JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject:
From: "Jef H. HamLin" <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Wed, 22 Dec 2010 12:56:49 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (99 lines)

Always willing to help out, Ray.

H

-----Original Message-----
From: Joebox User [mailto:[log in to unmask]] On Behalf Of Ray Soucy
Sent: Wednesday, December 22, 2010 11:24 AM
To: [log in to unmask]
Subject: Joebox 12.x Beta Test

Greetings, All.

The new release of Joebox software from MECnet is finally looking like it's at a point where we can start doing production testing.

We're still calling this a "beta" until we've verified that it is working well in a production K12 environment, so ideally we're looking for sites that are willing to work with us to troubleshoot and resolve any issues that come up due to the upgrade.

If you're interested in being a "beta tester" for the new release, please drop me a note.
Disclaimer: There will be a limited number of sites that get the beta software, so you may or may not get included.

Here is a summary of what has changed in the new release.  As you can see there are a lot of major changes, so we may run into bugs that weren't caught in internal testing.

FIREWALL ENGINE

The JB Firewall Engine has been re-written.  The new engine dynamically adds, modifies, and removes rules without flushing and re-creating the entire policy (which is how the current version operates).  This should improve stability and make minor changes to the Joebox less disruptive to production traffic.

Firewall groups and rules can now be ordered in the web UI.  The Joebox will now correctly respect ordering.  This resolves issues for sites using multiple groups.

The Linux kernel used by the system has been upgraded to the long-term stable development tree (2.6.32).

Additional kernel tuning to provide better support for large networks.

Firewall rules now allow for ICMP protocol and type to be specified.

SMTP filtering now provides an internal ACL field for IP addresses or networks that should be allowed to make outgoing SMTP connections.

Policy Engineering for Low, Medium, and High policy levels has been re-worked.  The new policy will allow for rules to correctly filter between internal networks.

WEB FILTERING

MECguard has been upgraded to a new major version.  The new version of MECguard no longer resets active connections when changes are applied, making changes less disruptive.

The TLD list has been replaced with global Allow and Block lists, which now work.  This makes the user interface a little more intuitive.

A "soft allow" list has been added to ignore URLs that would be otherwise blocked as part of a filter category, but not be globally allowed (e.g. these sites will still go through the standard checks).
For example, "youtube.com" is in the "Pornography" category list.  You likely wouldn't want to allow youtube.com as that would allow any request to the site without making any checks.  The soft allow removes youtube.com from the category list, but still allows for more fine-grained blocking via RTF or URL lists, for example blocking "youtube.com/signin" but not blocking all of youtube.com.

RTF now correctly checks all keywords.  This fixes an obscure bug where some keywords would be checked and others would not be.  For example, the keyword "soucy" would always be ignored by RTF in the previous release.

MECguard is now more respectful of filter groups.  For example, blocks triggered by RTF will only be applied to the group that the block was triggered on.  Like the firewall engine, the group order displayed is now respected by the system.  Group-level options to use global URL lists and RTF are correctly respected.

MECguard performance has been improved.

MECguard now makes use of 192.0.0.1 as its override login address instead of 172.31.255.1 which was a conflict for some networks.  The old address will remain valid until the next release to provide time to update block pages.

A button to reset the MECguard block page to the system default has been added in the event you want to revert from a custom block page.

MECguard access logs now correctly export.

MECguard "top sites" log is now broken down by group.

MECguard log viewer now includes a date widget.

SECURE WEB FILTERING

Major change here: MECguard SSL is now a proxy-based solution rather than a transparent one.  This means that in order to use MECguard SSL the system or browser will need to be configured to do so.  It also means, however, that MECguard will be able to block SSL websites by hostname and log requests without generating SSL certificate errors for allowed sites.

A group-level "Force MECguard SSL" checkbox has been added which redirects any non-proxy HTTPS traffic for the group to a block page explaining that HTTPS is disabled unless using a proxy.  MECguard SSL can still be used without blocking non-proxy traffic if the option is not checked.

The Joebox provides an automatic proxy configuration script at the URL "http://192.0.0.1/wpad.dat"; this script includes the necessary exceptions to not filter private networks, and only directs HTTPS requests to the proxy server (also at 192.0.0.1).

For browsers to auto-discover the proxy configuration URL, you can create a DNS record for wpad.domain (where domain is whatever domain name you assign to your hosts) which points to 192.0.0.1.  If using the Joebox as your DNS server in local mode (private IP addressing) the "wpad.local" DNS record will correctly respond without additional configuration.  Sites using their own DNS server and a domain name other than local will need to manually create the DNS record.

Client systems may need to have automatic configuration enabled under Internet settings for WPAD to work.

Sites running their own DHCP server may be able to provide the WPAD configuration URL using DHCP (we believe the DHCP method is Windows only).

SYSTEM

Reminder messages have been added reminding you to save your configuration if changes have been made, and to reboot your Joebox if software has been upgraded.

Fix for a memory leak in UI causing load average to slowly rise.

Local-mode DHCP server now correctly includes the "authoritative;" statement and will force clients to request a new lease if they attempt to renew an invalid lease.  This was causing significant address assignment problems for hosts that roam between different networks (such as wireless).

System kernel has been upgraded to a more actively developed and maintained tree.

--
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/
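The proxy auto-configuration script described in the "SECURE WEB FILTERING" section above, as an added example that is not the Joebox's real wpad.dat: it sends only HTTPS requests to the proxy at 192.0.0.1 and leaves private networks direct, which is the behaviour the announcement describes. The proxy port (3128), the exact private ranges (RFC 1918 plus loopback and 192.0.0.1 itself) and the local stand-ins for the browser-supplied PAC helpers are assumptions made here; a browser's own isInNet() would also resolve hostnames, while the version below only understands dotted-quad IP literals, so the script can run under Node.js for testing.

```javascript
// Added example of a WPAD/PAC script in the shape the announcement describes.
// Not the Joebox's own wpad.dat. Browsers provide isInNet()/isPlainHostName()
// themselves; the stand-ins below are assumptions so the file runs in Node.js.

// Assumption: the page gives the proxy address (192.0.0.1) but not its port.
var PROXY_PORT = 3128;
var PROXY = "PROXY 192.0.0.1:" + PROXY_PORT;

// Networks that must never be sent to the proxy. RFC 1918 space covers the
// "private networks" exception in the announcement; loopback and 192.0.0.1
// itself are assumed additions so local services and the override login
// page are reached directly rather than through the proxy.
var DIRECT_NETS = [
  ["10.0.0.0",    "255.0.0.0"],
  ["172.16.0.0",  "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
  ["127.0.0.0",   "255.0.0.0"],
  ["192.0.0.1",   "255.255.255.255"]
];

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or null.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Stand-in for the PAC helper: true when the name has no dots ("intranet").
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Stand-in for the PAC helper: IP-literal-only network membership test.
// (A browser's isInNet() would resolve a hostname first; this one does not.)
function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  // JS bitwise ops are signed 32-bit; ">>> 0" compares as unsigned.
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// Entry point every PAC file must export: returns "DIRECT" or a proxy string.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // The announcement says only HTTPS is directed to the proxy.
  if (url.substring(0, 6).toLowerCase() !== "https:") return "DIRECT";
  // Unqualified names and localhost are local to the site: go direct.
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  // Private networks are excluded from filtering: go direct.
  for (var i = 0; i < DIRECT_NETS.length; i++) {
    if (isInNet(host, DIRECT_NETS[i][0], DIRECT_NETS[i][1])) return "DIRECT";
  }
  // Everything else (public HTTPS) goes through MECguard SSL.
  return PROXY;
}
```

Because the script decides on the URL scheme before anything else, a browser that fetched it via WPAD still talks to public HTTP sites directly and only tunnels HTTPS through 192.0.0.1, which is why the "Force MECguard SSL" option can block non-proxy HTTPS without affecting plain HTTP. The old override address 172.31.255.1 falls inside 172.16.0.0/12, so it needs no special case here.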
