SSL idea from PfSense: Redirect both HTTP and HTTPS to the Captive Portal keeping in mind a SSL error (cert mismatch) * Add preliminary support for WPA and PPPoE pass-through 1.23b1 ------ - updated base system to FreeBSD 4.11-RELEASE-p18 (mkasper) - recompiled ipsec-tools without FreeBSD patch to use "security" syslog facility instead of "daemon" -> should get rid of excess debug messages from racoon (mkasper) - do not generate anti-spoof rules for optional interfaces that have other interfaces bridged to them (as opposed to being bridged to another interface, which was already handled properly) when the filtering bridge is on (mkasper) - added support for 3rd party extensions in the group management and dynamic menu system. (ptaylor) - Thanks to Leo Fante for code modifications - changes in Captive portal (jdegraeve): - Fixes a bug in the way we handle authentication mechanism. (Potentially allowing double logins and faulty locking) - Add support for different MAC formatting styles. - Add support for per user bandwidth limitation. 
1.22
----
- updated base system to FreeBSD 4.11-RELEASE-p16 (mkasper)
- updated Dnsmasq to 2.27
- added Role-based Access to WebGUI (ptaylor)
  - added Group and User Manager pages
  - updated menu system to be dynamic depending upon permissions of active user
- added "support for 3rd DNS server" (jdegraeve)
- updated radius_accounting.inc to PECL (jdegraeve)
  - Now sends NAS-IP-Address (based on actual WAN-address) and NAS-Identifier cleanly
  - Each gigawords value now counts as 4GB instead of 2GB (See RFC 2866 section 5)
- changes in Captive portal (jdegraeve):
  - Cleanup and code added to allow FUTURE stuff like volume limits etc. to be implemented
  - Added User Volume Stats in captive portal status page
  - RADIUS mac authentication now works on local subnet even if "Disable MAC filtering" is activated
  - Firewall ruleno now uses a more intelligent pool; this fixes a bug where a ruleno could be used even if it has already been assigned
  - Fixed bug in RADIUS Session-Timeout handling so it'll also work even if reauthentication is disabled
- added "disable port mapping" option to advanced outbound NAT (helps with certain IPsec VPN gateways that insist on the IKE source port being 500) (mkasper)
- updated PHP to 4.4.2 (mkasper)
- updated ipsec-tools to 0.6.5 (fixes problem with /32 subnets) (mkasper)
- added option to System: Advanced page to allow IPsec/ESP-encrypted IP fragments to be passed (mkasper)
- added DHCP/interface route fix for UK ADSL half-bridge modems (DSL-300T, X-modem) (mkasper)
- fixed check for overlapping external port ranges when editing inbound NAT entries (mkasper)
- log captive portal logins even when authentication is disabled (mkasper)

1.21
----
X updated base system to FreeBSD 4.11-RELEASE-p13
X updated PHP to 4.4.1
X updated Dnsmasq to 2.23
X updated racoon to the ipsec-tools 0.6.4 version
X mini_httpd has been improved to increase stability of the captive portal and webGUI:
  - when the maximum number of connections has been reached, it no longer attempts to send a 503 message to the client, as that itself may cause the parent process to block (and, due to a bug in SIGALRM handling, even exit) if the client fails to acknowledge the data. Instead, the connection is simply closed.
  - new feature: the number of connections per client IP address can now be limited to prevent one misbehaving user from tying up the server. The default limit is now 4 connections per client, and 16 in total (can be adjusted on captive portal setup page)
X new option for SNMP agent: bind to LAN interface only (avoids problem with VPN tunnel to LAN subnet terminated on WAN; see http://doc.m0n0.ch/handbook/faq-snmpovervpn.html)
X added device nodes for /dev/ad4-7
X fixed CPU and traffic graph SVG for Firefox 1.5
X captive portal RADIUS accounting stop packets are now sent before rebooting after a firmware upgrade
X when restoring config.xml via the webGUI, XML validation is done on the file before it is installed
X imported Jonathan de Graeve's captive portal RADIUS improvements
  - improved RADIUS authentication using PHP's built-in PECL RADIUS support
  - secondary RADIUS server support
  - RADIUS MAC authentication
  - RADIUS URL redirection attribute support
  - RADIUS Session-Timeout support
  - disable concurrent user login option
(b3:)
X fixed stopping/restarting racoon
X the captive portal has been modified to always issue a redirect to m0n0wall's own IP address first (even in HTTP mode). This means that all login forms MUST contain the "redirurl" hidden field now, otherwise they won't work anymore!!!
X fixed typo in services_captiveportal.php
X increased CF partition size to 7 MB
(b4:)
X mini_httpd: support for "-cpelement" option: path to directory that contains files, and own host name/port
X RADIUS Idle-Timeout support
X RADIUS Acct-Terminate-Cause support
X captive portal file manager -> If you already have element files from unofficial builds, it isn't enough to simply delete all the files that were uploaded to the system. Before upgrading, you manually have to delete the whole "..." part in your config and restore that changed config.
X notes field on index page
- captive portal:
  - WISPr RADIUS attributes are now supported as well as Nomadix attributes (Redirection-URL, Session-Terminate-Time)
  - on idle timeout, the time of last activity is used in calculating the Session-Time

