JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject:
From: Ray Soucy <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Wed, 22 Dec 2010 11:24:25 -0500

Greetings, All.

The new release of Joebox software from MECnet is finally looking like
it's at a point where we can start doing production testing.

We're still calling this a "beta" until we've verified that it is
working well in a production K12 environment; so ideally we're looking
for sites that are willing to work with us to troubleshoot and resolve
any issues that come up due to the upgrade.

If you're interested in being a "beta tester" for the new release,
please drop me a note.
Disclaimer: There will be a limited number of sites that get the beta
software, so you may or may not get included.

Here is a summary of what has changed in the new release.  As you can
see there are a lot of major changes, so we may run into bugs that
weren't caught in internal testing.

FIREWALL ENGINE

The JB Firewall Engine has been re-written.  The new engine
dynamically adds, modifies, and removes rules without flushing and
re-creating the entire policy (which is how the current version
operates).  This should improve stability and make minor changes to
the Joebox less disruptive to production traffic.

Firewall groups and rules can now be ordered in the web UI.  The
Joebox will now correctly respect ordering.  This resolves issues for
sites using multiple groups.

The Linux kernel used by the system has been upgraded to the long-term
stable development tree (2.6.32).

Additional kernel tuning to provide better support for large networks.

Firewall rules now allow for ICMP protocol and type to be specified.

SMTP filtering now provides an internal ACL field for IP addresses or
networks that should be allowed to make outgoing SMTP connections.

Policy Engineering for Low, Medium, and High policy levels has been
re-worked.  The new policy will allow for rules to correctly filter
between internal networks.

WEB FILTERING

MECguard has been upgraded to a new major version.  The new version of
MECguard no longer resets active connections when changes are applied,
making changes less disruptive.

The TLD list has been replaced with global Allow and Block lists,
which now work.  This makes the user interface a little more
intuitive.

A "soft allow" list has been added to ignore URLs that would be
otherwise blocked as part of a filter category, but not be globally
allowed (e.g. these sites will still go through the standard checks).
For example, "youtube.com" is in the "Pornography" category list.  You
likely wouldn't want to allow youtube.com as that would allow any
request to the site without making any checks.  The soft allow removes
youtube.com from the category list, but still allows for more
fine-grain blocking via RTF or URL lists, for example blocking
"youtube.com/signin" but not blocking all of youtube.com.

RTF now correctly checks all keywords.  This fixes an obscure bug
where some keywords would be checked and others would not be.  For
example, the keyword "soucy" would always be ignored by RTF in the
previous release.

MECguard is now more respectful of filter groups.  For example, blocks
triggered by RTF will only be applied to the group that the block was
triggered on.  Like the firewall engine, group order displayed is now
respected by the system.  Group-level options to use global URL lists
and RTF are correctly respected.

MECguard performance has been improved.

MECguard now makes use of 192.0.0.1 as its override login address
instead of 172.31.255.1 which was a conflict for some networks.  The
old address will remain valid until the next release to provide time
to update block pages.

A button to reset the MECguard block page to the system default has
been added in the event you want to revert from a custom block page.

MECguard access logs now correctly export.

MECguard "top sites" log is now broken down by group.

MECguard log viewer now includes a date widget.

SECURE WEB FILTERING

Major change here: MECguard SSL is now a proxy-based solution rather
than a transparent one.  This means that in order to use MECguard SSL
the system or browser will need to be configured to do so.  It also
means, however, that MECguard will be able to block SSL websites by
hostname and log requests without generating SSL certificate errors
for allowed sites.

A group-level "Force MECguard SSL" checkbox has been added which
redirects any non-proxy HTTPS traffic for the group to a block page
explaining that HTTPS is disabled unless using a proxy.  MECguard SSL
can still be used without blocking non-proxy traffic if the option is
not checked.

The Joebox provides an automatic proxy configuration script at the URL
"http://192.0.0.1/wpad.dat", this script includes the necessary
exceptions to not filter private networks, and only direct HTTPS
requests to the proxy server (also at 192.0.0.1).

For browsers to auto-discover the proxy configuration URL, you can
create a DNS record for wpad.domain (where domain is whatever domain
name you assign to your hosts) which points to 192.0.0.1.  If using
the Joebox as your DNS server in local mode (private IP addressing)
the "wpad.local" DNS record will correctly respond without additional
configuration.  Sites using their own DNS server and a domain name
other than local will need to manually create the DNS record.

Client systems may need to have automatic configuration enabled under
Internet settings for WPAD to work.

Sites running their own DHCP server may be able to provide the WPAD
configuration URL using DHCP (we believe the DHCP method is Windows
only).

SYSTEM

Reminder messages have been added reminding you to save your
configuration if changes have been made, and to reboot your Joebox if
software has been upgraded.

Fix for a memory leak in UI causing load average to slowly rise.

Local-mode DHCP server now correctly includes the "authoritative;"
statement and will force clients to request a new lease if they
attempt to renew an invalid lease.  This was causing significant
address assignment problems for hosts that roam between different
networks (such as wireless).

System kernel has been upgraded to a more actively developed and
maintained tree.

-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
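The WPAD behaviour described under SECURE WEB FILTERING (private networks bypass the proxy, only HTTPS goes to 192.0.0.1), written out as a PAC script. This is an added example, not the Joebox's own wpad.dat; the proxy port 3128 and the small helper stand-ins for the browser's PAC runtime are assumptions.

```javascript
// Added example of a WPAD-style proxy auto-config script. The announcement
// does not state the proxy port, so 3128 below is an assumption.

// Stand-ins for helpers a browser's PAC runtime provides, so the script can
// also be exercised outside a browser (e.g. under Node).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => ((acc << 8) | parseInt(o, 10)) >>> 0, 0);
}

function isInNet(host, pattern, mask) {
  // Only literal IPv4 addresses are tested; hostnames would need dnsResolve().
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

var MECGUARD_SSL_PROXY = "PROXY 192.0.0.1:3128"; // port is assumed

function FindProxyForURL(url, host) {
  // Local names and private (RFC 1918) destinations are never proxied,
  // nor is the Joebox's own override/proxy address.
  if (isPlainHostName(host) ||
      host === "localhost" ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "192.0.0.1", "255.255.255.255")) {
    return "DIRECT";
  }
  // Only HTTPS is sent through MECguard SSL; plain HTTP stays transparent.
  if (url.substring(0, 6).toLowerCase() === "https:") {
    return MECGUARD_SSL_PROXY;
  }
  return "DIRECT";
}
```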
