On Wed, Dec 22, 2010 at 11:24 AM, Ray Soucy <[log in to unmask]> wrote:
> Greetings, All.
>
> The new release of Joebox software from MECnet is finally looking like
> it's at a point where we can start doing production testing.
>
> We're still calling this a "beta" until we've verified that it is
> working well in a production K12 environment; so ideally we're looking
> for sites that are willing to work with us to troubleshoot and resolve
> any issues that come up due to the upgrade.
>
> If you're interested in being a "beta tester" for the new release,
> please drop me a note.
> Disclaimer: There will be a limited number of sites that get the beta
> software, so you may or may not get included.
>
> Here is a summary of what has changed in the new release. As you can
> see there are a lot of major changes, so we may run into bugs that
> weren't caught in internal testing.
>
> FIREWALL ENGINE
>
> The JB Firewall Engine has been re-written. The new engine
> dynamically adds, modifies, and removes rules without flushing and
> re-creating the entire policy (which is how the current version
> operates). This should improve stability and make minor changes to
> the Joebox less disruptive to production traffic.
>
> Firewall groups and rules can now be ordered in the web UI. The
> Joebox will now correctly respect ordering. This resolves issues for
> sites using multiple groups.
>
> The Linux kernel used by the system has been upgraded to the long-term
> stable development tree (2.6.32).
>
> Additional kernel tuning to provide better support for large networks.
>
> Firewall rules now allow for ICMP protocol and type to be specified.
>
> SMTP filtering now provides an internal ACL field for IP addresses or
> networks that should be allowed to make outgoing SMTP connections.
>
> Policy Engineering for Low, Medium, and High policy levels has been
> re-worked. The new policy will allow for rules to correctly filter
> between internal networks.
>
> WEB FILTERING
>
> MECguard has been upgraded to a new major version. The new version of
> MECguard no longer resets active connections when changes are applied,
> making changes less disruptive.
>
> The TLD list has been replaced with global Allow and Block lists;
> which now works. This makes the user interface a little more
> intuitive.
>
> A "soft allow" list has been added to ignore URLs that would be
> otherwise blocked as part of a filter category, but not be globally
> allowed (e.g. these sites will still go through the standard checks).
> For example, "youtube.com" is in the "Pornography" category list. You
> likely wouldn't want to allow youtube.com as that would allow any
> request to the site without making any checks. The soft allow removes
> youtube.com from the category list, but still allows for more
> fine-grain blocking via RTF or URL lists, for example blocking
> "youtube.com/signin" but not blocking all of youtube.com.
>
> RTF now correctly checks all keywords. This fixes an obscure bug
> where some keywords would be checked and others would not be. For
> example, the keyword "soucy" would always be ignored by RTF in the
> previous release.
>
> MECguard is now more respectful of filter groups. For example, blocks
> triggered by RTF will only be applied to the group that the block was
> triggered on. Like the firewall engine, the group order displayed is now
> respected by the system. Group-level options to use global URL lists
> and RTF are correctly respected.
>
> MECguard performance has been improved.
>
> MECguard now makes use of 192.0.0.1 as its override login address
> instead of 172.31.255.1 which was a conflict for some networks. The
> old address will remain valid until the next release to provide time
> to update block pages.
>
> A button to reset the MECguard block page to the system default has
> been added in the event you want to revert from a custom block page.
>
> MECguard access logs now correctly export.
>
> MECguard "top sites" log is now broken down by group.
>
> MECguard log viewer now includes a date widget.
>
> SECURE WEB FILTERING
>
> Major change here: MECguard SSL is now a proxy-based solution rather
> than a transparent one. This means that in order to use MECguard SSL
> the system or browser will need to be configured to do so. It also
> means, however, that MECguard will be able to block SSL websites by
> hostname and log requests without generating SSL certificate errors
> for allowed sites.
>
> A group-level "Force MECguard SSL" checkbox has been added which
> redirects any non-proxy HTTPS traffic for the group to a block page
> explaining that HTTPS is disabled unless using a proxy. MECguard SSL
> can still be used without blocking non-proxy traffic if the option is
> not checked.
>
> The Joebox provides an automatic proxy configuration script at the URL
> "http://192.0.0.1/wpad.dat"; this script includes the necessary
> exceptions to not filter private networks, and only direct HTTPS
> requests to the proxy server (also at 192.0.0.1).
>
> For browsers to auto-discover the proxy configuration URL, you can
> create a DNS record for wpad.domain (where domain is whatever domain
> name you assign to your hosts) which points to 192.0.0.1. If using
> the Joebox as your DNS server in local mode (private IP addressing)
> the "wpad.local" DNS record will correctly respond without additional
> configuration. Sites using their own DNS server and a domain name
> other than local will need to manually create the DNS record.
>
> Client systems may need to have automatic configuration enabled under
> Internet settings for WPAD to work.
>
> Sites running their own DHCP server may be able to provide the WPAD
> configuration URL using DHCP (we believe the DHCP method is Windows
> only).
>
> SYSTEM
>
> Reminder messages have been added reminding you to save your
> configuration if changes have been made, and to reboot your Joebox if
> software has been upgraded.
>
> Fix for a memory leak in UI causing load average to slowly rise.
>
> Local-mode DHCP server now correctly includes the "authoritative;"
> statement and will force clients to request a new lease if they
> attempt to renew an invalid lease. This was causing significant
> address assignment problems for hosts that roam between different
> networks (such as wireless).
>
> System kernel has been upgraded to a more actively developed and
> maintained tree.
>
> --
> Ray Soucy
>
> Epic Communications Specialist
>
> Phone: +1 (207) 561-3526
>
> Networkmaine, a Unit of the University of Maine System
>
> http://www.networkmaine.net/
>
--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
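The wpad.dat behaviour described in the SECURE WEB FILTERING section (private networks exempt, only HTTPS sent to the proxy at 192.0.0.1), written out as an added PAC-script example; this is not the Joebox's actual script, and the proxy port 3128, the exact bypass list and the ".local" rule are assumptions.

```javascript
// Hypothetical wpad.dat (PAC script), not the Joebox's own. Policy: plain HTTP goes
// direct (and is still filtered transparently); HTTPS goes to the MECguard SSL proxy
// at 192.0.0.1; private/local hosts are never proxied. Port 3128 is an assumption.
var PROXY_SSL = "PROXY 192.0.0.1:3128"; // assumed proxy port
var DIRECT = "DIRECT";

// Destinations that must bypass the proxy (RFC 1918 ranges, loopback, and the
// Joebox override/block-page address itself). The list is an assumption.
var BYPASS_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "192.0.0.1/32"];

// Pure-JS stand-ins for the PAC built-ins isInNet()/isPlainHostName() so the file
// also runs under node. Only IPv4 literals are matched; a real PAC script would
// call dnsResolve() for hostnames, which browsers provide and node does not.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

function inCidr(host, cidr) {
  var parts = cidr.split("/");
  var ip = ipv4ToInt(host), net = ipv4ToInt(parts[0]), bits = Number(parts[1]);
  if (ip === null || net === null) return false;
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((net & mask) >>> 0);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Only HTTPS is handed to MECguard SSL; everything else is left to the transparent path.
  if (url.toLowerCase().indexOf("https:") !== 0) return DIRECT;
  // Unqualified names and the Joebox local-mode domain stay inside the network.
  if (host.indexOf(".") === -1 || /\.local$/.test(host)) return DIRECT;
  for (var i = 0; i < BYPASS_NETS.length; i++) {
    if (inCidr(host, BYPASS_NETS[i])) return DIRECT;
  }
  return PROXY_SSL;
}
```

A client that fetches this script via WPAD will still reach private and local hosts directly even when the group's "Force MECguard SSL" option blocks non-proxy HTTPS.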