1.2
---
X fixed HD standby to use minutes, not seconds
X fixed DNS forwarder domain override feature
X Diagnostics: ARP page now allows entries to be deleted
X made Ping/Traceroute pages tabbed
X captive portal RADIUS accounting now sends Gigawords
X fixed PPPoE dial-on-demand not to use 10.0.0.1/10.0.0.2 internally
X removed OpenVPN --> if you've been using OpenVPN in earlier 1.2b versions, make very sure after upgrading that all your rules still point to the right interfaces (the OpenVPN pseudo-interfaces will be removed). Better yet, restore the configuration backup you made before you enabled OpenVPN (as per the suggestion in the webGUI) prior to upgrading.
X RFC 1918 block rule is now listed on the Firewall: Rules page for WAN as an uneditable rule (gray background) 1.2b10 ------ X updated base system to FreeBSD 4.11-RELEASE-p11 X upgraded PHP to 4.4.0 X updated dhcpd to 3.0.3 X updated racoon to 20050510a X removed psm0 from generic-pc/cdrom kernel config as there have been reports of exotic machines that lock up with it and it serves no use anyway X fixed bug on DNS forwarder page where sometimes the wrong entry would be edited/deleted X fixed name resolution on firewall logs page X fixed PPTP interface display on firewall logs page X redirect after clearing logs to avoid reposting on next refresh in browser X allow current tab to be clicked to refresh log page for all logs (not just firewall log) X allow source interface to be selected on Diagnostics: Ping page X DNS forwarder: entire domains may be overridden by specifying a DNS server to be queried for them X cleaned up captive portal local user manager to be consistent with other user databases in config.xml (i.e. don't store usernames in XML tag names anymore) --> existing users won't be converted and will have to be manually entered again! (since this is a beta version and there has never been a release with the captive portal local user manager before) X added ARP table diagnostics page X added Traceroute diagnostics page X added firewall states diagnostics page X fixed filter rule generator to generate rules for DHCP on optional interfaces if the DHCP server is enabled on the interface that the optional interface in question is bridged to (e.g. OPT1 bridged to LAN and DHCP server running on LAN -> clients on OPT1 can now use the DHCP server on LAN as well). Note: the interface that the DHCP server is running on must have a link for this to work (cf. 
FreeBSD PR kern/41632 - there's a fix, but it's too intrusive) X fixed problem with racoon not updating the expiration timer of dynamically generated policies (for mobile clients) upon rekeying - allow server/port to be specified for DynDNS client - many OpenVPN fixes/improvements 1.2b9 ----- - IPsec certificate support (by Enrique Maldonado) -> not tested, feedback wanted! - improved firewall log page: it is now possible to filter by action, protocol, interface, source and destination port (by Peter Allgeyer) - reauthentication option for captive portal (checks connected clients against RADIUS server every minute) - 32 bpf devices for DHCP server (instead of just 16) - fixed captive portal crash in HTTPS mode - includes /bin/mv - experimental DELAY patch for wireless cards that use the wi driver (timeout in wi_seek etc.) - see http://www.monkey.org/freebsd/archive/freebsd-mobile/200401/msg00114.html - fixed: hard disk standby isn't enabled on boot - update xl driver to support 3C920B-EMB-WNM (contributed by Michael Jones) - added TITLE attribute for add/edit/delete buttons - captive portal status page now shows usernames - device polling can now be controlled on the System: Advanced page - swapped Acct-Input-Octets/Packets and Acct-Output-Octets/Packets in captive portal RADIUS accounting messages to reflect the correct meaning as per RFC 2866 1.2b8 ----- **** ath won't work anymore! 
**** **** focus is stability, not lots of new features **** - switched base system back to FreeBSD 4.11 - merged ifstats.cgi and cpustats.cgi into stats.cgi - updated PHP to 4.3.11 - only log the first passed packet, and not every packet in the same session - back out captive portal per-user bandwidth patches for the time being as they're buggy and not currently maintained - fix captive portal logout - return ICMP port unreachable instead of protocol unreachable (ipfilter default) for rejected UDP packets - auto-add proxy ARP option for new 1:1 NAT mappings - auto-establish IPsec tunnel option removed for the time being (no good way of making it work actually) - the IPsec SA preferral policy can be changed on the System: Advanced page (default: prefer new SAs after 30 seconds) - captive portal: logout popup window is no longer enabled implicitly when using authentication - kernel is now built with polling support; default is disabled, but it can be enabled using "sysctl kern.polling.enable=1" (see also "man polling") - updated ipfilter window scaling and ICMP NAT checksum adjustment fixes (by Fred Wright) - updated DP83815 short cable bug workaround in sis driver (by Fred Wright) 1.2b7 ----- - beta images are now digitally signed too - show lease start/end time on DHCP leases page in local time instead of GMT - added logging for the captive portal - changed the generic-pc HD standby timer feature to use ataidle - captive portal support for local user database - apply new version of Keycom's captive portal RADIUS per-user bandwidth patches - updated wireless status page for FreeBSD 5.3 and ath - add some common 11a wireless channels as a temporary solution until we can query the actual list of available channels using ifconfig - ipfilter window scaling patch - allow "WAN IP address" as source/destination in firewall rules; reload firewall rules when the WAN IP address changes - the previous change also solves the PPTP VPN server + traffic shaper problem (no more NAT 
redirection to localhost) - set link0 flag for fxp interfaces (interrupt moderation) 1.2b6 ----- - fixed inbound NAT + traffic shaper bug (kernel patch; see FreeBSD PR kern/76539) - fixed: filtering bridge doesn't filter while traffic shaper is enabled by disabling traffic shaping for bridged links for the time being (see kern/78090) - packet loss rate/queue size options for traffic shaper pipes - per-user bandwidth restrictions for captive portal users (according to special attributes returned by the RADIUS server) - removed CPU meter from main webGUI page (causes 1 second delay and fluctuates too much); replaced by SVG CPU graph - MAC addresses with dashes instead of colons now work too - static mappings can now be added by clicking a button on the DHCP leases page - several small HTML fixes (mainly for Firefox) 1.2b5 ----- - fixed: DHCP relay won't start automatically on reboot - fixed display of SSIDs with spaces in them on Status: Interfaces - turned on ipfw bridge filtering when the filtering bridge is on (traffic shaper) - improved firewall rule selection (feedback with background color; the entire rule can be clicked to toggle the selection of a rule too); visual feedback on where rules are moved when the mouse is over a rule move button - hidden config.xml option to override DNS servers that are assigned to PPTP VPN clients - IPsec: /0 remote network mask now allowed - the filter is no longer bypassed for traffic that enters and leaves through the same interface (due to static routes) by default. 
