Release Notes: ============== 05/17/2003 (v0.82) No one's complained seriously about the nightly lately, so we're releasing it for lack for anything better to do! Not sure how it got to be ten months since the last minor version. Oops. Here's some of the stuff that's been added since then. * Added DESTDIR option to Makefile to assist with packaging. * Added auth source support for NIS and IMAP, and made substantial improvements to the RADIUS, LDAP, and PAM support, almost entirely due to patches sent by our amazing users. You guys rock. PAM support is still a little flaky, apparently. We're still working on it. * Made logging to disk optional again. * Gateway now resets log files on SIGHUP if it's logging locally. This can be used in conjunction with log rotation schemes. * Added IgnoreMAC gateway option, if the NoCat gateway isn't connected to the internal network at Layer 2. * Added DNS autoconfiguration via /etc/resolv.conf, using a patch from DJ Gregor. * Altered authserv.conf to support pgsql out of the box and to document the enhanced RADIUS support. * NoCatAuth now features a setuid firewall wrapper so that the gateway can be run as a user other than root. Run "make suid-gateway" to build NoCat with the suid wrapper. You will need a copy of gcc handy for this step. All praise Terry Schmidt for dreaming up the idea in the first place. * Open mode g/w now automatically parses any HTML files it delivers for $whatnot type variables. This will permit the NYCWireless folks to have the login page be different from the splash page. * Added -F command-line option to gateway, to prevent daemonization. -=-=-=-=-=-=-=- 07/07/2002 (v0.81) *** IMPORTANT *** If you're upgrading from 0.80, Read the README!!! *** IMPORTANT *** Lots of nifty updates for 0.81. New features: * Samba, LDAP, and PAM authentication sources are now supported (and, in some cases, greatly improved.) Thanks to Scott Lemon (for his deadly ninja LDAP fu), Martin Davidsson (for Radius.pm fixes). * Greatly improved pf support, largely due to contributions from Richard Lotz and DJ Gregor. * Completely rewritten firewall scripts for iptables. The new method sets NoCat_* chains and manipulates them, and adds a single jump out to them. This makes it much easier to run the gateway on an existing firewall, without mangling your firewall rules. The gateway script also cleans itself up on exit, (theoretically) leaving your original firewall rules as they were. * Status page support in Captive/Passive mode (http://gateway:5280/status now works, just like it did in Open mode.) The following bugs were hopefully squashed: * Passwords are once again hashed before being stuck into MySQL (big oops in v0.80). * IE6 redirect problems are all resolved. * Auto discovery of network devices and network numbers should be a bit more stable. * Diagnostic mode (-D) shouldn't eat all resources anymore * AllowedWebHosts and RouteOnly should now work as advertised. * Fixed a nasty situation where a user who changed their IP got caught in a capture loop. -=-=-=-=-=-=-=- 05/06/2002 (v0.80) Ugh, two months since our last release... :-( Well, a number of factors have intervened to make thorough testing temporarily difficult, and there have been some particularly pesky bugs that we wanted to knock out before continuing on our merry way. Some really exciting things have transpired since then, however. Fixed in this release: * Bugginess in network autoconfiguration has been fixed. Autoconfig should do the right thing if you've only got two network interfaces; otherwise, bet on having to at least set your InternalDevice. * The dreaded IE5/6 incompatibility with Passive mode appears to have been fixed. Other browsers, such as OmniWeb, appear to be a lot happier with Passive mode, now, too. New in this release: * Basic packetfilter support added for OpenBSD, thanks to Richard Lotz! This support has NOT YET been thoroughly tested, so your feedback would really be appreciated. * New Open mode status page, based on patches from Don Park and Michael Codanti, and recommendations from Andrew Woods. Way cool. * Loopback firewall mode, which should in theory permit testing of the NoCat gateway and authservice all on a single machine running iptables with no network. You can set up loopback mode by doing an ordinary "make gateway", followed by "bin/detect-fw.sh loopback bin/" from /usr/local/nocat. Please don't use this unless you really know what you're doing. * Added LDAP support, using a NoCat::Source driver written by Nathan Zorn. We don't have an LDAP server, so you'll have to test this and let us know if it works, and send patches if it doesn't. :-) * Added RADIUS support, based on sample code submitted by Jan-Patrick Perisse. We don't have a RADIUS server, either, so please let me know if this works! :-) * The NoCat gateway now by default uses a post-forking model to handle incoming client requests, which appears to have made the gateway significantly more stable on PersonalTelco's public nodes. You can turn this off (don't ask me why you'd want to, but you can) by adding "ForkOff 0" to your nocat.conf. -=-=-=-=-=-=-=-=-=- 03/07/2002 (v0.78) Major bug fixes. * Captive mode fixed. (Oops.) * Passive mode really works now. If you run an authservice, it will need the new renew_pasv.html form, plus a PassiveRenewForm directive that points to it. See the latest authserv.conf for an example. I haven't tested passive mode with every available browser, so the login renewal may not work with every JavaScript implementation. If not, patches welcome. :-) The basic gist, though, is that, using passive mode, you can now run NoCatAuth from behind a NAT'ed firewall. (Hooray!) * Automatic network discovery has been added! Through the magic of ifconfig and netstat, NoCatAuth can now detect most gateway configurations automatically. This makes InternalDevice, ExternalDevice, and LocalNetwork optional in your nocat.conf, *unless* NoCat can't figure out what's going on. * Due to popular demand, you can now (once again?) run your gateway and your authservice on the same machine. They should be installed to separate directories, however. Of course, use of this feature is not recommended for security reasons, but it will let you try out NoCatAuth without having to set up multiple machines.