Last update: 01/15/2014
Current version: 1.8.1
Latest beta snapshot: 1.8.2b576

Change log
- 1.8.x
- Change log highlights (see the SVN change log for the full details):
- add scheduler ("Croen") service with many different job types (enable/disable interface or shaper rule, Wake on LAN, reboot, reconnect WAN, execute command etc.)
- improved IPv6 support, including IPsec, DHCPv6-PD, RDNSS and DNSSL, and NDP info on the ARP diagnostic page
- major overhaul of wireless LAN support. On some cards, it is now also
possible to create multiple APs at the same time. To reflect this
change, the wireless settings have moved to the Interfaces: assign
page, where WLAN subinterfaces can be created much like for VLANs.
- DNS forwarder: add option to log DNS queries, add aliases (CNAMEs) and MXs
- Add AES-256, SHA-256/384/512 and additional DH group options to IPsec
- Make rule moving and deletion on shaper rules page work like for firewall rules.
- Initial support for USB modems
- enable CPU hardware crypto support
- automatically reassign available physical network interfaces if none
of the assigned interfaces in the configuration can be found on the system
(i.e. for a new installation, or when moving an existing config to new
hardware)
- the "embedded" image is gone; generic-pc-serial should now be used for PC Engines and Soekris boards
- console speed for serial images is fixed to 9600 baud (no longer tries to use BIOS preset value)
- introduction of an automated build system that allows one to build m0n0wall from scratch with
almost no manual intervention on a standard FreeBSD 8.4 system
- countless bug fixes and improvements in UI and system configuration code
- 1.34a (01/21/2014)
- Increased firmware upload MFS size to accommodate 1.8.1 images
- 1.34 (11/12/2012)
- Backported from beta branch:
- Eliminate modifying GETs from webGUI pages.
Note: the API pages exec_raw.php and uploadconfig.php now require
different parameters than before. exec_raw.php now requires the cmd to
be given in a POST, and both pages need a valid CSRF magic token,
which can be obtained by issuing a GET first without any parameters
(see example in exec_raw.php comment).
- Make rule moving and deletion on shaper rules page work like for
firewall rules.
- Add csrf-magic for CSRF protection in webGUI.
- Fix potential XSS in diag_ping.php and diag_traceroute.php.
- Increase key size of auto-generated webGUI certificates to 2048 bits.
- Update default webGUI certificate/key.
- Remove domain name handling from dhclient-script and change ARP command not to use sed (not used/available in m0n0wall).
- Change virtualHW version to 7 for VMWare image to avoid errors in ESX 4
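The 1.34 entry above describes a request discipline rather than a single setting: no state-changing GETs, and a command-execution page that accepts `cmd` only in a POST carrying a CSRF token that the client first fetches with a parameterless GET. The following is an added Python illustration of that discipline, not m0n0wall's or csrf-magic's code. The token construction (an HMAC over the session id) and the field name `csrf_token` are assumptions made for this example; csrf-magic has its own token format and field name, which this code does not reproduce.

```python
"""Added example: the GET-for-token, POST-for-action pattern from the 1.34 notes.

Not m0n0wall's own code. Token format (HMAC over the session id) and the
CSRF_FIELD name are assumptions for this example, not csrf-magic's.
"""
import hashlib
import hmac
import secrets

CSRF_FIELD = "csrf_token"                 # assumed field name (not csrf-magic's)
SERVER_SECRET = secrets.token_bytes(32)   # constructed per-process secret


def issue_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token handed out on a parameterless GET, bound to the caller's session."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(token, session_id: str, secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison against the token this session should hold."""
    expected = issue_token(session_id, secret)
    return isinstance(token, str) and hmac.compare_digest(token, expected)


def handle_exec_request(method: str, params: dict, session_id: str,
                        secret: bytes = SERVER_SECRET):
    """Dispatch for a command-execution page following the 1.34 rules.

    Returns (status, payload):
      ("token", <token>)    parameterless GET: hand out the CSRF token
      ("run", <cmd>)        POST with cmd and a valid token: action allowed
      ("reject", <reason>)  anything else
    """
    if method == "GET":
        if params:
            # Modifying GETs are gone: a GET carrying parameters changes nothing.
            return ("reject", "state-changing GET not accepted")
        return ("token", issue_token(session_id, secret))
    if method == "POST":
        if not token_is_valid(params.get(CSRF_FIELD), session_id, secret):
            return ("reject", "missing or invalid CSRF token")
        cmd = params.get("cmd")
        if not cmd:
            return ("reject", "cmd missing")
        return ("run", cmd)
    return ("reject", f"method {method} not allowed")


def client_flow(session_id: str, cmd: str, secret: bytes = SERVER_SECRET):
    """The two-step exchange a legitimate client performs: GET, then POST."""
    status, token = handle_exec_request("GET", {}, session_id, secret)
    if status != "token":
        return (status, token)
    return handle_exec_request("POST", {"cmd": cmd, CSRF_FIELD: token},
                               session_id, secret)


if __name__ == "__main__":
    print(client_flow("sess-A", "uptime"))                          # ("run", "uptime")
    # A forged cross-site request cannot read the victim's token, so at best
    # it sends a POST without one, or a GET; both are refused.
    print(handle_exec_request("POST", {"cmd": "uptime"}, "sess-A"))  # reject
    print(handle_exec_request("GET", {"cmd": "uptime"}, "sess-A"))   # reject
```

The point of the two-step flow is that the token is only ever returned in a response the legitimate session can read; a page on another origin can cause the browser to send a request, but not to read the token out of the reply, so a POST it forges arrives without a valid token and is refused before `cmd` is looked at.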
- 1.33 (03/16/2011)
- a new image type "generic-pc-serial" has been added; the only difference to generic-pc is that it always uses the serial console (on COM1 at whatever speed the BIOS set it to)
- added Realtek customized network chip driver to support additional chipsets
- updated ipfilter to 4.1.33
- inbound NAT rules can now be added on the LAN interface with the WAN address as a target; this helps with accessing servers on an optional interface from the LAN interface by using m0n0wall's WAN IP address
- IPv6 improvements by Andrew White:
- support for LAN IPv6 prefix assignment using DHCP-PD
- added MTU option for RA
- added AICCU to interface status page
- added IPv6 support for syslog destination
- added IPv6 support for Diagnostics: Firewall States
- added error handling to interface status page for AICCU being down
- fixed DHCPv6 server setup when target interface is configured in 6to4 mode (reported by Brian Lloyd)
- modified "disable port mapping" option so that it will actually avoid port
mapping whenever possible, but fall back to port mapping if another mapping
for the same port already exists
(inspired by a patch submitted by Adam Swift)
- added support for user-customizable captive portal logout and status page, as well as a password change option for local CP users (contributed by Stephane Billiart)
- added 'Bind to LAN' option for syslog, so you can syslog over a VPN tunnel
- fixed dnswatch to deal with changed resolv.conf (for IPsec tunnels to dynamic endpoints)
- fixed various XSS vulnerabilities in webGUI
- added option on advanced setup page to defend against DNS rebinding attacks
- fixed extra slash in captive portal redirect
- added support for (manually updated) CRLs for IPsec VPN (contributed by Sebastian Lemke)
- prevent /ext directory from being listed through webGUI (reported by Bernd Strehhuber)
- fixed typo in system_do_extensions() that broke extensions support (reported by Bernd Strehhuber)
- added check for DHCP reservation entries for the same MAC address
- changed EDNS to 4096 from default of 1280 for dnsmasq, should help with DNSSEC
- don't let missing DNS server information keep DHCPD from starting
- 1.32 (04/17/2010)
- add kernel patch for vr(4) lockups after link flaps (e.g. on ALIX boards)
- make motherboard monitor off by default, and switchable in advanced/misc
- allow both a v4 and a v6 entry for the same host in DNS forwarder overrides
- fix nameserver handling when IPv6 PPP WAN is enabled
- fix auto suggested IPv6 address
- add wildcard information text for DNS forwarder
- add Fahrenheit support for system temperatures
- add support for DNS forwarder wildcard, use * as hostname
- add SixXS interface to traffic graph
- fix IPv6 link local filter rule
- fix DHCPv4 having IPv6 address inserted in dhcpd.conf
- 1.31 (03/06/2010)
- IPv6 improvements
- allow IPv6 addresses for domain overrides in DNS forwarder
- added 'strict order' to DNS forwarder (useful when using SixXS DNS)
- initial support for AYIYA for SixXS tunnels
- fix for DHCPv6 firewall rules
- allow link-local addresses to communicate
- allow input of DUID in MAC address field of a DHCPv6 reservation
- DHCPv6 reservations are now also added to DHCPv4
- fix to WAN DHCP (release/renew button)
- added option to disable spoof check on bridge (use to enable non-m0n0wall DHCP servers
and/or multicast traffic)
- added system fans/temperature monitoring on status page – should work on a reasonable
set of PC hardware (but not on Soekris/PC Engines boards)
- improved handling of accesses to pages that the user is not authorized for
- added fix for OpenSSL session renegotiation vulnerability
- added patch to ISC-DHCP to rewrite lease file every 5 minutes (reduce growth rate and
occurrence of MFS exhaustion)
- 1.3 (11/30/2009)
- WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
- When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
- fixed DHCP server "deny unknown clients" option with known clients
without a statically assigned IP address
- fixed a security issue in the DHCP client (CVE-2009-0692)
- 1.3b18 (08/16/2009)
- WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
- When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
- fixed broken IPsec support (missing library)
- 1.236 (09/30/2009)
- fixed a security issue in the DHCP client (CVE-2009-0692)
- captive portal fixes (jdegraeve):
- changed RADIUS timeout/maxtries from 5/3 to 3/2 reducing failover time from 30 to 15 seconds
- added RADIUS attribute support for: ChilliSpot-Bandwidth-Max-Up/ChilliSpot-Bandwidth-Max-Down
- fixed concurrent login detection, now case-insensitive
- fixed Pass-Through MAC addresses in combination with RADIUS MAC authentication
- SVG fixes for IE7/8
- properly escape DHCP client hostnames in webGUI
- 1.3b17 (08/12/2009)
- WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
- When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
- Converted from BRIDGE to if_bridge. Removed multi-interface bridge check,
and checkbox under System > Advanced for filtering bridge since member
interfaces will now always be filtered
- fixed a problem with ipnat refusing to create new RDR translation entries
in the NAT table if a MAP entry exists for the same port, even though that
check is probably only meant to check for existing RDR entries. This
fixes issues with SIP communication when there is an inbound NAT
mapping for port 5060.
(see also http://marc.info/?l=ipfilter&m=121749272404107&w=2)
- fixed problems when using advanced outbound NAT rules with destination
matching (non-FTP connections were processed by the ipnat FTP proxy,
leading to slowness, lost connections, rogue ICMP host unreachable
messages etc. because ipfilter requires an additional match statement
on the destination port when using proxies)
- fixed DHCP lease page to only show the last lease for a given IP address
(see dhcpd.leases(5))
- fixed for IPv6 pages in user/group manager
- show IPv4 gateway on Status: Interfaces page (was removed inadvertently)
- fixed bug with IPv6 subnets in firewall rules
- added device msk to kernel configuration
- updated base system to FreeBSD 6.4
- avoided PEAR dependency and fixed DHCPv6 range check when interface is not configured with a v6 address
- put logging back in for anti-spoof block rule
- 1.3b16 (04/11/2009)
- WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
- When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
- opened firewall rules for link-local IPv6 addresses on optional and LAN interfaces
- initial basic support for secondary IP addresses
- added DHCPv6 support
- added additional RA options for LAN and Optional interfaces, required for DHCPv6
- added all-servers option to dnsmasq and removed overlap check as having multiple
nameservers per domain is a valid configuration
- changed interface status page to list all IP addresses on an interface
- allow RA support on WAN interface, and add feature to automatically
suggest an IPv6 address for the LAN interface, based on an RA received
from WAN/ISP (contributed by Andrew White)
- added IPv6 support to mini_httpd (for the webGUI)
- allow IPv6 addresses for DNS servers on System: General setup page, and
for hosts on the DNS forwarder setup page
(contributed by Andrew White)
- allow the remote syslog port to be changed (requested by Martin Desormeaux
for m0n0log project)
- added kernel security patch FreeBSD-SA-08:11.arc4random
- added support for Broadcom BCM5722 NIC
(suggested by Sebastian Lemke)
- fixed display of firewall rules and static routes pages in group manager
(reported by Peter Allgeyer)
- 1.3b15 (10/11/2008)
- WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
- When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
- added support for AICCU (a tool for dynamically configuring IPv6 tunnels
from SixXS, allowing
users with dynamic WAN IP addresses to use tunnels)
Note that only heartbeat tunnels are supported at this time (no AYIYA)
- updated kernel to 6.3-RELEASE-p5 (ICMPv6 denial of service fix; IPv6
NDP routing vulnerability fix)
- fixed IPv6-ICMP firewall rule type matching
- added patch to enable custom next-server and filename options for
static mappings in DHCP server (by Stephen Erisman)
- made PPPoE MTU on WAN configurable
- removed SIP proxy logging remnants
- 1.235 (09/04/2008)
- fixed DNS forwarder override domain feature
- fixed a long standing bug with regenerating firewall rules (including automatically generated ones)
that reference the WAN interface when the WAN IP address changes
- added a map rule for port 53 to avoid problems with clashes between inbound NAT
rules and Dnsmasq random port selection
- 1.3b14 (08/23/2008)
- WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
- When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
- consolidated net45xx, net48xx and wrap images into a single "embedded"
image
- an official VM for VMware is now provided with this and all future versions
- modified boot loader for embedded images to use the serial speed set by
the BIOS (and no longer a fixed speed as soon as the kernel boots),
as in 1.2x releases
- imported "install on Hard Drive" feature (console menu) from AskoziaPBX; this
allows one to install an image on HD/CF by first booting with the cdrom
version of m0n0wall
- removed SIP proxy (not much feedback from users; used a considerable amount of
space)
- imported ipnat source port randomization patch from FreeBSD CVS
(important when running DNS servers behind m0n0wall with NAT turned on);
added new option to System: Advanced page to control the port range used
for random source port allocation during outbound NAT (default is
1024 - 64535; portrange sysctls have been adjusted accordingly)
- fixed a long standing bug with regenerating firewall rules (including
automatically generated ones) that reference the WAN interface when the
WAN IP address changes
- changed ZoneEdit update server name to dynamic.zoneedit.com
- show driver names for network interfaces (obtained from dmesg) when
assigning interfaces to make it a bit easier for the user to choose
- updated Dnsmasq to 2.45
- fixed broken time zones (hard links in zoneinfo.tgz)
- added kernel patch to fix ATA on some Cyrix/Geode based boards
(see http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/dev/pci/pci.c#rev1.343)
(suggested by Konrad Jopek)
- fixed "RSA Cert Subject" choice for My Identifier on IPsec VPN Mobile Client
setup page (reported by rdnzl)
- don't allow the interface's network or broadcast address to be used in
the DHCP client range, and also make sure that the interface's own
address does not fall within the range
- made behavior of Interfaces: LAN page more intelligent (only disable
DHCP server if the IPv4 address has actually changed; do not require
reboot if only IPv6 address changed)
- updated PHP to 4.4.9
- 1.234 (08/08/2008)
- added source port randomization for ipnat
- updated Dnsmasq to 2.45 (source port randomization)
- updated PHP to 4.4.9
- bumped MFS size for firmware upgrades to 10 MB
- changed ZoneEdit update server name to dynamic.zoneedit.com
- 1.3b13 (07/13/2008)
- WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
- When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
- added support for IPv6-in-IPv4 tunnels on WAN (for use with tunnel brokers)
- added support for IPv6 over PPPoE/PPTP (WAN)
- fixed issue where firewall rules on PPTP VPN (and access to m0n0wall's own
services, like ping or DNS, from a PPTP VPN client) wouldn't work if incoming
GRE packets were matched by a traffic shaper rule on WAN
- for wrap image, show whether we're running on a WRAP or ALIX board on
the system status page
- updated Dnsmasq to 2.43 (query source port randomization)
- fixed "Register DHCP leases in DNS forwarder" option
- 1.3b12 (07/07/2008)
- Known bug: DNS forwarder doesn't work when "Register DHCP leases in DNS forwarder" option is enabled
- WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
- When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
- added initial IPv6 support (based on code contributed by Michael Hanselmann in 2005) -
see here for some explanations and instructions
- removed IPv6 tunneling option
- automatically generate self-signed SSL certificate when switching from
HTTP to HTTPS (CN = current hostname); also add a button to generate a
self-signed certificate on demand on the System: Advanced page
- make captive portal "disable concurrent logins" function compare usernames
in a case-insensitive manner
- fix polling setting on optional interfaces
- add ipnat fix (from ipfilter mailing list) to prevent a (rare) case of
kernel panic when ipnat sees a fragment of a TCP packet, and that
fragment is not the first one
- remove PPPoE/PPTP dial-on-demand feature. Still doesn't work properly,
nobody has enough interest in it to fix it, and most people probably
don't need it anyway
- remove bpalogin - looks like it's dead
- updated Dnsmasq to 2.42
- don't run captive portal reauthentication (if enabled) for MAC
pass-through clients (patch by Peter Allgeyer)
- repeat banner each time the console menu is displayed
- 1.3b11 (04/05/2008)
- WARNING: this version (any platform) no longer fits on 8 MB CF cards! (>= 16 MB required)
- When upgrading from generic-pc 1.2x, you must install 1.3b7 first before you install this image.
Other platforms are not affected.
- fixed IPsec to prefer new SAs over old SAs by default (should solve problems with tunnels not working after an interruption or peer IP address change)
- added DPD (Dead Peer Detection) option to IPsec tunnels (default off as before)
- added asn1dn option to IPsec identifier types to be compatible with what Openswan expects when using certs instead of PSKs
(contributed by Wes Morgan)
- fixed SVG traffic/CPU graphs under IE7 (by Daniel S. Haischt)
- 1.3b10 (03/01/2008)
- allow fragmented ESP and NAT-T encapsulated IPsec packets when using the integrated IPsec support (should solve MTU issues)
- added patch to make mini_httpd accept intermediate SSL CA certificates
- use NTP vendor pool zone for m0n0wall instead of pool.ntp.org (this will also be automatically replaced
in existing installations on the first boot)
- fix MSNTP to properly handle server hostnames that start with a digit
- updated base system to FreeBSD 6.3-RELEASE-p1
- copied dhclient-script from m0n0wall 1.233 (in an attempt at solving the sporadic DHCP renewal problems reported by some users)
- fix MPD WAN PPPoE/PPTP auto-reconnect issue
- webGUI HTML tidyness fixes by Daniel S. Haischt
- put IPSTEALTH in kernel config so that it can be enabled via sysctl if needed
- updated ipsec-tools to 0.7
- 1.233 (01/23/2008)
- fixed PPP secondary DNS reject issue with AT&T/Bellsouth
- updated PHP to 4.4.8
- 1.3b9 (01/15/2008)
- added patch for trap 12 kernel panics on Nokia IP110/IP120/IP130
- increased MFS root size by 1 MB to avoid problems with large configs
- fixed bridging with interfaces that support hardware TX checksumming (by turning it off for bridged interfaces)
- 1.3b8 (01/12/2008)
- DHCP next-server and filename settings are now exposed through the webGUI
- upgraded MPD to version 4.4 (also fixes PPP secondary DNS reject issue with AT&T/Bellsouth)
- PPTP VPN RADIUS IP setting removed (always enabled in MPD 4)
- updated PHP to 4.4.8
- 1.3b7 (12/26/2007)
- fixed kernel panic when using IPsec and the traffic shaper at the same
time (see FreeBSD PR kern/119036)
- fixed SIP proxy when using PPPoE/PPTP mode on WAN interface
- 1.3b6 (12/22/2007)
- known issue: having both the traffic shaper and IPsec VPN enabled
can lead to kernel panics – see this mailing post for a
description and fixed pre-release images
- added support for IPsec tunnels with (possibly dynamic) remote host names
(instead of fixed IP addresses); the host name is polled at regular intervals
(default 60 seconds), and if the IP address that it maps to changes, IPsec
is reconfigured. Note that this will also cause other (non-dynamic) tunnels
to be briefly interrupted.
- added firewall support for decapsulated IPsec packets (new pseudo-interface
"IPsec" in firewall rule editor); this is on by default, but the default
configuration contains a "pass all" rule on the new IPsec pseudo-
interface (and this is also added automatically for existing configurations),
which can then be deleted to actually filter IPsec VPN traffic
- enabled larger client subnet sizes (= more concurrent connections) for
PPTP VPN server (up to 256); change subnet size on PPTP VPN
setup page if desired
- fixed filtering bridge when used in conjunction with traffic shaper
- captive portal reliability fixes
- ensure that the pruning process is always run on all active users
- properly handle sessions that have not passed any traffic by the time they end
- improve locking
- updated timezone data
- stop discriminating against nge(4) (National Semiconductor PCI Gigabit Ethernet) adapters
- fix DHCP release button on interface status page
- updated FreeBSD to 6.2-RELEASE-p9
- updated ipfilter to 4.1.28 (fixes lockup issues from 1.3b5)
- 1.232 (12/16/2007)
- captive portal reliability fixes
- ensure that the pruning process is always run on all active users
- properly handle sessions that have not passed any traffic by the time they end
- improve locking
- fixed FIN handling in ipnat FTP proxy
- updated timezone data
- 1.3b5 (11/23/2007)
- known issue: enabling the traffic shaper (or the captive portal) while filtered bridging is also enabled
causes bridged packets not to be filtered
- known issue: the system can lock up under heavy load due to a bug in ipfilter 4.1.23 –
see this mailing list post for a description and fixed pre-release images
- added siproxd for transparent SIP proxying/masquerading and
simple registrar service (by mwiget)
- added vr(4) driver VLAN fix (for ALIX etc.)
- sisX interface names are now automatically changed to vrX when running on ALIX
- added reset button driver for ALIX
- upgraded ipfilter to 4.1.23
- fixed FIN handling in ipnat FTP proxy
- changed logo/license/footer to include registered trademark sign
- 1.3b4 (08/25/2007)
- captive portal voucher fixes: idle timeout, allow voucher authentication
starting with '-' (by mwiget)
- console speed for WRAP image is now 38400 as this has always been the
default for new WRAP (and ALIX) boards anyway
- modified WRAP image kernel to also work with ALIX.2 (added vr device and
USB EHCI + CPU soft reset patches to wrap kernel; tested on prototype board)
- for ALIX, interfaces need to be re-assigned (vr* instead of sis*)
- patched hostapd to support writing PID file; start hostapd with -B
flag (fixes problem with wireless interfaces that have WPA enabled
not being initialized properly on boot)
- recompiled MPD with current MSS/dial-on-demand patches (also fixes idle timeout bug)
- removed code that auto-selects subnet mask on LAN and OPT setup
pages (it's confusing and doesn't necessarily get it right)
- recompiled PHP, this time with radius extension
- 1.3b3 (08/01/2007)
- known issue: WPA may not work properly after boot until hostapd is restarted
- added voucher support to captive portal (mwiget)
- wireless LAN improvements
- WPA-PSK and WPA-Enterprise (in hostap mode)
- hide SSID option
- allow dashes in alias names
- added hidden option to disable auto-generation of PPTP rules on WAN
(<nofwrulegen/> in <pptpd> section)
- fixed ATA HD spin down feature (using ataidle - needs testing)
- ipfilter TCP window scaling bug fix
(see here)
- synced with changes from 1.23 branch
- increased mfsroot size to 14 MB (from 13 MB)
- updated base system to FreeBSD 6.2-RELEASE-p6
- updated PHP to 4.4.7
- updated ipsec-tools to 0.6.7
- updated isc-dhcpd to 3.0.5
- updated Dnsmasq to 2.39
- added kernel patch for fragment bug in ipfilter (contributed by Frank Edwards)
- modified kernel patch to handle ipnat+dummynet in ip_input -> should fix problems
with captive portal not reporting downloaded data per user properly when the
traffic shaper is on, and also makes per-user bandwidth limits work again
- added ural(4) to list of recognized wireless NICs
- removed "-P" option from boot.config again (doesn't work properly with USB keyboards)
- added kbdmux to kernel config of generic-pc(-cdrom) -> should fix problems with USB keyboards
- use setkey from ipsec-tools now that we use NAT-T
- 1.231 (04/07/2007)
- fixed PPTP VPN idle timeout and WAN PPPoE/PPTP dial-on-demand
- minor change in behavior for both WAN PPPoE/PPTP dial-on-demand and
PPTP VPN idle timeout: once the link is up, all packets sent to the PPP peer are
counted towards the idle timeout, not just those that match the
(hardcoded) dial-on-demand filter (or, as was the case with 1.23,
only TCP SYNs). This makes behavior similar to mpd-4.1 (although only
outbound packets are counted).
- fixed file download via exec.php for Internet Explorer when using HTTPS
- 1.23 (03/10/2007)
- added support for hardware button on WRAP (if pressed during boot, it will
trigger a reset to factory defaults)
- updated PHP to 4.4.6
- updated default webGUI SSL certificate
- 1.23b4 (02/17/2007)
- update time zone data to reflect US/Canada DST changes
- captive portal:
- fix bug: the RADIUS authentication/No authentication options worked the opposite way around
- fix RADIUS login when only one RADIUS server is specified
- 1.23b3 (01/27/2007)
- known issue: captive portal RADIUS authentication doesn't work properly
- added support for Framed-IP-Address attribute from RADIUS server for PPTP VPN (i.e. allow the RADIUS server to assign the client IP address)
- added watchdog support for WRAP (this is off by default and can be enabled on the System: Advanced page)
- fixed "Register DHCP leases in DNS forwarder" feature
- fixed ipnat FTP proxy to properly handle RST packets from an active mode FTP client behind m0n0wall
- SNMP "sysDescr" now identifies m0n0wall, including version and platform
- 1.23b2 (01/13/2007)
- known issue: "Register DHCP leases in DNS forwarder" feature doesn't work
(DNS forwarder doesn't start if it's enabled)
- back-ported MSS clamping fix from MPD 4.0b5 to MPD 3.18 (fixes MTU
issues with some PPTP clients during uploads from the PPTP
client to a remote server)
- changes in Captive portal (jdegraeve):
- add pfSense ideas (slightly differently implemented):
- redirect both HTTP and HTTPS to the Captive Portal keeping in mind an SSL error (cert mismatch)
- add preliminary support for WPA and PPPoE pass-through
- RADIUS accounting: now sends session-time in interim accounting
- internal/DB handling improvements
- disabled core dumping by default
- updated base system to FreeBSD 4.11-RELEASE-p22
- updated Dnsmasq to 2.35 (bugfixes)
- updated ISC-DHCPD to 3.0.5 (bugfixes)
- updated ipsec-tools to 0.6.6 (fixes memory leak)
- updated PHP to 4.4.4
- added netstat -m/-s and kldstat to status.php
- fix extensions support in webGUI
- 1.3b2 (12/23/2006)
- known issue: IPsec SAD diagnostics page doesn't work properly
- WARNING: the generic-pc image no longer fits on 8 MB CF cards! (>= 10 MB required)
- enabled NAT-T support for IPsec VPN (enable via webGUI)
- compiled SNMP agent with support for memory usage information MIB
- back-ported MSS clamping fix from MPD 4.0b5 to MPD 3.18 (fixes MTU problems with PPPoE client)
- enabled hostap for wireless cards supported by the ral(4) driver
- forced PIO mode for ATA driver to work around problems with quirky hardware (IDE controllers, CF cards)
- automatic keyboard detection for generic-pc(-cdrom); fallback to serial console if no keyboard found
- enabled AES for IPsec phase 1
- Captive portal fix (jdegraeve): now always sends the session time in RADIUS accounting messages
instead of only sending it within an Accounting-Stop.
This should make most prepaid systems work again.
- 1.3b1 (12/16/2006)
- Note: a bug has been identified in MPD 3.18 (TCP MSS clamping is only applied to inbound and
not outbound packets). This affects PPPoE users, who are advised to wait for the next beta version (1.3b2).
- changed base system to FreeBSD 6.2-RC1 (final 1.3 version will be based on FreeBSD 6.2-RELEASE)
- WARNING: the generic-pc image no longer fits on 8 MB CF cards! (>= 10 MB required)
- added support for new wireless features in FreeBSD 6
- Atheros cards are finally supported!
- channel selection on interface setup page now reflects actual capabilities of card
- wireless status page shows scanned APs in client mode and associated stations in hostap mode
- WPA support is expected in the next release
- for generic-pc-cdrom, the configuration may now also be stored on a USB memory stick
(instead of a floppy disk). m0n0wall will automatically probe for a USB stick with
a FAT file system first, and if this fails, fall back to the floppy drive.
Note that this release can also be booted directly from a USB memory stick on most PCs
(simply install the generic-pc image to your USB memory stick with physdiskwrite),
so generic-pc-cdrom is now only for machines that either don't have USB at all or
that can't boot from USB due to BIOS limitations.
- removed MTU option from Interfaces: WAN page. This used to control TCP MSS
adjustment, but since the non-NAT-dependent MSS fixup patch kludged into ipnat
has not been ported to ipfilter 4 (and is an ugly hack at best anyway), MSS
fixup is now automatically applied for PPPoE connections (where it is actually
needed) using MPD's integrated feature and shouldn't be necessary in other cases
- a rather intrusive kernel patch was required to make concurrent traffic shaping + NAT on the
WAN interface possible; if you rely on this feature, please test it well and report any problems
- 1.23b1 (06/05/2006)
- added support for 3rd party extensions in the group management and dynamic menu system (ptaylor)
- changes in captive portal (jdegraeve)
- fixed a bug in the way we handle authentication mechanisms (potentially allowing double logins and faulty locking)
- add support for different MAC address formatting styles
- add support for per-user bandwidth limitation (using well-known WISPr RADIUS attributes)
- do not generate anti-spoof rules for optional interfaces that have other interfaces
bridged to them (as opposed to being bridged to another interface, which was already
handled properly) when the filtering bridge is on (mkasper)
- updated base system to FreeBSD 4.11-RELEASE-p18 (mkasper)
- recompiled ipsec-tools without FreeBSD patch to use "security" syslog
facility instead of "daemon" -> should get rid of excess debug messages
from racoon (mkasper)
- 1.22 (04/02/2006)
- added Role-based Access to WebGUI (ptaylor)
- added Group and User Manager pages
- updated menu system to be dynamic depending upon permissions of active user
- added support for tertiary DNS server (jdegraeve)
- changes in Captive portal (jdegraeve)
- cleanup and code added to allow future stuff like volume limits etc. to be implemented
- added per-user volume stats in captive portal status page
- RADIUS MAC authentication now works on local subnet even if "Disable MAC filtering" is activated
- firewall rule numbers now use a more intelligent pool; this fixes a bug where a
rule number could have been used even if it had already been assigned
- fixed bug in RADIUS Session-Timeout handling so it'll work even if reauthentication is disabled
- updated RADIUS accounting to PECL
- now sends NAS-IP-Address (based on actual WAN address) and NAS-Identifier cleanly
- each gigawords value now counts as 4GB instead of 2GB (See RFC 2866 section 5)
- added "disable port mapping" option to advanced outbound NAT (helps with certain IPsec
VPN gateways that insist on the IKE source port being 500) (mkasper)
- added option to System: Advanced page to allow IPsec/ESP-encrypted IP fragments to be passed (mkasper)
- added DHCP/interface route fix for UK ADSL half-bridge modems (DSL-300T, X-modem) (mkasper)
- fixed check for overlapping external port ranges when editing inbound NAT entries (mkasper)
- log captive portal logins even when authentication is disabled (mkasper)
- updated PHP to 4.4.2 (mkasper)
- updated ipsec-tools to 0.6.5 (fixes problem with /32 subnets) (mkasper)
- updated base system to FreeBSD 4.11-RELEASE-p16 (mkasper)
- updated Dnsmasq to 2.27 (mkasper)
- 1.21 (01/01/2006)
- the captive portal has been modified to always issue a redirect to m0n0wall's
own IP address first (even in HTTP mode). This means that all login forms MUST
contain the "redirurl" hidden field now, otherwise they won't work anymore!
- mini_httpd has been improved to increase stability of the captive portal and webGUI
- when the maximum number of connections has been reached, it no longer
attempts to send a 503 message to the client, as that itself could have caused
the parent process to block (and, due to a bug in SIGALRM handling, even exit)
if the client fails to acknowledge the data. Instead, the connection is simply closed.
- new feature: the number of connections per client IP address can now be
limited to prevent one misbehaved user from tying up the server. The default
limit for the captive portal is now 4 connections per client, and 16 in total (can be adjusted on captive portal
setup page)
- captive portal file manager
(If you already have element files from unofficial builds, it isn't enough
to simply delete all the files that were uploaded to the system. Before
upgrading, you have to manually delete the whole
"<element>...</element>" part in your config and restore that changed config.)
- imported Jonathan de Graeve's captive portal RADIUS improvements
- improved RADIUS authentication using PHP's built-in PECL RADIUS support
- secondary RADIUS server support
- RADIUS MAC authentication
- RADIUS URL redirection attribute support
- RADIUS Session-Timeout support
- disable concurrent user login option
- RADIUS Idle-Timeout support
- RADIUS Acct-Terminate-Cause support
- WISPr RADIUS attributes are now supported as well as Nomadix attributes
(Redirection-URL, Session-Terminate-Time)
- on idle timeout, the time of last activity is used in calculating the Session-Time
- notes field on index page
- new option for SNMP agent: bind to LAN interface only
(avoids problem with VPN tunnel to LAN subnet terminated on WAN; see
http://doc.m0n0.ch/handbook/faq-snmpovervpn.html)
- fixed CPU and traffic graph SVG for Firefox 1.5
- captive portal RADIUS accounting stop packets are now sent before rebooting after a firmware upgrade
- when restoring config.xml via the webGUI, XML validation is done on the file before it is installed
- updated base system to FreeBSD 4.11-RELEASE-p13
- updated PHP to 4.4.1
- updated Dnsmasq to 2.23
- updated racoon to the ipsec-tools 0.6.4 version
- added device nodes for /dev/ad4-7
- fixed stopping/restarting racoon
- fixed typo in services_captiveportal.php
- increased CF partition size to 7 MB
1.2 (10/09/2005)
- fixed HD standby to use minutes, not seconds
- fixed DNS forwarder domain override feature
- Diagnostics: ARP page now allows entries to be deleted
- made Ping/Traceroute pages tabbed
- captive portal RADIUS accounting now sends Gigawords
- fixed PPPoE dial-on-demand to not use 10.0.0.1/10.0.0.2 internally
- removed OpenVPN
If you've been using OpenVPN in earlier 1.2b versions, make very sure
after upgrading that all your rules still point to the right interfaces
(the OpenVPN pseudo-interfaces will be removed). Better yet, restore the
configuration backup you made before you enabled OpenVPN (as per the
suggestion in the webGUI) prior to upgrading.
- RFC 1918 block rule is now listed on the Firewall: Rules page for WAN as an uneditable rule (gray background)
1.2b10 (09/11/2005)
- updated base system to FreeBSD 4.11-RELEASE-p11
- upgraded PHP to 4.4.0
- updated dhcpd to 3.0.3
- updated racoon to 20050510a
- removed psm0 from generic-pc/cdrom kernel config as there have been reports of exotic machines that lock up with it and it serves no use anyway
- fixed bug on DNS forwarder page where sometimes the wrong entry would be edited/deleted
- fixed name resolution on firewall logs page
- fixed PPTP interface display on firewall logs page
- redirect after clearing logs to avoid reposting on next refresh in browser
- allow current tab to be clicked to refresh log page for all logs (not just firewall log)
- allow source interface to be selected on Diagnostics: Ping page
- DNS forwarder: entire domains may be overridden by specifying a DNS server to be queried for them
- cleaned up captive portal local user manager to be consistent with other
user databases in config.xml (i.e. don't store usernames in XML tag names anymore)
-> existing users won't be converted and will have to be manually entered again!
(since this is a beta version and there has never been a release with
the captive portal local user manager before)
- added ARP table diagnostics page
- added Traceroute diagnostics page
- added firewall states diagnostics page
- fixed filter rule generator to generate rules for DHCP on optional interfaces
if the DHCP server is enabled on the interface that the optional interface in
question is bridged to (e.g. OPT1 bridged to LAN and DHCP server running on LAN
-> clients on OPT1 can now use the DHCP server on LAN as well). Note: the interface
that the DHCP server is running on must have a link for this to work
(cf. FreeBSD PR kern/41632 - there's a fix, but it's too intrusive)
- fixed problem with racoon not updating the expiration timer of
dynamically generated policies (for mobile clients) upon rekeying
- allow server/port to be specified for DynDNS client
- many OpenVPN fixes/improvements
1.2b9 (06/19/2005)
- IPsec certificate support
- improved firewall log page: it is now possible to filter by action, protocol, interface, source and destination port
- reauthentication option for captive portal (checks connected clients against RADIUS server every minute)
- 32 bpf devices for DHCP server (instead of just 16)
- fixed captive portal crash in HTTPS mode
- includes /bin/mv
- experimental DELAY patch for wireless cards that use the wi driver (timeout in wi_seek etc.) - see this post
- fixed: hard disk standby isn't enabled on boot
- update xl driver to support 3C920B-EMB-WNM
- added TITLE attribute for add/edit/delete buttons
- captive portal status page now shows usernames
- device polling can now be controlled on the System: Advanced page
- swapped Acct-Input-Octets/Packets and Acct-Output-Octets/Packets in captive portal RADIUS accounting messages to reflect the correct meaning as per RFC 2866
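The three accounting entries above (Gigawords sent since 1.2, the Input/Output swap in 1.2b9, and the 4 GB-per-gigaword fix in 1.22) all come down to how a 64-bit per-session byte counter is packed into RADIUS attributes. The following is an added example, not m0n0wall's code: it packs constructed per-session counters into Acct-*-Octets/Gigawords pairs the way RFC 2866 and RFC 2869 define them, and reconstructs the total on the server side, including with the wrong 2 GB multiplier so the size of the old error is visible. Attribute names are the standard ones; the counter values are made up for the example.

```python
"""RFC 2866/2869 accounting counters for a captive-portal session (added example)."""
from __future__ import annotations

GIGAWORD = 1 << 32   # RFC 2869 5.4/5.5: Gigawords counts wraps of the 32-bit octet counter


def split_counter(total_octets: int) -> tuple[int, int]:
    """Return (gigawords, octets) for a 64-bit byte count."""
    if not 0 <= total_octets < (1 << 64):
        raise ValueError("byte count must fit in 64 bits")
    return divmod(total_octets, GIGAWORD)


def accounting_attributes(bytes_from_client: int, bytes_to_client: int) -> dict[str, int]:
    """Map per-session byte counters (as the firewall counts them) onto RADIUS
    accounting attributes.  Direction follows RFC 2866 sections 5.3/5.4: octets
    the NAS receives from the user are *Input*, octets sent to the user are *Output*.
    Getting this backwards is exactly the 1.2b9 swap the changelog mentions."""
    in_gw, in_oct = split_counter(bytes_from_client)
    out_gw, out_oct = split_counter(bytes_to_client)
    return {
        "Acct-Input-Octets": in_oct,
        "Acct-Input-Gigawords": in_gw,
        "Acct-Output-Octets": out_oct,
        "Acct-Output-Gigawords": out_gw,
    }


def total_octets(attrs: dict[str, int], direction: str, gigaword_size: int = GIGAWORD) -> int:
    """Server-side reconstruction of the 64-bit count.  Passing gigaword_size=2**31
    reproduces the pre-1.22 behaviour in which each gigaword was worth only 2 GB."""
    return attrs[f"Acct-{direction}-Gigawords"] * gigaword_size + attrs[f"Acct-{direction}-Octets"]


if __name__ == "__main__":
    # Constructed sample session: 100 MB uploaded by the client, a little over 20 GB downloaded.
    attrs = accounting_attributes(bytes_from_client=100_000_000,
                                  bytes_to_client=5 * GIGAWORD + 12345)
    print(attrs)
    print(total_octets(attrs, "Output"))            # correct: 5 * 2**32 + 12345
    print(total_octets(attrs, "Output", 1 << 31))   # old multiplier: short by 5 * 2**31 bytes
```

The point for anyone writing a RADIUS server or billing backend: a client that receives a Gigawords attribute must multiply by 2^32, and a NAS that never sends Gigawords silently under-reports any session above 4 GB.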
1.2b8 (05/29/2005)
- WARNING: this release does not include support for Atheros-based wireless NICs!
- switched base system back to FreeBSD 4.11
- merged ifstats.cgi and cpustats.cgi into stats.cgi
- updated PHP to 4.3.11
- only log the first passed packet, and not every packet in the same session
- back out captive portal per-user bandwidth patches for the time being as they're buggy and not currently maintained
- fix captive portal logout
- return ICMP port unreachable instead of protocol unreachable (ipfilter default) for rejected UDP packets
- auto-add proxy ARP option for new 1:1 NAT mappings
- auto-establish IPsec tunnel option removed for the time being (no good way of making it work actually)
- the IPsec SA preferral policy can be changed on the System: Advanced page
(default: prefer new SAs after 30 seconds)
- captive portal: logout popup window is no longer enabled implicitly when using authentication
- kernel is now built with polling support; default is disabled, but it can be enabled using "sysctl kern.polling.enable=1" (see also "man polling")
- updated ipfilter window scaling and ICMP NAT checksum adjustment fixes
- updated DP83815 short cable bug workaround in sis driver
1.2b7 (03/20/2005)
- read this if you're trying to upgrade a pre-1.2b6 generic-pc version through the webGUI
- beta images are now digitally signed too
- show lease start/end time on DHCP leases page in local time instead of GMT
- added logging for the captive portal
- changed the generic-pc HD standby timer feature to use ataidle
- captive portal support for local user database
- apply new version of captive portal RADIUS per-user bandwidth patches
- updated wireless status page for FreeBSD 5.3 and ath
- add some common 11a wireless channels as a temporary solution until we can query the actual list of available channels using ifconfig
- ipfilter window scaling patch
- allow "WAN IP address" as source/destination in firewall rules; reload firewall rules when the WAN IP address changes
- the previous change also solves the PPTP VPN server + traffic shaper problem
(no more NAT redirection to localhost)
- set link0 flag for fxp interfaces (interrupt moderation)
1.2b6 (03/01/2005)
- fixed inbound NAT + traffic shaper bug (kernel patch; see FreeBSD PR kern/76539)
- fixed: filtering bridge doesn't filter while the traffic shaper is enabled; traffic shaping for bridged links is disabled for the time being though (see FreeBSD PR kern/78090)
- packet loss rate/queue size options for traffic shaper pipes
- per-user bandwidth restrictions for captive portal users (according to special attributes returned by the RADIUS server
- removed CPU meter from main webGUI page (causes 1 second delay and fluctuates too much); replaced by SVG CPU graph
- MAC addresses with dashes instead of colons now work too
- static mappings can now be added by clicking a button on the DHCP leases page
- several small HTML fixes (mainly for Firefox)
1.2b5 (02/22/2005)
- upgraded base system to FreeBSD 5.3
- support Atheros based wireless cards
- fixed: DHCP relay won't start automatically on reboot
- fixed display of SSIDs with spaces in them on Status: Interfaces
- turned on ipfw bridge filtering when the filtering bridge is on (traffic shaper)
- improved firewall rule selection (feedback with background color; the entire rule can be clicked to toggle the selection of a rule too); visual feedback on where rules would be moved when the mouse is over a rule move button
- hidden config.xml option to override DNS servers that are assigned to PPTP VPN clients
- IPsec: /0 remote network mask now allowed
- the filter is no longer bypassed for traffic that enters and leaves through the same interface (due to static routes) by default. This is now a configurable option on the advanced setup page
- it is now possible to have separate TCP and UDP NAT mappings for the same port
- fix filter timeouts (half-seconds instead of seconds)
- modified nsupdate syntax for BIND 9
- updated dnsmasq to 2.20
- don't mount proc filesystem anymore (not needed in 5.3)
- anti-spoof rules are omitted on optional interfaces and on LAN if any other interface is bridged to it while the filtering bridge is on (to make other subnets work)
- fixed input validation for "0" values
- rearranged checkbox/buttons on firewall rule page
- reduced redundancy in webGUI pages by putting more HTML in header/footer
- upgraded to PHP 4.3.10
- fixed ping function (no more stripping of dashes)
- fixed warning in vpn.inc with mobile client IPsec but no static tunnels configured
- execute DHCP/PPP up-scripts in background for faster link startup
1.2b4
1.2b3 (12/05/2004)
- filter rule page now has one tab per interface
- much better rule move procedure: multiple rules can be selected and moved to any position in the rule list at once (relative order is preserved)
- multiple rules can now be deleted at once too
- other minor GUI cleanups
- RFC 2136 DNS updater (Services: Dynamic DNS)
- unparsed (as generated by scripts) ipnat/ipf/ipfw rulesets are shown on status.php
- proxy ARP is now supported on LAN and optional interfaces too
- auto-assigned DNS servers (PPP/DHCP) are shown on Status: Interfaces
- PPPoE/PPTP sessions on WAN can be manually disconnected and reconnected, and DHCP leases may be released/renewed (Status: Interfaces)
- captive portal: POST to real m0n0wall IP in HTTP mode too (not "") -> $PORTAL_REDIRURL$ is now required even in HTTP mode
- added note to filter rule edit page about src port != dst port in most cases
- skip m0n0wall's own IP address in static routing bypass
- support for point-to-point links on WAN (with "ispointtopoint" set in config.xml)
- support for an rc.early file in extensions
- ez-ipupdate security fix
- renamed "System logs" to "Logs" (misnomer)
- omit req-dns for PPPoE/PPTP if DNS override option is not checked because of problem reports with a few ISPs
- PPTP dial-on-demand fix
- filter UDP ack timeout is now 240 instead of 24 seconds to make SIP work properly
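The 1.2b3 entry about POSTing to the real m0n0wall IP in HTTP mode, and the 1.21 entry that makes the "redirurl" hidden field mandatory in every login form, describe the same round trip: intercept, redirect to the portal itself, echo the original URL through the form, redirect back after login. The block below is an added example of that flow, not m0n0wall's captive portal code. The portal address, the form markup and the allow-list check in safe_redirect_target are assumptions of the example; the allow-list in particular is a hardening choice a practitioner would add so the echoed field cannot bounce users to arbitrary schemes, and is not something this changelog describes.

```python
"""Captive-portal redirect round trip with the "redirurl" field (added example)."""
from __future__ import annotations
from html import escape
from urllib.parse import urlencode, urlparse, parse_qs

PORTAL_BASE = "http://192.168.1.1:8000"   # assumed portal address (the firewall's own IP)


def intercept(original_url: str) -> tuple[int, dict[str, str]]:
    """Response to an HTTP request from a not-yet-authenticated client: redirect to
    the portal's own address, carrying the original URL so it can be restored later."""
    location = f"{PORTAL_BASE}/index.php?{urlencode({'redirurl': original_url})}"
    return 302, {"Location": location}


def login_form(query_string: str) -> str:
    """Render the login page.  The hidden redirurl field is mandatory: without it the
    post-login redirect has nowhere to go, which is the breakage the 1.21 note warns about."""
    redirurl = parse_qs(query_string).get("redirurl", [""])[0]
    return (
        f'<form method="post" action="{PORTAL_BASE}/">'
        f'<input type="hidden" name="redirurl" value="{escape(redirurl, quote=True)}">'
        '<input name="auth_user"><input name="auth_pass" type="password">'
        '<input type="submit" name="accept" value="Continue"></form>'
    )


def safe_redirect_target(redirurl: str) -> str:
    """Hardening (assumption of this example): honour only absolute http(s) URLs with a
    host, so the echoed field cannot send the browser to javascript:/data: URLs or a
    scheme-relative //host; anything else falls back to the portal's own page."""
    p = urlparse(redirurl)
    if p.scheme in ("http", "https") and p.netloc and not redirurl.startswith("//"):
        return redirurl
    return PORTAL_BASE + "/"


def handle_login(form: dict[str, str], check_credentials) -> tuple[int, dict[str, str]]:
    """POST handler: 400 if the form lacks redirurl, 403 on bad credentials,
    otherwise 302 back to the page the client originally asked for."""
    if "redirurl" not in form:
        return 400, {}
    if not check_credentials(form.get("auth_user", ""), form.get("auth_pass", "")):
        return 403, {}
    return 302, {"Location": safe_redirect_target(form["redirurl"])}


if __name__ == "__main__":
    status, headers = intercept("http://www.example.org/news?x=1")
    print(status, headers["Location"])
    print(login_form(headers["Location"].split("?", 1)[1]))
    ok = lambda u, p: (u, p) == ("alice", "secret")   # stand-in for the RADIUS/local check
    print(handle_login({"redirurl": "http://www.example.org/news?x=1",
                        "auth_user": "alice", "auth_pass": "secret"}, ok))
```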
1.2b2
- be sure to get the version with build time 23:57 if you use PPPoE/PPTP on WAN
- experimental OpenVPN support -> this will modify the optional interfaces configuration in your config.xml - backup first!
- Dial-On-Demand for PPPoE and PPTP on WAN
- added DHCP relay service
- ICMP type matching for filter rules
- PPTP VPN login/logout logging
- captive portal: a unique/random session ID is now generated for RADIUS accounting, and MAC filtering can be disabled for special topologies (e.g. routed clients); RADIUS accounting port can be specified
- increased filter state table size to 30000 entries
- RADIUS accounting for PPTP VPN
- HTML page titles now show the host name
- NAT table reset on WAN IP change
- changed racoon proposal_check back to obey after many problem reports; only remaining difference to 1.1 now: new SAs are preferred after 30 seconds -> please test and report
- magic shaper src/dst port fix
- TCP idle timeout for the filter is now 2.5 hours instead of the ipfilter default of 10 days (!) to keep the state table from filling up with dead connections; this value can be modified on the advanced setup page
- config backup: file name now contains FQDN and date/time
- fixed maxproc bug in mini_httpd that would manifest itself sometimes with the captive portal in HTTPS mode
- config.xml hidden options for interface media/mediaopt
- new hidden option "dnsserver" for DHCP service
- changed mfsroot size to 11 MB to accommodate DHCP relay and OpenVPN binaries
- updated ISC DHCP server to 3.0.1.r14
- updated PHP to 4.3.9
- updated racoon to racoon-20040818a
1.2b1
- captive portal HTTPS login and custom redirection support
- CPU/memory usage display on main webGUI page
- IPsec kernel fix to prefer newer SAs over older ones after 30 seconds (dead SA problem), racoon proposal_check changed from obey -> claim, auto-establishment option (ping - note: this is broken and does not work)
- console speed is no longer fixed to 9600 bps for net45xx/net48xx/WRAP; instead, the value that was set by the BIOS is used, so it should work at whatever speed the BIOS is set to
- IDE hard disk standby option for generic-pc (System: Advanced page)
- last configuration change timestamp is recorded and displayed in webGUI
- new advanced setup option: "Keep diagnostics in navigation expanded"
- added more Ethernet drivers (esp. Gigabit Ethernet) for generic-pc/cdrom
- netgraph protocol field compression fix
- set kernel HZ to 1000 for smoother traffic shaping
- webGUI anti-lockout rule on LAN can be disabled (System: Advanced page)
- static routes can now be defined on the WAN interface
- "earlyshellcmd" tag in config.xml is now supported (such commands are executed before most of the system configuration is done)
- VLAN parent interfaces are now always configured "up"
- default hash algorithm for IPsec is now SHA1
- ping option in console menu
- hidden DHCP options (config.xml only): gateway, domain, next-server, filename
- fixed turning off PPTP VPN (NAT rules)
- the webGUI now checks user input for control characters that are not allowed in XML
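Two entries on this page describe input checks on the configuration: 1.21 validates an uploaded config.xml before installing it, and 1.2b1 rejects webGUI input containing control characters that XML does not allow. The block below is an added example of both checks, not m0n0wall's own code. The root element name is taken from the /m0n0wall/system/webgui path mentioned elsewhere on this page; the list of required sections and the sample documents are assumptions of the example. It uses the standard-library parser so it runs offline; for an untrusted upload in production, defusedxml (or an expat build with entity-expansion limits) is the safer choice.

```python
"""Validating a config.xml upload and screening input for XML-illegal characters (added example)."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

# XML 1.0 Char production: below 0x20 only TAB (0x09), LF (0x0A) and CR (0x0D) are legal.
_ILLEGAL_XML_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")

REQUIRED_SECTIONS = ("system", "interfaces")   # assumed minimal set for this example


def has_illegal_control_chars(value: str) -> bool:
    """True if a webGUI field value contains a control character that cannot be
    written into config.xml at all (escaping does not help; the document would
    fail to parse on the next boot)."""
    return _ILLEGAL_XML_CHARS.search(value) is not None


def validate_config(data: bytes, root_tag: str = "m0n0wall") -> list[str]:
    """Return a list of problems with an uploaded config; an empty list means
    the file is well-formed, has the expected root and carries every required
    section, so it may be installed."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems: list[str] = []
    if root.tag != root_tag:
        problems.append(f"root element is <{root.tag}>, expected <{root_tag}>")
    for name in REQUIRED_SECTIONS:
        if root.find(name) is None:
            problems.append(f"missing <{name}> section")
    return problems


if __name__ == "__main__":
    # Constructed sample documents.
    good = b"<?xml version='1.0'?><m0n0wall><system><hostname>fw</hostname></system><interfaces/></m0n0wall>"
    truncated = b"<m0n0wall><system></m0n0wall>"
    print(validate_config(good))        # []
    print(validate_config(truncated))   # ['not well-formed XML: ...']
    print(has_illegal_control_chars("host\x00name"), has_illegal_control_chars("two\nlines"))
```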
1.11 (11/11/2004)
- fixed a security hole in ez-ipupdate (see this)
1.1 (08/22/2004)
- turned off DMA for all platforms (problem with some CF cards; no real performance improvement)
- improved hifn detection (with old messages in dmesg buffer)
- disabled windowing for PPTP client on WAN
- RADIUS accounting port fix
1.1b17
- captive portal: RADIUS accounting support (with logout window)
- fixed mini_httpd bug that could cause the webGUI server to exit when a connection is closed while it's still in the listen queue (such as when nmap'ing m0n0wall)
- updated racoon to 20040617a; patch for racoon-generated SP timeouts
- fix for optional interfaces bridged with WAN set to DHCP/PPP
- sis driver: fixed IRQ handling on stopped interfaces (see http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/pci/if_sis.c#rev1.93)
- fixed ipfilter/ipnat ICMP checksum adjustment bug
- increased max. concurrent connections for the webGUI from 8 to 16
- disabled ATA DMA for net48xx to fix problems with certain CF cards
- merged ng_pptpgre.c/.h windowing control support from -STABLE; recompiled MPD 3.18 -> delayed ACK is now enabled for PPTP VPN, while windowing is still disabled (due to packet loss issues)
- fixed uptime display on index page
- magic shaper P2P improvements
- errors/collisions display on interface status page
- replaced "alt" attributes in img tags with "title" for proper tooltip behavior
- shaper: pipe/queue descriptions are now shown
- removed IPsec auto-establishment feature for the time being (racoon "keepalive" option is a no-op and ping patch is ugly)
1.1b16
- got rid of kludgy table-based tab navigation bars - replaced with CSS
- 802.1Q VLAN support (see the hardware page for a list of supported NICs)
- magic shaper
- DHCP server: option to deny leases to unknown clients
- IPsec: user FQDNs now allowed
- IPsec: auto-establishment/keep-alive option
- simplified filter log display
- fix for optional interfaces bridged with disabled optional interfaces
- shorten MPD link labels for PPTP VPN to avoid netgraph problems
- route/pass traffic between statically routed subnets on an interface and the m0n0wall subnet on the same interface unconditionally to handle more complicated routing topologies
- updated PHP to 4.3.8
1.1b15
- inbound NAT: local port range is now verified (cannot exceed 65535)
- NAT: fixed problem with invalid ipnat rules being generated if one or more interfaces were bridged
- mini_httpd: fix for concurrency limit
1.1b14
- fixed DNS servers assigned by PPTP/PPPoE on WAN (change in MPD 3.18)
- fix for ipfilter window scaling bug
- generic-pc kernel now includes SCSI and USB mass storage drivers
- added TOS matching for shaper rules
- no IPsec processing for packets between LAN subnet and m0n0wall's LAN IP address to prevent webGUI lockout
- uncompressed image size is now 6 MB for all platforms (generic-pc kernel has grown due to SCSI support)
1.1b13
- fixed JavaScript on traffic shaper rule edit page (allow ports with protocol = any)
- HTTP server now has a limit on the maximum number of concurrent connections
- HTTP server no longer sends a "Server:" response-header field
- IGMP can now be selected as a protocol for filter/shaper rules
- all disks known to the kernel are now probed for the config file, which should make USB and SCSI disks work
- hostname is now shown in the header of all webGUI pages
- NAS-Port-Type attribute is now sent with RADIUS requests for the captive portal
1.1b12
- captive portal on LAN fixed
1.1b11
- problem with DHCP on WAN and automatically assigned DNS servers fixed
- disabled filter/shaper rules are now shown with gray text
- load average display on main page corrected
1.1b10
- upgraded base system to FreeBSD 4.10
- added Wake on LAN client
- webGUI error page no longer shows the name "m0n0wall"
- shaper rules can now be temporarily enabled/disabled too
- filter and shaper rules enable/disable status may be toggled by clicking the action/direction icon
- updated MPD to 3.18
1.1b9
- captive portal RADIUS authentication
- firmware version check may be disabled
1.1b8
- captive portal: MAC address exclusion, proper idle timeouts, portal page completely customizable
1.1b7
1.1b1
- new kernel patch that should solve the dreaded XP PPTP VPN timeout/packet loss problem once and for all
- new SVG-based traffic grapher
- updated system to FreeBSD 4.9-RELEASE-p4 (security updates)
- updated PHP to 4.3.5
- updated ipfilter to 3.4.33
- updated racoon to version 20040116a
- DNS servers assigned via PPPoE/PPTP are now used if the "allow override" option is set
- local subnet mask of /0 now allowed in IPsec tunnels
- disabled hardware TX checksumming for 3com cards (xl driver) due to buggy chips
- unsupported support for extensions
1.0 (02/15/2004)
- fixed port validation on filter, shaper and NAT pages, and fixed ranges that include 1 or 65535
- fixed configuration backup download problem with Internet Explorer
- fixed typo on general setup page
- show hostname on system status page
- traffic shaping now works on bridged interfaces
- added note about proxy ARP to NAT pages
- changed DNS override description on system setup page (DNS servers
assigned via PPP on WAN don't work)
- imported modified version of choparp that supports IP address ranges;
modified webGUI to allow proxy ARP with ranges
- uploaded images are now verified using public-key cryptography - if the
digital signature is not correct, a warning is displayed (the user is allowed
to continue anyway though). The format of the signed images can be found
here, and the public key used to verify the images is here.
This release has not been signed to avoid problems when upgrading older
versions (it wouldn't make sense anyway because pb versions do not
verify it).
pb27 (02/07/2004)
- it is now possible to map entire subnets in 1:1 NAT (they may not overlap with
other server NAT entries, advanced outbound NAT entries or the WAN IP address)
- added proxy ARP service
- IP aliases are no longer added automatically to the WAN interface for 1:1 NAT and server NAT mappings (use proxy ARP if required)
- added interface auto detection to "assign network ports" console menu item
- the target (external) address for the mapping can now be specified on the advanced outbound NAT page
- added "Clear log" button to log pages
- config file read/write locking to avoid race conditions
- made webGUI username configurable
- added more BPF devices to fix problem with dhcpd on machines with more than
4 interfaces
- added headers to webGUI pages to ensure that they are not cached
- fixed bug: failed to resync ipfilter on PPTP VPN linkup
- renamed "internal" and "external subnet" to source and destination, respectively, on the advanced outbound NAT page (to reduce confusion)
- disabled MSCHAPv1 (insecure) and CHAP-MD5 (no use with MPPE encryption anyway) in PPTP VPN server
pb26 (01/24/2004)
- r614: fixed IPsec startup race condition with dynamic WAN IP address
- r610: added option to disable individual IPsec tunnels
- r610: moved firmware and advanced setup page to "System"
section (instead of diagnostics)
- r610: clicking the "+" button next to a filter or traffic
shaper rule now brings up the edit page in clone mode; the new rule
is inserted after the cloned one (completely new rules may still
be created with the "+" button at the very bottom of the
page)
- new feature: "server NAT"; makes it possible to map
ports on multiple WAN IP addresses to different servers (instead
of just 1:1)
- the parsed XML configuration file is now cached in PHP's native
binary serialized form to reduce webGUI page load times on slow
platforms (486-based in particular) where parsing the XML configuration
is relatively expensive
- added "Disable console menu" option to advanced setup
page
- firmware upload now uses HTTP instead of FTP; the FTP server has
been removed (uploading files for diagnostic purposes may be done
via exec.php)
- the firmware upload page now checks for new versions of m0n0wall
online (and displays the results, if available, on the firmware
upload page). Timeout is 3 seconds, and the following information
is sent to the server: platform and m0n0wall version
- added interface menu to IPsec tunnel edit page (local endpoint
does no longer have to be the WAN interface)
- "reject" type filter rules are now supported (returns
TCP RST or ICMP port unreachable for UDP)
- added file up- and download via HTTP to exec.php
- renamed "Log blocked packets by default" option on System
logs: Settings page to "Log packets blocked by the default
rule" and changed its behavior: it only controls whether packets
that got blocked by an automatically generated rule (usually the
default-to-block rule in absence of a matching pass rule) are logged.
Logging of packets that are blocked by user-defined block rules
is now no longer affected and only controlled by the per-rule log
option. Logging for pass rules remains unchanged.
- changed policy level for IPsec VPN tunnels to "unique"
(was "require") to solve a problem with multiple tunnels
to the same endpoint
- fixed FQDN "my identifier" for IPsec mobile clients
- kernel patch for problem with traffic shaper rules for inbound
packets on WAN (FreeBSD kernel bug, see FreeBSD
PR kern/61685)
- various IPsec GUI fixes
pb25 (01/17/2004)
- mobile IPsec VPN clients (i.e. with a dynamic IP address) are
now supported. They have to share a common policy (P1/P2 proposal),
but may use different pre-shared keys (with domain names or e-mail
addresses as the identifier in aggressive mode). See this
tutorial for an example
- new diagnostics page to view and delete entries in the IPsec SAD
and SPD
- traffic shaper rules can now be applied to the WAN interface (kernel
patch)
- added <shellcmd> tag to <system> section which can
be used to run arbitrary shell commands after the initial boot setup
completes
- modified exec.php to always show the last command in the input
field
- added exec_raw.php to execute a command and return the output
in text/plain format without any HTML formatting (use like http://m0n0wall-ip/exec_raw.php?cmd=...
- command needs to be URL-encoded of course)
- filter rule generator has been modified: outgoing packets that
do not yet have a state table entry are now always allowed to pass
and create a state; this implies that the firewall itself can now
access any host on all networks that are attached to it. This change
was necessary to allow IPsec traffic from mobile users out and to
remove a very ugly rule that had been put in place to allow decrypted
IPsec traffic in on WAN without being able to verify that it had
indeed come from an IPsec tunnel (there's no way of verifying that
in an ipfilter rule)
- added a note about not being able to access NATed services using
the WAN IP address from within LAN or optional networks to the inbound
NAT page
- removed IPSEC_FILTERGIF from kernel config to correspond with
the changes in the filter rule generator - if you have a custom
kernel and use IPsec, rebuild it without that option!
- reversed processing order of ipfilter and ipfw in ip_output.c
to make things symmetric with ip_input.c (ipfw needs to see outgoing
packets before ipnat)
- upgraded racoon to 20030826a
pb24 (01/11/2004)
- reworked traffic shaper with separate rules, pipes and queues;
the old configuration is automatically converted to the new model
and should retain the same behavior, with one exception:
IMPORTANT: rule processing behavior for the traffic
shaper has changed: only the action (pipe/queue) of the first rule
to match a packet will be executed, instead of all rules that match
a packet. As such, rule order is now important (and may be modified).
- upgraded to IPFW2
- changed behavior of the "add rule" button (+): when
clicked next to a rule, adds the new rule before the current rule.
When clicked at the very bottom of the page, appends the rule to
the end of the relevant interfaces' rule list
- added new field to General setup to allow the webGUI port to be
specified
- syslogd is no longer bound to the LAN interface's IP address -
this fixes problems with logging to servers on optional interfaces
- symbols are now allowed in webGUI passwords
pb23 (01/01/2004)
- fixed "Log blocked packets by default" option
- NFS booting should work again
- host name may be omitted when setting up DNS forwarder overrides
- host name/client identifier to be sent when requesting a DHCP
lease can be configured
- removed watchdog support for net45xx
- removed DynDNS password check (special characters)
- the XML "spoofmac" element is now supported for LAN
and optional interfaces, too (even though the option is not offered
in the webGUI)
- added DHCP lease view page to diagnostics section
- updated mini_httpd to 1.19
- updated Dnsmasq to 1.18
- added a custom mini_httpd error page
pb22 (12/13/2003)
- host and network aliases are now supported for filter, NAT and
traffic shaper rules
- filter rules with logging enabled have an icon in the rule list
to reflect this fact
- default logging of blocked packets may be turned off on the log
settings page
- "diagnostics" category on navigation bar is shown collapsed
by default (to get most pages to fit at 1024x768 without scrolling,
and also to reflect the fact that diagnostics functions are for
advanced users and shouldn't need to be used so often); added a
JavaScript to expand it on demand
- updated ez-ipupdate to 3.0.11b8 (DynDNS.org is blocking 3.0.11b7
because it has been incorrectly implemented in a Linksys product
that is now flooding the DynDNS servers)
pb21 (12/7/2003)
- added "assign network ports" page to webGUI (note: the
link in the navigation bar may be disabled by adding <noassigninterfaces/>
in config.xml in the /m0n0wall/system/webgui section)
- fixed UI display glitch on IPsec VPN page (local subnet)
- upgraded mini_httpd to 1.18
- fixed settings tables to use relative widths only, removed forced
line breaks to improve compatibility with some browsers as well
as systems that do not have the intended font (Tahoma) installed
- renamed "assign network ports" to "Interfaces:
assign network ports" in console menu (for clarity)
pb20 (11/22/2003)
- r555: for all versions except CD-ROM, the device with the configuration
file is now automatically probed for (primary/secondary IDE, master/slave)
- net4801 port available
- DHCP server: default/max lease time and WINS servers are now configurable
(per interface)
- "default" default lease time changed to 7200 seconds,
default max lease time changed to 86400 seconds
- m0n0wall can now use dynamically assigned DNS servers on WAN (assigned
by DHCP or PPP) for itself. This is now enabled in the default configuration
(but must be enabled manually for existing configurations). Note
that dynamically assigned DNS servers are not redistributed to clients
by the DHCP server, because that would cause reloading of the DHCP
server each time the DHCP lease is renewed. The DNS forwarder
may be used, though.
- DNS forwarder now enabled in the default configuration
- replaced exec.php with a more advanced version
- replaced /cgi-bin/status.cgi by /status.php
- upgraded PHP to 4.3.4
pb19 (11/3/2003)
- r536: fixed IPsec tunnels (new handling
of IPSEC_FILTERGIF in FreeBSD 4.9)
- block rules are now supported, the rule order can be changed,
logging may be enabled per rule
and rules may be disabled individually
- filtering bridge support (see Diagnostics: Advanced page)
- destination for advanced outbound NAT rule is now configurable
- removed ng_bridge code, always use bridge(4)
- fixed ping/syslog to hosts on optional interfaces
- fixed interface status display when 1:1 NAT mappings are defined
(subnet mask)
- static routes are no longer lost when modifying 1:1 NAT entries
- print a warning on the console if a newer configuration file version
is found than the current m0n0wall version was designed for
- upgraded system to FreeBSD 4.9
- upgraded MPD to 3.14
- some cosmetic HTML fixes
pb18 (10/11/2003)
- SNMP support
- updated Dnsmasq to 1.17
pb17 (10/9/2003)
- r517: fixed problem with DHCP server not starting when the DNS
forwarder was enabled
- r517: fixed sluggishness in webGUI with HTTPS enabled
- the DHCP server now also serves clients on optional interfaces
- the webGUI password is no longer stored in plaintext (it is stored as a
one-way hash)
- in the CD-ROM version, the default config.xml is now automatically
copied to the floppy disk if not found
(i.e. a blank floppy disk may be used)
- upgraded mini_httpd to 1.17beta1 (security issues)
- incorporated patch from FreeBSD security advisory SA-03:18
- other minor/cosmetic fixes (e.g. help text in console LAN IP setup
to explain subnet bit counts)
pb16 (10/2/2003)
- r501: fixed security issue with status.cgi
- hostnames of DHCP clients may be automatically registered with
the DNS forwarder
- MTU can be specified for MSS clamping
- fixed status.cgi
- upgraded Dnsmasq to 1.16
- incorporated patches for three FreeBSD security advisories (SA-03:08,
SA-03:09
and SA-03:14)
pb15 (09/04/2003)
- r497: HTTPS support for the webGUI (replaced thttpd by mini_httpd)
- r497: updated PHP to 4.3.3
- r497: the local subnet can now be specified for IPsec tunnels
(no longer fixed to the LAN subnet)
- remote syslog'ing
- IPsec tunnels now work with a dynamic WAN IP address (tunnels
to other dynamic IP endpoints cannot be accepted, though)
- fixed PPTP client and server operating at the same time
- PPTP server will now assign m0n0wall's LAN IP address as the DNS
server to clients if the DNS forwarder is enabled
- racoon has been updated to 20030711a
- DynDNS user name syntax relaxed to allow for dynamic DNS services
which use e-mail addresses as the user name
- fixed XML parser when spaces are used instead of tabs between
tags
pb14 (08/02/2003)
- static routes supported
- outbound NAT is now configurable and can also be turned off completely
- syscons/atkbdc support removed from net45xx kernel
- "Read error" on Soekris net45xx with some CF cards should
finally be fixed
- r458 (net45xx only): fixed /boot/loader for broken CF cards bug
pb13 (06/29/2003)
- allow m0n0wall access to DNS servers on optional interfaces (e.g.
for DynDNS)
- timezone support
- NTP client support
pb12 (06/15/2003)
- fixed XML parser to allow special characters like &, <
or > in description fields
- DHCP service now supports static IP <--> MAC address mappings
- DHCP logging added (based on a contribution by Michael Mee)
pb11 (05/29/2003)
- completely reworked DMZ/WLAN support (new concept of "optional"
interfaces - number no longer limited)
- wireless interfaces can now be used in any function (including
LAN and WAN)
- r401: fixed XML parser bug (beginning of field values was occasionally
truncated)
- r409: fixed boot loader for net45xx version (read errors with
some CF cards)
- r409: added watchdog support for net45xx version
- r409: generic-pc (CF/IDE HD) version released
- r409: JavaScript bug fixed on traffic shaper: edit page
pb10 (05/24/2003)
- 1:1 NAT support
- CD-ROM/floppy disk version for generic PCs released
- CF card (or floppy disk) is no longer remounted (for writing) with
mount -u ..., but instead completely unmounted and remounted again
(as mount -ur does not flush the cache properly and sync doesn't help either)
pb9 (05/17/2003)
- IPsec VPN tunnel support
- MAC address spoofing support on WAN
- PPTP VPN RADIUS server support fix
- turned off swapping code in kernel
pb8 (04/30/2003)
- caching DNS forwarder
- RADIUS server support for PPTP VPN
- fixed a bug in ipfilter's MSS clamping code (in use when PPPoE
on WAN is enabled)
pb7 (04/20/2003)
- MPD/DHCP/etc. crashes fixed
- Ping function in webGUI (contributed by Bob Zoller)
- WLAN: channel autoselect now possible (contributed by Bob Zoller)
pb6 (04/13/2003)
- PPTP server (VPN) support
pb5 (04/06/2003)
- MPD upgraded to version 3.13
- FreeBSD upgraded to 4.8-RELEASE
- PHP upgraded to 4.3.1
pb4 (03/09/2003)
- wireless BSS (infrastructure) and IBSS (ad-hoc) modes are now
supported
- Cisco Aironet cards are now supported (in BSS and IBSS mode)
- wireless interfaces are no longer put in promiscuous mode with
hostap
- a new wireless status page has been added to display the signal
strength cache and the list of associated stations (in hostap mode)
for cards supported by the wi(4) driver (not for Cisco Aironet)
- dual wireless cards should now work (pccard.conf fixed up)
pb3 (03/01/2003)
- r247 -> r248: just a small fix for a PHP warning in Interfaces:
WLAN in the webGUI
- wireless support (up to 2 cards, PCI or PCMCIA), in hostap mode
(wi driver only), routed or bridged. Note: bridging between two wireless
cards should be possible, but is untested
- PPTP client: local/remote IP address can now be specified
- some messages about what is currently being done are now displayed
on the console while booting
- added a very simple script (/exec.php) to the webGUI to allow
advanced users to execute commands on the m0n0wall for testing/diagnostic
purposes.
pb2 (02/23/2003)
- changed navigation bar ("System" is no longer a link
and has now got a subitem named "General setup")
- modified firmware upgrade facility so the normal gzip'ed CF images
can be used
- added configuration backup/restore
- added new console menu item to allow LAN/WAN/DMZ <-> network
interface assignment
- improved bootup banner to show current port configuration
- added PPTP client support on WAN interface
pb1 (02/15/2003)