This is now a configurable option on the advanced setup page - it is now possible to have separate TCP and UDP NAT mappings for the same port - fix filter timeouts (half-seconds instead of seconds) - support Atheros based wireless cards - modified nsupdate syntax for BIND 9 - updated dnsmasq to 2.20 - upgraded base system to FreeBSD 5.3 (recompiled kernel and all binaries) - don't mount proc filesystem anymore (not needed in 5.3) - anti-spoof rules are omitted on optional interfaces and on LAN if any other interface is bridged to it while the filtering bridge is on (to make other subnets work) - fixed input validation for "0" values - rearranged checkbox/buttons on firewall rule page - reduce redundancy in webGUI pages by putting more HTML in header/footer - upgraded to PHP 4.3.10 - fixed ping function (no more stripping of dashes) - fixed warning in vpn.inc with mobile client IPsec but no static tunnels configured (thanks to Brian Zushi for reporting this) - execute DHCP/PPP up-scripts in background for faster link startup 1.2b3 ----- * filter rule page now has one tab per interface * much better rule move procedure: multiple rules can be selected and moved to any position in the rule list at once (relative order is preserved) * multiple rules can now be deleted at once too * other minor GUI cleanups * RFC 2316 DNS updater (Services: Dynamic DNS) * unparsed (as generated by scripts) ipnat/ipf/ipfw rulesets are shown on status.php * proxy ARP is now supported on LAN and optional interfaces too * auto-assigned DNS servers (PPP/DHCP) are shown on Status: Interfaces * PPPoE/PPTP sessions on WAN can be manually disconnected and reconnected, and DHCP leases may be released/renewed (Status: Interfaces) * captive portal: POST to real m0n0wall IP in HTTP mode too (not "") -> $PORTAL_REDIRURL$ is now required even in HTTP mode * added note to filter rule edit page about src port != dst port in most cases * skip m0n0wall's own IP address in static routing bypass * support 
for point-to-point links on WAN (with "ispointtopoint" set in config.xml) * support for an rc.early file in extensions * ez-ipupdate security fix * renamed "System logs" to "Logs" (misnomer) * omit req-dns for PPPoE/PPTP if DNS override option is not checked because of problem reports with a few ISPs (-> document) * PPTP dial-on-demand fix * filter UDP ack timeout is now 240 instead of 24 seconds to make SIP work properly 1.2b2 ----- - changed racoon proposal_check back to obey after many problem reports; only remaining difference to 1.1 now: new SAs are preferred after 30 seconds -> PLEASE TEST AND REPORT - changed mfsroot size to 11 MB to accomodate DHCP relay and OpenVPN binaries - ICMP type matching for filter rules - EXPERIMENTAL OpenVPN support (contributed by Peter Curran) -> THIS WILL MESS UP THE OPTIONAL INTERFACES IN YOUR CONFIG.XML - BACKUP FIRST! - Dial-On-Demand for PPPoE and PPTP on WAN (contributed by Peter Allgeyer) - added DHCP relay service (contributed by Justin Ellison) - updated ISC DHCP server to 3.0.1.r14 - updated PHP to 4.3.9 - updated racoon to racoon-20040818a - PPTP VPN login/logout logging - TCP idle timeout for the filter is now 2.5 hours instead of the ipfilter default of 10 days (!) to keep the state table from filling up with dead connections; this value can be modified on the advanced setup page - fixed maxproc bug in mini_httpd that would manifest itself sometimes with the captive portal in HTTPS mode - captive portal: a unique/random session ID is now generated for RADIUS accounting, and MAC filtering can be disabled for special topologies (e.g. 
routed clients); RADIUS accounting port can be specified - HTML page titles now show the host name - config backup: file name now contains FQDN and date/time - config.xml options for interface media/mediaopt - increased filter state table size to 30000 entries - RADIUS accounting for PPTP VPN - NAT table reset on WAN IP change - magic shaper src/dst port fix - new hidden option "dnsserver" for DHCP service 1.2b1 ----- - captive portal HTTPS login support - captive portal custom redirection support - CPU/memory usage display on main webGUI page - IPsec kernel fix to prefer newer SAs over older ones after 30 seconds (dead SA problem), racoon proposal_check changed from obey -> claim, auto-establishment option (ping) - console speed is no longer fixed to 9600 bps for net45xx/net48xx/WRAP; instead, the value that was set by the BIOS is used, so it should work at whatever speed the BIOS is set to - IDE hard disk standby option for generic-pc (System: Advanced page) - last configuration change timestamp is recorded and displayed in webGUI - full interface names displayed for optional interfaces on Interfaces: Assign page - new advanced setup option: "Keep diagnostics in navigation expanded" - added more Ethernet drivers (esp. 
Gigabit Ethernet) for generic-pc/cdrom - netgraph protocol field compression fix - set kernel HZ to 1000 for smoother traffic shaping - webGUI anti-lockout rule on LAN can be disabled (System: Advanced page) - static routes can now be defined on the WAN interface - "earlyshellcmd" tag in config.xml is now supported (such commands are executed before most of the system configuration is done) - VLAN parent interfaces are now always configured "up" - default hash algorithm for IPsec is now SHA1 - ping option in console menu - hidden DHCP options (config.xml only): gateway, domain, next-server, filename - fixed turning off PPTP VPN (NAT rules) - the webGUI now checks user input for control characters that are not allowed in XML 1.1 --- - (fixed JS error on captive portal page interface -> cinterface) - turned off DMA for all platforms (problem with some CF cards; no real performance improvement) - improved hifn detection (when old messages in dmesg buffer) - disabled windowing for PPTP client on WAN - RADIUS accounting port fix 1.1b17 ------ - captive portal: RADIUS accounting support (with logout window) (Dinesh Nair) - fixed mini_httpd bug that could cause the webGUI server to exit when a connection is closed while it's still in the listen queue (such as when nmap'ing m0n0wall) - updated racoon to 20040617a; patch for racoon-generated SP timeouts - fix for optional interfaces bridged with WAN set to DHCP/PPP - sis driver: fixed IRQ handling on stopped interfaces (see http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/pci/if_sis.c#rev1.93) - fixed ipfilter/ipnat ICMP checksum adjustment bug (Fred Wright) - increased max. 
