Multi-Tech RouteFinder VPN Family (RF660VPN and RF600VPN)

Contents
========

- Introduction
- Hardware Description
- How to perform Live Update
- Revision History
- Support Options
- Copyrights and Trademarks

Introduction
============

This document describes how to perform a Live Update of the RouteFinder
firmware and lists the changes and fixes in each released version. For
further questions or recommendations, please contact the local Multi-Tech
Systems office listed under Support Options below.

Hardware Description
====================

RF660VPN and RF600VPN hardware description:
-------------------------------------------

- Firewall / VPN with 10/100 Mbps LAN, WAN and DMZ ports

How to perform Live Update
==========================

- Make sure your RouteFinder is connected to the Internet.
- Log in to the RouteFinder Web Admin.
- Click on Tracking.
- Click on Update Services.
- Click on the Start button for the Update System.
- Click on Update-Livelog to follow the status of the update.
- Make sure the livelog shows "RPM RF660-x-xx installation successful"
  before performing any other task in Web Admin.
- Click on Home to verify that the new version is displayed.

Revision History
================

Changes and Bug Fixes in Version 3.05 (July 14, 2003)
=====================================================

Processes restarted and changes that will be made to the existing configuration:
---------------------------------------------------------------------------------

1. SNORT will be restarted.
2. If a SNORT rules update is in progress, it will be stopped before the
   system update.

Changes:
--------

1. The SNORT binary and rules have been updated to the latest version (2.0).
2. The weekly SNORT rule update has been removed.
3. The port scan livelog does not show the protocol used for the scan.
4. A new /etc/cron.daily/tmpwatch job is executed after the update to 3.05.
Fixes:
------

1. Fixed a SNORT vulnerability.
2. The new weekly update rules were not compatible with the old version of
   SNORT.
3. A new /etc/cron.daily/tmpwatch file cleans up the /tmp directory.

Changes and Bug Fixes in Version 3.03 (May 21, 2003)
====================================================

Processes restarted and changes that will be made to the existing configuration:
---------------------------------------------------------------------------------

1. The SOCKS proxy will be restarted.
2. PPTP will be restarted.
3. IPSec will be restarted.
4. Kaspersky's antivirus daemon will be restarted.
5. The DHCP server will be restarted.
6. If the DHCP server is enabled and a rule for it is present in ALLOW_PORTS,
   that rule will be deleted and two rules will be added instead, one in the
   AUTO_INPUT chain and one in the AUTO_OUTPUT chain.
7. IPSec: the AH and ESP keys for manual connections must now be entered as
   ASCII strings instead of hexadecimal numbers. Existing manual connections
   keep their keys intact. However, if such a connection is edited and saved,
   the stored key is mapped to ASCII characters, and if any of those
   characters falls outside the <32 – 127> range the connection will not
   work. In that case, re-enter the keys in ASCII and save the connection.

Changes:
--------

1. A mail notification is sent when the WAN Ethernet link goes down and
   dial backup is activated, and again when the WAN link comes back.
2. An option to save the backup file to a local drive has been added to the
   Tracking -> Backup page.
3. The AH and ESP (encryption and authentication) keys can no longer be
   entered as hexadecimal numbers. They have to be entered as ASCII
   characters.

Fixes:
------

1. Yahoo Messenger was not working with SOCKS proxy version 5 and
   authentication enabled. Fixed.
2. SOCKS log messages included details of the data being transferred. Those
   messages are no longer logged.
3. In SMTP Proxy -> SMTP routes, the entry adldata.com could not be added if
   the entry mail.adldata.com was already present. Fixed.
4. Kaspersky's configuration files have been included in the backup.
5. 255 was not allowed in the second and third octets of IP addresses. Fixed.
6. The IP address of pppd shown in ps aux did not match the pptpuser file.
   Fixed.
7. pptpd was restarting unexpectedly. Fixed.
8. The IPTable rule for DHCP was not present by default even though the DHCP
   server is enabled by default. It has been added. Also, if the DHCP server
   is enabled and the rule is missing, it will be added now.
9. The DHCP server was not giving a DNS address to clients if DNS proxy was
   enabled in the RF660. Fixed.
10. PPP dial backup: if factory defaults were restored while the backup link
    was up, the changes were not applied properly. Fixed.
11. The SMTP proxy stopped working after the virus key expired. Fixed.
12. IPTables were suddenly being wiped out on some machines. Fixed.
13. Connecting from a Windows XP PPTP client to a SQL database on the PPTP
    server's LAN was not working properly because of MTU problems. Fixed.
14. IPSec tunnels did not come up properly after the IPSec subsystem
    restarted Pluto. Fixed.
15. IPSec "DH secret has leading zero..." problem. Fixed.
16. Restarting got stuck (problem removing the ip_conntrack module). Fixed.
17. Virus database update: the time of the last update and the execution
    time were not displayed properly. Fixed.
18. The validation checks for the PPPoE user name have been relaxed. Any
    character except <, > and " can be used. The user name is limited to 50
    characters.
19. Factory defaults have been changed for the above.

Changes and Bug Fixes in Version 3.02 (March 19, 2003)
======================================================

NOTE: After the 3.02 update is completed, if you have DNS proxy enabled, you
must disable and re-enable DNS Proxy manually.
Processes restarted and changes that will be made to the existing configuration:
---------------------------------------------------------------------------------

1. The IPTable ALLOW rules for ports 2049 (NFS), 2401 (CVS), 113 (identd),
   139 (NetBIOS), 1812-1813 (RADIUS) and 69 (TFTP) will be removed from the
   ALLOW_PORTS chain. Instead, rules for ports 2401, 139, 1812 and 1813 will
   be added to the AUTO_OUTPUT chain, so that the RF660 itself can send CVS,
   SMB authentication and RADIUS packets.
2. If the Virus Scanner is enabled, the REDIRECT rule for the POP3 Virus
   Scanner will be moved to the first position in the DNAT chain.

Changes:
--------

1. Special characters are allowed in the passwords for the root user, SSH
   user, Webadmin user, PPP, PPPoE, CVS, other users (in the user
   authentication page) and the RADIUS secret.
2. Before IPSec is stopped, the Pluto database is cleared of all connections.
3. Packet Filters: a configurable option has been added to enable or disable
   logging of packets that are destined to the RF660 and discarded. With it
   enabled, the packet filter livelog displays all packets being dropped.
4. Logon page: the logo and version number on the initial logon page can be
   displayed or hidden with a configurable option on the Administration ->
   Web Admin page.

Fixes:
------

1. The IPTable ALLOW rules for ports 2049, 2401, 113, 139, 1812-1813 and 69
   are removed from the ALLOW_PORTS chain and outbound rules for 2401, 139,
   1812 and 1813 are added to the AUTO_OUTPUT chain, as described above.
2. 0 was not allowed in the 2nd and 3rd octets of the IP address for
   Gateway, WINS address, SAM PDC, SAM BDC and SMTP Proxy -> SMTP routes.
   Fixed.
3. Fixed a validation problem for Accepted Incoming Domains in the SMTP
   Proxy.
4. Services:
   - In the Services page, the source port range for DNS and SSH has been
     changed from 1024:65535 to 1:65535.
   - While editing a service and changing the protocol, the ports vanished.
     Fixed. Now TCP, UDP and TCP+UDP form one group and AH and ESP form
     another; if a service is edited and the protocol is changed within a
     group, the source and destination port fields or the SPI values remain
     intact.
   - Changed the alert message displayed when the service name added already
     exists in the services / service groups lists.
5. After update 3.01, PPTP had to be restarted from the web GUI before users
   could be added to the local database. Fixed.
6. If the DHCP client was not able to get an IP address, the IPSec route for
   eth1 was removed once it finished trying. Fixed.
7. Virus Scanner: two separate controls have been added for the SMTP Virus
   Scanner and the POP3 Virus Scanner in the Proxies -> SMTP Proxy -> Virus
   Scanner section.
8. The POP3 Virus Scanner's redirection rule now takes precedence over the
   DNAT rules (it is always added in the first position of the chain).
9. After update 3.01, the ownership of the ICMP services file was changed, so
   error messages were displayed while adding ICMP services. Fixed.
10. Version Control: clearing the options was not allowed. It is allowed now.
11. PPPoE: if PPPoE is enabled but cannot obtain an IP address and the box is
    restarted, the WAN gateway and IP address entries in Network Setup are
    shown read-only after the box comes up. They are also read-only while
    the monitor is still trying to obtain an IP address.
12. Factory default values have been changed for the above. The IPTable rule
    file in the factory defaults did not have an entry for the SQUID_DROP
    chain; it has been added, and if it is missing from the running IPTables
    it will be added now. The entry for POP3VSCAN was missing from the
    factory default process status file; it has been added.
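The 3.03 notes above state that manual AH/ESP keys are now stored as ASCII characters and that an existing hex key whose bytes fall outside the <32 – 127> range will break when the connection is re-saved. The following script, added here as an illustration and not Multi-Tech code, reproduces that mapping so an administrator can check a peer's hex key before editing the connection. The sample keys and the expected key length are constructed assumptions for the example; the release note does not list per-algorithm key lengths.

```python
"""Check whether a hex-encoded manual AH/ESP key survives the RouteFinder
3.03 rule that keys are stored as ASCII characters in the <32 - 127> range.

Added example for this release note; it is not Multi-Tech code, and the
sample keys below are constructed for illustration only.
"""
from typing import Optional, Tuple

ASCII_MIN = 32   # lowest character code the 3.03 note allows
ASCII_MAX = 127  # highest character code the 3.03 note allows


def _parse_hex_key(hex_key: str) -> bytes:
    """Accept '0x'-prefixed or bare hex and return the raw key bytes."""
    text = hex_key.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)


def hex_key_to_ascii(hex_key: str) -> Optional[str]:
    """Map a hex key to the ASCII string the 3.03 web admin would store.

    Returns the string when every byte lies within <32 - 127>, or None when
    at least one byte does not (the case the release note warns about).
    """
    raw = _parse_hex_key(hex_key)
    if any(b < ASCII_MIN or b > ASCII_MAX for b in raw):
        return None
    return raw.decode("ascii")


def ascii_key_to_hex(ascii_key: str) -> str:
    """Inverse mapping, so an ASCII key can be compared with a peer that is
    still configured with the same key material in hex."""
    return ascii_key.encode("ascii").hex()


def key_is_safe_to_resave(hex_key: str, expected_len: int) -> Tuple[bool, str]:
    """Decide whether an existing manual connection can be edited and saved
    without breaking, and say why when it cannot.

    expected_len is the key length in bytes the chosen AH/ESP algorithm
    requires (an assumption of this example; the note does not list them).
    """
    raw = _parse_hex_key(hex_key)
    if len(raw) != expected_len:
        return False, "key is %d bytes, expected %d" % (len(raw), expected_len)
    bad = [i for i, b in enumerate(raw) if b < ASCII_MIN or b > ASCII_MAX]
    if bad:
        return False, ("bytes at offsets %s fall outside <32 - 127>; "
                       "re-enter the key as ASCII before saving" % bad)
    return True, "all bytes are printable ASCII; resaving keeps the same key"


if __name__ == "__main__":
    # Constructed sample keys: one that maps cleanly, one that does not.
    GOOD = "4d756c74692d54656368524636363021"   # "Multi-TechRF660!"
    BAD = "0a1b2c3d4e5f60718293a4b5c6d7e8f9"    # 0x0a, 0x82, ... are outside
    for key in (GOOD, BAD):
        print(key, hex_key_to_ascii(key), key_is_safe_to_resave(key, 16))
```

One caveat of the ASCII-only rule, which is this editor's observation and not part of the release note: a byte restricted to the 96 values between 32 and 127 carries about 6.6 bits of entropy instead of 8, so a 16-byte ASCII key holds roughly 105 bits rather than 128. Generate manual keys from random characters in the allowed range rather than from words or phrases.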
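Three of the fixes in these notes (3.03 fix 5, 3.02 fix 2 and 3.01 fix 24 further down) concern the same input-validation defect: 0 or 255 was rejected in the 2nd and 3rd octets of an IP address. The script below is an added example, not the RouteFinder's own validation code: the "buggy" validator is a hypothetical reconstruction of how that class of defect arises, placed beside a strict validator and a table of constructed regression cases that catch it.

```python
"""Octet validation for IPv4 addresses: the bug class behind the 3.03, 3.02
and 3.01 fixes that rejected 0 or 255 in the 2nd and 3rd octets.

Added example, not Multi-Tech code. The 'buggy' validator is a hypothetical
reconstruction of how such a defect arises; it is not the RouteFinder's
actual validation code.
"""
import re

# Correct per-octet pattern: 0-255.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
# Hypothetical buggy pattern for the middle octets: 1-254, so ".0." and
# ".255." are silently rejected even though both are legal there.
_BUGGY_MIDDLE = r"(?:25[0-4]|2[0-4]\d|1\d\d|[1-9]\d?)"

_BUGGY_RE = re.compile(r"%s\.%s\.%s\.%s" % (_OCTET, _BUGGY_MIDDLE, _BUGGY_MIDDLE, _OCTET))


def buggy_is_ipv4(addr: str) -> bool:
    """Validator that exhibits the reported defect (hypothetical)."""
    return _BUGGY_RE.fullmatch(addr) is not None


def is_ipv4(addr: str) -> bool:
    """Strict dotted-quad check: exactly four decimal octets, each 0-255,
    no leading zeros (which inet_aton would read as octal) and no signs."""
    parts = addr.split(".")
    if len(parts) != 4:
        return False
    for p in parts:
        if not (p.isascii() and p.isdigit()) or len(p) > 3:
            return False
        if len(p) > 1 and p[0] == "0":
            return False
        if int(p) > 255:
            return False
    return True


# Regression cases (constructed): address -> verdict a correct validator
# must give. The middle-octet cases are the ones the release notes describe.
REGRESSION_CASES = {
    "192.168.2.1": True,
    "10.255.0.1": True,     # 255 in 2nd octet (3.03 fix 5)
    "10.0.255.1": True,     # 255 in 3rd octet
    "10.0.1.1": True,       # 0 in 2nd octet (3.02 fix 2, 3.01 fix 24)
    "10.1.0.1": True,       # 0 in 3rd octet
    "256.1.1.1": False,
    "1.2.3": False,
    "1.2.3.4.5": False,
    "01.2.3.4": False,
    "1.2.3.-4": False,
    "": False,
}


def regressions(validator) -> list:
    """Return the addresses on which `validator` disagrees with the expected verdict."""
    return [a for a, want in REGRESSION_CASES.items() if validator(a) != want]


if __name__ == "__main__":
    print("buggy validator fails on:", regressions(buggy_is_ipv4))
    print("fixed validator fails on:", regressions(is_ipv4))
```

The point of the table is that a validator which only checks "looks like four numbers" passes every case except the four middle-octet ones; keeping those cases in a regression suite is what stops the same defect from reappearing in the next page that takes an address, as it did across three releases here.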
Changes and Bug Fixes in Version 3.01 (March 3, 2003)
=====================================================

Processes restarted and changes that will be made to the existing configuration:
---------------------------------------------------------------------------------

- The PPTP daemon will be restarted. All existing connections will be
  brought down.
- The DHCP client will be restarted.
- The SurfControl server will be restarted.
- Existing IPSec connections with Local Subnet 'Any' or 'none', or with
  Remote Subnet 'Any', will be removed.
- After this update only one authentication type can be selected for HTTP
  Proxy and SOCKS Proxy authentication. If two or three authentication types
  were selected before the update, only the first one remains enabled and
  the others are disabled. The HTTP Proxy and SOCKS proxy will therefore be
  restarted.
- ICMP packet filter rules with the codes Network Unreachable and Protocol
  Unreachable will be removed. Any such rule that had been configured was
  never actually installed in the IPTable rules.
- ICMP packet filter rules with the following codes will be removed, as they
  are obsolete:
  - time-stamp-request
  - time-stamp-reply
  - network-unreachable -> host-isolated
- Existing Network Intrusion Detection rules with Destination IP Address
  'Any' will be removed.

Changes:
--------

1. SARG report generation has been moved from cron.fivemins to cron.hourly.
2. PPTP: static IP address assignment is supported for users.
3. Networks & Services - Services: the protocol "ANY" has been removed from
   the Services page. A static service 'Any' with ports 1-65535 already
   exists, so a user-defined service with protocol "Any" is redundant; with
   protocol "Any" the configured port numbers have no meaning.
4. IPSec: when adding a new or editing an existing IPSec connection, Local
   LAN = Any, Local LAN = none and Remote LAN = Any are no longer accepted.
5. HTTP Proxy: HTTP proxy authentication now allows only ONE type (local,
   RADIUS or SAM).
6. SOCKS Proxy: SOCKS proxy authentication now allows only ONE type (local,
   RADIUS or SAM).
7. Network Intrusion Detection: the entry Any has been removed from the
   Destination list box, because it generated a very large number of log
   messages and made the box very slow.
8. DNAT: 'Any' has been removed from the pre-destination network.
9. Backup: the comment field on the backup page is limited to 100
   characters.

Fixes:
------

1. Statistics & Logs - SMTP Proxy: selecting SMTP Proxy in the left-hand
   menu and then clicking it again gave an error. Fixed.
2. URL Categorization filters: a memory leak has been fixed.
3. URL Categorization filters: the memory percentage check has been removed
   from the five-minute cron job.
4. PPTP: PPP CPU usage went high if a client did not disconnect cleanly, and
   no further connections were allowed afterwards. Fixed.
5. PPTP: an extra log option has been removed from the
   /var/chroot-pptp/etc/ppp/options file.
6. Networks & Services - Services: clicking edit on one service and then
   edit on another service made the second service overwrite the first.
   Fixed.
7. Network Groups / Service Groups: the same service / network could not be
   added to two different groups. Now it can.
8. System Updates: if there was nothing to update, the message shown in the
   update livelog was wrong. Also, if the signature check for any RPM
   failed, the update went into an infinite loop. Both fixed.
9. System Updates: after a system update the File Integrity Check module
   sent a mail it was not supposed to send. Fixed.
10. Virus Update: after the update from 2.94a to 3.0, the virus update date
    and time were not displayed in the web GUI. Fixed.
11. SSH: if there were SSH connections to the box and the main sshd was
    killed, the self monitor did not restart sshd. Fixed.
12. IPSec: if Pluto is killed for any reason, the monitor is now able to
    restart IPSec.
13. Log rotate: the virus scanner's log file kavscan.rpt has been included
    in logrotate.
14. Packet Filters: a packet filter rule with the service "ICMP Network
    Unreachable" or "ICMP Protocol Unreachable" was not being added. Fixed.
15. Packet Filters: packet filter rules with ICMP time-stamp-request,
    time-stamp-reply and network-unreachable -> host-isolated were not being
    added because these codes are obsolete. Those options have been removed
    from the Services page.
16. DHCP client: if the IP address changed during renewal, the configuration
    files were not updated properly. Fixed.
17. Web Admin Site Certificate: spaces are now allowed in State, City,
    Company and Organization unit.
18. Web GUI: the GUI has been made faster by optimizing the File Integrity
    Check calls.
19. Backup: the version file has been added to the backup.
20. Backup: after importing a backup, the folder /home/multiweb was deleted.
    Fixed.
21. Backup: if no comment was given when taking a backup from the web GUI,
    importing that backup file gave a version error. Fixed.
22. Backup: once the number of backup files kept on the firewall reached the
    configured maximum, changing the date to the past made subsequent
    backups fail. Fixed.
23. Certain domains could not be added in the Accepted Incoming Domains
    field. Fixed the validation problem.
24. 0 was not accepted in the 2nd or 3rd octet of the WINS IP address. Fixed
    the validation problem.
25. DNS Proxy: the admin mail id in the default zone file has been changed to
    admin@yourdomain.com.
26. POP3 Virus Scanner: the POP3 Virus Scanner has been included in the self
    monitor.
27. Packet Filters - ICMP - ICMP on firewall: if ICMP was disabled for LAN or
    DMZ, DROP rules were also added for WAN. Fixed.
28. Factory defaults have been changed for the above. Also, after restoring
    factory defaults, the /home/multiweb directory was deleted. Fixed.

Support Options
===============

For technical support, you may contact your authorized Multi-Tech Systems
distributor or dealer, or one of the following Multi-Tech Systems branch
offices.

U.S.A.
  Web Site: www.multitech.com
  FTP Site: ftp.multitech.com
  Tel: +1 (763) 785-3500
  Fax: +1 (763) 785-9874

U.K.
  Tel: +44 (118) 959-7774
  Fax: +44 (118) 959-7775

France
  Tel: +33 (1) 6461-0981
  Fax: +33 (1) 6461-0971

India
  Tel: +91 (11) 6174-634
  Fax: +91 (11) 410-5968

Copyrights, Trademarks
======================

All documents and software provided herewith are Copyright (c) 2003
Multi-Tech Systems. All rights reserved.

MS, Windows, Windows 95 and Windows NT are trade names of Microsoft
Corporation. Other trademarks or trade names used herein are properties of
their respective owners.