Drawbridge Changes
Drawbridge 4.0 (December 22, 2003)
----------------------------------
o Initial release
o Changes in dbmgr
The Drawbridge Manager application (dbmgr) has undergone some minor
functionality changes. These changes deal mostly with the removal
of commands and settings that are no longer needed for the netgraph
port.
o Support for syslog is available, but the syslog mask is now set at
compile time and is not changeable. The syslog code is undergoing a
major overhaul for the next release.
o Ported to netgraph
The netgraph version of Drawbridge should work with FreeBSD version
3.4-RELEASE or higher, or any 4.x version of FreeBSD. It will not
work with version 5.x of FreeBSD. A version of Drawbridge for
FreeBSD 5.x will be released soon.
o Removed FDDI support
FDDI support has been removed from version 4.0. If you require FDDI
support, please send a note to drawbridge-owner@net.tamu.edu.
o Removed support for IP addresses on firewall interfaces
A typical Drawbridge box now requires 4 interfaces: inside, outside,
mirror (optional), and management. This was done primarily for
security reasons.
**** Version 3.1 ****
**** CHANGES (since Drawbridge 3.0.2) ****
o Redesigned the data structures for IP address lookup to remove the
IP class restrictions. You can now specify any host address or
range, not just class B or C addresses.
o The behavior of the 'network' command in the filter language has been
slightly modified due to the new data structures. When an address
and mask are specified, the host portion of the address is now
ignored and will generate a warning if it is non-zero.
o The filter language commands 'network', 'reject', and 'accept' will now
accept a range of addresses specified using <network> / <bits>
notation.
o Changed the data type of a filter class index from unsigned char to
unsigned short. This removes the limit of 256 maximum filter rule
sets.
o Redesigned the data structures for the Accept, Reject, and Override
tables. This removes the limit of 32 maximum addresses. These
tables now also have a constant time lookup so you can have as
many accepts, rejects, or overrides as you want without degrading
performance.
o New tables are no longer loaded on top of the running 'live' tables. In
previous 3.x versions, the host table and class tables were out of
sync for a split second as new tables were being loaded. The new
tables are now loaded into separate memory and become active as
an atomic operation once all tables have been loaded.
o Added five new port range filter tables: tcp_src_out, udp_dst_out,
udp_src_in, udp_src_out, icmp_type_out. The new tables fill in the
gaps and now allow the same filters for both incoming and outgoing
packets. For example, the rule <src=53/udp in> will now work as
expected.
o Added support to the compiler to handle host names which resolve to
multiple IP addresses. The compiler will now apply the filter
to all of the IP addresses returned by DNS instead of just the
first address.
o The compiler now generates much smaller files, due partly to the new
data structures and partly to implementing simple compression which
gets rid of the null data from the file.
o You can now configure drawbridge to send back a tcp reset (host unreachable)
when a tcp connection is denied by a filter rule. You can separately
configure which denied ports will send back a tcp reset for the inside
and outside interfaces.
o You can now set the global flags Multicast, NonIP, OtherIP, SuspectOffset,
FragmentedICMP, and AttackICMP in the filter configuration file.
They are loaded with the rest of the filter definitions when
db_filters is loaded.
o Added support for flexible port mirroring to a third interface. This is
useful for situations where drawbridge is installed in a full-duplex
environment and there's no other way to install an external traffic
monitor.
o The configuration of the listen interface has been moved from the dbmgr
init command to a dbmgr set command. You can now change which
interface(s) drawbridge will listen to on the fly while drawbridge
is running.
o Added readline support to the dbmgr interface which provides command
history and command completion.
o Dbfc now issues a warning when a host is redefined in the filter config
file.
o Dbfc now issues a warning instead of a fatal error when name resolution
for a host fails.
o Dbfc now issues an error if an include file is not found or not readable.
o Fixed a dbfc bug which caused it to crash when no classes were defined.
o Fixed a bug in the syslog code which caused a MAC layer syslog message
to print incorrectly.
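The address lookup changes in this release (any prefix length rather than class B/C only, the 'network' command ignoring the host portion with a warning, constant-time accept/reject/override tables, and new tables being built separately and then swapped in atomically) can be illustrated together. The following is an added example written for this page, not Drawbridge or dbfc code; the spec grammar it parses, the "class-filter" fall-through value and the class names are assumptions chosen to mirror the descriptions above.

```python
# Added example, not Drawbridge's own code. It illustrates three 3.1 changes:
# arbitrary prefix lengths (no class B/C restriction), the 'network' command's
# handling of address/mask specs (host bits ignored with a warning), and
# accept/reject-style tables with constant-time lookup that are built in
# private memory and then swapped in with a single reference store.
import ipaddress
import warnings
from typing import Dict, Iterable, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def prefix_mask(bits: int) -> int:
    """32-bit netmask for a prefix length (0..32)."""
    if not 0 <= bits <= 32:
        raise ValueError(f"bad prefix length {bits}")
    return (ALL_ONES << (32 - bits)) & ALL_ONES


def parse_address_spec(spec: str) -> Tuple[int, int, Optional[str]]:
    """Parse 'a.b.c.d/bits', 'a.b.c.d m.m.m.m' (address and mask) or a bare host.

    Returns (network, bits, note). The host portion of the address is ignored;
    'note' carries warning text when it was non-zero, otherwise None.
    The grammar is an assumption loosely modelled on the filter language,
    not a copy of dbfc's.
    """
    spec = spec.strip()
    if "/" in spec:
        addr_s, bits_s = spec.split("/", 1)
        bits = int(bits_s)
    else:
        parts = spec.split()
        if len(parts) == 1:
            addr_s, bits = parts[0], 32
        elif len(parts) == 2:
            addr_s, mask_s = parts
            mask = int(ipaddress.IPv4Address(mask_s))
            bits = bin(mask).count("1")
            if mask != prefix_mask(bits):      # ones must be contiguous
                raise ValueError(f"non-contiguous mask {mask_s}")
        else:
            raise ValueError(f"cannot parse address spec {spec!r}")
    addr = int(ipaddress.IPv4Address(addr_s))
    network = addr & prefix_mask(bits)
    note = None
    if network != addr:
        note = (f"{spec}: host portion ignored, using "
                f"{ipaddress.IPv4Address(network)}/{bits}")
    return network, bits, note


class AddressTable:
    """Accept/reject/override-style table. One dict per prefix length, so a
    lookup costs at most 33 hash probes however many entries are loaded."""

    def __init__(self) -> None:
        self._by_len: Dict[int, Dict[int, str]] = {}

    def add(self, spec: str, action: str) -> None:
        network, bits, note = parse_address_spec(spec)
        if note:
            warnings.warn(note)
        self._by_len.setdefault(bits, {})[network] = action

    def lookup(self, ip: str) -> Optional[str]:
        addr = int(ipaddress.IPv4Address(ip))
        for bits in range(32, -1, -1):          # most specific prefix wins
            entries = self._by_len.get(bits)
            if entries:
                action = entries.get(addr & prefix_mask(bits))
                if action is not None:
                    return action
        return None


class Firewall:
    """Keeps the live table behind a single reference. reload() builds a
    complete new table first and publishes it with one assignment, so a
    packet being filtered sees either the old table or the new one, never
    a half-loaded mix."""

    def __init__(self) -> None:
        self._live = AddressTable()

    def reload(self, rules: Iterable[Tuple[str, str]]) -> int:
        new = AddressTable()
        for spec, action in rules:
            new.add(spec, action)
        self._live = new            # single reference store: the swap point
        return sum(len(t) for t in new._by_len.values())

    def decide(self, ip: str) -> str:
        table = self._live          # one snapshot for the whole decision
        # No match: fall through to the per-class port filters (assumed name).
        return table.lookup(ip) or "class-filter"
```

The lookup walks prefix lengths from 32 down to 0 so the most specific entry wins and the cost is bounded by the number of prefix lengths, not the number of entries; the reload never mutates the table that packets are currently being checked against.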
**** Version 3.0.2 ****
**** CHANGES (since Drawbridge 3.0.1) ****
o Fixed a bug in the ep patch (3C509) for 2.2.8 which caused packets
which were not addressed to the Drawbridge host to be discarded
in the driver.
o Modified the Drawbridge start.sh so that it will now correctly bring up
the 3c90x when it is used as the secondary ethernet card.
**** Version 3.0.1 ****
**** CHANGES (since Drawbridge 3.0) ****
o Fixed a bug in the fxp patch (Intel Pro 100+) for 2.2.8 which caused all
packets to be discarded in the driver.
**** Version 3.0 ****
**** CHANGES (since Drawbridge 3.0 Beta 2) ****
o Fixed a typo in the filter.config file. The sample config for the
drawbridge host should have contained "<9-18/icmp in>" instead
of "<8-18/icmp in>".
o Fixed a bug in the accept/reject/override table logic which prevented
the address 0.0.0.0 with a non-zero mask from being entered.
o Modified all of the supported NIC drivers so that Drawbridge will still
work if BPF is enabled.
o The ethernet/fddi header length was not being added to the packet byte
counters. The header length is now included.
o Changed bytes/sec to bits/sec in the aggregate throughput section of
the dbmgr monitor page. The preamble, frame check, and inter-packet
gap are included in the calculation so the bits/sec display
represents the true bandwidth being bridged through the firewall.
o Added a check to dbmgr to make sure its version matches the version of
the code in the kernel. This is necessary because they both share
some of the same structure definitions which may change between
versions.
o Created a patch file for FreeBSD 2.2.7-RELEASE and 2.2.8-RELEASE and
removed the out of date patch for 2.2.5-RELEASE. The patches for
2.2.6 and 2.2.7 include the patch for CERT advisories FreeBSD-SA-98:07
and CA-98-13-tcp-denial-of-service.
o Fixed an oversight in /etc/syslog.conf to prevent Drawbridge logs from
being duplicated in /var/log/messages.
o Commented out the MAXMEM option from the Drawbridge kernel config file.
This option caused problems on some systems.
o Fixed an error in the dbmgr builtin help for 'set logmask'. Outgoing
via accept and incoming via accept were reversed.
o The 'ie' (cards using Intel 82586 chip) and 'wl' (wavelan card) drivers
are incompatible with Drawbridge so they have been commented out
in the Drawbridge kernel config file.
o Fixed a small bug in the grammar definition for the compiler which
caused the compiler to not print an error message when the first
statement in the filter config file contained a syntax error.
o Modified the install script so that it will add the commands necessary
to remake the drawbridge device to /dev/MAKEDEV.local.
o Added the rsaref port to the ssh-port directory.
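The port range filter tables completed in 3.1 (tcp_src_out, udp_src_in and friends, so that a rule such as <src=53/udp in> works the same way as its outgoing counterpart), the per-interface TCP reset option for denied connections, and the "<9-18/icmp in>" sample rule corrected above all describe one piece of filtering logic. The following is an added example written for this page, not Drawbridge's own code. It assumes that a range rule lists traffic the class permits, that a port spec without src= or dst= refers to the destination port (or the ICMP type), that unmatched traffic is denied, and that the inside/outside interface names select the reset configuration; none of those details are taken from the page's source.

```python
# Added example, not Drawbridge's own code. It models the direction-specific
# port/type range tables that 3.1 completed (tcp_src_out, udp_src_in, ...) and
# the per-interface choice of sending a TCP reset for a denied connection.
# Assumptions: rules such as <src=53/udp in> or <9-18/icmp in> list the
# traffic a class permits, a port spec without src=/dst= refers to the
# destination port (or the ICMP type), and anything unmatched is denied.
from typing import Dict, List, Tuple

Range = Tuple[int, int]


def parse_range(text: str) -> Range:
    """'53' -> (53, 53); '9-18' -> (9, 18)."""
    lo, _, hi = text.partition("-")
    lo_i, hi_i = int(lo), int(hi) if hi else int(lo)
    if lo_i > hi_i:
        raise ValueError(f"bad range {text}")
    return lo_i, hi_i


class PortRangeTables:
    """One table per (proto, field, direction), e.g. ('udp', 'src', 'in')."""

    def __init__(self) -> None:
        self.tables: Dict[Tuple[str, str, str], List[Range]] = {}

    def add_rule(self, rule: str) -> Tuple[str, str, str]:
        """Parse '<src=53/udp in>', '<9-18/icmp in>' or '<80/tcp in>' and
        return the table key the range was filed under."""
        body = rule.strip()
        if not (body.startswith("<") and body.endswith(">")):
            raise ValueError(f"rule must be enclosed in <>: {rule}")
        spec, direction = body[1:-1].split()
        if direction not in ("in", "out"):
            raise ValueError(f"direction must be in or out: {rule}")
        ports, proto = spec.split("/")
        if "=" in ports:
            field, ports = ports.split("=")
        else:
            field = "type" if proto == "icmp" else "dst"
        key = (proto, field, direction)
        self.tables.setdefault(key, []).append(parse_range(ports))
        return key

    def allows(self, proto: str, direction: str, **fields: int) -> bool:
        """True when any table for this proto/direction covers one of the
        packet's fields (src=, dst= or type=)."""
        for field, value in fields.items():
            for lo, hi in self.tables.get((proto, field, direction), []):
                if lo <= value <= hi:
                    return True
        return False


class ResetPolicy:
    """Denied TCP destination ports that get a RST instead of a silent drop,
    kept separately for the inside and outside interfaces."""

    def __init__(self) -> None:
        self.reset_ports: Dict[str, List[Range]] = {"inside": [], "outside": []}

    def add(self, iface: str, ports: str) -> None:
        self.reset_ports[iface].append(parse_range(ports))

    def denied_action(self, iface: str, proto: str, dst: int) -> str:
        if proto == "tcp":
            for lo, hi in self.reset_ports[iface]:
                if lo <= dst <= hi:
                    return "reset"
        return "drop"


def decide(tables: PortRangeTables, policy: ResetPolicy, iface: str,
           proto: str, direction: str, **fields: int) -> str:
    """'accept' when a range table matches; otherwise 'reset' or 'drop'."""
    if tables.allows(proto, direction, **fields):
        return "accept"
    return policy.denied_action(iface, proto, fields.get("dst", -1))
```

Because every (proto, field, direction) combination has its own table, an incoming rule keyed on the source port is looked up exactly like an outgoing one, which is the gap the five new tables closed; the reset decision is consulted only after a deny and only for TCP, so UDP and ICMP denials stay silent.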
**** Version 3.0 Beta 2 ****
**** CHANGES (since Drawbridge 3.0 Beta) ****
o Patched the vx ethernet driver (3com pci ethernet cards) so it would
work with Drawbridge.
o Added the dropped packet counter to several ethernet drivers that had
been overlooked.
o Made the changes necessary to build the Drawbridge package on FreeBSD
2.2.6 as well as 2.2.5.
Last Updated: Mon, Jun 29, 2009