concurrent connections for the webGUI from 8 to 16 - disabled ATA DMA for net48xx to fix problems with certain CF cards - merged ng_pptpgre.c/.h windowing control support from -STABLE; recompiled MPD 3.18 -> delayed ACK is now enabled for PPTP VPN, while windowing is still disabled (due to packet loss issues) - fixed uptime display on index page - magic shaper P2P improvements - errors/collisions display on interface status page - replaced "alt" attributes in img tags with "title" for proper tooltip behavior - shaper: pipe/queue descriptions shown - removed IPsec auto-establishment feature for the time being (racoon "keepalive" option is a no-op and ping patch is ugly) 1.1b16 ------ - got rid of kludgy table-based tab navigation bars - replaced with CSS; tested with all major browsers (IE, Mozilla, Firefox, Opera) -> if tabs appear messed up, try clearing the browser cache (an old CSS file may be cached) and restarting the browser - 802.1Q VLAN support (can be configured via the webGUI assign interfaces page; add VLANs first, then use them like a physical interface; limited VLAN configuration support on the console is also available) - magic shaper (by Justin Ellison) - DHCP server: option to deny leases to unknown clients (Justin Ellison); IP address no longer has to be specified for known clients (if not specified, it will be dynamically allocated from the pool) - IPsec: user FQDNs now allowed (Justin Ellison) - IPsec: auto-establishment/keep-alive option (Justin Ellison) - simplified filter log display (default; raw filter logs may be turned back on using the log settings page) - fix for optional interfaces bridged with disabled optional interfaces - shorten MPD link labels for PPTP VPN to avoid netgraph problems - route/pass traffic between statically routed subnets on an interface and the m0n0wall subnet on the same interface unconditionally to handle more complicated routing topologies - updated PHP to 4.3.8 1.1b15 ------ - inbound NAT: local port range is 
now verified (cannot exceed 65535) - NAT: fixed problem with invalid ipnat rules being generated if one or more interfaces were bridged - mini_httpd: fix for concurrency limit 1.1b14 ------ - fixed DNS servers assigned by PPTP/PPPoE on WAN (change in MPD 3.18) - ipfilter fix for window scale bug (research and patch by Fred Wright) - generic-pc kernel now includes SCSI and USB mass storage drivers - added TOS matching for shaper rules (by Justin Ellison) - no IPsec processing for packets between LAN subnet and m0n0wall's LAN IP address to prevent webGUI lockout - uncompressed image size is now 6 MB for all platforms (generic-pc kernel has grown due to SCSI support) 1.1b13 ------ - fixed JavaScript on traffic shaper rule edit page (allow ports with protocol = any) - HTTP server now has a limit on the maximum number of concurrent connections (patch by Dinesh Nair) - HTTP server no longer sends a "Server:" response-header field - patches for extension support (by Jason Crowley) - IGMP can now be selected as a protocol for filter/shaper rules - all disks known to the kernel are now probed for the config file, which should make USB and SCSI disks work (patch by Dinesh Nair) - hostname is now shown in the header of all webGUI pages - NAS-Port-Type attribute is now sent with RADIUS requests for the captive portal 1.1b11 ------ - problem with DHCP on WAN and automatically assigned DNS servers fixed - disabled filter/shaper rules are now shown with gray text - load average display on main page corrected 1.1b10 ------ - webGUI error page no longer shows the name "m0n0wall" - added Wake on LAN client - shaper rules can now be temporarily enabled/disabled as well - filter and shaper rules enable/disable status may be toggled by clicking the action/direction icon - upgraded base system to FreeBSD 4.10 - updated MPD to 3.18 1.1b9 ----- - added option to disable firmware version check on System: Advanced page - captive portal RADIUS authentication 1.1b7/8 ------- - changed wording 
of external address option for inbound NAT - if the DNS forwarder is enabled, the DHCP server now issues the IP address of the corresponding interface to clients (instead of the LAN IP address) - captive portal support 1.1b6 ----- - updated MPD to 3.17 - MSS clamping now works even when packets are not NATed - MSS fixup is used for PPTP VPN - this should correct problems when accessing the Internet via a PPTP VPN tunnel - made PPTP VPN page tabbed - NAT on optional interfaces (Kurt Inge Smådal) - generate NAT rules for the PPTP VPN subnet and static routes when advanced outbound NAT is disabled - IP address can be specified on a per-user basis for PPTP VPN (Steven Honson) - DNS servers assigned via PPPoE/PPTP are now used if the "allow override" option is set - local subnet mask of /0 now allowed in IPsec tunnels - new SVG-based traffic grapher - bpalogin support - updated racoon to version 20040408a - updated system to FreeBSD 4.9-RELEASE-p4 - updated PHP to 4.3.6 - updated ipfilter to 3.4.33 - disabled hardware TX checksumming for 3com cards due to buggy chips - new kernel patch that should solve PPTP VPN timeout/packet loss problems once and for all 1.0 --- * fixed port validation on filter, shaper and NAT pages, and fixed ranges which included 1 or 65535 * fixed configuration backup download problem with IE and SSL * traffic shaping now works on bridged interfaces * added note to NAT pages about proxy ARP * changed DNS override description on system setup page (DNS servers assigned via PPP on WAN don't work) * imported modified version of choparp that supports IP address ranges; modified webGUI to allow proxy ARP with ranges * uploaded images are now verified using public-key cryptography - if the digital signature is not correct, a warning is displayed (the user is allowed to continue anyway though). The format of the signed images can be found , and the public key used to verify the images is . 
  The first release has not been signed to avoid problems when upgrading older versions (it wouldn't make sense anyway because pb versions do not verify it).

