IPCop Version 1.4.11 Released
Monday, August 28, 2006 (16:47:55)
Posted by Paul Rimmer
A new version of this great firewall distribution has just been released. More Dynamic DNS providers have been added amongst other things. Check it out here.
Here is the summary of the changes from 1.4.10 to 1.4.11
Web interface
backup.cgi
- new backup supporting USB key, unencrypted backup removed for security reasons
- export of backup.key
  key is encrypted with a 'backup' password needed for reinstall,
  hostname is included in the exported key file
- backup .dat
  now includes hostname and the timestamp of the backup
  before reinstalling, remove the timestamp from the name of the file you want to use to restore
  a comment field is available for each backup
  the comment will be restored on backup upload (if available)
- floppy backup
  display used size,
  check that backup is not too big
  directly display errors if any (bad floppy)
ddns
- fix typo in local IP network address to fetch real public IP (sf1369617)
- fix GET string during fetch real public IP (sf1396470) and use proxy settings
- add cjb.net, everydns.net providers and remove hn.org
- move freedns and regfish to https exchanges
- change URL for zoneedit
connections.cgi
- Fix icmp bug (sf1373594)
- add sorting & filtering of the table
- fix minor xhtml compliance issues
dhcp.cgi
- change duplicate dhcp fixed lease detection (Tapani suggestion)
- highlight duplicate MACs
- new option need to be created no space 'code nnn=xyz'
- allow more characters in rootpath/filename options (sf1365534)
gui.cgi
- fix minor xhtml compliance issues
ids.cgi
- fix save that erases update signature date
- fix stop of ids in 1.4.11rc1
portfw.cgi
- fix destination range check (sf1226089)
password.cgi
- have a uniform policy in setup and web GUI
  space, ' and " are not allowed
  a 6-character password is the minimal length in both interfaces
pppsetup.cgi
- fix minor xhtml compliance issues
proxy.cgi
- use the proxy port number set in web interface
- support squid extension_methods
- add an option to repair the cache
- fix 'flush cache' option
shutdown.cgi
- allow a programmed shutdown/reboot
update.cgi
- include version number in update log message
VPN
- fix minor xhtml compliance issues
- fix CRL dir and filename
- move randfile and cakey.pem out of /var/ipcop/ca to remove warnings (need to include in upgrade)
- add leftid/rightid parameters to extend interoperability with other peers
- remove 'raw' debug option, not usable (too much data)
- add overridemtu option
- allow %defaultroute as local name for this side of VPN (sf1418529)
- correctly enable creation of Roadwarriors (sf1436828)
- add subjectAltName (rfe sf1365911)
- add a pkcs12 import while creating a connection
- allow use of DN,FQDN,IP for authentication (sf #1418533)
- compression+vhost can work together: disable check
- set compression off by default for better compatibility
- Fix unneeded test preventing a cert from being used more than once (sf1171139)
- add aggressive mode option (rfe sf1359865)
- PFS advanced option was not cleared when saving params in basic GUI
- Integrate vpn-watch from Daniel Berlin (used for net-to-net only)
- Fix certificate export with IE and Opera, now the box to register to disk really opens
- Check the subjectaltname field and filter error output
  With access to the VPN configuration page controlled by the admin password, it was possible to include HTML code in this field.
  The HTML code was executed because the error display did not filter subjectaltname.
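An added example, not IPCop's own code, of the two measures named in the subjectaltname item above: validate the field, and escape it before it appears in an error page. The accepted syntax (comma-separated DNS, IP and email entries), the function names and the sample inputs are assumptions made for illustration.

```python
import html
import ipaddress
import re

# Assumed accepted syntax (not taken from IPCop's code): comma-separated
# type:value entries restricted to DNS, IP and email.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DNS_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")
_EMAIL_RE = re.compile(rf"[A-Za-z0-9._%+-]{{1,64}}@(?:{_LABEL}\.)*{_LABEL}")

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

_CHECKS = {
    "DNS": lambda v: len(v) <= 253 and bool(_DNS_RE.fullmatch(v)),
    "IP": _is_ip,
    "email": lambda v: bool(_EMAIL_RE.fullmatch(v)),
}

def rejected_entries(field):
    """Return the entries that fail validation; an empty list means accept."""
    bad = []
    for entry in field.split(","):
        entry = entry.strip()
        kind, sep, value = entry.partition(":")
        check = _CHECKS.get(kind)
        if not sep or check is None or not check(value):
            bad.append(entry)
    return bad

def error_page_unfiltered(field):
    # Failure mode from the changelog: form input copied raw into the page.
    return "<p>Invalid subjectAltName: " + field + "</p>"

def error_page_filtered(field):
    # Escape every character that came from the form before display.
    return "<p>Invalid subjectAltName: " + html.escape(field, quote=True) + "</p>"

# Constructed sample inputs.
GOOD = "DNS:vpn.example.org, IP:192.0.2.10, email:admin@example.org"
BAD = "DNS:gw.example.org,DNS:<i>markup</i>"

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        bad = rejected_entries(sample)
        print("accept" if not bad else error_page_filtered(sample))
```

Validation alone is not enough here, because the rejected value is exactly what ends up in the error message; the escaping step is what keeps it inert.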
Connection
- fix reconnection done even in manual and pure RED setting
- fix Ping disable option only working correctly with RED interface up (SF 1373822)
- restart squid during rc.updatered (should fix sf1077113)
- allow selection of only pap or only chap with fritzdsl to be effective
Various
- fix 'single' mode booting used for password recovery (sf1349440)
- fix kernel displaying nonexistent partitions with unpartitioned FAT device (integrated in 2.4.33)
- fix syslogd and klogd users and now start syslogd as syslogd uid
Building
- support build from precompiled toolchain package
  - to work with very old or brand new distributions
  - to spare build time
  - package available when the building machine is an i586 or an i686
  You can upload the corresponding prebuilt toolchain with
  ./make.sh gettoolchain
  If you want to build your own package, do
  ./make.sh clean && ./make.sh toolchain
- supply a collection of all needed package sources used to build in an .iso
- split compilation log into different stage log files
- strip from chrooted /tool/strip
- initrd is rebuilt every time the installer is more recent
- during compilation, disable ipsec.secrets generation to work around a potential empty entropy pool problem with a kernel >2.6.11.x on the running machine
- at the end, move .iso and *.tgz from build/install to root dir instead of copying to save space on disk
Support Latin-2 for rrdtool
Upgraded packages
- dhcp-3.0.4,
- dnsmasq-2.33 and remove ipv6 support we don't use,
- gnupg-1.4.5 and trim unused features,
- hdparm-6.6 (mainly support ATA7 detection),
- iana-etc 2.10,
- iptables-1.3.5 (pool extension no longer available, string extension is reverted to code in v1.3.3),
- ipac-ng-1.31,
- libpng-1.2.12,
- squid-2.5.STABLE14 plus patch,
- openswan-1.0.10,
- vlan.1.9. (cosmetic)
Fix openssl compiled previously for 486 (sf bug #1363150)
Add Afrikaans, Gujarati, Japanese, Persian (Farsi), Slovak languages to web interface and installer
Installation
- support installation from usb key
- support restoration from usb key and network (http/ftp)
- display version on first screen message
- no more need of scsi floppy to support scsi cdrom/disk when not booting from floppy
- explain 'no echo for password' message
- use syslinux-3.11
- fill URL box with http:// as it may not be easy to type : on an unmapped keyboard
- keep the URL in case the file is not found (easier to understand what was previously wrong)
- Fix SiS965L chipset detection
- Fix mptscsih configuration during install