**** Version 3.0 Release ****

**** CHANGES (since Drawbridge 3.0 Beta 2) ****

o Fixed a typo in the filter.config file. The sample config for the
  drawbridge host should have contained "<9-18/icmp in>" instead of
  "<8-18/icmp in>".

o Fixed a bug in the accept/reject/override table logic which prevented
  the address 0.0.0.0 with a non-zero mask from being entered.

o Modified all of the supported NIC drivers so that Drawbridge will still
  work if BPF is enabled.

o The ethernet/fddi header length was not being added to the packet byte
  counters. The header length is now included.

o Changed bytes/sec to bits/sec in the aggregate throughput section of the
  dbmgr monitor page. The preamble, frame check, and inter-packet gap are
  included in the calculation so the bits/sec display represents the true
  bandwidth being bridged through the firewall.

o Added a check to dbmgr to make sure its version matches the version of
  the code in the kernel. This is necessary because they both share some
  of the same structure definitions which may change between versions.

o Created a patch file for FreeBSD 2.2.7-RELEASE and 2.2.8-RELEASE and
  removed the out-of-date patch for 2.2.5-RELEASE. The patches for 2.2.6
  and 2.2.7 include the patch for CERT advisories FreeBSD-SA-98:07 and
  CA-98-13-tcp-denial-of-service.

o Fixed an oversight in /etc/syslog.conf to prevent Drawbridge logs from
  being duplicated in /var/log/messages.

o Commented out the MAXMEM option from the Drawbridge kernel config file.
  This option caused problems on some systems.

o Fixed an error in the dbmgr builtin help for 'set logmask'. Outgoing via
  accept and incoming via accept were reversed.

o The 'ie' (cards using Intel 82586 chip) and 'wl' (wavelan card) drivers
  are incompatible with Drawbridge so they have been commented out in the
  Drawbridge kernel config file.
o Fixed a small bug in the grammar definition for the compiler which
  caused the compiler to not print an error message when the first
  statement in the filter config file contained a syntax error.

o Modified the install script so that it will add the commands necessary
  to remake the drawbridge device to /dev/MAKEDEV.local.

o Added the rsaref port to the ssh-port directory.

**** Version 3.0 Beta 2 ****

**** CHANGES (since Drawbridge 3.0 Beta) ****

o Patched the vx ethernet driver (3com pci ethernet cards) so it would
  work with Drawbridge.

o Added the dropped packet counter to several ethernet drivers that had
  been overlooked.

o Made the changes necessary to build the Drawbridge package on FreeBSD
  2.2.6 as well as 2.2.5.

**** Version 3.0 Beta ****

**** CHANGES (since Drawbridge 3.0 Alpha) ****

o Ported from FreeBSD version 2.0.1 to 2.2.5.

o Put syslog support back in. This had been left out of the initial port
  to FreeBSD.

o Fixed a bug in the listen interface code.

o Added support for incoming ICMP filtering based on the type of ICMP
  packet and the destination host. This was mainly added to prevent ICMP
  echo requests to local broadcast addresses.

o Renamed the 'allow' table to the 'override' table.

o Added the 'accept' table to prevent IP spoofing from the inside to the
  outside. This helps protect the rest of the Internet from malicious
  users on the local network.

o Redesigned the table logic (accept, reject, override) to add the ability
  to have inverse rules.

o Made all counters 64-bit to prevent rollover.

o Added an option to filter certain ICMP attacks and an option to filter
  fragmented ICMP packets.

o Added a breakdown of the filtered packets counter on the monitor screen.
  Each filter now has its own counter to make it easier to tell what kinds
  of packets are being filtered without turning on logging of each
  filtered packet.

o Modified dbfc and dbmgr to support the new features listed above.

o Removed the '-b' switch from the filter compiler. The manager now always
  expects the compiled data files to be in network byte order.

o Fixed a bug in the filter compiler that displayed inaccurate min/avg/max
  values for the number of table entries for each class in the generated
  class table.

**** Version 3.0 Alpha (not publicly released) ****

**** CHANGES (since Drawbridge 2.0.1) ****

o This version is a complete rewrite for the FreeBSD 2.0.1 operating
  system. A lot has changed from version 2.0 so it will be necessary to
  read all the documentation before setting up version 3.0. Instead of
  describing all the specific changes, I have listed general changes
  below.

o The Filter program has been completely replaced with a modified FreeBSD
  kernel. All filtering/bridging is handled inside the kernel at the
  interface layer. All packet processing is interrupt driven for the best
  possible speed.

o The Filter Manager has been completely rewritten and renamed 'dbmgr'
  (Drawbridge Manager). The manager now runs on the Drawbridge system
  instead of on a remote system. Remote management can still be
  accomplished by using ssh (secure shell) to login to the Drawbridge
  system to use dbmgr locally.

o The Filter Compiler has been renamed to 'dbfc' (Drawbridge Filter
  Compiler) and can now be run on the Drawbridge system as well as on a
  remote system. If it is run remotely, the resulting files can be
  transferred to the Drawbridge system in a secure manner using scp
  (secure copy).

o All Drawbridge management can now be done from the console while the
  system is running. No packet loss will result from management
  operations because all packet filtering and forwarding is done at the
  interrupt level in the FreeBSD kernel. If desired, remote access can be
  completely disabled for added security.

**** Version 2.0.1 ****

**** CHANGES (since Drawbridge 2.0) ****

o Ported fm and fc to Linux.

**** Version 2.0 ****

**** CHANGES (since Drawbridge 2.0 Beta) ****

o Changed the behavior of fm when not reading from a terminal. It used to
  throw all output except stderr away. Now it does not throw output away.
  If you wish the output to go to /dev/null use a shell redirection.

o Changed the behavior of the -b switch on fc. Since the tools are endian
  clean now, the only use for the switch is for sneakernet transfer of the
  files to Filter. Therefore Filter Compiler now also modifies the
  filenames of the output files when -b is specified so that they are the
  filenames that Filter expects.

o Removed some definitions that prevented Filter from compiling under
  Borland C++ version 3.

o Made the Makefiles more portable. You now invoke them with the platform
  desired to build fc and fm. Thanks go to Ralph Mitchell for providing
  patches for compilation on AIX.

o Added in syslog support. Thanks go to Klaus-Peter Kossakowski and Uwe
  Ellermann at DFN-CERT for providing much of the implementation.

o Cleaned up the syslog support and added in the LogMask. Some of the
  syslogging may get tortuous depending on the kind of traffic on the
  network that Drawbridge is attached to.

o Added optional filtering of TCP IP fragments with suspicious offsets and
  optional filtering of IP protocols other than TCP/UDP/ICMP. Thanks go to
  Klaus-Peter Kossakowski and Uwe Ellermann at DFN-CERT for some of this
  code.

**** Version 2.0 Beta ****

**** CHANGES (since Drawbridge 2.0 Alpha) ****

o NDIS 2.1 from Microsoft rather than NDIS 2.0 from 3Com is now included.
  Thanks go to Alex Li for giving me the pointer to the newer version.

o Patches have been made so that fc and fm will now run on little endian
  machines. If you can get fc and fm to compile, endianness should not be
  a problem. Thanks go to Danny Thomas for generating the fixes for fc.
  (Note that due to the extensive amount of changes required, fc and fm do
  not and will not any time soon run on 64-bit architectures (e.g.
  Alpha).)

o An uptime statistic has been added to the statistics reporting.
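The two optional filters listed under Version 2.0 above (TCP fragments with suspicious offsets, and IP protocols other than TCP/UDP/ICMP) are shown below as an added C example; it is not Drawbridge code and the notes do not say which offsets Drawbridge treats as suspicious, so the rule used here is an assumption taken from RFC 1858: a TCP fragment at offset 1 (8 bytes in, which would overwrite the TCP flags) is dropped, as is a first fragment too short to carry the TCP flags field. The names `filter_ip`, `build_ipv4` and `classify` are hypothetical, and the packets are constructed in the block rather than captured.

```c
/* Added example, not Drawbridge code: fragment and protocol sanity checks
 * of the kind the Version 2.0 notes describe. The "suspicious offset"
 * rule is an assumption taken from RFC 1858. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum proto { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17, PROTO_GRE = 47 };

enum verdict {
    VERDICT_PASS = 0,
    VERDICT_DROP_MALFORMED,   /* not IPv4, or header longer than the packet */
    VERDICT_DROP_PROTO,       /* protocol other than TCP/UDP/ICMP */
    VERDICT_DROP_TCP_FRAG     /* TCP fragment with a suspicious offset */
};

#define IP_MF         0x2000u   /* "more fragments" flag */
#define IP_OFFMASK    0x1fffu   /* fragment offset, in 8-byte units */
/* Bytes of TCP header needed so the flags field (byte 13) is present in
 * the first fragment (RFC 1858 TMIN). */
#define TCP_MIN_FIRST 16u

struct filter_opts {
    int drop_other_protos;     /* only TCP/UDP/ICMP are bridged */
    int drop_suspicious_frags; /* apply the RFC 1858 checks */
};

/* Classify one IPv4 packet (pkt points at the IP header). */
enum verdict filter_ip(const uint8_t *pkt, size_t len, const struct filter_opts *o)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return VERDICT_DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return VERDICT_DROP_MALFORMED;

    uint8_t proto = pkt[9];
    if (o->drop_other_protos &&
        proto != PROTO_TCP && proto != PROTO_UDP && proto != PROTO_ICMP)
        return VERDICT_DROP_PROTO;

    if (o->drop_suspicious_frags && proto == PROTO_TCP) {
        uint16_t ff = (uint16_t)((pkt[6] << 8) | pkt[7]);
        uint16_t off = ff & IP_OFFMASK;
        int more = (ff & IP_MF) != 0;
        size_t payload = len - ihl;
        /* A second fragment starting 8 bytes in overlaps the TCP flags. */
        if (off == 1)
            return VERDICT_DROP_TCP_FRAG;
        /* A first fragment too small to carry the TCP flags at all. */
        if (off == 0 && more && payload < TCP_MIN_FIRST)
            return VERDICT_DROP_TCP_FRAG;
    }
    return VERDICT_PASS;
}

/* Constructed sample input: a minimal 20-byte IPv4 header followed by
 * payload_len zero bytes. Returns the total length, 0 if buf is too small. */
size_t build_ipv4(uint8_t *buf, size_t cap, uint8_t proto,
                  uint16_t frag_field, size_t payload_len)
{
    size_t total = 20 + payload_len;
    if (total > cap) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                       /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;
    buf[6] = (uint8_t)(frag_field >> 8); /* flags + fragment offset */
    buf[7] = (uint8_t)frag_field;
    buf[8] = 64;                         /* TTL */
    buf[9] = proto;
    return total;
}

/* Build a packet with the given fields and run it through both filters. */
enum verdict classify(uint8_t proto, uint16_t frag_field, size_t payload_len)
{
    static const struct filter_opts opts = { 1, 1 };
    uint8_t buf[128];
    size_t n = build_ipv4(buf, sizeof buf, proto, frag_field, payload_len);
    return filter_ip(buf, n, &opts);
}

int main(void)
{
    printf("tcp, offset 1           -> %d\n", classify(PROTO_TCP, 1, 8));
    printf("tcp, first frag, 8 B    -> %d\n", classify(PROTO_TCP, IP_MF, 8));
    printf("tcp, first frag, 20 B   -> %d\n", classify(PROTO_TCP, IP_MF, 20));
    printf("udp, offset 1           -> %d\n", classify(PROTO_UDP, 1, 8));
    printf("gre, unfragmented       -> %d\n", classify(PROTO_GRE, 0, 8));
    return 0;
}
```

Only TCP is subjected to the offset checks, matching the wording of the note; an unfragmented TCP packet (offset 0, MF clear) is never dropped by them, however short it is, because the short-first-fragment rule only makes sense when more fragments follow.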
o The original paper covering the entire TAMU security package has been
  updated to cover Drawbridge 2.0. It is still not up to date on Tiger and
  Netlog but will be soon.

o Added "retries" and "timeout" variables to the fm user interface. When
  managing a Drawbridge installation that uses floppy disk for the storage
  of the tables, a write can easily timeout. The default values are 3
  retries and 3 seconds.

**** Version 2.0 Alpha ****

**** CHANGES (since Drawbridge 1.1) ****

o Filter now supports FDDI to FDDI filtering. Note however that due to the
  inherent limitations with bridging on FDDI, Filter will only work under
  a very specific and limited configuration. This is documented in the
  file doc/FILTER. Please send email to drawbridge@net.tamu.edu if you
  have further questions.

o Filter now uses NDIS 2.01 DOS drivers. Therefore any Ethernet cards or
  FDDI cards with adequate NDIS drivers can be used with Drawbridge 2.0.

o Filter now has an IP protocol stack and the management occurs via UDP.
  This allows the Filter Manager to run on just about any Unix platform
  that has BSD sockets. (Note that currently I haven't ported it to
  platforms other than Solaris 2.3.)

o Filter now uses an (as far as we know) exportable Pseudo One Time Pad
  cryptographic scheme for authentication and privacy over the management
  channel.

o Filter now provides statistics from both the console and Filter
  Manager. Both Filter specific and NDIS statistics are reported.

o Filter is now interrupt driven rather than polling (forced because of
  NDIS) and performance is better. With the previously recommended setup
  Filter now produces peak transfer rates of approximately 5.5 Mb/sec
  versus the previously measured peak of 3.5 Mb/sec. 10 Mb/sec on
  ethernet should be easily achieved with faster cards, buses and CPUs.
  Under FDDI with a 60MHz Pentium and two EISA Network Peripherals FDDI
  cards, data rates up to 18Mb/sec have been measured. The actual limit
  is higher but we do not have a reliable testbed capable of generating
  and measuring higher data rates at this time.

o Filter now uses XMS to store the network tables in extended memory. A
  cache is kept in low memory.

o Filter has a new switch which controls whether or not packets other
  than IP/ARP/RARP are transparently bridged.

o Filter Compiler (and Filter) is backward source and binary compatible.
  Other than bug fixes, no changes have been made to the Filter Compiler.
  For Filter, the DES key file is no longer used and a new file PASSWORD
  is maintained. Also Filter Manager no longer uses .fmkey.* files.

o The GNU Copyleft has been removed. This material is now covered under a
  Berkeley/MIT style copyright, i.e. you can do anything you want with the
  code but must credit us. See the file COPYING.

o A few commands have been added/changed in the Filter Manager. The
  changes are documented under the help system.
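The accept/reject/override table logic described in the 3.0 notes above (the 'accept' table that stops inside-to-outside spoofing, inverse rules, and the 0.0.0.0-with-non-zero-mask entry that the 3.0 release fix allows) is shown below as an added C example. It is not Drawbridge code: the notes do not spell out the matching semantics, so the following are assumptions made here: an entry is a network (address, mask), an inverse entry matches every address outside that network, the first matching entry wins, and an outbound packet is forwarded only if its source matches the accept table and does not match the reject table. The names `table_add`, `table_lookup`, `egress_allowed` and the `demo_*` functions are hypothetical, and the tables and addresses are constructed for the demonstration.

```c
/* Added example, not Drawbridge code: network tables with inverse rules,
 * a 0.0.0.0/non-zero-mask entry, and an egress anti-spoofing decision.
 * Matching semantics are assumptions (see the lead-in). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_MAX 32

struct entry { uint32_t addr; uint32_t mask; int invert; };
struct table { struct entry e[TABLE_MAX]; int n; };

/* Parse a dotted quad into a host-order uint32. Returns 1 on success. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Valid masks are all-zero or have contiguous one bits from the top. */
int mask_is_valid(uint32_t mask)
{
    return mask == 0 || (mask | (mask - 1)) == 0xffffffffu;
}

/* Add "addr/mask" (optionally inverted). Only a full table, an unparsable
 * field or a non-contiguous mask is refused; 0.0.0.0 with a non-zero mask
 * is an ordinary network entry (the case the 3.0 release fix describes). */
int table_add(struct table *t, const char *addr, const char *mask, int invert)
{
    uint32_t a, m;
    if (t->n >= TABLE_MAX) return 0;
    if (!parse_ipv4(addr, &a) || !parse_ipv4(mask, &m)) return 0;
    if (!mask_is_valid(m)) return 0;
    t->e[t->n].addr = a & m;        /* keep the canonical network address */
    t->e[t->n].mask = m;
    t->e[t->n].invert = invert;
    t->n++;
    return 1;
}

/* Index of the first entry that ip satisfies, or -1 if none does. */
int table_lookup(const struct table *t, uint32_t ip)
{
    for (int i = 0; i < t->n; i++) {
        int inside = (ip & t->e[i].mask) == t->e[i].addr;
        if (t->e[i].invert ? !inside : inside) return i;
    }
    return -1;
}

/* Egress anti-spoofing decision for a source address: 1 forward, 0 drop. */
int egress_allowed(const struct table *accept, const struct table *reject,
                   const char *src)
{
    uint32_t ip;
    if (!parse_ipv4(src, &ip)) return 0;
    if (table_lookup(reject, ip) >= 0) return 0;   /* explicitly rejected */
    return table_lookup(accept, ip) >= 0;          /* must be an inside address */
}

/* Constructed tables: 10.0.0.0/8 and 192.168.1.0/24 are the inside
 * networks; 10.255.0.0/16 is quarantined and 0.0.0.0/8 is never a valid
 * source (the entry that older code refused to load). */
int demo_egress(const char *src)
{
    struct table accept, reject;
    memset(&accept, 0, sizeof accept);
    memset(&reject, 0, sizeof reject);
    table_add(&accept, "10.0.0.0", "255.0.0.0", 0);
    table_add(&accept, "192.168.1.0", "255.255.255.0", 0);
    table_add(&reject, "10.255.0.0", "255.255.0.0", 0);
    table_add(&reject, "0.0.0.0", "255.0.0.0", 0);
    return egress_allowed(&accept, &reject, src);
}

/* Inverse rule demo: entry 0 is "not 10.0.0.0/8", entry 1 is 10.1.0.0/16. */
int demo_inverse(const char *ip_str)
{
    struct table t;
    uint32_t ip;
    memset(&t, 0, sizeof t);
    table_add(&t, "10.0.0.0", "255.0.0.0", 1);
    table_add(&t, "10.1.0.0", "255.255.0.0", 0);
    if (!parse_ipv4(ip_str, &ip)) return -1;
    return table_lookup(&t, ip);
}

/* 1 when the 0.0.0.0/255.0.0.0 entry is accepted by table_add. */
int demo_zero_address_entry(void)
{
    struct table t;
    memset(&t, 0, sizeof t);
    return table_add(&t, "0.0.0.0", "255.0.0.0", 0);
}

int main(void)
{
    const char *srcs[] = { "10.1.2.3", "192.168.1.7", "10.255.0.5", "0.0.0.7", "8.8.8.8" };
    for (size_t i = 0; i < sizeof srcs / sizeof srcs[0]; i++)
        printf("%-12s %s\n", srcs[i], demo_egress(srcs[i]) ? "forward" : "drop");
    printf("inverse lookup 8.8.8.8 -> entry %d\n", demo_inverse("8.8.8.8"));
    return 0;
}
```

Storing `a & m` rather than the address as typed is what makes a 0.0.0.0 entry unremarkable: after canonicalisation it is just the network whose address bits are all zero, and the mask alone decides how many hosts it covers.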