pb27
----
- disabled MSCHAPv1 (insecure) and CHAP-MD5 (no use with MPPE encryption anyway)
- IP aliases are no longer added automatically to the WAN interface for 1:1 NAT and server NAT mappings (use proxy ARP if required)
- renamed "internal" and "external subnet" to source and destination, respectively, on the advanced outbound NAT page (to reduce confusion)
- added field to advanced outbound NAT page to allow entering the target (external) address for the mapping
- added interface auto detection to "assign network ports" console menu item
- fixed bug: failed to resync ipfilter on PPTP VPN linkup
(- removed users figure from uptime)
- added headers to webGUI pages to ensure pages are not cached
- config file read/write locking to avoid race conditions
- added "Clear log" button to log pages
- added more BPF devices to fix problem with dhcpd on machines with more than 4 interfaces
- made webGUI username configurable
- it is now possible to map entire subnets in 1:1 NAT (they may not overlap with other server NAT entries, advanced outbound NAT entries or the WAN IP address)
- added proxy ARP service

pb26
----
- rxxx: fixed IPsec startup race condition with dynamic WAN IP address
- r610: added option to disable individual IPsec tunnels
- r610: moved firmware and advanced setup page to System section (instead of Diagnostics)
- r610: filter and traffic shaper rules can now be duplicated
- the parsed XML configuration file is now cached in PHP's native binary serialized form to reduce webGUI page load times on slow platforms (486-based in particular) where parsing the XML configuration is relatively expensive
- added file up- and download via HTTP to exec.php
- renamed "Log blocked packets by default" option on System logs: Settings page to "Log packets blocked by the default rule" and changed its behavior: it only controls whether packets that got blocked by an automatically generated rule (usually the default-to-block rule in absence of a matching pass rule) are logged. Logging of packets that are blocked by user-defined block rules is no longer affected and is only controlled by the per-rule log option. Logging for pass rules remains unchanged.
- changed policy level for IPsec VPN tunnels to "unique" (was "require") to solve a problem with multiple tunnels to the same endpoint
- fixed FQDN "my identifier" for mobile clients
- kernel patch for problem with traffic shaper rules for inbound packets on WAN (FreeBSD kernel bug, see FreeBSD PR kern/61685)
- IPsec GUI fixed (forgot FQDN, domain name validation, apply changes)
- added "Disable console menu" option to advanced setup page
- firmware upload now uses HTTP instead of FTP; the FTP server has been removed (uploading files for diagnostic purposes may be done via exec.php)
- the firmware upload page now checks for new versions of m0n0wall online (and displays the results, if available, on the firmware upload page). Timeout is 3 seconds, and the following information is sent to the server: platform and current m0n0wall version.
- added interface menu to IPsec tunnel edit page (local endpoint no longer has to be the WAN interface)
- "reject" type filter rules are now supported (returns TCP RST, or ICMP port unreachable for UDP) - contributed by Peter Allgeyer
- new feature: "server NAT"; makes it possible to map ports on multiple WAN IP addresses to different servers (instead of just 1:1)

