Computing and Information Services

Drawbridge

Drawbridge 4.0 (December 22, 2003)
----------------------------------

  o  Initial release

  o  Changes in dbmgr
     The Drawbridge Manager application (dbmgr) has undergone some minor
     functionality changes.  These changes deal mostly with the removal
     of commands and settings that are no longer needed for the netgraph
     port.

  o  Support for syslog is available, but the syslog mask is now set at
     compile time and is not changeable.  The syslog code is undergoing a
     major overhaul for the next release.

  o  Ported to netgraph
     The netgraph version of Drawbridge should work with FreeBSD version
     3.4-RELEASE or higher, or any 4.x version of FreeBSD.  It will not
     work with version 5.x of FreeBSD.  A version of Drawbridge for
     FreeBSD 5.x will be released soon.

  o  Removed FDDI support
     FDDI support has been removed from version 4.0.  If you require FDDI
     support, please send a note to drawbridge-owner@net.tamu.edu.

  o  Removed support for IP addresses on firewall interfaces
     A typical Drawbridge box now requires 4 interfaces:  inside, outside,
     mirror (optional), and management.  This was done primarily for
     security reasons.

**** Version 3.1 ****
**** CHANGES (since Drawbridge 3.0.2) ****

o Redesigned the data structures for IP address lookup to remove the
        IP class restrictions.  You can now specify any host address or
        range, not just class B or C addresses.

o The behavior of the 'network' command in the filter language has been
        slightly modified due to the new data structures.  When an address
        and mask is specified, the host portion of the address is now
        ignored and will generate a warning if it is non-zero.

o The filter language commands 'network', 'reject', and 'accept' will now
        accept a range of addresses specified using <network> / <bits>
        notation.
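
As an added illustration (this is not Drawbridge's own code, which is not on this page), the following C program parses a range written in the <network>/<bits> notation, clears any non-zero host bits with a warning as the 3.1 'network' command does, and tests addresses against the result. It assumes the notation means dotted-quad/prefix-length; the parser is deliberately strict and rejects anything else, including prefix lengths over 32.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not Drawbridge code.  Parses an address range written as
 * <network>/<bits> (assumed to mean dotted-quad/prefix-length) and applies
 * the 3.1 rule that non-zero host bits are ignored with a warning. */

struct ip_range {
    uint32_t net;   /* network address, host byte order, host bits cleared */
    uint32_t mask;  /* prefix mask, host byte order */
    int      bits;  /* prefix length, 0..32 */
};

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static uint32_t prefix_mask(int bits)
{
    if (bits <= 0)  return 0;          /* /0 matches every address */
    if (bits >= 32) return 0xffffffffu;
    return 0xffffffffu << (32 - bits);
}

/* Returns 0 on success, -1 on a syntax or range error.  *warned is set to 1
 * when the written address had host bits set; they are cleared, as the 3.1
 * 'network' command does. */
int parse_range(const char *text, struct ip_range *r, int *warned)
{
    unsigned a, b, c, d, bits;
    char tail;

    *warned = 0;
    /* The trailing %c rejects junk after the prefix length. */
    if (sscanf(text, "%u.%u.%u.%u/%u%c", &a, &b, &c, &d, &bits, &tail) != 5)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || bits > 32)
        return -1;

    uint32_t addr = ip4(a, b, c, d);
    r->bits = (int)bits;
    r->mask = prefix_mask(r->bits);
    r->net  = addr & r->mask;
    if (addr != r->net) {
        *warned = 1;
        fprintf(stderr, "warning: host portion of %s is non-zero and was ignored\n", text);
    }
    return 0;
}

/* Membership test: the mask-and-compare a lookup table performs per packet. */
int range_contains(const struct ip_range *r, uint32_t addr)
{
    return (addr & r->mask) == r->net;
}

/* Convenience wrappers: -1 = syntax error, otherwise the warning flag or the
 * membership result. */
int parse_warns(const char *text)
{
    struct ip_range r;
    int warned;
    return parse_range(text, &r, &warned) < 0 ? -1 : warned;
}

int text_contains(const char *text, uint32_t addr)
{
    struct ip_range r;
    int warned;
    if (parse_range(text, &r, &warned) < 0) return -1;
    return range_contains(&r, addr);
}

int main(void)
{
    /* Constructed sample ranges and probe address. */
    const char *ranges[] = { "128.194.0.0/16", "128.194.5.7/16", "10.0.0.1/32", "10.0.0.0/33" };
    uint32_t probe = ip4(128, 194, 200, 1);
    for (int i = 0; i < 4; i++)
        printf("%-16s warns=%2d  contains 128.194.200.1: %d\n",
               ranges[i], parse_warns(ranges[i]), text_contains(ranges[i], probe));
    return 0;
}
```

The warning path is the one a reviewer of a filter config wants to see: a rule written as 128.194.5.7/16 silently covering the whole /16 is exactly the kind of surprise the compiler's warning exists to surface.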
 
o Changed the data type of a filter class index from unsigned char to
        unsigned short.  This removes the limit of 256 maximum filter rule
        sets.

o Redesigned the data structures for the Accept, Reject, and Override
        tables.  This removes the limit of 32 maximum addresses.  These
        tables now also have a constant time lookup so you can have as
        many accepts, rejects, or overrides as you want without degrading
        performance.

o New tables are no longer loaded on top of the running 'live' tables.  In
        previous 3.x versions, the host table and class tables were out of
        sync for a split second as new tables were being loaded.  The new
        tables are now loaded into separate memory and become active as
        an atomic operation once all tables have been loaded.
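
The loading scheme described in this entry, as an added C sketch that is not Drawbridge code: a new host table and class table are built in private memory and published with a single atomic pointer store, so a packet being filtered never pairs a host entry from one load with a class table from another. The table layout, the class flag field, and the reload sequence are simplified assumptions for the example.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example, not Drawbridge code.  Models the 3.1 behaviour: tables are
 * filled in separate memory and become active as one atomic operation. */

#define MAX_HOSTS   16
#define MAX_CLASSES 8

struct host_entry {
    uint32_t       addr;      /* host address, host byte order */
    unsigned short class_idx; /* index into class_flags (unsigned short, as in 3.1) */
};

struct table_set {
    struct host_entry hosts[MAX_HOSTS];
    int               nhosts;
    unsigned short    class_flags[MAX_CLASSES]; /* hypothetical per-class filter bits */
    int               nclasses;
};

/* The live set: readers load it once per packet, the loader swaps it once. */
static _Atomic(struct table_set *) live_tables = NULL;

struct table_set *tables_begin_load(void)
{
    return calloc(1, sizeof(struct table_set));  /* private memory, not yet visible */
}

/* Returns the new class index, or -1 when the table is full. */
int tables_add_class(struct table_set *ts, unsigned short flags)
{
    if (ts->nclasses >= MAX_CLASSES) return -1;
    ts->class_flags[ts->nclasses] = flags;
    return ts->nclasses++;
}

/* Returns 0, or -1 when full or when cls does not name a loaded class. */
int tables_add_host(struct table_set *ts, uint32_t addr, unsigned short cls)
{
    if (ts->nhosts >= MAX_HOSTS || cls >= ts->nclasses) return -1;
    ts->hosts[ts->nhosts].addr = addr;
    ts->hosts[ts->nhosts].class_idx = cls;
    ts->nhosts++;
    return 0;
}

/* Publish: one atomic exchange makes every table active at the same instant.
 * The previous set is returned so the caller can free it once no reader can
 * still hold it (the original filters at interrupt level, so the loader would
 * also have to block that path before freeing; assumed away here). */
struct table_set *tables_commit(struct table_set *ts)
{
    return atomic_exchange(&live_tables, ts);
}

/* Per-packet lookup: the pointer is read exactly once, so the host entry and
 * the class it indexes always come from the same load.  Returns 1 on a hit. */
int lookup_class_flags(uint32_t addr, unsigned short *flags)
{
    struct table_set *ts = atomic_load(&live_tables);
    if (ts == NULL) return 0;
    for (int i = 0; i < ts->nhosts; i++) {
        if (ts->hosts[i].addr == addr) {
            *flags = ts->class_flags[ts->hosts[i].class_idx];
            return 1;
        }
    }
    return 0;
}

/* Walks through a reload: publish set A, build set B while A is still live,
 * commit B.  Returns the flags looked up afterwards, or 0xffff on failure. */
unsigned short reload_demo(void)
{
    const uint32_t host = 0x0A000001u;            /* constructed: 10.0.0.1 */
    unsigned short flags = 0;

    free(tables_commit(NULL));                     /* start from an empty live set */

    struct table_set *a = tables_begin_load();
    if (!a || tables_add_class(a, 0x01) != 0 || tables_add_host(a, host, 0) != 0)
        return 0xffff;
    if (tables_commit(a) != NULL || !lookup_class_flags(host, &flags) || flags != 0x01)
        return 0xffff;

    struct table_set *b = tables_begin_load();   /* A stays live and untouched */
    if (!b || tables_add_class(b, 0x10) != 0 || tables_add_class(b, 0x20) != 1
           || tables_add_host(b, host, 1) != 0)
        return 0xffff;
    struct table_set *old = tables_commit(b);
    if (old != a) return 0xffff;
    free(old);                                     /* A is no longer reachable */

    return lookup_class_flags(host, &flags) ? flags : 0xffff;
}

int main(void)
{
    return reload_demo() == 0x20 ? 0 : 1;
}
```

The property worth keeping in mind is that the lookup never touches the global pointer twice: loading it once and then following indices within that one set is what makes the class-index bound check at load time sufficient at lookup time.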

o Added five new port range filter tables: tcp_src_out, udp_dst_out,
        udp_src_in, udp_src_out, icmp_type_out.  The new tables fill in the
        gaps and now allow the same filters for both incoming and outgoing
        packets.  For example, the rule <src=53/udp in> will now work as
        expected.

o Added support to the compiler to handle host names which resolve to
        multiple IP addresses.  The compiler will now apply the filter
        to all of the IP addresses returned by DNS instead of just the
        first address.

o The compiler now generates much smaller files, due partly to the new
        data structures and partly to a simple compression scheme which
        strips the null data from the file.
 
o You can now configure drawbridge to send back a tcp reset (host unreachable)
        when a tcp connection is denied by a filter rule.  You can separately
        configure which denied ports will send back a tcp reset for the inside
        and outside interfaces.

o You can now set the global flags Multicast, NonIP, OtherIP, SuspectOffset,
        FragmentedICMP, and AttackICMP in the filter configuration file.
        They are loaded with the rest of the filter definitions when
        db_filters is loaded.

o Added support for flexible port mirroring to a third interface.  This is
        useful for situations where drawbridge is installed in a full-duplex
        environment and there's no other way to install an external traffic
        monitor.

o The configuration of the listen interface has been moved from the dbmgr
        init command to a dbmgr set command.  You can now change which
        interface(s) drawbridge will listen to on the fly while drawbridge
        is running.

o Added readline support to the dbmgr interface which provides command
        history and command completion.

o Dbfc now issues a warning when a host is redefined in the filter config
        file.

o Dbfc now issues a warning instead of a fatal error when name resolution
        for a host fails.

o Dbfc now issues an error if an include file is not found or not readable.

o Fixed a dbfc bug which caused it to crash when no classes were defined.

o Fixed a bug in the syslog code which caused a MAC layer syslog message
        to print incorrectly.


**** Version 3.0.2 ****
**** CHANGES (since Drawbridge 3.0.1) ****

o Fixed a bug in the ep patch (3C509) for 2.2.8 which caused packets
        which were not addressed to the Drawbridge host to be discarded
        in the driver.

o Modified the Drawbridge start.sh so that it will now correctly bring up
        the 3c90x when it is used as the secondary ethernet card.


**** Version 3.0.1 ****
**** CHANGES (since Drawbridge 3.0) ****

o Fixed a bug in the fxp patch (Intel Pro 100+) for 2.2.8 which caused all
        packets to be discarded in the driver.


**** Version 3.0 ****
**** CHANGES (since Drawbridge 3.0 Beta 2) ****

o Fixed a typo in the filter.config file.  The sample config for the
        drawbridge host should have contained "<9-18/icmp in>" instead
        of "<8-18/icmp in>". 

o Fixed a bug in the accept/reject/override table logic which prevented
        the address 0.0.0.0 with a non-zero mask from being entered.

o Modified all of the supported NIC drivers so that Drawbridge will still
        work if BPF is enabled.

o The ethernet/fddi header length was not being added to the packet byte
        counters.  The header length is now included.

o Changed bytes/sec to bits/sec in the aggregate throughput section of
        the dbmgr monitor page.  The preamble, frame check sequence, and
        inter-packet gap are included in the calculation so the bits/sec
        display represents the true bandwidth being bridged through the
        firewall.

o Added a check to dbmgr to make sure its version matches the version of
        the code in the kernel.  This is necessary because they both share
        some of the same structure definitions which may change between
        versions.

o Created a patch file for FreeBSD 2.2.7-RELEASE and 2.2.8-RELEASE and
        removed the out of date patch for 2.2.5-RELEASE.  The patches for
        2.2.6 and 2.2.7 include the patch for CERT advisories FreeBSD-SA-98:07
        and CA-98-13-tcp-denial-of-service.

o Fixed an oversight in /etc/syslog.conf to prevent Drawbridge logs from
        being duplicated in /var/log/messages.

o Commented out the MAXMEM option from the Drawbridge kernel config file.
        This option caused problems on some systems.

o Fixed an error in the dbmgr builtin help for 'set logmask'.  Outgoing
        via accept and incoming via accept were reversed.

o The 'ie' (cards using Intel 82586 chip) and 'wl' (wavelan card) drivers
        are incompatible with Drawbridge so they have been commented out
        in the Drawbridge kernel config file.

o Fixed a small bug in the grammar definition for the compiler which
        caused the compiler to not print an error message when the first
        statement in the filter config file contained a syntax error.

o Modified the install script so that it will add the commands necessary
        to remake the drawbridge device to /dev/MAKEDEV.local.

o Added the rsaref port to the ssh-port directory.


**** Version 3.0 Beta 2 ****
**** CHANGES (since Drawbridge 3.0 Beta) ****

o Patched the vx ethernet driver (3com pci ethernet cards) so it would
        work with Drawbridge.

o Added the dropped packet counter to several ethernet drivers that had
        been overlooked.

o Made the changes necessary to build the Drawbridge package on FreeBSD
        2.2.6 as well as 2.2.5.


**** Version 3.0 Beta ****
**** CHANGES (since Drawbridge 3.0 Alpha) ****

o Ported from FreeBSD version 2.0.1 to 2.2.5.

o Put syslog support back in.  This had been left out of the initial
        port to FreeBSD.

o Fixed a bug in the listen interface code.

o Added support for incoming ICMP filtering based on the type of ICMP
        packet and the destination host.  This was mainly added to
        prevent ICMP echo requests to local broadcast addresses.

o Renamed the 'allow' table to the 'override' table.

o Added the 'accept' table to prevent IP spoofing from the inside
        to the outside.  This helps protect the rest of the Internet
        from malicious users on the local network. 
  
o Redesigned the table logic (accept, reject, override) to add
        the ability to have inverse rules.
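
The accept table's anti-spoofing role and the inverse rules mentioned in the two entries above, as one added C example (not Drawbridge code): a packet crossing from the inside interface to the outside is forwarded only if its source address matches the accept table, so a local host cannot emit packets claiming an outside source. An inverse rule is modelled as a rule with an invert flag that matches addresses outside its range; the page does not give the filter-language form of inverse rules, so that representation, the table layout, and the sample site network 128.194.0.0/16 are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not Drawbridge code.  Address tables with plain and inverse
 * rules, and the egress (inside -> outside) anti-spoofing check. */

#define MAX_RULES 8

struct addr_rule {
    uint32_t net;    /* network address, host byte order, host bits cleared */
    uint32_t mask;   /* prefix mask */
    int      invert; /* 0: match inside net/mask; 1: match outside it (inverse rule) */
};

struct addr_table {
    struct addr_rule rules[MAX_RULES];
    int n;
};

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Returns 0, or -1 when the table is full. */
int table_add(struct addr_table *t, uint32_t net, uint32_t mask, int invert)
{
    if (t->n >= MAX_RULES) return -1;
    t->rules[t->n].net    = net & mask;
    t->rules[t->n].mask   = mask;
    t->rules[t->n].invert = invert;
    t->n++;
    return 0;
}

/* 1 if any rule in the table matches addr. */
int table_matches(const struct addr_table *t, uint32_t addr)
{
    for (int i = 0; i < t->n; i++) {
        const struct addr_rule *r = &t->rules[i];
        int in_range = (addr & r->mask) == r->net;
        /* plain rule matches when in range, inverse rule when out of range */
        if (in_range != r->invert)
            return 1;
    }
    return 0;
}

enum verdict { DROP = 0, PASS = 1 };

/* Egress anti-spoofing: an inside -> outside packet passes only when its
 * source is in the accept table.  Traffic in the other direction is not
 * subject to this table. */
enum verdict egress_check(const struct addr_table *accept, uint32_t src)
{
    return table_matches(accept, src) ? PASS : DROP;
}

/* Constructed sample: the site network is the only accepted source. */
int build_sample_accept(struct addr_table *t)
{
    t->n = 0;
    return table_add(t, ip4(128, 194, 0, 0), 0xffff0000u, 0);
}

/* How many of a constructed batch of outbound sources would be dropped. */
int sample_dropped(void)
{
    struct addr_table accept;
    build_sample_accept(&accept);
    uint32_t srcs[] = {
        ip4(128, 194, 12, 3),    /* legitimate local host */
        ip4(128, 194, 255, 254), /* legitimate local host */
        ip4(192, 0, 2, 10),      /* forged outside source */
        ip4(10, 1, 2, 3),        /* forged private source */
    };
    int dropped = 0;
    for (size_t i = 0; i < sizeof srcs / sizeof srcs[0]; i++)
        if (egress_check(&accept, srcs[i]) == DROP)
            dropped++;
    return dropped;
}

/* A table holding one inverse rule ("everything except 10.0.0.0/8"). */
int inverse_rule_demo(uint32_t addr)
{
    struct addr_table t = { .n = 0 };
    table_add(&t, ip4(10, 0, 0, 0), 0xff000000u, 1);
    return table_matches(&t, addr);
}

int main(void)
{
    return sample_dropped() == 2 ? 0 : 1;
}
```

Because the accept table only ever sees the source address of outbound packets, its rule set can stay very small (the site's own prefixes), which is also why a constant-time lookup for it, as 3.1 later introduced, matters more for the reject and override tables than for this one.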

o Made all counters 64 bit to prevent rollover.

o Added an option to filter certain ICMP attacks and an option to
        filter fragmented ICMP packets.

o Added a breakdown of the filtered packets counter on the monitor
        screen.  Each filter now has its own counter to make it
        easier to tell what kinds of packets are being filtered
        without turning on logging of each filtered packet.

o Modified dbfc and dbmgr to support the new features listed above.

o Removed the '-b' switch from the filter compiler.  The manager now
        always expects the compiled data files to be in network byte
        order.

o Fixed a bug in the filter compiler that displayed inaccurate min/avg/
        max values for the number of table entries for each class in
        the generated class table.


**** Version 3.0 Alpha (not publicly released) ****
**** CHANGES (since Drawbridge 2.0.1) ****

o This version is a complete rewrite for the FreeBSD 2.0.1 operating
        system.  A lot has changed from version 2.0 so it will be
        necessary to read all the documentation before setting up
        version 3.0.  Instead of describing all the specific changes,
        I have listed general changes below.

o The Filter program has been completely replaced with a modified
        FreeBSD kernel.  All filtering/bridging is handled inside
        the kernel at the interface layer.  All packet processing
        is interrupt driven for the best possible speed.

o The Filter Manager has been completely rewritten and renamed 'dbmgr'
        (Drawbridge Manager).  The manager now runs on the Drawbridge
        system instead of on a remote system.  Remote management can
        still be accomplished by using ssh (secure shell) to login to
        the Drawbridge system to use dbmgr locally.

o The Filter Compiler has been renamed to 'dbfc' (Drawbridge Filter
        Compiler) and can now be run on the Drawbridge system as well
        as on a remote system.  If it is run remotely, the resulting
        files can be transferred to the Drawbridge system in a secure
        manner using scp (secure copy).

o All Drawbridge management can now be done from the console while the
        system is running.  No packet loss will result from management
        operations because all packet filtering and forwarding is done
        at the interrupt level in the FreeBSD kernel.  If desired,
        remote access can be completely disabled for added security.


**** Version 2.0.1 ****
**** CHANGES (since Drawbridge 2.0) ****

o Ported fm and fc to Linux.


**** Version 2.0 ****
**** CHANGES (since Drawbridge 2.0 Beta) ****

o Changed the behavior of fm when not reading from a terminal. It used
        to throw all output except stderr away. Now it does not throw
        output away. If you wish the output to go to /dev/null use a
        shell redirection.

o Changed the behavior of the -b switch on fc. Since the tools are
        endian clean now, the only use for the switch is for sneakernet
        transfer of the files to Filter.  Therefore Filter Compiler now
        also modifies the filenames of the output files when -b is
        specified so that they are the filenames that Filter expects.

o Removed some definitions that prevented Filter from compiling under
        Borland C++ version 3.

o Made the Makefiles more portable. You now invoke them with the
        platform desired to build fc and fm. Thanks go to Ralph
        Mitchell for providing patches for compilation on AIX.

o Added in syslog support. Thanks go to Klaus-Peter Kossakowski
        and Uwe Ellermann at DFN-CERT for providing much of the
        implementation.

o Cleaned up the syslog support and added in the LogMask. Some
        of the syslogging may get tortuous depending on the kind
        of traffic on the network that Drawbridge is attached to.

o Added optional filtering of TCP IP fragments with suspicious
        offsets and optional filtering of IP protocols other than
        TCP/UDP/ICMP. Thanks go to Klaus-Peter Kossakowski and
        Uwe Ellermann at DFN-CERT for some of this code.


**** Version 2.0 Beta ****
**** CHANGES (since Drawbridge 2.0 Alpha) ****

o NDIS 2.1 from Microsoft rather than NDIS 2.0 from 3Com is now
        included. Thanks go to Alex Li for giving me the pointer to the
        newer version.

o Patches have been made so that fc and fm will now run on little
        endian machines. If you can get fc and fm to compile,
        endianness should not be a problem. Thanks go to Danny Thomas
        for generating the fixes for fc.  (Note that due to the
        extensive amount of changes required, fc and fm do not and will
        not any time soon run on 64 bit architectures (e.g. Alpha).)

o An uptime statistic has been added to the statistics reporting.

o The original paper covering the entire TAMU security package has been
        updated to cover Drawbridge 2.0. It is still not up to date on
        Tiger and Netlog but will be soon.

o Added "retries" and "timeout" variables to the fm user interface.
        When managing a Drawbridge installation that uses floppy disk
        for the storage of the tables, a write can easily timeout. The
        default values are 3 retries and 3 seconds.


**** Version 2.0 Alpha ****
**** CHANGES (since Drawbridge 1.1) ****

o Filter now supports FDDI to FDDI filtering. Note however that
        due to the inherent limitations with bridging on FDDI,
        Filter will only work under a very specific and limited
        configuration. This is documented in the file doc/FILTER.
        Please send email to drawbridge@net.tamu.edu if you have
        further questions.

o Filter now uses NDIS 2.01 DOS drivers. Therefore any Ethernet
        cards or FDDI cards with adequate NDIS drivers can be
        used with Drawbridge 2.0.

o Filter now has an IP protocol stack and the management occurs
        via UDP. This allows the Filter Manager to run on just
        about any Unix platform that has BSD sockets. (Note
        that currently I haven't ported it to platforms other
        than Solaris 2.3.)

o Filter now uses an (as far as we know) exportable Pseudo One
        Time Pad cryptographic scheme for authentication and
        privacy over the management channel.

o Filter now provides statistics from both the console and
        Filter Manager. Both Filter specific and NDIS
        statistics are reported.

o Filter is now interrupt driven rather than polling (forced
        because of NDIS) and performance is better.  With the
        previously recommended setup Filter now produces peak
        transfer rates of approximately 5.5 Mb/sec versus the
        previously measured peak of 3.5 Mb/sec. 10 Mb/sec on
        ethernet should be easily achieved with faster cards,
        buses and CPUs.

        Under FDDI with a 60MHz Pentium and two EISA Network
        Peripherals FDDI cards, data rates up to 18Mb/sec have
        been measured. The actual limit is higher but we do
        not have a reliable testbed capable of generating and
        measuring higher data rates at this time.

o Filter now uses XMS to store the network tables in extended
        memory.  A cache is kept in low memory.

o Filter has a new switch which controls whether or not packets
        other than IP/ARP/RARP are transparently bridged.

o Filter Compiler (and Filter) is backward source and binary
        compatible. Other than bug fixes, no changes have
        been made to the Filter Compiler.

        For Filter, the DES key file is no longer used and
        a new file PASSWORD is maintained.  Also Filter
        Manager no longer uses .fmkey.* files.

o The GNU Copyleft has been removed. This material is now
        covered under a Berkeley/MIT style copyright, i.e.
        you can do anything you want with the code but must
        credit us. See the file COPYING.

o A few commands have been added/changed in the Filter
        Manager. The changes are documented under the help
        system.