
24 April 2006

NuFW 2.0-beta1, one step before 2.0

The NuFW Core Team is proud to announce the availability of NuFW 2.0-beta1.

This new release adds a bunch of exciting new functionalities:
- Support of ICMP Reject messages: users can now be warned when a packet has been blocked by NuFW.
- Expiration of connections and true time-based ACLs: one can now define an 8am-6pm time period and link it with an ACL. Connections can start during this interval and are automatically killed at 6pm.
- Better X.509 support, thanks to Eole sponsoring.
- Support of multiple instances of a module, each instance with its own config file: nuauth can, for example, log to two different MySQL databases, or get authentication from two distinct LDAP directories...
- Better libnuclient: it now has an error-handling structure.
- More endian-friendly protocol between client and nuauth.
- Massive code cleanup and documentation (written by and for developers, but it exists now ;-)

The full changelog is as follows:
- nuauth: bugfix in the PostgreSQL log module, thanks to Julian Reich
- nuauth: fix bug in the max client number test
- nuauth|nufw: really close the socket in all cases now
- nuauth: certificate checking improvement
- nuauth: separate SASL and TLS code
- nufw: cleanup of TLS end of session
- libnuclient: introduce nu_client_global_init to avoid multiple global initialisations of GnuTLS and SASL
- define protocol version 3: protocol version 2 with a fix on endianness
- nuauth: fix crash when multiple logging modules are used (if one of them is mysql)
- libnuclient: free connection table
- libnuclient: fix multithreaded code
- nuauth: store user identifiers in 32 bits (and not 16), but still send the user ID in 16 bits to nufw (with a warning)
- new configure option: --with-perf-display, displays a benchmark of user authentication
- nuauth: fixes for buffer underflows, check that received packets are big enough before casting them to a structure
- nufw and nuauth: fix possible buffer overflow: replace strncpy with the new macro SECURE_STRNCPY, which always writes '\0' at the last position, and replace calls like sscanf(..., "%10s", ...) with SECURE_STRNCPY
- nufw: whole code is documented using doxygen syntax
- nufw and nuauth: use shorter syntax to display debug messages
- nufw and nuauth: fixes to make them compile in strict ANSI mode with gcc (using the -ansi option)
- nufw and nuauth: fix memory leaks, some of them detected with the great tool Valgrind
- nuauth: reorganize source code, split big functions into small sub-functions and move some functions into new files
- nufw and nuauth: remove dead code and unused variables/macros
- nufw and nuauth: use more explicit names for variables and structures, for example rename 'c' to 'socket'
- nuauth, script module: fix a security bug, quote script arguments
- small changes to make the flawfinder and rats tools happy
- replace obsolete usleep() with nanosleep()
- introduce a lock in the TLS code because GnuTLS is NOT really thread-safe (it does NOT support several threads sending on the same TLS session)
- stronger security in the mysql and postgresql modules: use secure_sprintf() instead of classic sprintf() and quote all user strings
- stronger security in the script module: quote all arguments
- fix some minor bugs detected by Valgrind
- check inet_ntop() and inet_addr() errors
- small changes to make nufw and nuauth source code ANSI C compliant
- fix gcc compilation flags: use -O0 in debug mode instead of -O2, and detect all warnings with -Wextra (or -W for gcc < 4.0)
- use a pointer and not an object during logging
- bugfix: nuauth: don't crash anymore if the configuration file doesn't exist
- nuauth: fix GnuTLS problem (multithreaded writing and reading)
- nuauth: multiple modules with separate conf
- nuauth: stop threads (and thread pools) before exiting NuAuth. Use a mutex to ask a thread to stop. Each thread uses a timeout of one second and doesn't use any blocking function anymore (use functions with a timeout instead: e.g. g_async_queue_timed_pop() instead of g_async_queue_pop())
- nuauth: port of the system_convert_username_to_lowercase option (from 1.0)
- NuFW: ICMP reject via decision 3.
- xml_defs: new module for period definitions
- nuauth: add nuauth_module_certificate_check and nuauth_module_certificate_to_uid configuration variables (work sponsored by EOLE)
- x509_std: new module with standard check and function for nuauth_module_certificate_check and nuauth_module_certificate_to_uid
- nuauth: modify config file parsing to avoid a memory leak
- nuauth: add the nuauth_debug_area option to be able to specify the logging area
- nuauth: add a Prelude IDS module which can log packet events and user sessions.
- nuauth: new nuauth_reject_authenticated_drop option to choose whether to drop or reject a packet that matches an ACL's IPv4 header but whose user is not in the group.
- nuauth: period checking is now done in the main code (not in the module anymore) to avoid problems with the cache.
- move conffile.h from src/nuauth/include to src/nuauth and suppress src/nuauth/include
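As an added illustration of the strncpy fix in the changelog (this is not NuFW's own code), the block below contrasts the replaced pattern, strncpy() bounded by the full buffer size, with a macro reconstructed from the page's description of SECURE_STRNCPY ("always writes '\0' at the last position"); the macro definition is an assumption based on that description, not the project's actual source.

```c
/* Added example, not NuFW code: contrasts plain strncpy() with a macro
 * reconstructed from the changelog's description of SECURE_STRNCPY
 * ("always writes '\0' at the last position"). The exact NuFW definition
 * is assumed; only the guarantee is taken from the page. */
#include <stddef.h>
#include <string.h>

/* dst must be a real char array so that sizeof(dst) is its capacity.
 * Copies at most sizeof(dst)-1 bytes and always terminates the buffer. */
#define SECURE_STRNCPY(dst, src) do {              \
        strncpy((dst), (src), sizeof(dst) - 1);    \
        (dst)[sizeof(dst) - 1] = '\0';             \
    } while (0)

/* 1 if buf contains a NUL within its first len bytes, else 0. */
static int is_terminated(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* The pattern the changelog replaces: strncpy bounded by the whole buffer.
 * When src has sizeof(dst) or more characters, strncpy writes no NUL, and
 * every later strlen()/printf("%s") on dst reads past the end. */
int unsafe_copy_is_terminated(const char *src)
{
    char dst[8];
    strncpy(dst, src, sizeof(dst));
    return is_terminated(dst, sizeof(dst));
}

/* Same input through the safe macro: the last byte is always '\0'. */
int secure_copy_is_terminated(const char *src)
{
    char dst[8];
    SECURE_STRNCPY(dst, src);
    return is_terminated(dst, sizeof(dst));
}

/* Length of what survives in an 8-byte buffer: at most 7 characters. */
size_t secure_copy_len(const char *src)
{
    char dst[8];
    SECURE_STRNCPY(dst, src);
    return strlen(dst);
}

/* The sscanf(..., "%10s", ...) pattern mentioned on the page has the same
 * flaw in another guise: "%10s" stores up to 10 characters plus a NUL, so a
 * char[10] target is overrun by one byte. A width of sizeof(buf)-1 is the
 * minimum, and copying via SECURE_STRNCPY avoids the off-by-one entirely. */
```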