pb25
----
- mobile IPsec VPN clients (i.e. dynamic IP address) are now supported. They need to share a common policy (P1/P2 proposal), but may use different pre-shared keys (with domain names or e-mail addresses as the identifier in aggressive mode).
- upgraded racoon to 20030826a
- added tag to section which can be used to run arbitrary shell commands after the initial boot setup completes
- modified exec.php to always show the last command in the input field
- added exec_raw.php to execute a command and return the output in text/plain format without any HTML formatting (use like http://m0n0wall-ip/exec-raw.php?cmd=... - command needs to be URL-encoded of course)
- added note about not being able to access NATed services using the WAN IP address from within LAN or optional networks to the inbound NAT page
- filter rule generator has been modified: outgoing packets that do not yet have a state table entry are now always allowed to pass and create a state; this implies that the firewall itself can now access any host on all networks that are attached to it. This change was necessary to allow IPsec traffic from mobile users out and to remove a very ugly rule that had been put in place to allow decrypted IPsec traffic in on WAN without being able to verify that it had indeed come from an IPsec tunnel (there's no way of verifying that in an ipfilter rule).
- traffic shaper rules can now be applied to the WAN interface (see below)
- removed IPSEC_FILTERGIF from kernel config to correspond with the changes in the filter rule generator - if you have a custom kernel and use IPsec, rebuild it without that option!!
- reversed processing order of ipfilter and ipfw in ip_output.c to make things symmetric with ip_input.c (ipfw needs to see outgoing packets before ipnat)

pb24
----
- new traffic shaper pipes/queues blabla... In good old m0n0wall tradition, your old configuration is automatically converted to the new model (separate rules/pipes) and should retain the same behavior, with one exception: ...
  IMPORTANT: rule processing behavior for the traffic shaper has changed: only the action (pipe/queue) of the first rule to match a packet will be executed, instead of all rules that match a packet. As such, rule order is now important (and may be modified).
- upgraded to IPFW2
- changed behavior of the "add rule" button (+): when clicked next to a rule, adds the new rule before the current rule. When clicked at the very bottom of the page, appends the rule to the end of the relevant interface's rule list.
- added new field to General setup to allow webGUI port to be specified
- syslogd is no longer bound to the LAN interface's IP address. This fixes problems with logging to servers on optional interfaces.
- symbols are now allowed in webGUI passwords

pb23
----
- removed watchdog support for net45xx
- fixed "Log blocked packets by default" option
- NFS booting should be fixed (if /etc/fstab is already present, it is left alone and devices are not probed for the config.xml file)
- host name may be omitted in DNS forwarder overrides
- host name/client identifier to be sent when requesting a DHCP lease can be configured (patch thanks to Pauline Middelink)
- removed DynDNS password check (special characters)
- the XML "spoofmac" element is now supported for LAN and optional interfaces, too (even though the option is not offered in the webGUI)
(- fixed abs. widths in NAT/DHCP/Log menus)
- added DHCP lease view page to diagnostics section (contributed by Björn Pålsson)
- updated mini_httpd to 1.19
- updated Dnsmasq to 1.18
- made a custom mini_httpd error page

pb22
----
- host and network aliases are now supported for filter, NAT and traffic shaper rules
- updated ez-ipupdate to 3.0.11b8 (DynDNS.org is going to block 3.0.11b7 starting from 12/15/03 because it has been incorrectly implemented in a Linksys product that is now flooding the DynDNS servers)
- filter rules with logging enabled now have an icon in the rule list to reflect this fact
- default logging of blocked packets may be turned off on the log settings page
- "diagnostics" on navigation bar is shown collapsed by default (to get most pages to fit at 1024x768 without scrolling); added a JavaScript to expand it on demand

r55x:
- boot device probing (.....)
- fixed UI display glitch on IPsec VPN page (local subnet)
- upgraded mini_httpd to 1.18
- fixed tables to use relative widths only, removed forced line breaks to improve compatibility with some browsers and systems that do not have the intended font (Tahoma) installed
- added webGUI assign network ports page ()
- changed "assign network ports" to "Interfaces: assign network ports" in console menu (for clarity)

pb20
----
- net4801 port available
- DHCP server: default/max lease time and WINS servers configurable (per interface); default default-lease-time changed to 7200, default max-lease-time changed to 86400
- it is now possible to use dynamically assigned DNS servers on WAN (from DHCP or PPP) for m0n0wall itself. This is now enabled in the default configuration, but old configurations will retain the old behavior (i.e. the feature must be enabled manually on the system setup page). Note that dynamically assigned DNS servers are not redistributed to clients by the DHCP server, because this would cause reloading of the DHCP server each time the DHCP lease is renewed. You may use the DNS forwarder, though.
- DNS forwarder now enabled in the default configuration
- replaced exec.php with more advanced version
- replaced cgi-bin/status.cgi by status.php
- upgraded PHP to 4.3.4

pb19
----
- block rules are now supported, the rule order can be changed, logging can be enabled per rule and rules may be disabled individually
- fixed interface status display when 1:1 NAT mappings are defined (subnet mask)
- static routes are no longer lost when modifying 1:1 NAT entries
- fixed ping/syslog to hosts on optional interfaces
- destination for advanced outbound NAT is not configurable
- removed ng_bridge code, always use BRIDGE
- added a "filtering bridge" option to the advanced setup page
- print a warning on the console if a newer configuration file version is found than the current m0n0wall version was designed for
- upgraded system to FreeBSD 4.9
- upgraded MPD to 3.14
- some cosmetic HTML fixes

pb18
----
- revised webGUI look to reflect required and optional input fields (required = bold)

pb17
----
- the DHCP server can now also serve clients on optional interfaces
- the webGUI password is no longer stored in plaintext (existing configuration files will be automatically updated)
- upgraded mini_httpd to 1.17beta1 (security issues)
- incorporated patch from FreeBSD security advisory 03:18
- in the CD-ROM version, the default config.xml is now automatically copied to the floppy disk if not found
- other minor/cosmetic fixes (e.g. help text in console LAN IP setup to explain subnet bit counts)

pb15
----
- IPsec tunnels now work with a dynamic WAN IP address (DHCP/PPPoE/PPTP); IPsec clients with dynamic IP addresses cannot be accepted, though!
- PPTP client + server enabled at the same time should work now
- the PPTP server will now assign the DNS server address to clients just like the DHCP server does (m0n0wall LAN IP if DNS forwarder is on, DNS servers from system configuration otherwise)
- racoon has been updated to 20030711a
- DynDNS user name syntax check has been relaxed to allow for dynamic DNS services which use e-mail addresses as the user name
- fixed XML parser when spaces are used instead of tabs between tags

pb13r450
--------
- outbound NAT is now configurable ("advanced outbound NAT"); want no NAT -> turn on advanced NAT and add no rules (NAT still only on WAN, though)
- static routes supported (with all the goo like automatically reconfiguring the anti-spoof rules in the filter rule generator) -> guide to use a secondary network on LAN (NAT, filter rules)
- removed syscons and atkbdc support from net45xx kernel
- boot sector patch for "Read error" with some CF cards should finally work
- dnsmasq -> 1.13 (update license)

pb13
----
- allow the firewall access to DNS servers on optional interfaces (e.g. for DynDNS)

pb10
----
- mount CF/floppy with -o sync

pb9
---
- MAC address spoofing on WAN
- fix for RADIUS to work regardless of whether the RADIUS server is on LAN, WAN or DMZ
- NO_SWAPPING in kernel config

pb8
---
- RADIUS support for PPTP server

pb5
---
- upgraded to MPD 3.13
- upgraded to FreeBSD 4.8-RELEASE
- upgraded to PHP 4.3.1

pb4
---
- dual wireless cards should now work
- Wireless BSS (infrastructure) and IBSS (ad-hoc) mode are now supported
- Wireless interface is no longer put in promiscuous mode with hostap
- Cisco Aironet cards are now supported in BSS and IBSS mode
- a new wireless status page has been added to display the signal strength cache and the list of associated stations (in hostap mode) for cards supported by the wi(4) driver (not for Aironet)

pb3
---
- LAN IP is now shown in console banner
- Wireless support! (hostap only at the moment)
- non-present interfaces no longer show up in navigation bar

pb2 (02/22/2003)
----------------
- changed navigation bar ("System" is no longer a link and has got a subitem named "General setup")
- modified firmware upgrade facility so the normal gzip'ed CF images can be used
- added configuration backup/restore
- added new console menu item to allow LAN/WAN/DMZ <-> network interface assignment
- improved bootup banner to show current port configuration
- added PPTP client support on WAN interface (EXPERIMENTAL)

pb1 (2/15/2002)
---------------
- Initial release.